049e086b07
Fix typo. Closes GH-2528
2017-04-04 12:29:18 -04:00
709389dd36
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
...
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
b506bd7790
On change of configuration rotate the database type
2017-04-03 18:30:38 -07:00
d7dd0ab35c
Merge branch 'database-refactor' of github.com:hashicorp/vault into database-refactor
2017-04-03 17:52:41 -07:00
e8781b6a2b
Plugin catalog
2017-04-03 17:52:29 -07:00
aa15a1d3a9
Database refactor mssql ( #2562 )
...
* WIP on mssql secret backend refactor
* Add RevokeUser test, and use sqlserver driver internally
* Remove debug statements
* Fix code comment
2017-04-03 09:59:30 -07:00
210fa77e3c
fix for plugin commands that have more than one paramater
2017-03-28 14:37:57 -07:00
50729a4528
Add comments to connection and credential producers
2017-03-28 13:08:11 -07:00
b09526e1c9
Cleanup the db factory code and add comments
2017-03-28 12:57:30 -07:00
6b877039e7
Update tests
2017-03-28 12:20:17 -07:00
c50a6ebc39
Add functionaility to build db objects from disk so restarts work
2017-03-28 11:30:45 -07:00
02b0230f19
Fix for checking types of database on update
2017-03-28 10:04:42 -07:00
494f963581
Wrap the database calls with tracing information
2017-03-27 15:17:28 -07:00
2799586f45
Remove the unused sync.Once object
2017-03-27 11:46:20 -07:00
29ae4602dc
More work on getting tests to pass
2017-03-23 15:54:15 -07:00
c0223d888e
Remove unsused code block
2017-03-22 17:09:39 -07:00
1068076703
s/postgres/mysql/
2017-03-22 16:44:33 -07:00
dac1bb210b
Add test files for postgres and mysql databases
2017-03-22 16:39:08 -07:00
ae9961b811
Add a error message for empty creation statement
2017-03-22 12:40:16 -07:00
c55bef85d3
Fix race with deleting the connection
2017-03-22 09:54:19 -07:00
85ef468d46
Add a delete method
2017-03-21 17:19:30 -07:00
83ff132705
Verify connections regardless of if this connections is already existing
2017-03-21 16:05:59 -07:00
003ef004c6
sshca: ensure atleast cert type is allowed ( #2508 )
2017-03-19 18:58:48 -04:00
a4e5e0f8c9
Comment and fix plugin Type function
2017-03-16 18:24:56 -07:00
417770a58f
Change the handshake config from the default
2017-03-16 17:51:25 -07:00
2873825848
Add a secure config to verify the checksum of the plugin
2017-03-16 16:20:18 -07:00
f2df4ef0e7
Comment and slight refactor of the TLS plugin helper
2017-03-16 14:14:49 -07:00
0a52ea5c69
Break tls code into helper library
2017-03-16 11:55:21 -07:00
24886c1006
Ensure CN check is made when exclude_cn_from_sans is used
...
Fixes #2363
2017-03-16 11:41:13 -04:00
ae8967d635
Always include a hash of the public key and "vault" (to know where it ( #2498 )
...
came from) when generating a cert for SSH.
Follow on from #2494
2017-03-16 11:14:17 -04:00
95df7beed9
Adding allow_user_key_ids field to SSH role config ( #2494 )
...
Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name. Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.
2017-03-16 08:45:11 -04:00
eb6117cbb2
Work on TLS communication over plugins
2017-03-15 17:14:48 -07:00
12e5132779
Allow roles to specify whether CSR SANs should be used instead of ( #2489 )
...
request values. Fix up some documentation.
Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
7ab6844eb4
Set CA chain when intermediate does not have an authority key ID.
...
This is essentially an approved review of the code provided in #2465 .
Fixes #2465
2017-03-15 11:52:02 -04:00
3ecb344878
wrap plugin database type with metrics middleware
2017-03-14 13:12:47 -07:00
822a3eb20a
Add a metrics middleware
2017-03-14 13:11:28 -07:00
662b372364
Reads on unconfigured SSH CA public key return 400
2017-03-14 10:21:48 -04:00
7d59d7d3ac
Reads on ssh/config/ca return the public keys
...
If configured/generated.
2017-03-14 10:21:48 -04:00
830de2dbbd
If generating an SSH CA signing key - return the public part
...
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
2017-03-14 10:21:48 -04:00
2054fff890
Add a way to initalize plugins and builtin databases the same way.
2017-03-13 14:39:55 -07:00
71b81aad23
Add checksum attribute
2017-03-10 14:10:42 -08:00
a11911d4d4
Rename reset to close
2017-03-09 22:35:45 -08:00
fda45f531d
Add special path to enforce root on plugin configuration
2017-03-09 21:31:29 -08:00
748c70cfb4
Add plugin file
2017-03-09 17:43:58 -08:00
9099231229
Add plugin features
2017-03-09 17:43:37 -08:00
220beb2cde
doc: ssh allowed_users update ( #2462 )
...
* doc: ssh allowed_users update
* added some more context in default_user field
2017-03-09 10:34:55 -05:00
f085cd71ab
Fix typo
2017-03-08 17:49:39 -05:00
b7128f8370
Update secrets fields
2017-03-08 14:46:53 -08:00
766c2e6ee0
SSH CA enhancements ( #2442 )
...
