Commit graph

1053 commits

Author SHA1 Message Date
Jeff Mitchell 619ddc38b7 Use TRACE not WARN here 2016-06-30 12:41:56 -04:00
Matt Hurne 7879812f76 Persist verify_connection field in mongodb secret backend's connection config 2016-06-30 11:39:02 -04:00
Matt Hurne 350b69670c Rename mongodb secret backend's 'ttl_max' lease configuration field to 'max_ttl' 2016-06-30 09:57:43 -04:00
Matt Hurne 05cc4f2761 Merge branch 'master' into mongodb-secret-backend 2016-06-30 09:02:30 -04:00
Jeff Mitchell 16d4f79c71 Fix test 2016-06-30 08:21:00 -04:00
Jeff Mitchell 5df2dd30c5 Change warn to trace for these messages 2016-06-29 21:04:02 -04:00
Jeff Mitchell cf178d3c9e Merge remote-tracking branch 'oss/master' into postgres-pl-lock 2016-06-29 17:40:34 -04:00
Jeff Mitchell 934e60c3c9 Add stmt close calls 2016-06-29 17:39:47 -04:00
Jeff Mitchell a56f79adcb Run prepare on the transaction, not the db 2016-06-29 17:20:41 -04:00
Matt Hurne 5e8c912048 Add mongodb secret backend 2016-06-29 08:33:06 -04:00
cara marie 11c205e19b removed option to create 1024 keybitlength certs 2016-06-28 16:56:14 -04:00
Jeff Mitchell 43df682365 Add more debug output 2016-06-28 11:03:56 -04:00
Jeff Mitchell 0802497c8a Add some logging to enter/exit of some functions 2016-06-24 16:11:22 -04:00
Jeff Mitchell 9dc0599a30 Address review feedback 2016-06-23 10:18:03 -04:00
Jeff Mitchell d7029fc49a Add some more testing 2016-06-23 09:49:03 -04:00
Jeff Mitchell 45a442e593 Set some basic key usages by default.
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.

Fixes #1476
2016-06-22 16:08:24 -04:00
Jeff Mitchell 407373df5d Revert "Use x509 package ext key usage instead of custom type"
This reverts commit 0b2d8ff475a26ff98c37337a64859d150d62cfc1.
2016-06-22 13:07:31 -04:00
Jeff Mitchell c0dee06aab Use x509 package ext key usage instead of custom type 2016-06-22 11:51:32 -04:00
Jeff Mitchell 62f66dc4d8 Do some internal renaming in PKI 2016-06-22 11:39:57 -04:00
vishalnayak 5f5a81d8da Fix broken build 2016-06-21 18:25:36 -04:00
vishalnayak e97f81ecaa Print role name in the error message 2016-06-21 17:53:33 -04:00
Vishal Nayak d47fc4c4ad Merge pull request #1515 from hashicorp/sql-config-reading
Allow reading of config in sql backends
2016-06-21 10:07:34 -04:00
Vishal Nayak 78d4d5c8c3 Merge pull request #1523 from hashicorp/bind-account-id-aws-ec2
Added bound_account_id to aws-ec2 auth backend
2016-06-21 10:03:20 -04:00
vishalnayak f7a44a2643 Correct casing of abbreviations 2016-06-21 10:02:22 -04:00
vishalnayak 389581f47b Added warnings when configuring connection info in sql backends 2016-06-21 09:58:57 -04:00
Vishal Nayak 711c05a319 Merge pull request #1546 from hashicorp/secret-aws-roles
Added list functionality to logical aws backend's roles
2016-06-20 20:10:24 -04:00
vishalnayak 1976c9e75b Added test case for listing aws secret backend roles 2016-06-20 20:09:31 -04:00
vishalnayak 8b490e44a1 Added list functionality to logical aws backend's roles 2016-06-20 19:51:04 -04:00
Vishal Nayak 69d562c5db Merge pull request #1514 from hashicorp/backend-return-objects
Backend() functions should return 'backend' objects.
2016-06-20 19:30:00 -04:00
Jeff Mitchell 2e7704ea7e Add convergent encryption option to transit.
Fixes #1537
2016-06-20 13:17:48 -04:00
vishalnayak 383be815b6 aws-ec2: added a nil check for storedIdentity in login renewal 2016-06-20 10:19:57 -04:00
vishalnayak dccfc413d4 Replace an 'if' block with 'switch' 2016-06-17 12:35:44 -04:00
vishalnayak cf15354e44 Address review feedback 2016-06-17 10:11:39 -04:00
vishalnayak 8e03c1448b Merge branch 'master-oss' into bind-account-id-aws-ec2
Conflicts:
	builtin/credential/aws-ec2/backend_test.go
	builtin/credential/aws-ec2/path_login.go
	builtin/credential/aws-ec2/path_role.go
2016-06-14 14:46:08 -04:00
Ivan Fuyivara 74e84113db fixing the test for the wrong IAM Role ARN 2016-06-14 18:17:41 +00:00
Ivan Fuyivara 0ffbef0ccd added tests, nil validations and doccumentation 2016-06-14 16:58:50 +00:00
vishalnayak 26f7fcf6a1 Added bound_account_id to aws-ec2 auth backend 2016-06-14 11:58:19 -04:00
Ivan Fuyivara 2c5a8fb39f fixing spaces 2016-06-14 14:57:46 +00:00
root 52a47e1c4f adding IAM Role as constrain 2016-06-14 14:49:36 +00:00
Jeff Mitchell e925987cb6 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
vishalnayak b7eb28bb3a Added bound_ami_id check 2016-06-13 08:56:39 -04:00
vishalnayak 1776ff449f Allow reading of config in sql backends 2016-06-11 11:48:40 -04:00
vishalnayak 0760a89eb4 Backend() functions should return 'backend' objects.
