65f0ce8ca3
Remove the sanity check which is not proving to be useful
2016-10-27 19:11:26 -04:00
dc93e57cf1
Return the revocation_sql from role read all the time
2016-10-27 12:24:31 -04:00
e0fb8c17ce
Added revocation_sql to the website docs
2016-10-27 12:15:08 -04:00
c14a6c8666
Move policy test to keysutil package
2016-10-26 19:57:28 -04:00
6d1e1a3ba5
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 19:52:31 -04:00
79d45355c8
Merge pull request #2004 from hashicorp/role-id-update
...
Fix regression caused by not creating a role_id secondary index
2016-10-26 16:29:46 -04:00
931c96d1ba
ssh: Use temporary file to store the identity file
2016-10-18 12:50:12 -04:00
6dd560d9c6
Merge pull request #2005 from hashicorp/dedup-ldap-policies
...
Deduplicate the policies in ldap backend
2016-10-18 10:42:11 -04:00
4b6e82afcb
Add ability to list keys in transit backend ( #1987 )
2016-10-18 10:13:01 -04:00
2ce8bc95eb
Deduplicate the policies in ldap backend
2016-10-14 17:20:50 -04:00
1487dce475
Fix regression caused by not creating a role_id secondary index
2016-10-14 12:56:29 -04:00
dcf44a8fc7
Merge pull request #1980 from hashicorp/audit-update
...
Audit file update
2016-10-10 14:34:53 -04:00
0da9d1ac0c
test updates to address feedback
2016-10-10 12:58:30 -04:00
5ce9737eb4
address feedback
2016-10-10 12:16:55 -04:00
962a383bfb
address latest feedback
2016-10-10 11:58:26 -04:00
290ccee990
minor fix
2016-10-10 10:05:36 -04:00
9fc5a37e84
address feedback
2016-10-09 22:23:30 -04:00
05519a1267
adding unit tests for file mode
2016-10-09 00:33:24 -04:00
e5a7e3d6cb
initial commit to fix empty consistency option issue
2016-10-08 20:22:26 -04:00
1b8d12fe82
changes for 'mode'
2016-10-08 19:52:49 -04:00
60ceea5532
initial commit for adding audit file permission changes
2016-10-07 15:09:32 -04:00
c45ab41b39
Update aws-ec2 configuration help
...
Updated to reflect enhanced functionality and clarify necessary
permissions.
2016-10-05 12:40:58 -07:00
70a9fc47b4
Don't use quoted identifier for the username
2016-10-05 14:31:19 -04:00
7f9a88d8db
Postgres revocation sql, beta mode ( #1972 )
2016-10-05 13:52:59 -04:00
de5dec6b15
Refactor mysql's revoke SQL
2016-10-04 19:30:25 -04:00
1ab7023483
Merge pull request #1914 from jpweber/mysql-revoke
...
Mysql revoke with non-wildcard hosts
2016-10-04 17:44:15 -04:00
87f206b536
removed an unused ok variable. Added warning and force use for default queries if role is nil
2016-10-04 17:15:29 -04:00
0f8c132ede
Minor doc updates
2016-10-04 15:46:09 -04:00
2e1aa80f31
Address review feedback 2
2016-10-04 15:30:42 -04:00
59475d7f14
Address review feedback
2016-10-04 15:05:44 -04:00
cc38f3253a
fixed an incorrect assignment
2016-10-03 21:51:40 -04:00
348a09e05f
Add only relevant certificates
2016-10-03 20:34:28 -04:00
dbd364453e
aws-ec2 config endpoints support type option to distinguish certs
2016-10-03 20:25:07 -04:00
ac78ddc178
More resilient around cases of missing role names and using the default when needed.
2016-10-03 20:20:00 -04:00
b105f8ccf3
Authenticate aws-ec2 instances using identity document and its RSA signature
2016-10-03 18:57:41 -04:00
0a7f1089ca
Refactored logic some to make sure we can always fall back to default revoke statments
...
Changed rolename to role
made default sql revoke statments a const
2016-10-03 15:59:56 -04:00
704fccaf2e
fixed some more issues I had with the tests.
2016-10-03 15:58:09 -04:00
a2d6624a69
renamed rolname to role
2016-10-03 15:57:47 -04:00
bfb0c2d3ff
Reduced duplicated code and fixed comments and simple variable name mistakes
2016-10-03 14:53:05 -04:00
bb70ecc5a7
Added test for revoking mysql user with wild card host and non-wildcard host
2016-10-02 22:28:54 -04:00
dbb00534d9
saving role name to the Secret Internal data. Default revoke query added
...
The rolename is now saved to the secret internal data for fetching
later during the user revocation process. No longer deriving the role
name from request path
Added support for default revoke SQL statements that will provide the
same functionality as before. If not revoke SQL statements are provided
the default statements are used.
Cleaned up personal ignores from the .gitignore file
2016-10-02 18:53:16 -04:00
6d00f0c483
Adds HUP support for audit log files to close and reopen. ( #1953 )
...
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.
As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
4c74b646fe
Merge pull request #1947 from hashicorp/secret-id-lookup-delete
...
Introduce lookup and destroy endpoints for secret IDs and its accessors
2016-09-29 10:19:54 -04:00
34e76f8b41
Added website docs for lookup and destroy APIs
2016-09-28 22:11:48 -04:00
d20819949c
Make secret-id reading and deleting, a POST op instead of GET
2016-09-28 20:22:37 -04:00
2dd1f584e6
Update documentation for required AWS API permissions
...
In order for Vault to map IAM instance profiles to roles, Vault
must query the 'iam:GetInstanceProfile' API, so update the documentation
and help to include the additional permissions needed.
2016-09-28 16:50:20 -07:00
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
5adfaa0d7d
Merge pull request #1939 from hashicorp/secret-id-upgrade
...
Respond secret_id_num_uses and deprecate SecretIDNumUses
2016-09-28 18:16:07 -04:00
e9142f418a
Added todo to remind removal of upgrade code
2016-09-28 18:17:13 -04:00
e01f99f042
Check for prefix match instead of exact match for IAM bound parameters
2016-09-28 18:08:28 -04:00
21d9731286
Don't reset the deprecated value yet
2016-09-28 15:48:50 -04:00
4a30a6b4f8
Merge pull request #1913 from hashicorp/bound-iam-instance-profile-arn
...
Proper naming for bound_iam_instance_profile_arn
2016-09-28 15:34:56 -04:00
31e450a175
Add some validation checks
2016-09-28 15:36:02 -04:00
9eabf75f5f
Fix the misplaced response warning
2016-09-28 14:20:03 -04:00
a2338f5970
Added testcase to check secret_id_num_uses
2016-09-28 13:58:53 -04:00
ba1d238f9b
Pull out reading and storing of secret ID into separate functions and handle upgrade properly
2016-09-28 12:42:26 -04:00
010293ccc3
Merge pull request #1931 from hashicorp/cass-consistency
...
Adding consistency into cassandra
2016-09-27 21:12:02 -04:00
d235acf809
Adding support for chained intermediate CAs in pki backend ( #1694 )
2016-09-27 17:50:17 -07:00
5ac43873c4
minor updates
2016-09-27 20:35:11 -04:00
e14fe05c13
added parsing at role creation
2016-09-27 16:01:51 -04:00
4938aa56bf
initial commit for consistency added into cassandra
2016-09-27 13:25:18 -04:00
5eff59c410
Fix "SecretIDNumUses" in AppRole auth backend
...
There was a typo.
