Jeff Mitchell
8f437d6142
Make logical.InmemStorage a wrapper around physical.InmemBackend.
...
This:
* Allows removing LockingInmemStorage since the physical backend already
locks properly
* Makes listing work properly by adhering to expected semantics of only
listing up to the next prefix separator
* Reduces duplicated code
2016-06-06 12:03:08 -04:00
Jeff Mitchell
50c011e79f
Use backend function instead of separate backend creation in consul
2016-06-03 10:08:58 -04:00
Jeff Mitchell
ca47478aed
Merge pull request #1479 from hashicorp/reuse-be-creation-tests
...
Change AWS/SSH to reuse backend creation code for test functions
2016-06-03 09:59:37 -04:00
vishalnayak
e9fbb9fabe
Remove failOnError method from cert tests
2016-06-01 16:01:28 -04:00
Jeff Mitchell
86d2c796b0
Change AWS/SSH to reuse backend creation code for test functions
2016-06-01 12:17:47 -04:00
Vishal Nayak
3c5fb471a4
Merge pull request #1445 from hashicorp/consul-fixups
...
Reading consul access configuration in the consul secret backend.
2016-06-01 12:11:12 -04:00
Vishal Nayak
3a460b9c4b
Merge pull request #1471 from hashicorp/rename-aws-auth
...
auth backend: rename `aws` as `aws-ec2`
2016-06-01 10:41:13 -04:00
vishalnayak
dbee3cd81b
Address review feedback
2016-06-01 10:36:58 -04:00
vishalnayak
4fea41f7e5
Use entry.Type as a criteria for upgrade
2016-06-01 10:30:11 -04:00
Jeff Mitchell
99c1e071f3
Remove most Root paths
2016-05-31 23:42:54 +00:00
vishalnayak
eefd9acbf0
Set config access test case as an acceptance test and make travis happy
2016-05-31 13:27:34 -04:00
vishalnayak
f64987a6cf
Add tests around writing and reading consul access configuration
2016-05-31 13:27:34 -04:00
Jeff Mitchell
036e7fa63e
Add reading to consul config, and some better error handling.
2016-05-31 13:27:34 -04:00
vishalnayak
a072f2807d
Rename aws as aws-ec2
2016-05-30 14:11:15 -04:00
vishalnayak
950c76c020
rename credential/aws as credential/aws-ec2
2016-05-30 14:11:15 -04:00
vishalnayak
30fa7f304b
Allow * to be set for allowed_users
2016-05-30 03:12:43 -04:00
vishalnayak
971b2cb7b7
Do not allow any username to login if allowed_users is not set
2016-05-30 03:01:47 -04:00
Jeff Mitchell
e01bce371d
Merge pull request #1462 from hashicorp/enable-auth-rollbacks
...
Re-enable rollback triggers for auth backends
2016-05-27 15:01:35 -04:00
Jeff Mitchell
39fe3200e3
Return nil for pre-0.5.3 Consul tokens to avoid pathological behavior
2016-05-27 13:09:52 -04:00
Jeff Mitchell
f035a320d0
Add test for renew/revoke to Consul secret backend
2016-05-27 11:27:53 -04:00
vishalnayak
1d94828e45
Re-enable rollback triggers for auth backends
2016-05-26 14:29:41 -04:00
Vishal Nayak
644ac5f5e8
Merge pull request #1456 from hashicorp/consul-lease-renewal
...
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
vishalnayak
cfd337d06a
Fix broken cert backend test
2016-05-26 11:06:46 -04:00
Jeff Mitchell
05d1da0656
Add comment about the deletions
2016-05-26 10:33:35 -04:00
Jeff Mitchell
ccfa8d0567
Remove deprecated entries from PKI role output.
...
Fixes #1452
2016-05-26 10:32:04 -04:00
vishalnayak
c0e745dbfa
s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends
2016-05-26 10:21:03 -04:00
vishalnayak
2ca846b401
s/logical.ErrorResponse/fmt.Errorf in revocation functions of secrets
2016-05-26 10:04:11 -04:00
vishalnayak
70b8530962
Fix the consul secret backends renewal revocation problem
2016-05-25 23:24:16 -04:00
Kevin Pike
cdfc6b46fd
Update and document rabbitmq test envvars
2016-05-20 23:28:02 -07:00
Kevin Pike
4eb20e4aa8
Merge remote-tracking branch 'origin/master' into rabbitmq
2016-05-20 23:27:22 -07:00
Kevin Pike
5783b02e36
Address feedback
2016-05-20 22:57:24 -07:00
Jeff Mitchell
8f592f3442
Don't use pointers to int64 in function calls when not necessary
2016-05-19 12:26:02 -04:00
Jeff Mitchell
a13807e759
Merge pull request #1318 from steve-jansen/aws-logical-assume-role
...
Add sts:AssumeRole support to the AWS secret backend
2016-05-19 12:17:27 -04:00
Jeff Mitchell
1bef0c3584
Merge pull request #1245 from LeonDaniel/master
...
Improved groups search for LDAP login
2016-05-19 12:13:29 -04:00
Jeff Mitchell
91b65a893e
Merge pull request #1430 from hashicorp/issue-1428
...
Use Consul API client's DefaultNonPooledTransport.
2016-05-17 20:59:50 -04:00
Jeff Mitchell
86e078ff98
Use Consul API client's DefaultNonPooledTransport.
...
What we should probably do is create a client with a mutex and
invalidate it when parameters change rather than creating a client over
and over...that can be a TODO for later but for now this fix suffices.
Fixes #1428
2016-05-18 00:47:42 +00:00
vishalnayak
65801942cb
Naming of the locked and nonLocked methods
2016-05-17 20:39:24 -04:00
Jeff Mitchell
ed574d63fe
Merge pull request #1416 from shomron/list_ldap_group_mappings
...
Support listing ldap group to policy mappings
2016-05-16 16:22:13 -04:00
Sean Chittenden
792950e16c
Merge pull request #1417 from hashicorp/b-pki-expire-ttl-unset
...
