Commit graph

918 commits

Author SHA1 Message Date
Vishal Nayak cdd1d96a64 Merge pull request #1804 from hashicorp/issue-1800
Mark STS secrets as non-renwable
2016-08-29 11:46:19 -04:00
navinanandaraj 8612b6139e Fixes #1801 Reuse Cassandra session object for create creds (#1802) 2016-08-28 17:32:41 -04:00
Jeff Mitchell f0537572a8 Mark STS secrets as non-renwable
Ping #1800
2016-08-28 14:27:56 -04:00
Jeff Mitchell 0b113f7916 Derive nonce fully in convergent mode (#1796)
Ping #1794
2016-08-26 17:01:56 -04:00
Jeff Mitchell 2f5876dfe9 Use key derivation for convergent nonce. (#1794)
Use key derivation for convergent nonce.

Fixes #1792
2016-08-26 14:11:03 -04:00
Jeff Mitchell 28739f3528 Decode secret internal data into struct and fix type assertion. (#1781) 2016-08-24 15:04:04 -04:00
Jeff Mitchell d1284944c3 Merge pull request #1755 from hashicorp/logxi
Convert to logxi
2016-08-21 19:28:18 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
vishalnayak 524ed6db37 Extract out common code 2016-08-21 15:46:11 -04:00
vishalnayak dfe73733d5 Seperate endpoints for read/delete using secret-id and accessor 2016-08-21 14:42:49 -04:00
Jeff Mitchell 2860dcc60f gofmt 2016-08-19 16:48:32 -04:00
vishalnayak 7ce631f1dc Pretty print the warning 2016-08-18 16:09:10 -04:00
vishalnayak 870ffd6fd8 Use shortestTTL value during renewals too 2016-08-18 15:43:58 -04:00
vishalnayak 4f1c47478e When TTL is not set, consider the system default TTL as well 2016-08-18 15:37:59 -04:00
vishalnayak 56b8c33c95 aws-ec2: se max_ttl when ttl is not set, during login 2016-08-18 15:16:32 -04:00
Jeff Mitchell 638e61192a Actually show the error occurring if a file audit log can't be opened 2016-08-15 16:26:36 -04:00
Jeff Mitchell 86874def5c Parameter change
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
2016-08-14 21:43:57 -04:00
Jeff Mitchell 39cfd116b6 Cleanup 2016-08-13 11:52:09 -04:00
Jeff Mitchell 1b8711e7b7 Ensure utc value is not zero before adding 2016-08-13 11:50:57 -04:00
Jeff Mitchell d6d08250ff Ensure values to be encoded in a CRL are in UTC. This aligns with the
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.

Fixes #1727
2016-08-13 08:40:09 -04:00
vishalnayak b150c14caa Address review feedback by @jefferai 2016-08-09 17:45:42 -04:00
vishalnayak 8d261b1a78 Added ttl field to aws-ec2 auth backend role 2016-08-09 17:29:45 -04:00
Jeff Mitchell b69ed7ea93 Fix build 2016-08-08 17:00:59 -04:00
Jeff Mitchell 7f6c58b807 Address review feedback 2016-08-08 16:30:48 -04:00
Jeff Mitchell 0a67bcb5bd Merge pull request #1696 from hashicorp/transit-convergent-specify-nonce
Require nonce specification for more flexibility
2016-08-08 11:41:10 -04:00
Jeff Mitchell 1f198e9256 Return warning about ACLing the LDAP configuration endpoint.
Fixes #1263
2016-08-08 10:18:36 -04:00
Jeff Mitchell 606ba64e23 Remove context-as-nonce, add docs, and properly support datakey 2016-08-07 15:53:40 -04:00
Jeff Mitchell 1976bc0534 Add unit tests for convergence in non-context mode 2016-08-07 15:16:36 -04:00
Jeff Mitchell 8b1d47037e Refactor convergent encryption to make specifying a nonce in addition to context possible 2016-08-05 17:52:44 -04:00
Vincent Batoufflet 0b73c2ff9a Fix PKI logical backend email alt_names 2016-08-04 12:10:34 +02:00
Jeff Mitchell 58e9cbbfc6 Add postgres test for block statements 2016-08-03 15:34:50 -04:00
Jeff Mitchell 9e204bd88c Add arbitrary string slice parsing.
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.

Fixes #1619 in theory.
2016-08-03 14:24:16 -04:00
Jeff Mitchell c025b292b5 Cleanup 2016-08-03 13:09:12 -04:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
Jeff Mitchell e0c5f5f5fa Add convergence tests to transit backend 2016-07-28 11:30:52 -04:00
vishalnayak a6907769b0 AppRole authentication backend 2016-07-26 09:32:41 -04:00
Jeff Mitchell 0cfb112e87 Explicitly set invalid request status when a password isn't included 2016-07-25 11:14:15 -04:00
Jeff Mitchell dc4b85b55e Don't return 500 for user error in userpass when setting password 2016-07-25 11:09:46 -04:00
Jeff Mitchell d4c3e27c4e Fix re-specification of filter 2016-07-25 09:08:29 -04:00
Oren Shomron cd6d114e42 LDAP Auth Backend Overhaul
--------------------------

Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.

Simplified group membership lookup significantly to support multiple use-cases:
  * Enumerating groups via memberOf attribute on user object
  * Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
  * Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matchind rule

There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.

Additional changes:
  * Clarify documentation for LDAP auth backend.
  * Reworked how default values are set, added tests
  * Removed Dial from LDAP config read. Network should not affect configuration.
2016-07-22 21:20:05 -04:00
Jeff Mitchell 68dcf677fa Fix panic if no certificates are supplied by client
Fixes #1637
2016-07-21 10:20:41 -04:00
Jeff Mitchell b353e44209 Fix build 2016-07-21 09:53:41 -04:00
Jeff Mitchell d335038b40 Ensure we never return a nil set of trusted CA certs
Fixes #1637
2016-07-21 09:50:31 -04:00
Laura Bennett 559b0a5006 Merge pull request #1635 from hashicorp/mysql-idle-conns
Added maximum idle connections to mysql to close hashicorp/vault#1616
2016-07-20 15:31:37 -04:00
Jeff Mitchell b558c35943 Set defaults to handle upgrade cases.
Ping #1604
2016-07-20 14:07:19 -04:00
Jeff Mitchell f2b6569b0b Merge pull request #1604 from memory/mysql-displayname-2
concat role name and token displayname to form mysql username
2016-07-20 14:02:17 -04:00
Nathan J. Mehl ea294f1d27 use both role name and token display name to form mysql username 2016-07-20 10:17:00 -07:00
Laura Bennett e6bf4fa489 whitespace error corrected 2016-07-20 12:00:05 -04:00
Nathan J. Mehl 0483457ad2 respond to feedback from @vishalnayak
- split out usernameLength and displaynameLength truncation values,
  as they are different things

- fetch username and displayname lengths from the role, not from
  the request parameters

- add appropriate defaults for username and displayname lengths
2016-07-20 06:36:51 -07:00
Laura Bennett 7cdb8a28bc max_idle_connections added 2016-07-20 09:26:26 -04:00