b6b62f7dc1
Drastically simplify the method and logic; keep an in-memory cache and use that for most operations, only affecting the backend storage when needed.
2015-11-03 10:52:20 -05:00
c66f0918be
Add delete method, and ability to delete only one serial as well as an entire set.
2015-11-03 10:52:20 -05:00
be1a2266cc
Add CRLSets endpoints; write method is done. Add verification logic to
...
login path. Change certs "ttl" field to be a string to match common
backend behavior.
2015-11-03 10:52:19 -05:00
22c65c0c07
Use cleanhttp instead of bare http.Client
2015-10-22 14:37:12 -04:00
cba4e82682
Don't use http.DefaultClient
...
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.
Fixes #700 , I believe.
2015-10-15 17:54:00 -04:00
6f4e42efed
Add StaticSystemView to LDAP acceptance tests
2015-10-06 15:48:10 -04:00
a740c68eab
Added a test case. Removed setting of defaultTTL in config.
2015-10-03 15:36:57 -04:00
e3f04dc444
Added testcases for config writes
2015-10-02 22:10:51 -04:00
ea0aba8e47
Use SanitizeTTL in credential request path instead of config
2015-10-02 15:41:35 -04:00
3dd84446ab
Github backend: enable auth renewals
2015-10-02 13:33:19 -04:00
c3bdde8abe
Add a static system view to github credential backend to fix acceptance tests
2015-09-29 18:55:59 -07:00
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
9c5dcac90c
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 14:01:28 -04:00
1f53376ae6
Userpass Bk: Added tests for TTL duration verifications
2015-09-17 16:33:26 -04:00
4332eb9d05
Vault userpass: Enable renewals for login tokens
2015-09-17 14:35:50 -04:00
77e7379ab5
Implement the cubbyhole backend
...
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
104b29ab04
Rename View to StorageView to make it more distinct from SystemView
2015-09-15 13:50:37 -04:00
959a727acd
Don't re-use tls configuration, to fix a possible race issue during test
2015-09-03 13:04:32 -04:00
5fa76b5640
Add base_url option to GitHub auth provider to allow selecting a custom endpoint. Fixes #572 .
2015-08-28 06:28:43 -07:00
5695d57ba0
Merge pull request #561 from hashicorp/fix-wild-cards
...
Allow hyphens in endpoint patterns of most backends
2015-08-21 11:40:42 -07:00
6c2927ede0
Vault: Fix wild card paths for all backends
2015-08-21 00:56:13 -07:00
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
133380915a
Disallow non-client X509 key usages for client TLS cert authentication.
2015-08-20 15:50:47 -07:00
d1a09e295a
Merge pull request #509 from ekristen/github-fix
...
Reimplements #459
2015-08-11 10:06:10 -07:00
611965844b
reimplements #459
2015-08-09 11:25:45 -06:00
21ab4d526c
Provide working example of TLS certificate authentication
...
Fixes #474
2015-08-07 15:15:53 -07:00
26387f6535
remove newline
2015-08-03 16:34:24 -06:00
f9c49f4a57
fix bug #488
2015-08-03 15:47:30 -06:00
719ac6e714
update doc for app-id
...
make clearer in doc that user-id can accept multiple app-id mappngs as comma-separated values
2015-08-03 09:44:26 -07:00
03728af495
Merge pull request #464 from bgirardeau/master
...
