578b82acf5
Pass only valid inputs to validation methods
2016-09-21 15:44:54 -04:00
93604e1e2e
Added cidrutil helper
2016-09-21 13:58:32 -04:00
676e7e0f07
Ensure upgrades have a valid HMAC key
2016-09-21 11:10:57 -04:00
0ff76e16d2
Transit and audit enhancements
2016-09-21 10:49:26 -04:00
5c241d31e7
Renaming ttl_max -> max_ttl in mssql backend ( #1905 )
2016-09-20 12:39:02 -04:00
97dc0e9f64
Merge pull request #1897 from hashicorp/secret-id-accessor-locks
...
Safely manipulate secret id accessors
2016-09-19 11:37:38 -04:00
fefd3a6c0b
s/GetOctalFormatted/GetHexFormatted
2016-09-16 17:47:15 -04:00
897d3c6d2c
Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop.
2016-09-16 11:05:43 -04:00
ba72e7887a
Safely manipulate secret id accessors
2016-09-15 18:13:50 -04:00
61664bc653
Merge pull request #1886 from hashicorp/approle-upgrade-notes
...
upgrade notes entry for approle constraint and warning on role read
2016-09-15 12:14:01 -04:00
5597156886
check for nil role
2016-09-15 12:10:40 -04:00
92986bb2a0
Address review feedback
2016-09-15 11:41:52 -04:00
a1de742dce
s/disableReauthenticationNonce/reauthentication-disabled-nonce
2016-09-15 11:29:02 -04:00
9bca127631
Updated docs with nonce usage
2016-09-14 19:31:09 -04:00
857f921d76
Added comment
2016-09-14 18:27:35 -04:00
39796e8801
Disable reauthentication if nonce is explicitly set to empty
2016-09-14 17:58:00 -04:00
d0e4d77fce
address review feedback
2016-09-14 14:28:02 -04:00
d7ce69c5eb
Remove the client nonce being empty check
2016-09-14 14:28:02 -04:00
53c919b1d0
Generate the nonce by default
2016-09-14 14:28:02 -04:00
455a4ae055
address review feedback
2016-09-14 12:08:35 -04:00
b1392567d1
Use constant time comparisons for client nonce
2016-09-13 20:12:43 -04:00
d2e66014ba
Address review feedback
2016-09-13 18:30:04 -04:00
29b67141eb
Only use running state for checking if instance is alive. ( #1885 )
...
Fixes #1884
2016-09-13 18:08:05 -04:00
99a2655d8e
upgrade notes entry for approle constraint and warning on role read
2016-09-13 17:44:07 -04:00
bef9c2ee61
Ensure at least one constraint on the role
2016-09-13 16:03:15 -04:00
197c7eae5f
Allow encrypting empty ciphertext values. ( #1881 )
...
Replaces #1874
2016-09-13 12:00:04 -04:00
b599948e1c
Use uuid.GenerateRandomBytes
2016-09-09 14:17:09 -04:00
127f61473b
Not exposing structs from the backend's package
2016-09-01 11:57:28 -04:00
1db0544b7a
Use unexported kdf const names
2016-08-31 07:19:58 -04:00
c46a7391c0
Merge pull request #1799 from hashicorp/fix-role-locking
...
approle: fix racy updates problem for roles
2016-08-30 16:46:40 -04:00
cdcfa4572f
Address review feedback
2016-08-30 16:36:58 -04:00
d2239d22d9
Use hkdf for transit key derivation for new keys ( #1812 )
...
Use hkdf for transit key derivation for new keys
2016-08-30 16:29:09 -04:00
29b9295673
approle: fix racy updates problem for roles
2016-08-30 16:11:14 -04:00
9dbc97028b
STS path field description update
2016-08-30 10:53:21 -04:00
0b07ec7303
Added UpdateOperation to logical AWS STS path
2016-08-30 10:30:13 -04:00
cdd1d96a64
Merge pull request #1804 from hashicorp/issue-1800
...
Mark STS secrets as non-renwable
2016-08-29 11:46:19 -04:00
8612b6139e
Fixes #1801 Reuse Cassandra session object for create creds ( #1802 )
2016-08-28 17:32:41 -04:00
f0537572a8
Mark STS secrets as non-renwable
...
Ping #1800
2016-08-28 14:27:56 -04:00
0b113f7916
Derive nonce fully in convergent mode ( #1796 )
...
Ping #1794
2016-08-26 17:01:56 -04:00
2f5876dfe9
Use key derivation for convergent nonce. ( #1794 )
...
Use key derivation for convergent nonce.
