luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
7537 commits 1 branch 0 tags 214 MiB
Commit graph

362 commits

Author SHA1 Message Date
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities. 
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
 2016-01-08 13:05:14 -05:00
kenjones-cisco 496e9962d0 Fixes mis-placed html tag 2015-12-31 10:37:01 -05:00
kenjones c02013f631 add missing html tag 2015-12-20 14:20:30 -05:00
Jeff Mitchell 8bba9497ac Some copyediting/simplifying of the Consul page 2015-12-18 10:07:40 -05:00
kenjones 0d74de9da4 Update secret backend Consul documentation 
Adds information on the steps to get a management token for use by
Vault when communicating with Consul as a secret backend.
 2015-12-18 09:44:31 -05:00
Jeff Mitchell 7dca03eb3f Update documentation with Consul backend token_type parameter. 
Fixes #854
 2015-12-14 20:54:13 -05:00
Jeff Mitchell 448efd56fa Merge branch 'master' into pki-csrs 2015-12-08 10:57:53 -05:00
Jeff Mitchell 902b7b0589 Add a warning about consistency of IAM credentials as a stop-gap. 
Ping #687
 2015-12-08 10:56:34 -05:00
Jeff Mitchell 4eec9d69e8 Change allowed_base_domain to allowed_domains and allow_base_domain to 
allow_bare_domains, for comma-separated multi-domain support.
 2015-11-30 23:49:11 -05:00
Jeff Mitchell b6c49ddf01 Remove token display names from input options as there isn't a viable 
use-case for it at the moment
 2015-11-30 18:07:42 -05:00
Jeff Mitchell d461929c1d Documentation update 2015-11-20 13:13:57 -05:00
Jeff Mitchell 25e359084c Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up 2015-11-19 17:14:22 -05:00
Jeff Mitchell af3d6ced8e Update validator function for URIs. Change example of entering a CA to a 
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
 2015-11-19 11:35:17 -05:00
Jeff Mitchell 71f9ea8561 Make it clear that generating/setting a CA cert will overwrite what's 
there.
 2015-11-19 09:51:18 -05:00
Jeff Mitchell a95228e4ee Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-19 09:51:18 -05:00
Jeff Mitchell c461652b40 Address some feedback from review 2015-11-19 09:51:18 -05:00
Jeff Mitchell ed62afec14 Large documentation updates, remove the pathlength path in favor of 
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
 2015-11-19 09:51:18 -05:00
Jeff Mitchell ea676ad4cc Add tests for intermediate signing and CRL, and fix a couple things 
Completes extra functionality.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell e2d4a5fe0f Documentation update around path/key name encryption. 
Make it clear that path/key names in generic are not encrypted.

