Denis Subbotin
2797c609b0
fix checking that users policies is not nil
2016-11-29 16:35:49 +03:00
Denis Subbotin
cc374b3e2c
add support per user acl for ldap users
2016-11-29 13:32:59 +03:00
Thomas Soëte
5eaef287a8
Close ldap connection to avoid leak ( #2130 )
2016-11-28 09:31:36 -08:00
Jeff Mitchell
890c19312f
Update path help for approle secret id TTL
2016-11-15 11:50:51 -05:00
Daniel Somerfield
637414a623
Added support for individual user policy mapping in github auth backend. ( #2079 )
2016-11-10 16:21:14 -05:00
vascop
ba3dc07bb3
Fix typo and remove trailing whitespace. ( #2074 )
2016-11-08 09:32:23 -05:00
Jeff Mitchell
aa68041231
Fix GitHub tests
2016-11-08 07:13:42 -05:00
Glenn McAllister
50c8af0515
Add ldap tls_max_version config ( #2060 )
2016-11-07 13:43:39 -05:00
Jeff Mitchell
26fa2655b1
Add listing to Consul secret roles ( #2065 )
2016-11-04 12:35:16 -04:00
vishalnayak
65f0ce8ca3
Remove the sanity check which is not proving to be useful
2016-10-27 19:11:26 -04:00
vishalnayak
dc93e57cf1
Return the revocation_sql from role read all the time
2016-10-27 12:24:31 -04:00
vishalnayak
e0fb8c17ce
Added revocation_sql to the website docs
2016-10-27 12:15:08 -04:00
vishalnayak
c14a6c8666
Move policy test to keysutil package
2016-10-26 19:57:28 -04:00
vishalnayak
6d1e1a3ba5
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 19:52:31 -04:00
Vishal Nayak
79d45355c8
Merge pull request #2004 from hashicorp/role-id-update
...
Fix regression caused by not creating a role_id secondary index
2016-10-26 16:29:46 -04:00
vishalnayak
931c96d1ba
ssh: Use temporary file to store the identity file
2016-10-18 12:50:12 -04:00
Vishal Nayak
6dd560d9c6
Merge pull request #2005 from hashicorp/dedup-ldap-policies
...
Deduplicate the policies in ldap backend
2016-10-18 10:42:11 -04:00
Chris Hoffman
4b6e82afcb
Add ability to list keys in transit backend ( #1987 )
2016-10-18 10:13:01 -04:00
vishalnayak
2ce8bc95eb
Deduplicate the policies in ldap backend
2016-10-14 17:20:50 -04:00
vishalnayak
1487dce475
Fix regression caused by not creating a role_id secondary index
2016-10-14 12:56:29 -04:00
Laura Bennett
dcf44a8fc7
Merge pull request #1980 from hashicorp/audit-update
...
Audit file update
2016-10-10 14:34:53 -04:00
Laura Bennett
0da9d1ac0c
test updates to address feedback
2016-10-10 12:58:30 -04:00
Laura Bennett
5ce9737eb4
address feedback
2016-10-10 12:16:55 -04:00
Laura Bennett
962a383bfb
address latest feedback
2016-10-10 11:58:26 -04:00
Laura Bennett
290ccee990
minor fix
2016-10-10 10:05:36 -04:00
Laura Bennett
9fc5a37e84
address feedback
2016-10-09 22:23:30 -04:00
Laura Bennett
05519a1267
adding unit tests for file mode
2016-10-09 00:33:24 -04:00
Laura Bennett
e5a7e3d6cb
initial commit to fix empty consistency option issue
2016-10-08 20:22:26 -04:00
Laura Bennett
1b8d12fe82
changes for 'mode'
2016-10-08 19:52:49 -04:00
Laura Bennett
60ceea5532
initial commit for adding audit file permission changes
2016-10-07 15:09:32 -04:00
Michael S. Fischer
c45ab41b39
Update aws-ec2 configuration help
...
Updated to reflect enhanced functionality and clarify necessary
permissions.
