Armon Dadgar
0be3d419c8
secret/transit: address PR feedback
2015-07-05 19:58:31 -06:00
Armon Dadgar
8293457633
secret/transit: use base64 for context to allow binary
2015-07-05 14:37:51 -07:00
Armon Dadgar
f0eec18cc7
secret/transit: testing key derivation
2015-07-05 14:30:45 -07:00
Armon Dadgar
143cd0875e
secret/transit: support key derivation in encrypt/decrypt
2015-07-05 14:19:24 -07:00
Armon Dadgar
ae9591004b
secret/transit: check for context for derived keys
2015-07-05 14:12:07 -07:00
Armon Dadgar
b30dbce404
secret/transit: support derived keys
2015-07-05 14:11:02 -07:00
Vishal Nayak
425b69be32
Vault SSH: PR review rework: Formatting/Refactoring
2015-07-02 19:52:47 -04:00
Bradley Girardeau
42050fe77b
ldap: add starttls support and option to specificy ca certificate
2015-07-02 15:49:51 -07:00
Vishal Nayak
c0a62f28b1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-02 17:23:13 -04:00
Vishal Nayak
a1e2705173
Vault SSH: PR review rework
2015-07-02 17:23:09 -04:00
Jeff Mitchell
13c5fe0a16
Fix regexes to allow hyphens in role names, as the documentation shows
2015-07-01 20:39:18 -05:00
Vishal Nayak
30a24eef2c
Vault SSH: review rework: formatted and moved code
2015-07-01 21:26:42 -04:00
Vishal Nayak
67e543a863
Vault SSH: Regex supports hypen in key name and role names
2015-07-01 21:05:52 -04:00
Vishal Nayak
bb16052141
Vault SSH: replaced concatenated strings by fmt.Sprintf
2015-07-01 20:35:11 -04:00
Vishal Nayak
d691a95531
Vault SSH: PR review rework - 1
2015-07-01 11:58:49 -04:00
Vishal Nayak
1f001d283f
For SSH backend, allow factory to be provided instead of Backend
2015-07-01 09:37:11 -04:00
Vishal Nayak
3b0ff5b5f1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-01 09:31:25 -04:00
Armon Dadgar
b52d3e6506
cred/app-id: testing upgrade to salted keys
2015-06-30 18:37:10 -07:00
Armon Dadgar
eeb717c901
cred/app-id: first pass at automatic upgrading to salting
2015-06-30 18:09:08 -07:00
Armon Dadgar
4b27e4d8c5
Remove SetLogger, and unify on framework.Setup
2015-06-30 17:45:20 -07:00
Armon Dadgar
5d69e7da90
Updating for backend API change
2015-06-30 17:36:12 -07:00
Vishal Nayak
b0043737af
lease handling fix
2015-06-30 20:21:41 -04:00
Vishal Nayak
8627f3c360
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-30 18:33:37 -04:00
Vishal Nayak
5e5e6788be
Input validations, help strings, default_user support
2015-06-30 18:33:17 -04:00
Armon Dadgar
8bc99f8c23
helper/uuid: single generateUUID definition
2015-06-30 12:38:32 -07:00
Armon Dadgar
3c58773598
Merge pull request #380 from kgutwin/cert-cli
...
Enable TLS client cert authentication via the CLI
2015-06-30 11:44:28 -07:00
Armon Dadgar
b1f7e2f0ea
ldap: fixing merge conflict
2015-06-30 09:40:43 -07:00
Jeff Mitchell
762108d9eb
Put timestamp back into the username. Since Cassandra doesn't support expiration, this can be used by scripts to manually clean up old users if revocation fails for some reason.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 11:15:46 -04:00
Jeff Mitchell
42b90fa9b9
Address some issues from code review.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:27:23 -04:00
Jeff Mitchell
fccbc587c6
A Cassandra secrets backend.
...
Supports creation and deletion of users in Cassandra using flexible CQL queries.
TLS, including client authentication, is supported.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:04:01 -04:00
Karl Gutwin
0062d923cc
Better error messages.
