6f6f242061
Add logic to skip initialization in some cases and some invalidation logic
2017-05-05 15:01:52 -04:00
537342f038
Fixing printf (and similar) issues ( #2666 )
2017-05-01 23:34:10 -04:00
e06a78a474
Create unified aws auth backend ( #2441 )
...
* Rename builtin/credential/aws-ec2 to aws
The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.
* Expand aws-ec2 backend to more generic aws
This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.
* Add missing aws auth handler to CLI
This was omitted from the previous commit
* aws auth backend general variable name cleanup
Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.
* Update docs for the aws auth backend
* Refactor aws bind validation
* Fix env var override in aws backend test
Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.
* Update docs on use of IAM authentication profile
AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.
* Fix typo in aws auth cli help
* Respond to PR feedback
* More PR feedback
* Respond to additional PR feedback
* Address more feedback on aws auth PR
* Make aws auth_type immutable per role
* Address more aws auth PR feedback
* Address more iam auth PR feedback
* Rename aws-ec2.html.md to aws.html.md
Per PR feedback, to go along with new backend name.
* Add MountType to logical.Request
* Make default aws auth_type dependent upon MountType
When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.
* Pass MountPoint and MountType back up to the core
Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
950c76c020
rename credential/aws as credential/aws-ec2
2016-05-30 14:11:15 -04:00
1d94828e45
Re-enable rollback triggers for auth backends
2016-05-26 14:29:41 -04:00
c0e745dbfa
s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends
2016-05-26 10:21:03 -04:00
65801942cb
Naming of the locked and nonLocked methods
2016-05-17 20:39:24 -04:00
4122ed860b
Rename 'role_name' to 'role'
2016-05-13 14:31:13 -04:00
be88306f92
Name the files based on changed path patterns
2016-05-12 11:52:07 -04:00
7e8a2d55d0
Update docs and path names to the new patterns
2016-05-12 11:45:10 -04:00
d09748a135
Fix the acceptance tests
2016-05-09 22:07:51 -04:00
95f3f08d29
Call client config internal from the locking method
2016-05-09 21:01:57 -04:00
4549625367
Update client code to use internal entry fetching
2016-05-09 23:26:00 +00:00
c16b0a4f41
Switch whitelist to use longest max TTL
2016-05-05 20:44:48 -04:00
7a6c76289a
Role tag updates
2016-05-05 15:32:14 -04:00
b58ad615f2
Fix HMAC being overwritten. Also some documentation, and add a lock to role operations
2016-05-05 14:51:09 -04:00
0eddeb5c94
Guard tidy functions
2016-05-05 14:28:46 -04:00
2d4c390f87
More updates to mutexes and adjust blacklisted roletag default safety buffer
2016-05-05 14:12:22 -04:00
8fef6e3ac0
Rename identity whitelist and roletag blacklist api endpoints
2016-05-05 13:34:50 -04:00
c69ba40d05
Move some mutexes around
2016-05-05 12:53:27 -04:00
f689e4712d
Update some mutexes in client config
2016-05-05 12:44:40 -04:00
c15c227774
Fall back to non-base64 cert if it can't be decoded (it's checked later anyways)
2016-05-05 11:36:28 -04:00
25913fb18c
Update commenting
2016-05-05 11:22:36 -04:00
15cbcedf1f
Make the roletag blacklist the longest duration, not least
2016-05-05 11:00:41 -04:00
e45d6c1120
Switch client code to shared awsutil code
2016-05-05 10:40:49 -04:00
b7c48ba109
Change image/ to a more flexible /role endpoint
2016-05-03 23:36:59 -04:00
9f2a111e85
Allow custom endpoint URLs to be supplied to make EC2 API calls
2016-05-02 17:21:52 -04:00
1c91f652d4
Remove unnecessary append call
2016-04-30 03:20:21 -04:00
23d8ce62a3
Ensure that the instance is running during renewal
2016-04-28 16:34:35 -04:00
2a2dc0befb
Added allow_instance_migration to the role tag
2016-04-28 11:43:48 -04:00
4161d3ef4f
Change all time references to UTC
2016-04-28 10:19:29 -04:00
e591632630
Fix the deadlock issue
2016-04-28 01:01:33 -04:00
4712533f1d
minor updates
2016-04-28 00:35:49 -04:00
e6a9a5957d
Refactor locks around config tidy endpoints
2016-04-27 22:32:43 -04:00
b75a6e2f0f
Fix locking around config/client
2016-04-27 22:25:15 -04:00
0e97b57beb
Fix the list response of role tags
2016-04-27 22:03:11 -04:00
779d73ce2b
Removed existence check on blacklist/roletags, docs fixes
2016-04-27 21:29:32 -04:00
d44326ded6
Remove unnecessary lock switching around flushCachedEC2Clients
2016-04-27 20:13:56 -04:00
e1080f86ed
Remove recreate parameter from clientEC2
2016-04-27 20:01:39 -04:00
441477f342
Added ami_id to token metadata
2016-04-27 11:32:05 -04:00
7144fd54f9
Added tests
2016-04-26 23:40:11 -04:00
88942b0503
Added tests
2016-04-26 10:22:29 -04:00
5a676a129e
Added tests
2016-04-26 10:22:29 -04:00
e16f256b14
Added tests
2016-04-26 10:22:29 -04:00
3a4021d6c4
Added tests
2016-04-26 10:22:29 -04:00
de1a1be564
tidy endpoint fixes
2016-04-26 10:22:29 -04:00
044d01fd69
HMAC Key per AMI ID and avoided secondary call to AWS to fetch the tags
2016-04-26 10:22:29 -04:00
5996c3e9d8
Rework and refactoring
2016-04-26 10:22:29 -04:00
3aeae62c00
Added mutex locking for config/certificate endpoint
2016-04-26 10:22:29 -04:00
21854776af
Added cooldown period for periodic tidying operation
2016-04-26 10:22:29 -04:00
9aa8fb6cc1
Support periodic tidy callback and config endpoints.
