Commit graph

2215 commits

Author SHA1 Message Date
Becca Petrin c2894b8d05
Add Kerberos auth agent (#7999)
* add kerberos auth agent

* strip old comment

* changes from feedback

* strip appengine indirect dependency
2020-01-09 14:56:34 -08:00
Michel Vocks 02cdd8a6da
Fix DB root rotation replication issue (#8106)
* Fix DB root rotation replication issue

* Rebase and switch to new path forward options
2020-01-09 15:59:58 +01:00
Michel Vocks 1198fe848b
Fix potential panic in database credential role rotation (#8098) 2020-01-07 16:52:51 +01:00
catsby a15c6e3c72
remove redundant check and clarify code comment 2019-12-11 10:16:09 -06:00
Clint 80382d52d4
Transit: error when restoring to a name that looks like a path (#7998)
* Add test to verify #7663

* Validate name in transit key restore to not be a path
2019-12-11 09:32:22 -06:00
ncabatoff fde5e55ce9
Handle otherName SANs in CSRs (#6163)
If a CSR contains a SAN of type otherName, encoded in UTF-8, and the signing role specifies use_csr_sans, the otherName SAN will be included in the signed cert's SAN extension.

Allow single star in allowed_other_sans to match any OtherName.  Update documentation to clarify globbing behaviour.
2019-12-11 10:16:44 -05:00
Becca Petrin 535e88a629
Add an sts_region parameter to the AWS auth engine's client config (#7922) 2019-12-10 16:02:04 -08:00
Chris Hoffman ea0974b578
if storing the certificate, always generate/sign the certificate on the primary (#7904) 2019-12-05 13:50:28 -05:00
Calvin Leung Huang 7009dcc432
sdk/ldaputil: add request_timeout configuration option (#7909)
* sdk/ldaputil: add request_timeout configuration option

* go mod vendor
2019-11-20 11:26:13 -08:00
Brian Kassouf d7332c33d8
Fix issue deleting DB connections on Secondaries (#7853) 2019-11-11 09:04:24 -08:00
Jim Kalafut 59e526614d
Run go fmt (#7823) 2019-11-07 08:54:34 -08:00
Pascal Enz 33c1b7150f Rabbitmq topic permissions (#7751)
* Upgraded rabbit hole library to 2.0

* Added RabbitMQ topic permission support.

* Updated docs to cover RabbitMQ topic permissions.

* Improved comments and docs as suggested.
2019-10-30 14:19:49 -07:00
Denis Subbotin e9cdd451d1 Don't allow duplicate SAN names in PKI-issued certs (#7605)
* fix https://github.com/hashicorp/vault/issues/6571

* fix test TestBackend_OID_SANs because now SANs are alphabetic sorted
2019-10-28 12:31:56 -04:00
will-quan-bird 6456fd6222 allows emails@sign to be within the aws secrets engine path (#7553) 2019-10-25 09:01:01 -07:00
ncabatoff 13c00dfa38
Use docker instead of an external LDAP server that sometimes goes down (#7522) 2019-10-22 13:37:41 -04:00
Madalyn 977af116c8 Enable generated items for more auth methods (#7513)
* enable auth method item configuration in go code

* properly parse and list generated items

* make sure we only set name on attrs if a label comes from openAPI

* correctly construct paths object for method index route

* set sensitive property on password for userpass

* remove debugger statements

* pass method model to list route template to use paths on model for tabs

* update tab generation in generated item list, undo enabling userpass users

* enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint

* add editType to DisplayAttributes, pull tokenutil fields into field group

* show sensitive message for sensitive fields displayed in fieldGroupShow component

* grab sensitive and editType fields from displayAttrs in openapi-to-attrs util

* make sure we don't ask for paths for secret backends since that isn't setup yet

* fix styling of sensitive text for fieldGroupShow component

* update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test

* properly log errors to the console

* capitalize This value is sensitive...

* get rid of extra padding on bottom of fieldgroupshow

* make auth methods clickable and use new confirm ux

* Update sdk/framework/path.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* Update sdk/framework/path.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* add whitespace

* return intErr instead of err

* uncomment out helpUrl because we need it

* remove extra box class

* use const instead of let

* remove extra conditional since we already split the pathName later on

* ensure we request the correct url when listing generated items

* use const

* link to list and show pages

* remove dead code

* show nested item name instead of id

* add comments

* show tooltip for text-file inputs

* fix storybook

* remove extra filter

* add TODOs

* add comments

* comment out unused variables but leave them in function signature

* only link to auth methods that can be fully managed in the ui

* clean up comments

* only render tooltip if there is helpText

* rename id authMethodPath

* remove optionsForQuery since we don't need it

* add indentation

* standardize ConfirmMessage and show model name instead of id when editing

* standardize ConfirmMessage and show model name instead of id when editing

* add comments

* post to the correct updateUrl so we can edit users and groups

* use pop instead of slice

* add TODO for finding a better way to store ids

* ensure ids are handled the same way on list and show pages; fix editing and deleting

* add comment about difference between list and show urls

* use model.id instead of name since we do not need it

* remove dead code

* ensure list pages have page headers

* standardize using authMethodPath instead of method and remove dead code

* i love indentation

* remove more dead code

* use new Confirm

* show correct flash message when deleting an item

* update flash message for creating and updating

* use plus icon for creating group/user instead of an arrow
2019-10-17 16:19:14 -07:00
Lexman c86fe212c0
oss changes for entropy augmentation feature (#7670)
* oss changes for entropy augmentation feature

* fix oss command/server/config tests

* update go.sum

* fix logical_system and http/ tests

* adds vendored files

* removes unused variable
2019-10-17 10:33:00 -07:00
Jeff Mitchell 4b5572bf35 Don't continue in a few places in pki tidy if value is nil (#7589)
Fixes #7588
2019-10-15 09:55:08 -04:00
Jim Kalafut 03509f0226
Default to us-east-1 for CLI logins (#7622) 2019-10-14 11:55:10 -07:00
Jeff Mitchell 4252f5c9e4
Add AES128-GCM96 support to transit (#7555) 2019-10-03 16:11:43 -04:00
Jeff Mitchell 6d1e804a22
Add P384 and P521 support to Transit (#7551) 2019-10-03 12:32:43 -04:00
ncabatoff 71cb7cbf18
Fix issue with rotateCredentials deadlocking with itself (#7518) 2019-10-03 12:28:29 -04:00
Mike Jarmy afac13091b
Add a unit test for plugin initialization (#7158)
* stub out backend lazy load test

* stub out backend lazy-load test

* test startBackend

* test lazyLoadBackend

* clean up comments in test suite
2019-09-26 10:01:45 -04:00
Joel Thompson 551b7a5e5c secret/aws: Support permissions boundaries on iam_user creds (#6786)
* secrets/aws: Support permissions boundaries on iam_user creds

This allows configuring Vault to attach a permissions boundary policy to
IAM users that it creates, configured on a per-Vault-role basis.

* Fix indentation of policy in docs

Use spaces instead of tabs
2019-09-19 16:35:12 -07:00
Joel Thompson e8e59cd87c logical/aws: Clean up test user (#7459)
I probably left this cleanup commented out as part of debugging test
errors in #6789 and forgot to uncomment it, so actually cleaning up the
test user.
2019-09-13 11:05:43 -07:00
Joel Thompson 8a981004ec Add reading AWS root/config endpoint (#7245) 2019-09-13 10:07:04 -07:00
Joel Thompson ac18a44fae secret/aws: Pass policy ARNs to AssumedRole and FederationToken roles (#6789)
* secret/aws: Pass policy ARNs to AssumedRole and FederationToken roles

AWS now allows you to pass policy ARNs as well as, and in addition to,
policy documents for AssumeRole and GetFederationToken (see
https://aws.amazon.com/about-aws/whats-new/2019/05/session-permissions/).
Vault already collects policy ARNs for iam_user credential types; now it
will allow policy ARNs for assumed_role and federation_token credential
types and plumb them through to the appropriate AWS calls.

This brings along a minor breaking change. Vault roles of the
federation_token credential type are now required to have either a
policy_document or a policy_arns specified. This was implicit
previously; a missing policy_document would result in a validation error
from the AWS SDK when retrieving credentials. However, it would still
allow creating a role that didn't have a policy_document specified and
then later specifying it, after which retrieving the AWS credentials
would work. Similar workflows in which the Vault role didn't have a
policy_document specified for some period of time, such as deleting the
policy_document and then later adding it back, would also have worked
previously but will now be broken.

