f33d35f3de
Added a nil check for config and renamed org field internally.
2017-01-11 11:04:15 -06:00
a8f12dff01
Added a 'read' for github config
2017-01-10 18:21:31 -06:00
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
8fff7daf51
Don't panic when TLS is enabled but the initial dial doesn't return a connection ( #2188 )
...
Related to #2186
2016-12-15 15:49:30 -05:00
e818efde7c
ldap auth via cli defaults username to env ( #2137 )
...
try to guess the username from 'LOGNAME' or if it isn't set 'USER'
2016-12-02 19:08:32 +01:00
3d66907966
Disallow passwords LDAP binds by default ( #2103 )
2016-12-01 10:11:40 -08:00
2797c609b0
fix checking that users policies is not nil
2016-11-29 16:35:49 +03:00
cc374b3e2c
add support per user acl for ldap users
2016-11-29 13:32:59 +03:00
5eaef287a8
Close ldap connection to avoid leak ( #2130 )
2016-11-28 09:31:36 -08:00
890c19312f
Update path help for approle secret id TTL
2016-11-15 11:50:51 -05:00
637414a623
Added support for individual user policy mapping in github auth backend. ( #2079 )
2016-11-10 16:21:14 -05:00
aa68041231
Fix GitHub tests
2016-11-08 07:13:42 -05:00
50c8af0515
Add ldap tls_max_version config ( #2060 )
2016-11-07 13:43:39 -05:00
65f0ce8ca3
Remove the sanity check which is not proving to be useful
2016-10-27 19:11:26 -04:00
79d45355c8
Merge pull request #2004 from hashicorp/role-id-update
...
Fix regression caused by not creating a role_id secondary index
2016-10-26 16:29:46 -04:00
2ce8bc95eb
Deduplicate the policies in ldap backend
2016-10-14 17:20:50 -04:00
1487dce475
Fix regression caused by not creating a role_id secondary index
2016-10-14 12:56:29 -04:00
c45ab41b39
Update aws-ec2 configuration help
...
Updated to reflect enhanced functionality and clarify necessary
permissions.
2016-10-05 12:40:58 -07:00
0f8c132ede
Minor doc updates
2016-10-04 15:46:09 -04:00
2e1aa80f31
Address review feedback 2
2016-10-04 15:30:42 -04:00
59475d7f14
Address review feedback
2016-10-04 15:05:44 -04:00
348a09e05f
Add only relevant certificates
2016-10-03 20:34:28 -04:00
dbd364453e
aws-ec2 config endpoints support type option to distinguish certs
2016-10-03 20:25:07 -04:00
b105f8ccf3
Authenticate aws-ec2 instances using identity document and its RSA signature
2016-10-03 18:57:41 -04:00
4c74b646fe
Merge pull request #1947 from hashicorp/secret-id-lookup-delete
...
Introduce lookup and destroy endpoints for secret IDs and its accessors
2016-09-29 10:19:54 -04:00
34e76f8b41
Added website docs for lookup and destroy APIs
2016-09-28 22:11:48 -04:00
d20819949c
Make secret-id reading and deleting, a POST op instead of GET
2016-09-28 20:22:37 -04:00
2dd1f584e6
Update documentation for required AWS API permissions
...
In order for Vault to map IAM instance profiles to roles, Vault
must query the 'iam:GetInstanceProfile' API, so update the documentation
and help to include the additional permissions needed.
2016-09-28 16:50:20 -07:00
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
5adfaa0d7d
Merge pull request #1939 from hashicorp/secret-id-upgrade
...
Respond secret_id_num_uses and deprecate SecretIDNumUses
2016-09-28 18:16:07 -04:00
e9142f418a
Added todo to remind removal of upgrade code
2016-09-28 18:17:13 -04:00
e01f99f042
Check for prefix match instead of exact match for IAM bound parameters
2016-09-28 18:08:28 -04:00
21d9731286
Don't reset the deprecated value yet
2016-09-28 15:48:50 -04:00
4a30a6b4f8
Merge pull request #1913 from hashicorp/bound-iam-instance-profile-arn
...
