919155ab12
Remove double lock
2017-03-07 15:33:05 -08:00
c959882b93
Update locking functionaility
2017-03-07 13:48:29 -08:00
3d162b63cc
Use locks in a slice rather than a map, which is faster and makes things cleaner ( #2446 )
2017-03-07 11:21:32 -05:00
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
bc53e119ca
rename mysql variable
2017-03-03 15:07:41 -08:00
bba832e6bf
Make db instances immutable and add a reset path to tear down and create a new database instance with an updated config
2017-03-03 14:38:49 -08:00
29e07ac9e8
Fix mysql connections
2017-03-03 14:38:49 -08:00
24ddea9954
Add mysql into the factory
2017-03-03 14:38:48 -08:00
8e8f260d96
Add max connection lifetime param and set consistancy on cassandra session
2017-03-03 14:38:48 -08:00
1f009518cd
s/Statement/Statements/
2017-03-03 14:38:48 -08:00
46aa7142c1
Add mysql database type
2017-03-03 14:38:48 -08:00
2ec5ab5616
More work on refactor and cassandra database
2017-03-03 14:38:48 -08:00
acdcd79af3
Begin work on database refactor
2017-03-03 14:38:48 -08:00
4b81bcb379
ssh: Added DeleteOperation to config/ca ( #2434 )
...
* ssh: Added DeleteOperation to config/ca
* Address review feedback
2017-03-03 10:19:45 -05:00
491a56fe9f
AppRole: Support restricted use tokens ( #2435 )
...
* approle: added token_num_uses to the role
* approle: added RUD tests for token_num_uses on role
* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
55e69277ce
Update SSH CA logic/tests
2017-03-02 16:39:22 -05:00
a1331278ff
Refactor the generate_signing_key processing ( #2430 )
2017-03-02 16:22:06 -05:00
fa474924aa
Update error text to make it more obvious what the issue is when valid principals aren't found
2017-03-02 15:56:08 -05:00
eca68d5913
Fix a bunch of errors from returning 5xx, and parse more duration types
2017-03-02 15:38:34 -05:00
70bfdb5ae9
Changes from code review
2017-03-02 14:36:13 -05:00
36b3d89604
Allow internal generation of the signing SSH key pair
2017-03-02 14:36:13 -05:00
3795d2ea64
Rework ssh ca ( #2419 )
...
* docs: input format for default_critical_options and default_extensions
* s/sshca/ssh
* Added default_critical_options and default_extensions to the read endpoint of role
* Change default time return value to 0
2017-03-01 15:50:23 -05:00
9f75f84175
Changes from code review
...
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
2017-03-01 15:19:18 -05:00
ff1ff02bd7
Changes from code review
...
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
2017-03-01 15:19:18 -05:00
099d561b20
Add ability to create SSH certificates
2017-03-01 15:19:18 -05:00
47f8478a97
Fix github compile breakage after dep upgrade
2017-02-24 15:32:05 -05:00
b762c43fe2
Aws Ec2 additional binds for SubnetID, VpcID and Region ( #2407 )
...
* awsec2: Added bound_region
* awsec2: Added bound_subnet_id and bound_vpc_id
* Add bound_subnet_id and bound_vpc_id to docs
* Remove fmt.Printf
* Added crud test for aws ec2 role
* Address review feedback
2017-02-24 14:19:10 -05:00
2e911fc650
Fix broken build caused due to resolve merge conflicts
2017-02-24 12:41:20 -05:00
c6f138bb9a
PKI: Role switch to control lease generation ( #2403 )
...
* pki: Make generation of leases optional
* pki: add tests for upgrading generate_lease
* pki: add tests for leased and non-leased certs
* docs++ pki generate_lease
* Generate lease is applicable for both issuing and signing
* pki: fix tests
* Address review feedback
* Address review feedback
2017-02-24 12:12:40 -05:00
01f3056b8b
pki: Include private_key_type on DER-formatted responses from /pki/issue/ ( #2405 )
2017-02-24 11:17:59 -05:00
c81582fea0
More porting from rep ( #2388 )
...
