luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
4308 commits 1 branch 0 tags 214 MiB
Commit graph

549 commits

Author SHA1 Message Date
Jeff Mitchell f21b88802f Add some more tests around deletion and fix upsert status returning 2016-05-03 00:19:18 -04:00
Jeff Mitchell 7e1bdbe924 Massively simplify lock handling based on feedback 2016-05-02 23:47:18 -04:00
Jeff Mitchell 7f3613cc6e Remove some deferring 2016-05-02 22:36:44 -04:00
Jeff Mitchell fa0d389a95 Change use-hint of lockAll and lockPolicy 2016-05-02 22:36:44 -04:00
Jeff Mitchell 49c56f05e8 Address review feedback 2016-05-02 22:36:44 -04:00
Jeff Mitchell 3e5391aa9c Switch to lockManager 2016-05-02 22:36:44 -04:00
Jeff Mitchell 08b91b776d Address feedback 2016-05-02 22:36:44 -04:00
Jeff Mitchell fedc8711a7 Fix up commenting and some minor tidbits 2016-05-02 22:36:44 -04:00
Jeff Mitchell fe1f56de40 Make a non-caching but still locking variant of transit for when caches are disabled 2016-05-02 22:36:44 -04:00
vishalnayak 9aa8fb6cc1 Support periodic tidy callback and config endpoints. 2016-04-26 10:22:29 -04:00
Jeff Mitchell 30ba5b7887 Merge pull request #1291 from mmickan/ssh-keyinstall-perms 
Ensure authorized_keys file is readable when uninstalling an ssh key
 2016-04-25 14:00:37 -04:00
Adam Shannon fb07d07ad9 all: Cleanup from running go vet 2016-04-13 14:38:29 -05:00
vishalnayak 06eeaecef6 Skip acceptance tests if VAULT_ACC is not set 2016-04-11 20:00:15 -04:00
Kevin Pike dd98b08d36 Do not provide a default lease 2016-04-08 09:50:47 -07:00
Kevin Pike eeb145f049 List roles 2016-04-08 09:46:25 -07:00
Kevin Pike a86e5e3cd9 Support verify_connection flag 2016-04-08 09:44:15 -07:00
Kevin Pike 706ed5839e Fix username generation 2016-04-08 09:32:29 -07:00
Kevin Pike e3db8c999e Merge branch 'master' of github.com:doubledutch/vault 2016-04-08 09:25:28 -07:00
Kevin Pike 1102863f5a Update comment 2016-04-08 09:07:06 -07:00
Kevin Pike 35f49107cd Fix documentation typo 2016-04-08 09:05:38 -07:00
Kevin Pike 5460c24b94 Fix documentation typo 2016-04-08 09:05:06 -07:00
Kevin Pike 070fe56648 Rename uri to connection_uri 2016-04-08 09:04:42 -07:00
Kevin Pike 48d1f99afb Merge remote-tracking branch 'upstream/master' 2016-04-08 08:57:10 -07:00
vishalnayak fd8b023655 s/TF_ACC/VAULT_ACC 2016-04-05 15:24:59 -04:00
vishalnayak 95abdebb06 Added AcceptanceTest boolean to logical.TestCase 2016-04-05 15:10:44 -04:00
Mark Mickan a55124f0b6 Ensure authorized_keys file is readable when uninstalling an ssh key 
Without this change, if the user running the ssh key install script doesn't
have read access to the authorized_keys file when uninstalling a key, all
keys will be deleted from the authorized_keys file.

Fixes GH #1285
 2016-04-05 17:26:21 +09:30
Jeff Mitchell dfc5a745ee Remove check for using CSR values with non-CA certificate. 
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.

