17310654a1
Add PKCS8 marshaling to PKI ( #3518 )
2017-11-06 12:05:07 -05:00
52df62d4ff
Encrypt/Decrypt/Sign/Verify using RSA in Transit backend ( #3489 )
...
* encrypt/decrypt/sign/verify RSA
* update path-help and doc
* Fix the bug which was breaking convergent encryption
* support both 2048 and 4096
* update doc to contain both 2048 and 4096
* Add test for encrypt, decrypt and rotate on RSA keys
* Support exporting RSA keys
* Add sign and verify test steps
* Remove 'RSA' from PEM header
* use the default salt length
* Add 'RSA' to PEM header since openssl is expecting that
* export rsa keys as signing-key as well
* Comment the reasoning behind the PEM headers
* remove comment
* update comment
* Parameterize hashing for RSA signing and verification
* Added test steps to check hash algo choice for RSA sign/verify
* fix test by using 'prehashed'
2017-11-03 10:45:53 -04:00
83ea47f706
fixing test after field rename ( #3530 )
2017-11-03 10:29:42 -04:00
3a2440a651
Check input size to avoid a panic ( #3521 )
2017-11-02 16:40:52 -05:00
7bae606662
External identity groups ( #3447 )
...
* external identity groups
* add local LDAP groups as well to group aliases
* add group aliases for okta credential backend
* Fix panic in tests
* fix build failure
* remove duplicated struct tag
* add test steps to test out removal of group member during renewals
* Add comment for having a prefix check in router
* fix tests
* s/parent_id/canonical_id
* s/parent/canonical in comments and errors
2017-11-02 16:05:48 -04:00
7fed43c035
Add the ability to glob allowed roles in the Database Backend ( #3387 )
...
* Add the ability to glob allowed roles in the Database Backend
* Make the error messages better
* Switch to the go-glob repo
2017-10-30 13:24:25 -07:00
713d5d5307
Don't swallow errors on token functions.
2017-10-24 09:39:35 -04:00
c5665920f6
Standardize on "auth method"
...
This removes all references I could find to:
- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend
in favor of the unified:
- auth method
2017-10-24 09:32:15 -04:00
844fe0a507
Make pgpkeys helper implement our flags interface
2017-10-24 09:28:06 -04:00
a80791ce7e
Update proto
2017-10-23 17:45:05 -04:00
c144f95be0
Sync over
2017-10-23 16:43:07 -04:00
2ede750c78
return the actual error for base64 decoding failure ( #3397 )
2017-10-20 11:21:45 -04:00
f7ed6732a5
Porting identity store ( #3419 )
...
* porting identity to OSS
* changes that glue things together
* add testing bits
* wrapped entity id
* fix mount error
* some more changes to core
* fix storagepacker tests
* fix some more tests
* fix mount tests
* fix http mount tests
* audit changes for identity
* remove upgrade structs on the oss side
* added go-memdb to vendor
2017-10-11 10:21:20 -07:00
9077adb377
Sanitize policy behavior across backends ( #3324 )
...
Fixes #3323
Fixes #3318
* Fix tests
* Fix tests
2017-09-13 11:36:52 -04:00
481b4a8b7f
Fix typo in transit error
2017-09-13 11:05:57 -04:00
a8d9426d9f
Update locking components from DR replication changes ( #3283 )
...
* Update locking components from DR replication changes
* Fix plugin backend test
* Add a comment about needing the statelock:
2017-09-04 19:38:37 -04:00
a581e96b78
Lazy-load plugin mounts ( #3255 )
...
* Lazy load plugins to avoid setup-unwrap cycle
* Remove commented blocks
* Refactor NewTestCluster, use single core cluster on basic plugin tests
* Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly
* Add special path to mock plugin
* Move ensureCoresSealed to vault/testing.go
* Use same method for EnsureCoresSealed and Cleanup
* Bump ensureCoresSealed timeout to 60s
* Correctly handle nil opts on NewTestCluster
* Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap
* Check metadata flag directly on the plugin process
* Plumb isMetadataMode down to PluginRunner
* Add NOOP shims when running in metadata mode
* Remove unused flag from the APIMetadata object
* Remove setupSecretPlugins and setupCredentialPlugins functions
* Move when we setup rollback manager to after the plugins are initialized
* Fix tests
* Fix merge issue
* start rollback manager after the credential setup
* Add guards against running certain client and server functions while in metadata mode
* Call initialize once a plugin is loaded on the fly
* Add more tests, update basic secret/auth plugin tests to trigger lazy loading
* Skip mount if plugin removed from catalog
* Fixup
* Remove commented line on LookupPlugin
* Fail on mount operation if plugin is re-added to catalog and mount is on existing path
* Check type and special paths on startBackend
* Fix merge conflicts
* Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth
2017-09-01 01:02:03 -04:00
d62937aaf3
Use TypeDurationSecond for TTL values in PKI. ( #3270 )
2017-08-31 15:46:13 -04:00
3edb337a00
Add option to set cluster TLS cipher suites. ( #3228 )
...