Set entry's TTL before writing out the storage entry's config
2016-05-15 10:02:03 -07:00
Sean Chittenden
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
Sean Chittenden
b0bba6d271
Store clamped TTLs back in the role's config
2016-05-15 08:13:56 -07:00
Sean Chittenden
539475714d
Set entry's TTL before writing out the storage entry's config
2016-05-15 07:06:33 -07:00
Oren Shomron
b8840ab9eb
Support listing ldap group to policy mappings ( Fixes #1270 )
2016-05-14 20:00:40 -04:00
Vishal Nayak
53fc941761
Merge pull request #1300 from hashicorp/aws-auth-backend
...
AWS EC2 instances authentication backend
2016-05-14 19:42:03 -04:00
vishalnayak
4122ed860b
Rename 'role_name' to 'role'
2016-05-13 14:31:13 -04:00
vishalnayak
9147f99c43
Remove unused param from checkForValidChain
2016-05-12 15:07:10 -04:00
vishalnayak
85d9523f98
Perform CRL checking for non-CA registered certs
2016-05-12 14:37:07 -04:00
vishalnayak
be88306f92
Name the files based on changed path patterns
2016-05-12 11:52:07 -04:00
vishalnayak
7e8a2d55d0
Update docs and path names to the new patterns
2016-05-12 11:45:10 -04:00
vishalnayak
ddcaf26396
Merge branch 'master-oss' into aws-auth-backend
2016-05-10 14:50:00 -04:00
vishalnayak
d09748a135
Fix the acceptance tests
2016-05-09 22:07:51 -04:00
vishalnayak
95f3f08d29
Call client config internal from the locking method
2016-05-09 21:01:57 -04:00
Jeff Mitchell
d899f9d411
Don't revoke CA certificates with leases.
2016-05-09 19:53:28 -04:00
Jeff Mitchell
4549625367
Update client code to use internal entry fetching
2016-05-09 23:26:00 +00:00
Jeff Mitchell
d77563994c
Merge pull request #1346 from hashicorp/disable-all-caches
...
Disable all caches
2016-05-07 16:33:45 -04:00
Steve Jansen
597d59962c
Adds sts:AssumeRole support to the AWS secret backend
...
Support use cases where you want to provision STS tokens
using Vault, but, you need to call AWS APIs that are blocked
for federated tokens. For example, STS federated tokens cannot
invoke IAM APIs, such as Terraform scripts containing
`aws_iam_*` resources.
2016-05-05 23:32:41 -04:00
Jeff Mitchell
c16b0a4f41
Switch whitelist to use longest max TTL
2016-05-05 20:44:48 -04:00
Jeff Mitchell
7a6c76289a
Role tag updates
2016-05-05 15:32:14 -04:00
Jeff Mitchell
b58ad615f2
Fix HMAC being overwritten. Also some documentation, and add a lock to role operations
2016-05-05 14:51:09 -04:00
Jeff Mitchell
0eddeb5c94
Guard tidy functions
2016-05-05 14:28:46 -04:00
Jeff Mitchell
2d4c390f87
More updates to mutexes and adjust blacklisted roletag default safety buffer
2016-05-05 14:12:22 -04:00
Jeff Mitchell
8fef6e3ac0
Rename identity whitelist and roletag blacklist api endpoints
2016-05-05 13:34:50 -04:00
Jeff Mitchell
c69ba40d05
Move some mutexes around
2016-05-05 12:53:27 -04:00
Jeff Mitchell
f689e4712d
Update some mutexes in client config
2016-05-05 12:44:40 -04:00
Jeff Mitchell
c15c227774
Fall back to non-base64 cert if it can't be decoded (it's checked later anyways)
2016-05-05 11:36:28 -04:00
Jeff Mitchell
25913fb18c
Update commenting
2016-05-05 11:22:36 -04:00
Jeff Mitchell
15cbcedf1f
Make the roletag blacklist the longest duration, not least
2016-05-05 11:00:41 -04:00
Jeff Mitchell
e45d6c1120
Switch client code to shared awsutil code
2016-05-05 10:40:49 -04:00
Jeff Mitchell
4600ca8073
Merge branch 'master-oss' into aws-auth-backend
2016-05-05 10:36:06 -04:00
Jeff Mitchell
b6b9cd6f1f
Merge remote-tracking branch 'origin/master' into aws-cred-chain
2016-05-05 10:31:12 -04:00
Jeff Mitchell
3e71221839
Merge remote-tracking branch 'origin/master' into aws-auth-backend
2016-05-05 10:04:52 -04:00
vishalnayak
92fe94546c
Split SanitizeTTL method to support time.Duration parameters as well
2016-05-05 09:45:48 -04:00
vishalnayak
4ede1d6f08
Add the steps to generate the CRL test's test-fixture files
2016-05-04 05:48:34 -04:00
vishalnayak
b7c48ba109
Change image/ to a more flexible /role endpoint
2016-05-03 23:36:59 -04:00
Jeff Mitchell
1b0df1d46f
Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over
2016-05-03 17:01:02 -04:00
Jeff Mitchell
7fbe5d2eaa
Region is required so error in awsutil if not set and set if empty in client code in logical/aws
2016-05-03 15:25:11 -04:00
Jeff Mitchell
a244ef8a00
Refactor AWS credential code into a function that returns a static->env->instance chain
2016-05-03 15:10:35 -04:00
Jeff Mitchell
45a120f491
Switch our tri-copy ca loading code to go-rootcerts
2016-05-03 12:23:25 -04:00
Jeff Mitchell
f21b88802f
Add some more tests around deletion and fix upsert status returning
2016-05-03 00:19:18 -04:00
Jeff Mitchell
7e1bdbe924
Massively simplify lock handling based on feedback
2016-05-02 23:47:18 -04:00
Jeff Mitchell
7f3613cc6e
Remove some deferring
2016-05-02 22:36:44 -04:00
Jeff Mitchell
fa0d389a95
Change use-hint of lockAll and lockPolicy
2016-05-02 22:36:44 -04:00
Jeff Mitchell
49c56f05e8
Address review feedback
2016-05-02 22:36:44 -04:00
Jeff Mitchell
3e5391aa9c
Switch to lockManager
2016-05-02 22:36:44 -04:00
Jeff Mitchell
08b91b776d
Address feedback
2016-05-02 22:36:44 -04:00
Jeff Mitchell
fedc8711a7
Fix up commenting and some minor tidbits
2016-05-02 22:36:44 -04:00
Jeff Mitchell
fe1f56de40
Make a non-caching but still locking variant of transit for when caches are disabled
2016-05-02 22:36:44 -04:00
vishalnayak
9f2a111e85
Allow custom endpoint URLs to be supplied to make EC2 API calls
2016-05-02 17:21:52 -04:00
vishalnayak
57e8fcd8c2
Extend the expiry of test-fixture certs of Cert backend
2016-05-02 12:34:46 -04:00
Jeff Mitchell
3d1c88f315
Make GitHub org comparison case insensitive.