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
vishalnayak c6a27f2fa8 s/VAULT_GITHUB_AUTH_TOKEN/VAULT_AUTH_GITHUB_TOKEN 2016-06-09 14:00:56 -04:00
Jeff Mitchell b82033516e Merge pull request #1510 from hashicorp/fix-gh-renew-panic
Fix panic when renewing a github token from a previous version of Vault
2016-06-09 13:54:20 -04:00
Jeff Mitchell 7c65dc9bf1 xInt->xRaw 2016-06-09 13:54:04 -04:00
vishalnayak 308294db46 Added VAULT_GITHUB_AUTH_TOKEN env var to receive GitHub auth token 2016-06-09 13:45:56 -04:00
Jeff Mitchell 1715b3dcb8 Fix panic when renewing a github token from a previous version of Vault 2016-06-09 13:37:09 -04:00
Laura Bennett 5ccb4fe907 Merge pull request #1498 from hashicorp/pki-list
PKI List Functionality
2016-06-08 15:42:50 -04:00
vishalnayak f9c3afcc21 Fix broken test 2016-06-08 13:00:19 -04:00
vishalnayak 6c4234eae6 Minor changes to the RabbitMQ acceptance tests 2016-06-08 12:50:43 -04:00
LLBennett 3795b65d19 Updates to the test based on feedback. 2016-06-08 16:49:10 +00:00
Laura Bennett 2f2a80e2be Add PKI listing 2016-06-08 11:50:59 -04:00
Jeff Mitchell 94cd00f32a Add an explicit default for TTLs for rabbit creds 2016-06-08 11:35:09 -04:00
Jeff Mitchell 86d697884b Fix some typos in rmq text and structure 2016-06-08 11:31:57 -04:00
vishalnayak 1b7da070ae Added pooled transport for rmq client. Added tests 2016-06-08 10:46:46 -04:00
Jeff Mitchell 95f3726f1c Migrate to go-uuid 2016-06-08 10:36:16 -04:00
vishalnayak 5a3dd98d06 Polish the code 2016-06-08 10:25:03 -04:00
Vishal Nayak ab543414f6 Merge pull request #788 from doubledutch/master
RabbitMQ Secret Backend
2016-06-08 10:02:24 -04:00
Jeff Mitchell 8f437d6142 Make logical.InmemStorage a wrapper around physical.InmemBackend.
This:

* Allows removing LockingInmemStorage since the physical backend already
  locks properly
* Makes listing work properly by adhering to expected semantics of only
  listing up to the next prefix separator
* Reduces duplicated code
2016-06-06 12:03:08 -04:00
Jeff Mitchell 50c011e79f Use backend function instead of separate backend creation in consul 2016-06-03 10:08:58 -04:00
Jeff Mitchell ca47478aed Merge pull request #1479 from hashicorp/reuse-be-creation-tests
Change AWS/SSH to reuse backend creation code for test functions
2016-06-03 09:59:37 -04:00
vishalnayak e9fbb9fabe Remove failOnError method from cert tests 2016-06-01 16:01:28 -04:00
Jeff Mitchell 86d2c796b0 Change AWS/SSH to reuse backend creation code for test functions 2016-06-01 12:17:47 -04:00
Vishal Nayak 3c5fb471a4 Merge pull request #1445 from hashicorp/consul-fixups
Reading consul access configuration in the consul secret backend.