* Add option to set cluster TLS cipher suites.
Fixes #3227
2017-08-30 16:28:23 -04:00
b023d46cb8
Direct plugin logs through vault's logger ( #3142 )
...
* Direct plugin logs through vault's logger
* Pass in a logger in testConfig
2017-08-15 10:16:48 -04:00
a133286609
Switch policies in AppRole to TypeCommaStringSlice ( #3163 )
2017-08-14 20:15:51 -04:00
cca327feae
Only use specified HTTP client for AWS creds if one is passed in. ( #3161 )
...
Probably fixes #3159
2017-08-14 12:43:11 -04:00
a023ab5152
Fix MySQL legacy username regression ( #3141 )
...
* Fix the mysql legacy username length
* Remove boolean parameter
* Add a MySQL 5.6 container to test the legacy MySQL plugin against
* Add database plugins to the make file
* Fix credsutil test
2017-08-10 18:28:18 -07:00
db9d9e6415
Store original request path in WrapInfo ( #3100 )
...
* Store original request path in WrapInfo as CreationPath
* Add wrapping_token_creation_path to CLI output
* Add CreationPath to AuditResponseWrapInfo
* Fix tests
* Add and fix tests, update API docs with new sample responses
2017-08-02 18:28:58 -04:00
7e3ff5e56c
Add PROXY protocol support ( #3098 )
2017-08-02 18:24:12 -04:00
4885b3e502
Use RemoteCredProvider instead of EC2RoleProvider ( #2983 )
2017-07-31 18:27:16 -04:00
1bfc6d4fe7
Add a -dev-three-node option for devs. ( #3081 )
2017-07-31 11:28:06 -04:00
bb54e9c131
Backend plugin system ( #2874 )
...
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017 )
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
a449424bde
only check special characters on CLI when not in key=value format ( #2998 )
2017-07-12 13:28:57 -07:00
07088fe8a0
Added HANA database plugin ( #2811 )
...
* Added HANA dynamic secret backend
* Added acceptance tests for HANA secret backend
* Add HANA backend as a logical backend to server
* Added documentation to HANA secret backend
* Added vendored libraries
* Go fmt
* Migrate hana credential creation to plugin
* Removed deprecated hana logical backend
* Migrated documentation for HANA database plugin
* Updated HANA DB plugin to use role name in credential generation
* Update HANA plugin tests
* If env vars are not configured, tests will skip rather than succeed
* Fixed some improperly named string variables
* Removed unused import
* Import SAP hdb driver
2017-07-07 13:11:23 -07:00
5dbf30eb81
compressutil: Add Snappy support ( #2987 )
2017-07-07 14:43:45 -04:00
551f91e8e2
properly unlock policy when returning key setting errors ( #2974 )
2017-07-05 11:47:15 -04:00
32add0809e
More efficient s3 paging ( #2780 )
2017-06-16 11:09:15 -04:00
a7fca34076
Add ability to specify encryption key version in `transit` ( #2821 )
2017-06-06 16:02:54 -04:00
606fe393be
Use the role name in the db username ( #2812 )
2017-06-06 09:49:49 -04:00
3eebd5cf5a
ed25519 support in transit ( #2778 )
2017-06-05 15:00:39 -04:00
0d4e7fba69
Remove non-gRPC request forwarding
2017-05-24 09:34:59 -04:00
07704fa81c
Fix index out of range bug in ParseKeyValues
2017-05-17 21:47:13 -04:00
858deb9ca4
Don't allow parent references in file paths
2017-05-12 13:52:33 -04:00
d52228c843
Add mongodb plugin to builtin list
2017-05-11 19:29:28 -04:00
3874b63af3
Fix typos in error message ( #2692 )
2017-05-10 10:28:35 -04:00
45eaa7ad01
Increase plugin wrapping token time to 60 seconds; 10 can be too short as seen in tests
2017-05-09 09:50:07 -04:00
5ee0d696d4
Merge remote-tracking branch 'oss/master' into database-refactor
2017-05-04 10:45:18 -07:00
29bfc0a0d4
PR comments
2017-05-04 10:41:59 -07:00
0875e78a13
Feedback from PR
2017-05-03 17:37:34 -07:00
223598c675
