Calvin Leung Huang
2b7a66e23b
Use variables for string replacements on cert_util
2017-05-02 14:11:57 -04:00
Brian Kassouf
c8bbea9f37
Rename NewPluginServer to just Serve
2017-05-02 02:00:39 -07:00
Ben Gadbois
537342f038
Fixing printf (and similar) issues ( #2666 )
2017-05-01 23:34:10 -04:00
Brian Kassouf
b3819c433b
Don't store an error response as a package variable
2017-05-01 15:30:56 -07:00
Brian Kassouf
9a60ec9fda
Update interface name from Wrapper to a more descriptive RunnerUtil
2017-05-01 14:59:55 -07:00
Justin Gerace
403efeb5ae
Add globbing support to the PKI backend's allowed_domains list ( #2517 )
2017-05-01 10:40:18 -04:00
Michael Ansel
30b71cbbac
Add constraints on the Common Name for certificate-based authentication ( #2595 )
...
* Refactor to consolidate constraints on the matching chain
* Add CN prefix/suffix constraint
* Maintain backwards compatibility (pick a random cert if multiple match)
* Vendor go-glob
* Replace cn_prefix/suffix with required_name/globbing
Move all the new tests to acceptance-capable tests instead of embedding in the CRL test
* Allow authenticating against a single cert
* Add new params to documentation
* Add CLI support for new param
* Refactor for style
* Support multiple (ORed) name patterns
* Rename required_names to allowed_names
* Update docs for parameter rename
* Use the new TypeCommaStringSlice
2017-04-30 11:37:10 -04:00
Jeff Mitchell
9a72b3162f
Flip back to sstarcher go-okta post-merge
2017-04-28 17:21:49 -04:00
Calvin Leung Huang
ff4cf41ebb
Add test for ca and crl case
2017-04-28 08:55:28 -04:00
Jeff Mitchell
0f214cc502
Switch to jefferai/go-okta for now to work around Fatal lines in upstream ( #2658 )
...
Switch to jefferai/go-okta for now to work around Fatal lines in upstream
2017-04-28 08:39:51 -04:00
Vishal Nayak
8bb6c8caef
Return error message for failure to parse CSR ( #2657 )
2017-04-28 08:30:24 -04:00
Calvin Leung Huang
802d030506
Refactor cert_util_test
2017-04-27 17:09:59 -04:00
Calvin Leung Huang
b5990321bf
Verify update operation was performed on revokeCert
2017-04-27 12:30:44 -04:00
Calvin Leung Huang
3b27a9c12c
Rename tests, use HandleRequest() for existing paths
2017-04-27 09:47:56 -04:00
Brian Kassouf
53752c3002
Add check to ensure we don't overwrite existing connections
2017-04-26 16:43:42 -07:00
Brian Kassouf
081101c7cf
Add an error check to reset a plugin if it is closed
2017-04-26 15:55:34 -07:00
Brian Kassouf
d0cad5345a
Update to a RWMutex
2017-04-26 15:23:14 -07:00
Calvin Leung Huang
628e5d594b
Add remaining tests
2017-04-26 16:05:58 -04:00
Brian Kassouf
4782d9d2af
Update the error messages for renew and revoke
2017-04-26 10:29:16 -07:00
Brian Kassouf
892812d67d
Change ttl types to TypeDurationSecond
2017-04-26 10:02:37 -07:00
Calvin Leung Huang
d24757f2e0
Fix crl_util test
2017-04-26 09:58:34 -04:00
Calvin Leung Huang
18ed2d6097
Tests for cert and crl util
2017-04-26 02:46:01 -04:00
Brian Kassouf
e3e5f12f9e
Default deny when allowed roles is empty
2017-04-25 11:48:24 -07:00
Brian Kassouf
207d01fd39
Update the connection details data and fix allowedRoles
2017-04-25 11:11:10 -07:00
Brian Kassouf
eb0f831d6a
Rename path_role_create to path_creds_create
2017-04-25 10:39:17 -07:00
Brian Kassouf
3d3e4eb5a4
Use TypeCommaStringSlice for allowed_roles
2017-04-25 10:26:23 -07:00
Brian Kassouf
bed1c17b1e
Update logging to new structure
2017-04-25 10:24:19 -07:00
Brian Kassouf
f25b367732
Don't uppercase ErrorResponses
2017-04-24 14:03:48 -07:00
Brian Kassouf
378ae98809
s/DatabaseType/Database/
2017-04-24 13:59:12 -07:00
Joel Thompson
e06a78a474
Create unified aws auth backend ( #2441 )
...
* Rename builtin/credential/aws-ec2 to aws
The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.
* Expand aws-ec2 backend to more generic aws
This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.
* Add missing aws auth handler to CLI
This was omitted from the previous commit
* aws auth backend general variable name cleanup
Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.
* Update docs for the aws auth backend
* Refactor aws bind validation
* Fix env var override in aws backend test
Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.
