vishalnayak
fde768125c
Cert backend, CRL tests
2016-04-29 02:32:48 -04:00
vishalnayak
23d8ce62a3
Ensure that the instance is running during renewal
2016-04-28 16:34:35 -04:00
vishalnayak
2a2dc0befb
Added allow_instance_migration to the role tag
2016-04-28 11:43:48 -04:00
vishalnayak
4161d3ef4f
Change all time references to UTC
2016-04-28 10:19:29 -04:00
vishalnayak
e591632630
Fix the deadlock issue
2016-04-28 01:01:33 -04:00
vishalnayak
4712533f1d
minor updates
2016-04-28 00:35:49 -04:00
vishalnayak
e6a9a5957d
Refactor locks around config tidy endpoints
2016-04-27 22:32:43 -04:00
vishalnayak
b75a6e2f0f
Fix locking around config/client
2016-04-27 22:25:15 -04:00
vishalnayak
0e97b57beb
Fix the list response of role tags
2016-04-27 22:03:11 -04:00
vishalnayak
779d73ce2b
Removed existence check on blacklist/roletags, docs fixes
2016-04-27 21:29:32 -04:00
vishalnayak
d44326ded6
Remove unnecessary lock switching around flushCachedEC2Clients
2016-04-27 20:13:56 -04:00
vishalnayak
e1080f86ed
Remove recreate parameter from clientEC2
2016-04-27 20:01:39 -04:00
vishalnayak
441477f342
Added ami_id to token metadata
2016-04-27 11:32:05 -04:00
leon
b9c96bf7ce
- updated refactored functions in ldap backend to return error instead of ldap response and fixed interrupted search in ldap groups search func
2016-04-27 18:17:54 +03:00
leon
08be31e9ab
- refactored functionality in separate functions in ldap backend and used a separate ldap query to get ldap groups from userDN
2016-04-27 15:00:26 +03:00
vishalnayak
7144fd54f9
Added tests
2016-04-26 23:40:11 -04:00
vishalnayak
88942b0503
Added tests
2016-04-26 10:22:29 -04:00
vishalnayak
5a676a129e
Added tests
2016-04-26 10:22:29 -04:00
vishalnayak
e16f256b14
Added tests
2016-04-26 10:22:29 -04:00
vishalnayak
3a4021d6c4
Added tests
2016-04-26 10:22:29 -04:00
vishalnayak
de1a1be564
tidy endpoint fixes
2016-04-26 10:22:29 -04:00
vishalnayak
044d01fd69
HMAC Key per AMI ID and avoided secondary call to AWS to fetch the tags
2016-04-26 10:22:29 -04:00
vishalnayak
5996c3e9d8
Rework and refactoring
2016-04-26 10:22:29 -04:00
vishalnayak
3aeae62c00
Added mutex locking for config/certificate endpoint
2016-04-26 10:22:29 -04:00
vishalnayak
21854776af
Added cooldown period for periodic tidying operation
2016-04-26 10:22:29 -04:00
vishalnayak
9aa8fb6cc1
Support periodic tidy callback and config endpoints.
2016-04-26 10:22:29 -04:00
vishalnayak
2810196e0f
Use fullsailor/pkcs7 package instead of its fork. Fix tests
2016-04-26 10:22:29 -04:00
vishalnayak
5a2e1340df
Removed redundant AWS public certificate. Docs update.
2016-04-26 10:22:29 -04:00
vishalnayak
a456f2c3f6
Removed region
parameter from config/client
endpoint.
...
Region to create ec2 client objects is fetched from the identity document.
Maintaining a map of cached clients indexed by region.
2016-04-26 10:22:29 -04:00
vishalnayak
790b143c75
Instance ID can optionally be accepted as a the role tag parameter.
2016-04-26 10:22:29 -04:00
vishalnayak
58c485f519
Support providing multiple certificates.
...
Append all the certificates to the PKCS#7 parser during signature verification.