2016-10-05 12:40:58 -07:00
Jeff Mitchell
70a9fc47b4
Don't use quoted identifier for the username
2016-10-05 14:31:19 -04:00
Jeff Mitchell
7f9a88d8db
Postgres revocation sql, beta mode ( #1972 )
2016-10-05 13:52:59 -04:00
vishalnayak
de5dec6b15
Refactor mysql's revoke SQL
2016-10-04 19:30:25 -04:00
Vishal Nayak
1ab7023483
Merge pull request #1914 from jpweber/mysql-revoke
...
Mysql revoke with non-wildcard hosts
2016-10-04 17:44:15 -04:00
Jim Weber
87f206b536
removed an unused ok variable. Added warning and force use for default queries if role is nil
2016-10-04 17:15:29 -04:00
vishalnayak
0f8c132ede
Minor doc updates
2016-10-04 15:46:09 -04:00
vishalnayak
2e1aa80f31
Address review feedback 2
2016-10-04 15:30:42 -04:00
vishalnayak
59475d7f14
Address review feedback
2016-10-04 15:05:44 -04:00
Jim Weber
cc38f3253a
fixed an incorrect assignment
2016-10-03 21:51:40 -04:00
vishalnayak
348a09e05f
Add only relevant certificates
2016-10-03 20:34:28 -04:00
vishalnayak
dbd364453e
aws-ec2 config endpoints support type option to distinguish certs
2016-10-03 20:25:07 -04:00
Jim Weber
ac78ddc178
More resilient around cases of missing role names and using the default when needed.
2016-10-03 20:20:00 -04:00
vishalnayak
b105f8ccf3
Authenticate aws-ec2 instances using identity document and its RSA signature
2016-10-03 18:57:41 -04:00
Jim Weber
0a7f1089ca
Refactored logic some to make sure we can always fall back to default revoke statments
...
Changed rolename to role
made default sql revoke statments a const
2016-10-03 15:59:56 -04:00
Jim Weber
704fccaf2e
fixed some more issues I had with the tests.
2016-10-03 15:58:09 -04:00
Jim Weber
a2d6624a69
renamed rolname to role
2016-10-03 15:57:47 -04:00
Jim Weber
bfb0c2d3ff
Reduced duplicated code and fixed comments and simple variable name mistakes
2016-10-03 14:53:05 -04:00
Jim Weber
bb70ecc5a7
Added test for revoking mysql user with wild card host and non-wildcard host
2016-10-02 22:28:54 -04:00
Jim Weber
dbb00534d9
saving role name to the Secret Internal data. Default revoke query added
...
The rolename is now saved to the secret internal data for fetching
later during the user revocation process. No longer deriving the role
name from request path
Added support for default revoke SQL statements that will provide the
same functionality as before. If not revoke SQL statements are provided
the default statements are used.
Cleaned up personal ignores from the .gitignore file
2016-10-02 18:53:16 -04:00
Jeff Mitchell
6d00f0c483
Adds HUP support for audit log files to close and reopen. ( #1953 )
...
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.
As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
Vishal Nayak
4c74b646fe
Merge pull request #1947 from hashicorp/secret-id-lookup-delete
...
Introduce lookup and destroy endpoints for secret IDs and its accessors
2016-09-29 10:19:54 -04:00
vishalnayak
34e76f8b41
Added website docs for lookup and destroy APIs
2016-09-28 22:11:48 -04:00
vishalnayak
d20819949c
Make secret-id reading and deleting, a POST op instead of GET
2016-09-28 20:22:37 -04:00
Michael S. Fischer
2dd1f584e6
Update documentation for required AWS API permissions
...
In order for Vault to map IAM instance profiles to roles, Vault
must query the 'iam:GetInstanceProfile' API, so update the documentation
and help to include the additional permissions needed.
2016-09-28 16:50:20 -07:00
Jeff Mitchell
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
Vishal Nayak
5adfaa0d7d
Merge pull request #1939 from hashicorp/secret-id-upgrade
...
Respond secret_id_num_uses and deprecate SecretIDNumUses
2016-09-28 18:16:07 -04:00
vishalnayak
e9142f418a
Added todo to remind removal of upgrade code
2016-09-28 18:17:13 -04:00
vishalnayak
e01f99f042
Check for prefix match instead of exact match for IAM bound parameters
2016-09-28 18:08:28 -04:00
vishalnayak
21d9731286
Don't reset the deprecated value yet
2016-09-28 15:48:50 -04:00
Vishal Nayak
4a30a6b4f8
Merge pull request #1913 from hashicorp/bound-iam-instance-profile-arn
...