...
Fixes #1359
2016-05-02 00:18:31 -04:00
vishalnayak
1c91f652d4
Remove unnecessary append call
2016-04-30 03:20:21 -04:00
vishalnayak
fde768125c
Cert backend, CRL tests
2016-04-29 02:32:48 -04:00
vishalnayak
23d8ce62a3
Ensure that the instance is running during renewal
2016-04-28 16:34:35 -04:00
vishalnayak
2a2dc0befb
Added allow_instance_migration to the role tag
2016-04-28 11:43:48 -04:00
vishalnayak
4161d3ef4f
Change all time references to UTC
2016-04-28 10:19:29 -04:00
vishalnayak
e591632630
Fix the deadlock issue
2016-04-28 01:01:33 -04:00
vishalnayak
4712533f1d
minor updates
2016-04-28 00:35:49 -04:00
vishalnayak
e6a9a5957d
Refactor locks around config tidy endpoints
2016-04-27 22:32:43 -04:00
vishalnayak
b75a6e2f0f
Fix locking around config/client
2016-04-27 22:25:15 -04:00
vishalnayak
0e97b57beb
Fix the list response of role tags
2016-04-27 22:03:11 -04:00
vishalnayak
779d73ce2b
Removed existence check on blacklist/roletags, docs fixes
2016-04-27 21:29:32 -04:00
vishalnayak
d44326ded6
Remove unnecessary lock switching around flushCachedEC2Clients
2016-04-27 20:13:56 -04:00
vishalnayak
e1080f86ed
Remove recreate parameter from clientEC2
2016-04-27 20:01:39 -04:00
vishalnayak
441477f342
Added ami_id to token metadata
2016-04-27 11:32:05 -04:00
leon
b9c96bf7ce
- updated refactored functions in ldap backend to return error instead of ldap response and fixed interrupted search in ldap groups search func
2016-04-27 18:17:54 +03:00
leon
08be31e9ab
- refactored functionality in separate functions in ldap backend and used a separate ldap query to get ldap groups from userDN
2016-04-27 15:00:26 +03:00
vishalnayak
7144fd54f9
Added tests
2016-04-26 23:40:11 -04:00
vishalnayak
88942b0503
Added tests
2016-04-26 10:22:29 -04:00
vishalnayak
5a676a129e
Added tests
2016-04-26 10:22:29 -04:00
vishalnayak
e16f256b14
Added tests
2016-04-26 10:22:29 -04:00
vishalnayak
3a4021d6c4
Added tests
2016-04-26 10:22:29 -04:00
vishalnayak
de1a1be564
tidy endpoint fixes
2016-04-26 10:22:29 -04:00
vishalnayak
044d01fd69
HMAC Key per AMI ID and avoided secondary call to AWS to fetch the tags
2016-04-26 10:22:29 -04:00
vishalnayak
5996c3e9d8
Rework and refactoring
2016-04-26 10:22:29 -04:00
vishalnayak
3aeae62c00
Added mutex locking for config/certificate endpoint
2016-04-26 10:22:29 -04:00
vishalnayak
21854776af
Added cooldown period for periodic tidying operation
2016-04-26 10:22:29 -04:00
vishalnayak
9aa8fb6cc1
Support periodic tidy callback and config endpoints.
2016-04-26 10:22:29 -04:00
vishalnayak
2810196e0f
Use fullsailor/pkcs7 package instead of its fork. Fix tests
2016-04-26 10:22:29 -04:00
vishalnayak
5a2e1340df
Removed redundant AWS public certificate. Docs update.
2016-04-26 10:22:29 -04:00
vishalnayak
a456f2c3f6
Removed region
parameter from config/client
endpoint.
...
Region to create ec2 client objects is fetched from the identity document.
Maintaining a map of cached clients indexed by region.
2016-04-26 10:22:29 -04:00
vishalnayak
790b143c75
Instance ID can optionally be accepted as a the role tag parameter.
2016-04-26 10:22:29 -04:00
vishalnayak
58c485f519
Support providing multiple certificates.
...
Append all the certificates to the PKCS#7 parser during signature verification.
2016-04-26 10:22:29 -04:00
vishalnayak
9d4a7c5901
Docs update
2016-04-26 10:22:29 -04:00
vishalnayak
ba9c86c92d
Added acceptance test for login endpoint
2016-04-26 10:22:29 -04:00
vishalnayak
c2c1a5eedc
Added test case TestBackend_PathBlacklistRoleTag
2016-04-26 10:22:29 -04:00
vishalnayak
85c9176cb4
Return 4xx error at appropriate places
2016-04-26 10:22:29 -04:00
vishalnayak
1841ef0ebf
Tested pathImageTag
2016-04-26 10:22:29 -04:00
vishalnayak
80e3063334
Tested parseRoleTagValue
2016-04-26 10:22:29 -04:00
vishalnayak
dab1a00313
Make client nonce optional even during first login, when disallow_reauthentication is set
2016-04-26 10:22:29 -04:00
vishalnayak
e0cf8c5608
Rename 'name' to 'ami_id' for clarity
2016-04-26 10:22:29 -04:00
vishalnayak
092feca996
Moved HMAC parsing inside parseRoleTagValue
2016-04-26 10:22:29 -04:00
vishalnayak
ddfdf37d33
Properly handle empty client nonce case when disallow_reauthentication is set
2016-04-26 10:22:29 -04:00
vishalnayak
b8d9b18193
Added disallow_reauthentication feature
2016-04-26 10:22:29 -04:00
vishalnayak
a1d07cbff5
Remove todo and change clientNonce length limit to 128 chars
2016-04-26 10:22:28 -04:00
Jeff Mitchell
bb276d350a
Fix typo
2016-04-26 10:22:28 -04:00
Jeff Mitchell
a5aadc908d
Add environment and EC2 instance metadata role providers for AWS creds.
