129328e842
MVP of working Nomad Secret Backend
2017-09-20 15:59:35 -05:00
1076cea5d1
Tests were not actually forcing the intermediate to have a longer TTL
...
because of mount max TTL constraint. This ups the mount max to force the
test to work as expected.
2017-09-14 22:49:04 -04:00
cb6ac1e926
Change behavior of TTL in sign-intermediate ( #3325 )
...
* Fix using wrong public key in sign-self-issued
* Change behavior of TTL in sign-intermediate
This allows signing CA certs with an expiration past the signer's
NotAfter.
It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.
Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
2017-09-13 11:42:45 -04:00
78b1dfd7bb
Handle errors from getRootConfig on aws logical backend ( #3294 )
2017-09-08 13:00:29 -04:00
7be6905eb0
Add a bit more delay to backend test in case Travis is loaded
2017-09-04 14:45:12 -04:00
abb2ab2918
Add pki/root/sign-self-issued. ( #3274 )
...
* Add pki/root/sign-self-issued.
This is useful for root CA rolling, and is also suitably dangerous.
Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.
* Add tests
2017-08-31 23:07:15 -04:00
d62937aaf3
Use TypeDurationSecond for TTL values in PKI. ( #3270 )
2017-08-31 15:46:13 -04:00
13901b1346
fix swallowed errors in pki package tests ( #3215 )
2017-08-29 13:15:36 -04:00
340fe4e609
Add permitted dns domains to pki ( #3164 )
2017-08-15 16:10:36 -04:00
e4eb6e9020
Make PKI root generation idempotent-ish and add delete endpoint. ( #3165 )
2017-08-15 14:00:40 -04:00
b023d46cb8
Direct plugin logs through vault's logger ( #3142 )
...
* Direct plugin logs through vault's logger
* Pass in a logger in testConfig
2017-08-15 10:16:48 -04:00
2e80e6488f
Bump database plugin protocol version
2017-08-08 17:01:38 -07:00
71ffa3429f
Handle dropped checkok pattern in mysql package ( #3082 )
2017-08-02 19:34:58 -04:00
77336f4ca2
adding warning for conflicting role and request parameters ( #3083 )
2017-08-02 10:02:40 -04:00
4885b3e502
Use RemoteCredProvider instead of EC2RoleProvider ( #2983 )
2017-07-31 18:27:16 -04:00
474f008b2d
Clean up plugin tests with CA info
2017-07-31 15:09:19 -04:00
1bfc6d4fe7
Add a -dev-three-node option for devs. ( #3081 )
2017-07-31 11:28:06 -04:00
3e8aecc7d5
Add BackendType to existing backends ( #3078 )
2017-07-28 14:04:46 -04:00
45fd7dad60
Add note about ed25519 hashing to docs and path help.
...
Fixes #3074
Closes #3076
2017-07-28 09:30:27 -04:00
d404dfc494
fixing recovery from x/golang/crypto panics
2017-07-27 21:00:31 -04:00
0a2ac3160d
Recover during a request forward.
...
gRPC doesn't have a handler for recovering from a panic like a normal
HTTP request so a panic will actually kill Vault's listener. This
basically copies the net/http logic for managing this.
The SSH-specific logic is removed here as the underlying issue is caused
by the request forwarding mechanism.
2017-07-27 11:44:56 -04:00
72ee5e573c
Handle dropped checkok pattern in postgresql package ( #3046 )
2017-07-26 12:28:02 -04:00
bb54e9c131
Backend plugin system ( #2874 )
...
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017 )
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
3f0b15826a
Fix swallowed errors in builtin ( #2977 )
2017-07-07 08:23:12 -04:00
873aacf23f
Don't panic in audit logs when reading transit keys. ( #2970 )
2017-07-05 11:25:10 -04:00
4d6ca4c884
DOCS: fix typo in ssh path help ( #2966 )
2017-07-04 13:59:34 -04:00
753b68fa1b
Port TestCluster changes from proxy branch
2017-07-03 14:54:01 -04:00
45c7bc718f
Add the option to specify a specific key id format that is generated … ( #2888 )
2017-06-29 04:05:06 +01:00
0957500abe
Ensure TOTP codes cannot be reused. ( #2908 )
2017-06-23 16:21:34 +01:00
be383217b6
If recovering from panic ensure the cert returned is nil
2017-06-16 18:18:15 -04:00
60d743a5b9
Go's SSH library can panic without warning; recover.
...
Ping #2877 -- but don't close yet in case there are more places.
2017-06-16 18:16:45 -04:00
d26a8ebf5e
add min_encryption_version to the transit key response ( #2838 )
2017-06-08 13:07:18 -05:00
fdf92aeba5
Add listing to database connections. ( #2827 )
...
Fixes #2823
2017-06-07 10:03:17 -04:00
a7fca34076
Add ability to specify encryption key version in `transit` ( #2821 )
2017-06-06 16:02:54 -04:00
606fe393be
Use the role name in the db username ( #2812 )
2017-06-06 09:49:49 -04:00
3eebd5cf5a
ed25519 support in transit ( #2778 )
2017-06-05 15:00:39 -04:00
f7df60b131
Allow accessing Warnings directly in Response. ( #2806 )
...
A change in copystructure has caused some panics due to the custom copy
function. I'm more nervous about production panics than I am about
keeping some bad code wiping out some existing warnings, so remove the
custom copy function and just allow direct setting of Warnings.
2017-06-05 10:52:43 -04:00
4693881fe9
Update some path-help in datakey
2017-05-23 10:04:32 -04:00
2557693aa3
Added host key call back for ssh config ( #2752 )
2017-05-21 20:16:13 -04:00
aa40d2cff6
add gofmt checks to Vault and format existing code ( #2745 )
2017-05-19 08:34:17 -04:00
90be96989a
logical/aws: Fix typo in warning message ( #2747 )
...
Signed-off-by: Steffen Prohaska <prohaska@zib.de>
2017-05-19 06:20:54 -04:00
533dbe5d4c
Update the error when no key can be found to a more clear error text ( #2720 )
2017-05-12 14:14:00 -04:00
1460c2fcc7
Add plugin level docs for what statements are supported and how they should be formatted
2017-05-11 11:59:58 -07:00
3874b63af3
Fix typos in error message ( #2692 )
2017-05-10 10:28:35 -04:00
d25aa9fc21
Don't write salts in initialization, look up on demand ( #2702 )
2017-05-09 17:51:09 -04:00
185ba8a1c3
Only run cassandra tests on Travis for right now
2017-05-09 08:36:20 -04:00
6f6f242061
Add logic to skip initialization in some cases and some invalidation logic
2017-05-05 15:01:52 -04:00
7dcec6e68f
Merge remote-tracking branch 'oss/master' into database-refactor
2017-05-04 12:40:00 -07:00
82b58d5b9c
Update docs and return a better error message
2017-05-04 11:45:27 -07:00
4c0e3c5d2f
Implemented TOTP Secret Backend ( #2492 )
...