2016-04-26 10:22:29 -04:00
vishalnayak
9d4a7c5901
Docs update
2016-04-26 10:22:29 -04:00
vishalnayak
ba9c86c92d
Added acceptance test for login endpoint
2016-04-26 10:22:29 -04:00
vishalnayak
c2c1a5eedc
Added test case TestBackend_PathBlacklistRoleTag
2016-04-26 10:22:29 -04:00
vishalnayak
85c9176cb4
Return 4xx error at appropriate places
2016-04-26 10:22:29 -04:00
vishalnayak
1841ef0ebf
Tested pathImageTag
2016-04-26 10:22:29 -04:00
vishalnayak
80e3063334
Tested parseRoleTagValue
2016-04-26 10:22:29 -04:00
vishalnayak
dab1a00313
Make client nonce optional even during first login, when disallow_reauthentication is set
2016-04-26 10:22:29 -04:00
vishalnayak
e0cf8c5608
Rename 'name' to 'ami_id' for clarity
2016-04-26 10:22:29 -04:00
vishalnayak
092feca996
Moved HMAC parsing inside parseRoleTagValue
2016-04-26 10:22:29 -04:00
vishalnayak
ddfdf37d33
Properly handle empty client nonce case when disallow_reauthentication is set
2016-04-26 10:22:29 -04:00
vishalnayak
b8d9b18193
Added disallow_reauthentication feature
2016-04-26 10:22:29 -04:00
vishalnayak
a1d07cbff5
Remove todo and change clientNonce length limit to 128 chars
2016-04-26 10:22:28 -04:00
Jeff Mitchell
bb276d350a
Fix typo
2016-04-26 10:22:28 -04:00
Jeff Mitchell
a5aadc908d
Add environment and EC2 instance metadata role providers for AWS creds.
2016-04-26 10:22:28 -04:00
vishalnayak
012f9273f7
Remove certificate verification
2016-04-26 10:22:28 -04:00
vishalnayak
41cc7c4a15
Test path config/certificate
2016-04-26 10:22:28 -04:00
vishalnayak
5ff8d0cf96
Add existence check verification to config/client testcase
2016-04-26 10:22:28 -04:00
vishalnayak
3286194384
Testing pathImage
2016-04-26 10:22:28 -04:00
Jeff Mitchell
a8082a9a6e
allow_instance_reboot -> allow_instance_migration
2016-04-26 10:22:28 -04:00
Jeff Mitchell
075a81214e
Update image output to show allow_instance_reboot value and keep policies in a list
2016-04-26 10:22:28 -04:00
vishalnayak
91433fedf2
Changed the blacklist URL pattern to optionally accept base64 encoded role tags
2016-04-26 10:22:28 -04:00
vishalnayak
efcc07967e
Accept instance_id in the URL for whitelist endpoint
2016-04-26 10:22:28 -04:00
Jeff Mitchell
cf56895772
Switch around some logic to be more consistent/readable and respect max
...
TTL on initial token issuance.
2016-04-26 10:22:28 -04:00
vishalnayak
338054d49e
Return un-expired entries from blacklist and whitelist
2016-04-26 10:22:28 -04:00
vishalnayak
b6bd30b9fb
Test ConfigClient
2016-04-26 10:22:28 -04:00
vishalnayak
d3adc85886
AWS EC2 instances authentication backend
2016-04-26 10:22:28 -04:00
leon
81ac4c3fcf
- fixed merge with upstream master
2016-04-26 13:23:43 +03:00
leon
1991aebc0a
Merge remote-tracking branch 'upstream/master'
...
Conflicts:
builtin/credential/ldap/backend.go
2016-04-26 13:16:42 +03:00
Adam Shannon
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
Jeff Mitchell
d92b960f7a
Add list support to userpass users. Remove some unneeded existence
...
checks. Remove paths from requiring root.
