Commit graph

785 commits

Author SHA1 Message Date
Jeff Mitchell 2f41018df8
Fix panic when logging in to userpass without a valid user (#7160) 2019-07-22 12:27:28 -04:00
Mike Jarmy e0ce2195cc AWS upgrade role entries (#7025)
* upgrade aws roles

* test upgrade aws roles

* Initialize aws credential backend at mount time

* add a TODO

* create end-to-end test for builtin/credential/aws

* fix bug in initializer

* improve comments

* add Initialize() to logical.Backend

* use Initialize() in Core.enableCredentialInternal()

* use InitializeRequest to call Initialize()

* improve unit testing for framework.Backend

* call logical.Backend.Initialize() from all of the places that it needs to be called.

* implement backend.proto changes for logical.Backend.Initialize()

* persist current role storage version when upgrading aws roles

* format comments correctly

* improve comments

* use postUnseal funcs to initialize backends

* simplify test suite

* improve test suite

* simplify logic in aws role upgrade

* simplify aws credential initialization logic

* simplify logic in aws role upgrade

* use the core's activeContext for initialization

* refactor builtin/plugin/Backend

* use a goroutine to upgrade the aws roles

* misc improvements and cleanup

* do not run AWS role upgrade on DR Secondary

* always call logical.Backend.Initialize() when loading a plugin.

* improve comments

* on standbys and DR secondaries we do not want to run any kind of upgrade logic

* fix awsVersion struct

* clarify aws version upgrade

* make the upgrade logic for aws auth more explicit

* aws upgrade is now called from a switch

* fix fallthrough bug

* simplify logic

* simplify logic

* rename things

* introduce currentAwsVersion const to track aws version

* improve comments

* rearrange things once more

* conglomerate things into one function

* stub out aws auth initialize e2e test

* improve aws auth initialize e2e test

* finish aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* fix typo in test suite

* simplify logic a tad

* rearrange assignment

* Fix a few lifecycle related issues in #7025 (#7075)

* Fix panic when plugin fails to load
2019-07-05 16:55:40 -07:00
Jeff Mitchell fd856bdd24
Fix some compatibility (#7048) 2019-07-02 23:29:42 -04:00
Jeff Mitchell e36f626e75 Fix import cycle 2019-07-02 21:01:34 -04:00
Jeff Mitchell 7b672fee99
Add bound cidr checking at login time for remaining auths (#7046) 2019-07-02 17:44:38 -04:00
Jeff Mitchell ba29917e25 Fix github config path returning 500 instead of 404 2019-07-02 12:57:48 -04:00
Jeff Mitchell 126bdf2d02
Add UpgradeValue path to tokenutil (#7041)
This drastically reduces boilerplate for upgrading existing values
2019-07-02 09:52:05 -04:00
Jeff Mitchell 81770a4fe5 Fix some missing Period statements in recently tokenutilified auth method renewal funcs 2019-07-01 19:36:27 -04:00
Madalyn 910f615bf5
UI: Clean up Dynamic UI for CRUD (#6994) 2019-07-01 16:35:18 -04:00
Jeff Mitchell 25f676b42e
Switch cert to tokenutil (#7037) 2019-07-01 16:31:37 -04:00
Jeff Mitchell 18a4ab1db5
Update github to tokenutil (#7031)
* Update github to tokenutil

* Update phrasing
2019-07-01 16:31:30 -04:00
Jeff Mitchell e8f9ea2857
Tokenutilize radius (#7034) 2019-07-01 16:30:39 -04:00
Jeff Mitchell 9c81f88623
Tokenutilize Okta (#7032) 2019-07-01 16:30:30 -04:00
Jeff Mitchell 2bca5f439f
AppRole TokenUtil conversion (#7020) 2019-07-01 16:30:08 -04:00
Jeff Mitchell d5d2414b4b
Tokenutilize the AWS auth backend (#7027) 2019-07-01 16:29:34 -04:00
Jeff Mitchell 4e226a7c0e
Tokenutilize ldap (#7036) 2019-07-01 16:16:23 -04:00
Jeff Mitchell 5435645bb6
Fix upgrade logic with tokenutil (#7026)
If only a non-_token field is provided we don't want to clear out the
Token version of the params, we want to set both. Otherwise we can't
rely on using the Token version of the parameter when creating the Auth
struct.
2019-06-30 14:24:41 -04:00
Jeff Mitchell c3b7d35ecc
When using tokenutil, return []string not nil for empty slices (#7019)
This conveys type information instead of being a JSON null.
2019-06-29 16:36:21 -04:00
Jeff Mitchell 2e71ed0be2
Update userpass to use tokenutil's TokenParams (#6907)
* Update userpass to use tokenutil's TokenParams