* Use constants for storage paths
* Upgrade path for public key storage
* Fix calculateValidPrincipals, upgrade ca_private_key, and other changes
* Remove a print statement
* Added tests for upgrade case
* Make exporting consistent in creation bundle
* unexporting and constants
* Move keys into a struct instead of plain string
* minor changes
2017-03-08 17:36:21 -05:00
2fb6bf9882
Fix renew and revoke calls
2017-03-07 17:21:44 -08:00
b7c3b4b0d7
Add defaults to the cassandra databse type
2017-03-07 17:00:52 -08:00
3976a2a0a6
Pass statements object
2017-03-07 16:48:17 -08:00
843d584254
Remove unused sql object
2017-03-07 15:34:23 -08:00
919155ab12
Remove double lock
2017-03-07 15:33:05 -08:00
c959882b93
Update locking functionaility
2017-03-07 13:48:29 -08:00
3d162b63cc
Use locks in a slice rather than a map, which is faster and makes things cleaner ( #2446 )
2017-03-07 11:21:32 -05:00
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
bc53e119ca
rename mysql variable
2017-03-03 15:07:41 -08:00
bba832e6bf
Make db instances immutable and add a reset path to tear down and create a new database instance with an updated config
2017-03-03 14:38:49 -08:00
29e07ac9e8
Fix mysql connections
2017-03-03 14:38:49 -08:00
24ddea9954
Add mysql into the factory
2017-03-03 14:38:48 -08:00
8e8f260d96
Add max connection lifetime param and set consistancy on cassandra session
2017-03-03 14:38:48 -08:00
1f009518cd
s/Statement/Statements/
2017-03-03 14:38:48 -08:00
46aa7142c1
Add mysql database type
2017-03-03 14:38:48 -08:00
2ec5ab5616
More work on refactor and cassandra database
2017-03-03 14:38:48 -08:00
acdcd79af3
Begin work on database refactor
2017-03-03 14:38:48 -08:00
4b81bcb379
ssh: Added DeleteOperation to config/ca ( #2434 )
...
* ssh: Added DeleteOperation to config/ca
* Address review feedback
2017-03-03 10:19:45 -05:00
491a56fe9f
AppRole: Support restricted use tokens ( #2435 )
...
* approle: added token_num_uses to the role
* approle: added RUD tests for token_num_uses on role
* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
55e69277ce
Update SSH CA logic/tests
2017-03-02 16:39:22 -05:00
a1331278ff
Refactor the generate_signing_key processing ( #2430 )
2017-03-02 16:22:06 -05:00
fa474924aa
Update error text to make it more obvious what the issue is when valid principals aren't found
2017-03-02 15:56:08 -05:00
eca68d5913
Fix a bunch of errors from returning 5xx, and parse more duration types
2017-03-02 15:38:34 -05:00
70bfdb5ae9
Changes from code review
2017-03-02 14:36:13 -05:00
36b3d89604
Allow internal generation of the signing SSH key pair
2017-03-02 14:36:13 -05:00
3795d2ea64
Rework ssh ca ( #2419 )
...
* docs: input format for default_critical_options and default_extensions
* s/sshca/ssh
* Added default_critical_options and default_extensions to the read endpoint of role
* Change default time return value to 0
2017-03-01 15:50:23 -05:00
9f75f84175
Changes from code review
...
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
2017-03-01 15:19:18 -05:00
ff1ff02bd7
Changes from code review
...
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
2017-03-01 15:19:18 -05:00
099d561b20
Add ability to create SSH certificates
2017-03-01 15:19:18 -05:00
47f8478a97
Fix github compile breakage after dep upgrade
2017-02-24 15:32:05 -05:00
b762c43fe2
Aws Ec2 additional binds for SubnetID, VpcID and Region ( #2407 )
...
* awsec2: Added bound_region
* awsec2: Added bound_subnet_id and bound_vpc_id
* Add bound_subnet_id and bound_vpc_id to docs
* Remove fmt.Printf
* Added crud test for aws ec2 role
* Address review feedback
2017-02-24 14:19:10 -05:00
2e911fc650
Fix broken build caused due to resolve merge conflicts
2017-02-24 12:41:20 -05:00
c6f138bb9a
PKI: Role switch to control lease generation ( #2403 )
...
* pki: Make generation of leases optional
* pki: add tests for upgrading generate_lease
* pki: add tests for leased and non-leased certs
* docs++ pki generate_lease
* Generate lease is applicable for both issuing and signing
* pki: fix tests
* Address review feedback
* Address review feedback
2017-02-24 12:12:40 -05:00
01f3056b8b
pki: Include private_key_type on DER-formatted responses from /pki/issue/ ( #2405 )
2017-02-24 11:17:59 -05:00
c81582fea0
More porting from rep ( #2388 )
...
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
0c39b613c8
Port some replication bits to OSS ( #2386 )
2017-02-16 15:15:02 -05:00
d7a6ec8d43
Add some repcluster handling to audit and add some tests ( #2384 )
...
* Add some repcluster handling to audit and add some tests
* Fix incorrect assumption about nil auth
2017-02-16 13:09:53 -05:00
c96fe56d44
Fix copypasta, thanks tests
2017-02-16 01:32:39 -05:00
817bec0955
Add Organization support to PKI backend. ( #2380 )
...
Fixes #2369
2017-02-16 01:04:29 -05:00
eb4ef0f6e0
cidrutil: added test data points ( #2378 )
2017-02-16 00:51:02 -05:00
81c95b36eb
aws-ec2 auth: Return the role period in seconds ( #2374 )
...
* aws-ec2 auth: Return the role period in seconds
* cast return values to int64 for comparison with expected values
2017-02-15 10:57:57 -05:00
04b4a6aa50
Fix Okta auth issue when a user has no policies and/or groups set. ( #2371 )
...
Fixes #2367
2017-02-14 16:28:16 -05:00
ca06bc0b53
audit: support a configurable prefix string to write before each message ( #2359 )
...