Fixes #911
2016-04-09 18:28:55 -04:00
vishalnayak
e3a1ee92b5
Utility Enhancements
2016-04-05 20:32:59 -04:00
vishalnayak
95abdebb06
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
Jeff Mitchell
7df3ec46b0
Some fixups around error/warning in LDAP
2016-04-02 13:33:00 -04:00
Jeff Mitchell
40325b8042
If no group DN is configured, still look for policies on local users and
...
return a warning, rather than just trying to do an LDAP search on an
empty string.
2016-04-02 13:11:36 -04:00
Jeff Mitchell
7fd5a679ca
Fix potential error scoping issue.
...
Ping #1262
2016-03-30 19:48:23 -04:00
Jeff Mitchell
3cfcd4ddf1
Check for nil connection back from go-ldap, which apparently can happen even with no error
...
Ping #1262
2016-03-29 10:00:04 -04:00
Jeff Mitchell
17613f5fcf
Removing debugging comment
2016-03-24 09:48:13 -04:00
Jeff Mitchell
4c4a65ebd0
Properly check for policy equivalency during renewal.
...
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.
Fixes #1256
2016-03-24 09:41:51 -04:00
leon
e7942062bd
- updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list
2016-03-21 19:44:08 +02:00
leon
a82114eeb2
- added another method to search LDAP groups by querying the userDN for memberOf attribute
2016-03-21 16:55:38 +02:00
Jeff Mitchell
a8dd6aa4f1
Don't renew cert-based tokens if the policies have changed.
...
Also, add cert renewal testing.
Fixes #477
2016-03-17 14:22:24 -04:00
Jeff Mitchell
77e4ee76bb
Normalize userpass errors around bad user/pass
2016-03-16 15:19:55 -04:00
Jeff Mitchell
8a3f1ad13e
Use 400 instead of 500 for failing to provide a userpass password.
2016-03-16 15:14:28 -04:00
vishalnayak
f9b1fc3aa0
Add comments to existence functions
2016-03-16 14:53:53 -04:00
vishalnayak
1951159b25
Addessing review comments
2016-03-16 14:21:14 -04:00
vishalnayak
239ad4ad7e
Refactor updating user values
2016-03-16 13:42:02 -04:00
vishalnayak
533b136fe7
Reduce the visibility of setUser
2016-03-16 11:39:52 -04:00
vishalnayak
2914ff7502
Use helper for existence check. Avoid panic by fetching default values for field data
2016-03-16 11:26:33 -04:00
vishalnayak
1e889bc08c
Input validations and field renaming
2016-03-15 17:47:13 -04:00
vishalnayak
a0958c9359
Refactor updating and creating userEntry into a helper function
2016-03-15 17:32:39 -04:00
vishalnayak
acd545f1ed
Fetch and store UserEntry to properly handle both create and update
2016-03-15 17:05:23 -04:00
vishalnayak
9609fe151b
Change path structure of password and policies endpoints in userpass
2016-03-15 16:46:12 -04:00
vishalnayak
8be36b6925
Reuse the variable instead of fetching 'name' again
2016-03-15 16:21:47 -04:00
vishalnayak
61b4cac458
Added paths to update policies and password
2016-03-15 16:12:55 -04:00
vishalnayak
731bb97db5
Tests for updating password and policies in userpass backend
2016-03-15 16:09:23 -04:00
vishalnayak
b7eb0a97e5
Userpass: Support updating policies and password
2016-03-15 15:18:21 -04:00
Jeff Mitchell
8aaf29b78d
Add forgotten test
2016-03-15 14:18:35 -04:00
Jeff Mitchell
8bf935bc2b
Add list support to certs in cert auth backend.
...
Fixes #1212
2016-03-15 14:07:40 -04:00
Jeff Mitchell
d648306d52
Add the ability to specify the app-id in the login path.
...
This makes it easier to use prefix revocation for tokens.