Fixes #1250
 2016-03-23 10:05:38 -04:00
Jeff Mitchell 1951a01998 Add ability to exclude adding the CN to SANs. 
Fixes #1220
 2016-03-17 16:28:40 -04:00
Vishal Nayak 343e6f1671 Merge pull request #998 from chrishoffman/mssql 
Sql Server (mssql) secret backend
 2016-03-10 22:30:24 -05:00
Chris Hoffman b1703fb18d Cleaning up lease and lease duration vars and params 2016-03-10 21:15:18 -05:00
Chris Hoffman ba94451875 Removing root protected endpoints 2016-03-10 21:08:39 -05:00
Chris Hoffman dc7da4f4e8 Changing DROP USER query to a more compatible version 2016-03-10 21:06:50 -05:00
Chris Hoffman 5af33afd90 Adding verify_connection to config, docs updates, misc cleanup 2016-03-09 23:08:05 -05:00
Jeff Mitchell 7a9122bbd1 Sanitize serial number in revocation path. 
Ping #1180
 2016-03-08 10:51:59 -05:00
Jeff Mitchell 34a9cb1a70 Add serial_number back to path_issue_sign responses in PKI 2016-03-08 09:25:48 -05:00
Jeff Mitchell 11dc3f328f Add revocation information to PKI fetch output (non-raw only). 
Fixes #1180
 2016-03-07 10:57:38 -05:00
Jeff Mitchell 67b85b8f7f Error rather than skip Consul acceptance tests if Consul isn't found 2016-03-07 10:09:36 -05:00
Chris Hoffman 0b4a8f5b94 Adding mssql secret backend 2016-03-03 09:19:17 -05:00
Jeff Mitchell 64ab16d137 Don't spawn consul servers when testing unless it's an acceptance test 2016-02-29 14:58:06 -05:00
Jeff Mitchell f6092f8311 Don't run transit fuzzing if not during acceptance tests 2016-02-29 14:44:04 -05:00
Jeff Mitchell 2205133ae4 Only run PKI backend setup functions when TF_ACC is set 2016-02-29 14:41:14 -05:00
Jeff Mitchell 7ae573b35b Apply hyphen/underscore replacement across the entire username. 
Handles app-id generated display names.