Proper naming for bound_iam_instance_profile_arn
2016-09-28 15:34:56 -04:00
31e450a175
Add some validation checks
2016-09-28 15:36:02 -04:00
9eabf75f5f
Fix the misplaced response warning
2016-09-28 14:20:03 -04:00
a2338f5970
Added testcase to check secret_id_num_uses
2016-09-28 13:58:53 -04:00
ba1d238f9b
Pull out reading and storing of secret ID into separate functions and handle upgrade properly
2016-09-28 12:42:26 -04:00
5eff59c410
Fix "SecretIDNumUses" in AppRole auth backend
...
There was a typo.
2016-09-27 17:26:52 +03:00
b1ee56a15b
Merge pull request #1910 from hashicorp/secret-id-cidr-list
...
CIDR restrictions on Secret ID
2016-09-26 10:22:48 -04:00
a4b119dc25
Merge pull request #1920 from legal90/fix-approle-delete
...
Fix panic on deleting the AppRole which doesn't exist
2016-09-26 10:05:33 -04:00
3f77013004
Fix panic on deleting the AppRole which doesn't exist
...
#pathRoleDelete should return silently if the specified AppRole doesn't exist
Fixes GH-1919
2016-09-26 16:55:08 +03:00
da5b5d3a8e
Address review feedback from @jefferai
2016-09-26 09:53:24 -04:00
d080107a87
Update docs to contain bound_iam_role_arn
2016-09-26 09:37:38 -04:00
bf0b7f218e
Implemented bound_iam_role_arn constraint
2016-09-23 21:35:36 -04:00
6bf871995b
Don't use time.Time in responses. ( #1912 )
...
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
e0c41f02c8
Fix incorrect naming of bound_iam_instance_profile_arn
2016-09-23 11:22:23 -04:00
aaadd4ad97
Store the CIDR list in the secret ID storage entry.
...
Use the stored information to validate the source address and credential issue time.
Correct the logic used to verify BoundCIDRList on the role.
Reverify the subset requirements between secret ID and role during credential issue time.
2016-09-21 20:19:26 -04:00
578b82acf5
Pass only valid inputs to validation methods
2016-09-21 15:44:54 -04:00
93604e1e2e
Added cidrutil helper
2016-09-21 13:58:32 -04:00
97dc0e9f64
Merge pull request #1897 from hashicorp/secret-id-accessor-locks
...
Safely manipulate secret id accessors
2016-09-19 11:37:38 -04:00
fefd3a6c0b
s/GetOctalFormatted/GetHexFormatted
2016-09-16 17:47:15 -04:00
ba72e7887a
Safely manipulate secret id accessors
2016-09-15 18:13:50 -04:00
61664bc653
Merge pull request #1886 from hashicorp/approle-upgrade-notes
...
upgrade notes entry for approle constraint and warning on role read
2016-09-15 12:14:01 -04:00
5597156886
check for nil role
2016-09-15 12:10:40 -04:00
92986bb2a0
Address review feedback
2016-09-15 11:41:52 -04:00
a1de742dce
s/disableReauthenticationNonce/reauthentication-disabled-nonce
2016-09-15 11:29:02 -04:00
9bca127631
Updated docs with nonce usage
2016-09-14 19:31:09 -04:00
857f921d76
Added comment
2016-09-14 18:27:35 -04:00
39796e8801
Disable reauthentication if nonce is explicitly set to empty
2016-09-14 17:58:00 -04:00
d0e4d77fce
address review feedback
2016-09-14 14:28:02 -04:00
d7ce69c5eb
Remove the client nonce being empty check
2016-09-14 14:28:02 -04:00
53c919b1d0
Generate the nonce by default
2016-09-14 14:28:02 -04:00
455a4ae055
address review feedback
2016-09-14 12:08:35 -04:00
b1392567d1
Use constant time comparisons for client nonce
2016-09-13 20:12:43 -04:00
d2e66014ba
Address review feedback
2016-09-13 18:30:04 -04:00
29b67141eb
Only use running state for checking if instance is alive. ( #1885 )
...
Fixes #1884
2016-09-13 18:08:05 -04:00
99a2655d8e
upgrade notes entry for approle constraint and warning on role read
2016-09-13 17:44:07 -04:00
bef9c2ee61
Ensure at least one constraint on the role
2016-09-13 16:03:15 -04:00
cdcfa4572f
Address review feedback
2016-08-30 16:36:58 -04:00
29b9295673
approle: fix racy updates problem for roles
2016-08-30 16:11:14 -04:00
d1284944c3
Merge pull request #1755 from hashicorp/logxi
...
