Commit Graph

766 Commits

Author SHA1 Message Date
Vishal Nayak 3b0ff5b5f1 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-01 09:31:25 -04:00
Armon Dadgar b52d3e6506 cred/app-id: testing upgrade to salted keys 2015-06-30 18:37:10 -07:00
Armon Dadgar eeb717c901 cred/app-id: first pass at automatic upgrading to salting 2015-06-30 18:09:08 -07:00
Armon Dadgar 4b27e4d8c5 Remove SetLogger, and unify on framework.Setup 2015-06-30 17:45:20 -07:00
Armon Dadgar 5d69e7da90 Updating for backend API change 2015-06-30 17:36:12 -07:00
Vishal Nayak b0043737af lease handling fix 2015-06-30 20:21:41 -04:00
Vishal Nayak 8627f3c360 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-06-30 18:33:37 -04:00
Vishal Nayak 5e5e6788be Input validations, help strings, default_user support 2015-06-30 18:33:17 -04:00
Armon Dadgar 8bc99f8c23 helper/uuid: single generateUUID definition 2015-06-30 12:38:32 -07:00
Armon Dadgar 3c58773598 Merge pull request #380 from kgutwin/cert-cli
Enable TLS client cert authentication via the CLI
2015-06-30 11:44:28 -07:00
Armon Dadgar b1f7e2f0ea ldap: fixing merge conflict 2015-06-30 09:40:43 -07:00
Jeff Mitchell 762108d9eb Put timestamp back into the username. Since Cassandra doesn't support expiration, this can be used by scripts to manually clean up old users if revocation fails for some reason.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 11:15:46 -04:00
Jeff Mitchell 42b90fa9b9 Address some issues from code review.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:27:23 -04:00
Jeff Mitchell fccbc587c6 A Cassandra secrets backend.
Supports creation and deletion of users in Cassandra using flexible CQL queries.

TLS, including client authentication, is supported.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:04:01 -04:00
Karl Gutwin 0062d923cc Better error messages. 2015-06-30 08:59:38 -04:00
Karl Gutwin a54ba31635 Merge remote-tracking branch 'upstream/master' into cert-cli 2015-06-30 08:31:00 -04:00
Karl Gutwin dafcc5b2ce enable CLI cert login 2015-06-29 23:29:41 -04:00
Vishal Nayak f7a0c17100 merge changes from master 2015-06-29 22:01:43 -04:00
Vishal Nayak 91ed2dcdc2 Refactoring changes 2015-06-29 22:00:08 -04:00
esell c0e1843263 change skipsslverify to insecure_tls 2015-06-29 19:23:31 -06:00
Armon Dadgar 12d3aee58e audit: fixing panic caused by tls connection state. Fixes #322 2015-06-29 17:16:17 -07:00
Armon Dadgar add8e1a3fd Fixing merge conflict 2015-06-29 15:19:04 -07:00
Armon Dadgar 337997ab04 Fixing merge conflict 2015-06-29 14:50:55 -07:00
Vishal Nayak 0f2c1f867e SCP in pure GO and CIDR parsing fix 2015-06-29 11:49:34 -04:00
Vishal Nayak 29696d4b6b Creating SSH keys and removal of files in pure 'go' 2015-06-26 15:43:27 -04:00
Vishal Nayak 8c15e2313b ssh/lookup implementation and refactoring 2015-06-25 21:47:32 -04:00
Vishal Nayak f39df58eef Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-06-24 18:13:26 -04:00
Vishal Nayak b237a3bcc2 POC: Rework. Doing away with policy file. 2015-06-24 18:13:12 -04:00
esell e81f966842 Set SkipSSLVerify default to false, add warning in help message 2015-06-24 13:38:14 -06:00
esell d3225dae07 cleanup the code a bit 2015-06-24 10:09:29 -06:00
esell 84371ea734 allow skipping SSL verification on ldap auth 2015-06-24 10:05:45 -06:00
Jeff Mitchell e086879fa3 Merge remote-tracking branch 'upstream/master' into f-pki 2015-06-19 13:01:26 -04:00
Vishal Nayak f8d164f477 SSHs to multiple users by registering the respective host keys 2015-06-19 12:59:36 -04:00
Jeff Mitchell a6fc48b854 A few things:
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
Nate Brown 4ec685dc1a Logging authentication errors and bad token usage 2015-06-18 18:30:18 -07:00
Vishal Nayak 90605c6079 merging with master 2015-06-18 20:51:11 -04:00
Vishal Nayak 8d98968a54 Roles, key renewal handled. End-to-end basic flow working. 2015-06-18 20:48:41 -04:00
Jeff Mitchell 34f495a354 Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
Vishal Nayak 2aed5f8798 Implementation for storing and deleting the host information in Vault 2015-06-17 22:10:47 -04:00
Armon Dadgar d34861b811 secret/transit: allow policies to be upserted 2015-06-17 18:51:05 -07:00
Armon Dadgar f53d31a580 secret/transit: Use special endpoint to get underlying keys. Fixes #219 2015-06-17 18:42:23 -07:00
Vishal Nayak cfef144dc2 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-06-17 20:34:56 -04:00
Vishal Nayak 303a7cef9a Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH. 2015-06-17 20:33:03 -04:00
Armon Dadgar 45d3c512fb builtin: fixing API change in logical framework 2015-06-17 14:34:11 -07:00
Armon Dadgar 30de4ea80d secret/postgres: Ensure sane username length. Fixes #326 2015-06-17 13:31:56 -07:00
Jeff Mitchell 29e7ec3e21 A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.