2016-04-26 10:22:28 -04:00
vishalnayak
012f9273f7
Remove certificate verification
2016-04-26 10:22:28 -04:00
vishalnayak
41cc7c4a15
Test path config/certificate
2016-04-26 10:22:28 -04:00
vishalnayak
5ff8d0cf96
Add existence check verification to config/client testcase
2016-04-26 10:22:28 -04:00
vishalnayak
3286194384
Testing pathImage
2016-04-26 10:22:28 -04:00
Jeff Mitchell
a8082a9a6e
allow_instance_reboot -> allow_instance_migration
2016-04-26 10:22:28 -04:00
Jeff Mitchell
075a81214e
Update image output to show allow_instance_reboot value and keep policies in a list
2016-04-26 10:22:28 -04:00
vishalnayak
91433fedf2
Changed the blacklist URL pattern to optionally accept base64 encoded role tags
2016-04-26 10:22:28 -04:00
vishalnayak
efcc07967e
Accept instance_id in the URL for whitelist endpoint
2016-04-26 10:22:28 -04:00
Jeff Mitchell
cf56895772
Switch around some logic to be more consistent/readable and respect max
...
TTL on initial token issuance.
2016-04-26 10:22:28 -04:00
vishalnayak
338054d49e
Return un-expired entries from blacklist and whitelist
2016-04-26 10:22:28 -04:00
vishalnayak
b6bd30b9fb
Test ConfigClient
2016-04-26 10:22:28 -04:00
vishalnayak
d3adc85886
AWS EC2 instances authentication backend
2016-04-26 10:22:28 -04:00
leon
81ac4c3fcf
- fixed merge with upstream master
2016-04-26 13:23:43 +03:00
leon
1991aebc0a
Merge remote-tracking branch 'upstream/master'
...
Conflicts:
builtin/credential/ldap/backend.go
2016-04-26 13:16:42 +03:00
Jeff Mitchell
30ba5b7887
Merge pull request #1291 from mmickan/ssh-keyinstall-perms
...
Ensure authorized_keys file is readable when uninstalling an ssh key
2016-04-25 14:00:37 -04:00
Adam Shannon
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
vishalnayak
06eeaecef6
Skip acceptance tests if VAULT_ACC is not set
2016-04-11 20:00:15 -04:00
Jeff Mitchell
d92b960f7a
Add list support to userpass users. Remove some unneeded existence
...
checks. Remove paths from requiring root.
Fixes #911
2016-04-09 18:28:55 -04:00
Kevin Pike
dd98b08d36
Do not provide a default lease
2016-04-08 09:50:47 -07:00
Kevin Pike
eeb145f049
List roles
2016-04-08 09:46:25 -07:00
Kevin Pike
a86e5e3cd9
Support verify_connection flag
2016-04-08 09:44:15 -07:00
Kevin Pike
706ed5839e
Fix username generation
2016-04-08 09:32:29 -07:00
Kevin Pike
e3db8c999e
Merge branch 'master' of github.com:doubledutch/vault
2016-04-08 09:25:28 -07:00
Kevin Pike
1102863f5a
Update comment
2016-04-08 09:07:06 -07:00
Kevin Pike
35f49107cd
Fix documentation typo
2016-04-08 09:05:38 -07:00
Kevin Pike
5460c24b94
Fix documentation typo
2016-04-08 09:05:06 -07:00
Kevin Pike
070fe56648
Rename uri to connection_uri
2016-04-08 09:04:42 -07:00
Kevin Pike
48d1f99afb
Merge remote-tracking branch 'upstream/master'
2016-04-08 08:57:10 -07:00
vishalnayak
e3a1ee92b5
Utility Enhancements
2016-04-05 20:32:59 -04:00
vishalnayak
fd8b023655
s/TF_ACC/VAULT_ACC
2016-04-05 15:24:59 -04:00
vishalnayak
95abdebb06
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
Mark Mickan
a55124f0b6
Ensure authorized_keys file is readable when uninstalling an ssh key
...
Without this change, if the user running the ssh key install script doesn't
have read access to the authorized_keys file when uninstalling a key, all
keys will be deleted from the authorized_keys file.
Fixes GH #1285
2016-04-05 17:26:21 +09:30
Jeff Mitchell
7df3ec46b0
Some fixups around error/warning in LDAP
2016-04-02 13:33:00 -04:00
Jeff Mitchell
40325b8042
If no group DN is configured, still look for policies on local users and
...
return a warning, rather than just trying to do an LDAP search on an
empty string.
2016-04-02 13:11:36 -04:00
Jeff Mitchell
7fd5a679ca
Fix potential error scoping issue.
...
Ping #1262
2016-03-30 19:48:23 -04:00
Jeff Mitchell
3cfcd4ddf1
Check for nil connection back from go-ldap, which apparently can happen even with no error
...
Ping #1262
2016-03-29 10:00:04 -04:00
Jeff Mitchell
17613f5fcf
Removing debugging comment
2016-03-24 09:48:13 -04:00
Jeff Mitchell
4c4a65ebd0
Properly check for policy equivalency during renewal.
...
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.
Fixes #1256
2016-03-24 09:41:51 -04:00
Jeff Mitchell
dfc5a745ee
Remove check for using CSR values with non-CA certificate.
...
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.
Fixes #1250
2016-03-23 10:05:38 -04:00
leon
e7942062bd
- updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list
2016-03-21 19:44:08 +02:00
leon
a82114eeb2
- added another method to search LDAP groups by querying the userDN for memberOf attribute
2016-03-21 16:55:38 +02:00
Jeff Mitchell
3e3621841d
Merge pull request #1227 from hashicorp/issue-477
...
Don't renew cert-based tokens if the policies have changed.
2016-03-17 18:25:39 -04:00
Jeff Mitchell
1951a01998
Add ability to exclude adding the CN to SANs.
...
Fixes #1220
2016-03-17 16:28:40 -04:00
Jeff Mitchell
a8dd6aa4f1
Don't renew cert-based tokens if the policies have changed.
...
Also, add cert renewal testing.