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
2017-02-10 16:56:28 -08:00
2bbc247ab4
use net.JoinHostPort
2017-02-08 18:39:09 -05:00
72db329d67
Add support for backup/multiple LDAP URLs. ( #2350 )
2017-02-08 14:59:24 -08:00
a217be589c
Merge pull request #2154 from fcantournet/default-ldap-username
...
ldap auth via cli defaults username to env (#2137 )
2017-02-07 21:47:59 -08:00
a2f07acbc4
Use Getenv instead of LookupEnv
...
This prevents returning empty username if LOGNAME is set but empty and USER is set but not empty.
2017-02-07 21:47:06 -08:00
f05b482e46
Update error text
2017-02-07 21:44:23 -08:00
8f957579d8
Update some help text for RADIUS
2017-02-07 16:06:27 -05:00
29d9d5676e
RADIUS Authentication Backend ( #2268 )
2017-02-07 16:04:27 -05:00
2923934813
Merge pull request #2326 from hashicorp/pr-2161
...
Add Socket Audit Backend
2017-02-07 11:27:25 -08:00
7f2717b74a
transit: change batch input format ( #2331 )
...
* transit: change batch input format
* transit: no json-in-json for batch response
* docs: transit: update batch input format
* transit: fix tests after changing response format
2017-02-06 14:56:16 -05:00
09049c2787
Added a single retry after a reconnection
2017-02-06 11:38:38 -08:00
af1847f2b4
Update the docs and move the logic for reconnecting into its own function
2017-02-04 16:55:17 -08:00
5de633fd27
Make userpass help text mention radius too
2017-02-04 07:48:30 -05:00
a8ea05f365
Add default mount param to userpass cli handler
2017-02-04 07:47:09 -05:00
b38eeec96a
Add write deadline and a Reload function
2017-02-02 15:44:56 -08:00
b09077c2d8
add socket audit backend
2017-02-02 14:21:48 -08:00
6701ba8a10
Configure the request headers that are output to the audit log ( #2321 )
...
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited
* Remove some debug lines
* Add a persistant layer and refactor a bit
* update the api endpoints to be more restful
* Add comments and clean up a few functions
* Remove unneeded hash structure functionaility
* Fix existing tests
* Add tests
* Add test for Applying the header config
* Add Benchmark for the ApplyConfig method
* ResetTimer on the benchmark:
* Update the headers comment
* Add test for audit broker
* Use hyphens instead of camel case
* Add size paramater to the allocation of the result map
* Fix the tests for the audit broker
* PR feedback
* update the path and permissions on config/* paths
* Add docs file
* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
5fb28f53cb
Transit: Support batch encryption and decryption ( #2143 )
...
* Transit: Support batch encryption
* Address review feedback
* Make the normal flow go through as a batch request
* Transit: Error out if encryption fails during batch processing
* Transit: Infer the 'derived' parameter based on 'context' being set
* Transit: Batch encryption doc updates
* Transit: Return a JSON string instead of []byte
* Transit: Add batch encryption tests
* Remove plaintext empty check
* Added tests for batch encryption, more coming..
* Added more batch encryption tests
* Check for base64 decoding of plaintext before encrypting
* Transit: Support batch decryption
* Transit: Added tests for batch decryption
* Transit: Doc update for batch decryption
* Transit: Sync the path-help and website docs for decrypt endpoint
* Add batch processing for rewrap
* transit: input validation for context
* transit: add rewrap batch option to docs
* Remove unnecessary variables from test
* transit: Added tests for rewrap use cases
* Address review feedback
* Address review feedback
* Address review feedback
* transit: move input checking out of critical path
* transit: allow empty plaintexts for batch encryption
* transit: use common structs for batch processing
* transit: avoid duplicate creation of structs; add omitempty to response structs
* transit: address review feedback
* transit: fix tests
* address review feedback
* transit: fix tests
* transit: rewrap encrypt user error should not error out
* transit: error out for internal errors
2017-02-02 14:24:20 -05:00
3457a11afd
awsec2: support periodic tokens ( #2324 )
...
* awsec2: support periodic tokens
* awsec2: add api docs for 'period'
2017-02-02 13:28:01 -05:00
14fcc4b6eb
approle: secret-id listing lock sanity check ( #2315 )
...
* approle: secret-id listing lock sanity
* Skip processing an empty secretIDHMAC item during the iteration
* approle: use dedicated lock for listing of secret-id-accessors
2017-02-01 18:13:49 -05:00
0548555219
Support for Cross-Account AWS Auth ( #2148 )
2017-02-01 14:16:03 -05:00
47274eca88
Add cleanup functions to multiple DB backends. ( #2313 )
...
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
f1a5a858d3
Make export errors a bit more meaningful
2017-01-30 09:25:50 -05:00
2e15dc93df
Have transit exporting return the same structure regardless of one key or many
2017-01-28 10:37:35 -05:00
6033ea884c
Okta implementation ( #1966 )
2017-01-26 19:08:52 -05:00
e788780709
Migrate cassandra test from acceptance to dockertest ( #2295 )
2017-01-25 15:37:55 -05:00
f43a041bf2
Revert "Disable PKI OU tests to fix the build"
...
This reverts commit b1ab7c5603180af9073caab1b3022ca438dc12be.
2017-01-24 09:58:28 -05:00
c8b6ab7223
Disable PKI OU tests to fix the build
2017-01-24 06:25:56 -05:00
98df700495
allow roles to set OU value in certificates issued by the pki backend ( #2251 )
2017-01-23 12:44:45 -05:00
7568a212b1
Adding support for exportable transit keys ( #2133 )
2017-01-23 11:04:43 -05:00
5aba2d47b6
ldap: Minor enhancements, tests and doc update ( #2272 )
2017-01-23 10:56:43 -05:00
fa7d61baa3
Merge pull request #2202 from fcantournet/fix_govet_fatalf
...
