Commit graph

328 commits

Author SHA1 Message Date
Jeff Mitchell 935c045cfa
Fix permitted dns domain handling (#4905)
It should not require a period to indicate subdomains being allowed

Fixes #4863
2018-07-11 12:44:49 -04:00
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Mr Talbot 5551a63221 pki: add ext_key_usage to mirror key_usage and add to sign-verbatim (#4777)
* pki: add ext_key_usage parameter to role

* pki: add key_usage and ext_key_usage parameter to sign-verbatim

* pki: cleanup code as per comments
2018-06-15 18:20:43 -04:00
Jeff Mitchell 91ca3d4b7f
Add URI SANs (#4767) 2018-06-15 15:32:25 -04:00
Marcin Wielgoszewski 9316c96364 Add support for x.509 Name Serial Number attribute in subject of certificates (#4694) 2018-06-04 23:18:39 -04:00
Alex Ionescu 7c31dacea2 Custom extended key usage for PKI. (#4667)
Custom extended key usage for PKI
2018-06-01 09:13:54 -04:00
Jeff Mitchell 244cb0bf9a
Ensure safety_buffer in PKI is greater than zero (#4643)
Fixes #4641
2018-05-28 12:08:22 -04:00
Jeff Mitchell 72200603c6
Fix role writing not allowing key_type of any (#4596)
Fixes #4595
2018-05-19 10:24:43 -07:00
Jeff Mitchell 072cd783b5 Fix another PKI test 2018-05-09 12:51:34 -04:00
Jeff Mitchell 573b403b5e Fix PKI test 2018-05-09 12:47:00 -04:00
Jeff Mitchell e5f4ca83a0
Update PKI to natively use time.Duration (#4493)
* Update PKI to natively use time.Duration

Among other things this now means PKI will output durations in seconds
like other backends, instead of as Go strings.

* Add a warning when refusing to blow away an existing root instead of just returning success

* Fix another issue found while debugging this...

The reason it wasn't caught on tests in the first place is that the ttl
and max ttl were only being compared if in addition to a provided csr, a
role was also provided. This was because the check was in the role !=
nil block instead of outside of it. This has been fixed, which made the
problem occur in all sign-verbatim cases and the changes in this PR have
now verified the fix.
2018-05-09 10:29:54 -04:00
Robison Jacka b78b9c7ebf Iterating over CSR extensions, and skipping BasicConstraints, since those should be defined by the endpoint that's performing the signing. (#4469) 2018-05-01 11:22:49 -04:00
Calvin Leung Huang bacf136785 Fix pki tests (#4318) 2018-04-09 15:19:05 -04:00
Becca Petrin abb621752f Clean up error string formatting (#4304) 2018-04-09 14:35:21 -04:00
Matthew Irish cff34e983f
UI - pki updates (#4291)
* add require_cn to pki roles
* add policy_identifiers and basic_constraints_valid_for_non_ca to pki role form
* add new fields to the PKI docs
* add add_basic_constraints field
2018-04-08 21:09:29 -05:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Jeff Mitchell 7a6f582168
1.10 Updates (#4218) 2018-03-29 15:32:16 -04:00
Jeff Mitchell 6484b9b164
Continue and warn when tidying in pki if an entry or value is nil (#4214)
Ref #4177
2018-03-29 15:27:51 -04:00
Jeff Mitchell e4d277fc0b Sanitize some error capitalization 2018-03-29 10:14:42 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Jeff Mitchell 48a6ce618a
Add ability to set CA:true when generating intermediate CSR. (#4163)
Fixes #3883
2018-03-20 10:09:59 -04:00
Jeff Mitchell 414097018a Add a check on incoming policy identifiers
cc #4125
2018-03-19 22:10:18 -04:00
Rémi Pauchet 40e226184b Support certificate policies in the pki backend (#4125) 2018-03-19 22:05:21 -04:00
Jeff Mitchell 8697d80d2e
More cleanup of TTL handling in PKI (#4158)
* Make role's max_ttl parameter a TypeDurationString like ttl
* Don't clamp values at write time in favor of evaluating at issue time,
as is the current best practice
* Lots of general cleanup of logic to fix missing cases
2018-03-19 21:01:41 -04:00
Jeff Mitchell 2e50667b12
Codify using strings.Join and strings.TrimSpace around PEM handling to ensure newline sanity (#4148)
Fixes #4136
2018-03-18 16:00:51 -04:00
Jeff Mitchell cf7c86e0f8 *Partially* revert "Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10"
This partially reverts commit 83f6b21d3ef930df0352a4ae7b1e971790e3eb22.
2018-02-22 20:15:56 -05:00
Jeff Mitchell 0f26cb9b8d Fix PKI tests by generating on-demand 2018-02-20 00:23:37 -05:00
Jeff Mitchell ce8f652ef9 Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10 2018-02-19 22:46:17 -05:00
Robison Jacka 9541e8f643 Adding path roles test coverage for storing PKIX fields (#4003) 2018-02-18 16:22:35 -05:00
Robison Jacka 71d939894b Add test coverage for recently-added PKIX fields. (#4002) 2018-02-18 13:21:54 -05:00
Jeff Mitchell a408a03495 Fix missing CommonName in subject generation 2018-02-17 21:01:36 -05:00
Jeff Mitchell f29bde0052
Support other names in SANs (#3889) 2018-02-16 17:19:34 -05:00
Jeff Mitchell 8655a1c135
Various PKI updates (#3953) 2018-02-10 10:07:10 -05:00
Jeff Mitchell bd3cdd8095 Fix compile 2018-02-09 14:04:05 -05:00
Vishal Nayak 80ffd07b8b added a flag to make common name optional if desired (#3940)
* added a flag to make common name optional if desired