2016-06-01 12:11:12 -04:00
Vishal Nayak 3a460b9c4b Merge pull request #1471 from hashicorp/rename-aws-auth
auth backend: rename `aws` as `aws-ec2`
2016-06-01 10:41:13 -04:00
vishalnayak dbee3cd81b Address review feedback 2016-06-01 10:36:58 -04:00
vishalnayak 4fea41f7e5 Use entry.Type as a criteria for upgrade 2016-06-01 10:30:11 -04:00
Jeff Mitchell 99c1e071f3 Remove most Root paths 2016-05-31 23:42:54 +00:00
vishalnayak eefd9acbf0 Set config access test case as an acceptance test and make travis happy 2016-05-31 13:27:34 -04:00
vishalnayak f64987a6cf Add tests around writing and reading consul access configuration 2016-05-31 13:27:34 -04:00
Jeff Mitchell 036e7fa63e Add reading to consul config, and some better error handling. 2016-05-31 13:27:34 -04:00
vishalnayak a072f2807d Rename aws as aws-ec2 2016-05-30 14:11:15 -04:00
vishalnayak 950c76c020 rename credential/aws as credential/aws-ec2 2016-05-30 14:11:15 -04:00
vishalnayak 30fa7f304b Allow * to be set for allowed_users 2016-05-30 03:12:43 -04:00
vishalnayak 971b2cb7b7 Do not allow any username to login if allowed_users is not set 2016-05-30 03:01:47 -04:00
Jeff Mitchell e01bce371d Merge pull request #1462 from hashicorp/enable-auth-rollbacks
Re-enable rollback triggers for auth backends
2016-05-27 15:01:35 -04:00
Jeff Mitchell 39fe3200e3 Return nil for pre-0.5.3 Consul tokens to avoid pathological behavior 2016-05-27 13:09:52 -04:00
Jeff Mitchell f035a320d0 Add test for renew/revoke to Consul secret backend 2016-05-27 11:27:53 -04:00
vishalnayak 1d94828e45 Re-enable rollback triggers for auth backends 2016-05-26 14:29:41 -04:00
Vishal Nayak 644ac5f5e8 Merge pull request #1456 from hashicorp/consul-lease-renewal
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
vishalnayak cfd337d06a Fix broken cert backend test 2016-05-26 11:06:46 -04:00
Jeff Mitchell 05d1da0656 Add comment about the deletions 2016-05-26 10:33:35 -04:00
Jeff Mitchell ccfa8d0567 Remove deprecated entries from PKI role output.
Fixes #1452
2016-05-26 10:32:04 -04:00
vishalnayak c0e745dbfa s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends 2016-05-26 10:21:03 -04:00
vishalnayak 2ca846b401 s/logical.ErrorResponse/fmt.Errorf in revocation functions of secrets 2016-05-26 10:04:11 -04:00
vishalnayak 70b8530962 Fix the consul secret backends renewal revocation problem 2016-05-25 23:24:16 -04:00
Kevin Pike cdfc6b46fd Update and document rabbitmq test envvars 2016-05-20 23:28:02 -07:00
Kevin Pike 4eb20e4aa8 Merge remote-tracking branch 'origin/master' into rabbitmq 2016-05-20 23:27:22 -07:00
Kevin Pike 5783b02e36 Address feedback 2016-05-20 22:57:24 -07:00
Jeff Mitchell 8f592f3442 Don't use pointers to int64 in function calls when not necessary 2016-05-19 12:26:02 -04:00
Jeff Mitchell a13807e759 Merge pull request #1318 from steve-jansen/aws-logical-assume-role
Add sts:AssumeRole support to the AWS secret backend
2016-05-19 12:17:27 -04:00
Jeff Mitchell 1bef0c3584 Merge pull request #1245 from LeonDaniel/master
Improved groups search for LDAP login
2016-05-19 12:13:29 -04:00
Jeff Mitchell 91b65a893e Merge pull request #1430 from hashicorp/issue-1428
Use Consul API client's DefaultNonPooledTransport.
2016-05-17 20:59:50 -04:00
Jeff Mitchell 86e078ff98 Use Consul API client's DefaultNonPooledTransport.
What we should probably do is create a client with a mutex and
invalidate it when parameters change rather than creating a client over
and over...that can be a TODO for later but for now this fix suffices.

Fixes #1428
2016-05-18 00:47:42 +00:00
vishalnayak 65801942cb Naming of the locked and nonLocked methods 2016-05-17 20:39:24 -04:00
Jeff Mitchell ed574d63fe Merge pull request #1416 from shomron/list_ldap_group_mappings
Support listing ldap group to policy mappings
2016-05-16 16:22:13 -04:00
Sean Chittenden 792950e16c Merge pull request #1417 from hashicorp/b-pki-expire-ttl-unset
Set entry's TTL before writing out the storage entry's config
2016-05-15 10:02:03 -07:00
Sean Chittenden 7a4b31ce51
Speling police 2016-05-15 09:58:36 -07:00
Sean Chittenden b0bba6d271
Store clamped TTLs back in the role's config 2016-05-15 08:13:56 -07:00
Sean Chittenden 539475714d
Set entry's TTL before writing out the storage entry's config 2016-05-15 07:06:33 -07:00
Oren Shomron b8840ab9eb Support listing ldap group to policy mappings (Fixes #1270) 2016-05-14 20:00:40 -04:00
Vishal Nayak 53fc941761 Merge pull request #1300 from hashicorp/aws-auth-backend
AWS EC2 instances authentication backend
2016-05-14 19:42:03 -04:00
vishalnayak 4122ed860b Rename 'role_name' to 'role' 2016-05-13 14:31:13 -04:00
vishalnayak 9147f99c43 Remove unused param from checkForValidChain 2016-05-12 15:07:10 -04:00
vishalnayak 85d9523f98 Perform CRL checking for non-CA registered certs 2016-05-12 14:37:07 -04:00
vishalnayak be88306f92 Name the files based on changed path patterns 2016-05-12 11:52:07 -04:00
vishalnayak 7e8a2d55d0 Update docs and path names to the new patterns 2016-05-12 11:45:10 -04:00
vishalnayak ddcaf26396 Merge branch 'master-oss' into aws-auth-backend 2016-05-10 14:50:00 -04:00
vishalnayak d09748a135 Fix the acceptance tests 2016-05-09 22:07:51 -04:00
vishalnayak 95f3f08d29 Call client config internal from the locking method 2016-05-09 21:01:57 -04:00
Jeff Mitchell d899f9d411 Don't revoke CA certificates with leases. 2016-05-09 19:53:28 -04:00
Jeff Mitchell 4549625367 Update client code to use internal entry fetching 2016-05-09 23:26:00 +00:00
Jeff Mitchell d77563994c Merge pull request #1346 from hashicorp/disable-all-caches
Disable all caches
2016-05-07 16:33:45 -04:00
Steve Jansen 597d59962c Adds sts:AssumeRole support to the AWS secret backend
Support use cases where you want to provision STS tokens
using Vault, but, you need to call AWS APIs that are blocked
for federated tokens.  For example, STS federated tokens cannot
invoke IAM APIs, such as  Terraform scripts containing
`aws_iam_*` resources.