Fixes #1792
2016-08-26 14:11:03 -04:00
28739f3528
Decode secret internal data into struct and fix type assertion. ( #1781 )
2016-08-24 15:04:04 -04:00
d1284944c3
Merge pull request #1755 from hashicorp/logxi
...
Convert to logxi
2016-08-21 19:28:18 -04:00
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
524ed6db37
Extract out common code
2016-08-21 15:46:11 -04:00
dfe73733d5
Seperate endpoints for read/delete using secret-id and accessor
2016-08-21 14:42:49 -04:00
2860dcc60f
gofmt
2016-08-19 16:48:32 -04:00
7ce631f1dc
Pretty print the warning
2016-08-18 16:09:10 -04:00
870ffd6fd8
Use shortestTTL value during renewals too
2016-08-18 15:43:58 -04:00
4f1c47478e
When TTL is not set, consider the system default TTL as well
2016-08-18 15:37:59 -04:00
56b8c33c95
aws-ec2: se max_ttl when ttl is not set, during login
2016-08-18 15:16:32 -04:00
638e61192a
Actually show the error occurring if a file audit log can't be opened
2016-08-15 16:26:36 -04:00
86874def5c
Parameter change
...
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
2016-08-14 21:43:57 -04:00
39cfd116b6
Cleanup
2016-08-13 11:52:09 -04:00
1b8711e7b7
Ensure utc value is not zero before adding
2016-08-13 11:50:57 -04:00
d6d08250ff
Ensure values to be encoded in a CRL are in UTC. This aligns with the
...
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.
Fixes #1727
2016-08-13 08:40:09 -04:00
b150c14caa
Address review feedback by @jefferai
2016-08-09 17:45:42 -04:00
8d261b1a78
Added ttl field to aws-ec2 auth backend role
2016-08-09 17:29:45 -04:00
b69ed7ea93
Fix build
2016-08-08 17:00:59 -04:00
7f6c58b807
Address review feedback
2016-08-08 16:30:48 -04:00
0a67bcb5bd
Merge pull request #1696 from hashicorp/transit-convergent-specify-nonce
...
Require nonce specification for more flexibility
2016-08-08 11:41:10 -04:00
1f198e9256
Return warning about ACLing the LDAP configuration endpoint.
...
Fixes #1263
2016-08-08 10:18:36 -04:00
606ba64e23
Remove context-as-nonce, add docs, and properly support datakey
2016-08-07 15:53:40 -04:00
1976bc0534
Add unit tests for convergence in non-context mode
2016-08-07 15:16:36 -04:00
8b1d47037e
Refactor convergent encryption to make specifying a nonce in addition to context possible
2016-08-05 17:52:44 -04:00
0b73c2ff9a
Fix PKI logical backend email alt_names
2016-08-04 12:10:34 +02:00
58e9cbbfc6
Add postgres test for block statements
2016-08-03 15:34:50 -04:00
9e204bd88c
Add arbitrary string slice parsing.
...
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.
Fixes #1619 in theory.
2016-08-03 14:24:16 -04:00
c025b292b5
Cleanup
2016-08-03 13:09:12 -04:00
cff7aada7a
Fix invalid input getting marked as internal error
2016-07-28 16:23:11 -04:00
e0c5f5f5fa
Add convergence tests to transit backend
2016-07-28 11:30:52 -04:00
a6907769b0
AppRole authentication backend
2016-07-26 09:32:41 -04:00
0cfb112e87
Explicitly set invalid request status when a password isn't included
2016-07-25 11:14:15 -04:00
dc4b85b55e
Don't return 500 for user error in userpass when setting password
2016-07-25 11:09:46 -04:00
d4c3e27c4e
Fix re-specification of filter
2016-07-25 09:08:29 -04:00
cd6d114e42
LDAP Auth Backend Overhaul
...
--------------------------
Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.
Simplified group membership lookup significantly to support multiple use-cases:
* Enumerating groups via memberOf attribute on user object
* Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
* Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matchind rule
There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.
Additional changes:
* Clarify documentation for LDAP auth backend.
* Reworked how default values are set, added tests
* Removed Dial from LDAP config read. Network should not affect configuration.
2016-07-22 21:20:05 -04:00
68dcf677fa
Fix panic if no certificates are supplied by client
...
Fixes #1637
2016-07-21 10:20:41 -04:00
b353e44209
Fix build
2016-07-21 09:53:41 -04:00
d335038b40
Ensure we never return a nil set of trusted CA certs
...
Fixes #1637
2016-07-21 09:50:31 -04:00
559b0a5006
Merge pull request #1635 from hashicorp/mysql-idle-conns
...
Added maximum idle connections to mysql to close hashicorp/vault#1616
2016-07-20 15:31:37 -04:00
b558c35943
Set defaults to handle upgrade cases.
...
