802d030506
Refactor cert_util_test
2017-04-27 17:09:59 -04:00
b5990321bf
Verify update operation was performed on revokeCert
2017-04-27 12:30:44 -04:00
3b27a9c12c
Rename tests, use HandleRequest() for existing paths
2017-04-27 09:47:56 -04:00
53752c3002
Add check to ensure we don't overwrite existing connections
2017-04-26 16:43:42 -07:00
081101c7cf
Add an error check to reset a plugin if it is closed
2017-04-26 15:55:34 -07:00
d0cad5345a
Update to a RWMutex
2017-04-26 15:23:14 -07:00
628e5d594b
Add remaining tests
2017-04-26 16:05:58 -04:00
4782d9d2af
Update the error messages for renew and revoke
2017-04-26 10:29:16 -07:00
892812d67d
Change ttl types to TypeDurationSecond
2017-04-26 10:02:37 -07:00
d24757f2e0
Fix crl_util test
2017-04-26 09:58:34 -04:00
18ed2d6097
Tests for cert and crl util
2017-04-26 02:46:01 -04:00
e3e5f12f9e
Default deny when allowed roles is empty
2017-04-25 11:48:24 -07:00
207d01fd39
Update the connection details data and fix allowedRoles
2017-04-25 11:11:10 -07:00
eb0f831d6a
Rename path_role_create to path_creds_create
2017-04-25 10:39:17 -07:00
3d3e4eb5a4
Use TypeCommaStringSlice for allowed_roles
2017-04-25 10:26:23 -07:00
bed1c17b1e
Update logging to new structure
2017-04-25 10:24:19 -07:00
f25b367732
Don't uppercase ErrorResponses
2017-04-24 14:03:48 -07:00
378ae98809
s/DatabaseType/Database/
2017-04-24 13:59:12 -07:00
e06a78a474
Create unified aws auth backend ( #2441 )
...
* Rename builtin/credential/aws-ec2 to aws
The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.
* Expand aws-ec2 backend to more generic aws
This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.
* Add missing aws auth handler to CLI
This was omitted from the previous commit
* aws auth backend general variable name cleanup
Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.
* Update docs for the aws auth backend
* Refactor aws bind validation
* Fix env var override in aws backend test
Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.
* Update docs on use of IAM authentication profile
AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.
* Fix typo in aws auth cli help
* Respond to PR feedback
* More PR feedback
* Respond to additional PR feedback
* Address more feedback on aws auth PR
* Make aws auth_type immutable per role
* Address more aws auth PR feedback
* Address more iam auth PR feedback
* Rename aws-ec2.html.md to aws.html.md
Per PR feedback, to go along with new backend name.
* Add MountType to logical.Request
* Make default aws auth_type dependent upon MountType
When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.
* Pass MountPoint and MountType back up to the core
Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
6f9d178370
Calls to builtin plugins now go directly to the implementation instead of go-plugin
2017-04-20 18:46:41 -07:00
af9ff63e9a
Merge remote-tracking branch 'oss/master' into database-refactor
2017-04-19 15:16:00 -07:00
847c86f788
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
938eab37b6
Do not lowercase groups attached to users in ldap ( #2613 )
2017-04-19 10:36:45 -04:00
2ee593c6ea
Mssql driver update ( #2610 )
...
* Switching driver from mssql to sqlserver
* Adding explicit database to sp_msloginmappings call
2017-04-18 17:49:59 -04:00
4995c69763
Update sign-verbatim to correctly set generate_lease ( #2593 )
2017-04-18 15:54:31 -04:00
a051ec1b59
Use service bind for searching LDAP groups ( #2534 )
...
Fixes #2387
2017-04-18 15:52:05 -04:00
0897da93f0
Parse and dedup but do not lowercase principals in SSH certs. ( #2591 )
2017-04-18 12:21:02 -04:00
822d86ad90
Change storage of entries from colons to hyphens and add a
...
lookup/migration path
Still TODO: tests on migration path
Fixes #2552
2017-04-18 11:14:23 -04:00
e8adc13826
Fix cassandra dep breakage
2017-04-17 11:51:42 -04:00
09cd069435
Consider new bounds as a criteria to allow role creation ( #2600 )
...