2016-05-05 23:32:41 -04:00
Jeff Mitchell c16b0a4f41 Switch whitelist to use longest max TTL 2016-05-05 20:44:48 -04:00
Jeff Mitchell 7a6c76289a Role tag updates 2016-05-05 15:32:14 -04:00
Jeff Mitchell b58ad615f2 Fix HMAC being overwritten. Also some documentation, and add a lock to role operations 2016-05-05 14:51:09 -04:00
Jeff Mitchell 0eddeb5c94 Guard tidy functions 2016-05-05 14:28:46 -04:00
Jeff Mitchell 2d4c390f87 More updates to mutexes and adjust blacklisted roletag default safety buffer 2016-05-05 14:12:22 -04:00
Jeff Mitchell 8fef6e3ac0 Rename identity whitelist and roletag blacklist api endpoints 2016-05-05 13:34:50 -04:00
Jeff Mitchell c69ba40d05 Move some mutexes around 2016-05-05 12:53:27 -04:00
Jeff Mitchell f689e4712d Update some mutexes in client config 2016-05-05 12:44:40 -04:00
Jeff Mitchell c15c227774 Fall back to non-base64 cert if it can't be decoded (it's checked later anyways) 2016-05-05 11:36:28 -04:00
Jeff Mitchell 25913fb18c Update commenting 2016-05-05 11:22:36 -04:00
Jeff Mitchell 15cbcedf1f Make the roletag blacklist the longest duration, not least 2016-05-05 11:00:41 -04:00
Jeff Mitchell e45d6c1120 Switch client code to shared awsutil code 2016-05-05 10:40:49 -04:00
Jeff Mitchell 4600ca8073 Merge branch 'master-oss' into aws-auth-backend 2016-05-05 10:36:06 -04:00
Jeff Mitchell b6b9cd6f1f Merge remote-tracking branch 'origin/master' into aws-cred-chain 2016-05-05 10:31:12 -04:00
Jeff Mitchell 3e71221839 Merge remote-tracking branch 'origin/master' into aws-auth-backend 2016-05-05 10:04:52 -04:00
vishalnayak 92fe94546c Split SanitizeTTL method to support time.Duration parameters as well 2016-05-05 09:45:48 -04:00
vishalnayak 4ede1d6f08 Add the steps to generate the CRL test's test-fixture files 2016-05-04 05:48:34 -04:00
vishalnayak b7c48ba109 Change image/ to a more flexible /role endpoint 2016-05-03 23:36:59 -04:00
Jeff Mitchell 1b0df1d46f Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over 2016-05-03 17:01:02 -04:00
Jeff Mitchell 7fbe5d2eaa Region is required so error in awsutil if not set and set if empty in client code in logical/aws 2016-05-03 15:25:11 -04:00
Jeff Mitchell a244ef8a00 Refactor AWS credential code into a function that returns a static->env->instance chain 2016-05-03 15:10:35 -04:00
Jeff Mitchell 45a120f491 Switch our tri-copy ca loading code to go-rootcerts 2016-05-03 12:23:25 -04:00
Jeff Mitchell f21b88802f Add some more tests around deletion and fix upsert status returning 2016-05-03 00:19:18 -04:00
Jeff Mitchell 7e1bdbe924 Massively simplify lock handling based on feedback 2016-05-02 23:47:18 -04:00
Jeff Mitchell 7f3613cc6e Remove some deferring 2016-05-02 22:36:44 -04:00
Jeff Mitchell fa0d389a95 Change use-hint of lockAll and lockPolicy 2016-05-02 22:36:44 -04:00
Jeff Mitchell 49c56f05e8 Address review feedback 2016-05-02 22:36:44 -04:00
Jeff Mitchell 3e5391aa9c Switch to lockManager 2016-05-02 22:36:44 -04:00
Jeff Mitchell 08b91b776d Address feedback 2016-05-02 22:36:44 -04:00
Jeff Mitchell fedc8711a7 Fix up commenting and some minor tidbits 2016-05-02 22:36:44 -04:00
Jeff Mitchell fe1f56de40 Make a non-caching but still locking variant of transit for when caches are disabled 2016-05-02 22:36:44 -04:00
vishalnayak 9f2a111e85 Allow custom endpoint URLs to be supplied to make EC2 API calls 2016-05-02 17:21:52 -04:00
vishalnayak 57e8fcd8c2 Extend the expiry of test-fixture certs of Cert backend 2016-05-02 12:34:46 -04:00
Jeff Mitchell 3d1c88f315 Make GitHub org comparison case insensitive.