Add the other mysql plugin types with the correct username length settings
2017-05-03 13:33:56 -07:00
b60ff2048d
Update docs and add cassandra as a builtin plugin
2017-05-02 17:04:49 -07:00
fdf045b3bd
Fix a few PR comments
2017-05-02 15:59:08 -07:00
29d9b831d3
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process
2017-05-02 14:40:11 -07:00
537342f038
Fixing printf (and similar) issues ( #2666 )
2017-05-01 23:34:10 -04:00
9a60ec9fda
Update interface name from Wrapper to a more descriptive RunnerUtil
2017-05-01 14:59:55 -07:00
8bb6c8caef
Return error message for failure to parse CSR ( #2657 )
2017-04-28 08:30:24 -04:00
6a1ae9160d
Add mssql builtin plugin type
2017-04-26 10:34:45 -07:00
ce9688ce8c
Change MlockDisabled to MlockEnabled
2017-04-24 12:21:49 -07:00
657d433330
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object
2017-04-24 12:15:01 -07:00
6c8239ba03
Update the builtin keys; move catalog to core; protect against unset plugin directory
2017-04-24 10:30:33 -07:00
6f9d178370
Calls to builtin plugins now go directly to the implementation instead of go-plugin
2017-04-20 18:46:41 -07:00
2ab159569d
Use the same TLS cert for the server and client
2017-04-19 15:46:07 -07:00
af9ff63e9a
Merge remote-tracking branch 'oss/master' into database-refactor
2017-04-19 15:16:00 -07:00
847c86f788
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
6afcf2aa7d
List Handling in API and CLI ( #2584 )
2017-04-18 16:02:31 -04:00
4e9f89430c
Move plugins into main vault repo
2017-04-13 13:48:32 -07:00
cfe25e2a00
Add comments to the plugin runner
2017-04-12 17:35:53 -07:00
8ccf10641b
Merge branch 'master' into database-refactor
2017-04-12 14:29:10 -07:00
faaeb09065
Add remaining crud functions to plugin catalog and tests
2017-04-12 09:40:54 -07:00
8071aed758
Mlock the plugin process
2017-04-10 17:12:52 -07:00
93136ea51e
Add backend test
2017-04-07 15:50:03 -07:00
62d59e5f4e
Move plugin code into sub directory
2017-04-06 12:20:10 -07:00
2e23cf58b8
Add postgres builtin plugin
2017-04-05 17:19:29 -07:00
ca2c3d0c53
Refactor to use builtin plugins from an external repo
2017-04-05 16:20:31 -07:00
b071144c67
move builtin plugins list to the pluginutil
2017-04-05 11:00:13 -07:00
709389dd36
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
...
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
e8781b6a2b
Plugin catalog
2017-04-03 17:52:29 -07:00
c50a6ebc39
Add functionaility to build db objects from disk so restarts work
2017-03-28 11:30:45 -07:00
29ae4602dc
More work on getting tests to pass
2017-03-23 15:54:15 -07:00
d453008dea
Update the name of PluginUnwrapTokenEnv
2017-03-16 14:17:44 -07:00
f2df4ef0e7
Comment and slight refactor of the TLS plugin helper
2017-03-16 14:14:49 -07:00
0a52ea5c69
Break tls code into helper library
2017-03-16 11:55:21 -07:00
3d162b63cc
Use locks in a slice rather than a map, which is faster and makes things cleaner ( #2446 )
2017-03-07 11:21:32 -05:00
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
e62f5dbc31
Allowed/Denied parameters support for globs ( #2438 )
...
* Add check for globbed strings
* Add tests for the acl globbing
* Fix bad test case
2017-03-03 14:50:55 -08:00
b1c2a930fe
Clean up request forwarding logic
2017-03-01 18:17:06 -05:00
eec66eaa3c
Have duration.ParseDurationSecond handle json.Number
2017-03-01 08:32:05 -05:00
7f0a99e8eb
Add max/min wrapping TTL ACL statements ( #2411 )
2017-02-27 14:42:00 -05:00
01f3056b8b
pki: Include private_key_type on DER-formatted responses from /pki/issue/ ( #2405 )
2017-02-24 11:17:59 -05:00
c81582fea0
More porting from rep ( #2388 )
...