* Consider new bounds as a criteria to allow role creation
* Added a test
2017-04-17 10:36:11 -04:00
79fb8bdf69
Verify that a CSR specifies IP SANs before checking whether it's allowed ( #2574 )
2017-04-13 13:40:31 -04:00
883c80540a
Add allowed_roles parameter and checks
2017-04-13 10:33:34 -07:00
0cfe1ea81c
Cleanup path files
2017-04-12 17:35:02 -07:00
a9a05f5bba
Update Type() to return an error
2017-04-12 16:41:06 -07:00
8ccf10641b
Merge branch 'master' into database-refactor
2017-04-12 14:29:10 -07:00
128f25c13d
Update help text and comments
2017-04-11 11:50:34 -07:00
c85b7be22f
Remove unnecessary abstraction
2017-04-10 18:38:34 -07:00
8071aed758
Mlock the plugin process
2017-04-10 17:12:52 -07:00
f6ff3b1146
Add a flag to tell plugins to verify the connection was successful
2017-04-10 15:36:59 -07:00
db91a80540
Update plugin test
2017-04-10 14:12:28 -07:00
bbbd81220c
Update the interface for plugins removing functions for creating creds
2017-04-10 12:24:16 -07:00
459e3eda4e
Update backend tests
2017-04-10 10:35:16 -07:00
93136ea51e
Add backend test
2017-04-07 15:50:03 -07:00
2117dfd717
implement a no_store option for pki roles ( #2565 )
2017-04-07 11:25:47 -07:00
f805618a2c
Update SSH CA documentation
...
Fixes #2551
Fixes #2569
2017-04-07 11:59:25 -04:00
62d59e5f4e
Move plugin code into sub directory
2017-04-06 12:20:10 -07:00
ca2c3d0c53
Refactor to use builtin plugins from an external repo
2017-04-05 16:20:31 -07:00
2255884a4c
Do not mark conn as initialized until the end ( #2567 )
2017-04-04 14:26:59 -07:00
305ccd54f7
Don't return strings, always structs
2017-04-04 11:33:58 -07:00
9dd666c7e6
Database refactor invalidate ( #2566 )
...
* WIP on invalidate function
* cassandraConnectionProducer has Close()
* Delete database from connections map on successful db.Close()
* Move clear connection into its own func
* Use const for database config path
2017-04-04 11:32:42 -07:00
049e086b07
Fix typo. Closes GH-2528
2017-04-04 12:29:18 -04:00
709389dd36
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
...
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
b506bd7790
On change of configuration rotate the database type
2017-04-03 18:30:38 -07:00
d7dd0ab35c
Merge branch 'database-refactor' of github.com:hashicorp/vault into database-refactor
2017-04-03 17:52:41 -07:00
e8781b6a2b
Plugin catalog
2017-04-03 17:52:29 -07:00
aa15a1d3a9
Database refactor mssql ( #2562 )
...
* WIP on mssql secret backend refactor
* Add RevokeUser test, and use sqlserver driver internally
* Remove debug statements
* Fix code comment
2017-04-03 09:59:30 -07:00
210fa77e3c
fix for plugin commands that have more than one paramater
2017-03-28 14:37:57 -07:00
50729a4528
Add comments to connection and credential producers
2017-03-28 13:08:11 -07:00
b09526e1c9
Cleanup the db factory code and add comments
2017-03-28 12:57:30 -07:00
6b877039e7
Update tests
2017-03-28 12:20:17 -07:00
c50a6ebc39
Add functionaility to build db objects from disk so restarts work
2017-03-28 11:30:45 -07:00
02b0230f19
Fix for checking types of database on update
2017-03-28 10:04:42 -07:00
494f963581
Wrap the database calls with tracing information
2017-03-27 15:17:28 -07:00
2799586f45
Remove the unused sync.Once object
2017-03-27 11:46:20 -07:00
29ae4602dc
More work on getting tests to pass
2017-03-23 15:54:15 -07:00
c0223d888e
Remove unsused code block
2017-03-22 17:09:39 -07:00
1068076703
s/postgres/mysql/
2017-03-22 16:44:33 -07:00
dac1bb210b
Add test files for postgres and mysql databases
2017-03-22 16:39:08 -07:00
ae9961b811
Add a error message for empty creation statement
2017-03-22 12:40:16 -07:00
c55bef85d3
Fix race with deleting the connection
2017-03-22 09:54:19 -07:00
85ef468d46
Add a delete method
2017-03-21 17:19:30 -07:00
83ff132705
Verify connections regardless of if this connections is already existing
2017-03-21 16:05:59 -07:00
003ef004c6
sshca: ensure atleast cert type is allowed ( #2508 )
2017-03-19 18:58:48 -04:00
a4e5e0f8c9
Comment and fix plugin Type function
2017-03-16 18:24:56 -07:00
417770a58f
Change the handshake config from the default
2017-03-16 17:51:25 -07:00
2873825848
Add a secure config to verify the checksum of the plugin
2017-03-16 16:20:18 -07:00
f2df4ef0e7
Comment and slight refactor of the TLS plugin helper
2017-03-16 14:14:49 -07:00
0a52ea5c69
Break tls code into helper library
2017-03-16 11:55:21 -07:00
24886c1006
Ensure CN check is made when exclude_cn_from_sans is used
...
Fixes #2363
2017-03-16 11:41:13 -04:00
ae8967d635
Always include a hash of the public key and "vault" (to know where it ( #2498 )
...
came from) when generating a cert for SSH.
Follow on from #2494
2017-03-16 11:14:17 -04:00
95df7beed9
Adding allow_user_key_ids field to SSH role config ( #2494 )
...
Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name. Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.
2017-03-16 08:45:11 -04:00
eb6117cbb2
Work on TLS communication over plugins
2017-03-15 17:14:48 -07:00
12e5132779
Allow roles to specify whether CSR SANs should be used instead of ( #2489 )
...
request values. Fix up some documentation.
Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
7ab6844eb4
Set CA chain when intermediate does not have an authority key ID.
...
This is essentially an approved review of the code provided in #2465 .
Fixes #2465
2017-03-15 11:52:02 -04:00
3ecb344878
wrap plugin database type with metrics middleware
2017-03-14 13:12:47 -07:00
822a3eb20a
Add a metrics middleware
2017-03-14 13:11:28 -07:00
662b372364
Reads on unconfigured SSH CA public key return 400
2017-03-14 10:21:48 -04:00
7d59d7d3ac
Reads on ssh/config/ca return the public keys
...
If configured/generated.
2017-03-14 10:21:48 -04:00
830de2dbbd
If generating an SSH CA signing key - return the public part
...
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
2017-03-14 10:21:48 -04:00
2054fff890
Add a way to initalize plugins and builtin databases the same way.
2017-03-13 14:39:55 -07:00
71b81aad23
Add checksum attribute
2017-03-10 14:10:42 -08:00
a11911d4d4
Rename reset to close
2017-03-09 22:35:45 -08:00
fda45f531d
Add special path to enforce root on plugin configuration
2017-03-09 21:31:29 -08:00
748c70cfb4
Add plugin file
2017-03-09 17:43:58 -08:00
9099231229
Add plugin features
2017-03-09 17:43:37 -08:00
220beb2cde
doc: ssh allowed_users update ( #2462 )
...
* doc: ssh allowed_users update
* added some more context in default_user field
2017-03-09 10:34:55 -05:00
f085cd71ab
Fix typo
2017-03-08 17:49:39 -05:00
b7128f8370
Update secrets fields
2017-03-08 14:46:53 -08:00
766c2e6ee0
SSH CA enhancements ( #2442 )
...
* Use constants for storage paths
* Upgrade path for public key storage
* Fix calculateValidPrincipals, upgrade ca_private_key, and other changes
* Remove a print statement
* Added tests for upgrade case
* Make exporting consistent in creation bundle
* unexporting and constants
* Move keys into a struct instead of plain string
* minor changes
2017-03-08 17:36:21 -05:00
2fb6bf9882
Fix renew and revoke calls
2017-03-07 17:21:44 -08:00
b7c3b4b0d7
Add defaults to the cassandra databse type
2017-03-07 17:00:52 -08:00
3976a2a0a6
Pass statements object
2017-03-07 16:48:17 -08:00
843d584254
Remove unused sql object
2017-03-07 15:34:23 -08:00
919155ab12
Remove double lock
2017-03-07 15:33:05 -08:00
c959882b93
Update locking functionaility
2017-03-07 13:48:29 -08:00
3d162b63cc
Use locks in a slice rather than a map, which is faster and makes things cleaner ( #2446 )
2017-03-07 11:21:32 -05:00
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
bc53e119ca
rename mysql variable
2017-03-03 15:07:41 -08:00
bba832e6bf
Make db instances immutable and add a reset path to tear down and create a new database instance with an updated config
2017-03-03 14:38:49 -08:00
29e07ac9e8
Fix mysql connections
2017-03-03 14:38:49 -08:00
24ddea9954
Add mysql into the factory
2017-03-03 14:38:48 -08:00
8e8f260d96
Add max connection lifetime param and set consistancy on cassandra session
2017-03-03 14:38:48 -08:00
1f009518cd
s/Statement/Statements/
2017-03-03 14:38:48 -08:00
46aa7142c1
Add mysql database type
2017-03-03 14:38:48 -08:00
2ec5ab5616
More work on refactor and cassandra database
2017-03-03 14:38:48 -08:00
acdcd79af3
Begin work on database refactor
2017-03-03 14:38:48 -08:00
4b81bcb379
ssh: Added DeleteOperation to config/ca ( #2434 )
...
* ssh: Added DeleteOperation to config/ca
* Address review feedback
2017-03-03 10:19:45 -05:00
491a56fe9f
AppRole: Support restricted use tokens ( #2435 )
...
* approle: added token_num_uses to the role
* approle: added RUD tests for token_num_uses on role
* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
55e69277ce
Update SSH CA logic/tests
2017-03-02 16:39:22 -05:00
a1331278ff
Refactor the generate_signing_key processing ( #2430 )
2017-03-02 16:22:06 -05:00
fa474924aa
Update error text to make it more obvious what the issue is when valid principals aren't found
2017-03-02 15:56:08 -05:00
eca68d5913
Fix a bunch of errors from returning 5xx, and parse more duration types
2017-03-02 15:38:34 -05:00
70bfdb5ae9
Changes from code review
2017-03-02 14:36:13 -05:00
36b3d89604
Allow internal generation of the signing SSH key pair
2017-03-02 14:36:13 -05:00
3795d2ea64
Rework ssh ca ( #2419 )
...
