Commit graph

512 commits

Author SHA1 Message Date
Calvin Leung Huang a581e96b78 Lazy-load plugin mounts (#3255)
* Lazy load plugins to avoid setup-unwrap cycle

* Remove commented blocks

* Refactor NewTestCluster, use single core cluster on basic plugin tests

* Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly

* Add special path to mock plugin

* Move ensureCoresSealed to vault/testing.go

* Use same method for EnsureCoresSealed and Cleanup

* Bump ensureCoresSealed timeout to 60s

* Correctly handle nil opts on NewTestCluster

* Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap

* Check metadata flag directly on the plugin process

* Plumb isMetadataMode down to PluginRunner

* Add NOOP shims when running in metadata mode

* Remove unused flag from the APIMetadata object

* Remove setupSecretPlugins and setupCredentialPlugins functions

* Move when we setup rollback manager to after the plugins are initialized

* Fix tests

* Fix merge issue

* start rollback manager after the credential setup

* Add guards against running certain client and server functions while in metadata mode

* Call initialize once a plugin is loaded on the fly

* Add more tests, update basic secret/auth plugin tests to trigger lazy loading

* Skip mount if plugin removed from catalog

* Fixup

* Remove commented line on LookupPlugin

* Fail on mount operation if plugin is re-added to catalog and mount is on existing path

* Check type and special paths on startBackend

* Fix merge conflicts

* Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth
2017-09-01 01:02:03 -04:00
Jeff Mitchell d62937aaf3 Use TypeDurationSecond for TTL values in PKI. (#3270) 2017-08-31 15:46:13 -04:00
Jeff Mitchell 3edb337a00 Add option to set cluster TLS cipher suites. (#3228)
* Add option to set cluster TLS cipher suites.

Fixes #3227
2017-08-30 16:28:23 -04:00
Calvin Leung Huang b023d46cb8 Direct plugin logs through vault's logger (#3142)
* Direct plugin logs through vault's logger

* Pass in a logger in testConfig
2017-08-15 10:16:48 -04:00
Jeff Mitchell a133286609 Switch policies in AppRole to TypeCommaStringSlice (#3163) 2017-08-14 20:15:51 -04:00
Jeff Mitchell cca327feae Only use specified HTTP client for AWS creds if one is passed in. (#3161)
Probably fixes #3159
2017-08-14 12:43:11 -04:00
Brian Kassouf a023ab5152 Fix MySQL legacy username regression (#3141)
* Fix the mysql legacy username length

* Remove boolean parameter

* Add a MySQL 5.6 container to test the legacy MySQL plugin against

* Add database plugins to the make file

* Fix credsutil test
2017-08-10 18:28:18 -07:00
Calvin Leung Huang db9d9e6415 Store original request path in WrapInfo (#3100)
* Store original request path in WrapInfo as CreationPath

* Add wrapping_token_creation_path to CLI output

* Add CreationPath to AuditResponseWrapInfo

* Fix tests

* Add and fix tests, update API docs with new sample responses
2017-08-02 18:28:58 -04:00
Jeff Mitchell 7e3ff5e56c Add PROXY protocol support (#3098) 2017-08-02 18:24:12 -04:00
Jeff Mitchell 4885b3e502 Use RemoteCredProvider instead of EC2RoleProvider (#2983) 2017-07-31 18:27:16 -04:00
Jeff Mitchell 1bfc6d4fe7 Add a -dev-three-node option for devs. (#3081) 2017-07-31 11:28:06 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Chris Hoffman a449424bde only check special characters on CLI when not in key=value format (#2998) 2017-07-12 13:28:57 -07:00
Tony Cai 07088fe8a0 Added HANA database plugin (#2811)
* Added HANA dynamic secret backend

