Commit graph

147 commits

Author SHA1 Message Date
Sam Salisbury 84ca2ef0af sdk: set version to 1.4.0-beta 2020-02-20 09:11:25 +00:00
ncabatoff e5721310ac
Add persistent feature flags to be used on enterprise non-primaries. (#8391) 2020-02-19 18:06:53 -05:00
Noelle Daley ced8a3f6b3
clarify that EditType is optional (#8386) 2020-02-19 11:44:22 -06:00
JulesRenz c54c8c92bd
RSA3072 implementation in transit secrets engine (#8151)
* RSA3072 implementation in transit secrets engine

* moved new KeyType at the end of the list
So already stored keys still work properly

Co-authored-by: Jim Kalafut <jim@kalafut.net>
2020-02-15 14:40:50 -08:00
Jeff Mitchell f09f21e512 Move reload/listenerutil/gatedwriter back out of sdk 2020-02-15 14:56:00 -05:00
Gerardo Di Giacomo 8573eefe90
enabling TLS 1.3 support for TCP listeners (#8305)
* adding support for TLS 1.3 for TCP listeners

* removed test as CI uses go 1.12

* removed Cassandra support, added deprecation notice

* re-added TestTCPListener_tls13
2020-02-15 11:40:18 -08:00
Brian Kassouf 3bbd9dc34c
Port some changes back to OSS (#8359) 2020-02-14 16:39:13 -08:00
Jeff Mitchell e90d9f3946 Update to go-kms-wrapping entropy module 2020-02-14 17:27:19 -05:00
Jeff Mitchell 31b6345c31 Remove EncryptedBlobInfo in Entry 2020-02-14 17:03:40 -05:00
Jeff Mitchell aeac23d59e Revert "Move encrypted blob info (#8357)"
This reverts commit 5a3c55b6dfe89d0348d78acafcb83b60cf614d38.
2020-02-14 17:02:33 -05:00
Jeff Mitchell e12351f263
Move encrypted blob info (#8357) 2020-02-14 16:45:37 -05:00
Jeff Mitchell 01402febb8 Update proto 2020-02-14 16:00:33 -05:00
Michel Vocks 985acc4ce5
Fix ldap client upndomain (#8333) 2020-02-14 10:26:30 -08:00
Becca Petrin 5a01a5af0f
Add Kubernetes service registration (#8249) 2020-02-13 09:56:29 -08:00
Jeff Malnick 27ad920399
Add redshift database plugin (#8299)
* feat: add redshift database plugin

* build: update vendored libraries

* docs: add reference doc for redshift variant of the database secrets engine

* feat: set middlewear type name for better metrics naming (#8346)

Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
2020-02-13 09:42:30 -08:00
Jeff Mitchell fedb451a12 Move reload and listenerutil into sdk 2020-02-13 10:40:02 -05:00
Becca Petrin 759f9b38f7
Observer pattern for service registration interface (#8123)
* use observer pattern for service discovery

* update perf standby method

* fix test

* revert usersTags to being called serviceTags

* use previous consul code

* vault isnt a performance standby before starting

* log err

* changes from feedback

* add Run method to interface

* changes from feedback

* fix core test

* update example
2020-01-24 09:42:03 -08:00
Jeff Mitchell 997a74cf18 Fix Flush interface in gatedwriter 2020-01-23 14:24:13 -05:00
Jeff Mitchell 3be3cd6d42 Update sdk's go-hclog 2020-01-23 14:11:38 -05:00
Jeff Mitchell d3adf1286d Migrate gated-writer to sdk 2020-01-23 14:00:15 -05:00
Becca Petrin 02c9a45c40
Fix AWS region tests (#8145)
* fix aws region tests

* strip logger

* return an error, restore tests to master

* fix extra line at import

* revert changes in spacing and comments

* Update sdk/helper/awsutil/region.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* strip explicit nil value

Co-authored-by: Jim Kalafut <jim@kalafut.net>
2020-01-13 14:56:41 -08:00
Jeff Mitchell a0694943cc
Migrate built in auto seal to go-kms-wrapping (#8118) 2020-01-10 20:39:52 -05:00
Jeff Mitchell 156e31c740 Bump go-uuid 2020-01-10 10:43:37 -05:00
Jim Kalafut aa1761fb03
Update framework forwarding logic to handle nil system views (#8114) 2020-01-08 05:59:44 -08:00
Jim Kalafut fb4edc129e
Add path attributes to indicate when operations should forward (#7175) 2020-01-07 14:04:08 -08:00
Michel Vocks d4d82cdd4a
Fix MySQL Plugin password special character escape bug (#8040)
* Fix MySQL password escape bug

* Add test

* Add debug output

* Add debug line

* Added debug output

* Debug

* Debug

* Update vendor

* Remove debug comments
2020-01-07 16:51:49 +01:00
Brian Kassouf 549faf47f2
Add identity templating helper to sdk/framework (#8088)
* Add identity templating helper to sdk/framework

* Cleanup a bit

* Fix length issue when groups/aliases are filtered due to ns

* review feedback
2020-01-06 10:16:52 -08:00
Jeff Mitchell f437b80370
Update go-hclog to version that removes some possible panics and incorrect mutex locking (#8054) 2019-12-18 16:32:02 -05:00
Becca Petrin 3d7cdea66f
Avoid potential panic in LDAP client (#8047)
* fix potential panic

* add comment

* vendor the ldap update

* use localhost in test
2019-12-17 16:33:59 -08:00
ncabatoff fde5e55ce9
Handle otherName SANs in CSRs (#6163)
If a CSR contains a SAN of type otherName, encoded in UTF-8, and the signing role specifies use_csr_sans, the otherName SAN will be included in the signed cert's SAN extension.

