39a0c8e91f
Read from 'path' to retain backward compatibility
2016-03-15 20:05:51 -04:00
1e889bc08c
Input validations and field renaming
2016-03-15 17:47:13 -04:00
a0958c9359
Refactor updating and creating userEntry into a helper function
2016-03-15 17:32:39 -04:00
acd545f1ed
Fetch and store UserEntry to properly handle both create and update
2016-03-15 17:05:23 -04:00
9609fe151b
Change path structure of password and policies endpoints in userpass
2016-03-15 16:46:12 -04:00
8be36b6925
Reuse the variable instead of fetching 'name' again
2016-03-15 16:21:47 -04:00
61b4cac458
Added paths to update policies and password
2016-03-15 16:12:55 -04:00
731bb97db5
Tests for updating password and policies in userpass backend
2016-03-15 16:09:23 -04:00
b7eb0a97e5
Userpass: Support updating policies and password
2016-03-15 15:18:21 -04:00
8aaf29b78d
Add forgotten test
2016-03-15 14:18:35 -04:00
8bf935bc2b
Add list support to certs in cert auth backend.
...
Fixes #1212
2016-03-15 14:07:40 -04:00
71fc07833f
Rename id to path and path to file_path, print audit backend paths
2016-03-14 17:15:07 -04:00
d648306d52
Add the ability to specify the app-id in the login path.
...
This makes it easier to use prefix revocation for tokens.
Ping #424
2016-03-14 16:24:01 -04:00
9bfd24cd69
s/hash_accessor/hmac_accessor/g
2016-03-14 14:52:29 -04:00
ea108fba18
Use accessor being set as the condition to restore non-hashed values
2016-03-14 11:23:30 -04:00
e09819fedc
Added hash_accessor option to audit backends
2016-03-11 19:28:06 -05:00
343e6f1671
Merge pull request #998 from chrishoffman/mssql
...
Sql Server (mssql) secret backend
2016-03-10 22:30:24 -05:00
b1703fb18d
Cleaning up lease and lease duration vars and params
2016-03-10 21:15:18 -05:00
ba94451875
Removing root protected endpoints
2016-03-10 21:08:39 -05:00
dc7da4f4e8
Changing DROP USER query to a more compatible version
2016-03-10 21:06:50 -05:00
5af33afd90
Adding verify_connection to config, docs updates, misc cleanup
2016-03-09 23:08:05 -05:00
a6d8fc9d98
Merge pull request #1190 from grunzwei/master
...
fix github tests to use the provided GITHUB_ORG environment variable
2016-03-09 09:51:28 -05:00
ae469cc796
fix github tests to use the provided GITHUB_ORG environment variable
...
(tests fail for non hashicorp people)
2016-03-09 15:34:03 +02:00
7a9122bbd1
Sanitize serial number in revocation path.
...
Ping #1180
2016-03-08 10:51:59 -05:00
34a9cb1a70
Add serial_number back to path_issue_sign responses in PKI
2016-03-08 09:25:48 -05:00
5a17735dcb
Add subject/authority key id to cert metadata
2016-03-07 14:59:00 -05:00
11dc3f328f
Add revocation information to PKI fetch output (non-raw only).
...
Fixes #1180
2016-03-07 10:57:38 -05:00
67b85b8f7f
Error rather than skip Consul acceptance tests if Consul isn't found
2016-03-07 10:09:36 -05:00
4a3d3ef300
Use better error message on LDAP renew failure
2016-03-07 09:34:16 -05:00
0b4a8f5b94
Adding mssql secret backend
2016-03-03 09:19:17 -05:00
44208455f6
continue if non-CA policy is not found
2016-03-01 16:43:51 -05:00
9a3ddc9696
Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow
2016-03-01 16:37:01 -05:00
cc1592e27a
corrections, policy matching changes and test cert changes
2016-03-01 16:37:01 -05:00
09eef70853
Added testcase for cert writes
2016-03-01 16:37:01 -05:00
f056e8a5a5
supporting non-ca certs for verification
2016-03-01 16:37:01 -05:00
aee006ba2d
moved the test cert keys to appropriate test-fixtures folder
2016-02-29 15:49:08 -05:00
64ab16d137
Don't spawn consul servers when testing unless it's an acceptance test
2016-02-29 14:58:06 -05:00
f6092f8311
Don't run transit fuzzing if not during acceptance tests
2016-02-29 14:44:04 -05:00
2205133ae4
Only run PKI backend setup functions when TF_ACC is set
2016-02-29 14:41:14 -05:00
cf672400d6
fixed the error log message
2016-02-29 10:41:10 -05:00
dca18aec2e
replaced old certs, with new certs generated from PKI backend, containing IP SANs
2016-02-28 22:15:54 -05:00
7ae573b35b
Apply hyphen/underscore replacement across the entire username.