* Added acceptance tests for HANA secret backend

* Add HANA backend as a logical backend to server

* Added documentation to HANA secret backend

* Added vendored libraries

* Go fmt

* Migrate hana credential creation to plugin

* Removed deprecated hana logical backend

* Migrated documentation for HANA database plugin

* Updated HANA DB plugin to use role name in credential generation

* Update HANA plugin tests

* If env vars are not configured, tests will skip rather than succeed

* Fixed some improperly named string variables

* Removed unused import

* Import SAP hdb driver
2017-07-07 13:11:23 -07:00
Vishal Nayak 5dbf30eb81 compressutil: Add Snappy support (#2987) 2017-07-07 14:43:45 -04:00
Chris Hoffman 551f91e8e2 properly unlock policy when returning key setting errors (#2974) 2017-07-05 11:47:15 -04:00
Dan Everton 32add0809e More efficient s3 paging (#2780) 2017-06-16 11:09:15 -04:00
Jeff Mitchell a7fca34076 Add ability to specify encryption key version in transit (#2821) 2017-06-06 16:02:54 -04:00
Brian Kassouf 606fe393be Use the role name in the db username (#2812) 2017-06-06 09:49:49 -04:00
Jeff Mitchell 3eebd5cf5a ed25519 support in transit (#2778) 2017-06-05 15:00:39 -04:00
Jeff Mitchell 0d4e7fba69 Remove non-gRPC request forwarding 2017-05-24 09:34:59 -04:00
vishalnayak 07704fa81c Fix index out of range bug in ParseKeyValues 2017-05-17 21:47:13 -04:00
Jeff Mitchell 858deb9ca4 Don't allow parent references in file paths 2017-05-12 13:52:33 -04:00
Calvin Leung Huang d52228c843 Add mongodb plugin to builtin list 2017-05-11 19:29:28 -04:00
Seth Rutner 3874b63af3 Fix typos in error message (#2692) 2017-05-10 10:28:35 -04:00
Jeff Mitchell 45eaa7ad01 Increase plugin wrapping token time to 60 seconds; 10 can be too short as seen in tests 2017-05-09 09:50:07 -04:00
Brian Kassouf 5ee0d696d4 Merge remote-tracking branch 'oss/master' into database-refactor 2017-05-04 10:45:18 -07:00
Brian Kassouf 29bfc0a0d4 PR comments 2017-05-04 10:41:59 -07:00
Brian Kassouf 0875e78a13 Feedback from PR 2017-05-03 17:37:34 -07:00
Brian Kassouf 223598c675 Add the other mysql plugin types with the correct username length settings 2017-05-03 13:33:56 -07:00
Brian Kassouf b60ff2048d Update docs and add cassandra as a builtin plugin 2017-05-02 17:04:49 -07:00
Brian Kassouf fdf045b3bd Fix a few PR comments 2017-05-02 15:59:08 -07:00
Brian Kassouf 29d9b831d3 Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 14:40:11 -07:00
Ben Gadbois 537342f038 Fixing printf (and similar) issues (#2666) 2017-05-01 23:34:10 -04:00
Brian Kassouf 9a60ec9fda Update interface name from Wrapper to a more descriptive RunnerUtil 2017-05-01 14:59:55 -07:00
Vishal Nayak 8bb6c8caef Return error message for failure to parse CSR (#2657) 2017-04-28 08:30:24 -04:00
Brian Kassouf 6a1ae9160d Add mssql builtin plugin type 2017-04-26 10:34:45 -07:00
Brian Kassouf ce9688ce8c Change MlockDisabled to MlockEnabled 2017-04-24 12:21:49 -07:00
Brian Kassouf 657d433330 Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 12:15:01 -07:00
Brian Kassouf 6c8239ba03 Update the builtin keys; move catalog to core; protect against unset plugin directory 2017-04-24 10:30:33 -07:00
Brian Kassouf 6f9d178370 Calls to builtin plugins now go directly to the implementation instead of go-plugin 2017-04-20 18:46:41 -07:00
Brian Kassouf 2ab159569d Use the same TLS cert for the server and client 2017-04-19 15:46:07 -07:00
Brian Kassouf af9ff63e9a Merge remote-tracking branch 'oss/master' into database-refactor 2017-04-19 15:16:00 -07:00
Chris Hoffman 847c86f788 Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings (#2614) 2017-04-19 10:39:07 -04:00
Chris Hoffman 6afcf2aa7d List Handling in API and CLI (#2584) 2017-04-18 16:02:31 -04:00
Brian Kassouf 4e9f89430c Move plugins into main vault repo 2017-04-13 13:48:32 -07:00
Brian Kassouf cfe25e2a00 Add comments to the plugin runner 2017-04-12 17:35:53 -07:00
Brian Kassouf 8ccf10641b Merge branch 'master' into database-refactor 2017-04-12 14:29:10 -07:00
Brian Kassouf faaeb09065 Add remaining crud functions to plugin catalog and tests 2017-04-12 09:40:54 -07:00
Brian Kassouf 8071aed758 Mlock the plugin process 2017-04-10 17:12:52 -07:00
Brian Kassouf 93136ea51e Add backend test 2017-04-07 15:50:03 -07:00
Brian Kassouf 62d59e5f4e Move plugin code into sub directory 2017-04-06 12:20:10 -07:00
Brian Kassouf 2e23cf58b8 Add postgres builtin plugin 2017-04-05 17:19:29 -07:00
Brian Kassouf ca2c3d0c53 Refactor to use builtin plugins from an external repo 2017-04-05 16:20:31 -07:00
Brian Kassouf b071144c67 move builtin plugins list to the pluginutil 2017-04-05 11:00:13 -07:00
Jeff Mitchell 709389dd36 Use ParseStringSlice on PKI organization/organizational unit. (#2561)
After, separately dedup and use new flag to not lowercase value.

