Vishal Nayak
bf464b9a4b
Merge pull request #661 from hashicorp/maxopenconns
...
Parameterize max open connections in postgresql and mysql backends
2015-10-03 16:55:20 -04:00
vishalnayak
a740c68eab
Added a test case. Removed setting of defaultTTL in config.
2015-10-03 15:36:57 -04:00
vishalnayak
145aee229e
Merge branch 'master' of https://github.com/hashicorp/vault
2015-10-03 00:07:34 -04:00
vishalnayak
8e7975edc8
Added ConnectionURL along with ConnectionString
2015-10-02 23:47:10 -04:00
vishalnayak
e3f04dc444
Added testcases for config writes
2015-10-02 22:10:51 -04:00
Jeff Mitchell
645932a0df
Remove use of os/user as it cannot be run with CGO disabled
2015-10-02 18:43:38 -07:00
vishalnayak
ea0aba8e47
Use SanitizeTTL in credential request path instead of config
2015-10-02 15:41:35 -04:00
vishalnayak
69b478fff1
fix struct tags
2015-10-02 14:13:27 -04:00
vishalnayak
3dd84446ab
Github backend: enable auth renewals
2015-10-02 13:33:19 -04:00
vishalnayak
1f12482995
Fix ConnectionString JSON value
2015-10-02 12:07:31 -04:00
vishalnayak
644a655920
mysql: made max_open_connections configurable
2015-10-01 21:15:56 -04:00
vishalnayak
2051101c43
postgresql: Configurable max open connections to the database
2015-10-01 20:11:24 -04:00
Jeff Mitchell
c3bdde8abe
Add a static system view to github credential backend to fix acceptance tests
2015-09-29 18:55:59 -07:00
Jeff Mitchell
af27a99bb7
Remove JWT for the 0.3 release; it needs a lot of rework.
2015-09-24 16:23:44 -04:00
Jeff Mitchell
f10343921b
Start rejigging JWT
2015-09-24 16:20:22 -04:00
Jeff Mitchell
29c722dbb6
Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values
2015-09-21 16:14:30 -04:00
Jeff Mitchell
3eb38d19ba
Update transit backend documentation, and also return the min decryption
...
value in a read operation on the key.
2015-09-21 16:13:43 -04:00
Jeff Mitchell
5dde76fa1c
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 17:38:30 -04:00
Jeff Mitchell
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
Jeff Mitchell
01ee6c4fe1
Move no_plaintext to two separate paths for datakey.
2015-09-18 14:41:05 -04:00
Jeff Mitchell
448249108c
Add datakey generation to transit.
...
Can specify 128 bits (defaults to 256) and control whether or not
plaintext is returned (default true).
Unit tests for all of the new functionality.
2015-09-18 14:41:05 -04:00
Jeff Mitchell
61398f1b01
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key
2015-09-18 14:41:05 -04:00
Jeff Mitchell
801e531364
Enhance transit backend:
...
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
2015-09-18 14:41:05 -04:00
Jeff Mitchell
9c5dcac90c
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 14:01:28 -04:00
vishalnayak
1f53376ae6
Userpass Bk: Added tests for TTL duration verifications
2015-09-17 16:33:26 -04:00
vishalnayak
4332eb9d05
Vault userpass: Enable renewals for login tokens
2015-09-17 14:35:50 -04:00
Jeff Mitchell
77e7379ab5
Implement the cubbyhole backend
...
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell
104b29ab04
Rename View to StorageView to make it more distinct from SystemView
2015-09-15 13:50:37 -04:00
Lassi Pölönen
83d0ab73f5
Define time zone explicitly in postgresql connection string.
2015-09-14 13:43:06 +03:00
Lassi Pölönen
a9aaee6f5a
Explicitly set timezone with PostgreSQL timestamps.
2015-09-14 13:43:06 +03:00
Lassi Pölönen
79f68c934a
Call ResetDB as Cleanup routine to close existing database connections
...
on backend unmount.
2015-09-11 11:45:58 +03:00
Vishal Nayak
08f7fb9c8d
Merge pull request #580 from hashicorp/zeroaddress-path
...