Convert to logxi
2016-08-21 19:28:18 -04:00
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
524ed6db37
Extract out common code
2016-08-21 15:46:11 -04:00
dfe73733d5
Seperate endpoints for read/delete using secret-id and accessor
2016-08-21 14:42:49 -04:00
2860dcc60f
gofmt
2016-08-19 16:48:32 -04:00
7ce631f1dc
Pretty print the warning
2016-08-18 16:09:10 -04:00
870ffd6fd8
Use shortestTTL value during renewals too
2016-08-18 15:43:58 -04:00
4f1c47478e
When TTL is not set, consider the system default TTL as well
2016-08-18 15:37:59 -04:00
56b8c33c95
aws-ec2: se max_ttl when ttl is not set, during login
2016-08-18 15:16:32 -04:00
b150c14caa
Address review feedback by @jefferai
2016-08-09 17:45:42 -04:00
8d261b1a78
Added ttl field to aws-ec2 auth backend role
2016-08-09 17:29:45 -04:00
1f198e9256
Return warning about ACLing the LDAP configuration endpoint.
...
Fixes #1263
2016-08-08 10:18:36 -04:00
9e204bd88c
Add arbitrary string slice parsing.
...
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.
Fixes #1619 in theory.
2016-08-03 14:24:16 -04:00
c025b292b5
Cleanup
2016-08-03 13:09:12 -04:00
a6907769b0
AppRole authentication backend
2016-07-26 09:32:41 -04:00
0cfb112e87
Explicitly set invalid request status when a password isn't included
2016-07-25 11:14:15 -04:00
dc4b85b55e
Don't return 500 for user error in userpass when setting password
2016-07-25 11:09:46 -04:00
d4c3e27c4e
Fix re-specification of filter
2016-07-25 09:08:29 -04:00
cd6d114e42
LDAP Auth Backend Overhaul
...
--------------------------
Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.
Simplified group membership lookup significantly to support multiple use-cases:
* Enumerating groups via memberOf attribute on user object
* Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
* Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matchind rule
There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.
Additional changes:
* Clarify documentation for LDAP auth backend.
* Reworked how default values are set, added tests
* Removed Dial from LDAP config read. Network should not affect configuration.
2016-07-22 21:20:05 -04:00
68dcf677fa
Fix panic if no certificates are supplied by client
...
Fixes #1637
2016-07-21 10:20:41 -04:00
b353e44209
Fix build
2016-07-21 09:53:41 -04:00
d335038b40
Ensure we never return a nil set of trusted CA certs
...
Fixes #1637
2016-07-21 09:50:31 -04:00
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
cdf58da43b
Merge pull request #1610 from hashicorp/min-tls-ver-12
...
Set minimum TLS version in all tls.Config objects
2016-07-13 10:53:14 -06:00
09a4142fd3
Handled upgrade path for TLSMinVersion
2016-07-13 12:42:51 -04:00
de19314f18
Address review feedback
2016-07-13 11:52:26 -04:00
407722a9b4
Added tls_min_version to consul storage backend
2016-07-12 20:10:54 -04:00
f34f0ef503
Make 'tls_min_version' configurable
2016-07-12 19:32:47 -04:00
46d34130ac
Set minimum TLS version in all tls.Config objects
2016-07-12 17:06:28 -04:00
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
51cd67115c
Run appid/cert auth tests always
2016-07-01 14:06:33 -04:00
5d707c41ff
Always run userpass acceptance tests
2016-07-01 11:37:38 -04:00
3e515c5885
Fix up breakage from bumping deps
2016-06-30 14:31:41 -04:00
5f5a81d8da
Fix broken build
2016-06-21 18:25:36 -04:00
e97f81ecaa
Print role name in the error message
2016-06-21 17:53:33 -04:00
78d4d5c8c3
Merge pull request #1523 from hashicorp/bind-account-id-aws-ec2
...
Added bound_account_id to aws-ec2 auth backend
2016-06-21 10:03:20 -04:00
f7a44a2643
Correct casing of abbreviations
2016-06-21 10:02:22 -04:00
69d562c5db
Merge pull request #1514 from hashicorp/backend-return-objects
...
Backend() functions should return 'backend' objects.