Ping #424
2016-03-14 16:24:01 -04:00
Vishal Nayak
a6d8fc9d98
Merge pull request #1190 from grunzwei/master
...
fix github tests to use the provided GITHUB_ORG environment variable
2016-03-09 09:51:28 -05:00
Nathan Grunzweig
ae469cc796
fix github tests to use the provided GITHUB_ORG environment variable
...
(tests fail for non hashicorp people)
2016-03-09 15:34:03 +02:00
Jeff Mitchell
5a17735dcb
Add subject/authority key id to cert metadata
2016-03-07 14:59:00 -05:00
Jeff Mitchell
4a3d3ef300
Use better error message on LDAP renew failure
2016-03-07 09:34:16 -05:00
vishalnayak
44208455f6
continue if non-CA policy is not found
2016-03-01 16:43:51 -05:00
vishalnayak
9a3ddc9696
Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow
2016-03-01 16:37:01 -05:00
vishalnayak
cc1592e27a
corrections, policy matching changes and test cert changes
2016-03-01 16:37:01 -05:00
vishalnayak
09eef70853
Added testcase for cert writes
2016-03-01 16:37:01 -05:00
vishalnayak
f056e8a5a5
supporting non-ca certs for verification
2016-03-01 16:37:01 -05:00
vishalnayak
aee006ba2d
moved the test cert keys to appropriate test-fixtures folder
2016-02-29 15:49:08 -05:00
vishalnayak
cf672400d6
fixed the error log message
2016-02-29 10:41:10 -05:00
vishalnayak
dca18aec2e
replaced old certs, with new certs generated from PKI backend, containing IP SANs
2016-02-28 22:15:54 -05:00
Jeff Mitchell
6b6005ee2e
Remove root token requirement from GitHub configuration
2016-02-25 08:51:53 -05:00
vishalnayak
69bcbb28aa
rename verify_cert as disable_binding and invert the logic
2016-02-24 21:01:21 -05:00
vishalnayak
902c780f2b
make the verification of certs in renewal configurable
2016-02-24 16:42:20 -05:00
vishalnayak
bc4710eb06
Cert: renewal enhancements
2016-02-24 14:31:38 -05:00
vishalnayak
053bbd97ea
check CIDR block for renewal as well
2016-02-24 10:55:31 -05:00
vishalnayak
978075a1b4
Added renewal capability to app-id backend
2016-02-24 10:40:15 -05:00
Jeff Mitchell
fab2d8687a
Remove root requirement for certs/ and crls/ in TLS auth backend.
...
Fixes #468
2016-02-21 15:33:33 -05:00
Jeff Mitchell
6df75231b8
Merge pull request #1100 from hashicorp/issue-1030
...
Properly escape filter values in LDAP filters
2016-02-19 14:56:40 -05:00
Jeff Mitchell
05b5ff69ed
Address some feedback on ldap escaping help text
2016-02-19 13:47:26 -05:00
Jeff Mitchell
d7b40b32db
Properly escape filter values.
...
Fixes #1030
2016-02-19 13:16:52 -05:00
Jeff Mitchell
c67871c36e
Update LDAP documentation with a note on escaping
2016-02-19 13:16:18 -05:00
Jeff Mitchell
d3f3122307
Add tests to ldap using the discover capability
2016-02-19 11:46:59 -05:00
Jeff Mitchell
154c326060
Add ldap tests that use a bind dn and bind password
2016-02-19 11:38:27 -05:00
vishalnayak
0b44d81a16
Github renewal enhancement
2016-02-11 20:42:42 -05:00
Jeff Mitchell
61eec74b4e
Remove app-id renewal for the moment until verification logic is added
2016-01-31 19:12:20 -05:00
Jeff Mitchell
bf13d68372
Fix userpass acceptance tests by giving it a system view
2016-01-29 20:14:14 -05:00
Jeff Mitchell
d3a705f17b
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
Hanno Hecker
0db33274b7
discover bind dn with anonymous binds
2016-01-27 17:06:27 +01:00
Hanno Hecker
4606cd1492
fix stupid c&p error
2016-01-26 16:15:25 +01:00
Hanno Hecker
6a570345a0
add binddn/bindpath to search for the users bind DN
2016-01-26 15:56:41 +01:00
Jack DeLoach
8fecccde21
Add STS path to AWS backend.