The reason for this breaking change is because a credential_type of
federation_token without either a policy_document or policy_arns
specified will return credentials that have equivalent permissions to
the credentials the Vault server itself is using. This is quite
dangerous (e.g., it could allow Vault clients access to retrieve
credentials that could modify Vault's underlying storage) and so should
be discouraged. This scenario is still possible when passing in an
appropriate policy_document or policy_arns parameter, but clients should
be explicitly aware of what they are doing and opt in to it by passing
in the appropriate role parameters.

* Error out on dangerous federation token retrieval

The AWS secrets role code now disallows creation of a dangerous role
configuration; however, pre-existing roles could have existed that would
trigger this now-dangerous code path, so also adding a check for this
configuration at credential retrieval time.

* Run makefmt

* Fix tests

* Fix comments/docs
2019-08-20 12:34:41 -07:00
Vishal Nayak 9b878b0717 go fmt on aws path role files 2019-08-16 11:25:33 -04:00
ncabatoff be7b9c2dc5 Since we run plenty of dockerized tests without requiring an env var to (#7291)
be set, let's make the Radius tests behave that way too.
2019-08-14 10:31:23 -04:00
Calvin Leung Huang 522fa83568 sdk/logical: handle empty token type string values as TokenTypeDefault (#7273)
* sdk/logical: handle empty token type string values as TokenTypeDefault

* add test case for missing token_type value
2019-08-14 09:45:40 -04:00
ncabatoff fab0f3298c Fix regression that causes panic when logging in via Radius. (#7290) 2019-08-13 17:11:24 -07:00
Joel Thompson e4b9efd37f logical/aws: Refactor role validation (#7276)
This refactors role validation for the AWS secrets engine to be in a
separate method. Previously, all validation was interspersed with the
parsing of parameters when creating/updating a role, which led to a high
degree of complexity. Now, all validation is centralized which makes it
easier to understand and also easier to test (and so a number of test
cases have been added).
2019-08-08 11:53:06 -07:00
ncabatoff f7690d1f6a
Handle TokenType serialized as string or as uint8. (#7233) 2019-08-05 16:51:14 -04:00
Becca Petrin 271bfdcda4
AWS credential plugin maintenance (#7114) 2019-07-31 16:11:35 -07:00
Jeff Mitchell 8cec74e256 Fix tests 2019-07-29 17:40:04 -04:00
Jeff Mitchell 022eaf1f5d
Port LDAP getCN changes to 1.2 branch (#7209) 2019-07-29 15:43:34 -04:00
Sam Salisbury e211a081ce
ci: remove travis config + all refs (#7122) 2019-07-25 11:10:31 +01:00
Nicolas Corrarello 446b564a2c Add maximum amount of random entropy requested (#7144)
* Add maximum amount of random characters requested at any given time

* Readability changes

* Removing sys/tools/random from the default policy

* Setting the maxBytes value as const

* Declaring maxBytes in the package to use it everywhere

* Using maxBytes in the error message
2019-07-24 18:22:23 -07:00
Nikolay Dyakov 137e1492e2 fix typo, to return correct error msg from updateUserPassword (#6861) 2019-07-24 12:58:26 -04:00
Jeff Mitchell 3c03f8d7e0
Don't try to revoke certs from PKI on perf standby (#7173)
It needs to do a write for the CRL and to move to the revoked prefix
2019-07-23 08:40:08 -04:00
Jeff Mitchell dbb25cfae4
Add req.Connection check in front of bound cidrs (#7163) 2019-07-22 12:44:34 -04:00
Jeff Mitchell 2f41018df8
Fix panic when logging in to userpass without a valid user (#7160) 2019-07-22 12:27:28 -04:00
Jeff Mitchell 7b8c0b58f1
Call goimports as well as gofmt when doing a make fmt (#7148)
Closes #7147
2019-07-18 21:04:56 -04:00
Brian Kassouf 94a263dcdf
Don't run Initialize on plugins on postUnseal (#7087)
* Don't run Initialize on plugins on postUnseal

* Add comments explaining that we do not want to initalize
2019-07-08 14:54:24 -07:00
Mike Jarmy e0ce2195cc AWS upgrade role entries (#7025)
* upgrade aws roles

* test upgrade aws roles

* Initialize aws credential backend at mount time

* add a TODO

* create end-to-end test for builtin/credential/aws

* fix bug in initializer

* improve comments

* add Initialize() to logical.Backend

* use Initialize() in Core.enableCredentialInternal()

* use InitializeRequest to call Initialize()

* improve unit testing for framework.Backend

* call logical.Backend.Initialize() from all of the places that it needs to be called.

* implement backend.proto changes for logical.Backend.Initialize()

* persist current role storage version when upgrading aws roles

* format comments correctly

* improve comments

* use postUnseal funcs to initialize backends

* simplify test suite

* improve test suite

* simplify logic in aws role upgrade

* simplify aws credential initialization logic

* simplify logic in aws role upgrade

* use the core's activeContext for initialization

* refactor builtin/plugin/Backend

* use a goroutine to upgrade the aws roles

* misc improvements and cleanup

* do not run AWS role upgrade on DR Secondary

* always call logical.Backend.Initialize() when loading a plugin.

* improve comments

* on standbys and DR secondaries we do not want to run any kind of upgrade logic

* fix awsVersion struct

* clarify aws version upgrade

* make the upgrade logic for aws auth more explicit

* aws upgrade is now called from a switch

* fix fallthrough bug

* simplify logic

* simplify logic

* rename things

* introduce currentAwsVersion const to track aws version

* improve comments

* rearrange things once more

* conglomerate things into one function

* stub out aws auth initialize e2e test

* improve aws auth initialize e2e test

* finish aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* fix typo in test suite

* simplify logic a tad

* rearrange assignment

* Fix a few lifecycle related issues in #7025 (#7075)

* Fix panic when plugin fails to load
2019-07-05 16:55:40 -07:00
Clint f27dc7d5f8 Combined Database backend: Add Static Account support to MongoDB (#7003)
* Implement SetCredentials for MongoDB, adding support for static accounts

* rework SetCredentials to split from CreateUser, and to parse the url for database

* Add integration test for mongodb static account rotation

* check the length of the password results to avoid out-of-bounds

* remove unused method

* use the pre-existing test helper for this. Add parse method to helper

* remove unused command
2019-07-05 14:57:01 -04:00
Jeff Mitchell fd856bdd24
Fix some compatibility (#7048) 2019-07-02 23:29:42 -04:00
Jeff Mitchell e36f626e75 Fix import cycle 2019-07-02 21:01:34 -04:00
Jeff Mitchell 7b672fee99
Add bound cidr checking at login time for remaining auths (#7046) 2019-07-02 17:44:38 -04:00
Jeff Mitchell ba29917e25 Fix github config path returning 500 instead of 404 2019-07-02 12:57:48 -04:00
Jeff Mitchell 126bdf2d02
Add UpgradeValue path to tokenutil (#7041)
This drastically reduces boilerplate for upgrading existing values
2019-07-02 09:52:05 -04:00
Jeff Mitchell 81770a4fe5 Fix some missing Period statements in recently tokenutilified auth method renewal funcs 2019-07-01 19:36:27 -04:00
Madalyn 910f615bf5
UI: Clean up Dynamic UI for CRUD (#6994) 2019-07-01 16:35:18 -04:00
Jeff Mitchell 25f676b42e
Switch cert to tokenutil (#7037) 2019-07-01 16:31:37 -04:00
Jeff Mitchell 18a4ab1db5
Update github to tokenutil (#7031)
* Update github to tokenutil

* Update phrasing
2019-07-01 16:31:30 -04:00
Jeff Mitchell e8f9ea2857
Tokenutilize radius (#7034) 2019-07-01 16:30:39 -04:00
Jeff Mitchell 9c81f88623
Tokenutilize Okta (#7032) 2019-07-01 16:30:30 -04:00
Jeff Mitchell 2bca5f439f
AppRole TokenUtil conversion (#7020) 2019-07-01 16:30:08 -04:00
Jeff Mitchell d5d2414b4b
Tokenutilize the AWS auth backend (#7027) 2019-07-01 16:29:34 -04:00
Jeff Mitchell 4e226a7c0e
Tokenutilize ldap (#7036) 2019-07-01 16:16:23 -04:00
Jeff Mitchell ebc1e64c62
Format requests/responses ahead of time in file audit (#7024)
This was inspired by #7022 but has the advantage of avoiding
double-locking and needing to perform lock upgrades while also
simplifying the logic and being faster.

