Commit graph

115 commits

Author SHA1 Message Date
ncabatoff b615da43d7
Run CI tests in docker instead of a machine. (#8948) 2020-09-15 10:01:26 -04:00
Artem Alexandrov 301ea4c0f0
pki: Allow to use not only one variable during templating in allowed_domains #8509 (#9498) 2020-08-17 11:37:00 -07:00
Calvin Leung Huang fbe2a86693
pki: use revocationInfo.RevocationTimeUTC when revoking certs with ti… (#9609)
* pki: use revocationInfo.RevocationTimeUTC when revoking certs with tidy_revoked_certs set to true

* update comment

* tidy: use same time snapshot for OR comparison
2020-07-30 15:10:26 -07:00
Andrej van der Zee 8f305b1531
Add option allowed_domains_template enabling identity templating for issuing PKI certs. (#8509) 2020-07-08 12:52:25 -04:00
Becca Petrin c2894b8d05
Add Kerberos auth agent (#7999)
* add kerberos auth agent

* strip old comment

* changes from feedback

* strip appengine indirect dependency
2020-01-09 14:56:34 -08:00
ncabatoff fde5e55ce9
Handle otherName SANs in CSRs (#6163)
If a CSR contains a SAN of type otherName, encoded in UTF-8, and the signing role specifies use_csr_sans, the otherName SAN will be included in the signed cert's SAN extension.

Allow single star in allowed_other_sans to match any OtherName.  Update documentation to clarify globbing behaviour.
2019-12-11 10:16:44 -05:00
Denis Subbotin e9cdd451d1 Don't allow duplicate SAN names in PKI-issued certs (#7605)
* fix https://github.com/hashicorp/vault/issues/6571

* fix test TestBackend_OID_SANs because now SANs are alphabetic sorted
2019-10-28 12:31:56 -04:00
ncabatoff c48936c4fd
Refactor cert util (#6676)
Break dataBundle into two pieces: inputBundle, which contains data that
is specific to the pki backend, and creationBundle, which is a more
generic bundle of validated inputs given to certificate creation/signing routines.

Move functions that only take creationBundle to certutil and make them public.
2019-05-09 11:43:11 -04:00
Mark Gritter 4cab0047a1
Fix test to use stable order to generate expected result. (#6692) 2019-05-07 14:01:49 -05:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
T.K 453f1ac109 changed misspelled english words (#6432) 2019-03-19 09:32:45 -04:00
Calvin Leung Huang e6ec67fb8f
Use inclusive range on cert role diff comparison (#5737) 2018-11-08 12:15:12 -08:00
Jeff Mitchell fa26beeaed fmt 2018-11-07 16:52:01 -05:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
Calvin Leung Huang 20faa90ee3 Use Truncate instead of Round on duration diff (#5691) 2018-11-05 17:32:33 -05:00
Calvin Leung Huang 1a4e8fe53d Round time diff to nearest second to reduce flakiness (#5688) 2018-11-05 16:49:25 -05:00
Jeff Mitchell ec2ab502fc make fmt 2018-10-02 14:30:10 -04:00
sk4ry 0fab335eec Add ability to configure the NotBefore property of certificates in role api (#5325)
* Add ability to configure the NotBefore property of certificates in role api

* Update index.html.md

* converting field to time.Duration

* setting default back to 30s

* renaming the parameter not_before_duration to differentiate between the NotBefore datetime on the cert

* Update description
2018-10-02 11:10:43 -04:00
Becca Petrin 7a8c116fb1
undo make fmt (#5265) 2018-09-04 09:29:18 -07:00
Becca Petrin ed7639b0ec
run make fmt (#5261) 2018-09-04 09:12:59 -07:00
Calvin Leung Huang 9988ace85e gofmt files (#5233) 2018-08-31 09:15:40 -07:00
Jeff Mitchell 4d1a6690f5
Use Go's in-built permitted DNS domain logic (#4908)
Fixes #4863
2018-07-11 17:35:46 -04:00
Jeff Mitchell 935c045cfa
Fix permitted dns domain handling (#4905)
It should not require a period to indicate subdomains being allowed

