Commit graph

1497 commits

Author SHA1 Message Date
Joel Thompson 53003a5e66 Let AWS auth CLI helper only generate login data (#3015)
* Let AWS auth CLI helper only generate login data

This will be useful to other golang clients so they can manage the login
process themselves.

Also helps for #2855

* Respond to PR feedback
2017-07-18 08:34:48 -04:00
Joel Thompson de419a6c99 Properly store iam_server_id_header_value (#3014)
In auth/aws/config/client, when only the iam_server_id_header_value was
being updated on an existing config, it wouldn't get stored because I
was trying to avoid unnecessarily flushing the cache of AWS clients, and
the flag to not flush the cache also meant that the updated entry didn't
get written back to the storage. This now adds a new flag for when
other changes occur that don't require flushing the cache but do require
getting written to the storage. It also adds a test for this explicitly.

Fixes #3004
2017-07-17 11:08:57 -04:00
Joel Thompson 06dda97445 Look up proper AWS account ID on aws token renew (#3012)
Also properly handle renewing tokens when bound_iam_principal_arn has a
path component.

Fixes #2990
2017-07-17 10:59:18 -04:00
Gobin Sougrakpam 048f2c3ca4 Adding validation for certificates to be proper x509 PEM encoded (#3016) 2017-07-17 10:49:50 -04:00
Jeff Mitchell 98f64e5154 Opportunistically try re-opening file audit fd on error (#2999)
Addresses a pain point from
https://github.com/hashicorp/vault/issues/2863#issuecomment-309434605
2017-07-14 11:03:01 -04:00
Jeff Mitchell 6adee19987 Add approle role name to metadata (#2985) 2017-07-13 19:07:15 -04:00
Lars Lehtonen 3f0b15826a Fix swallowed errors in builtin (#2977) 2017-07-07 08:23:12 -04:00
Jeff Mitchell 488aad00b0 Don't dial on backend startup; retry dials at log time so that transient (#2934)
network failures are worked around. Also, during a reconnect always
close the existing connection.

Fixes #2931
2017-07-06 10:18:18 -04:00
Jeff Mitchell 873aacf23f Don't panic in audit logs when reading transit keys. (#2970) 2017-07-05 11:25:10 -04:00
Will May 23ff17c769 Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 09:42:37 -04:00
Brian Shumate 4d6ca4c884 DOCS: fix typo in ssh path help (#2966) 2017-07-04 13:59:34 -04:00
Jeff Mitchell 753b68fa1b Port TestCluster changes from proxy branch 2017-07-03 14:54:01 -04:00
Brian Nuszkowski 45c7bc718f Add the option to specify a specific key id format that is generated … (#2888) 2017-06-29 04:05:06 +01:00
Jeff Mitchell 0957500abe Ensure TOTP codes cannot be reused. (#2908) 2017-06-23 16:21:34 +01:00
Jeff Mitchell be383217b6 If recovering from panic ensure the cert returned is nil 2017-06-16 18:18:15 -04:00
Jeff Mitchell 60d743a5b9 Go's SSH library can panic without warning; recover.
Ping #2877 -- but don't close yet in case there are more places.
2017-06-16 18:16:45 -04:00
Matthew Irish d26a8ebf5e add min_encryption_version to the transit key response (#2838) 2017-06-08 13:07:18 -05:00
Joel Thompson 4a934915d7 Resolve AWS IAM unique IDs (#2814) 2017-06-07 10:27:11 -04:00
Jeff Mitchell 2cc4a761f7 Honor role period for IAM auth type in AWS backend (#2828)
Fixes #2825
2017-06-07 10:18:02 -04:00
Jeff Mitchell fdf92aeba5 Add listing to database connections. (#2827)
Fixes #2823
2017-06-07 10:03:17 -04:00
Joel Thompson 7437ada31c Check if there's a bound iam arn when renewing (#2819)
Previously, the renew method would ALWAYS check to ensure the
authenticated IAM principal ARN matched the bound ARN.  However, there
is a valid use case in which no bound_iam_principal_arn is specified and
all bindings are done through inferencing. When a role is configured
like this, clients won't be able to renew their token because of the
check.

This now checks to ensure that the bound_iam_principal_arn is not empty
before requriing that it match the originally authenticated client.

Fixes #2781
2017-06-06 22:35:12 -04:00
Jeff Mitchell a7fca34076 Add ability to specify encryption key version in transit (#2821) 2017-06-06 16:02:54 -04:00
Brian Kassouf 606fe393be Use the role name in the db username (#2812) 2017-06-06 09:49:49 -04:00
Jeff Mitchell 3eebd5cf5a ed25519 support in transit (#2778) 2017-06-05 15:00:39 -04:00
Scott Sinclair 0c7d240968 Change split on instance profile name (#2802)
This now splits on the /, so we only get the last component of the instance profile name (ignoring paths)
2017-06-05 12:39:37 -04:00
Jeff Mitchell 7e02082f5f Use the oauth2 context ability to specify a clean http client. (#2808)
Hopefully fixes #2793
2017-06-05 12:27:01 -04:00
Jeff Mitchell b90c84a2c6 Add unsalted test to app-id 2017-06-05 11:37:16 -04:00
Jeff Mitchell f7df60b131 Allow accessing Warnings directly in Response. (#2806)
A change in copystructure has caused some panics due to the custom copy
function. I'm more nervous about production panics than I am about
keeping some bad code wiping out some existing warnings, so remove the
custom copy function and just allow direct setting of Warnings.
2017-06-05 10:52:43 -04:00
Jeff Mitchell 8f2ba268a0 Fix instantiation of salt funcs in app-id structs 2017-06-05 10:04:54 -04:00
Dan Stark 9f6b77598e Fixes typos in error message and comment for AWS auth CLI (#2798) 2017-06-02 17:35:25 -07:00
Andrew e33e489eee Improve EC2 describe instances performance (#2766)
Query the EC2 API for the instance ID rather than filter the results of
all instances.
2017-05-26 08:38:01 -04:00
Vishal Nayak 3c968260a8 Cert verification for non-CA certs (#2761)
* Cert verification for non-CA certs

