Commit graph

1344 commits

Author SHA1 Message Date
Gobin Sougrakpam 048f2c3ca4 Adding validation for certificates to be proper x509 PEM encoded (#3016) 2017-07-17 10:49:50 -04:00
Jeff Mitchell 98f64e5154 Opportunistically try re-opening file audit fd on error (#2999)
Addresses a pain point from
https://github.com/hashicorp/vault/issues/2863#issuecomment-309434605
2017-07-14 11:03:01 -04:00
Jeff Mitchell 6adee19987 Add approle role name to metadata (#2985) 2017-07-13 19:07:15 -04:00
Lars Lehtonen 3f0b15826a Fix swallowed errors in builtin (#2977) 2017-07-07 08:23:12 -04:00
Jeff Mitchell 488aad00b0 Don't dial on backend startup; retry dials at log time so that transient (#2934)
network failures are worked around. Also, during a reconnect always
close the existing connection.

Fixes #2931
2017-07-06 10:18:18 -04:00
Jeff Mitchell 873aacf23f Don't panic in audit logs when reading transit keys. (#2970) 2017-07-05 11:25:10 -04:00
Will May 23ff17c769 Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 09:42:37 -04:00
Brian Shumate 4d6ca4c884 DOCS: fix typo in ssh path help (#2966) 2017-07-04 13:59:34 -04:00
Jeff Mitchell 753b68fa1b Port TestCluster changes from proxy branch 2017-07-03 14:54:01 -04:00
Brian Nuszkowski 45c7bc718f Add the option to specify a specific key id format that is generated … (#2888) 2017-06-29 04:05:06 +01:00
Jeff Mitchell 0957500abe Ensure TOTP codes cannot be reused. (#2908) 2017-06-23 16:21:34 +01:00
Jeff Mitchell be383217b6 If recovering from panic ensure the cert returned is nil 2017-06-16 18:18:15 -04:00
Jeff Mitchell 60d743a5b9 Go's SSH library can panic without warning; recover.
Ping #2877 -- but don't close yet in case there are more places.
2017-06-16 18:16:45 -04:00
Matthew Irish d26a8ebf5e add min_encryption_version to the transit key response (#2838) 2017-06-08 13:07:18 -05:00
Joel Thompson 4a934915d7 Resolve AWS IAM unique IDs (#2814) 2017-06-07 10:27:11 -04:00
Jeff Mitchell 2cc4a761f7 Honor role period for IAM auth type in AWS backend (#2828)
Fixes #2825
2017-06-07 10:18:02 -04:00
Jeff Mitchell fdf92aeba5 Add listing to database connections. (#2827)
Fixes #2823
2017-06-07 10:03:17 -04:00
Joel Thompson 7437ada31c Check if there's a bound iam arn when renewing (#2819)
Previously, the renew method would ALWAYS check to ensure the
authenticated IAM principal ARN matched the bound ARN.  However, there
is a valid use case in which no bound_iam_principal_arn is specified and
all bindings are done through inferencing. When a role is configured
like this, clients won't be able to renew their token because of the
check.

This now checks to ensure that the bound_iam_principal_arn is not empty
before requriing that it match the originally authenticated client.

Fixes #2781
2017-06-06 22:35:12 -04:00
Jeff Mitchell a7fca34076 Add ability to specify encryption key version in transit (#2821) 2017-06-06 16:02:54 -04:00
Brian Kassouf 606fe393be Use the role name in the db username (#2812) 2017-06-06 09:49:49 -04:00
Jeff Mitchell 3eebd5cf5a ed25519 support in transit (#2778) 2017-06-05 15:00:39 -04:00
Scott Sinclair 0c7d240968 Change split on instance profile name (#2802)
This now splits on the /, so we only get the last component of the instance profile name (ignoring paths)
2017-06-05 12:39:37 -04:00
Jeff Mitchell 7e02082f5f Use the oauth2 context ability to specify a clean http client. (#2808)
Hopefully fixes #2793
2017-06-05 12:27:01 -04:00
Jeff Mitchell b90c84a2c6 Add unsalted test to app-id 2017-06-05 11:37:16 -04:00
Jeff Mitchell f7df60b131 Allow accessing Warnings directly in Response. (#2806)
A change in copystructure has caused some panics due to the custom copy
function. I'm more nervous about production panics than I am about
keeping some bad code wiping out some existing warnings, so remove the
custom copy function and just allow direct setting of Warnings.
2017-06-05 10:52:43 -04:00
Jeff Mitchell 8f2ba268a0 Fix instantiation of salt funcs in app-id structs 2017-06-05 10:04:54 -04:00
Dan Stark 9f6b77598e Fixes typos in error message and comment for AWS auth CLI (#2798) 2017-06-02 17:35:25 -07:00
Andrew e33e489eee Improve EC2 describe instances performance (#2766)
Query the EC2 API for the instance ID rather than filter the results of
all instances.
2017-05-26 08:38:01 -04:00
Vishal Nayak 3c968260a8 Cert verification for non-CA certs (#2761)
* Cert verification for non-CA certs