Fixes #697
 2015-10-29 11:21:40 -04:00
Seth Vargo 50f720bc06 Remove tabs from terminal output 
This also standardizes on the indentation we use for multi-line commands as
well as prefixes all commands with a $ to indicate a shell.
 2015-10-12 12:10:22 -04:00
vishalnayak 644a655920 mysql: made max_open_connections configurable 2015-10-01 21:15:56 -04:00
vishalnayak 2051101c43 postgresql: Configurable max open connections to the database 2015-10-01 20:11:24 -04:00
Colin Rymer e2b157aa79 Remove redundant wording for SSH OTP introduction. 2015-09-30 10:58:44 -04:00
Jeff Mitchell af27a99bb7 Remove JWT for the 0.3 release; it needs a lot of rework. 2015-09-24 16:23:44 -04:00
Dominic Luechinger 89511e6977 Fixes docs for new JWT secret backend 2015-09-24 16:47:17 +02:00
Spencer Herzberg 54c62fe5aa docs: pg username not prefixed with vault- 
due to
05fa4a4a48,
vault no longer prefixes the username with `vault-`
 2015-09-22 10:14:47 -05:00
Jeff Mitchell a5f52f43b1 Minor doc update to SSH 2015-09-21 16:26:07 -04:00
Jeff Mitchell 29c722dbb6 Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values 2015-09-21 16:14:30 -04:00
Jeff Mitchell 3eb38d19ba Update transit backend documentation, and also return the min decryption 
value in a read operation on the key.
 2015-09-21 16:13:43 -04:00
Jeff Mitchell ca33cd8423 Add API endpoint documentation to cubbyhole 2015-09-21 16:13:36 -04:00
Jeff Mitchell 273f13fb41 Add API endpoint documentation to generic 2015-09-21 16:13:29 -04:00
Jeff Mitchell 801e531364 Enhance transit backend: 
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
 2015-09-18 14:41:05 -04:00
Jeff Mitchell 538852d6d6 Add documentation for cubbyhole 2015-09-15 13:50:37 -04:00
Brian Lalor 2ae48fa586 Remove unused param to 'vault write aws/roles/deploy' 
The name is taken from the path, not the request body.  Having the duplicate key is confusing.
 2015-09-06 06:57:39 -04:00
Armon Dadgar 4eaacaf546 Merge pull request #590 from MarkVLK/patch-1 
Update mysql docs markdown to fix grammar error
 2015-09-04 19:13:50 -07:00
MarkVLK fae51d605f Update transit docs markdown to add missing word 
Added the presumably missing *decrypt* from "encrypt/data" in the first sentence.
 2015-09-04 17:11:34 -07:00
MarkVLK cd292d5372 Update mysql docs markdown to fix grammar error 
Changed "... used to **generated** those credentials" to "... used to **generate** those credentials."
 2015-09-04 17:05:45 -07:00
Vishal Nayak d4609dea28 Merge pull request #578 from hashicorp/exclude-cidr-list 
Vault SSH: Added exclude_cidr_list option to role
 2015-08-28 07:59:46 -04:00
vishalnayak b12a2f0013 Vault SSH: Added exclude_cidr_list option to role 2015-08-27 23:19:55 -04:00
Jeff Mitchell a4fc4a8e90 Deprecate lease -> ttl in PKI backend, and default to system TTL values if not given. This prevents issuing certificates with a longer duration than the maximum lease TTL configured in Vault. Fixes #470. 2015-08-27 12:24:37 -07:00
vishalnayak fbff20d9ab Vault SSH: Docs for default CIDR value 2015-08-27 13:10:15 -04:00
vishalnayak 702a869010 Vault SSH: Provide key option specifications for dynamic keys 2015-08-27 11:41:29 -04:00
Jeff Mitchell ea9fbb90bc Rejig Lease terminology internally; also, put a few JSON names back to their original values 2015-08-20 22:27:01 -07:00
Jeff Mitchell 0fa783f850 Update help text for TTL values in generic backend 2015-08-20 17:59:30 -07:00
Jeff Mitchell b57ce8e5c2 Change "lease" parameter in the generic backend to be "ttl" to reduce confusion. "lease" is now deprecated but will remain valid until 0.4. 
Fixes #528.
 2015-08-20 16:41:25 -07:00
Vishal Nayak beca9f1596 Merge pull request #385 from hashicorp/vishal/vault 
SSH Secret Backend for Vault
 2015-08-20 10:03:15 -07:00
Bernhard K. Weisshuhn 86cde438a5 avoid dashes in generated usernames for cassandra to avoid quoting issues 2015-08-20 11:15:28 +02:00
vishalnayak 76ed3bec74 Vault SSH: 1024 is default key size and removed 4096 2015-08-19 12:51:33 -07:00
vishalnayak b5cda4942b Vault SSH: doc update 2015-08-18 11:50:32 -07:00
vishalnayak b91ebbc6e2 Vault SSH: Documentation update and minor refactoring changes. 2015-08-17 18:22:03 -07:00
vishalnayak 9db318fc55 Vault SSH: Website page for SSH backend 2015-08-14 12:41:26 -07:00
vishalnayak 93dfa67039 Merging changes from master 2015-08-12 09:28:16 -07:00
vishalnayak 0abf07cb91 Vault SSH: Website doc v1. Removed path_echo 2015-08-12 09:25:28 -07:00
Erik Kristensen 2233f993ae initial pass at JWT secret backend 2015-08-06 17:49:44 -06:00
Fabian Ruff 41106d9b69 fix doc for pki/revoke API 2015-07-29 14:28:12 +02:00
Justin LaRose 361f10f79e Cassandra secret backend doc update for connection config - "hosts" instead of "host" 2015-07-23 03:07:29 -04:00
Armon Dadgar 3042452def website: fixing lots of references to vault help 2015-07-13 20:12:09 +10:00
Armon Dadgar 0be3d419c8 secret/transit: address PR feedback 2015-07-05 19:58:31 -06:00
Armon Dadgar f4d555a2ba website: document derived keys in secret/transit 2015-07-05 14:47:16 -07:00
Jeff Mitchell 42b90fa9b9 Address some issues from code review. 
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-30 09:27:23 -04:00
Jeff Mitchell fccbc587c6 A Cassandra secrets backend. 
Supports creation and deletion of users in Cassandra using flexible CQL queries.