* Added test case to ensure login fails with expired non-CA cert

* Address review feedback
2017-05-25 10:49:09 -04:00
Jeff Mitchell 9f681ea4cf Use auth-saved cert name during renewals to avoid a panic. (#2755) 2017-05-23 20:41:01 -04:00
Jeff Mitchell 7cc72a9066 Delay salt initialization for audit backends 2017-05-23 20:36:20 -04:00
Jeff Mitchell 4693881fe9 Update some path-help in datakey 2017-05-23 10:04:32 -04:00
Vishal Nayak 2557693aa3 Added host key call back for ssh config (#2752) 2017-05-21 20:16:13 -04:00
emily aa40d2cff6 add gofmt checks to Vault and format existing code (#2745) 2017-05-19 08:34:17 -04:00
sprohaska 90be96989a logical/aws: Fix typo in warning message (#2747)
Signed-off-by: Steffen Prohaska <prohaska@zib.de>
2017-05-19 06:20:54 -04:00
Brian Kassouf 533dbe5d4c Update the error when no key can be found to a more clear error text (#2720) 2017-05-12 14:14:00 -04:00
Brian Kassouf 1460c2fcc7 Add plugin level docs for what statements are supported and how they should be formatted 2017-05-11 11:59:58 -07:00
Seth Rutner 3874b63af3 Fix typos in error message (#2692) 2017-05-10 10:28:35 -04:00
Jeff Mitchell d25aa9fc21 Don't write salts in initialization, look up on demand (#2702) 2017-05-09 17:51:09 -04:00
Jeff Mitchell 185ba8a1c3 Only run cassandra tests on Travis for right now 2017-05-09 08:36:20 -04:00
Jeff Mitchell 490b01d6d8 Add salt mutex to app-id (#2690) 2017-05-08 16:15:24 -04:00
Jeff Mitchell 6f6f242061 Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 15:01:52 -04:00
Brian Kassouf 7dcec6e68f Merge remote-tracking branch 'oss/master' into database-refactor 2017-05-04 12:40:00 -07:00
Brian Kassouf 82b58d5b9c Update docs and return a better error message 2017-05-04 11:45:27 -07:00
mymercurialsky 4c0e3c5d2f Implemented TOTP Secret Backend (#2492)
* Initialized basic outline of TOTP backend using Postgresql backend as template

* Updated TOTP backend.go's structure and help string

* Updated TOTP path_roles.go's structure and help strings

* Updated TOTP path_role_create.go's structure and help strings

* Fixed typo in path_roles.go

* Fixed errors in path_role_create.go and path_roles.go

* Added TOTP secret backend information to cli commands

* Fixed build errors in path_roles.go and path_role_create.go

* Changed field values of period and digits from uint to int, added uint conversion of period when generating passwords

* Initialized TOTP test file based on structure of postgresql test file

* Added enforcement of input values

* Added otp library to vendor folder

* Added test steps and cleaned up errors

* Modified read credential test step, not working yet

* Use of vendored package not allowed - Test error

* Removed vendor files for TOTP library

* Revert "Removed vendor files for TOTP library"

This reverts commit fcd030994bc1741dbf490f3995944e091b11da61.

* Hopefully fixed vendor folder issue with TOTP Library

* Added additional tests for TOTP backend

* Cleaned up comments in TOTP backend_test.go

* Added default values of period, algorithm and digits to field schema

* Changed account_name and issuer fields to optional

* Removed MD5 as a hash algorithm option

* Implemented requested pull request changes

* Added ability to validate TOTP codes

* Added ability to have a key generated

* Added skew, qr size and key size parameters

* Reset vendor.json prior to merge

* Readded otp and barcode libraries to vendor.json

* Modified help strings for path_role_create.go

* Fixed test issue in testAccStepReadRole

* Cleaned up error formatting, variable names and path names. Also added some additional documentation

* Moveed barcode and url output to key creation function and did some additional cleanup based on requested changes

* Added ability to pass in TOTP urls

* Added additional tests for TOTP server functions

* Removed unused QRSize, URL and Generate members of keyEntry struct

* Removed unnecessary urlstring variable from pathKeyCreate

* Added website documentation for TOTP secret backend

* Added errors if generate is true and url or key is passed, removed logger from backend, and revised parameter documentation.