* Added test case to ensure login fails with expired non-CA cert

* Address review feedback
2017-05-25 10:49:09 -04:00
Jeff Mitchell 9f681ea4cf Use auth-saved cert name during renewals to avoid a panic. (#2755) 2017-05-23 20:41:01 -04:00
Jeff Mitchell 7cc72a9066 Delay salt initialization for audit backends 2017-05-23 20:36:20 -04:00
Jeff Mitchell 4693881fe9 Update some path-help in datakey 2017-05-23 10:04:32 -04:00
Vishal Nayak 2557693aa3 Added host key call back for ssh config (#2752) 2017-05-21 20:16:13 -04:00
emily aa40d2cff6 add gofmt checks to Vault and format existing code (#2745) 2017-05-19 08:34:17 -04:00
sprohaska 90be96989a logical/aws: Fix typo in warning message (#2747)
Signed-off-by: Steffen Prohaska <prohaska@zib.de>
2017-05-19 06:20:54 -04:00
Brian Kassouf 533dbe5d4c Update the error when no key can be found to a more clear error text (#2720) 2017-05-12 14:14:00 -04:00
Brian Kassouf 1460c2fcc7 Add plugin level docs for what statements are supported and how they should be formatted 2017-05-11 11:59:58 -07:00
Seth Rutner 3874b63af3 Fix typos in error message (#2692) 2017-05-10 10:28:35 -04:00
Jeff Mitchell d25aa9fc21 Don't write salts in initialization, look up on demand (#2702) 2017-05-09 17:51:09 -04:00
Jeff Mitchell 185ba8a1c3 Only run cassandra tests on Travis for right now 2017-05-09 08:36:20 -04:00
Jeff Mitchell 490b01d6d8 Add salt mutex to app-id (#2690) 2017-05-08 16:15:24 -04:00
Jeff Mitchell 6f6f242061 Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 15:01:52 -04:00
Brian Kassouf 7dcec6e68f Merge remote-tracking branch 'oss/master' into database-refactor 2017-05-04 12:40:00 -07:00
Brian Kassouf 82b58d5b9c Update docs and return a better error message 2017-05-04 11:45:27 -07:00
mymercurialsky 4c0e3c5d2f Implemented TOTP Secret Backend (#2492)
* Initialized basic outline of TOTP backend using Postgresql backend as template

* Updated TOTP backend.go's structure and help string

* Updated TOTP path_roles.go's structure and help strings

* Updated TOTP path_role_create.go's structure and help strings

* Fixed typo in path_roles.go

* Fixed errors in path_role_create.go and path_roles.go

* Added TOTP secret backend information to cli commands

* Fixed build errors in path_roles.go and path_role_create.go

* Changed field values of period and digits from uint to int, added uint conversion of period when generating passwords

* Initialized TOTP test file based on structure of postgresql test file

* Added enforcement of input values

* Added otp library to vendor folder

* Added test steps and cleaned up errors

* Modified read credential test step, not working yet

* Use of vendored package not allowed - Test error

* Removed vendor files for TOTP library

* Revert "Removed vendor files for TOTP library"

This reverts commit fcd030994bc1741dbf490f3995944e091b11da61.

* Hopefully fixed vendor folder issue with TOTP Library

* Added additional tests for TOTP backend

* Cleaned up comments in TOTP backend_test.go

* Added default values of period, algorithm and digits to field schema

* Changed account_name and issuer fields to optional

* Removed MD5 as a hash algorithm option

* Implemented requested pull request changes

* Added ability to validate TOTP codes

* Added ability to have a key generated

* Added skew, qr size and key size parameters

* Reset vendor.json prior to merge

* Readded otp and barcode libraries to vendor.json

* Modified help strings for path_role_create.go

* Fixed test issue in testAccStepReadRole

* Cleaned up error formatting, variable names and path names. Also added some additional documentation

* Moveed barcode and url output to key creation function and did some additional cleanup based on requested changes

* Added ability to pass in TOTP urls

* Added additional tests for TOTP server functions

* Removed unused QRSize, URL and Generate members of keyEntry struct

* Removed unnecessary urlstring variable from pathKeyCreate

* Added website documentation for TOTP secret backend

* Added errors if generate is true and url or key is passed, removed logger from backend, and revised parameter documentation.