Fixes #477
2016-03-17 14:22:24 -04:00
Jeff Mitchell
77e4ee76bb
Normalize userpass errors around bad user/pass
2016-03-16 15:19:55 -04:00
Jeff Mitchell
8a3f1ad13e
Use 400 instead of 500 for failing to provide a userpass password.
2016-03-16 15:14:28 -04:00
Vishal Nayak
2c0c901eac
Merge pull request #1216 from hashicorp/userpass-update
...
Userpass: Update the password and policies associated to user
2016-03-16 14:58:28 -04:00
vishalnayak
f9b1fc3aa0
Add comments to existence functions
2016-03-16 14:53:53 -04:00
vishalnayak
1951159b25
Addessing review comments
2016-03-16 14:21:14 -04:00
vishalnayak
239ad4ad7e
Refactor updating user values
2016-03-16 13:42:02 -04:00
vishalnayak
533b136fe7
Reduce the visibility of setUser
2016-03-16 11:39:52 -04:00
vishalnayak
2914ff7502
Use helper for existence check. Avoid panic by fetching default values for field data
2016-03-16 11:26:33 -04:00
Vishal Nayak
7db7b47fdd
Merge pull request #1210 from hashicorp/audit-id-path
...
Rename id to path and path to file_path, print audit backend paths
2016-03-15 20:13:21 -04:00
vishalnayak
39a0c8e91f
Read from 'path' to retain backward compatibility
2016-03-15 20:05:51 -04:00
vishalnayak
1e889bc08c
Input validations and field renaming
2016-03-15 17:47:13 -04:00
vishalnayak
a0958c9359
Refactor updating and creating userEntry into a helper function
2016-03-15 17:32:39 -04:00
vishalnayak
acd545f1ed
Fetch and store UserEntry to properly handle both create and update
2016-03-15 17:05:23 -04:00
vishalnayak
9609fe151b
Change path structure of password and policies endpoints in userpass
2016-03-15 16:46:12 -04:00
vishalnayak
8be36b6925
Reuse the variable instead of fetching 'name' again
2016-03-15 16:21:47 -04:00
vishalnayak
61b4cac458
Added paths to update policies and password
2016-03-15 16:12:55 -04:00
vishalnayak
731bb97db5
Tests for updating password and policies in userpass backend
2016-03-15 16:09:23 -04:00
vishalnayak
b7eb0a97e5
Userpass: Support updating policies and password
2016-03-15 15:18:21 -04:00
Jeff Mitchell
8aaf29b78d
Add forgotten test
2016-03-15 14:18:35 -04:00
Jeff Mitchell
8bf935bc2b
Add list support to certs in cert auth backend.
...
Fixes #1212
2016-03-15 14:07:40 -04:00
vishalnayak
71fc07833f
Rename id to path and path to file_path, print audit backend paths
2016-03-14 17:15:07 -04:00
Jeff Mitchell
d648306d52
Add the ability to specify the app-id in the login path.
...
This makes it easier to use prefix revocation for tokens.
Ping #424
2016-03-14 16:24:01 -04:00
Jeff Mitchell
9bfd24cd69
s/hash_accessor/hmac_accessor/g
2016-03-14 14:52:29 -04:00
vishalnayak
ea108fba18
Use accessor being set as the condition to restore non-hashed values
2016-03-14 11:23:30 -04:00
vishalnayak
e09819fedc
Added hash_accessor option to audit backends
2016-03-11 19:28:06 -05:00
Vishal Nayak
343e6f1671
Merge pull request #998 from chrishoffman/mssql
...
Sql Server (mssql) secret backend
2016-03-10 22:30:24 -05:00
Chris Hoffman
b1703fb18d
Cleaning up lease and lease duration vars and params
2016-03-10 21:15:18 -05:00
Chris Hoffman
ba94451875
Removing root protected endpoints
2016-03-10 21:08:39 -05:00
Chris Hoffman
dc7da4f4e8
Changing DROP USER query to a more compatible version
2016-03-10 21:06:50 -05:00
Chris Hoffman
5af33afd90
Adding verify_connection to config, docs updates, misc cleanup
2016-03-09 23:08:05 -05:00
Vishal Nayak
a6d8fc9d98
Merge pull request #1190 from grunzwei/master
...
fix github tests to use the provided GITHUB_ORG environment variable
2016-03-09 09:51:28 -05:00
Nathan Grunzweig
ae469cc796
fix github tests to use the provided GITHUB_ORG environment variable
...
(tests fail for non hashicorp people)
2016-03-09 15:34:03 +02:00
Jeff Mitchell
7a9122bbd1
Sanitize serial number in revocation path.
...
Ping #1180
2016-03-08 10:51:59 -05:00
Jeff Mitchell
34a9cb1a70
Add serial_number back to path_issue_sign responses in PKI
2016-03-08 09:25:48 -05:00
Jeff Mitchell
5a17735dcb
Add subject/authority key id to cert metadata
2016-03-07 14:59:00 -05:00
Jeff Mitchell
11dc3f328f
Add revocation information to PKI fetch output (non-raw only).
...
Fixes #1180
2016-03-07 10:57:38 -05:00
Jeff Mitchell
67b85b8f7f
Error rather than skip Consul acceptance tests if Consul isn't found
2016-03-07 10:09:36 -05:00
Jeff Mitchell
4a3d3ef300
Use better error message on LDAP renew failure
2016-03-07 09:34:16 -05:00
Chris Hoffman
0b4a8f5b94
Adding mssql secret backend
2016-03-03 09:19:17 -05:00
vishalnayak
44208455f6
continue if non-CA policy is not found
2016-03-01 16:43:51 -05:00
vishalnayak
9a3ddc9696
Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow
2016-03-01 16:37:01 -05:00
vishalnayak
cc1592e27a
corrections, policy matching changes and test cert changes
2016-03-01 16:37:01 -05:00
vishalnayak
09eef70853
Added testcase for cert writes
2016-03-01 16:37:01 -05:00
vishalnayak
f056e8a5a5
supporting non-ca certs for verification
2016-03-01 16:37:01 -05:00
vishalnayak
aee006ba2d
moved the test cert keys to appropriate test-fixtures folder
2016-02-29 15:49:08 -05:00
Jeff Mitchell
64ab16d137
Don't spawn consul servers when testing unless it's an acceptance test
2016-02-29 14:58:06 -05:00
Jeff Mitchell
f6092f8311
Don't run transit fuzzing if not during acceptance tests
2016-02-29 14:44:04 -05:00
Jeff Mitchell
2205133ae4
Only run PKI backend setup functions when TF_ACC is set
2016-02-29 14:41:14 -05:00
vishalnayak
cf672400d6
fixed the error log message
2016-02-29 10:41:10 -05:00
vishalnayak
dca18aec2e
replaced old certs, with new certs generated from PKI backend, containing IP SANs
2016-02-28 22:15:54 -05:00
Jeff Mitchell
7ae573b35b
Apply hyphen/underscore replacement across the entire username.
