Commit graph

971 commits

Author SHA1 Message Date
Jeff Mitchell cf7c86e0f8 *Partially* revert "Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10"
This partially reverts commit 83f6b21d3ef930df0352a4ae7b1e971790e3eb22.
2018-02-22 20:15:56 -05:00
Andrei Burd 90f3788ce5 Handling nomad maxTokenNameLength = 64 (#4009) 2018-02-20 10:16:37 -05:00
Jeff Mitchell 0f26cb9b8d Fix PKI tests by generating on-demand 2018-02-20 00:23:37 -05:00
Jeff Mitchell ce8f652ef9 Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10 2018-02-19 22:46:17 -05:00
Robison Jacka 9541e8f643 Adding path roles test coverage for storing PKIX fields (#4003) 2018-02-18 16:22:35 -05:00
Robison Jacka 71d939894b Add test coverage for recently-added PKIX fields. (#4002) 2018-02-18 13:21:54 -05:00
Jeff Mitchell a408a03495 Fix missing CommonName in subject generation 2018-02-17 21:01:36 -05:00
Jeff Mitchell f29bde0052
Support other names in SANs (#3889) 2018-02-16 17:19:34 -05:00
Mohsen 41b07a0987 Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 11:11:17 -05:00
Jeff Mitchell 35906aaa6c
Add ChaCha20-Poly1305 support to transit (#3975) 2018-02-14 11:59:46 -05:00
Jeff Mitchell 8655a1c135
Various PKI updates (#3953) 2018-02-10 10:07:10 -05:00
Jeff Mitchell bd3cdd8095 Fix compile 2018-02-09 14:04:05 -05:00
Chris Hoffman 898026c58f Fix auditing for transit keys with backup/restore info (#3919) 2018-02-09 13:54:18 -05:00
Vishal Nayak 80ffd07b8b added a flag to make common name optional if desired (#3940)
* added a flag to make common name optional if desired

* Cover one more case where cn can be empty

* remove skipping when empty; instead check for emptiness before calling validateNames

* Add verification before adding to DNS names to also fix #3918
2018-02-09 13:42:19 -05:00
John Eismeier d2534c4bde Fix some typos (#3923) 2018-02-06 13:35:01 -05:00
Jeff Mitchell 642b88c76a go vet fixes 2018-02-05 14:26:31 -05:00
Jeff Mitchell fc6564e4ee
Don't run rollback and upgrade functionality if we are a replication secondary (#3900)
* Don't run rollback and upgrade functionality if we are a replication
secondary, but do if the mount is local.
2018-02-02 20:28:25 -05:00
Vishal Nayak 150ad8405b
Remove logical.Initialize() method (#3848)
* Remove logical.Initialize() method

* More cleanup

* Fix test
2018-01-25 20:19:27 -05:00
Calvin Leung Huang 385140ee6b
Version protocol switch (#3833)
* Use version to determine plugin protocol to use

* Remove field from ServeOpts

* Fix missing assignment, handle errors

* contraint -> constraint

* Inject the version string from the vault side

* Fix the version check

* Add grpc support check to database plugins

* Default to use grpc unless missing env var or fail on contraint check

* Add GRPCSupport test

* Add greater than test case

* Add go-version dep
2018-01-23 17:29:26 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Brian Kassouf 7050c1ca41
gRPC Backend Plugins (#3808)
* Add grpc plugins

