05b5ff69ed
Address some feedback on ldap escaping help text
2016-02-19 13:47:26 -05:00
d7b40b32db
Properly escape filter values.
...
Fixes #1030
2016-02-19 13:16:52 -05:00
c67871c36e
Update LDAP documentation with a note on escaping
2016-02-19 13:16:18 -05:00
d3f3122307
Add tests to ldap using the discover capability
2016-02-19 11:46:59 -05:00
154c326060
Add ldap tests that use a bind dn and bind password
2016-02-19 11:38:27 -05:00
3e1a07d3d0
Merge pull request #1047 from hashicorp/vault-iss999-github-renewal
...
GitHub renewal enhancements
2016-02-18 16:47:15 -05:00
ba134f5a7a
Merge pull request #1086 from hashicorp/iss962-verify-otp-response-code
...
SSH: Fix response code for ssh/verify
2016-02-18 13:32:28 -05:00
a6f3b31a36
ssh: Fix response code for ssh/verify
2016-02-16 19:46:29 -05:00
d9536043e7
Pki: Respond user error when cert is not found instead of internal error
2016-02-16 17:58:57 -05:00
0b44d81a16
Github renewal enhancement
2016-02-11 20:42:42 -05:00
3378db0166
Merge pull request #1061 from tomrittervg/tomrittervg-typos-1
...
Fix some typos
2016-02-11 15:12:09 -05:00
880c9798b7
Merge pull request #1062 from tomrittervg/tomrittervg-AllowedBaseDomain-migration
...
AllowedBaseDomain will stay non-empty in certain error conditions. None of these conditions should be hit anyways, but this provides an extra safety check.
2016-02-11 15:07:54 -05:00
46b22745c6
Merge pull request #1053 from mwielgoszewski/postgresql-revocation
...
Fix PostgreSQL secret backend issues revoking users
2016-02-11 12:52:37 -05:00
a10dc14625
Fix AllowedBaseDomain Migration
...
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.
//untested
2016-02-09 15:42:15 -06:00
940a58cb9d
Typo in error message in path_intermediate.go
2016-02-09 15:08:30 -06:00
e5952a1c28
Typo in policy.go
2016-02-08 12:00:06 -06:00
4771884c78
Add slack on NotBefore value for generated certs.
...
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.
Fixes #1035
2016-02-07 14:00:03 -05:00
eb1deefac1
Introduce a locking inmem storage for unit tests that are doing concurrent things
2016-02-04 09:40:35 -05:00
70eeaa1519
Add transit fuzz test
2016-02-03 17:36:15 -05:00
d02930fd95
Merge pull request #1013 from hashicorp/fix-ssh-tests
...
Fix SSH tests
2016-02-02 14:22:09 -05:00
f2e8ac0658
Fix SSH test cases.
2016-02-02 12:32:50 -05:00
159754acf2
Use capabilities to determine upsert-ability in transit.
2016-02-02 10:03:14 -05:00
5ef8839e48
Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config"
...
This reverts commit dc27d012c0357f93bfd5bd8d480f3e229166307a.
2016-02-02 09:26:25 -05:00
1d385b4de3
Re-add upsert into transit. Defaults to off and a new endpoint /config
...
can be used to turn it on for a given mount.
2016-02-01 20:13:57 -05:00
20f45678e6
Fix comment text
2016-02-01 17:20:16 -05:00
fc6d23a54e
Allow the format to be specified as pem_bundle, which creates a
...
concatenated PEM file.
Fixes #992
2016-02-01 13:19:41 -05:00
af73d965a4
Cassandra:
...
* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs
2016-02-01 10:27:26 -05:00
627082b838
Remove grace periods
2016-01-31 19:33:16 -05:00
61eec74b4e
Remove app-id renewal for the moment until verification logic is added
2016-01-31 19:12:20 -05:00
470ea58d73
Match leases in the test
2016-01-29 20:45:38 -05:00
bf13d68372
Fix userpass acceptance tests by giving it a system view
2016-01-29 20:14:14 -05:00
bab1220fb8
Fix building of consul backend test
2016-01-29 20:03:38 -05:00
d3a705f17b
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
02cd4d7bf6
Merge pull request #979 from hashicorp/transit-locking
...
Implement locking in the transit backend.
