Commit graph

612 commits

Author SHA1 Message Date
Vishal Nayak df8484f7af
approle: Make invalid role_id a 400 error instead of 500 (#4470)
* make invalid role_id a 400 error

* remove single-use validateCredentials function

* remove single-use validateBindSecretID function

* adjust the error message for CIDR check failure

* locking updates as review feedback
2018-05-04 10:15:16 -04:00
Jeff Mitchell b1d44a7dee
Fix alias data being used for cert auth (serial number -> common name) (#4495)
Fixes #4475
2018-05-04 10:08:23 -04:00
vishalnayak 9ef3a36007 s/enable_local_secret_ids/local_secret_ids 2018-04-24 17:52:42 -04:00
vishalnayak 965a16f888 remove unneeded comments 2018-04-24 16:28:25 -04:00
vishalnayak b91d53fd76 refactor to be able to defer lock.Unlock() 2018-04-24 16:17:24 -04:00
vishalnayak f3dd8b3d17 fix typo 2018-04-24 16:03:18 -04:00
vishalnayak b16ee7b32d remove unneeded setting of secret ID prefix 2018-04-24 15:55:40 -04:00
vishalnayak 7832e06fdc Add field read test 2018-04-24 15:48:07 -04:00
vishalnayak 10579f5d8d Fix api path for reading the field 2018-04-24 14:28:03 -04:00
vishalnayak c46e021543 Add tests 2018-04-24 11:02:11 -04:00
vishalnayak aade040e50 Add immutability test 2018-04-24 10:05:17 -04:00
vishalnayak 97c03c5a65 Add enable_local_secret_ids to role read response 2018-04-24 09:53:36 -04:00
vishalnayak 6b7a042003 error on enable_local_secret_ids update after role creation 2018-04-23 17:05:53 -04:00
vishalnayak 644892c53c naming changes 2018-04-23 16:52:09 -04:00
vishalnayak a369a4edb6 Upgrade secret ID prefix and fix tests 2018-04-23 16:31:51 -04:00
vishalnayak d14cd4a51e segregate local and non-local accessor entries 2018-04-23 16:19:05 -04:00
vishalnayak 7efbee2a12 Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 16:02:55 -04:00
vishalnayak 743e3ace13 fix path regex and role storage 2018-04-23 14:08:30 -04:00
vishalnayak 1680b56d43 add prefix to LocalStorage 2018-04-23 14:08:30 -04:00
vishalnayak 97b821b231 local secret IDs 2018-04-23 14:08:30 -04:00
Calvin Leung Huang c7dddaf537
Skip CI acceptance tests on missing required values (#4346)
* Skip dynamic key acceptance test if vaultssh user not present

* Skip aws acceptance test if required environment variables are missing
2018-04-13 10:18:06 -04:00
Becca Petrin da1cfb86e9 run make fmt 2018-04-11 14:25:09 -07:00
Becca Petrin 8569c8c235 Merge branch 'opensource-master' into struct-tags 2018-04-11 13:04:08 -07:00
Becca Petrin dab933ccaf deviate from snake case 2018-04-11 13:03:33 -07:00
Calvin Leung Huang 2dc4aa05f0 Dockerize radius auth backend acceptance tests (#4276) 2018-04-11 14:26:35 -04:00
Becca Petrin fcfe036e60 fix 2 minor struct tag issues 2018-04-10 16:11:44 -07:00
Becca Petrin abb621752f Clean up error string formatting (#4304) 2018-04-09 14:35:21 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Vishal Nayak ef60ded908
TypeDurationSecond for ttl and max_ttl (#4268)
* use typedurationsecond for ttl and max_ttl

* address review feedback
2018-04-04 17:47:18 -04:00
Chris Hoffman 8250da87a9
Fix a few missing TTL core changes (#4265)
* Fix missing ttl handling in backends

* fix test
2018-04-04 06:43:21 -04:00
Chris Hoffman a7ada08b3b
Core handling of TTLs (#4230)
* govet cleanup in token store

* adding general ttl handling to login requests

* consolidating TTL calculation to system view

* deprecate LeaseExtend

* deprecate LeaseExtend

* set the increment to the correct value

* move calculateTTL out of SystemView

* remove unused value

* add back clearing of lease id

* implement core ttl in some backends

* removing increment and issue time from lease options

* adding ttl tests, fixing some compile issue

* adding ttl tests

* fixing some explicit max TTL logic

* fixing up some tests

* removing unneeded test

* off by one errors...

* adding back some logic for bc

* adding period to return on renewal

* tweaking max ttl capping slightly

* use the appropriate precision for ttl calculation

* deprecate proto fields instead of delete

* addressing feedback

* moving TTL handling for backends to core

* mongo is a secret backend not auth

* adding estimated ttl for backends that also manage the expiration time

* set the estimate values before calling the renew request

* moving calculate TTL to framework, revert removal of increment and issue time from logical

* minor edits

* addressing feedback

* address more feedback
2018-04-03 12:20:20 -04:00
Jeff Mitchell f5ba4796f5
Case insensitive behavior for LDAP (#4238) 2018-04-03 09:52:43 -04:00
Becca Petrin 03cf302e9a Move to "github.com/hashicorp/go-hclog" (#4227)
* logbridge with hclog and identical output

* Initial search & replace

This compiles, but there is a fair amount of TODO
and commented out code, especially around the
plugin logclient/logserver code.