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
0c39b613c8
Port some replication bits to OSS ( #2386 )
2017-02-16 15:15:02 -05:00
d7a6ec8d43
Add some repcluster handling to audit and add some tests ( #2384 )
...
* Add some repcluster handling to audit and add some tests
* Fix incorrect assumption about nil auth
2017-02-16 13:09:53 -05:00
c96fe56d44
Fix copypasta, thanks tests
2017-02-16 01:32:39 -05:00
817bec0955
Add Organization support to PKI backend. ( #2380 )
...
Fixes #2369
2017-02-16 01:04:29 -05:00
eb4ef0f6e0
cidrutil: added test data points ( #2378 )
2017-02-16 00:51:02 -05:00
81c95b36eb
aws-ec2 auth: Return the role period in seconds ( #2374 )
...
* aws-ec2 auth: Return the role period in seconds
* cast return values to int64 for comparison with expected values
2017-02-15 10:57:57 -05:00
04b4a6aa50
Fix Okta auth issue when a user has no policies and/or groups set. ( #2371 )
...
Fixes #2367
2017-02-14 16:28:16 -05:00
ca06bc0b53
audit: support a configurable prefix string to write before each message ( #2359 )
...
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
2017-02-10 16:56:28 -08:00
2bbc247ab4
use net.JoinHostPort
2017-02-08 18:39:09 -05:00
72db329d67
Add support for backup/multiple LDAP URLs. ( #2350 )
2017-02-08 14:59:24 -08:00
a217be589c
Merge pull request #2154 from fcantournet/default-ldap-username
...
ldap auth via cli defaults username to env (#2137 )
2017-02-07 21:47:59 -08:00
a2f07acbc4
Use Getenv instead of LookupEnv
...
This prevents returning empty username if LOGNAME is set but empty and USER is set but not empty.
2017-02-07 21:47:06 -08:00
f05b482e46
Update error text
2017-02-07 21:44:23 -08:00
8f957579d8
Update some help text for RADIUS
2017-02-07 16:06:27 -05:00
29d9d5676e
RADIUS Authentication Backend ( #2268 )
2017-02-07 16:04:27 -05:00
2923934813
Merge pull request #2326 from hashicorp/pr-2161
...
Add Socket Audit Backend
2017-02-07 11:27:25 -08:00
7f2717b74a
transit: change batch input format ( #2331 )
...
* transit: change batch input format
* transit: no json-in-json for batch response
* docs: transit: update batch input format
* transit: fix tests after changing response format
2017-02-06 14:56:16 -05:00
09049c2787
Added a single retry after a reconnection
2017-02-06 11:38:38 -08:00
af1847f2b4
Update the docs and move the logic for reconnecting into its own function
2017-02-04 16:55:17 -08:00
5de633fd27
Make userpass help text mention radius too
2017-02-04 07:48:30 -05:00
a8ea05f365
Add default mount param to userpass cli handler
2017-02-04 07:47:09 -05:00
b38eeec96a
Add write deadline and a Reload function
2017-02-02 15:44:56 -08:00
b09077c2d8
add socket audit backend
2017-02-02 14:21:48 -08:00
6701ba8a10
Configure the request headers that are output to the audit log ( #2321 )
...
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited
* Remove some debug lines
* Add a persistant layer and refactor a bit
* update the api endpoints to be more restful
* Add comments and clean up a few functions
* Remove unneeded hash structure functionaility
* Fix existing tests
* Add tests
* Add test for Applying the header config
* Add Benchmark for the ApplyConfig method
* ResetTimer on the benchmark:
* Update the headers comment
* Add test for audit broker
* Use hyphens instead of camel case
* Add size paramater to the allocation of the result map
* Fix the tests for the audit broker
* PR feedback
* update the path and permissions on config/* paths
* Add docs file
* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
5fb28f53cb
Transit: Support batch encryption and decryption ( #2143 )
...
* Transit: Support batch encryption
* Address review feedback
* Make the normal flow go through as a batch request
* Transit: Error out if encryption fails during batch processing
* Transit: Infer the 'derived' parameter based on 'context' being set
* Transit: Batch encryption doc updates
* Transit: Return a JSON string instead of []byte
* Transit: Add batch encryption tests
* Remove plaintext empty check
* Added tests for batch encryption, more coming..