* Cover one more case where cn can be empty

* remove skipping when empty; instead check for emptiness before calling validateNames

* Add verification before adding to DNS names to also fix #3918
2018-02-09 13:42:19 -05:00
Jeff Mitchell fc6564e4ee
Don't run rollback and upgrade functionality if we are a replication secondary (#3900)
* Don't run rollback and upgrade functionality if we are a replication
secondary, but do if the mount is local.
2018-02-02 20:28:25 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Chris Hoffman 5b2b168e97
Converting OU and Organization role fields to CommaStringSlice (#3804) 2018-01-17 11:53:49 -05:00
Brian Kassouf 1c190d4bda
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Chris Hoffman 3b0ba609b2
Converting key_usage and allowed_domains in PKI to CommaStringSlice (#3621) 2017-12-11 13:13:35 -05:00
Mohsen 2aa576149c Small typo relating to no_store in pki secret backend (#3662)
* Removed typo :)

* Corrected typo in the website related to no_store
2017-12-07 10:40:21 -05:00
Jeff Mitchell 6b72b90efa Remove allow_base_domain from PKI role output.
It was never used in a release, in favor of allow_bare_domains.

Fixes #1452 (again)
2017-11-09 10:24:36 -05:00
Jeff Mitchell 3555a17d52 Don't read out an internal role member in PKI 2017-11-08 18:20:53 -05:00
Jeff Mitchell 17310654a1
Add PKCS8 marshaling to PKI (#3518) 2017-11-06 12:05:07 -05:00
Jeff Mitchell d8e2179a42 Rejig some error messages in pki 2017-10-27 12:02:18 -04:00
Jeff Mitchell a25dae82dd Final sync 2017-10-23 17:39:21 -04:00
Jeff Mitchell e3ce60eb1f Allow entering PKI URLs as arrays. (#3409)
Fixes #3407
2017-10-03 16:13:57 -04:00
Jeff Mitchell 1076cea5d1 Tests were not actually forcing the intermediate to have a longer TTL
because of mount max TTL constraint. This ups the mount max to force the
test to work as expected.
2017-09-14 22:49:04 -04:00
Jeff Mitchell cb6ac1e926 Change behavior of TTL in sign-intermediate (#3325)
* Fix using wrong public key in sign-self-issued

* Change behavior of TTL in sign-intermediate

This allows signing CA certs with an expiration past the signer's
NotAfter.

It also changes sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.

Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
2017-09-13 11:42:45 -04:00
Jeff Mitchell 7be6905eb0 Add a bit more delay to backend test in case Travis is loaded 2017-09-04 14:45:12 -04:00
Jeff Mitchell abb2ab2918 Add pki/root/sign-self-issued. (#3274)
* Add pki/root/sign-self-issued.

This is useful for root CA rolling, and is also suitably dangerous.

Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.