* Use tokenutil deprecation helper
2019-06-28 18:20:53 -04:00
Jeff Mitchell 297a233b82 This breaks build (for a moment) because I want to pull this change out
of the tokenutil-userpass PR so that stands alone as a template.
2019-06-28 18:19:48 -04:00
Jeff Mitchell fe7bb0b630
Standardize how we format deprecated values in traditional path-help (#7007) 2019-06-27 14:52:52 -04:00
Madalyn a2606ddccf
update OpenAPI output to use DisplayAttributes struct (#6928) 2019-06-21 11:08:08 -04:00
Jim Kalafut 6d08c94866
Update LDAP "groups" parameter to use TypeCommaStringSlice (#6942)
No functional change, but the updated type plays nicer with the
OpenAPI-driven UI.
2019-06-20 15:36:54 -07:00
Jeff Mitchell 62158d65fe
Use a role cache to avoid separate locking paths (#6926)
* Use a role cache to avoid separate locking paths

Due to the various locked/nonlocked paths we had a case where we weren't
always checking for secondary status before trying to upgrade. This
broadly simplifies things by using a cache to store the current role
values (avoiding a lot of storage hits) and updating the cache on any
write, delete, or invalidation.
2019-06-20 10:31:31 -04:00
Calvin Leung Huang 76cc52f48c
auth/aws: guard against malformed assumed role ARNs (#6917)
* auth/aws: guard against malformed assumed role ARNs

* revert helper func changes
2019-06-18 15:51:40 -07:00
Jim Kalafut 8a0d423ed8
Fix gofmt (#6764) 2019-05-20 15:15:05 -07:00
Jim Kalafut 8bc9fa4583
Fix Okta auth to allow group names containing slashes (#6665)
This PR also adds CollectKeysPrefix which allows a more memory efficient
key scan for those cases where the result is immediately filtered by
prefix.
2019-05-01 14:56:18 -07:00
Calvin Leung Huang 93ee14844f cert/tests: fix tests due to cert expiry (#6647) 2019-04-26 16:49:30 -07:00
ncabatoff 06574da57a
Merge multiple functions for creating consul containers into one. (#6612)
Merge both functions for creating mongodb containers into one.
Add retries to docker container cleanups.
Require $VAULT_ACC be set to enable AWS tests.
2019-04-22 12:26:10 -04:00
Jeff Mitchell 5dcfe7bf5f
Fix a dropped Okta error (#6592) 2019-04-16 13:05:50 -04:00
Jeff Mitchell 213b9fd1cf Update to api 1.0.1 and sdk 0.1.8 2019-04-15 14:10:07 -04:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 28e2ce8577 Fix build breakages 2019-04-12 22:01:13 -04:00
Becca Petrin 6ded269700
Merge pull request #6268 from hashicorp/6234-aws-region
Add region to CLI for generating AWS login data
2019-04-12 16:15:38 -07:00
Jeff Mitchell 80c303ac83 Move ldaputil and tlsutil over to sdk 2019-04-12 18:26:54 -04:00
Jeff Mitchell a1796b3ece Move password to sdk 2019-04-12 18:12:13 -04:00
Jeff Mitchell 8d6ce1ffb5 Move policyutil to sdk 2019-04-12 18:08:46 -04:00
Jeff Mitchell 7ca424e8d2 Move cidrutil to sdk 2019-04-12 18:03:59 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Becca Petrin 4a4eab50a1 Merge branch 'opensource-master' into 6234-aws-region 2019-04-03 11:37:33 -07:00
Jeff Mitchell 0e93244b14 Clean up test artifacts 2019-04-02 15:09:31 -04:00
Jeff Mitchell a6d6d55c03
Fix failing cert test due to cert expiration (#6520)
This introduces a way to just generate new certs for each test. It
doesn't port everything over but we can over time.
2019-04-02 14:49:42 -04:00
Calvin Leung Huang 000066aff7
Update builtin/credential/aws/cli.go
Co-Authored-By: tyrannosaurus-becks <beccapetrin@posteo.net>
2019-04-01 15:37:02 -07:00
Becca Petrin 339cfcaaf8 merge master 2019-04-01 13:52:44 -07:00
T.K 453f1ac109 changed misspelled english words (#6432) 2019-03-19 09:32:45 -04:00
Iskander (Alex) Sharipov b4d30a1b6c all: fix no-op append calls (#6360)
Append call in form of `append(s)` has no effect,
it just returns `s`. Sometimes such invocation is a sign
of a programming error, so it's better to remove these.