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
1d7ded02b4
Merge pull request #2152 from mr-tron/master
...
Thanks for submitting this. I am going to merge this in and write tests.
2017-01-13 14:29:46 -05:00
e019cca4ea
Merge pull request #2257 from bkrodgers/git-config-read
...
Added a 'read' for github config
2017-01-11 12:23:00 -05:00
f33d35f3de
Added a nil check for config and renamed org field internally.
2017-01-11 11:04:15 -06:00
cb8bbc4fbd
Transit key actions ( #2254 )
...
* add supports_* for transit key reads
* update transit docs with new supports_* fields
2017-01-11 10:05:06 -06:00
a8f12dff01
Added a 'read' for github config
2017-01-10 18:21:31 -06:00
78dacc154a
sign-verbatim should set use_csr_common_name to true ( #2243 )
2017-01-10 09:47:59 -05:00
80dc5819d3
Use dockertest.v2 ( #2247 )
...
New dockertest has a totally different API and will require some serious
refactoring. This will tide over until then by pinning the API version.
2017-01-09 13:46:54 -05:00
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
1816446f46
Address review feedback
2016-12-20 11:19:47 -05:00
b3e323bbcc
pki: Avoiding a storage read
2016-12-20 11:07:20 -05:00
db5e0bb3c3
Minor cleanup in audit backend ( #2194 )
2016-12-19 15:35:55 -05:00
2e23f1a992
pki: Appended error to error message
2016-12-19 10:49:32 -05:00
ba1cc709bd
PKI: Added error to the error message
2016-12-19 10:47:29 -05:00
bb54bd40f6
normalize some capitlization in error messages
2016-12-15 19:02:33 -05:00
8fff7daf51
Don't panic when TLS is enabled but the initial dial doesn't return a connection ( #2188 )
...
Related to #2186
2016-12-15 15:49:30 -05:00
e818efde7c
ldap auth via cli defaults username to env ( #2137 )
...
try to guess the username from 'LOGNAME' or if it isn't set 'USER'
2016-12-02 19:08:32 +01:00
6ee61af87f
Fix nil value panic when Consul returns a user error ( #2145 )
2016-12-01 10:22:32 -08:00
3d66907966
Disallow passwords LDAP binds by default ( #2103 )
2016-12-01 10:11:40 -08:00
2797c609b0
fix checking that users policies is not nil
2016-11-29 16:35:49 +03:00
cc374b3e2c
add support per user acl for ldap users
2016-11-29 13:32:59 +03:00
5eaef287a8
Close ldap connection to avoid leak ( #2130 )
2016-11-28 09:31:36 -08:00
890c19312f
Update path help for approle secret id TTL
2016-11-15 11:50:51 -05:00
637414a623
Added support for individual user policy mapping in github auth backend. ( #2079 )
2016-11-10 16:21:14 -05:00
ba3dc07bb3
Fix typo and remove trailing whitespace. ( #2074 )
2016-11-08 09:32:23 -05:00
aa68041231
Fix GitHub tests
2016-11-08 07:13:42 -05:00
50c8af0515
Add ldap tls_max_version config ( #2060 )
2016-11-07 13:43:39 -05:00
26fa2655b1
Add listing to Consul secret roles ( #2065 )
2016-11-04 12:35:16 -04:00
65f0ce8ca3
Remove the sanity check which is not proving to be useful
2016-10-27 19:11:26 -04:00
dc93e57cf1
Return the revocation_sql from role read all the time
2016-10-27 12:24:31 -04:00
e0fb8c17ce
Added revocation_sql to the website docs
2016-10-27 12:15:08 -04:00
c14a6c8666
Move policy test to keysutil package
2016-10-26 19:57:28 -04:00
6d1e1a3ba5
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 19:52:31 -04:00
79d45355c8
Merge pull request #2004 from hashicorp/role-id-update
...
Fix regression caused by not creating a role_id secondary index
2016-10-26 16:29:46 -04:00
931c96d1ba
ssh: Use temporary file to store the identity file
2016-10-18 12:50:12 -04:00
6dd560d9c6
Merge pull request #2005 from hashicorp/dedup-ldap-policies
...
Deduplicate the policies in ldap backend
2016-10-18 10:42:11 -04:00
4b6e82afcb
Add ability to list keys in transit backend ( #1987 )
2016-10-18 10:13:01 -04:00
2ce8bc95eb
Deduplicate the policies in ldap backend
2016-10-14 17:20:50 -04:00
1487dce475
Fix regression caused by not creating a role_id secondary index
2016-10-14 12:56:29 -04:00
dcf44a8fc7
Merge pull request #1980 from hashicorp/audit-update
...
Audit file update
2016-10-10 14:34:53 -04:00
0da9d1ac0c
test updates to address feedback
2016-10-10 12:58:30 -04:00
5ce9737eb4
address feedback
2016-10-10 12:16:55 -04:00
962a383bfb
address latest feedback
2016-10-10 11:58:26 -04:00
290ccee990
minor fix
2016-10-10 10:05:36 -04:00
9fc5a37e84
address feedback
2016-10-09 22:23:30 -04:00
05519a1267
adding unit tests for file mode
2016-10-09 00:33:24 -04:00
e5a7e3d6cb
initial commit to fix empty consistency option issue
2016-10-08 20:22:26 -04:00
1b8d12fe82
changes for 'mode'
2016-10-08 19:52:49 -04:00
60ceea5532
initial commit for adding audit file permission changes
2016-10-07 15:09:32 -04:00
c45ab41b39
Update aws-ec2 configuration help
...
