Brian Kassouf
30378d5ff6
remove the Initialize wrap and call close explicitly ( #3769 )
2018-01-10 13:07:55 -08:00
Jeff Mitchell
d8009bced1
Merge branch 'master-oss' into sethvargo/cli-magic
2018-01-10 11:15:49 -05:00
Jeff Mitchell
9c70985c3a
Add json.Number parsing for iam_request_header values ( #3770 )
...
Fixes #3763
2018-01-10 09:56:38 -06:00
Brian Kassouf
01914feb18
secret/database: ensure plugins are closed if they cannot be initialized ( #3768 )
2018-01-09 13:14:50 -08:00
Brian Kassouf
64da50c27c
Update plugin deps to include context changes ( #3765 )
...
* Update plugin deps to include context changes
* Fix tests
2018-01-08 12:26:13 -08:00
Brian Kassouf
1c190d4bda
Pass context to backends ( #3750 )
...
* Start work on passing context to backends
* More work on passing context
* Unindent logical system
* Unindent token store
* Unindent passthrough
* Unindent cubbyhole
* Fix tests
* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Will Glynn
282f648597
Document that AWS STS lease revocation is a no-op [ fixes #3736 ] ( #3760 )
2018-01-08 10:28:07 -06:00
Jeff Mitchell
d1803098ae
Merge branch 'master-oss' into sethvargo/cli-magic
2018-01-03 14:02:31 -05:00
Brian Shumate
2481803ac5
Update some approle related help output ( #3747 )
2018-01-03 13:56:14 -05:00
Brian Nuszkowski
aa4d5a942e
Add the ability to pass in mfa parameters when authenticating via the… ( #3729 )
2017-12-26 13:40:44 -05:00
Brian Kassouf
a97b8c6f30
secret/database: Fix upgrading database backend ( #3714 )
2017-12-18 19:38:47 -08:00
Calvin Leung Huang
c4e951efb8
Add period and max_ttl to cert role creation ( #3642 )
2017-12-18 15:29:45 -05:00
Chris Hoffman
b1aee36251
short circuit cert extensions check ( #3712 )
2017-12-18 13:19:05 -05:00
Travis Cosgrave
cf3e284396
Use Custom Cert Extensions as Cert Auth Constraint ( #3634 )
2017-12-18 12:53:44 -05:00
Jeff Mitchell
08f73e4a50
Merge pull request #3695 from hashicorp/creds-period-logic
2017-12-18 12:40:03 -05:00
Jeff Mitchell
77a7c52392
Merge branch 'master' into f-nomad
2017-12-18 12:23:39 -05:00
immutability
e7faad641c
Add Duo MFA to the Github backend ( #3696 )
2017-12-18 09:59:17 -05:00
Chris Hoffman
400d738403
use defaultconfig as base, adding env var test
2017-12-17 10:51:39 -05:00
Chris Hoffman
f6bed8b925
fixing up config to allow environment vars supported by api client
2017-12-17 09:10:56 -05:00
Chris Hoffman
b08606b320
adding existence check for roles
2017-12-15 19:50:20 -05:00
Chris Hoffman
b904d28d82
adding access config existence check and delete endpoint
2017-12-15 19:18:32 -05:00
Calvin Leung Huang
997a1453e7
Use shortMaxTTL on Ec2 paths
2017-12-15 17:29:40 -05:00
Chris Hoffman
c71f596fbd
address some feedback
2017-12-15 17:06:56 -05:00
Chris Hoffman
db0006ef65
Merge remote-tracking branch 'oss/master' into f-nomad
...
* oss/master:
Defer reader.Close that is used to determine sha256
changelog++
Avoid unseal failure if plugin backends fail to setup during postUnseal (#3686 )
Add logic for using Auth.Period when handling auth login/renew requests (#3677 )
plugins/database: use context with plugins that use database/sql package (#3691 )
changelog++
Fix plaintext backup in transit (#3692 )
Database gRPC plugins (#3666 )
2017-12-15 17:05:42 -05:00
Calvin Leung Huang
fe7ce434e4
Update logic on renew paths
2017-12-15 16:26:42 -05:00
Calvin Leung Huang
643451d46a
Update login logic for aws creds backend
2017-12-15 16:18:19 -05:00
Calvin Leung Huang
ba19b99f55
Update login logic for aws creds backend
2017-12-15 16:01:40 -05:00
Calvin Leung Huang
79cb82e133
Add logic for using Auth.Period when handling auth login/renew requests ( #3677 )
...
* Add logic for using Auth.Period when handling auth login/renew requests
* Set auth.TTL if not set in handleLoginRequest
* Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken
* Get sysView from le.Path, revert tests
* Add back auth.Policies
* Fix TokenStore tests, add resp warning when capping values
* Use switch for ttl/period check on RenewToken
* Move comments around
2017-12-15 13:30:05 -05:00
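The login/renew rules listed in the commit body above (copy te.TTL onto auth on login, pick period over TTL on renew, cap either against the system max TTL and warn rather than fail) are easier to see as a small model. The following is an added illustration written for this page, not Vault's own handler code; the TokenEntry, Auth and SysView types, the 768h defaults and the warning wording are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Simplified stand-ins for the values named in the commit message:
// te = token entry, auth = the auth block of a login response, sys = the
// mount's system view. These are assumptions for this example, not Vault's
// real types.
type TokenEntry struct {
	TTL    time.Duration
	Period time.Duration
}

type Auth struct {
	TTL    time.Duration
	Period time.Duration
}

type SysView struct {
	DefaultLeaseTTL time.Duration
	MaxLeaseTTL     time.Duration
}

// handleLoginRequest always copies the token entry's TTL and period onto the
// auth response, so a later renewal has an auth.TTL to work from even when the
// auth method itself did not set one.
func handleLoginRequest(te TokenEntry) Auth {
	return Auth{TTL: te.TTL, Period: te.Period}
}

// renewToken computes the lease duration granted by a renewal. A periodic
// token renews to its period, a non-periodic token to its TTL, and a token
// with neither falls back to the system default. Either value is capped at
// the system max TTL, and the cap is reported as a warning, not an error.
func renewToken(auth Auth, sys SysView) (time.Duration, []string) {
	var warnings []string
	var ttl time.Duration

	switch {
	case auth.Period > 0:
		ttl = auth.Period
		if ttl > sys.MaxLeaseTTL {
			warnings = append(warnings, fmt.Sprintf(
				"period of %s exceeded the effective max_ttl of %s; period value is capped accordingly",
				ttl, sys.MaxLeaseTTL))
			ttl = sys.MaxLeaseTTL
		}
	case auth.TTL > 0:
		ttl = auth.TTL
		if ttl > sys.MaxLeaseTTL {
			warnings = append(warnings, fmt.Sprintf(
				"ttl of %s exceeded the effective max_ttl of %s; ttl value is capped accordingly",
				ttl, sys.MaxLeaseTTL))
			ttl = sys.MaxLeaseTTL
		}
	default:
		ttl = sys.DefaultLeaseTTL
	}
	return ttl, warnings
}

func main() {
	// Assumed mount defaults for the demonstration.
	sys := SysView{DefaultLeaseTTL: 768 * time.Hour, MaxLeaseTTL: 768 * time.Hour}

	// A periodic token whose period exceeds the max TTL: renewal is capped and warned.
	auth := handleLoginRequest(TokenEntry{TTL: time.Hour, Period: 1000 * time.Hour})
	ttl, warnings := renewToken(auth, sys)
	fmt.Println("periodic:", ttl, warnings)

	// A plain token inside the limit: renewed to its own TTL, no warning.
	ttl, warnings = renewToken(Auth{TTL: 2 * time.Hour}, sys)
	fmt.Println("plain:", ttl, warnings)
}
```

The switch mirrors the commit's "use switch for ttl/period check": period wins over TTL, and the cap is surfaced as a response warning so a client can see that it received less than it asked for.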
Brian Kassouf
afe53eb862
Database gRPC plugins ( #3666 )
...
* Start work on context aware backends
* Start work on moving the database plugins to gRPC in order to pass context
* Add context to builtin database plugins
* use byte slice instead of string
* Context all the things
* Move proto messages to the dbplugin package
* Add a grpc mechanism for running backend plugins
* Serve the GRPC plugin
* Add backwards compatibility to the database plugins
* Remove backend plugin changes
* Remove backend plugin changes
* Cleanup the transport implementations
* If grpc connection is in an unexpected state restart the plugin
* Fix tests
* Fix tests
* Remove context from the request object, replace it with context.TODO
* Add a test to verify netRPC plugins still work
* Remove unused mapstructure call
* Code review fixes
* Code review fixes
* Code review fixes
2017-12-14 14:03:11 -08:00
Jeff Mitchell
b478ba8bac
Merge branch 'master' into f-nomad
2017-12-14 16:44:28 -05:00
Jeff Mitchell
d752da3648
Update Consul to use the role's configured lease on renew. ( #3684 )
2017-12-14 13:28:19 -05:00
Vishal Nayak
15b3d8738e
Transit: backup/restore ( #3637 )
2017-12-14 12:51:50 -05:00
Vishal Nayak
513d12ab7c
Fix the casing problem in approle ( #3665 )
2017-12-11 16:41:17 -05:00
Florent H. CARRÉ
539d86ab2d
Hardening RSA keys for PKI and SSH ( #3593 )
2017-12-11 13:43:56 -05:00
Chris Hoffman
3b0ba609b2
Converting key_usage and allowed_domains in PKI to CommaStringSlice ( #3621 )
2017-12-11 13:13:35 -05:00
Brad Sickles
295e11d40d
Adding mfa support to okta auth backend. ( #3653 )
2017-12-07 14:17:42 -05:00
Brian Shumate
a0d1092420
Conditionally set file audit log mode ( #3649 )
2017-12-07 11:44:15 -05:00
Mohsen
2aa576149c
Small typo relating to no_store in pki secret backend ( #3662 )
...
* Removed typo :)
* Corrected typo in the website related to no_store
2017-12-07 10:40:21 -05:00
Vishal Nayak
48ac5caaa9
Transit: Refactor internal representation of key entry map ( #3652 )
...
* convert internal map to index by string
* Add upgrade test for internal key entry map
* address review feedback
2017-12-06 18:24:00 -05:00
Dominik Müller
bc523fc294
add allowed_names to cert-response ( #3654 )
2017-12-06 16:50:02 -05:00
Jeff Mitchell
bfc37f0847
Re-add some functionality lost during last dep update ( #3636 )
2017-12-01 10:18:26 -05:00
Nicolas Corrarello
b5fd1ce953
Adding SealWrap configuration, protecting the config/access path
...
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 21:53:21 +00:00
Nicolas Corrarello
b3799697a2
Rename policy into policies
2017-11-29 16:31:17 +00:00
Nicolas Corrarello
0d8f812dc8
Checking if client is not nil before deleting token
...
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 16:23:03 +00:00
Nicolas Corrarello
239a9a9985
%q quotes automatically
...
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 16:19:31 +00:00
Nicolas Corrarello
62fe10204a
Refactoring check for empty accessor as per Vishal's suggestion
...
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:58:39 +00:00
Nicolas Corrarello
a6d3119e3e
Pull master into f-nomad
...
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:56:37 +00:00
Nicolas Corrarello
89466815ba
Return an error if accessor_id is nil
...
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:18:03 +00:00
Nicolas Corrarello
031f244922
Returning nil config if is actually nil, and catching the error before creating the client in backend.go
...
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 11:15:54 +00:00
Nicolas Corrarello
2a4f63e4a5
Moving LeaseConfig function to path_config_lease.go
...
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 11:07:17 +00:00
Nicolas Corrarello
4f91a71c29
Return error before creating a client if conf is nil
2017-11-29 11:01:31 +00:00
Nicolas Corrarello
e2be4bfd74
Sanitizing error outputs
2017-11-29 10:58:02 +00:00
Nicolas Corrarello
604ead3a37
Renaming tokenRaw to accessorIDRaw to avoid confusion, as the token is not being used for revoking itself
2017-11-29 10:48:55 +00:00
Nicolas Corrarello
34b5919931
Updating descriptions, defaults for roles
2017-11-29 10:44:40 +00:00
Nicolas Corrarello
fc81d8a07c
Validating that Address and Token are provided in path_config_access.go
2017-11-29 10:36:34 +00:00
Nicolas Corrarello
aab72464d6
Removing legacy field scheme that belonged to the Consul API
2017-11-29 10:29:39 +00:00
Joel Thompson
6f5aeeeae2
auth/aws: Check credential availability before auth ( #3465 )
...
Checks to ensure we can get a valid credential from the credential chain
when using the vault CLI to do AWS auth.
Fixes #3383
2017-11-13 15:43:24 -05:00
Vishal Nayak
8654c06b26
avoid empty group alias names ( #3567 )
2017-11-10 16:51:37 -05:00
Vishal Nayak
61d617df81
Avoid race conditions in AppRole ( #3561 )
...
* avoid race conditions in approle
* return a warning from role read if secondary index is missing
* Create a role ID index if a role is missing one
* Fix locking in approle read and add test
* address review feedback
2017-11-10 11:32:04 -05:00
Jeff Mitchell
6b72b90efa
Remove allow_base_domain from PKI role output.
...
It was never used in a release, in favor of allow_bare_domains.
Fixes #1452 (again)
2017-11-09 10:24:36 -05:00
Jeff Mitchell
3555a17d52
Don't read out an internal role member in PKI
2017-11-08 18:20:53 -05:00
Chris Hoffman
210fe50b68
adding ttl to secret, refactoring for consistency
2017-11-07 09:58:19 -05:00
Calvin Leung Huang
9ffe6421c5
Fix deprecated cassandra backend tests ( #3543 )
2017-11-06 17:15:45 -05:00
Joel Thompson
2c8cd19e14
auth/aws: Make disallow_reauthentication and allow_instance_migration mutually exclusive ( #3291 )
2017-11-06 17:12:07 -05:00
Chris Hoffman
1b387f75e3
minor cleanup
2017-11-06 16:36:37 -05:00
Chris Hoffman
de8c0dce99
minor cleanup
2017-11-06 16:34:20 -05:00
Gregory Reshetniak
57c9afa357
added AWS endpoint handling ( #3416 )
2017-11-06 13:31:38 -05:00
Jeff Mitchell
17310654a1
Add PKCS8 marshaling to PKI ( #3518 )
2017-11-06 12:05:07 -05:00
Nicolas Corrarello
c70bfff23a
Refactored Lease into the Backend configuration
2017-11-06 15:09:56 +00:00
Nicolas Corrarello
6dc8edf09f
Attaching secretToken to backend
2017-11-06 14:28:30 +00:00
Calvin Leung Huang
512b254820
Return role info for each role on pathRoleList ( #3532 )
...
* Return role info for each role on pathRoleList
* Change roles -> key_info, only return key_type
* Do not initialize result map in parseRole, refactor ListResponseWithInfo
* Add role list test
2017-11-03 17:12:03 -04:00
Jeff Mitchell
9952ddaf69
Add some more SealWrap declarations ( #3531 )
2017-11-03 11:43:31 -04:00
Vishal Nayak
52df62d4ff
Encrypt/Decrypt/Sign/Verify using RSA in Transit backend ( #3489 )
...
* encrypt/decrypt/sign/verify RSA
* update path-help and doc
* Fix the bug which was breaking convergent encryption
* support both 2048 and 4096
* update doc to contain both 2048 and 4096
* Add test for encrypt, decrypt and rotate on RSA keys
* Support exporting RSA keys
* Add sign and verify test steps
* Remove 'RSA' from PEM header
* use the default salt length
* Add 'RSA' to PEM header since openssl is expecting that
* export rsa keys as signing-key as well
* Comment the reasoning behind the PEM headers
* remove comment
* update comment
* Parameterize hashing for RSA signing and verification
* Added test steps to check hash algo choice for RSA sign/verify
* fix test by using 'prehashed'
2017-11-03 10:45:53 -04:00
Nicolas Corrarello
783b38c9c4
Not storing the Nomad token as we have the accessor for administrative operations
2017-11-03 07:25:47 +00:00
Nicolas Corrarello
4b572c064c
Overhauling the client method and attaching it to the backend
2017-11-03 07:19:49 +00:00
Jeff Mitchell
3a2440a651
Check input size to avoid a panic ( #3521 )
2017-11-02 16:40:52 -05:00
Vishal Nayak
7bae606662
External identity groups ( #3447 )
...
* external identity groups
* add local LDAP groups as well to group aliases
* add group aliases for okta credential backend
* Fix panic in tests
* fix build failure
* remove duplicated struct tag
* add test steps to test out removal of group member during renewals
* Add comment for having a prefix check in router
* fix tests
* s/parent_id/canonical_id
* s/parent/canonical in comments and errors
2017-11-02 16:05:48 -04:00
Nicolas Corrarello
eb7a0c0e83
Refactoring readAcessConfig to return a single type of error instead of two
2017-11-01 08:49:31 +00:00
Nicolas Corrarello
55dd69437a
Refactored config error to just have a single error exit path
2017-11-01 08:41:58 +00:00
Nicolas Corrarello
5f748a1217
Ignoring userErr as it will be nil anyway
2017-11-01 07:41:58 +00:00
Nicolas Corrarello
3ce4da75ac
tokenType can never be nil/empty string as there are default values
2017-11-01 07:36:14 +00:00
Nicolas Corrarello
afb5d123b9
Should return an error if trying to create a management token with policies attached
2017-10-31 21:12:14 +00:00
Nicolas Corrarello
d540985926
Unifying Storage and API path in role
2017-10-31 21:06:10 +00:00
Nicolas Corrarello
0fc65cabc7
Minor/Cosmetic fixes
2017-10-31 19:11:24 +00:00
Brian Kassouf
7fed43c035
Add the ability to glob allowed roles in the Database Backend ( #3387 )
...
* Add the ability to glob allowed roles in the Database Backend
* Make the error messages better
* Switch to the go-glob repo
2017-10-30 13:24:25 -07:00
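Globbing allowed_roles on a database connection, as the commit above introduces, means a connection's role list is matched as patterns instead of exact names. The block below is an added example for this page, not Vault's code and not the go-glob library the commit switched to: it implements a minimal `*`-only matcher and applies it to an allowed_roles list. Treating an empty list as deny-everything and a bare `*` as allow-everything are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// globMatch reports whether s matches pattern, where '*' matches any run of
// characters (including none) and everything else matches literally. Written
// for this example; it is not the go-glob package.
func globMatch(pattern, s string) bool {
	if pattern == "*" {
		return true
	}
	if !strings.Contains(pattern, "*") {
		return pattern == s
	}
	parts := strings.Split(pattern, "*")

	// The first segment must be a prefix. Strip it before checking the suffix
	// so that a prefix and suffix cannot overlap (e.g. "a*a" must not match "a").
	if !strings.HasPrefix(s, parts[0]) {
		return false
	}
	s = s[len(parts[0]):]

	last := parts[len(parts)-1]
	if !strings.HasSuffix(s, last) {
		return false
	}
	s = s[:len(s)-len(last)]

	// Middle segments must appear in order; taking the leftmost occurrence of
	// each leaves the most room for the segments that follow.
	for _, mid := range parts[1 : len(parts)-1] {
		idx := strings.Index(s, mid)
		if idx < 0 {
			return false
		}
		s = s[idx+len(mid):]
	}
	return true
}

// roleAllowed applies a connection's allowed_roles list to a role name. An
// empty list denies every role (assumed deny-by-default for this example);
// each entry is a glob pattern, so "*" allows all roles.
func roleAllowed(allowedRoles []string, role string) bool {
	for _, pattern := range allowedRoles {
		if globMatch(pattern, role) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample configuration and role names for the demonstration.
	allowed := []string{"readonly-*", "app-*-prod", "reporting"}
	for _, role := range []string{"readonly-billing", "app-web-prod", "app-web-dev", "reporting", "admin"} {
		fmt.Printf("%-18s allowed=%v\n", role, roleAllowed(allowed, role))
	}
}
```

The security-relevant detail is the default: with pattern matching in place, an accidental `*` entry grants every role on the connection, so the empty list must deny rather than allow, and patterns should be reviewed for unintended breadth (a trailing `*` on `app-` matches `app-admin` as readily as `app-web`).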
Jeff Mitchell
7486df810c
Simplify TTL/MaxTTL logic in SSH CA paths and sane with the rest of how ( #3507 )
...
Vault parses/returns TTLs.
2017-10-30 15:05:47 -05:00
Jeff Mitchell
d8e2179a42
Rejig some error messages in pki
2017-10-27 12:02:18 -04:00
Vishal Nayak
b16084fdaf
aws-ec2: Avoid audit logging of custom nonces ( #3381 )
2017-10-27 11:23:15 -04:00
Jeff Mitchell
713d5d5307
Don't swallow errors on token functions.
2017-10-24 09:39:35 -04:00
Seth Vargo
9f62e942bb
Spell Okta correctly
2017-10-24 09:39:34 -04:00
Seth Vargo
e26625c909
Prompt for GitHub token if not provided
2017-10-24 09:34:12 -04:00
Seth Vargo
c5665920f6
Standardize on "auth method"
...
This removes all references I could find to:
- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend
in favor of the unified:
- auth method
2017-10-24 09:32:15 -04:00
Seth Vargo
33765cfe06
Update token cli to parse "verify"
2017-10-24 09:30:48 -04:00
Seth Vargo
7b8c472e22
Update credential help
...
Use "vault login" instead of "vault auth" and use "method" consistently over provider.
2017-10-24 09:30:47 -04:00
Seth Vargo
0c85a9988d
Return better errors from token failures
2017-10-24 09:26:45 -04:00
Seth Vargo
c8eaa8b61b
Add built-in credential provider for tokens
...
This was previously part of the very long command/auth.go file, where it
mimicked the same API as other handlers. By making it a builtin
credential, we can remove a lot of conditional logic for token-based
authentication.
2017-10-24 09:26:45 -04:00
Seth Vargo
4a67643c06
Update help output for userpass auth
2017-10-24 09:26:45 -04:00
Seth Vargo
de6a839b9f
Update help output for okta auth
2017-10-24 09:26:44 -04:00
Seth Vargo
beb525d41b
Update help output for ldap auth
2017-10-24 09:26:44 -04:00
Seth Vargo
323f9ee26b
Update help output for github auth
2017-10-24 09:26:44 -04:00