Fixes #1359
2016-05-02 00:18:31 -04:00
vishalnayak 1c91f652d4 Remove unnecessary append call 2016-04-30 03:20:21 -04:00
vishalnayak fde768125c Cert backend, CRL tests 2016-04-29 02:32:48 -04:00
vishalnayak 23d8ce62a3 Ensure that the instance is running during renewal 2016-04-28 16:34:35 -04:00
vishalnayak 2a2dc0befb Added allow_instance_migration to the role tag 2016-04-28 11:43:48 -04:00
vishalnayak 4161d3ef4f Change all time references to UTC 2016-04-28 10:19:29 -04:00
vishalnayak e591632630 Fix the deadlock issue 2016-04-28 01:01:33 -04:00
vishalnayak 4712533f1d minor updates 2016-04-28 00:35:49 -04:00
vishalnayak e6a9a5957d Refactor locks around config tidy endpoints 2016-04-27 22:32:43 -04:00
vishalnayak b75a6e2f0f Fix locking around config/client 2016-04-27 22:25:15 -04:00
vishalnayak 0e97b57beb Fix the list response of role tags 2016-04-27 22:03:11 -04:00
vishalnayak 779d73ce2b Removed existence check on blacklist/roletags, docs fixes 2016-04-27 21:29:32 -04:00
vishalnayak d44326ded6 Remove unnecessary lock switching around flushCachedEC2Clients 2016-04-27 20:13:56 -04:00
vishalnayak e1080f86ed Remove recreate parameter from clientEC2 2016-04-27 20:01:39 -04:00
vishalnayak 441477f342 Added ami_id to token metadata 2016-04-27 11:32:05 -04:00
leon b9c96bf7ce - updated refactored functions in ldap backend to return error instead of ldap response and fixed interrupted search in ldap groups search func 2016-04-27 18:17:54 +03:00
leon 08be31e9ab - refactored functionality in separate functions in ldap backend and used a separate ldap query to get ldap groups from userDN 2016-04-27 15:00:26 +03:00
vishalnayak 7144fd54f9 Added tests 2016-04-26 23:40:11 -04:00
vishalnayak 88942b0503 Added tests 2016-04-26 10:22:29 -04:00
vishalnayak 5a676a129e Added tests 2016-04-26 10:22:29 -04:00
vishalnayak e16f256b14 Added tests 2016-04-26 10:22:29 -04:00
vishalnayak 3a4021d6c4 Added tests 2016-04-26 10:22:29 -04:00
vishalnayak de1a1be564 tidy endpoint fixes 2016-04-26 10:22:29 -04:00
vishalnayak 044d01fd69 HMAC Key per AMI ID and avoided secondary call to AWS to fetch the tags 2016-04-26 10:22:29 -04:00
vishalnayak 5996c3e9d8 Rework and refactoring 2016-04-26 10:22:29 -04:00
vishalnayak 3aeae62c00 Added mutex locking for config/certificate endpoint 2016-04-26 10:22:29 -04:00
vishalnayak 21854776af Added cooldown period for periodic tidying operation 2016-04-26 10:22:29 -04:00
vishalnayak 9aa8fb6cc1 Support periodic tidy callback and config endpoints. 2016-04-26 10:22:29 -04:00
vishalnayak 2810196e0f Use fullsailor/pkcs7 package instead of its fork. Fix tests 2016-04-26 10:22:29 -04:00
vishalnayak 5a2e1340df Removed redundant AWS public certificate. Docs update. 2016-04-26 10:22:29 -04:00
vishalnayak a456f2c3f6 Removed region parameter from config/client endpoint.
Region to create ec2 client objects is fetched from the identity document.
Maintaining a map of cached clients indexed by region.
2016-04-26 10:22:29 -04:00
vishalnayak 790b143c75 Instance ID can optionally be accepted as a the role tag parameter. 2016-04-26 10:22:29 -04:00
vishalnayak 58c485f519 Support providing multiple certificates.
Append all the certificates to the PKCS#7 parser during signature verification.