TLS, including client authentication, is supported.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-30 09:04:01 -04:00
Jeff Mitchell e086879fa3 Merge remote-tracking branch 'upstream/master' into f-pki 2015-06-19 13:01:26 -04:00
Jeff Mitchell a6fc48b854 A few things: 
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-19 12:48:18 -04:00
Jeff Mitchell 34f495a354 Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert. 
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-18 15:22:58 -04:00
Armon Dadgar 7e6f44e39e website: document transit upsert behavior 2015-06-17 18:51:58 -07:00
Armon Dadgar 93ee9f6b76 website: update the transit documentation 2015-06-17 18:45:29 -07:00
Jeff Mitchell 49f1fdbdcc Merge branch 'master' into f-pki 2015-06-16 13:43:25 -04:00
Ryan Currah c232fee6b3 Do not output the trailing newline in encoding. 
Added -n to echo command to prevent newlines from showing up in encoding.
 2015-06-13 12:03:57 -04:00
Jeff Mitchell e17ced0d51 Fix a docs-out-of-date bug. 
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-12 16:33:00 -04:00
Jeff Mitchell db5354823f Fix some out-of-date examples. 
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-11 21:17:05 -04:00
Jeff Mitchell 1513e2baa4 Add acceptance tests 
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling

Also, fix a bug when trying to get code signing certificates.

Not tested:
* Revocation (I believe this is impossible with the current testing framework)

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-08 00:06:09 -04:00
Jeff Mitchell 0d832de65d Initial PKI backend implementation. 
Complete:
* Up-to-date API documents
* Backend configuration (root certificate and private key)
* Highly granular role configuration
* Certificate generation
* CN checking against role
* IP and DNS subject alternative names
* Server, client, and code signing usage types
* Later certificate (but not private key) retrieval
* CRL creation and update
* CRL/CA bare endpoints (for cert extensions)
* Revocation (both Vault-native and by serial number)
* CRL force-rotation endpoint