* Add tests
2017-08-31 23:07:15 -04:00
Jeff Mitchell d62937aaf3 Use TypeDurationSecond for TTL values in PKI. (#3270) 2017-08-31 15:46:13 -04:00
Lars Lehtonen 13901b1346 fix swallowed errors in pki package tests (#3215) 2017-08-29 13:15:36 -04:00
Jeff Mitchell 340fe4e609 Add permitted dns domains to pki (#3164) 2017-08-15 16:10:36 -04:00
Jeff Mitchell e4eb6e9020 Make PKI root generation idempotent-ish and add delete endpoint. (#3165) 2017-08-15 14:00:40 -04:00
Chris Hoffman 77336f4ca2 adding warning for conflicting role and request parameters (#3083) 2017-08-02 10:02:40 -04:00
Calvin Leung Huang 3e8aecc7d5 Add BackendType to existing backends (#3078) 2017-07-28 14:04:46 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Seth Rutner 3874b63af3 Fix typos in error message (#2692) 2017-05-10 10:28:35 -04:00
Jeff Mitchell d25aa9fc21 Don't write salts in initialization, look up on demand (#2702) 2017-05-09 17:51:09 -04:00
Calvin Leung Huang 26cf09ab15 Minor comment update on cert_util 2017-05-03 16:13:54 -04:00
Chris Hoffman 1c14d207b5 Merge pull request #2575 from hashicorp/pki-colons-to-hyphens
Change storage of PKI entries from colons to hyphens
2017-05-03 15:07:15 -04:00
Chris Hoffman e34a45fdcd Minor readability enhancements for migration path from old to new 2017-05-03 14:58:22 -04:00
Calvin Leung Huang a00a7815f6 Include and use normalizeSerial func 2017-05-03 10:12:58 -04:00
Calvin Leung Huang 2b7a66e23b Use variables for string replacements on cert_util 2017-05-02 14:11:57 -04:00
Justin Gerace 403efeb5ae Add globbing support to the PKI backend's allowed_domains list (#2517) 2017-05-01 10:40:18 -04:00
Calvin Leung Huang ff4cf41ebb Add test for ca and crl case 2017-04-28 08:55:28 -04:00
Vishal Nayak 8bb6c8caef Return error message for failure to parse CSR (#2657) 2017-04-28 08:30:24 -04:00
Calvin Leung Huang 802d030506 Refactor cert_util_test 2017-04-27 17:09:59 -04:00
Calvin Leung Huang b5990321bf Verify update operation was performed on revokeCert 2017-04-27 12:30:44 -04:00
Calvin Leung Huang 3b27a9c12c Rename tests, use HandleRequest() for existing paths 2017-04-27 09:47:56 -04:00
Calvin Leung Huang 628e5d594b Add remaining tests 2017-04-26 16:05:58 -04:00
Calvin Leung Huang d24757f2e0 Fix crl_util test 2017-04-26 09:58:34 -04:00
Calvin Leung Huang 18ed2d6097 Tests for cert and crl util 2017-04-26 02:46:01 -04:00
Chris Hoffman 847c86f788 Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings (#2614) 2017-04-19 10:39:07 -04:00
Jeff Mitchell 4995c69763 Update sign-verbatim to correctly set generate_lease (#2593) 2017-04-18 15:54:31 -04:00
Jeff Mitchell 822d86ad90 Change storage of entries from colons to hyphens and add a
lookup/migration path

Still TODO: tests on migration path

Fixes #2552
2017-04-18 11:14:23 -04:00
Jeff Mitchell 79fb8bdf69 Verify that a CSR specifies IP SANs before checking whether it's allowed (#2574) 2017-04-13 13:40:31 -04:00
Shivaram Lingamneni 2117dfd717 implement a no_store option for pki roles (#2565) 2017-04-07 11:25:47 -07:00
Jeff Mitchell 709389dd36 Use ParseStringSlice on PKI organization/organizational unit. (#2561)
After, separately dedup and use new flag to not lowercase value.

Fixes #2555
2017-04-04 08:54:18 -07:00
Jeff Mitchell 24886c1006 Ensure CN check is made when exclude_cn_from_sans is used
Fixes #2363
2017-03-16 11:41:13 -04:00
Jeff Mitchell 12e5132779 Allow roles to specify whether CSR SANs should be used instead of (#2489)
request values. Fix up some documentation.

Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
Jeff Mitchell 7ab6844eb4 Set CA chain when intermediate does not have an authority key ID.
This is essentially an approved review of the code provided in #2465.