...
Handles app-id generated display names.
Fixes #1140
2016-02-26 15:26:23 -05:00
e2c15eb693
Merge pull request #1129 from hashicorp/pki-tidy
...
Add "pki/tidy" which allows removing expired certificates.
2016-02-25 10:39:54 -05:00
6b6005ee2e
Remove root token requirement from GitHub configuration
2016-02-25 08:51:53 -05:00
8ca847c9b3
Be more explicit about buffer type
2016-02-24 22:05:39 -05:00
7d41607b6e
Add "tidy/" which allows removing expired certificates.
...
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
69bcbb28aa
rename verify_cert as disable_binding and invert the logic
2016-02-24 21:01:21 -05:00
902c780f2b
make the verification of certs in renewal configurable
2016-02-24 16:42:20 -05:00
bc4710eb06
Cert: renewal enhancements
2016-02-24 14:31:38 -05:00
053bbd97ea
check CIDR block for renewal as well
2016-02-24 10:55:31 -05:00
978075a1b4
Added renewal capability to app-id backend
2016-02-24 10:40:15 -05:00
11187112bc
Improve error message returned when client attempts to generate STS credentials for a managed policy; addresses #1113
2016-02-23 08:58:28 -05:00
f56e4a604d
Merge pull request #1114 from hashicorp/dont-delete-certs
...
Do not delete certs (or revocation information)
2016-02-22 16:11:13 -05:00
4514192145
Address review feedback
2016-02-22 16:11:01 -05:00
f43ab6a25d
Remove extra debugging from PKI tests
2016-02-22 13:39:05 -05:00
f27eab1d28
Do not delete certs (or revocation information) to avoid potential
...
issues related to time synchronization. A function will be added to
allow operators to perform cleanup at chosen times.
2016-02-22 13:36:17 -05:00
51ced69bf8
Fix issue where leftover values after cn tests could trigger errors in ipsan tests
2016-02-22 13:35:57 -05:00
949f8a6b69
Merge pull request #1112 from hashicorp/1089-postgres-connection-url
...
postgres: connection_url fix
2016-02-22 11:36:04 -05:00
4c327ca4cc
More improvements to PKI tests; allow setting a specific seed, output
...
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
2016-02-22 11:22:52 -05:00
c9899a5300
postgres: connection_url fix
2016-02-22 11:22:49 -05:00
8d4c6f4c98
Use more fuzziness in PKI backend tests
2016-02-22 10:59:37 -05:00
392a26e9cd
Better handle errors from fetchCertBySerial
2016-02-22 10:36:26 -05:00
fab2d8687a
Remove root requirement for certs/ and crls/ in TLS auth backend.
...
Fixes #468
2016-02-21 15:33:33 -05:00
58432c5d57
Add tests for minimum key size checking. (This will also verify that the
...
key type matches that of the role, since type assertions are required to
check the bit size). Like the rest, these are fuzz tests; I have
verified that the random seed will eventually hit error conditions if
ErrorOk is not set correctly when we expect an error.
2016-02-19 21:39:40 -05:00
c57b646848
Check role key type and bits when signing CSR.
...
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
2016-02-19 20:50:49 -05:00
c4abe72075
Cap the length midString in IAM user's username to 42
2016-02-19 18:31:10 -05:00
773de69796
Merge pull request #1102 from hashicorp/shorten-aws-usernames
...
Set limits on generated IAM user and STS token names.
2016-02-19 18:25:29 -05:00
574542b683
Some minor changes in mysql commenting and names
2016-02-19 16:44:52 -05:00
25b9f9b4a6
Set limits on generated IAM user and STS token names.