* Update docs on use of IAM authentication profile
AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.
* Fix typo in aws auth cli help
* Respond to PR feedback
* More PR feedback
* Respond to additional PR feedback
* Address more feedback on aws auth PR
* Make aws auth_type immutable per role
* Address more aws auth PR feedback
* Address more iam auth PR feedback
* Rename aws-ec2.html.md to aws.html.md
Per PR feedback, to go along with new backend name.
* Add MountType to logical.Request
* Make default aws auth_type dependent upon MountType
When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.
* Pass MountPoint and MountType back up to the core
Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
Brian Kassouf
6f9d178370
Calls to builtin plugins now go directly to the implementation instead of go-plugin
2017-04-20 18:46:41 -07:00
Brian Kassouf
af9ff63e9a
Merge remote-tracking branch 'oss/master' into database-refactor
2017-04-19 15:16:00 -07:00
Chris Hoffman
847c86f788
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
Chris Hoffman
938eab37b6
Do not lowercase groups attached to users in ldap ( #2613 )
2017-04-19 10:36:45 -04:00
Chris Hoffman
2ee593c6ea
Mssql driver update ( #2610 )
...
* Switching driver from mssql to sqlserver
* Adding explicit database to sp_msloginmappings call
2017-04-18 17:49:59 -04:00
Jeff Mitchell
4995c69763
Update sign-verbatim to correctly set generate_lease ( #2593 )
2017-04-18 15:54:31 -04:00
Mitch Davis
a051ec1b59
Use service bind for searching LDAP groups ( #2534 )
...
Fixes #2387
2017-04-18 15:52:05 -04:00
Jeff Mitchell
0897da93f0
Parse and dedup but do not lowercase principals in SSH certs. ( #2591 )
2017-04-18 12:21:02 -04:00
Jeff Mitchell
822d86ad90
Change storage of entries from colons to hyphens and add a
...
lookup/migration path
Still TODO: tests on migration path
Fixes #2552
2017-04-18 11:14:23 -04:00
Jeff Mitchell
e8adc13826
Fix cassandra dep breakage
2017-04-17 11:51:42 -04:00
Vishal Nayak
09cd069435
Consider new bounds as a criteria to allow role creation ( #2600 )
...
* Consider new bounds as a criteria to allow role creation
* Added a test
2017-04-17 10:36:11 -04:00
Jeff Mitchell
79fb8bdf69
Verify that a CSR specifies IP SANs before checking whether it's allowed ( #2574 )
2017-04-13 13:40:31 -04:00
Brian Kassouf
883c80540a
Add allowed_roles parameter and checks
2017-04-13 10:33:34 -07:00
Brian Kassouf
0cfe1ea81c
Cleanup path files
2017-04-12 17:35:02 -07:00
Brian Kassouf
a9a05f5bba
Update Type() to return an error
2017-04-12 16:41:06 -07:00
Brian Kassouf
8ccf10641b
Merge branch 'master' into database-refactor
2017-04-12 14:29:10 -07:00
Brian Kassouf
128f25c13d
Update help text and comments
2017-04-11 11:50:34 -07:00
Brian Kassouf
c85b7be22f
Remove unnecessary abstraction
2017-04-10 18:38:34 -07:00
Brian Kassouf
8071aed758
Mlock the plugin process
2017-04-10 17:12:52 -07:00
Brian Kassouf
f6ff3b1146
Add a flag to tell plugins to verify the connection was successful
2017-04-10 15:36:59 -07:00
Brian Kassouf
db91a80540
Update plugin test
2017-04-10 14:12:28 -07:00
Brian Kassouf
bbbd81220c
Update the interface for plugins removing functions for creating creds
2017-04-10 12:24:16 -07:00
Brian Kassouf
459e3eda4e
Update backend tests
2017-04-10 10:35:16 -07:00
Brian Kassouf
93136ea51e
Add backend test
2017-04-07 15:50:03 -07:00
Shivaram Lingamneni
2117dfd717
implement a no_store option for pki roles ( #2565 )
2017-04-07 11:25:47 -07:00
Jeff Mitchell
f805618a2c
Update SSH CA documentation
...
Fixes #2551
Fixes #2569
2017-04-07 11:59:25 -04:00
Brian Kassouf
62d59e5f4e
Move plugin code into sub directory
2017-04-06 12:20:10 -07:00
Brian Kassouf
ca2c3d0c53
Refactor to use builtin plugins from an external repo
2017-04-05 16:20:31 -07:00
Calvin Leung Huang
2255884a4c
Do not mark conn as initialized until the end ( #2567 )
2017-04-04 14:26:59 -07:00
Brian Kassouf
305ccd54f7
Don't return strings, always structs
2017-04-04 11:33:58 -07:00
Calvin Leung Huang
9dd666c7e6
Database refactor invalidate ( #2566 )
...
