Commit graph

641 commits

Author SHA1 Message Date
Sean Chittenden 2e828383e0
Move the parameter down to where the statement is executed. 2016-07-03 16:20:27 -07:00
Sean Chittenden 08fb1a30d4
Use lib/pq's QuoteIdentifier() on all identifiers and Prepare
for all literals.
2016-07-03 16:01:39 -07:00
Matt Hurne 292c2fad69 Merge branch 'master' into mongodb-secret-backend 2016-07-01 20:39:13 -04:00
Jeff Mitchell 4a8d9eb942 Shave off a lot of PKI testing time by not requiring key generation when testing CSRs. Also enable all tests all the time. 2016-07-01 17:28:48 -04:00
Jeff Mitchell 369dcff5f9 Merge pull request #1581 from mp911de/cassandra_connect_timeout
Support connect_timeout for Cassandra and align timeout.
2016-07-01 22:33:24 +02:00
Mark Paluch ab63c938c4 Address review feedback.
Switch ConnectTimeout to framework.TypeDurationSecond  with a default of 5. Remove own parsing code.
2016-07-01 22:26:08 +02:00
Mark Paluch 3859f7938a Support connect_timeout for Cassandra and align timeout.
The cassandra backend now supports a configurable connect timeout. The timeout is configured using the connect_timeout parameter in the session configuration.  Also align the timeout to 5 seconds which is the default for the Python and Java drivers.

Fixes #1538
2016-07-01 21:22:37 +02:00
Jeff Mitchell db211a4b61 Migrate Consul acceptance tests to Docker 2016-07-01 13:59:56 -04:00
Matt Hurne cdde4071d7 mongodb secret backend: Parse ssl URI option as a boolean rather than relying on string comparison 2016-07-01 13:55:06 -04:00
Jeff Mitchell a2e95614d6 Have SQL backends Ping() before access.
If unsuccessful, reestablish connections as needed.
2016-07-01 12:02:17 -04:00
Jeff Mitchell e50e331ffc Always run transit acceptance tests 2016-07-01 11:45:56 -04:00
Jeff Mitchell 8d984c111d Convert MySQL tests to Dockerized versions 2016-07-01 11:36:28 -04:00
Matt Hurne 46bf080409 mongodb secret backend: Refactor URI parsing logic to leverage url.Parse 2016-07-01 09:12:26 -04:00
Matt Hurne 6f05d6f21f mongodb secret backend: Prefix all generated usernames with "vault-", and cleanly handle empty display names when generating usernames 2016-06-30 21:11:45 -04:00
Matt Hurne acf4b0b637 Merge branch 'master' into mongodb-secret-backend 2016-06-30 16:43:53 -04:00
Jeff Mitchell 8da8881825 Add comment around bind to localhost 2016-06-30 13:49:11 -04:00
Jeff Mitchell 22e83ae7f5 Dockerize Postgres secret backend acceptance tests
Additionally enable them on all unit test runs.
2016-06-30 13:46:39 -04:00
Jeff Mitchell 619ddc38b7 Use TRACE not WARN here 2016-06-30 12:41:56 -04:00
Matt Hurne 7879812f76 Persist verify_connection field in mongodb secret backend's connection config 2016-06-30 11:39:02 -04:00
Matt Hurne 350b69670c Rename mongodb secret backend's 'ttl_max' lease configuration field to 'max_ttl' 2016-06-30 09:57:43 -04:00
Matt Hurne 05cc4f2761 Merge branch 'master' into mongodb-secret-backend 2016-06-30 09:02:30 -04:00
Jeff Mitchell 16d4f79c71 Fix test 2016-06-30 08:21:00 -04:00
Jeff Mitchell 5df2dd30c5 Change warn to trace for these messages 2016-06-29 21:04:02 -04:00
Jeff Mitchell cf178d3c9e Merge remote-tracking branch 'oss/master' into postgres-pl-lock 2016-06-29 17:40:34 -04:00
Jeff Mitchell 934e60c3c9 Add stmt close calls 2016-06-29 17:39:47 -04:00
Jeff Mitchell a56f79adcb Run prepare on the transaction, not the db 2016-06-29 17:20:41 -04:00
Matt Hurne 5e8c912048 Add mongodb secret backend 2016-06-29 08:33:06 -04:00
cara marie 11c205e19b removed option to create 1024 keybitlength certs 2016-06-28 16:56:14 -04:00
Jeff Mitchell 43df682365 Add more debug output 2016-06-28 11:03:56 -04:00
Jeff Mitchell 0802497c8a Add some logging to enter/exit of some functions 2016-06-24 16:11:22 -04:00
Jeff Mitchell 9dc0599a30 Address review feedback 2016-06-23 10:18:03 -04:00
Jeff Mitchell d7029fc49a Add some more testing 2016-06-23 09:49:03 -04:00
Jeff Mitchell 45a442e593 Set some basic key usages by default.
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.