...
The new STS path allows for obtaining the same credentials that you would get
from the AWS "creds" path, except it will also provide a security token, and
will not have an annoyingly long propagation time before returning to the user.
2016-01-21 14:05:09 -05:00
Jeff Mitchell
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Jeff Mitchell
5e72453b49
Use TypeDurationSecond instead of TypeString
2015-11-03 10:52:20 -05:00
Jeff Mitchell
154fc24777
Address first round of feedback from review
2015-11-03 10:52:20 -05:00
Jeff Mitchell
59cc61cc79
Add documentation for CRLs and some minor cleanup.
2015-11-03 10:52:20 -05:00
Jeff Mitchell
5d562693bd
Add tests for the crls path, and fix a couple bugs
2015-11-03 10:52:20 -05:00
Jeff Mitchell
b6b62f7dc1
Drastically simplify the method and logic; keep an in-memory cache and use that for most operations, only affecting the backend storage when needed.
2015-11-03 10:52:20 -05:00
Jeff Mitchell
c66f0918be
Add delete method, and ability to delete only one serial as well as an entire set.
2015-11-03 10:52:20 -05:00
Jeff Mitchell
be1a2266cc
Add CRLSets endpoints; write method is done. Add verification logic to
...
login path. Change certs "ttl" field to be a string to match common
backend behavior.
2015-11-03 10:52:19 -05:00
Jeff Mitchell
22c65c0c07
Use cleanhttp instead of bare http.Client
2015-10-22 14:37:12 -04:00
Jeff Mitchell
cba4e82682
Don't use http.DefaultClient
...
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.
Fixes #700 , I believe.
2015-10-15 17:54:00 -04:00
Jeff Mitchell
6f4e42efed
Add StaticSystemView to LDAP acceptance tests
2015-10-06 15:48:10 -04:00
vishalnayak
a740c68eab
Added a test case. Removed setting of defaultTTL in config.
2015-10-03 15:36:57 -04:00
vishalnayak
e3f04dc444
Added testcases for config writes
2015-10-02 22:10:51 -04:00
vishalnayak
ea0aba8e47
Use SanitizeTTL in credential request path instead of config
2015-10-02 15:41:35 -04:00
vishalnayak
3dd84446ab
Github backend: enable auth renewals
2015-10-02 13:33:19 -04:00
Jeff Mitchell
c3bdde8abe
Add a static system view to github credential backend to fix acceptance tests
2015-09-29 18:55:59 -07:00
Jeff Mitchell
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
Jeff Mitchell
9c5dcac90c
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 14:01:28 -04:00
vishalnayak
1f53376ae6
Userpass Bk: Added tests for TTL duration verifications
2015-09-17 16:33:26 -04:00
vishalnayak
4332eb9d05
Vault userpass: Enable renewals for login tokens
2015-09-17 14:35:50 -04:00
Jeff Mitchell
77e7379ab5
Implement the cubbyhole backend
...
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell
104b29ab04
Rename View to StorageView to make it more distinct from SystemView
2015-09-15 13:50:37 -04:00
Jeff Mitchell
959a727acd
Don't re-use tls configuration, to fix a possible race issue during test
2015-09-03 13:04:32 -04:00
Jeff Mitchell
5fa76b5640
Add base_url option to GitHub auth provider to allow selecting a custom endpoint. Fixes #572 .
2015-08-28 06:28:43 -07:00
Jeff Mitchell
5695d57ba0
Merge pull request #561 from hashicorp/fix-wild-cards
...