* Initialized basic outline of TOTP backend using Postgresql backend as template
* Updated TOTP backend.go's structure and help string
* Updated TOTP path_roles.go's structure and help strings
* Updated TOTP path_role_create.go's structure and help strings
* Fixed typo in path_roles.go
* Fixed errors in path_role_create.go and path_roles.go
* Added TOTP secret backend information to cli commands
* Fixed build errors in path_roles.go and path_role_create.go
* Changed field values of period and digits from uint to int, added uint conversion of period when generating passwords
* Initialized TOTP test file based on structure of postgresql test file
* Added enforcement of input values
* Added otp library to vendor folder
* Added test steps and cleaned up errors
* Modified read credential test step, not working yet
* Use of vendored package not allowed - Test error
* Removed vendor files for TOTP library
* Revert "Removed vendor files for TOTP library"
This reverts commit fcd030994bc1741dbf490f3995944e091b11da61.
* Hopefully fixed vendor folder issue with TOTP Library
* Added additional tests for TOTP backend
* Cleaned up comments in TOTP backend_test.go
* Added default values of period, algorithm and digits to field schema
* Changed account_name and issuer fields to optional
* Removed MD5 as a hash algorithm option
* Implemented requested pull request changes
* Added ability to validate TOTP codes
* Added ability to have a key generated
* Added skew, qr size and key size parameters
* Reset vendor.json prior to merge
* Readded otp and barcode libraries to vendor.json
* Modified help strings for path_role_create.go
* Fixed test issue in testAccStepReadRole
* Cleaned up error formatting, variable names and path names. Also added some additional documentation
* Moveed barcode and url output to key creation function and did some additional cleanup based on requested changes
* Added ability to pass in TOTP urls
* Added additional tests for TOTP server functions
* Removed unused QRSize, URL and Generate members of keyEntry struct
* Removed unnecessary urlstring variable from pathKeyCreate
* Added website documentation for TOTP secret backend
* Added errors if generate is true and url or key is passed, removed logger from backend, and revised parameter documentation.
* Updated website documentation and added QR example
* Added exported variable and ability to disable QR generation, cleaned up error reporting, changed default skew value, updated documentation and added additional tests
* Updated API documentation to inlude to exported variable and qr size option
* Cleaned up return statements in path_code, added error handling while validating codes and clarified documentation for generate parameters in path_keys
2017-05-04 10:49:42 -07:00
5ee0d696d4
Merge remote-tracking branch 'oss/master' into database-refactor
2017-05-04 10:45:18 -07:00
29bfc0a0d4
PR comments
2017-05-04 10:41:59 -07:00
0875e78a13
Feedback from PR
2017-05-03 17:37:34 -07:00
cbcb8635a4
Update databse backend tests to use the APIClientMeta for the plugin conns
2017-05-03 16:34:09 -07:00
26cf09ab15
Minor comment update on cert_util
2017-05-03 16:13:54 -04:00
1c14d207b5
Merge pull request #2575 from hashicorp/pki-colons-to-hyphens
...
Change storage of PKI entries from colons to hyphens
2017-05-03 15:07:15 -04:00
e34a45fdcd
Minor readability enhancements for migration path from old to new
2017-05-03 14:58:22 -04:00
a00a7815f6
Include and use normalizeSerial func
2017-05-03 10:12:58 -04:00
7ae8f02f4b
Only wrap in tracing middleware if the logger is set to trace level
2017-05-02 17:19:49 -07:00
29d9b831d3
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process
2017-05-02 14:40:11 -07:00
2b7a66e23b
Use variables for string replacements on cert_util
2017-05-02 14:11:57 -04:00
c8bbea9f37
Rename NewPluginServer to just Serve
2017-05-02 02:00:39 -07:00
b3819c433b
Don't store an error response as a package variable
2017-05-01 15:30:56 -07:00
9a60ec9fda
Update interface name from Wrapper to a more descriptive RunnerUtil
2017-05-01 14:59:55 -07:00
403efeb5ae
Add globbing support to the PKI backend's allowed_domains list ( #2517 )
2017-05-01 10:40:18 -04:00
ff4cf41ebb
Add test for ca and crl case
2017-04-28 08:55:28 -04:00
8bb6c8caef
Return error message for failure to parse CSR ( #2657 )
2017-04-28 08:30:24 -04:00
802d030506
Refactor cert_util_test
2017-04-27 17:09:59 -04:00
b5990321bf
Verify update operation was performed on revokeCert
2017-04-27 12:30:44 -04:00
3b27a9c12c
Rename tests, use HandleRequest() for existing paths
2017-04-27 09:47:56 -04:00
53752c3002
Add check to ensure we don't overwrite existing connections
2017-04-26 16:43:42 -07:00
081101c7cf
Add an error check to reset a plugin if it is closed
2017-04-26 15:55:34 -07:00
d0cad5345a
Update to a RWMutex
2017-04-26 15:23:14 -07:00
628e5d594b
Add remaining tests
2017-04-26 16:05:58 -04:00
4782d9d2af
Update the error messages for renew and revoke
2017-04-26 10:29:16 -07:00
892812d67d
Change ttl types to TypeDurationSecond
2017-04-26 10:02:37 -07:00
d24757f2e0
Fix crl_util test
2017-04-26 09:58:34 -04:00
18ed2d6097
Tests for cert and crl util
2017-04-26 02:46:01 -04:00
e3e5f12f9e
Default deny when allowed roles is empty
2017-04-25 11:48:24 -07:00
207d01fd39
Update the connection details data and fix allowedRoles
2017-04-25 11:11:10 -07:00
eb0f831d6a
Rename path_role_create to path_creds_create
2017-04-25 10:39:17 -07:00
3d3e4eb5a4
Use TypeCommaStringSlice for allowed_roles
2017-04-25 10:26:23 -07:00
bed1c17b1e
Update logging to new structure
2017-04-25 10:24:19 -07:00
f25b367732
Don't uppercase ErrorResponses
2017-04-24 14:03:48 -07:00
378ae98809
s/DatabaseType/Database/
2017-04-24 13:59:12 -07:00
6f9d178370
Calls to builtin plugins now go directly to the implementation instead of go-plugin
2017-04-20 18:46:41 -07:00
af9ff63e9a
Merge remote-tracking branch 'oss/master' into database-refactor
2017-04-19 15:16:00 -07:00
847c86f788
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
2ee593c6ea
Mssql driver update ( #2610 )
...
