Commit graph

1877 commits

Author SHA1 Message Date
Jeff Mitchell 28890ee198 Make proto
It appears the only thing that actually change is that the tag got
`proto3` values added.
2018-07-10 20:49:48 -04:00
Jim Kalafut eb70ad032a Fix interface conversion panic during database creds revoke (#4850) 2018-06-28 09:42:04 -07:00
Jeff Mitchell 3fee2cc8dd Simplify logic 2018-06-19 23:07:56 -04:00
Calvin Leung Huang ac4be8d44d Do not fail login if no policies are mapped to the user or group (#4798)
* Do not fail login if no policies are mapped to the user or group

* Remove debug line

* Remove restriction in radius
2018-06-19 23:00:22 -04:00
Becca Petrin 73cbbe2a9f Add bound cidrs to tokens in AppRole (#4680) 2018-06-19 22:57:11 -04:00
Chris Hoffman 52f9f7412c
correct delete path for tidy operations (#4799) 2018-06-19 20:58:12 -04:00
Jeff Mitchell cffb1183a8
Database updates (#4787)
* Database updates

* Add create/update distinction for connection config
* Add create/update distinction for role config
* Add db name and revocation statements to leases to give revocation a
shot at working if the role has been deleted

Fixes #3544
Fixes #4782

* Add create/update info to docs
2018-06-19 11:24:28 -04:00
Vishal Nayak 69eff9c354
return 404 when role does exist on update operations (#4778) 2018-06-18 09:29:05 -04:00
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Mr Talbot 5551a63221 pki: add ext_key_usage to mirror key_usage and add to sign-verbatim (#4777)
* pki: add ext_key_usage parameter to role

* pki: add key_usage and ext_key_usage parameter to sign-verbatim

* pki: cleanup code as per comments
2018-06-15 18:20:43 -04:00
Jeff Mitchell 91ca3d4b7f
Add URI SANs (#4767) 2018-06-15 15:32:25 -04:00
Jeff Mitchell 5d44c54947
Changes the way policies are reported in audit logs (#4747)
* This changes the way policies are reported in audit logs.

Previously, only policies tied to tokens would be reported. This could
make it difficult to perform after-the-fact analysis based on both the
initial response entry and further requests. Now, the full set of
applicable policies from both the token and any derived policies from
Identity are reported.

To keep things consistent, token authentications now also return the
full set of policies in api.Secret.Auth responses, so this both makes it
easier for users to understand their actual full set, and it matches
what the audit logs now report.
2018-06-14 09:49:33 -04:00
Jeff Mitchell 76b0d11793
Redo transit locking (#4720)
This massively simplifies transit locking behavior by pushing some
locking down to the Policy level, and embedding either a local or global
lock in the Policy depending on whether caching is enabled or not.
2018-06-12 12:24:12 -04:00
Vishal Nayak cb3c689798
Fix panic due to metadata being nil (#4719)
* Fix panic due to metadata being nil

* added a nil check

* Added a test

* ensure metadata is never nil

* Remove unnecessary allocation

* revert back to early initialization
2018-06-11 11:22:26 -04:00
Jeff Mitchell b65959c8a0 Fix build 2018-06-11 11:21:37 -04:00
Jeff Mitchell 8d3503a048
Add context handling to Consul operations (#4739) 2018-06-11 11:03:00 -04:00
Jeff Mitchell 8916f6b625
Some atomic cleanup (#4732)
Taking inspiration from
https://github.com/golang/go/issues/17604#issuecomment-256384471
suggests that taking the address of a stack variable for use in atomics
works (at least, the race detector doesn't complain) but is doing it
wrong.

The only other change is a change in Leader() detecting if HA is enabled
to fast-path out. This value never changes after NewCore, so we don't
need to grab the read lock to check it.
2018-06-09 15:35:22 -04:00
Jeff Mitchell 4b7d2bed01 Transit convergent v3 2018-06-05 18:53:39 -04:00
Vishal Nayak 11e2fd2fce approle: Fix role name case sensitivity issue 2018-06-05 18:53:27 -04:00
Jeff Mitchell 0138351ea4
Return generic messages if pre-login ldap operations fail (#4700)
This avoids leaking any information about valid usernames.
2018-06-05 11:23:10 -04:00
Marcin Wielgoszewski 9316c96364 Add support for x.509 Name Serial Number attribute in subject of certificates (#4694) 2018-06-04 23:18:39 -04:00
Chris Hoffman 5344b7c5ae
adding option go_package to protos (#4687)
* adding option go_package to protos

* switching proto output dir to relative paths
2018-06-04 10:19:26 -04:00
Becca Petrin b558b388ce strip checking cidrs on renewals (#4682) 2018-06-03 09:22:54 -04:00
Alex Ionescu 7c31dacea2 Custom extended key usage for PKI. (#4667)
Custom extended key usage for PKI
2018-06-01 09:13:54 -04:00
Jeff Mitchell c4b53bc805 Block travis from running ldap tests as the test server is often failing 2018-05-30 08:46:25 -04:00
Brian Kassouf 893d874291 Update proto files (#4651) 2018-05-29 18:23:51 -04:00
Jeff Mitchell 244cb0bf9a
Ensure safety_buffer in PKI is greater than zero (#4643)
Fixes #4641
2018-05-28 12:08:22 -04:00
Jeff Mitchell 3e95305efa Fix mistaken extra Period value 2018-05-25 11:54:36 -04:00
Nicholas Jackson 17460461a0 Breakout parameters for x.509 certificate login (#4463) 2018-05-25 10:34:46 -04:00
Becca Petrin 4c1d8013f3
move fields and field parsing to helper (#4603) 2018-05-21 17:04:26 -07:00
Becca Petrin fb04064967
Restrict userpass logins & tokens by CIDR (#4557) 2018-05-21 11:47:28 -07:00
Jeff Mitchell 72200603c6
Fix role writing not allowing key_type of any (#4596)
Fixes #4595
2018-05-19 10:24:43 -07:00
Becca Petrin 910925457f
Move LDAP client and config code to helper (#4532) 2018-05-10 14:12:42 -07:00
Becca Petrin e4656c1264
Shorten code by using ParseAddrs (#4546) 2018-05-10 13:21:55 -07:00
Becca Petrin 76c717b081
Restrict cert auth by CIDR (#4478) 2018-05-09 15:39:55 -07:00
Jeff Mitchell 072cd783b5 Fix another PKI test 2018-05-09 12:51:34 -04:00
Jeff Mitchell 573b403b5e Fix PKI test 2018-05-09 12:47:00 -04:00
Jeff Mitchell e5f4ca83a0
Update PKI to natively use time.Duration (#4493)
* Update PKI to natively use time.Duration

Among other things this now means PKI will output durations in seconds
like other backends, instead of as Go strings.

* Add a warning when refusing to blow away an existing root instead of just returning success

* Fix another issue found while debugging this...