* Added more batch encryption tests
* Check for base64 decoding of plaintext before encrypting
* Transit: Support batch decryption
* Transit: Added tests for batch decryption
* Transit: Doc update for batch decryption
* Transit: Sync the path-help and website docs for decrypt endpoint
* Add batch processing for rewrap
* transit: input validation for context
* transit: add rewrap batch option to docs
* Remove unnecessary variables from test
* transit: Added tests for rewrap use cases
* Address review feedback
* Address review feedback
* Address review feedback
* transit: move input checking out of critical path
* transit: allow empty plaintexts for batch encryption
* transit: use common structs for batch processing
* transit: avoid duplicate creation of structs; add omitempty to response structs
* transit: address review feedback
* transit: fix tests
* address review feedback
* transit: fix tests
* transit: rewrap encrypt user error should not error out
* transit: error out for internal errors
2017-02-02 14:24:20 -05:00
3457a11afd
awsec2: support periodic tokens ( #2324 )
...
* awsec2: support periodic tokens
* awsec2: add api docs for 'period'
2017-02-02 13:28:01 -05:00
14fcc4b6eb
approle: secret-id listing lock sanity check ( #2315 )
...
* approle: secret-id listing lock sanity
* Skip processing an empty secretIDHMAC item during the iteration
* approle: use dedicated lock for listing of secret-id-accessors
2017-02-01 18:13:49 -05:00
0548555219
Support for Cross-Account AWS Auth ( #2148 )
2017-02-01 14:16:03 -05:00
47274eca88
Add cleanup functions to multiple DB backends. ( #2313 )
...
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
f1a5a858d3
Make export errors a bit more meaningful
2017-01-30 09:25:50 -05:00
2e15dc93df
Have transit exporting return the same structure regardless of one key or many
2017-01-28 10:37:35 -05:00
6033ea884c
Okta implementation ( #1966 )
2017-01-26 19:08:52 -05:00
e788780709
Migrate cassandra test from acceptance to dockertest ( #2295 )
2017-01-25 15:37:55 -05:00
f43a041bf2
Revert "Disable PKI OU tests to fix the build"
...
This reverts commit b1ab7c5603180af9073caab1b3022ca438dc12be.
2017-01-24 09:58:28 -05:00
c8b6ab7223
Disable PKI OU tests to fix the build
2017-01-24 06:25:56 -05:00
98df700495
allow roles to set OU value in certificates issued by the pki backend ( #2251 )
2017-01-23 12:44:45 -05:00
7568a212b1
Adding support for exportable transit keys ( #2133 )
2017-01-23 11:04:43 -05:00
5aba2d47b6
ldap: Minor enhancements, tests and doc update ( #2272 )
2017-01-23 10:56:43 -05:00
fa7d61baa3
Merge pull request #2202 from fcantournet/fix_govet_fatalf
...
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
1d7ded02b4
Merge pull request #2152 from mr-tron/master
...
Thanks for submitting this. I am going to merge this in and write tests.
2017-01-13 14:29:46 -05:00
e019cca4ea
Merge pull request #2257 from bkrodgers/git-config-read
...
Added a 'read' for github config
2017-01-11 12:23:00 -05:00
f33d35f3de
Added a nil check for config and renamed org field internally.
2017-01-11 11:04:15 -06:00
cb8bbc4fbd
Transit key actions ( #2254 )
...
* add supports_* for transit key reads
* update transit docs with new supports_* fields
2017-01-11 10:05:06 -06:00
a8f12dff01
Added a 'read' for github config
2017-01-10 18:21:31 -06:00
78dacc154a
sign-verbatim should set use_csr_common_name to true ( #2243 )
2017-01-10 09:47:59 -05:00
80dc5819d3
Use dockertest.v2 ( #2247 )
...
New dockertest has a totally different API and will require some serious
refactoring. This will tide over until then by pinning the API version.