* Updated website documentation and added QR example

* Added exported variable and ability to disable QR generation, cleaned up error reporting, changed default skew value, updated documentation and added additional tests

* Updated API documentation to inlude to exported variable and qr size option

* Cleaned up return statements in path_code, added error handling while validating codes and clarified documentation for generate parameters in path_keys
2017-05-04 10:49:42 -07:00
Brian Kassouf 5ee0d696d4 Merge remote-tracking branch 'oss/master' into database-refactor 2017-05-04 10:45:18 -07:00
Brian Kassouf 29bfc0a0d4 PR comments 2017-05-04 10:41:59 -07:00
Brian Kassouf 0875e78a13 Feedback from PR 2017-05-03 17:37:34 -07:00
Brian Kassouf cbcb8635a4 Update databse backend tests to use the APIClientMeta for the plugin conns 2017-05-03 16:34:09 -07:00
Calvin Leung Huang 26cf09ab15 Minor comment update on cert_util 2017-05-03 16:13:54 -04:00
Chris Hoffman 1c14d207b5 Merge pull request #2575 from hashicorp/pki-colons-to-hyphens
Change storage of PKI entries from colons to hyphens
2017-05-03 15:07:15 -04:00
Chris Hoffman e34a45fdcd Minor readability enhancements for migration path from old to new 2017-05-03 14:58:22 -04:00
Calvin Leung Huang a00a7815f6 Include and use normalizeSerial func 2017-05-03 10:12:58 -04:00
Brian Kassouf 7ae8f02f4b Only wrap in tracing middleware if the logger is set to trace level 2017-05-02 17:19:49 -07:00
Brian Kassouf 29d9b831d3 Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 14:40:11 -07:00
Calvin Leung Huang 2b7a66e23b Use variables for string replacements on cert_util 2017-05-02 14:11:57 -04:00
Brian Kassouf c8bbea9f37 Rename NewPluginServer to just Serve 2017-05-02 02:00:39 -07:00
Ben Gadbois 537342f038 Fixing printf (and similar) issues (#2666) 2017-05-01 23:34:10 -04:00
Brian Kassouf b3819c433b Don't store an error response as a package variable 2017-05-01 15:30:56 -07:00
Brian Kassouf 9a60ec9fda Update interface name from Wrapper to a more descriptive RunnerUtil 2017-05-01 14:59:55 -07:00
Justin Gerace 403efeb5ae Add globbing support to the PKI backend's allowed_domains list (#2517) 2017-05-01 10:40:18 -04:00
Michael Ansel 30b71cbbac Add constraints on the Common Name for certificate-based authentication (#2595)
* Refactor to consolidate constraints on the matching chain

* Add CN prefix/suffix constraint

* Maintain backwards compatibility (pick a random cert if multiple match)

* Vendor go-glob

* Replace cn_prefix/suffix with required_name/globbing

Move all the new tests to acceptance-capable tests instead of embedding in the CRL test

* Allow authenticating against a single cert

* Add new params to documentation

* Add CLI support for new param

* Refactor for style

* Support multiple (ORed) name patterns

* Rename required_names to allowed_names

* Update docs for parameter rename

* Use the new TypeCommaStringSlice
2017-04-30 11:37:10 -04:00
Jeff Mitchell 9a72b3162f Flip back to sstarcher go-okta post-merge 2017-04-28 17:21:49 -04:00
Calvin Leung Huang ff4cf41ebb Add test for ca and crl case 2017-04-28 08:55:28 -04:00
Jeff Mitchell 0f214cc502 Switch to jefferai/go-okta for now to work around Fatal lines in upstream (#2658)
Switch to jefferai/go-okta for now to work around Fatal lines in upstream
2017-04-28 08:39:51 -04:00
Vishal Nayak 8bb6c8caef Return error message for failure to parse CSR (#2657) 2017-04-28 08:30:24 -04:00
Calvin Leung Huang 802d030506 Refactor cert_util_test 2017-04-27 17:09:59 -04:00
Calvin Leung Huang b5990321bf Verify update operation was performed on revokeCert 2017-04-27 12:30:44 -04:00
Calvin Leung Huang 3b27a9c12c Rename tests, use HandleRequest() for existing paths 2017-04-27 09:47:56 -04:00
Brian Kassouf 53752c3002 Add check to ensure we don't overwrite existing connections 2017-04-26 16:43:42 -07:00
Brian Kassouf 081101c7cf Add an error check to reset a plugin if it is closed 2017-04-26 15:55:34 -07:00
Brian Kassouf d0cad5345a Update to a RWMutex 2017-04-26 15:23:14 -07:00
Calvin Leung Huang 628e5d594b Add remaining tests 2017-04-26 16:05:58 -04:00
Brian Kassouf 4782d9d2af Update the error messages for renew and revoke 2017-04-26 10:29:16 -07:00
Brian Kassouf 892812d67d Change ttl types to TypeDurationSecond 2017-04-26 10:02:37 -07:00
Calvin Leung Huang d24757f2e0 Fix crl_util test 2017-04-26 09:58:34 -04:00
Calvin Leung Huang 18ed2d6097 Tests for cert and crl util 2017-04-26 02:46:01 -04:00
Brian Kassouf e3e5f12f9e Default deny when allowed roles is empty 2017-04-25 11:48:24 -07:00
Brian Kassouf 207d01fd39 Update the connection details data and fix allowedRoles 2017-04-25 11:11:10 -07:00
Brian Kassouf eb0f831d6a Rename path_role_create to path_creds_create 2017-04-25 10:39:17 -07:00
Brian Kassouf 3d3e4eb5a4 Use TypeCommaStringSlice for allowed_roles 2017-04-25 10:26:23 -07:00
Brian Kassouf bed1c17b1e Update logging to new structure 2017-04-25 10:24:19 -07:00
Brian Kassouf f25b367732 Don't uppercase ErrorResponses 2017-04-24 14:03:48 -07:00
Brian Kassouf 378ae98809 s/DatabaseType/Database/ 2017-04-24 13:59:12 -07:00
Joel Thompson e06a78a474 Create unified aws auth backend (#2441)
* Rename builtin/credential/aws-ec2 to aws

The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.