Original, #7022, this:

goos: linux
goarch: amd64
pkg: github.com/hashicorp/vault/builtin/audit/file
BenchmarkAuditFile_request-4       30000             60734 ns/op
PASS
ok      github.com/hashicorp/vault/builtin/audit/file   2.428s

goos: linux
goarch: amd64
pkg: github.com/hashicorp/vault/builtin/audit/file
BenchmarkAuditFile_request-4       50000             34772 ns/op
PASS
ok      github.com/hashicorp/vault/builtin/audit/file   2.086s

goos: linux
goarch: amd64
pkg: github.com/hashicorp/vault/builtin/audit/file
BenchmarkAuditFile_request-4       50000             25302 ns/op
PASS
ok      github.com/hashicorp/vault/builtin/audit/file   1.542s

Fixes #7014
Closes #7022
2019-07-01 16:07:03 -04:00
Jeff Mitchell 45c0afa582 Fix up some displayattr text 2019-07-01 08:47:13 -04:00
Jeff Mitchell 5435645bb6
Fix upgrade logic with tokenutil (#7026)
If only a non-_token field is provided we don't want to clear out the
Token version of the params, we want to set both. Otherwise we can't
rely on using the Token version of the parameter when creating the Auth
struct.
2019-06-30 14:24:41 -04:00
Jeff Mitchell c3b7d35ecc
When using tokenutil, return []string not nil for empty slices (#7019)
This conveys type information instead of being a JSON null.
2019-06-29 16:36:21 -04:00
Jeff Mitchell 2e71ed0be2
Update userpass to use tokenutil's TokenParams (#6907)
* Update userpass to use tokenutil's TokenParams

* Use tokenutil deprecation helper
2019-06-28 18:20:53 -04:00
Jeff Mitchell 297a233b82 This breaks build (for a moment) because I want to pull this change out
of the tokenutil-userpass PR so that stands alone as a template.
2019-06-28 18:19:48 -04:00
Jeff Mitchell fe7bb0b630
Standardize how we format deprecated values in traditional path-help (#7007) 2019-06-27 14:52:52 -04:00
Clint 4b00597609
Combined Database backend: remove create/delete support (#6951)
* remove create/update database user for static accounts

* update tests after create/delete removed

* small cleanups

* update postgresql setcredentials test
2019-06-23 15:58:07 -05:00
Matthew Irish f0d7dc9a6d
UI - add kmip engine (#6936)
* add kmip engine

* adjust where kmip engine is mounted and sketch out routes

* add secret mount path service to share params to engines

* move list-controller and list-route mixins to core addon and adjust imports

* properly link kmip secrets from the secrets list page

* tweak routes and add list controllers

* stub out some models and adapters

* fix mixin exports

* move a bunch of components into the core addon

* use new empty yield in list-view in the namespace template

* scopes list using list-view and list-item components

* simplify and flatten routes, templates for all of the list pages

* role show route and template and scope create template

* add ember-router-helpers

* add more packages to the dependencies of the core addon

* add field-group-show component for listing fields from a model

* move more components to the shared addon

* make configure and configuration routes work and save a generated model

* save and list scopes

* role create, list, read

* list credentials properly

* move allowed attributes to field group

* show allowed operations on role details page

* add kmip logo to mount secrets engine list page

* add role edit page

* show all model attributes on role show page

* enable role edit

* fix newFields error by creating open api role model on the role list route

* only show selected fields on role edit page

* do not send scope and backend attrs to api

* move path-or-array to core addon

* move string-list component to core addon

* remove extra top border when there is only one field group

* add icons for all of the list pages

* update kmip config model so defaultValue doesn't error

* generate credentials

* credential create and show

* only show kmip when feature is enabled

* fix saving of TTL fields generated from Open API

* move masked-input and list-pagination components to core addon

* add param on edit form to allow for calling onSave after render happens

* polish credential show page and redirect there after generating credentials

* add externalLink for kmip engine

* add kmip-breadcrumb component

* use kmip-breadcrumb component

* add linkPrefix param to linked-block component to allow for routing programmatically inside an engine

* redirect to the right place when enabling kmip

* fix linting

* review feedback

* update signature for path-help usage

* fix ttl field expansion test

* remove role filed from role form, fix generate redirect

* remove field-group-show because it's in the core addon

* remove bottom rule from show pages

* fix Max TTL displayAttrs for ssh role

* update edit-form to take fields or attrs

* fix linting

* remove listenAddrs and set default val on ttl if a val is passed in
2019-06-21 16:05:45 -05:00
Madalyn a2606ddccf
update OpenAPI output to use DisplayAttributes struct (#6928) 2019-06-21 11:08:08 -04:00
Jim Kalafut 6d08c94866
Update LDAP "groups" parameter to use TypeCommaStringSlice (#6942)
No functional change, but the updated type plays nicer with the
OpenAPI-driven UI.
2019-06-20 15:36:54 -07:00
Jeff Mitchell 62158d65fe
Use a role cache to avoid separate locking paths (#6926)
* Use a role cache to avoid separate locking paths

Due to the various locked/nonlocked paths we had a case where we weren't
always checking for secondary status before trying to upgrade. This
broadly simplifies things by using a cache to store the current role
values (avoiding a lot of storage hits) and updating the cache on any
write, delete, or invalidation.
2019-06-20 10:31:31 -04:00
Clint b55303eddb
Combined Database Backend: Static Accounts (#6834)
* Add priority queue to sdk

* fix issue of storing pointers and now copy

* update to use copy structure

* Remove file, put Item struct def. into other file

* add link

* clean up docs

* refactor internal data structure to hide heap method implementations. Other cleanup after feedback

* rename PushItem and PopItem to just Push/Pop, after encapsulating the heap methods

* updates after feedback

* refactoring/renaming

* guard against pushing a nil item

* minor updates after feedback

* Add SetCredentials, GenerateCredentials gRPC methods to combined database backend gPRC

* Initial Combined database backend implementation of static accounts and automatic rotation

* vendor updates

* initial implementation of static accounts with Combined database backend, starting with PostgreSQL implementation

* add lock and setup of rotation queue

* vendor the queue

* rebase on new method signature of queue

* remove mongo tests for now

* update default role sql

* gofmt after rebase

* cleanup after rebasing to remove checks for ErrNotFound error

* rebase cdcr-priority-queue

* vendor dependencies with 'go mod vendor'

* website database docs for Static Role support

* document the rotate-role API endpoint

* postgres specific static role docs

* use constants for paths

* updates from review

* remove dead code

* combine and clarify error message for older plugins

* Update builtin/logical/database/backend.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* cleanups from feedback

* code and comment cleanups

* move db.RLock higher to protect db.GenerateCredentials call

* Return output with WALID if we failed to delete the WAL

* Update builtin/logical/database/path_creds_create.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* updates after running 'make fmt'

* update after running 'make proto'

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* update comment and remove and rearrange some dead code

* Update website/source/api/secret/databases/index.html.md

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* cleanups after review

* Update sdk/database/dbplugin/grpc_transport.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* code cleanup after feedback

* remove PasswordLastSet; it's not used

* document GenerateCredentials and SetCredentials

* Update builtin/logical/database/path_rotate_credentials.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* wrap pop and popbykey in backend methods to protect against nil cred rotation queue

* use strings.HasPrefix instead of direct equality check for path

* Forgot to commit this

* updates after feedback

* re-purpose an outdated test to now check that static and dynamic roles cannot share a name

* check for unique name across dynamic and static roles

* refactor loadStaticWALs to return a map of name/setCredentialsWAL struct to consolidate where we're calling set credentials

* remove commented out code

* refactor to have loadstaticwals filter out wals for roles that no longer exist

* return error if nil input given

* add nil check for input into setStaticAccount

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* add constant for queue tick time in seconds, used for comparrison in updates

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* code cleanup after review

* remove misplaced code comment

* remove commented out code

* create a queue in the Factory method, even if it's never used

* update path_roles to use a common set of fields, with specific overrides for dynamic/static roles by type

* document new method

* move rotation things into a specific file

* rename test file and consolidate some static account tests

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* update code comments, method names, and move more methods into rotation.go