Updated to reflect enhanced functionality and clarify necessary
permissions.
2016-10-05 12:40:58 -07:00
70a9fc47b4
Don't use quoted identifier for the username
2016-10-05 14:31:19 -04:00
7f9a88d8db
Postgres revocation sql, beta mode ( #1972 )
2016-10-05 13:52:59 -04:00
de5dec6b15
Refactor mysql's revoke SQL
2016-10-04 19:30:25 -04:00
1ab7023483
Merge pull request #1914 from jpweber/mysql-revoke
...
Mysql revoke with non-wildcard hosts
2016-10-04 17:44:15 -04:00
87f206b536
removed an unused ok variable. Added warning and force use for default queries if role is nil
2016-10-04 17:15:29 -04:00
0f8c132ede
Minor doc updates
2016-10-04 15:46:09 -04:00
2e1aa80f31
Address review feedback 2
2016-10-04 15:30:42 -04:00
59475d7f14
Address review feedback
2016-10-04 15:05:44 -04:00
cc38f3253a
fixed an incorrect assignment
2016-10-03 21:51:40 -04:00
348a09e05f
Add only relevant certificates
2016-10-03 20:34:28 -04:00
dbd364453e
aws-ec2 config endpoints support type option to distinguish certs
2016-10-03 20:25:07 -04:00
ac78ddc178
More resilient around cases of missing role names and using the default when needed.
2016-10-03 20:20:00 -04:00
b105f8ccf3
Authenticate aws-ec2 instances using identity document and its RSA signature
2016-10-03 18:57:41 -04:00
0a7f1089ca
Refactored logic some to make sure we can always fall back to default revoke statments
...
Changed rolename to role
made default sql revoke statments a const
2016-10-03 15:59:56 -04:00
704fccaf2e
fixed some more issues I had with the tests.
2016-10-03 15:58:09 -04:00
a2d6624a69
renamed rolname to role
2016-10-03 15:57:47 -04:00
bfb0c2d3ff
Reduced duplicated code and fixed comments and simple variable name mistakes
2016-10-03 14:53:05 -04:00
bb70ecc5a7
Added test for revoking mysql user with wild card host and non-wildcard host
2016-10-02 22:28:54 -04:00
dbb00534d9
saving role name to the Secret Internal data. Default revoke query added
...
The rolename is now saved to the secret internal data for fetching
later during the user revocation process. No longer deriving the role
name from request path
Added support for default revoke SQL statements that will provide the
same functionality as before. If not revoke SQL statements are provided
the default statements are used.
Cleaned up personal ignores from the .gitignore file
2016-10-02 18:53:16 -04:00
6d00f0c483
Adds HUP support for audit log files to close and reopen. ( #1953 )
...
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.
As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
4c74b646fe
Merge pull request #1947 from hashicorp/secret-id-lookup-delete
...
Introduce lookup and destroy endpoints for secret IDs and its accessors
2016-09-29 10:19:54 -04:00
34e76f8b41
Added website docs for lookup and destroy APIs
2016-09-28 22:11:48 -04:00
d20819949c
Make secret-id reading and deleting, a POST op instead of GET
2016-09-28 20:22:37 -04:00
2dd1f584e6
Update documentation for required AWS API permissions
...
In order for Vault to map IAM instance profiles to roles, Vault
must query the 'iam:GetInstanceProfile' API, so update the documentation
and help to include the additional permissions needed.
2016-09-28 16:50:20 -07:00
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
5adfaa0d7d
Merge pull request #1939 from hashicorp/secret-id-upgrade
...
Respond secret_id_num_uses and deprecate SecretIDNumUses
2016-09-28 18:16:07 -04:00
e9142f418a
Added todo to remind removal of upgrade code
2016-09-28 18:17:13 -04:00
e01f99f042
Check for prefix match instead of exact match for IAM bound parameters
2016-09-28 18:08:28 -04:00
21d9731286
Don't reset the deprecated value yet
2016-09-28 15:48:50 -04:00
4a30a6b4f8
Merge pull request #1913 from hashicorp/bound-iam-instance-profile-arn
...
Proper naming for bound_iam_instance_profile_arn
2016-09-28 15:34:56 -04:00
31e450a175
Add some validation checks
2016-09-28 15:36:02 -04:00
9eabf75f5f
Fix the misplaced response warning
2016-09-28 14:20:03 -04:00
a2338f5970
Added testcase to check secret_id_num_uses
2016-09-28 13:58:53 -04:00
ba1d238f9b
Pull out reading and storing of secret ID into separate functions and handle upgrade properly
2016-09-28 12:42:26 -04:00
010293ccc3
Merge pull request #1931 from hashicorp/cass-consistency
...
Adding consistency into cassandra
2016-09-27 21:12:02 -04:00
d235acf809
Adding support for chained intermediate CAs in pki backend ( #1694 )
2016-09-27 17:50:17 -07:00
5ac43873c4
minor updates
2016-09-27 20:35:11 -04:00
e14fe05c13
added parsing at role creation
2016-09-27 16:01:51 -04:00
4938aa56bf
initial commit for consistency added into cassandra
2016-09-27 13:25:18 -04:00
5eff59c410
Fix "SecretIDNumUses" in AppRole auth backend
...
There was a typo.
2016-09-27 17:26:52 +03:00
b1ee56a15b
Merge pull request #1910 from hashicorp/secret-id-cidr-list
...
CIDR restrictions on Secret ID
2016-09-26 10:22:48 -04:00
a4b119dc25
Merge pull request #1920 from legal90/fix-approle-delete
...