Add root authenticated path to allow default CIDR to select roles
2015-09-10 15:28:49 -04:00
Jeff Mitchell
39cfcccdac
Remove error returns from sysview TTL calls
2015-09-10 15:09:54 -04:00
Jeff Mitchell
488d33c70a
Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation
2015-09-10 15:09:54 -04:00
Jeff Mitchell
4239f9d243
Add DynamicSystemView. This uses a pointer to a pointer to always have
...
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.
Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
d435048d9e
Switch StaticSystemView values to pointers, to support updating
2015-09-10 15:09:54 -04:00
vishalnayak
473c1d759d
Vault SSH: Testing credential creation on zero address roles
2015-09-10 11:55:07 -04:00
vishalnayak
d26497267c
Vault SSH: Expected data for testRoleRead
2015-09-10 10:44:26 -04:00
vishalnayak
475df43c59
Merge branch 'master' of https://github.com/hashicorp/vault
2015-09-10 10:03:17 -04:00
vishalnayak
d6b40c576d
Vault SSH: Refactoring tests
2015-09-03 18:56:45 -04:00
vishalnayak
17c266bfd3
Vault SSH: Refactor lookup test case
2015-09-03 18:43:53 -04:00
vishalnayak
c8c472e461
Vault SSH: Testcase restructuring
2015-09-03 18:11:04 -04:00
Jeff Mitchell
959a727acd
Don't re-use tls configuration, to fix a possible race issue during test
2015-09-03 13:04:32 -04:00
vishalnayak
3e7aa75d70
Vault SSH: make Zeroaddress entry Remove method private
2015-08-31 17:10:55 -04:00
vishalnayak
9918105404
Vault SSH: Store roles as slice of strings
2015-08-31 17:03:46 -04:00
vishalnayak
f21ad7da4c
Vault SSH: refactoring
2015-08-31 16:03:28 -04:00
vishalnayak
59bf9e6f9f
Vault SSH: Refactoring backend_test
2015-08-30 14:30:59 -04:00
vishalnayak
5e3f8d53f3
Vault SSH: ZeroAddress CRUD test
2015-08-30 14:20:16 -04:00
vishalnayak
6427a7e41e
Vault SSH: Add read method for zeroaddress endpoint
2015-08-29 20:22:34 -04:00
vishalnayak
dc4f97b61b
Vault SSH: Zeroaddress roles and CIDR overlap check
2015-08-29 15:24:15 -04:00
Jeff Mitchell
5fa76b5640
Add base_url option to GitHub auth provider to allow selecting a custom endpoint. Fixes #572 .
2015-08-28 06:28:43 -07:00
Vishal Nayak
d4609dea28
Merge pull request #578 from hashicorp/exclude-cidr-list
...
Vault SSH: Added exclude_cidr_list option to role
2015-08-28 07:59:46 -04:00
vishalnayak
b12a2f0013
Vault SSH: Added exclude_cidr_list option to role
2015-08-27 23:19:55 -04:00
Jeff Mitchell
a4fc4a8e90
Deprecate lease -> ttl in PKI backend, and default to system TTL values if not given. This prevents issuing certificates with a longer duration than the maximum lease TTL configured in Vault. Fixes #470 .
2015-08-27 12:24:37 -07:00
vishalnayak
fbff20d9ab
Vault SSH: Docs for default CIDR value
2015-08-27 13:10:15 -04:00
vishalnayak
5063a0608b
Vault SSH: Default CIDR for roles
2015-08-27 13:04:15 -04:00
vishalnayak
702a869010
Vault SSH: Provide key option specifications for dynamic keys
2015-08-27 11:41:29 -04:00
vishalnayak
5b08e01bb1
Vault SSH: Create .ssh directory if not present. Closes #573
2015-08-27 08:45:34 -04:00
Jeff Mitchell
9db8a5c744
Merge pull request #567 from hobbeswalsh/master
...
Spaces in displayName break AWS IAM
2015-08-26 12:37:52 -04:00
Robin Walsh
34b84367b5
Adding one more test (for no-op case)
2015-08-26 09:26:20 -07:00
Robin Walsh
4b7c2cc114
Adding unit test for normalizeDisplayName()
2015-08-26 09:23:33 -07:00
Jeff Mitchell
2098446d47
Ensure that the 'file' audit backend can successfully open its given path before returning success. Fixes #550 .