2015-06-30 08:59:38 -04:00
Karl Gutwin
a54ba31635
Merge remote-tracking branch 'upstream/master' into cert-cli
2015-06-30 08:31:00 -04:00
Karl Gutwin
dafcc5b2ce
enable CLI cert login
2015-06-29 23:29:41 -04:00
Vishal Nayak
f7a0c17100
merge changes from master
2015-06-29 22:01:43 -04:00
Vishal Nayak
91ed2dcdc2
Refactoring changes
2015-06-29 22:00:08 -04:00
esell
c0e1843263
change skipsslverify to insecure_tls
2015-06-29 19:23:31 -06:00
Armon Dadgar
12d3aee58e
audit: fixing panic caused by tls connection state. Fixes #322
2015-06-29 17:16:17 -07:00
Armon Dadgar
add8e1a3fd
Fixing merge conflict
2015-06-29 15:19:04 -07:00
Armon Dadgar
337997ab04
Fixing merge conflict
2015-06-29 14:50:55 -07:00
Vishal Nayak
0f2c1f867e
SCP in pure GO and CIDR parsing fix
2015-06-29 11:49:34 -04:00
Vishal Nayak
29696d4b6b
Creating SSH keys and removal of files in pure 'go'
2015-06-26 15:43:27 -04:00
Vishal Nayak
8c15e2313b
ssh/lookup implementation and refactoring
2015-06-25 21:47:32 -04:00
Vishal Nayak
f39df58eef
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-24 18:13:26 -04:00
Vishal Nayak
b237a3bcc2
POC: Rework. Doing away with policy file.
2015-06-24 18:13:12 -04:00
esell
e81f966842
Set SkipSSLVerify default to false, add warning in help message
2015-06-24 13:38:14 -06:00
esell
d3225dae07
cleanup the code a bit
2015-06-24 10:09:29 -06:00
esell
84371ea734
allow skipping SSL verification on ldap auth
2015-06-24 10:05:45 -06:00
Jeff Mitchell
e086879fa3
Merge remote-tracking branch 'upstream/master' into f-pki
2015-06-19 13:01:26 -04:00
Vishal Nayak
f8d164f477
SSHs to multiple users by registering the respective host keys
2015-06-19 12:59:36 -04:00
Jeff Mitchell
a6fc48b854
A few things:
...
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
Nate Brown
4ec685dc1a
Logging authentication errors and bad token usage
2015-06-18 18:30:18 -07:00
Vishal Nayak
90605c6079
merging with master
2015-06-18 20:51:11 -04:00
Vishal Nayak
8d98968a54
Roles, key renewal handled. End-to-end basic flow working.
2015-06-18 20:48:41 -04:00
Jeff Mitchell
34f495a354
Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
Vishal Nayak
2aed5f8798
Implementation for storing and deleting the host information in Vault
2015-06-17 22:10:47 -04:00
Armon Dadgar
d34861b811
secret/transit: allow policies to be upserted
2015-06-17 18:51:05 -07:00
Armon Dadgar
f53d31a580
secret/transit: Use special endpoint to get underlying keys. Fixes #219
2015-06-17 18:42:23 -07:00
Vishal Nayak
cfef144dc2
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-17 20:34:56 -04:00
Vishal Nayak
303a7cef9a
Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH.
2015-06-17 20:33:03 -04:00
Armon Dadgar
45d3c512fb
builtin: fixing API change in logical framework
2015-06-17 14:34:11 -07:00
Armon Dadgar
30de4ea80d
secret/postgres: Ensure sane username length. Fixes #326
2015-06-17 13:31:56 -07:00
Jeff Mitchell
29e7ec3e21
A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
...
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.
More refactoring could be done within the PKI backend itself, but that can wait.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
Vishal Nayak
3ed73d98c2
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect
2015-06-17 12:39:49 -04:00
Vishal Nayak
08c921c75e
Vault SSH: POC Stage 1. Skeleton implementation.