Fix panic on deleting the AppRole which doesn't exist
2016-09-26 10:05:33 -04:00
3f77013004
Fix panic on deleting the AppRole which doesn't exist
...
#pathRoleDelete should return silently if the specified AppRole doesn't exist
Fixes GH-1919
2016-09-26 16:55:08 +03:00
da5b5d3a8e
Address review feedback from @jefferai
2016-09-26 09:53:24 -04:00
d080107a87
Update docs to contain bound_iam_role_arn
2016-09-26 09:37:38 -04:00
bf0b7f218e
Implemented bound_iam_role_arn constraint
2016-09-23 21:35:36 -04:00
e0ea497cfe
Getting role name from the creds path used in revocation
2016-09-23 16:57:08 -04:00
8709406eb3
secretCredsRevoke command no longer uses hardcoded query
...
The removal of a user from the db is now handled similar to the
creation. The SQL is read out of a key from the role and then executed
with values substituted for username.
2016-09-23 16:05:49 -04:00
1bed6bfc2c
Added support for a revokeSQL key value pair to the role
2016-09-23 16:00:23 -04:00
6bf871995b
Don't use time.Time in responses. ( #1912 )
...
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
e0c41f02c8
Fix incorrect naming of bound_iam_instance_profile_arn
2016-09-23 11:22:23 -04:00
c26754000b
Fix ssh tests
2016-09-22 11:37:55 -04:00
aaadd4ad97
Store the CIDR list in the secret ID storage entry.
...
Use the stored information to validate the source address and credential issue time.
Correct the logic used to verify BoundCIDRList on the role.
Reverify the subset requirements between secret ID and role during credential issue time.
2016-09-21 20:19:26 -04:00
578b82acf5
Pass only valid inputs to validation methods
2016-09-21 15:44:54 -04:00
93604e1e2e
Added cidrutil helper
2016-09-21 13:58:32 -04:00
676e7e0f07
Ensure upgrades have a valid HMAC key
2016-09-21 11:10:57 -04:00
0ff76e16d2
Transit and audit enhancements
2016-09-21 10:49:26 -04:00
5c241d31e7
Renaming ttl_max -> max_ttl in mssql backend ( #1905 )
2016-09-20 12:39:02 -04:00
97dc0e9f64
Merge pull request #1897 from hashicorp/secret-id-accessor-locks
...
Safely manipulate secret id accessors
2016-09-19 11:37:38 -04:00
fefd3a6c0b
s/GetOctalFormatted/GetHexFormatted
2016-09-16 17:47:15 -04:00
897d3c6d2c
Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop.
2016-09-16 11:05:43 -04:00
ba72e7887a
Safely manipulate secret id accessors
2016-09-15 18:13:50 -04:00
61664bc653
Merge pull request #1886 from hashicorp/approle-upgrade-notes
...
upgrade notes entry for approle constraint and warning on role read
2016-09-15 12:14:01 -04:00
5597156886
check for nil role
2016-09-15 12:10:40 -04:00
92986bb2a0
Address review feedback
2016-09-15 11:41:52 -04:00
a1de742dce
s/disableReauthenticationNonce/reauthentication-disabled-nonce
2016-09-15 11:29:02 -04:00
9bca127631
Updated docs with nonce usage
2016-09-14 19:31:09 -04:00
857f921d76
Added comment
2016-09-14 18:27:35 -04:00
39796e8801
Disable reauthentication if nonce is explicitly set to empty
2016-09-14 17:58:00 -04:00
d0e4d77fce
address review feedback
2016-09-14 14:28:02 -04:00
d7ce69c5eb
Remove the client nonce being empty check
2016-09-14 14:28:02 -04:00
53c919b1d0
Generate the nonce by default
2016-09-14 14:28:02 -04:00
455a4ae055
address review feedback
2016-09-14 12:08:35 -04:00
b1392567d1
Use constant time comparisons for client nonce
2016-09-13 20:12:43 -04:00
d2e66014ba
Address review feedback
2016-09-13 18:30:04 -04:00
29b67141eb
Only use running state for checking if instance is alive. ( #1885 )
...
Fixes #1884
2016-09-13 18:08:05 -04:00
99a2655d8e
upgrade notes entry for approle constraint and warning on role read
2016-09-13 17:44:07 -04:00
bef9c2ee61
Ensure at least one constraint on the role
2016-09-13 16:03:15 -04:00
197c7eae5f
Allow encrypting empty ciphertext values. ( #1881 )
...
Replaces #1874
2016-09-13 12:00:04 -04:00
b599948e1c
Use uuid.GenerateRandomBytes
2016-09-09 14:17:09 -04:00
127f61473b
Not exposing structs from the backend's package
2016-09-01 11:57:28 -04:00
1db0544b7a
Use unexported kdf const names
2016-08-31 07:19:58 -04:00
c46a7391c0
Merge pull request #1799 from hashicorp/fix-role-locking
...
approle: fix racy updates problem for roles
2016-08-30 16:46:40 -04:00
cdcfa4572f
Address review feedback
2016-08-30 16:36:58 -04:00
d2239d22d9
Use hkdf for transit key derivation for new keys ( #1812 )
...
Use hkdf for transit key derivation for new keys
2016-08-30 16:29:09 -04:00
29b9295673
approle: fix racy updates problem for roles
2016-08-30 16:11:14 -04:00
9dbc97028b
STS path field description update
2016-08-30 10:53:21 -04:00
0b07ec7303
Added UpdateOperation to logical AWS STS path
2016-08-30 10:30:13 -04:00
cdd1d96a64
Merge pull request #1804 from hashicorp/issue-1800
...