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
0c39b613c8
Port some replication bits to OSS ( #2386 )
2017-02-16 15:15:02 -05:00
0a9a6d3343
Move ReplicationState to consts
2017-02-16 13:37:21 -05:00
13ec9c5dbf
Load leases into the expiration manager in parallel ( #2370 )
...
* Add a benchmark for exiration.Restore
* Add benchmarks for consul Restore functions
* Add a parallel version of expiration.Restore
* remove debug code
* Up the MaxIdleConnsPerHost
* Add tests for etcd
* Return errors and ensure go routines are exited
* Refactor inmem benchmark
* Add s3 bench and refactor a bit
* Few tweaks
* Fix race with waitgroup.Add()
* Fix waitgroup race condition
* Move wait above the info log
* Add helper/consts package to store consts that are needed in cyclic packages
* Remove not used benchmarks
2017-02-16 10:16:06 -08:00
eb4ef0f6e0
cidrutil: added test data points ( #2378 )
2017-02-16 00:51:02 -05:00
6c02e9357a
Update protos
2017-02-02 16:20:32 -05:00
85eceef188
Fix cipher preferred order
2017-01-24 09:29:57 +02:00
42894754a6
Remove comments destined to be outdated
2017-01-23 13:49:15 -05:00
1615280efa
Added tls_cipher_suites, tls_prefer_server_ciphers config options to listener ( #2293 )
2017-01-23 13:48:35 -05:00
98df700495
allow roles to set OU value in certificates issued by the pki backend ( #2251 )
2017-01-23 12:44:45 -05:00
7568a212b1
Adding support for exportable transit keys ( #2133 )
2017-01-23 11:04:43 -05:00
c9bd2a37f8
Don't sanitize disallowed_policies on token role
2017-01-17 21:34:14 -05:00
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
98a6e0fea3
Add Duo pushinfo capabilities ( #2118 )
2016-12-19 15:37:44 -05:00
8400b87473
Don't add default policy to child token if parent does not have it ( #2164 )
2016-12-16 00:36:39 -05:00
fc81a301b8
Don't say mlock is supported on OSX when it isn't. ( #2120 )
...
Fixes #2119
2016-11-22 12:56:36 -05:00
ee29b329fb
Bump proto files after update
2016-11-17 10:06:26 -05:00
ac9304e660
Remove the methods introduced to make the tests work from its older package
2016-10-26 20:03:51 -04:00
c14a6c8666
Move policy test to keysutil package
2016-10-26 19:57:28 -04:00
6d1e1a3ba5
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 19:52:31 -04:00
69df3fb95e
Added a few checks to the CIDR Subset checking util
2016-09-28 14:04:02 -04:00
d235acf809
Adding support for chained intermediate CAs in pki backend ( #1694 )
2016-09-27 17:50:17 -07:00
b1ee56a15b
Merge pull request #1910 from hashicorp/secret-id-cidr-list
...
CIDR restrictions on Secret ID
2016-09-26 10:22:48 -04:00
72b9c4c649
Fix parsing env var, needed to be in the helper too
2016-09-23 13:20:26 -04:00
a31f9bb0e9
Fix zeroAddr check
2016-09-23 12:50:26 -04:00
f560e20b28
Address review feedback
2016-09-22 18:07:35 -04:00
07b1b244d6
Use net.IPv4zero to check for zero address
2016-09-21 20:29:33 -04:00
aaadd4ad97
Store the CIDR list in the secret ID storage entry.
...
Use the stored information to validate the source address and credential issue time.
Correct the logic used to verify BoundCIDRList on the role.
Reverify the subset requirements between secret ID and role during credential issue time.
2016-09-21 20:19:26 -04:00
93604e1e2e
Added cidrutil helper
2016-09-21 13:58:32 -04:00
0ff76e16d2
Transit and audit enhancements
2016-09-21 10:49:26 -04:00
897d3c6d2c
Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop.
2016-09-16 11:05:43 -04:00
1d6552c625
Update logging formatting
2016-09-01 16:14:21 -04:00
cdcfa4572f
Address review feedback
2016-08-30 16:36:58 -04:00
7e41d5ab45
Pass headers back when request forwarding ( #1795 )
2016-08-26 17:53:47 -04:00
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
2860dcc60f
gofmt
2016-08-19 16:48:32 -04:00
bdcfe05517
Clustering enhancements ( #1747 )
2016-08-19 11:03:53 -04:00
5c33356d14
Protobuf for forwarding ( #1743 )
2016-08-17 16:15:15 -04:00
8d6244f8e7
Don't serialize the full connection state, instead just the peer certificates, and parse them on the other side
2016-08-17 10:29:53 -04:00
37320f8798
Request forwarding ( #1721 )
...