2016-09-27 17:26:52 +03:00
b1ee56a15b
Merge pull request #1910 from hashicorp/secret-id-cidr-list
...
CIDR restrictions on Secret ID
2016-09-26 10:22:48 -04:00
a4b119dc25
Merge pull request #1920 from legal90/fix-approle-delete
...
Fix panic on deleting the AppRole which doesn't exist
2016-09-26 10:05:33 -04:00
3f77013004
Fix panic on deleting the AppRole which doesn't exist
...
#pathRoleDelete should return silently if the specified AppRole doesn't exist
Fixes GH-1919
2016-09-26 16:55:08 +03:00
da5b5d3a8e
Address review feedback from @jefferai
2016-09-26 09:53:24 -04:00
d080107a87
Update docs to contain bound_iam_role_arn
2016-09-26 09:37:38 -04:00
bf0b7f218e
Implemented bound_iam_role_arn constraint
2016-09-23 21:35:36 -04:00
e0ea497cfe
Getting role name from the creds path used in revocation
2016-09-23 16:57:08 -04:00
8709406eb3
secretCredsRevoke command no longer uses hardcoded query
...
The removal of a user from the db is now handled similar to the
creation. The SQL is read out of a key from the role and then executed
with values substituted for username.
2016-09-23 16:05:49 -04:00
1bed6bfc2c
Added support for a revokeSQL key value pair to the role
2016-09-23 16:00:23 -04:00
6bf871995b
Don't use time.Time in responses. ( #1912 )
...
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
e0c41f02c8
Fix incorrect naming of bound_iam_instance_profile_arn
2016-09-23 11:22:23 -04:00
c26754000b
Fix ssh tests
2016-09-22 11:37:55 -04:00
aaadd4ad97
Store the CIDR list in the secret ID storage entry.
...
Use the stored information to validate the source address and credential issue time.
Correct the logic used to verify BoundCIDRList on the role.
Reverify the subset requirements between secret ID and role during credential issue time.
2016-09-21 20:19:26 -04:00
578b82acf5
Pass only valid inputs to validation methods
2016-09-21 15:44:54 -04:00
93604e1e2e
Added cidrutil helper
2016-09-21 13:58:32 -04:00
676e7e0f07
Ensure upgrades have a valid HMAC key
2016-09-21 11:10:57 -04:00
0ff76e16d2
Transit and audit enhancements
2016-09-21 10:49:26 -04:00
5c241d31e7
Renaming ttl_max -> max_ttl in mssql backend ( #1905 )
2016-09-20 12:39:02 -04:00
97dc0e9f64
Merge pull request #1897 from hashicorp/secret-id-accessor-locks
...
Safely manipulate secret id accessors
2016-09-19 11:37:38 -04:00
fefd3a6c0b
s/GetOctalFormatted/GetHexFormatted
2016-09-16 17:47:15 -04:00
897d3c6d2c
Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop.
2016-09-16 11:05:43 -04:00
ba72e7887a
Safely manipulate secret id accessors
2016-09-15 18:13:50 -04:00
61664bc653
Merge pull request #1886 from hashicorp/approle-upgrade-notes
...
upgrade notes entry for approle constraint and warning on role read
2016-09-15 12:14:01 -04:00
5597156886
check for nil role
2016-09-15 12:10:40 -04:00
92986bb2a0
Address review feedback
2016-09-15 11:41:52 -04:00
a1de742dce
s/disableReauthenticationNonce/reauthentication-disabled-nonce
2016-09-15 11:29:02 -04:00
9bca127631
Updated docs with nonce usage
2016-09-14 19:31:09 -04:00
857f921d76
Added comment
2016-09-14 18:27:35 -04:00
39796e8801
Disable reauthentication if nonce is explicitly set to empty
2016-09-14 17:58:00 -04:00
d0e4d77fce
address review feedback
2016-09-14 14:28:02 -04:00
d7ce69c5eb
Remove the client nonce being empty check
2016-09-14 14:28:02 -04:00
53c919b1d0
Generate the nonce by default
2016-09-14 14:28:02 -04:00
455a4ae055
address review feedback
2016-09-14 12:08:35 -04:00
b1392567d1
Use constant time comparisons for client nonce
2016-09-13 20:12:43 -04:00
d2e66014ba
Address review feedback
2016-09-13 18:30:04 -04:00
29b67141eb
Only use running state for checking if instance is alive. ( #1885 )
...
Fixes #1884
2016-09-13 18:08:05 -04:00
99a2655d8e
upgrade notes entry for approle constraint and warning on role read
2016-09-13 17:44:07 -04:00
bef9c2ee61
Ensure at least one constraint on the role
2016-09-13 16:03:15 -04:00
197c7eae5f
Allow encrypting empty ciphertext values. ( #1881 )
...
Replaces #1874
2016-09-13 12:00:04 -04:00
b599948e1c
Use uuid.GenerateRandomBytes
2016-09-09 14:17:09 -04:00
127f61473b
Not exposing structs from the backend's package
2016-09-01 11:57:28 -04:00
1db0544b7a
Use unexported kdf const names
2016-08-31 07:19:58 -04:00
c46a7391c0
Merge pull request #1799 from hashicorp/fix-role-locking
...
approle: fix racy updates problem for roles
2016-08-30 16:46:40 -04:00
cdcfa4572f
Address review feedback
2016-08-30 16:36:58 -04:00
d2239d22d9
Use hkdf for transit key derivation for new keys ( #1812 )
...
Use hkdf for transit key derivation for new keys
2016-08-30 16:29:09 -04:00
29b9295673
approle: fix racy updates problem for roles
2016-08-30 16:11:14 -04:00
9dbc97028b
STS path field description update
2016-08-30 10:53:21 -04:00
0b07ec7303
Added UpdateOperation to logical AWS STS path
2016-08-30 10:30:13 -04:00
cdd1d96a64
Merge pull request #1804 from hashicorp/issue-1800
...
Mark STS secrets as non-renwable
2016-08-29 11:46:19 -04:00
8612b6139e
Fixes #1801 Reuse Cassandra session object for create creds ( #1802 )
2016-08-28 17:32:41 -04:00
f0537572a8
Mark STS secrets as non-renwable
...
Ping #1800
2016-08-28 14:27:56 -04:00
0b113f7916
Derive nonce fully in convergent mode ( #1796 )
...
Ping #1794
2016-08-26 17:01:56 -04:00
2f5876dfe9
Use key derivation for convergent nonce. ( #1794 )
...
Use key derivation for convergent nonce.
Fixes #1792
2016-08-26 14:11:03 -04:00
28739f3528
Decode secret internal data into struct and fix type assertion. ( #1781 )
2016-08-24 15:04:04 -04:00
d1284944c3
Merge pull request #1755 from hashicorp/logxi
...
Convert to logxi
2016-08-21 19:28:18 -04:00
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
524ed6db37
Extract out common code
2016-08-21 15:46:11 -04:00
dfe73733d5
Seperate endpoints for read/delete using secret-id and accessor
2016-08-21 14:42:49 -04:00
2860dcc60f
gofmt
2016-08-19 16:48:32 -04:00
7ce631f1dc
Pretty print the warning
2016-08-18 16:09:10 -04:00
870ffd6fd8
Use shortestTTL value during renewals too
2016-08-18 15:43:58 -04:00
4f1c47478e
When TTL is not set, consider the system default TTL as well
2016-08-18 15:37:59 -04:00
56b8c33c95
aws-ec2: se max_ttl when ttl is not set, during login
2016-08-18 15:16:32 -04:00
638e61192a
Actually show the error occurring if a file audit log can't be opened
2016-08-15 16:26:36 -04:00
86874def5c
Parameter change
...
