Commit graph

1361 commits

Author SHA1 Message Date
Seth Vargo 33765cfe06
Update token cli to parse "verify" 2017-10-24 09:30:48 -04:00
Seth Vargo 7b8c472e22
Update credential help
Use "vault login" instead of "vault auth" and use "method" consistently over provider.
2017-10-24 09:30:47 -04:00
Seth Vargo 0c85a9988d
Return better errors from token failures 2017-10-24 09:26:45 -04:00
Seth Vargo c8eaa8b61b
Add built-in credential provider for tokens
This was previously part of the very long command/auth.go file, where it
mimmicked the same API as other handlers. By making it a builtin
credential, we can remove a lot of conditional logic for token-based
authentication.
2017-10-24 09:26:45 -04:00
Seth Vargo 4a67643c06
Update help output for userpass auth 2017-10-24 09:26:45 -04:00
Seth Vargo de6a839b9f
Update help output for okta auth 2017-10-24 09:26:44 -04:00
Seth Vargo beb525d41b
Update help output for ldap auth 2017-10-24 09:26:44 -04:00
Seth Vargo 323f9ee26b
Update help output for github auth 2017-10-24 09:26:44 -04:00
Seth Vargo 89c84c0b17
Update help output for cert auth 2017-10-24 09:26:44 -04:00
Seth Vargo 21f7bc0dee
Update help output for aws auth 2017-10-24 09:26:44 -04:00
Jeff Mitchell a25dae82dd Final sync 2017-10-23 17:39:21 -04:00
Joel Thompson 325ac0e86e auth/aws: Fix path-help for role endpoint (#3474)
Some of the path help documentation was incorrect for auth/aws/role as
behavior changed during PR development and the help wasn't updated. This
fixes incorrect information and makes the path help somewhat more
consistent.

Fixes #3472
2017-10-23 10:53:09 -04:00
Vishal Nayak 2ede750c78 return the actual error for base64 decoding failure (#3397) 2017-10-20 11:21:45 -04:00
Jeff Mitchell 6c9dd6ed6f Try out a radius fix (#3461) 2017-10-16 16:26:34 -04:00
vishalnayak bb603c7be1 fix typo 2017-10-15 15:43:47 -04:00
Vishal Nayak 59da183b2d add entity aliases from credential backends (#3457) 2017-10-15 15:13:12 -04:00
Jeremy Voorhis af24163abd Implement signing of pre-hashed data (#3448)
Transit backend sign and verify endpoints now support algorithm=none
2017-10-11 11:48:51 -04:00
Jeff Mitchell 7ec7d34783 Status code is an int, fix printing 2017-10-04 15:41:51 -04:00
Jeff Mitchell e3ce60eb1f Allow entering PKI URLs as arrays. (#3409)
Fixes #3407
2017-10-03 16:13:57 -04:00
Vishal Nayak abcf4b3bb2 docs: Added certificate deletion operation API (#3385) 2017-09-26 20:28:52 -04:00
Chris Hoffman a2d2f1a543 Adding support for base_url for Okta api (#3316)
* Adding support for base_url for Okta api

* addressing feedback suggestions, bringing back optional group query

* updating docs

* cleaning up the login method

* clear out production flag if base_url is set

* docs updates

* docs updates
2017-09-15 00:27:45 -04:00
Jeff Mitchell 1076cea5d1 Tests were not actually forcing the intermediate to have a longer TTL
because of mount max TTL constraint. This ups the mount max to force the
test to work as expected.
2017-09-14 22:49:04 -04:00
Jeff Mitchell cb6ac1e926 Change behavior of TTL in sign-intermediate (#3325)
* Fix using wrong public key in sign-self-issued

* Change behavior of TTL in sign-intermediate

This allows signing CA certs with an expiration past the signer's
NotAfter.

It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.

Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
2017-09-13 11:42:45 -04:00
Jeff Mitchell 9077adb377 Sanitize policy behavior across backends (#3324)
Fixes #3323
Fixes #3318

* Fix tests

* Fix tests
2017-09-13 11:36:52 -04:00
Calvin Leung Huang 78b1dfd7bb Handle errors from getRootConfig on aws logical backend (#3294) 2017-09-08 13:00:29 -04:00
Chris Hoffman 53164d528c Fix unauth bind issues due to lib update (#3293) 2017-09-07 08:46:43 -04:00
Jeff Mitchell 44bf03e3b6 Fix compile after dep update 2017-09-05 18:18:34 -04:00
Jeff Mitchell 7be6905eb0 Add a bit more delay to backend test in case Travis is loaded 2017-09-04 14:45:12 -04:00
Joel Thompson 2a53d852f3 auth/aws: Properly handle malformed ARNs (#3280)
The parseIamArn method was making assumptions about the input arn being
properly formatted and of a certain type. If users tried to pass a
bound_iam_principal_arn that was malformed (or was the ARN of the root
user), it would cause a panic. parseIamArn now explicitly checks the
assumptions it's making and tests are added to ensure it properly errors
out (rather than panic'ing) on malformed input.
2017-09-03 20:37:06 -04:00
Lars Lehtonen f3d6866735 Fix goroutine logging in cert test (#3224) 2017-09-01 16:55:16 -04:00
Calvin Leung Huang a581e96b78 Lazy-load plugin mounts (#3255)
* Lazy load plugins to avoid setup-unwrap cycle