* Switching driver from mssql to sqlserver
* Adding explicit database to sp_msloginmappings call
2017-04-18 17:49:59 -04:00
4995c69763
Update sign-verbatim to correctly set generate_lease ( #2593 )
2017-04-18 15:54:31 -04:00
0897da93f0
Parse and dedup but do not lowercase principals in SSH certs. ( #2591 )
2017-04-18 12:21:02 -04:00
822d86ad90
Change storage of entries from colons to hyphens and add a
...
lookup/migration path
Still TODO: tests on migration path
Fixes #2552
2017-04-18 11:14:23 -04:00
e8adc13826
Fix cassandra dep breakage
2017-04-17 11:51:42 -04:00
79fb8bdf69
Verify that a CSR specifies IP SANs before checking whether it's allowed ( #2574 )
2017-04-13 13:40:31 -04:00
883c80540a
Add allowed_roles parameter and checks
2017-04-13 10:33:34 -07:00
0cfe1ea81c
Cleanup path files
2017-04-12 17:35:02 -07:00
a9a05f5bba
Update Type() to return an error
2017-04-12 16:41:06 -07:00
8ccf10641b
Merge branch 'master' into database-refactor
2017-04-12 14:29:10 -07:00
128f25c13d
Update help text and comments
2017-04-11 11:50:34 -07:00
c85b7be22f
Remove unnecessary abstraction
2017-04-10 18:38:34 -07:00
8071aed758
Mlock the plugin process
2017-04-10 17:12:52 -07:00
f6ff3b1146
Add a flag to tell plugins to verify the connection was successful
2017-04-10 15:36:59 -07:00
db91a80540
Update plugin test
2017-04-10 14:12:28 -07:00
bbbd81220c
Update the interface for plugins removing functions for creating creds
2017-04-10 12:24:16 -07:00
459e3eda4e
Update backend tests
2017-04-10 10:35:16 -07:00
93136ea51e
Add backend test
2017-04-07 15:50:03 -07:00
2117dfd717
implement a no_store option for pki roles ( #2565 )
2017-04-07 11:25:47 -07:00
f805618a2c
Update SSH CA documentation
...
Fixes #2551
Fixes #2569
2017-04-07 11:59:25 -04:00
62d59e5f4e
Move plugin code into sub directory
2017-04-06 12:20:10 -07:00
ca2c3d0c53
Refactor to use builtin plugins from an external repo
2017-04-05 16:20:31 -07:00
2255884a4c
Do not mark conn as initialized until the end ( #2567 )
2017-04-04 14:26:59 -07:00
305ccd54f7
Don't return strings, always structs
2017-04-04 11:33:58 -07:00
9dd666c7e6
Database refactor invalidate ( #2566 )
...
* WIP on invalidate function
* cassandraConnectionProducer has Close()
* Delete database from connections map on successful db.Close()
* Move clear connection into its own func
* Use const for database config path
2017-04-04 11:32:42 -07:00
709389dd36
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
...
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
b506bd7790
On change of configuration rotate the database type
2017-04-03 18:30:38 -07:00
d7dd0ab35c
Merge branch 'database-refactor' of github.com:hashicorp/vault into database-refactor
2017-04-03 17:52:41 -07:00
e8781b6a2b
Plugin catalog
2017-04-03 17:52:29 -07:00
aa15a1d3a9
Database refactor mssql ( #2562 )
...
* WIP on mssql secret backend refactor
* Add RevokeUser test, and use sqlserver driver internally
* Remove debug statements
* Fix code comment
2017-04-03 09:59:30 -07:00
210fa77e3c
fix for plugin commands that have more than one paramater
2017-03-28 14:37:57 -07:00
50729a4528
Add comments to connection and credential producers
2017-03-28 13:08:11 -07:00
b09526e1c9
Cleanup the db factory code and add comments
2017-03-28 12:57:30 -07:00
6b877039e7
Update tests
2017-03-28 12:20:17 -07:00
c50a6ebc39
Add functionaility to build db objects from disk so restarts work
2017-03-28 11:30:45 -07:00
02b0230f19
Fix for checking types of database on update
2017-03-28 10:04:42 -07:00
494f963581
Wrap the database calls with tracing information
2017-03-27 15:17:28 -07:00
2799586f45
Remove the unused sync.Once object
2017-03-27 11:46:20 -07:00
29ae4602dc
More work on getting tests to pass
2017-03-23 15:54:15 -07:00
c0223d888e
Remove unsused code block
2017-03-22 17:09:39 -07:00
1068076703
s/postgres/mysql/
2017-03-22 16:44:33 -07:00
dac1bb210b
Add test files for postgres and mysql databases
2017-03-22 16:39:08 -07:00
ae9961b811
Add a error message for empty creation statement
2017-03-22 12:40:16 -07:00
c55bef85d3
Fix race with deleting the connection
2017-03-22 09:54:19 -07:00
85ef468d46
Add a delete method
2017-03-21 17:19:30 -07:00
83ff132705
Verify connections regardless of if this connections is already existing
2017-03-21 16:05:59 -07:00
003ef004c6
sshca: ensure atleast cert type is allowed ( #2508 )
2017-03-19 18:58:48 -04:00
a4e5e0f8c9
Comment and fix plugin Type function
2017-03-16 18:24:56 -07:00
417770a58f
Change the handshake config from the default
2017-03-16 17:51:25 -07:00
2873825848
Add a secure config to verify the checksum of the plugin
2017-03-16 16:20:18 -07:00
f2df4ef0e7
Comment and slight refactor of the TLS plugin helper
2017-03-16 14:14:49 -07:00
0a52ea5c69
Break tls code into helper library
2017-03-16 11:55:21 -07:00
24886c1006
Ensure CN check is made when exclude_cn_from_sans is used
...
Fixes #2363
2017-03-16 11:41:13 -04:00
ae8967d635
Always include a hash of the public key and "vault" (to know where it ( #2498 )
...
came from) when generating a cert for SSH.
Follow on from #2494
2017-03-16 11:14:17 -04:00
95df7beed9
Adding allow_user_key_ids field to SSH role config ( #2494 )
...
Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name. Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.