Add request forwarding.
2016-08-15 09:42:42 -04:00
2c14ff7385
build: Add support for building on Illumos
...
This commit adds support for building for Illumos-derived operating
systems. Regrettably, the cyrpto/ssh/terminal package does not include
implementations of the functions IsTerminal, MakeRaw or Restore for the
solaris OS. Consequently this commit implements them in Vault.
makeRaw(fd int) is based on the Illumos implementation of the getpass
function [1] for the correct flags. isTerminal(fd int) is based on the
Illumos libc implementation [2] of isatty.
[1] http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libast/common/uwin/getpass.c
[2] http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libbc/libc/gen/common/isatty.c
2016-08-13 00:20:15 -04:00
c1a46349fa
Change to keybase openpgp fork as it has important fixes
2016-08-11 08:31:43 -04:00
185363d6e0
Address review feedback
2016-08-09 11:13:48 -04:00
b43cc03f0e
Address review feedback from @jefferai
2016-08-09 10:47:55 -04:00
78d57520fb
Refactoring and test fixes
2016-08-09 03:43:03 -04:00
c81460add6
Added compressutil tests
2016-08-09 02:26:38 -04:00
f994c7ccd3
Tests for (de)compression in jsonutil
2016-08-09 00:50:19 -04:00
29989fa4c1
Make generic utility for compression and decompression
2016-08-09 00:50:19 -04:00
55ecad83bc
Pull out compression code into compressutil
2016-08-09 00:50:19 -04:00
5866cee5b4
Added utilities to compress the data
2016-08-09 00:50:19 -04:00
6ffdce7f40
Fix bugs and add test case for arbitrary string slice
2016-08-03 14:57:36 -04:00
9e204bd88c
Add arbitrary string slice parsing.
...
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.
Fixes #1619 in theory.
2016-08-03 14:24:16 -04:00
c025b292b5
Cleanup
2016-08-03 13:09:12 -04:00
cff7aada7a
Fix invalid input getting marked as internal error
2016-07-28 16:23:11 -04:00
a6907769b0
AppRole authentication backend
2016-07-26 09:32:41 -04:00
f1cc16b77f
Remove manual selection of nextprotos from tls config coming from certutil; it's really not up to us to dictate third party requirements
2016-07-22 11:12:46 -04:00
8dc3a830dc
Address review feedback
2016-07-22 10:21:45 -04:00
58bd985551
Address review feedback from @jefferai
2016-07-22 08:44:16 -04:00
765d131b47
Added service-tags config option to provide additional tags to registered service
2016-07-22 04:41:48 -04:00
9bb89431dc
Merge pull request #1632 from hashicorp/lib-locks-create
...
Added helper to create locks
2016-07-21 10:23:34 -04:00
3ec81debe7
Trim leading/trailing space around PEM bundles.
...
Fixes #1634
2016-07-20 13:57:49 -04:00
ba4dc638bf
Added test for CreateLocks
2016-07-20 05:37:38 -04:00
331f229858
Added a cap of 256 for CreateLocks utility
2016-07-20 04:48:35 -04:00
50e8a189e9
Added helper to create locks
2016-07-19 21:37:28 -04:00
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
de19314f18
Address review feedback
2016-07-13 11:52:26 -04:00
f78f303787
git add tlsutil
2016-07-13 11:29:17 -04:00
f34f0ef503
Make 'tls_min_version' configurable
2016-07-12 19:32:47 -04:00
46d34130ac
Set minimum TLS version in all tls.Config objects
2016-07-12 17:06:28 -04:00
5b210b2a1f
Return a duration instead and port a few other places to use it
2016-07-11 18:19:35 +00:00
ab6c2bc5e8
Factor out parsing duration second type and use it for parsing tune values too
2016-07-11 17:53:39 +00:00
10b5f6648b
Added jsonutil functional tests
2016-07-07 12:12:51 -04:00
14fd963d9f
Input validations for jsonutil
2016-07-07 11:29:38 -04:00
60912bdf65
Added jsonutil helper
2016-07-07 10:51:49 -04:00
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
1e4834bd20
Remove addDefault param from ParsePolicies
2016-05-31 13:39:58 -04:00
49b4c83580
Adding default policies while creating tokens
2016-05-31 13:39:58 -04:00
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
8c9dadf82b
Don't build mlock for NetBSD
...