2017-01-09 13:46:54 -05:00
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
1816446f46
Address review feedback
2016-12-20 11:19:47 -05:00
b3e323bbcc
pki: Avoiding a storage read
2016-12-20 11:07:20 -05:00
db5e0bb3c3
Minor cleanup in audit backend ( #2194 )
2016-12-19 15:35:55 -05:00
2e23f1a992
pki: Appended error to error message
2016-12-19 10:49:32 -05:00
ba1cc709bd
PKI: Added error to the error message
2016-12-19 10:47:29 -05:00
bb54bd40f6
normalize some capitlization in error messages
2016-12-15 19:02:33 -05:00
8fff7daf51
Don't panic when TLS is enabled but the initial dial doesn't return a connection ( #2188 )
...
Related to #2186
2016-12-15 15:49:30 -05:00
e818efde7c
ldap auth via cli defaults username to env ( #2137 )
...
try to guess the username from 'LOGNAME' or if it isn't set 'USER'
2016-12-02 19:08:32 +01:00
6ee61af87f
Fix nil value panic when Consul returns a user error ( #2145 )
2016-12-01 10:22:32 -08:00
3d66907966
Disallow passwords LDAP binds by default ( #2103 )
2016-12-01 10:11:40 -08:00
2797c609b0
fix checking that users policies is not nil
2016-11-29 16:35:49 +03:00
cc374b3e2c
add support per user acl for ldap users
2016-11-29 13:32:59 +03:00
5eaef287a8
Close ldap connection to avoid leak ( #2130 )
2016-11-28 09:31:36 -08:00
890c19312f
Update path help for approle secret id TTL
2016-11-15 11:50:51 -05:00
637414a623
Added support for individual user policy mapping in github auth backend. ( #2079 )
2016-11-10 16:21:14 -05:00
ba3dc07bb3
Fix typo and remove trailing whitespace. ( #2074 )
2016-11-08 09:32:23 -05:00
aa68041231
Fix GitHub tests
2016-11-08 07:13:42 -05:00
50c8af0515
Add ldap tls_max_version config ( #2060 )
2016-11-07 13:43:39 -05:00
26fa2655b1
Add listing to Consul secret roles ( #2065 )
2016-11-04 12:35:16 -04:00
65f0ce8ca3
Remove the sanity check which is not proving to be useful
2016-10-27 19:11:26 -04:00
dc93e57cf1
Return the revocation_sql from role read all the time
2016-10-27 12:24:31 -04:00
e0fb8c17ce
Added revocation_sql to the website docs
2016-10-27 12:15:08 -04:00
c14a6c8666
Move policy test to keysutil package
2016-10-26 19:57:28 -04:00
6d1e1a3ba5
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 19:52:31 -04:00
79d45355c8
Merge pull request #2004 from hashicorp/role-id-update
...
Fix regression caused by not creating a role_id secondary index
2016-10-26 16:29:46 -04:00
931c96d1ba
ssh: Use temporary file to store the identity file
2016-10-18 12:50:12 -04:00
6dd560d9c6
Merge pull request #2005 from hashicorp/dedup-ldap-policies
...
Deduplicate the policies in ldap backend
2016-10-18 10:42:11 -04:00
4b6e82afcb
Add ability to list keys in transit backend ( #1987 )
2016-10-18 10:13:01 -04:00
2ce8bc95eb
Deduplicate the policies in ldap backend
2016-10-14 17:20:50 -04:00
1487dce475
Fix regression caused by not creating a role_id secondary index
2016-10-14 12:56:29 -04:00
dcf44a8fc7
Merge pull request #1980 from hashicorp/audit-update
...
Audit file update
2016-10-10 14:34:53 -04:00
0da9d1ac0c
test updates to address feedback
2016-10-10 12:58:30 -04:00
5ce9737eb4
address feedback
2016-10-10 12:16:55 -04:00
962a383bfb
address latest feedback
2016-10-10 11:58:26 -04:00
290ccee990
minor fix
2016-10-10 10:05:36 -04:00
9fc5a37e84
address feedback
2016-10-09 22:23:30 -04:00
05519a1267
adding unit tests for file mode
2016-10-09 00:33:24 -04:00
e5a7e3d6cb
initial commit to fix empty consistency option issue
2016-10-08 20:22:26 -04:00
1b8d12fe82
changes for 'mode'
2016-10-08 19:52:49 -04:00
60ceea5532
initial commit for adding audit file permission changes
2016-10-07 15:09:32 -04:00
c45ab41b39
Update aws-ec2 configuration help
...