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
2016-08-14 21:43:57 -04:00
39cfd116b6
Cleanup
2016-08-13 11:52:09 -04:00
1b8711e7b7
Ensure utc value is not zero before adding
2016-08-13 11:50:57 -04:00
d6d08250ff
Ensure values to be encoded in a CRL are in UTC. This aligns with the
...
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.
Fixes #1727
2016-08-13 08:40:09 -04:00
b150c14caa
Address review feedback by @jefferai
2016-08-09 17:45:42 -04:00
8d261b1a78
Added ttl field to aws-ec2 auth backend role
2016-08-09 17:29:45 -04:00
b69ed7ea93
Fix build
2016-08-08 17:00:59 -04:00
7f6c58b807
Address review feedback
2016-08-08 16:30:48 -04:00
0a67bcb5bd
Merge pull request #1696 from hashicorp/transit-convergent-specify-nonce
...
Require nonce specification for more flexibility
2016-08-08 11:41:10 -04:00
1f198e9256
Return warning about ACLing the LDAP configuration endpoint.
...
Fixes #1263
2016-08-08 10:18:36 -04:00
606ba64e23
Remove context-as-nonce, add docs, and properly support datakey
2016-08-07 15:53:40 -04:00
1976bc0534
Add unit tests for convergence in non-context mode
2016-08-07 15:16:36 -04:00
8b1d47037e
Refactor convergent encryption to make specifying a nonce in addition to context possible
2016-08-05 17:52:44 -04:00
0b73c2ff9a
Fix PKI logical backend email alt_names
2016-08-04 12:10:34 +02:00
58e9cbbfc6
Add postgres test for block statements
2016-08-03 15:34:50 -04:00
9e204bd88c
Add arbitrary string slice parsing.
...
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.
Fixes #1619 in theory.
2016-08-03 14:24:16 -04:00
c025b292b5
Cleanup
2016-08-03 13:09:12 -04:00
cff7aada7a
Fix invalid input getting marked as internal error
2016-07-28 16:23:11 -04:00
e0c5f5f5fa
Add convergence tests to transit backend
2016-07-28 11:30:52 -04:00
a6907769b0
AppRole authentication backend
2016-07-26 09:32:41 -04:00
0cfb112e87
Explicitly set invalid request status when a password isn't included
2016-07-25 11:14:15 -04:00
dc4b85b55e
Don't return 500 for user error in userpass when setting password
2016-07-25 11:09:46 -04:00
d4c3e27c4e
Fix re-specification of filter
2016-07-25 09:08:29 -04:00
cd6d114e42
LDAP Auth Backend Overhaul
...
--------------------------
Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.
Simplified group membership lookup significantly to support multiple use-cases:
* Enumerating groups via memberOf attribute on user object
* Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
* Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matchind rule
There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.
Additional changes:
* Clarify documentation for LDAP auth backend.
* Reworked how default values are set, added tests
* Removed Dial from LDAP config read. Network should not affect configuration.
2016-07-22 21:20:05 -04:00
68dcf677fa
Fix panic if no certificates are supplied by client
...
Fixes #1637
2016-07-21 10:20:41 -04:00
b353e44209
Fix build
2016-07-21 09:53:41 -04:00
d335038b40
Ensure we never return a nil set of trusted CA certs
...
Fixes #1637
2016-07-21 09:50:31 -04:00
559b0a5006
Merge pull request #1635 from hashicorp/mysql-idle-conns
...
Added maximum idle connections to mysql to close hashicorp/vault#1616
2016-07-20 15:31:37 -04:00
b558c35943
Set defaults to handle upgrade cases.
...
Ping #1604
2016-07-20 14:07:19 -04:00
f2b6569b0b
Merge pull request #1604 from memory/mysql-displayname-2
...
concat role name and token displayname to form mysql username
2016-07-20 14:02:17 -04:00
ea294f1d27
use both role name and token display name to form mysql username
2016-07-20 10:17:00 -07:00
e6bf4fa489
whitespace error corrected
2016-07-20 12:00:05 -04:00
0483457ad2
respond to feedback from @vishalnayak
...
- split out usernameLength and displaynameLength truncation values,
as they are different things
- fetch username and displayname lengths from the role, not from
the request parameters
- add appropriate defaults for username and displayname lengths
2016-07-20 06:36:51 -07:00
7cdb8a28bc
max_idle_connections added
2016-07-20 09:26:26 -04:00
03c7eb7d18
initial commit before rebase to stay current with master
2016-07-19 14:18:37 -04:00
30ca541f99
Merge pull request #1414 from mhurne/mongodb-secret-backend
...
Add mongodb secret backend
2016-07-19 13:56:15 -04:00
3334b22993
Some minor linting
2016-07-19 13:54:18 -04:00
0f9ee8fbed
Merge branch 'master' into mongodb-secret-backend
2016-07-19 12:47:58 -04:00
072c5bc915
mongodb secret backend: Remove redundant type declarations
2016-07-19 12:35:14 -04:00
c7d42cb112
mongodb secret backend: Fix broken tests, clean up unused parameters
2016-07-19 12:26:23 -04:00
fbb04349b5
Merge pull request #1629 from hashicorp/remove-verify-connection
...
Remove unused VerifyConnection from storage entries of SQL backends
2016-07-19 12:21:23 -04:00
8a1bb1626a
Merge pull request #1583 from hashicorp/ssh-allowed-roles
...
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-19 12:04:12 -04:00
7fb04a1bbd
Remove unused VerifyConnection from storage entries of SQL backends
2016-07-19 11:55:49 -04:00
316837857b
mongodb secret backend: Return lease ttl and max_ttl in lease read in seconds rather than as duration strings
2016-07-19 11:23:56 -04:00
f18d98272d
mongodb secret backend: Don't bother persisting verify_connection field in connection config
2016-07-19 11:20:45 -04:00
f8e6bcbb69
mongodb secret backend: Handle cases where stored username or db is not a string as expected when revoking credentials
2016-07-19 11:18:00 -04:00
75a5fbd8fe
Merge branch 'master' into mongodb-secret-backend
2016-07-19 10:38:45 -04:00
434ed2faf2
Merge pull request #1573 from mickhansen/logical-postgresql-revoke-sequences
...
handle revocations for roles that have privileges on sequences
2016-07-18 13:30:42 -04:00
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
cdf58da43b
Merge pull request #1610 from hashicorp/min-tls-ver-12
...
Set minimum TLS version in all tls.Config objects
2016-07-13 10:53:14 -06:00
09a4142fd3
Handled upgrade path for TLSMinVersion
2016-07-13 12:42:51 -04:00
9f1e6c7b26
Merge pull request #1607 from hashicorp/standardize-time
...
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
de19314f18
Address review feedback
2016-07-13 11:52:26 -04:00
407722a9b4
Added tls_min_version to consul storage backend
2016-07-12 20:10:54 -04:00
314a5ecec0
allow overriding the default truncation length for mysql usernames
...
see https://github.com/hashicorp/vault/issues/1605
2016-07-12 17:05:43 -07:00
f34f0ef503
Make 'tls_min_version' configurable
2016-07-12 19:32:47 -04:00
46d34130ac
Set minimum TLS version in all tls.Config objects
2016-07-12 17:06:28 -04:00
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
57cdb58374
Switch to pester from go-retryablehttp to avoid swallowing 500 error messages
2016-07-11 21:37:46 +00:00
9ee4542a7c
incorporate code style guidelines
2016-07-11 13:35:35 +02:00
c25788e1d4
handle revocations for roles that have privileges on sequences
2016-07-11 13:16:45 +02:00
2cf4490b37
use role name rather than token displayname in generated mysql usernames
...