Signed-off-by: Iskander Sharipov <quasilyte@gmail.com>
2019-03-14 13:40:30 -07:00
Martin 1b9327fe3f Fix inverted description for ldap/users$ and ldap/groups$ endpoints (#6406) 2019-03-13 11:02:45 -07:00
Becca Petrin 5829774e91
Support env vars for STS region (#6284) 2019-02-28 09:31:06 -08:00
Joel Thompson dbff485a1f Coax AWS SDK to use right region for STS 2019-02-20 22:57:39 -05:00
Becca Petrin 65b8ad9187 allow aws region in cli login 2019-02-20 16:43:21 -08:00
madalynrose 625f0c7546
Update OpenAPI responses to include information the UI can use (#6204) 2019-02-14 12:42:44 -05:00
Jeff Mitchell 82a85aa8c8 Make fmt 2019-02-08 09:12:55 -05:00
Naoki Ainoya a967078d80 add missing key bound_cidrs in pathCertRead Response (#6080) 2019-02-07 22:41:38 -05:00
Jeff Mitchell 2f9a7c6203
Add more perf standby guards (#6149) 2019-02-01 16:56:57 -05:00
Jeff Mitchell bbc1d53a5d Revert "Refactor common token fields and operations into a helper (#5953)"
This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 11:23:40 -05:00
Joel Thompson 33400e6e99 Fix typo in help text (#6136)
Small typo introduced in #6133
2019-01-31 08:53:54 -08:00
Jeff Mitchell 85a560abba
Refactor common token fields and operations into a helper (#5953) 2019-01-30 16:23:28 -05:00
Jeff Mitchell d8b0015d71 Add role ID to token metadata and internal data 2019-01-30 16:17:31 -05:00
Jeff Mitchell 47accf8086 Add role_id as an alias name source for AWS and change the defaults 2019-01-30 15:51:45 -05:00
Jeff Mitchell 159f0c1b0a Fix typo in comment 2019-01-17 13:28:27 -05:00
Vishal Nayak 0c30f46587
Add option to configure ec2_alias values (#5846)
* Add option to configure ec2_alias values

* Doc updates

* Fix overwriting of previous config value

* s/configEntry/config

* Fix formatting

* Address review feedback

* Address review feedback
2019-01-09 18:28:29 -05:00
Jim Kalafut d0e2badbae Run goimports across the repository (#6010)
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Brian Kassouf 0c6793d774
Update path_role.go (#5820) 2018-11-19 13:40:36 -08:00
Jeff Mitchell fa26beeaed fmt 2018-11-07 16:52:01 -05:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
Calvin Leung Huang b4503d02c6
Call wg.Add(1) outside of goroutine (#5716) 2018-11-06 16:36:13 -08:00
Jeff Mitchell 8eca41ee2d Fix build 2018-10-27 14:06:20 -04:00
Jeff Mitchell a21a7e9eb4
Change ordering of user lookup vs. password hashing (#5614)
* Change ordering of user lookup vs. password hashing

This fixes a very minor information leak where someone could brute force
the existence of a username. It's not perfect as the underlying storage
plays a part but bcrypt's slowness puts that much more in the noise.
2018-10-27 10:43:08 -07:00
Jeff Mitchell 89f0efb6a1 fmt 2018-10-20 21:09:51 -04:00
Jeff Mitchell 841c4fcdd1 Merge branch 'master-oss' into 1.0-beta-oss 2018-10-19 09:25:17 -04:00
Evgeniy Zakharochkin 46948aef80 ability to add NAS Identifier header to radius request (#5465) 2018-10-18 13:41:14 -04:00
Jeff Mitchell d843e0b52c Merge branch 'master-oss' into 1.0-beta-oss 2018-10-18 10:28:14 -04:00
Vishal Nayak 4c8aa842ad
Return absolute paths while listing in LDAP backend (#5537) 2018-10-17 14:56:51 -07:00
Jeff Mitchell a64fc7d7cb
Batch tokens (#755) 2018-10-15 12:56:24 -04:00
Becca Petrin 937cfff21a
Make builtin auth and secret plugins buildable (#5456) 2018-10-09 09:29:20 -07:00
Brian Kassouf 2995c06a53
Fix build (#5457) 2018-10-03 14:53:08 -07:00
Jeff Mitchell 13f98d9a4b
Fix reading Okta token parameter when config param exists (#5429)
Fixes #5409
2018-09-28 11:28:06 -04:00
joe miller d39ffc9e25 add allowed_organiztaional_units parameter to cert credential backend (#5252)
Specifying the `allowed_organiztaional_units` parameter to a cert auth
backend role will require client certificates to contain at least one of
a list of one or more "organizational units" (OU).