...
Handles app-id generated display names.
Fixes #1140
2016-02-26 15:26:23 -05:00
Jeff Mitchell
e2c15eb693
Merge pull request #1129 from hashicorp/pki-tidy
...
Add "pki/tidy" which allows removing expired certificates.
2016-02-25 10:39:54 -05:00
Jeff Mitchell
6b6005ee2e
Remove root token requirement from GitHub configuration
2016-02-25 08:51:53 -05:00
Jeff Mitchell
8ca847c9b3
Be more explicit about buffer type
2016-02-24 22:05:39 -05:00
Jeff Mitchell
7d41607b6e
Add "tidy/" which allows removing expired certificates.
...
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
vishalnayak
69bcbb28aa
rename verify_cert as disable_binding and invert the logic
2016-02-24 21:01:21 -05:00
vishalnayak
902c780f2b
make the verification of certs in renewal configurable
2016-02-24 16:42:20 -05:00
vishalnayak
bc4710eb06
Cert: renewal enhancements
2016-02-24 14:31:38 -05:00
vishalnayak
053bbd97ea
check CIDR block for renewal as well
2016-02-24 10:55:31 -05:00
vishalnayak
978075a1b4
Added renewal capability to app-id backend
2016-02-24 10:40:15 -05:00
Matt Hurne
11187112bc
Improve error message returned when client attempts to generate STS credentials for a managed policy; addresses #1113
2016-02-23 08:58:28 -05:00
Jeff Mitchell
f56e4a604d
Merge pull request #1114 from hashicorp/dont-delete-certs
...
Do not delete certs (or revocation information)
2016-02-22 16:11:13 -05:00
Jeff Mitchell
4514192145
Address review feedback
2016-02-22 16:11:01 -05:00
Jeff Mitchell
f43ab6a25d
Remove extra debugging from PKI tests
2016-02-22 13:39:05 -05:00
Jeff Mitchell
f27eab1d28
Do not delete certs (or revocation information) to avoid potential
...
issues related to time synchronization. A function will be added to
allow operators to perform cleanup at chosen times.
2016-02-22 13:36:17 -05:00
Jeff Mitchell
51ced69bf8
Fix issue where leftover values after cn tests could trigger errors in ipsan tests
2016-02-22 13:35:57 -05:00
Vishal Nayak
949f8a6b69
Merge pull request #1112 from hashicorp/1089-postgres-connection-url
...
postgres: connection_url fix
2016-02-22 11:36:04 -05:00
Jeff Mitchell
4c327ca4cc
More improvements to PKI tests; allow setting a specific seed, output
...
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
2016-02-22 11:22:52 -05:00
vishalnayak
c9899a5300
postgres: connection_url fix
2016-02-22 11:22:49 -05:00
Jeff Mitchell
8d4c6f4c98
Use more fuzziness in PKI backend tests
2016-02-22 10:59:37 -05:00
Jeff Mitchell
392a26e9cd
Better handle errors from fetchCertBySerial
2016-02-22 10:36:26 -05:00
Kevin Pike
bcaac7f876
Update update operation and uuid references
2016-02-21 15:31:22 -08:00
Kevin Pike
264c9cc40e
Merge branch 'master' into rabbitmq
2016-02-21 14:55:06 -08:00
Kevin Pike
c755065415
Add RabbitMQ secret backend
2016-02-21 14:52:57 -08:00
Jeff Mitchell
fab2d8687a
Remove root requirement for certs/ and crls/ in TLS auth backend.
...
Fixes #468
2016-02-21 15:33:33 -05:00
Jeff Mitchell
58432c5d57
Add tests for minimum key size checking. (This will also verify that the
...
key type matches that of the role, since type assertions are required to
check the bit size). Like the rest, these are fuzz tests; I have
verified that the random seed will eventually hit error conditions if
ErrorOk is not set correctly when we expect an error.
2016-02-19 21:39:40 -05:00
Jeff Mitchell
c57b646848
Check role key type and bits when signing CSR.
...
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
2016-02-19 20:50:49 -05:00
vishalnayak
c4abe72075
Cap the length midString in IAM user's username to 42
2016-02-19 18:31:10 -05:00
Vishal Nayak
773de69796
Merge pull request #1102 from hashicorp/shorten-aws-usernames
...
Set limits on generated IAM user and STS token names.
2016-02-19 18:25:29 -05:00
Jeff Mitchell
574542b683
Some minor changes in mysql commenting and names
2016-02-19 16:44:52 -05:00
Jeff Mitchell
25b9f9b4a6
Set limits on generated IAM user and STS token names.
...
Fixes #1031
Fixes #1063
2016-02-19 16:35:06 -05:00
vishalnayak
a16055c809
mysql: fix error message
2016-02-19 16:07:06 -05:00
vishalnayak
38b55bd8b1
Don't deprecate value field yet
2016-02-19 16:07:06 -05:00
vishalnayak
99f4969b20
Removed connectionString.ConnectionString
2016-02-19 16:07:05 -05:00
vishalnayak
380b662c3d
mysql: provide allow_verification option to disable connection_url check
2016-02-19 16:07:05 -05:00
Jeff Mitchell
6df75231b8
Merge pull request #1100 from hashicorp/issue-1030
...
Properly escape filter values in LDAP filters
2016-02-19 14:56:40 -05:00
Jeff Mitchell
7fc4ee1ed7
Disallow 1024-bit RSA keys.
...
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
Jeff Mitchell
05b5ff69ed
Address some feedback on ldap escaping help text
2016-02-19 13:47:26 -05:00
Jeff Mitchell
d7b40b32db
Properly escape filter values.