* Updated website documentation and added QR example

* Added exported variable and ability to disable QR generation, cleaned up error reporting, changed default skew value, updated documentation and added additional tests

* Updated API documentation to inlude to exported variable and qr size option

* Cleaned up return statements in path_code, added error handling while validating codes and clarified documentation for generate parameters in path_keys
2017-05-04 10:49:42 -07:00
Brian Kassouf 5ee0d696d4 Merge remote-tracking branch 'oss/master' into database-refactor 2017-05-04 10:45:18 -07:00
Brian Kassouf 29bfc0a0d4 PR comments 2017-05-04 10:41:59 -07:00
Brian Kassouf 0875e78a13 Feedback from PR 2017-05-03 17:37:34 -07:00
Brian Kassouf cbcb8635a4 Update databse backend tests to use the APIClientMeta for the plugin conns 2017-05-03 16:34:09 -07:00
Calvin Leung Huang 26cf09ab15 Minor comment update on cert_util 2017-05-03 16:13:54 -04:00
Chris Hoffman 1c14d207b5 Merge pull request #2575 from hashicorp/pki-colons-to-hyphens
Change storage of PKI entries from colons to hyphens
2017-05-03 15:07:15 -04:00
Chris Hoffman e34a45fdcd Minor readability enhancements for migration path from old to new 2017-05-03 14:58:22 -04:00
Calvin Leung Huang a00a7815f6 Include and use normalizeSerial func 2017-05-03 10:12:58 -04:00
Brian Kassouf 7ae8f02f4b Only wrap in tracing middleware if the logger is set to trace level 2017-05-02 17:19:49 -07:00
Brian Kassouf 29d9b831d3 Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 14:40:11 -07:00
Calvin Leung Huang 2b7a66e23b Use variables for string replacements on cert_util 2017-05-02 14:11:57 -04:00
Brian Kassouf c8bbea9f37 Rename NewPluginServer to just Serve 2017-05-02 02:00:39 -07:00
Ben Gadbois 537342f038 Fixing printf (and similar) issues (#2666) 2017-05-01 23:34:10 -04:00
Brian Kassouf b3819c433b Don't store an error response as a package variable 2017-05-01 15:30:56 -07:00
Brian Kassouf 9a60ec9fda Update interface name from Wrapper to a more descriptive RunnerUtil 2017-05-01 14:59:55 -07:00
Justin Gerace 403efeb5ae Add globbing support to the PKI backend's allowed_domains list (#2517) 2017-05-01 10:40:18 -04:00
Michael Ansel 30b71cbbac Add constraints on the Common Name for certificate-based authentication (#2595)
* Refactor to consolidate constraints on the matching chain

* Add CN prefix/suffix constraint

* Maintain backwards compatibility (pick a random cert if multiple match)

* Vendor go-glob

* Replace cn_prefix/suffix with required_name/globbing

Move all the new tests to acceptance-capable tests instead of embedding in the CRL test

* Allow authenticating against a single cert

* Add new params to documentation

* Add CLI support for new param

* Refactor for style

* Support multiple (ORed) name patterns

* Rename required_names to allowed_names

* Update docs for parameter rename

* Use the new TypeCommaStringSlice
2017-04-30 11:37:10 -04:00
Jeff Mitchell 9a72b3162f Flip back to sstarcher go-okta post-merge 2017-04-28 17:21:49 -04:00
Calvin Leung Huang ff4cf41ebb Add test for ca and crl case 2017-04-28 08:55:28 -04:00
Jeff Mitchell 0f214cc502 Switch to jefferai/go-okta for now to work around Fatal lines in upstream (#2658)
Switch to jefferai/go-okta for now to work around Fatal lines in upstream
2017-04-28 08:39:51 -04:00
Vishal Nayak 8bb6c8caef Return error message for failure to parse CSR (#2657) 2017-04-28 08:30:24 -04:00
Calvin Leung Huang 802d030506 Refactor cert_util_test 2017-04-27 17:09:59 -04:00
Calvin Leung Huang b5990321bf Verify update operation was performed on revokeCert 2017-04-27 12:30:44 -04:00
Calvin Leung Huang 3b27a9c12c Rename tests, use HandleRequest() for existing paths 2017-04-27 09:47:56 -04:00
Brian Kassouf 53752c3002 Add check to ensure we don't overwrite existing connections 2017-04-26 16:43:42 -07:00
Brian Kassouf 081101c7cf Add an error check to reset a plugin if it is closed 2017-04-26 15:55:34 -07:00
Brian Kassouf d0cad5345a Update to a RWMutex 2017-04-26 15:23:14 -07:00
Calvin Leung Huang 628e5d594b Add remaining tests 2017-04-26 16:05:58 -04:00
Brian Kassouf 4782d9d2af Update the error messages for renew and revoke 2017-04-26 10:29:16 -07:00
Brian Kassouf 892812d67d Change ttl types to TypeDurationSecond 2017-04-26 10:02:37 -07:00
Calvin Leung Huang d24757f2e0 Fix crl_util test 2017-04-26 09:58:34 -04:00
Calvin Leung Huang 18ed2d6097 Tests for cert and crl util 2017-04-26 02:46:01 -04:00
Brian Kassouf e3e5f12f9e Default deny when allowed roles is empty 2017-04-25 11:48:24 -07:00
Brian Kassouf 207d01fd39 Update the connection details data and fix allowedRoles 2017-04-25 11:11:10 -07:00
Brian Kassouf eb0f831d6a Rename path_role_create to path_creds_create 2017-04-25 10:39:17 -07:00
Brian Kassouf 3d3e4eb5a4 Use TypeCommaStringSlice for allowed_roles 2017-04-25 10:26:23 -07:00
Brian Kassouf bed1c17b1e Update logging to new structure 2017-04-25 10:24:19 -07:00
Brian Kassouf f25b367732 Don't uppercase ErrorResponses 2017-04-24 14:03:48 -07:00
Brian Kassouf 378ae98809 s/DatabaseType/Database/ 2017-04-24 13:59:12 -07:00
Joel Thompson e06a78a474 Create unified aws auth backend (#2441)
* Rename builtin/credential/aws-ec2 to aws

