Commit graph

443 commits

Author SHA1 Message Date
Jeff Mitchell 6f6f242061 Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 15:01:52 -04:00
Ben Gadbois 537342f038 Fixing printf (and similar) issues (#2666) 2017-05-01 23:34:10 -04:00
Michael Ansel 30b71cbbac Add constraints on the Common Name for certificate-based authentication (#2595)
* Refactor to consolidate constraints on the matching chain

* Add CN prefix/suffix constraint

* Maintain backwards compatibility (pick a random cert if multiple match)

* Vendor go-glob

* Replace cn_prefix/suffix with required_name/globbing

Move all the new tests to acceptance-capable tests instead of embedding in the CRL test

* Allow authenticating against a single cert

* Add new params to documentation

* Add CLI support for new param

* Refactor for style

* Support multiple (ORed) name patterns

* Rename required_names to allowed_names

* Update docs for parameter rename

* Use the new TypeCommaStringSlice
2017-04-30 11:37:10 -04:00
Jeff Mitchell 9a72b3162f Flip back to sstarcher go-okta post-merge 2017-04-28 17:21:49 -04:00
Jeff Mitchell 0f214cc502 Switch to jefferai/go-okta for now to work around Fatal lines in upstream (#2658)
Switch to jefferai/go-okta for now to work around Fatal lines in upstream
2017-04-28 08:39:51 -04:00
Joel Thompson e06a78a474 Create unified aws auth backend (#2441)
* Rename builtin/credential/aws-ec2 to aws

The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.

* Expand aws-ec2 backend to more generic aws

This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.

* Add missing aws auth handler to CLI

This was omitted from the previous commit

* aws auth backend general variable name cleanup

Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.

* Update docs for the aws auth backend

* Refactor aws bind validation

* Fix env var override in aws backend test

Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.

* Update docs on use of IAM authentication profile

AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.

* Fix typo in aws auth cli help

* Respond to PR feedback

* More PR feedback

* Respond to additional PR feedback

* Address more feedback on aws auth PR

* Make aws auth_type immutable per role

* Address more aws auth PR feedback

* Address more iam auth PR feedback

* Rename aws-ec2.html.md to aws.html.md

Per PR feedback, to go along with new backend name.

* Add MountType to logical.Request

* Make default aws auth_type dependent upon MountType

When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.

* Pass MountPoint and MountType back up to the core

Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
Chris Hoffman 847c86f788 Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings (#2614) 2017-04-19 10:39:07 -04:00
Chris Hoffman 938eab37b6 Do not lowercase groups attached to users in ldap (#2613) 2017-04-19 10:36:45 -04:00
Mitch Davis a051ec1b59 Use service bind for searching LDAP groups (#2534)
Fixes #2387
2017-04-18 15:52:05 -04:00
Vishal Nayak 09cd069435 Consider new bounds as a criteria to allow role creation (#2600)
* Consider new bounds as a criteria to allow role creation

* Added a test
2017-04-17 10:36:11 -04:00
vishalnayak 049e086b07 Fix typo. Closes GH-2528 2017-04-04 12:29:18 -04:00
Jeff Mitchell 709389dd36 Use ParseStringSlice on PKI organization/organizational unit. (#2561)
After, separately dedup and use new flag to not lowercase value.

Fixes #2555
2017-04-04 08:54:18 -07:00
Jeff Mitchell 3d162b63cc Use locks in a slice rather than a map, which is faster and makes things cleaner (#2446) 2017-03-07 11:21:32 -05:00
Vishal Nayak 491a56fe9f AppRole: Support restricted use tokens (#2435)
* approle: added token_num_uses to the role

* approle: added RUD tests for token_num_uses on role

* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
Jeff Mitchell 47f8478a97 Fix github compile breakage after dep upgrade 2017-02-24 15:32:05 -05:00
Vishal Nayak b762c43fe2 Aws Ec2 additional binds for SubnetID, VpcID and Region (#2407)
* awsec2: Added bound_region

* awsec2: Added bound_subnet_id and bound_vpc_id

* Add bound_subnet_id and bound_vpc_id to docs

* Remove fmt.Printf

* Added crud test for aws ec2 role

* Address review feedback
2017-02-24 14:19:10 -05:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Vishal Nayak eb4ef0f6e0 cidrutil: added test data points (#2378) 2017-02-16 00:51:02 -05:00
Vishal Nayak 81c95b36eb aws-ec2 auth: Return the role period in seconds (#2374)
* aws-ec2 auth: Return the role period in seconds