Updated to reflect enhanced functionality and clarify necessary
permissions.
2016-10-05 12:40:58 -07:00
70a9fc47b4
Don't use quoted identifier for the username
2016-10-05 14:31:19 -04:00
7f9a88d8db
Postgres revocation sql, beta mode ( #1972 )
2016-10-05 13:52:59 -04:00
de5dec6b15
Refactor mysql's revoke SQL
2016-10-04 19:30:25 -04:00
1ab7023483
Merge pull request #1914 from jpweber/mysql-revoke
...
Mysql revoke with non-wildcard hosts
2016-10-04 17:44:15 -04:00
87f206b536
removed an unused ok variable. Added warning and force use for default queries if role is nil
2016-10-04 17:15:29 -04:00
0f8c132ede
Minor doc updates
2016-10-04 15:46:09 -04:00
2e1aa80f31
Address review feedback 2
2016-10-04 15:30:42 -04:00
59475d7f14
Address review feedback
2016-10-04 15:05:44 -04:00
cc38f3253a
fixed an incorrect assignment
2016-10-03 21:51:40 -04:00
348a09e05f
Add only relevant certificates
2016-10-03 20:34:28 -04:00
dbd364453e
aws-ec2 config endpoints support type option to distinguish certs
2016-10-03 20:25:07 -04:00
ac78ddc178
More resilient around cases of missing role names and using the default when needed.
2016-10-03 20:20:00 -04:00
b105f8ccf3
Authenticate aws-ec2 instances using identity document and its RSA signature
2016-10-03 18:57:41 -04:00
0a7f1089ca
Refactored logic some to make sure we can always fall back to default revoke statments
...
Changed rolename to role
made default sql revoke statments a const
2016-10-03 15:59:56 -04:00
704fccaf2e
fixed some more issues I had with the tests.
2016-10-03 15:58:09 -04:00
a2d6624a69
renamed rolname to role
2016-10-03 15:57:47 -04:00
bfb0c2d3ff
Reduced duplicated code and fixed comments and simple variable name mistakes
2016-10-03 14:53:05 -04:00
bb70ecc5a7
Added test for revoking mysql user with wild card host and non-wildcard host
2016-10-02 22:28:54 -04:00
dbb00534d9
saving role name to the Secret Internal data. Default revoke query added
...
The rolename is now saved to the secret internal data for fetching
later during the user revocation process. No longer deriving the role
name from request path
Added support for default revoke SQL statements that will provide the
same functionality as before. If not revoke SQL statements are provided
the default statements are used.
Cleaned up personal ignores from the .gitignore file
2016-10-02 18:53:16 -04:00
6d00f0c483
Adds HUP support for audit log files to close and reopen. ( #1953 )
...
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.
As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
4c74b646fe
Merge pull request #1947 from hashicorp/secret-id-lookup-delete
...
Introduce lookup and destroy endpoints for secret IDs and its accessors
2016-09-29 10:19:54 -04:00
34e76f8b41
Added website docs for lookup and destroy APIs
2016-09-28 22:11:48 -04:00
d20819949c
Make secret-id reading and deleting, a POST op instead of GET
2016-09-28 20:22:37 -04:00
2dd1f584e6
Update documentation for required AWS API permissions
...
In order for Vault to map IAM instance profiles to roles, Vault
must query the 'iam:GetInstanceProfile' API, so update the documentation
and help to include the additional permissions needed.
2016-09-28 16:50:20 -07:00
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
5adfaa0d7d
Merge pull request #1939 from hashicorp/secret-id-upgrade
...
Respond secret_id_num_uses and deprecate SecretIDNumUses
2016-09-28 18:16:07 -04:00
e9142f418a
Added todo to remind removal of upgrade code
2016-09-28 18:17:13 -04:00
e01f99f042
Check for prefix match instead of exact match for IAM bound parameters
2016-09-28 18:08:28 -04:00
21d9731286
Don't reset the deprecated value yet
2016-09-28 15:48:50 -04:00
4a30a6b4f8
Merge pull request #1913 from hashicorp/bound-iam-instance-profile-arn
...