NetBSD doesn't have the right symbols defined in Go for mlockall support. The OS supports it just fine, but the definitions aren't present in Go. If someone wanted to they could add support XOR the values from `sys/mman.h` for `MCL_CURRENT | MCL_FUTURE` which is almost certainly `0x01 | 0x02` but we're not going to do that in code due to the maintenance of a one-off just for NetBSD. PR's welcome.
2016-05-10 16:39:54 -07:00
80407eeba8
Fix up commenting
2016-05-05 10:31:50 -04:00
b6b9cd6f1f
Merge remote-tracking branch 'origin/master' into aws-cred-chain
2016-05-05 10:31:12 -04:00
314a1f9406
Updates to policy and string helpers
2016-05-05 10:22:28 -04:00
0cec22d27a
Lower case all policy values in ParsePolicies before processing
2016-05-05 05:22:59 -04:00
1b0df1d46f
Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over
2016-05-03 17:01:02 -04:00
7fbe5d2eaa
Region is required so error in awsutil if not set and set if empty in client code in logical/aws
2016-05-03 15:25:11 -04:00
a244ef8a00
Refactor AWS credential code into a function that returns a static->env->instance chain
2016-05-03 15:10:35 -04:00
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
09ad6317ea
Merge pull request #1297 from hashicorp/f-bsd-mlock
...
F bsd mlock
2016-04-06 13:57:34 -07:00
b178bfabd9
Fix the build targets
...
I'm not entirely sure why this didn't work, but explicitly list the unsupported platforms as identified by `go tool dist list`
2016-04-05 22:24:53 -07:00
e3a1ee92b5
Utility Enhancements
2016-04-05 20:32:59 -04:00
2374129c33
Consolidate mlock calls into one place
...
In theory Android and NaCL could build Vault now, too.
List of targets derived from: `go tool dist list`
2016-04-05 13:57:29 -07:00
308057a4a9
Switch Linux over to using the `x/sys/unix` package
...
Same syscall interface, but the `x/sys/unix` package is not frozen. No functional change from this commit.
2016-04-05 12:19:46 -07:00
dcde117bcb
`go fmt` was here, no functional change
2016-04-05 12:18:45 -07:00
087e7c94d3
Add Vault support for the *BSDs, including Darwin
...
The `syscall` package has been frozen in favor of `x/sys`. As a result, all of the BSDs are supported and do have `mlockall(2)` support in current versions of Go.
2016-04-05 12:18:19 -07:00
95abdebb06
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
c50276ec17
Fix using wrong var
2016-03-24 10:23:09 -04:00
4c4a65ebd0
Properly check for policy equivalency during renewal.
...
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.
Fixes #1256
2016-03-24 09:41:51 -04:00
786bce24b1
Remove us building Solaris binaries for the moment, as they don't build successfully
2016-03-16 15:47:55 -04:00
8901c0b67d
Type in kdf.go
2016-02-08 14:39:46 -06:00
7a59af7d18
Fix lost code after rebase
2016-01-19 19:19:07 -05:00
973c888833
RootGeneration->GenerateRoot
2016-01-19 18:28:10 -05:00
3b100c5965
Address most of the review feedback
2016-01-19 18:28:10 -05:00
3b994dbc7f
Add the ability to generate root tokens via unseal keys.
2016-01-19 18:28:10 -05:00
630b2d83a7
Allow ASCII-armored PGP pub keys to be passed into -pgp-keys.
...
Fixes #940
2016-01-18 17:01:52 -05:00
9c5ad28632
Update deps, and adjust usage of go-uuid to match new return values
2016-01-13 13:40:08 -05:00
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
a094eedce2
Add rekey nonce/backup.
2016-01-06 09:54:35 -05:00
8d1e5cb50d
Add returning which user names could not be looked up
2016-01-04 13:56:45 -05:00
90ec946dab
Address review feedback.
2016-01-04 11:18:04 -05:00
d11509830f
Happy New Year everyone! (Add keybase support for PGP keys.)
...
Keys specified in rekey and init operations can now be sourced from
keybase.io by using "keybase:[username]" as the key.
2015-12-31 20:47:41 -05:00
4dac5f5a0e
Merge pull request #829 from andrewstuart/master
...