* cast return values to int64 for comparison with expected values
2017-02-15 10:57:57 -05:00
Jeff Mitchell 04b4a6aa50 Fix Okta auth issue when a user has no policies and/or groups set. (#2371)
Fixes #2367
2017-02-14 16:28:16 -05:00
vishalnayak 2bbc247ab4 use net.JoinHostPort 2017-02-08 18:39:09 -05:00
Jeff Mitchell 72db329d67 Add support for backup/multiple LDAP URLs. (#2350) 2017-02-08 14:59:24 -08:00
Jeff Mitchell a217be589c Merge pull request #2154 from fcantournet/default-ldap-username
ldap auth via cli defaults username to env (#2137)
2017-02-07 21:47:59 -08:00
Jeff Mitchell a2f07acbc4 Use Getenv instead of LookupEnv
This prevents returning empty username if LOGNAME is set but empty and USER is set but not empty.
2017-02-07 21:47:06 -08:00
Jeff Mitchell f05b482e46 Update error text 2017-02-07 21:44:23 -08:00
Jeff Mitchell 8f957579d8 Update some help text for RADIUS 2017-02-07 16:06:27 -05:00
Matteo Sessa 29d9d5676e RADIUS Authentication Backend (#2268) 2017-02-07 16:04:27 -05:00
Jeff Mitchell 5de633fd27 Make userpass help text mention radius too 2017-02-04 07:48:30 -05:00
Jeff Mitchell a8ea05f365 Add default mount param to userpass cli handler 2017-02-04 07:47:09 -05:00
Vishal Nayak 3457a11afd awsec2: support periodic tokens (#2324)
* awsec2: support periodic tokens

* awsec2: add api docs for 'period'
2017-02-02 13:28:01 -05:00
Vishal Nayak 14fcc4b6eb approle: secret-id listing lock sanity check (#2315)
* approle: secret-id listing lock sanity

* Skip processing an empty secretIDHMAC item during the iteration

* approle: use dedicated lock for listing of secret-id-accessors
2017-02-01 18:13:49 -05:00
louism517 0548555219 Support for Cross-Account AWS Auth (#2148) 2017-02-01 14:16:03 -05:00
Shane Starcher 6033ea884c Okta implementation (#1966) 2017-01-26 19:08:52 -05:00
Vishal Nayak 5aba2d47b6 ldap: Minor enhancements, tests and doc update (#2272) 2017-01-23 10:56:43 -05:00
Vishal Nayak fa7d61baa3 Merge pull request #2202 from fcantournet/fix_govet_fatalf
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Vishal Nayak 1d7ded02b4 Merge pull request #2152 from mr-tron/master
Thanks for submitting this. I am going to merge this in and write tests.
2017-01-13 14:29:46 -05:00
Brian Rodgers f33d35f3de Added a nil check for config and renamed org field internally. 2017-01-11 11:04:15 -06:00
Brian Rodgers a8f12dff01 Added a 'read' for github config 2017-01-10 18:21:31 -06:00
Félix Cantournet 103b7ceab2 all: test: Fix govet warnings
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Jeff Mitchell 8fff7daf51 Don't panic when TLS is enabled but the initial dial doesn't return a connection (#2188)
Related to #2186
2016-12-15 15:49:30 -05:00
Félix Cantournet e818efde7c ldap auth via cli defaults username to env (#2137)
try to guess the username from 'LOGNAME' or if it isn't set 'USER'
2016-12-02 19:08:32 +01:00
Brian Nuszkowski 3d66907966 Disallow passwords LDAP binds by default (#2103) 2016-12-01 10:11:40 -08:00
Denis Subbotin 2797c609b0 fix checking that users policies is not nil 2016-11-29 16:35:49 +03:00
Denis Subbotin cc374b3e2c add support per user acl for ldap users 2016-11-29 13:32:59 +03:00
Thomas Soëte 5eaef287a8 Close ldap connection to avoid leak (#2130) 2016-11-28 09:31:36 -08:00
Jeff Mitchell 890c19312f Update path help for approle secret id TTL 2016-11-15 11:50:51 -05:00
Daniel Somerfield 637414a623 Added support for individual user policy mapping in github auth backend. (#2079) 2016-11-10 16:21:14 -05:00
Jeff Mitchell aa68041231 Fix GitHub tests 2016-11-08 07:13:42 -05:00
Glenn McAllister 50c8af0515 Add ldap tls_max_version config (#2060) 2016-11-07 13:43:39 -05:00
vishalnayak 65f0ce8ca3 Remove the sanity check which is not proving to be useful 2016-10-27 19:11:26 -04:00