2017-03-16 08:45:11 -04:00
eb6117cbb2
Work on TLS communication over plugins
2017-03-15 17:14:48 -07:00
12e5132779
Allow roles to specify whether CSR SANs should be used instead of ( #2489 )
...
request values. Fix up some documentation.
Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
7ab6844eb4
Set CA chain when intermediate does not have an authority key ID.
...
This is essentially an approved review of the code provided in #2465 .
Fixes #2465
2017-03-15 11:52:02 -04:00
3ecb344878
wrap plugin database type with metrics middleware
2017-03-14 13:12:47 -07:00
822a3eb20a
Add a metrics middleware
2017-03-14 13:11:28 -07:00
662b372364
Reads on unconfigured SSH CA public key return 400
2017-03-14 10:21:48 -04:00
7d59d7d3ac
Reads on ssh/config/ca return the public keys
...
If configured/generated.
2017-03-14 10:21:48 -04:00
830de2dbbd
If generating an SSH CA signing key - return the public part
...
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
2017-03-14 10:21:48 -04:00
2054fff890
Add a way to initalize plugins and builtin databases the same way.
2017-03-13 14:39:55 -07:00
71b81aad23
Add checksum attribute
2017-03-10 14:10:42 -08:00
a11911d4d4
Rename reset to close
2017-03-09 22:35:45 -08:00
fda45f531d
Add special path to enforce root on plugin configuration
2017-03-09 21:31:29 -08:00
748c70cfb4
Add plugin file
2017-03-09 17:43:58 -08:00
9099231229
Add plugin features
2017-03-09 17:43:37 -08:00
220beb2cde
doc: ssh allowed_users update ( #2462 )
...
* doc: ssh allowed_users update
* added some more context in default_user field
2017-03-09 10:34:55 -05:00
f085cd71ab
Fix typo
2017-03-08 17:49:39 -05:00
b7128f8370
Update secrets fields
2017-03-08 14:46:53 -08:00
766c2e6ee0
SSH CA enhancements ( #2442 )
...
* Use constants for storage paths
* Upgrade path for public key storage
* Fix calculateValidPrincipals, upgrade ca_private_key, and other changes
* Remove a print statement
* Added tests for upgrade case
* Make exporting consistent in creation bundle
* unexporting and constants
* Move keys into a struct instead of plain string
* minor changes
2017-03-08 17:36:21 -05:00
2fb6bf9882
Fix renew and revoke calls
2017-03-07 17:21:44 -08:00
b7c3b4b0d7
Add defaults to the cassandra databse type
2017-03-07 17:00:52 -08:00
3976a2a0a6
Pass statements object
2017-03-07 16:48:17 -08:00
843d584254
Remove unused sql object
2017-03-07 15:34:23 -08:00
919155ab12
Remove double lock
2017-03-07 15:33:05 -08:00
c959882b93
Update locking functionaility
2017-03-07 13:48:29 -08:00
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
bc53e119ca
rename mysql variable
2017-03-03 15:07:41 -08:00
bba832e6bf
Make db instances immutable and add a reset path to tear down and create a new database instance with an updated config
2017-03-03 14:38:49 -08:00
29e07ac9e8
Fix mysql connections
2017-03-03 14:38:49 -08:00
24ddea9954
Add mysql into the factory
2017-03-03 14:38:48 -08:00
8e8f260d96
Add max connection lifetime param and set consistancy on cassandra session
2017-03-03 14:38:48 -08:00
1f009518cd
s/Statement/Statements/
2017-03-03 14:38:48 -08:00
46aa7142c1
Add mysql database type
2017-03-03 14:38:48 -08:00
2ec5ab5616
More work on refactor and cassandra database
2017-03-03 14:38:48 -08:00
acdcd79af3
Begin work on database refactor
2017-03-03 14:38:48 -08:00
4b81bcb379
ssh: Added DeleteOperation to config/ca ( #2434 )
...
* ssh: Added DeleteOperation to config/ca
* Address review feedback
2017-03-03 10:19:45 -05:00
55e69277ce
Update SSH CA logic/tests
2017-03-02 16:39:22 -05:00
a1331278ff
Refactor the generate_signing_key processing ( #2430 )
2017-03-02 16:22:06 -05:00
fa474924aa
Update error text to make it more obvious what the issue is when valid principals aren't found
2017-03-02 15:56:08 -05:00
eca68d5913
Fix a bunch of errors from returning 5xx, and parse more duration types
2017-03-02 15:38:34 -05:00
70bfdb5ae9
Changes from code review
2017-03-02 14:36:13 -05:00
36b3d89604
Allow internal generation of the signing SSH key pair
2017-03-02 14:36:13 -05:00
3795d2ea64
Rework ssh ca ( #2419 )
...
* docs: input format for default_critical_options and default_extensions
* s/sshca/ssh
* Added default_critical_options and default_extensions to the read endpoint of role
* Change default time return value to 0
2017-03-01 15:50:23 -05:00
9f75f84175
Changes from code review
...
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
2017-03-01 15:19:18 -05:00
ff1ff02bd7
Changes from code review
...
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
2017-03-01 15:19:18 -05:00
099d561b20
Add ability to create SSH certificates
2017-03-01 15:19:18 -05:00
2e911fc650
Fix broken build caused due to resolve merge conflicts
2017-02-24 12:41:20 -05:00
c6f138bb9a
PKI: Role switch to control lease generation ( #2403 )
...
* pki: Make generation of leases optional
* pki: add tests for upgrading generate_lease
* pki: add tests for leased and non-leased certs
* docs++ pki generate_lease
* Generate lease is applicable for both issuing and signing
* pki: fix tests
* Address review feedback
* Address review feedback
2017-02-24 12:12:40 -05:00
01f3056b8b
pki: Include private_key_type on DER-formatted responses from /pki/issue/ ( #2405 )
2017-02-24 11:17:59 -05:00
c81582fea0
More porting from rep ( #2388 )
...
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
0c39b613c8
Port some replication bits to OSS ( #2386 )
2017-02-16 15:15:02 -05:00
c96fe56d44
Fix copypasta, thanks tests
2017-02-16 01:32:39 -05:00
817bec0955
Add Organization support to PKI backend. ( #2380 )
...
Fixes #2369
2017-02-16 01:04:29 -05:00
7f2717b74a
transit: change batch input format ( #2331 )
...
* transit: change batch input format
* transit: no json-in-json for batch response
* docs: transit: update batch input format
* transit: fix tests after changing response format
2017-02-06 14:56:16 -05:00
5fb28f53cb
Transit: Support batch encryption and decryption ( #2143 )
...