Add parsing of pkcs#8-encoded bundles for pki/config/ca
2015-12-22 10:06:59 -05:00
f2da5b639f
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
4cb2941b77
[helper] support mlock on Solaris/SmartOS
2015-12-15 11:28:16 -08:00
c81e5c41d2
Update PrivateKeyType to string, update switch statement.
2015-12-14 11:16:47 -07:00
100465fee8
Remove unnecessary cast
2015-12-14 06:17:20 -07:00
567282170f
Remove printf call from test
2015-12-11 15:47:00 -07:00
ae9e842841
Merge branch 'pkcs8'
2015-12-11 15:22:43 -07:00
43bd14a755
Add benchmark for certutil bundle parsing
2015-12-11 15:17:49 -07:00
551591fb70
Remove debugging print statement in compareCertBundleToParsedCertBundle
2015-12-11 15:17:49 -07:00
b277eb9f14
Remove flag check before trying pkcs8 parsing.
2015-12-11 15:17:49 -07:00
6f672a9589
Add pkcs8 flag setting in ParsePEMBundle
2015-12-11 15:17:49 -07:00
4da225d39e
Update tests and finish implementation of PKCS8 handling
2015-12-11 15:17:49 -07:00
25667df5f7
Update ParsePEMBundle to properly handle pkcs#8
...
Implementation based on be16001187/src/crypto/tls/tls.go (L273-L290)
2015-12-11 15:17:49 -07:00
2861be29a4
Move to pem.Block.Type-based decoding
2015-12-11 14:57:33 -07:00
9d97cc36c9
Add benchmark for certutil bundle parsing
2015-12-11 09:58:49 -07:00
e70b0b86e2
Merge branch 'master' into pkcs8
2015-12-10 21:02:59 -07:00
572f587093
Update flag to field with format info
2015-12-10 21:02:31 -07:00
889245c990
Remove debugging print statement in compareCertBundleToParsedCertBundle
2015-12-10 16:33:42 -07:00
cdeca4ed92
Remove flag check before trying pkcs8 parsing.
2015-12-09 19:41:32 -07:00
ef2be34985
Remove flag check before trying pkcs8 parsing.
2015-12-09 15:33:25 -07:00
a3b096e3fe
Add pkcs8 flag setting in ParsePEMBundle
2015-12-09 15:33:25 -07:00
7d274cbb0b
Update tests and finish implementation of PKCS8 handling
2015-12-09 15:33:25 -07:00
db48b7fccf
Update ParsePEMBundle to properly handle pkcs#8
...
Implementation based on be16001187/src/crypto/tls/tls.go (L273-L290)
2015-12-09 15:29:13 -07:00
22a6d6fa22
Merge branch 'master' into pki-csrs
2015-11-20 12:48:38 -05:00
0dbe15cb87
Mostly revert changes to certutil as the embedded struct stuff was being
...
problematic.
2015-11-19 14:18:39 -05:00
f41a2e562a
fix tests
2015-11-19 10:13:28 -05:00
26c8cf874d
Move public key comparison logic to its own function
2015-11-19 09:51:18 -05:00
4681d027c0
Move serial number generation and key validation into certutil; centralize format and key verification
2015-11-19 09:51:18 -05:00
5510a2b16f
Add unit tests for CSR bundle conversion
2015-11-19 09:51:18 -05:00
54fccb2ff4
Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required.
2015-11-19 09:51:17 -05:00
b2df079446
Add unit tests to test signing logic, fix up test logic for names
2015-11-19 09:51:17 -05:00
1cec03d9ca
Implement CA cert/CSR generation. CA certs can be self-signed or
...
generate an intermediate CSR, which can be signed.
2015-11-19 09:51:17 -05:00
1c7157e632
Reintroduce the ability to look up obfuscated values in the audit log
...
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).
In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)
Fixes #784
2015-11-18 20:26:03 -05:00
c66f0918be
Add delete method, and ability to delete only one serial as well as an entire set.
2015-11-03 10:52:20 -05:00
2917e6be2f
helper/password: interrupt should exit readline
2015-10-16 16:01:19 -07:00
a9155ef85e
Use split-out hashicorp/uuid
2015-10-12 14:07:12 -04:00
ad840233eb
Allow base64-encoded keys to be used on the CLI for init/rekey.
...
Fixes #653 .
2015-10-06 12:47:01 -04:00
8d71601221
Changes to salt to clean up HMAC stuff.
2015-09-18 18:13:10 -04:00
5dde76fa1c
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 17:38:30 -04:00
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
8669a87fdd
When using PGP encryption on unseal keys, encrypt the hexencoded string rather than the raw bytes.