Allow hyphens in endpoint patterns of most backends
2015-08-21 11:40:42 -07:00
vishalnayak
6c2927ede0
Vault: Fix wild card paths for all backends
2015-08-21 00:56:13 -07:00
Jeff Mitchell
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
Jeff Mitchell
133380915a
Disallow non-client X509 key usages for client TLS cert authentication.
2015-08-20 15:50:47 -07:00
Armon Dadgar
d1a09e295a
Merge pull request #509 from ekristen/github-fix
...
Reimplements #459
2015-08-11 10:06:10 -07:00
Erik Kristensen
611965844b
reimplements #459
2015-08-09 11:25:45 -06:00
Michael S. Fischer
21ab4d526c
Provide working example of TLS certificate authentication
...
Fixes #474
2015-08-07 15:15:53 -07:00
Erik Kristensen
26387f6535
remove newline
2015-08-03 16:34:24 -06:00
Erik Kristensen
f9c49f4a57
fix bug #488
2015-08-03 15:47:30 -06:00
Rusty Ross
719ac6e714
update doc for app-id
...
make clearer in doc that user-id can accept multiple app-id mappngs as comma-separated values
2015-08-03 09:44:26 -07:00
Armon Dadgar
03728af495
Merge pull request #464 from bgirardeau/master
...
Add Multi-factor authentication with Duo
2015-07-30 17:51:31 -07:00
Bradley Girardeau
aa55d36f03
Clean up naming and add documentation
2015-07-30 17:36:40 -07:00
Bradley Girardeau
d26b77b4f4
mfa: code cleanup
2015-07-28 11:55:46 -07:00
Bradley Girardeau
6697012dd3
mfa: improve edge cases and documentation
2015-07-27 21:14:00 -07:00
Bradley Girardeau
06863d08f0
mfa: add to userpass backend
2015-07-27 21:14:00 -07:00
Bradley Girardeau
4eb1beb31c
ldap: add mfa support to CLI
2015-07-27 21:14:00 -07:00
Bradley Girardeau
8fa5a349a5
ldap: add mfa to LDAP login
2015-07-27 21:14:00 -07:00
Raymond Pete
1ca09a74b3
name slug check
2015-07-26 22:21:16 -04:00
Bradley Girardeau
e8d26d244b
ldap: change setting user policies to setting user groups
2015-07-20 11:33:39 -07:00
Bradley Girardeau
301a22295d
ldap: add ability to set policies based on username as well as groups
2015-07-14 15:46:15 -07:00
Bradley Girardeau
0e2edc2378
ldap: add ability to login with a userPrincipalName (user@upndomain)
2015-07-14 15:37:46 -07:00
Armon Dadgar
504a7ca7c1
auth/userpass: store password as hash instead of direct. Credit @kenbreeman
2015-07-13 15:09:24 +10:00
Armon Dadgar
da4650ccb4
auth/userpass: protect against timing attack. Credit @kenbreeman
2015-07-13 15:01:18 +10:00
Armon Dadgar
599d5f1431
auth/app-id: protect against timing attack. Credit @kenbreeman
2015-07-13 14:58:18 +10:00
Bradley Girardeau
42050fe77b
ldap: add starttls support and option to specificy ca certificate
2015-07-02 15:49:51 -07:00
Armon Dadgar
b52d3e6506
cred/app-id: testing upgrade to salted keys
2015-06-30 18:37:10 -07:00
Armon Dadgar
eeb717c901
cred/app-id: first pass at automatic upgrading to salting
2015-06-30 18:09:08 -07:00
Armon Dadgar
4b27e4d8c5
Remove SetLogger, and unify on framework.Setup
2015-06-30 17:45:20 -07:00
Armon Dadgar
5d69e7da90
Updating for backend API change
2015-06-30 17:36:12 -07:00
Armon Dadgar
3c58773598
Merge pull request #380 from kgutwin/cert-cli
...
