Commit graph

282 commits

Author SHA1 Message Date
Vishal Nayak 15b3d8738e Transit: backup/restore (#3637) 2017-12-14 12:51:50 -05:00
Vishal Nayak 48ac5caaa9
Transit: Refactor internal representation of key entry map (#3652)
* convert internal map to index by string

* Add upgrade test for internal key entry map

* address review feedback
2017-12-06 18:24:00 -05:00
Calvin Leung Huang 8f87854b86
Clarify api_addr related errors on VaultPluginTLSProvider (#3620)
* Mention api_addr on VaultPluginTLSProvider logs, update docs

* Clarify message and mention automatic api_address detection

* Change error message to use api_addr

* Change error messages to use api_addr
2017-12-05 12:01:35 -05:00
Jeff Mitchell 548629e8ef Port over some changes 2017-11-30 09:43:07 -05:00
Jeff Mitchell 2b78bc2a9b
Port over bits (#3575) 2017-11-13 15:31:32 -05:00
Jeff Mitchell fdaed84e82
Add ability to send seal wrap response info into cubbyhole request. (#3562)
Ref 84f80db4bf499ce7345615cc2def77e7d48bc690
2017-11-09 12:47:42 -05:00
Jeff Mitchell a2db5671c5 Add logbridge for testing 2017-11-07 15:50:09 -05:00
Jeff Mitchell 17310654a1
Add PKCS8 marshaling to PKI (#3518) 2017-11-06 12:05:07 -05:00
Vishal Nayak 52df62d4ff
Encrypt/Decrypt/Sign/Verify using RSA in Transit backend (#3489)
* encrypt/decrypt/sign/verify RSA

* update path-help and doc

* Fix the bug which was breaking convergent encryption

* support both 2048 and 4096

* update doc to contain both 2048 and 4096

* Add test for encrypt, decrypt and rotate on RSA keys

* Support exporting RSA keys

* Add sign and verify test steps

* Remove 'RSA' from PEM header

* use the default salt length

* Add 'RSA' to PEM header since openssl is expecting that

* export rsa keys as signing-key as well

* Comment the reasoning behind the PEM headers

* remove comment

* update comment

* Parameterize hashing for RSA signing and verification

* Added test steps to check hash algo choice for RSA sign/verify

* fix test by using 'prehashed'
2017-11-03 10:45:53 -04:00
Chris Hoffman 83ea47f706
fixing test after field rename (#3530) 2017-11-03 10:29:42 -04:00
Jeff Mitchell 3a2440a651
Check input size to avoid a panic (#3521) 2017-11-02 16:40:52 -05:00
Vishal Nayak 7bae606662
External identity groups (#3447)
* external identity groups

* add local LDAP groups as well to group aliases

* add group aliases for okta credential backend

* Fix panic in tests

* fix build failure

* remove duplicated struct tag

* add test steps to test out removal of group member during renewals

* Add comment for having a prefix check in router

* fix tests

* s/parent_id/canonical_id

* s/parent/canonical in comments and errors
2017-11-02 16:05:48 -04:00
Brian Kassouf 7fed43c035
Add the ability to glob allowed roles in the Database Backend (#3387)
* Add the ability to glob allowed roles in the Database Backend

* Make the error messages better

* Switch to the go-glob repo
2017-10-30 13:24:25 -07:00
Jeff Mitchell a80791ce7e Update proto 2017-10-23 17:45:05 -04:00
Jeff Mitchell c144f95be0 Sync over 2017-10-23 16:43:07 -04:00
Vishal Nayak 2ede750c78 return the actual error for base64 decoding failure (#3397) 2017-10-20 11:21:45 -04:00
Vishal Nayak f7ed6732a5 Porting identity store (#3419)
* porting identity to OSS

* changes that glue things together

* add testing bits

* wrapped entity id

* fix mount error

* some more changes to core

* fix storagepacker tests

* fix some more tests

* fix mount tests

* fix http mount tests

* audit changes for identity

* remove upgrade structs on the oss side

* added go-memdb to vendor
2017-10-11 10:21:20 -07:00
Jeff Mitchell 9077adb377 Sanitize policy behavior across backends (#3324)
Fixes #3323
Fixes #3318

* Fix tests

* Fix tests
2017-09-13 11:36:52 -04:00
Jeff Mitchell 481b4a8b7f Fix typo in transit error 2017-09-13 11:05:57 -04:00
Brian Kassouf a8d9426d9f Update locking components from DR replication changes (#3283)
* Update locking components from DR replication changes

* Fix plugin backend test

* Add a comment about needing the statelock:
2017-09-04 19:38:37 -04:00
Calvin Leung Huang a581e96b78 Lazy-load plugin mounts (#3255)
* Lazy load plugins to avoid setup-unwrap cycle

* Remove commented blocks

* Refactor NewTestCluster, use single core cluster on basic plugin tests

* Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly

* Add special path to mock plugin

* Move ensureCoresSealed to vault/testing.go

* Use same method for EnsureCoresSealed and Cleanup

* Bump ensureCoresSealed timeout to 60s

* Correctly handle nil opts on NewTestCluster

* Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap

* Check metadata flag directly on the plugin process

* Plumb isMetadataMode down to PluginRunner

* Add NOOP shims when running in metadata mode

* Remove unused flag from the APIMetadata object

* Remove setupSecretPlugins and setupCredentialPlugins functions

* Move when we setup rollback manager to after the plugins are initialized

* Fix tests

* Fix merge issue

* start rollback manager after the credential setup

* Add guards against running certain client and server functions while in metadata mode