* strip logbridge

* fix majority of tests

* update logxi aliases

* WIP fixing tests

* more test fixes

* Update test to hclog

* Fix format

* Rename hclog -> log

* WIP making hclog and logxi love each other

* update logger_test.go

* clean up merged comments

* Replace RawLogger interface with a Logger

* Add some logger names

* Replace Trace with Debug

* update builtin logical logging patterns

* Fix build errors

* More log updates

* update log approach in command and builtin

* More log updates

* update helper, http, and logical directories

* Update loggers

* Log updates

* Update logging

* Update logging

* Update logging

* Update logging

* update logging in physical

* prefixing and lowercase

* Update logging

* Move phyisical logging name to server command

* Fix som tests

* address jims feedback so far

* incorporate brians feedback so far

* strip comments

* move vault.go to logging package

* update Debug to Trace

* Update go-plugin deps

* Update logging based on review comments

* Updates from review

* Unvendor logxi

* Remove null_logger.go
2018-04-02 17:46:59 -07:00
Ben Feld 3f5d60b54b Fixed typo and adjusted line wrapping in backend help (#4239) 2018-04-02 13:51:26 -07:00
Calvin Leung Huang 610c137a3d
Remove sensitive fields when reading config data (#4216)
* Remove sensitive fields when reading config data

* Do not use structs; build and return map explicitly

* Revert tag in postgresql

* Fix tests
2018-03-30 10:17:39 -04:00
Jeff Mitchell 7a6f582168
1.10 Updates (#4218) 2018-03-29 15:32:16 -04:00
Jeff Mitchell 487cb7a41a
We don't need to limit the size of ldap queries, so set a high limit (#4169)
Fixes #4162
2018-03-20 16:06:39 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Joel Thompson 3e2006eb13 Allow non-prefix-matched IAM role and instance profile ARNs in AWS auth backend (#4071)
* Update aws auth docs with new semantics

Moving away from implicitly globbed bound_iam_role_arn and
bound_iam_instance_profile_arn variables to make them explicit

* Refactor tests to reduce duplication

auth/aws EC2 login tests had the same flow duplicated a few times, so
refactoring to reduce duplication

* Add tests for aws auth explicit wildcard constraints

* Remove implicit prefix matching from AWS auth backend

In the aws auth backend, bound_iam_role_arn and
bound_iam_instance_profile_arn were ALWAYS prefix matched, and there was
no way to opt out of this implicit prefix matching. This now makes the
implicit prefix matching an explicit opt-in feature by requiring users
to specify a * at the end of an ARN if they want the prefix matching.
2018-03-17 21:24:49 -04:00
Joel Thompson 39dc981301 auth/aws: Allow binding by EC2 instance IDs (#3816)
* auth/aws: Allow binding by EC2 instance IDs

This allows specifying a list of EC2 instance IDs that are allowed to
bind to the role. To keep style formatting with the other bindings, this
is still called bound_ec2_instance_id rather than bound_ec2_instance_ids
as I intend to convert the other bindings to accept lists as well (where
it makes sense) and keeping them with singular names would be the
easiest for backwards compatibility.

Partially fixes #3797
2018-03-15 09:19:28 -07:00
Jeff Mitchell 300ca9c6ee
Have Okta respect its set max_ttl. (#4111)
Fixes #4110
2018-03-13 10:39:51 -04:00
Vishal Nayak 527eb418fe
approle: Use TypeCommaStringSlice for BoundCIDRList (#4078)
* Use TypeCommaStringSlice for Approle bound_cidr_list

* update docs

* Add comments in the test
2018-03-08 17:49:08 -05:00
Brian Kassouf 9dba3590ac
Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
Jeff Mitchell f9f0261886
Populate AWS-generated tokens with default lease TTL to fix comparisons against role max (#4107)
* Populate AWS-generated tokens with default lease TTL to fix comparisons against role max

* Fix printing TTLs when capping them
2018-03-08 13:08:00 -05:00
Jeff Mitchell 52852b89cf
Revert "Fix AWS auth max_ttl being ignored when ttl is not set (#4086)" (#4105)
This reverts commit 135cb4e6871a75c3b996bf8ac719767560268732.
2018-03-08 11:08:32 -05:00
Kevin Wang f72540ce8e Fix AWS auth max_ttl being ignored when ttl is not set (#4086)
If ttl is not set, the value of `resp.Auth.TTL` is 0, resulting in the
max TTL check being skipped.

Also fixes the formatting of the warning message.
2018-03-08 11:07:51 -05:00
Joel Thompson e4949d644b auth/aws: Allow lists in binds (#3907)
* auth/aws: Allow lists in binds

In the aws auth method, allow a number of binds to take in lists
instead of a single string value. The intended semantic is that, for
each bind type set, clients must match at least one of each of the bind
types set in order to authenticate.
2018-03-02 11:09:14 -05:00
Jeff Mitchell 121d5718ea Remove structs/mapstructure tags from auth/aws 2018-02-27 15:27:49 -05:00
Jeff Mitchell c695023bab Remove structs package from auth/aws 2018-02-27 13:22:47 -05:00
Joel Thompson b0592d2161 auth/aws: Add functional test for detached RSA signature (#4031)
Previously the functional test was only testing the PCKS7-signed identity
document, not the detached RSA signature, so adding a test for that in the
functional test suite.
2018-02-22 20:55:45 -05:00