2015-08-26 09:13:10 -07:00
Jeff Mitchell
2d8bfff02b
Explicitly check for blank leases in AWS, and give a better error message if lease_max cannot be parsed. Fixes #569 .
2015-08-26 09:04:47 -07:00
Robin Walsh
8530f14fee
s/string replacement/regexp replacement
2015-08-24 17:00:54 -07:00
Robin Walsh
69f5abdc91
spaces in displayName break AWS IAM
2015-08-24 16:12:45 -07:00
vishalnayak
c35d78b3cb
Vault SSH: Documentation update
2015-08-24 14:18:37 -04:00
vishalnayak
e6987beb61
Vault SSH: Replace args with named vars
2015-08-24 14:07:07 -04:00
vishalnayak
eb91a3451b
Merging with master
2015-08-24 13:55:20 -04:00
vishalnayak
44c07cff5b
Vault SSH: Cleanup of aux files in install script
2015-08-24 13:50:46 -04:00
Jeff Mitchell
f7845234b4
Merge pull request #555 from hashicorp/toggleable-hostname-enforcement
...
Allow enforcement of hostnames to be toggleable for certificates.
2015-08-21 19:23:09 -07:00
Jeff Mitchell
5695d57ba0
Merge pull request #561 from hashicorp/fix-wild-cards
...
Allow hyphens in endpoint patterns of most backends
2015-08-21 11:40:42 -07:00
vishalnayak
6822af68e1
Vault SSH: Undo changes which does not belong to wild card changes
2015-08-21 09:58:15 -07:00
vishalnayak
6c2927ede0
Vault: Fix wild card paths for all backends
2015-08-21 00:56:13 -07:00
Jeff Mitchell
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
vishalnayak
0ffad79548
Vault SSH: Make the script readable
2015-08-20 16:12:17 -07:00
Jeff Mitchell
133380915a
Disallow non-client X509 key usages for client TLS cert authentication.
2015-08-20 15:50:47 -07:00
Jeff Mitchell
41b85a1c83
Allow enforcement of hostnames to be toggleable for certificates. Fixes #451 .
2015-08-20 14:33:37 -07:00
Vishal Nayak
beca9f1596
Merge pull request #385 from hashicorp/vishal/vault
...
SSH Secret Backend for Vault
2015-08-20 10:03:15 -07:00
Bernhard K. Weisshuhn
8a5361ea79
skip revoke permissions step on cassandra rollback (drop user is enough)
2015-08-20 11:15:43 +02:00
Bernhard K. Weisshuhn
86cde438a5
avoid dashes in generated usernames for cassandra to avoid quoting issues
2015-08-20 11:15:28 +02:00
vishalnayak
451d2b0532
Vault SSH: Removing script file
2015-08-19 12:59:52 -07:00
vishalnayak
76ed3bec74
Vault SSH: 1024 is default key size and removed 4096
2015-08-19 12:51:33 -07:00
vishalnayak
5b1ba99757
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-08-18 19:00:38 -07:00
vishalnayak
251cd997ad
Vault SSH: TLS client creation test
2015-08-18 19:00:27 -07:00
Armon Dadgar
aefb92b74c
Merge pull request #534 from ctennis/lease_reader
...
Fix #533 , add a reader for lease values (#529 ) and an acceptance test for mysql to prove it works
2015-08-18 19:00:18 -07:00
Jeff Mitchell
3cc4bd0b96
Fix AWS, again, and update Godeps.
2015-08-18 18:12:51 -07:00
vishalnayak
9324db7979
Vault SSH: verify echo test
2015-08-18 16:48:50 -07:00
vishalnayak
0c0ca91d2e
Vault SSH: Fix backend test cases
2015-08-18 15:40:52 -07:00
vishalnayak
b91ebbc6e2
Vault SSH: Documentation update and minor refactoring changes.
2015-08-17 18:22:03 -07:00
vishalnayak
9db318fc55
Vault SSH: Website page for SSH backend
2015-08-14 12:41:26 -07:00
vishalnayak
b2f29c517b
Vault SSH: Install script is optional now. Default script will be for Linux host.