The reason it wasn't caught on tests in the first place is that the ttl
and max ttl were only being compared if in addition to a provided csr, a
role was also provided. This was because the check was in the role !=
nil block instead of outside of it. This has been fixed, which made the
problem occur in all sign-verbatim cases and the changes in this PR have
now verified the fix.
2018-05-09 10:29:54 -04:00
Vishal Nayak df8484f7af
approle: Make invalid role_id a 400 error instead of 500 (#4470)
* make invalid role_id a 400 error

* remove single-use validateCredentials function

* remove single-use validateBindSecretID function

* adjust the error message for CIDR check failure

* locking updates as review feedback
2018-05-04 10:15:16 -04:00
Jeff Mitchell b1d44a7dee
Fix alias data being used for cert auth (serial number -> common name) (#4495)
Fixes #4475
2018-05-04 10:08:23 -04:00
Jeff Mitchell c0ed57feae
Revert "proto changes (#4503)" (#4504)
This reverts commit 14594bd76e04ff09c442738800be5fdebc45512f.
2018-05-03 15:38:53 -04:00
Vishal Nayak 7549ea0d12
proto changes (#4503) 2018-05-03 15:23:14 -04:00
Becca Petrin d51acbde68
New proto version (#4501) 2018-05-03 10:19:39 -07:00
Robison Jacka b78b9c7ebf Iterating over CSR extensions, and skipping BasicConstraints, since those should be defined by the endpoint that's performing the signing. (#4469) 2018-05-01 11:22:49 -04:00
Calvin Leung Huang 44b44f7f54
Early skip mssql test if not on acceptance, defer Teardown() early in testing.Test (#4457) 2018-04-26 12:17:44 -04:00
Calvin Leung Huang 7d214d2a3a
Purge opened connections on retries during tests (#4452) 2018-04-26 11:28:58 -04:00
vishalnayak 9ef3a36007 s/enable_local_secret_ids/local_secret_ids 2018-04-24 17:52:42 -04:00
vishalnayak 965a16f888 remove unneeded comments 2018-04-24 16:28:25 -04:00
vishalnayak b91d53fd76 refactor to be able to defer lock.Unlock() 2018-04-24 16:17:24 -04:00
vishalnayak f3dd8b3d17 fix typo 2018-04-24 16:03:18 -04:00
vishalnayak b16ee7b32d remove unneeded setting of secret ID prefix 2018-04-24 15:55:40 -04:00
vishalnayak 7832e06fdc Add field read test 2018-04-24 15:48:07 -04:00
vishalnayak 10579f5d8d Fix api path for reading the field 2018-04-24 14:28:03 -04:00
vishalnayak 7039f6dccd Merge branch 'master-oss' into approle-local-secretid 2018-04-24 11:03:39 -04:00
vishalnayak c46e021543 Add tests 2018-04-24 11:02:11 -04:00
vishalnayak aade040e50 Add immutability test 2018-04-24 10:05:17 -04:00
vishalnayak 97c03c5a65 Add enable_local_secret_ids to role read response 2018-04-24 09:53:36 -04:00
Alex Samorukov cb52f3eb80 Use locking to avoid parallel script execution (#4358) 2018-04-23 18:04:22 -04:00
vishalnayak 6b7a042003 error on enable_local_secret_ids update after role creation 2018-04-23 17:05:53 -04:00
vishalnayak 644892c53c naming changes 2018-04-23 16:52:09 -04:00
vishalnayak a369a4edb6 Upgrade secret ID prefix and fix tests 2018-04-23 16:31:51 -04:00
vishalnayak d14cd4a51e segregate local and non-local accessor entries 2018-04-23 16:19:05 -04:00
vishalnayak 7efbee2a12 Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 16:02:55 -04:00
vishalnayak 743e3ace13 fix path regex and role storage 2018-04-23 14:08:30 -04:00
vishalnayak 1680b56d43 add prefix to LocalStorage 2018-04-23 14:08:30 -04:00
vishalnayak 97b821b231 local secret IDs 2018-04-23 14:08:30 -04:00
Calvin Leung Huang 31633654ee Explicitly use 5.7 and below to test mysql backends (#4429) 2018-04-23 13:03:02 -04:00
Becca Petrin b3b7fba67e
Release database resources on each iteration of a loop (#4305) 2018-04-17 16:31:09 -07:00
Calvin Leung Huang c7dddaf537
Skip CI acceptance tests on missing required values (#4346)
* Skip dynamic key acceptance test if vaultssh user not present

* Skip aws acceptance test if required environment variables are missing
2018-04-13 10:18:06 -04:00
Becca Petrin da1cfb86e9 run make fmt 2018-04-11 14:25:09 -07:00
Becca Petrin 8569c8c235 Merge branch 'opensource-master' into struct-tags 2018-04-11 13:04:08 -07:00
Becca Petrin dab933ccaf deviate from snake case 2018-04-11 13:03:33 -07:00
Calvin Leung Huang 2dc4aa05f0 Dockerize radius auth backend acceptance tests (#4276) 2018-04-11 14:26:35 -04:00
Becca Petrin fcfe036e60 fix 2 minor struct tag issues 2018-04-10 16:11:44 -07:00
Calvin Leung Huang bacf136785 Fix pki tests (#4318) 2018-04-09 15:19:05 -04:00
Becca Petrin abb621752f Clean up error string formatting (#4304) 2018-04-09 14:35:21 -04:00
Chris Hoffman 19f9f6ee89
Root Credential Rotation Docs (#4312)
* updating root credential docs

* more docs updates

* more docs updates
2018-04-09 12:20:29 -04:00
Calvin Leung Huang 656a762e0a
Dockerize mssql secret backend tests (#4290)
* Dockerize mssql secret backend tests

* Extend total mysql container timeout to 1 minute
2018-04-09 10:46:52 -04:00
Matthew Irish cff34e983f
UI - pki updates (#4291)
* add require_cn to pki roles
* add policy_identifiers and basic_constraints_valid_for_non_ca to pki role form
* add new fields to the PKI docs
* add add_basic_constraints field
2018-04-08 21:09:29 -05:00
Chris Hoffman 71c0b749b5
Fix deadlock in root credential rotation (#4309)
* fix deadlock in root credential rotation

* add more logging of errors

* adding cassandra test
2018-04-08 13:34:59 -04:00
Chris Hoffman 40dc317f41
Prevent returning password in reads of connection config info (#4300)
* prevent returning password in reads of connection config info

* fixing a test

* masking password in connection url on reads

* addressing feedback

* removing extra check
2018-04-07 11:06:04 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Vishal Nayak ef60ded908
TypeDurationSecond for ttl and max_ttl (#4268)
* use typedurationsecond for ttl and max_ttl

* address review feedback
2018-04-04 17:47:18 -04:00
Calvin Leung Huang f392620cb8
Dockerize rabbitmq secret backend (#4271) 2018-04-04 16:09:26 -04:00
Chris Hoffman 8250da87a9
Fix a few missing TTL core changes (#4265)
* Fix missing ttl handling in backends

* fix test
2018-04-04 06:43:21 -04:00
Chris Hoffman a7ada08b3b
Core handling of TTLs (#4230)
* govet cleanup in token store

* adding general ttl handling to login requests

* consolidating TTL calculation to system view

* deprecate LeaseExtend

* deprecate LeaseExtend

* set the increment to the correct value

* move calculateTTL out of SystemView

* remove unused value

* add back clearing of lease id

* implement core ttl in some backends

* removing increment and issue time from lease options

* adding ttl tests, fixing some compile issue

* adding ttl tests

* fixing some explicit max TTL logic

* fixing up some tests

* removing unneeded test

* off by one errors...

* adding back some logic for bc

* adding period to return on renewal

* tweaking max ttl capping slightly

* use the appropriate precision for ttl calculation

* deprecate proto fields instead of delete

* addressing feedback

* moving TTL handling for backends to core

* mongo is a secret backend not auth

* adding estimated ttl for backends that also manage the expiration time

* set the estimate values before calling the renew request

* moving calculate TTL to framework, revert removal of increment and issue time from logical

* minor edits

* addressing feedback

* address more feedback
2018-04-03 12:20:20 -04:00
Jeff Mitchell f5ba4796f5
Case insensitive behavior for LDAP (#4238) 2018-04-03 09:52:43 -04:00
Becca Petrin 03cf302e9a Move to "github.com/hashicorp/go-hclog" (#4227)
* logbridge with hclog and identical output

* Initial search & replace

This compiles, but there is a fair amount of TODO
and commented out code, especially around the
plugin logclient/logserver code.