* Transit: Support batch encryption
* Address review feedback
* Make the normal flow go through as a batch request
* Transit: Error out if encryption fails during batch processing
* Transit: Infer the 'derived' parameter based on 'context' being set
* Transit: Batch encryption doc updates
* Transit: Return a JSON string instead of []byte
* Transit: Add batch encryption tests
* Remove plaintext empty check
* Added tests for batch encryption, more coming..
* Added more batch encryption tests
* Check for base64 decoding of plaintext before encrypting
* Transit: Support batch decryption
* Transit: Added tests for batch decryption
* Transit: Doc update for batch decryption
* Transit: Sync the path-help and website docs for decrypt endpoint
* Add batch processing for rewrap
* transit: input validation for context
* transit: add rewrap batch option to docs
* Remove unnecessary variables from test
* transit: Added tests for rewrap use cases
* Address review feedback
* Address review feedback
* Address review feedback
* transit: move input checking out of critical path
* transit: allow empty plaintexts for batch encryption
* transit: use common structs for batch processing
* transit: avoid duplicate creation of structs; add omitempty to response structs
* transit: address review feedback
* transit: fix tests
* address review feedback
* transit: fix tests
* transit: rewrap encrypt user error should not error out
* transit: error out for internal errors
2017-02-02 14:24:20 -05:00
47274eca88
Add cleanup functions to multiple DB backends. ( #2313 )
...
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
f1a5a858d3
Make export errors a bit more meaningful
2017-01-30 09:25:50 -05:00
2e15dc93df
Have transit exporting return the same structure regardless of one key or many
2017-01-28 10:37:35 -05:00
e788780709
Migrate cassandra test from acceptance to dockertest ( #2295 )
2017-01-25 15:37:55 -05:00
f43a041bf2
Revert "Disable PKI OU tests to fix the build"
...
This reverts commit b1ab7c5603180af9073caab1b3022ca438dc12be.
2017-01-24 09:58:28 -05:00
c8b6ab7223
Disable PKI OU tests to fix the build
2017-01-24 06:25:56 -05:00
98df700495
allow roles to set OU value in certificates issued by the pki backend ( #2251 )
2017-01-23 12:44:45 -05:00
7568a212b1
Adding support for exportable transit keys ( #2133 )
2017-01-23 11:04:43 -05:00
fa7d61baa3
Merge pull request #2202 from fcantournet/fix_govet_fatalf
...
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
cb8bbc4fbd
Transit key actions ( #2254 )
...
* add supports_* for transit key reads
* update transit docs with new supports_* fields
2017-01-11 10:05:06 -06:00
78dacc154a
sign-verbatim should set use_csr_common_name to true ( #2243 )
2017-01-10 09:47:59 -05:00
80dc5819d3
Use dockertest.v2 ( #2247 )
...
New dockertest has a totally different API and will require some serious
refactoring. This will tide over until then by pinning the API version.
2017-01-09 13:46:54 -05:00
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
1816446f46
Address review feedback
2016-12-20 11:19:47 -05:00
b3e323bbcc
pki: Avoiding a storage read
2016-12-20 11:07:20 -05:00
2e23f1a992
pki: Appended error to error message
2016-12-19 10:49:32 -05:00
ba1cc709bd
PKI: Added error to the error message
2016-12-19 10:47:29 -05:00
bb54bd40f6
normalize some capitlization in error messages
2016-12-15 19:02:33 -05:00
6ee61af87f
Fix nil value panic when Consul returns a user error ( #2145 )
2016-12-01 10:22:32 -08:00
ba3dc07bb3
Fix typo and remove trailing whitespace. ( #2074 )
2016-11-08 09:32:23 -05:00
26fa2655b1
Add listing to Consul secret roles ( #2065 )
2016-11-04 12:35:16 -04:00
dc93e57cf1
Return the revocation_sql from role read all the time
2016-10-27 12:24:31 -04:00
e0fb8c17ce
Added revocation_sql to the website docs
2016-10-27 12:15:08 -04:00
c14a6c8666
Move policy test to keysutil package
2016-10-26 19:57:28 -04:00
6d1e1a3ba5
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 19:52:31 -04:00
931c96d1ba
ssh: Use temporary file to store the identity file
2016-10-18 12:50:12 -04:00
4b6e82afcb
Add ability to list keys in transit backend ( #1987 )
2016-10-18 10:13:01 -04:00
5ce9737eb4
address feedback
2016-10-10 12:16:55 -04:00
e5a7e3d6cb
initial commit to fix empty consistency option issue
2016-10-08 20:22:26 -04:00
70a9fc47b4
Don't use quoted identifier for the username
2016-10-05 14:31:19 -04:00
7f9a88d8db
Postgres revocation sql, beta mode ( #1972 )
2016-10-05 13:52:59 -04:00
de5dec6b15
Refactor mysql's revoke SQL
2016-10-04 19:30:25 -04:00
1ab7023483
Merge pull request #1914 from jpweber/mysql-revoke
...
Mysql revoke with non-wildcard hosts
2016-10-04 17:44:15 -04:00
87f206b536
removed an unused ok variable. Added warning and force use for default queries if role is nil
2016-10-04 17:15:29 -04:00
cc38f3253a
fixed an incorrect assignment
2016-10-03 21:51:40 -04:00
ac78ddc178
More resilient around cases of missing role names and using the default when needed.
2016-10-03 20:20:00 -04:00
0a7f1089ca
Refactored logic some to make sure we can always fall back to default revoke statments
...
Changed rolename to role
made default sql revoke statments a const
2016-10-03 15:59:56 -04:00
704fccaf2e
fixed some more issues I had with the tests.
2016-10-03 15:58:09 -04:00
a2d6624a69
renamed rolname to role
2016-10-03 15:57:47 -04:00
bfb0c2d3ff
Reduced duplicated code and fixed comments and simple variable name mistakes
2016-10-03 14:53:05 -04:00
bb70ecc5a7
Added test for revoking mysql user with wild card host and non-wildcard host
2016-10-02 22:28:54 -04:00
dbb00534d9
saving role name to the Secret Internal data. Default revoke query added
...
The rolename is now saved to the secret internal data for fetching
later during the user revocation process. No longer deriving the role
name from request path
Added support for default revoke SQL statements that will provide the
same functionality as before. If not revoke SQL statements are provided
the default statements are used.
Cleaned up personal ignores from the .gitignore file
2016-10-02 18:53:16 -04:00
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
010293ccc3
Merge pull request #1931 from hashicorp/cass-consistency
...