...
Fixes #1030
2016-02-19 13:16:52 -05:00
Jeff Mitchell
c67871c36e
Update LDAP documentation with a note on escaping
2016-02-19 13:16:18 -05:00
Jeff Mitchell
d3f3122307
Add tests to ldap using the discover capability
2016-02-19 11:46:59 -05:00
Jeff Mitchell
154c326060
Add ldap tests that use a bind dn and bind password
2016-02-19 11:38:27 -05:00
Vishal Nayak
3e1a07d3d0
Merge pull request #1047 from hashicorp/vault-iss999-github-renewal
...
GitHub renewal enhancements
2016-02-18 16:47:15 -05:00
Vishal Nayak
ba134f5a7a
Merge pull request #1086 from hashicorp/iss962-verify-otp-response-code
...
SSH: Fix response code for ssh/verify
2016-02-18 13:32:28 -05:00
vishalnayak
a6f3b31a36
ssh: Fix response code for ssh/verify
2016-02-16 19:46:29 -05:00
vishalnayak
d9536043e7
Pki: Respond user error when cert is not found instead of internal error
2016-02-16 17:58:57 -05:00
vishalnayak
0b44d81a16
Github renewal enhancement
2016-02-11 20:42:42 -05:00
Jeff Mitchell
3378db0166
Merge pull request #1061 from tomrittervg/tomrittervg-typos-1
...
Fix some typos
2016-02-11 15:12:09 -05:00
Jeff Mitchell
880c9798b7
Merge pull request #1062 from tomrittervg/tomrittervg-AllowedBaseDomain-migration
...
AllowedBaseDomain will stay non-empty in certain error conditions. None of these conditions should be hit anyways, but this provides an extra safety check.
2016-02-11 15:07:54 -05:00
Jeff Mitchell
46b22745c6
Merge pull request #1053 from mwielgoszewski/postgresql-revocation
...
Fix PostgreSQL secret backend issues revoking users
2016-02-11 12:52:37 -05:00
Tom Ritter
a10dc14625
Fix AllowedBaseDomain Migration
...
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.
//untested
2016-02-09 15:42:15 -06:00
Tom Ritter
940a58cb9d
Typo in error message in path_intermediate.go
2016-02-09 15:08:30 -06:00
Tom Ritter
e5952a1c28
Typo in policy.go
2016-02-08 12:00:06 -06:00
Jeff Mitchell
4771884c78
Add slack on NotBefore value for generated certs.
...
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.
Fixes #1035
2016-02-07 14:00:03 -05:00
Jeff Mitchell
eb1deefac1
Introduce a locking inmem storage for unit tests that are doing concurrent things
2016-02-04 09:40:35 -05:00
Jeff Mitchell
70eeaa1519
Add transit fuzz test
2016-02-03 17:36:15 -05:00
Vishal Nayak
d02930fd95
Merge pull request #1013 from hashicorp/fix-ssh-tests
...
Fix SSH tests
2016-02-02 14:22:09 -05:00
vishalnayak
f2e8ac0658
Fix SSH test cases.
2016-02-02 12:32:50 -05:00
Jeff Mitchell
159754acf2
Use capabilities to determine upsert-ability in transit.
2016-02-02 10:03:14 -05:00
Jeff Mitchell
5ef8839e48
Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config"
...
This reverts commit dc27d012c0357f93bfd5bd8d480f3e229166307a.
2016-02-02 09:26:25 -05:00
Jeff Mitchell
1d385b4de3
Re-add upsert into transit. Defaults to off and a new endpoint /config
...
can be used to turn it on for a given mount.
2016-02-01 20:13:57 -05:00
Jeff Mitchell
20f45678e6
Fix comment text
2016-02-01 17:20:16 -05:00
Jeff Mitchell
fc6d23a54e
Allow the format to be specified as pem_bundle, which creates a
...
concatenated PEM file.
Fixes #992
2016-02-01 13:19:41 -05:00
Jeff Mitchell
af73d965a4
Cassandra:
...
* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs
2016-02-01 10:27:26 -05:00
Jeff Mitchell
627082b838
Remove grace periods
2016-01-31 19:33:16 -05:00
Jeff Mitchell
61eec74b4e
Remove app-id renewal for the moment until verification logic is added
2016-01-31 19:12:20 -05:00
Jeff Mitchell
470ea58d73
Match leases in the test
2016-01-29 20:45:38 -05:00
Jeff Mitchell
bf13d68372
Fix userpass acceptance tests by giving it a system view
2016-01-29 20:14:14 -05:00
Jeff Mitchell
bab1220fb8
Fix building of consul backend test
2016-01-29 20:03:38 -05:00
Jeff Mitchell
d3a705f17b
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
Jeff Mitchell
02cd4d7bf6
Merge pull request #979 from hashicorp/transit-locking
...
Implement locking in the transit backend.
2016-01-29 14:40:32 -05:00
Jeff Mitchell
073e755aa6
Update error return strings
2016-01-29 14:40:13 -05:00
Jeff Mitchell
3396b42c6c
Address final review feedback
2016-01-29 14:33:51 -05:00
Jeff Mitchell
cb1928451b
Only specify cert sign / CRL sign for CAs and only specify extended key
...
usages for clients.
This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.
Fixes #987
2016-01-29 10:26:35 -05:00
Jeff Mitchell
2015118958
Add listing of roles to PKI
2016-01-28 15:18:07 -05:00
Jeff Mitchell
f8a375777b
Add list support for mysql roles
2016-01-28 15:04:25 -05:00
Jeff Mitchell
62e3ac83f8
Add list support for postgres roles
2016-01-28 14:41:50 -05:00
Jeff Mitchell
7be090b185
Fix postgres backend test SQL for user priv checking
2016-01-28 14:41:13 -05:00
Jeff Mitchell
12bd2f430b
Ensure generatePolicy checks disk, not just the cache, now that we aren't eager loading
2016-01-28 13:10:59 -05:00
Jeff Mitchell
dd57a3f55d
Add listing of roles to ssh backend
2016-01-28 12:48:00 -05:00
Jeff Mitchell
dd1b94fbd6
Remove eager loading
2016-01-28 08:59:05 -05:00
Jeff Mitchell
be83340b14
Embed the cache directly
2016-01-27 21:59:20 -05:00
Jeff Mitchell
1ebae324ce
Merge pull request #942 from wikiwi/fix-ssh-open-con
...