2015-08-13 17:07:43 -07:00
vishalnayak
7f9babed2a
Vault SSH: CLI embellishments
2015-08-13 16:55:47 -07:00
vishalnayak
d670b50e78
Vault SSH: Introduced allowed_users option. Added helpers getKey and getOTP
2015-08-13 14:18:30 -07:00
Caleb Tennis
a36910799e
Fix #533 , add a reader for lease values ( #529 ) and an acceptance test for mysql to prove it works
2015-08-13 15:33:06 -04:00
vishalnayak
2320bfb1e4
Vault SSH: Helper for OTP creation and role read
2015-08-13 11:12:30 -07:00
vishalnayak
c11bcecbbb
Vault SSH: Mandate default_user. Other refactoring
2015-08-13 10:36:31 -07:00
vishalnayak
8e946f27cc
Vault SSH: cidr to cidr_list
2015-08-13 08:46:55 -07:00
vishalnayak
7d3025fd6e
Vault SSH: Default lease duration, policy/ to role/
2015-08-12 17:36:27 -07:00
vishalnayak
330ef396ca
Vault SSH: Default lease of 5 min for SSH secrets
2015-08-12 17:10:35 -07:00
vishalnayak
2d23ffe3d2
Vault SSH: Exposed verify request/response messges to agent
2015-08-12 13:22:48 -07:00
vishalnayak
f84347c542
Vault SSH: Added SSHAgent API
2015-08-12 10:48:58 -07:00
vishalnayak
93dfa67039
Merging changes from master
2015-08-12 09:28:16 -07:00
vishalnayak
0abf07cb91
Vault SSH: Website doc v1. Removed path_echo
2015-08-12 09:25:28 -07:00
Armon Dadgar
d1a09e295a
Merge pull request #509 from ekristen/github-fix
...
Reimplements #459
2015-08-11 10:06:10 -07:00
Armon Dadgar
3b9a6d5e33
Fixing merge conflict
2015-08-11 10:04:47 -07:00
Erik Kristensen
611965844b
reimplements #459
2015-08-09 11:25:45 -06:00
Michael S. Fischer
21ab4d526c
Provide working example of TLS certificate authentication
...
Fixes #474
2015-08-07 15:15:53 -07:00
Erik Kristensen
ae34ec2bff
adding basic tests
2015-08-06 17:50:34 -06:00
Erik Kristensen
2233f993ae
initial pass at JWT secret backend
2015-08-06 17:49:44 -06:00
vishalnayak
e5080a7f32
Merging with master
2015-08-06 18:44:40 -04:00
vishalnayak
32502977f6
Vault SSH: Automate OTP typing if sshpass is installed
2015-08-06 17:00:50 -04:00
vishalnayak
0af97b8291
Vault SSH: uninstall dynamic keys using script
2015-08-06 15:50:12 -04:00
vishalnayak
3dd8fe750d
Vault SSH: Script to install dynamic keys in target
2015-08-06 14:48:19 -04:00
Paul Hinze
fc9de56736
Update vault code to match latest aws-sdk-go APIs
2015-08-06 11:37:08 -05:00
Seth Vargo
bfd4b818b8
Update to latest aws and move off of hashicorp/aws-sdk-go
2015-08-06 12:26:41 -04:00
vishalnayak
9aa075f3c7
Vault SSH: Added 'echo' path to SSH
2015-08-04 15:30:24 -04:00
vishalnayak
476da10f1c
Vault SSH: Testing OTP creation
2015-08-03 19:04:07 -04:00
Erik Kristensen
26387f6535
remove newline
2015-08-03 16:34:24 -06:00
Erik Kristensen
f9c49f4a57
fix bug #488
2015-08-03 15:47:30 -06:00
vishalnayak
8409ba7210
Vault SSH: CRUD tests for named keys
2015-08-03 16:18:14 -04:00
Rusty Ross
719ac6e714
update doc for app-id
...
make clearer in doc that user-id can accept multiple app-id mappngs as comma-separated values
2015-08-03 09:44:26 -07:00
vishalnayak
b7c7befe68
Vault SSH: CRUD test for lookup API
2015-08-03 11:22:00 -04:00
vishalnayak
c4bd85c241
Vault SSH: CRUD test for dynamic role
2015-07-31 15:17:40 -04:00
vishalnayak
b592dcc3af
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-31 13:24:28 -04:00
vishalnayak
c7ef0b95c2
Vault SSH: CRUD test case for OTP Role
2015-07-31 13:24:23 -04:00
Armon Dadgar
03728af495
Merge pull request #464 from bgirardeau/master
...