Enable TLS client cert authentication via the CLI
2015-06-30 11:44:28 -07:00
Armon Dadgar
b1f7e2f0ea
ldap: fixing merge conflict
2015-06-30 09:40:43 -07:00
Karl Gutwin
0062d923cc
Better error messages.
2015-06-30 08:59:38 -04:00
Karl Gutwin
a54ba31635
Merge remote-tracking branch 'upstream/master' into cert-cli
2015-06-30 08:31:00 -04:00
Karl Gutwin
dafcc5b2ce
enable CLI cert login
2015-06-29 23:29:41 -04:00
esell
c0e1843263
change skipsslverify to insecure_tls
2015-06-29 19:23:31 -06:00
Armon Dadgar
337997ab04
Fixing merge conflict
2015-06-29 14:50:55 -07:00
esell
e81f966842
Set SkipSSLVerify default to false, add warning in help message
2015-06-24 13:38:14 -06:00
esell
d3225dae07
cleanup the code a bit
2015-06-24 10:09:29 -06:00
esell
84371ea734
allow skipping SSL verification on ldap auth
2015-06-24 10:05:45 -06:00
Armon Dadgar
45d3c512fb
builtin: fixing API change in logical framework
2015-06-17 14:34:11 -07:00
Mitchell Hashimoto
4bf84392ec
credential/github: get rid of stray tab
2015-06-16 10:05:51 -07:00
Mitchell Hashimoto
0ecf05c043
command/auth, github: improve cli docs
...
/cc @sethvargo
2015-06-16 10:05:11 -07:00
Christian Svensson
e3d3012795
Record the common name in TLS metadata
...
It is useful to be able to save the client cert's Common Name for auditing purposes when using a central CA.
This adds a "common_name" value to the Metadata structure passed from login.
2015-06-14 23:18:21 +01:00
Ian Unruh
2e1bce27a9
Allow dot in LDAP login username
2015-05-20 11:54:15 -07:00
Armon Dadgar
cc966d6b52
auth/cert: Guard against empty certs. Fixes #214
2015-05-18 16:11:09 -07:00
Armon Dadgar
56659a2db2
cred/app-id: ensure consistent error message
2015-05-15 11:45:57 -07:00
Armon Dadgar
8cff23f29b
cred/app-id: stricter validation and error messaging
2015-05-15 11:40:45 -07:00
Jonathan Sokolowski
6746a24c78
credential/app-id: Test DeleteOperation
2015-05-14 22:30:02 +10:00
Etourneau Gwenn
a3fe4b889f
Fix Error message
2015-05-12 14:32:09 +09:00
Mitchell Hashimoto
1ca0b2340c
credential/app-id: add hash of user/app ID to metadata for logs
2015-05-11 10:46:11 -07:00
Mitchell Hashimoto
5406d3189e
Merge pull request #184 from hashicorp/b-github-casing
...
credential/github: case insensitive mappings
2015-05-11 10:27:45 -07:00
Mitchell Hashimoto
5c63b70eea
logical/framework: PathMap is case insensitive by default
2015-05-11 10:27:04 -07:00
Mitchell Hashimoto
4e861f29bc
credential/github: case insensitive mappings
2015-05-11 10:24:39 -07:00
Giovanni Bajo
8156b88353
auth/ldap: move password into InternalData
2015-05-09 22:06:34 +02:00
Giovanni Bajo
84388b2b20
auth/ldap: move username into the path (to allow per-user revokation on the path)
2015-05-09 22:06:28 +02:00
Giovanni Bajo
5e899e7de2
auth/ldap: fix pasto
2015-05-09 22:06:22 +02:00
Giovanni Bajo
1e1219dfcc
auth/ldap: implement login renew
2015-05-09 22:04:20 +02:00
Giovanni Bajo
a0f53f177c
auth/ldap: document LDAP server used in tests
2015-05-09 22:04:20 +02:00
Giovanni Bajo
b4093e2ddf
auth/ldap: add acceptance tests
2015-05-09 22:04:20 +02:00
Giovanni Bajo
02d3b1c74c
auth/ldap: add support for groups with unique members
2015-05-09 22:04:20 +02:00
Giovanni Bajo
c313ff2802
auth/ldap: implement authorization via LDAP groups
2015-05-09 22:04:20 +02:00
Giovanni Bajo
dc6b4ab9db
auth/ldap: add configuration path for groups
2015-05-09 22:04:20 +02:00
Giovanni Bajo
7e39da2e67
Attempt connection to LDAP server at login time.