2015-06-16 16:58:54 -04:00
Jeff Mitchell
49f1fdbdcc
Merge branch 'master' into f-pki
2015-06-16 13:43:25 -04:00
Jeff Mitchell
03b0675350
A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions
...
useful for other parts of Vault (including the API) to take advantage of.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-16 13:43:12 -04:00
Mitchell Hashimoto
4bf84392ec
credential/github: get rid of stray tab
2015-06-16 10:05:51 -07:00
Mitchell Hashimoto
0ecf05c043
command/auth, github: improve cli docs
...
/cc @sethvargo
2015-06-16 10:05:11 -07:00
Christian Svensson
e3d3012795
Record the common name in TLS metadata
...
It is useful to be able to save the client cert's Common Name for auditing purposes when using a central CA.
This adds a "common_name" value to the Metadata structure passed from login.
2015-06-14 23:18:21 +01:00
Jeff Mitchell
ae1cbc1a7a
Erp, forgot this feedback...
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 23:16:13 -04:00
Jeff Mitchell
7cf1f186ed
Add locking for revocation/CRL generation. I originally was going to use an RWMutex but punted, because it's not worth trying to save some milliseconds with the possibility of getting something wrong. So the entire operations are now wrapped, which is minimally slower but very safe.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 22:28:13 -04:00
Jeff Mitchell
018c0ec7f5
Address most of Armon's initial feedback.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 21:57:05 -04:00
Jeff Mitchell
1513e2baa4
Add acceptance tests
...
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling
Also, fix a bug when trying to get code signing certificates.
Not tested:
* Revocation (I believe this is impossible with the current testing framework)
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jeff Mitchell
0d832de65d
Initial PKI backend implementation.
...
Complete:
* Up-to-date API documents
* Backend configuration (root certificate and private key)
* Highly granular role configuration
* Certificate generation
* CN checking against role
* IP and DNS subject alternative names
* Server, client, and code signing usage types
* Later certificate (but not private key) retrieval
* CRL creation and update
* CRL/CA bare endpoints (for cert extensions)
* Revocation (both Vault-native and by serial number)
* CRL force-rotation endpoint
Missing:
* OCSP support (can't implement without changes in Vault)
* Unit tests
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jonathan Sokolowski
348924eaab
logical/consul: Combine policy and lease into single storage struct
2015-05-28 09:36:23 +10:00
Jonathan Sokolowski
6b0820d709
logical/consul: custom lease time for roles
2015-05-27 09:53:46 +10:00
Ian Unruh
2e1bce27a9
Allow dot in LDAP login username
2015-05-20 11:54:15 -07:00
Armon Dadgar
cc966d6b52
auth/cert: Guard against empty certs. Fixes #214
2015-05-18 16:11:09 -07:00
Armon Dadgar
56659a2db2
cred/app-id: ensure consistent error message
2015-05-15 11:45:57 -07:00
Armon Dadgar
8cff23f29b
cred/app-id: stricter validation and error messaging
2015-05-15 11:40:45 -07:00
Jonathan Sokolowski
6746a24c78
credential/app-id: Test DeleteOperation
2015-05-14 22:30:02 +10:00
Etourneau Gwenn
a3fe4b889f
Fix Error message
2015-05-12 14:32:09 +09:00
Mitchell Hashimoto
1ca0b2340c
credential/app-id: add hash of user/app ID to metadata for logs
2015-05-11 10:46:11 -07:00
Mitchell Hashimoto
5406d3189e
Merge pull request #184 from hashicorp/b-github-casing
...