Fixes #2555
2017-04-04 08:54:18 -07:00
Brian Kassouf e8781b6a2b Plugin catalog 2017-04-03 17:52:29 -07:00
Brian Kassouf c50a6ebc39 Add functionaility to build db objects from disk so restarts work 2017-03-28 11:30:45 -07:00
Brian Kassouf 29ae4602dc More work on getting tests to pass 2017-03-23 15:54:15 -07:00
Brian Kassouf d453008dea Update the name of PluginUnwrapTokenEnv 2017-03-16 14:17:44 -07:00
Brian Kassouf f2df4ef0e7 Comment and slight refactor of the TLS plugin helper 2017-03-16 14:14:49 -07:00
Brian Kassouf 0a52ea5c69 Break tls code into helper library 2017-03-16 11:55:21 -07:00
Jeff Mitchell 3d162b63cc Use locks in a slice rather than a map, which is faster and makes things cleaner (#2446) 2017-03-07 11:21:32 -05:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Brian Kassouf e62f5dbc31 Allowed/Denied parameters support for globs (#2438)
* Add check for globbed strings

* Add tests for the acl globbing

* Fix bad test case
2017-03-03 14:50:55 -08:00
Jeff Mitchell b1c2a930fe Clean up request forwarding logic 2017-03-01 18:17:06 -05:00
Jeff Mitchell eec66eaa3c Have duration.ParseDurationSecond handle json.Number 2017-03-01 08:32:05 -05:00
Jeff Mitchell 7f0a99e8eb Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 14:42:00 -05:00
Saj Goonatilleke 01f3056b8b pki: Include private_key_type on DER-formatted responses from /pki/issue/ (#2405) 2017-02-24 11:17:59 -05:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell 0c39b613c8 Port some replication bits to OSS (#2386) 2017-02-16 15:15:02 -05:00
Jeff Mitchell 0a9a6d3343 Move ReplicationState to consts 2017-02-16 13:37:21 -05:00
Brian Kassouf 13ec9c5dbf Load leases into the expiration manager in parallel (#2370)
* Add a benchmark for exiration.Restore

* Add benchmarks for consul Restore functions

* Add a parallel version of expiration.Restore

* remove debug code

* Up the MaxIdleConnsPerHost

* Add tests for etcd

* Return errors and ensure go routines are exited

* Refactor inmem benchmark

* Add s3 bench and refactor a bit

* Few tweaks

* Fix race with waitgroup.Add()