Fixes #1476
2016-06-22 16:08:24 -04:00
Jeff Mitchell 407373df5d Revert "Use x509 package ext key usage instead of custom type"
This reverts commit 0b2d8ff475a26ff98c37337a64859d150d62cfc1.
2016-06-22 13:07:31 -04:00
Jeff Mitchell c0dee06aab Use x509 package ext key usage instead of custom type 2016-06-22 11:51:32 -04:00
Jeff Mitchell 62f66dc4d8 Do some internal renaming in PKI 2016-06-22 11:39:57 -04:00
Vishal Nayak d47fc4c4ad Merge pull request #1515 from hashicorp/sql-config-reading
Allow reading of config in sql backends
2016-06-21 10:07:34 -04:00
vishalnayak 389581f47b Added warnings when configuring connection info in sql backends 2016-06-21 09:58:57 -04:00
Vishal Nayak 711c05a319 Merge pull request #1546 from hashicorp/secret-aws-roles
Added list functionality to logical aws backend's roles
2016-06-20 20:10:24 -04:00
vishalnayak 1976c9e75b Added test case for listing aws secret backend roles 2016-06-20 20:09:31 -04:00
vishalnayak 8b490e44a1 Added list functionality to logical aws backend's roles 2016-06-20 19:51:04 -04:00
Vishal Nayak 69d562c5db Merge pull request #1514 from hashicorp/backend-return-objects
Backend() functions should return 'backend' objects.
2016-06-20 19:30:00 -04:00
Jeff Mitchell 2e7704ea7e Add convergent encryption option to transit.
Fixes #1537
2016-06-20 13:17:48 -04:00
vishalnayak cf15354e44 Address review feedback 2016-06-17 10:11:39 -04:00
vishalnayak 1776ff449f Allow reading of config in sql backends 2016-06-11 11:48:40 -04:00
vishalnayak 0760a89eb4 Backend() functions should return 'backend' objects.
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
Laura Bennett 5ccb4fe907 Merge pull request #1498 from hashicorp/pki-list
PKI List Functionality
2016-06-08 15:42:50 -04:00
vishalnayak f9c3afcc21 Fix broken test 2016-06-08 13:00:19 -04:00
vishalnayak 6c4234eae6 Minor changes to the RabbitMQ acceptance tests 2016-06-08 12:50:43 -04:00
LLBennett 3795b65d19 Updates to the test based on feedback. 2016-06-08 16:49:10 +00:00
Laura Bennett 2f2a80e2be Add PKI listing 2016-06-08 11:50:59 -04:00
Jeff Mitchell 94cd00f32a Add an explicit default for TTLs for rabbit creds 2016-06-08 11:35:09 -04:00
Jeff Mitchell 86d697884b Fix some typos in rmq text and structure 2016-06-08 11:31:57 -04:00
vishalnayak 1b7da070ae Added pooled transport for rmq client. Added tests 2016-06-08 10:46:46 -04:00
Jeff Mitchell 95f3726f1c Migrate to go-uuid 2016-06-08 10:36:16 -04:00
vishalnayak 5a3dd98d06 Polish the code 2016-06-08 10:25:03 -04:00
Vishal Nayak ab543414f6 Merge pull request #788 from doubledutch/master
RabbitMQ Secret Backend
2016-06-08 10:02:24 -04:00
Jeff Mitchell 8f437d6142 Make logical.InmemStorage a wrapper around physical.InmemBackend.
This:

* Allows removing LockingInmemStorage since the physical backend already
  locks properly
* Makes listing work properly by adhering to expected semantics of only
  listing up to the next prefix separator
* Reduces duplicated code
2016-06-06 12:03:08 -04:00
Jeff Mitchell 50c011e79f Use backend function instead of separate backend creation in consul 2016-06-03 10:08:58 -04:00
Jeff Mitchell 86d2c796b0 Change AWS/SSH to reuse backend creation code for test functions 2016-06-01 12:17:47 -04:00
Vishal Nayak 3c5fb471a4 Merge pull request #1445 from hashicorp/consul-fixups
Reading consul access configuration in the consul secret backend.
2016-06-01 12:11:12 -04:00
Jeff Mitchell 99c1e071f3 Remove most Root paths 2016-05-31 23:42:54 +00:00
vishalnayak eefd9acbf0 Set config access test case as an acceptance test and make travis happy 2016-05-31 13:27:34 -04:00
vishalnayak f64987a6cf Add tests around writing and reading consul access configuration 2016-05-31 13:27:34 -04:00
Jeff Mitchell 036e7fa63e Add reading to consul config, and some better error handling. 2016-05-31 13:27:34 -04:00
vishalnayak 30fa7f304b Allow * to be set for allowed_users 2016-05-30 03:12:43 -04:00
vishalnayak 971b2cb7b7 Do not allow any username to login if allowed_users is not set 2016-05-30 03:01:47 -04:00
Jeff Mitchell 39fe3200e3 Return nil for pre-0.5.3 Consul tokens to avoid pathological behavior 2016-05-27 13:09:52 -04:00
Jeff Mitchell f035a320d0 Add test for renew/revoke to Consul secret backend 2016-05-27 11:27:53 -04:00
Vishal Nayak 644ac5f5e8 Merge pull request #1456 from hashicorp/consul-lease-renewal
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
Jeff Mitchell 05d1da0656 Add comment about the deletions 2016-05-26 10:33:35 -04:00
Jeff Mitchell ccfa8d0567 Remove deprecated entries from PKI role output.
Fixes #1452
2016-05-26 10:32:04 -04:00
vishalnayak 2ca846b401 s/logical.ErrorResponse/fmt.Errorf in revocation functions of secrets 2016-05-26 10:04:11 -04:00
vishalnayak 70b8530962 Fix the consul secret backends renewal revocation problem 2016-05-25 23:24:16 -04:00
Kevin Pike cdfc6b46fd Update and document rabbitmq test envvars 2016-05-20 23:28:02 -07:00
Kevin Pike 4eb20e4aa8 Merge remote-tracking branch 'origin/master' into rabbitmq 2016-05-20 23:27:22 -07:00
Kevin Pike 5783b02e36 Address feedback 2016-05-20 22:57:24 -07:00
Jeff Mitchell 8f592f3442 Don't use pointers to int64 in function calls when not necessary 2016-05-19 12:26:02 -04:00
Jeff Mitchell a13807e759 Merge pull request #1318 from steve-jansen/aws-logical-assume-role
Add sts:AssumeRole support to the AWS secret backend
2016-05-19 12:17:27 -04:00
Jeff Mitchell 86e078ff98 Use Consul API client's DefaultNonPooledTransport.
What we should probably do is create a client with a mutex and
invalidate it when parameters change rather than creating a client over
and over...that can be a TODO for later but for now this fix suffices.