* update comments to be capitalized

* remove the item from the queue before we try to destroy it

* findStaticWAL returns an error

* use lowercase keys when encoding WAL entries

* small cleanups

* remove vestigial static account check

* remove redundant DeleteWAL call in populate queue

* if we error on loading role, push back to queue with 10 second backoff

* poll in initqueue to make sure the backend is setup and can write/delete data

* add revoke_user_on_delete flag to allow users to opt-in to revoking the static database user on delete of the Vault role. Default false

* add code comments on read-only loop

* code comment updates

* re-push if error returned from find static wal

* add locksutil and acquire locks when pop'ing from the queue

* grab exclusive locks for updating static roles

* Add SetCredentials and GenerateCredentials stubs to mockPlugin

* add a switch in initQueue to listen for cancelation

* remove guard on zero time, it should have no affect

* create a new context in Factory to pass on and use for closing the backend queue

* restore master copy of vendor dir
2019-06-19 14:45:39 -05:00
Calvin Leung Huang 76cc52f48c
auth/aws: guard against malformed assumed role ARNs (#6917)
* auth/aws: guard against malformed assumed role ARNs

* revert helper func changes
2019-06-18 15:51:40 -07:00
Lexman 9aa4662cec transit cache is an Interface implemented by wrapped versions of sync… (#6225)
* transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru

* transit cache is an Interface implemented by wrapped versions of syncmap and golang-lru

* changed some import paths to point to sdk

* Apply suggestions from code review

Co-Authored-By: Lexman42 <Lexman42@users.noreply.github.com>

* updates docs with information on transit/cache-config endpoint

* updates vendored files

* fixes policy tests to actually use a cache where expected and renames the struct and storage path used for cache configurations to be more generic

* updates document links

* fixed a typo in a documentation link

* changes cache_size to just size for the cache-config endpoint
2019-06-04 15:40:56 -07:00
ncabatoff ad28263b69
Allow plugins to submit audit requests/responses via extended SystemView (#6777)
Move audit.LogInput to sdk/logical.  Allow the Data values in audited
logical.Request and Response to implement OptMarshaler, in which case
we delegate hashing/serializing responsibility to them.  Add new
ClientCertificateSerialNumber audit request field.

SystemView can now be cast to ExtendedSystemView to expose the Auditor
interface, which allows submitting requests and responses to the audit
broker.
2019-05-22 18:52:53 -04:00
Jim Kalafut 8a0d423ed8
Fix gofmt (#6764) 2019-05-20 15:15:05 -07:00
Nick Cabatoff 7380c2fd9d Fix a test bug I introduced in 1d13290b361314466f76e251826f60c92aa67bb7 by failing to update my PR to the latest master before merging. 2019-05-09 11:59:22 -04:00
ncabatoff c48936c4fd
Refactor cert util (#6676)
Break dataBundle into two pieces: inputBundle, which contains data that
is specific to the pki backend, and creationBundle, which is a more
generic bundle of validated inputs given to certificate creation/signing routines.

Move functions that only take creationBundle to certutil and make them public.
2019-05-09 11:43:11 -04:00
Mark Gritter 4cab0047a1
Fix test to use stable order to generate expected result. (#6692) 2019-05-07 14:01:49 -05:00
Mark Gritter 56c46b852c
Merge branch 'master' into fix-ou-ordering 2019-05-02 18:59:17 -05:00
mgritter 2d3d6a856b gofmt fixes. 2019-05-02 16:29:41 -07:00
Jim Kalafut 2835131117
Apply suggestions from code review
Co-Authored-By: mgritter <mgritter@gmail.com>
2019-05-02 18:02:15 -05:00
mgritter 4e22fb6704 Ensure OU entries are not reordered. 2019-05-02 14:31:29 -07:00
Jim Kalafut 8bc9fa4583
Fix Okta auth to allow group names containing slashes (#6665)
This PR also adds CollectKeysPrefix which allows a more memory efficient
key scan for those cases where the result is immediately filtered by
prefix.
2019-05-01 14:56:18 -07:00
Calvin Leung Huang 93ee14844f cert/tests: fix tests due to cert expiry (#6647) 2019-04-26 16:49:30 -07:00
Becca Petrin 22a6e54957
Merge pull request #6380 from povils/aws_user_path
AWS add user_path option for role.
2019-04-23 09:05:35 -07:00
ncabatoff 06574da57a
Merge multiple functions for creating consul containers into one. (#6612)
Merge both functions for creating mongodb containers into one.
Add retries to docker container cleanups.
Require $VAULT_ACC be set to enable AWS tests.
2019-04-22 12:26:10 -04:00
Povilas Susinskas 67f5bbe88f AWS backend: Add user_path option for role. 2019-04-22 18:07:21 +02:00
Jeff Mitchell 5dcfe7bf5f
Fix a dropped Okta error (#6592) 2019-04-16 13:05:50 -04:00
Jeff Mitchell 213b9fd1cf Update to api 1.0.1 and sdk 0.1.8 2019-04-15 14:10:07 -04:00
Becca Petrin d3b7c3ccaf Add explanation to dbplugin.Database (#6581)
* add explanation to the database interface

* wordsmithing

* wrap comments, add comments for Type and Close methods

* will be stored, not with be stored

* update comment on the Type method
2019-04-15 08:39:44 -07:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 1b5155080b Update protobufs, sdk changes 2019-04-12 23:13:14 -04:00
Jeff Mitchell 33faef3840 Fix some test breakages 2019-04-12 22:05:01 -04:00
Jeff Mitchell 28e2ce8577 Fix build breakages 2019-04-12 22:01:13 -04:00
Becca Petrin 6ded269700
Merge pull request #6268 from hashicorp/6234-aws-region
Add region to CLI for generating AWS login data
2019-04-12 16:15:38 -07:00
Jeff Mitchell 80c303ac83 Move ldaputil and tlsutil over to sdk 2019-04-12 18:26:54 -04:00
Jeff Mitchell a1796b3ece Move password to sdk 2019-04-12 18:12:13 -04:00
Jeff Mitchell 8d6ce1ffb5 Move policyutil to sdk 2019-04-12 18:08:46 -04:00
Jeff Mitchell 7ca424e8d2 Move cidrutil to sdk 2019-04-12 18:03:59 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Becca Petrin 4a4eab50a1 Merge branch 'opensource-master' into 6234-aws-region 2019-04-03 11:37:33 -07:00
Jeff Mitchell 0e93244b14 Clean up test artifacts 2019-04-02 15:09:31 -04:00
Jeff Mitchell a6d6d55c03
Fix failing cert test due to cert expiration (#6520)
This introduces a way to just generate new certs for each test. It
doesn't port everything over but we can over time.
2019-04-02 14:49:42 -04:00
Brian Kassouf f53b728d38
Update plugin.go 2019-04-01 16:45:59 -07:00
Calvin Leung Huang 000066aff7
Update builtin/credential/aws/cli.go
Co-Authored-By: tyrannosaurus-becks <beccapetrin@posteo.net>
2019-04-01 15:37:02 -07:00
Becca Petrin 339cfcaaf8 merge master 2019-04-01 13:52:44 -07:00
Matt Greenfield 080d4652f0 Fix uri_sans param being ignored when use_csr_values=false (#6505) 2019-04-01 16:08:22 -04:00
T.K 453f1ac109 changed misspelled english words (#6432) 2019-03-19 09:32:45 -04:00
Iskander (Alex) Sharipov b4d30a1b6c all: fix no-op append calls (#6360)
Append call in form of `append(s)` has no effect,
it just returns `s`. Sometimes such invocation is a sign
of a programming error, so it's better to remove these.

Signed-off-by: Iskander Sharipov <quasilyte@gmail.com>
2019-03-14 13:40:30 -07:00
Matthew Bamber 4283e6a408 Fix SSH zero address OTP delete (#6390)
* Fix SSH zero address OTP delete

Fixed bug where SSH OTP roles could not be deleted if a zero-address role
previously existed, and there currently exist no zero-address roles.