* WIP on invalidate function
* cassandraConnectionProducer has Close()
* Delete database from connections map on successful db.Close()
* Move clear connection into its own func
* Use const for database config path
2017-04-04 11:32:42 -07:00
vishalnayak
049e086b07
Fix typo. Closes GH-2528
2017-04-04 12:29:18 -04:00
Jeff Mitchell
709389dd36
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
...
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
Brian Kassouf
b506bd7790
On change of configuration rotate the database type
2017-04-03 18:30:38 -07:00
Brian Kassouf
d7dd0ab35c
Merge branch 'database-refactor' of github.com:hashicorp/vault into database-refactor
2017-04-03 17:52:41 -07:00
Brian Kassouf
e8781b6a2b
Plugin catalog
2017-04-03 17:52:29 -07:00
Calvin Leung Huang
aa15a1d3a9
Database refactor mssql ( #2562 )
...
* WIP on mssql secret backend refactor
* Add RevokeUser test, and use sqlserver driver internally
* Remove debug statements
* Fix code comment
2017-04-03 09:59:30 -07:00
Brian Kassouf
210fa77e3c
fix for plugin commands that have more than one paramater
2017-03-28 14:37:57 -07:00
Brian Kassouf
50729a4528
Add comments to connection and credential producers
2017-03-28 13:08:11 -07:00
Brian Kassouf
b09526e1c9
Cleanup the db factory code and add comments
2017-03-28 12:57:30 -07:00
Brian Kassouf
6b877039e7
Update tests
2017-03-28 12:20:17 -07:00
Brian Kassouf
c50a6ebc39
Add functionaility to build db objects from disk so restarts work
2017-03-28 11:30:45 -07:00
Brian Kassouf
02b0230f19
Fix for checking types of database on update
2017-03-28 10:04:42 -07:00
Brian Kassouf
494f963581
Wrap the database calls with tracing information
2017-03-27 15:17:28 -07:00
Brian Kassouf
2799586f45
Remove the unused sync.Once object
2017-03-27 11:46:20 -07:00
Brian Kassouf
29ae4602dc
More work on getting tests to pass
2017-03-23 15:54:15 -07:00
Brian Kassouf
c0223d888e
Remove unsused code block
2017-03-22 17:09:39 -07:00
Brian Kassouf
1068076703
s/postgres/mysql/
2017-03-22 16:44:33 -07:00
Brian Kassouf
dac1bb210b
Add test files for postgres and mysql databases
2017-03-22 16:39:08 -07:00
Brian Kassouf
ae9961b811
Add a error message for empty creation statement
2017-03-22 12:40:16 -07:00
Brian Kassouf
c55bef85d3
Fix race with deleting the connection
2017-03-22 09:54:19 -07:00
Brian Kassouf
85ef468d46
Add a delete method
2017-03-21 17:19:30 -07:00
Brian Kassouf
83ff132705
Verify connections regardless of if this connections is already existing
2017-03-21 16:05:59 -07:00
Vishal Nayak
003ef004c6
sshca: ensure atleast cert type is allowed ( #2508 )
2017-03-19 18:58:48 -04:00
Brian Kassouf
a4e5e0f8c9
Comment and fix plugin Type function
2017-03-16 18:24:56 -07:00
Brian Kassouf
417770a58f
Change the handshake config from the default
2017-03-16 17:51:25 -07:00
Brian Kassouf
2873825848
Add a secure config to verify the checksum of the plugin
2017-03-16 16:20:18 -07:00
Brian Kassouf
f2df4ef0e7
Comment and slight refactor of the TLS plugin helper
2017-03-16 14:14:49 -07:00
Brian Kassouf
0a52ea5c69
Break tls code into helper library
2017-03-16 11:55:21 -07:00
Jeff Mitchell
24886c1006
Ensure CN check is made when exclude_cn_from_sans is used
...
Fixes #2363
2017-03-16 11:41:13 -04:00
Jeff Mitchell
ae8967d635
Always include a hash of the public key and "vault" (to know where it ( #2498 )
...
came from) when generating a cert for SSH.
Follow on from #2494
2017-03-16 11:14:17 -04:00
Mike Okner
95df7beed9
Adding allow_user_key_ids field to SSH role config ( #2494 )
...
Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name. Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.
2017-03-16 08:45:11 -04:00
Brian Kassouf
eb6117cbb2
Work on TLS communication over plugins
2017-03-15 17:14:48 -07:00
Jeff Mitchell
12e5132779
Allow roles to specify whether CSR SANs should be used instead of ( #2489 )
...
request values. Fix up some documentation.
Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
Jeff Mitchell
7ab6844eb4
Set CA chain when intermediate does not have an authority key ID.
...
This is essentially an approved review of the code provided in #2465 .
