Vishal Nayak
8c15e2313b
ssh/lookup implementation and refactoring
2015-06-25 21:47:32 -04:00
Vishal Nayak
f39df58eef
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-24 18:13:26 -04:00
Vishal Nayak
b237a3bcc2
POC: Rework. Doing away with policy file.
2015-06-24 18:13:12 -04:00
Jeff Mitchell
e086879fa3
Merge remote-tracking branch 'upstream/master' into f-pki
2015-06-19 13:01:26 -04:00
Vishal Nayak
f8d164f477
SSHs to multiple users by registering the respective host keys
2015-06-19 12:59:36 -04:00
Jeff Mitchell
a6fc48b854
A few things:
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
Vishal Nayak
90605c6079
merging with master
2015-06-18 20:51:11 -04:00
Vishal Nayak
8d98968a54
Roles, key renewal handled. End-to-end basic flow working.
2015-06-18 20:48:41 -04:00
Jeff Mitchell
34f495a354
Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
Vishal Nayak
2aed5f8798
Implementation for storing and deleting the host information in Vault
2015-06-17 22:10:47 -04:00
Armon Dadgar
d34861b811
secret/transit: allow policies to be upserted
2015-06-17 18:51:05 -07:00
Armon Dadgar
f53d31a580
secret/transit: Use special endpoint to get underlying keys. Fixes #219
2015-06-17 18:42:23 -07:00
Vishal Nayak
cfef144dc2
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-17 20:34:56 -04:00
Vishal Nayak
303a7cef9a
Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH.
2015-06-17 20:33:03 -04:00
Armon Dadgar
45d3c512fb
builtin: fixing API change in logical framework
2015-06-17 14:34:11 -07:00
Armon Dadgar
30de4ea80d
secret/postgres: Ensure sane username length. Fixes #326
2015-06-17 13:31:56 -07:00
Jeff Mitchell
29e7ec3e21
A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.
More refactoring could be done within the PKI backend itself, but that can wait.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
Vishal Nayak
3ed73d98c2
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect
2015-06-17 12:39:49 -04:00
Vishal Nayak
08c921c75e
Vault SSH: POC Stage 1. Skeleton implementation.
2015-06-16 16:58:54 -04:00
Jeff Mitchell
49f1fdbdcc
Merge branch 'master' into f-pki
2015-06-16 13:43:25 -04:00
Jeff Mitchell
03b0675350
A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions
useful for other parts of Vault (including the API) to take advantage of.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-16 13:43:12 -04:00
Mitchell Hashimoto
4bf84392ec
credential/github: get rid of stray tab
2015-06-16 10:05:51 -07:00
Mitchell Hashimoto
0ecf05c043
command/auth, github: improve cli docs
/cc @sethvargo
2015-06-16 10:05:11 -07:00
Christian Svensson
e3d3012795
Record the common name in TLS metadata
It is useful to be able to save the client cert's Common Name for auditing purposes when using a central CA.
This adds a "common_name" value to the Metadata structure passed from login.
2015-06-14 23:18:21 +01:00
Jeff Mitchell
ae1cbc1a7a
Erp, forgot this feedback...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 23:16:13 -04:00
Jeff Mitchell
7cf1f186ed
Add locking for revocation/CRL generation. I originally was going to use an RWMutex but punted, because it's not worth trying to save some milliseconds with the possibility of getting something wrong. So the entire operations are now wrapped, which is minimally slower but very safe.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 22:28:13 -04:00
Jeff Mitchell
018c0ec7f5
Address most of Armon's initial feedback.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 21:57:05 -04:00
Jeff Mitchell
1513e2baa4
Add acceptance tests
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling
Also, fix a bug when trying to get code signing certificates.
Not tested:
* Revocation (I believe this is impossible with the current testing framework)
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jeff Mitchell
0d832de65d
Initial PKI backend implementation.
Complete:
* Up-to-date API documents
* Backend configuration (root certificate and private key)
* Highly granular role configuration
* Certificate generation
* CN checking against role
* IP and DNS subject alternative names
* Server, client, and code signing usage types
* Later certificate (but not private key) retrieval
* CRL creation and update
* CRL/CA bare endpoints (for cert extensions)
* Revocation (both Vault-native and by serial number)
* CRL force-rotation endpoint
Missing:
* OCSP support (can't implement without changes in Vault)
* Unit tests
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jonathan Sokolowski
348924eaab
logical/consul: Combine policy and lease into single storage struct
2015-05-28 09:36:23 +10:00
Jonathan Sokolowski
6b0820d709
logical/consul: custom lease time for roles
2015-05-27 09:53:46 +10:00
Ian Unruh
2e1bce27a9
Allow dot in LDAP login username
2015-05-20 11:54:15 -07:00
Armon Dadgar
cc966d6b52
auth/cert: Guard against empty certs. Fixes #214
2015-05-18 16:11:09 -07:00
Armon Dadgar
56659a2db2
cred/app-id: ensure consistent error message
2015-05-15 11:45:57 -07:00
Armon Dadgar
8cff23f29b
cred/app-id: stricter validation and error messaging
2015-05-15 11:40:45 -07:00
Jonathan Sokolowski
6746a24c78
credential/app-id: Test DeleteOperation
2015-05-14 22:30:02 +10:00
Etourneau Gwenn
a3fe4b889f
Fix Error message
2015-05-12 14:32:09 +09:00
Mitchell Hashimoto
1ca0b2340c
credential/app-id: add hash of user/app ID to metadata for logs
2015-05-11 10:46:11 -07:00
Mitchell Hashimoto
5406d3189e
Merge pull request #184 from hashicorp/b-github-casing
credential/github: case insensitive mappings
2015-05-11 10:27:45 -07:00
Mitchell Hashimoto
5c63b70eea
logical/framework: PathMap is case insensitive by default
2015-05-11 10:27:04 -07:00
Mitchell Hashimoto
4e861f29bc
credential/github: case insensitive mappings
2015-05-11 10:24:39 -07:00
Giovanni Bajo
8156b88353
auth/ldap: move password into InternalData
2015-05-09 22:06:34 +02:00
Giovanni Bajo
84388b2b20
auth/ldap: move username into the path (to allow per-user revocation on the path)
2015-05-09 22:06:28 +02:00
Giovanni Bajo
5e899e7de2
auth/ldap: fix pasto
2015-05-09 22:06:22 +02:00
Giovanni Bajo
1e1219dfcc
auth/ldap: implement login renew
2015-05-09 22:04:20 +02:00
Giovanni Bajo
a0f53f177c
auth/ldap: document LDAP server used in tests
2015-05-09 22:04:20 +02:00
Giovanni Bajo
b4093e2ddf
auth/ldap: add acceptance tests
2015-05-09 22:04:20 +02:00
Giovanni Bajo
02d3b1c74c
auth/ldap: add support for groups with unique members
2015-05-09 22:04:20 +02:00
Giovanni Bajo
c313ff2802
auth/ldap: implement authorization via LDAP groups
2015-05-09 22:04:20 +02:00
Giovanni Bajo
dc6b4ab9db
auth/ldap: add configuration path for groups
2015-05-09 22:04:20 +02:00