Fixes #6382

* Eliminate zeroAddressRoles remove function
2019-03-14 08:56:40 -07:00
Martin 1b9327fe3f Fix inverted description for ldap/users$ and ldap/groups$ endpoints (#6406) 2019-03-13 11:02:45 -07:00
Jeff Mitchell 3b0d07a440
ToUpper base32 values for TOTP key ingress (#6400)
Fixes #6396
2019-03-12 11:07:03 -04:00
Becca Petrin 1909b20217 merge master 2019-03-05 09:39:53 -08:00
Jim Kalafut a34099b9bb
Use HashTypeMap and remove structs in batch HMAC (#6334) 2019-03-04 14:49:29 -08:00
martinwaite 04c174214c Batch hmac - (#5850) (#5875) 2019-03-04 12:26:20 -08:00
Becca Petrin 5829774e91
Support env vars for STS region (#6284) 2019-02-28 09:31:06 -08:00
Joel Thompson dbff485a1f Coax AWS SDK to use right region for STS 2019-02-20 22:57:39 -05:00
Becca Petrin 65b8ad9187 allow aws region in cli login 2019-02-20 16:43:21 -08:00
Brian Kassouf efe5671f36 make fmt 2019-02-20 12:12:21 -08:00
madalynrose 625f0c7546
Update OpenAPI responses to include information the UI can use (#6204) 2019-02-14 12:42:44 -05:00
Brian Kassouf 524b65cb9b
Remove netRPC based plugins (#6173)
* Remove netRPC backend plugins

* Remove netRPC database plugins

* Fix tests and comments
2019-02-12 09:31:03 -08:00
Clint 0db43e697b Add signed key constraints to SSH CA [continued] (#6030)
* Adds the ability to enforce particular ssh key types and minimum key
lengths when using Signed SSH Certificates via the SSH Secret Engine.
2019-02-11 13:03:26 -05:00
Becca Petrin ba3ed879f8
Use null strings in MSSQL to prevent errs (#6099) 2019-02-08 10:04:54 -08:00
Jeff Mitchell 82a85aa8c8 Make fmt 2019-02-08 09:12:55 -05:00
Naoki Ainoya a967078d80 add missing key bound_cidrs in pathCertRead Response (#6080) 2019-02-07 22:41:38 -05:00
Brian Nuszkowski 707c6d1813 Add SHA1 signing/verification support to transit engine (#6037)
* Add SHA1 signing/verification support to transit engine

* Update signing/verification endpoint documentation to include sha1 hash algorithm
2019-02-07 15:31:31 -08:00
Becca Petrin 3225a66d34 Return a more helpful error message for unknown db roles (#6157)
* return a more helpful err msg

* update test, print fmt

* fix other test failure
2019-02-07 11:16:23 -08:00
Becca Petrin 421a526e8f dont automatically accept mssql eula (#6169) 2019-02-05 14:11:06 -08:00
Jeff Mitchell 5f249d4005
Add allowed_response_headers (#6115) 2019-02-05 16:02:15 -05:00
Jeff Mitchell 2f9a7c6203
Add more perf standby guards (#6149) 2019-02-01 16:56:57 -05:00
Jeff Mitchell bbc1d53a5d Revert "Refactor common token fields and operations into a helper (#5953)"
This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 11:23:40 -05:00
Joel Thompson 33400e6e99 Fix typo in help text (#6136)
Small typo introduced in #6133
2019-01-31 08:53:54 -08:00
Jeff Mitchell 85a560abba
Refactor common token fields and operations into a helper (#5953) 2019-01-30 16:23:28 -05:00
Jeff Mitchell d8b0015d71 Add role ID to token metadata and internal data 2019-01-30 16:17:31 -05:00
Jeff Mitchell 47accf8086 Add role_id as an alias name source for AWS and change the defaults 2019-01-30 15:51:45 -05:00
Jeff Mitchell 5e126f6de8
Implement JWS-compatible signature marshaling (#6077)
This currently only applies to ECDSA signatures, and is a toggleable
option.
2019-01-23 12:31:34 -05:00
Jeff Mitchell 159f0c1b0a Fix typo in comment 2019-01-17 13:28:27 -05:00
Vishal Nayak 0c30f46587
Add option to configure ec2_alias values (#5846)
* Add option to configure ec2_alias values

* Doc updates

* Fix overwriting of previous config value

* s/configEntry/config

* Fix formatting

* Address review feedback

* Address review feedback
2019-01-09 18:28:29 -05:00
ncabatoff 3e3498073e Fix #5973 on windows by disregarding errors when querying legacy cert path. (#6013) 2019-01-08 18:08:21 -08:00
Jim Kalafut d0e2badbae Run goimports across the repository (#6010)
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Jeff Mitchell e11c7966fa
Change credential_types output to credential_type (#5975)
Fixes #5972
2019-01-04 14:49:53 -05:00
Jeff Mitchell cb1a686e3b
Strip empty strings from database revocation stmts (#5955)
* Strip empty strings from database revocation stmts

It's technically valid to give empty strings as statements to run on
most databases. However, in the case of revocation statements, it's not
only generally inadvisable but can lead to lack of revocations when you
expect them. This strips empty strings from the array of revocation
statements.

It also makes two other changes:

* Return statements on read as empty but valid arrays rather than nulls,
so that typing information is inferred (this is more in line with the
rest of Vault these days)

* Changes field data for TypeStringSlice and TypeCommaStringSlice such
that a client-supplied value of `""` doesn't turn into `[]string{""}`
but rather `[]string{}`.

The latter and the explicit revocation statement changes are related,
and defense in depth.
2018-12-14 09:12:26 -05:00
Lukasz Jagiello 76008b2e1e Remove an empty line for /pki/ca_chain (#5779)
This PR fix #5778.

Easy test case to reproduce the problem:
https://play.golang.org/p/CAMdrOHT7C1

Since `certStr` is empty string during first iteration `strings.Join()`
will merge empty line with first CA cert.

Extra `strings.TrimSpace` call will remove that empty line, before
certificate will be return.
2018-12-12 15:38:35 -05:00
Jeff Mitchell e3c538e9cb Fix tests 2018-12-11 15:04:02 -05:00
Jeff Mitchell c178d05e07
Properly continue if cert entry is nil when tidying (#5933)
Fixes #5931
2018-12-11 11:28:14 -05:00
Jeff Mitchell 13b5c3be51
Fix SSH CA giving 500 if keys need to be deleted (#5897) 2018-12-04 13:29:11 -05:00
Brian Kassouf 0c6793d774
Update path_role.go (#5820) 2018-11-19 13:40:36 -08:00
Calvin Leung Huang e6ec67fb8f
Use inclusive range on cert role diff comparison (#5737) 2018-11-08 12:15:12 -08:00
Jeff Mitchell fa26beeaed fmt 2018-11-07 16:52:01 -05:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
Calvin Leung Huang b4503d02c6
Call wg.Add(1) outside of goroutine (#5716) 2018-11-06 16:36:13 -08:00
Calvin Leung Huang 20faa90ee3 Use Truncate instead of Round on duration diff (#5691) 2018-11-05 17:32:33 -05:00
Calvin Leung Huang 1a4e8fe53d Round time diff to nearest second to reduce flakiness (#5688) 2018-11-05 16:49:25 -05:00
Vishal Nayak 332e32294a
Remove namespace.TestContext and namespace.TestNamespace (#5682) 2018-11-05 11:11:32 -05:00
Nicolas Corrarello 0b44a55d22 Adding support for Consul 1.4 ACL system (#5586)
* Adding support for Consul 1.4 ACL system

* Working tests

* Fixed logic gate

* Fixed logical gate that evaluate empty policy or empty list of policy names

* Ensure tests are run against appropiate Consul versions

* Running tests against official container with a 1.4.0-rc1 tag

* policies can never be nil (as even if it is empty will be an empty array)

* addressing feedback, refactoring tests

* removing cast

* converting old lease field to ttl, adding max ttl

* cleanup

* adding missing test

* testing wrong version

* adding support for local tokens

* addressing feedback
2018-11-02 10:44:12 -04:00
Vishal Nayak 142a944bfd
Allow @ to be part of key name in TOTP secret engine (#5652)
* Allow @ to be part of key name in TOTP secret engine

* Allow @ for key name while generating the code
2018-10-31 12:57:18 -04:00
Jeff Mitchell 6c488921ff Fix website/path-help docs around pki/tidy 2018-10-30 21:33:30 -04:00
Balazs Nagy ca5c60642e Use tidy_revoked_certs instead of tidy_revocation_list (#5608) 2018-10-29 19:29:35 -04:00
Jeff Mitchell 8eca41ee2d Fix build 2018-10-27 14:06:20 -04:00
Jeff Mitchell a21a7e9eb4
Change ordering of user lookup vs. password hashing (#5614)
* Change ordering of user lookup vs. password hashing

This fixes a very minor information leak where someone could brute force
the existence of a username. It's not perfect as the underlying storage
plays a part but bcrypt's slowness puts that much more in the noise.
2018-10-27 10:43:08 -07:00
Jeff Mitchell 12f32ad22c Merge branch 'master-oss' into 1.0-beta-oss 2018-10-22 12:32:44 -04:00
Jeff Mitchell 89f0efb6a1 fmt 2018-10-20 21:09:51 -04:00
andrejvanderzee 585911c79e Added role-option max_sts_ttl to cap TTL for AWS STS credentials. (#5500)
* Added role-option max_sts_ttl to cap TTL for AWS STS credentials.