* docs: input format for default_critical_options and default_extensions
* s/sshca/ssh
* Added default_critical_options and default_extensions to the read endpoint of role
* Change default time return value to 0
2017-03-01 15:50:23 -05:00
9f75f84175
Changes from code review
...
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
2017-03-01 15:19:18 -05:00
ff1ff02bd7
Changes from code review
...
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
2017-03-01 15:19:18 -05:00
099d561b20
Add ability to create SSH certificates
2017-03-01 15:19:18 -05:00
47f8478a97
Fix github compile breakage after dep upgrade
2017-02-24 15:32:05 -05:00
b762c43fe2
Aws Ec2 additional binds for SubnetID, VpcID and Region ( #2407 )
...
* awsec2: Added bound_region
* awsec2: Added bound_subnet_id and bound_vpc_id
* Add bound_subnet_id and bound_vpc_id to docs
* Remove fmt.Printf
* Added crud test for aws ec2 role
* Address review feedback
2017-02-24 14:19:10 -05:00
2e911fc650
Fix broken build caused due to resolve merge conflicts
2017-02-24 12:41:20 -05:00
c6f138bb9a
PKI: Role switch to control lease generation ( #2403 )
...
* pki: Make generation of leases optional
* pki: add tests for upgrading generate_lease
* pki: add tests for leased and non-leased certs
* docs++ pki generate_lease
* Generate lease is applicable for both issuing and signing
* pki: fix tests
* Address review feedback
* Address review feedback
2017-02-24 12:12:40 -05:00
01f3056b8b
pki: Include private_key_type on DER-formatted responses from /pki/issue/ ( #2405 )
2017-02-24 11:17:59 -05:00
c81582fea0
More porting from rep ( #2388 )
...
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
0c39b613c8
Port some replication bits to OSS ( #2386 )
2017-02-16 15:15:02 -05:00
d7a6ec8d43
Add some repcluster handling to audit and add some tests ( #2384 )
...
* Add some repcluster handling to audit and add some tests
* Fix incorrect assumption about nil auth
2017-02-16 13:09:53 -05:00
c96fe56d44
Fix copypasta, thanks tests
2017-02-16 01:32:39 -05:00
817bec0955
Add Organization support to PKI backend. ( #2380 )
...
Fixes #2369
2017-02-16 01:04:29 -05:00
eb4ef0f6e0
cidrutil: added test data points ( #2378 )
2017-02-16 00:51:02 -05:00
81c95b36eb
aws-ec2 auth: Return the role period in seconds ( #2374 )
...
* aws-ec2 auth: Return the role period in seconds
* cast return values to int64 for comparison with expected values
2017-02-15 10:57:57 -05:00
04b4a6aa50
Fix Okta auth issue when a user has no policies and/or groups set. ( #2371 )
...
Fixes #2367
2017-02-14 16:28:16 -05:00
ca06bc0b53
audit: support a configurable prefix string to write before each message ( #2359 )
...
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
2017-02-10 16:56:28 -08:00
2bbc247ab4
use net.JoinHostPort
2017-02-08 18:39:09 -05:00
72db329d67
Add support for backup/multiple LDAP URLs. ( #2350 )
2017-02-08 14:59:24 -08:00
a217be589c
Merge pull request #2154 from fcantournet/default-ldap-username
...
ldap auth via cli defaults username to env (#2137 )
2017-02-07 21:47:59 -08:00
a2f07acbc4
Use Getenv instead of LookupEnv
...
This prevents returning empty username if LOGNAME is set but empty and USER is set but not empty.
2017-02-07 21:47:06 -08:00
f05b482e46
Update error text
2017-02-07 21:44:23 -08:00
8f957579d8
Update some help text for RADIUS
2017-02-07 16:06:27 -05:00
29d9d5676e
RADIUS Authentication Backend ( #2268 )
2017-02-07 16:04:27 -05:00
2923934813
Merge pull request #2326 from hashicorp/pr-2161
...
Add Socket Audit Backend
2017-02-07 11:27:25 -08:00
7f2717b74a
transit: change batch input format ( #2331 )
...
* transit: change batch input format
* transit: no json-in-json for batch response
* docs: transit: update batch input format
* transit: fix tests after changing response format
2017-02-06 14:56:16 -05:00
09049c2787
Added a single retry after a reconnection
2017-02-06 11:38:38 -08:00
af1847f2b4
Update the docs and move the logic for reconnecting into its own function
2017-02-04 16:55:17 -08:00
5de633fd27
Make userpass help text mention radius too
2017-02-04 07:48:30 -05:00
a8ea05f365
Add default mount param to userpass cli handler
2017-02-04 07:47:09 -05:00
b38eeec96a
Add write deadline and a Reload function
2017-02-02 15:44:56 -08:00
b09077c2d8
add socket audit backend
2017-02-02 14:21:48 -08:00
6701ba8a10
Configure the request headers that are output to the audit log ( #2321 )
...