* Fix waitgroup race condition

* Move wait above the info log

* Add helper/consts package to store consts that are needed in cyclic packages

* Remove not used benchmarks
2017-02-16 10:16:06 -08:00
Vishal Nayak eb4ef0f6e0 cidrutil: added test data points (#2378) 2017-02-16 00:51:02 -05:00
Jeff Mitchell 6c02e9357a Update protos 2017-02-02 16:20:32 -05:00
Roman Vynar 85eceef188
Fix cipher preferred order 2017-01-24 09:29:57 +02:00
Jeff Mitchell 42894754a6 Remove comments destined to be outdated 2017-01-23 13:49:15 -05:00
Roman Vynar 1615280efa Added tls_cipher_suites, tls_prefer_server_ciphers config options to listener (#2293) 2017-01-23 13:48:35 -05:00
joe miller 98df700495 allow roles to set OU value in certificates issued by the pki backend (#2251) 2017-01-23 12:44:45 -05:00
Chris Hoffman 7568a212b1 Adding support for exportable transit keys (#2133) 2017-01-23 11:04:43 -05:00
vishalnayak c9bd2a37f8 Don't sanitize disallowed_policies on token role 2017-01-17 21:34:14 -05:00
Félix Cantournet 103b7ceab2 all: test: Fix govet warnings
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Brian Nuszkowski 98a6e0fea3 Add Duo pushinfo capabilities (#2118) 2016-12-19 15:37:44 -05:00
Vishal Nayak 8400b87473 Don't add default policy to child token if parent does not have it (#2164) 2016-12-16 00:36:39 -05:00
Jeff Mitchell fc81a301b8 Don't say mlock is supported on OSX when it isn't. (#2120)
Fixes #2119
2016-11-22 12:56:36 -05:00
Jeff Mitchell ee29b329fb Bump proto files after update 2016-11-17 10:06:26 -05:00
vishalnayak ac9304e660 Remove the methods introduced to make the tests work from its older package 2016-10-26 20:03:51 -04:00
vishalnayak c14a6c8666 Move policy test to keysutil package 2016-10-26 19:57:28 -04:00
vishalnayak 6d1e1a3ba5 Pulled out transit's lock manager and policy structs into a helper 2016-10-26 19:52:31 -04:00
vishalnayak 69df3fb95e Added a few checks to the CIDR Subset checking util 2016-09-28 14:04:02 -04:00
Chris Hoffman d235acf809 Adding support for chained intermediate CAs in pki backend (#1694) 2016-09-27 17:50:17 -07:00
Vishal Nayak b1ee56a15b Merge pull request #1910 from hashicorp/secret-id-cidr-list
CIDR restrictions on Secret ID
2016-09-26 10:22:48 -04:00
Jeff Mitchell 72b9c4c649 Fix parsing env var, needed to be in the helper too 2016-09-23 13:20:26 -04:00
vishalnayak a31f9bb0e9 Fix zeroAddr check 2016-09-23 12:50:26 -04:00
vishalnayak f560e20b28 Address review feedback 2016-09-22 18:07:35 -04:00
vishalnayak 07b1b244d6 Use net.IPv4zero to check for zero address 2016-09-21 20:29:33 -04:00
vishalnayak aaadd4ad97 Store the CIDR list in the secret ID storage entry.
Use the stored information to validate the source address and credential issue time.
Correct the logic used to verify BoundCIDRList on the role.
Reverify the subset requirements between secret ID and role during credential issue time.
2016-09-21 20:19:26 -04:00
vishalnayak 93604e1e2e Added cidrutil helper 2016-09-21 13:58:32 -04:00
Jeff Mitchell 0ff76e16d2 Transit and audit enhancements 2016-09-21 10:49:26 -04:00
Jeff Mitchell 897d3c6d2c Rename GetOctalFormatted and add serial number to ParsedCertBundle. Basically a noop. 2016-09-16 11:05:43 -04:00
Jeff Mitchell 1d6552c625 Update logging formatting 2016-09-01 16:14:21 -04:00
vishalnayak cdcfa4572f Address review feedback 2016-08-30 16:36:58 -04:00
Jeff Mitchell 7e41d5ab45 Pass headers back when request forwarding (#1795) 2016-08-26 17:53:47 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell 2860dcc60f gofmt 2016-08-19 16:48:32 -04:00
Jeff Mitchell bdcfe05517 Clustering enhancements (#1747) 2016-08-19 11:03:53 -04:00
Jeff Mitchell 5c33356d14 Protobuf for forwarding (#1743) 2016-08-17 16:15:15 -04:00
Jeff Mitchell 8d6244f8e7 Don't serialize the full connection state, instead just the peer certificates, and parse them on the other side 2016-08-17 10:29:53 -04:00
Jeff Mitchell 37320f8798 Request forwarding (#1721)
Add request forwarding.
2016-08-15 09:42:42 -04:00
James Nugent 2c14ff7385 build: Add support for building on Illumos
This commit adds support for building for Illumos-derived operating
systems. Regrettably, the cyrpto/ssh/terminal package does not include
implementations of the functions IsTerminal, MakeRaw or Restore for the
solaris OS. Consequently this commit implements them in Vault.

makeRaw(fd int) is based on the Illumos implementation of the getpass
function [1] for the correct flags. isTerminal(fd int) is based on the
Illumos libc implementation [2] of isatty.

[1] http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libast/common/uwin/getpass.c
[2] http://src.illumos.org/source/xref/illumos-gate/usr/src/lib/libbc/libc/gen/common/isatty.c
2016-08-13 00:20:15 -04:00
Jeff Mitchell c1a46349fa Change to keybase openpgp fork as it has important fixes 2016-08-11 08:31:43 -04:00
vishalnayak 185363d6e0 Address review feedback 2016-08-09 11:13:48 -04:00
vishalnayak b43cc03f0e Address review feedback from @jefferai 2016-08-09 10:47:55 -04:00
vishalnayak 78d57520fb Refactoring and test fixes 2016-08-09 03:43:03 -04:00
vishalnayak c81460add6 Added compressutil tests 2016-08-09 02:26:38 -04:00
vishalnayak f994c7ccd3 Tests for (de)compression in jsonutil 2016-08-09 00:50:19 -04:00
vishalnayak 29989fa4c1 Make generic utility for compression and decompression 2016-08-09 00:50:19 -04:00
vishalnayak 55ecad83bc Pull out compression code into compressutil 2016-08-09 00:50:19 -04:00
vishalnayak 5866cee5b4 Added utilities to compress the data 2016-08-09 00:50:19 -04:00
Jeff Mitchell 6ffdce7f40 Fix bugs and add test case for arbitrary string slice 2016-08-03 14:57:36 -04:00
Jeff Mitchell 9e204bd88c Add arbitrary string slice parsing.
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.