2016-01-29 14:40:32 -05:00
073e755aa6
Update error return strings
2016-01-29 14:40:13 -05:00
3396b42c6c
Address final review feedback
2016-01-29 14:33:51 -05:00
cb1928451b
Only specify cert sign / CRL sign for CAs and only specify extended key
...
usages for clients.
This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.
Fixes #987
2016-01-29 10:26:35 -05:00
2015118958
Add listing of roles to PKI
2016-01-28 15:18:07 -05:00
f8a375777b
Add list support for mysql roles
2016-01-28 15:04:25 -05:00
62e3ac83f8
Add list support for postgres roles
2016-01-28 14:41:50 -05:00
7be090b185
Fix postgres backend test SQL for user priv checking
2016-01-28 14:41:13 -05:00
12bd2f430b
Ensure generatePolicy checks disk, not just the cache, now that we aren't eager loading
2016-01-28 13:10:59 -05:00
dd57a3f55d
Add listing of roles to ssh backend
2016-01-28 12:48:00 -05:00
dd1b94fbd6
Remove eager loading
2016-01-28 08:59:05 -05:00
be83340b14
Embed the cache directly
2016-01-27 21:59:20 -05:00
1ebae324ce
Merge pull request #942 from wikiwi/fix-ssh-open-con
...
Cleanly close SSH connections
2016-01-27 17:18:54 -05:00
01102f0d06
Merge pull request #975 from vetinari/ldapbind
...
Implement LDAP username/password binding support, as well as anonymous search.
2016-01-27 17:06:45 -05:00
48c9f79896
Implement locking in the transit backend.
...
This ensures that we can safely rotate and modify configuration
parameters with multiple requests in flight.
As a side effect we also get a cache, which should provide a nice
speedup since we don't need to decrypt/deserialize constantly, which
would happen even with the physical LRU.
2016-01-27 17:03:21 -05:00
d1b2bf3183
Move archive location; also detect first load of a policy after archive
...
is added and cause the keys to be copied to the archive.
2016-01-27 13:41:37 -05:00
369d0bbad0
Address review feedback
2016-01-27 13:41:37 -05:00
e5a58109ec
Store all keys in archive always
2016-01-27 13:41:37 -05:00
30ffc18c19
Add unit tests
2016-01-27 13:41:37 -05:00
5000711a67
Force min decrypt version to 1 if it's zero, which allows fixing problematic archiving logic
2016-01-27 13:41:37 -05:00
7a27dd5cb3
Fix logic bug when restoring keys
2016-01-27 13:41:37 -05:00
004b35be36
Fix decrementing instead of incrementing
2016-01-27 13:41:37 -05:00
beafe25508
Initial transit key archiving work
2016-01-27 13:41:37 -05:00
0db33274b7
discover bind dn with anonymous binds
2016-01-27 17:06:27 +01:00
4606cd1492
fix stupid c&p error
2016-01-26 16:15:25 +01:00
6a570345a0
add binddn/bindpath to search for the users bind DN
2016-01-26 15:56:41 +01:00
7390cd5264
Add a max_idle_connections parameter.
2016-01-25 14:47:07 -05:00
12c00b97ef
Allow backends to see taint status.
...
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.
Fixes #946
2016-01-22 17:01:22 -05:00
70ef2e3398
STS now uses root vault user for keys
...
The secretAccessKeysRevoke revoke function now asserts that it is
not dealing with STS keys by checking a new internal data flag. Defaults
to IAM when the flag is not found.
Factored out genUsername into its own function to share between STS and
IAM secret creation functions.
Fixed bad call to "WriteOperation" instead of "UpdateOperation" in
aws/backend_test
2016-01-21 15:04:16 -05:00
4abca91d66
Renamed sts duration to ttl and added STS permissions note.
2016-01-21 14:28:34 -05:00
f251b13aaa
Removing debug print statement from sts code
2016-01-21 14:05:10 -05:00
1cf8153dfd
Fixed duration type and added acceptance test for sts
2016-01-21 14:05:10 -05:00
71afb7cff0
Configurable sts duration
2016-01-21 14:05:09 -05:00
8fecccde21
Add STS path to AWS backend.
...
The new STS path allows for obtaining the same credentials that you would get
from the AWS "creds" path, except it will also provide a security token, and
will not have an annoyingly long propagation time before returning to the user.
2016-01-21 14:05:09 -05:00
0f0949ab06
Merge pull request #895 from nickithewatt/aws-prexisting-policies
...