Allow single star in allowed_other_sans to match any OtherName.  Update documentation to clarify globbing behaviour.
2019-12-11 10:16:44 -05:00
Mike Jarmy e42bc0ffc0
Introduce optional service_registration stanza (#7887)
* move ServiceDiscovery into methods

* add ServiceDiscoveryFactory

* add serviceDiscovery field to vault.Core

* refactor ConsulServiceDiscovery into separate struct

* cleanup

* revert accidental change to go.mod

* cleanup

* get rid of un-needed struct tags in vault.CoreConfig

* add service_discovery parser

* add ServiceDiscovery to config

* cleanup

* cleanup

* add test for ConfigServiceDiscovery to Core

* unit testing for config service_discovery stanza

* cleanup

* get rid of un-needed redirect_addr stuff in service_discovery stanza

* improve test suite

* cleanup

* clean up test a bit

* create docs for service_discovery

* check if service_discovery is configured, but storage does not support HA

* tinker with test

* tinker with test

* tweak docs

* move ServiceDiscovery into its own package

* tweak a variable name

* fix comment

* rename service_discovery to service_registration

* tweak service_registration config

* Revert "tweak service_registration config"

This reverts commit 5509920a8ab4c5a216468f262fc07c98121dce35.

* simplify naming

* refactor into ./serviceregistration/consul
2019-12-06 09:46:39 -05:00
Jason O'Donnell 854d00c609 Add int64 pointerutil (#7973) 2019-12-05 14:02:36 -08:00
Seth Vargo 4ac5764c4d Output human duration in TTL warnings (#7901) 2019-11-22 09:38:46 -08:00
Calvin Leung Huang 7009dcc432
sdk/ldaputil: add request_timeout configuration option (#7909)
* sdk/ldaputil: add request_timeout configuration option

* go mod vendor
2019-11-20 11:26:13 -08:00
Jeff Mitchell 9b5392bc8f
Fix cluster cipher test (#7900)
Go 1.13 flipped TLS 1.3 to opt-out instead of opt-in, and its TLS 1.3
support does not allow configuring cipher suites. Simply remove the
affected test; it's not relevant going forward and there's ample
evidence it works properly prior to Go 1.13.
2019-11-18 23:04:49 -05:00
Brian Kassouf 7b833aaec8 bump variables to 1.3 2019-11-11 19:33:14 -08:00
Jeff Mitchell a47758865c Bump go-ldap
Closes https://github.com/hashicorp/vault/pull/7780

Changes to other parts of Vault have to come piece by piece, that's
next.
2019-11-08 11:18:36 -05:00
Jim Kalafut 59e526614d
Run go fmt (#7823) 2019-11-07 08:54:34 -08:00
Jeff Mitchell b998849b73
Update go-metrics in sdk (#7795) 2019-11-05 15:27:07 -05:00
Clint 245935447b
Vault Agent Template (#7652)
* Vault Agent Template: parse templates  (#7540)

* add template config parsing, but it's wrong b/c it's not using mapstructure

* parsing consul templates in agent config

* add additional test to configuration parsing, to cover basics

* another test fixture, rework simple test into table

* refactor into table test

* rename test

* remove flattenKeys and add other test fixture

* Update command/agent/config/config.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* return the decode error instead of swallowing it

* Update command/agent/config/config_test.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* go mod tidy

* change error checking style

* Add agent template doc

* TemplateServer: render secrets with Consul Template (#7621)

* add template config parsing, but it's wrong b/c it's not using mapstructure

* parsing consul templates in agent config

* add additional test to configuration parsing, to cover basics

* another test fixture, rework simple test into table

* refactor into table test

* rename test

* remove flattenKeys and add other test fixture

* add template package

* WIP: add runner

* fix panic, actually copy templates, etc

* rework how the config.Vault is created and enable reading from the environment

* this was supposed to be a part of the prior commit

* move/add methods to testhelpers for converting some values to pointers

* use new methods in testhelpers

* add an unblock channel to block agent until a template has been rendered

* add note

* unblock if there are no templates

* cleanups

* go mod tidy

* remove dead code

* simple test to starT

* add simple, empty templates test

* Update package doc, error logs, and add missing close() on channel

* update code comment to be clear what I'm referring to

* have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only

* Update command/agent.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* update with test

* Add README and doc.go to the command/agent directory (#7503)