Missing:
* OCSP support (can't implement without changes in Vault)
* Unit tests

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
 2015-06-08 00:06:09 -04:00
Armon Dadgar 66ab2bbf54 Merge pull request #263 from sheldonh/iam-policy 
List IAM permissions required by root credentials
 2015-06-01 13:16:51 +02:00
Armon Dadgar 98cca9cb18 Merge pull request #261 from jsok/consul-lease 
Add ability to configure consul lease durations
 2015-06-01 13:04:28 +02:00
Chad Whitacre b83f3f2d02 Provide missing verb 2015-05-31 17:19:34 -04:00
certifiedloud ac4763027b replaced confusing term 'physical' with 'storage'. 2015-05-27 14:44:17 -06:00
Sheldon Hearn 89e7bb2569 Missed a few IAM permissions 2015-05-27 16:42:12 +02:00
Sheldon Hearn 3d2005ea56 List IAM permissions required by root credentials 2015-05-27 16:28:24 +02:00
Jonathan Sokolowski 2b1926f262 website: Update /consul/roles/ parameters 2015-05-27 09:54:15 +10:00
Armon Dadgar 96e3bac87a website: Document overwrite behavior. Fixes #182 2015-05-11 10:58:29 -07:00
Mitchell Hashimoto f3fd061ed0 Merge pull request #54 from pborreli/typos 
website: fixed typos
 2015-04-28 11:37:49 -07:00
Emil Hessman 04d09c34d2 website: merge 2015-04-28 20:36:27 +02:00
Pascal Borreli 0ec229a9c9 Fixed typos 2015-04-28 19:36:16 +01:00
Emil Hessman 3d5f3d1d70 website: address minor doc typos 2015-04-28 20:32:04 +02:00
Andrew Williams b68244b252 website: fix small typo 2015-04-28 13:21:44 -05:00
Mat Elder a7c0d26dea msyql to consul on consul backend docs 2015-04-28 14:11:42 -04:00
Armon Dadgar 43083225d0 website: remove TODO from transit quickstart 2015-04-27 14:58:53 -07:00
Armon Dadgar 434305a6c2 secret/aws: Using roles instead of policy 2015-04-27 14:20:28 -07:00
Armon Dadgar 5edf8cf3a8 Do not root protect role configurations 2015-04-27 14:07:20 -07:00
Armon Dadgar 12e8c0f8cf secret/postgres: secret/mysql: roles endpoints root protected 2015-04-27 14:04:10 -07:00
Armon Dadgar 816d981d1a secret/consul: replace policy with roles, and prefix the token path 2015-04-27 13:59:56 -07:00
Armon Dadgar 6a38090822 secret/transit: rename policy to keys 2015-04-27 13:52:47 -07:00
Armon Dadgar 190b7f30e1 website: API consistency 2015-04-27 12:30:46 -07:00
Armon Dadgar 04421a5635 website: aws API 2015-04-27 12:26:23 -07:00
Armon Dadgar b52f52ace6 website: make PG quickstart like MySQL 2015-04-27 12:16:07 -07:00
Armon Dadgar 4404dd2a8f website: adding postgresql API docs 2015-04-27 11:17:13 -07:00
Armon Dadgar 61783663e4 website: document Consul APIs 2015-04-27 11:08:47 -07:00
Seth Vargo a4b55bfc3e Add Quick Start for Postgresql 2015-04-27 09:30:21 -04:00
Seth Vargo 0ffbd1f8ea Add Quick Start for AWS 2015-04-27 09:29:16 -04:00
Armon Dadgar 6ac2c848d7 website: start consul api 2015-04-26 22:03:38 -07:00
Armon Dadgar ea29b313e9 website: consul quickstart 2015-04-26 22:03:38 -07:00
Armon Dadgar 0e12fa9b68 website: adding mysql quickstart and API 2015-04-26 22:03:38 -07:00
Armon Dadgar 0d0aec7abd website: quickstart + API for transit 2015-04-26 22:03:38 -07:00
Armon Dadgar e58676128b website: quickstart for generic 2015-04-26 22:03:38 -07:00
Armon Dadgar d801e2e555 website: adding mysql docs skeleton 2015-04-25 12:10:53 -07:00
Mitchell Hashimoto 690a932deb website: postgresql backend 2015-04-18 22:47:23 -07:00
Mitchell Hashimoto 208dd1e8be logical/aws: move root creds config to config/root 2015-04-18 22:21:31 -07:00
Mitchell Hashimoto 68e26ca2a0 website: transit backend 2015-04-17 12:56:31 -07:00
Mitchell Hashimoto 744440021f website: add a couple more secret backend sections 2015-04-13 20:42:07 -07:00
Mitchell Hashimoto 3c9b4182cb website: consul secret backend 2015-04-10 20:26:01 -07:00
Mitchell Hashimoto 3266f9513f website: aws secret backend 2015-04-10 20:24:45 -07:00
Mitchell Hashimoto a906f720b1 website: secrets index 2015-04-09 23:31:26 -07:00