Fixes #2465
2017-03-15 11:52:02 -04:00
Brian Kassouf
3ecb344878
wrap plugin database type with metrics middleware
2017-03-14 13:12:47 -07:00
Brian Kassouf
822a3eb20a
Add a metrics middleware
2017-03-14 13:11:28 -07:00
Stanislav Grozev
662b372364
Reads on unconfigured SSH CA public key return 400
2017-03-14 10:21:48 -04:00
Stanislav Grozev
7d59d7d3ac
Reads on ssh/config/ca return the public keys
...
If configured/generated.
2017-03-14 10:21:48 -04:00
Stanislav Grozev
830de2dbbd
If generating an SSH CA signing key - return the public part
...
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
2017-03-14 10:21:48 -04:00
Brian Kassouf
2054fff890
Add a way to initalize plugins and builtin databases the same way.
2017-03-13 14:39:55 -07:00
Brian Kassouf
71b81aad23
Add checksum attribute
2017-03-10 14:10:42 -08:00
Brian Kassouf
a11911d4d4
Rename reset to close
2017-03-09 22:35:45 -08:00
Brian Kassouf
fda45f531d
Add special path to enforce root on plugin configuration
2017-03-09 21:31:29 -08:00
Brian Kassouf
748c70cfb4
Add plugin file
2017-03-09 17:43:58 -08:00
Brian Kassouf
9099231229
Add plugin features
2017-03-09 17:43:37 -08:00
Vishal Nayak
220beb2cde
doc: ssh allowed_users update ( #2462 )
...
* doc: ssh allowed_users update
* added some more context in default_user field
2017-03-09 10:34:55 -05:00
vishalnayak
f085cd71ab
Fix typo
2017-03-08 17:49:39 -05:00
Brian Kassouf
b7128f8370
Update secrets fields
2017-03-08 14:46:53 -08:00
Vishal Nayak
766c2e6ee0
SSH CA enhancements ( #2442 )
...
* Use constants for storage paths
* Upgrade path for public key storage
* Fix calculateValidPrincipals, upgrade ca_private_key, and other changes
* Remove a print statement
* Added tests for upgrade case
* Make exporting consistent in creation bundle
* unexporting and constants
* Move keys into a struct instead of plain string
* minor changes
2017-03-08 17:36:21 -05:00
Brian Kassouf
2fb6bf9882
Fix renew and revoke calls
2017-03-07 17:21:44 -08:00
Brian Kassouf
b7c3b4b0d7
Add defaults to the cassandra databse type
2017-03-07 17:00:52 -08:00
Brian Kassouf
3976a2a0a6
Pass statements object
2017-03-07 16:48:17 -08:00
Brian Kassouf
843d584254
Remove unused sql object
2017-03-07 15:34:23 -08:00
Brian Kassouf
919155ab12
Remove double lock
2017-03-07 15:33:05 -08:00
Brian Kassouf
c959882b93
Update locking functionaility
2017-03-07 13:48:29 -08:00
Jeff Mitchell
3d162b63cc
Use locks in a slice rather than a map, which is faster and makes things cleaner ( #2446 )
2017-03-07 11:21:32 -05:00
Jeff Mitchell
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Brian Kassouf
bc53e119ca
rename mysql variable
2017-03-03 15:07:41 -08:00
Brian Kassouf
bba832e6bf
Make db instances immutable and add a reset path to tear down and create a new database instance with an updated config
2017-03-03 14:38:49 -08:00
Brian Kassouf
29e07ac9e8
Fix mysql connections
2017-03-03 14:38:49 -08:00
Brian Kassouf
24ddea9954
Add mysql into the factory
2017-03-03 14:38:48 -08:00
Brian Kassouf
8e8f260d96
Add max connection lifetime param and set consistancy on cassandra session
2017-03-03 14:38:48 -08:00
Brian Kassouf
1f009518cd
s/Statement/Statements/
2017-03-03 14:38:48 -08:00
Brian Kassouf
46aa7142c1
Add mysql database type
2017-03-03 14:38:48 -08:00
Brian Kassouf
2ec5ab5616
More work on refactor and cassandra database
2017-03-03 14:38:48 -08:00
Brian Kassouf
acdcd79af3
Begin work on database refactor
2017-03-03 14:38:48 -08:00
Vishal Nayak
4b81bcb379
ssh: Added DeleteOperation to config/ca ( #2434 )
...
* ssh: Added DeleteOperation to config/ca
* Address review feedback
2017-03-03 10:19:45 -05:00
Vishal Nayak
491a56fe9f
AppRole: Support restricted use tokens ( #2435 )
...