2016-04-26 10:22:29 -04:00
vishalnayak 9d4a7c5901 Docs update 2016-04-26 10:22:29 -04:00
vishalnayak ba9c86c92d Added acceptance test for login endpoint 2016-04-26 10:22:29 -04:00
vishalnayak c2c1a5eedc Added test case TestBackend_PathBlacklistRoleTag 2016-04-26 10:22:29 -04:00
vishalnayak 85c9176cb4 Return 4xx error at appropriate places 2016-04-26 10:22:29 -04:00
vishalnayak 1841ef0ebf Tested pathImageTag 2016-04-26 10:22:29 -04:00
vishalnayak 80e3063334 Tested parseRoleTagValue 2016-04-26 10:22:29 -04:00
vishalnayak dab1a00313 Make client nonce optional even during first login, when disallow_reauthentication is set 2016-04-26 10:22:29 -04:00
vishalnayak e0cf8c5608 Rename 'name' to 'ami_id' for clarity 2016-04-26 10:22:29 -04:00
vishalnayak 092feca996 Moved HMAC parsing inside parseRoleTagValue 2016-04-26 10:22:29 -04:00
vishalnayak ddfdf37d33 Properly handle empty client nonce case when disallow_reauthentication is set 2016-04-26 10:22:29 -04:00
vishalnayak b8d9b18193 Added disallow_reauthentication feature 2016-04-26 10:22:29 -04:00
vishalnayak a1d07cbff5 Remove todo and change clientNonce length limit to 128 chars 2016-04-26 10:22:28 -04:00
Jeff Mitchell bb276d350a Fix typo 2016-04-26 10:22:28 -04:00
Jeff Mitchell a5aadc908d Add environment and EC2 instance metadata role providers for AWS creds. 2016-04-26 10:22:28 -04:00
vishalnayak 012f9273f7 Remove certificate verification 2016-04-26 10:22:28 -04:00
vishalnayak 41cc7c4a15 Test path config/certificate 2016-04-26 10:22:28 -04:00
vishalnayak 5ff8d0cf96 Add existence check verification to config/client testcase 2016-04-26 10:22:28 -04:00
vishalnayak 3286194384 Testing pathImage 2016-04-26 10:22:28 -04:00
Jeff Mitchell a8082a9a6e allow_instance_reboot -> allow_instance_migration 2016-04-26 10:22:28 -04:00
Jeff Mitchell 075a81214e Update image output to show allow_instance_reboot value and keep policies in a list 2016-04-26 10:22:28 -04:00
vishalnayak 91433fedf2 Changed the blacklist URL pattern to optionally accept base64 encoded role tags 2016-04-26 10:22:28 -04:00
vishalnayak efcc07967e Accept instance_id in the URL for whitelist endpoint 2016-04-26 10:22:28 -04:00
Jeff Mitchell cf56895772 Switch around some logic to be more consistent/readable and respect max
TTL on initial token issuance.
2016-04-26 10:22:28 -04:00
vishalnayak 338054d49e Return un-expired entries from blacklist and whitelist 2016-04-26 10:22:28 -04:00
vishalnayak b6bd30b9fb Test ConfigClient 2016-04-26 10:22:28 -04:00
vishalnayak d3adc85886 AWS EC2 instances authentication backend 2016-04-26 10:22:28 -04:00
leon 81ac4c3fcf - fixed merge with upstream master 2016-04-26 13:23:43 +03:00
leon 1991aebc0a Merge remote-tracking branch 'upstream/master'
Conflicts:
	builtin/credential/ldap/backend.go
2016-04-26 13:16:42 +03:00
Jeff Mitchell 30ba5b7887 Merge pull request #1291 from mmickan/ssh-keyinstall-perms
Ensure authorized_keys file is readable when uninstalling an ssh key
2016-04-25 14:00:37 -04:00
Adam Shannon fb07d07ad9 all: Cleanup from running go vet 2016-04-13 14:38:29 -05:00
vishalnayak 06eeaecef6 Skip acceptance tests if VAULT_ACC is not set 2016-04-11 20:00:15 -04:00
Jeff Mitchell d92b960f7a Add list support to userpass users. Remove some unneeded existence
checks. Remove paths from requiring root.

Fixes #911
2016-04-09 18:28:55 -04:00
Kevin Pike dd98b08d36 Do not provide a default lease 2016-04-08 09:50:47 -07:00
Kevin Pike eeb145f049 List roles 2016-04-08 09:46:25 -07:00
Kevin Pike a86e5e3cd9 Support verify_connection flag 2016-04-08 09:44:15 -07:00
Kevin Pike 706ed5839e Fix username generation 2016-04-08 09:32:29 -07:00
Kevin Pike e3db8c999e Merge branch 'master' of github.com:doubledutch/vault 2016-04-08 09:25:28 -07:00
Kevin Pike 1102863f5a Update comment 2016-04-08 09:07:06 -07:00
Kevin Pike 35f49107cd Fix documentation typo 2016-04-08 09:05:38 -07:00
Kevin Pike 5460c24b94 Fix documentation typo 2016-04-08 09:05:06 -07:00
Kevin Pike 070fe56648 Rename uri to connection_uri 2016-04-08 09:04:42 -07:00
Kevin Pike 48d1f99afb Merge remote-tracking branch 'upstream/master' 2016-04-08 08:57:10 -07:00
vishalnayak e3a1ee92b5 Utility Enhancements 2016-04-05 20:32:59 -04:00
vishalnayak fd8b023655 s/TF_ACC/VAULT_ACC 2016-04-05 15:24:59 -04:00
vishalnayak 95abdebb06 Added AcceptanceTest boolean to logical.TestCase 2016-04-05 15:10:44 -04:00
Mark Mickan a55124f0b6 Ensure authorized_keys file is readable when uninstalling an ssh key
Without this change, if the user running the ssh key install script doesn't
have read access to the authorized_keys file when uninstalling a key, all
keys will be deleted from the authorized_keys file.

