Commit graph

8957 commits

Author SHA1 Message Date
Brian Kassouf 8bf1598bff
changelog++ 2018-10-01 10:49:04 -07:00
Martin 03fb39033f Add support for token passed Authorization Bearer header (#5397)
* Support Authorization Bearer as token header

* add requestAuth test

* remove spew debug output in test

* Add Authorization in CORS Allowed headers

* use const where applicable

* use less allocations in bearer token checking

* address PR comments on tests and apply last commit

* reorder error checking in a TestHandler_requestAuth
2018-10-01 10:33:21 -07:00
Chris Pick 36c20e8e2d Note that GCP auth method needs iam API enabled (#5339)
In addition to the specific permissions that are already mentioned, the project also needs the `iam.googleapis.com` API enabled, otherwise authenticating will fail with an error similar to:

```
Error authenticating: Error making API request.

URL: PUT https://localhost:8200/v1/auth/gcp/login
Code: 400. Errors:

* could not find service account key or Google Oauth cert with given 'kid' id
```
2018-10-01 10:09:32 -07:00
Vishal Nayak 8e66e474ca Ensure old group alias is removed when a new one is written (#5350) 2018-10-01 10:06:10 -07:00
Becca Petrin 3da8d38e7d point at a fork of aliyun-oss-go-sdk (#5358) 2018-10-01 10:05:08 -07:00
Chris Hoffman 33accf60be
changelog++ 2018-09-28 17:48:45 -04:00
Matthew Irish 572fb826be
UI aws engine tweaks (#5294)
* allow passing a path for options so that it can be extracted from the model

* add cred type selector for the aws generate form

* style hint text on generate creds form

* add tests for aws-credential adapter

* allow for the case where we might have zero ttl

* show error for TTL picker if a non-number is entered for the duration part of the TTL

* fix positioning of tooltips

* fix ttl rendering with invalid input for initialValue
2018-09-28 16:45:30 -05:00
Brian Shumate d62d482033 Guide/Identity: use consistent id/accessor example to fix #5340 (#5432) 2018-09-28 17:43:15 -04:00
Chris Hoffman 8ff89b972c
changelog++ 2018-09-28 17:39:48 -04:00
Jeff Mitchell 6814b0e88a changelog++ 2018-09-28 11:29:28 -04:00
Jeff Mitchell 13f98d9a4b
Fix reading Okta token parameter when config param exists (#5429)
Fixes #5409
2018-09-28 11:28:06 -04:00
Matthew Irish a22861cee9
UI - ent init (#5428)
* allow for enterprise init attributes

* allow moving from init to auth in the init flow on the tutorial machine

* show loading spinner while cluster is unsealing

* use seal-status type to determine the init attrs

* add init acceptance tests

* stored_shares should always be 1

* fix lint

* format template

* remove explicity model attr from init controller
2018-09-28 09:36:18 -05:00
Mike Christof f7bf4a4384 fixed read-entity-by-name code (#5422) 2018-09-28 07:23:46 -07:00
Calvin Leung Huang 253d999c55 docs: Update CLI page to include namespace and flags info (#5363) 2018-09-27 17:08:14 -07:00
Chris Hoffman e34a9c5395
changelog++ 2018-09-27 20:07:23 -04:00
joe miller d39ffc9e25 add allowed_organiztaional_units parameter to cert credential backend (#5252)
Specifying the `allowed_organiztaional_units` parameter to a cert auth
backend role will require client certificates to contain at least one of
a list of one or more "organizational units" (OU).