Fixes #1619 in theory.
2016-08-03 14:24:16 -04:00
Jeff Mitchell c025b292b5 Cleanup 2016-08-03 13:09:12 -04:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
vishalnayak a6907769b0 AppRole authentication backend 2016-07-26 09:32:41 -04:00
Jeff Mitchell f1cc16b77f Remove manual selection of nextprotos from tls config coming from certutil; it's really not up to us to dictate third party requirements 2016-07-22 11:12:46 -04:00
vishalnayak 8dc3a830dc Address review feedback 2016-07-22 10:21:45 -04:00
vishalnayak 58bd985551 Address review feedback from @jefferai 2016-07-22 08:44:16 -04:00
vishalnayak 765d131b47 Added service-tags config option to provide additional tags to registered service 2016-07-22 04:41:48 -04:00
Vishal Nayak 9bb89431dc Merge pull request #1632 from hashicorp/lib-locks-create
Added helper to create locks
2016-07-21 10:23:34 -04:00
Jeff Mitchell 3ec81debe7 Trim leading/trailing space around PEM bundles.
Fixes #1634
2016-07-20 13:57:49 -04:00
vishalnayak ba4dc638bf Added test for CreateLocks 2016-07-20 05:37:38 -04:00
vishalnayak 331f229858 Added a cap of 256 for CreateLocks utility 2016-07-20 04:48:35 -04:00
vishalnayak 50e8a189e9 Added helper to create locks 2016-07-19 21:37:28 -04:00
vishalnayak c14235b206 Merge branch 'master-oss' into json-use-number
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
vishalnayak de19314f18 Address review feedback 2016-07-13 11:52:26 -04:00
vishalnayak f78f303787 git add tlsutil 2016-07-13 11:29:17 -04:00
vishalnayak f34f0ef503 Make 'tls_min_version' configurable 2016-07-12 19:32:47 -04:00
vishalnayak 46d34130ac Set minimum TLS version in all tls.Config objects 2016-07-12 17:06:28 -04:00
Jeff Mitchell 5b210b2a1f Return a duration instead and port a few other places to use it 2016-07-11 18:19:35 +00:00
Jeff Mitchell ab6c2bc5e8 Factor out parsing duration second type and use it for parsing tune values too 2016-07-11 17:53:39 +00:00
vishalnayak 10b5f6648b Added jsonutil functional tests 2016-07-07 12:12:51 -04:00
vishalnayak 14fd963d9f Input validations for jsonutil 2016-07-07 11:29:38 -04:00
vishalnayak 60912bdf65 Added jsonutil helper 2016-07-07 10:51:49 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers.
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
vishalnayak 1e4834bd20 Remove addDefault param from ParsePolicies 2016-05-31 13:39:58 -04:00
vishalnayak 49b4c83580 Adding default policies while creating tokens 2016-05-31 13:39:58 -04:00
Sean Chittenden 7a4b31ce51
Speling police 2016-05-15 09:58:36 -07:00
Sean Chittenden 8c9dadf82b
Don't build mlock for NetBSD
NetBSD doesn't have the right symbols defined in Go for mlockall support.  The OS supports it just fine, but the definitions aren't present in Go.  If someone wanted to they could add support XOR the values from `sys/mman.h` for `MCL_CURRENT | MCL_FUTURE` which is almost certainly `0x01 | 0x02` but we're not going to do that in code due to the maintenance of a one-off just for NetBSD.  PR's welcome.
2016-05-10 16:39:54 -07:00
Jeff Mitchell 80407eeba8 Fix up commenting 2016-05-05 10:31:50 -04:00
Jeff Mitchell b6b9cd6f1f Merge remote-tracking branch 'origin/master' into aws-cred-chain 2016-05-05 10:31:12 -04:00
vishalnayak 314a1f9406 Updates to policy and string helpers 2016-05-05 10:22:28 -04:00
vishalnayak 0cec22d27a Lower case all policy values in ParsePolicies before processing 2016-05-05 05:22:59 -04:00
Jeff Mitchell 1b0df1d46f Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over 2016-05-03 17:01:02 -04:00
Jeff Mitchell 7fbe5d2eaa Region is required so error in awsutil if not set and set if empty in client code in logical/aws 2016-05-03 15:25:11 -04:00
Jeff Mitchell a244ef8a00 Refactor AWS credential code into a function that returns a static->env->instance chain 2016-05-03 15:10:35 -04:00
Adam Shannon fb07d07ad9 all: Cleanup from running go vet 2016-04-13 14:38:29 -05:00
Sean Chittenden 09ad6317ea Merge pull request #1297 from hashicorp/f-bsd-mlock
F bsd mlock
2016-04-06 13:57:34 -07:00
Sean Chittenden b178bfabd9 Fix the build targets
I'm not entirely sure why this didn't work, but explicitly list the unsupported platforms as identified by `go tool dist list`
2016-04-05 22:24:53 -07:00
vishalnayak e3a1ee92b5 Utility Enhancements 2016-04-05 20:32:59 -04:00
Sean Chittenden 2374129c33 Consolidate mlock calls into one place
In theory Android and NaCL could build Vault now, too.