Fixes #1140
 2016-02-26 15:26:23 -05:00
Jeff Mitchell 8ca847c9b3 Be more explicit about buffer type 2016-02-24 22:05:39 -05:00
Jeff Mitchell 7d41607b6e Add "tidy/" which allows removing expired certificates. 
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
 2016-02-24 21:24:48 -05:00
vishalnayak 69bcbb28aa rename verify_cert as disable_binding and invert the logic 2016-02-24 21:01:21 -05:00
Matt Hurne 11187112bc Improve error message returned when client attempts to generate STS credentials for a managed policy; addresses #1113 2016-02-23 08:58:28 -05:00
Jeff Mitchell f56e4a604d Merge pull request #1114 from hashicorp/dont-delete-certs 
Do not delete certs (or revocation information)
 2016-02-22 16:11:13 -05:00
Jeff Mitchell 4514192145 Address review feedback 2016-02-22 16:11:01 -05:00
Jeff Mitchell f43ab6a25d Remove extra debugging from PKI tests 2016-02-22 13:39:05 -05:00
Jeff Mitchell f27eab1d28 Do not delete certs (or revocation information) to avoid potential 
issues related to time synchronization. A function will be added to
allow operators to perform cleanup at chosen times.
 2016-02-22 13:36:17 -05:00
Jeff Mitchell 51ced69bf8 Fix issue where leftover values after cn tests could trigger errors in ipsan tests 2016-02-22 13:35:57 -05:00
Vishal Nayak 949f8a6b69 Merge pull request #1112 from hashicorp/1089-postgres-connection-url 
postgres: connection_url fix
 2016-02-22 11:36:04 -05:00
Jeff Mitchell 4c327ca4cc More improvements to PKI tests; allow setting a specific seed, output 
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
 2016-02-22 11:22:52 -05:00
vishalnayak c9899a5300 postgres: connection_url fix 2016-02-22 11:22:49 -05:00
Jeff Mitchell 8d4c6f4c98 Use more fuzziness in PKI backend tests 2016-02-22 10:59:37 -05:00
Jeff Mitchell 392a26e9cd Better handle errors from fetchCertBySerial 2016-02-22 10:36:26 -05:00
Kevin Pike bcaac7f876 Update update operation and uuid references 2016-02-21 15:31:22 -08:00
Kevin Pike 264c9cc40e Merge branch 'master' into rabbitmq 2016-02-21 14:55:06 -08:00
Kevin Pike c755065415 Add RabbitMQ secret backend 2016-02-21 14:52:57 -08:00
Jeff Mitchell 58432c5d57 Add tests for minimum key size checking. (This will also verify that the 
key type matches that of the role, since type assertions are required to
check the bit size). Like the rest, these are fuzz tests; I have
verified that the random seed will eventually hit error conditions if
ErrorOk is not set correctly when we expect an error.
 2016-02-19 21:39:40 -05:00
Jeff Mitchell c57b646848 Check role key type and bits when signing CSR. 
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
 2016-02-19 20:50:49 -05:00
vishalnayak c4abe72075 Cap the length midString in IAM user's username to 42 2016-02-19 18:31:10 -05:00
Vishal Nayak 773de69796 Merge pull request #1102 from hashicorp/shorten-aws-usernames 
Set limits on generated IAM user and STS token names.
 2016-02-19 18:25:29 -05:00
Jeff Mitchell 574542b683 Some minor changes in mysql commenting and names 2016-02-19 16:44:52 -05:00
Jeff Mitchell 25b9f9b4a6 Set limits on generated IAM user and STS token names. 
Fixes #1031
Fixes #1063
 2016-02-19 16:35:06 -05:00
vishalnayak a16055c809 mysql: fix error message 2016-02-19 16:07:06 -05:00
vishalnayak 38b55bd8b1 Don't deprecate value field yet 2016-02-19 16:07:06 -05:00
vishalnayak 99f4969b20 Removed connectionString.ConnectionString 2016-02-19 16:07:05 -05:00
vishalnayak 380b662c3d mysql: provide allow_verification option to disable connection_url check 2016-02-19 16:07:05 -05:00
Jeff Mitchell 7fc4ee1ed7 Disallow 1024-bit RSA keys. 
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
 2016-02-19 14:33:02 -05:00
Vishal Nayak ba134f5a7a Merge pull request #1086 from hashicorp/iss962-verify-otp-response-code 
SSH: Fix response code for ssh/verify
 2016-02-18 13:32:28 -05:00
vishalnayak a6f3b31a36 ssh: Fix response code for ssh/verify 2016-02-16 19:46:29 -05:00
vishalnayak d9536043e7 Pki: Respond user error when cert is not found instead of internal error 2016-02-16 17:58:57 -05:00
Jeff Mitchell 3378db0166 Merge pull request #1061 from tomrittervg/tomrittervg-typos-1 
Fix some typos
 2016-02-11 15:12:09 -05:00
Jeff Mitchell 880c9798b7 Merge pull request #1062 from tomrittervg/tomrittervg-AllowedBaseDomain-migration 
AllowedBaseDomain will stay non-empty in certain error conditions. None of these conditions should be hit anyways, but this provides an extra safety check.
 2016-02-11 15:07:54 -05:00
Jeff Mitchell 46b22745c6 Merge pull request #1053 from mwielgoszewski/postgresql-revocation 
Fix PostgreSQL secret backend issues revoking users
 2016-02-11 12:52:37 -05:00
Tom Ritter a10dc14625 Fix AllowedBaseDomain Migration 
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.

//untested
 2016-02-09 15:42:15 -06:00
Tom Ritter 940a58cb9d Typo in error message in path_intermediate.go 2016-02-09 15:08:30 -06:00
Tom Ritter e5952a1c28 Typo in policy.go 2016-02-08 12:00:06 -06:00
Jeff Mitchell 4771884c78 Add slack on NotBefore value for generated certs. 
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.