Add Multi-factor authentication with Duo
2015-07-30 17:51:31 -07:00
Bradley Girardeau
aa55d36f03
Clean up naming and add documentation
2015-07-30 17:36:40 -07:00
vishalnayak
61c9f884a4
Vault SSH: Review Rework
2015-07-29 14:21:36 -04:00
Bradley Girardeau
d26b77b4f4
mfa: code cleanup
2015-07-28 11:55:46 -07:00
Bradley Girardeau
6697012dd3
mfa: improve edge cases and documentation
2015-07-27 21:14:00 -07:00
Bradley Girardeau
06863d08f0
mfa: add to userpass backend
2015-07-27 21:14:00 -07:00
Bradley Girardeau
4eb1beb31c
ldap: add mfa support to CLI
2015-07-27 21:14:00 -07:00
Bradley Girardeau
8fa5a349a5
ldap: add mfa to LDAP login
2015-07-27 21:14:00 -07:00
Vishal Nayak
4b4df4271d
Vault SSH: Refactoring
2015-07-27 16:42:03 -04:00
Vishal Nayak
2e7612a149
Vault SSH: admin_user/default_user fix
2015-07-27 15:03:10 -04:00
Vishal Nayak
e9f507caf0
Vault SSH: Refactoring
2015-07-27 13:02:31 -04:00
Raymond Pete
1ca09a74b3
name slug check
2015-07-26 22:21:16 -04:00
Vishal Nayak
b532ee0bf4
Vault SSH: Dynamic Key test case fix
2015-07-24 12:13:26 -04:00
Vishal Nayak
e8daf2d0a5
Vault SSH: keys/ designated special path
2015-07-23 18:12:13 -04:00
Vishal Nayak
e998face87
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-23 17:20:34 -04:00
Vishal Nayak
791a250732
Vault SSH: Support OTP key type from CLI
2015-07-23 17:20:28 -04:00
Vishal Nayak
47197d4cb3
Vault SSH: Added vault server otp verify API
2015-07-22 16:00:58 -04:00
Vishal Nayak
93f7448487
Vault SSH: Vault agent support
2015-07-22 14:15:19 -04:00
Bradley Girardeau
e8d26d244b
ldap: change setting user policies to setting user groups
2015-07-20 11:33:39 -07:00
Vishal Nayak
27e66e175f
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-17 17:22:17 -04:00
Bradley Girardeau
301a22295d
ldap: add ability to set policies based on username as well as groups
2015-07-14 15:46:15 -07:00
Bradley Girardeau
0e2edc2378
ldap: add ability to login with a userPrincipalName (user@upndomain)
2015-07-14 15:37:46 -07:00
Armon Dadgar
504a7ca7c1
auth/userpass: store password as hash instead of direct. Credit @kenbreeman
2015-07-13 15:09:24 +10:00
Armon Dadgar
da4650ccb4
auth/userpass: protect against timing attack. Credit @kenbreeman
2015-07-13 15:01:18 +10:00
Armon Dadgar
599d5f1431
auth/app-id: protect against timing attack. Credit @kenbreeman
2015-07-13 14:58:18 +10:00
Vishal Nayak
ed258f80c6
Vault SSH: Refactoring and fixes
2015-07-10 18:44:31 -06:00
Vishal Nayak
89a0e37a89
Vault SSH: Backend and CLI testing
2015-07-10 16:18:02 -06:00
Vishal Nayak
2901890df2
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-10 09:56:21 -06:00
Vishal Nayak
3c7dd8611c
Vault SSH: Test case skeleton
2015-07-10 09:56:14 -06:00
Armon Dadgar
96d6455ef5
audit: properly restore TLS state
2015-07-08 16:45:15 -06:00
Vishal Nayak
73414154f8
Vault SSH: Made port number configurable
2015-07-06 16:56:45 -04:00
Vishal Nayak
88a3c5d41a
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-06 11:05:08 -04:00
Armon Dadgar
0be3d419c8
secret/transit: address PR feedback
2015-07-05 19:58:31 -06:00
Armon Dadgar
8293457633
secret/transit: use base64 for context to allow binary
2015-07-05 14:37:51 -07:00
Armon Dadgar
f0eec18cc7