List of targets derived from: `go tool dist list`
2016-04-05 13:57:29 -07:00
Sean Chittenden 308057a4a9 Switch Linux over to using the x/sys/unix package
Same syscall interface, but the `x/sys/unix` package is not frozen.  No functional change from this commit.
2016-04-05 12:19:46 -07:00
Sean Chittenden dcde117bcb go fmt was here, no functional change 2016-04-05 12:18:45 -07:00
Sean Chittenden 087e7c94d3 Add Vault support for the *BSDs, including Darwin
The `syscall` package has been frozen in favor of `x/sys`.  As a result, all of the BSDs are supported and do have `mlockall(2)` support in current versions of Go.
2016-04-05 12:18:19 -07:00
vishalnayak 95abdebb06 Added AcceptanceTest boolean to logical.TestCase 2016-04-05 15:10:44 -04:00
Jeff Mitchell c50276ec17 Fix using wrong var 2016-03-24 10:23:09 -04:00
Jeff Mitchell 4c4a65ebd0 Properly check for policy equivalency during renewal.
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.

Fixes #1256
2016-03-24 09:41:51 -04:00
Jeff Mitchell 786bce24b1 Remove us building Solaris binaries for the moment, as they don't build successfully 2016-03-16 15:47:55 -04:00
Tom Ritter 8901c0b67d Type in kdf.go 2016-02-08 14:39:46 -06:00
Jeff Mitchell 7a59af7d18 Fix lost code after rebase 2016-01-19 19:19:07 -05:00
Jeff Mitchell 973c888833 RootGeneration->GenerateRoot 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b100c5965 Address most of the review feedback 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b994dbc7f Add the ability to generate root tokens via unseal keys. 2016-01-19 18:28:10 -05:00
Jeff Mitchell 630b2d83a7 Allow ASCII-armored PGP pub keys to be passed into -pgp-keys.
Fixes #940
2016-01-18 17:01:52 -05:00
Jeff Mitchell 9c5ad28632 Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Jeff Mitchell 8d1e5cb50d Add returning which user names could not be looked up 2016-01-04 13:56:45 -05:00
Jeff Mitchell 90ec946dab Address review feedback. 2016-01-04 11:18:04 -05:00
Jeff Mitchell d11509830f Happy New Year everyone! (Add keybase support for PGP keys.)
Keys specified in rekey and init operations can now be sourced from
keybase.io by using "keybase:[username]" as the key.
2015-12-31 20:47:41 -05:00
Jeff Mitchell 4dac5f5a0e Merge pull request #829 from andrewstuart/master
Add parsing of pkcs#8-encoded bundles for pki/config/ca
2015-12-22 10:06:59 -05:00
Jeff Mitchell f2da5b639f Migrate 'uuid' to 'go-uuid' to better fit HC naming convention 2015-12-16 12:56:20 -05:00
Charles Phillips 4cb2941b77 [helper] support mlock on Solaris/SmartOS 2015-12-15 11:28:16 -08:00
Andrew Stuart c81e5c41d2
Update PrivateKeyType to string, update switch statement. 2015-12-14 11:16:47 -07:00
Andrew Stuart 100465fee8
Remove unnecessary cast 2015-12-14 06:17:20 -07:00
Andrew Stuart 567282170f
Remove printf call from test 2015-12-11 15:47:00 -07:00
Andrew Stuart ae9e842841
Merge branch 'pkcs8' 2015-12-11 15:22:43 -07:00
Andrew Stuart 43bd14a755
Add benchmark for certutil bundle parsing 2015-12-11 15:17:49 -07:00
Andrew Stuart 551591fb70
Remove debugging print statement in compareCertBundleToParsedCertBundle 2015-12-11 15:17:49 -07:00
Andrew Stuart b277eb9f14
Remove flag check before trying pkcs8 parsing. 2015-12-11 15:17:49 -07:00
Andrew Stuart 6f672a9589
Add pkcs8 flag setting in ParsePEMBundle 2015-12-11 15:17:49 -07:00
Andrew Stuart 4da225d39e
Update tests and finish implementation of PKCS8 handling 2015-12-11 15:17:49 -07:00
Andrew Stuart 25667df5f7
Update ParsePEMBundle to properly handle pkcs#8
Implementation based on be16001187/src/crypto/tls/tls.go (L273-L290)
2015-12-11 15:17:49 -07:00
Andrew Stuart 2861be29a4
Move to pem.Block.Type-based decoding 2015-12-11 14:57:33 -07:00
Andrew Stuart 9d97cc36c9
Add benchmark for certutil bundle parsing 2015-12-11 09:58:49 -07:00
Andrew Stuart e70b0b86e2
Merge branch 'master' into pkcs8 2015-12-10 21:02:59 -07:00
Andrew Stuart 572f587093
Update flag to field with format info 2015-12-10 21:02:31 -07:00
Andrew Stuart 889245c990
Remove debugging print statement in compareCertBundleToParsedCertBundle 2015-12-10 16:33:42 -07:00
Andrew Stuart cdeca4ed92
Remove flag check before trying pkcs8 parsing. 2015-12-09 19:41:32 -07:00
Andrew Stuart ef2be34985 Remove flag check before trying pkcs8 parsing. 2015-12-09 15:33:25 -07:00
Andrew Stuart a3b096e3fe Add pkcs8 flag setting in ParsePEMBundle 2015-12-09 15:33:25 -07:00