credential/github: case insensitive mappings
2015-05-11 10:27:45 -07:00
Mitchell Hashimoto
5c63b70eea
logical/framework: PathMap is case insensitive by default
2015-05-11 10:27:04 -07:00
Mitchell Hashimoto
4e861f29bc
credential/github: case insensitive mappings
2015-05-11 10:24:39 -07:00
Giovanni Bajo
8156b88353
auth/ldap: move password into InternalData
2015-05-09 22:06:34 +02:00
Giovanni Bajo
84388b2b20
auth/ldap: move username into the path (to allow per-user revokation on the path)
2015-05-09 22:06:28 +02:00
Giovanni Bajo
5e899e7de2
auth/ldap: fix pasto
2015-05-09 22:06:22 +02:00
Giovanni Bajo
1e1219dfcc
auth/ldap: implement login renew
2015-05-09 22:04:20 +02:00
Giovanni Bajo
a0f53f177c
auth/ldap: document LDAP server used in tests
2015-05-09 22:04:20 +02:00
Giovanni Bajo
b4093e2ddf
auth/ldap: add acceptance tests
2015-05-09 22:04:20 +02:00
Giovanni Bajo
02d3b1c74c
auth/ldap: add support for groups with unique members
2015-05-09 22:04:20 +02:00
Giovanni Bajo
c313ff2802
auth/ldap: implement authorization via LDAP groups
2015-05-09 22:04:20 +02:00
Giovanni Bajo
dc6b4ab9db
auth/ldap: add configuration path for groups
2015-05-09 22:04:20 +02:00
Giovanni Bajo
7e39da2e67
Attempt connection to LDAP server at login time.
...
Also switch to a LDAP library fork which fixes a panic when
shutting down a connection immediately.
2015-05-09 22:04:19 +02:00
Giovanni Bajo
7492c5712a
Initial implementation of the LDAP credential backend
2015-05-09 22:04:19 +02:00
Seth Vargo
f3c3f4717a
Remove references to -var
2015-05-08 11:45:29 -04:00
Armon Dadgar
a6a4bee2ee
cred/app-id: Add help synopsis to login path
2015-05-07 15:45:43 -07:00
Seth Vargo
04015fdf55
Fix output from GitHub help
2015-05-07 14:13:12 -04:00
Armon Dadgar
b07d0bc56f
audit/file: Create file if it does not exist. Fixes #148
2015-05-06 11:33:06 -07:00
Mitchell Hashimoto
deab183cbd
token/disk: write token with 0600
2015-05-02 13:34:01 -07:00
Trevor Pounds
582677b134
Fix documentation typo.
2015-04-28 22:15:56 -07:00
Armon Dadgar
848433a355
audit/file: add log_raw parameter and default to hashing
2015-04-27 15:56:41 -07:00
Armon Dadgar
f01e14351a
audit/syslog: switch defaults
2015-04-27 15:56:41 -07:00
Armon Dadgar
de7a81a8fb
audit/syslog: Copy structure before hashing to avoid breaking result
2015-04-27 15:56:40 -07:00
Armon Dadgar
1b659d41ff
audit/syslog: Hash everything by default, optionally disable
2015-04-27 15:56:40 -07:00
Armon Dadgar
bb1dd509d7
audit/syslog: first pass
2015-04-27 15:56:40 -07:00
Armon Dadgar
434305a6c2
secret/aws: Using roles instead of policy
2015-04-27 14:20:28 -07:00
Armon Dadgar
5edf8cf3a8
Do not root protect role configurations
2015-04-27 14:07:20 -07:00
Armon Dadgar
12e8c0f8cf
secret/postgres: secret/mysql: roles endpoints root protected
2015-04-27 14:04:10 -07:00
Armon Dadgar
816d981d1a
secret/consul: replace policy with roles, and prefix the token path
2015-04-27 13:59:56 -07:00
Armon Dadgar
6a38090822
secret/transit: rename policy to keys
2015-04-27 13:52:47 -07:00
Armon Dadgar
793e6efef4
secret/transit: Adding more help. Fixes #41
2015-04-27 12:47:09 -07:00
Armon Dadgar
27c73da308
audit/file: Attempt to create directory path. Fixes #38
2015-04-27 12:40:32 -07:00
Armon Dadgar
a753fadcb4
