luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
2,547 Commits 1 Branch 0 Tags 214 MiB
Commit Graph

293 Commits

Author SHA1 Message Date
Jeff Mitchell 3396b42c6c Address final review feedback 2016-01-29 14:33:51 -05:00
Jeff Mitchell 12bd2f430b Ensure generatePolicy checks disk, not just the cache, now that we aren't eager loading 2016-01-28 13:10:59 -05:00
Jeff Mitchell dd1b94fbd6 Remove eager loading 2016-01-28 08:59:05 -05:00
Jeff Mitchell be83340b14 Embed the cache directly 2016-01-27 21:59:20 -05:00
Jeff Mitchell 48c9f79896 Implement locking in the transit backend. 
This ensures that we can safely rotate and modify configuration
parameters with multiple requests in flight.

As a side effect we also get a cache, which should provide a nice
speedup since we don't need to decrypt/deserialize constantly, which
would happen even with the physical LRU.
 2016-01-27 17:03:21 -05:00
Jeff Mitchell d1b2bf3183 Move archive location; also detect first load of a policy after archive 
is added and cause the keys to be copied to the archive.
 2016-01-27 13:41:37 -05:00
Jeff Mitchell 369d0bbad0 Address review feedback 2016-01-27 13:41:37 -05:00
Jeff Mitchell e5a58109ec Store all keys in archive always 2016-01-27 13:41:37 -05:00
Jeff Mitchell 30ffc18c19 Add unit tests 2016-01-27 13:41:37 -05:00
Jeff Mitchell 5000711a67 Force min decrypt version to 1 if it's zero, which allows fixing problematic archiving logic 2016-01-27 13:41:37 -05:00
Jeff Mitchell 7a27dd5cb3 Fix logic bug when restoring keys 2016-01-27 13:41:37 -05:00
Jeff Mitchell 004b35be36 Fix decrementing instead of incrementing 2016-01-27 13:41:37 -05:00
Jeff Mitchell beafe25508 Initial transit key archiving work 2016-01-27 13:41:37 -05:00
Jeff Mitchell 7390cd5264 Add a max_idle_connections parameter. 2016-01-25 14:47:07 -05:00
Jeff Mitchell 12c00b97ef Allow backends to see taint status. 
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.

Fixes #946
 2016-01-22 17:01:22 -05:00
Dmitriy Gromov 70ef2e3398 STS now uses root vault user for keys 
The secretAccessKeysRevoke revoke function now asserts that it is
not dealing with STS keys by checking a new internal data flag. Defaults
to IAM when the flag is not found.

Factored out genUsername into its own function to share between STS and
IAM secret creation functions.

Fixed bad call to "WriteOperation" instead of "UpdateOperation" in
aws/backend_test
 2016-01-21 15:04:16 -05:00
Dmitriy Gromov 4abca91d66 Renamed sts duration to ttl and added STS permissions note. 2016-01-21 14:28:34 -05:00
Dmitriy Gromov f251b13aaa Removing debug print statement from sts code 2016-01-21 14:05:10 -05:00
Dmitriy Gromov 1cf8153dfd Fixed duration type and added acceptance test for sts 2016-01-21 14:05:10 -05:00
Dmitriy Gromov 71afb7cff0 Configurable sts duration 2016-01-21 14:05:09 -05:00
Jack DeLoach 8fecccde21 Add STS path to AWS backend. 
The new STS path allows for obtaining the same credentials that you would get
from the AWS "creds" path, except it will also provide a security token, and
will not have an annoyingly long propagation time before returning to the user.
 2016-01-21 14:05:09 -05:00
Jeff Mitchell 0f0949ab06 Merge pull request #895 from nickithewatt/aws-prexisting-policies 
Allow use of pre-existing policies for AWS users
 2016-01-21 13:23:37 -05:00
Jeff Mitchell 9c5ad28632 Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Nicki Watt 62c22a5f73 Updated AWS policy help messages 2015-12-30 19:41:07 +00:00
Nicki Watt cd4ca21b58 Allow use of pre-existing policies for AWS users 2015-12-30 18:05:54 +00:00
Jeff Mitchell 134b4d2a42 Built on GH-890 to add other types 2015-12-29 13:07:24 -05:00
Issac Goldstand fba756075a fix CA compatibility with OpenSSL 2015-12-29 18:52:43 +02:00
Jeff Mitchell f2da5b639f Migrate 'uuid' to 'go-uuid' to better fit HC naming convention 2015-12-16 12:56:20 -05:00
Jeff Mitchell dd445a53a5 Update key usage logic 
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
  Windows Crypto API and Go's validation logic

Fixes #846
 2015-12-14 14:23:51 -05:00
Jeff Mitchell 6ad1b75caf Merge branch 'master' into pki-csrs 2015-12-01 00:09:23 -05:00
Jeff Mitchell 64cd58463b Fix AWS tests 2015-12-01 00:05:04 -05:00
Jeff Mitchell 4eec9d69e8 Change allowed_base_domain to allowed_domains and allow_base_domain to 
allow_bare_domains, for comma-separated multi-domain support.
 2015-11-30 23:49:11 -05:00
Jeff Mitchell b6c49ddf01 Remove token display names from input options as there isn't a viable 
use-case for it at the moment
 2015-11-30 18:07:42 -05:00
Jeff Mitchell cf366bda9c Greatly simplify and fix the name validation function, as well as fully 
comment it.
 2015-11-23 14:15:32 -05:00
Jeff Mitchell 25e359084c Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up 2015-11-19 17:14:22 -05:00
Jeff Mitchell 0dbe15cb87 Mostly revert changes to certutil as the embedded struct stuff was being 
problematic.
 2015-11-19 14:18:39 -05:00
Jeff Mitchell af3d6ced8e Update validator function for URIs. Change example of entering a CA to a 
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
 2015-11-19 11:35:17 -05:00
Jeff Mitchell f41a2e562a fix tests 2015-11-19 10:13:28 -05:00
Jeff Mitchell a95228e4ee Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-19 09:51:18 -05:00
Jeff Mitchell 26c8cf874d Move public key comparison logic to its own function 2015-11-19 09:51:18 -05:00
Jeff Mitchell 4681d027c0 Move serial number generation and key validation into certutil; centralize format and key verification 2015-11-19 09:51:18 -05:00
Jeff Mitchell c6ba4f24bc Add URL validation 2015-11-19 09:51:18 -05:00
Jeff Mitchell b14050bebc Fix zero path length handling, and move common field defs elsewhere 2015-11-19 09:51:18 -05:00
Jeff Mitchell 8008451fb5 Fix logic around zero path length -- only restrict issuing intermediate CAs in this case 2015-11-19 09:51:18 -05:00
Jeff Mitchell c461652b40 Address some feedback from review 2015-11-19 09:51:18 -05:00
Jeff Mitchell ed62afec14 Large documentation updates, remove the pathlength path in favor of 
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
 2015-11-19 09:51:18 -05:00
Jeff Mitchell 5970cb76b6 Add path length paths and unit tests to verify same. 2015-11-19 09:51:18 -05:00
Jeff Mitchell ca844b1dc1 Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-11-19 09:51:18 -05:00
Jeff Mitchell 4cb10abcc0 Add tests for using raw CSR values 2015-11-19 09:51:18 -05:00