* strip logbridge

* fix majority of tests

* update logxi aliases

* WIP fixing tests

* more test fixes

* Update test to hclog

* Fix format

* Rename hclog -> log

* WIP making hclog and logxi love each other

* update logger_test.go

* clean up merged comments

* Replace RawLogger interface with a Logger

* Add some logger names

* Replace Trace with Debug

* update builtin logical logging patterns

* Fix build errors

* More log updates

* update log approach in command and builtin

* More log updates

* update helper, http, and logical directories

* Update loggers

* Log updates

* Update logging

* Update logging

* Update logging

* Update logging

* update logging in physical

* prefixing and lowercase

* Update logging

* Move phyisical logging name to server command

* Fix som tests

* address jims feedback so far

* incorporate brians feedback so far

* strip comments

* move vault.go to logging package

* update Debug to Trace

* Update go-plugin deps

* Update logging based on review comments

* Updates from review

* Unvendor logxi

* Remove null_logger.go
2018-04-02 17:46:59 -07:00
Ben Feld 3f5d60b54b Fixed typo and adjusted line wrapping in backend help (#4239) 2018-04-02 13:51:26 -07:00
Calvin Leung Huang 610c137a3d
Remove sensitive fields when reading config data (#4216)
* Remove sensitive fields when reading config data

* Do not use structs; build and return map explicitly

* Revert tag in postgresql

* Fix tests
2018-03-30 10:17:39 -04:00
Jeff Mitchell 7a6f582168
1.10 Updates (#4218) 2018-03-29 15:32:16 -04:00
Jeff Mitchell 6484b9b164
Continue and warn when tidying in pki if an entry or value is nil (#4214)
Ref #4177
2018-03-29 15:27:51 -04:00
Jeff Mitchell e4d277fc0b Sanitizize some error capitalization 2018-03-29 10:14:42 -04:00
Chris Hoffman e4832fdbcf
Database Root Credential Rotation (#3976)
* redoing connection handling

* a little more cleanup

* empty implementation of rotation

* updating rotate signature

* signature update

* updating interfaces again :(

* changing back to interface

* adding templated url support and rotation for postgres

* adding correct username

* return updates

* updating statements to be a list

* adding error sanitizing middleware

* fixing log sanitizier

* adding postgres rotate test

* removing conf from rotate

* adding rotate command

* adding mysql rotate

* finishing up the endpoint in the db backend for rotate

* no more structs, just store raw config

* fixing tests

* adding db instance lock

* adding support for statement list in cassandra

* wip redoing interface to support BC

* adding falllback for Initialize implementation

* adding backwards compat for statements

* fix tests

* fix more tests

* fixing up tests, switching to new fields in statements

* fixing more tests

* adding mssql and mysql

* wrapping all the things in middleware, implementing templating for mongodb

* wrapping all db servers with error santizer

* fixing test

* store the name with the db instance

* adding rotate to cassandra

* adding compatibility translation to both server and plugin

* reordering a few things

* store the name with the db instance

* reordering

* adding a few more tests

* switch secret values from slice to map

* addressing some feedback

* reinstate execute plugin after resetting connection

* set database connection to closed

* switching secret values func to map[string]interface for potential future uses

* addressing feedback
2018-03-21 15:05:56 -04:00
Jeff Mitchell 487cb7a41a
We don't need to limit the size of ldap queries, so set a high limit (#4169)
Fixes #4162
2018-03-20 16:06:39 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Jeff Mitchell 48a6ce618a
Add ability to set CA:true when generating intermediate CSR. (#4163)
Fixes #3883
2018-03-20 10:09:59 -04:00
Jeff Mitchell 414097018a Add a check on incoming policy identifiers
cc #4125
2018-03-19 22:10:18 -04:00
Rémi Pauchet 40e226184b Support certificate policies in the pki backend (#4125) 2018-03-19 22:05:21 -04:00
Jeff Mitchell 8697d80d2e
More cleanup of TTL handling in PKI (#4158)
* Max role's max_ttl parameter a TypeDurationString like ttl
* Don't clamp values at write time in favor of evaluating at issue time,
as is the current best practice
* Lots of general cleanup of logic to fix missing cases
2018-03-19 21:01:41 -04:00
Jeff Mitchell 2e50667b12
Codify using strings.Join and strings.TrimSpace around PEM handling to ensure newline sanity (#4148)
Fixes #4136
2018-03-18 16:00:51 -04:00
Joel Thompson 3e2006eb13 Allow non-prefix-matched IAM role and instance profile ARNs in AWS auth backend (#4071)
* Update aws auth docs with new semantics

Moving away from implicitly globbed bound_iam_role_arn and
bound_iam_instance_profile_arn variables to make them explicit

* Refactor tests to reduce duplication

auth/aws EC2 login tests had the same flow duplicated a few times, so
refactoring to reduce duplication

* Add tests for aws auth explicit wildcard constraints

* Remove implicit prefix matching from AWS auth backend

In the aws auth backend, bound_iam_role_arn and
bound_iam_instance_profile_arn were ALWAYS prefix matched, and there was
no way to opt out of this implicit prefix matching. This now makes the
implicit prefix matching an explicit opt-in feature by requiring users
to specify a * at the end of an ARN if they want the prefix matching.
2018-03-17 21:24:49 -04:00
Jeff Mitchell 83dea6204c
Honor mount-tuned ttl/max ttl for database credential generatoin (#4053) 2018-03-15 09:24:02 -07:00
Joel Thompson 39dc981301 auth/aws: Allow binding by EC2 instance IDs (#3816)
* auth/aws: Allow binding by EC2 instance IDs

This allows specifying a list of EC2 instance IDs that are allowed to
bind to the role. To keep style formatting with the other bindings, this
is still called bound_ec2_instance_id rather than bound_ec2_instance_ids
as I intend to convert the other bindings to accept lists as well (where
it makes sense) and keeping them with singular names would be the
easiest for backwards compatibility.

Partially fixes #3797
2018-03-15 09:19:28 -07:00
Brian Nuszkowski 76be90f384 Add PKCS1v15 as a RSA signature and verification option on the Transit secret engine (#4018)
Option to specify the RSA signature type, in specific add support for PKCS1v15
2018-03-15 09:17:02 -07:00
Jeff Mitchell 300ca9c6ee
Have Okta respect its set max_ttl. (#4111)
Fixes #4110
2018-03-13 10:39:51 -04:00
Joel Thompson 2f8e3c27f4 Accept temp creds in AWS secret backend acceptance tests (#4076)
* Accept temp creds in AWS secret backend acceptance tests

The AWS secret backend acceptance tests implicitly accepted long-lived
AWS credentials (i.e., AWS IAM user and/or root credentials) in two
ways:

1. It expected credentials to be passed in via the AWS_ACCESS_KEY_ID and
   AWS_SECRET_ACCESS_KEY environment variables. By not accepting
   AWS_SESSION_TOKEN or AWS_SECURITY_TOKEN, temporary credentials could
   not be passed in. (This also forced all credentials to be passed in
   via environment variables, which is a bit ugly).
2. The AWS sts:GetFederationToken call is only allowed from long-term
   credentials. This is called by the Vault code which the acceptance
   tests exercise.

1 is solved by deleting explicit references to credentials, which allows
the SDK to do one of the things it does best -- find credentials via the
default chain.

2 is a little more complicated. Rather than pass in whatever creds the
acceptance test was run under to the backend, the acceptance test now
creates a new IAM user and gets an access key from it, then passes the
IAM user's creds back to the backend so that it can call
sts:GetFederationToken (and then tries to clean up afterwards).