* Allow for setting max_sts_ttl to 0 after it has been set already.

* Fixed message in error response for default_sts_ttl > max_sts_ttl.
2018-10-20 10:36:47 -04:00
Matthew Irish 8073ebcd1e Merge branch 'oss-master' into 1.0-beta-oss 2018-10-19 20:40:36 -05:00
Brian Kassouf e943a60041
Plugin version negotiation (#5434)
* Plugin version updates

* Update datatbase plugins

* Revert netRPC deletions

* Revert netRPC deletions

* Update plugins to serve both versions

* Update database plugins

* Add Initialize back in

* revert pointer changes

* Add deprecation warning

* Update tests

* Update go-plugin

* Review Feedback
2018-10-19 15:56:17 -07:00
Jeff Mitchell 9f6dd376e2 Merge branch 'master-oss' into 1.0-beta-oss 2018-10-19 17:47:58 -04:00
Jeff Mitchell 5e2cc31cb6
Remove now-spurious ttl check and logic from sign-verbatim. (#5552)
This endpoint eventually goes through generateCreationBundle where we
already have the right checks.

Also add expiration to returned value to match output when using root
generation.

Fixes #5549
2018-10-19 11:13:59 -04:00
Chris Hoffman 6a462ea4d3
Only run cassandra test with VAULT_ACC set 2018-10-19 11:09:28 -04:00
Chris Hoffman a7b4d97e4a
trying to fix cassandra running on travis 2018-10-19 10:45:37 -04:00
Jeff Mitchell 841c4fcdd1 Merge branch 'master-oss' into 1.0-beta-oss 2018-10-19 09:25:17 -04:00
Evgeniy Zakharochkin 46948aef80 ability to add NAS Identifier header to radius request (#5465) 2018-10-18 13:41:14 -04:00
Jeff Mitchell d843e0b52c Merge branch 'master-oss' into 1.0-beta-oss 2018-10-18 10:28:14 -04:00
Vishal Nayak 4c8aa842ad
Return absolute paths while listing in LDAP backend (#5537) 2018-10-17 14:56:51 -07:00
Vishal Nayak ec7343b1c6
Transit: Key Trim (#5388)
* Support key trimming

* Add doc

* Move trimming to its own endpoint

* Remove trimmed_min_version field from config endpoint

* Fix description

* Doc updates

* Fix response json in docs

* Address review feedback

* s/min_version/min_available_version

* Commenting and error statement updates
2018-10-17 09:05:05 -07:00
Jeff Mitchell 8442fa272a Use TypeCommaStringSlice for SSH zeroaddress roles (#5528)
Fixes #5527
2018-10-16 23:33:12 -07:00
Jeff Mitchell a64fc7d7cb
Batch tokens (#755) 2018-10-15 12:56:24 -04:00
Jeff Mitchell 4217ced72d
Re-add default NotBefore duration in PKI (#5482)
Fixes #5481
2018-10-10 09:42:37 -04:00
Jeff Mitchell c8dbab9c3d
Only return 200 if there are actually warnings in AWS roles create/update (#5487) 2018-10-09 16:52:47 -04:00
Calvin Leung Huang b47e648ddf
Logger cleanup (#5480) 2018-10-09 09:43:17 -07:00
Calvin Leung Huang 1b8b9a49d4
Remove unnecessary test (#5483) 2018-10-09 09:40:47 -07:00
Becca Petrin 937cfff21a
Make builtin auth and secret plugins buildable (#5456) 2018-10-09 09:29:20 -07:00
Jeff Mitchell ff57c14bc2
Set allowed OIDs to any value when generaing a CA. (#5462)
* Set allowed OIDs to any value when generaing a CA.

Also, allow utf-8 in addition to utf8 as the OID type specifier, and
allow `*` to specify any OID of a supported type.

* Update PKI docs
2018-10-08 09:51:43 -04:00
Brian Kassouf 2995c06a53
Fix build (#5457) 2018-10-03 14:53:08 -07:00
Jeff Mitchell ec2ab502fc make fmt 2018-10-02 14:30:10 -04:00
sk4ry 0fab335eec Add ability to configure the NotBefore property of certificates in role api (#5325)
* Add ability to configure the NotBefore property of certificates in role api

* Update index.html.md

* converting field to time.Duration

* setting default back to 30s

* renaming the parameter not_before_duration to differentiate between the NotBefore datetime on the cert

* Update description
2018-10-02 11:10:43 -04:00
Joel Thompson 6a9e6cc474 Allow specifying role-default TTLs in AWS secret engine (#5138)
* Allow specifying role-default TTLs in AWS secret engine

* Add an acceptance test

* Add docs for AWS secret role-default TTLs

* Rename default_ttl to default_sts_ttl

* Return default_ttl as int64 instead of time.Duration

* Fix broken tests

The merge of #5383 broke the tests due to some changes in the test style
that didn't actually cause a git merge conflict. This updates the tests
to the new style.
2018-10-02 10:14:16 -04:00
Calvin Leung Huang 74c50adb58 logical/nomad: Reduce flakiness in prepareTestContainer (#5440) 2018-10-01 17:46:37 -07:00
Jeff Mitchell 13f98d9a4b
Fix reading Okta token parameter when config param exists (#5429)
Fixes #5409
2018-09-28 11:28:06 -04:00
joe miller d39ffc9e25 add allowed_organiztaional_units parameter to cert credential backend (#5252)
Specifying the `allowed_organiztaional_units` parameter to a cert auth
backend role will require client certificates to contain at least one of
a list of one or more "organizational units" (OU).

Example use cases:

Certificates are issued to entities in an organization arrangement by
organizational unit (OU). The OU may be a department, team, or any other logical
grouping of resources with similar roles. The entities within the OU
should be granted the same policies.

```
$ vault write auth/cert/certs/ou-engineering \
    certificate=@ca.pem \
    policies=engineering \
    allowed_organiztaional_units=engineering

$ vault write auth/cert/certs/ou-engineering \
    certificate=@ca.pem \
    policies=engineering \
    allowed_organiztaional_units=engineering,support
```
2018-09-27 19:04:55 -05:00
vishalnayak c91266950f Fix broken build 2018-09-27 10:58:04 -04:00
Joel Thompson 73112c49fb logical/aws: Harden WAL entry creation (#5202)
* logical/aws: Harden WAL entry creation

If AWS IAM user creation failed in any way, the WAL corresponding to the
IAM user would get left around and Vault would try to roll it back.
However, because the user never existed, the rollback failed. Thus, the
WAL would essentially get "stuck" and Vault would continually attempt to
roll it back, failing every time. A similar situation could arise if the
IAM user that Vault created got deleted out of band, or if Vault deleted
it but was unable to write the lease revocation back to storage (e.g., a
storage failure).

This attempts to harden it in two ways. One is by deleting the WAL log
entry if the IAM user creation fails. However, the WAL deletion could
still fail, and this wouldn't help where the user is deleted out of
band, so second, consider the user rolled back if the user just doesn't
exist, under certain circumstances.

Fixes #5190

* Fix segfault in expiration unit tests

TestExpiration_Tidy was passing in a leaseEntry that had a nil Secret,
which then caused a segfault as the changes to revokeEntry didn't check
whether Secret was nil; this is probably unlikely to occur in real life,
but good to be extra cautious.

* Fix potential segfault

Missed the else...

* Respond to PR feedback
2018-09-27 09:54:59 -05:00
Joel Thompson 2dc468f4d1 auth/aws: Make identity alias configurable (#5247)
* auth/aws: Make identity alias configurable

This is inspired by #4178, though not quite exactly what is requested
there. Rather than just use RoleSessionName as the Identity alias, the
full ARN is uses as the Alias. This mitigates against concerns that an
AWS role with an insufficiently secured trust policy could allow an
attacker to generate arbitrary RoleSessionNames in AssumeRole calls to
impersonate anybody in the Identity store that had an alias set up.
By using the full ARN, the owner of the identity store has to explicitly
trust specific AWS roles in specific AWS accounts to generate an
appropriate RoleSessionName to map back to an identity.