Example use cases:

Certificates are issued to entities in an organization arrangement by
organizational unit (OU). The OU may be a department, team, or any other logical
grouping of resources with similar roles. The entities within the OU
should be granted the same policies.

```
$ vault write auth/cert/certs/ou-engineering \
    certificate=@ca.pem \
    policies=engineering \
    allowed_organiztaional_units=engineering

$ vault write auth/cert/certs/ou-engineering \
    certificate=@ca.pem \
    policies=engineering \
    allowed_organiztaional_units=engineering,support
```
2018-09-27 19:04:55 -05:00
Jeff Mitchell dbae477cca changelog++ 2018-09-27 18:35:38 -04:00
Jeff Mitchell ef144c4c25 Send initialized information via sys/seal-status (#5424) 2018-09-27 14:03:37 -07:00
Ben Boeckel a5378c8c1f ask-a-question: remove mobile link (#5426) 2018-09-27 13:31:34 -07:00
Martin ea509fd2f2 only run cassandra RotateRootCred test when in Travis (#5420) 2018-09-27 10:43:33 -05:00
vishalnayak c91266950f Fix broken build 2018-09-27 10:58:04 -04:00
Joel Thompson 73112c49fb logical/aws: Harden WAL entry creation (#5202)
* logical/aws: Harden WAL entry creation

If AWS IAM user creation failed in any way, the WAL corresponding to the
IAM user would get left around and Vault would try to roll it back.
However, because the user never existed, the rollback failed. Thus, the
WAL would essentially get "stuck" and Vault would continually attempt to
roll it back, failing every time. A similar situation could arise if the
IAM user that Vault created got deleted out of band, or if Vault deleted
it but was unable to write the lease revocation back to storage (e.g., a
storage failure).

This attempts to harden it in two ways. One is by deleting the WAL log
entry if the IAM user creation fails. However, the WAL deletion could
still fail, and this wouldn't help where the user is deleted out of
band, so second, consider the user rolled back if the user just doesn't
exist, under certain circumstances.

Fixes #5190

* Fix segfault in expiration unit tests

TestExpiration_Tidy was passing in a leaseEntry that had a nil Secret,
which then caused a segfault as the changes to revokeEntry didn't check
whether Secret was nil; this is probably unlikely to occur in real life,
but good to be extra cautious.

* Fix potential segfault

Missed the else...

* Respond to PR feedback
2018-09-27 09:54:59 -05:00
Andy Manoske 463c90ae32
Merge pull request #5415 from hashicorp/partnership-broken-links
Broken link fix
2018-09-26 19:48:29 -07:00
Andy Manoske 32feda57fb
Broken link fix
Fix broken links
2018-09-26 19:48:07 -07:00
Andy Manoske 1797eb92ee
Merge pull request #5413 from hashicorp/partnerships-format
partnerships-format
2018-09-26 19:41:50 -07:00
Andy Manoske d42a78a2b1
partnerships-format
Some small formatting fixes
2018-09-26 19:41:27 -07:00
Andy Manoske 9503821d70
Merge pull request #5411 from hashicorp/partnerships-docs-fix
Fix header issues
2018-09-26 19:31:00 -07:00
Andy Manoske 05f51a4332
Fix header issues
Fix partnerships docs formatting issues
2018-09-26 19:30:28 -07:00
Andy Manoske 73eb50a791
Merge pull request #5285 from hashicorp/partnerships-add-docs
Partnerships docs updates
2018-09-26 19:18:07 -07:00
Andy Manoske ab1494389c
Merge branch 'master' into partnerships-add-docs 2018-09-26 19:17:26 -07:00
Andy Manoske 860a655814
Update community.html.erb 2018-09-26 19:16:56 -07:00
Andy Manoske 8b9160035c
Delete partnerships.html.erb 2018-09-26 19:14:06 -07:00
Andy Manoske ece77e4789
Update guides.erb 2018-09-26 19:12:03 -07:00
Andy Manoske 367d75c089
Create index.html.md 2018-09-26 19:06:22 -07:00
Andy Manoske d63e66a902
Update partnerships.html.erb 2018-09-26 18:56:48 -07:00
Brian Kassouf f5d0541d5d
Fix Capabilities check when in a child namespace (#5406) 2018-09-26 15:10:36 -07:00
Jim Kalafut d9d93e42a8
Fix server command test (#5407)
The addition of CheckMigration to the server startup process means
that physical backends in this test need to be able to respond to Get() without error.
2018-09-26 14:52:11 -07:00
Jim Kalafut e8c06e6a74
Tablify compression tests (#5405) 2018-09-26 11:08:04 -07:00
Jim Kalafut 462dc06a88 operator migrate docs (#5400)
* operator migrate docs