Andrew Stuart 7d274cbb0b Update tests and finish implementation of PKCS8 handling 2015-12-09 15:33:25 -07:00
Andrew Stuart db48b7fccf Update ParsePEMBundle to properly handle pkcs#8
Implementation based on be16001187/src/crypto/tls/tls.go (L273-L290)
2015-12-09 15:29:13 -07:00
Jeff Mitchell 22a6d6fa22 Merge branch 'master' into pki-csrs 2015-11-20 12:48:38 -05:00
Jeff Mitchell 0dbe15cb87 Mostly revert changes to certutil as the embedded struct stuff was being
problematic.
2015-11-19 14:18:39 -05:00
Jeff Mitchell f41a2e562a fix tests 2015-11-19 10:13:28 -05:00
Jeff Mitchell 26c8cf874d Move public key comparison logic to its own function 2015-11-19 09:51:18 -05:00
Jeff Mitchell 4681d027c0 Move serial number generation and key validation into certutil; centralize format and key verification 2015-11-19 09:51:18 -05:00
Jeff Mitchell 5510a2b16f Add unit tests for CSR bundle conversion 2015-11-19 09:51:18 -05:00
Jeff Mitchell 54fccb2ff4 Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required. 2015-11-19 09:51:17 -05:00
Jeff Mitchell b2df079446 Add unit tests to test signing logic, fix up test logic for names 2015-11-19 09:51:17 -05:00
Jeff Mitchell 1cec03d9ca Implement CA cert/CSR generation. CA certs can be self-signed or
generate an intermediate CSR, which can be signed.
2015-11-19 09:51:17 -05:00
Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell c66f0918be Add delete method, and ability to delete only one serial as well as an entire set. 2015-11-03 10:52:20 -05:00
Mitchell Hashimoto 2917e6be2f helper/password: interrupt should exit readline 2015-10-16 16:01:19 -07:00
Jeff Mitchell a9155ef85e Use split-out hashicorp/uuid 2015-10-12 14:07:12 -04:00
Jeff Mitchell ad840233eb Allow base64-encoded keys to be used on the CLI for init/rekey.
Fixes #653.
2015-10-06 12:47:01 -04:00
Jeff Mitchell 8d71601221 Changes to salt to clean up HMAC stuff. 2015-09-18 18:13:10 -04:00
Jeff Mitchell 5dde76fa1c Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass. 2015-09-18 17:38:30 -04:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell 8669a87fdd When using PGP encryption on unseal keys, encrypt the hexencoded string rather than the raw bytes. 2015-08-26 07:59:50 -07:00
Jeff Mitchell cc232e6f79 Address comments from review. 2015-08-25 15:33:58 -07:00
Jeff Mitchell c887df93cc Add support for pgp-keys argument to rekey, as well as tests, plus
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Bradley Girardeau aa55d36f03 Clean up naming and add documentation 2015-07-30 17:36:40 -07:00
Bradley Girardeau d26b77b4f4 mfa: code cleanup 2015-07-28 11:55:46 -07:00
Bradley Girardeau 6697012dd3 mfa: improve edge cases and documentation 2015-07-27 21:14:00 -07:00
Bradley Girardeau 15c9e0cfc3 mfa duo: better error messages 2015-07-27 21:14:00 -07:00
Bradley Girardeau e45f957bcc mfa: add test cases for MFA, Duo 2015-07-27 21:14:00 -07:00
Bradley Girardeau 5cf78d8ba2 mfa: add MFA wrapper with Duo second factor 2015-07-27 21:14:00 -07:00
Armon Dadgar 81f39fbc16 helper/kdf: changing argument name for clarity 2015-07-05 14:01:56 -07:00
Armon Dadgar bd347e0430 helper/kdf: adding lib for key derivation from NIST800-108 2015-07-05 14:01:21 -07:00
Armon Dadgar 3084f64e5c helper/salt: track if salt was generated 2015-06-30 16:47:49 -07:00
Armon Dadgar a2eb1210a7 helper/salt: adding little helper for salting 2015-06-30 14:04:18 -07:00
Armon Dadgar 8bc99f8c23 helper/uuid: single generateUUID definition 2015-06-30 12:38:32 -07:00
Armon Dadgar 3902626163 Merge pull request #310 from jefferai/f-pki
Initial PKI backend implementation
2015-06-21 11:12:22 +01:00
Steve Wills 7244094509 allow building on FreeBSD
Allow this file to build on FreeBSD
2015-06-19 16:59:24 -04:00
Jeff Mitchell 390f769d1a Add unit tests for certutil, and fix a whitespace stripping issue.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 16:06:56 -04:00
Jeff Mitchell a6fc48b854 A few things:
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
Jeff Mitchell 34f495a354 Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
Jeff Mitchell 9e00ca769a Restructure a little bit to make the helper library fully standalone. This makes it easier to move around later if desired, and for use by external programs.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 06:42:57 -04:00
Jeff Mitchell 29e7ec3e21 A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.