* Expand aws-ec2 backend to more generic aws

This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.

* Add missing aws auth handler to CLI

This was omitted from the previous commit

* aws auth backend general variable name cleanup

Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.

* Update docs for the aws auth backend

* Refactor aws bind validation

* Fix env var override in aws backend test

Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.

* Update docs on use of IAM authentication profile

AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.

* Fix typo in aws auth cli help

* Respond to PR feedback

* More PR feedback

* Respond to additional PR feedback

* Address more feedback on aws auth PR

* Make aws auth_type immutable per role

* Address more aws auth PR feedback

* Address more iam auth PR feedback

* Rename aws-ec2.html.md to aws.html.md

Per PR feedback, to go along with new backend name.

* Add MountType to logical.Request

* Make default aws auth_type dependent upon MountType

When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.

* Pass MountPoint and MountType back up to the core

Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
Brian Kassouf 6f9d178370 Calls to builtin plugins now go directly to the implementation instead of go-plugin 2017-04-20 18:46:41 -07:00
Brian Kassouf af9ff63e9a Merge remote-tracking branch 'oss/master' into database-refactor 2017-04-19 15:16:00 -07:00
Chris Hoffman 847c86f788 Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings (#2614) 2017-04-19 10:39:07 -04:00
Chris Hoffman 938eab37b6 Do not lowercase groups attached to users in ldap (#2613) 2017-04-19 10:36:45 -04:00
Chris Hoffman 2ee593c6ea Mssql driver update (#2610)
* Switching driver from mssql to sqlserver
* Adding explicit database to sp_msloginmappings call
2017-04-18 17:49:59 -04:00
Jeff Mitchell 4995c69763 Update sign-verbatim to correctly set generate_lease (#2593) 2017-04-18 15:54:31 -04:00
Mitch Davis a051ec1b59 Use service bind for searching LDAP groups (#2534)
Fixes #2387
2017-04-18 15:52:05 -04:00
Jeff Mitchell 0897da93f0 Parse and dedup but do not lowercase principals in SSH certs. (#2591) 2017-04-18 12:21:02 -04:00
Jeff Mitchell 822d86ad90 Change storage of entries from colons to hyphens and add a
lookup/migration path

Still TODO: tests on migration path

Fixes #2552
2017-04-18 11:14:23 -04:00
Jeff Mitchell e8adc13826 Fix cassandra dep breakage 2017-04-17 11:51:42 -04:00
Vishal Nayak 09cd069435 Consider new bounds as a criteria to allow role creation (#2600)
* Consider new bounds as a criteria to allow role creation

* Added a test
2017-04-17 10:36:11 -04:00
Jeff Mitchell 79fb8bdf69 Verify that a CSR specifies IP SANs before checking whether it's allowed (#2574) 2017-04-13 13:40:31 -04:00
Brian Kassouf 883c80540a Add allowed_roles parameter and checks 2017-04-13 10:33:34 -07:00
Brian Kassouf 0cfe1ea81c Cleanup path files 2017-04-12 17:35:02 -07:00
Brian Kassouf a9a05f5bba Update Type() to return an error 2017-04-12 16:41:06 -07:00
Brian Kassouf 8ccf10641b Merge branch 'master' into database-refactor 2017-04-12 14:29:10 -07:00
Brian Kassouf 128f25c13d Update help text and comments 2017-04-11 11:50:34 -07:00
Brian Kassouf c85b7be22f Remove unnecessary abstraction 2017-04-10 18:38:34 -07:00
Brian Kassouf 8071aed758 Mlock the plugin process 2017-04-10 17:12:52 -07:00
Brian Kassouf f6ff3b1146 Add a flag to tell plugins to verify the connection was successful 2017-04-10 15:36:59 -07:00
Brian Kassouf db91a80540 Update plugin test 2017-04-10 14:12:28 -07:00
Brian Kassouf bbbd81220c Update the interface for plugins removing functions for creating creds 2017-04-10 12:24:16 -07:00
Brian Kassouf 459e3eda4e Update backend tests 2017-04-10 10:35:16 -07:00
Brian Kassouf 93136ea51e Add backend test 2017-04-07 15:50:03 -07:00
Shivaram Lingamneni 2117dfd717 implement a no_store option for pki roles (#2565) 2017-04-07 11:25:47 -07:00
Jeff Mitchell f805618a2c Update SSH CA documentation
Fixes #2551
Fixes #2569
2017-04-07 11:59:25 -04:00
Brian Kassouf 62d59e5f4e Move plugin code into sub directory 2017-04-06 12:20:10 -07:00
Brian Kassouf ca2c3d0c53 Refactor to use builtin plugins from an external repo 2017-04-05 16:20:31 -07:00
Calvin Leung Huang 2255884a4c Do not mark conn as initialized until the end (#2567) 2017-04-04 14:26:59 -07:00
Brian Kassouf 305ccd54f7 Don't return strings, always structs 2017-04-04 11:33:58 -07:00
Calvin Leung Huang 9dd666c7e6 Database refactor invalidate (#2566)
* WIP on invalidate function