Fixes #1035
 2016-02-07 14:00:03 -05:00
Jeff Mitchell eb1deefac1 Introduce a locking inmem storage for unit tests that are doing concurrent things 2016-02-04 09:40:35 -05:00
Jeff Mitchell 70eeaa1519 Add transit fuzz test 2016-02-03 17:36:15 -05:00
Vishal Nayak d02930fd95 Merge pull request #1013 from hashicorp/fix-ssh-tests 
Fix SSH tests
 2016-02-02 14:22:09 -05:00
vishalnayak f2e8ac0658 Fix SSH test cases. 2016-02-02 12:32:50 -05:00
Jeff Mitchell 159754acf2 Use capabilities to determine upsert-ability in transit. 2016-02-02 10:03:14 -05:00
Jeff Mitchell 5ef8839e48 Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config" 
This reverts commit dc27d012c0357f93bfd5bd8d480f3e229166307a.
 2016-02-02 09:26:25 -05:00
Jeff Mitchell 1d385b4de3 Re-add upsert into transit. Defaults to off and a new endpoint /config 
can be used to turn it on for a given mount.
 2016-02-01 20:13:57 -05:00
Jeff Mitchell 20f45678e6 Fix comment text 2016-02-01 17:20:16 -05:00
Jeff Mitchell fc6d23a54e Allow the format to be specified as pem_bundle, which creates a 
concatenated PEM file.

Fixes #992
 2016-02-01 13:19:41 -05:00
Jeff Mitchell af73d965a4 Cassandra: 
* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs
 2016-02-01 10:27:26 -05:00
Jeff Mitchell 627082b838 Remove grace periods 2016-01-31 19:33:16 -05:00
Jeff Mitchell 470ea58d73 Match leases in the test 2016-01-29 20:45:38 -05:00
Jeff Mitchell bab1220fb8 Fix building of consul backend test 2016-01-29 20:03:38 -05:00
Jeff Mitchell d3a705f17b Make backends much more consistent: 
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
 2016-01-29 20:03:37 -05:00
Jeff Mitchell 02cd4d7bf6 Merge pull request #979 from hashicorp/transit-locking 
Implement locking in the transit backend.
 2016-01-29 14:40:32 -05:00
Jeff Mitchell 073e755aa6 Update error return strings 2016-01-29 14:40:13 -05:00
Jeff Mitchell 3396b42c6c Address final review feedback 2016-01-29 14:33:51 -05:00
Jeff Mitchell cb1928451b Only specify cert sign / CRL sign for CAs and only specify extended key 
usages for clients.

This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.

Fixes #987
 2016-01-29 10:26:35 -05:00
Jeff Mitchell 2015118958 Add listing of roles to PKI 2016-01-28 15:18:07 -05:00
Jeff Mitchell f8a375777b Add list support for mysql roles 2016-01-28 15:04:25 -05:00
Jeff Mitchell 62e3ac83f8 Add list support for postgres roles 2016-01-28 14:41:50 -05:00
Jeff Mitchell 7be090b185 Fix postgres backend test SQL for user priv checking 2016-01-28 14:41:13 -05:00
Jeff Mitchell 12bd2f430b Ensure generatePolicy checks disk, not just the cache, now that we aren't eager loading 2016-01-28 13:10:59 -05:00
Jeff Mitchell dd57a3f55d Add listing of roles to ssh backend 2016-01-28 12:48:00 -05:00
Jeff Mitchell dd1b94fbd6 Remove eager loading 2016-01-28 08:59:05 -05:00
Jeff Mitchell be83340b14 Embed the cache directly 2016-01-27 21:59:20 -05:00
Jeff Mitchell 1ebae324ce Merge pull request #942 from wikiwi/fix-ssh-open-con 
Cleanly close SSH connections
 2016-01-27 17:18:54 -05:00
Jeff Mitchell 48c9f79896 Implement locking in the transit backend. 
This ensures that we can safely rotate and modify configuration
parameters with multiple requests in flight.