Allow use of pre-existing policies for AWS users
2016-01-21 13:23:37 -05:00
f3e5e44cd0
Cleanly close SSH connections
2016-01-19 07:59:08 +01:00
9c5ad28632
Update deps, and adjust usage of go-uuid to match new return values
2016-01-13 13:40:08 -05:00
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
bde81080c9
Address issues with properly revoking a user via these additional REVOKE statements
2016-01-06 09:22:55 -05:00
62c22a5f73
Updated AWS policy help messages
2015-12-30 19:41:07 +00:00
cd4ca21b58
Allow use of pre-existing policies for AWS users
2015-12-30 18:05:54 +00:00
134b4d2a42
Built on GH-890 to add other types
2015-12-29 13:07:24 -05:00
b85c29349f
Merge pull request #890 from ironSource/pki-fix
...
fix CA compatibility with OpenSSL
2015-12-29 12:04:03 -06:00
fba756075a
fix CA compatibility with OpenSSL
2015-12-29 18:52:43 +02:00
1a324cf347
Make TokenHelper an interface and split exisiting functionality
...
Functionality is split into ExternalTokenHelper, which is used if a path
is given in a configuration file, and InternalTokenHelper which is used
otherwise. The internal helper no longer shells out to the same Vault
binary, instead performing the same actions with internal code. This
avoids problems using dev mode when there are spaces in paths or when
the binary is built in a container without a shell.
Fixes #850 among others
2015-12-22 10:23:30 -05:00
f2da5b639f
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
dd445a53a5
Update key usage logic
...
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
Windows Crypto API and Go's validation logic
Fixes #846
2015-12-14 14:23:51 -05:00
6ad1b75caf
Merge branch 'master' into pki-csrs
2015-12-01 00:09:23 -05:00
64cd58463b
Fix AWS tests
2015-12-01 00:05:04 -05:00
4eec9d69e8
Change allowed_base_domain to allowed_domains and allow_base_domain to
...
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00
b6c49ddf01
Remove token display names from input options as there isn't a viable
...
use-case for it at the moment
2015-11-30 18:07:42 -05:00
cf366bda9c
Greatly simplify and fix the name validation function, as well as fully
...
comment it.
2015-11-23 14:15:32 -05:00
22a6d6fa22
Merge branch 'master' into pki-csrs
2015-11-20 12:48:38 -05:00
25e359084c
Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up
2015-11-19 17:14:22 -05:00
0dbe15cb87
Mostly revert changes to certutil as the embedded struct stuff was being
...
problematic.
2015-11-19 14:18:39 -05:00
af3d6ced8e
Update validator function for URIs. Change example of entering a CA to a
...
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
2015-11-19 11:35:17 -05:00
f41a2e562a
fix tests
2015-11-19 10:13:28 -05:00
a95228e4ee
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint.
2015-11-19 09:51:18 -05:00
26c8cf874d
Move public key comparison logic to its own function
2015-11-19 09:51:18 -05:00
4681d027c0
Move serial number generation and key validation into certutil; centralize format and key verification
2015-11-19 09:51:18 -05:00
c6ba4f24bc
Add URL validation
2015-11-19 09:51:18 -05:00
b14050bebc
Fix zero path length handling, and move common field defs elsewhere
2015-11-19 09:51:18 -05:00
8008451fb5
Fix logic around zero path length -- only restrict issuing intermediate CAs in this case
2015-11-19 09:51:18 -05:00
c461652b40
Address some feedback from review
2015-11-19 09:51:18 -05:00
ed62afec14
Large documentation updates, remove the pathlength path in favor of
...
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
2015-11-19 09:51:18 -05:00
5970cb76b6
Add path length paths and unit tests to verify same.
2015-11-19 09:51:18 -05:00
ca844b1dc1
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests.
2015-11-19 09:51:18 -05:00
4cb10abcc0
Add tests for using raw CSR values
2015-11-19 09:51:18 -05:00
83975314c7
Change a few checks on names:
...
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).
- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.
Also, fix a nil pointer issue.
2015-11-19 09:51:17 -05:00
deb5131cd3
Add config/urls CRUD operations to get and set the URLs encoded into
...
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
2015-11-19 09:51:17 -05:00
779efbbbc3
Change use_csr_subject to use_csr_values; copy not only the subject, but
...
also the alternate names and the extensions over as well.