Proper naming for bound_iam_instance_profile_arn
2016-09-28 15:34:56 -04:00
vishalnayak
31e450a175
Add some validation checks
2016-09-28 15:36:02 -04:00
vishalnayak
9eabf75f5f
Fix the misplaced response warning
2016-09-28 14:20:03 -04:00
vishalnayak
a2338f5970
Added testcase to check secret_id_num_uses
2016-09-28 13:58:53 -04:00
vishalnayak
ba1d238f9b
Pull out reading and storing of secret ID into separate functions and handle upgrade properly
2016-09-28 12:42:26 -04:00
Laura Bennett
010293ccc3
Merge pull request #1931 from hashicorp/cass-consistency
...
Adding consistency into cassandra
2016-09-27 21:12:02 -04:00
Chris Hoffman
d235acf809
Adding support for chained intermediate CAs in pki backend ( #1694 )
2016-09-27 17:50:17 -07:00
Laura Bennett
5ac43873c4
minor updates
2016-09-27 20:35:11 -04:00
Laura Bennett
e14fe05c13
added parsing at role creation
2016-09-27 16:01:51 -04:00
Laura Bennett
4938aa56bf
initial commit for consistency added into cassandra
2016-09-27 13:25:18 -04:00
Mikhail Zholobov
5eff59c410
Fix "SecretIDNumUses" in AppRole auth backend
...
There was a typo.
2016-09-27 17:26:52 +03:00
Vishal Nayak
b1ee56a15b
Merge pull request #1910 from hashicorp/secret-id-cidr-list
...
CIDR restrictions on Secret ID
2016-09-26 10:22:48 -04:00
Vishal Nayak
a4b119dc25
Merge pull request #1920 from legal90/fix-approle-delete
...
Fix panic on deleting the AppRole which doesn't exist
2016-09-26 10:05:33 -04:00
Mikhail Zholobov
3f77013004
Fix panic on deleting the AppRole which doesn't exist
...
#pathRoleDelete should return silently if the specified AppRole doesn't exist
Fixes GH-1919
2016-09-26 16:55:08 +03:00
vishalnayak
da5b5d3a8e
Address review feedback from @jefferai
2016-09-26 09:53:24 -04:00
vishalnayak
d080107a87
Update docs to contain bound_iam_role_arn
2016-09-26 09:37:38 -04:00
vishalnayak
bf0b7f218e
Implemented bound_iam_role_arn constraint
2016-09-23 21:35:36 -04:00
Jim Weber
e0ea497cfe
Getting role name from the creds path used in revocation
2016-09-23 16:57:08 -04:00
Jim Weber
8709406eb3
secretCredsRevoke command no longer uses hardcoded query
...
The removal of a user from the db is now handled similar to the
creation. The SQL is read out of a key from the role and then executed
with values substituted for username.
2016-09-23 16:05:49 -04:00
Jim Weber
1bed6bfc2c
Added support for a revokeSQL key value pair to the role
2016-09-23 16:00:23 -04:00
Jeff Mitchell
6bf871995b
Don't use time.Time in responses. ( #1912 )
...
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
vishalnayak
e0c41f02c8
Fix incorrect naming of bound_iam_instance_profile_arn
2016-09-23 11:22:23 -04:00
vishalnayak
c26754000b
Fix ssh tests
2016-09-22 11:37:55 -04:00
vishalnayak
aaadd4ad97
Store the CIDR list in the secret ID storage entry.
...
Use the stored information to validate the source address and credential issue time.
Correct the logic used to verify BoundCIDRList on the role.
Reverify the subset requirements between secret ID and role during credential issue time.
2016-09-21 20:19:26 -04:00
vishalnayak
578b82acf5
Pass only valid inputs to validation methods
2016-09-21 15:44:54 -04:00
vishalnayak
93604e1e2e
Added cidrutil helper
2016-09-21 13:58:32 -04:00
Jeff Mitchell
676e7e0f07
Ensure upgrades have a valid HMAC key
2016-09-21 11:10:57 -04:00
Jeff Mitchell
0ff76e16d2
Transit and audit enhancements
2016-09-21 10:49:26 -04:00
Chris Hoffman
5c241d31e7
Renaming ttl_max -> max_ttl in mssql backend ( #1905 )
2016-09-20 12:39:02 -04:00
Vishal Nayak
97dc0e9f64
Merge pull request #1897 from hashicorp/secret-id-accessor-locks
...
