8fa5a349a5
ldap: add mfa to LDAP login
2015-07-27 21:14:00 -07:00
4b4df4271d
Vault SSH: Refactoring
2015-07-27 16:42:03 -04:00
2e7612a149
Vault SSH: admin_user/default_user fix
2015-07-27 15:03:10 -04:00
e9f507caf0
Vault SSH: Refactoring
2015-07-27 13:02:31 -04:00
1ca09a74b3
name slug check
2015-07-26 22:21:16 -04:00
b532ee0bf4
Vault SSH: Dynamic Key test case fix
2015-07-24 12:13:26 -04:00
e8daf2d0a5
Vault SSH: keys/ designated special path
2015-07-23 18:12:13 -04:00
e998face87
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-23 17:20:34 -04:00
791a250732
Vault SSH: Support OTP key type from CLI
2015-07-23 17:20:28 -04:00
47197d4cb3
Vault SSH: Added vault server otp verify API
2015-07-22 16:00:58 -04:00
93f7448487
Vault SSH: Vault agent support
2015-07-22 14:15:19 -04:00
e8d26d244b
ldap: change setting user policies to setting user groups
2015-07-20 11:33:39 -07:00
27e66e175f
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-17 17:22:17 -04:00
301a22295d
ldap: add ability to set policies based on username as well as groups
2015-07-14 15:46:15 -07:00
0e2edc2378
ldap: add ability to login with a userPrincipalName (user@upndomain)
2015-07-14 15:37:46 -07:00
504a7ca7c1
auth/userpass: store password as hash instead of direct. Credit @kenbreeman
2015-07-13 15:09:24 +10:00
da4650ccb4
auth/userpass: protect against timing attack. Credit @kenbreeman
2015-07-13 15:01:18 +10:00
599d5f1431
auth/app-id: protect against timing attack. Credit @kenbreeman
2015-07-13 14:58:18 +10:00
ed258f80c6
Vault SSH: Refactoring and fixes
2015-07-10 18:44:31 -06:00
89a0e37a89
Vault SSH: Backend and CLI testing
2015-07-10 16:18:02 -06:00
2901890df2
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-10 09:56:21 -06:00
3c7dd8611c
Vault SSH: Test case skeleton
2015-07-10 09:56:14 -06:00
96d6455ef5
audit: properly restore TLS state
2015-07-08 16:45:15 -06:00
73414154f8
Vault SSH: Made port number configurable
2015-07-06 16:56:45 -04:00
88a3c5d41a
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-06 11:05:08 -04:00
0be3d419c8
secret/transit: address PR feedback
2015-07-05 19:58:31 -06:00
8293457633
secret/transit: use base64 for context to allow binary
2015-07-05 14:37:51 -07:00
f0eec18cc7
secret/transit: testing key derivation
2015-07-05 14:30:45 -07:00
143cd0875e
secret/transit: support key derivation in encrypt/decrypt
2015-07-05 14:19:24 -07:00
ae9591004b
secret/transit: check for context for derived keys
2015-07-05 14:12:07 -07:00
b30dbce404
secret/transit: support derived keys
2015-07-05 14:11:02 -07:00
425b69be32
Vault SSH: PR review rework: Formatting/Refactoring
2015-07-02 19:52:47 -04:00
42050fe77b
ldap: add starttls support and option to specificy ca certificate
2015-07-02 15:49:51 -07:00
c0a62f28b1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-02 17:23:13 -04:00
a1e2705173
Vault SSH: PR review rework
2015-07-02 17:23:09 -04:00
13c5fe0a16
Fix regexes to allow hyphens in role names, as the documentation shows
2015-07-01 20:39:18 -05:00
30a24eef2c
Vault SSH: review rework: formatted and moved code
2015-07-01 21:26:42 -04:00
67e543a863
Vault SSH: Regex supports hypen in key name and role names
2015-07-01 21:05:52 -04:00
bb16052141
Vault SSH: replaced concatenated strings by fmt.Sprintf
2015-07-01 20:35:11 -04:00
d691a95531
Vault SSH: PR review rework - 1
2015-07-01 11:58:49 -04:00
1f001d283f
For SSH backend, allow factory to be provided instead of Backend
2015-07-01 09:37:11 -04:00
3b0ff5b5f1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-01 09:31:25 -04:00
b52d3e6506
cred/app-id: testing upgrade to salted keys
2015-06-30 18:37:10 -07:00
eeb717c901
cred/app-id: first pass at automatic upgrading to salting
2015-06-30 18:09:08 -07:00
4b27e4d8c5
Remove SetLogger, and unify on framework.Setup
2015-06-30 17:45:20 -07:00
5d69e7da90
Updating for backend API change
2015-06-30 17:36:12 -07:00
b0043737af
lease handling fix
2015-06-30 20:21:41 -04:00
8627f3c360
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-30 18:33:37 -04:00
5e5e6788be
Input validations, help strings, default_user support
2015-06-30 18:33:17 -04:00
8bc99f8c23
helper/uuid: single generateUUID definition
2015-06-30 12:38:32 -07:00
3c58773598
Merge pull request #380 from kgutwin/cert-cli
...
Enable TLS client cert authentication via the CLI
2015-06-30 11:44:28 -07:00
b1f7e2f0ea
ldap: fixing merge conflict
2015-06-30 09:40:43 -07:00
762108d9eb
Put timestamp back into the username. Since Cassandra doesn't support expiration, this can be used by scripts to manually clean up old users if revocation fails for some reason.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 11:15:46 -04:00
42b90fa9b9
Address some issues from code review.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:27:23 -04:00
fccbc587c6
A Cassandra secrets backend.