* Add README and doc.go to the command/agent directory

* Add link to website

* address feedback for agent.go

* updated with feedback from Calvin

* Rework template.Server to export the unblock channel, and remove it from the NewServer function

* apply feedback from Nick

* fix/restructure rendering test

* Add pointerutil package for converting types to their pointers

* Remove pointer helper methods; use sdk/helper/pointerutil instead

* update newRunnerConfig to use pointerutil and empty strings

* only wait for unblock if template server is initialized

* drain the token channel in this test

* conditionally send on channel
2019-10-18 16:21:46 -05:00
Madalyn 977af116c8 Enable generated items for more auth methods (#7513)
* enable auth method item configuration in go code

* properly parse and list generated items

* make sure we only set name on attrs if a label comes from openAPI

* correctly construct paths object for method index route

* set sensitive property on password for userpass

* remove debugger statements

* pass method model to list route template to use paths on model for tabs

* update tab generation in generated item list, undo enabling userpass users

* enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint

* add editType to DisplayAttributes, pull tokenutil fields into field group

* show sensitive message for sensitive fields displayed in fieldGroupShow component

* grab sensitive and editType fields from displayAttrs in openapi-to-attrs util

* make sure we don't ask for paths for secret backends since that isn't setup yet

* fix styling of sensitive text for fieldGroupShow component

* update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test

* properly log errors to the console

* capitalize This value is sensitive...

* get rid of extra padding on bottom of fieldgroupshow

* make auth methods clickable and use new confirm ux

* Update sdk/framework/path.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* Update sdk/framework/path.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* add whitespace

* return intErr instead of err

* uncomment out helpUrl because we need it

* remove extra box class

* use const instead of let

* remove extra conditional since we already split the pathName later on

* ensure we request the correct url when listing generated items

* use const

* link to list and show pages

* remove dead code

* show nested item name instead of id

* add comments

* show tooltip for text-file inputs

* fix storybook

* remove extra filter

* add TODOs

* add comments

* comment out unused variables but leave them in function signature

* only link to auth methods that can be fully managed in the ui

* clean up comments

* only render tooltip if there is helpText

* rename id authMethodPath

* remove optionsForQuery since we don't need it

* add indentation

* standardize ConfirmMessage and show model name instead of id when editing

* standardize ConfirmMessage and show model name instead of id when editing

* add comments

* post to the correct updateUrl so we can edit users and groups

* use pop instead of slice

* add TODO for finding a better way to store ids

* ensure ids are handled the same way on list and show pages; fix editing and deleting

* add comment about difference between list and show urls

* use model.id instead of name since we do not need it

* remove dead code

* ensure list pages have page headers

* standardize using authMethodPath instead of method and remove dead code

* i love indentation

* remove more dead code

* use new Confirm

* show correct flash message when deleting an item

* update flash message for creating and updating

* use plus icon for creating group/user instead of an arrow
2019-10-17 16:19:14 -07:00
Lexman c86fe212c0
oss changes for entropy augmentation feature (#7670)
* oss changes for entropy augmentation feature

* fix oss command/server/config tests

* update go.sum

* fix logical_system and http/ tests

* adds vendored files

* removes unused variable
2019-10-17 10:33:00 -07:00
Mike Jarmy 510d82551a
Vault Agent Cache Auto-Auth SSRF Protection (#7627)
* implement SSRF protection header

* add test for SSRF protection header

* cleanup

* refactor

* implement SSRF header on a per-listener basis

* cleanup

* cleanup

* creat unit test for agent SSRF

* improve unit test for agent SSRF

* add VaultRequest SSRF header to CLI

* fix unit test

* cleanup

* improve test suite

* simplify check for Vault-Request header

* add constant for Vault-Request header

* improve test suite

* change 'config' to 'agentConfig'

* Revert "change 'config' to 'agentConfig'"

This reverts commit 14ee72d21fff8027966ee3c89dd3ac41d849206f.

* do not remove header from request

* change header name to X-Vault-Request

* simplify http.Handler logic

* cleanup

* simplify http.Handler logic

* use stdlib errors package
2019-10-11 18:56:07 -04:00
Brian Kassouf f43f84a354
Port over cache refresh changes (#7599) 2019-10-08 13:23:43 -07:00
Calvin Leung Huang 7a385a7854 update go.mod and sdk/go.mod 2019-10-04 09:40:23 -07:00
Jeff Mitchell 4252f5c9e4
Add AES128-GCM96 support to transit (#7555) 2019-10-03 16:11:43 -04:00
Jeff Mitchell 6d1e804a22
Add P384 and P521 support to Transit (#7551) 2019-10-03 12:32:43 -04:00
Jeff Mitchell 63f377c6b6 Tidy sdk 2019-09-18 09:09:44 -04:00
Jeff Mitchell f72bc5acb2 Update version for 1.3 dev target on master 2019-09-17 11:36:55 -04:00
Calvin Leung Huang ec64b7c672
logical/request: store the entire http.Request object instead (#7412)
This allows logical operations (along with a non-nil response writer) to
process http handler funcs within the operation function while keeping
auth and audit checks that the logical request flow provides.
2019-09-06 12:40:15 -07:00