If a single token generates multiple myself roles, the generated mysql
username was previously prepended with the displayname of the vault
user; this makes the output of `show processlist` in mysql potentially
difficult to correlate with the roles actually in use without cross-
checking against the vault audit log.
See https://github.com/hashicorp/vault/pull/1603 for further discussion.
2016-07-10 15:57:47 -07:00
6505e85dae
mongodb secret backend: Improve safety of MongoDB roles storage
2016-07-09 21:12:42 -04:00
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
bb8a45eb8b
Format code in mongodb secret backend
2016-07-07 23:16:11 -04:00
8d5a7992c1
mongodb secret backend: Improve and correct errors in documentation; improve "parameter is required" error response messages
2016-07-07 23:09:45 -04:00
eee6f04e40
mongodb secret backend: Refactor to eliminate unnecessary variable
2016-07-07 22:29:17 -04:00
ce845df43c
mongodb secret backend: Consider a "user not found" response a success when removing a user from Mongo
2016-07-07 22:27:47 -04:00
138d74f745
mongodb secret backend: Improve roles path help
2016-07-07 22:16:34 -04:00
7f9d91acb6
mongodb secret backend: Remove default value for Mongo authentication DB for roles; validate that role name and authentication db were specified when creating a role
2016-07-07 22:09:00 -04:00
de84cdabe6
mongodb secret backend: Leverage framework.TypeDurationSecond to simplify storage of lease ttl and max_ttl
2016-07-07 21:48:44 -04:00
6d7c9f5424
mongodb secret backend: Verify existing Session is still working before reusing it
2016-07-07 21:37:44 -04:00
db3670c353
Fix transit tests
2016-07-06 22:04:08 -04:00
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
5367a7223d
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-05 11:14:29 -04:00
769d20c770
Merge branch 'master' into mongodb-secret-backend
2016-07-05 09:33:12 -04:00
ba9c97b915
mongodb secret backend: Add support for reading connection configuration; Dockerize tests
2016-07-05 09:32:38 -04:00
2e828383e0
Move the parameter down to where the statement is executed.
2016-07-03 16:20:27 -07:00
08fb1a30d4
Use `lib/pq`'s `QuoteIdentifier()` on all identifiers and Prepare
...
for all literals.
2016-07-03 16:01:39 -07:00
292c2fad69
Merge branch 'master' into mongodb-secret-backend
2016-07-01 20:39:13 -04:00
4a8d9eb942
Shave off a lot of PKI testing time by not requiring key generation when testing CSRs. Also enable all tests all the time.
2016-07-01 17:28:48 -04:00
369dcff5f9
Merge pull request #1581 from mp911de/cassandra_connect_timeout
...
Support connect_timeout for Cassandra and align timeout.
2016-07-01 22:33:24 +02:00
ab63c938c4
Address review feedback.
...
Switch ConnectTimeout to framework.TypeDurationSecond with a default of 5. Remove own parsing code.
2016-07-01 22:26:08 +02:00
3859f7938a
Support connect_timeout for Cassandra and align timeout.
...
The cassandra backend now supports a configurable connect timeout. The timeout is configured using the connect_timeout parameter in the session configuration. Also align the timeout to 5 seconds which is the default for the Python and Java drivers.
Fixes #1538
2016-07-01 21:22:37 +02:00
51cd67115c
Run appid/cert auth tests always
2016-07-01 14:06:33 -04:00
db211a4b61
Migrate Consul acceptance tests to Docker
2016-07-01 13:59:56 -04:00
cdde4071d7
mongodb secret backend: Parse ssl URI option as a boolean rather than relying on string comparison
2016-07-01 13:55:06 -04:00
a2e95614d6
Have SQL backends Ping() before access.
...
If unsuccessful, reestablish connections as needed.
2016-07-01 12:02:17 -04:00
e50e331ffc
Always run transit acceptance tests
2016-07-01 11:45:56 -04:00
5313ae8a1b
Merge pull request #1578 from hashicorp/dockerize-mysql-acc-tests
...
Convert MySQL tests to Dockerized versions
2016-07-01 17:38:52 +02:00
5d707c41ff
Always run userpass acceptance tests
2016-07-01 11:37:38 -04:00
8d984c111d
Convert MySQL tests to Dockerized versions
2016-07-01 11:36:28 -04:00
46bf080409
mongodb secret backend: Refactor URI parsing logic to leverage url.Parse
2016-07-01 09:12:26 -04:00
6f05d6f21f
mongodb secret backend: Prefix all generated usernames with "vault-", and cleanly handle empty display names when generating usernames
2016-06-30 21:11:45 -04:00
acf4b0b637
Merge branch 'master' into mongodb-secret-backend
2016-06-30 16:43:53 -04:00
2488d520a4
Merge branch 'master-oss' into dockerize-pg-secret-tests
2016-06-30 14:31:52 -04:00
3e515c5885
Fix up breakage from bumping deps
2016-06-30 14:31:41 -04:00
8da8881825
Add comment around bind to localhost
2016-06-30 13:49:11 -04:00
22e83ae7f5
Dockerize Postgres secret backend acceptance tests
...
Additionally enable them on all unit test runs.
2016-06-30 13:46:39 -04:00
619ddc38b7
Use TRACE not WARN here
2016-06-30 12:41:56 -04:00
7879812f76
Persist verify_connection field in mongodb secret backend's connection config
2016-06-30 11:39:02 -04:00
350b69670c
Rename mongodb secret backend's 'ttl_max' lease configuration field to 'max_ttl'
2016-06-30 09:57:43 -04:00
05cc4f2761
Merge branch 'master' into mongodb-secret-backend
2016-06-30 09:02:30 -04:00
16d4f79c71
Fix test
2016-06-30 08:21:00 -04:00
5df2dd30c5
Change warn to trace for these messages
2016-06-29 21:04:02 -04:00
cf178d3c9e
Merge remote-tracking branch 'oss/master' into postgres-pl-lock
2016-06-29 17:40:34 -04:00
934e60c3c9
Add stmt close calls
2016-06-29 17:39:47 -04:00
a56f79adcb
Run prepare on the transaction, not the db
2016-06-29 17:20:41 -04:00
5e8c912048
Add mongodb secret backend
2016-06-29 08:33:06 -04:00
11c205e19b
removed option to create 1024 keybitlength certs
2016-06-28 16:56:14 -04:00
43df682365
Add more debug output
2016-06-28 11:03:56 -04:00
0802497c8a
Add some logging to enter/exit of some functions
2016-06-24 16:11:22 -04:00
9dc0599a30
Address review feedback
2016-06-23 10:18:03 -04:00
d7029fc49a
Add some more testing
2016-06-23 09:49:03 -04:00
45a442e593
Set some basic key usages by default.
...
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.
Fixes #1476
2016-06-22 16:08:24 -04:00
407373df5d
Revert "Use x509 package ext key usage instead of custom type"
...
This reverts commit 0b2d8ff475a26ff98c37337a64859d150d62cfc1.
2016-06-22 13:07:31 -04:00
c0dee06aab
Use x509 package ext key usage instead of custom type
2016-06-22 11:51:32 -04:00
62f66dc4d8
Do some internal renaming in PKI
2016-06-22 11:39:57 -04:00
5f5a81d8da
Fix broken build
2016-06-21 18:25:36 -04:00
e97f81ecaa
Print role name in the error message
2016-06-21 17:53:33 -04:00
d47fc4c4ad
Merge pull request #1515 from hashicorp/sql-config-reading
...