Mark STS secrets as non-renwable
2016-08-29 11:46:19 -04:00
8612b6139e
Fixes #1801 Reuse Cassandra session object for create creds ( #1802 )
2016-08-28 17:32:41 -04:00
f0537572a8
Mark STS secrets as non-renwable
...
Ping #1800
2016-08-28 14:27:56 -04:00
0b113f7916
Derive nonce fully in convergent mode ( #1796 )
...
Ping #1794
2016-08-26 17:01:56 -04:00
2f5876dfe9
Use key derivation for convergent nonce. ( #1794 )
...
Use key derivation for convergent nonce.
Fixes #1792
2016-08-26 14:11:03 -04:00
28739f3528
Decode secret internal data into struct and fix type assertion. ( #1781 )
2016-08-24 15:04:04 -04:00
d1284944c3
Merge pull request #1755 from hashicorp/logxi
...
Convert to logxi
2016-08-21 19:28:18 -04:00
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
524ed6db37
Extract out common code
2016-08-21 15:46:11 -04:00
dfe73733d5
Seperate endpoints for read/delete using secret-id and accessor
2016-08-21 14:42:49 -04:00
2860dcc60f
gofmt
2016-08-19 16:48:32 -04:00
7ce631f1dc
Pretty print the warning
2016-08-18 16:09:10 -04:00
870ffd6fd8
Use shortestTTL value during renewals too
2016-08-18 15:43:58 -04:00
4f1c47478e
When TTL is not set, consider the system default TTL as well
2016-08-18 15:37:59 -04:00
56b8c33c95
aws-ec2: se max_ttl when ttl is not set, during login
2016-08-18 15:16:32 -04:00
638e61192a
Actually show the error occurring if a file audit log can't be opened
2016-08-15 16:26:36 -04:00
86874def5c
Parameter change
...
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
2016-08-14 21:43:57 -04:00
39cfd116b6
Cleanup
2016-08-13 11:52:09 -04:00
1b8711e7b7
Ensure utc value is not zero before adding
2016-08-13 11:50:57 -04:00
d6d08250ff
Ensure values to be encoded in a CRL are in UTC. This aligns with the
...
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.
Fixes #1727
2016-08-13 08:40:09 -04:00
b150c14caa
Address review feedback by @jefferai
2016-08-09 17:45:42 -04:00
8d261b1a78
Added ttl field to aws-ec2 auth backend role
2016-08-09 17:29:45 -04:00
b69ed7ea93
Fix build
2016-08-08 17:00:59 -04:00
7f6c58b807
Address review feedback
2016-08-08 16:30:48 -04:00
0a67bcb5bd
Merge pull request #1696 from hashicorp/transit-convergent-specify-nonce
...
Require nonce specification for more flexibility
2016-08-08 11:41:10 -04:00
1f198e9256
Return warning about ACLing the LDAP configuration endpoint.
...
Fixes #1263
2016-08-08 10:18:36 -04:00
606ba64e23
Remove context-as-nonce, add docs, and properly support datakey
2016-08-07 15:53:40 -04:00
1976bc0534
Add unit tests for convergence in non-context mode
2016-08-07 15:16:36 -04:00
8b1d47037e
Refactor convergent encryption to make specifying a nonce in addition to context possible
2016-08-05 17:52:44 -04:00
0b73c2ff9a
Fix PKI logical backend email alt_names
2016-08-04 12:10:34 +02:00
58e9cbbfc6
Add postgres test for block statements
2016-08-03 15:34:50 -04:00
9e204bd88c
Add arbitrary string slice parsing.
...
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.
Fixes #1619 in theory.
2016-08-03 14:24:16 -04:00
c025b292b5
Cleanup
2016-08-03 13:09:12 -04:00
cff7aada7a
Fix invalid input getting marked as internal error
2016-07-28 16:23:11 -04:00
e0c5f5f5fa
Add convergence tests to transit backend
2016-07-28 11:30:52 -04:00
a6907769b0
AppRole authentication backend
2016-07-26 09:32:41 -04:00
0cfb112e87
Explicitly set invalid request status when a password isn't included
2016-07-25 11:14:15 -04:00
dc4b85b55e
Don't return 500 for user error in userpass when setting password
2016-07-25 11:09:46 -04:00
d4c3e27c4e
Fix re-specification of filter
2016-07-25 09:08:29 -04:00
cd6d114e42
LDAP Auth Backend Overhaul
...
--------------------------
Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.
Simplified group membership lookup significantly to support multiple use-cases:
* Enumerating groups via memberOf attribute on user object
* Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
* Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matchind rule
There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.
Additional changes:
* Clarify documentation for LDAP auth backend.
* Reworked how default values are set, added tests
* Removed Dial from LDAP config read. Network should not affect configuration.
2016-07-22 21:20:05 -04:00
68dcf677fa
Fix panic if no certificates are supplied by client
...
Fixes #1637
2016-07-21 10:20:41 -04:00
b353e44209
Fix build
2016-07-21 09:53:41 -04:00
d335038b40
Ensure we never return a nil set of trusted CA certs
...
Fixes #1637
2016-07-21 09:50:31 -04:00
559b0a5006
Merge pull request #1635 from hashicorp/mysql-idle-conns
...
Added maximum idle connections to mysql to close hashicorp/vault#1616
2016-07-20 15:31:37 -04:00
b558c35943
Set defaults to handle upgrade cases.
...