Fixes #4178

* Respond to PR feedback

* Remove CreateOperation

Response to PR feedback
2018-09-26 08:27:12 -07:00
Joel Thompson 5e6f8904d8 Add AWS Secret Engine Root Credential Rotation (#5140)
* Add AWS Secret Engine Root Credential Rotation

This allows the AWS Secret Engine to rotate its credentials used to
access AWS. This will only work when the AWS Secret Engine has been
provided explicit IAM credentials via the config/root endpoint, and
further, when the IAM credentials provided are the only access key on
the IAM user associated wtih the access key (because AWS allows a
maximum of 2 access keys per user).

Fixes #4385

* Add test for AWS root credential rotation

Also fix a typo in the root credential rotation code

* Add docs for AWS root rotation

* Add locks around reading and writing config/root

And wire the backend up in a bunch of places so the config can get the
lock

* Respond to PR feedback

* Fix casing in error messages

* Fix merge errors

* Fix locking bugs
2018-09-26 07:10:00 -07:00
Joel Thompson e66795a095 logical/aws: Run Acceptance Tests in Parallel (#5383)
* Parallelize a couple AWS acceptance tests

Starting an effort to paralleize AWS secret engine acceptance tests.
Currently they take over a minute to run, and this parallelizes the two
that explicitly call a 10-second sleep, reulting in a 10-second speedup
in test time.

* Parameterize IAM user name

Probably not needed, but future-proofing the code

* Make remainder of tests parallel

AWS_ACCOUNT_ID environment variable is no longer being used; global
mutable state is a recipe for disaster when trying to run things in
parallel, and parallelizing the tests exposed a race condition in which
they were depending on the AWS_ACCOUNT_ID environment variable to be set
before they were run.

AWS_DEFAULT_REGION is still left as an environment variable because it
is required by AWS SDKs, but its configuration is now protected by a
sync.Once to ensure it only ever gets called a single time.

* Replace generateUnique*Name with testhelpers method
2018-09-25 17:10:53 -07:00
Clint fec3b70374
Allow force restore for Transit Key Restores (#5382)
* Add test file for testing path_restore in Transit backend. Fails because 'force' is not implemented yet

* initial implementation of 'force', to force restore of existing transit key atomically
2018-09-25 15:20:59 -05:00
Jeff Mitchell 33065a60db Fix compilation/protobuf 2018-09-22 17:58:39 -04:00
Calvin Leung Huang 189b893b35
Add ability to provide env vars to plugins (#5359)
* Add ability to provide env vars to plugins

* Update docs

* Update docs with examples

* Refactor TestAddTestPlugin, remove TestAddTestPluginTempDir
2018-09-20 10:50:29 -07:00
Clint 5882156f53
Translate AWS Rate limiting errors to 502 errors (#5270)
* Initial implemntation of returning 529 for rate limits

- bump aws iam and sts packages to v1.14.31 to get mocking interface
- promote the iam and sts clients to the aws backend struct, for mocking in tests
- this also promotes some functions to methods on the Backend struct, so
  that we can use the injected client

Generating creds requires reading config/root for credentials to contact
IAM. Here we make pathConfigRoot a method on aws/backend so we can clear
the clients on successful update of config/root path. Adds a mutex to
safely clear the clients

* refactor locking and unlocking into methods on *backend

* refactor/simply the locking

* check client after grabbing lock
2018-09-18 15:26:06 -05:00
Jeff Mitchell 919b968c27
The big one (#5346) 2018-09-17 23:03:00 -04:00
Brian Kassouf a2608a3b61
Fix approle tidy on performance standbys (#5338)
* Fix approle tidy on performance standbys

* Forward PKI and AWS also
2018-09-17 09:53:23 -07:00
Clint 5f5af90dfe
Update AWS auth backend iam_request_headers to be TypeHeader (#5320)
Update AWS Auth backend to use TypeHeader for iam request headers

- Remove parseIamRequestHeaders function and test, no longer needed with new TypeHeader
- Update AWS auth login docs
2018-09-12 16:16:16 -05:00
Becca Petrin b2ff87c9c2
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 13:30:57 -07:00
Jim Kalafut e1a326152d
Switch to strings.EqualFold (#5284) 2018-09-11 16:22:29 -07:00
Jeff Mitchell c28ed23972
Allow most parts of Vault's logging to have its level changed on-the-fly (#5280)
* Allow most parts of Vault's logging to have its level changed on-the-fly

* Use a const for not set
2018-09-05 15:52:54 -04:00
Jeff Mitchell f8da8a556f Fix PKI test; add deprecated parameter as synonym 2018-09-05 12:33:31 -04:00
Jason Watson d126d94779 Fix small warning message typo: paramemter (#5232) 2018-09-05 11:56:09 -04:00
Jeff Mitchell c9b06f3b62
Remove certificates from store if tidying revoked certificates (#5231)
This will cause them to be removed even if they have not expired yet,
whereas before it would simply leave them in the store until they were
expired, but remove from revocation info.
2018-09-05 11:47:27 -04:00
Jeff Mitchell 7191bca71a
Re-add injecting into top routes (#5244) 2018-09-05 11:45:17 -04:00
Jeff Mitchell 9b4a847891
Fix nil pointer if the embedded revocation statements from a role are nil (#5268)
Fixes #5262
2018-09-05 11:41:37 -04:00
Joel Thompson acc85de6b9 auth/aws: Fix outdated help texts (#5253) 2018-09-04 10:55:02 -07:00
Becca Petrin 7a8c116fb1
undo make fmt (#5265) 2018-09-04 09:29:18 -07:00
Becca Petrin ed7639b0ec
run make fmt (#5261) 2018-09-04 09:12:59 -07:00
Jeff Mitchell 5d408afec2
Fix sign-verbatim PKI endpoint not honoring extra subject names (#5245)
Related to #2394
2018-09-01 09:08:45 -07:00
Calvin Leung Huang 9988ace85e gofmt files (#5233) 2018-08-31 09:15:40 -07:00
Jeff Mitchell e58a8a63a7
Add the ability to specify token CIDR restrictions on secret IDs. (#5136)
Fixes #5034
2018-08-21 11:54:04 -04:00
Jeff Mitchell 051bb9fc13
Two PKI improvements: (#5134)
* Disallow adding CA's serial to revocation list
* Allow disabling revocation list generation. This returns an empty (but
signed) list, but does not affect tracking of revocations so turning it
back on will populate the list properly.
2018-08-21 11:20:57 -04:00
Clint 96d8bd4bf7 [WIP] Support custom max Nomad token name length [supersedes https://github.com/hashicorp/vault/pull/4361] (#5117)
* Nomad: updating max token length to 256

* Initial support for supporting custom max token name length for Nomad

* simplify/correct tests

* document nomad max_token_name_length

* removed support for max token length env var. Rename field for clarity

* cleanups after removing env var support

* move RandomWithPrefix to testhelpers

* fix spelling

* Remove default 256 value. Use zero as a sentinel value and ignore it

* update docs
2018-08-16 15:48:23 -04:00
Joel Thompson 0941c7a24a Make AWS credential types more explicit (#4360)
* Make AWS credential types more explicit

The AWS secret engine had a lot of confusing overloading with role
paramemters and how they mapped to each of the three credential types
supported. This now adds parameters to remove the overloading while
maintaining backwards compatibility.

With the change, it also becomes easier to add other feature requests.
Attaching multiple managed policies to IAM users and adding a policy
document to STS AssumedRole credentials is now also supported.

Fixes #4229
Fixes #3751
Fixes #2817

* Add missing write action to STS endpoint

* Allow unsetting policy_document with empty string

This allows unsetting the policy_document by passing in an empty string.
Previously, it would fail because the empty string isn't a valid JSON
document.

* Respond to some PR feedback

* Refactor and simplify role reading/upgrading

This gets rid of the duplicated role upgrade code between both role
reading and role writing by handling the upgrade all in the role
reading.

* Eliminate duplicated AWS secret test code

The testAccStepReadUser and testAccStepReadSTS were virtually identical,
so they are consolidated into a single method with the path passed in.