Allow reading of config in sql backends
2016-06-21 10:07:34 -04:00
78d4d5c8c3
Merge pull request #1523 from hashicorp/bind-account-id-aws-ec2
...
Added bound_account_id to aws-ec2 auth backend
2016-06-21 10:03:20 -04:00
f7a44a2643
Correct casing of abbreviations
2016-06-21 10:02:22 -04:00
389581f47b
Added warnings when configuring connection info in sql backends
2016-06-21 09:58:57 -04:00
711c05a319
Merge pull request #1546 from hashicorp/secret-aws-roles
...
Added list functionality to logical aws backend's roles
2016-06-20 20:10:24 -04:00
1976c9e75b
Added test case for listing aws secret backend roles
2016-06-20 20:09:31 -04:00
8b490e44a1
Added list functionality to logical aws backend's roles
2016-06-20 19:51:04 -04:00
69d562c5db
Merge pull request #1514 from hashicorp/backend-return-objects
...
Backend() functions should return 'backend' objects.
2016-06-20 19:30:00 -04:00
2e7704ea7e
Add convergent encryption option to transit.
...
Fixes #1537
2016-06-20 13:17:48 -04:00
383be815b6
aws-ec2: added a nil check for storedIdentity in login renewal
2016-06-20 10:19:57 -04:00
dccfc413d4
Replace an 'if' block with 'switch'
2016-06-17 12:35:44 -04:00
cf15354e44
Address review feedback
2016-06-17 10:11:39 -04:00
8e03c1448b
Merge branch 'master-oss' into bind-account-id-aws-ec2
...
Conflicts:
builtin/credential/aws-ec2/backend_test.go
builtin/credential/aws-ec2/path_login.go
builtin/credential/aws-ec2/path_role.go
2016-06-14 14:46:08 -04:00
74e84113db
fixing the test for the wrong IAM Role ARN
2016-06-14 18:17:41 +00:00
0ffbef0ccd
added tests, nil validations and doccumentation
2016-06-14 16:58:50 +00:00
26f7fcf6a1
Added bound_account_id to aws-ec2 auth backend
2016-06-14 11:58:19 -04:00
2c5a8fb39f
fixing spaces
2016-06-14 14:57:46 +00:00
52a47e1c4f
adding IAM Role as constrain
2016-06-14 14:49:36 +00:00
e925987cb6
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
b7eb28bb3a
Added bound_ami_id check
2016-06-13 08:56:39 -04:00
1776ff449f
Allow reading of config in sql backends
2016-06-11 11:48:40 -04:00
0760a89eb4
Backend() functions should return 'backend' objects.
...
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
c6a27f2fa8
s/VAULT_GITHUB_AUTH_TOKEN/VAULT_AUTH_GITHUB_TOKEN
2016-06-09 14:00:56 -04:00
b82033516e
Merge pull request #1510 from hashicorp/fix-gh-renew-panic
...
Fix panic when renewing a github token from a previous version of Vault
2016-06-09 13:54:20 -04:00
7c65dc9bf1
xInt->xRaw
2016-06-09 13:54:04 -04:00
308294db46
Added VAULT_GITHUB_AUTH_TOKEN env var to receive GitHub auth token
2016-06-09 13:45:56 -04:00
1715b3dcb8
Fix panic when renewing a github token from a previous version of Vault
2016-06-09 13:37:09 -04:00
5ccb4fe907
Merge pull request #1498 from hashicorp/pki-list
...
PKI List Functionality
2016-06-08 15:42:50 -04:00
f9c3afcc21
Fix broken test
2016-06-08 13:00:19 -04:00
6c4234eae6
Minor changes to the RabbitMQ acceptance tests
2016-06-08 12:50:43 -04:00
3795b65d19
Updates to the test based on feedback.
2016-06-08 16:49:10 +00:00
2f2a80e2be
Add PKI listing
2016-06-08 11:50:59 -04:00
94cd00f32a
Add an explicit default for TTLs for rabbit creds
2016-06-08 11:35:09 -04:00
86d697884b
Fix some typos in rmq text and structure
2016-06-08 11:31:57 -04:00
1b7da070ae
Added pooled transport for rmq client. Added tests
2016-06-08 10:46:46 -04:00
95f3726f1c
Migrate to go-uuid
2016-06-08 10:36:16 -04:00
5a3dd98d06
Polish the code
2016-06-08 10:25:03 -04:00
ab543414f6
Merge pull request #788 from doubledutch/master
...
RabbitMQ Secret Backend
2016-06-08 10:02:24 -04:00
8f437d6142
Make logical.InmemStorage a wrapper around physical.InmemBackend.
...
This:
* Allows removing LockingInmemStorage since the physical backend already
locks properly
* Makes listing work properly by adhering to expected semantics of only
listing up to the next prefix separator
* Reduces duplicated code
2016-06-06 12:03:08 -04:00
50c011e79f
Use backend function instead of separate backend creation in consul
2016-06-03 10:08:58 -04:00
ca47478aed
Merge pull request #1479 from hashicorp/reuse-be-creation-tests
...
Change AWS/SSH to reuse backend creation code for test functions
2016-06-03 09:59:37 -04:00
e9fbb9fabe
Remove failOnError method from cert tests
2016-06-01 16:01:28 -04:00
86d2c796b0
Change AWS/SSH to reuse backend creation code for test functions
2016-06-01 12:17:47 -04:00
3c5fb471a4
Merge pull request #1445 from hashicorp/consul-fixups
...
Reading consul access configuration in the consul secret backend.
2016-06-01 12:11:12 -04:00
3a460b9c4b
Merge pull request #1471 from hashicorp/rename-aws-auth
...
auth backend: rename `aws` as `aws-ec2`
2016-06-01 10:41:13 -04:00
dbee3cd81b
Address review feedback
2016-06-01 10:36:58 -04:00
4fea41f7e5
Use entry.Type as a criteria for upgrade
2016-06-01 10:30:11 -04:00
99c1e071f3
Remove most Root paths
2016-05-31 23:42:54 +00:00
eefd9acbf0
Set config access test case as an acceptance test and make travis happy
2016-05-31 13:27:34 -04:00
f64987a6cf
Add tests around writing and reading consul access configuration
2016-05-31 13:27:34 -04:00
036e7fa63e
Add reading to consul config, and some better error handling.
2016-05-31 13:27:34 -04:00
a072f2807d
Rename aws as aws-ec2
2016-05-30 14:11:15 -04:00
950c76c020
rename credential/aws as credential/aws-ec2
2016-05-30 14:11:15 -04:00
30fa7f304b
Allow * to be set for allowed_users
2016-05-30 03:12:43 -04:00
971b2cb7b7
Do not allow any username to login if allowed_users is not set
2016-05-30 03:01:47 -04:00
e01bce371d
Merge pull request #1462 from hashicorp/enable-auth-rollbacks
...
Re-enable rollback triggers for auth backends
2016-05-27 15:01:35 -04:00
39fe3200e3
Return nil for pre-0.5.3 Consul tokens to avoid pathological behavior
2016-05-27 13:09:52 -04:00
f035a320d0
Add test for renew/revoke to Consul secret backend
2016-05-27 11:27:53 -04:00
1d94828e45
Re-enable rollback triggers for auth backends
2016-05-26 14:29:41 -04:00
644ac5f5e8
Merge pull request #1456 from hashicorp/consul-lease-renewal
...