* cassandraConnectionProducer has Close()

* Delete database from connections map on successful db.Close()

* Move clear connection into its own func

* Use const for database config path
2017-04-04 11:32:42 -07:00
vishalnayak 049e086b07 Fix typo. Closes GH-2528 2017-04-04 12:29:18 -04:00
Jeff Mitchell 709389dd36 Use ParseStringSlice on PKI organization/organizational unit. (#2561)
After, separately dedup and use new flag to not lowercase value.

Fixes #2555
2017-04-04 08:54:18 -07:00
Brian Kassouf b506bd7790 On change of configuration rotate the database type 2017-04-03 18:30:38 -07:00
Brian Kassouf d7dd0ab35c Merge branch 'database-refactor' of github.com:hashicorp/vault into database-refactor 2017-04-03 17:52:41 -07:00
Brian Kassouf e8781b6a2b Plugin catalog 2017-04-03 17:52:29 -07:00
Calvin Leung Huang aa15a1d3a9 Database refactor mssql (#2562)
* WIP on mssql secret backend refactor

* Add RevokeUser test, and use sqlserver driver internally

* Remove debug statements

* Fix code comment
2017-04-03 09:59:30 -07:00
Brian Kassouf 210fa77e3c fix for plugin commands that have more than one paramater 2017-03-28 14:37:57 -07:00
Brian Kassouf 50729a4528 Add comments to connection and credential producers 2017-03-28 13:08:11 -07:00
Brian Kassouf b09526e1c9 Cleanup the db factory code and add comments 2017-03-28 12:57:30 -07:00
Brian Kassouf 6b877039e7 Update tests 2017-03-28 12:20:17 -07:00
Brian Kassouf c50a6ebc39 Add functionaility to build db objects from disk so restarts work 2017-03-28 11:30:45 -07:00
Brian Kassouf 02b0230f19 Fix for checking types of database on update 2017-03-28 10:04:42 -07:00
Brian Kassouf 494f963581 Wrap the database calls with tracing information 2017-03-27 15:17:28 -07:00
Brian Kassouf 2799586f45 Remove the unused sync.Once object 2017-03-27 11:46:20 -07:00
Brian Kassouf 29ae4602dc More work on getting tests to pass 2017-03-23 15:54:15 -07:00
Brian Kassouf c0223d888e Remove unsused code block 2017-03-22 17:09:39 -07:00
Brian Kassouf 1068076703 s/postgres/mysql/ 2017-03-22 16:44:33 -07:00
Brian Kassouf dac1bb210b Add test files for postgres and mysql databases 2017-03-22 16:39:08 -07:00
Brian Kassouf ae9961b811 Add a error message for empty creation statement 2017-03-22 12:40:16 -07:00
Brian Kassouf c55bef85d3 Fix race with deleting the connection 2017-03-22 09:54:19 -07:00
Brian Kassouf 85ef468d46 Add a delete method 2017-03-21 17:19:30 -07:00
Brian Kassouf 83ff132705 Verify connections regardless of if this connections is already existing 2017-03-21 16:05:59 -07:00
Vishal Nayak 003ef004c6 sshca: ensure atleast cert type is allowed (#2508) 2017-03-19 18:58:48 -04:00
Brian Kassouf a4e5e0f8c9 Comment and fix plugin Type function 2017-03-16 18:24:56 -07:00
Brian Kassouf 417770a58f Change the handshake config from the default 2017-03-16 17:51:25 -07:00
Brian Kassouf 2873825848 Add a secure config to verify the checksum of the plugin 2017-03-16 16:20:18 -07:00
Brian Kassouf f2df4ef0e7 Comment and slight refactor of the TLS plugin helper 2017-03-16 14:14:49 -07:00
Brian Kassouf 0a52ea5c69 Break tls code into helper library 2017-03-16 11:55:21 -07:00
Jeff Mitchell 24886c1006 Ensure CN check is made when exclude_cn_from_sans is used
Fixes #2363
2017-03-16 11:41:13 -04:00
Jeff Mitchell ae8967d635 Always include a hash of the public key and "vault" (to know where it (#2498)
came from) when generating a cert for SSH.

Follow on from #2494
2017-03-16 11:14:17 -04:00
Mike Okner 95df7beed9 Adding allow_user_key_ids field to SSH role config (#2494)
Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name.  Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.
2017-03-16 08:45:11 -04:00
Brian Kassouf eb6117cbb2 Work on TLS communication over plugins 2017-03-15 17:14:48 -07:00
Jeff Mitchell 12e5132779 Allow roles to specify whether CSR SANs should be used instead of (#2489)
request values. Fix up some documentation.

Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
Jeff Mitchell 7ab6844eb4 Set CA chain when intermediate does not have an authority key ID.
This is essentially an approved review of the code provided in #2465.

