luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
1,919 Commits 1 Branch 0 Tags 214 MiB
Commit Graph

326 Commits

Author SHA1 Message Date
Jeff Mitchell af27a99bb7 Remove JWT for the 0.3 release; it needs a lot of rework. 2015-09-24 16:23:44 -04:00
Jeff Mitchell f10343921b Start rejigging JWT 2015-09-24 16:20:22 -04:00
Jeff Mitchell 29c722dbb6 Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values 2015-09-21 16:14:30 -04:00
Jeff Mitchell 3eb38d19ba Update transit backend documentation, and also return the min decryption 
value in a read operation on the key.
 2015-09-21 16:13:43 -04:00
Jeff Mitchell 5dde76fa1c Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass. 2015-09-18 17:38:30 -04:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell 01ee6c4fe1 Move no_plaintext to two separate paths for datakey. 2015-09-18 14:41:05 -04:00
Jeff Mitchell 448249108c Add datakey generation to transit. 
Can specify 128 bits (defaults to 256) and control whether or not
plaintext is returned (default true).

Unit tests for all of the new functionality.
 2015-09-18 14:41:05 -04:00
Jeff Mitchell 61398f1b01 Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-18 14:41:05 -04:00
Jeff Mitchell 801e531364 Enhance transit backend: 
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
 2015-09-18 14:41:05 -04:00
Jeff Mitchell 9c5dcac90c Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527 2015-09-18 14:01:28 -04:00
vishalnayak 1f53376ae6 Userpass Bk: Added tests for TTL duration verifications 2015-09-17 16:33:26 -04:00
vishalnayak 4332eb9d05 Vault userpass: Enable renewals for login tokens 2015-09-17 14:35:50 -04:00
Jeff Mitchell 77e7379ab5 Implement the cubbyhole backend 
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
 2015-09-15 13:50:37 -04:00
Jeff Mitchell 104b29ab04 Rename View to StorageView to make it more distinct from SystemView 2015-09-15 13:50:37 -04:00
Lassi Pölönen 83d0ab73f5 Define time zone explicitly in postgresql connection string. 2015-09-14 13:43:06 +03:00
Lassi Pölönen a9aaee6f5a Explicitly set timezone with PostgreSQL timestamps. 2015-09-14 13:43:06 +03:00
Lassi Pölönen 79f68c934a Call ResetDB as Cleanup routine to close existing database connections 
on backend unmount.
 2015-09-11 11:45:58 +03:00
Vishal Nayak 08f7fb9c8d Merge pull request #580 from hashicorp/zeroaddress-path 
Add root authenticated path to allow default CIDR to select roles
 2015-09-10 15:28:49 -04:00
Jeff Mitchell 39cfcccdac Remove error returns from sysview TTL calls 2015-09-10 15:09:54 -04:00
Jeff Mitchell 488d33c70a Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00
Jeff Mitchell 4239f9d243 Add DynamicSystemView. This uses a pointer to a pointer to always have 
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.

Need specific unit tests for this functionality.
 2015-09-10 15:09:54 -04:00
Jeff Mitchell d435048d9e Switch StaticSystemView values to pointers, to support updating 2015-09-10 15:09:54 -04:00
vishalnayak 473c1d759d Vault SSH: Testing credential creation on zero address roles 2015-09-10 11:55:07 -04:00
vishalnayak d26497267c Vault SSH: Expected data for testRoleRead 2015-09-10 10:44:26 -04:00
vishalnayak 475df43c59 Merge branch 'master' of https://github.com/hashicorp/vault 2015-09-10 10:03:17 -04:00
vishalnayak d6b40c576d Vault SSH: Refactoring tests 2015-09-03 18:56:45 -04:00
vishalnayak 17c266bfd3 Vault SSH: Refactor lookup test case 2015-09-03 18:43:53 -04:00
vishalnayak c8c472e461 Vault SSH: Testcase restructuring 2015-09-03 18:11:04 -04:00
Jeff Mitchell 959a727acd Don't re-use tls configuration, to fix a possible race issue during test 2015-09-03 13:04:32 -04:00
vishalnayak 3e7aa75d70 Vault SSH: make Zeroaddress entry Remove method private 2015-08-31 17:10:55 -04:00
vishalnayak 9918105404 Vault SSH: Store roles as slice of strings 2015-08-31 17:03:46 -04:00
vishalnayak f21ad7da4c Vault SSH: refactoring 2015-08-31 16:03:28 -04:00
vishalnayak 59bf9e6f9f Vault SSH: Refactoring backend_test 2015-08-30 14:30:59 -04:00
vishalnayak 5e3f8d53f3 Vault SSH: ZeroAddress CRUD test 2015-08-30 14:20:16 -04:00
vishalnayak 6427a7e41e Vault SSH: Add read method for zeroaddress endpoint 2015-08-29 20:22:34 -04:00
vishalnayak dc4f97b61b Vault SSH: Zeroaddress roles and CIDR overlap check 2015-08-29 15:24:15 -04:00
Jeff Mitchell 5fa76b5640 Add base_url option to GitHub auth provider to allow selecting a custom endpoint. Fixes #572. 2015-08-28 06:28:43 -07:00
Vishal Nayak d4609dea28 Merge pull request #578 from hashicorp/exclude-cidr-list 
Vault SSH: Added exclude_cidr_list option to role
 2015-08-28 07:59:46 -04:00
vishalnayak b12a2f0013 Vault SSH: Added exclude_cidr_list option to role 2015-08-27 23:19:55 -04:00
Jeff Mitchell a4fc4a8e90 Deprecate lease -> ttl in PKI backend, and default to system TTL values if not given. This prevents issuing certificates with a longer duration than the maximum lease TTL configured in Vault. Fixes #470. 2015-08-27 12:24:37 -07:00
vishalnayak fbff20d9ab Vault SSH: Docs for default CIDR value 2015-08-27 13:10:15 -04:00
vishalnayak 5063a0608b Vault SSH: Default CIDR for roles 2015-08-27 13:04:15 -04:00
vishalnayak 702a869010 Vault SSH: Provide key option specifications for dynamic keys 2015-08-27 11:41:29 -04:00
vishalnayak 5b08e01bb1 Vault SSH: Create .ssh directory if not present. Closes #573 2015-08-27 08:45:34 -04:00
Jeff Mitchell 9db8a5c744 Merge pull request #567 from hobbeswalsh/master 
Spaces in displayName break AWS IAM
 2015-08-26 12:37:52 -04:00
Robin Walsh 34b84367b5 Adding one more test (for no-op case) 2015-08-26 09:26:20 -07:00
Robin Walsh 4b7c2cc114 Adding unit test for normalizeDisplayName() 2015-08-26 09:23:33 -07:00
Jeff Mitchell 2098446d47 Ensure that the 'file' audit backend can successfully open its given path before returning success. Fixes #550. 2015-08-26 09:13:10 -07:00
Jeff Mitchell 2d8bfff02b Explicitly check for blank leases in AWS, and give a better error message if lease_max cannot be parsed. Fixes #569. 2015-08-26 09:04:47 -07:00