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
cfd337d06a
Fix broken cert backend test
2016-05-26 11:06:46 -04:00
05d1da0656
Add comment about the deletions
2016-05-26 10:33:35 -04:00
ccfa8d0567
Remove deprecated entries from PKI role output.
...
Fixes #1452
2016-05-26 10:32:04 -04:00
c0e745dbfa
s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends
2016-05-26 10:21:03 -04:00
2ca846b401
s/logical.ErrorResponse/fmt.Errorf in revocation functions of secrets
2016-05-26 10:04:11 -04:00
70b8530962
Fix the consul secret backends renewal revocation problem
2016-05-25 23:24:16 -04:00
cdfc6b46fd
Update and document rabbitmq test envvars
2016-05-20 23:28:02 -07:00
4eb20e4aa8
Merge remote-tracking branch 'origin/master' into rabbitmq
2016-05-20 23:27:22 -07:00
5783b02e36
Address feedback
2016-05-20 22:57:24 -07:00
8f592f3442
Don't use pointers to int64 in function calls when not necessary
2016-05-19 12:26:02 -04:00
a13807e759
Merge pull request #1318 from steve-jansen/aws-logical-assume-role
...
Add sts:AssumeRole support to the AWS secret backend
2016-05-19 12:17:27 -04:00
1bef0c3584
Merge pull request #1245 from LeonDaniel/master
...
Improved groups search for LDAP login
2016-05-19 12:13:29 -04:00
91b65a893e
Merge pull request #1430 from hashicorp/issue-1428
...
Use Consul API client's DefaultNonPooledTransport.
2016-05-17 20:59:50 -04:00
86e078ff98
Use Consul API client's DefaultNonPooledTransport.
...
What we should probably do is create a client with a mutex and
invalidate it when parameters change rather than creating a client over
and over...that can be a TODO for later but for now this fix suffices.
Fixes #1428
2016-05-18 00:47:42 +00:00
65801942cb
Naming of the locked and nonLocked methods
2016-05-17 20:39:24 -04:00
ed574d63fe
Merge pull request #1416 from shomron/list_ldap_group_mappings
...
Support listing ldap group to policy mappings
2016-05-16 16:22:13 -04:00
792950e16c
Merge pull request #1417 from hashicorp/b-pki-expire-ttl-unset
...
Set entry's TTL before writing out the storage entry's config
2016-05-15 10:02:03 -07:00
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
b0bba6d271
Store clamped TTLs back in the role's config
2016-05-15 08:13:56 -07:00
539475714d
Set entry's TTL before writing out the storage entry's config
2016-05-15 07:06:33 -07:00
b8840ab9eb
Support listing ldap group to policy mappings ( Fixes #1270 )
2016-05-14 20:00:40 -04:00
53fc941761
Merge pull request #1300 from hashicorp/aws-auth-backend
...
AWS EC2 instances authentication backend
2016-05-14 19:42:03 -04:00
4122ed860b
Rename 'role_name' to 'role'
2016-05-13 14:31:13 -04:00
9147f99c43
Remove unused param from checkForValidChain
2016-05-12 15:07:10 -04:00
85d9523f98
Perform CRL checking for non-CA registered certs
2016-05-12 14:37:07 -04:00
be88306f92
Name the files based on changed path patterns
2016-05-12 11:52:07 -04:00
7e8a2d55d0
Update docs and path names to the new patterns
2016-05-12 11:45:10 -04:00
ddcaf26396
Merge branch 'master-oss' into aws-auth-backend
2016-05-10 14:50:00 -04:00
d09748a135
Fix the acceptance tests
2016-05-09 22:07:51 -04:00
95f3f08d29
Call client config internal from the locking method
2016-05-09 21:01:57 -04:00
d899f9d411
Don't revoke CA certificates with leases.
2016-05-09 19:53:28 -04:00
4549625367
Update client code to use internal entry fetching
2016-05-09 23:26:00 +00:00
d77563994c
Merge pull request #1346 from hashicorp/disable-all-caches
...
Disable all caches
2016-05-07 16:33:45 -04:00
597d59962c
Adds sts:AssumeRole support to the AWS secret backend
...
Support use cases where you want to provision STS tokens
using Vault, but, you need to call AWS APIs that are blocked
for federated tokens. For example, STS federated tokens cannot
invoke IAM APIs, such as Terraform scripts containing
`aws_iam_*` resources.
2016-05-05 23:32:41 -04:00
c16b0a4f41
Switch whitelist to use longest max TTL
2016-05-05 20:44:48 -04:00
7a6c76289a
Role tag updates
2016-05-05 15:32:14 -04:00
b58ad615f2
Fix HMAC being overwritten. Also some documentation, and add a lock to role operations
2016-05-05 14:51:09 -04:00
0eddeb5c94
Guard tidy functions
2016-05-05 14:28:46 -04:00
2d4c390f87
More updates to mutexes and adjust blacklisted roletag default safety buffer
2016-05-05 14:12:22 -04:00
8fef6e3ac0
Rename identity whitelist and roletag blacklist api endpoints
2016-05-05 13:34:50 -04:00
c69ba40d05
Move some mutexes around
2016-05-05 12:53:27 -04:00
f689e4712d
Update some mutexes in client config
2016-05-05 12:44:40 -04:00
c15c227774
Fall back to non-base64 cert if it can't be decoded (it's checked later anyways)
2016-05-05 11:36:28 -04:00
25913fb18c
Update commenting
2016-05-05 11:22:36 -04:00
15cbcedf1f
Make the roletag blacklist the longest duration, not least
2016-05-05 11:00:41 -04:00
e45d6c1120
Switch client code to shared awsutil code
2016-05-05 10:40:49 -04:00
4600ca8073
Merge branch 'master-oss' into aws-auth-backend
2016-05-05 10:36:06 -04:00
b6b9cd6f1f
Merge remote-tracking branch 'origin/master' into aws-cred-chain
2016-05-05 10:31:12 -04:00
3e71221839
Merge remote-tracking branch 'origin/master' into aws-auth-backend
2016-05-05 10:04:52 -04:00
92fe94546c
Split SanitizeTTL method to support time.Duration parameters as well
2016-05-05 09:45:48 -04:00
4ede1d6f08
Add the steps to generate the CRL test's test-fixture files
2016-05-04 05:48:34 -04:00
b7c48ba109
Change image/ to a more flexible /role endpoint
2016-05-03 23:36:59 -04:00
1b0df1d46f
Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over
2016-05-03 17:01:02 -04:00
7fbe5d2eaa
Region is required so error in awsutil if not set and set if empty in client code in logical/aws
2016-05-03 15:25:11 -04:00
a244ef8a00
Refactor AWS credential code into a function that returns a static->env->instance chain
2016-05-03 15:10:35 -04:00
45a120f491
Switch our tri-copy ca loading code to go-rootcerts
2016-05-03 12:23:25 -04:00
f21b88802f
Add some more tests around deletion and fix upsert status returning
2016-05-03 00:19:18 -04:00
7e1bdbe924
Massively simplify lock handling based on feedback
2016-05-02 23:47:18 -04:00
7f3613cc6e
Remove some deferring
2016-05-02 22:36:44 -04:00
fa0d389a95
Change use-hint of lockAll and lockPolicy
2016-05-02 22:36:44 -04:00
49c56f05e8
Address review feedback
2016-05-02 22:36:44 -04:00
3e5391aa9c
Switch to lockManager
2016-05-02 22:36:44 -04:00
08b91b776d
Address feedback
2016-05-02 22:36:44 -04:00
fedc8711a7
Fix up commenting and some minor tidbits
2016-05-02 22:36:44 -04:00
fe1f56de40
Make a non-caching but still locking variant of transit for when caches are disabled
2016-05-02 22:36:44 -04:00
9f2a111e85
Allow custom endpoint URLs to be supplied to make EC2 API calls
2016-05-02 17:21:52 -04:00
57e8fcd8c2
Extend the expiry of test-fixture certs of Cert backend
2016-05-02 12:34:46 -04:00
3d1c88f315
Make GitHub org comparison case insensitive.