More refactoring could be done within the PKI backend itself, but that can wait.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
Vishal Nayak 3ed73d98c2 Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 12:39:49 -04:00
Vishal Nayak 08c921c75e Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 16:58:54 -04:00
Jeff Mitchell 49f1fdbdcc Merge branch 'master' into f-pki 2015-06-16 13:43:25 -04:00
Jeff Mitchell 03b0675350 A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions
useful for other parts of Vault (including the API) to take advantage of.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-16 13:43:12 -04:00
Mitchell Hashimoto 4bf84392ec credential/github: get rid of stray tab 2015-06-16 10:05:51 -07:00
Mitchell Hashimoto 0ecf05c043 command/auth, github: improve cli docs
/cc @sethvargo
2015-06-16 10:05:11 -07:00
Christian Svensson e3d3012795 Record the common name in TLS metadata
It is useful to be able to save the client cert's Common Name for auditing purposes when using a central CA.

This adds a "common_name" value to the Metadata structure passed from login.
2015-06-14 23:18:21 +01:00
Jeff Mitchell ae1cbc1a7a Erp, forgot this feedback...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 23:16:13 -04:00
Jeff Mitchell 7cf1f186ed Add locking for revocation/CRL generation. I originally was going to use an RWMutex but punted, because it's not worth trying to save some milliseconds with the possibility of getting something wrong. So the entire operations are now wrapped, which is minimally slower but very safe.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 22:28:13 -04:00
Jeff Mitchell 018c0ec7f5 Address most of Armon's initial feedback.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 21:57:05 -04:00
Jeff Mitchell 1513e2baa4 Add acceptance tests
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling

Also, fix a bug when trying to get code signing certificates.

Not tested:
* Revocation (I believe this is impossible with the current testing framework)

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jeff Mitchell 0d832de65d Initial PKI backend implementation.
Complete:
* Up-to-date API documents
* Backend configuration (root certificate and private key)
* Highly granular role configuration
* Certificate generation
* CN checking against role
* IP and DNS subject alternative names
* Server, client, and code signing usage types
* Later certificate (but not private key) retrieval
* CRL creation and update
* CRL/CA bare endpoints (for cert extensions)
* Revocation (both Vault-native and by serial number)
* CRL force-rotation endpoint