secret/transit: testing key derivation
2015-07-05 14:30:45 -07:00
Armon Dadgar
143cd0875e
secret/transit: support key derivation in encrypt/decrypt
2015-07-05 14:19:24 -07:00
Armon Dadgar
ae9591004b
secret/transit: check for context for derived keys
2015-07-05 14:12:07 -07:00
Armon Dadgar
b30dbce404
secret/transit: support derived keys
2015-07-05 14:11:02 -07:00
Vishal Nayak
425b69be32
Vault SSH: PR review rework: Formatting/Refactoring
2015-07-02 19:52:47 -04:00
Bradley Girardeau
42050fe77b
ldap: add starttls support and option to specificy ca certificate
2015-07-02 15:49:51 -07:00
Vishal Nayak
c0a62f28b1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-02 17:23:13 -04:00
Vishal Nayak
a1e2705173
Vault SSH: PR review rework
2015-07-02 17:23:09 -04:00
Jeff Mitchell
13c5fe0a16
Fix regexes to allow hyphens in role names, as the documentation shows
2015-07-01 20:39:18 -05:00
Vishal Nayak
30a24eef2c
Vault SSH: review rework: formatted and moved code
2015-07-01 21:26:42 -04:00
Vishal Nayak
67e543a863
Vault SSH: Regex supports hypen in key name and role names
2015-07-01 21:05:52 -04:00
Vishal Nayak
bb16052141
Vault SSH: replaced concatenated strings by fmt.Sprintf
2015-07-01 20:35:11 -04:00
Vishal Nayak
d691a95531
Vault SSH: PR review rework - 1
2015-07-01 11:58:49 -04:00
Vishal Nayak
1f001d283f
For SSH backend, allow factory to be provided instead of Backend
2015-07-01 09:37:11 -04:00
Vishal Nayak
3b0ff5b5f1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-01 09:31:25 -04:00
Armon Dadgar
b52d3e6506
cred/app-id: testing upgrade to salted keys
2015-06-30 18:37:10 -07:00
Armon Dadgar
eeb717c901
cred/app-id: first pass at automatic upgrading to salting
2015-06-30 18:09:08 -07:00
Armon Dadgar
4b27e4d8c5
Remove SetLogger, and unify on framework.Setup
2015-06-30 17:45:20 -07:00
Armon Dadgar
5d69e7da90
Updating for backend API change
2015-06-30 17:36:12 -07:00
Vishal Nayak
b0043737af
lease handling fix
2015-06-30 20:21:41 -04:00
Vishal Nayak
8627f3c360
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-30 18:33:37 -04:00
Vishal Nayak
5e5e6788be
Input validations, help strings, default_user support
2015-06-30 18:33:17 -04:00
Armon Dadgar
8bc99f8c23
helper/uuid: single generateUUID definition
2015-06-30 12:38:32 -07:00
Armon Dadgar
3c58773598
Merge pull request #380 from kgutwin/cert-cli
...
Enable TLS client cert authentication via the CLI
2015-06-30 11:44:28 -07:00
Armon Dadgar
b1f7e2f0ea
ldap: fixing merge conflict
2015-06-30 09:40:43 -07:00
Jeff Mitchell
762108d9eb
Put timestamp back into the username. Since Cassandra doesn't support expiration, this can be used by scripts to manually clean up old users if revocation fails for some reason.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 11:15:46 -04:00
Jeff Mitchell
42b90fa9b9
Address some issues from code review.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:27:23 -04:00
Jeff Mitchell
fccbc587c6
A Cassandra secrets backend.
...
Supports creation and deletion of users in Cassandra using flexible CQL queries.
TLS, including client authentication, is supported.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:04:01 -04:00
Karl Gutwin
0062d923cc
Better error messages.