* Fix Travis build failure

The Travis build was failing because the user creation was happening
regardless of whether it was running in acceptance test mode or not.
This moves the user creation into the acceptance test precheck, which
requires lazily evaluating the credentials when configuring the backend
in the STS accetpance test, and so moving that to a PreFlight closure.

* Reduce blind sleeps in AWS secret backend acceptance tests

This removes a blind "sleep 10 seconds and then attempt to reuse the
credential" codepath and instead just keeps attemtping to reuse the
credential for 10 seconds and fails if there aren't any successful uses
after 10 seconds. This adds a few seconds speedup of acceptance test
runs from my experiments.
2018-03-13 10:35:10 -04:00
Vishal Nayak 527eb418fe
approle: Use TypeCommaStringSlice for BoundCIDRList (#4078)
* Use TypeCommaStringSlice for Approle bound_cidr_list

* update docs

* Add comments in the test
2018-03-08 17:49:08 -05:00
Brian Kassouf 9dba3590ac
Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
Jeff Mitchell f9f0261886
Populate AWS-generated tokens with default lease TTL to fix comparisons against role max (#4107)
* Populate AWS-generated tokens with default lease TTL to fix comparisons against role max

* Fix printing TTLs when capping them
2018-03-08 13:08:00 -05:00
Jeff Mitchell 52852b89cf
Revert "Fix AWS auth max_ttl being ignored when ttl is not set (#4086)" (#4105)
This reverts commit 135cb4e6871a75c3b996bf8ac719767560268732.
2018-03-08 11:08:32 -05:00
Kevin Wang f72540ce8e Fix AWS auth max_ttl being ignored when ttl is not set (#4086)
If ttl is not set, the value of `resp.Auth.TTL` is 0, resulting in the
max TTL check being skipped.

Also fixes the formatting of the warning message.
2018-03-08 11:07:51 -05:00
Brian Nuszkowski 40e7e24c04 Return value when reading a SSH CA Role (#4098) 2018-03-07 23:26:33 -05:00
Calvin Leung Huang e2fb199ce5
Non-HMAC audit values (#4033)
* Add non-hmac request keys

* Update comment

* Initial audit request keys implementation

* Add audit_non_hmac_response_keys

* Move where req.NonHMACKeys gets set

* Minor refactor

* Add params to auth tune endpoints

* Sync cache on loadCredentials

* Explicitly unset req.NonHMACKeys

* Do not error if entry is nil

* Add tests

* docs: Add params to api sections

* Refactor audit.Backend and Formatter interfaces, update audit broker methods

* Add audit_broker.go

* Fix method call params in audit backends

* Remove fields from logical.Request and logical.Response, pass keys via LogInput

* Use data.GetOk to allow unsetting existing values

* Remove debug lines

* Add test for unsetting values

* Address review feedback

* Initialize values in FormatRequest and FormatResponse using input values

* Update docs

* Use strutil.StrListContains

* Use strutil.StrListContains
2018-03-02 12:18:39 -05:00
Joel Thompson e4949d644b auth/aws: Allow lists in binds (#3907)
* auth/aws: Allow lists in binds

In the aws auth method, allow a number of binds to take in lists
instead of a single string value. The intended semantic is that, for
each bind type set, clients must match at least one of each of the bind
types set in order to authenticate.
2018-03-02 11:09:14 -05:00
Jeff Mitchell 121d5718ea Remove structs/mapstructure tags from auth/aws 2018-02-27 15:27:49 -05:00
Jeff Mitchell c695023bab Remove structs package from auth/aws 2018-02-27 13:22:47 -05:00
Joel Thompson b0592d2161 auth/aws: Add functional test for detached RSA signature (#4031)
Previously the functional test was only testing the PCKS7-signed identity
document, not the detached RSA signature, so adding a test for that in the
functional test suite.
2018-02-22 20:55:45 -05:00
Jeff Mitchell cf7c86e0f8 *Partially* revert "Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10"
This partially reverts commit 83f6b21d3ef930df0352a4ae7b1e971790e3eb22.
2018-02-22 20:15:56 -05:00
Jeff Mitchell 9584a085b6 Revert "Remove unneeded looping since Go 1.10 cover it already (#4010)"
This reverts commit 8aeba427d239613bf78b7d1ce96900da74d2bd5d.
2018-02-22 20:13:36 -05:00
Jeff Mitchell 15c3bffcc9 Revert "Switch to a forked copy of pkcs7 to fix aws pkcs7 verification error (#4024)"
This reverts commit f75c7dd15784831aef0bd9fda8a230b0a08556f3.
2018-02-22 20:09:19 -05:00
Jeff Mitchell 67e614bac4
Switch to a forked copy of pkcs7 to fix aws pkcs7 verification error (#4024)
Fixes #4014
2018-02-22 08:49:11 -05:00
Andrei Burd 90f3788ce5 Handling nomad maxTokenNameLength = 64 (#4009) 2018-02-20 10:16:37 -05:00
Vishal Nayak bfed4af48f Remove unneeded looping since Go 1.10 cover it already (#4010) 2018-02-20 07:34:55 -05:00
Jeff Mitchell 0f26cb9b8d Fix PKI tests by generating on-demand 2018-02-20 00:23:37 -05:00
Jeff Mitchell ce8f652ef9 Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10 2018-02-19 22:46:17 -05:00
Robison Jacka 9541e8f643 Adding path roles test coverage for storing PKIX fields (#4003) 2018-02-18 16:22:35 -05:00
Robison Jacka 71d939894b Add test coverage for recently-added PKIX fields. (#4002) 2018-02-18 13:21:54 -05:00
Jeff Mitchell a408a03495 Fix missing CommonName in subject generation 2018-02-17 21:01:36 -05:00
Vishal Nayak 45bb1f0adc
Verify DNS SANs if PermittedDNSDomains is set (#3982)
* Verify DNS SANs if PermittedDNSDomains is set

* Use DNSNames check and not PermittedDNSDomains on leaf certificate

* Document the check

* Add RFC link

* Test for success case

* fix the parameter name

* rename the test

* remove unneeded commented code
2018-02-16 17:42:29 -05:00
Jeff Mitchell f29bde0052
Support other names in SANs (#3889) 2018-02-16 17:19:34 -05:00
Mohsen 41b07a0987 Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 11:11:17 -05:00
Brian Nuszkowski 51fe1aa7ba Add Okta specific MFA workflow to Okta auth method (#3980)
* Add Okta specific MFA workflow to Okta auth method. Note this only
supports Okta Push.
2018-02-14 20:28:19 -05:00
Brian Nuszkowski 7ba8bb9516 Disable redirects on the http client that calls AWS STS api, which (#3983)
is used in the AWS IAM auth method.

Co-authored-by: Max Justicz <max@justi.cz>
2018-02-14 20:27:13 -05:00
Jeff Mitchell 35906aaa6c
Add ChaCha20-Poly1305 support to transit (#3975) 2018-02-14 11:59:46 -05:00
Nicolas Troncoso 2a8159c2ae Turns the okta groups array into a coma separated string (#3956) 2018-02-13 08:18:43 -05:00
Jeff Mitchell 8655a1c135
Various PKI updates (#3953) 2018-02-10 10:07:10 -05:00
Jeff Mitchell 6f025fe2ab
Adds the ability to bypass Okta MFA checks. (#3944)
* Adds the ability to bypass Okta MFA checks.

Unlike before, the administrator opts-in to this behavior, and is
suitably warned.