Missing:
* OCSP support (can't implement without changes in Vault)
* Unit tests

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jonathan Sokolowski 348924eaab logical/consul: Combine policy and lease into single storage struct 2015-05-28 09:36:23 +10:00
Jonathan Sokolowski 6b0820d709 logical/consul: custom lease time for roles 2015-05-27 09:53:46 +10:00
Ian Unruh 2e1bce27a9 Allow dot in LDAP login username 2015-05-20 11:54:15 -07:00
Armon Dadgar cc966d6b52 auth/cert: Guard against empty certs. Fixes #214 2015-05-18 16:11:09 -07:00
Armon Dadgar 56659a2db2 cred/app-id: ensure consistent error message 2015-05-15 11:45:57 -07:00
Armon Dadgar 8cff23f29b cred/app-id: stricter validation and error messaging 2015-05-15 11:40:45 -07:00
Jonathan Sokolowski 6746a24c78 credential/app-id: Test DeleteOperation 2015-05-14 22:30:02 +10:00
Etourneau Gwenn a3fe4b889f Fix Error message 2015-05-12 14:32:09 +09:00
Mitchell Hashimoto 1ca0b2340c credential/app-id: add hash of user/app ID to metadata for logs 2015-05-11 10:46:11 -07:00
Mitchell Hashimoto 5406d3189e Merge pull request #184 from hashicorp/b-github-casing
credential/github: case insensitive mappings
2015-05-11 10:27:45 -07:00
Mitchell Hashimoto 5c63b70eea logical/framework: PathMap is case insensitive by default 2015-05-11 10:27:04 -07:00
Mitchell Hashimoto 4e861f29bc credential/github: case insensitive mappings 2015-05-11 10:24:39 -07:00
Giovanni Bajo 8156b88353 auth/ldap: move password into InternalData 2015-05-09 22:06:34 +02:00
Giovanni Bajo 84388b2b20 auth/ldap: move username into the path (to allow per-user revokation on the path) 2015-05-09 22:06:28 +02:00
Giovanni Bajo 5e899e7de2 auth/ldap: fix pasto 2015-05-09 22:06:22 +02:00
Giovanni Bajo 1e1219dfcc auth/ldap: implement login renew 2015-05-09 22:04:20 +02:00
Giovanni Bajo a0f53f177c auth/ldap: document LDAP server used in tests 2015-05-09 22:04:20 +02:00
Giovanni Bajo b4093e2ddf auth/ldap: add acceptance tests 2015-05-09 22:04:20 +02:00
Giovanni Bajo 02d3b1c74c auth/ldap: add support for groups with unique members 2015-05-09 22:04:20 +02:00
Giovanni Bajo c313ff2802 auth/ldap: implement authorization via LDAP groups 2015-05-09 22:04:20 +02:00
Giovanni Bajo dc6b4ab9db auth/ldap: add configuration path for groups 2015-05-09 22:04:20 +02:00
Giovanni Bajo 7e39da2e67 Attempt connection to LDAP server at login time.
Also switch to a LDAP library fork which fixes a panic when
shutting down a connection immediately.
2015-05-09 22:04:19 +02:00
Giovanni Bajo 7492c5712a Initial implementation of the LDAP credential backend 2015-05-09 22:04:19 +02:00
Seth Vargo f3c3f4717a Remove references to -var 2015-05-08 11:45:29 -04:00
Armon Dadgar a6a4bee2ee cred/app-id: Add help synopsis to login path 2015-05-07 15:45:43 -07:00
Seth Vargo 04015fdf55 Fix output from GitHub help 2015-05-07 14:13:12 -04:00
Armon Dadgar b07d0bc56f audit/file: Create file if it does not exist. Fixes #148 2015-05-06 11:33:06 -07:00
Mitchell Hashimoto deab183cbd token/disk: write token with 0600 2015-05-02 13:34:01 -07:00
Trevor Pounds 582677b134 Fix documentation typo. 2015-04-28 22:15:56 -07:00
Armon Dadgar 848433a355 audit/file: add log_raw parameter and default to hashing 2015-04-27 15:56:41 -07:00
Armon Dadgar f01e14351a audit/syslog: switch defaults 2015-04-27 15:56:41 -07:00
Armon Dadgar de7a81a8fb audit/syslog: Copy structure before hashing to avoid breaking result 2015-04-27 15:56:40 -07:00
Armon Dadgar 1b659d41ff audit/syslog: Hash everything by default, optionally disable 2015-04-27 15:56:40 -07:00