Fixes #1428
2016-05-18 00:47:42 +00:00
Sean Chittenden 792950e16c Merge pull request #1417 from hashicorp/b-pki-expire-ttl-unset
Set entry's TTL before writing out the storage entry's config
2016-05-15 10:02:03 -07:00
Sean Chittenden 7a4b31ce51
Speling police 2016-05-15 09:58:36 -07:00
Sean Chittenden b0bba6d271
Store clamped TTLs back in the role's config 2016-05-15 08:13:56 -07:00
Sean Chittenden 539475714d
Set entry's TTL before writing out the storage entry's config 2016-05-15 07:06:33 -07:00
vishalnayak ddcaf26396 Merge branch 'master-oss' into aws-auth-backend 2016-05-10 14:50:00 -04:00
Jeff Mitchell d899f9d411 Don't revoke CA certificates with leases. 2016-05-09 19:53:28 -04:00
Jeff Mitchell d77563994c Merge pull request #1346 from hashicorp/disable-all-caches
Disable all caches
2016-05-07 16:33:45 -04:00
Steve Jansen 597d59962c Adds sts:AssumeRole support to the AWS secret backend
Support use cases where you want to provision STS tokens
using Vault, but, you need to call AWS APIs that are blocked
for federated tokens.  For example, STS federated tokens cannot
invoke IAM APIs, such as  Terraform scripts containing
`aws_iam_*` resources.
2016-05-05 23:32:41 -04:00
Jeff Mitchell 4600ca8073 Merge branch 'master-oss' into aws-auth-backend 2016-05-05 10:36:06 -04:00
Jeff Mitchell 1b0df1d46f Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over 2016-05-03 17:01:02 -04:00
Jeff Mitchell 7fbe5d2eaa Region is required so error in awsutil if not set and set if empty in client code in logical/aws 2016-05-03 15:25:11 -04:00
Jeff Mitchell a244ef8a00 Refactor AWS credential code into a function that returns a static->env->instance chain 2016-05-03 15:10:35 -04:00
Jeff Mitchell f21b88802f Add some more tests around deletion and fix upsert status returning 2016-05-03 00:19:18 -04:00
Jeff Mitchell 7e1bdbe924 Massively simplify lock handling based on feedback 2016-05-02 23:47:18 -04:00
Jeff Mitchell 7f3613cc6e Remove some deferring 2016-05-02 22:36:44 -04:00
Jeff Mitchell fa0d389a95 Change use-hint of lockAll and lockPolicy 2016-05-02 22:36:44 -04:00
Jeff Mitchell 49c56f05e8 Address review feedback 2016-05-02 22:36:44 -04:00
Jeff Mitchell 3e5391aa9c Switch to lockManager 2016-05-02 22:36:44 -04:00
Jeff Mitchell 08b91b776d Address feedback 2016-05-02 22:36:44 -04:00
Jeff Mitchell fedc8711a7 Fix up commenting and some minor tidbits 2016-05-02 22:36:44 -04:00
Jeff Mitchell fe1f56de40 Make a non-caching but still locking variant of transit for when caches are disabled 2016-05-02 22:36:44 -04:00
vishalnayak 9aa8fb6cc1 Support periodic tidy callback and config endpoints. 2016-04-26 10:22:29 -04:00
Jeff Mitchell 30ba5b7887 Merge pull request #1291 from mmickan/ssh-keyinstall-perms
Ensure authorized_keys file is readable when uninstalling an ssh key
2016-04-25 14:00:37 -04:00
Adam Shannon fb07d07ad9 all: Cleanup from running go vet 2016-04-13 14:38:29 -05:00
vishalnayak 06eeaecef6 Skip acceptance tests if VAULT_ACC is not set 2016-04-11 20:00:15 -04:00
Kevin Pike dd98b08d36 Do not provide a default lease 2016-04-08 09:50:47 -07:00
Kevin Pike eeb145f049 List roles 2016-04-08 09:46:25 -07:00
Kevin Pike a86e5e3cd9 Support verify_connection flag 2016-04-08 09:44:15 -07:00
Kevin Pike 706ed5839e Fix username generation 2016-04-08 09:32:29 -07:00
Kevin Pike e3db8c999e Merge branch 'master' of github.com:doubledutch/vault 2016-04-08 09:25:28 -07:00
Kevin Pike 1102863f5a Update comment 2016-04-08 09:07:06 -07:00
Kevin Pike 35f49107cd Fix documentation typo 2016-04-08 09:05:38 -07:00
Kevin Pike 5460c24b94 Fix documentation typo 2016-04-08 09:05:06 -07:00
Kevin Pike 070fe56648 Rename uri to connection_uri 2016-04-08 09:04:42 -07:00
Kevin Pike 48d1f99afb Merge remote-tracking branch 'upstream/master' 2016-04-08 08:57:10 -07:00
vishalnayak fd8b023655 s/TF_ACC/VAULT_ACC 2016-04-05 15:24:59 -04:00
vishalnayak 95abdebb06 Added AcceptanceTest boolean to logical.TestCase 2016-04-05 15:10:44 -04:00
Mark Mickan a55124f0b6 Ensure authorized_keys file is readable when uninstalling an ssh key
Without this change, if the user running the ssh key install script doesn't
have read access to the authorized_keys file when uninstalling a key, all
keys will be deleted from the authorized_keys file.