Add Multi-factor authentication with Duo
2015-07-30 17:51:31 -07:00
aa55d36f03
Clean up naming and add documentation
2015-07-30 17:36:40 -07:00
d26b77b4f4
mfa: code cleanup
2015-07-28 11:55:46 -07:00
6697012dd3
mfa: improve edge cases and documentation
2015-07-27 21:14:00 -07:00
06863d08f0
mfa: add to userpass backend
2015-07-27 21:14:00 -07:00
4eb1beb31c
ldap: add mfa support to CLI
2015-07-27 21:14:00 -07:00
8fa5a349a5
ldap: add mfa to LDAP login
2015-07-27 21:14:00 -07:00
1ca09a74b3
name slug check
2015-07-26 22:21:16 -04:00
e8d26d244b
ldap: change setting user policies to setting user groups
2015-07-20 11:33:39 -07:00
301a22295d
ldap: add ability to set policies based on username as well as groups
2015-07-14 15:46:15 -07:00
0e2edc2378
ldap: add ability to login with a userPrincipalName (user@upndomain)
2015-07-14 15:37:46 -07:00
504a7ca7c1
auth/userpass: store password as hash instead of direct. Credit @kenbreeman
2015-07-13 15:09:24 +10:00
da4650ccb4
auth/userpass: protect against timing attack. Credit @kenbreeman
2015-07-13 15:01:18 +10:00
599d5f1431
auth/app-id: protect against timing attack. Credit @kenbreeman
2015-07-13 14:58:18 +10:00
42050fe77b
ldap: add starttls support and option to specificy ca certificate
2015-07-02 15:49:51 -07:00
b52d3e6506
cred/app-id: testing upgrade to salted keys
2015-06-30 18:37:10 -07:00
eeb717c901
cred/app-id: first pass at automatic upgrading to salting
2015-06-30 18:09:08 -07:00
4b27e4d8c5
Remove SetLogger, and unify on framework.Setup
2015-06-30 17:45:20 -07:00
5d69e7da90
Updating for backend API change
2015-06-30 17:36:12 -07:00
3c58773598
Merge pull request #380 from kgutwin/cert-cli
...
Enable TLS client cert authentication via the CLI
2015-06-30 11:44:28 -07:00
b1f7e2f0ea
ldap: fixing merge conflict
2015-06-30 09:40:43 -07:00
0062d923cc
Better error messages.
2015-06-30 08:59:38 -04:00
a54ba31635
Merge remote-tracking branch 'upstream/master' into cert-cli
2015-06-30 08:31:00 -04:00
dafcc5b2ce
enable CLI cert login
2015-06-29 23:29:41 -04:00
c0e1843263
change skipsslverify to insecure_tls
2015-06-29 19:23:31 -06:00
337997ab04
Fixing merge conflict
2015-06-29 14:50:55 -07:00
e81f966842
Set SkipSSLVerify default to false, add warning in help message
2015-06-24 13:38:14 -06:00
d3225dae07
cleanup the code a bit
2015-06-24 10:09:29 -06:00
84371ea734
allow skipping SSL verification on ldap auth
2015-06-24 10:05:45 -06:00
45d3c512fb
builtin: fixing API change in logical framework
2015-06-17 14:34:11 -07:00
4bf84392ec
credential/github: get rid of stray tab
2015-06-16 10:05:51 -07:00
0ecf05c043
command/auth, github: improve cli docs
...
/cc @sethvargo
2015-06-16 10:05:11 -07:00
e3d3012795
Record the common name in TLS metadata
...
It is useful to be able to save the client cert's Common Name for auditing purposes when using a central CA.
This adds a "common_name" value to the Metadata structure passed from login.
2015-06-14 23:18:21 +01:00
2e1bce27a9
Allow dot in LDAP login username
2015-05-20 11:54:15 -07:00
cc966d6b52
auth/cert: Guard against empty certs. Fixes #214
2015-05-18 16:11:09 -07:00
56659a2db2
cred/app-id: ensure consistent error message
2015-05-15 11:45:57 -07:00
8cff23f29b
cred/app-id: stricter validation and error messaging
2015-05-15 11:40:45 -07:00
6746a24c78
credential/app-id: Test DeleteOperation
2015-05-14 22:30:02 +10:00
a3fe4b889f
Fix Error message
2015-05-12 14:32:09 +09:00
1ca0b2340c
credential/app-id: add hash of user/app ID to metadata for logs
2015-05-11 10:46:11 -07:00
5406d3189e
Merge pull request #184 from hashicorp/b-github-casing
...