...
Fixes #1359
2016-05-02 00:18:31 -04:00
1c91f652d4
Remove unnecessary append call
2016-04-30 03:20:21 -04:00
fde768125c
Cert backend, CRL tests
2016-04-29 02:32:48 -04:00
23d8ce62a3
Ensure that the instance is running during renewal
2016-04-28 16:34:35 -04:00
2a2dc0befb
Added allow_instance_migration to the role tag
2016-04-28 11:43:48 -04:00
4161d3ef4f
Change all time references to UTC
2016-04-28 10:19:29 -04:00
e591632630
Fix the deadlock issue
2016-04-28 01:01:33 -04:00
4712533f1d
minor updates
2016-04-28 00:35:49 -04:00
e6a9a5957d
Refactor locks around config tidy endpoints
2016-04-27 22:32:43 -04:00
b75a6e2f0f
Fix locking around config/client
2016-04-27 22:25:15 -04:00
0e97b57beb
Fix the list response of role tags
2016-04-27 22:03:11 -04:00
779d73ce2b
Removed existence check on blacklist/roletags, docs fixes
2016-04-27 21:29:32 -04:00
d44326ded6
Remove unnecessary lock switching around flushCachedEC2Clients
2016-04-27 20:13:56 -04:00
e1080f86ed
Remove recreate parameter from clientEC2
2016-04-27 20:01:39 -04:00
441477f342
Added ami_id to token metadata
2016-04-27 11:32:05 -04:00
b9c96bf7ce
- updated refactored functions in ldap backend to return error instead of ldap response and fixed interrupted search in ldap groups search func
2016-04-27 18:17:54 +03:00
08be31e9ab
- refactored functionality in separate functions in ldap backend and used a separate ldap query to get ldap groups from userDN
2016-04-27 15:00:26 +03:00
7144fd54f9
Added tests
2016-04-26 23:40:11 -04:00
88942b0503
Added tests
2016-04-26 10:22:29 -04:00
5a676a129e
Added tests
2016-04-26 10:22:29 -04:00
e16f256b14
Added tests
2016-04-26 10:22:29 -04:00
3a4021d6c4
Added tests
2016-04-26 10:22:29 -04:00
de1a1be564
tidy endpoint fixes
2016-04-26 10:22:29 -04:00
044d01fd69
HMAC Key per AMI ID and avoided secondary call to AWS to fetch the tags
2016-04-26 10:22:29 -04:00
5996c3e9d8
Rework and refactoring
2016-04-26 10:22:29 -04:00
3aeae62c00
Added mutex locking for config/certificate endpoint
2016-04-26 10:22:29 -04:00
21854776af
Added cooldown period for periodic tidying operation
2016-04-26 10:22:29 -04:00
9aa8fb6cc1
Support periodic tidy callback and config endpoints.
2016-04-26 10:22:29 -04:00
2810196e0f
Use fullsailor/pkcs7 package instead of its fork. Fix tests
2016-04-26 10:22:29 -04:00
5a2e1340df
Removed redundant AWS public certificate. Docs update.
2016-04-26 10:22:29 -04:00
a456f2c3f6
Removed `region` parameter from `config/client` endpoint.
...
Region to create ec2 client objects is fetched from the identity document.
Maintaining a map of cached clients indexed by region.
2016-04-26 10:22:29 -04:00
790b143c75
Instance ID can optionally be accepted as a the role tag parameter.
2016-04-26 10:22:29 -04:00
58c485f519
Support providing multiple certificates.
...
Append all the certificates to the PKCS#7 parser during signature verification.
2016-04-26 10:22:29 -04:00
9d4a7c5901
Docs update
2016-04-26 10:22:29 -04:00
ba9c86c92d
Added acceptance test for login endpoint
2016-04-26 10:22:29 -04:00
c2c1a5eedc
Added test case TestBackend_PathBlacklistRoleTag
2016-04-26 10:22:29 -04:00
85c9176cb4
Return 4xx error at appropriate places
2016-04-26 10:22:29 -04:00
1841ef0ebf
Tested pathImageTag
2016-04-26 10:22:29 -04:00
80e3063334
Tested parseRoleTagValue
2016-04-26 10:22:29 -04:00
dab1a00313
Make client nonce optional even during first login, when disallow_reauthentication is set
2016-04-26 10:22:29 -04:00
e0cf8c5608
Rename 'name' to 'ami_id' for clarity
2016-04-26 10:22:29 -04:00
092feca996
Moved HMAC parsing inside parseRoleTagValue
2016-04-26 10:22:29 -04:00
ddfdf37d33
Properly handle empty client nonce case when disallow_reauthentication is set
2016-04-26 10:22:29 -04:00
b8d9b18193
Added disallow_reauthentication feature
2016-04-26 10:22:29 -04:00
a1d07cbff5
Remove todo and change clientNonce length limit to 128 chars
2016-04-26 10:22:28 -04:00
bb276d350a
Fix typo
2016-04-26 10:22:28 -04:00
a5aadc908d
Add environment and EC2 instance metadata role providers for AWS creds.
2016-04-26 10:22:28 -04:00
012f9273f7
Remove certificate verification
2016-04-26 10:22:28 -04:00
41cc7c4a15
Test path config/certificate
2016-04-26 10:22:28 -04:00
5ff8d0cf96
Add existence check verification to config/client testcase
2016-04-26 10:22:28 -04:00
3286194384
Testing pathImage
2016-04-26 10:22:28 -04:00
a8082a9a6e
allow_instance_reboot -> allow_instance_migration
2016-04-26 10:22:28 -04:00
075a81214e
Update image output to show allow_instance_reboot value and keep policies in a list
2016-04-26 10:22:28 -04:00
91433fedf2
Changed the blacklist URL pattern to optionally accept base64 encoded role tags
2016-04-26 10:22:28 -04:00
efcc07967e
Accept instance_id in the URL for whitelist endpoint
2016-04-26 10:22:28 -04:00
cf56895772
Switch around some logic to be more consistent/readable and respect max
...
TTL on initial token issuance.
2016-04-26 10:22:28 -04:00
338054d49e
Return un-expired entries from blacklist and whitelist
2016-04-26 10:22:28 -04:00
b6bd30b9fb
Test ConfigClient
2016-04-26 10:22:28 -04:00
d3adc85886
AWS EC2 instances authentication backend
2016-04-26 10:22:28 -04:00
81ac4c3fcf
- fixed merge with upstream master
2016-04-26 13:23:43 +03:00
1991aebc0a
Merge remote-tracking branch 'upstream/master'
...
Conflicts:
builtin/credential/ldap/backend.go
2016-04-26 13:16:42 +03:00
30ba5b7887
Merge pull request #1291 from mmickan/ssh-keyinstall-perms
...
Ensure authorized_keys file is readable when uninstalling an ssh key
2016-04-25 14:00:37 -04:00
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
06eeaecef6
Skip acceptance tests if VAULT_ACC is not set
2016-04-11 20:00:15 -04:00
d92b960f7a
Add list support to userpass users. Remove some unneeded existence
...
checks. Remove paths from requiring root.