* Add grpc plugins

* Translate wrap info to/from proto

* Add nil checks

* Fix nil marshaling errors

* Provide logging through the go-plugin logger

* handle errors in the messages

* Update the TLS config so bidirectional connections work

* Add connectivity checks

* Restart plugin and add timeouts where context is not availible

* Add the response wrap data into the grpc system implementation

* Add leaseoptions to pb.Auth

* Add an error translator

* Add tests for translating the proto objects

* Fix rename of function

* Add tracing to plugins for easier debugging

* Handle plugin crashes with the go-plugin context

* Add test for grpcStorage

* Add tests for backend and system

* Bump go-plugin for GRPCBroker

* Remove RegisterLicense

* Add casing translations for new proto messages

* Use doneCtx in grpcClient

* Use doneCtx in grpcClient

* s/shutdown/shut down/
2018-01-18 13:49:20 -08:00
Jeff Mitchell c231479a18
Fix max_ttl not being honored in database backend when default_ttl is zero (#3814)
Fixes #3812
2018-01-18 01:43:38 -05:00
Chris Hoffman 102ed8cfae Locking updates in database backend (#3774) 2018-01-17 19:21:59 -05:00
Chris Hoffman 5b2b168e97
Converting OU and Organization role fields to CommaStringSlice (#3804) 2018-01-17 11:53:49 -05:00
Brian Kassouf 30378d5ff6
remove the Initialize wrap and call close explicitly (#3769) 2018-01-10 13:07:55 -08:00
Brian Kassouf 01914feb18
secret/database: ensure plugins are closed if they cannot be initialized (#3768) 2018-01-09 13:14:50 -08:00
Brian Kassouf 64da50c27c
Update plugin deps to include context changes (#3765)
* Update plugin deps to include context changes

* Fix tests
2018-01-08 12:26:13 -08:00
Brian Kassouf 1c190d4bda
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Will Glynn 282f648597 Document that AWS STS lease revocation is a no-op [fixes #3736] (#3760) 2018-01-08 10:28:07 -06:00
Brian Kassouf a97b8c6f30
secret/database: Fix upgrading database backend (#3714) 2017-12-18 19:38:47 -08:00
Chris Hoffman 400d738403 use defaultconfig as base, adding env var test 2017-12-17 10:51:39 -05:00
Chris Hoffman f6bed8b925 fixing up config to allow environment vars supported by api client 2017-12-17 09:10:56 -05:00
Chris Hoffman b08606b320 adding existence check for roles 2017-12-15 19:50:20 -05:00
Chris Hoffman b904d28d82 adding access config existence check and delete endpoint 2017-12-15 19:18:32 -05:00
Chris Hoffman c71f596fbd address some feedback 2017-12-15 17:06:56 -05:00
Chris Hoffman db0006ef65 Merge remote-tracking branch 'oss/master' into f-nomad
* oss/master:
  Defer reader.Close that is used to determine sha256
  changelog++
  Avoid unseal failure if plugin backends fail to setup during postUnseal (#3686)
  Add logic for using Auth.Period when handling auth login/renew requests (#3677)
  plugins/database: use context with plugins that use database/sql package (#3691)
  changelog++
  Fix plaintext backup in transit (#3692)
  Database gRPC plugins (#3666)
2017-12-15 17:05:42 -05:00
Brian Kassouf afe53eb862
Database gRPC plugins (#3666)
* Start work on context aware backends

* Start work on moving the database plugins to gRPC in order to pass context

* Add context to builtin database plugins

* use byte slice instead of string

* Context all the things

* Move proto messages to the dbplugin package

* Add a grpc mechanism for running backend plugins

* Serve the GRPC plugin

* Add backwards compatibility to the database plugins

* Remove backend plugin changes

* Remove backend plugin changes

* Cleanup the transport implementations

* If grpc connection is in an unexpected state restart the plugin

* Fix tests

* Fix tests

* Remove context from the request object, replace it with context.TODO

* Add a test to verify netRPC plugins still work

* Remove unused mapstructure call

* Code review fixes

* Code review fixes

* Code review fixes
2017-12-14 14:03:11 -08:00
Jeff Mitchell b478ba8bac
Merge branch 'master' into f-nomad 2017-12-14 16:44:28 -05:00
Jeff Mitchell d752da3648
Update Consul to use the role's configured lease on renew. (#3684) 2017-12-14 13:28:19 -05:00
Vishal Nayak 15b3d8738e Transit: backup/restore (#3637) 2017-12-14 12:51:50 -05:00
Florent H. CARRÉ 539d86ab2d Hardening RSA keys for PKI and SSH (#3593) 2017-12-11 13:43:56 -05:00
Chris Hoffman 3b0ba609b2
Converting key_usage and allowed_domains in PKI to CommaStringSlice (#3621) 2017-12-11 13:13:35 -05:00
Mohsen 2aa576149c Small typo relating to no_store in pki secret backend (#3662)
* Removed typo :)

* Corrected typo in the website related to no_store
2017-12-07 10:40:21 -05:00
Vishal Nayak 48ac5caaa9
Transit: Refactor internal representation of key entry map (#3652)
* convert internal map to index by string