credential/github: case insensitive mappings
2015-05-11 10:27:45 -07:00
5c63b70eea
logical/framework: PathMap is case insensitive by default
2015-05-11 10:27:04 -07:00
4e861f29bc
credential/github: case insensitive mappings
2015-05-11 10:24:39 -07:00
8156b88353
auth/ldap: move password into InternalData
2015-05-09 22:06:34 +02:00
84388b2b20
auth/ldap: move username into the path (to allow per-user revokation on the path)
2015-05-09 22:06:28 +02:00
5e899e7de2
auth/ldap: fix pasto
2015-05-09 22:06:22 +02:00
1e1219dfcc
auth/ldap: implement login renew
2015-05-09 22:04:20 +02:00
a0f53f177c
auth/ldap: document LDAP server used in tests
2015-05-09 22:04:20 +02:00
b4093e2ddf
auth/ldap: add acceptance tests
2015-05-09 22:04:20 +02:00
02d3b1c74c
auth/ldap: add support for groups with unique members
2015-05-09 22:04:20 +02:00
c313ff2802
auth/ldap: implement authorization via LDAP groups
2015-05-09 22:04:20 +02:00
dc6b4ab9db
auth/ldap: add configuration path for groups
2015-05-09 22:04:20 +02:00
7e39da2e67
Attempt connection to LDAP server at login time.
...
Also switch to a LDAP library fork which fixes a panic when
shutting down a connection immediately.
2015-05-09 22:04:19 +02:00
7492c5712a
Initial implementation of the LDAP credential backend
2015-05-09 22:04:19 +02:00
f3c3f4717a
Remove references to -var
2015-05-08 11:45:29 -04:00
a6a4bee2ee
cred/app-id: Add help synopsis to login path
2015-05-07 15:45:43 -07:00
04015fdf55
Fix output from GitHub help
2015-05-07 14:13:12 -04:00
582677b134
Fix documentation typo.
2015-04-28 22:15:56 -07:00
9087471bad
credential/cert: support leasing and renewal
2015-04-24 12:58:39 -07:00
3a9e20748b
credential/cert: default display name
2015-04-24 10:52:17 -07:00
7b4ceeb7e6
credential/cert: more validation on cert setup
2015-04-24 10:39:44 -07:00
d57c8ea0f0
credential/cert: return logical error if invalid
2015-04-24 10:36:25 -07:00
ae272b83ce
credential/cert: major refactor
2015-04-24 10:31:57 -07:00
28b18422b7
credential/cert: First pass at public key credential backend
2015-04-23 21:46:21 -07:00
0b7e7190b5
credentials/userpass: integrate into auth cli
2015-04-19 15:17:24 -07:00
c5cadc026d
credential/userpass: renewal
2015-04-19 15:12:50 -07:00
0ae9eadfd3
credential/userpass: help
2015-04-19 15:07:11 -07:00
0aec679bb4
credential/userpass: login
2015-04-19 15:06:29 -07:00
fedda20c41
credential/userpass: configuring users
2015-04-19 14:59:30 -07:00
20324a0c9c
website: more auth
2015-04-18 13:45:50 -07:00
f7a1b2ced9
credential/app-id: allow restriction by CIDR block [GH-10]
2015-04-17 10:14:39 -07:00
e643b48235
credential/app-id: support associating a name with app ID [GH-9]
2015-04-17 10:01:03 -07:00
37af1683c6
credential/*: adhere to new API
2015-04-17 09:40:28 -07:00
cf2faa06ae
credential/github: Set the github username as the display name
2015-04-15 14:30:46 -07:00
62f4d1dd0e
credential/github: CLI handler
2015-04-06 09:53:43 -07:00
569991fcc5
credential/app-id
2015-04-04 18:41:49 -07:00
606b3dbff9
credential/github: improve help
2015-04-04 12:18:33 -07:00
12a75dd304
credential/github: auth with github
2015-04-01 15:46:37 -07:00
Jeff Mitchell