Adding consistency into cassandra
2016-09-27 21:12:02 -04:00
d235acf809
Adding support for chained intermediate CAs in pki backend ( #1694 )
2016-09-27 17:50:17 -07:00
5ac43873c4
minor updates
2016-09-27 20:35:11 -04:00
e14fe05c13
added parsing at role creation
2016-09-27 16:01:51 -04:00
4938aa56bf
initial commit for consistency added into cassandra
2016-09-27 13:25:18 -04:00
b1ee56a15b
Merge pull request #1910 from hashicorp/secret-id-cidr-list
...
CIDR restrictions on Secret ID
2016-09-26 10:22:48 -04:00
e0ea497cfe
Getting role name from the creds path used in revocation
2016-09-23 16:57:08 -04:00
8709406eb3
secretCredsRevoke command no longer uses hardcoded query
...
The removal of a user from the db is now handled similar to the
creation. The SQL is read out of a key from the role and then executed
with values substituted for username.
2016-09-23 16:05:49 -04:00
1bed6bfc2c
Added support for a revokeSQL key value pair to the role
2016-09-23 16:00:23 -04:00
6bf871995b
Don't use time.Time in responses. ( #1912 )
...
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
c26754000b
Fix ssh tests
2016-09-22 11:37:55 -04:00
93604e1e2e
Added cidrutil helper
2016-09-21 13:58:32 -04:00
676e7e0f07
Ensure upgrades have a valid HMAC key
2016-09-21 11:10:57 -04:00
0ff76e16d2
Transit and audit enhancements
2016-09-21 10:49:26 -04:00
5c241d31e7
Renaming ttl_max -> max_ttl in mssql backend ( #1905 )
2016-09-20 12:39:02 -04:00
897d3c6d2c
Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop.
2016-09-16 11:05:43 -04:00
197c7eae5f
Allow encrypting empty ciphertext values. ( #1881 )
...
Replaces #1874
2016-09-13 12:00:04 -04:00
b599948e1c
Use uuid.GenerateRandomBytes
2016-09-09 14:17:09 -04:00
127f61473b
Not exposing structs from the backend's package
2016-09-01 11:57:28 -04:00
1db0544b7a
Use unexported kdf const names
2016-08-31 07:19:58 -04:00
d2239d22d9
Use hkdf for transit key derivation for new keys ( #1812 )
...
Use hkdf for transit key derivation for new keys
2016-08-30 16:29:09 -04:00
9dbc97028b
STS path field description update
2016-08-30 10:53:21 -04:00
0b07ec7303
Added UpdateOperation to logical AWS STS path
2016-08-30 10:30:13 -04:00
cdd1d96a64
Merge pull request #1804 from hashicorp/issue-1800
...
Mark STS secrets as non-renwable
2016-08-29 11:46:19 -04:00
8612b6139e
Fixes #1801 Reuse Cassandra session object for create creds ( #1802 )
2016-08-28 17:32:41 -04:00
f0537572a8
Mark STS secrets as non-renwable
...
Ping #1800
2016-08-28 14:27:56 -04:00
0b113f7916
Derive nonce fully in convergent mode ( #1796 )
...
Ping #1794
2016-08-26 17:01:56 -04:00
2f5876dfe9
Use key derivation for convergent nonce. ( #1794 )
...
Use key derivation for convergent nonce.
Fixes #1792
2016-08-26 14:11:03 -04:00
28739f3528
Decode secret internal data into struct and fix type assertion. ( #1781 )
2016-08-24 15:04:04 -04:00
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
2860dcc60f
gofmt
2016-08-19 16:48:32 -04:00
86874def5c
Parameter change
...
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
2016-08-14 21:43:57 -04:00
39cfd116b6
Cleanup
2016-08-13 11:52:09 -04:00
1b8711e7b7
Ensure utc value is not zero before adding
2016-08-13 11:50:57 -04:00
d6d08250ff
Ensure values to be encoded in a CRL are in UTC. This aligns with the
...
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.
Fixes #1727
2016-08-13 08:40:09 -04:00
b69ed7ea93
Fix build
2016-08-08 17:00:59 -04:00
7f6c58b807
Address review feedback
2016-08-08 16:30:48 -04:00
606ba64e23
Remove context-as-nonce, add docs, and properly support datakey
2016-08-07 15:53:40 -04:00
1976bc0534
Add unit tests for convergence in non-context mode
2016-08-07 15:16:36 -04:00
8b1d47037e
Refactor convergent encryption to make specifying a nonce in addition to context possible
2016-08-05 17:52:44 -04:00
0b73c2ff9a
Fix PKI logical backend email alt_names
2016-08-04 12:10:34 +02:00
58e9cbbfc6
Add postgres test for block statements
2016-08-03 15:34:50 -04:00
9e204bd88c
Add arbitrary string slice parsing.
...
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.
Fixes #1619 in theory.
2016-08-03 14:24:16 -04:00
cff7aada7a
Fix invalid input getting marked as internal error
2016-07-28 16:23:11 -04:00
e0c5f5f5fa
Add convergence tests to transit backend
2016-07-28 11:30:52 -04:00
559b0a5006
Merge pull request #1635 from hashicorp/mysql-idle-conns
...
Added maximum idle connections to mysql to close hashicorp/vault#1616
2016-07-20 15:31:37 -04:00
b558c35943
Set defaults to handle upgrade cases.
...
Ping #1604
2016-07-20 14:07:19 -04:00
f2b6569b0b
Merge pull request #1604 from memory/mysql-displayname-2
...
concat role name and token displayname to form mysql username
2016-07-20 14:02:17 -04:00
ea294f1d27
use both role name and token display name to form mysql username
2016-07-20 10:17:00 -07:00
e6bf4fa489
whitespace error corrected
2016-07-20 12:00:05 -04:00
0483457ad2
respond to feedback from @vishalnayak
...
- split out usernameLength and displaynameLength truncation values,
as they are different things
- fetch username and displayname lengths from the role, not from
the request parameters
- add appropriate defaults for username and displayname lengths
2016-07-20 06:36:51 -07:00
7cdb8a28bc
max_idle_connections added
2016-07-20 09:26:26 -04:00
03c7eb7d18
initial commit before rebase to stay current with master
2016-07-19 14:18:37 -04:00
30ca541f99
Merge pull request #1414 from mhurne/mongodb-secret-backend
...