Example use cases:

Certificates are issued to entities in an organization arrangement by
organizational unit (OU). The OU may be a department, team, or any other logical
grouping of resources with similar roles. The entities within the OU
should be granted the same policies.

```
$ vault write auth/cert/certs/ou-engineering \
    certificate=@ca.pem \
    policies=engineering \
    allowed_organiztaional_units=engineering

$ vault write auth/cert/certs/ou-engineering \
    certificate=@ca.pem \
    policies=engineering \
    allowed_organiztaional_units=engineering,support
```
2018-09-27 19:04:55 -05:00
Joel Thompson 2dc468f4d1 auth/aws: Make identity alias configurable (#5247)
* auth/aws: Make identity alias configurable

This is inspired by #4178, though not quite exactly what is requested
there. Rather than just use RoleSessionName as the Identity alias, the
full ARN is uses as the Alias. This mitigates against concerns that an
AWS role with an insufficiently secured trust policy could allow an
attacker to generate arbitrary RoleSessionNames in AssumeRole calls to
impersonate anybody in the Identity store that had an alias set up.
By using the full ARN, the owner of the identity store has to explicitly
trust specific AWS roles in specific AWS accounts to generate an
appropriate RoleSessionName to map back to an identity.

Fixes #4178

* Respond to PR feedback

* Remove CreateOperation

Response to PR feedback
2018-09-26 08:27:12 -07:00
Clint 5882156f53
Translate AWS Rate limiting errors to 502 errors (#5270)
* Initial implemntation of returning 529 for rate limits

- bump aws iam and sts packages to v1.14.31 to get mocking interface
- promote the iam and sts clients to the aws backend struct, for mocking in tests
- this also promotes some functions to methods on the Backend struct, so
  that we can use the injected client

Generating creds requires reading config/root for credentials to contact
IAM. Here we make pathConfigRoot a method on aws/backend so we can clear
the clients on successful update of config/root path. Adds a mutex to
safely clear the clients

* refactor locking and unlocking into methods on *backend

* refactor/simply the locking

* check client after grabbing lock
2018-09-18 15:26:06 -05:00
Brian Kassouf a2608a3b61
Fix approle tidy on performance standbys (#5338)
* Fix approle tidy on performance standbys

* Forward PKI and AWS also
2018-09-17 09:53:23 -07:00
Clint 5f5af90dfe
Update AWS auth backend iam_request_headers to be TypeHeader (#5320)
Update AWS Auth backend to use TypeHeader for iam request headers

- Remove parseIamRequestHeaders function and test, no longer needed with new TypeHeader
- Update AWS auth login docs
2018-09-12 16:16:16 -05:00
Becca Petrin b2ff87c9c2
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 13:30:57 -07:00
Jim Kalafut e1a326152d
Switch to strings.EqualFold (#5284) 2018-09-11 16:22:29 -07:00
Jeff Mitchell 7191bca71a
Re-add injecting into top routes (#5244) 2018-09-05 11:45:17 -04:00
Joel Thompson acc85de6b9 auth/aws: Fix outdated help texts (#5253) 2018-09-04 10:55:02 -07:00
Becca Petrin 7a8c116fb1
undo make fmt (#5265) 2018-09-04 09:29:18 -07:00
Becca Petrin ed7639b0ec
run make fmt (#5261) 2018-09-04 09:12:59 -07:00
Calvin Leung Huang 9988ace85e gofmt files (#5233) 2018-08-31 09:15:40 -07:00
Jeff Mitchell e58a8a63a7
Add the ability to specify token CIDR restrictions on secret IDs. (#5136)
Fixes #5034
2018-08-21 11:54:04 -04:00
Jim Kalafut 212b00593d
Improve error message formatting (#5029)
Fixes #4999
2018-08-01 16:20:56 -07:00
Jeff Mitchell 34a0ae1e5d
Update path_tidy_user_id_test.go 2018-07-25 03:37:24 -04:00
Jeff Mitchell 7e6faf021d Fix race in test 2018-07-25 00:18:32 -04:00
Jeff Mitchell 9bfd73bfc6 Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 14:00:53 -07:00
Jeff Mitchell d144f2935e Two-pronged fix for renew policy checking (#4960)
1) In backends, ensure they are now using TokenPolicies
2) Don't reassign auth.Policies until after expmgr registration as we
don't need them at that point

Fixes #4829
2018-07-24 12:03:11 -07:00
andrejvanderzee c1c9e23fc5 Fixed writing config attribute 'max_retries' for existing client configs for aws auth method. (#4980) 2018-07-24 10:09:44 -04:00
Jeff Mitchell 9775340547 Log nil secret IDs instead of swallowing error 2018-07-23 17:46:20 -04:00
Jeff Mitchell 50ea7f3825 Fix context shadowing during radius login (#4941)
Fixes #4938
2018-07-17 11:17:07 -07:00
Becca Petrin ba39deb411 fix possible panic (#4942) 2018-07-17 11:15:28 -07:00
Jeff Mitchell 92ed8fa571 Fix test 2018-07-12 08:29:04 -04:00