...
Also switch to a LDAP library fork which fixes a panic when
shutting down a connection immediately.
2015-05-09 22:04:19 +02:00
Giovanni Bajo
7492c5712a
Initial implementation of the LDAP credential backend
2015-05-09 22:04:19 +02:00
Seth Vargo
f3c3f4717a
Remove references to -var
2015-05-08 11:45:29 -04:00
Armon Dadgar
a6a4bee2ee
cred/app-id: Add help synopsis to login path
2015-05-07 15:45:43 -07:00
Seth Vargo
04015fdf55
Fix output from GitHub help
2015-05-07 14:13:12 -04:00
Trevor Pounds
582677b134
Fix documentation typo.
2015-04-28 22:15:56 -07:00
Armon Dadgar
9087471bad
credential/cert: support leasing and renewal
2015-04-24 12:58:39 -07:00
Armon Dadgar
3a9e20748b
credential/cert: default display name
2015-04-24 10:52:17 -07:00
Armon Dadgar
7b4ceeb7e6
credential/cert: more validation on cert setup
2015-04-24 10:39:44 -07:00
Armon Dadgar
d57c8ea0f0
credential/cert: return logical error if invalid
2015-04-24 10:36:25 -07:00
Armon Dadgar
ae272b83ce
credential/cert: major refactor
2015-04-24 10:31:57 -07:00
Armon Dadgar
28b18422b7
credential/cert: First pass at public key credential backend
2015-04-23 21:46:21 -07:00
Mitchell Hashimoto
0b7e7190b5
credentials/userpass: integrate into auth cli
2015-04-19 15:17:24 -07:00
Mitchell Hashimoto
c5cadc026d
credential/userpass: renewal
2015-04-19 15:12:50 -07:00
Mitchell Hashimoto
0ae9eadfd3
credential/userpass: help
2015-04-19 15:07:11 -07:00
Mitchell Hashimoto
0aec679bb4
credential/userpass: login
2015-04-19 15:06:29 -07:00
Mitchell Hashimoto
fedda20c41
credential/userpass: configuring users
2015-04-19 14:59:30 -07:00
Mitchell Hashimoto
20324a0c9c
website: more auth
2015-04-18 13:45:50 -07:00
Mitchell Hashimoto
f7a1b2ced9
credential/app-id: allow restriction by CIDR block [GH-10]
2015-04-17 10:14:39 -07:00
Mitchell Hashimoto
e643b48235
credential/app-id: support associating a name with app ID [GH-9]
2015-04-17 10:01:03 -07:00
Mitchell Hashimoto
37af1683c6
credential/*: adhere to new API
2015-04-17 09:40:28 -07:00
Armon Dadgar
cf2faa06ae
credential/github: Set the github username as the display name
2015-04-15 14:30:46 -07:00
Mitchell Hashimoto
62f4d1dd0e
credential/github: CLI handler
2015-04-06 09:53:43 -07:00
Mitchell Hashimoto
569991fcc5
credential/app-id
2015-04-04 18:41:49 -07:00
Mitchell Hashimoto
606b3dbff9
credential/github: improve help
2015-04-04 12:18:33 -07:00
Mitchell Hashimoto
12a75dd304
credential/github: auth with github
2015-04-01 15:46:37 -07:00