2016-06-20 19:30:00 -04:00
383be815b6
aws-ec2: added a nil check for storedIdentity in login renewal
2016-06-20 10:19:57 -04:00
dccfc413d4
Replace an 'if' block with 'switch'
2016-06-17 12:35:44 -04:00
8e03c1448b
Merge branch 'master-oss' into bind-account-id-aws-ec2
...
Conflicts:
builtin/credential/aws-ec2/backend_test.go
builtin/credential/aws-ec2/path_login.go
builtin/credential/aws-ec2/path_role.go
2016-06-14 14:46:08 -04:00
74e84113db
fixing the test for the wrong IAM Role ARN
2016-06-14 18:17:41 +00:00
0ffbef0ccd
added tests, nil validations and doccumentation
2016-06-14 16:58:50 +00:00
26f7fcf6a1
Added bound_account_id to aws-ec2 auth backend
2016-06-14 11:58:19 -04:00
2c5a8fb39f
fixing spaces
2016-06-14 14:57:46 +00:00
52a47e1c4f
adding IAM Role as constrain
2016-06-14 14:49:36 +00:00
b7eb28bb3a
Added bound_ami_id check
2016-06-13 08:56:39 -04:00
0760a89eb4
Backend() functions should return 'backend' objects.
...
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
c6a27f2fa8
s/VAULT_GITHUB_AUTH_TOKEN/VAULT_AUTH_GITHUB_TOKEN
2016-06-09 14:00:56 -04:00
b82033516e
Merge pull request #1510 from hashicorp/fix-gh-renew-panic
...
Fix panic when renewing a github token from a previous version of Vault
2016-06-09 13:54:20 -04:00
7c65dc9bf1
xInt->xRaw
2016-06-09 13:54:04 -04:00
308294db46
Added VAULT_GITHUB_AUTH_TOKEN env var to receive GitHub auth token
2016-06-09 13:45:56 -04:00
1715b3dcb8
Fix panic when renewing a github token from a previous version of Vault
2016-06-09 13:37:09 -04:00
ca47478aed
Merge pull request #1479 from hashicorp/reuse-be-creation-tests
...
Change AWS/SSH to reuse backend creation code for test functions
2016-06-03 09:59:37 -04:00
e9fbb9fabe
Remove failOnError method from cert tests
2016-06-01 16:01:28 -04:00
86d2c796b0
Change AWS/SSH to reuse backend creation code for test functions
2016-06-01 12:17:47 -04:00
3a460b9c4b
Merge pull request #1471 from hashicorp/rename-aws-auth
...
auth backend: rename `aws` as `aws-ec2`
2016-06-01 10:41:13 -04:00
dbee3cd81b
Address review feedback
2016-06-01 10:36:58 -04:00
4fea41f7e5
Use entry.Type as a criteria for upgrade
2016-06-01 10:30:11 -04:00
99c1e071f3
Remove most Root paths
2016-05-31 23:42:54 +00:00
a072f2807d
Rename aws as aws-ec2
2016-05-30 14:11:15 -04:00
950c76c020
rename credential/aws as credential/aws-ec2
2016-05-30 14:11:15 -04:00
1d94828e45
Re-enable rollback triggers for auth backends
2016-05-26 14:29:41 -04:00
cfd337d06a
Fix broken cert backend test
2016-05-26 11:06:46 -04:00
c0e745dbfa
s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends
2016-05-26 10:21:03 -04:00
1bef0c3584
Merge pull request #1245 from LeonDaniel/master
...
Improved groups search for LDAP login
2016-05-19 12:13:29 -04:00
65801942cb
Naming of the locked and nonLocked methods
2016-05-17 20:39:24 -04:00
ed574d63fe
Merge pull request #1416 from shomron/list_ldap_group_mappings
...
Support listing ldap group to policy mappings
2016-05-16 16:22:13 -04:00
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
b8840ab9eb
Support listing ldap group to policy mappings ( Fixes #1270 )
2016-05-14 20:00:40 -04:00
53fc941761
Merge pull request #1300 from hashicorp/aws-auth-backend
...