Fixes #2465
2017-03-15 11:52:02 -04:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell eca68d5913 Fix a bunch of errors from returning 5xx, and parse more duration types 2017-03-02 15:38:34 -05:00
vishalnayak 2e911fc650 Fix broken build caused due to resolve merge conflicts 2017-02-24 12:41:20 -05:00
Vishal Nayak c6f138bb9a PKI: Role switch to control lease generation (#2403)
* pki: Make generation of leases optional

* pki: add tests for upgrading generate_lease

* pki: add tests for leased and non-leased certs

* docs++ pki generate_lease

* Generate lease is applicable for both issuing and signing

* pki: fix tests

* Address review feedback

* Address review feedback
2017-02-24 12:12:40 -05:00
Saj Goonatilleke 01f3056b8b pki: Include private_key_type on DER-formatted responses from /pki/issue/ (#2405) 2017-02-24 11:17:59 -05:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell c96fe56d44 Fix copypasta, thanks tests 2017-02-16 01:32:39 -05:00
Jeff Mitchell 817bec0955 Add Organization support to PKI backend. (#2380)
Fixes #2369
2017-02-16 01:04:29 -05:00
Jeff Mitchell f43a041bf2 Revert "Disable PKI OU tests to fix the build"
This reverts commit b1ab7c5603180af9073caab1b3022ca438dc12be.
2017-01-24 09:58:28 -05:00
vishalnayak c8b6ab7223 Disable PKI OU tests to fix the build 2017-01-24 06:25:56 -05:00
joe miller 98df700495 allow roles to set OU value in certificates issued by the pki backend (#2251) 2017-01-23 12:44:45 -05:00
joe miller 78dacc154a sign-verbatim should set use_csr_common_name to true (#2243) 2017-01-10 09:47:59 -05:00
vishalnayak 1816446f46 Address review feedback 2016-12-20 11:19:47 -05:00
vishalnayak b3e323bbcc pki: Avoiding a storage read 2016-12-20 11:07:20 -05:00
vishalnayak 2e23f1a992 pki: Appended error to error message 2016-12-19 10:49:32 -05:00
vishalnayak ba1cc709bd PKI: Added error to the error message 2016-12-19 10:47:29 -05:00
Jeff Mitchell f0203741ff Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Chris Hoffman d235acf809 Adding support for chained intermediate CAs in pki backend (#1694) 2016-09-27 17:50:17 -07:00
Jeff Mitchell 6bf871995b Don't use time.Time in responses. (#1912)
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
Jeff Mitchell 897d3c6d2c Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop. 2016-09-16 11:05:43 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell 2860dcc60f gofmt 2016-08-19 16:48:32 -04:00
Jeff Mitchell 86874def5c Parameter change
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
2016-08-14 21:43:57 -04:00
Jeff Mitchell 39cfd116b6 Cleanup 2016-08-13 11:52:09 -04:00
Jeff Mitchell 1b8711e7b7 Ensure utc value is not zero before adding 2016-08-13 11:50:57 -04:00
Jeff Mitchell d6d08250ff Ensure values to be encoded in a CRL are in UTC. This aligns with the
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.

Fixes #1727
2016-08-13 08:40:09 -04:00
Vincent Batoufflet 0b73c2ff9a Fix PKI logical backend email alt_names 2016-08-04 12:10:34 +02:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
Jeff Mitchell 3334b22993 Some minor linting 2016-07-19 13:54:18 -04:00
Jeff Mitchell 4a8d9eb942 Shave off a lot of PKI testing time by not requiring key generation when testing CSRs. Also enable all tests all the time. 2016-07-01 17:28:48 -04:00
cara marie 11c205e19b removed option to create 1024 keybitlength certs 2016-06-28 16:56:14 -04:00
Jeff Mitchell 9dc0599a30 Address review feedback 2016-06-23 10:18:03 -04:00
Jeff Mitchell d7029fc49a Add some more testing 2016-06-23 09:49:03 -04:00
Jeff Mitchell 45a442e593 Set some basic key usages by default.
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.