As a side effect we also get a cache, which should provide a nice
speedup since we don't need to decrypt/deserialize constantly, which
would happen even with the physical LRU.
 2016-01-27 17:03:21 -05:00
Jeff Mitchell d1b2bf3183 Move archive location; also detect first load of a policy after archive 
is added and cause the keys to be copied to the archive.
 2016-01-27 13:41:37 -05:00
Jeff Mitchell 369d0bbad0 Address review feedback 2016-01-27 13:41:37 -05:00
Jeff Mitchell e5a58109ec Store all keys in archive always 2016-01-27 13:41:37 -05:00
Jeff Mitchell 30ffc18c19 Add unit tests 2016-01-27 13:41:37 -05:00
Jeff Mitchell 5000711a67 Force min decrypt version to 1 if it's zero, which allows fixing problematic archiving logic 2016-01-27 13:41:37 -05:00
Jeff Mitchell 7a27dd5cb3 Fix logic bug when restoring keys 2016-01-27 13:41:37 -05:00
Jeff Mitchell 004b35be36 Fix decrementing instead of incrementing 2016-01-27 13:41:37 -05:00
Jeff Mitchell beafe25508 Initial transit key archiving work 2016-01-27 13:41:37 -05:00
Jeff Mitchell 7390cd5264 Add a max_idle_connections parameter. 2016-01-25 14:47:07 -05:00
Jeff Mitchell 12c00b97ef Allow backends to see taint status. 
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.

Fixes #946
 2016-01-22 17:01:22 -05:00
Dmitriy Gromov 70ef2e3398 STS now uses root vault user for keys 
The secretAccessKeysRevoke revoke function now asserts that it is
not dealing with STS keys by checking a new internal data flag. Defaults
to IAM when the flag is not found.

Factored out genUsername into its own function to share between STS and
IAM secret creation functions.

Fixed bad call to "WriteOperation" instead of "UpdateOperation" in
aws/backend_test
 2016-01-21 15:04:16 -05:00
Dmitriy Gromov 4abca91d66 Renamed sts duration to ttl and added STS permissions note. 2016-01-21 14:28:34 -05:00
Dmitriy Gromov f251b13aaa Removing debug print statement from sts code 2016-01-21 14:05:10 -05:00
Dmitriy Gromov 1cf8153dfd Fixed duration type and added acceptance test for sts 2016-01-21 14:05:10 -05:00
Dmitriy Gromov 71afb7cff0 Configurable sts duration 2016-01-21 14:05:09 -05:00
Jack DeLoach 8fecccde21 Add STS path to AWS backend. 
The new STS path allows for obtaining the same credentials that you would get
from the AWS "creds" path, except it will also provide a security token, and
will not have an annoyingly long propagation time before returning to the user.
 2016-01-21 14:05:09 -05:00
Jeff Mitchell 0f0949ab06 Merge pull request #895 from nickithewatt/aws-prexisting-policies 
Allow use of pre-existing policies for AWS users
 2016-01-21 13:23:37 -05:00
Chi Vinh Le f3e5e44cd0 Cleanly close SSH connections 2016-01-19 07:59:08 +01:00
Jeff Mitchell 9c5ad28632 Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Marcin Wielgoszewski bde81080c9 Address issues with properly revoking a user via these additional REVOKE statements 2016-01-06 09:22:55 -05:00
Nicki Watt 62c22a5f73 Updated AWS policy help messages 2015-12-30 19:41:07 +00:00
Nicki Watt cd4ca21b58 Allow use of pre-existing policies for AWS users 2015-12-30 18:05:54 +00:00
Jeff Mitchell 134b4d2a42 Built on GH-890 to add other types 2015-12-29 13:07:24 -05:00
Issac Goldstand fba756075a fix CA compatibility with OpenSSL 2015-12-29 18:52:43 +02:00
Jeff Mitchell f2da5b639f Migrate 'uuid' to 'go-uuid' to better fit HC naming convention 2015-12-16 12:56:20 -05:00
Jeff Mitchell dd445a53a5 Update key usage logic 
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
  Windows Crypto API and Go's validation logic