...
Supports creation and deletion of users in Cassandra using flexible CQL queries.
TLS, including client authentication, is supported.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:04:01 -04:00
0062d923cc
Better error messages.
2015-06-30 08:59:38 -04:00
a54ba31635
Merge remote-tracking branch 'upstream/master' into cert-cli
2015-06-30 08:31:00 -04:00
dafcc5b2ce
enable CLI cert login
2015-06-29 23:29:41 -04:00
f7a0c17100
merge changes from master
2015-06-29 22:01:43 -04:00
91ed2dcdc2
Refactoring changes
2015-06-29 22:00:08 -04:00
c0e1843263
change skipsslverify to insecure_tls
2015-06-29 19:23:31 -06:00
12d3aee58e
audit: fixing panic caused by tls connection state. Fixes #322
2015-06-29 17:16:17 -07:00
add8e1a3fd
Fixing merge conflict
2015-06-29 15:19:04 -07:00
337997ab04
Fixing merge conflict
2015-06-29 14:50:55 -07:00
0f2c1f867e
SCP in pure GO and CIDR parsing fix
2015-06-29 11:49:34 -04:00
29696d4b6b
Creating SSH keys and removal of files in pure 'go'
2015-06-26 15:43:27 -04:00
8c15e2313b
ssh/lookup implementation and refactoring
2015-06-25 21:47:32 -04:00
f39df58eef
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-24 18:13:26 -04:00
b237a3bcc2
POC: Rework. Doing away with policy file.
2015-06-24 18:13:12 -04:00
e81f966842
Set SkipSSLVerify default to false, add warning in help message
2015-06-24 13:38:14 -06:00
d3225dae07
cleanup the code a bit
2015-06-24 10:09:29 -06:00
84371ea734
allow skipping SSL verification on ldap auth
2015-06-24 10:05:45 -06:00
e086879fa3
Merge remote-tracking branch 'upstream/master' into f-pki
2015-06-19 13:01:26 -04:00
f8d164f477
SSHs to multiple users by registering the respective host keys
2015-06-19 12:59:36 -04:00
a6fc48b854
A few things:
...
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
4ec685dc1a
Logging authentication errors and bad token usage
2015-06-18 18:30:18 -07:00
90605c6079
merging with master
2015-06-18 20:51:11 -04:00
8d98968a54
Roles, key renewal handled. End-to-end basic flow working.
2015-06-18 20:48:41 -04:00
34f495a354
Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
2aed5f8798
Implementation for storing and deleting the host information in Vault
2015-06-17 22:10:47 -04:00
d34861b811
secret/transit: allow policies to be upserted
2015-06-17 18:51:05 -07:00
f53d31a580
secret/transit: Use special endpoint to get underlying keys. Fixes #219
2015-06-17 18:42:23 -07:00
cfef144dc2
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-17 20:34:56 -04:00
303a7cef9a
Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH.
2015-06-17 20:33:03 -04:00
45d3c512fb
builtin: fixing API change in logical framework
2015-06-17 14:34:11 -07:00
30de4ea80d
secret/postgres: Ensure sane username length. Fixes #326
2015-06-17 13:31:56 -07:00
29e7ec3e21
A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
...
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.
More refactoring could be done within the PKI backend itself, but that can wait.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
3ed73d98c2
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect
2015-06-17 12:39:49 -04:00
08c921c75e
Vault SSH: POC Stage 1. Skeleton implementation.
2015-06-16 16:58:54 -04:00
49f1fdbdcc
Merge branch 'master' into f-pki
2015-06-16 13:43:25 -04:00
03b0675350
A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions
...
useful for other parts of Vault (including the API) to take advantage of.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-16 13:43:12 -04:00
4bf84392ec
credential/github: get rid of stray tab
2015-06-16 10:05:51 -07:00
0ecf05c043
command/auth, github: improve cli docs
...
/cc @sethvargo
2015-06-16 10:05:11 -07:00
e3d3012795
Record the common name in TLS metadata
...
It is useful to be able to save the client cert's Common Name for auditing purposes when using a central CA.
This adds a "common_name" value to the Metadata structure passed from login.
2015-06-14 23:18:21 +01:00
ae1cbc1a7a
Erp, forgot this feedback...
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 23:16:13 -04:00
7cf1f186ed
Add locking for revocation/CRL generation. I originally was going to use an RWMutex but punted, because it's not worth trying to save some milliseconds with the possibility of getting something wrong. So the entire operations are now wrapped, which is minimally slower but very safe.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 22:28:13 -04:00
018c0ec7f5
Address most of Armon's initial feedback.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 21:57:05 -04:00
1513e2baa4
Add acceptance tests
...
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling
Also, fix a bug when trying to get code signing certificates.
Not tested:
* Revocation (I believe this is impossible with the current testing framework)
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
0d832de65d
Initial PKI backend implementation.
...
Complete:
* Up-to-date API documents
* Backend configuration (root certificate and private key)
* Highly granular role configuration
* Certificate generation
* CN checking against role
* IP and DNS subject alternative names
* Server, client, and code signing usage types
* Later certificate (but not private key) retrieval
* CRL creation and update
* CRL/CA bare endpoints (for cert extensions)
* Revocation (both Vault-native and by serial number)
* CRL force-rotation endpoint
Missing:
* OCSP support (can't implement without changes in Vault)
* Unit tests
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
348924eaab
logical/consul: Combine policy and lease into single storage struct
2015-05-28 09:36:23 +10:00
Bradley Girardeau