Fixes #1476
2016-06-22 16:08:24 -04:00
Jeff Mitchell 407373df5d Revert "Use x509 package ext key usage instead of custom type"
This reverts commit 0b2d8ff475a26ff98c37337a64859d150d62cfc1.
2016-06-22 13:07:31 -04:00
Jeff Mitchell c0dee06aab Use x509 package ext key usage instead of custom type 2016-06-22 11:51:32 -04:00
Jeff Mitchell 62f66dc4d8 Do some internal renaming in PKI 2016-06-22 11:39:57 -04:00
Vishal Nayak 711c05a319 Merge pull request #1546 from hashicorp/secret-aws-roles
Added list functionality to logical aws backend's roles
2016-06-20 20:10:24 -04:00
vishalnayak 8b490e44a1 Added list functionality to logical aws backend's roles 2016-06-20 19:51:04 -04:00
vishalnayak 0760a89eb4 Backend() functions should return 'backend' objects.
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
LLBennett 3795b65d19 Updates to the test based on feedback. 2016-06-08 16:49:10 +00:00
Laura Bennett 2f2a80e2be Add PKI listing 2016-06-08 11:50:59 -04:00
Vishal Nayak 644ac5f5e8 Merge pull request #1456 from hashicorp/consul-lease-renewal
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
Jeff Mitchell 05d1da0656 Add comment about the deletions 2016-05-26 10:33:35 -04:00
Jeff Mitchell ccfa8d0567 Remove deprecated entries from PKI role output.
Fixes #1452
2016-05-26 10:32:04 -04:00
vishalnayak 2ca846b401 s/logical.ErrorResponse/fmt.Errorf in revocation functions of secrets 2016-05-26 10:04:11 -04:00
Sean Chittenden b0bba6d271
Store clamped TTLs back in the role's config 2016-05-15 08:13:56 -07:00
Sean Chittenden 539475714d
Set entry's TTL before writing out the storage entry's config 2016-05-15 07:06:33 -07:00
Jeff Mitchell d899f9d411 Don't revoke CA certificates with leases. 2016-05-09 19:53:28 -04:00
Adam Shannon fb07d07ad9 all: Cleanup from running go vet 2016-04-13 14:38:29 -05:00
vishalnayak 06eeaecef6 Skip acceptance tests if VAULT_ACC is not set 2016-04-11 20:00:15 -04:00
vishalnayak fd8b023655 s/TF_ACC/VAULT_ACC 2016-04-05 15:24:59 -04:00
vishalnayak 95abdebb06 Added AcceptanceTest boolean to logical.TestCase 2016-04-05 15:10:44 -04:00
Jeff Mitchell dfc5a745ee Remove check for using CSR values with non-CA certificate.
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.

Fixes #1250
2016-03-23 10:05:38 -04:00
Jeff Mitchell 1951a01998 Add ability to exclude adding the CN to SANs.
Fixes #1220
2016-03-17 16:28:40 -04:00
Jeff Mitchell 7a9122bbd1 Sanitize serial number in revocation path.
Ping #1180
2016-03-08 10:51:59 -05:00
Jeff Mitchell 34a9cb1a70 Add serial_number back to path_issue_sign responses in PKI 2016-03-08 09:25:48 -05:00
Jeff Mitchell 11dc3f328f Add revocation information to PKI fetch output (non-raw only).
Fixes #1180
2016-03-07 10:57:38 -05:00
Jeff Mitchell 2205133ae4 Only run PKI backend setup functions when TF_ACC is set 2016-02-29 14:41:14 -05:00
Jeff Mitchell 8ca847c9b3 Be more explicit about buffer type 2016-02-24 22:05:39 -05:00
Jeff Mitchell 7d41607b6e Add "tidy/" which allows removing expired certificates.
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has passed. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
Jeff Mitchell f56e4a604d Merge pull request #1114 from hashicorp/dont-delete-certs
Do not delete certs (or revocation information)
2016-02-22 16:11:13 -05:00
Jeff Mitchell 4514192145 Address review feedback 2016-02-22 16:11:01 -05:00
Jeff Mitchell f43ab6a25d Remove extra debugging from PKI tests 2016-02-22 13:39:05 -05:00
Jeff Mitchell f27eab1d28 Do not delete certs (or revocation information) to avoid potential
issues related to time synchronization. A function will be added to
allow operators to perform cleanup at chosen times.
2016-02-22 13:36:17 -05:00
Jeff Mitchell 51ced69bf8 Fix issue where leftover values after cn tests could trigger errors in ipsan tests 2016-02-22 13:35:57 -05:00
Jeff Mitchell 4c327ca4cc More improvements to PKI tests; allow setting a specific seed, output
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
2016-02-22 11:22:52 -05:00