Proper naming for bound_iam_instance_profile_arn
2016-09-28 15:34:56 -04:00
31e450a175
Add some validation checks
2016-09-28 15:36:02 -04:00
9eabf75f5f
Fix the misplaced response warning
2016-09-28 14:20:03 -04:00
a2338f5970
Added testcase to check secret_id_num_uses
2016-09-28 13:58:53 -04:00
ba1d238f9b
Pull out reading and storing of secret ID into separate functions and handle upgrade properly
2016-09-28 12:42:26 -04:00
010293ccc3
Merge pull request #1931 from hashicorp/cass-consistency
...
Adding consistency into cassandra
2016-09-27 21:12:02 -04:00
d235acf809
Adding support for chained intermediate CAs in pki backend ( #1694 )
2016-09-27 17:50:17 -07:00
5ac43873c4
minor updates
2016-09-27 20:35:11 -04:00
e14fe05c13
added parsing at role creation
2016-09-27 16:01:51 -04:00
4938aa56bf
initial commit for consistency added into cassandra
2016-09-27 13:25:18 -04:00
5eff59c410
Fix "SecretIDNumUses" in AppRole auth backend
...
There was a typo.
2016-09-27 17:26:52 +03:00
b1ee56a15b
Merge pull request #1910 from hashicorp/secret-id-cidr-list
...
CIDR restrictions on Secret ID
2016-09-26 10:22:48 -04:00
a4b119dc25
Merge pull request #1920 from legal90/fix-approle-delete
...
Fix panic on deleting the AppRole which doesn't exist
2016-09-26 10:05:33 -04:00
3f77013004
Fix panic on deleting the AppRole which doesn't exist
...
#pathRoleDelete should return silently if the specified AppRole doesn't exist
Fixes GH-1919
2016-09-26 16:55:08 +03:00
da5b5d3a8e
Address review feedback from @jefferai
2016-09-26 09:53:24 -04:00
d080107a87
Update docs to contain bound_iam_role_arn
2016-09-26 09:37:38 -04:00
bf0b7f218e
Implemented bound_iam_role_arn constraint
2016-09-23 21:35:36 -04:00
e0ea497cfe
Getting role name from the creds path used in revocation
2016-09-23 16:57:08 -04:00
8709406eb3
secretCredsRevoke command no longer uses hardcoded query
...
The removal of a user from the db is now handled similar to the
creation. The SQL is read out of a key from the role and then executed
with values substituted for username.
2016-09-23 16:05:49 -04:00
1bed6bfc2c
Added support for a revokeSQL key value pair to the role
2016-09-23 16:00:23 -04:00
6bf871995b
Don't use time.Time in responses. ( #1912 )
...
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
e0c41f02c8
Fix incorrect naming of bound_iam_instance_profile_arn
2016-09-23 11:22:23 -04:00
c26754000b
Fix ssh tests
2016-09-22 11:37:55 -04:00
aaadd4ad97
Store the CIDR list in the secret ID storage entry.
...
Use the stored information to validate the source address and credential issue time.
Correct the logic used to verify BoundCIDRList on the role.
Reverify the subset requirements between secret ID and role during credential issue time.
2016-09-21 20:19:26 -04:00
578b82acf5
Pass only valid inputs to validation methods
2016-09-21 15:44:54 -04:00
93604e1e2e
Added cidrutil helper
2016-09-21 13:58:32 -04:00
676e7e0f07
Ensure upgrades have a valid HMAC key
2016-09-21 11:10:57 -04:00
0ff76e16d2
Transit and audit enhancements
2016-09-21 10:49:26 -04:00
5c241d31e7
Renaming ttl_max -> max_ttl in mssql backend ( #1905 )
2016-09-20 12:39:02 -04:00
97dc0e9f64
Merge pull request #1897 from hashicorp/secret-id-accessor-locks
...
Safely manipulate secret id accessors
2016-09-19 11:37:38 -04:00
fefd3a6c0b
s/GetOctalFormatted/GetHexFormatted
2016-09-16 17:47:15 -04:00
897d3c6d2c
Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop.