2015-06-30 08:59:38 -04:00
Karl Gutwin
a54ba31635
Merge remote-tracking branch 'upstream/master' into cert-cli
2015-06-30 08:31:00 -04:00
Karl Gutwin
dafcc5b2ce
enable CLI cert login
2015-06-29 23:29:41 -04:00
Vishal Nayak
f7a0c17100
merge changes from master
2015-06-29 22:01:43 -04:00
Vishal Nayak
91ed2dcdc2
Refactoring changes
2015-06-29 22:00:08 -04:00
esell
c0e1843263
change skipsslverify to insecure_tls
2015-06-29 19:23:31 -06:00
Armon Dadgar
12d3aee58e
audit: fixing panic caused by tls connection state. Fixes #322
2015-06-29 17:16:17 -07:00
Armon Dadgar
add8e1a3fd
Fixing merge conflict
2015-06-29 15:19:04 -07:00
Armon Dadgar
337997ab04
Fixing merge conflict
2015-06-29 14:50:55 -07:00
Vishal Nayak
0f2c1f867e
SCP in pure GO and CIDR parsing fix
2015-06-29 11:49:34 -04:00
Vishal Nayak
29696d4b6b
Creating SSH keys and removal of files in pure 'go'
2015-06-26 15:43:27 -04:00
Vishal Nayak
8c15e2313b
ssh/lookup implementation and refactoring
2015-06-25 21:47:32 -04:00
Vishal Nayak
f39df58eef
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-24 18:13:26 -04:00
Vishal Nayak
b237a3bcc2
POC: Rework. Doing away with policy file.
2015-06-24 18:13:12 -04:00
esell
e81f966842
Set SkipSSLVerify default to false, add warning in help message
2015-06-24 13:38:14 -06:00
esell
d3225dae07
cleanup the code a bit
2015-06-24 10:09:29 -06:00
esell
84371ea734
allow skipping SSL verification on ldap auth
2015-06-24 10:05:45 -06:00
Jeff Mitchell
e086879fa3
Merge remote-tracking branch 'upstream/master' into f-pki
2015-06-19 13:01:26 -04:00
Vishal Nayak
f8d164f477
SSHs to multiple users by registering the respective host keys
2015-06-19 12:59:36 -04:00
Jeff Mitchell
a6fc48b854
A few things:
...
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
Nate Brown
4ec685dc1a
Logging authentication errors and bad token usage
2015-06-18 18:30:18 -07:00
Vishal Nayak
90605c6079
merging with master
2015-06-18 20:51:11 -04:00
Vishal Nayak
8d98968a54
Roles, key renewal handled. End-to-end basic flow working.
2015-06-18 20:48:41 -04:00
Jeff Mitchell
34f495a354
Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
Vishal Nayak
2aed5f8798
Implementation for storing and deleting the host information in Vault
2015-06-17 22:10:47 -04:00
Armon Dadgar
d34861b811
secret/transit: allow policies to be upserted
2015-06-17 18:51:05 -07:00
Armon Dadgar
f53d31a580
secret/transit: Use special endpoint to get underlying keys. Fixes #219
2015-06-17 18:42:23 -07:00
Vishal Nayak
cfef144dc2
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-17 20:34:56 -04:00
Vishal Nayak
303a7cef9a
Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH.
2015-06-17 20:33:03 -04:00
Armon Dadgar
45d3c512fb
builtin: fixing API change in logical framework
2015-06-17 14:34:11 -07:00
Armon Dadgar
30de4ea80d
secret/postgres: Ensure sane username length. Fixes #326
2015-06-17 13:31:56 -07:00
Jeff Mitchell
29e7ec3e21
A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
...
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.
More refactoring could be done within the PKI backend itself, but that can wait.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
Vishal Nayak
3ed73d98c2
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect
2015-06-17 12:39:49 -04:00
Vishal Nayak
08c921c75e
Vault SSH: POC Stage 1. Skeleton implementation.
2015-06-16 16:58:54 -04:00
Jeff Mitchell
49f1fdbdcc
Merge branch 'master' into f-pki
2015-06-16 13:43:25 -04:00
Jeff Mitchell
03b0675350
A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions
...
useful for other parts of Vault (including the API) to take advantage of.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-16 13:43:12 -04:00
Mitchell Hashimoto
4bf84392ec
credential/github: get rid of stray tab
2015-06-16 10:05:51 -07:00
Mitchell Hashimoto
0ecf05c043
command/auth, github: improve cli docs
...