2015-11-19 09:51:17 -05:00
76af733ee2
Remove setting serial number in the pkix Subject
2015-11-19 09:51:17 -05:00
54c5c232fd
Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR
2015-11-19 09:51:17 -05:00
7c5a174493
Add capability to use the CSR's common name (by default for CA CSRs if
...
no common_name parameter is given, role-controlled for non-CA CSRs).
Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
2015-11-19 09:51:17 -05:00
54fccb2ff4
Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required.
2015-11-19 09:51:17 -05:00
4261e594af
Address some minor PR feedback
2015-11-19 09:51:17 -05:00
69794c7078
Fix otto import of uuid
2015-11-19 09:51:17 -05:00
f16d8b8cd2
Cleanup, and add ability to sign CA CSRs that aren't destined for Vault
2015-11-19 09:51:17 -05:00
ea676ad4cc
Add tests for intermediate signing and CRL, and fix a couple things
...
Completes extra functionality.
2015-11-19 09:51:17 -05:00
b2df079446
Add unit tests to test signing logic, fix up test logic for names
2015-11-19 09:51:17 -05:00
fe7dbfaada
Handle email address alternative names, fix up tests, fix up logic around name verification
2015-11-19 09:51:17 -05:00
aa3d6dc85b
Add allow_base_domain to control whether or not the actual base domain is allowed as a cert common name and/or DNS SAN
2015-11-19 09:51:17 -05:00
7d2730d370
Add email protection flag plumbing and tests; don't call generate bundle when making an intermediate CSR since everything is now ignored
2015-11-19 09:51:17 -05:00
b3eb5c4957
Add sign method (untested)
2015-11-19 09:51:17 -05:00
6ea626e9ad
Don't show field names when not needed
2015-11-19 09:51:17 -05:00
1cec03d9ca
Implement CA cert/CSR generation. CA certs can be self-signed or
...
generate an intermediate CSR, which can be signed.
2015-11-19 09:51:17 -05:00
1c7157e632
Reintroduce the ability to look up obfuscated values in the audit log
...
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).
In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)
Fixes #784
2015-11-18 20:26:03 -05:00
54d47957b5
Allow creating Consul management tokens
...
Fixes #714
2015-11-03 15:29:58 -05:00
5e72453b49
Use TypeDurationSecond instead of TypeString
2015-11-03 10:52:20 -05:00
154fc24777
Address first round of feedback from review
2015-11-03 10:52:20 -05:00
59cc61cc79
Add documentation for CRLs and some minor cleanup.
2015-11-03 10:52:20 -05:00
5d562693bd
Add tests for the crls path, and fix a couple bugs
2015-11-03 10:52:20 -05:00
b6b62f7dc1
Drastically simplify the method and logic; keep an in-memory cache and use that for most operations, only affecting the backend storage when needed.
2015-11-03 10:52:20 -05:00
c66f0918be
Add delete method, and ability to delete only one serial as well as an entire set.
2015-11-03 10:52:20 -05:00
be1a2266cc
Add CRLSets endpoints; write method is done. Add verification logic to
...
login path. Change certs "ttl" field to be a string to match common
backend behavior.
2015-11-03 10:52:19 -05:00
658bc0634a
Fix breaking API changes
2015-10-30 18:22:48 -04:00
80705b7963
If we fail to open a file path, show which it is in the error output
2015-10-30 14:30:21 -04:00
a0c5a24c79
Update Postgres tests and changelogify
2015-10-30 12:41:45 -04:00
2d8e3b35f2
Revoke permissions before dropping user in postgresql.
...
Currently permissions are not revoked, which can lead revocation to not
actually work properly. This attempts to revoke all permissions and only
then drop the role.
Fixes issue #699
2015-10-30 11:58:52 -04:00
528e859c4b
Fix wording
2015-10-29 12:58:29 -04:00
22c65c0c07
Use cleanhttp instead of bare http.Client
2015-10-22 14:37:12 -04:00
cba4e82682
Don't use http.DefaultClient
...
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.
Fixes #700 , I believe.
2015-10-15 17:54:00 -04:00
a9155ef85e
Use split-out hashicorp/uuid
2015-10-12 14:07:12 -04:00
6f4e42efed
Add StaticSystemView to LDAP acceptance tests
2015-10-06 15:48:10 -04:00
bf464b9a4b
Merge pull request #661 from hashicorp/maxopenconns
...