Fixes #4863
2018-07-11 12:44:49 -04:00
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Jeff Mitchell 91ca3d4b7f
Add URI SANs (#4767) 2018-06-15 15:32:25 -04:00
Marcin Wielgoszewski 9316c96364 Add support for x.509 Name Serial Number attribute in subject of certificates (#4694) 2018-06-04 23:18:39 -04:00
Jeff Mitchell 72200603c6
Fix role writing not allowing key_type of any (#4596)
Fixes #4595
2018-05-19 10:24:43 -07:00
Jeff Mitchell 072cd783b5 Fix another PKI test 2018-05-09 12:51:34 -04:00
Jeff Mitchell 573b403b5e Fix PKI test 2018-05-09 12:47:00 -04:00
Jeff Mitchell e5f4ca83a0
Update PKI to natively use time.Duration (#4493)
* Update PKI to natively use time.Duration

Among other things this now means PKI will output durations in seconds
like other backends, instead of as Go strings.

* Add a warning when refusing to blow away an existing root instead of just returning success

* Fix another issue found while debugging this...

The reason it wasn't caught on tests in the first place is that the ttl
and max ttl were only being compared if in addition to a provided csr, a
role was also provided. This was because the check was in the role !=
nil block instead of outside of it. This has been fixed, which made the
problem occur in all sign-verbatim cases and the changes in this PR have
now verified the fix.
2018-05-09 10:29:54 -04:00
Calvin Leung Huang bacf136785 Fix pki tests (#4318) 2018-04-09 15:19:05 -04:00
Becca Petrin abb621752f Clean up error string formatting (#4304) 2018-04-09 14:35:21 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Jeff Mitchell 8697d80d2e
More cleanup of TTL handling in PKI (#4158)
* Max role's max_ttl parameter a TypeDurationString like ttl
* Don't clamp values at write time in favor of evaluating at issue time,
as is the current best practice
* Lots of general cleanup of logic to fix missing cases
2018-03-19 21:01:41 -04:00
Jeff Mitchell 2e50667b12
Codify using strings.Join and strings.TrimSpace around PEM handling to ensure newline sanity (#4148)
Fixes #4136
2018-03-18 16:00:51 -04:00
Jeff Mitchell 0f26cb9b8d Fix PKI tests by generating on-demand 2018-02-20 00:23:37 -05:00
Robison Jacka 71d939894b Add test coverage for recently-added PKIX fields. (#4002) 2018-02-18 13:21:54 -05:00
Jeff Mitchell f29bde0052
Support other names in SANs (#3889) 2018-02-16 17:19:34 -05:00
Jeff Mitchell 8655a1c135
Various PKI updates (#3953) 2018-02-10 10:07:10 -05:00
Vishal Nayak 80ffd07b8b added a flag to make common name optional if desired (#3940)
* added a flag to make common name optional if desired

* Cover one more case where cn can be empty

* remove skipping when empty; instead check for emptiness before calling validateNames

* Add verification before adding to DNS names to also fix #3918
2018-02-09 13:42:19 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Chris Hoffman 5b2b168e97
Converting OU and Organization role fields to CommaStringSlice (#3804) 2018-01-17 11:53:49 -05:00
Brian Kassouf 1c190d4bda
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Chris Hoffman 3b0ba609b2
Converting key_usage and allowed_domains in PKI to CommaStringSlice (#3621) 2017-12-11 13:13:35 -05:00
Jeff Mitchell 1076cea5d1 Tests were not actually forcing the intermediate to have a longer TTL
because of mount max TTL constraint. This ups the mount max to force the
test to work as expected.
2017-09-14 22:49:04 -04:00
Jeff Mitchell cb6ac1e926 Change behavior of TTL in sign-intermediate (#3325)
* Fix using wrong public key in sign-self-issued

* Change behavior of TTL in sign-intermediate

This allows signing CA certs with an expiration past the signer's
NotAfter.

It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.

Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
2017-09-13 11:42:45 -04:00
Jeff Mitchell 7be6905eb0 Add a bit more delay to backend test in case Travis is loaded 2017-09-04 14:45:12 -04:00
Jeff Mitchell abb2ab2918 Add pki/root/sign-self-issued. (#3274)
* Add pki/root/sign-self-issued.

This is useful for root CA rolling, and is also suitably dangerous.

Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.

* Add tests
2017-08-31 23:07:15 -04:00
Jeff Mitchell d62937aaf3 Use TypeDurationSecond for TTL values in PKI. (#3270) 2017-08-31 15:46:13 -04:00