Commit Graph

9069 Commits

Author SHA1 Message Date
Jim Kalafut 462dc06a88 operator migrate docs (#5400)
* operator migrate docs

* Address feedback

* Fix title
2018-09-26 10:55:04 -07:00
vishalnayak a1855ad972 changelog++ 2018-09-26 11:31:04 -04:00
Joel Thompson 2dc468f4d1 auth/aws: Make identity alias configurable (#5247)
* auth/aws: Make identity alias configurable

This is inspired by #4178, though not quite exactly what is requested
there. Rather than just use RoleSessionName as the Identity alias, the
full ARN is used as the Alias. This mitigates against concerns that an
AWS role with an insufficiently secured trust policy could allow an
attacker to generate arbitrary RoleSessionNames in AssumeRole calls to
impersonate anybody in the Identity store that had an alias set up.
By using the full ARN, the owner of the identity store has to explicitly
trust specific AWS roles in specific AWS accounts to generate an
appropriate RoleSessionName to map back to an identity.

Fixes #4178

* Respond to PR feedback

* Remove CreateOperation

Response to PR feedback
2018-09-26 08:27:12 -07:00
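The commit above argues that RoleSessionName is attacker-influenced while the full assumed-role ARN pins the caller to a role in an account. The following is an added illustration, not code from the Vault repository: it parses an STS assumed-role ARN and compares the two aliasing schemes on two constructed callers that share a session name. The ARN strings, account numbers and function names are assumptions for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// assumedRole is the decomposition of an STS assumed-role ARN of the form
// arn:<partition>:sts::<account>:assumed-role/<RoleName>/<RoleSessionName>.
type assumedRole struct {
	Partition, Account, RoleName, SessionName string
}

// parseAssumedRoleARN validates and splits an assumed-role ARN; anything that is
// not an STS assumed-role ARN (e.g. an IAM user ARN) is rejected.
func parseAssumedRoleARN(arn string) (assumedRole, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "sts" {
		return assumedRole{}, fmt.Errorf("not an STS ARN: %q", arn)
	}
	res := strings.Split(parts[5], "/")
	if len(res) != 3 || res[0] != "assumed-role" || res[1] == "" || res[2] == "" {
		return assumedRole{}, fmt.Errorf("not an assumed-role ARN: %q", arn)
	}
	return assumedRole{Partition: parts[1], Account: parts[4], RoleName: res[1], SessionName: res[2]}, nil
}

// aliasBySessionName is the scheme the commit declines: the alias is whatever
// the caller chose as RoleSessionName in its AssumeRole call.
func aliasBySessionName(arn string) (string, error) {
	r, err := parseAssumedRoleARN(arn)
	if err != nil {
		return "", err
	}
	return r.SessionName, nil
}

// aliasByFullARN is the adopted scheme: the alias is the whole ARN, so the
// session name is bound to a specific role in a specific account.
func aliasByFullARN(arn string) (string, error) {
	if _, err := parseAssumedRoleARN(arn); err != nil {
		return "", err
	}
	return arn, nil
}

// collides reports whether two callers map to the same alias under a scheme.
func collides(alias func(string) (string, error), a, b string) (bool, error) {
	x, err := alias(a)
	if err != nil {
		return false, err
	}
	y, err := alias(b)
	if err != nil {
		return false, err
	}
	return x == y, nil
}

func main() {
	// Constructed callers: a legitimate developer and an attacker who controls
	// an unrelated account and simply reuses the session name "alice".
	legit := "arn:aws:sts::123456789012:assumed-role/Developers/alice"
	attacker := "arn:aws:sts::999999999999:assumed-role/AnythingGoes/alice"
	schemes := []struct {
		name string
		fn   func(string) (string, error)
	}{{"session-name", aliasBySessionName}, {"full-arn", aliasByFullARN}}
	for _, s := range schemes {
		c, _ := collides(s.fn, legit, attacker)
		fmt.Printf("%-12s alias collision: %v\n", s.name, c)
	}
}
```

With session-name aliasing the attacker's session and the developer's session resolve to the same identity; with the full ARN they do not, and the identity store owner has to create an alias for each trusted role explicitly.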
Jeff Mitchell 56aaaac944
Add lz4 to compressutil (#5403) 2018-09-26 09:20:33 -05:00
vishalnayak 84701bcb28 changelog++ 2018-09-26 10:16:15 -04:00
Joel Thompson 5e6f8904d8 Add AWS Secret Engine Root Credential Rotation (#5140)
* Add AWS Secret Engine Root Credential Rotation

This allows the AWS Secret Engine to rotate its credentials used to
access AWS. This will only work when the AWS Secret Engine has been
provided explicit IAM credentials via the config/root endpoint, and
further, when the IAM credentials provided are the only access key on
the IAM user associated with the access key (because AWS allows a
maximum of 2 access keys per user).

Fixes #4385

* Add test for AWS root credential rotation

Also fix a typo in the root credential rotation code

* Add docs for AWS root rotation

* Add locks around reading and writing config/root

And wire the backend up in a bunch of places so the config can get the
lock

* Respond to PR feedback

* Fix casing in error messages

* Fix merge errors

* Fix locking bugs
2018-09-26 07:10:00 -07:00
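The commit above notes that rotation only works when the configured key is the user's sole access key, because IAM allows at most two keys per user. The following is an added example, not code from the Vault repository: a rotation routine run against a constructed in-memory IAM stand-in that enforces the two-key limit, showing the create-then-delete ordering and the refusal when a second key already exists. The `fakeIAM` type, the key IDs and the assumption that the IAM user name is already known in the config are all part of the demo, not the AWS SDK.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrLimitExceeded stands in for IAM's LimitExceeded error, returned when a
// user already holds the maximum of two access keys.
var ErrLimitExceeded = errors.New("LimitExceeded: cannot exceed quota for AccessKeysPerUser: 2")

// fakeIAM is a constructed in-memory stand-in for the IAM API (not the AWS
// SDK) that enforces the two-keys-per-user limit.
type fakeIAM struct {
	mu   sync.Mutex
	keys map[string][]string // IAM user name -> access key IDs
	seq  int
}

func (f *fakeIAM) CreateAccessKey(user string) (string, error) {
	f.mu.Lock()
	defer f.mu.Unlock()
	if len(f.keys[user]) >= 2 {
		return "", ErrLimitExceeded
	}
	f.seq++
	id := fmt.Sprintf("AKIAFAKE%04d", f.seq)
	f.keys[user] = append(f.keys[user], id)
	return id, nil
}

func (f *fakeIAM) DeleteAccessKey(user, id string) error {
	f.mu.Lock()
	defer f.mu.Unlock()
	for i, k := range f.keys[user] {
		if k == id {
			f.keys[user] = append(f.keys[user][:i], f.keys[user][i+1:]...)
			return nil
		}
	}
	return fmt.Errorf("NoSuchEntity: access key %s not found for user %s", id, user)
}

// AccessKeys returns a copy of the user's current key IDs for inspection.
func (f *fakeIAM) AccessKeys(user string) []string {
	f.mu.Lock()
	defer f.mu.Unlock()
	return append([]string(nil), f.keys[user]...)
}

// rootConfig is the engine's stored config/root. The user name is assumed to
// be known here; a real implementation would resolve it from the key itself.
type rootConfig struct {
	mu        sync.Mutex
	User      string
	AccessKey string
}

// rotateRoot creates the replacement key, commits it to the stored config, and
// only then deletes the superseded key, so that no point in the sequence leaves
// the engine without a valid credential. If two keys are already present the
// create step fails and the config is left untouched.
func rotateRoot(iam *fakeIAM, cfg *rootConfig) error {
	cfg.mu.Lock()
	defer cfg.mu.Unlock()

	newID, err := iam.CreateAccessKey(cfg.User)
	if err != nil {
		return fmt.Errorf("create replacement key: %w", err)
	}
	old := cfg.AccessKey
	cfg.AccessKey = newID
	if err := iam.DeleteAccessKey(cfg.User, old); err != nil {
		return fmt.Errorf("delete superseded key %s: %w", old, err)
	}
	return nil
}

func main() {
	iam := &fakeIAM{keys: map[string][]string{"vault": {"AKIAOLD0000000001"}}}
	cfg := &rootConfig{User: "vault", AccessKey: "AKIAOLD0000000001"}
	if err := rotateRoot(iam, cfg); err != nil {
		fmt.Println("rotation failed:", err)
		return
	}
	fmt.Println("rotated to", cfg.AccessKey, "remaining keys:", iam.AccessKeys("vault"))
}
```

The ordering matters for the failure case the commit describes: if the delete step fails after the new key has been stored, the user is left with two keys and the next rotation will be refused until the stale key is removed by hand, which is preferable to deleting first and being left with none.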
Joel Thompson e66795a095 logical/aws: Run Acceptance Tests in Parallel (#5383)
* Parallelize a couple AWS acceptance tests

Starting an effort to parallelize AWS secret engine acceptance tests.
Currently they take over a minute to run, and this parallelizes the two
that explicitly call a 10-second sleep, resulting in a 10-second speedup
in test time.

* Parameterize IAM user name

Probably not needed, but future-proofing the code

* Make remainder of tests parallel

AWS_ACCOUNT_ID environment variable is no longer being used; global
mutable state is a recipe for disaster when trying to run things in
parallel, and parallelizing the tests exposed a race condition in which
they were depending on the AWS_ACCOUNT_ID environment variable to be set
before they were run.

AWS_DEFAULT_REGION is still left as an environment variable because it
is required by AWS SDKs, but its configuration is now protected by a
sync.Once to ensure it only ever gets called a single time.

* Replace generateUnique*Name with testhelpers method
2018-09-25 17:10:53 -07:00
Jim Kalafut c1f7e4a276
Fix wording in log message (#5399) 2018-09-25 16:52:03 -07:00
Jim Kalafut 9d2f2ab2af
changelog++ 2018-09-25 16:23:32 -07:00
Jim Kalafut 4c80debe63
Add physical backend migrator command (#5143) 2018-09-25 16:18:22 -07:00
Brian Kassouf 49f11342ef
changelog++ 2018-09-25 13:29:16 -07:00
Brian Kassouf 8f212d702d
replication: Fix DR API checks when using a token (#5398) 2018-09-25 13:27:57 -07:00
Clint fec3b70374
Allow force restore for Transit Key Restores (#5382)
* Add test file for testing path_restore in Transit backend. Fails because 'force' is not implemented yet

* initial implementation of 'force', to force restore of existing transit key atomically
2018-09-25 15:20:59 -05:00
Vishal Nayak 1ebc5e73f8
changelog++ 2018-09-25 15:31:22 -04:00
Vishal Nayak 68a496dde4
Support operating on entities and groups by their names (#5355)
* Support operating on entities and groups by their names

* address review feedback
2018-09-25 12:28:28 -07:00
Becca Petrin b427a23bbb
update ffi (#5395) 2018-09-25 11:26:58 -07:00
Martin 79ab601cdb use constant where x-vault-token was still hardcoded (#5392) 2018-09-25 09:34:40 -07:00
Matthew Irish d509588cd2
Ember update (#5386)
Ember update - update ember-cli, ember-data, and ember to 3.4 series
2018-09-25 11:28:26 -05:00
Calvin Leung Huang ed1e41ba5c
Short-circuit TestBackend_PluginMainEnv on plain test run (#5393) 2018-09-25 09:22:34 -07:00
Rob Playford 3998942f04 fix typo in vault-plugin-auth-jwt path (#5385)
* fix typo in vault-plugin-auth-jwt path

* remove duplicate vault-plugin-auth-jwt entry
2018-09-25 10:55:45 -05:00
Jeff Mitchell 33065a60db Fix compilation/protobuf 2018-09-22 17:58:39 -04:00
andrejvanderzee dc6ea9ecbb Fix for using ExplicitMaxTTL in auth method plugins. (#5379)
* Fix for using ExplicitMaxTTL in auth method plugins.

* Reverted pb.go files for readability of PR.

* Fixed indenting of comment.

* Reverted unintended change by go test.
2018-09-21 14:31:29 -07:00
emily b37b8b7edf Docs PR for GCP secrets backend access token changes (#5366)
* initial docs pass

* fix docs
2018-09-21 10:31:49 -07:00
Chris Hoffman f9d62db01d
changelog++ 2018-09-21 12:42:28 -04:00
Brian Shumate b43c52d89b Add Enterprise Replication metrics (#3981) 2018-09-21 12:01:44 -04:00
Brian Shumate 25d6d03222 Docs: update policy read API output to address #5298 (#5299) 2018-09-21 10:52:46 -04:00
Seth Vargo 743161abd4 Also format TTLs in non-secret responses (#5367) 2018-09-21 09:54:18 -04:00
Brian Shumate 7d692ee614 Update screenshot (#5378)
- Use a Vault dashboard example (previous example was for Consul)
- Rename image file
2018-09-21 09:53:49 -04:00
Roman Iuvshyn 0832153f7d fixes file path option in samples (#5377)
fixes file path option in samples
2018-09-20 15:55:20 -07:00
Jim Kalafut 25fbbdb730
changelog++ 2018-09-20 15:00:25 -07:00
Jim Kalafut 343c72dbe1
Detect and bypass cycles during token revocation (#5364)
Fixes #4803
2018-09-20 14:56:38 -07:00
Yoko 3600f3dfa5
[Guide] Tokens & Leases guide **Correction** (#5375)
* Added Azure Key Vault

* Corrected the info about orphan token creation
2018-09-20 13:58:29 -07:00
Calvin Leung Huang 4ac6675fef changelog++ 2018-09-20 12:32:07 -07:00
Calvin Leung Huang 189b893b35
Add ability to provide env vars to plugins (#5359)
* Add ability to provide env vars to plugins

* Update docs

* Update docs with examples

* Refactor TestAddTestPlugin, remove TestAddTestPluginTempDir
2018-09-20 10:50:29 -07:00
Brian Shumate 74ec835b3b Docs: update Tidy API (#5374)
- Add a sample response to /auth/token/tidy API docs
- Document /auth/approle/tidy/secret-id API docs
2018-09-20 13:25:33 -04:00
Jeff Mitchell 9a24242cd1 BoundCidrs -> BoundCIDRs 2018-09-20 12:45:49 -04:00
Jeff Mitchell 5363f1308f Makefile updates 2018-09-20 12:38:05 -04:00
Laura Gjerman-Uva 6fcf6ea6fe Add -dr-token flag to commands to generate OTP and decode with OTP (required on DR secondary as of 0.11) (#5368) 2018-09-20 09:19:01 -07:00
Richard Lane 43837ecdf1 Documentation correction - update list identity whitelist sample request (#5369)
Path was incorrectly referencing the roletag-blacklist

Updated the sample to match the correct path
2018-09-19 21:21:57 -07:00
Brian Kassouf 94990a38df
changelog++ 2018-09-19 12:10:01 -07:00
pavel-usov 470131d100 Change in GET_LOCK call to make it MariaDB compatible (#5343)
* Update mysql.go

Change in GET_LOCK call to make it MariaDB compatible

* Use math.MaxUint32 for lock timeout, add comments
2018-09-19 12:05:04 -07:00
Jeff Mitchell da21bb14a8 changelog++ 2018-09-19 13:09:49 -04:00
Jeff Mitchell 4b45d8210f
Possibly fix Nomad capabilities issue (#5360) 2018-09-19 13:06:37 -04:00
Becca Petrin d05484b586
AliCloud Secrets Docs (#5351) 2018-09-19 08:42:59 -07:00
Becca Petrin 74d4d0ccc0
add alicloud secrets engine (#5352) 2018-09-19 08:42:28 -07:00
Jeff Mitchell c4b88333c9 Fix make proto substitutions 2018-09-19 11:37:01 -04:00
Jeff Mitchell 43aebacfa8 Fix default_max_request_duration HCL name and update docs (#5321)
* Fix default_max_request_duration HCL name and update docs

* Update tcp.html.md
2018-09-18 14:30:21 -07:00
Calvin Leung Huang 3ea1cc861d Small Makefile and script cleanup (#5354) 2018-09-18 14:28:37 -07:00
Clint 06d8dce8db
Update CHANGELOG.md 2018-09-18 16:07:08 -05:00
Clint 5882156f53
Translate AWS Rate limiting errors to 502 errors (#5270)
* Initial implementation of returning 529 for rate limits

- bump aws iam and sts packages to v1.14.31 to get mocking interface
- promote the iam and sts clients to the aws backend struct, for mocking in tests
- this also promotes some functions to methods on the Backend struct, so
  that we can use the injected client

Generating creds requires reading config/root for credentials to contact
IAM. Here we make pathConfigRoot a method on aws/backend so we can clear
the clients on successful update of config/root path. Adds a mutex to
safely clear the clients

* refactor locking and unlocking into methods on *backend

* refactor/simplify the locking

* check client after grabbing lock
2018-09-18 15:26:06 -05:00