The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.

* Expand aws-ec2 backend to more generic aws

This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.

* Add missing aws auth handler to CLI

This was omitted from the previous commit

* aws auth backend general variable name cleanup

Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.

* Update docs for the aws auth backend

* Refactor aws bind validation

* Fix env var override in aws backend test

Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.

* Update docs on use of IAM authentication profile

AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.

* Fix typo in aws auth cli help

* Respond to PR feedback

* More PR feedback

* Respond to additional PR feedback

* Address more feedback on aws auth PR

* Make aws auth_type immutable per role

* Address more aws auth PR feedback

* Address more iam auth PR feedback

* Rename aws-ec2.html.md to aws.html.md

Per PR feedback, to go along with new backend name.

* Add MountType to logical.Request

* Make default aws auth_type dependent upon MountType

When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.

* Pass MountPoint and MountType back up to the core

Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
Brian Kassouf 6f9d178370 Calls to builtin plugins now go directly to the implementation instead of go-plugin 2017-04-20 18:46:41 -07:00
Brian Kassouf af9ff63e9a Merge remote-tracking branch 'oss/master' into database-refactor 2017-04-19 15:16:00 -07:00
Chris Hoffman 847c86f788 Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings (#2614) 2017-04-19 10:39:07 -04:00
Chris Hoffman 938eab37b6 Do not lowercase groups attached to users in ldap (#2613) 2017-04-19 10:36:45 -04:00
Chris Hoffman 2ee593c6ea Mssql driver update (#2610)
* Switching driver from mssql to sqlserver
* Adding explicit database to sp_msloginmappings call
2017-04-18 17:49:59 -04:00
Jeff Mitchell 4995c69763 Update sign-verbatim to correctly set generate_lease (#2593) 2017-04-18 15:54:31 -04:00
Mitch Davis a051ec1b59 Use service bind for searching LDAP groups (#2534)
Fixes #2387
2017-04-18 15:52:05 -04:00
Jeff Mitchell 0897da93f0 Parse and dedup but do not lowercase principals in SSH certs. (#2591) 2017-04-18 12:21:02 -04:00
Jeff Mitchell 822d86ad90 Change storage of entries from colons to hyphens and add a
lookup/migration path

Still TODO: tests on migration path

Fixes #2552
2017-04-18 11:14:23 -04:00
Jeff Mitchell e8adc13826 Fix cassandra dep breakage 2017-04-17 11:51:42 -04:00
Vishal Nayak 09cd069435 Consider new bounds as a criteria to allow role creation (#2600)
* Consider new bounds as a criteria to allow role creation

* Added a test
2017-04-17 10:36:11 -04:00
Jeff Mitchell 79fb8bdf69 Verify that a CSR specifies IP SANs before checking whether it's allowed (#2574) 2017-04-13 13:40:31 -04:00
Brian Kassouf 883c80540a Add allowed_roles parameter and checks 2017-04-13 10:33:34 -07:00
Brian Kassouf 0cfe1ea81c Cleanup path files 2017-04-12 17:35:02 -07:00
Brian Kassouf a9a05f5bba Update Type() to return an error 2017-04-12 16:41:06 -07:00