Parameterize max open connections in postgresql and mysql backends
2015-10-03 16:55:20 -04:00
a740c68eab
Added a test case. Removed setting of defaultTTL in config.
2015-10-03 15:36:57 -04:00
145aee229e
Merge branch 'master' of https://github.com/hashicorp/vault
2015-10-03 00:07:34 -04:00
8e7975edc8
Added ConnectionURL along with ConnectionString
2015-10-02 23:47:10 -04:00
e3f04dc444
Added testcases for config writes
2015-10-02 22:10:51 -04:00
645932a0df
Remove use of os/user as it cannot be run with CGO disabled
2015-10-02 18:43:38 -07:00
ea0aba8e47
Use SanitizeTTL in credential request path instead of config
2015-10-02 15:41:35 -04:00
69b478fff1
fix struct tags
2015-10-02 14:13:27 -04:00
3dd84446ab
Github backend: enable auth renewals
2015-10-02 13:33:19 -04:00
1f12482995
Fix ConnectionString JSON value
2015-10-02 12:07:31 -04:00
644a655920
mysql: made max_open_connections configurable
2015-10-01 21:15:56 -04:00
2051101c43
postgresql: Configurable max open connections to the database
2015-10-01 20:11:24 -04:00
c3bdde8abe
Add a static system view to github credential backend to fix acceptance tests
2015-09-29 18:55:59 -07:00
af27a99bb7
Remove JWT for the 0.3 release; it needs a lot of rework.
2015-09-24 16:23:44 -04:00
f10343921b
Start rejigging JWT
2015-09-24 16:20:22 -04:00
29c722dbb6
Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values
2015-09-21 16:14:30 -04:00
3eb38d19ba
Update transit backend documentation, and also return the min decryption
...
value in a read operation on the key.
2015-09-21 16:13:43 -04:00
5dde76fa1c
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 17:38:30 -04:00
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
01ee6c4fe1
Move no_plaintext to two separate paths for datakey.
2015-09-18 14:41:05 -04:00
448249108c
Add datakey generation to transit.
...
Can specify 128 bits (defaults to 256) and control whether or not
plaintext is returned (default true).
Unit tests for all of the new functionality.
2015-09-18 14:41:05 -04:00
61398f1b01
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key
2015-09-18 14:41:05 -04:00
801e531364
Enhance transit backend:
...
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
2015-09-18 14:41:05 -04:00
9c5dcac90c
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 14:01:28 -04:00
1f53376ae6
Userpass Bk: Added tests for TTL duration verifications
2015-09-17 16:33:26 -04:00
4332eb9d05
Vault userpass: Enable renewals for login tokens
2015-09-17 14:35:50 -04:00
77e7379ab5
Implement the cubbyhole backend
...
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
104b29ab04
Rename View to StorageView to make it more distinct from SystemView
2015-09-15 13:50:37 -04:00
83d0ab73f5
Define time zone explicitly in postgresql connection string.
2015-09-14 13:43:06 +03:00
a9aaee6f5a
Explicitly set timezone with PostgreSQL timestamps.
2015-09-14 13:43:06 +03:00
79f68c934a
Call ResetDB as Cleanup routine to close existing database connections
...
on backend unmount.
2015-09-11 11:45:58 +03:00
08f7fb9c8d
Merge pull request #580 from hashicorp/zeroaddress-path
...
Add root authenticated path to allow default CIDR to select roles
2015-09-10 15:28:49 -04:00
39cfcccdac
Remove error returns from sysview TTL calls
2015-09-10 15:09:54 -04:00
488d33c70a
Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation
2015-09-10 15:09:54 -04:00
4239f9d243
Add DynamicSystemView. This uses a pointer to a pointer to always have
...
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.
Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
d435048d9e
Switch StaticSystemView values to pointers, to support updating
2015-09-10 15:09:54 -04:00
473c1d759d
Vault SSH: Testing credential creation on zero address roles
2015-09-10 11:55:07 -04:00
d26497267c
Vault SSH: Expected data for testRoleRead
2015-09-10 10:44:26 -04:00
475df43c59
Merge branch 'master' of https://github.com/hashicorp/vault
2015-09-10 10:03:17 -04:00
d6b40c576d
Vault SSH: Refactoring tests
2015-09-03 18:56:45 -04:00
17c266bfd3
Vault SSH: Refactor lookup test case
2015-09-03 18:43:53 -04:00
c8c472e461
Vault SSH: Testcase restructuring
2015-09-03 18:11:04 -04:00
959a727acd
Don't re-use tls configuration, to fix a possible race issue during test
2015-09-03 13:04:32 -04:00
3e7aa75d70
Vault SSH: make Zeroaddress entry Remove method private
2015-08-31 17:10:55 -04:00
9918105404
Vault SSH: Store roles as slice of strings
2015-08-31 17:03:46 -04:00
f21ad7da4c
Vault SSH: refactoring
2015-08-31 16:03:28 -04:00
59bf9e6f9f
Vault SSH: Refactoring backend_test
2015-08-30 14:30:59 -04:00
5e3f8d53f3
Vault SSH: ZeroAddress CRUD test
2015-08-30 14:20:16 -04:00
6427a7e41e
Vault SSH: Add read method for zeroaddress endpoint
2015-08-29 20:22:34 -04:00
dc4f97b61b
Vault SSH: Zeroaddress roles and CIDR overlap check
2015-08-29 15:24:15 -04:00
5fa76b5640
Add base_url option to GitHub auth provider to allow selecting a custom endpoint. Fixes #572 .
2015-08-28 06:28:43 -07:00
d4609dea28
Merge pull request #578 from hashicorp/exclude-cidr-list
...
Vault SSH: Added exclude_cidr_list option to role
2015-08-28 07:59:46 -04:00
b12a2f0013
Vault SSH: Added exclude_cidr_list option to role
2015-08-27 23:19:55 -04:00
a4fc4a8e90
Deprecate lease -> ttl in PKI backend, and default to system TTL values if not given. This prevents issuing certificates with a longer duration than the maximum lease TTL configured in Vault. Fixes #470 .
2015-08-27 12:24:37 -07:00
fbff20d9ab
Vault SSH: Docs for default CIDR value
2015-08-27 13:10:15 -04:00
5063a0608b
Vault SSH: Default CIDR for roles
2015-08-27 13:04:15 -04:00
702a869010
Vault SSH: Provide key option specifications for dynamic keys
2015-08-27 11:41:29 -04:00
5b08e01bb1
Vault SSH: Create .ssh directory if not present. Closes #573
2015-08-27 08:45:34 -04:00
9db8a5c744
Merge pull request #567 from hobbeswalsh/master
...
Spaces in displayName break AWS IAM
2015-08-26 12:37:52 -04:00
34b84367b5
Adding one more test (for no-op case)
2015-08-26 09:26:20 -07:00
4b7c2cc114
Adding unit test for normalizeDisplayName()
2015-08-26 09:23:33 -07:00
2098446d47
Ensure that the 'file' audit backend can successfully open its given path before returning success. Fixes #550 .
2015-08-26 09:13:10 -07:00
2d8bfff02b
Explicitly check for blank leases in AWS, and give a better error message if lease_max cannot be parsed. Fixes #569 .
2015-08-26 09:04:47 -07:00
8530f14fee
s/string replacement/regexp replacement
2015-08-24 17:00:54 -07:00
69f5abdc91
spaces in displayName break AWS IAM
2015-08-24 16:12:45 -07:00
c35d78b3cb
Vault SSH: Documentation update
2015-08-24 14:18:37 -04:00
e6987beb61
Vault SSH: Replace args with named vars
2015-08-24 14:07:07 -04:00
eb91a3451b
Merging with master
2015-08-24 13:55:20 -04:00
44c07cff5b
Vault SSH: Cleanup of aux files in install script
2015-08-24 13:50:46 -04:00
f7845234b4
Merge pull request #555 from hashicorp/toggleable-hostname-enforcement
...
Allow enforcement of hostnames to be toggleable for certificates.
2015-08-21 19:23:09 -07:00
5695d57ba0
Merge pull request #561 from hashicorp/fix-wild-cards
...
Allow hyphens in endpoint patterns of most backends
2015-08-21 11:40:42 -07:00
6822af68e1
Vault SSH: Undo changes which does not belong to wild card changes
2015-08-21 09:58:15 -07:00
6c2927ede0
Vault: Fix wild card paths for all backends
2015-08-21 00:56:13 -07:00
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
0ffad79548
Vault SSH: Make the script readable
2015-08-20 16:12:17 -07:00
133380915a
Disallow non-client X509 key usages for client TLS cert authentication.