Fixes GH #1285
2016-04-05 17:26:21 +09:30
Jeff Mitchell 7df3ec46b0 Some fixups around error/warning in LDAP 2016-04-02 13:33:00 -04:00
Jeff Mitchell 40325b8042 If no group DN is configured, still look for policies on local users and
return a warning, rather than just trying to do an LDAP search on an
empty string.
2016-04-02 13:11:36 -04:00
Jeff Mitchell 7fd5a679ca Fix potential error scoping issue.
Ping #1262
2016-03-30 19:48:23 -04:00
Jeff Mitchell 3cfcd4ddf1 Check for nil connection back from go-ldap, which apparently can happen even with no error
Ping #1262
2016-03-29 10:00:04 -04:00
Jeff Mitchell 17613f5fcf Removing debugging comment 2016-03-24 09:48:13 -04:00
Jeff Mitchell 4c4a65ebd0 Properly check for policy equivalency during renewal.
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.

Fixes #1256
2016-03-24 09:41:51 -04:00
Jeff Mitchell dfc5a745ee Remove check for using CSR values with non-CA certificate.
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.

Fixes #1250
2016-03-23 10:05:38 -04:00
leon e7942062bd - updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list 2016-03-21 19:44:08 +02:00
leon a82114eeb2 - added another method to search LDAP groups by querying the userDN for memberOf attribute 2016-03-21 16:55:38 +02:00
Jeff Mitchell 3e3621841d Merge pull request #1227 from hashicorp/issue-477
Don't renew cert-based tokens if the policies have changed.
2016-03-17 18:25:39 -04:00
Jeff Mitchell 1951a01998 Add ability to exclude adding the CN to SANs.
Fixes #1220
2016-03-17 16:28:40 -04:00
Jeff Mitchell a8dd6aa4f1 Don't renew cert-based tokens if the policies have changed.
Also, add cert renewal testing.

Fixes #477
2016-03-17 14:22:24 -04:00
Jeff Mitchell 77e4ee76bb Normalize userpass errors around bad user/pass 2016-03-16 15:19:55 -04:00
Jeff Mitchell 8a3f1ad13e Use 400 instead of 500 for failing to provide a userpass password. 2016-03-16 15:14:28 -04:00
Vishal Nayak 2c0c901eac Merge pull request #1216 from hashicorp/userpass-update
Userpass: Update the password and policies associated to user
2016-03-16 14:58:28 -04:00
vishalnayak f9b1fc3aa0 Add comments to existence functions 2016-03-16 14:53:53 -04:00
vishalnayak 1951159b25 Addessing review comments 2016-03-16 14:21:14 -04:00
vishalnayak 239ad4ad7e Refactor updating user values 2016-03-16 13:42:02 -04:00
vishalnayak 533b136fe7 Reduce the visibility of setUser 2016-03-16 11:39:52 -04:00
vishalnayak 2914ff7502 Use helper for existence check. Avoid panic by fetching default values for field data 2016-03-16 11:26:33 -04:00
Vishal Nayak 7db7b47fdd Merge pull request #1210 from hashicorp/audit-id-path
Rename id to path and path to file_path, print audit backend paths
2016-03-15 20:13:21 -04:00
vishalnayak 39a0c8e91f Read from 'path' to retain backward compatibility 2016-03-15 20:05:51 -04:00
vishalnayak 1e889bc08c Input validations and field renaming 2016-03-15 17:47:13 -04:00
vishalnayak a0958c9359 Refactor updating and creating userEntry into a helper function 2016-03-15 17:32:39 -04:00
vishalnayak acd545f1ed Fetch and store UserEntry to properly handle both create and update 2016-03-15 17:05:23 -04:00
vishalnayak 9609fe151b Change path structure of password and policies endpoints in userpass 2016-03-15 16:46:12 -04:00
vishalnayak 8be36b6925 Reuse the variable instead of fetching 'name' again 2016-03-15 16:21:47 -04:00
vishalnayak 61b4cac458 Added paths to update policies and password 2016-03-15 16:12:55 -04:00
vishalnayak 731bb97db5 Tests for updating password and policies in userpass backend 2016-03-15 16:09:23 -04:00
vishalnayak b7eb0a97e5 Userpass: Support updating policies and password 2016-03-15 15:18:21 -04:00
Jeff Mitchell 8aaf29b78d Add forgotten test 2016-03-15 14:18:35 -04:00
Jeff Mitchell 8bf935bc2b Add list support to certs in cert auth backend.
Fixes #1212
2016-03-15 14:07:40 -04:00
vishalnayak 71fc07833f Rename id to path and path to file_path, print audit backend paths 2016-03-14 17:15:07 -04:00
Jeff Mitchell d648306d52 Add the ability to specify the app-id in the login path.
This makes it easier to use prefix revocation for tokens.