Fixes #846
 2015-12-14 14:23:51 -05:00
Jeff Mitchell 6ad1b75caf Merge branch 'master' into pki-csrs 2015-12-01 00:09:23 -05:00
Jeff Mitchell 64cd58463b Fix AWS tests 2015-12-01 00:05:04 -05:00
Jeff Mitchell 4eec9d69e8 Change allowed_base_domain to allowed_domains and allow_base_domain to 
allow_bare_domains, for comma-separated multi-domain support.
 2015-11-30 23:49:11 -05:00
Jeff Mitchell b6c49ddf01 Remove token display names from input options as there isn't a viable 
use-case for it at the moment
 2015-11-30 18:07:42 -05:00
Jeff Mitchell cf366bda9c Greatly simplify and fix the name validation function, as well as fully 
comment it.
 2015-11-23 14:15:32 -05:00
Jeff Mitchell 25e359084c Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up 2015-11-19 17:14:22 -05:00
Jeff Mitchell 0dbe15cb87 Mostly revert changes to certutil as the embedded struct stuff was being 
problematic.
 2015-11-19 14:18:39 -05:00
Jeff Mitchell af3d6ced8e Update validator function for URIs. Change example of entering a CA to a 
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
 2015-11-19 11:35:17 -05:00
Jeff Mitchell f41a2e562a fix tests 2015-11-19 10:13:28 -05:00
Jeff Mitchell a95228e4ee Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-19 09:51:18 -05:00
Jeff Mitchell 26c8cf874d Move public key comparison logic to its own function 2015-11-19 09:51:18 -05:00
Jeff Mitchell 4681d027c0 Move serial number generation and key validation into certutil; centralize format and key verification 2015-11-19 09:51:18 -05:00
Jeff Mitchell c6ba4f24bc Add URL validation 2015-11-19 09:51:18 -05:00
Jeff Mitchell b14050bebc Fix zero path length handling, and move common field defs elsewhere 2015-11-19 09:51:18 -05:00
Jeff Mitchell 8008451fb5 Fix logic around zero path length -- only restrict issuing intermediate CAs in this case 2015-11-19 09:51:18 -05:00
Jeff Mitchell c461652b40 Address some feedback from review 2015-11-19 09:51:18 -05:00
Jeff Mitchell ed62afec14 Large documentation updates, remove the pathlength path in favor of 
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
 2015-11-19 09:51:18 -05:00
Jeff Mitchell 5970cb76b6 Add path length paths and unit tests to verify same. 2015-11-19 09:51:18 -05:00
Jeff Mitchell ca844b1dc1 Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-11-19 09:51:18 -05:00
Jeff Mitchell 4cb10abcc0 Add tests for using raw CSR values 2015-11-19 09:51:18 -05:00
Jeff Mitchell 83975314c7 Change a few checks on names: 
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).

- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.

Also, fix a nil pointer issue.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell deb5131cd3 Add config/urls CRUD operations to get and set the URLs encoded into 
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell 779efbbbc3 Change use_csr_subject to use_csr_values; copy not only the subject, but 
also the alternate names and the extensions over as well.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell 76af733ee2 Remove setting serial number in the pkix Subject 2015-11-19 09:51:17 -05:00
Jeff Mitchell 54c5c232fd Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR 2015-11-19 09:51:17 -05:00
Jeff Mitchell 7c5a174493 Add capability to use the CSR's common name (by default for CA CSRs if 
no common_name parameter is given, role-controlled for non-CA CSRs).

Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
 2015-11-19 09:51:17 -05:00
Jeff Mitchell 54fccb2ff4 Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required. 2015-11-19 09:51:17 -05:00
Jeff Mitchell 4261e594af Address some minor PR feedback 2015-11-19 09:51:17 -05:00
Jeff Mitchell 69794c7078 Fix otto import of uuid 2015-11-19 09:51:17 -05:00
Jeff Mitchell f16d8b8cd2 Cleanup, and add ability to sign CA CSRs that aren't destined for Vault 2015-11-19 09:51:17 -05:00
Jeff Mitchell ea676ad4cc Add tests for intermediate signing and CRL, and fix a couple things 
Completes extra functionality.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell b2df079446 Add unit tests to test signing logic, fix up test logic for names 2015-11-19 09:51:17 -05:00
Jeff Mitchell fe7dbfaada Handle email address alternative names, fix up tests, fix up logic around name verification 2015-11-19 09:51:17 -05:00
Jeff Mitchell aa3d6dc85b Add allow_base_domain to control whether or not the actual base domain is allowed as a cert common name and/or DNS SAN 2015-11-19 09:51:17 -05:00
Jeff Mitchell 7d2730d370 Add email protection flag plumbing and tests; don't call generate bundle when making an intermediate CSR since everything is now ignored 2015-11-19 09:51:17 -05:00
Jeff Mitchell b3eb5c4957 Add sign method (untested) 2015-11-19 09:51:17 -05:00
Jeff Mitchell 6ea626e9ad Don't show field names when not needed 2015-11-19 09:51:17 -05:00
Jeff Mitchell 1cec03d9ca Implement CA cert/CSR generation. CA certs can be self-signed or 
generate an intermediate CSR, which can be signed.
 2015-11-19 09:51:17 -05:00
Kevin Pike 34dcbe176e rabbitmq secret backend 2015-11-18 21:21:52 -08:00
Jeff Mitchell 54d47957b5 Allow creating Consul management tokens 
Fixes #714
 2015-11-03 15:29:58 -05:00
Seth Vargo 658bc0634a Fix breaking API changes 2015-10-30 18:22:48 -04:00
Jeff Mitchell a0c5a24c79 Update Postgres tests and changelogify 2015-10-30 12:41:45 -04:00
Jeff Mitchell 2d8e3b35f2 Revoke permissions before dropping user in postgresql. 
Currently permissions are not revoked, which can lead revocation to not
actually work properly. This attempts to revoke all permissions and only
then drop the role.