Fixes #2465
2017-03-15 11:52:02 -04:00
Brian Kassouf 3ecb344878 wrap plugin database type with metrics middleware 2017-03-14 13:12:47 -07:00
Brian Kassouf 822a3eb20a Add a metrics middleware 2017-03-14 13:11:28 -07:00
Stanislav Grozev 662b372364 Reads on unconfigured SSH CA public key return 400 2017-03-14 10:21:48 -04:00
Stanislav Grozev 7d59d7d3ac Reads on ssh/config/ca return the public keys
If configured/generated.
2017-03-14 10:21:48 -04:00
Stanislav Grozev 830de2dbbd If generating an SSH CA signing key - return the public part
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
2017-03-14 10:21:48 -04:00
Brian Kassouf 2054fff890 Add a way to initalize plugins and builtin databases the same way. 2017-03-13 14:39:55 -07:00
Brian Kassouf 71b81aad23 Add checksum attribute 2017-03-10 14:10:42 -08:00
Brian Kassouf a11911d4d4 Rename reset to close 2017-03-09 22:35:45 -08:00
Brian Kassouf fda45f531d Add special path to enforce root on plugin configuration 2017-03-09 21:31:29 -08:00
Brian Kassouf 748c70cfb4 Add plugin file 2017-03-09 17:43:58 -08:00
Brian Kassouf 9099231229 Add plugin features 2017-03-09 17:43:37 -08:00
Vishal Nayak 220beb2cde doc: ssh allowed_users update (#2462)
* doc: ssh allowed_users update

* added some more context in default_user field
2017-03-09 10:34:55 -05:00
vishalnayak f085cd71ab Fix typo 2017-03-08 17:49:39 -05:00
Brian Kassouf b7128f8370 Update secrets fields 2017-03-08 14:46:53 -08:00
Vishal Nayak 766c2e6ee0 SSH CA enhancements (#2442)
* Use constants for storage paths

* Upgrade path for public key storage

* Fix calculateValidPrincipals, upgrade ca_private_key, and other changes

* Remove a print statement

* Added tests for upgrade case

* Make exporting consistent in creation bundle

* unexporting and constants

* Move keys into a struct instead of plain string

* minor changes
2017-03-08 17:36:21 -05:00
Brian Kassouf 2fb6bf9882 Fix renew and revoke calls 2017-03-07 17:21:44 -08:00
Brian Kassouf b7c3b4b0d7 Add defaults to the cassandra databse type 2017-03-07 17:00:52 -08:00
Brian Kassouf 3976a2a0a6 Pass statements object 2017-03-07 16:48:17 -08:00
Brian Kassouf 843d584254 Remove unused sql object 2017-03-07 15:34:23 -08:00
Brian Kassouf 919155ab12 Remove double lock 2017-03-07 15:33:05 -08:00
Brian Kassouf c959882b93 Update locking functionaility 2017-03-07 13:48:29 -08:00
Jeff Mitchell 3d162b63cc Use locks in a slice rather than a map, which is faster and makes things cleaner (#2446) 2017-03-07 11:21:32 -05:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Brian Kassouf bc53e119ca rename mysql variable 2017-03-03 15:07:41 -08:00
Brian Kassouf bba832e6bf Make db instances immutable and add a reset path to tear down and create a new database instance with an updated config 2017-03-03 14:38:49 -08:00
Brian Kassouf 29e07ac9e8 Fix mysql connections 2017-03-03 14:38:49 -08:00
Brian Kassouf 24ddea9954 Add mysql into the factory 2017-03-03 14:38:48 -08:00
Brian Kassouf 8e8f260d96 Add max connection lifetime param and set consistancy on cassandra session 2017-03-03 14:38:48 -08:00
Brian Kassouf 1f009518cd s/Statement/Statements/ 2017-03-03 14:38:48 -08:00
Brian Kassouf 46aa7142c1 Add mysql database type 2017-03-03 14:38:48 -08:00
Brian Kassouf 2ec5ab5616 More work on refactor and cassandra database 2017-03-03 14:38:48 -08:00
Brian Kassouf acdcd79af3 Begin work on database refactor 2017-03-03 14:38:48 -08:00
Vishal Nayak 4b81bcb379 ssh: Added DeleteOperation to config/ca (#2434)
* ssh: Added DeleteOperation to config/ca

* Address review feedback
2017-03-03 10:19:45 -05:00
Vishal Nayak 491a56fe9f AppRole: Support restricted use tokens (#2435)
* approle: added token_num_uses to the role

* approle: added RUD tests for token_num_uses on role

* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
Jeff Mitchell 55e69277ce Update SSH CA logic/tests 2017-03-02 16:39:22 -05:00
Vishal Nayak a1331278ff Refactor the generate_signing_key processing (#2430) 2017-03-02 16:22:06 -05:00
Jeff Mitchell fa474924aa Update error text to make it more obvious what the issue is when valid principals aren't found 2017-03-02 15:56:08 -05:00
Jeff Mitchell eca68d5913 Fix a bunch of errors from returning 5xx, and parse more duration types 2017-03-02 15:38:34 -05:00
Will May 70bfdb5ae9 Changes from code review 2017-03-02 14:36:13 -05:00
Will May 36b3d89604 Allow internal generation of the signing SSH key pair 2017-03-02 14:36:13 -05:00
Vishal Nayak 3795d2ea64 Rework ssh ca (#2419)
* docs: input format for default_critical_options and default_extensions