2015-08-20 15:50:47 -07:00
41b85a1c83
Allow enforcement of hostnames to be toggleable for certificates. Fixes #451 .
2015-08-20 14:33:37 -07:00
beca9f1596
Merge pull request #385 from hashicorp/vishal/vault
...
SSH Secret Backend for Vault
2015-08-20 10:03:15 -07:00
8a5361ea79
skip revoke permissions step on cassandra rollback (drop user is enough)
2015-08-20 11:15:43 +02:00
86cde438a5
avoid dashes in generated usernames for cassandra to avoid quoting issues
2015-08-20 11:15:28 +02:00
451d2b0532
Vault SSH: Removing script file
2015-08-19 12:59:52 -07:00
76ed3bec74
Vault SSH: 1024 is default key size and removed 4096
2015-08-19 12:51:33 -07:00
5b1ba99757
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-08-18 19:00:38 -07:00
251cd997ad
Vault SSH: TLS client creation test
2015-08-18 19:00:27 -07:00
aefb92b74c
Merge pull request #534 from ctennis/lease_reader
...
Fix #533 , add a reader for lease values (#529 ) and an acceptance test for mysql to prove it works
2015-08-18 19:00:18 -07:00
3cc4bd0b96
Fix AWS, again, and update Godeps.
2015-08-18 18:12:51 -07:00
9324db7979
Vault SSH: verify echo test
2015-08-18 16:48:50 -07:00
0c0ca91d2e
Vault SSH: Fix backend test cases
2015-08-18 15:40:52 -07:00
b91ebbc6e2
Vault SSH: Documentation update and minor refactoring changes.
2015-08-17 18:22:03 -07:00
9db318fc55
Vault SSH: Website page for SSH backend
2015-08-14 12:41:26 -07:00
b2f29c517b
Vault SSH: Install script is optional now. Default script will be for Linux host.
2015-08-13 17:07:43 -07:00
7f9babed2a
Vault SSH: CLI embellishments
2015-08-13 16:55:47 -07:00
d670b50e78
Vault SSH: Introduced allowed_users option. Added helpers getKey and getOTP
2015-08-13 14:18:30 -07:00
a36910799e
Fix #533 , add a reader for lease values ( #529 ) and an acceptance test for mysql to prove it works
2015-08-13 15:33:06 -04:00
2320bfb1e4
Vault SSH: Helper for OTP creation and role read
2015-08-13 11:12:30 -07:00
c11bcecbbb
Vault SSH: Mandate default_user. Other refactoring
2015-08-13 10:36:31 -07:00
8e946f27cc
Vault SSH: cidr to cidr_list
2015-08-13 08:46:55 -07:00
7d3025fd6e
Vault SSH: Default lease duration, policy/ to role/
2015-08-12 17:36:27 -07:00
330ef396ca
Vault SSH: Default lease of 5 min for SSH secrets
2015-08-12 17:10:35 -07:00
2d23ffe3d2
Vault SSH: Exposed verify request/response messges to agent
2015-08-12 13:22:48 -07:00
f84347c542
Vault SSH: Added SSHAgent API
2015-08-12 10:48:58 -07:00
93dfa67039
Merging changes from master
2015-08-12 09:28:16 -07:00
0abf07cb91
Vault SSH: Website doc v1. Removed path_echo
2015-08-12 09:25:28 -07:00
d1a09e295a
Merge pull request #509 from ekristen/github-fix
...
Reimplements #459
2015-08-11 10:06:10 -07:00
3b9a6d5e33
Fixing merge conflict
2015-08-11 10:04:47 -07:00
611965844b
reimplements #459
2015-08-09 11:25:45 -06:00
21ab4d526c
Provide working example of TLS certificate authentication
...
Fixes #474
2015-08-07 15:15:53 -07:00
ae34ec2bff
adding basic tests
2015-08-06 17:50:34 -06:00
2233f993ae
initial pass at JWT secret backend
2015-08-06 17:49:44 -06:00
e5080a7f32
Merging with master
2015-08-06 18:44:40 -04:00
32502977f6
Vault SSH: Automate OTP typing if sshpass is installed
2015-08-06 17:00:50 -04:00
0af97b8291
Vault SSH: uninstall dynamic keys using script
2015-08-06 15:50:12 -04:00
3dd8fe750d
Vault SSH: Script to install dynamic keys in target
2015-08-06 14:48:19 -04:00
Jeff Mitchell