AWS EC2 instances authentication backend
2016-05-14 19:42:03 -04:00
4122ed860b
Rename 'role_name' to 'role'
2016-05-13 14:31:13 -04:00
9147f99c43
Remove unused param from checkForValidChain
2016-05-12 15:07:10 -04:00
85d9523f98
Perform CRL checking for non-CA registered certs
2016-05-12 14:37:07 -04:00
be88306f92
Name the files based on changed path patterns
2016-05-12 11:52:07 -04:00
7e8a2d55d0
Update docs and path names to the new patterns
2016-05-12 11:45:10 -04:00
d09748a135
Fix the acceptance tests
2016-05-09 22:07:51 -04:00
95f3f08d29
Call client config internal from the locking method
2016-05-09 21:01:57 -04:00
4549625367
Update client code to use internal entry fetching
2016-05-09 23:26:00 +00:00
c16b0a4f41
Switch whitelist to use longest max TTL
2016-05-05 20:44:48 -04:00
7a6c76289a
Role tag updates
2016-05-05 15:32:14 -04:00
b58ad615f2
Fix HMAC being overwritten. Also some documentation, and add a lock to role operations
2016-05-05 14:51:09 -04:00
0eddeb5c94
Guard tidy functions
2016-05-05 14:28:46 -04:00
2d4c390f87
More updates to mutexes and adjust blacklisted roletag default safety buffer
2016-05-05 14:12:22 -04:00
8fef6e3ac0
Rename identity whitelist and roletag blacklist api endpoints
2016-05-05 13:34:50 -04:00
c69ba40d05
Move some mutexes around
2016-05-05 12:53:27 -04:00
f689e4712d
Update some mutexes in client config
2016-05-05 12:44:40 -04:00
c15c227774
Fall back to non-base64 cert if it can't be decoded (it's checked later anyways)
2016-05-05 11:36:28 -04:00
25913fb18c
Update commenting
2016-05-05 11:22:36 -04:00
15cbcedf1f
Make the roletag blacklist the longest duration, not least
2016-05-05 11:00:41 -04:00
e45d6c1120
Switch client code to shared awsutil code
2016-05-05 10:40:49 -04:00
3e71221839
Merge remote-tracking branch 'origin/master' into aws-auth-backend
2016-05-05 10:04:52 -04:00
92fe94546c
Split SanitizeTTL method to support time.Duration parameters as well
2016-05-05 09:45:48 -04:00
4ede1d6f08
Add the steps to generate the CRL test's test-fixture files
2016-05-04 05:48:34 -04:00
b7c48ba109
Change image/ to a more flexible /role endpoint
2016-05-03 23:36:59 -04:00
45a120f491
Switch our tri-copy ca loading code to go-rootcerts
2016-05-03 12:23:25 -04:00
9f2a111e85
Allow custom endpoint URLs to be supplied to make EC2 API calls
2016-05-02 17:21:52 -04:00
57e8fcd8c2
Extend the expiry of test-fixture certs of Cert backend
2016-05-02 12:34:46 -04:00
3d1c88f315
Make GitHub org comparison case insensitive.
...
Fixes #1359
2016-05-02 00:18:31 -04:00
1c91f652d4
Remove unnecessary append call
2016-04-30 03:20:21 -04:00
fde768125c
Cert backend, CRL tests
2016-04-29 02:32:48 -04:00
23d8ce62a3
Ensure that the instance is running during renewal
2016-04-28 16:34:35 -04:00
2a2dc0befb
Added allow_instance_migration to the role tag
2016-04-28 11:43:48 -04:00
4161d3ef4f
Change all time references to UTC
2016-04-28 10:19:29 -04:00
e591632630
Fix the deadlock issue
2016-04-28 01:01:33 -04:00
4712533f1d
minor updates
2016-04-28 00:35:49 -04:00
e6a9a5957d
Refactor locks around config tidy endpoints
2016-04-27 22:32:43 -04:00
b75a6e2f0f
Fix locking around config/client
2016-04-27 22:25:15 -04:00
0e97b57beb
Fix the list response of role tags
2016-04-27 22:03:11 -04:00
779d73ce2b
Removed existence check on blacklist/roletags, docs fixes
2016-04-27 21:29:32 -04:00
d44326ded6
Remove unnecessary lock switching around flushCachedEC2Clients
2016-04-27 20:13:56 -04:00
e1080f86ed
Remove recreate parameter from clientEC2
2016-04-27 20:01:39 -04:00
441477f342
Added ami_id to token metadata
2016-04-27 11:32:05 -04:00
b9c96bf7ce