* approle: added token_num_uses to the role
* approle: added RUD tests for token_num_uses on role
* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
Jeff Mitchell
55e69277ce
Update SSH CA logic/tests
2017-03-02 16:39:22 -05:00
Vishal Nayak
a1331278ff
Refactor the generate_signing_key processing ( #2430 )
2017-03-02 16:22:06 -05:00
Jeff Mitchell
fa474924aa
Update error text to make it more obvious what the issue is when valid principals aren't found
2017-03-02 15:56:08 -05:00
Jeff Mitchell
eca68d5913
Fix a bunch of errors from returning 5xx, and parse more duration types
2017-03-02 15:38:34 -05:00
Will May
70bfdb5ae9
Changes from code review
2017-03-02 14:36:13 -05:00
Will May
36b3d89604
Allow internal generation of the signing SSH key pair
2017-03-02 14:36:13 -05:00
Vishal Nayak
3795d2ea64
Rework ssh ca ( #2419 )
...
* docs: input format for default_critical_options and default_extensions
* s/sshca/ssh
* Added default_critical_options and default_extensions to the read endpoint of role
* Change default time return value to 0
2017-03-01 15:50:23 -05:00
Will May
9f75f84175
Changes from code review
...
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
2017-03-01 15:19:18 -05:00
Will May
ff1ff02bd7
Changes from code review
...
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
2017-03-01 15:19:18 -05:00
Will May
099d561b20
Add ability to create SSH certificates
2017-03-01 15:19:18 -05:00
Jeff Mitchell
47f8478a97
Fix github compile breakage after dep upgrade
2017-02-24 15:32:05 -05:00
Vishal Nayak
b762c43fe2
Aws Ec2 additional binds for SubnetID, VpcID and Region ( #2407 )
...
* awsec2: Added bound_region
* awsec2: Added bound_subnet_id and bound_vpc_id
* Add bound_subnet_id and bound_vpc_id to docs
* Remove fmt.Printf
* Added crud test for aws ec2 role
* Address review feedback
2017-02-24 14:19:10 -05:00
vishalnayak
2e911fc650
Fix broken build caused due to resolve merge conflicts
2017-02-24 12:41:20 -05:00
Vishal Nayak
c6f138bb9a
PKI: Role switch to control lease generation ( #2403 )
...
* pki: Make generation of leases optional
* pki: add tests for upgrading generate_lease
* pki: add tests for leased and non-leased certs
* docs++ pki generate_lease
* Generate lease is applicable for both issuing and signing
* pki: fix tests
* Address review feedback
* Address review feedback
2017-02-24 12:12:40 -05:00
Saj Goonatilleke
01f3056b8b
pki: Include private_key_type on DER-formatted responses from /pki/issue/ ( #2405 )
2017-02-24 11:17:59 -05:00
Jeff Mitchell
c81582fea0
More porting from rep ( #2388 )
...
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell
0c39b613c8
Port some replication bits to OSS ( #2386 )
2017-02-16 15:15:02 -05:00
Jeff Mitchell
d7a6ec8d43
Add some repcluster handling to audit and add some tests ( #2384 )
...
* Add some repcluster handling to audit and add some tests
* Fix incorrect assumption about nil auth
2017-02-16 13:09:53 -05:00
Jeff Mitchell
c96fe56d44
Fix copypasta, thanks tests
2017-02-16 01:32:39 -05:00
Jeff Mitchell
817bec0955
Add Organization support to PKI backend. ( #2380 )
...
Fixes #2369
2017-02-16 01:04:29 -05:00
Vishal Nayak
eb4ef0f6e0
cidrutil: added test data points ( #2378 )
2017-02-16 00:51:02 -05:00
Vishal Nayak
81c95b36eb
aws-ec2 auth: Return the role period in seconds ( #2374 )
...
* aws-ec2 auth: Return the role period in seconds
* cast return values to int64 for comparison with expected values
2017-02-15 10:57:57 -05:00
Jeff Mitchell
04b4a6aa50
Fix Okta auth issue when a user has no policies and/or groups set. ( #2371 )
...
Fixes #2367
2017-02-14 16:28:16 -05:00
Tommy Murphy
ca06bc0b53
audit: support a configurable prefix string to write before each message ( #2359 )
...
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
2017-02-10 16:56:28 -08:00
vishalnayak
2bbc247ab4
use net.JoinHostPort
2017-02-08 18:39:09 -05:00
Jeff Mitchell
72db329d67
Add support for backup/multiple LDAP URLs. ( #2350 )
2017-02-08 14:59:24 -08:00
Jeff Mitchell
a217be589c
Merge pull request #2154 from fcantournet/default-ldap-username
...
ldap auth via cli defaults username to env (#2137 )
2017-02-07 21:47:59 -08:00
Jeff Mitchell
a2f07acbc4
Use Getenv instead of LookupEnv
...
This prevents returning empty username if LOGNAME is set but empty and USER is set but not empty.
2017-02-07 21:47:06 -08:00
Jeff Mitchell
f05b482e46
Update error text
2017-02-07 21:44:23 -08:00
Jeff Mitchell
8f957579d8
Update some help text for RADIUS
2017-02-07 16:06:27 -05:00
Matteo Sessa
29d9d5676e
RADIUS Authentication Backend ( #2268 )
2017-02-07 16:04:27 -05:00
Brian Kassouf
2923934813
Merge pull request #2326 from hashicorp/pr-2161
...