More refactoring could be done within the PKI backend itself, but that can wait.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
Mitchell Hashimoto 8d39d21ac2 helper/kv-builder: blank values should not panic 2015-06-16 10:00:02 -07:00
Mark Junker 787a4bc4b5 Fixes #83 2015-04-29 10:20:09 +02:00
Mitchell Hashimoto b5f8f3b05a vault: add helper/mlock for doing mlock 2015-04-28 14:59:43 -07:00
Mitchell Hashimoto fa80e90b1a helper/passsword: fix windows compilation 2015-04-28 09:23:48 -07:00
Mitchell Hashimoto 8e3746d347 helper/kv-builder 2015-04-07 22:30:25 -07:00
Mitchell Hashimoto 481628c41f command/auth: framework for supporting more auth methods 2015-04-05 20:50:18 -07:00
Mitchell Hashimoto afc71d2a7b command/server: cleaner output 2015-04-04 12:06:41 -07:00
Mitchell Hashimoto 2e9e4ee93d helper/password: catch ctrl-c if possible 2015-04-01 17:27:29 -07:00
Mitchell Hashimoto 11f8423b4f logical/framework, logical/testing 2015-03-15 16:39:49 -07:00
Mitchell Hashimoto a0232eedd7 helper/backend: use logical package 2015-03-15 14:57:19 -07:00
Mitchell Hashimoto 857e00bcdc helper/backend: start acceptance test framework 2015-03-14 17:18:19 -07:00
Mitchell Hashimoto accd8c29ca helper/backend: auto-generate help route 2015-03-14 10:12:50 -07:00
Mitchell Hashimoto e8e55ef8b1 helper/backend: one callback per operation 2015-03-14 00:19:25 -07:00
Mitchell Hashimoto 7f87d9ea6f helper/backend: HandleRequest works 2015-03-13 23:58:20 -07:00
Mitchell Hashimoto d17c3d87d3 helper/backend: store captures for a path 2015-03-13 23:48:49 -07:00
Mitchell Hashimoto c4e35ffb7d helper/backend: cache route regexps (98% speedup)
benchmark                 old ns/op     new ns/op     delta
BenchmarkBackendRoute     49144         589           -98.80%
2015-03-13 23:25:17 -07:00
Mitchell Hashimoto e5871abf77 helper/backend: benchmark route 2015-03-13 23:22:48 -07:00
Mitchell Hashimoto 0751c5db12 helper/backend: basic path routing (naive) 2015-03-13 23:17:25 -07:00
Mitchell Hashimoto a68eb1a994 helper/backend: add default values 2015-03-13 21:15:20 -07:00
Mitchell Hashimoto 33a08fbfa0 helper/backend: start this thing 2015-03-13 21:11:19 -07:00
Mitchell Hashimoto d88c20e293 command/server: add config loading 2015-03-12 15:21:11 -07:00
Mitchell Hashimoto a524ef6537 helper/password: for reading passwords securely 2015-03-04 00:31:35 -08:00