Fixes #3872
2018-02-09 17:03:49 -05:00
Jeff Mitchell bd3cdd8095 Fix compile 2018-02-09 14:04:05 -05:00
Chris Hoffman 898026c58f Fix auditing for transit keys with backup/restore info (#3919) 2018-02-09 13:54:18 -05:00
Vishal Nayak 80ffd07b8b added a flag to make common name optional if desired (#3940)
* added a flag to make common name optional if desired

* Cover one more case where cn can be empty

* remove skipping when empty; instead check for emptiness before calling validateNames

* Add verification before adding to DNS names to also fix #3918
2018-02-09 13:42:19 -05:00
Vishal Nayak 9d163f5aa4
avoid masking of role tag response (#3941) 2018-02-07 20:43:05 -05:00
Vishal Nayak 41ac1e4b53
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924)
* Cleanup accessor indexes and dangling accessor indexes

* Add a test that exercises the accessor cleanup
2018-02-06 15:44:48 -05:00
John Eismeier d2534c4bde Fix some typos (#3923) 2018-02-06 13:35:01 -05:00
Jeff Mitchell 642b88c76a go vet fixes 2018-02-05 14:26:31 -05:00
Joel Thompson 4f49318b33 auth/aws: Switch role tag processing from strings.Contains to strings.HasPrefix (#3906)
strings.HasPrefix is more correct; if a tag part value ended up
containing the expected prefix of another part, it could cause incorrect
parsing. I don't think that these values would be semantically legal
today, but it's probably better to be defensive.
2018-02-04 19:37:03 -05:00
Jeff Mitchell b6614b651f
Differentiate between user/internal error in AppRole login. (#3902)
* Differentiate between user/internal error in AppRole login.

This allows us to properly pass through internal errors back up into
core.

* Separate out error cases
2018-02-02 20:34:32 -05:00
Jeff Mitchell fc6564e4ee
Don't run rollback and upgrade functionality if we are a replication secondary (#3900)
* Don't run rollback and upgrade functionality if we are a replication
secondary, but do if the mount is local.
2018-02-02 20:28:25 -05:00
Vishal Nayak effdc09a71 Add the actual error object to the message (#3901) 2018-02-02 19:06:08 -05:00
John Eismeier 6d18e0da3d Propose small spelling change (#3890) 2018-02-01 12:51:38 -05:00
Josh Giles 94fe8600b6 Return Okta config TTLs in seconds, not nanos. (#3871) 2018-02-01 12:44:57 -05:00
Jeff Mitchell f3d1e8170b Prep for 0.9.2 2018-01-26 13:59:01 -05:00
Vishal Nayak 150ad8405b
Remove logical.Initialize() method (#3848)
* Remove logical.Initialize() method

* More cleanup

* Fix test
2018-01-25 20:19:27 -05:00
Joel Thompson 2cd8051607 auth/aws: Fix error with empty bound_iam_principal_arn (#3843)
* auth/aws: Fix error with empty bound_iam_principal_arn

In cases where there doesn't need to be a bound_iam_principal_arn, i.e.,
either auth_type is ec2 or there are other bindings with the iam
auth_type, but it is specified explicitly anyway, Vault tried to parse
it to resolve to internal unique IDs. This now checks to ensure that
bound_iam_principal_arn is non-empty before attempting to resolve it.

Fixes #3837

* Fix extraneous newline
2018-01-24 23:08:05 -05:00
Calvin Leung Huang 385140ee6b
Version protocol switch (#3833)
* Use version to determine plugin protocol to use

* Remove field from ServeOpts

* Fix missing assignment, handle errors

* contraint -> constraint

* Inject the version string from the vault side

* Fix the version check

* Add grpc support check to database plugins

* Default to use grpc unless missing env var or fail on contraint check

* Add GRPCSupport test

* Add greater than test case

* Add go-version dep
2018-01-23 17:29:26 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Brian Kassouf 7050c1ca41
gRPC Backend Plugins (#3808)
* Add grpc plugins

* Add grpc plugins

* Translate wrap info to/from proto

* Add nil checks

* Fix nil marshaling errors

* Provide logging through the go-plugin logger

* handle errors in the messages

* Update the TLS config so bidirectional connections work

* Add connectivity checks

* Restart plugin and add timeouts where context is not availible

* Add the response wrap data into the grpc system implementation

* Add leaseoptions to pb.Auth

* Add an error translator

* Add tests for translating the proto objects

* Fix rename of function

* Add tracing to plugins for easier debugging

* Handle plugin crashes with the go-plugin context

* Add test for grpcStorage

* Add tests for backend and system

* Bump go-plugin for GRPCBroker

* Remove RegisterLicense

* Add casing translations for new proto messages

* Use doneCtx in grpcClient

* Use doneCtx in grpcClient

* s/shutdown/shut down/
2018-01-18 13:49:20 -08:00
Calvin Leung Huang f59069c22f
Don't call LeaseExtend on login renewal paths when period is provided (#3803)
* Don't call LeaseExtend on login renewal paths when period is provided

* WIP tests

* NoopBackend accept backend ttl values

* Test period value on credentials backend

* Use t.Fatalf instead

* Remove mockCoreExpiration

* Add login renewal test for approle backend

* Add resp.Auth.Period check on aws and cert backend tests

* Pass in approle's period via role's period

* Correctly set period in valid-role's role

* Add period renewal test using TestCluster and approle backend

* Check for ttl values after renewals on test
2018-01-18 12:19:18 -05:00
samiam c59b5a1a88 Write password prompts to stderr to avoid co-mingling stdout (#3781) (#3782) 2018-01-18 12:14:19 -05:00
Jeff Mitchell b281e76089 Move around some logic to be neater 2018-01-18 11:47:24 -05:00
Jeff Mitchell c231479a18
Fix max_ttl not being honored in database backend when default_ttl is zero (#3814)
Fixes #3812
2018-01-18 01:43:38 -05:00
Vishal Nayak b826c56686
SHA2-256 salting for AppID (#3806)
* Use SHA2-256 hash with prefix to upgrade the paths

* test the SHA1 upgrade to SHA256

* Remove hash identifier and the delimiter; use 's' instead

* Added API test to verify the correctness of the fix

* Fix broken test

* remove unneeded test
2018-01-17 19:48:32 -05:00
Chris Hoffman 102ed8cfae Locking updates in database backend (#3774) 2018-01-17 19:21:59 -05:00
Chris Hoffman 5b2b168e97
Converting OU and Organization role fields to CommaStringSlice (#3804) 2018-01-17 11:53:49 -05:00
Josh Giles 9c46431b80 Support JSON lists for Okta user groups+policies. (#3801)
* Support JSON lists for Okta user groups+policies.

Migrate the manually-parsed comma-separated string field types for user
groups and user policies to TypeCommaStringSlice. This means user
endpoints now accept proper lists as input for these fields in addition
to comma-separated string values. The value for reads remains a list.

Update the Okta API documentation for users and groups to reflect that
both user group and user/group policy fields are list-valued.

Update the Okta acceptance tests to cover passing a list value for the
user policy field, and require the OKTA_API_TOKEN env var to be set
(required for the "everyone" policy tests to pass).