Add Socket Audit Backend
2017-02-07 11:27:25 -08:00
Vishal Nayak
7f2717b74a
transit: change batch input format ( #2331 )
...
* transit: change batch input format
* transit: no json-in-json for batch response
* docs: transit: update batch input format
* transit: fix tests after changing response format
2017-02-06 14:56:16 -05:00
Brian Kassouf
09049c2787
Added a single retry after a reconnection
2017-02-06 11:38:38 -08:00
Brian Kassouf
af1847f2b4
Update the docs and move the logic for reconnecting into its own function
2017-02-04 16:55:17 -08:00
Jeff Mitchell
5de633fd27
Make userpass help text mention radius too
2017-02-04 07:48:30 -05:00
Jeff Mitchell
a8ea05f365
Add default mount param to userpass cli handler
2017-02-04 07:47:09 -05:00
Brian Kassouf
b38eeec96a
Add write deadline and a Reload function
2017-02-02 15:44:56 -08:00
Harrison Harnisch
b09077c2d8
add socket audit backend
2017-02-02 14:21:48 -08:00
Brian Kassouf
6701ba8a10
Configure the request headers that are output to the audit log ( #2321 )
...
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited
* Remove some debug lines
* Add a persistant layer and refactor a bit
* update the api endpoints to be more restful
* Add comments and clean up a few functions
* Remove unneeded hash structure functionaility
* Fix existing tests
* Add tests
* Add test for Applying the header config
* Add Benchmark for the ApplyConfig method
* ResetTimer on the benchmark:
* Update the headers comment
* Add test for audit broker
* Use hyphens instead of camel case
* Add size paramater to the allocation of the result map
* Fix the tests for the audit broker
* PR feedback
* update the path and permissions on config/* paths
* Add docs file
* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
Vishal Nayak
5fb28f53cb
Transit: Support batch encryption and decryption ( #2143 )
...
* Transit: Support batch encryption
* Address review feedback
* Make the normal flow go through as a batch request
* Transit: Error out if encryption fails during batch processing
* Transit: Infer the 'derived' parameter based on 'context' being set
* Transit: Batch encryption doc updates
* Transit: Return a JSON string instead of []byte
* Transit: Add batch encryption tests
* Remove plaintext empty check
* Added tests for batch encryption, more coming..
* Added more batch encryption tests
* Check for base64 decoding of plaintext before encrypting
* Transit: Support batch decryption
* Transit: Added tests for batch decryption
* Transit: Doc update for batch decryption
* Transit: Sync the path-help and website docs for decrypt endpoint
* Add batch processing for rewrap
* transit: input validation for context
* transit: add rewrap batch option to docs
* Remove unnecessary variables from test
* transit: Added tests for rewrap use cases
* Address review feedback
* Address review feedback
* Address review feedback
* transit: move input checking out of critical path
* transit: allow empty plaintexts for batch encryption
* transit: use common structs for batch processing
* transit: avoid duplicate creation of structs; add omitempty to response structs
* transit: address review feedback
* transit: fix tests
* address review feedback
* transit: fix tests
* transit: rewrap encrypt user error should not error out
* transit: error out for internal errors
2017-02-02 14:24:20 -05:00
Vishal Nayak
3457a11afd
awsec2: support periodic tokens ( #2324 )
...
* awsec2: support periodic tokens
* awsec2: add api docs for 'period'
2017-02-02 13:28:01 -05:00
Vishal Nayak
14fcc4b6eb
approle: secret-id listing lock sanity check ( #2315 )
...
* approle: secret-id listing lock sanity
* Skip processing an empty secretIDHMAC item during the iteration
* approle: use dedicated lock for listing of secret-id-accessors
2017-02-01 18:13:49 -05:00
louism517
0548555219
Support for Cross-Account AWS Auth ( #2148 )
2017-02-01 14:16:03 -05:00
Jeff Mitchell
47274eca88
Add cleanup functions to multiple DB backends. ( #2313 )
...
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
Jeff Mitchell
f1a5a858d3
Make export errors a bit more meaningful
2017-01-30 09:25:50 -05:00
Jeff Mitchell
2e15dc93df
Have transit exporting return the same structure regardless of one key or many
2017-01-28 10:37:35 -05:00
Shane Starcher
6033ea884c
Okta implementation ( #1966 )
2017-01-26 19:08:52 -05:00
Brian Kassouf
e788780709
Migrate cassandra test from acceptance to dockertest ( #2295 )
2017-01-25 15:37:55 -05:00
Jeff Mitchell
f43a041bf2
Revert "Disable PKI OU tests to fix the build"
...
This reverts commit b1ab7c5603180af9073caab1b3022ca438dc12be.