Fixes GH #1285
2016-04-05 17:26:21 +09:30
Jeff Mitchell dfc5a745ee Remove check for using CSR values with non-CA certificate.
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.

Fixes #1250
2016-03-23 10:05:38 -04:00
Jeff Mitchell 1951a01998 Add ability to exclude adding the CN to SANs.
Fixes #1220
2016-03-17 16:28:40 -04:00
Vishal Nayak 343e6f1671 Merge pull request #998 from chrishoffman/mssql
Sql Server (mssql) secret backend
2016-03-10 22:30:24 -05:00
Chris Hoffman b1703fb18d Cleaning up lease and lease duration vars and params 2016-03-10 21:15:18 -05:00
Chris Hoffman ba94451875 Removing root protected endpoints 2016-03-10 21:08:39 -05:00
Chris Hoffman dc7da4f4e8 Changing DROP USER query to a more compatible version 2016-03-10 21:06:50 -05:00
Chris Hoffman 5af33afd90 Adding verify_connection to config, docs updates, misc cleanup 2016-03-09 23:08:05 -05:00
Jeff Mitchell 7a9122bbd1 Sanitize serial number in revocation path.
Ping #1180
2016-03-08 10:51:59 -05:00
Jeff Mitchell 34a9cb1a70 Add serial_number back to path_issue_sign responses in PKI 2016-03-08 09:25:48 -05:00
Jeff Mitchell 11dc3f328f Add revocation information to PKI fetch output (non-raw only).
Fixes #1180
2016-03-07 10:57:38 -05:00
Jeff Mitchell 67b85b8f7f Error rather than skip Consul acceptance tests if Consul isn't found 2016-03-07 10:09:36 -05:00
Chris Hoffman 0b4a8f5b94 Adding mssql secret backend 2016-03-03 09:19:17 -05:00
Jeff Mitchell 64ab16d137 Don't spawn consul servers when testing unless it's an acceptance test 2016-02-29 14:58:06 -05:00
Jeff Mitchell f6092f8311 Don't run transit fuzzing if not during acceptance tests 2016-02-29 14:44:04 -05:00
Jeff Mitchell 2205133ae4 Only run PKI backend setup functions when TF_ACC is set 2016-02-29 14:41:14 -05:00
Jeff Mitchell 7ae573b35b Apply hyphen/underscore replacement across the entire username.
Handles app-id generated display names.