Armon Dadgar bb1dd509d7 audit/syslog: first pass 2015-04-27 15:56:40 -07:00
Armon Dadgar 434305a6c2 secret/aws: Using roles instead of policy 2015-04-27 14:20:28 -07:00
Armon Dadgar 5edf8cf3a8 Do not root protect role configurations 2015-04-27 14:07:20 -07:00
Armon Dadgar 12e8c0f8cf secret/postgres: secret/mysql: roles endpoints root protected 2015-04-27 14:04:10 -07:00
Armon Dadgar 816d981d1a secret/consul: replace policy with roles, and prefix the token path 2015-04-27 13:59:56 -07:00
Armon Dadgar 6a38090822 secret/transit: rename policy to keys 2015-04-27 13:52:47 -07:00
Armon Dadgar 793e6efef4 secret/transit: Adding more help. Fixes #41 2015-04-27 12:47:09 -07:00
Armon Dadgar 27c73da308 audit/file: Attempt to create directory path. Fixes #38 2015-04-27 12:40:32 -07:00
Armon Dadgar a753fadcb4 secret/postgresql: testing support for multiple statements 2015-04-27 12:00:07 -07:00
Armon Dadgar 1c8288c3da secret/postgresql: support multiple sql statements 2015-04-27 11:31:27 -07:00
Armon Dadgar 50879eb2e5 mysql: cleanup 2015-04-27 11:31:11 -07:00
Armon Dadgar 9cae5520a0 logical/consul: Added missing policy endpoints 2015-04-27 11:08:37 -07:00
Armon Dadgar 1d95694a7c secret/mysql: improve the example statement 2015-04-25 12:58:50 -07:00
Armon Dadgar 503241eeee secret/mysql: adding acceptance test 2015-04-25 12:56:23 -07:00
Armon Dadgar e378f5c4a2 secret/mysql: fixing mysql oddities 2015-04-25 12:56:11 -07:00
Armon Dadgar 57e66f3b6c secret/mysql: initial pass at mysql secret backend 2015-04-25 12:05:26 -07:00
Armon Dadgar 9087471bad credential/cert: support leasing and renewal 2015-04-24 12:58:39 -07:00
Armon Dadgar 3a9e20748b credential/cert: default display name 2015-04-24 10:52:17 -07:00
Armon Dadgar 7b4ceeb7e6 credential/cert: more validation on cert setup 2015-04-24 10:39:44 -07:00
Armon Dadgar d57c8ea0f0 credential/cert: return logical error if invalid 2015-04-24 10:36:25 -07:00
Armon Dadgar ae272b83ce credential/cert: major refactor 2015-04-24 10:31:57 -07:00
Armon Dadgar 28b18422b7 credential/cert: First pass at public key credential backend 2015-04-23 21:46:21 -07:00
Mitchell Hashimoto ee2b113831 audit/file: append 2015-04-19 22:43:39 -07:00
Mitchell Hashimoto 0b7e7190b5 credentials/userpass: integrate into auth cli 2015-04-19 15:17:24 -07:00
Mitchell Hashimoto c5cadc026d credential/userpass: renewal 2015-04-19 15:12:50 -07:00
Mitchell Hashimoto 0ae9eadfd3 credential/userpass: help 2015-04-19 15:07:11 -07:00
Mitchell Hashimoto 0aec679bb4 credential/userpass: login 2015-04-19 15:06:29 -07:00
Mitchell Hashimoto fedda20c41 credential/userpass: configuring users 2015-04-19 14:59:30 -07:00
Mitchell Hashimoto 17676af663 logical/postgresql: when renewing, alter the valid until 2015-04-18 22:55:33 -07:00
Mitchell Hashimoto 4e21f702a8 logical/consul: leasing 2015-04-18 22:29:46 -07:00
Mitchell Hashimoto 517236ea50 logical/consul: config/access is the new path for config 2015-04-18 22:28:53 -07:00
Mitchell Hashimoto 23a156b414 logical/aws: leasing/renewal support 2015-04-18 22:25:37 -07:00
Mitchell Hashimoto 2a8dfd85f4 logical/aws: fix build 2015-04-18 22:22:35 -07:00
Mitchell Hashimoto 208dd1e8be logical/aws: move root creds config to config/root 2015-04-18 22:21:31 -07:00
Mitchell Hashimoto f61626f7a6 logical/aws: support read/delete policies 2015-04-18 22:13:12 -07:00
Mitchell Hashimoto 79ccb2f412 logical/postgresql: support deleting roles and reading them 2015-04-18 21:59:59 -07:00
Mitchell Hashimoto 84bca3ef28 logical/postgresql: renew for secret 2015-04-18 21:47:19 -07:00