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited
* Remove some debug lines
* Add a persistant layer and refactor a bit
* update the api endpoints to be more restful
* Add comments and clean up a few functions
* Remove unneeded hash structure functionaility
* Fix existing tests
* Add tests
* Add test for Applying the header config
* Add Benchmark for the ApplyConfig method
* ResetTimer on the benchmark:
* Update the headers comment
* Add test for audit broker
* Use hyphens instead of camel case
* Add size paramater to the allocation of the result map
* Fix the tests for the audit broker
* PR feedback
* update the path and permissions on config/* paths
* Add docs file
* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
5fb28f53cb
Transit: Support batch encryption and decryption ( #2143 )
...
* Transit: Support batch encryption
* Address review feedback
* Make the normal flow go through as a batch request
* Transit: Error out if encryption fails during batch processing
* Transit: Infer the 'derived' parameter based on 'context' being set
* Transit: Batch encryption doc updates
* Transit: Return a JSON string instead of []byte
* Transit: Add batch encryption tests
* Remove plaintext empty check
* Added tests for batch encryption, more coming..
* Added more batch encryption tests
* Check for base64 decoding of plaintext before encrypting
* Transit: Support batch decryption
* Transit: Added tests for batch decryption
* Transit: Doc update for batch decryption
* Transit: Sync the path-help and website docs for decrypt endpoint
* Add batch processing for rewrap
* transit: input validation for context
* transit: add rewrap batch option to docs
* Remove unnecessary variables from test
* transit: Added tests for rewrap use cases
* Address review feedback
* Address review feedback
* Address review feedback
* transit: move input checking out of critical path
* transit: allow empty plaintexts for batch encryption
* transit: use common structs for batch processing
* transit: avoid duplicate creation of structs; add omitempty to response structs
* transit: address review feedback
* transit: fix tests
* address review feedback
* transit: fix tests
* transit: rewrap encrypt user error should not error out
* transit: error out for internal errors
2017-02-02 14:24:20 -05:00
3457a11afd
awsec2: support periodic tokens ( #2324 )
...
* awsec2: support periodic tokens
* awsec2: add api docs for 'period'
2017-02-02 13:28:01 -05:00
14fcc4b6eb
approle: secret-id listing lock sanity check ( #2315 )
...
* approle: secret-id listing lock sanity
* Skip processing an empty secretIDHMAC item during the iteration
* approle: use dedicated lock for listing of secret-id-accessors
2017-02-01 18:13:49 -05:00
0548555219
Support for Cross-Account AWS Auth ( #2148 )
2017-02-01 14:16:03 -05:00
47274eca88
Add cleanup functions to multiple DB backends. ( #2313 )
...
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
f1a5a858d3
Make export errors a bit more meaningful
2017-01-30 09:25:50 -05:00
2e15dc93df
Have transit exporting return the same structure regardless of one key or many
2017-01-28 10:37:35 -05:00
6033ea884c
Okta implementation ( #1966 )
2017-01-26 19:08:52 -05:00
e788780709
Migrate cassandra test from acceptance to dockertest ( #2295 )
2017-01-25 15:37:55 -05:00
f43a041bf2
Revert "Disable PKI OU tests to fix the build"
...
This reverts commit b1ab7c5603180af9073caab1b3022ca438dc12be.
2017-01-24 09:58:28 -05:00
c8b6ab7223
Disable PKI OU tests to fix the build
2017-01-24 06:25:56 -05:00
98df700495
allow roles to set OU value in certificates issued by the pki backend ( #2251 )
2017-01-23 12:44:45 -05:00
7568a212b1
Adding support for exportable transit keys ( #2133 )
2017-01-23 11:04:43 -05:00
5aba2d47b6
ldap: Minor enhancements, tests and doc update ( #2272 )
2017-01-23 10:56:43 -05:00
fa7d61baa3
Merge pull request #2202 from fcantournet/fix_govet_fatalf
...
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
1d7ded02b4
Merge pull request #2152 from mr-tron/master
...
Thanks for submitting this. I am going to merge this in and write tests.
2017-01-13 14:29:46 -05:00
e019cca4ea
Merge pull request #2257 from bkrodgers/git-config-read
...
Added a 'read' for github config
2017-01-11 12:23:00 -05:00
f33d35f3de
Added a nil check for config and renamed org field internally.
2017-01-11 11:04:15 -06:00
cb8bbc4fbd
Transit key actions ( #2254 )
...
* add supports_* for transit key reads
* update transit docs with new supports_* fields
2017-01-11 10:05:06 -06:00
a8f12dff01
Added a 'read' for github config
2017-01-10 18:21:31 -06:00
78dacc154a
sign-verbatim should set use_csr_common_name to true ( #2243 )
2017-01-10 09:47:59 -05:00
80dc5819d3
Use dockertest.v2 ( #2247 )
...