2016-09-16 11:05:43 -04:00
ba72e7887a
Safely manipulate secret id accessors
2016-09-15 18:13:50 -04:00
61664bc653
Merge pull request #1886 from hashicorp/approle-upgrade-notes
...
upgrade notes entry for approle constraint and warning on role read
2016-09-15 12:14:01 -04:00
5597156886
check for nil role
2016-09-15 12:10:40 -04:00
92986bb2a0
Address review feedback
2016-09-15 11:41:52 -04:00
a1de742dce
s/disableReauthenticationNonce/reauthentication-disabled-nonce
2016-09-15 11:29:02 -04:00
9bca127631
Updated docs with nonce usage
2016-09-14 19:31:09 -04:00
857f921d76
Added comment
2016-09-14 18:27:35 -04:00
39796e8801
Disable reauthentication if nonce is explicitly set to empty
2016-09-14 17:58:00 -04:00
d0e4d77fce
address review feedback
2016-09-14 14:28:02 -04:00
d7ce69c5eb
Remove the client nonce being empty check
2016-09-14 14:28:02 -04:00
53c919b1d0
Generate the nonce by default
2016-09-14 14:28:02 -04:00
455a4ae055
address review feedback
2016-09-14 12:08:35 -04:00
b1392567d1
Use constant time comparisons for client nonce
2016-09-13 20:12:43 -04:00
d2e66014ba
Address review feedback
2016-09-13 18:30:04 -04:00
29b67141eb
Only use running state for checking if instance is alive. ( #1885 )
...
Fixes #1884
2016-09-13 18:08:05 -04:00
99a2655d8e
upgrade notes entry for approle constraint and warning on role read
2016-09-13 17:44:07 -04:00
bef9c2ee61
Ensure at least one constraint on the role
2016-09-13 16:03:15 -04:00
197c7eae5f
Allow encrypting empty ciphertext values. ( #1881 )
...
Replaces #1874
2016-09-13 12:00:04 -04:00
b599948e1c
Use uuid.GenerateRandomBytes
2016-09-09 14:17:09 -04:00
127f61473b
Not exposing structs from the backend's package
2016-09-01 11:57:28 -04:00
1db0544b7a
Use unexported kdf const names
2016-08-31 07:19:58 -04:00
c46a7391c0
Merge pull request #1799 from hashicorp/fix-role-locking
...
approle: fix racy updates problem for roles
2016-08-30 16:46:40 -04:00
cdcfa4572f
Address review feedback
2016-08-30 16:36:58 -04:00
d2239d22d9
Use hkdf for transit key derivation for new keys ( #1812 )
...
Use hkdf for transit key derivation for new keys
2016-08-30 16:29:09 -04:00
29b9295673
approle: fix racy updates problem for roles
2016-08-30 16:11:14 -04:00
9dbc97028b
STS path field description update
2016-08-30 10:53:21 -04:00
0b07ec7303
Added UpdateOperation to logical AWS STS path
2016-08-30 10:30:13 -04:00
cdd1d96a64
Merge pull request #1804 from hashicorp/issue-1800
...
Mark STS secrets as non-renwable
2016-08-29 11:46:19 -04:00
8612b6139e
Fixes #1801 Reuse Cassandra session object for create creds ( #1802 )
2016-08-28 17:32:41 -04:00
f0537572a8
Mark STS secrets as non-renwable
...
Ping #1800
2016-08-28 14:27:56 -04:00
0b113f7916
Derive nonce fully in convergent mode ( #1796 )
...
Ping #1794
2016-08-26 17:01:56 -04:00
2f5876dfe9
Use key derivation for convergent nonce. ( #1794 )
...
Use key derivation for convergent nonce.
Fixes #1792
2016-08-26 14:11:03 -04:00
28739f3528
Decode secret internal data into struct and fix type assertion. ( #1781 )
2016-08-24 15:04:04 -04:00
d1284944c3
Merge pull request #1755 from hashicorp/logxi
...