* Fix typo, add comma-separated docs.
2018-01-16 18:20:19 -05:00
Dominik Müller e18e4036c7 add allowed_names to cert-response (#3779) 2018-01-16 13:41:58 -05:00
Paweł Słomka b994e83c65 Cleanup of deprecated commands in tests, docs (#3788) 2018-01-15 15:19:28 -05:00
Brian Kassouf 30378d5ff6
remove the Initialize wrap and call close explicitly (#3769) 2018-01-10 13:07:55 -08:00
Jeff Mitchell d8009bced1 Merge branch 'master-oss' into sethvargo/cli-magic 2018-01-10 11:15:49 -05:00
Jeff Mitchell 9c70985c3a
Add json.Number parsing for iam_request_header values (#3770)
Fixes #3763
2018-01-10 09:56:38 -06:00
Brian Kassouf 01914feb18
secret/database: ensure plugins are closed if they cannot be initialized (#3768) 2018-01-09 13:14:50 -08:00
Brian Kassouf 64da50c27c
Update plugin deps to include context changes (#3765)
* Update plugin deps to include context changes

* Fix tests
2018-01-08 12:26:13 -08:00
Brian Kassouf 1c190d4bda
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Will Glynn 282f648597 Document that AWS STS lease revocation is a no-op [fixes #3736] (#3760) 2018-01-08 10:28:07 -06:00
Jeff Mitchell d1803098ae Merge branch 'master-oss' into sethvargo/cli-magic 2018-01-03 14:02:31 -05:00
Brian Shumate 2481803ac5 Update some approle related help output (#3747) 2018-01-03 13:56:14 -05:00
Brian Nuszkowski aa4d5a942e Add the ability to pass in mfa parameters when authenticating via the… (#3729) 2017-12-26 13:40:44 -05:00
Brian Kassouf a97b8c6f30
secret/database: Fix upgrading database backend (#3714) 2017-12-18 19:38:47 -08:00
Calvin Leung Huang c4e951efb8 Add period and max_ttl to cert role creation (#3642) 2017-12-18 15:29:45 -05:00
Chris Hoffman b1aee36251
short circuit cert extensions check (#3712) 2017-12-18 13:19:05 -05:00
Travis Cosgrave cf3e284396 Use Custom Cert Extensions as Cert Auth Constraint (#3634) 2017-12-18 12:53:44 -05:00
Jeff Mitchell 08f73e4a50
Merge pull request #3695 from hashicorp/creds-period-logic 2017-12-18 12:40:03 -05:00
Jeff Mitchell 77a7c52392
Merge branch 'master' into f-nomad 2017-12-18 12:23:39 -05:00
immutability e7faad641c Add Duo MFA to the Github backend (#3696) 2017-12-18 09:59:17 -05:00
Chris Hoffman 400d738403 use defaultconfig as base, adding env var test 2017-12-17 10:51:39 -05:00
Chris Hoffman f6bed8b925 fixing up config to allow environment vars supported by api client 2017-12-17 09:10:56 -05:00
Chris Hoffman b08606b320 adding existence check for roles 2017-12-15 19:50:20 -05:00
Chris Hoffman b904d28d82 adding access config existence check and delete endpoint 2017-12-15 19:18:32 -05:00
Calvin Leung Huang 997a1453e7 Use shortMaxTTL on Ec2 paths 2017-12-15 17:29:40 -05:00
Chris Hoffman c71f596fbd address some feedback 2017-12-15 17:06:56 -05:00
Chris Hoffman db0006ef65 Merge remote-tracking branch 'oss/master' into f-nomad
* oss/master:
  Defer reader.Close that is used to determine sha256
  changelog++
  Avoid unseal failure if plugin backends fail to setup during postUnseal (#3686)
  Add logic for using Auth.Period when handling auth login/renew requests (#3677)
  plugins/database: use context with plugins that use database/sql package (#3691)
  changelog++
  Fix plaintext backup in transit (#3692)
  Database gRPC plugins (#3666)
2017-12-15 17:05:42 -05:00
Calvin Leung Huang fe7ce434e4 Update logic on renew paths 2017-12-15 16:26:42 -05:00
Calvin Leung Huang 643451d46a Update login logic for aws creds backend 2017-12-15 16:18:19 -05:00
Calvin Leung Huang ba19b99f55 Update login logic for aws creds backend 2017-12-15 16:01:40 -05:00
Calvin Leung Huang 79cb82e133
Add logic for using Auth.Period when handling auth login/renew requests (#3677)
* Add logic for using Auth.Period when handling auth login/renew requests

* Set auth.TTL if not set in handleLoginRequest

* Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken

* Get sysView from le.Path, revert tests

* Add back auth.Policies

* Fix TokenStore tests, add resp warning when capping values

* Use switch for ttl/period check on RenewToken

* Move comments around
2017-12-15 13:30:05 -05:00
Brian Kassouf afe53eb862
Database gRPC plugins (#3666)
* Start work on context aware backends

* Start work on moving the database plugins to gRPC in order to pass context

* Add context to builtin database plugins

* use byte slice instead of string

* Context all the things

* Move proto messages to the dbplugin package

* Add a grpc mechanism for running backend plugins

* Serve the GRPC plugin

* Add backwards compatibility to the database plugins

* Remove backend plugin changes

* Remove backend plugin changes

* Cleanup the transport implementations

* If grpc connection is in an unexpected state restart the plugin

* Fix tests

* Fix tests

* Remove context from the request object, replace it with context.TODO

* Add a test to verify netRPC plugins still work

* Remove unused mapstructure call

* Code review fixes

* Code review fixes

* Code review fixes
2017-12-14 14:03:11 -08:00
Jeff Mitchell b478ba8bac
Merge branch 'master' into f-nomad 2017-12-14 16:44:28 -05:00
Jeff Mitchell d752da3648
Update Consul to use the role's configured lease on renew. (#3684) 2017-12-14 13:28:19 -05:00
Vishal Nayak 15b3d8738e Transit: backup/restore (#3637) 2017-12-14 12:51:50 -05:00
Vishal Nayak 513d12ab7c Fix the casing problem in approle (#3665) 2017-12-11 16:41:17 -05:00
Florent H. CARRÉ 539d86ab2d Hardening RSA keys for PKI and SSH (#3593) 2017-12-11 13:43:56 -05:00
Chris Hoffman 3b0ba609b2
Converting key_usage and allowed_domains in PKI to CommaStringSlice (#3621) 2017-12-11 13:13:35 -05:00
Brad Sickles 295e11d40d Adding mfa support to okta auth backend. (#3653) 2017-12-07 14:17:42 -05:00
Brian Shumate a0d1092420 Conditionally set file audit log mode (#3649) 2017-12-07 11:44:15 -05:00
Mohsen 2aa576149c Small typo relating to no_store in pki secret backend (#3662)
* Removed typo :)

* Corrected typo in the website related to no_store
2017-12-07 10:40:21 -05:00
Vishal Nayak 48ac5caaa9
Transit: Refactor internal representation of key entry map (#3652)
* convert internal map to index by string

* Add upgrade test for internal key entry map

* address review feedback
2017-12-06 18:24:00 -05:00
Dominik Müller bc523fc294 add allowed_names to cert-response (#3654) 2017-12-06 16:50:02 -05:00
Jeff Mitchell bfc37f0847
Re-add some functionality lost during last dep update (#3636) 2017-12-01 10:18:26 -05:00
Nicolas Corrarello b5fd1ce953
Adding SealWrap configuration, protecting the config/access path
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 21:53:21 +00:00
Nicolas Corrarello b3799697a2
Rename policy into policies 2017-11-29 16:31:17 +00:00
Nicolas Corrarello 0d8f812dc8
Checking if client is not nil before deleting token
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 16:23:03 +00:00
Nicolas Corrarello 239a9a9985
%q quotes automatically
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 16:19:31 +00:00
Nicolas Corrarello 62fe10204a
Refactoring check for empty accessor as per Vishals suggestion
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:58:39 +00:00
Nicolas Corrarello a6d3119e3e
Pull master into f-nomad
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:56:37 +00:00
Nicolas Corrarello 89466815ba
Return an error if accesor_id is nil
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:18:03 +00:00
Nicolas Corrarello 031f244922
Returning nil config if is actually nil, and catching the error before creating the client in backend.go
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 11:15:54 +00:00
Nicolas Corrarello 2a4f63e4a5
Moving LeaseConfig function to path_config_lease.go
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 11:07:17 +00:00
Nicolas Corrarello 4f91a71c29
Return error before creating a client if conf is nil 2017-11-29 11:01:31 +00:00
Nicolas Corrarello e2be4bfd74
Sanitizing error outputs 2017-11-29 10:58:02 +00:00
Nicolas Corrarello 604ead3a37
Renaming tokenRaw to accessorIDRaw to avoid confusion, as the token is not being used for revoking itself 2017-11-29 10:48:55 +00:00
Nicolas Corrarello 34b5919931
Updating descriptions, defaults for roles 2017-11-29 10:44:40 +00:00
Nicolas Corrarello fc81d8a07c
Validating that Address and Token are provided in path_config_access.go 2017-11-29 10:36:34 +00:00
Nicolas Corrarello aab72464d6
Removing legacy field scheme that belonged to the Consul API 2017-11-29 10:29:39 +00:00
Joel Thompson 6f5aeeeae2 auth/aws: Check credential availability before auth (#3465)
Checks to ensure we can get a valid credential from the credential chain
when using the vault CLI to do AWS auth.