Fixes issue #699
 2015-10-30 11:58:52 -04:00
Jeff Mitchell 528e859c4b Fix wording 2015-10-29 12:58:29 -04:00
Jeff Mitchell 22c65c0c07 Use cleanhttp instead of bare http.Client 2015-10-22 14:37:12 -04:00
Jeff Mitchell cba4e82682 Don't use http.DefaultClient 
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.

Fixes #700, I believe.
 2015-10-15 17:54:00 -04:00
Jeff Mitchell a9155ef85e Use split-out hashicorp/uuid 2015-10-12 14:07:12 -04:00
Vishal Nayak bf464b9a4b Merge pull request #661 from hashicorp/maxopenconns 
Parameterize max open connections in postgresql and mysql backends
 2015-10-03 16:55:20 -04:00
vishalnayak 8e7975edc8 Added ConnectionURL along with ConnectionString 2015-10-02 23:47:10 -04:00
Jeff Mitchell 645932a0df Remove use of os/user as it cannot be run with CGO disabled 2015-10-02 18:43:38 -07:00
vishalnayak 69b478fff1 fix struct tags 2015-10-02 14:13:27 -04:00
vishalnayak 1f12482995 Fix ConnectionString JSON value 2015-10-02 12:07:31 -04:00
vishalnayak 644a655920 mysql: made max_open_connections configurable 2015-10-01 21:15:56 -04:00
vishalnayak 2051101c43 postgresql: Configurable max open connections to the database 2015-10-01 20:11:24 -04:00
Jeff Mitchell af27a99bb7 Remove JWT for the 0.3 release; it needs a lot of rework. 2015-09-24 16:23:44 -04:00
Jeff Mitchell f10343921b Start rejigging JWT 2015-09-24 16:20:22 -04:00
Jeff Mitchell 29c722dbb6 Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values 2015-09-21 16:14:30 -04:00
Jeff Mitchell 3eb38d19ba Update transit backend documentation, and also return the min decryption 
value in a read operation on the key.
 2015-09-21 16:13:43 -04:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell 01ee6c4fe1 Move no_plaintext to two separate paths for datakey. 2015-09-18 14:41:05 -04:00
Jeff Mitchell 448249108c Add datakey generation to transit. 
Can specify 128 bits (defaults to 256) and control whether or not
plaintext is returned (default true).

Unit tests for all of the new functionality.
 2015-09-18 14:41:05 -04:00
Jeff Mitchell 61398f1b01 Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-18 14:41:05 -04:00
Jeff Mitchell 801e531364 Enhance transit backend: 
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
 2015-09-18 14:41:05 -04:00
Jeff Mitchell 104b29ab04 Rename View to StorageView to make it more distinct from SystemView 2015-09-15 13:50:37 -04:00
Lassi Pölönen 83d0ab73f5 Define time zone explicitly in postgresql connection string. 2015-09-14 13:43:06 +03:00