New dockertest has a totally different API and will require some serious
refactoring. This will tide over until then by pinning the API version.
2017-01-09 13:46:54 -05:00
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
1816446f46
Address review feedback
2016-12-20 11:19:47 -05:00
b3e323bbcc
pki: Avoiding a storage read
2016-12-20 11:07:20 -05:00
db5e0bb3c3
Minor cleanup in audit backend ( #2194 )
2016-12-19 15:35:55 -05:00
2e23f1a992
pki: Appended error to error message
2016-12-19 10:49:32 -05:00
ba1cc709bd
PKI: Added error to the error message
2016-12-19 10:47:29 -05:00
bb54bd40f6
normalize some capitlization in error messages
2016-12-15 19:02:33 -05:00
8fff7daf51
Don't panic when TLS is enabled but the initial dial doesn't return a connection ( #2188 )
...
Related to #2186
2016-12-15 15:49:30 -05:00
e818efde7c
ldap auth via cli defaults username to env ( #2137 )
...
try to guess the username from 'LOGNAME' or if it isn't set 'USER'
2016-12-02 19:08:32 +01:00
6ee61af87f
Fix nil value panic when Consul returns a user error ( #2145 )
2016-12-01 10:22:32 -08:00
3d66907966
Disallow passwords LDAP binds by default ( #2103 )
2016-12-01 10:11:40 -08:00
2797c609b0
fix checking that users policies is not nil
2016-11-29 16:35:49 +03:00
cc374b3e2c
add support per user acl for ldap users
2016-11-29 13:32:59 +03:00
5eaef287a8
Close ldap connection to avoid leak ( #2130 )
2016-11-28 09:31:36 -08:00
890c19312f
Update path help for approle secret id TTL
2016-11-15 11:50:51 -05:00
637414a623
Added support for individual user policy mapping in github auth backend. ( #2079 )
2016-11-10 16:21:14 -05:00
ba3dc07bb3
Fix typo and remove trailing whitespace. ( #2074 )
2016-11-08 09:32:23 -05:00
aa68041231
Fix GitHub tests
2016-11-08 07:13:42 -05:00
50c8af0515
Add ldap tls_max_version config ( #2060 )
2016-11-07 13:43:39 -05:00
26fa2655b1
Add listing to Consul secret roles ( #2065 )
2016-11-04 12:35:16 -04:00
65f0ce8ca3
Remove the sanity check which is not proving to be useful
2016-10-27 19:11:26 -04:00
dc93e57cf1
Return the revocation_sql from role read all the time
2016-10-27 12:24:31 -04:00
e0fb8c17ce
Added revocation_sql to the website docs
2016-10-27 12:15:08 -04:00
c14a6c8666
Move policy test to keysutil package
2016-10-26 19:57:28 -04:00
6d1e1a3ba5
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 19:52:31 -04:00
79d45355c8
Merge pull request #2004 from hashicorp/role-id-update
...
Fix regression caused by not creating a role_id secondary index
2016-10-26 16:29:46 -04:00
931c96d1ba
ssh: Use temporary file to store the identity file
2016-10-18 12:50:12 -04:00
6dd560d9c6
Merge pull request #2005 from hashicorp/dedup-ldap-policies
...
Deduplicate the policies in ldap backend
2016-10-18 10:42:11 -04:00
4b6e82afcb
Add ability to list keys in transit backend ( #1987 )
2016-10-18 10:13:01 -04:00
2ce8bc95eb
Deduplicate the policies in ldap backend
2016-10-14 17:20:50 -04:00
1487dce475
Fix regression caused by not creating a role_id secondary index
2016-10-14 12:56:29 -04:00
dcf44a8fc7
Merge pull request #1980 from hashicorp/audit-update
...
Audit file update
2016-10-10 14:34:53 -04:00
0da9d1ac0c
test updates to address feedback
2016-10-10 12:58:30 -04:00
5ce9737eb4
address feedback
2016-10-10 12:16:55 -04:00
962a383bfb
address latest feedback
2016-10-10 11:58:26 -04:00
290ccee990
minor fix
2016-10-10 10:05:36 -04:00
9fc5a37e84
address feedback
2016-10-09 22:23:30 -04:00
05519a1267
adding unit tests for file mode
2016-10-09 00:33:24 -04:00
e5a7e3d6cb
initial commit to fix empty consistency option issue
2016-10-08 20:22:26 -04:00
1b8d12fe82
changes for 'mode'
2016-10-08 19:52:49 -04:00
60ceea5532
initial commit for adding audit file permission changes
2016-10-07 15:09:32 -04:00
c45ab41b39
Update aws-ec2 configuration help
...
Updated to reflect enhanced functionality and clarify necessary
permissions.