Ping #1604
2016-07-20 14:07:19 -04:00
f2b6569b0b
Merge pull request #1604 from memory/mysql-displayname-2
...
concat role name and token displayname to form mysql username
2016-07-20 14:02:17 -04:00
ea294f1d27
use both role name and token display name to form mysql username
2016-07-20 10:17:00 -07:00
e6bf4fa489
whitespace error corrected
2016-07-20 12:00:05 -04:00
0483457ad2
respond to feedback from @vishalnayak
...
- split out usernameLength and displaynameLength truncation values,
as they are different things
- fetch username and displayname lengths from the role, not from
the request parameters
- add appropriate defaults for username and displayname lengths
2016-07-20 06:36:51 -07:00
7cdb8a28bc
max_idle_connections added
2016-07-20 09:26:26 -04:00
03c7eb7d18
initial commit before rebase to stay current with master
2016-07-19 14:18:37 -04:00
30ca541f99
Merge pull request #1414 from mhurne/mongodb-secret-backend
...
Add mongodb secret backend
2016-07-19 13:56:15 -04:00
3334b22993
Some minor linting
2016-07-19 13:54:18 -04:00
0f9ee8fbed
Merge branch 'master' into mongodb-secret-backend
2016-07-19 12:47:58 -04:00
072c5bc915
mongodb secret backend: Remove redundant type declarations
2016-07-19 12:35:14 -04:00
c7d42cb112
mongodb secret backend: Fix broken tests, clean up unused parameters
2016-07-19 12:26:23 -04:00
fbb04349b5
Merge pull request #1629 from hashicorp/remove-verify-connection
...
Remove unused VerifyConnection from storage entries of SQL backends
2016-07-19 12:21:23 -04:00
8a1bb1626a
Merge pull request #1583 from hashicorp/ssh-allowed-roles
...
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-19 12:04:12 -04:00
7fb04a1bbd
Remove unused VerifyConnection from storage entries of SQL backends
2016-07-19 11:55:49 -04:00
316837857b
mongodb secret backend: Return lease ttl and max_ttl in lease read in seconds rather than as duration strings
2016-07-19 11:23:56 -04:00
f18d98272d
mongodb secret backend: Don't bother persisting verify_connection field in connection config
2016-07-19 11:20:45 -04:00
f8e6bcbb69
mongodb secret backend: Handle cases where stored username or db is not a string as expected when revoking credentials
2016-07-19 11:18:00 -04:00
75a5fbd8fe
Merge branch 'master' into mongodb-secret-backend
2016-07-19 10:38:45 -04:00
434ed2faf2
Merge pull request #1573 from mickhansen/logical-postgresql-revoke-sequences
...
handle revocations for roles that have privileges on sequences
2016-07-18 13:30:42 -04:00
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
cdf58da43b
Merge pull request #1610 from hashicorp/min-tls-ver-12
...
Set minimum TLS version in all tls.Config objects
2016-07-13 10:53:14 -06:00
09a4142fd3
Handled upgrade path for TLSMinVersion
2016-07-13 12:42:51 -04:00
9f1e6c7b26
Merge pull request #1607 from hashicorp/standardize-time
...
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
de19314f18
Address review feedback
2016-07-13 11:52:26 -04:00
407722a9b4
Added tls_min_version to consul storage backend
2016-07-12 20:10:54 -04:00
314a5ecec0
allow overriding the default truncation length for mysql usernames
...
see https://github.com/hashicorp/vault/issues/1605
2016-07-12 17:05:43 -07:00
f34f0ef503
Make 'tls_min_version' configurable
2016-07-12 19:32:47 -04:00
46d34130ac
Set minimum TLS version in all tls.Config objects
2016-07-12 17:06:28 -04:00
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
57cdb58374
Switch to pester from go-retryablehttp to avoid swallowing 500 error messages
2016-07-11 21:37:46 +00:00
9ee4542a7c
incorporate code style guidelines
2016-07-11 13:35:35 +02:00
c25788e1d4
handle revocations for roles that have privileges on sequences
2016-07-11 13:16:45 +02:00
2cf4490b37
use role name rather than token displayname in generated mysql usernames
...
If a single token generates multiple myself roles, the generated mysql
username was previously prepended with the displayname of the vault
user; this makes the output of `show processlist` in mysql potentially
difficult to correlate with the roles actually in use without cross-
checking against the vault audit log.
See https://github.com/hashicorp/vault/pull/1603 for further discussion.
