luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
2095 commits 1 branch 0 tags 214 MiB
Commit graph

111 commits

Author SHA1 Message Date
Jeff Mitchell 5e72453b49 Use TypeDurationSecond instead of TypeString 2015-11-03 10:52:20 -05:00
Jeff Mitchell 154fc24777 Address first round of feedback from review 2015-11-03 10:52:20 -05:00
Jeff Mitchell 59cc61cc79 Add documentation for CRLs and some minor cleanup. 2015-11-03 10:52:20 -05:00
Jeff Mitchell 5d562693bd Add tests for the crls path, and fix a couple bugs 2015-11-03 10:52:20 -05:00
Jeff Mitchell b6b62f7dc1 Drastically simplify the method and logic; keep an in-memory cache and use that for most operations, only affecting the backend storage when needed. 2015-11-03 10:52:20 -05:00
Jeff Mitchell c66f0918be Add delete method, and ability to delete only one serial as well as an entire set. 2015-11-03 10:52:20 -05:00
Jeff Mitchell be1a2266cc Add CRLSets endpoints; write method is done. Add verification logic to 
login path. Change certs "ttl" field to be a string to match common
backend behavior.
 2015-11-03 10:52:19 -05:00
Jeff Mitchell 22c65c0c07 Use cleanhttp instead of bare http.Client 2015-10-22 14:37:12 -04:00
Jeff Mitchell cba4e82682 Don't use http.DefaultClient 
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.

Fixes #700, I believe.
 2015-10-15 17:54:00 -04:00
Jeff Mitchell 6f4e42efed Add StaticSystemView to LDAP acceptance tests 2015-10-06 15:48:10 -04:00
vishalnayak a740c68eab Added a test case. Removed setting of defaultTTL in config. 2015-10-03 15:36:57 -04:00
vishalnayak e3f04dc444 Added testcases for config writes 2015-10-02 22:10:51 -04:00
vishalnayak ea0aba8e47 Use SanitizeTTL in credential request path instead of config 2015-10-02 15:41:35 -04:00
vishalnayak 3dd84446ab Github backend: enable auth renewals 2015-10-02 13:33:19 -04:00
Jeff Mitchell c3bdde8abe Add a static system view to github credential backend to fix acceptance tests 2015-09-29 18:55:59 -07:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell 9c5dcac90c Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527 2015-09-18 14:01:28 -04:00
vishalnayak 1f53376ae6 Userpass Bk: Added tests for TTL duration verifications 2015-09-17 16:33:26 -04:00
vishalnayak 4332eb9d05 Vault userpass: Enable renewals for login tokens 2015-09-17 14:35:50 -04:00
Jeff Mitchell 77e7379ab5 Implement the cubbyhole backend 
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
 2015-09-15 13:50:37 -04:00
Jeff Mitchell 104b29ab04 Rename View to StorageView to make it more distinct from SystemView 2015-09-15 13:50:37 -04:00
Jeff Mitchell 959a727acd Don't re-use tls configuration, to fix a possible race issue during test 2015-09-03 13:04:32 -04:00
Jeff Mitchell 5fa76b5640 Add base_url option to GitHub auth provider to allow selecting a custom endpoint. Fixes #572. 2015-08-28 06:28:43 -07:00
Jeff Mitchell 5695d57ba0 Merge pull request #561 from hashicorp/fix-wild-cards 
Allow hyphens in endpoint patterns of most backends
 2015-08-21 11:40:42 -07:00
vishalnayak 6c2927ede0 Vault: Fix wild card paths for all backends 2015-08-21 00:56:13 -07:00
Jeff Mitchell 93ef9a54bd Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod 2015-08-20 18:00:51 -07:00
Jeff Mitchell 133380915a Disallow non-client X509 key usages for client TLS cert authentication. 2015-08-20 15:50:47 -07:00
Armon Dadgar d1a09e295a Merge pull request #509 from ekristen/github-fix 
Reimplements #459
 2015-08-11 10:06:10 -07:00
Erik Kristensen 611965844b reimplements #459 2015-08-09 11:25:45 -06:00
Michael S. Fischer 21ab4d526c Provide working example of TLS certificate authentication 
Fixes #474
 2015-08-07 15:15:53 -07:00
Erik Kristensen 26387f6535 remove newline 2015-08-03 16:34:24 -06:00
Erik Kristensen f9c49f4a57 fix bug #488 2015-08-03 15:47:30 -06:00
Rusty Ross 719ac6e714 update doc for app-id 
make clearer in doc that user-id can accept multiple app-id mappngs as comma-separated values
 2015-08-03 09:44:26 -07:00
Armon Dadgar 03728af495 Merge pull request #464 from bgirardeau/master 
Add Multi-factor authentication with Duo
 2015-07-30 17:51:31 -07:00
Bradley Girardeau aa55d36f03 Clean up naming and add documentation 2015-07-30 17:36:40 -07:00
Bradley Girardeau d26b77b4f4 mfa: code cleanup 2015-07-28 11:55:46 -07:00
Bradley Girardeau 6697012dd3 mfa: improve edge cases and documentation 2015-07-27 21:14:00 -07:00
Bradley Girardeau 06863d08f0 mfa: add to userpass backend 2015-07-27 21:14:00 -07:00
Bradley Girardeau 4eb1beb31c ldap: add mfa support to CLI 2015-07-27 21:14:00 -07:00
Bradley Girardeau 8fa5a349a5 ldap: add mfa to LDAP login 2015-07-27 21:14:00 -07:00
Raymond Pete 1ca09a74b3 name slug check 2015-07-26 22:21:16 -04:00
Bradley Girardeau e8d26d244b ldap: change setting user policies to setting user groups 2015-07-20 11:33:39 -07:00
Bradley Girardeau 301a22295d ldap: add ability to set policies based on username as well as groups 2015-07-14 15:46:15 -07:00
Bradley Girardeau 0e2edc2378 ldap: add ability to login with a userPrincipalName (user@upndomain) 2015-07-14 15:37:46 -07:00
Armon Dadgar 504a7ca7c1 auth/userpass: store password as hash instead of direct. Credit @kenbreeman 2015-07-13 15:09:24 +10:00
Armon Dadgar da4650ccb4 auth/userpass: protect against timing attack. Credit @kenbreeman 2015-07-13 15:01:18 +10:00
Armon Dadgar 599d5f1431 auth/app-id: protect against timing attack. Credit @kenbreeman 2015-07-13 14:58:18 +10:00
Bradley Girardeau 42050fe77b ldap: add starttls support and option to specificy ca certificate 2015-07-02 15:49:51 -07:00
Armon Dadgar b52d3e6506 cred/app-id: testing upgrade to salted keys 2015-06-30 18:37:10 -07:00
Armon Dadgar eeb717c901 cred/app-id: first pass at automatic upgrading to salting 2015-06-30 18:09:08 -07:00