open-vault

Author	SHA1	Message	Date
Calvin Leung Huang	628e5d594b	Add remaining tests	2017-04-26 16:05:58 -04:00
Calvin Leung Huang	d24757f2e0	Fix crl_util test	2017-04-26 09:58:34 -04:00
Calvin Leung Huang	18ed2d6097	Tests for cert and crl util	2017-04-26 02:46:01 -04:00
Jeff Mitchell	822d86ad90	Change storage of entries from colons to hyphens and add a lookup/migration path Still TODO: tests on migration path Fixes #2552	2017-04-18 11:14:23 -04:00
Jeff Mitchell	e8adc13826	Fix cassandra dep breakage	2017-04-17 11:51:42 -04:00
Vishal Nayak	09cd069435	Consider new bounds as a criteria to allow role creation (#2600 ) * Consider new bounds as a criteria to allow role creation * Added a test	2017-04-17 10:36:11 -04:00
Jeff Mitchell	79fb8bdf69	Verify that a CSR specifies IP SANs before checking whether it's allowed (#2574 )	2017-04-13 13:40:31 -04:00
Shivaram Lingamneni	2117dfd717	implement a no_store option for pki roles (#2565 )	2017-04-07 11:25:47 -07:00
Jeff Mitchell	f805618a2c	Update SSH CA documentation Fixes #2551 Fixes #2569	2017-04-07 11:59:25 -04:00
vishalnayak	049e086b07	Fix typo. Closes GH-2528	2017-04-04 12:29:18 -04:00
Jeff Mitchell	709389dd36	Use ParseStringSlice on PKI organization/organizational unit. (#2561 ) After, separately dedup and use new flag to not lowercase value. Fixes #2555	2017-04-04 08:54:18 -07:00
Vishal Nayak	003ef004c6	sshca: ensure atleast cert type is allowed (#2508 )	2017-03-19 18:58:48 -04:00
Jeff Mitchell	24886c1006	Ensure CN check is made when exclude_cn_from_sans is used Fixes #2363	2017-03-16 11:41:13 -04:00
Jeff Mitchell	ae8967d635	Always include a hash of the public key and "vault" (to know where it (#2498 ) came from) when generating a cert for SSH. Follow on from #2494	2017-03-16 11:14:17 -04:00
Mike Okner	95df7beed9	Adding allow_user_key_ids field to SSH role config (#2494 ) Adding a boolean field that determines whether users will be allowed to set the ID of the signed SSH key or whether it will always be the token display name. Preventing users from changing the ID and always using the token name is useful for auditing who actually used a key to access a remote host since sshd logs key IDs.	2017-03-16 08:45:11 -04:00
Jeff Mitchell	12e5132779	Allow roles to specify whether CSR SANs should be used instead of (#2489 ) request values. Fix up some documentation. Fixes #2451 Fixes #2488	2017-03-15 14:38:18 -04:00
Jeff Mitchell	7ab6844eb4	Set CA chain when intermediate does not have an authority key ID. This is essentially an approved review of the code provided in #2465. Fixes #2465	2017-03-15 11:52:02 -04:00
Stanislav Grozev	662b372364	Reads on unconfigured SSH CA public key return 400	2017-03-14 10:21:48 -04:00
Stanislav Grozev	7d59d7d3ac	Reads on ssh/config/ca return the public keys If configured/generated.	2017-03-14 10:21:48 -04:00
Stanislav Grozev	830de2dbbd	If generating an SSH CA signing key - return the public part So that the user can actually use the SSH CA, by adding the public key to their respective sshd_config/authorized_keys, etc.	2017-03-14 10:21:48 -04:00
Vishal Nayak	220beb2cde	doc: ssh allowed_users update (#2462 ) * doc: ssh allowed_users update * added some more context in default_user field	2017-03-09 10:34:55 -05:00
vishalnayak	f085cd71ab	Fix typo	2017-03-08 17:49:39 -05:00
Vishal Nayak	766c2e6ee0	SSH CA enhancements (#2442 ) * Use constants for storage paths * Upgrade path for public key storage * Fix calculateValidPrincipals, upgrade ca_private_key, and other changes * Remove a print statement * Added tests for upgrade case * Make exporting consistent in creation bundle * unexporting and constants * Move keys into a struct instead of plain string * minor changes	2017-03-08 17:36:21 -05:00
Jeff Mitchell	3d162b63cc	Use locks in a slice rather than a map, which is faster and makes things cleaner (#2446 )	2017-03-07 11:21:32 -05:00
Jeff Mitchell	5119b173c4	Rename helper 'duration' to 'parseutil'. (#2449 ) Add a ParseBool function that accepts various kinds of ways of specifying booleans. Have config use ParseBool for UI and disabling mlock/cache.	2017-03-07 11:21:22 -05:00