* Address feedback

* Fix title
2018-09-26 10:55:04 -07:00
vishalnayak a1855ad972 changelog++ 2018-09-26 11:31:04 -04:00
Joel Thompson 2dc468f4d1 auth/aws: Make identity alias configurable (#5247)
* auth/aws: Make identity alias configurable

This is inspired by #4178, though not quite exactly what is requested
there. Rather than just use RoleSessionName as the Identity alias, the
full ARN is uses as the Alias. This mitigates against concerns that an
AWS role with an insufficiently secured trust policy could allow an
attacker to generate arbitrary RoleSessionNames in AssumeRole calls to
impersonate anybody in the Identity store that had an alias set up.
By using the full ARN, the owner of the identity store has to explicitly
trust specific AWS roles in specific AWS accounts to generate an
appropriate RoleSessionName to map back to an identity.

Fixes #4178

* Respond to PR feedback

* Remove CreateOperation

Response to PR feedback
2018-09-26 08:27:12 -07:00
Jeff Mitchell 56aaaac944
Add lz4 to compressutil (#5403) 2018-09-26 09:20:33 -05:00
vishalnayak 84701bcb28 changelog++ 2018-09-26 10:16:15 -04:00
Joel Thompson 5e6f8904d8 Add AWS Secret Engine Root Credential Rotation (#5140)
* Add AWS Secret Engine Root Credential Rotation

This allows the AWS Secret Engine to rotate its credentials used to
access AWS. This will only work when the AWS Secret Engine has been
provided explicit IAM credentials via the config/root endpoint, and
further, when the IAM credentials provided are the only access key on
the IAM user associated wtih the access key (because AWS allows a
maximum of 2 access keys per user).

Fixes #4385

* Add test for AWS root credential rotation

Also fix a typo in the root credential rotation code

* Add docs for AWS root rotation

* Add locks around reading and writing config/root

And wire the backend up in a bunch of places so the config can get the
lock

* Respond to PR feedback

* Fix casing in error messages

* Fix merge errors

* Fix locking bugs
2018-09-26 07:10:00 -07:00
Joel Thompson e66795a095 logical/aws: Run Acceptance Tests in Parallel (#5383)
* Parallelize a couple AWS acceptance tests

Starting an effort to paralleize AWS secret engine acceptance tests.
Currently they take over a minute to run, and this parallelizes the two
that explicitly call a 10-second sleep, reulting in a 10-second speedup
in test time.

* Parameterize IAM user name

Probably not needed, but future-proofing the code

* Make remainder of tests parallel

AWS_ACCOUNT_ID environment variable is no longer being used; global
mutable state is a recipe for disaster when trying to run things in
parallel, and parallelizing the tests exposed a race condition in which
they were depending on the AWS_ACCOUNT_ID environment variable to be set
before they were run.

AWS_DEFAULT_REGION is still left as an environment variable because it
is required by AWS SDKs, but its configuration is now protected by a
sync.Once to ensure it only ever gets called a single time.

* Replace generateUnique*Name with testhelpers method
2018-09-25 17:10:53 -07:00
Jim Kalafut c1f7e4a276
Fix wording in log message (#5399) 2018-09-25 16:52:03 -07:00
Jim Kalafut 9d2f2ab2af
changelog++ 2018-09-25 16:23:32 -07:00
Jim Kalafut 4c80debe63
Add physical backend migrator command (#5143) 2018-09-25 16:18:22 -07:00
Brian Kassouf 49f11342ef
changelog++ 2018-09-25 13:29:16 -07:00
Brian Kassouf 8f212d702d
replication: Fix DR API checks when using a token (#5398) 2018-09-25 13:27:57 -07:00