Safely manipulate secret id accessors
2016-09-19 11:37:38 -04:00
vishalnayak
fefd3a6c0b
s/GetOctalFormatted/GetHexFormatted
2016-09-16 17:47:15 -04:00
Jeff Mitchell
897d3c6d2c
Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop.
2016-09-16 11:05:43 -04:00
vishalnayak
ba72e7887a
Safely manipulate secret id accessors
2016-09-15 18:13:50 -04:00
Vishal Nayak
61664bc653
Merge pull request #1886 from hashicorp/approle-upgrade-notes
...
upgrade notes entry for approle constraint and warning on role read
2016-09-15 12:14:01 -04:00
vishalnayak
5597156886
check for nil role
2016-09-15 12:10:40 -04:00
vishalnayak
92986bb2a0
Address review feedback
2016-09-15 11:41:52 -04:00
vishalnayak
a1de742dce
s/disableReauthenticationNonce/reauthentication-disabled-nonce
2016-09-15 11:29:02 -04:00
vishalnayak
9bca127631
Updated docs with nonce usage
2016-09-14 19:31:09 -04:00
vishalnayak
857f921d76
Added comment
2016-09-14 18:27:35 -04:00
vishalnayak
39796e8801
Disable reauthentication if nonce is explicitly set to empty
2016-09-14 17:58:00 -04:00
vishalnayak
d0e4d77fce
address review feedback
2016-09-14 14:28:02 -04:00
vishalnayak
d7ce69c5eb
Remove the client nonce being empty check
2016-09-14 14:28:02 -04:00
vishalnayak
53c919b1d0
Generate the nonce by default
2016-09-14 14:28:02 -04:00
vishalnayak
455a4ae055
address review feedback
2016-09-14 12:08:35 -04:00
vishalnayak
b1392567d1
Use constant time comparisons for client nonce
2016-09-13 20:12:43 -04:00
vishalnayak
d2e66014ba
Address review feedback
2016-09-13 18:30:04 -04:00
Jeff Mitchell
29b67141eb
Only use running state for checking if instance is alive. ( #1885 )
...
Fixes #1884
2016-09-13 18:08:05 -04:00
vishalnayak
99a2655d8e
upgrade notes entry for approle constraint and warning on role read
2016-09-13 17:44:07 -04:00
vishalnayak
bef9c2ee61
Ensure at least one constraint on the role
2016-09-13 16:03:15 -04:00
Jeff Mitchell
197c7eae5f
Allow encrypting empty ciphertext values. ( #1881 )
...
Replaces #1874
2016-09-13 12:00:04 -04:00
vishalnayak
b599948e1c
Use uuid.GenerateRandomBytes
2016-09-09 14:17:09 -04:00
vishalnayak
127f61473b
Not exposing structs from the backend's package
2016-09-01 11:57:28 -04:00
Jeff Mitchell
1db0544b7a
Use unexported kdf const names
2016-08-31 07:19:58 -04:00
Vishal Nayak
c46a7391c0
Merge pull request #1799 from hashicorp/fix-role-locking
...
approle: fix racy updates problem for roles
2016-08-30 16:46:40 -04:00
vishalnayak
cdcfa4572f
Address review feedback
2016-08-30 16:36:58 -04:00
Jeff Mitchell
d2239d22d9
Use hkdf for transit key derivation for new keys ( #1812 )
...
Use hkdf for transit key derivation for new keys
2016-08-30 16:29:09 -04:00
vishalnayak
29b9295673
approle: fix racy updates problem for roles
2016-08-30 16:11:14 -04:00
vishalnayak
9dbc97028b
STS path field description update
2016-08-30 10:53:21 -04:00
vishalnayak
0b07ec7303
Added UpdateOperation to logical AWS STS path
2016-08-30 10:30:13 -04:00
Vishal Nayak
cdd1d96a64
Merge pull request #1804 from hashicorp/issue-1800
...
