luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
2659 commits 1 branch 0 tags 214 MiB
Commit graph

456 commits

Author SHA1 Message Date
Vishal Nayak d02930fd95 Merge pull request #1013 from hashicorp/fix-ssh-tests 
Fix SSH tests
 2016-02-02 14:22:09 -05:00
vishalnayak f2e8ac0658 Fix SSH test cases. 2016-02-02 12:32:50 -05:00
Jeff Mitchell 159754acf2 Use capabilities to determine upsert-ability in transit. 2016-02-02 10:03:14 -05:00
Jeff Mitchell 5ef8839e48 Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config" 
This reverts commit dc27d012c0357f93bfd5bd8d480f3e229166307a.
 2016-02-02 09:26:25 -05:00
Jeff Mitchell 1d385b4de3 Re-add upsert into transit. Defaults to off and a new endpoint /config 
can be used to turn it on for a given mount.
 2016-02-01 20:13:57 -05:00
Jeff Mitchell 20f45678e6 Fix comment text 2016-02-01 17:20:16 -05:00
Jeff Mitchell fc6d23a54e Allow the format to be specified as pem_bundle, which creates a 
concatenated PEM file.

Fixes #992
 2016-02-01 13:19:41 -05:00
Jeff Mitchell af73d965a4 Cassandra: 
* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs
 2016-02-01 10:27:26 -05:00
Jeff Mitchell 627082b838 Remove grace periods 2016-01-31 19:33:16 -05:00
Jeff Mitchell 61eec74b4e Remove app-id renewal for the moment until verification logic is added 2016-01-31 19:12:20 -05:00
Jeff Mitchell 470ea58d73 Match leases in the test 2016-01-29 20:45:38 -05:00
Jeff Mitchell bf13d68372 Fix userpass acceptance tests by giving it a system view 2016-01-29 20:14:14 -05:00
Jeff Mitchell bab1220fb8 Fix building of consul backend test 2016-01-29 20:03:38 -05:00
Jeff Mitchell d3a705f17b Make backends much more consistent: 
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
 2016-01-29 20:03:37 -05:00
Jeff Mitchell 02cd4d7bf6 Merge pull request #979 from hashicorp/transit-locking 
Implement locking in the transit backend.
 2016-01-29 14:40:32 -05:00
Jeff Mitchell 073e755aa6 Update error return strings 2016-01-29 14:40:13 -05:00
Jeff Mitchell 3396b42c6c Address final review feedback 2016-01-29 14:33:51 -05:00
Jeff Mitchell cb1928451b Only specify cert sign / CRL sign for CAs and only specify extended key 
usages for clients.

This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.

Fixes #987
 2016-01-29 10:26:35 -05:00
Jeff Mitchell 2015118958 Add listing of roles to PKI 2016-01-28 15:18:07 -05:00
Jeff Mitchell f8a375777b Add list support for mysql roles 2016-01-28 15:04:25 -05:00
Jeff Mitchell 62e3ac83f8 Add list support for postgres roles 2016-01-28 14:41:50 -05:00
Jeff Mitchell 7be090b185 Fix postgres backend test SQL for user priv checking 2016-01-28 14:41:13 -05:00
Jeff Mitchell 12bd2f430b Ensure generatePolicy checks disk, not just the cache, now that we aren't eager loading 2016-01-28 13:10:59 -05:00
Jeff Mitchell dd57a3f55d Add listing of roles to ssh backend 2016-01-28 12:48:00 -05:00
Jeff Mitchell dd1b94fbd6 Remove eager loading 2016-01-28 08:59:05 -05:00
Jeff Mitchell be83340b14 Embed the cache directly 2016-01-27 21:59:20 -05:00
Jeff Mitchell 1ebae324ce Merge pull request #942 from wikiwi/fix-ssh-open-con 
Cleanly close SSH connections
 2016-01-27 17:18:54 -05:00
Jeff Mitchell 01102f0d06 Merge pull request #975 from vetinari/ldapbind 
Implement LDAP username/password binding support, as well as anonymous search.
 2016-01-27 17:06:45 -05:00
Jeff Mitchell 48c9f79896 Implement locking in the transit backend. 
This ensures that we can safely rotate and modify configuration
parameters with multiple requests in flight.

As a side effect we also get a cache, which should provide a nice
speedup since we don't need to decrypt/deserialize constantly, which
would happen even with the physical LRU.
 2016-01-27 17:03:21 -05:00
Jeff Mitchell d1b2bf3183 Move archive location; also detect first load of a policy after archive 
is added and cause the keys to be copied to the archive.
 2016-01-27 13:41:37 -05:00
Jeff Mitchell 369d0bbad0 Address review feedback 2016-01-27 13:41:37 -05:00
Jeff Mitchell e5a58109ec Store all keys in archive always 2016-01-27 13:41:37 -05:00
Jeff Mitchell 30ffc18c19 Add unit tests 2016-01-27 13:41:37 -05:00
Jeff Mitchell 5000711a67 Force min decrypt version to 1 if it's zero, which allows fixing problematic archiving logic 2016-01-27 13:41:37 -05:00
Jeff Mitchell 7a27dd5cb3 Fix logic bug when restoring keys 2016-01-27 13:41:37 -05:00
Jeff Mitchell 004b35be36 Fix decrementing instead of incrementing 2016-01-27 13:41:37 -05:00
Jeff Mitchell beafe25508 Initial transit key archiving work 2016-01-27 13:41:37 -05:00
Hanno Hecker 0db33274b7 discover bind dn with anonymous binds 2016-01-27 17:06:27 +01:00
Hanno Hecker 4606cd1492 fix stupid c&p error 2016-01-26 16:15:25 +01:00
Hanno Hecker 6a570345a0 add binddn/bindpath to search for the users bind DN 2016-01-26 15:56:41 +01:00
Jeff Mitchell 7390cd5264 Add a max_idle_connections parameter. 2016-01-25 14:47:07 -05:00
Jeff Mitchell 12c00b97ef Allow backends to see taint status. 
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.

Fixes #946
 2016-01-22 17:01:22 -05:00
Dmitriy Gromov 70ef2e3398 STS now uses root vault user for keys 
The secretAccessKeysRevoke revoke function now asserts that it is
not dealing with STS keys by checking a new internal data flag. Defaults
to IAM when the flag is not found.

Factored out genUsername into its own function to share between STS and
IAM secret creation functions.

Fixed bad call to "WriteOperation" instead of "UpdateOperation" in
aws/backend_test
 2016-01-21 15:04:16 -05:00
Dmitriy Gromov 4abca91d66 Renamed sts duration to ttl and added STS permissions note. 2016-01-21 14:28:34 -05:00
Dmitriy Gromov f251b13aaa Removing debug print statement from sts code 2016-01-21 14:05:10 -05:00
Dmitriy Gromov 1cf8153dfd Fixed duration type and added acceptance test for sts 2016-01-21 14:05:10 -05:00
Dmitriy Gromov 71afb7cff0 Configurable sts duration 2016-01-21 14:05:09 -05:00
Jack DeLoach 8fecccde21 Add STS path to AWS backend. 
The new STS path allows for obtaining the same credentials that you would get
from the AWS "creds" path, except it will also provide a security token, and
will not have an annoyingly long propagation time before returning to the user.
 2016-01-21 14:05:09 -05:00
Jeff Mitchell 0f0949ab06 Merge pull request #895 from nickithewatt/aws-prexisting-policies 
Allow use of pre-existing policies for AWS users
 2016-01-21 13:23:37 -05:00
Chi Vinh Le f3e5e44cd0 Cleanly close SSH connections 2016-01-19 07:59:08 +01:00