Fixes #911
2016-04-09 18:28:55 -04:00
dd98b08d36
Do not provide a default lease
2016-04-08 09:50:47 -07:00
eeb145f049
List roles
2016-04-08 09:46:25 -07:00
a86e5e3cd9
Support verify_connection flag
2016-04-08 09:44:15 -07:00
706ed5839e
Fix username generation
2016-04-08 09:32:29 -07:00
e3db8c999e
Merge branch 'master' of github.com:doubledutch/vault
2016-04-08 09:25:28 -07:00
1102863f5a
Update comment
2016-04-08 09:07:06 -07:00
35f49107cd
Fix documentation typo
2016-04-08 09:05:38 -07:00
5460c24b94
Fix documentation typo
2016-04-08 09:05:06 -07:00
070fe56648
Rename uri to connection_uri
2016-04-08 09:04:42 -07:00
48d1f99afb
Merge remote-tracking branch 'upstream/master'
2016-04-08 08:57:10 -07:00
e3a1ee92b5
Utility Enhancements
2016-04-05 20:32:59 -04:00
fd8b023655
s/TF_ACC/VAULT_ACC
2016-04-05 15:24:59 -04:00
95abdebb06
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
a55124f0b6
Ensure authorized_keys file is readable when uninstalling an ssh key
...
Without this change, if the user running the ssh key install script doesn't
have read access to the authorized_keys file when uninstalling a key, all
keys will be deleted from the authorized_keys file.
Fixes GH #1285
2016-04-05 17:26:21 +09:30
7df3ec46b0
Some fixups around error/warning in LDAP
2016-04-02 13:33:00 -04:00
40325b8042
If no group DN is configured, still look for policies on local users and
...
return a warning, rather than just trying to do an LDAP search on an
empty string.
2016-04-02 13:11:36 -04:00
7fd5a679ca
Fix potential error scoping issue.
...
Ping #1262
2016-03-30 19:48:23 -04:00
3cfcd4ddf1
Check for nil connection back from go-ldap, which apparently can happen even with no error
...
Ping #1262
2016-03-29 10:00:04 -04:00
17613f5fcf
Removing debugging comment
2016-03-24 09:48:13 -04:00
4c4a65ebd0
Properly check for policy equivalency during renewal.
...
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.
Fixes #1256
2016-03-24 09:41:51 -04:00
dfc5a745ee
Remove check for using CSR values with non-CA certificate.
...
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.
Fixes #1250
2016-03-23 10:05:38 -04:00
e7942062bd
- updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list
2016-03-21 19:44:08 +02:00
a82114eeb2
- added another method to search LDAP groups by querying the userDN for memberOf attribute
2016-03-21 16:55:38 +02:00
3e3621841d
Merge pull request #1227 from hashicorp/issue-477
...
Don't renew cert-based tokens if the policies have changed.
2016-03-17 18:25:39 -04:00
1951a01998
Add ability to exclude adding the CN to SANs.
...
Fixes #1220
2016-03-17 16:28:40 -04:00
a8dd6aa4f1
Don't renew cert-based tokens if the policies have changed.
...
Also, add cert renewal testing.
Fixes #477
2016-03-17 14:22:24 -04:00
77e4ee76bb
Normalize userpass errors around bad user/pass
2016-03-16 15:19:55 -04:00
8a3f1ad13e
Use 400 instead of 500 for failing to provide a userpass password.
2016-03-16 15:14:28 -04:00
2c0c901eac
Merge pull request #1216 from hashicorp/userpass-update
...
Userpass: Update the password and policies associated to user
2016-03-16 14:58:28 -04:00
f9b1fc3aa0
Add comments to existence functions
2016-03-16 14:53:53 -04:00
1951159b25
Addessing review comments
2016-03-16 14:21:14 -04:00
239ad4ad7e
Refactor updating user values
2016-03-16 13:42:02 -04:00
533b136fe7
Reduce the visibility of setUser
2016-03-16 11:39:52 -04:00
2914ff7502
Use helper for existence check. Avoid panic by fetching default values for field data
2016-03-16 11:26:33 -04:00
7db7b47fdd
Merge pull request #1210 from hashicorp/audit-id-path
...
Rename id to path and path to file_path, print audit backend paths
2016-03-15 20:13:21 -04:00
39a0c8e91f
Read from 'path' to retain backward compatibility
2016-03-15 20:05:51 -04:00
1e889bc08c
Input validations and field renaming
2016-03-15 17:47:13 -04:00
a0958c9359
Refactor updating and creating userEntry into a helper function
2016-03-15 17:32:39 -04:00
acd545f1ed
Fetch and store UserEntry to properly handle both create and update
2016-03-15 17:05:23 -04:00
9609fe151b
Change path structure of password and policies endpoints in userpass
2016-03-15 16:46:12 -04:00
8be36b6925
Reuse the variable instead of fetching 'name' again
2016-03-15 16:21:47 -04:00
61b4cac458
Added paths to update policies and password
2016-03-15 16:12:55 -04:00
731bb97db5
Tests for updating password and policies in userpass backend
2016-03-15 16:09:23 -04:00
b7eb0a97e5
Userpass: Support updating policies and password
2016-03-15 15:18:21 -04:00
8aaf29b78d
Add forgotten test
2016-03-15 14:18:35 -04:00
8bf935bc2b
Add list support to certs in cert auth backend.
...
Fixes #1212
2016-03-15 14:07:40 -04:00
71fc07833f
Rename id to path and path to file_path, print audit backend paths
2016-03-14 17:15:07 -04:00
d648306d52
Add the ability to specify the app-id in the login path.
...
This makes it easier to use prefix revocation for tokens.
Ping #424
2016-03-14 16:24:01 -04:00
9bfd24cd69
s/hash_accessor/hmac_accessor/g
2016-03-14 14:52:29 -04:00
ea108fba18
Use accessor being set as the condition to restore non-hashed values
2016-03-14 11:23:30 -04:00
e09819fedc
Added hash_accessor option to audit backends
2016-03-11 19:28:06 -05:00
343e6f1671
Merge pull request #998 from chrishoffman/mssql
...
Sql Server (mssql) secret backend
2016-03-10 22:30:24 -05:00
b1703fb18d
Cleaning up lease and lease duration vars and params
2016-03-10 21:15:18 -05:00
ba94451875
Removing root protected endpoints
2016-03-10 21:08:39 -05:00
dc7da4f4e8
Changing DROP USER query to a more compatible version
2016-03-10 21:06:50 -05:00
5af33afd90
Adding verify_connection to config, docs updates, misc cleanup
2016-03-09 23:08:05 -05:00
a6d8fc9d98
Merge pull request #1190 from grunzwei/master
...
fix github tests to use the provided GITHUB_ORG environment variable
2016-03-09 09:51:28 -05:00
ae469cc796
fix github tests to use the provided GITHUB_ORG environment variable
...
(tests fail for non hashicorp people)
2016-03-09 15:34:03 +02:00
7a9122bbd1
Sanitize serial number in revocation path.
...
Ping #1180
2016-03-08 10:51:59 -05:00
34a9cb1a70
Add serial_number back to path_issue_sign responses in PKI
2016-03-08 09:25:48 -05:00
5a17735dcb
Add subject/authority key id to cert metadata
2016-03-07 14:59:00 -05:00
11dc3f328f
Add revocation information to PKI fetch output (non-raw only).
...
Fixes #1180
2016-03-07 10:57:38 -05:00
vishalnayak