/cc @sethvargo
2015-06-16 10:05:11 -07:00
Christian Svensson
e3d3012795
Record the common name in TLS metadata
...
It is useful to be able to save the client cert's Common Name for auditing purposes when using a central CA.
This adds a "common_name" value to the Metadata structure passed from login.
2015-06-14 23:18:21 +01:00
Jeff Mitchell
ae1cbc1a7a
Erp, forgot this feedback...
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 23:16:13 -04:00
Jeff Mitchell
7cf1f186ed
Add locking for revocation/CRL generation. I originally was going to use an RWMutex but punted, because it's not worth trying to save some milliseconds with the possibility of getting something wrong. So the entire operations are now wrapped, which is minimally slower but very safe.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 22:28:13 -04:00
Jeff Mitchell
018c0ec7f5
Address most of Armon's initial feedback.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 21:57:05 -04:00
Jeff Mitchell
1513e2baa4
Add acceptance tests
...
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling
Also, fix a bug when trying to get code signing certificates.
Not tested:
* Revocation (I believe this is impossible with the current testing framework)
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jeff Mitchell
0d832de65d
Initial PKI backend implementation.
...
Complete:
* Up-to-date API documents
* Backend configuration (root certificate and private key)
* Highly granular role configuration
* Certificate generation
* CN checking against role
* IP and DNS subject alternative names
* Server, client, and code signing usage types
* Later certificate (but not private key) retrieval
* CRL creation and update
* CRL/CA bare endpoints (for cert extensions)
* Revocation (both Vault-native and by serial number)
* CRL force-rotation endpoint
Missing:
* OCSP support (can't implement without changes in Vault)
* Unit tests
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jonathan Sokolowski
348924eaab
logical/consul: Combine policy and lease into single storage struct
2015-05-28 09:36:23 +10:00
Jonathan Sokolowski
6b0820d709
logical/consul: custom lease time for roles
2015-05-27 09:53:46 +10:00
Ian Unruh
2e1bce27a9
Allow dot in LDAP login username
2015-05-20 11:54:15 -07:00
Armon Dadgar
cc966d6b52
auth/cert: Guard against empty certs. Fixes #214
2015-05-18 16:11:09 -07:00
Armon Dadgar
56659a2db2
cred/app-id: ensure consistent error message
2015-05-15 11:45:57 -07:00
Armon Dadgar
8cff23f29b
cred/app-id: stricter validation and error messaging
2015-05-15 11:40:45 -07:00
Jonathan Sokolowski
6746a24c78
credential/app-id: Test DeleteOperation
2015-05-14 22:30:02 +10:00
Etourneau Gwenn
a3fe4b889f
Fix Error message
2015-05-12 14:32:09 +09:00
Mitchell Hashimoto
1ca0b2340c
credential/app-id: add hash of user/app ID to metadata for logs
2015-05-11 10:46:11 -07:00
Mitchell Hashimoto
5406d3189e
Merge pull request #184 from hashicorp/b-github-casing
...
credential/github: case insensitive mappings
2015-05-11 10:27:45 -07:00
Mitchell Hashimoto
5c63b70eea
logical/framework: PathMap is case insensitive by default
2015-05-11 10:27:04 -07:00
Mitchell Hashimoto
4e861f29bc
credential/github: case insensitive mappings
2015-05-11 10:24:39 -07:00
Giovanni Bajo
8156b88353
auth/ldap: move password into InternalData
2015-05-09 22:06:34 +02:00
Giovanni Bajo
84388b2b20
auth/ldap: move username into the path (to allow per-user revokation on the path)
2015-05-09 22:06:28 +02:00
Giovanni Bajo
5e899e7de2
auth/ldap: fix pasto
2015-05-09 22:06:22 +02:00
Giovanni Bajo
1e1219dfcc
auth/ldap: implement login renew
2015-05-09 22:04:20 +02:00
Giovanni Bajo
a0f53f177c
auth/ldap: document LDAP server used in tests
2015-05-09 22:04:20 +02:00
Giovanni Bajo
b4093e2ddf
auth/ldap: add acceptance tests
2015-05-09 22:04:20 +02:00
Giovanni Bajo
02d3b1c74c
auth/ldap: add support for groups with unique members
2015-05-09 22:04:20 +02:00