Cleanly close SSH connections
2016-01-27 17:18:54 -05:00
Jeff Mitchell
01102f0d06
Merge pull request #975 from vetinari/ldapbind
...
Implement LDAP username/password binding support, as well as anonymous search.
2016-01-27 17:06:45 -05:00
Jeff Mitchell
48c9f79896
Implement locking in the transit backend.
...
This ensures that we can safely rotate and modify configuration
parameters with multiple requests in flight.
As a side effect we also get a cache, which should provide a nice
speedup since we don't need to decrypt/deserialize constantly, which
would happen even with the physical LRU.
2016-01-27 17:03:21 -05:00
Jeff Mitchell
d1b2bf3183
Move archive location; also detect first load of a policy after archive
...
is added and cause the keys to be copied to the archive.
2016-01-27 13:41:37 -05:00
Jeff Mitchell
369d0bbad0
Address review feedback
2016-01-27 13:41:37 -05:00
Jeff Mitchell
e5a58109ec
Store all keys in archive always
2016-01-27 13:41:37 -05:00
Jeff Mitchell
30ffc18c19
Add unit tests
2016-01-27 13:41:37 -05:00
Jeff Mitchell
5000711a67
Force min decrypt version to 1 if it's zero, which allows fixing problematic archiving logic
2016-01-27 13:41:37 -05:00
Jeff Mitchell
7a27dd5cb3
Fix logic bug when restoring keys
2016-01-27 13:41:37 -05:00
Jeff Mitchell
004b35be36
Fix decrementing instead of incrementing
2016-01-27 13:41:37 -05:00
Jeff Mitchell
beafe25508
Initial transit key archiving work
2016-01-27 13:41:37 -05:00
Hanno Hecker
0db33274b7
discover bind dn with anonymous binds
2016-01-27 17:06:27 +01:00
Hanno Hecker
4606cd1492
fix stupid c&p error
2016-01-26 16:15:25 +01:00
Hanno Hecker
6a570345a0
add binddn/bindpath to search for the users bind DN
2016-01-26 15:56:41 +01:00
Jeff Mitchell
7390cd5264
Add a max_idle_connections parameter.
2016-01-25 14:47:07 -05:00
Jeff Mitchell
12c00b97ef
Allow backends to see taint status.
...
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.
Fixes #946
2016-01-22 17:01:22 -05:00
Dmitriy Gromov
70ef2e3398
STS now uses root vault user for keys
...
The secretAccessKeysRevoke revoke function now asserts that it is
not dealing with STS keys by checking a new internal data flag. Defaults
to IAM when the flag is not found.
Factored out genUsername into its own function to share between STS and
IAM secret creation functions.
Fixed bad call to "WriteOperation" instead of "UpdateOperation" in
aws/backend_test
2016-01-21 15:04:16 -05:00
Dmitriy Gromov
4abca91d66
Renamed sts duration to ttl and added STS permissions note.
2016-01-21 14:28:34 -05:00
Dmitriy Gromov
f251b13aaa
Removing debug print statement from sts code
2016-01-21 14:05:10 -05:00
Dmitriy Gromov
1cf8153dfd
Fixed duration type and added acceptance test for sts
2016-01-21 14:05:10 -05:00
Dmitriy Gromov
71afb7cff0
Configurable sts duration
2016-01-21 14:05:09 -05:00
Jack DeLoach
8fecccde21
Add STS path to AWS backend.
...
The new STS path allows for obtaining the same credentials that you would get
from the AWS "creds" path, except it will also provide a security token, and
will not have an annoyingly long propagation time before returning to the user.
2016-01-21 14:05:09 -05:00
Jeff Mitchell
0f0949ab06
Merge pull request #895 from nickithewatt/aws-prexisting-policies
...
Allow use of pre-existing policies for AWS users
2016-01-21 13:23:37 -05:00
Chi Vinh Le
f3e5e44cd0
Cleanly close SSH connections
2016-01-19 07:59:08 +01:00
Jeff Mitchell
9c5ad28632
Update deps, and adjust usage of go-uuid to match new return values
2016-01-13 13:40:08 -05:00
Jeff Mitchell
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Marcin Wielgoszewski
bde81080c9
Address issues with properly revoking a user via these additional REVOKE statements
2016-01-06 09:22:55 -05:00
Nicki Watt
62c22a5f73
Updated AWS policy help messages
2015-12-30 19:41:07 +00:00
Nicki Watt
cd4ca21b58
Allow use of pre-existing policies for AWS users
2015-12-30 18:05:54 +00:00
Jeff Mitchell
134b4d2a42
Built on GH-890 to add other types
2015-12-29 13:07:24 -05:00
Jeff Mitchell
b85c29349f
Merge pull request #890 from ironSource/pki-fix
...
fix CA compatibility with OpenSSL
2015-12-29 12:04:03 -06:00
Issac Goldstand
fba756075a
fix CA compatibility with OpenSSL
2015-12-29 18:52:43 +02:00
Jeff Mitchell
1a324cf347
Make TokenHelper an interface and split exisiting functionality
...
Functionality is split into ExternalTokenHelper, which is used if a path
is given in a configuration file, and InternalTokenHelper which is used
otherwise. The internal helper no longer shells out to the same Vault
binary, instead performing the same actions with internal code. This
avoids problems using dev mode when there are spaces in paths or when
the binary is built in a container without a shell.
Fixes #850 among others
2015-12-22 10:23:30 -05:00
Jeff Mitchell
f2da5b639f
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
Jeff Mitchell
dd445a53a5
Update key usage logic
...
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
Windows Crypto API and Go's validation logic
Fixes #846
2015-12-14 14:23:51 -05:00
Jeff Mitchell
6ad1b75caf
Merge branch 'master' into pki-csrs
2015-12-01 00:09:23 -05:00
Jeff Mitchell
64cd58463b
Fix AWS tests
2015-12-01 00:05:04 -05:00
Jeff Mitchell
4eec9d69e8
Change allowed_base_domain to allowed_domains and allow_base_domain to
...
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00