Fixes #3383
2017-11-13 15:43:24 -05:00
Vishal Nayak 8654c06b26
avoid empty group alias names (#3567) 2017-11-10 16:51:37 -05:00
Vishal Nayak 61d617df81
Avoid race conditions in AppRole (#3561)
* avoid race conditions in approle

* return a warning from role read if secondary index is missing

* Create a role ID index if a role is missing one

* Fix locking in approle read and add test

* address review feedback
2017-11-10 11:32:04 -05:00
Jeff Mitchell 6b72b90efa Remove allow_base_domain from PKI role output.
It was never used in a release, in favor of allow_bare_domains.

Fixes #1452 (again)
2017-11-09 10:24:36 -05:00
Jeff Mitchell 3555a17d52 Don't read out an internal role member in PKI 2017-11-08 18:20:53 -05:00
Chris Hoffman 210fe50b68 adding ttl to secret, refactoring for consistency 2017-11-07 09:58:19 -05:00
Calvin Leung Huang 9ffe6421c5 Fix deprecated cassandra backend tests (#3543) 2017-11-06 17:15:45 -05:00
Joel Thompson 2c8cd19e14 auth/aws: Make disallow_reauthentication and allow_instance_migration mutually exclusive (#3291) 2017-11-06 17:12:07 -05:00
Chris Hoffman 1b387f75e3 minor cleanup 2017-11-06 16:36:37 -05:00
Chris Hoffman de8c0dce99 minor cleanup 2017-11-06 16:34:20 -05:00
Gregory Reshetniak 57c9afa357 added AWS enpoint handling (#3416) 2017-11-06 13:31:38 -05:00
Jeff Mitchell 17310654a1
Add PKCS8 marshaling to PKI (#3518) 2017-11-06 12:05:07 -05:00
Nicolas Corrarello c70bfff23a
Refactored Lease into the Backend configuration 2017-11-06 15:09:56 +00:00
Nicolas Corrarello 6dc8edf09f
Attaching secretToken to backend 2017-11-06 14:28:30 +00:00
Calvin Leung Huang 512b254820
Return role info for each role on pathRoleList (#3532)
* Return role info for each role on pathRoleList

* Change roles -> key_info, only return key_type

* Do not initialize result map in parseRole, refactor ListResponseWithInfo

* Add role list test
2017-11-03 17:12:03 -04:00
Jeff Mitchell 9952ddaf69
Add some more SealWrap declarations (#3531) 2017-11-03 11:43:31 -04:00
Vishal Nayak 52df62d4ff
Encrypt/Decrypt/Sign/Verify using RSA in Transit backend (#3489)
* encrypt/decrypt/sign/verify RSA

* update path-help and doc

* Fix the bug which was breaking convergent encryption

* support both 2048 and 4096

* update doc to contain both 2048 and 4096

* Add test for encrypt, decrypt and rotate on RSA keys

* Support exporting RSA keys

* Add sign and verify test steps

* Remove 'RSA' from PEM header

* use the default salt length

* Add 'RSA' to PEM header since openssl is expecting that

* export rsa keys as signing-key as well

* Comment the reasoning behind the PEM headers

* remove comment

* update comment

* Parameterize hashing for RSA signing and verification

* Added test steps to check hash algo choice for RSA sign/verify

* fix test by using 'prehashed'
2017-11-03 10:45:53 -04:00
Nicolas Corrarello 783b38c9c4 Not storing the Nomad token as we have the accesor for administrative operations 2017-11-03 07:25:47 +00:00
Nicolas Corrarello 4b572c064c Overhauling the client method and attaching it to the backend 2017-11-03 07:19:49 +00:00
Jeff Mitchell 3a2440a651
Check input size to avoid a panic (#3521) 2017-11-02 16:40:52 -05:00
Vishal Nayak 7bae606662
External identity groups (#3447)
* external identity groups

* add local LDAP groups as well to group aliases

* add group aliases for okta credential backend

* Fix panic in tests

* fix build failure

* remove duplicated struct tag

* add test steps to test out removal of group member during renewals

* Add comment for having a prefix check in router

* fix tests

* s/parent_id/canonical_id

* s/parent/canonical in comments and errors
2017-11-02 16:05:48 -04:00
Nicolas Corrarello eb7a0c0e83 Refactoring readAcessConfig to return a single type of error instead of two 2017-11-01 08:49:31 +00:00
Nicolas Corrarello 55dd69437a Refactored config error to just have a single error exit path 2017-11-01 08:41:58 +00:00
Nicolas Corrarello 5f748a1217 Ignoring userErr as it will be nil anyway 2017-11-01 07:41:58 +00:00
Nicolas Corrarello 3ce4da75ac tokenType can never be nil/empty string as there are default values 2017-11-01 07:36:14 +00:00
Nicolas Corrarello afb5d123b9 Should return an error if trying create a management token with policies attached 2017-10-31 21:12:14 +00:00
Nicolas Corrarello d540985926 Unifying Storage and API path in role 2017-10-31 21:06:10 +00:00
Nicolas Corrarello 0fc65cabc7 Minor/Cosmetic fixes 2017-10-31 19:11:24 +00:00
Brian Kassouf 7fed43c035
Add the ability to glob allowed roles in the Database Backend (#3387)
* Add the ability to glob allowed roles in the Database Backend