2016-10-05 12:40:58 -07:00
70a9fc47b4
Don't use quoted identifier for the username
2016-10-05 14:31:19 -04:00
7f9a88d8db
Postgres revocation sql, beta mode ( #1972 )
2016-10-05 13:52:59 -04:00
de5dec6b15
Refactor mysql's revoke SQL
2016-10-04 19:30:25 -04:00
1ab7023483
Merge pull request #1914 from jpweber/mysql-revoke
...
Mysql revoke with non-wildcard hosts
2016-10-04 17:44:15 -04:00
87f206b536
removed an unused ok variable. Added warning and force use for default queries if role is nil
2016-10-04 17:15:29 -04:00
0f8c132ede
Minor doc updates
2016-10-04 15:46:09 -04:00
2e1aa80f31
Address review feedback 2
2016-10-04 15:30:42 -04:00
59475d7f14
Address review feedback
2016-10-04 15:05:44 -04:00
cc38f3253a
fixed an incorrect assignment
2016-10-03 21:51:40 -04:00
348a09e05f
Add only relevant certificates
2016-10-03 20:34:28 -04:00
dbd364453e
aws-ec2 config endpoints support type option to distinguish certs
2016-10-03 20:25:07 -04:00
ac78ddc178
More resilient around cases of missing role names and using the default when needed.
2016-10-03 20:20:00 -04:00
b105f8ccf3
Authenticate aws-ec2 instances using identity document and its RSA signature
2016-10-03 18:57:41 -04:00
0a7f1089ca
Refactored logic some to make sure we can always fall back to default revoke statments
...
Changed rolename to role
made default sql revoke statments a const
2016-10-03 15:59:56 -04:00
704fccaf2e
fixed some more issues I had with the tests.
2016-10-03 15:58:09 -04:00
a2d6624a69
renamed rolname to role
2016-10-03 15:57:47 -04:00
bfb0c2d3ff
Reduced duplicated code and fixed comments and simple variable name mistakes
2016-10-03 14:53:05 -04:00
bb70ecc5a7
Added test for revoking mysql user with wild card host and non-wildcard host
2016-10-02 22:28:54 -04:00
dbb00534d9
saving role name to the Secret Internal data. Default revoke query added
...
The rolename is now saved to the secret internal data for fetching
later during the user revocation process. No longer deriving the role
name from request path
Added support for default revoke SQL statements that will provide the
same functionality as before. If not revoke SQL statements are provided
the default statements are used.
Cleaned up personal ignores from the .gitignore file
2016-10-02 18:53:16 -04:00
6d00f0c483
Adds HUP support for audit log files to close and reopen. ( #1953 )
...
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.
As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
4c74b646fe
Merge pull request #1947 from hashicorp/secret-id-lookup-delete
...
Introduce lookup and destroy endpoints for secret IDs and its accessors
2016-09-29 10:19:54 -04:00
34e76f8b41
Added website docs for lookup and destroy APIs
2016-09-28 22:11:48 -04:00
d20819949c
Make secret-id reading and deleting, a POST op instead of GET
2016-09-28 20:22:37 -04:00
2dd1f584e6
Update documentation for required AWS API permissions
...
In order for Vault to map IAM instance profiles to roles, Vault
must query the 'iam:GetInstanceProfile' API, so update the documentation
and help to include the additional permissions needed.
2016-09-28 16:50:20 -07:00
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
5adfaa0d7d
Merge pull request #1939 from hashicorp/secret-id-upgrade
...
Respond secret_id_num_uses and deprecate SecretIDNumUses
2016-09-28 18:16:07 -04:00
e9142f418a
Added todo to remind removal of upgrade code
2016-09-28 18:17:13 -04:00
e01f99f042
Check for prefix match instead of exact match for IAM bound parameters
2016-09-28 18:08:28 -04:00
21d9731286
Don't reset the deprecated value yet
2016-09-28 15:48:50 -04:00
4a30a6b4f8
Merge pull request #1913 from hashicorp/bound-iam-instance-profile-arn
...
Proper naming for bound_iam_instance_profile_arn
2016-09-28 15:34:56 -04:00
31e450a175
Add some validation checks
2016-09-28 15:36:02 -04:00
9eabf75f5f
Fix the misplaced response warning
2016-09-28 14:20:03 -04:00
a2338f5970
Added testcase to check secret_id_num_uses
2016-09-28 13:58:53 -04:00
ba1d238f9b
Pull out reading and storing of secret ID into separate functions and handle upgrade properly
2016-09-28 12:42:26 -04:00
010293ccc3
Merge pull request #1931 from hashicorp/cass-consistency
...
Adding consistency into cassandra
2016-09-27 21:12:02 -04:00
d235acf809
Adding support for chained intermediate CAs in pki backend ( #1694 )
2016-09-27 17:50:17 -07:00
5ac43873c4
minor updates
2016-09-27 20:35:11 -04:00
e14fe05c13
added parsing at role creation
2016-09-27 16:01:51 -04:00
4938aa56bf
initial commit for consistency added into cassandra
2016-09-27 13:25:18 -04:00
5eff59c410
Fix "SecretIDNumUses" in AppRole auth backend
...