...
Fixes #1031
Fixes #1063
2016-02-19 16:35:06 -05:00
a16055c809
mysql: fix error message
2016-02-19 16:07:06 -05:00
38b55bd8b1
Don't deprecate value field yet
2016-02-19 16:07:06 -05:00
99f4969b20
Removed connectionString.ConnectionString
2016-02-19 16:07:05 -05:00
380b662c3d
mysql: provide allow_verification option to disable connection_url check
2016-02-19 16:07:05 -05:00
6df75231b8
Merge pull request #1100 from hashicorp/issue-1030
...
Properly escape filter values in LDAP filters
2016-02-19 14:56:40 -05:00
7fc4ee1ed7
Disallow 1024-bit RSA keys.
...
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
05b5ff69ed
Address some feedback on ldap escaping help text
2016-02-19 13:47:26 -05:00
d7b40b32db
Properly escape filter values.
...
Fixes #1030
2016-02-19 13:16:52 -05:00
c67871c36e
Update LDAP documentation with a note on escaping
2016-02-19 13:16:18 -05:00
d3f3122307
Add tests to ldap using the discover capability
2016-02-19 11:46:59 -05:00
154c326060
Add ldap tests that use a bind dn and bind password
2016-02-19 11:38:27 -05:00
3e1a07d3d0
Merge pull request #1047 from hashicorp/vault-iss999-github-renewal
...
GitHub renewal enhancements
2016-02-18 16:47:15 -05:00
ba134f5a7a
Merge pull request #1086 from hashicorp/iss962-verify-otp-response-code
...
SSH: Fix response code for ssh/verify
2016-02-18 13:32:28 -05:00
a6f3b31a36
ssh: Fix response code for ssh/verify
2016-02-16 19:46:29 -05:00
d9536043e7
Pki: Respond user error when cert is not found instead of internal error
2016-02-16 17:58:57 -05:00
0b44d81a16
Github renewal enhancement
2016-02-11 20:42:42 -05:00
3378db0166
Merge pull request #1061 from tomrittervg/tomrittervg-typos-1
...
Fix some typos
2016-02-11 15:12:09 -05:00
880c9798b7
Merge pull request #1062 from tomrittervg/tomrittervg-AllowedBaseDomain-migration
...
AllowedBaseDomain will stay non-empty in certain error conditions. None of these conditions should be hit anyways, but this provides an extra safety check.
2016-02-11 15:07:54 -05:00
46b22745c6
Merge pull request #1053 from mwielgoszewski/postgresql-revocation
...
Fix PostgreSQL secret backend issues revoking users
2016-02-11 12:52:37 -05:00
a10dc14625
Fix AllowedBaseDomain Migration
...
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.
//untested
2016-02-09 15:42:15 -06:00
940a58cb9d
Typo in error message in path_intermediate.go
2016-02-09 15:08:30 -06:00
e5952a1c28
Typo in policy.go
2016-02-08 12:00:06 -06:00
4771884c78
Add slack on NotBefore value for generated certs.
...
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.
Fixes #1035
2016-02-07 14:00:03 -05:00
eb1deefac1
Introduce a locking inmem storage for unit tests that are doing concurrent things
2016-02-04 09:40:35 -05:00
70eeaa1519
Add transit fuzz test
2016-02-03 17:36:15 -05:00
d02930fd95
Merge pull request #1013 from hashicorp/fix-ssh-tests
...
Fix SSH tests
2016-02-02 14:22:09 -05:00
f2e8ac0658
Fix SSH test cases.
2016-02-02 12:32:50 -05:00
159754acf2
Use capabilities to determine upsert-ability in transit.
2016-02-02 10:03:14 -05:00
5ef8839e48
Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config"
...
This reverts commit dc27d012c0357f93bfd5bd8d480f3e229166307a.
2016-02-02 09:26:25 -05:00
1d385b4de3
Re-add upsert into transit. Defaults to off and a new endpoint /config
...
can be used to turn it on for a given mount.
2016-02-01 20:13:57 -05:00
20f45678e6
Fix comment text
2016-02-01 17:20:16 -05:00
vishalnayak