* Add upgrade test for internal key entry map

* address review feedback
2017-12-06 18:24:00 -05:00
Nicolas Corrarello b5fd1ce953
Adding SealWrap configuration, protecting the config/access path
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 21:53:21 +00:00
Nicolas Corrarello b3799697a2
Rename policy into policies 2017-11-29 16:31:17 +00:00
Nicolas Corrarello 0d8f812dc8
Checking if client is not nil before deleting token
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 16:23:03 +00:00
Nicolas Corrarello 239a9a9985
%q quotes automatically
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 16:19:31 +00:00
Nicolas Corrarello 62fe10204a
Refactoring check for empty accessor as per Vishals suggestion
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:58:39 +00:00
Nicolas Corrarello a6d3119e3e
Pull master into f-nomad
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:56:37 +00:00
Nicolas Corrarello 89466815ba
Return an error if accesor_id is nil
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:18:03 +00:00
Nicolas Corrarello 031f244922
Returning nil config if is actually nil, and catching the error before creating the client in backend.go
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 11:15:54 +00:00
Nicolas Corrarello 2a4f63e4a5
Moving LeaseConfig function to path_config_lease.go
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 11:07:17 +00:00
Nicolas Corrarello 4f91a71c29
Return error before creating a client if conf is nil 2017-11-29 11:01:31 +00:00
Nicolas Corrarello e2be4bfd74
Sanitizing error outputs 2017-11-29 10:58:02 +00:00
Nicolas Corrarello 604ead3a37
Renaming tokenRaw to accessorIDRaw to avoid confusion, as the token is not being used for revoking itself 2017-11-29 10:48:55 +00:00
Nicolas Corrarello 34b5919931
Updating descriptions, defaults for roles 2017-11-29 10:44:40 +00:00
Nicolas Corrarello fc81d8a07c
Validating that Address and Token are provided in path_config_access.go 2017-11-29 10:36:34 +00:00
Nicolas Corrarello aab72464d6
Removing legacy field scheme that belonged to the Consul API 2017-11-29 10:29:39 +00:00
Jeff Mitchell 6b72b90efa Remove allow_base_domain from PKI role output.
It was never used in a release, in favor of allow_bare_domains.

Fixes #1452 (again)
2017-11-09 10:24:36 -05:00
Jeff Mitchell 3555a17d52 Don't read out an internal role member in PKI 2017-11-08 18:20:53 -05:00
Chris Hoffman 210fe50b68 adding ttl to secret, refactoring for consistency 2017-11-07 09:58:19 -05:00
Calvin Leung Huang 9ffe6421c5 Fix deprecated cassandra backend tests (#3543) 2017-11-06 17:15:45 -05:00
Chris Hoffman 1b387f75e3 minor cleanup 2017-11-06 16:36:37 -05:00
Chris Hoffman de8c0dce99 minor cleanup 2017-11-06 16:34:20 -05:00
Gregory Reshetniak 57c9afa357 added AWS enpoint handling (#3416) 2017-11-06 13:31:38 -05:00
Jeff Mitchell 17310654a1
Add PKCS8 marshaling to PKI (#3518) 2017-11-06 12:05:07 -05:00
Nicolas Corrarello c70bfff23a
Refactored Lease into the Backend configuration 2017-11-06 15:09:56 +00:00
Nicolas Corrarello 6dc8edf09f
Attaching secretToken to backend 2017-11-06 14:28:30 +00:00
Calvin Leung Huang 512b254820
Return role info for each role on pathRoleList (#3532)
* Return role info for each role on pathRoleList

* Change roles -> key_info, only return key_type

* Do not initialize result map in parseRole, refactor ListResponseWithInfo

* Add role list test
2017-11-03 17:12:03 -04:00
Jeff Mitchell 9952ddaf69
Add some more SealWrap declarations (#3531) 2017-11-03 11:43:31 -04:00
Vishal Nayak 52df62d4ff
Encrypt/Decrypt/Sign/Verify using RSA in Transit backend (#3489)
* encrypt/decrypt/sign/verify RSA