2015-08-26 07:59:50 -07:00
cc232e6f79
Address comments from review.
2015-08-25 15:33:58 -07:00
c887df93cc
Add support for pgp-keys argument to rekey, as well as tests, plus
...
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
aa55d36f03
Clean up naming and add documentation
2015-07-30 17:36:40 -07:00
d26b77b4f4
mfa: code cleanup
2015-07-28 11:55:46 -07:00
6697012dd3
mfa: improve edge cases and documentation
2015-07-27 21:14:00 -07:00
15c9e0cfc3
mfa duo: better error messages
2015-07-27 21:14:00 -07:00
e45f957bcc
mfa: add test cases for MFA, Duo
2015-07-27 21:14:00 -07:00
5cf78d8ba2
mfa: add MFA wrapper with Duo second factor
2015-07-27 21:14:00 -07:00
81f39fbc16
helper/kdf: changing argument name for clarity
2015-07-05 14:01:56 -07:00
bd347e0430
helper/kdf: adding lib for key derivation from NIST800-108
2015-07-05 14:01:21 -07:00
3084f64e5c
helper/salt: track if salt was generated
2015-06-30 16:47:49 -07:00
a2eb1210a7
helper/salt: adding little helper for salting
2015-06-30 14:04:18 -07:00
8bc99f8c23
helper/uuid: single generateUUID definition
2015-06-30 12:38:32 -07:00
3902626163
Merge pull request #310 from jefferai/f-pki
...
Initial PKI backend implementation
2015-06-21 11:12:22 +01:00
7244094509
allow building on FreeBSD
...
Allow this file to build on FreeBSD
2015-06-19 16:59:24 -04:00
390f769d1a
Add unit tests for certutil, and fix a whitespace stripping issue.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 16:06:56 -04:00
a6fc48b854
A few things:
...
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
34f495a354
Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
9e00ca769a
Restructure a little bit to make the helper library fully standalone. This makes it easier to move around later if desired, and for use by external programs.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 06:42:57 -04:00
29e7ec3e21
A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
...
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.
More refactoring could be done within the PKI backend itself, but that can wait.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
8d39d21ac2
helper/kv-builder: blank values should not panic
2015-06-16 10:00:02 -07:00
787a4bc4b5
Fixes #83
2015-04-29 10:20:09 +02:00
b5f8f3b05a
vault: add helper/mlock for doing mlock
2015-04-28 14:59:43 -07:00
fa80e90b1a
helper/passsword: fix windows compilation
2015-04-28 09:23:48 -07:00
8e3746d347
helper/kv-builder
2015-04-07 22:30:25 -07:00
481628c41f
command/auth: framework for supporting more auth methods
2015-04-05 20:50:18 -07:00
afc71d2a7b
command/server: cleaner output
2015-04-04 12:06:41 -07:00
2e9e4ee93d
helper/password: catch ctrl-c if possible
2015-04-01 17:27:29 -07:00
11f8423b4f
logical/framework, logical/testing
2015-03-15 16:39:49 -07:00
a0232eedd7
helper/backend: use logical package
2015-03-15 14:57:19 -07:00
857e00bcdc
helper/backend: start acceptance test framework
2015-03-14 17:18:19 -07:00
accd8c29ca
helper/backend: auto-generate help route
2015-03-14 10:12:50 -07:00
e8e55ef8b1
helper/backend: one callback per operation
2015-03-14 00:19:25 -07:00
7f87d9ea6f
helper/backend: HandleRequest works
2015-03-13 23:58:20 -07:00
d17c3d87d3
helper/backend: store captures for a path
2015-03-13 23:48:49 -07:00
c4e35ffb7d
helper/backend: cache route regexps (98% speedup)
...
benchmark old ns/op new ns/op delta
BenchmarkBackendRoute 49144 589 -98.80%
2015-03-13 23:25:17 -07:00
e5871abf77
helper/backend: benchmark route
2015-03-13 23:22:48 -07:00
0751c5db12
helper/backend: basic path routing (naive)
2015-03-13 23:17:25 -07:00
a68eb1a994
helper/backend: add default values
2015-03-13 21:15:20 -07:00
33a08fbfa0
helper/backend: start this thing
2015-03-13 21:11:19 -07:00
d88c20e293
command/server: add config loading
2015-03-12 15:21:11 -07:00
a524ef6537
helper/password: for reading passwords securely
2015-03-04 00:31:35 -08:00
Jeff Mitchell