- updated refactored functions in ldap backend to return error instead of ldap response and fixed interrupted search in ldap groups search func
2016-04-27 18:17:54 +03:00
08be31e9ab
- refactored functionality in separate functions in ldap backend and used a separate ldap query to get ldap groups from userDN
2016-04-27 15:00:26 +03:00
7144fd54f9
Added tests
2016-04-26 23:40:11 -04:00
88942b0503
Added tests
2016-04-26 10:22:29 -04:00
5a676a129e
Added tests
2016-04-26 10:22:29 -04:00
e16f256b14
Added tests
2016-04-26 10:22:29 -04:00
3a4021d6c4
Added tests
2016-04-26 10:22:29 -04:00
de1a1be564
tidy endpoint fixes
2016-04-26 10:22:29 -04:00
044d01fd69
HMAC Key per AMI ID and avoided secondary call to AWS to fetch the tags
2016-04-26 10:22:29 -04:00
5996c3e9d8
Rework and refactoring
2016-04-26 10:22:29 -04:00
3aeae62c00
Added mutex locking for config/certificate endpoint
2016-04-26 10:22:29 -04:00
21854776af
Added cooldown period for periodic tidying operation
2016-04-26 10:22:29 -04:00
9aa8fb6cc1
Support periodic tidy callback and config endpoints.
2016-04-26 10:22:29 -04:00
2810196e0f
Use fullsailor/pkcs7 package instead of its fork. Fix tests
2016-04-26 10:22:29 -04:00
5a2e1340df
Removed redundant AWS public certificate. Docs update.
2016-04-26 10:22:29 -04:00
a456f2c3f6
Removed `region` parameter from `config/client` endpoint.
...
Region to create ec2 client objects is fetched from the identity document.
Maintaining a map of cached clients indexed by region.
2016-04-26 10:22:29 -04:00
790b143c75
Instance ID can optionally be accepted as a the role tag parameter.
2016-04-26 10:22:29 -04:00
58c485f519
Support providing multiple certificates.
...
Append all the certificates to the PKCS#7 parser during signature verification.
2016-04-26 10:22:29 -04:00
9d4a7c5901
Docs update
2016-04-26 10:22:29 -04:00
ba9c86c92d
Added acceptance test for login endpoint
2016-04-26 10:22:29 -04:00
c2c1a5eedc
Added test case TestBackend_PathBlacklistRoleTag
2016-04-26 10:22:29 -04:00
85c9176cb4
Return 4xx error at appropriate places
2016-04-26 10:22:29 -04:00
1841ef0ebf
Tested pathImageTag
2016-04-26 10:22:29 -04:00
80e3063334
Tested parseRoleTagValue
2016-04-26 10:22:29 -04:00
dab1a00313
Make client nonce optional even during first login, when disallow_reauthentication is set
2016-04-26 10:22:29 -04:00
e0cf8c5608
Rename 'name' to 'ami_id' for clarity
2016-04-26 10:22:29 -04:00
092feca996
Moved HMAC parsing inside parseRoleTagValue
2016-04-26 10:22:29 -04:00
ddfdf37d33
Properly handle empty client nonce case when disallow_reauthentication is set
2016-04-26 10:22:29 -04:00
b8d9b18193
Added disallow_reauthentication feature
2016-04-26 10:22:29 -04:00
a1d07cbff5
Remove todo and change clientNonce length limit to 128 chars
2016-04-26 10:22:28 -04:00
bb276d350a
Fix typo
2016-04-26 10:22:28 -04:00
a5aadc908d
Add environment and EC2 instance metadata role providers for AWS creds.
2016-04-26 10:22:28 -04:00
012f9273f7
Remove certificate verification
2016-04-26 10:22:28 -04:00
41cc7c4a15
Test path config/certificate
2016-04-26 10:22:28 -04:00
5ff8d0cf96
Add existence check verification to config/client testcase
2016-04-26 10:22:28 -04:00
3286194384
Testing pathImage
2016-04-26 10:22:28 -04:00
a8082a9a6e
allow_instance_reboot -> allow_instance_migration
2016-04-26 10:22:28 -04:00
075a81214e
Update image output to show allow_instance_reboot value and keep policies in a list
2016-04-26 10:22:28 -04:00
91433fedf2
Changed the blacklist URL pattern to optionally accept base64 encoded role tags
2016-04-26 10:22:28 -04:00
efcc07967e
Accept instance_id in the URL for whitelist endpoint
2016-04-26 10:22:28 -04:00
cf56895772
Switch around some logic to be more consistent/readable and respect max
...