Fixes #1140
2016-02-26 15:26:23 -05:00
Jeff Mitchell 8ca847c9b3 Be more explicit about buffer type 2016-02-24 22:05:39 -05:00
Jeff Mitchell 7d41607b6e Add "tidy/" which allows removing expired certificates.
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
vishalnayak 69bcbb28aa rename verify_cert as disable_binding and invert the logic 2016-02-24 21:01:21 -05:00
Matt Hurne 11187112bc Improve error message returned when client attempts to generate STS credentials for a managed policy; addresses #1113 2016-02-23 08:58:28 -05:00
Jeff Mitchell f56e4a604d Merge pull request #1114 from hashicorp/dont-delete-certs
Do not delete certs (or revocation information)
2016-02-22 16:11:13 -05:00
Jeff Mitchell 4514192145 Address review feedback 2016-02-22 16:11:01 -05:00
Jeff Mitchell f43ab6a25d Remove extra debugging from PKI tests 2016-02-22 13:39:05 -05:00
Jeff Mitchell f27eab1d28 Do not delete certs (or revocation information) to avoid potential
issues related to time synchronization. A function will be added to
allow operators to perform cleanup at chosen times.
2016-02-22 13:36:17 -05:00
Jeff Mitchell 51ced69bf8 Fix issue where leftover values after cn tests could trigger errors in ipsan tests 2016-02-22 13:35:57 -05:00
Vishal Nayak 949f8a6b69 Merge pull request #1112 from hashicorp/1089-postgres-connection-url
postgres: connection_url fix
2016-02-22 11:36:04 -05:00
Jeff Mitchell 4c327ca4cc More improvements to PKI tests; allow setting a specific seed, output
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
2016-02-22 11:22:52 -05:00
vishalnayak c9899a5300 postgres: connection_url fix 2016-02-22 11:22:49 -05:00
Jeff Mitchell 8d4c6f4c98 Use more fuzziness in PKI backend tests 2016-02-22 10:59:37 -05:00
Jeff Mitchell 392a26e9cd Better handle errors from fetchCertBySerial 2016-02-22 10:36:26 -05:00
Kevin Pike bcaac7f876 Update update operation and uuid references 2016-02-21 15:31:22 -08:00
Kevin Pike 264c9cc40e Merge branch 'master' into rabbitmq 2016-02-21 14:55:06 -08:00
Kevin Pike c755065415 Add RabbitMQ secret backend 2016-02-21 14:52:57 -08:00
Jeff Mitchell 58432c5d57 Add tests for minimum key size checking. (This will also verify that the
key type matches that of the role, since type assertions are required to
check the bit size). Like the rest, these are fuzz tests; I have
verified that the random seed will eventually hit error conditions if
ErrorOk is not set correctly when we expect an error.
2016-02-19 21:39:40 -05:00
Jeff Mitchell c57b646848 Check role key type and bits when signing CSR.
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
2016-02-19 20:50:49 -05:00
vishalnayak c4abe72075 Cap the length midString in IAM user's username to 42 2016-02-19 18:31:10 -05:00
Vishal Nayak 773de69796 Merge pull request #1102 from hashicorp/shorten-aws-usernames
Set limits on generated IAM user and STS token names.
2016-02-19 18:25:29 -05:00
Jeff Mitchell 574542b683 Some minor changes in mysql commenting and names 2016-02-19 16:44:52 -05:00
Jeff Mitchell 25b9f9b4a6 Set limits on generated IAM user and STS token names.
Fixes #1031
Fixes #1063
2016-02-19 16:35:06 -05:00
vishalnayak a16055c809 mysql: fix error message 2016-02-19 16:07:06 -05:00
vishalnayak 38b55bd8b1 Don't deprecate value field yet 2016-02-19 16:07:06 -05:00
vishalnayak 99f4969b20 Removed connectionString.ConnectionString 2016-02-19 16:07:05 -05:00
vishalnayak 380b662c3d mysql: provide allow_verification option to disable connection_url check 2016-02-19 16:07:05 -05:00
Jeff Mitchell 7fc4ee1ed7 Disallow 1024-bit RSA keys.
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
Vishal Nayak ba134f5a7a Merge pull request #1086 from hashicorp/iss962-verify-otp-response-code
SSH: Fix response code for ssh/verify
2016-02-18 13:32:28 -05:00
vishalnayak a6f3b31a36 ssh: Fix response code for ssh/verify 2016-02-16 19:46:29 -05:00
vishalnayak d9536043e7 Pki: Respond user error when cert is not found instead of internal error 2016-02-16 17:58:57 -05:00
Jeff Mitchell 3378db0166 Merge pull request #1061 from tomrittervg/tomrittervg-typos-1
Fix some typos
2016-02-11 15:12:09 -05:00
Jeff Mitchell 880c9798b7 Merge pull request #1062 from tomrittervg/tomrittervg-AllowedBaseDomain-migration
AllowedBaseDomain will stay non-empty in certain error conditions. None of these conditions should be hit anyways, but this provides an extra safety check.
2016-02-11 15:07:54 -05:00
Jeff Mitchell 46b22745c6 Merge pull request #1053 from mwielgoszewski/postgresql-revocation
Fix PostgreSQL secret backend issues revoking users
2016-02-11 12:52:37 -05:00
Tom Ritter a10dc14625 Fix AllowedBaseDomain Migration
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.

//untested
2016-02-09 15:42:15 -06:00
Tom Ritter 940a58cb9d Typo in error message in path_intermediate.go 2016-02-09 15:08:30 -06:00
Tom Ritter e5952a1c28 Typo in policy.go 2016-02-08 12:00:06 -06:00
Jeff Mitchell 4771884c78 Add slack on NotBefore value for generated certs.
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.