Mitchell Hashimoto e1e5c47362 logical/postgresql: leasing 2015-04-18 21:45:05 -07:00
Mitchell Hashimoto 8edc4d1241 logical/postgres: no session limit 2015-04-18 18:42:57 -07:00
Mitchell Hashimoto 39b8ae1b31 logical/postgers: update docs properly 2015-04-18 18:42:26 -07:00
Mitchell Hashimoto 6e10c415ef logical/postgresql: leases 2015-04-18 18:40:03 -07:00
Mitchell Hashimoto 2120235a2e logical/postgresql: create DB credentials 2015-04-18 18:37:27 -07:00
Mitchell Hashimoto d0eb1b9a74 logical/postgresql: creating roles 2015-04-18 18:09:33 -07:00
Mitchell Hashimoto d96b64286a logical/postgresql: connection 2015-04-18 17:34:36 -07:00
Mitchell Hashimoto 20324a0c9c website: more auth 2015-04-18 13:45:50 -07:00
Mitchell Hashimoto f7a1b2ced9 credential/app-id: allow restriction by CIDR block [GH-10] 2015-04-17 10:14:39 -07:00
Mitchell Hashimoto e643b48235 credential/app-id: support associating a name with app ID [GH-9] 2015-04-17 10:01:03 -07:00
Mitchell Hashimoto 37af1683c6 credential/*: adhere to new API 2015-04-17 09:40:28 -07:00
Armon Dadgar 07bffafbbd Adding transit logical backend 2015-04-15 17:08:12 -07:00
Armon Dadgar 381aa0f7af logical/aws: Use display name for IAM username 2015-04-15 15:05:00 -07:00
Armon Dadgar 489e79ffd3 logical/consul: Use the DisplayName for the ACL token name 2015-04-15 15:03:05 -07:00
Armon Dadgar cf2faa06ae credential/github: Set the github username as the display name 2015-04-15 14:30:46 -07:00
Mitchell Hashimoto ef95d9a10e audit/file: use JSON formatter to write output 2015-04-13 14:12:14 -07:00
Mitchell Hashimoto 48205d166b rename vault id to lease id all over 2015-04-10 20:35:14 -07:00
Mitchell Hashimoto 62f4d1dd0e credential/github: CLI handler 2015-04-06 09:53:43 -07:00
Mitchell Hashimoto 569991fcc5 credential/app-id 2015-04-04 18:41:49 -07:00
Mitchell Hashimoto 8bfa12297d builtin/audit: add file audit 2015-04-04 18:10:25 -07:00
Mitchell Hashimoto 606b3dbff9 credential/github: improve help 2015-04-04 12:18:33 -07:00
Mitchell Hashimoto 8dc9e0e0d5 logical/framework: better string values for types 2015-04-03 21:15:59 -07:00
Mitchell Hashimoto ec9df0439b logical/aws: help 2015-04-03 21:10:54 -07:00
Mitchell Hashimoto 0bbad03c70 logical/framework: support root help 2015-04-03 20:36:47 -07:00
Mitchell Hashimoto 12a75dd304 credential/github: auth with github 2015-04-01 15:46:37 -07:00
Mitchell Hashimoto 486c3d7f30 logical/aws: policy doesn't need to be base64 2015-03-31 17:26:41 -07:00
Mitchell Hashimoto 712d144ec7 token/disk: fix args parsing 2015-03-30 23:21:17 -07:00
Mitchell Hashimoto b12feccf38 logical/*: fix compilation errors 2015-03-30 20:30:07 -07:00
Mitchell Hashimoto e40d0874e1 command/auth: tests work wihtout vault installed 2015-03-30 11:07:31 -07:00
Mitchell Hashimoto 27bc188758 token/disk: implement unencrypted disk store 2015-03-30 09:21:59 -07:00
Mitchell Hashimoto db65fd7b95 command: unit tests pass 2015-03-29 16:20:34 -07:00
Mitchell Hashimoto 3270349456 logical/consul: actual test that the token works 2015-03-21 17:23:44 +01:00
Mitchell Hashimoto 55a3423c60 logical/consul 2015-03-21 17:19:37 +01:00
Mitchell Hashimoto 05246433bb logical/aws: refactor access key create to the secret file 2015-03-21 11:49:56 +01:00
Mitchell Hashimoto 665cbaa3e4 logical/aws: remove debug I was using to test rollback :) 2015-03-21 11:20:22 +01:00
Mitchell Hashimoto 9e4b9d593b logical/aws: WAL entry for users, rollback 2015-03-21 11:18:46 +01:00
Mitchell Hashimoto 86a6062ba2 main: enable AWS backend 2015-03-20 19:32:18 +01:00
Mitchell Hashimoto 62d9bec8be logical/aws 2015-03-20 19:03:20 +01:00