Mark STS secrets as non-renwable
2016-08-29 11:46:19 -04:00
navinanandaraj
8612b6139e
Fixes #1801 Reuse Cassandra session object for create creds ( #1802 )
2016-08-28 17:32:41 -04:00
Jeff Mitchell
f0537572a8
Mark STS secrets as non-renwable
...
Ping #1800
2016-08-28 14:27:56 -04:00
Jeff Mitchell
0b113f7916
Derive nonce fully in convergent mode ( #1796 )
...
Ping #1794
2016-08-26 17:01:56 -04:00
Jeff Mitchell
2f5876dfe9
Use key derivation for convergent nonce. ( #1794 )
...
Use key derivation for convergent nonce.
Fixes #1792
2016-08-26 14:11:03 -04:00
Jeff Mitchell
28739f3528
Decode secret internal data into struct and fix type assertion. ( #1781 )
2016-08-24 15:04:04 -04:00
Jeff Mitchell
d1284944c3
Merge pull request #1755 from hashicorp/logxi
...
Convert to logxi
2016-08-21 19:28:18 -04:00
Jeff Mitchell
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
vishalnayak
524ed6db37
Extract out common code
2016-08-21 15:46:11 -04:00
vishalnayak
dfe73733d5
Seperate endpoints for read/delete using secret-id and accessor
2016-08-21 14:42:49 -04:00
Jeff Mitchell
2860dcc60f
gofmt
2016-08-19 16:48:32 -04:00
vishalnayak
7ce631f1dc
Pretty print the warning
2016-08-18 16:09:10 -04:00
vishalnayak
870ffd6fd8
Use shortestTTL value during renewals too
2016-08-18 15:43:58 -04:00
vishalnayak
4f1c47478e
When TTL is not set, consider the system default TTL as well
2016-08-18 15:37:59 -04:00
vishalnayak
56b8c33c95
aws-ec2: se max_ttl when ttl is not set, during login
2016-08-18 15:16:32 -04:00
Jeff Mitchell
638e61192a
Actually show the error occurring if a file audit log can't be opened
2016-08-15 16:26:36 -04:00
Jeff Mitchell
86874def5c
Parameter change
...
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
2016-08-14 21:43:57 -04:00
Jeff Mitchell
39cfd116b6
Cleanup
2016-08-13 11:52:09 -04:00
Jeff Mitchell
1b8711e7b7
Ensure utc value is not zero before adding
2016-08-13 11:50:57 -04:00
Jeff Mitchell
d6d08250ff
Ensure values to be encoded in a CRL are in UTC. This aligns with the
...
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.
Fixes #1727
2016-08-13 08:40:09 -04:00
vishalnayak
b150c14caa
Address review feedback by @jefferai
2016-08-09 17:45:42 -04:00
vishalnayak
8d261b1a78
Added ttl field to aws-ec2 auth backend role
2016-08-09 17:29:45 -04:00
Jeff Mitchell
b69ed7ea93
Fix build
2016-08-08 17:00:59 -04:00
Jeff Mitchell
7f6c58b807
Address review feedback
2016-08-08 16:30:48 -04:00
Jeff Mitchell
0a67bcb5bd
Merge pull request #1696 from hashicorp/transit-convergent-specify-nonce
...
Require nonce specification for more flexibility
2016-08-08 11:41:10 -04:00
Jeff Mitchell
1f198e9256
Return warning about ACLing the LDAP configuration endpoint.
...
Fixes #1263
2016-08-08 10:18:36 -04:00
Jeff Mitchell
606ba64e23
Remove context-as-nonce, add docs, and properly support datakey
2016-08-07 15:53:40 -04:00
Jeff Mitchell
1976bc0534
Add unit tests for convergence in non-context mode
2016-08-07 15:16:36 -04:00
Jeff Mitchell
8b1d47037e
Refactor convergent encryption to make specifying a nonce in addition to context possible
2016-08-05 17:52:44 -04:00
Vincent Batoufflet
0b73c2ff9a
Fix PKI logical backend email alt_names
2016-08-04 12:10:34 +02:00
Jeff Mitchell
58e9cbbfc6
Add postgres test for block statements
2016-08-03 15:34:50 -04:00