Fixes #1035
2016-02-07 14:00:03 -05:00
Jeff Mitchell eb1deefac1 Introduce a locking inmem storage for unit tests that are doing concurrent things 2016-02-04 09:40:35 -05:00
Jeff Mitchell 70eeaa1519 Add transit fuzz test 2016-02-03 17:36:15 -05:00
Vishal Nayak d02930fd95 Merge pull request #1013 from hashicorp/fix-ssh-tests
Fix SSH tests
2016-02-02 14:22:09 -05:00
vishalnayak f2e8ac0658 Fix SSH test cases. 2016-02-02 12:32:50 -05:00
Jeff Mitchell 159754acf2 Use capabilities to determine upsert-ability in transit. 2016-02-02 10:03:14 -05:00
Jeff Mitchell 5ef8839e48 Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config"
This reverts commit dc27d012c0357f93bfd5bd8d480f3e229166307a.
2016-02-02 09:26:25 -05:00
Jeff Mitchell 1d385b4de3 Re-add upsert into transit. Defaults to off and a new endpoint /config
can be used to turn it on for a given mount.
2016-02-01 20:13:57 -05:00
Jeff Mitchell 20f45678e6 Fix comment text 2016-02-01 17:20:16 -05:00
Jeff Mitchell fc6d23a54e Allow the format to be specified as pem_bundle, which creates a
concatenated PEM file.

Fixes #992
2016-02-01 13:19:41 -05:00
Jeff Mitchell af73d965a4 Cassandra:
* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs
2016-02-01 10:27:26 -05:00
Jeff Mitchell 627082b838 Remove grace periods 2016-01-31 19:33:16 -05:00
Jeff Mitchell 470ea58d73 Match leases in the test 2016-01-29 20:45:38 -05:00
Jeff Mitchell bab1220fb8 Fix building of consul backend test 2016-01-29 20:03:38 -05:00
Jeff Mitchell d3a705f17b Make backends much more consistent:
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
Jeff Mitchell 02cd4d7bf6 Merge pull request #979 from hashicorp/transit-locking
Implement locking in the transit backend.
2016-01-29 14:40:32 -05:00
Jeff Mitchell 073e755aa6 Update error return strings 2016-01-29 14:40:13 -05:00
Jeff Mitchell 3396b42c6c Address final review feedback 2016-01-29 14:33:51 -05:00
Jeff Mitchell cb1928451b Only specify cert sign / CRL sign for CAs and only specify extended key
usages for clients.

This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.

Fixes #987
2016-01-29 10:26:35 -05:00
Jeff Mitchell 2015118958 Add listing of roles to PKI 2016-01-28 15:18:07 -05:00
Jeff Mitchell f8a375777b Add list support for mysql roles 2016-01-28 15:04:25 -05:00
Jeff Mitchell 62e3ac83f8 Add list support for postgres roles 2016-01-28 14:41:50 -05:00
Jeff Mitchell 7be090b185 Fix postgres backend test SQL for user priv checking 2016-01-28 14:41:13 -05:00
Jeff Mitchell 12bd2f430b Ensure generatePolicy checks disk, not just the cache, now that we aren't eager loading 2016-01-28 13:10:59 -05:00
Jeff Mitchell dd57a3f55d Add listing of roles to ssh backend 2016-01-28 12:48:00 -05:00
Jeff Mitchell dd1b94fbd6 Remove eager loading 2016-01-28 08:59:05 -05:00
Jeff Mitchell be83340b14 Embed the cache directly 2016-01-27 21:59:20 -05:00
Jeff Mitchell 1ebae324ce Merge pull request #942 from wikiwi/fix-ssh-open-con
Cleanly close SSH connections
2016-01-27 17:18:54 -05:00
Jeff Mitchell 48c9f79896 Implement locking in the transit backend.
This ensures that we can safely rotate and modify configuration
parameters with multiple requests in flight.

As a side effect we also get a cache, which should provide a nice
speedup since we don't need to decrypt/deserialize constantly, which
would happen even with the physical LRU.
2016-01-27 17:03:21 -05:00