Convert to logxi
2016-08-21 19:28:18 -04:00
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
524ed6db37
Extract out common code
2016-08-21 15:46:11 -04:00
dfe73733d5
Seperate endpoints for read/delete using secret-id and accessor
2016-08-21 14:42:49 -04:00
2860dcc60f
gofmt
2016-08-19 16:48:32 -04:00
7ce631f1dc
Pretty print the warning
2016-08-18 16:09:10 -04:00
870ffd6fd8
Use shortestTTL value during renewals too
2016-08-18 15:43:58 -04:00
4f1c47478e
When TTL is not set, consider the system default TTL as well
2016-08-18 15:37:59 -04:00
56b8c33c95
aws-ec2: se max_ttl when ttl is not set, during login
2016-08-18 15:16:32 -04:00
638e61192a
Actually show the error occurring if a file audit log can't be opened
2016-08-15 16:26:36 -04:00
86874def5c
Parameter change
...
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
2016-08-14 21:43:57 -04:00
39cfd116b6
Cleanup
2016-08-13 11:52:09 -04:00
1b8711e7b7
Ensure utc value is not zero before adding
2016-08-13 11:50:57 -04:00
d6d08250ff
Ensure values to be encoded in a CRL are in UTC. This aligns with the
...
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.
Fixes #1727
2016-08-13 08:40:09 -04:00
b150c14caa
Address review feedback by @jefferai
2016-08-09 17:45:42 -04:00
8d261b1a78
Added ttl field to aws-ec2 auth backend role
2016-08-09 17:29:45 -04:00
b69ed7ea93
Fix build
2016-08-08 17:00:59 -04:00
7f6c58b807
Address review feedback
2016-08-08 16:30:48 -04:00
0a67bcb5bd
Merge pull request #1696 from hashicorp/transit-convergent-specify-nonce
...
Require nonce specification for more flexibility
2016-08-08 11:41:10 -04:00
1f198e9256
Return warning about ACLing the LDAP configuration endpoint.
...
Fixes #1263
2016-08-08 10:18:36 -04:00
606ba64e23
Remove context-as-nonce, add docs, and properly support datakey
2016-08-07 15:53:40 -04:00
1976bc0534
Add unit tests for convergence in non-context mode
2016-08-07 15:16:36 -04:00
8b1d47037e
Refactor convergent encryption to make specifying a nonce in addition to context possible
2016-08-05 17:52:44 -04:00
0b73c2ff9a
Fix PKI logical backend email alt_names
2016-08-04 12:10:34 +02:00
58e9cbbfc6
Add postgres test for block statements
2016-08-03 15:34:50 -04:00
9e204bd88c
Add arbitrary string slice parsing.
...
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.
Fixes #1619 in theory.
2016-08-03 14:24:16 -04:00
c025b292b5
Cleanup
2016-08-03 13:09:12 -04:00
cff7aada7a
Fix invalid input getting marked as internal error
2016-07-28 16:23:11 -04:00
e0c5f5f5fa
Add convergence tests to transit backend
2016-07-28 11:30:52 -04:00
a6907769b0
AppRole authentication backend
2016-07-26 09:32:41 -04:00
0cfb112e87
Explicitly set invalid request status when a password isn't included
2016-07-25 11:14:15 -04:00
dc4b85b55e
Don't return 500 for user error in userpass when setting password
2016-07-25 11:09:46 -04:00
d4c3e27c4e
Fix re-specification of filter
2016-07-25 09:08:29 -04:00
cd6d114e42
LDAP Auth Backend Overhaul
...
--------------------------
Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.
Simplified group membership lookup significantly to support multiple use-cases:
* Enumerating groups via memberOf attribute on user object
* Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
* Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matchind rule
There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.
Additional changes:
* Clarify documentation for LDAP auth backend.
* Reworked how default values are set, added tests
* Removed Dial from LDAP config read. Network should not affect configuration.
2016-07-22 21:20:05 -04:00
68dcf677fa
Fix panic if no certificates are supplied by client
...
Fixes #1637
2016-07-21 10:20:41 -04:00
b353e44209
Fix build
2016-07-21 09:53:41 -04:00
d335038b40
Ensure we never return a nil set of trusted CA certs
...
Fixes #1637
2016-07-21 09:50:31 -04:00
Brian Kassouf