Vishal Nayak	4b81bcb379	ssh: Added DeleteOperation to config/ca (#2434 ) * ssh: Added DeleteOperation to config/ca * Address review feedback	2017-03-03 10:19:45 -05:00
Vishal Nayak	491a56fe9f	AppRole: Support restricted use tokens (#2435 ) * approle: added token_num_uses to the role * approle: added RUD tests for token_num_uses on role * approle: doc: added token_num_uses	2017-03-03 09:31:20 -05:00
Jeff Mitchell	55e69277ce	Update SSH CA logic/tests	2017-03-02 16:39:22 -05:00
Vishal Nayak	a1331278ff	Refactor the generate_signing_key processing (#2430 )	2017-03-02 16:22:06 -05:00
Jeff Mitchell	fa474924aa	Update error text to make it more obvious what the issue is when valid principals aren't found	2017-03-02 15:56:08 -05:00
Jeff Mitchell	eca68d5913	Fix a bunch of errors from returning 5xx, and parse more duration types	2017-03-02 15:38:34 -05:00
Will May	70bfdb5ae9	Changes from code review	2017-03-02 14:36:13 -05:00
Will May	36b3d89604	Allow internal generation of the signing SSH key pair	2017-03-02 14:36:13 -05:00
Vishal Nayak	3795d2ea64	Rework ssh ca (#2419 ) * docs: input format for default_critical_options and default_extensions * s/sshca/ssh * Added default_critical_options and default_extensions to the read endpoint of role * Change default time return value to 0	2017-03-01 15:50:23 -05:00
Will May	9f75f84175	Changes from code review Major changes are: * Remove duplicate code * Check the public key used to configure the backend is a valid one	2017-03-01 15:19:18 -05:00
Will May	ff1ff02bd7	Changes from code review Major changes are: * Change `allow_{user,host}_certificates` to default to false * Add separate `allowed_domains` role property	2017-03-01 15:19:18 -05:00
Will May	099d561b20	Add ability to create SSH certificates	2017-03-01 15:19:18 -05:00
Jeff Mitchell	47f8478a97	Fix github compile breakage after dep upgrade	2017-02-24 15:32:05 -05:00
Vishal Nayak	b762c43fe2	Aws Ec2 additional binds for SubnetID, VpcID and Region (#2407 ) * awsec2: Added bound_region * awsec2: Added bound_subnet_id and bound_vpc_id * Add bound_subnet_id and bound_vpc_id to docs * Remove fmt.Printf * Added crud test for aws ec2 role * Address review feedback	2017-02-24 14:19:10 -05:00
vishalnayak	2e911fc650	Fix broken build caused due to resolve merge conflicts	2017-02-24 12:41:20 -05:00
Vishal Nayak	c6f138bb9a	PKI: Role switch to control lease generation (#2403 ) * pki: Make generation of leases optional * pki: add tests for upgrading generate_lease * pki: add tests for leased and non-leased certs * docs++ pki generate_lease * Generate lease is applicable for both issuing and signing * pki: fix tests * Address review feedback * Address review feedback	2017-02-24 12:12:40 -05:00
Saj Goonatilleke	01f3056b8b	pki: Include private_key_type on DER-formatted responses from /pki/issue/ (#2405 )	2017-02-24 11:17:59 -05:00
Jeff Mitchell	c81582fea0	More porting from rep (#2388 ) * More porting from rep * Address review feedback	2017-02-16 16:29:30 -05:00
Jeff Mitchell	0c39b613c8	Port some replication bits to OSS (#2386 )	2017-02-16 15:15:02 -05:00
Jeff Mitchell	d7a6ec8d43	Add some repcluster handling to audit and add some tests (#2384 ) * Add some repcluster handling to audit and add some tests * Fix incorrect assumption about nil auth	2017-02-16 13:09:53 -05:00
Jeff Mitchell	c96fe56d44	Fix copypasta, thanks tests	2017-02-16 01:32:39 -05:00
Jeff Mitchell	817bec0955	Add Organization support to PKI backend. (#2380 ) Fixes #2369	2017-02-16 01:04:29 -05:00
Vishal Nayak	eb4ef0f6e0	cidrutil: added test data points (#2378 )	2017-02-16 00:51:02 -05:00
Vishal Nayak	81c95b36eb	aws-ec2 auth: Return the role period in seconds (#2374 ) * aws-ec2 auth: Return the role period in seconds * cast return values to int64 for comparison with expected values	2017-02-15 10:57:57 -05:00
Jeff Mitchell	04b4a6aa50	Fix Okta auth issue when a user has no policies and/or groups set. (#2371 ) Fixes #2367	2017-02-14 16:28:16 -05:00

1 2 3 4 5 ...

1137 commits