2016-04-26 10:22:29 -04:00
2810196e0f
Use fullsailor/pkcs7 package instead of its fork. Fix tests
2016-04-26 10:22:29 -04:00
5a2e1340df
Removed redundant AWS public certificate. Docs update.
2016-04-26 10:22:29 -04:00
a456f2c3f6
Removed `region` parameter from `config/client` endpoint.
...
Region to create ec2 client objects is fetched from the identity document.
Maintaining a map of cached clients indexed by region.
2016-04-26 10:22:29 -04:00
790b143c75
Instance ID can optionally be accepted as a the role tag parameter.
2016-04-26 10:22:29 -04:00
58c485f519
Support providing multiple certificates.
...
Append all the certificates to the PKCS#7 parser during signature verification.
2016-04-26 10:22:29 -04:00
9d4a7c5901
Docs update
2016-04-26 10:22:29 -04:00
ba9c86c92d
Added acceptance test for login endpoint
2016-04-26 10:22:29 -04:00
c2c1a5eedc
Added test case TestBackend_PathBlacklistRoleTag
2016-04-26 10:22:29 -04:00
85c9176cb4
Return 4xx error at appropriate places
2016-04-26 10:22:29 -04:00
1841ef0ebf
Tested pathImageTag
2016-04-26 10:22:29 -04:00
80e3063334
Tested parseRoleTagValue
2016-04-26 10:22:29 -04:00
dab1a00313
Make client nonce optional even during first login, when disallow_reauthentication is set
2016-04-26 10:22:29 -04:00
e0cf8c5608
Rename 'name' to 'ami_id' for clarity
2016-04-26 10:22:29 -04:00
092feca996
Moved HMAC parsing inside parseRoleTagValue
2016-04-26 10:22:29 -04:00
ddfdf37d33
Properly handle empty client nonce case when disallow_reauthentication is set
2016-04-26 10:22:29 -04:00
b8d9b18193
Added disallow_reauthentication feature
2016-04-26 10:22:29 -04:00
a1d07cbff5
Remove todo and change clientNonce length limit to 128 chars
2016-04-26 10:22:28 -04:00
bb276d350a
Fix typo
2016-04-26 10:22:28 -04:00
a5aadc908d
Add environment and EC2 instance metadata role providers for AWS creds.
2016-04-26 10:22:28 -04:00
012f9273f7
Remove certificate verification
2016-04-26 10:22:28 -04:00
41cc7c4a15
Test path config/certificate
2016-04-26 10:22:28 -04:00
5ff8d0cf96
Add existence check verification to config/client testcase
2016-04-26 10:22:28 -04:00
3286194384
Testing pathImage
2016-04-26 10:22:28 -04:00
a8082a9a6e
allow_instance_reboot -> allow_instance_migration
2016-04-26 10:22:28 -04:00
075a81214e
Update image output to show allow_instance_reboot value and keep policies in a list
2016-04-26 10:22:28 -04:00
91433fedf2
Changed the blacklist URL pattern to optionally accept base64 encoded role tags
2016-04-26 10:22:28 -04:00
efcc07967e
Accept instance_id in the URL for whitelist endpoint
2016-04-26 10:22:28 -04:00
cf56895772
Switch around some logic to be more consistent/readable and respect max
...
TTL on initial token issuance.
2016-04-26 10:22:28 -04:00
338054d49e
Return un-expired entries from blacklist and whitelist
2016-04-26 10:22:28 -04:00
b6bd30b9fb
Test ConfigClient
2016-04-26 10:22:28 -04:00
d3adc85886
AWS EC2 instances authentication backend
2016-04-26 10:22:28 -04:00
Jeff Mitchell