TTL on initial token issuance.
2016-04-26 10:22:28 -04:00
338054d49e
Return un-expired entries from blacklist and whitelist
2016-04-26 10:22:28 -04:00
b6bd30b9fb
Test ConfigClient
2016-04-26 10:22:28 -04:00
d3adc85886
AWS EC2 instances authentication backend
2016-04-26 10:22:28 -04:00
81ac4c3fcf
- fixed merge with upstream master
2016-04-26 13:23:43 +03:00
1991aebc0a
Merge remote-tracking branch 'upstream/master'
...
Conflicts:
builtin/credential/ldap/backend.go
2016-04-26 13:16:42 +03:00
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
d92b960f7a
Add list support to userpass users. Remove some unneeded existence
...
checks. Remove paths from requiring root.
Fixes #911
2016-04-09 18:28:55 -04:00
e3a1ee92b5
Utility Enhancements
2016-04-05 20:32:59 -04:00
95abdebb06
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
7df3ec46b0
Some fixups around error/warning in LDAP
2016-04-02 13:33:00 -04:00
40325b8042
If no group DN is configured, still look for policies on local users and
...
return a warning, rather than just trying to do an LDAP search on an
empty string.
2016-04-02 13:11:36 -04:00
7fd5a679ca
Fix potential error scoping issue.
...
Ping #1262
2016-03-30 19:48:23 -04:00
3cfcd4ddf1
Check for nil connection back from go-ldap, which apparently can happen even with no error
...
Ping #1262
2016-03-29 10:00:04 -04:00
17613f5fcf
Removing debugging comment
2016-03-24 09:48:13 -04:00
4c4a65ebd0
Properly check for policy equivalency during renewal.
...
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.
Fixes #1256
2016-03-24 09:41:51 -04:00
e7942062bd
- updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list
2016-03-21 19:44:08 +02:00
a82114eeb2
- added another method to search LDAP groups by querying the userDN for memberOf attribute
2016-03-21 16:55:38 +02:00
a8dd6aa4f1
Don't renew cert-based tokens if the policies have changed.
...
Also, add cert renewal testing.
Fixes #477
2016-03-17 14:22:24 -04:00
77e4ee76bb
Normalize userpass errors around bad user/pass
2016-03-16 15:19:55 -04:00
8a3f1ad13e
Use 400 instead of 500 for failing to provide a userpass password.
2016-03-16 15:14:28 -04:00
f9b1fc3aa0
Add comments to existence functions
2016-03-16 14:53:53 -04:00
1951159b25
Addessing review comments
2016-03-16 14:21:14 -04:00
239ad4ad7e
Refactor updating user values
2016-03-16 13:42:02 -04:00
533b136fe7
Reduce the visibility of setUser
2016-03-16 11:39:52 -04:00
2914ff7502
Use helper for existence check. Avoid panic by fetching default values for field data
2016-03-16 11:26:33 -04:00
1e889bc08c
Input validations and field renaming
2016-03-15 17:47:13 -04:00
a0958c9359
Refactor updating and creating userEntry into a helper function
2016-03-15 17:32:39 -04:00
acd545f1ed
Fetch and store UserEntry to properly handle both create and update
2016-03-15 17:05:23 -04:00
9609fe151b
Change path structure of password and policies endpoints in userpass
2016-03-15 16:46:12 -04:00
8be36b6925
Reuse the variable instead of fetching 'name' again
2016-03-15 16:21:47 -04:00
61b4cac458
Added paths to update policies and password
2016-03-15 16:12:55 -04:00
731bb97db5
Tests for updating password and policies in userpass backend
2016-03-15 16:09:23 -04:00
b7eb0a97e5
Userpass: Support updating policies and password
2016-03-15 15:18:21 -04:00
8aaf29b78d
Add forgotten test
2016-03-15 14:18:35 -04:00
8bf935bc2b
Add list support to certs in cert auth backend.
...
Fixes #1212
2016-03-15 14:07:40 -04:00
d648306d52
Add the ability to specify the app-id in the login path.
...