Ping #1604
2016-07-20 14:07:19 -04:00
f2b6569b0b
Merge pull request #1604 from memory/mysql-displayname-2
...
concat role name and token displayname to form mysql username
2016-07-20 14:02:17 -04:00
ea294f1d27
use both role name and token display name to form mysql username
2016-07-20 10:17:00 -07:00
e6bf4fa489
whitespace error corrected
2016-07-20 12:00:05 -04:00
0483457ad2
respond to feedback from @vishalnayak
...
- split out usernameLength and displaynameLength truncation values,
as they are different things
- fetch username and displayname lengths from the role, not from
the request parameters
- add appropriate defaults for username and displayname lengths
2016-07-20 06:36:51 -07:00
7cdb8a28bc
max_idle_connections added
2016-07-20 09:26:26 -04:00
03c7eb7d18
initial commit before rebase to stay current with master
2016-07-19 14:18:37 -04:00
30ca541f99
Merge pull request #1414 from mhurne/mongodb-secret-backend
...
Add mongodb secret backend
2016-07-19 13:56:15 -04:00
3334b22993
Some minor linting
2016-07-19 13:54:18 -04:00
0f9ee8fbed
Merge branch 'master' into mongodb-secret-backend
2016-07-19 12:47:58 -04:00
072c5bc915
mongodb secret backend: Remove redundant type declarations
2016-07-19 12:35:14 -04:00
c7d42cb112
mongodb secret backend: Fix broken tests, clean up unused parameters
2016-07-19 12:26:23 -04:00
fbb04349b5
Merge pull request #1629 from hashicorp/remove-verify-connection
...
Remove unused VerifyConnection from storage entries of SQL backends
2016-07-19 12:21:23 -04:00
8a1bb1626a
Merge pull request #1583 from hashicorp/ssh-allowed-roles
...
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-19 12:04:12 -04:00
7fb04a1bbd
Remove unused VerifyConnection from storage entries of SQL backends
2016-07-19 11:55:49 -04:00
316837857b
mongodb secret backend: Return lease ttl and max_ttl in lease read in seconds rather than as duration strings
2016-07-19 11:23:56 -04:00
f18d98272d
mongodb secret backend: Don't bother persisting verify_connection field in connection config
2016-07-19 11:20:45 -04:00
f8e6bcbb69
mongodb secret backend: Handle cases where stored username or db is not a string as expected when revoking credentials
2016-07-19 11:18:00 -04:00
75a5fbd8fe
Merge branch 'master' into mongodb-secret-backend
2016-07-19 10:38:45 -04:00
434ed2faf2
Merge pull request #1573 from mickhansen/logical-postgresql-revoke-sequences
...
handle revocations for roles that have privileges on sequences
2016-07-18 13:30:42 -04:00
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
cdf58da43b
Merge pull request #1610 from hashicorp/min-tls-ver-12
...
Set minimum TLS version in all tls.Config objects
2016-07-13 10:53:14 -06:00
09a4142fd3
Handled upgrade path for TLSMinVersion
2016-07-13 12:42:51 -04:00
9f1e6c7b26
Merge pull request #1607 from hashicorp/standardize-time
...
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
de19314f18
Address review feedback
2016-07-13 11:52:26 -04:00
407722a9b4
Added tls_min_version to consul storage backend
2016-07-12 20:10:54 -04:00
314a5ecec0
allow overriding the default truncation length for mysql usernames
...
see https://github.com/hashicorp/vault/issues/1605
2016-07-12 17:05:43 -07:00
f34f0ef503
Make 'tls_min_version' configurable
2016-07-12 19:32:47 -04:00
46d34130ac
Set minimum TLS version in all tls.Config objects
2016-07-12 17:06:28 -04:00
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
57cdb58374
Switch to pester from go-retryablehttp to avoid swallowing 500 error messages
2016-07-11 21:37:46 +00:00
9ee4542a7c
incorporate code style guidelines
2016-07-11 13:35:35 +02:00
c25788e1d4
handle revocations for roles that have privileges on sequences
2016-07-11 13:16:45 +02:00
2cf4490b37
use role name rather than token displayname in generated mysql usernames
...
If a single token generates multiple myself roles, the generated mysql
username was previously prepended with the displayname of the vault
user; this makes the output of `show processlist` in mysql potentially
difficult to correlate with the roles actually in use without cross-
checking against the vault audit log.
See https://github.com/hashicorp/vault/pull/1603 for further discussion.
2016-07-10 15:57:47 -07:00
6505e85dae
mongodb secret backend: Improve safety of MongoDB roles storage
2016-07-09 21:12:42 -04:00
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
bb8a45eb8b
Format code in mongodb secret backend
2016-07-07 23:16:11 -04:00
8d5a7992c1
mongodb secret backend: Improve and correct errors in documentation; improve "parameter is required" error response messages
2016-07-07 23:09:45 -04:00
eee6f04e40
mongodb secret backend: Refactor to eliminate unnecessary variable
2016-07-07 22:29:17 -04:00
ce845df43c
mongodb secret backend: Consider a "user not found" response a success when removing a user from Mongo
2016-07-07 22:27:47 -04:00
138d74f745
mongodb secret backend: Improve roles path help
2016-07-07 22:16:34 -04:00
7f9d91acb6
mongodb secret backend: Remove default value for Mongo authentication DB for roles; validate that role name and authentication db were specified when creating a role
2016-07-07 22:09:00 -04:00
de84cdabe6
mongodb secret backend: Leverage framework.TypeDurationSecond to simplify storage of lease ttl and max_ttl
2016-07-07 21:48:44 -04:00
6d7c9f5424
mongodb secret backend: Verify existing Session is still working before reusing it
2016-07-07 21:37:44 -04:00
db3670c353
Fix transit tests
2016-07-06 22:04:08 -04:00
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
vishalnayak