Ping #424
2016-03-14 16:24:01 -04:00
Jeff Mitchell 9bfd24cd69 s/hash_accessor/hmac_accessor/g 2016-03-14 14:52:29 -04:00
vishalnayak ea108fba18 Use accessor being set as the condition to restore non-hashed values 2016-03-14 11:23:30 -04:00
vishalnayak e09819fedc Added hash_accessor option to audit backends 2016-03-11 19:28:06 -05:00
Vishal Nayak 343e6f1671 Merge pull request #998 from chrishoffman/mssql
Sql Server (mssql) secret backend
2016-03-10 22:30:24 -05:00
Chris Hoffman b1703fb18d Cleaning up lease and lease duration vars and params 2016-03-10 21:15:18 -05:00
Chris Hoffman ba94451875 Removing root protected endpoints 2016-03-10 21:08:39 -05:00
Chris Hoffman dc7da4f4e8 Changing DROP USER query to a more compatible version 2016-03-10 21:06:50 -05:00
Chris Hoffman 5af33afd90 Adding verify_connection to config, docs updates, misc cleanup 2016-03-09 23:08:05 -05:00
Vishal Nayak a6d8fc9d98 Merge pull request #1190 from grunzwei/master
fix github tests to use the provided GITHUB_ORG environment variable
2016-03-09 09:51:28 -05:00
Nathan Grunzweig ae469cc796 fix github tests to use the provided GITHUB_ORG environment variable
(tests fail for non hashicorp people)
2016-03-09 15:34:03 +02:00
Jeff Mitchell 7a9122bbd1 Sanitize serial number in revocation path.
Ping #1180
2016-03-08 10:51:59 -05:00
Jeff Mitchell 34a9cb1a70 Add serial_number back to path_issue_sign responses in PKI 2016-03-08 09:25:48 -05:00
Jeff Mitchell 5a17735dcb Add subject/authority key id to cert metadata 2016-03-07 14:59:00 -05:00
Jeff Mitchell 11dc3f328f Add revocation information to PKI fetch output (non-raw only).
Fixes #1180
2016-03-07 10:57:38 -05:00
Jeff Mitchell 67b85b8f7f Error rather than skip Consul acceptance tests if Consul isn't found 2016-03-07 10:09:36 -05:00
Jeff Mitchell 4a3d3ef300 Use better error message on LDAP renew failure 2016-03-07 09:34:16 -05:00
Chris Hoffman 0b4a8f5b94 Adding mssql secret backend 2016-03-03 09:19:17 -05:00
vishalnayak 44208455f6 continue if non-CA policy is not found 2016-03-01 16:43:51 -05:00
vishalnayak 9a3ddc9696 Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow 2016-03-01 16:37:01 -05:00
vishalnayak cc1592e27a corrections, policy matching changes and test cert changes 2016-03-01 16:37:01 -05:00
vishalnayak 09eef70853 Added testcase for cert writes 2016-03-01 16:37:01 -05:00
vishalnayak f056e8a5a5 supporting non-ca certs for verification 2016-03-01 16:37:01 -05:00
vishalnayak aee006ba2d moved the test cert keys to appropriate test-fixtures folder 2016-02-29 15:49:08 -05:00
Jeff Mitchell 64ab16d137 Don't spawn consul servers when testing unless it's an acceptance test 2016-02-29 14:58:06 -05:00
Jeff Mitchell f6092f8311 Don't run transit fuzzing if not during acceptance tests 2016-02-29 14:44:04 -05:00
Jeff Mitchell 2205133ae4 Only run PKI backend setup functions when TF_ACC is set 2016-02-29 14:41:14 -05:00
vishalnayak cf672400d6 fixed the error log message 2016-02-29 10:41:10 -05:00
vishalnayak dca18aec2e replaced old certs, with new certs generated from PKI backend, containing IP SANs 2016-02-28 22:15:54 -05:00
Jeff Mitchell 7ae573b35b Apply hyphen/underscore replacement across the entire username.
Handles app-id generated display names.

Fixes #1140
2016-02-26 15:26:23 -05:00
Jeff Mitchell e2c15eb693 Merge pull request #1129 from hashicorp/pki-tidy
Add "pki/tidy" which allows removing expired certificates.
2016-02-25 10:39:54 -05:00
Jeff Mitchell 6b6005ee2e Remove root token requirement from GitHub configuration 2016-02-25 08:51:53 -05:00
Jeff Mitchell 8ca847c9b3 Be more explicit about buffer type 2016-02-24 22:05:39 -05:00
Jeff Mitchell 7d41607b6e Add "tidy/" which allows removing expired certificates.
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
vishalnayak 69bcbb28aa rename verify_cert as disable_binding and invert the logic 2016-02-24 21:01:21 -05:00
vishalnayak 902c780f2b make the verification of certs in renewal configurable 2016-02-24 16:42:20 -05:00
vishalnayak bc4710eb06 Cert: renewal enhancements 2016-02-24 14:31:38 -05:00
vishalnayak 053bbd97ea check CIDR block for renewal as well 2016-02-24 10:55:31 -05:00
vishalnayak 978075a1b4 Added renewal capability to app-id backend 2016-02-24 10:40:15 -05:00
Matt Hurne 11187112bc Improve error message returned when client attempts to generate STS credentials for a managed policy; addresses #1113 2016-02-23 08:58:28 -05:00