2017-01-24 09:58:28 -05:00
vishalnayak
c8b6ab7223
Disable PKI OU tests to fix the build
2017-01-24 06:25:56 -05:00
joe miller
98df700495
allow roles to set OU value in certificates issued by the pki backend ( #2251 )
2017-01-23 12:44:45 -05:00
Chris Hoffman
7568a212b1
Adding support for exportable transit keys ( #2133 )
2017-01-23 11:04:43 -05:00
Vishal Nayak
5aba2d47b6
ldap: Minor enhancements, tests and doc update ( #2272 )
2017-01-23 10:56:43 -05:00
Vishal Nayak
fa7d61baa3
Merge pull request #2202 from fcantournet/fix_govet_fatalf
...
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Vishal Nayak
1d7ded02b4
Merge pull request #2152 from mr-tron/master
...
Thanks for submitting this. I am going to merge this in and write tests.
2017-01-13 14:29:46 -05:00
Vishal Nayak
e019cca4ea
Merge pull request #2257 from bkrodgers/git-config-read
...
Added a 'read' for github config
2017-01-11 12:23:00 -05:00
Brian Rodgers
f33d35f3de
Added a nil check for config and renamed org field internally.
2017-01-11 11:04:15 -06:00
Matthew Irish
cb8bbc4fbd
Transit key actions ( #2254 )
...
* add supports_* for transit key reads
* update transit docs with new supports_* fields
2017-01-11 10:05:06 -06:00
Brian Rodgers
a8f12dff01
Added a 'read' for github config
2017-01-10 18:21:31 -06:00
joe miller
78dacc154a
sign-verbatim should set use_csr_common_name to true ( #2243 )
2017-01-10 09:47:59 -05:00
Jeff Mitchell
80dc5819d3
Use dockertest.v2 ( #2247 )
...
New dockertest has a totally different API and will require some serious
refactoring. This will tide over until then by pinning the API version.
2017-01-09 13:46:54 -05:00
Félix Cantournet
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
vishalnayak
1816446f46
Address review feedback
2016-12-20 11:19:47 -05:00
vishalnayak
b3e323bbcc
pki: Avoiding a storage read
2016-12-20 11:07:20 -05:00
Brian Nuszkowski
db5e0bb3c3
Minor cleanup in audit backend ( #2194 )
2016-12-19 15:35:55 -05:00
vishalnayak
2e23f1a992
pki: Appended error to error message
2016-12-19 10:49:32 -05:00
vishalnayak
ba1cc709bd
PKI: Added error to the error message
2016-12-19 10:47:29 -05:00
Jeff Mitchell
bb54bd40f6
normalize some capitlization in error messages
2016-12-15 19:02:33 -05:00
Jeff Mitchell
8fff7daf51
Don't panic when TLS is enabled but the initial dial doesn't return a connection ( #2188 )
...
Related to #2186
2016-12-15 15:49:30 -05:00
Félix Cantournet
e818efde7c
ldap auth via cli defaults username to env ( #2137 )
...
try to guess the username from 'LOGNAME' or if it isn't set 'USER'
2016-12-02 19:08:32 +01:00
Jeff Mitchell
6ee61af87f
Fix nil value panic when Consul returns a user error ( #2145 )
2016-12-01 10:22:32 -08:00
Brian Nuszkowski
3d66907966
Disallow passwords LDAP binds by default ( #2103 )
2016-12-01 10:11:40 -08:00
Denis Subbotin
2797c609b0
fix checking that users policies is not nil
2016-11-29 16:35:49 +03:00
Denis Subbotin
cc374b3e2c
add support per user acl for ldap users
2016-11-29 13:32:59 +03:00
Thomas Soëte
5eaef287a8
Close ldap connection to avoid leak ( #2130 )
2016-11-28 09:31:36 -08:00
Jeff Mitchell
890c19312f
Update path help for approle secret id TTL
2016-11-15 11:50:51 -05:00
Daniel Somerfield
637414a623
Added support for individual user policy mapping in github auth backend. ( #2079 )
2016-11-10 16:21:14 -05:00
vascop
ba3dc07bb3
Fix typo and remove trailing whitespace. ( #2074 )
2016-11-08 09:32:23 -05:00
Jeff Mitchell
aa68041231
Fix GitHub tests
2016-11-08 07:13:42 -05:00
Glenn McAllister
50c8af0515
Add ldap tls_max_version config ( #2060 )
2016-11-07 13:43:39 -05:00
Jeff Mitchell
26fa2655b1
Add listing to Consul secret roles ( #2065 )
2016-11-04 12:35:16 -04:00
vishalnayak
65f0ce8ca3
Remove the sanity check which is not proving to be useful
2016-10-27 19:11:26 -04:00
vishalnayak
dc93e57cf1
Return the revocation_sql from role read all the time
2016-10-27 12:24:31 -04:00
vishalnayak
e0fb8c17ce
Added revocation_sql to the website docs
2016-10-27 12:15:08 -04:00
vishalnayak
c14a6c8666
Move policy test to keysutil package
2016-10-26 19:57:28 -04:00
vishalnayak
6d1e1a3ba5
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 19:52:31 -04:00
Vishal Nayak
79d45355c8
Merge pull request #2004 from hashicorp/role-id-update
...