Add mongodb secret backend
2016-07-19 13:56:15 -04:00
3334b22993
Some minor linting
2016-07-19 13:54:18 -04:00
0f9ee8fbed
Merge branch 'master' into mongodb-secret-backend
2016-07-19 12:47:58 -04:00
072c5bc915
mongodb secret backend: Remove redundant type declarations
2016-07-19 12:35:14 -04:00
c7d42cb112
mongodb secret backend: Fix broken tests, clean up unused parameters
2016-07-19 12:26:23 -04:00
fbb04349b5
Merge pull request #1629 from hashicorp/remove-verify-connection
...
Remove unused VerifyConnection from storage entries of SQL backends
2016-07-19 12:21:23 -04:00
8a1bb1626a
Merge pull request #1583 from hashicorp/ssh-allowed-roles
...
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-19 12:04:12 -04:00
7fb04a1bbd
Remove unused VerifyConnection from storage entries of SQL backends
2016-07-19 11:55:49 -04:00
316837857b
mongodb secret backend: Return lease ttl and max_ttl in lease read in seconds rather than as duration strings
2016-07-19 11:23:56 -04:00
f18d98272d
mongodb secret backend: Don't bother persisting verify_connection field in connection config
2016-07-19 11:20:45 -04:00
f8e6bcbb69
mongodb secret backend: Handle cases where stored username or db is not a string as expected when revoking credentials
2016-07-19 11:18:00 -04:00
75a5fbd8fe
Merge branch 'master' into mongodb-secret-backend
2016-07-19 10:38:45 -04:00
434ed2faf2
Merge pull request #1573 from mickhansen/logical-postgresql-revoke-sequences
...
handle revocations for roles that have privileges on sequences
2016-07-18 13:30:42 -04:00
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
cdf58da43b
Merge pull request #1610 from hashicorp/min-tls-ver-12
...
Set minimum TLS version in all tls.Config objects
2016-07-13 10:53:14 -06:00
09a4142fd3
Handled upgrade path for TLSMinVersion
2016-07-13 12:42:51 -04:00
9f1e6c7b26
Merge pull request #1607 from hashicorp/standardize-time
...
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
de19314f18
Address review feedback
2016-07-13 11:52:26 -04:00
407722a9b4
Added tls_min_version to consul storage backend
2016-07-12 20:10:54 -04:00
314a5ecec0
allow overriding the default truncation length for mysql usernames
...
see https://github.com/hashicorp/vault/issues/1605
2016-07-12 17:05:43 -07:00
f34f0ef503
Make 'tls_min_version' configurable
2016-07-12 19:32:47 -04:00
46d34130ac
Set minimum TLS version in all tls.Config objects
2016-07-12 17:06:28 -04:00
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
57cdb58374
Switch to pester from go-retryablehttp to avoid swallowing 500 error messages
2016-07-11 21:37:46 +00:00
9ee4542a7c
incorporate code style guidelines
2016-07-11 13:35:35 +02:00
c25788e1d4
handle revocations for roles that have privileges on sequences
2016-07-11 13:16:45 +02:00
2cf4490b37
use role name rather than token displayname in generated mysql usernames
...
If a single token generates multiple myself roles, the generated mysql
username was previously prepended with the displayname of the vault
user; this makes the output of `show processlist` in mysql potentially
difficult to correlate with the roles actually in use without cross-
checking against the vault audit log.
See https://github.com/hashicorp/vault/pull/1603 for further discussion.
2016-07-10 15:57:47 -07:00
6505e85dae
mongodb secret backend: Improve safety of MongoDB roles storage
2016-07-09 21:12:42 -04:00
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
bb8a45eb8b
Format code in mongodb secret backend
2016-07-07 23:16:11 -04:00
8d5a7992c1
mongodb secret backend: Improve and correct errors in documentation; improve "parameter is required" error response messages
2016-07-07 23:09:45 -04:00
eee6f04e40
mongodb secret backend: Refactor to eliminate unnecessary variable
2016-07-07 22:29:17 -04:00
ce845df43c
mongodb secret backend: Consider a "user not found" response a success when removing a user from Mongo
2016-07-07 22:27:47 -04:00
138d74f745
mongodb secret backend: Improve roles path help
2016-07-07 22:16:34 -04:00
7f9d91acb6
mongodb secret backend: Remove default value for Mongo authentication DB for roles; validate that role name and authentication db were specified when creating a role
2016-07-07 22:09:00 -04:00
de84cdabe6
mongodb secret backend: Leverage framework.TypeDurationSecond to simplify storage of lease ttl and max_ttl
2016-07-07 21:48:44 -04:00
6d7c9f5424
mongodb secret backend: Verify existing Session is still working before reusing it
2016-07-07 21:37:44 -04:00
db3670c353
Fix transit tests
2016-07-06 22:04:08 -04:00
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
5367a7223d
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-05 11:14:29 -04:00
769d20c770
Merge branch 'master' into mongodb-secret-backend
2016-07-05 09:33:12 -04:00
ba9c97b915
mongodb secret backend: Add support for reading connection configuration; Dockerize tests
2016-07-05 09:32:38 -04:00
2e828383e0
Move the parameter down to where the statement is executed.
2016-07-03 16:20:27 -07:00
08fb1a30d4
Use `lib/pq`'s `QuoteIdentifier()` on all identifiers and Prepare
...
for all literals.
2016-07-03 16:01:39 -07:00
292c2fad69
Merge branch 'master' into mongodb-secret-backend
2016-07-01 20:39:13 -04:00
4a8d9eb942
Shave off a lot of PKI testing time by not requiring key generation when testing CSRs. Also enable all tests all the time.
2016-07-01 17:28:48 -04:00
369dcff5f9
Merge pull request #1581 from mp911de/cassandra_connect_timeout
...
Support connect_timeout for Cassandra and align timeout.
2016-07-01 22:33:24 +02:00
ab63c938c4
Address review feedback.
...
Switch ConnectTimeout to framework.TypeDurationSecond with a default of 5. Remove own parsing code.
2016-07-01 22:26:08 +02:00
3859f7938a
Support connect_timeout for Cassandra and align timeout.
...
The cassandra backend now supports a configurable connect timeout. The timeout is configured using the connect_timeout parameter in the session configuration. Also align the timeout to 5 seconds which is the default for the Python and Java drivers.
Fixes #1538
2016-07-01 21:22:37 +02:00
db211a4b61
Migrate Consul acceptance tests to Docker
2016-07-01 13:59:56 -04:00
cdde4071d7
mongodb secret backend: Parse ssl URI option as a boolean rather than relying on string comparison
2016-07-01 13:55:06 -04:00
a2e95614d6
Have SQL backends Ping() before access.
...
If unsuccessful, reestablish connections as needed.