* Call initialize once a plugin is loaded on the fly

* Add more tests, update basic secret/auth plugin tests to trigger lazy loading

* Skip mount if plugin removed from catalog

* Fixup

* Remove commented line on LookupPlugin

* Fail on mount operation if plugin is re-added to catalog and mount is on existing path

* Check type and special paths on startBackend

* Fix merge conflicts

* Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth
2017-09-01 01:02:03 -04:00
Jeff Mitchell d62937aaf3 Use TypeDurationSecond for TTL values in PKI. (#3270) 2017-08-31 15:46:13 -04:00
Jeff Mitchell 3edb337a00 Add option to set cluster TLS cipher suites. (#3228)
* Add option to set cluster TLS cipher suites.

Fixes #3227
2017-08-30 16:28:23 -04:00
Calvin Leung Huang b023d46cb8 Direct plugin logs through vault's logger (#3142)
* Direct plugin logs through vault's logger

* Pass in a logger in testConfig
2017-08-15 10:16:48 -04:00
Jeff Mitchell a133286609 Switch policies in AppRole to TypeCommaStringSlice (#3163) 2017-08-14 20:15:51 -04:00
Jeff Mitchell cca327feae Only use specified HTTP client for AWS creds if one is passed in. (#3161)
Probably fixes #3159
2017-08-14 12:43:11 -04:00
Brian Kassouf a023ab5152 Fix MySQL legacy username regression (#3141)
* Fix the mysql legacy username length

* Remove boolean parameter

* Add a MySQL 5.6 container to test the legacy MySQL plugin against

* Add database plugins to the make file

* Fix credsutil test
2017-08-10 18:28:18 -07:00
Calvin Leung Huang db9d9e6415 Store original request path in WrapInfo (#3100)
* Store original request path in WrapInfo as CreationPath

* Add wrapping_token_creation_path to CLI output

* Add CreationPath to AuditResponseWrapInfo

* Fix tests

* Add and fix tests, update API docs with new sample responses
2017-08-02 18:28:58 -04:00
Jeff Mitchell 7e3ff5e56c Add PROXY protocol support (#3098) 2017-08-02 18:24:12 -04:00
Jeff Mitchell 4885b3e502 Use RemoteCredProvider instead of EC2RoleProvider (#2983) 2017-07-31 18:27:16 -04:00
Jeff Mitchell 1bfc6d4fe7 Add a -dev-three-node option for devs. (#3081) 2017-07-31 11:28:06 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Chris Hoffman a449424bde only check special characters on CLI when not in key=value format (#2998) 2017-07-12 13:28:57 -07:00
Tony Cai 07088fe8a0 Added HANA database plugin (#2811)
* Added HANA dynamic secret backend

* Added acceptance tests for HANA secret backend

* Add HANA backend as a logical backend to server

* Added documentation to HANA secret backend

* Added vendored libraries

* Go fmt

* Migrate hana credential creation to plugin

* Removed deprecated hana logical backend

* Migrated documentation for HANA database plugin

* Updated HANA DB plugin to use role name in credential generation

* Update HANA plugin tests

* If env vars are not configured, tests will skip rather than succeed

* Fixed some improperly named string variables

* Removed unused import

* Import SAP hdb driver
2017-07-07 13:11:23 -07:00
Vishal Nayak 5dbf30eb81 compressutil: Add Snappy support (#2987) 2017-07-07 14:43:45 -04:00
Chris Hoffman 551f91e8e2 properly unlock policy when returning key setting errors (#2974) 2017-07-05 11:47:15 -04:00
Dan Everton 32add0809e More efficient s3 paging (#2780) 2017-06-16 11:09:15 -04:00
Jeff Mitchell a7fca34076 Add ability to specify encryption key version in transit (#2821) 2017-06-06 16:02:54 -04:00
Brian Kassouf 606fe393be Use the role name in the db username (#2812) 2017-06-06 09:49:49 -04:00
Jeff Mitchell 3eebd5cf5a ed25519 support in transit (#2778) 2017-06-05 15:00:39 -04:00
Jeff Mitchell 0d4e7fba69 Remove non-gRPC request forwarding 2017-05-24 09:34:59 -04:00
vishalnayak 07704fa81c Fix index out of range bug in ParseKeyValues 2017-05-17 21:47:13 -04:00
Jeff Mitchell 858deb9ca4 Don't allow parent references in file paths 2017-05-12 13:52:33 -04:00
Calvin Leung Huang d52228c843 Add mongodb plugin to builtin list 2017-05-11 19:29:28 -04:00
Seth Rutner 3874b63af3 Fix typos in error message (#2692) 2017-05-10 10:28:35 -04:00
Jeff Mitchell 45eaa7ad01 Increase plugin wrapping token time to 60 seconds; 10 can be too short as seen in tests 2017-05-09 09:50:07 -04:00
Brian Kassouf 5ee0d696d4 Merge remote-tracking branch 'oss/master' into database-refactor 2017-05-04 10:45:18 -07:00
Brian Kassouf 29bfc0a0d4 PR comments 2017-05-04 10:41:59 -07:00
Brian Kassouf 0875e78a13 Feedback from PR 2017-05-03 17:37:34 -07:00
Brian Kassouf 223598c675 Add the other mysql plugin types with the correct username length settings 2017-05-03 13:33:56 -07:00