* s/sshca/ssh

* Added default_critical_options and default_extensions to the read endpoint of role

* Change default time return value to 0
2017-03-01 15:50:23 -05:00
Will May 9f75f84175 Changes from code review
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
2017-03-01 15:19:18 -05:00
Will May ff1ff02bd7 Changes from code review
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
2017-03-01 15:19:18 -05:00
Will May 099d561b20 Add ability to create SSH certificates 2017-03-01 15:19:18 -05:00
Jeff Mitchell 47f8478a97 Fix github compile breakage after dep upgrade 2017-02-24 15:32:05 -05:00
Vishal Nayak b762c43fe2 Aws Ec2 additional binds for SubnetID, VpcID and Region (#2407)
* awsec2: Added bound_region

* awsec2: Added bound_subnet_id and bound_vpc_id

* Add bound_subnet_id and bound_vpc_id to docs

* Remove fmt.Printf

* Added crud test for aws ec2 role

* Address review feedback
2017-02-24 14:19:10 -05:00
vishalnayak 2e911fc650 Fix broken build caused due to resolve merge conflicts 2017-02-24 12:41:20 -05:00
Vishal Nayak c6f138bb9a PKI: Role switch to control lease generation (#2403)
* pki: Make generation of leases optional

* pki: add tests for upgrading generate_lease

* pki: add tests for leased and non-leased certs

* docs++ pki generate_lease

* Generate lease is applicable for both issuing and signing

* pki: fix tests

* Address review feedback

* Address review feedback
2017-02-24 12:12:40 -05:00
Saj Goonatilleke 01f3056b8b pki: Include private_key_type on DER-formatted responses from /pki/issue/ (#2405) 2017-02-24 11:17:59 -05:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell 0c39b613c8 Port some replication bits to OSS (#2386) 2017-02-16 15:15:02 -05:00
Jeff Mitchell d7a6ec8d43 Add some repcluster handling to audit and add some tests (#2384)
* Add some repcluster handling to audit and add some tests

* Fix incorrect assumption about nil auth
2017-02-16 13:09:53 -05:00
Jeff Mitchell c96fe56d44 Fix copypasta, thanks tests 2017-02-16 01:32:39 -05:00
Jeff Mitchell 817bec0955 Add Organization support to PKI backend. (#2380)
Fixes #2369
2017-02-16 01:04:29 -05:00
Vishal Nayak eb4ef0f6e0 cidrutil: added test data points (#2378) 2017-02-16 00:51:02 -05:00
Vishal Nayak 81c95b36eb aws-ec2 auth: Return the role period in seconds (#2374)
* aws-ec2 auth: Return the role period in seconds

* cast return values to int64 for comparison with expected values
2017-02-15 10:57:57 -05:00
Jeff Mitchell 04b4a6aa50 Fix Okta auth issue when a user has no policies and/or groups set. (#2371)
Fixes #2367
2017-02-14 16:28:16 -05:00
Tommy Murphy ca06bc0b53 audit: support a configurable prefix string to write before each message (#2359)
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
2017-02-10 16:56:28 -08:00
vishalnayak 2bbc247ab4 use net.JoinHostPort 2017-02-08 18:39:09 -05:00
Jeff Mitchell 72db329d67 Add support for backup/multiple LDAP URLs. (#2350) 2017-02-08 14:59:24 -08:00
Jeff Mitchell a217be589c Merge pull request #2154 from fcantournet/default-ldap-username
ldap auth via cli defaults username to env (#2137)
2017-02-07 21:47:59 -08:00
Jeff Mitchell a2f07acbc4 Use Getenv instead of LookupEnv
This prevents returning empty username if LOGNAME is set but empty and USER is set but not empty.
2017-02-07 21:47:06 -08:00
Jeff Mitchell f05b482e46 Update error text 2017-02-07 21:44:23 -08:00
Jeff Mitchell 8f957579d8 Update some help text for RADIUS 2017-02-07 16:06:27 -05:00
Matteo Sessa 29d9d5676e RADIUS Authentication Backend (#2268) 2017-02-07 16:04:27 -05:00
Brian Kassouf 2923934813 Merge pull request #2326 from hashicorp/pr-2161
Add Socket Audit Backend
2017-02-07 11:27:25 -08:00
Vishal Nayak 7f2717b74a transit: change batch input format (#2331)
* transit: change batch input format

* transit: no json-in-json for batch response

* docs: transit: update batch input format

* transit: fix tests after changing response format
2017-02-06 14:56:16 -05:00
Brian Kassouf 09049c2787 Added a single retry after a reconnection 2017-02-06 11:38:38 -08:00
Brian Kassouf af1847f2b4 Update the docs and move the logic for reconnecting into its own function 2017-02-04 16:55:17 -08:00
Jeff Mitchell 5de633fd27 Make userpass help text mention radius too 2017-02-04 07:48:30 -05:00
Jeff Mitchell a8ea05f365 Add default mount param to userpass cli handler 2017-02-04 07:47:09 -05:00
Brian Kassouf b38eeec96a Add write deadline and a Reload function 2017-02-02 15:44:56 -08:00
Harrison Harnisch b09077c2d8 add socket audit backend 2017-02-02 14:21:48 -08:00
Brian Kassouf 6701ba8a10 Configure the request headers that are output to the audit log (#2321)
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited

* Remove some debug lines

* Add a persistant layer and refactor a bit

* update the api endpoints to be more restful

* Add comments and clean up a few functions

* Remove unneeded hash structure functionaility

* Fix existing tests

* Add tests

* Add test for Applying the header config

* Add Benchmark for the ApplyConfig method

* ResetTimer on the benchmark:

* Update the headers comment

* Add test for audit broker

* Use hyphens instead of camel case

* Add size paramater to the allocation of the result map

* Fix the tests for the audit broker

* PR feedback

* update the path and permissions on config/* paths

* Add docs file

* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
Vishal Nayak 5fb28f53cb Transit: Support batch encryption and decryption (#2143)
* Transit: Support batch encryption

* Address review feedback

* Make the normal flow go through as a batch request

* Transit: Error out if encryption fails during batch processing

* Transit: Infer the 'derived' parameter based on 'context' being set

* Transit: Batch encryption doc updates

* Transit: Return a JSON string instead of []byte

* Transit: Add batch encryption tests

* Remove plaintext empty check

* Added tests for batch encryption, more coming..

* Added more batch encryption tests

* Check for base64 decoding of plaintext before encrypting

* Transit: Support batch decryption

* Transit: Added tests for batch decryption

* Transit: Doc update for batch decryption

* Transit: Sync the path-help and website docs for decrypt endpoint

* Add batch processing for rewrap

* transit: input validation for context

* transit: add rewrap batch option to docs

* Remove unnecessary variables from test

* transit: Added tests for rewrap use cases

* Address review feedback

* Address review feedback

* Address review feedback

* transit: move input checking out of critical path

* transit: allow empty plaintexts for batch encryption

* transit: use common structs for batch processing

* transit: avoid duplicate creation of structs; add omitempty to response structs

* transit: address review feedback

* transit: fix tests

* address review feedback

* transit: fix tests

* transit: rewrap encrypt user error should not error out

* transit: error out for internal errors
2017-02-02 14:24:20 -05:00
Vishal Nayak 3457a11afd awsec2: support periodic tokens (#2324)
* awsec2: support periodic tokens

* awsec2: add api docs for 'period'
2017-02-02 13:28:01 -05:00
Vishal Nayak 14fcc4b6eb approle: secret-id listing lock sanity check (#2315)
* approle: secret-id listing lock sanity

* Skip processing an empty secretIDHMAC item during the iteration

* approle: use dedicated lock for listing of secret-id-accessors
2017-02-01 18:13:49 -05:00
louism517 0548555219 Support for Cross-Account AWS Auth (#2148) 2017-02-01 14:16:03 -05:00
Jeff Mitchell 47274eca88 Add cleanup functions to multiple DB backends. (#2313)
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
Jeff Mitchell f1a5a858d3 Make export errors a bit more meaningful 2017-01-30 09:25:50 -05:00
Jeff Mitchell 2e15dc93df Have transit exporting return the same structure regardless of one key or many 2017-01-28 10:37:35 -05:00
Shane Starcher 6033ea884c Okta implementation (#1966) 2017-01-26 19:08:52 -05:00
Brian Kassouf e788780709 Migrate cassandra test from acceptance to dockertest (#2295) 2017-01-25 15:37:55 -05:00
Jeff Mitchell f43a041bf2 Revert "Disable PKI OU tests to fix the build"
This reverts commit b1ab7c5603180af9073caab1b3022ca438dc12be.
2017-01-24 09:58:28 -05:00
vishalnayak c8b6ab7223 Disable PKI OU tests to fix the build 2017-01-24 06:25:56 -05:00
joe miller 98df700495 allow roles to set OU value in certificates issued by the pki backend (#2251) 2017-01-23 12:44:45 -05:00
Chris Hoffman 7568a212b1 Adding support for exportable transit keys (#2133) 2017-01-23 11:04:43 -05:00
Vishal Nayak 5aba2d47b6 ldap: Minor enhancements, tests and doc update (#2272) 2017-01-23 10:56:43 -05:00
Vishal Nayak fa7d61baa3 Merge pull request #2202 from fcantournet/fix_govet_fatalf
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Vishal Nayak 1d7ded02b4 Merge pull request #2152 from mr-tron/master
Thanks for submitting this. I am going to merge this in and write tests.
2017-01-13 14:29:46 -05:00
Vishal Nayak e019cca4ea Merge pull request #2257 from bkrodgers/git-config-read
Added a 'read' for github config
2017-01-11 12:23:00 -05:00
Brian Rodgers f33d35f3de Added a nil check for config and renamed org field internally. 2017-01-11 11:04:15 -06:00
Matthew Irish cb8bbc4fbd Transit key actions (#2254)
* add supports_* for transit key reads

* update transit docs with new supports_* fields
2017-01-11 10:05:06 -06:00
Brian Rodgers a8f12dff01 Added a 'read' for github config 2017-01-10 18:21:31 -06:00
joe miller 78dacc154a sign-verbatim should set use_csr_common_name to true (#2243) 2017-01-10 09:47:59 -05:00
Jeff Mitchell 80dc5819d3 Use dockertest.v2 (#2247)
New dockertest has a totally different API and will require some serious
refactoring. This will tide over until then by pinning the API version.
2017-01-09 13:46:54 -05:00
Félix Cantournet 103b7ceab2 all: test: Fix govet warnings
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00