secret/postgresql: testing support for multiple statements
2015-04-27 12:00:07 -07:00
Armon Dadgar
1c8288c3da
secret/postgresql: support multiple sql statements
2015-04-27 11:31:27 -07:00
Armon Dadgar
50879eb2e5
mysql: cleanup
2015-04-27 11:31:11 -07:00
Armon Dadgar
9cae5520a0
logical/consul: Added missing policy endpoints
2015-04-27 11:08:37 -07:00
Armon Dadgar
1d95694a7c
secret/mysql: improve the example statement
2015-04-25 12:58:50 -07:00
Armon Dadgar
503241eeee
secret/mysql: adding acceptance test
2015-04-25 12:56:23 -07:00
Armon Dadgar
e378f5c4a2
secret/mysql: fixing mysql oddities
2015-04-25 12:56:11 -07:00
Armon Dadgar
57e66f3b6c
secret/mysql: initial pass at mysql secret backend
2015-04-25 12:05:26 -07:00
Armon Dadgar
9087471bad
credential/cert: support leasing and renewal
2015-04-24 12:58:39 -07:00
Armon Dadgar
3a9e20748b
credential/cert: default display name
2015-04-24 10:52:17 -07:00
Armon Dadgar
7b4ceeb7e6
credential/cert: more validation on cert setup
2015-04-24 10:39:44 -07:00
Armon Dadgar
d57c8ea0f0
credential/cert: return logical error if invalid
2015-04-24 10:36:25 -07:00
Armon Dadgar
ae272b83ce
credential/cert: major refactor
2015-04-24 10:31:57 -07:00
Armon Dadgar
28b18422b7
credential/cert: First pass at public key credential backend
2015-04-23 21:46:21 -07:00
Mitchell Hashimoto
ee2b113831
audit/file: append
2015-04-19 22:43:39 -07:00
Mitchell Hashimoto
0b7e7190b5
credentials/userpass: integrate into auth cli
2015-04-19 15:17:24 -07:00
Mitchell Hashimoto
c5cadc026d
credential/userpass: renewal
2015-04-19 15:12:50 -07:00
Mitchell Hashimoto
0ae9eadfd3
credential/userpass: help
2015-04-19 15:07:11 -07:00
Mitchell Hashimoto
0aec679bb4
credential/userpass: login
2015-04-19 15:06:29 -07:00
Mitchell Hashimoto
fedda20c41
credential/userpass: configuring users
2015-04-19 14:59:30 -07:00
Mitchell Hashimoto
17676af663
logical/postgresql: when renewing, alter the valid until
2015-04-18 22:55:33 -07:00
Mitchell Hashimoto
4e21f702a8
logical/consul: leasing
2015-04-18 22:29:46 -07:00
Mitchell Hashimoto
517236ea50
logical/consul: config/access is the new path for config
2015-04-18 22:28:53 -07:00
Mitchell Hashimoto
23a156b414
logical/aws: leasing/renewal support
2015-04-18 22:25:37 -07:00
Mitchell Hashimoto
2a8dfd85f4
logical/aws: fix build
2015-04-18 22:22:35 -07:00
Mitchell Hashimoto
208dd1e8be
logical/aws: move root creds config to config/root
2015-04-18 22:21:31 -07:00
Mitchell Hashimoto
f61626f7a6
logical/aws: support read/delete policies
2015-04-18 22:13:12 -07:00
Mitchell Hashimoto
79ccb2f412
logical/postgresql: support deleting roles and reading them
2015-04-18 21:59:59 -07:00
Mitchell Hashimoto
84bca3ef28
logical/postgresql: renew for secret
2015-04-18 21:47:19 -07:00
Mitchell Hashimoto
e1e5c47362
logical/postgresql: leasing
2015-04-18 21:45:05 -07:00
Mitchell Hashimoto
8edc4d1241
logical/postgres: no session limit
2015-04-18 18:42:57 -07:00
Mitchell Hashimoto
39b8ae1b31
logical/postgers: update docs properly
2015-04-18 18:42:26 -07:00
Mitchell Hashimoto
6e10c415ef
logical/postgresql: leases
2015-04-18 18:40:03 -07:00
Mitchell Hashimoto
2120235a2e
logical/postgresql: create DB credentials
2015-04-18 18:37:27 -07:00
Mitchell Hashimoto
d0eb1b9a74
logical/postgresql: creating roles
2015-04-18 18:09:33 -07:00