This makes it easier to use prefix revocation for tokens.
Ping #424
2016-03-14 16:24:01 -04:00
a6d8fc9d98
Merge pull request #1190 from grunzwei/master
...
fix github tests to use the provided GITHUB_ORG environment variable
2016-03-09 09:51:28 -05:00
ae469cc796
fix github tests to use the provided GITHUB_ORG environment variable
...
(tests fail for non hashicorp people)
2016-03-09 15:34:03 +02:00
5a17735dcb
Add subject/authority key id to cert metadata
2016-03-07 14:59:00 -05:00
4a3d3ef300
Use better error message on LDAP renew failure
2016-03-07 09:34:16 -05:00
44208455f6
continue if non-CA policy is not found
2016-03-01 16:43:51 -05:00
9a3ddc9696
Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow
2016-03-01 16:37:01 -05:00
cc1592e27a
corrections, policy matching changes and test cert changes
2016-03-01 16:37:01 -05:00
09eef70853
Added testcase for cert writes
2016-03-01 16:37:01 -05:00
f056e8a5a5
supporting non-ca certs for verification
2016-03-01 16:37:01 -05:00
aee006ba2d
moved the test cert keys to appropriate test-fixtures folder
2016-02-29 15:49:08 -05:00
cf672400d6
fixed the error log message
2016-02-29 10:41:10 -05:00
dca18aec2e
replaced old certs, with new certs generated from PKI backend, containing IP SANs
2016-02-28 22:15:54 -05:00
6b6005ee2e
Remove root token requirement from GitHub configuration
2016-02-25 08:51:53 -05:00
69bcbb28aa
rename verify_cert as disable_binding and invert the logic
2016-02-24 21:01:21 -05:00
902c780f2b
make the verification of certs in renewal configurable
2016-02-24 16:42:20 -05:00
bc4710eb06
Cert: renewal enhancements
2016-02-24 14:31:38 -05:00
053bbd97ea
check CIDR block for renewal as well
2016-02-24 10:55:31 -05:00
978075a1b4
Added renewal capability to app-id backend
2016-02-24 10:40:15 -05:00
fab2d8687a
Remove root requirement for certs/ and crls/ in TLS auth backend.
...
Fixes #468
2016-02-21 15:33:33 -05:00
6df75231b8
Merge pull request #1100 from hashicorp/issue-1030
...
Properly escape filter values in LDAP filters
2016-02-19 14:56:40 -05:00
05b5ff69ed
Address some feedback on ldap escaping help text
2016-02-19 13:47:26 -05:00
d7b40b32db
Properly escape filter values.
...
Fixes #1030
2016-02-19 13:16:52 -05:00
c67871c36e
Update LDAP documentation with a note on escaping
2016-02-19 13:16:18 -05:00
d3f3122307
Add tests to ldap using the discover capability
2016-02-19 11:46:59 -05:00
154c326060
Add ldap tests that use a bind dn and bind password
2016-02-19 11:38:27 -05:00
0b44d81a16
Github renewal enhancement
2016-02-11 20:42:42 -05:00
61eec74b4e
Remove app-id renewal for the moment until verification logic is added
2016-01-31 19:12:20 -05:00
bf13d68372
Fix userpass acceptance tests by giving it a system view
2016-01-29 20:14:14 -05:00
d3a705f17b
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
0db33274b7
discover bind dn with anonymous binds
2016-01-27 17:06:27 +01:00
4606cd1492
fix stupid c&p error
2016-01-26 16:15:25 +01:00
6a570345a0
add binddn/bindpath to search for the users bind DN
2016-01-26 15:56:41 +01:00
8fecccde21
Add STS path to AWS backend.
...
The new STS path allows for obtaining the same credentials that you would get
from the AWS "creds" path, except it will also provide a security token, and
will not have an annoyingly long propagation time before returning to the user.
2016-01-21 14:05:09 -05:00
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
5e72453b49
Use TypeDurationSecond instead of TypeString
2015-11-03 10:52:20 -05:00
154fc24777
Address first round of feedback from review
2015-11-03 10:52:20 -05:00
59cc61cc79
Add documentation for CRLs and some minor cleanup.
2015-11-03 10:52:20 -05:00
5d562693bd
Add tests for the crls path, and fix a couple bugs
2015-11-03 10:52:20 -05:00
Brian Rodgers