There was a typo.
2016-09-27 17:26:52 +03:00
b1ee56a15b
Merge pull request #1910 from hashicorp/secret-id-cidr-list
...
CIDR restrictions on Secret ID
2016-09-26 10:22:48 -04:00
a4b119dc25
Merge pull request #1920 from legal90/fix-approle-delete
...
Fix panic on deleting the AppRole which doesn't exist
2016-09-26 10:05:33 -04:00
3f77013004
Fix panic on deleting the AppRole which doesn't exist
...
#pathRoleDelete should return silently if the specified AppRole doesn't exist
Fixes GH-1919
2016-09-26 16:55:08 +03:00
da5b5d3a8e
Address review feedback from @jefferai
2016-09-26 09:53:24 -04:00
d080107a87
Update docs to contain bound_iam_role_arn
2016-09-26 09:37:38 -04:00
bf0b7f218e
Implemented bound_iam_role_arn constraint
2016-09-23 21:35:36 -04:00
e0ea497cfe
Getting role name from the creds path used in revocation
2016-09-23 16:57:08 -04:00
8709406eb3
secretCredsRevoke command no longer uses hardcoded query
...
The removal of a user from the db is now handled similar to the
creation. The SQL is read out of a key from the role and then executed
with values substituted for username.
2016-09-23 16:05:49 -04:00
1bed6bfc2c
Added support for a revokeSQL key value pair to the role
2016-09-23 16:00:23 -04:00
6bf871995b
Don't use time.Time in responses. ( #1912 )
...
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
e0c41f02c8
Fix incorrect naming of bound_iam_instance_profile_arn
2016-09-23 11:22:23 -04:00
c26754000b
Fix ssh tests
2016-09-22 11:37:55 -04:00
aaadd4ad97
Store the CIDR list in the secret ID storage entry.
...
Use the stored information to validate the source address and credential issue time.
Correct the logic used to verify BoundCIDRList on the role.
Reverify the subset requirements between secret ID and role during credential issue time.
2016-09-21 20:19:26 -04:00
578b82acf5
Pass only valid inputs to validation methods
2016-09-21 15:44:54 -04:00
93604e1e2e
Added cidrutil helper
2016-09-21 13:58:32 -04:00
676e7e0f07
Ensure upgrades have a valid HMAC key
2016-09-21 11:10:57 -04:00
0ff76e16d2
Transit and audit enhancements
2016-09-21 10:49:26 -04:00
5c241d31e7
Renaming ttl_max -> max_ttl in mssql backend ( #1905 )
2016-09-20 12:39:02 -04:00
97dc0e9f64
Merge pull request #1897 from hashicorp/secret-id-accessor-locks
...
Safely manipulate secret id accessors
2016-09-19 11:37:38 -04:00
fefd3a6c0b
s/GetOctalFormatted/GetHexFormatted
2016-09-16 17:47:15 -04:00
897d3c6d2c
Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop.
2016-09-16 11:05:43 -04:00
ba72e7887a
Safely manipulate secret id accessors
2016-09-15 18:13:50 -04:00
61664bc653
Merge pull request #1886 from hashicorp/approle-upgrade-notes
...
upgrade notes entry for approle constraint and warning on role read
2016-09-15 12:14:01 -04:00
5597156886
check for nil role
2016-09-15 12:10:40 -04:00
92986bb2a0
Address review feedback
2016-09-15 11:41:52 -04:00
a1de742dce
s/disableReauthenticationNonce/reauthentication-disabled-nonce
2016-09-15 11:29:02 -04:00
9bca127631
Updated docs with nonce usage
2016-09-14 19:31:09 -04:00
857f921d76
Added comment
2016-09-14 18:27:35 -04:00
39796e8801
Disable reauthentication if nonce is explicitly set to empty
2016-09-14 17:58:00 -04:00
d0e4d77fce
address review feedback
2016-09-14 14:28:02 -04:00
d7ce69c5eb
Remove the client nonce being empty check
2016-09-14 14:28:02 -04:00
53c919b1d0
Generate the nonce by default
2016-09-14 14:28:02 -04:00
455a4ae055
address review feedback
2016-09-14 12:08:35 -04:00
b1392567d1
Use constant time comparisons for client nonce
2016-09-13 20:12:43 -04:00
d2e66014ba
Address review feedback
2016-09-13 18:30:04 -04:00
29b67141eb
Only use running state for checking if instance is alive. ( #1885 )
...
Fixes #1884
2016-09-13 18:08:05 -04:00
99a2655d8e
upgrade notes entry for approle constraint and warning on role read
2016-09-13 17:44:07 -04:00
bef9c2ee61
Ensure at least one constraint on the role
2016-09-13 16:03:15 -04:00
Calvin Leung Huang