* update path-help and doc

* Fix the bug which was breaking convergent encryption

* support both 2048 and 4096

* update doc to contain both 2048 and 4096

* Add test for encrypt, decrypt and rotate on RSA keys

* Support exporting RSA keys

* Add sign and verify test steps

* Remove 'RSA' from PEM header

* use the default salt length

* Add 'RSA' to PEM header since openssl is expecting that

* export rsa keys as signing-key as well

* Comment the reasoning behind the PEM headers

* remove comment

* update comment

* Parameterize hashing for RSA signing and verification

* Added test steps to check hash algo choice for RSA sign/verify

* fix test by using 'prehashed'
2017-11-03 10:45:53 -04:00
Nicolas Corrarello 783b38c9c4 Not storing the Nomad token as we have the accesor for administrative operations 2017-11-03 07:25:47 +00:00
Nicolas Corrarello 4b572c064c Overhauling the client method and attaching it to the backend 2017-11-03 07:19:49 +00:00
Jeff Mitchell 3a2440a651
Check input size to avoid a panic (#3521) 2017-11-02 16:40:52 -05:00
Nicolas Corrarello eb7a0c0e83 Refactoring readAcessConfig to return a single type of error instead of two 2017-11-01 08:49:31 +00:00
Nicolas Corrarello 55dd69437a Refactored config error to just have a single error exit path 2017-11-01 08:41:58 +00:00
Nicolas Corrarello 5f748a1217 Ignoring userErr as it will be nil anyway 2017-11-01 07:41:58 +00:00
Nicolas Corrarello 3ce4da75ac tokenType can never be nil/empty string as there are default values 2017-11-01 07:36:14 +00:00
Nicolas Corrarello afb5d123b9 Should return an error if trying create a management token with policies attached 2017-10-31 21:12:14 +00:00
Nicolas Corrarello d540985926 Unifying Storage and API path in role 2017-10-31 21:06:10 +00:00
Nicolas Corrarello 0fc65cabc7 Minor/Cosmetic fixes 2017-10-31 19:11:24 +00:00
Brian Kassouf 7fed43c035
Add the ability to glob allowed roles in the Database Backend (#3387)
* Add the ability to glob allowed roles in the Database Backend

* Make the error messages better

* Switch to the go-glob repo
2017-10-30 13:24:25 -07:00
Jeff Mitchell 7486df810c
Simplify TTL/MaxTTL logic in SSH CA paths and sane with the rest of how (#3507)
Vault parses/returns TTLs.
2017-10-30 15:05:47 -05:00
Jeff Mitchell d8e2179a42 Rejig some error messages in pki 2017-10-27 12:02:18 -04:00
Jeff Mitchell a25dae82dd Final sync 2017-10-23 17:39:21 -04:00
Vishal Nayak 2ede750c78 return the actual error for base64 decoding failure (#3397) 2017-10-20 11:21:45 -04:00
Jeremy Voorhis af24163abd Implement signing of pre-hashed data (#3448)
Transit backend sign and verify endpoints now support algorithm=none
2017-10-11 11:48:51 -04:00
Jeff Mitchell e3ce60eb1f Allow entering PKI URLs as arrays. (#3409)
Fixes #3407
2017-10-03 16:13:57 -04:00
Nicolas Corrarello 40839d2163 Removing ignore to cleanup function 2017-09-29 09:35:17 +01:00
Nicolas Corrarello 6390021413 Working tests 2017-09-29 09:33:58 +01:00
Nicolas Corrarello ad5f1018dd Various fixes (Null pointer, wait for Nomad go up, Auth before policy creation) 2017-09-28 23:58:41 +01:00
Nicolas Corrarello 9a011781ec Adding Global tokens to the data model 2017-09-28 23:57:48 +01:00
Nicolas Corrarello ec972939c2 Added tests 2017-09-28 21:44:30 +01:00
Nicolas Corrarello 420b46fa08 Fixing data model 2017-09-20 17:14:35 -05:00
Nicolas Corrarello 129328e842 MVP of working Nomad Secret Backend 2017-09-20 15:59:35 -05:00
Jeff Mitchell 1076cea5d1 Tests were not actually forcing the intermediate to have a longer TTL
because of mount max TTL constraint. This ups the mount max to force the
test to work as expected.
2017-09-14 22:49:04 -04:00
Jeff Mitchell cb6ac1e926 Change behavior of TTL in sign-intermediate (#3325)
* Fix using wrong public key in sign-self-issued

* Change behavior of TTL in sign-intermediate

This allows signing CA certs with an expiration past the signer's
NotAfter.

It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.

Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
2017-09-13 11:42:45 -04:00
Calvin Leung Huang 78b1dfd7bb Handle errors from getRootConfig on aws logical backend (#3294) 2017-09-08 13:00:29 -04:00
Jeff Mitchell 7be6905eb0 Add a bit more delay to backend test in case Travis is loaded 2017-09-04 14:45:12 -04:00