Brian Kassouf
53752c3002
Add check to ensure we don't overwrite existing connections
2017-04-26 16:43:42 -07:00
Brian Kassouf
081101c7cf
Add an error check to reset a plugin if it is closed
2017-04-26 15:55:34 -07:00
Brian Kassouf
d0cad5345a
Update to a RWMutex
2017-04-26 15:23:14 -07:00
Calvin Leung Huang
628e5d594b
Add remaining tests
2017-04-26 16:05:58 -04:00
Brian Kassouf
4782d9d2af
Update the error messages for renew and revoke
2017-04-26 10:29:16 -07:00
Brian Kassouf
892812d67d
Change ttl types to TypeDurationSecond
2017-04-26 10:02:37 -07:00
Calvin Leung Huang
d24757f2e0
Fix crl_util test
2017-04-26 09:58:34 -04:00
Calvin Leung Huang
18ed2d6097
Tests for cert and crl util
2017-04-26 02:46:01 -04:00
Brian Kassouf
e3e5f12f9e
Default deny when allowed roles is empty
2017-04-25 11:48:24 -07:00
Brian Kassouf
207d01fd39
Update the connection details data and fix allowedRoles
2017-04-25 11:11:10 -07:00
Brian Kassouf
eb0f831d6a
Rename path_role_create to path_creds_create
2017-04-25 10:39:17 -07:00
Brian Kassouf
3d3e4eb5a4
Use TypeCommaStringSlice for allowed_roles
2017-04-25 10:26:23 -07:00
Brian Kassouf
bed1c17b1e
Update logging to new structure
2017-04-25 10:24:19 -07:00
Brian Kassouf
f25b367732
Don't uppercase ErrorResponses
2017-04-24 14:03:48 -07:00
Brian Kassouf
378ae98809
s/DatabaseType/Database/
2017-04-24 13:59:12 -07:00
Joel Thompson
e06a78a474
Create unified aws auth backend ( #2441 )
* Rename builtin/credential/aws-ec2 to aws
The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.
* Expand aws-ec2 backend to more generic aws
This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being renamed to
just AWS with the expansion.
* Add missing aws auth handler to CLI
This was omitted from the previous commit
* aws auth backend general variable name cleanup
Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.
* Update docs for the aws auth backend
* Refactor aws bind validation
* Fix env var override in aws backend test
Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.
* Update docs on use of IAM authentication profile
AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the EC2 auth method. You
can now just change the instance profile on the fly.
* Fix typo in aws auth cli help
* Respond to PR feedback
* More PR feedback
* Respond to additional PR feedback
* Address more feedback on aws auth PR
* Make aws auth_type immutable per role
* Address more aws auth PR feedback
* Address more iam auth PR feedback
* Rename aws-ec2.html.md to aws.html.md
Per PR feedback, to go along with new backend name.
* Add MountType to logical.Request
* Make default aws auth_type dependent upon MountType
When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.
* Pass MountPoint and MountType back up to the core
Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
Brian Kassouf
6f9d178370
Calls to builtin plugins now go directly to the implementation instead of go-plugin
2017-04-20 18:46:41 -07:00
Brian Kassouf
af9ff63e9a
Merge remote-tracking branch 'oss/master' into database-refactor
2017-04-19 15:16:00 -07:00
Chris Hoffman
847c86f788
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
Chris Hoffman
938eab37b6
Do not lowercase groups attached to users in ldap ( #2613 )
2017-04-19 10:36:45 -04:00
Chris Hoffman
2ee593c6ea
Mssql driver update ( #2610 )
* Switching driver from mssql to sqlserver
* Adding explicit database to sp_msloginmappings call
2017-04-18 17:49:59 -04:00
Jeff Mitchell
4995c69763
Update sign-verbatim to correctly set generate_lease ( #2593 )
2017-04-18 15:54:31 -04:00
Mitch Davis
a051ec1b59
Use service bind for searching LDAP groups ( #2534 )
Fixes #2387
2017-04-18 15:52:05 -04:00
Jeff Mitchell
0897da93f0
Parse and dedup but do not lowercase principals in SSH certs. ( #2591 )
2017-04-18 12:21:02 -04:00
Jeff Mitchell
822d86ad90
Change storage of entries from colons to hyphens and add a lookup/migration path
Still TODO: tests on migration path
Fixes #2552
2017-04-18 11:14:23 -04:00
Jeff Mitchell
e8adc13826
Fix cassandra dep breakage
2017-04-17 11:51:42 -04:00
Vishal Nayak
09cd069435
Consider new bounds as a criterion to allow role creation ( #2600 )
* Consider new bounds as a criterion to allow role creation
* Added a test
2017-04-17 10:36:11 -04:00
Jeff Mitchell
79fb8bdf69
Verify that a CSR specifies IP SANs before checking whether it's allowed ( #2574 )
2017-04-13 13:40:31 -04:00
Brian Kassouf
883c80540a
Add allowed_roles parameter and checks
2017-04-13 10:33:34 -07:00
Brian Kassouf
0cfe1ea81c
Cleanup path files
2017-04-12 17:35:02 -07:00
Brian Kassouf
a9a05f5bba
Update Type() to return an error
2017-04-12 16:41:06 -07:00
Brian Kassouf
8ccf10641b
Merge branch 'master' into database-refactor
2017-04-12 14:29:10 -07:00
Brian Kassouf
128f25c13d
Update help text and comments
2017-04-11 11:50:34 -07:00
Brian Kassouf
c85b7be22f
Remove unnecessary abstraction
2017-04-10 18:38:34 -07:00
Brian Kassouf
8071aed758
Mlock the plugin process
2017-04-10 17:12:52 -07:00
Brian Kassouf
f6ff3b1146
Add a flag to tell plugins to verify the connection was successful
2017-04-10 15:36:59 -07:00
Brian Kassouf
db91a80540
Update plugin test
2017-04-10 14:12:28 -07:00
Brian Kassouf
bbbd81220c
Update the interface for plugins removing functions for creating creds
2017-04-10 12:24:16 -07:00
Brian Kassouf
459e3eda4e
Update backend tests
2017-04-10 10:35:16 -07:00
Brian Kassouf
93136ea51e
Add backend test
2017-04-07 15:50:03 -07:00
Shivaram Lingamneni
2117dfd717
implement a no_store option for pki roles ( #2565 )
2017-04-07 11:25:47 -07:00
Jeff Mitchell
f805618a2c
Update SSH CA documentation
Fixes #2551
Fixes #2569
2017-04-07 11:59:25 -04:00
Brian Kassouf
62d59e5f4e
Move plugin code into sub directory
2017-04-06 12:20:10 -07:00
Brian Kassouf
ca2c3d0c53
Refactor to use builtin plugins from an external repo
2017-04-05 16:20:31 -07:00
Calvin Leung Huang
2255884a4c
Do not mark conn as initialized until the end ( #2567 )
2017-04-04 14:26:59 -07:00
Brian Kassouf
305ccd54f7
Don't return strings, always structs
2017-04-04 11:33:58 -07:00
Calvin Leung Huang
9dd666c7e6
Database refactor invalidate ( #2566 )
* WIP on invalidate function
* cassandraConnectionProducer has Close()
* Delete database from connections map on successful db.Close()
* Move clear connection into its own func
* Use const for database config path
2017-04-04 11:32:42 -07:00
vishalnayak
049e086b07
Fix typo. Closes GH-2528
2017-04-04 12:29:18 -04:00
Jeff Mitchell
709389dd36
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
Brian Kassouf
b506bd7790
On change of configuration rotate the database type
2017-04-03 18:30:38 -07:00
Brian Kassouf
d7dd0ab35c
Merge branch 'database-refactor' of github.com:hashicorp/vault into database-refactor
2017-04-03 17:52:41 -07:00
Brian Kassouf
e8781b6a2b
Plugin catalog
2017-04-03 17:52:29 -07:00
Calvin Leung Huang
aa15a1d3a9
Database refactor mssql ( #2562 )
* WIP on mssql secret backend refactor
* Add RevokeUser test, and use sqlserver driver internally
* Remove debug statements
* Fix code comment
2017-04-03 09:59:30 -07:00
Brian Kassouf
210fa77e3c
Fix for plugin commands that have more than one parameter
2017-03-28 14:37:57 -07:00
Brian Kassouf
50729a4528
Add comments to connection and credential producers
2017-03-28 13:08:11 -07:00
Brian Kassouf
b09526e1c9
Cleanup the db factory code and add comments
2017-03-28 12:57:30 -07:00
Brian Kassouf
6b877039e7
Update tests
2017-03-28 12:20:17 -07:00
Brian Kassouf
c50a6ebc39
Add functionality to build db objects from disk so restarts work
2017-03-28 11:30:45 -07:00
Brian Kassouf
02b0230f19
Fix for checking types of database on update
2017-03-28 10:04:42 -07:00
Brian Kassouf
494f963581
Wrap the database calls with tracing information
2017-03-27 15:17:28 -07:00
Brian Kassouf
2799586f45
Remove the unused sync.Once object
2017-03-27 11:46:20 -07:00
Brian Kassouf
29ae4602dc
More work on getting tests to pass
2017-03-23 15:54:15 -07:00
Brian Kassouf
c0223d888e
Remove unused code block
2017-03-22 17:09:39 -07:00
Brian Kassouf
1068076703
s/postgres/mysql/
2017-03-22 16:44:33 -07:00
Brian Kassouf
dac1bb210b
Add test files for postgres and mysql databases
2017-03-22 16:39:08 -07:00
Brian Kassouf
ae9961b811
Add an error message for empty creation statement
2017-03-22 12:40:16 -07:00
Brian Kassouf
c55bef85d3
Fix race with deleting the connection
2017-03-22 09:54:19 -07:00
Brian Kassouf
85ef468d46
Add a delete method
2017-03-21 17:19:30 -07:00
Brian Kassouf
83ff132705
Verify connections regardless of whether this connection already exists
2017-03-21 16:05:59 -07:00
Vishal Nayak
003ef004c6
sshca: ensure at least cert type is allowed ( #2508 )
2017-03-19 18:58:48 -04:00
Brian Kassouf
a4e5e0f8c9
Comment and fix plugin Type function
2017-03-16 18:24:56 -07:00
Brian Kassouf
417770a58f
Change the handshake config from the default
2017-03-16 17:51:25 -07:00
Brian Kassouf
2873825848
Add a secure config to verify the checksum of the plugin
2017-03-16 16:20:18 -07:00
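As an added illustration of the check the commit above describes, and not Vault's own code: before a plugin binary from the catalog is launched, its SHA-256 digest is compared against the checksum the operator registered, and a mismatch aborts the launch. In Vault this goes through go-plugin's SecureConfig; the stand-alone version below performs the same comparison on a temporary file that stands in for the plugin binary. The pluginChecksum type and the RegisterFromHex and VerifyPlugin names are this example's own.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"os"
)

// pluginChecksum records the SHA-256 digest an operator registered for a
// plugin binary. The field names are this example's own, not Vault's schema.
type pluginChecksum struct {
	Name   string
	SHA256 []byte
}

// fileSHA256 streams the file through SHA-256 so a large binary is never
// held in memory at once.
func fileSHA256(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// RegisterFromHex parses the operator-supplied hex digest and rejects
// anything that is not exactly one SHA-256 worth of bytes.
func RegisterFromHex(name, sumHex string) (pluginChecksum, error) {
	sum, err := hex.DecodeString(sumHex)
	if err != nil {
		return pluginChecksum{}, fmt.Errorf("plugin %q: bad hex checksum: %w", name, err)
	}
	if len(sum) != sha256.Size {
		return pluginChecksum{}, fmt.Errorf("plugin %q: checksum is %d bytes, want %d", name, len(sum), sha256.Size)
	}
	return pluginChecksum{Name: name, SHA256: sum}, nil
}

// VerifyPlugin refuses to hand the binary to the launcher unless its digest
// matches the registered one. The comparison is constant-time; the length is
// checked first because ConstantTimeCompare reports a length mismatch as 0,
// and we want that reported as a distinct error.
func VerifyPlugin(path string, reg pluginChecksum) error {
	if len(reg.SHA256) != sha256.Size {
		return fmt.Errorf("plugin %q: registered checksum is %d bytes, want %d", reg.Name, len(reg.SHA256), sha256.Size)
	}
	got, err := fileSHA256(path)
	if err != nil {
		return fmt.Errorf("plugin %q: hashing %s: %w", reg.Name, path, err)
	}
	if subtle.ConstantTimeCompare(got, reg.SHA256) != 1 {
		return fmt.Errorf("plugin %q: checksum mismatch: got %s, want %s",
			reg.Name, hex.EncodeToString(got), hex.EncodeToString(reg.SHA256))
	}
	return nil
}

func main() {
	// Constructed stand-in for a plugin binary: a temp file with known bytes.
	f, err := os.CreateTemp("", "plugin-*")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.WriteString("#!/bin/sh\necho fake plugin\n")
	f.Close()

	sum, _ := fileSHA256(f.Name())
	reg, _ := RegisterFromHex("mysql-database-plugin", hex.EncodeToString(sum))
	fmt.Println("registered:", VerifyPlugin(f.Name(), reg)) // nil

	tampered := reg
	tampered.SHA256 = append([]byte{}, reg.SHA256...)
	tampered.SHA256[0] ^= 0xff
	fmt.Println("tampered:", VerifyPlugin(f.Name(), tampered)) // checksum mismatch
}
```

The digest is only as trustworthy as the catalog entry that holds it, which is why the same branch adds a root-only path for plugin configuration (see "Add special path to enforce root on plugin configuration" further down): anyone who can write the checksum can register a replacement binary.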
Brian Kassouf
f2df4ef0e7
Comment and slight refactor of the TLS plugin helper
2017-03-16 14:14:49 -07:00
Brian Kassouf
0a52ea5c69
Break tls code into helper library
2017-03-16 11:55:21 -07:00
Jeff Mitchell
24886c1006
Ensure CN check is made when exclude_cn_from_sans is used
Fixes #2363
2017-03-16 11:41:13 -04:00
Jeff Mitchell
ae8967d635
Always include a hash of the public key and "vault" (to know where it came from) when generating a cert for SSH. ( #2498 )
Follow on from #2494
2017-03-16 11:14:17 -04:00
Mike Okner
95df7beed9
Adding allow_user_key_ids field to SSH role config ( #2494 )
...
Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name. Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.
2017-03-16 08:45:11 -04:00
Brian Kassouf
eb6117cbb2
Work on TLS communication over plugins
2017-03-15 17:14:48 -07:00
Jeff Mitchell
12e5132779
Allow roles to specify whether CSR SANs should be used instead of request values. ( #2489 )
Fix up some documentation.
Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
Jeff Mitchell
7ab6844eb4
Set CA chain when intermediate does not have an authority key ID.
This is essentially an approved review of the code provided in #2465 .
Fixes #2465
2017-03-15 11:52:02 -04:00
Brian Kassouf
3ecb344878
wrap plugin database type with metrics middleware
2017-03-14 13:12:47 -07:00
Brian Kassouf
822a3eb20a
Add a metrics middleware
2017-03-14 13:11:28 -07:00
Stanislav Grozev
662b372364
Reads on unconfigured SSH CA public key return 400
2017-03-14 10:21:48 -04:00
Stanislav Grozev
7d59d7d3ac
Reads on ssh/config/ca return the public keys
If configured/generated.
2017-03-14 10:21:48 -04:00
Stanislav Grozev
830de2dbbd
If generating an SSH CA signing key - return the public part
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
2017-03-14 10:21:48 -04:00
Brian Kassouf
2054fff890
Add a way to initialize plugins and builtin databases the same way.
2017-03-13 14:39:55 -07:00
Brian Kassouf
71b81aad23
Add checksum attribute
2017-03-10 14:10:42 -08:00
Brian Kassouf
a11911d4d4
Rename reset to close
2017-03-09 22:35:45 -08:00
Brian Kassouf
fda45f531d
Add special path to enforce root on plugin configuration
2017-03-09 21:31:29 -08:00
Brian Kassouf
748c70cfb4
Add plugin file
2017-03-09 17:43:58 -08:00
Brian Kassouf
9099231229
Add plugin features
2017-03-09 17:43:37 -08:00
Vishal Nayak
220beb2cde
doc: ssh allowed_users update ( #2462 )
* doc: ssh allowed_users update
* added some more context in default_user field
2017-03-09 10:34:55 -05:00
vishalnayak
f085cd71ab
Fix typo
2017-03-08 17:49:39 -05:00
Brian Kassouf
b7128f8370
Update secrets fields
2017-03-08 14:46:53 -08:00
Vishal Nayak
766c2e6ee0
SSH CA enhancements ( #2442 )
* Use constants for storage paths
* Upgrade path for public key storage
* Fix calculateValidPrincipals, upgrade ca_private_key, and other changes
* Remove a print statement
* Added tests for upgrade case
* Make exporting consistent in creation bundle
* unexporting and constants
* Move keys into a struct instead of plain string
* minor changes
2017-03-08 17:36:21 -05:00
Brian Kassouf
2fb6bf9882
Fix renew and revoke calls
2017-03-07 17:21:44 -08:00
Brian Kassouf
b7c3b4b0d7
Add defaults to the cassandra database type
2017-03-07 17:00:52 -08:00
Brian Kassouf
3976a2a0a6
Pass statements object
2017-03-07 16:48:17 -08:00
Brian Kassouf
843d584254
Remove unused sql object
2017-03-07 15:34:23 -08:00
Brian Kassouf
919155ab12
Remove double lock
2017-03-07 15:33:05 -08:00
Brian Kassouf
c959882b93
Update locking functionality
2017-03-07 13:48:29 -08:00
Jeff Mitchell
3d162b63cc
Use locks in a slice rather than a map, which is faster and makes things cleaner ( #2446 )
2017-03-07 11:21:32 -05:00
Jeff Mitchell
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Brian Kassouf
bc53e119ca
rename mysql variable
2017-03-03 15:07:41 -08:00
Brian Kassouf
bba832e6bf
Make db instances immutable and add a reset path to tear down and create a new database instance with an updated config
2017-03-03 14:38:49 -08:00
Brian Kassouf
29e07ac9e8
Fix mysql connections
2017-03-03 14:38:49 -08:00
Brian Kassouf
24ddea9954
Add mysql into the factory
2017-03-03 14:38:48 -08:00
Brian Kassouf
8e8f260d96
Add max connection lifetime param and set consistency on cassandra session
2017-03-03 14:38:48 -08:00
Brian Kassouf
1f009518cd
s/Statement/Statements/
2017-03-03 14:38:48 -08:00
Brian Kassouf
46aa7142c1
Add mysql database type
2017-03-03 14:38:48 -08:00
Brian Kassouf
2ec5ab5616
More work on refactor and cassandra database
2017-03-03 14:38:48 -08:00
Brian Kassouf
acdcd79af3
Begin work on database refactor
2017-03-03 14:38:48 -08:00
Vishal Nayak
4b81bcb379
ssh: Added DeleteOperation to config/ca ( #2434 )
* ssh: Added DeleteOperation to config/ca
* Address review feedback
2017-03-03 10:19:45 -05:00
Vishal Nayak
491a56fe9f
AppRole: Support restricted use tokens ( #2435 )
* approle: added token_num_uses to the role
* approle: added RUD tests for token_num_uses on role
* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
Jeff Mitchell
55e69277ce
Update SSH CA logic/tests
2017-03-02 16:39:22 -05:00
Vishal Nayak
a1331278ff
Refactor the generate_signing_key processing ( #2430 )
2017-03-02 16:22:06 -05:00
Jeff Mitchell
fa474924aa
Update error text to make it more obvious what the issue is when valid principals aren't found
2017-03-02 15:56:08 -05:00
Jeff Mitchell
eca68d5913
Fix a bunch of errors from returning 5xx, and parse more duration types
2017-03-02 15:38:34 -05:00
Will May
70bfdb5ae9
Changes from code review
2017-03-02 14:36:13 -05:00
Will May
36b3d89604
Allow internal generation of the signing SSH key pair
2017-03-02 14:36:13 -05:00
Vishal Nayak
3795d2ea64
Rework ssh ca ( #2419 )
* docs: input format for default_critical_options and default_extensions
* s/sshca/ssh
* Added default_critical_options and default_extensions to the read endpoint of role
* Change default time return value to 0
2017-03-01 15:50:23 -05:00
Will May
9f75f84175
Changes from code review
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
2017-03-01 15:19:18 -05:00
Will May
ff1ff02bd7
Changes from code review
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
2017-03-01 15:19:18 -05:00
Will May
099d561b20
Add ability to create SSH certificates
2017-03-01 15:19:18 -05:00
Jeff Mitchell
47f8478a97
Fix github compile breakage after dep upgrade
2017-02-24 15:32:05 -05:00
Vishal Nayak
b762c43fe2
Aws Ec2 additional binds for SubnetID, VpcID and Region ( #2407 )
* awsec2: Added bound_region
* awsec2: Added bound_subnet_id and bound_vpc_id
* Add bound_subnet_id and bound_vpc_id to docs
* Remove fmt.Printf
* Added crud test for aws ec2 role
* Address review feedback
2017-02-24 14:19:10 -05:00
vishalnayak
2e911fc650
Fix broken build caused by resolving merge conflicts
2017-02-24 12:41:20 -05:00
Vishal Nayak
c6f138bb9a
PKI: Role switch to control lease generation ( #2403 )
* pki: Make generation of leases optional
* pki: add tests for upgrading generate_lease
* pki: add tests for leased and non-leased certs
* docs++ pki generate_lease
* Generate lease is applicable for both issuing and signing
* pki: fix tests
* Address review feedback
* Address review feedback
2017-02-24 12:12:40 -05:00
Saj Goonatilleke
01f3056b8b
pki: Include private_key_type on DER-formatted responses from /pki/issue/ ( #2405 )
2017-02-24 11:17:59 -05:00
Jeff Mitchell
c81582fea0
More porting from rep ( #2388 )
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell
0c39b613c8
Port some replication bits to OSS ( #2386 )
2017-02-16 15:15:02 -05:00
Jeff Mitchell
d7a6ec8d43
Add some repcluster handling to audit and add some tests ( #2384 )
* Add some repcluster handling to audit and add some tests
* Fix incorrect assumption about nil auth
2017-02-16 13:09:53 -05:00
Jeff Mitchell
c96fe56d44
Fix copypasta, thanks tests
2017-02-16 01:32:39 -05:00
Jeff Mitchell
817bec0955
Add Organization support to PKI backend. ( #2380 )
Fixes #2369
2017-02-16 01:04:29 -05:00
Vishal Nayak
eb4ef0f6e0
cidrutil: added test data points ( #2378 )
2017-02-16 00:51:02 -05:00
Vishal Nayak
81c95b36eb
aws-ec2 auth: Return the role period in seconds ( #2374 )
* aws-ec2 auth: Return the role period in seconds
* cast return values to int64 for comparison with expected values
2017-02-15 10:57:57 -05:00
Jeff Mitchell
04b4a6aa50
Fix Okta auth issue when a user has no policies and/or groups set. ( #2371 )
Fixes #2367
2017-02-14 16:28:16 -05:00
Tommy Murphy
ca06bc0b53
audit: support a configurable prefix string to write before each message ( #2359 )
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
2017-02-10 16:56:28 -08:00
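An added example of the consumer side of that prefix, not code from the commit or from Vault: a parser that requires the configured prefix, hands the remainder to a JSON decoder, and leaves lines without the prefix on the unstructured path, which is how a syslog daemon's '@cee: ' handling behaves. The sample lines are constructed for this example (the field names type, request.operation and request.path follow Vault's audit records; the sshd line stands in for ordinary syslog traffic), and prefixParser, Summarize and summary are this example's own names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// auditEntry holds the few fields of a Vault audit record this example
// inspects; real records carry many more, which json.Unmarshal ignores.
type auditEntry struct {
	Type    string `json:"type"`
	Request struct {
		Operation string `json:"operation"`
		Path      string `json:"path"`
	} `json:"request"`
}

// prefixParser matches the literal prefix the audit backend was configured
// with. An empty Prefix means every line is expected to be JSON.
type prefixParser struct {
	Prefix string
}

// Parse returns (entry, prefixed, err). prefixed=false means the line did not
// carry the prefix and belongs to the unstructured stream; prefixed=true with
// a non-nil err means a line claimed to be structured but did not decode.
func (p prefixParser) Parse(line string) (auditEntry, bool, error) {
	var e auditEntry
	if !strings.HasPrefix(line, p.Prefix) {
		return e, false, nil
	}
	payload := strings.TrimPrefix(line, p.Prefix)
	if err := json.Unmarshal([]byte(payload), &e); err != nil {
		return e, true, fmt.Errorf("prefixed line is not valid JSON: %w", err)
	}
	return e, true, nil
}

// summary classifies a log stream. OpsByPath is filled only from lines that
// decoded as audit entries; malformed structured lines are counted, not dropped.
type summary struct {
	Structured   int
	Unstructured int
	Malformed    int
	OpsByPath    map[string]string
}

// Summarize runs the parser over a batch of lines, as a log shipper would.
func Summarize(p prefixParser, lines []string) summary {
	s := summary{OpsByPath: map[string]string{}}
	for _, line := range lines {
		e, prefixed, err := p.Parse(line)
		switch {
		case !prefixed:
			s.Unstructured++
		case err != nil:
			s.Malformed++
		default:
			s.Structured++
			s.OpsByPath[e.Request.Path] = e.Request.Operation
		}
	}
	return s
}

// sampleLog is constructed for this example: two prefixed audit records, one
// unrelated syslog line, and one prefixed record truncated mid-write.
var sampleLog = []string{
	`@cee: {"time":"2017-02-10T16:56:28Z","type":"request","request":{"operation":"read","path":"secret/app/db"}}`,
	`@cee: {"time":"2017-02-10T16:56:29Z","type":"response","request":{"operation":"update","path":"sys/policy/admin"}}`,
	`Feb 10 16:56:30 vault01 sshd[4242]: Accepted publickey for ops from 10.0.0.5`,
	`@cee: {"type":"request","request":{"operation":"delete"`,
}

func main() {
	s := Summarize(prefixParser{Prefix: "@cee: "}, sampleLog)
	fmt.Printf("structured=%d unstructured=%d malformed=%d\n", s.Structured, s.Unstructured, s.Malformed)
	for path, op := range s.OpsByPath {
		fmt.Printf("  %-20s %s\n", path, op)
	}
}
```

The truncated fourth line is reported as malformed rather than silently skipped; when audit records are the evidence you are reconstructing an incident from, a count of records that failed to decode is worth surfacing alongside the ones that did.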
vishalnayak
2bbc247ab4
use net.JoinHostPort
2017-02-08 18:39:09 -05:00
Jeff Mitchell
72db329d67
Add support for backup/multiple LDAP URLs. ( #2350 )
2017-02-08 14:59:24 -08:00
Jeff Mitchell
a217be589c
Merge pull request #2154 from fcantournet/default-ldap-username
ldap auth via cli defaults username to env (#2137 )
2017-02-07 21:47:59 -08:00
Jeff Mitchell
a2f07acbc4
Use Getenv instead of LookupEnv
This prevents returning empty username if LOGNAME is set but empty and USER is set but not empty.
2017-02-07 21:47:06 -08:00
Jeff Mitchell
f05b482e46
Update error text
2017-02-07 21:44:23 -08:00
Jeff Mitchell
8f957579d8
Update some help text for RADIUS
2017-02-07 16:06:27 -05:00
Matteo Sessa
29d9d5676e
RADIUS Authentication Backend ( #2268 )
2017-02-07 16:04:27 -05:00
Brian Kassouf
2923934813
Merge pull request #2326 from hashicorp/pr-2161
Add Socket Audit Backend
2017-02-07 11:27:25 -08:00
Vishal Nayak
7f2717b74a
transit: change batch input format ( #2331 )
* transit: change batch input format
* transit: no json-in-json for batch response
* docs: transit: update batch input format
* transit: fix tests after changing response format
2017-02-06 14:56:16 -05:00
Brian Kassouf
09049c2787
Added a single retry after a reconnection
2017-02-06 11:38:38 -08:00
Brian Kassouf
af1847f2b4
Update the docs and move the logic for reconnecting into its own function
2017-02-04 16:55:17 -08:00