* Make the error messages better

* Switch to the go-glob repo
2017-10-30 13:24:25 -07:00
Jeff Mitchell 7486df810c
Simplify TTL/MaxTTL logic in SSH CA paths and sane with the rest of how (#3507)
Vault parses/returns TTLs.
2017-10-30 15:05:47 -05:00
Jeff Mitchell d8e2179a42 Rejig some error messages in pki 2017-10-27 12:02:18 -04:00
Vishal Nayak b16084fdaf aws-ec2: Avoid audit logging of custom nonces (#3381) 2017-10-27 11:23:15 -04:00
Jeff Mitchell 713d5d5307
Don't swallow errors on token functions. 2017-10-24 09:39:35 -04:00
Seth Vargo 9f62e942bb
Spell Okta correctly 2017-10-24 09:39:34 -04:00
Seth Vargo e26625c909
Prompt for GitHub token if not provided 2017-10-24 09:34:12 -04:00
Seth Vargo c5665920f6
Standardize on "auth method"
This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method
2017-10-24 09:32:15 -04:00
Seth Vargo 33765cfe06
Update token cli to parse "verify" 2017-10-24 09:30:48 -04:00
Seth Vargo 7b8c472e22
Update credential help
Use "vault login" instead of "vault auth" and use "method" consistently over provider.
2017-10-24 09:30:47 -04:00
Seth Vargo 0c85a9988d
Return better errors from token failures 2017-10-24 09:26:45 -04:00
Seth Vargo c8eaa8b61b
Add built-in credential provider for tokens
This was previously part of the very long command/auth.go file, where it
mimmicked the same API as other handlers. By making it a builtin
credential, we can remove a lot of conditional logic for token-based
authentication.
2017-10-24 09:26:45 -04:00
Seth Vargo 4a67643c06
Update help output for userpass auth 2017-10-24 09:26:45 -04:00
Seth Vargo de6a839b9f
Update help output for okta auth 2017-10-24 09:26:44 -04:00
Seth Vargo beb525d41b
Update help output for ldap auth 2017-10-24 09:26:44 -04:00
Seth Vargo 323f9ee26b
Update help output for github auth 2017-10-24 09:26:44 -04:00
Seth Vargo 89c84c0b17
Update help output for cert auth 2017-10-24 09:26:44 -04:00
Seth Vargo 21f7bc0dee
Update help output for aws auth 2017-10-24 09:26:44 -04:00
Jeff Mitchell a25dae82dd Final sync 2017-10-23 17:39:21 -04:00
Joel Thompson 325ac0e86e auth/aws: Fix path-help for role endpoint (#3474)
Some of the path help documentation was incorrect for auth/aws/role as
behavior changed during PR development and the help wasn't updated. This
fixes incorrect information and makes the path help somewhat more
consistent.

Fixes #3472
2017-10-23 10:53:09 -04:00
Vishal Nayak 2ede750c78 return the actual error for base64 decoding failure (#3397) 2017-10-20 11:21:45 -04:00
Jeff Mitchell 6c9dd6ed6f Try out a radius fix (#3461) 2017-10-16 16:26:34 -04:00
vishalnayak bb603c7be1 fix typo 2017-10-15 15:43:47 -04:00
Vishal Nayak 59da183b2d add entity aliases from credential backends (#3457) 2017-10-15 15:13:12 -04:00
Jeremy Voorhis af24163abd Implement signing of pre-hashed data (#3448)
Transit backend sign and verify endpoints now support algorithm=none
2017-10-11 11:48:51 -04:00
Jeff Mitchell 7ec7d34783 Status code is an int, fix printing 2017-10-04 15:41:51 -04:00
Jeff Mitchell e3ce60eb1f Allow entering PKI URLs as arrays. (#3409)
Fixes #3407
2017-10-03 16:13:57 -04:00
Nicolas Corrarello 40839d2163 Removing ignore to cleanup function 2017-09-29 09:35:17 +01:00
Nicolas Corrarello 6390021413 Working tests 2017-09-29 09:33:58 +01:00
Nicolas Corrarello ad5f1018dd Various fixes (Null pointer, wait for Nomad go up, Auth before policy creation) 2017-09-28 23:58:41 +01:00
Nicolas Corrarello 9a011781ec Adding Global tokens to the data model 2017-09-28 23:57:48 +01:00
Nicolas Corrarello ec972939c2 Added tests 2017-09-28 21:44:30 +01:00
Vishal Nayak abcf4b3bb2 docs: Added certificate deletion operation API (#3385) 2017-09-26 20:28:52 -04:00
Nicolas Corrarello 420b46fa08 Fixing data model 2017-09-20 17:14:35 -05:00
Nicolas Corrarello 129328e842 MVP of working Nomad Secret Backend 2017-09-20 15:59:35 -05:00
Chris Hoffman a2d2f1a543 Adding support for base_url for Okta api (#3316)
* Adding support for base_url for Okta api

* addressing feedback suggestions, bringing back optional group query

* updating docs

* cleaning up the login method

* clear out production flag if base_url is set

* docs updates

* docs updates
2017-09-15 00:27:45 -04:00
Jeff Mitchell 1076cea5d1 Tests were not actually forcing the intermediate to have a longer TTL
because of mount max TTL constraint. This ups the mount max to force the
test to work as expected.
2017-09-14 22:49:04 -04:00
Jeff Mitchell cb6ac1e926 Change behavior of TTL in sign-intermediate (#3325)
* Fix using wrong public key in sign-self-issued

* Change behavior of TTL in sign-intermediate

This allows signing CA certs with an expiration past the signer's
NotAfter.

It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.

Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
2017-09-13 11:42:45 -04:00
Jeff Mitchell 9077adb377 Sanitize policy behavior across backends (#3324)
Fixes #3323
Fixes #3318

* Fix tests

* Fix tests
2017-09-13 11:36:52 -04:00
Calvin Leung Huang 78b1dfd7bb Handle errors from getRootConfig on aws logical backend (#3294) 2017-09-08 13:00:29 -04:00
Chris Hoffman 53164d528c Fix unauth bind issues due to lib update (#3293) 2017-09-07 08:46:43 -04:00
Jeff Mitchell 44bf03e3b6 Fix compile after dep update 2017-09-05 18:18:34 -04:00
Jeff Mitchell 7be6905eb0 Add a bit more delay to backend test in case Travis is loaded 2017-09-04 14:45:12 -04:00
Joel Thompson 2a53d852f3 auth/aws: Properly handle malformed ARNs (#3280)
The parseIamArn method was making assumptions about the input arn being
properly formatted and of a certain type. If users tried to pass a
bound_iam_principal_arn that was malformed (or was the ARN of the root
user), it would cause a panic. parseIamArn now explicitly checks the
assumptions it's making and tests are added to ensure it properly errors
out (rather than panic'ing) on malformed input.
2017-09-03 20:37:06 -04:00
Lars Lehtonen f3d6866735 Fix goroutine logging in cert test (#3224) 2017-09-01 16:55:16 -04:00
Calvin Leung Huang a581e96b78 Lazy-load plugin mounts (#3255)
* Lazy load plugins to avoid setup-unwrap cycle

* Remove commented blocks

* Refactor NewTestCluster, use single core cluster on basic plugin tests

* Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly

* Add special path to mock plugin

* Move ensureCoresSealed to vault/testing.go

* Use same method for EnsureCoresSealed and Cleanup

* Bump ensureCoresSealed timeout to 60s

* Correctly handle nil opts on NewTestCluster

* Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap

* Check metadata flag directly on the plugin process

* Plumb isMetadataMode down to PluginRunner

* Add NOOP shims when running in metadata mode

* Remove unused flag from the APIMetadata object

* Remove setupSecretPlugins and setupCredentialPlugins functions

* Move when we setup rollback manager to after the plugins are initialized

* Fix tests

* Fix merge issue

* start rollback manager after the credential setup

* Add guards against running certain client and server functions while in metadata mode

* Call initialize once a plugin is loaded on the fly

* Add more tests, update basic secret/auth plugin tests to trigger lazy loading

* Skip mount if plugin removed from catalog

* Fixup

* Remove commented line on LookupPlugin

* Fail on mount operation if plugin is re-added to catalog and mount is on existing path

* Check type and special paths on startBackend

* Fix merge conflicts

* Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth
2017-09-01 01:02:03 -04:00
Jeff Mitchell abb2ab2918 Add pki/root/sign-self-issued. (#3274)
* Add pki/root/sign-self-issued.

This is useful for root CA rolling, and is also suitably dangerous.

Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.

* Add tests
2017-08-31 23:07:15 -04:00
Jeff Mitchell 223c4fc325 Change auth helper interface to api.Secret. (#3263)
This allows us to properly handle wrapped responses.

Fixes #3217
2017-08-31 16:57:00 -04:00
Jeff Mitchell d62937aaf3 Use TypeDurationSecond for TTL values in PKI. (#3270) 2017-08-31 15:46:13 -04:00