2016-07-01 12:02:17 -04:00
e50e331ffc
Always run transit acceptance tests
2016-07-01 11:45:56 -04:00
8d984c111d
Convert MySQL tests to Dockerized versions
2016-07-01 11:36:28 -04:00
46bf080409
mongodb secret backend: Refactor URI parsing logic to leverage url.Parse
2016-07-01 09:12:26 -04:00
6f05d6f21f
mongodb secret backend: Prefix all generated usernames with "vault-", and cleanly handle empty display names when generating usernames
2016-06-30 21:11:45 -04:00
acf4b0b637
Merge branch 'master' into mongodb-secret-backend
2016-06-30 16:43:53 -04:00
8da8881825
Add comment around bind to localhost
2016-06-30 13:49:11 -04:00
22e83ae7f5
Dockerize Postgres secret backend acceptance tests
...
Additionally enable them on all unit test runs.
2016-06-30 13:46:39 -04:00
619ddc38b7
Use TRACE not WARN here
2016-06-30 12:41:56 -04:00
7879812f76
Persist verify_connection field in mongodb secret backend's connection config
2016-06-30 11:39:02 -04:00
350b69670c
Rename mongodb secret backend's 'ttl_max' lease configuration field to 'max_ttl'
2016-06-30 09:57:43 -04:00
05cc4f2761
Merge branch 'master' into mongodb-secret-backend
2016-06-30 09:02:30 -04:00
16d4f79c71
Fix test
2016-06-30 08:21:00 -04:00
5df2dd30c5
Change warn to trace for these messages
2016-06-29 21:04:02 -04:00
cf178d3c9e
Merge remote-tracking branch 'oss/master' into postgres-pl-lock
2016-06-29 17:40:34 -04:00
934e60c3c9
Add stmt close calls
2016-06-29 17:39:47 -04:00
a56f79adcb
Run prepare on the transaction, not the db
2016-06-29 17:20:41 -04:00
5e8c912048
Add mongodb secret backend
2016-06-29 08:33:06 -04:00
11c205e19b
removed option to create 1024 keybitlength certs
2016-06-28 16:56:14 -04:00
43df682365
Add more debug output
2016-06-28 11:03:56 -04:00
0802497c8a
Add some logging to enter/exit of some functions
2016-06-24 16:11:22 -04:00
9dc0599a30
Address review feedback
2016-06-23 10:18:03 -04:00
d7029fc49a
Add some more testing
2016-06-23 09:49:03 -04:00
45a442e593
Set some basic key usages by default.
...
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.
Fixes #1476
2016-06-22 16:08:24 -04:00
407373df5d
Revert "Use x509 package ext key usage instead of custom type"
...
This reverts commit 0b2d8ff475a26ff98c37337a64859d150d62cfc1.
2016-06-22 13:07:31 -04:00
c0dee06aab
Use x509 package ext key usage instead of custom type
2016-06-22 11:51:32 -04:00
62f66dc4d8
Do some internal renaming in PKI
2016-06-22 11:39:57 -04:00
d47fc4c4ad
Merge pull request #1515 from hashicorp/sql-config-reading
...
Allow reading of config in sql backends
2016-06-21 10:07:34 -04:00
389581f47b
Added warnings when configuring connection info in sql backends
2016-06-21 09:58:57 -04:00
711c05a319
Merge pull request #1546 from hashicorp/secret-aws-roles
...
Added list functionality to logical aws backend's roles
2016-06-20 20:10:24 -04:00
1976c9e75b
Added test case for listing aws secret backend roles
2016-06-20 20:09:31 -04:00
8b490e44a1
Added list functionality to logical aws backend's roles
2016-06-20 19:51:04 -04:00
69d562c5db
Merge pull request #1514 from hashicorp/backend-return-objects
...
Backend() functions should return 'backend' objects.
2016-06-20 19:30:00 -04:00
2e7704ea7e
Add convergent encryption option to transit.
...
Fixes #1537
2016-06-20 13:17:48 -04:00
cf15354e44
Address review feedback
2016-06-17 10:11:39 -04:00
1776ff449f
Allow reading of config in sql backends
2016-06-11 11:48:40 -04:00
0760a89eb4
Backend() functions should return 'backend' objects.
...
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
5ccb4fe907
Merge pull request #1498 from hashicorp/pki-list
...
PKI List Functionality
2016-06-08 15:42:50 -04:00
f9c3afcc21
Fix broken test
2016-06-08 13:00:19 -04:00
6c4234eae6
Minor changes to the RabbitMQ acceptance tests
2016-06-08 12:50:43 -04:00
3795b65d19
Updates to the test based on feedback.
2016-06-08 16:49:10 +00:00
2f2a80e2be
Add PKI listing
2016-06-08 11:50:59 -04:00
94cd00f32a
Add an explicit default for TTLs for rabbit creds
2016-06-08 11:35:09 -04:00
86d697884b
Fix some typos in rmq text and structure
2016-06-08 11:31:57 -04:00
1b7da070ae
Added pooled transport for rmq client. Added tests
2016-06-08 10:46:46 -04:00
95f3726f1c
Migrate to go-uuid
2016-06-08 10:36:16 -04:00
5a3dd98d06
Polish the code
2016-06-08 10:25:03 -04:00
ab543414f6
Merge pull request #788 from doubledutch/master
...
RabbitMQ Secret Backend
2016-06-08 10:02:24 -04:00
8f437d6142
Make logical.InmemStorage a wrapper around physical.InmemBackend.
...
This:
* Allows removing LockingInmemStorage since the physical backend already
locks properly
* Makes listing work properly by adhering to expected semantics of only
listing up to the next prefix separator
* Reduces duplicated code
2016-06-06 12:03:08 -04:00
50c011e79f
Use backend function instead of separate backend creation in consul
2016-06-03 10:08:58 -04:00
86d2c796b0
Change AWS/SSH to reuse backend creation code for test functions
2016-06-01 12:17:47 -04:00
3c5fb471a4
Merge pull request #1445 from hashicorp/consul-fixups
...
Reading consul access configuration in the consul secret backend.
2016-06-01 12:11:12 -04:00
99c1e071f3
Remove most Root paths
2016-05-31 23:42:54 +00:00
eefd9acbf0
Set config access test case as an acceptance test and make travis happy
2016-05-31 13:27:34 -04:00
f64987a6cf
Add tests around writing and reading consul access configuration
2016-05-31 13:27:34 -04:00
036e7fa63e
Add reading to consul config, and some better error handling.
2016-05-31 13:27:34 -04:00
Nicolas Corrarello