2016-07-10 15:57:47 -07:00
6505e85dae
mongodb secret backend: Improve safety of MongoDB roles storage
2016-07-09 21:12:42 -04:00
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
bb8a45eb8b
Format code in mongodb secret backend
2016-07-07 23:16:11 -04:00
8d5a7992c1
mongodb secret backend: Improve and correct errors in documentation; improve "parameter is required" error response messages
2016-07-07 23:09:45 -04:00
eee6f04e40
mongodb secret backend: Refactor to eliminate unnecessary variable
2016-07-07 22:29:17 -04:00
ce845df43c
mongodb secret backend: Consider a "user not found" response a success when removing a user from Mongo
2016-07-07 22:27:47 -04:00
138d74f745
mongodb secret backend: Improve roles path help
2016-07-07 22:16:34 -04:00
7f9d91acb6
mongodb secret backend: Remove default value for Mongo authentication DB for roles; validate that role name and authentication db were specified when creating a role
2016-07-07 22:09:00 -04:00
de84cdabe6
mongodb secret backend: Leverage framework.TypeDurationSecond to simplify storage of lease ttl and max_ttl
2016-07-07 21:48:44 -04:00
6d7c9f5424
mongodb secret backend: Verify existing Session is still working before reusing it
2016-07-07 21:37:44 -04:00
db3670c353
Fix transit tests
2016-07-06 22:04:08 -04:00
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
5367a7223d
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-05 11:14:29 -04:00
769d20c770
Merge branch 'master' into mongodb-secret-backend
2016-07-05 09:33:12 -04:00
ba9c97b915
mongodb secret backend: Add support for reading connection configuration; Dockerize tests
2016-07-05 09:32:38 -04:00
2e828383e0
Move the parameter down to where the statement is executed.
2016-07-03 16:20:27 -07:00
08fb1a30d4
Use `lib/pq`'s `QuoteIdentifier()` on all identifiers and Prepare
...
for all literals.
2016-07-03 16:01:39 -07:00
292c2fad69
Merge branch 'master' into mongodb-secret-backend
2016-07-01 20:39:13 -04:00
4a8d9eb942
Shave off a lot of PKI testing time by not requiring key generation when testing CSRs. Also enable all tests all the time.
2016-07-01 17:28:48 -04:00
369dcff5f9
Merge pull request #1581 from mp911de/cassandra_connect_timeout
...
Support connect_timeout for Cassandra and align timeout.
2016-07-01 22:33:24 +02:00
ab63c938c4
Address review feedback.
...
Switch ConnectTimeout to framework.TypeDurationSecond with a default of 5. Remove own parsing code.
2016-07-01 22:26:08 +02:00
3859f7938a
Support connect_timeout for Cassandra and align timeout.
...
The cassandra backend now supports a configurable connect timeout. The timeout is configured using the connect_timeout parameter in the session configuration. Also align the timeout to 5 seconds which is the default for the Python and Java drivers.
Fixes #1538
2016-07-01 21:22:37 +02:00
51cd67115c
Run appid/cert auth tests always
2016-07-01 14:06:33 -04:00
db211a4b61
Migrate Consul acceptance tests to Docker
2016-07-01 13:59:56 -04:00
cdde4071d7
mongodb secret backend: Parse ssl URI option as a boolean rather than relying on string comparison
2016-07-01 13:55:06 -04:00
a2e95614d6
Have SQL backends Ping() before access.
...
If unsuccessful, reestablish connections as needed.
2016-07-01 12:02:17 -04:00
e50e331ffc
Always run transit acceptance tests
2016-07-01 11:45:56 -04:00
5313ae8a1b
Merge pull request #1578 from hashicorp/dockerize-mysql-acc-tests
...
Convert MySQL tests to Dockerized versions
2016-07-01 17:38:52 +02:00
5d707c41ff
Always run userpass acceptance tests
2016-07-01 11:37:38 -04:00
8d984c111d
Convert MySQL tests to Dockerized versions
2016-07-01 11:36:28 -04:00
46bf080409
mongodb secret backend: Refactor URI parsing logic to leverage url.Parse
2016-07-01 09:12:26 -04:00
6f05d6f21f
mongodb secret backend: Prefix all generated usernames with "vault-", and cleanly handle empty display names when generating usernames
2016-06-30 21:11:45 -04:00
acf4b0b637
Merge branch 'master' into mongodb-secret-backend
2016-06-30 16:43:53 -04:00
2488d520a4
Merge branch 'master-oss' into dockerize-pg-secret-tests
2016-06-30 14:31:52 -04:00
3e515c5885
Fix up breakage from bumping deps
2016-06-30 14:31:41 -04:00
8da8881825
Add comment around bind to localhost
2016-06-30 13:49:11 -04:00
22e83ae7f5
Dockerize Postgres secret backend acceptance tests
...
Additionally enable them on all unit test runs.
2016-06-30 13:46:39 -04:00
vishalnayak