Fix regression caused by not creating a role_id secondary index
2016-10-26 16:29:46 -04:00
vishalnayak
931c96d1ba
ssh: Use temporary file to store the identity file
2016-10-18 12:50:12 -04:00
Vishal Nayak
6dd560d9c6
Merge pull request #2005 from hashicorp/dedup-ldap-policies
...
Deduplicate the policies in ldap backend
2016-10-18 10:42:11 -04:00
Chris Hoffman
4b6e82afcb
Add ability to list keys in transit backend ( #1987 )
2016-10-18 10:13:01 -04:00
vishalnayak
2ce8bc95eb
Deduplicate the policies in ldap backend
2016-10-14 17:20:50 -04:00
vishalnayak
1487dce475
Fix regression caused by not creating a role_id secondary index
2016-10-14 12:56:29 -04:00
Laura Bennett
dcf44a8fc7
Merge pull request #1980 from hashicorp/audit-update
...
Audit file update
2016-10-10 14:34:53 -04:00
Laura Bennett
0da9d1ac0c
test updates to address feedback
2016-10-10 12:58:30 -04:00
Laura Bennett
5ce9737eb4
address feedback
2016-10-10 12:16:55 -04:00
Laura Bennett
962a383bfb
address latest feedback
2016-10-10 11:58:26 -04:00
Laura Bennett
290ccee990
minor fix
2016-10-10 10:05:36 -04:00
Laura Bennett
9fc5a37e84
address feedback
2016-10-09 22:23:30 -04:00
Laura Bennett
05519a1267
adding unit tests for file mode
2016-10-09 00:33:24 -04:00
Laura Bennett
e5a7e3d6cb
initial commit to fix empty consistency option issue
2016-10-08 20:22:26 -04:00
Laura Bennett
1b8d12fe82
changes for 'mode'
2016-10-08 19:52:49 -04:00
Laura Bennett
60ceea5532
initial commit for adding audit file permission changes
2016-10-07 15:09:32 -04:00
Michael S. Fischer
c45ab41b39
Update aws-ec2 configuration help
...
Updated to reflect enhanced functionality and clarify necessary
permissions.
2016-10-05 12:40:58 -07:00
Jeff Mitchell
70a9fc47b4
Don't use quoted identifier for the username
2016-10-05 14:31:19 -04:00
Jeff Mitchell
7f9a88d8db
Postgres revocation sql, beta mode ( #1972 )
2016-10-05 13:52:59 -04:00
vishalnayak
de5dec6b15
Refactor mysql's revoke SQL
2016-10-04 19:30:25 -04:00
Vishal Nayak
1ab7023483
Merge pull request #1914 from jpweber/mysql-revoke
...
Mysql revoke with non-wildcard hosts
2016-10-04 17:44:15 -04:00
Jim Weber
87f206b536
removed an unused ok variable. Added warning and force use for default queries if role is nil
2016-10-04 17:15:29 -04:00
vishalnayak
0f8c132ede
Minor doc updates
2016-10-04 15:46:09 -04:00
vishalnayak
2e1aa80f31
Address review feedback 2
2016-10-04 15:30:42 -04:00
vishalnayak
59475d7f14
Address review feedback
2016-10-04 15:05:44 -04:00
Jim Weber
cc38f3253a
fixed an incorrect assignment
2016-10-03 21:51:40 -04:00
vishalnayak
348a09e05f
Add only relevant certificates
2016-10-03 20:34:28 -04:00
vishalnayak
dbd364453e
aws-ec2 config endpoints support type option to distinguish certs
2016-10-03 20:25:07 -04:00
Jim Weber
ac78ddc178
More resilient around cases of missing role names and using the default when needed.
2016-10-03 20:20:00 -04:00
vishalnayak
b105f8ccf3
Authenticate aws-ec2 instances using identity document and its RSA signature
2016-10-03 18:57:41 -04:00
Jim Weber
0a7f1089ca
Refactored logic some to make sure we can always fall back to default revoke statments
...
Changed rolename to role
made default sql revoke statments a const
2016-10-03 15:59:56 -04:00
Jim Weber
704fccaf2e
fixed some more issues I had with the tests.
2016-10-03 15:58:09 -04:00
Jim Weber
a2d6624a69
renamed rolname to role
2016-10-03 15:57:47 -04:00
Jim Weber
bfb0c2d3ff
Reduced duplicated code and fixed comments and simple variable name mistakes
2016-10-03 14:53:05 -04:00