* Remove commented blocks

* Refactor NewTestCluster, use single core cluster on basic plugin tests

* Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly

* Add special path to mock plugin

* Move ensureCoresSealed to vault/testing.go

* Use same method for EnsureCoresSealed and Cleanup

* Bump ensureCoresSealed timeout to 60s

* Correctly handle nil opts on NewTestCluster

* Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap

* Check metadata flag directly on the plugin process

* Plumb isMetadataMode down to PluginRunner

* Add NOOP shims when running in metadata mode

* Remove unused flag from the APIMetadata object

* Remove setupSecretPlugins and setupCredentialPlugins functions

* Move when we setup rollback manager to after the plugins are initialized

* Fix tests

* Fix merge issue

* start rollback manager after the credential setup

* Add guards against running certain client and server functions while in metadata mode

* Call initialize once a plugin is loaded on the fly

* Add more tests, update basic secret/auth plugin tests to trigger lazy loading

* Skip mount if plugin removed from catalog

* Fixup

* Remove commented line on LookupPlugin

* Fail on mount operation if plugin is re-added to catalog and mount is on existing path

* Check type and special paths on startBackend

* Fix merge conflicts

* Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth
2017-09-01 01:02:03 -04:00
Jeff Mitchell abb2ab2918 Add pki/root/sign-self-issued. (#3274)
* Add pki/root/sign-self-issued.

This is useful for root CA rolling, and is also suitably dangerous.

Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.

* Add tests
2017-08-31 23:07:15 -04:00
Jeff Mitchell 223c4fc325 Change auth helper interface to api.Secret. (#3263)
This allows us to properly handle wrapped responses.

Fixes #3217
2017-08-31 16:57:00 -04:00
Jeff Mitchell d62937aaf3 Use TypeDurationSecond for TTL values in PKI. (#3270) 2017-08-31 15:46:13 -04:00
Chris Hoffman 194491759d Updating Okta lib for credential backend (#3245)
* migrating to chrismalek/oktasdk-go Okta library

* updating path docs

* updating bool reference from config
2017-08-30 22:37:21 -04:00
Jeff Mitchell 8acef196a8 Add 'discard' target to file audit backend (#3262)
Fixes #seth
2017-08-30 19:16:47 -04:00
Joel Thompson caf90f58d8 auth/aws: Allow wildcard in bound_iam_principal_id (#3213) 2017-08-30 17:51:48 -04:00
Christopher Pauley eccbb21ce8 stdout support for file backend via logger (#3235) 2017-08-29 14:51:16 -04:00
Lars Lehtonen 13901b1346 fix swallowed errors in pki package tests (#3215) 2017-08-29 13:15:36 -04:00
Jeff Mitchell 27ae5a269d Compare groups case-insensitively at login time (#3240)
* Compare groups case-insensitively at login time, since Okta groups are
case-insensitive but preserving.

* Make other group operations case-preserving but otherwise
case-insensitive. New groups will be written in lowercase.
2017-08-25 14:48:37 -04:00
Jeff Mitchell fe8528e56c Have Okta properly handle create/update for org/ttl/max_ttl. (#3236) 2017-08-24 18:18:05 -04:00
EXPEddrewery cf4e8f0543 Add 'Period' support to AWS IAM token renewal (#3220) 2017-08-22 09:50:53 -04:00
Jeff Mitchell a51f3ece2b Revert "Add the ability to use root credentials for AWS IAM authentication. (#3181)" (#3212)
This reverts commit e99a2cd87726986cb0896fdc445a3d5f3c11a66d.

Fixes #3198

See discussion in #3198 for context.
2017-08-18 19:46:08 -04:00
Calvin Leung Huang 86ea7e945d Add plugin auto-reload capability (#3171)
* Add automatic plugin reload

* Refactor builtin/backend

* Remove plugin reload at the core level

* Refactor plugin tests

* Add auto-reload test case

* Change backend to use sync.RWMutex, fix dangling test plugin processes

* Add a canary to plugin backends to avoid reloading many times (#3174)

* Call setupPluginCatalog before mount-related operations in postUnseal

* Don't create multiple system backends since core only holds a reference (#3176)

to one.
2017-08-15 22:10:32 -04:00
Jeff Mitchell 83cd8cd26a Add the ability to use root credentials for AWS IAM authentication. (#3181)
Partial fix for #3179
2017-08-15 21:26:16 -04:00
Jeff Mitchell 340fe4e609 Add permitted dns domains to pki (#3164) 2017-08-15 16:10:36 -04:00
Jeff Mitchell e4eb6e9020 Make PKI root generation idempotent-ish and add delete endpoint. (#3165) 2017-08-15 14:00:40 -04:00
Calvin Leung Huang b023d46cb8 Direct plugin logs through vault's logger (#3142)
* Direct plugin logs through vault's logger

* Pass in a logger in testConfig
2017-08-15 10:16:48 -04:00
Jeff Mitchell a133286609 Switch policies in AppRole to TypeCommaStringSlice (#3163) 2017-08-14 20:15:51 -04:00
Brian Kassouf 2e80e6488f Bump database plugin protocol version 2017-08-08 17:01:38 -07:00