* Switch to use AWS ARN parser
2018-08-16 06:38:13 -04:00
Jim Kalafut 2da7d30097
Fix DB role statement update (#5058)
The backwards compatibility logic was preventing updates to role
statements from taking effect. This change removes persistence of
deprecated statement fields.
2018-08-10 09:00:52 -07:00
Calvin Leung Huang b5c8b3d4c5 Clean up container on connection failure, switch to ory/dockertest on package postgresql (#5050) 2018-08-07 09:56:33 -07:00
Jim Kalafut 212b00593d
Improve error message formatting (#5029)
Fixes #4999
2018-08-01 16:20:56 -07:00
Jeff Mitchell 34a0ae1e5d
Update path_tidy_user_id_test.go 2018-07-25 03:37:24 -04:00
Jeff Mitchell 7e6faf021d Fix race in test 2018-07-25 00:18:32 -04:00
Jeff Mitchell 9bfd73bfc6 Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 14:00:53 -07:00
Jeff Mitchell d144f2935e Two-pronged fix for renew policy checking (#4960)
1) In backends, ensure they are now using TokenPolicies
2) Don't reassign auth.Policies until after expmgr registration as we
don't need them at that point

Fixes #4829
2018-07-24 12:03:11 -07:00
andrejvanderzee c1c9e23fc5 Fixed writing config attribute 'max_retries' for existing client configs for aws auth method. (#4980) 2018-07-24 10:09:44 -04:00
Jeff Mitchell 9775340547 Log nil secret IDs instead of swallowing error 2018-07-23 17:46:20 -04:00
Jeff Mitchell 50ea7f3825 Fix context shadowing during radius login (#4941)
Fixes #4938
2018-07-17 11:17:07 -07:00
Becca Petrin ba39deb411 fix possible panic (#4942) 2018-07-17 11:15:28 -07:00
Jeff Mitchell 8b966f7027 Remove some unnecessary default statements 2018-07-13 09:33:26 -04:00
dmicanzerofox a3d067c00b PKI Tidy Revocation List optionally Tidy Revoked Certs that are Unexpired (#4916) 2018-07-13 09:32:32 -04:00
Jeff Mitchell 92ed8fa571 Fix test 2018-07-12 08:29:04 -04:00
Jeff Mitchell 4b354e1110
Re-add dockertest and fix up imports and update script (#4909) 2018-07-11 17:49:13 -04:00
Jeff Mitchell 4d1a6690f5
Use Go's in-built permitted DNS domain logic (#4908)
Fixes #4863
2018-07-11 17:35:46 -04:00
Jeff Mitchell 98bf463a65 Make single-lease revocation behave like expiration (#4883)
This change makes it so that if a lease is revoked through user action,
we set the expiration time to now and update pending, just as we do with
tokens. This allows the normal retry logic to apply in these cases as
well, instead of just erroring out immediately. The idea being that once
you tell Vault to revoke something it should keep doing its darndest to
actually make that happen.
2018-07-11 15:45:35 -04:00
Jeff Mitchell 935c045cfa
Fix permitted dns domain handling (#4905)
It should not require a period to indicate subdomains being allowed

Fixes #4863
2018-07-11 12:44:49 -04:00
Jeff Mitchell 28890ee198 Make proto
It appears the only thing that actually change is that the tag got
`proto3` values added.
2018-07-10 20:49:48 -04:00
Jim Kalafut eb70ad032a Fix interface conversion panic during database creds revoke (#4850) 2018-06-28 09:42:04 -07:00
Jeff Mitchell 3fee2cc8dd Simplify logic 2018-06-19 23:07:56 -04:00
Calvin Leung Huang ac4be8d44d Do not fail login if no policies are mapped to the user or group (#4798)
* Do not fail login if no policies are mapped to the user or group

* Remove debug line

* Remove restriction in radius
2018-06-19 23:00:22 -04:00
Becca Petrin 73cbbe2a9f Add bound cidrs to tokens in AppRole (#4680) 2018-06-19 22:57:11 -04:00
Chris Hoffman 52f9f7412c
correct delete path for tidy operations (#4799) 2018-06-19 20:58:12 -04:00
Jeff Mitchell cffb1183a8
Database updates (#4787)
* Database updates

* Add create/update distinction for connection config
* Add create/update distinction for role config
* Add db name and revocation statements to leases to give revocation a
shot at working if the role has been deleted

Fixes #3544
Fixes #4782

* Add create/update info to docs
2018-06-19 11:24:28 -04:00
Vishal Nayak 69eff9c354
return 404 when role does exist on update operations (#4778) 2018-06-18 09:29:05 -04:00
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Mr Talbot 5551a63221 pki: add ext_key_usage to mirror key_usage and add to sign-verbatim (#4777)
* pki: add ext_key_usage parameter to role

* pki: add key_usage and ext_key_usage parameter to sign-verbatim

* pki: cleanup code as per comments
2018-06-15 18:20:43 -04:00
Jeff Mitchell 91ca3d4b7f
Add URI SANs (#4767) 2018-06-15 15:32:25 -04:00
Jeff Mitchell 5d44c54947
Changes the way policies are reported in audit logs (#4747)
* This changes the way policies are reported in audit logs.

Previously, only policies tied to tokens would be reported. This could
make it difficult to perform after-the-fact analysis based on both the
initial response entry and further requests. Now, the full set of
applicable policies from both the token and any derived policies from
Identity are reported.

To keep things consistent, token authentications now also return the
full set of policies in api.Secret.Auth responses, so this both makes it
easier for users to understand their actual full set, and it matches
what the audit logs now report.
2018-06-14 09:49:33 -04:00
Jeff Mitchell 76b0d11793
Redo transit locking (#4720)
This massively simplifies transit locking behavior by pushing some
locking down to the Policy level, and embedding either a local or global
lock in the Policy depending on whether caching is enabled or not.
2018-06-12 12:24:12 -04:00
Vishal Nayak cb3c689798
Fix panic due to metadata being nil (#4719)
* Fix panic due to metadata being nil

* added a nil check

* Added a test

* ensure metadata is never nil

* Remove unnecessary allocation

* revert back to early initialization
2018-06-11 11:22:26 -04:00
Jeff Mitchell b65959c8a0 Fix build 2018-06-11 11:21:37 -04:00
Jeff Mitchell 8d3503a048
Add context handling to Consul operations (#4739) 2018-06-11 11:03:00 -04:00
Jeff Mitchell 8916f6b625
Some atomic cleanup (#4732)
Taking inspiration from
https://github.com/golang/go/issues/17604#issuecomment-256384471
suggests that taking the address of a stack variable for use in atomics
works (at least, the race detector doesn't complain) but is doing it
wrong.

The only other change is a change in Leader() detecting if HA is enabled
to fast-path out. This value never changes after NewCore, so we don't
need to grab the read lock to check it.
2018-06-09 15:35:22 -04:00
Jeff Mitchell 4b7d2bed01 Transit convergent v3 2018-06-05 18:53:39 -04:00
Vishal Nayak 11e2fd2fce approle: Fix role name case sensitivity issue 2018-06-05 18:53:27 -04:00
Jeff Mitchell 0138351ea4
Return generic messages if pre-login ldap operations fail (#4700)
This avoids leaking any information about valid usernames.
2018-06-05 11:23:10 -04:00
Marcin Wielgoszewski 9316c96364 Add support for x.509 Name Serial Number attribute in subject of certificates (#4694) 2018-06-04 23:18:39 -04:00
Chris Hoffman 5344b7c5ae
adding option go_package to protos (#4687)
* adding option go_package to protos

* switching proto output dir to relative paths
2018-06-04 10:19:26 -04:00
Becca Petrin b558b388ce strip checking cidrs on renewals (#4682) 2018-06-03 09:22:54 -04:00
Alex Ionescu 7c31dacea2 Custom extended key usage for PKI. (#4667)
Custom extended key usage for PKI
2018-06-01 09:13:54 -04:00
Jeff Mitchell c4b53bc805 Block travis from running ldap tests as the test server is often failing 2018-05-30 08:46:25 -04:00
Brian Kassouf 893d874291 Update proto files (#4651) 2018-05-29 18:23:51 -04:00
Jeff Mitchell 244cb0bf9a
Ensure safety_buffer in PKI is greater than zero (#4643)
Fixes #4641
2018-05-28 12:08:22 -04:00
Jeff Mitchell 3e95305efa Fix mistaken extra Period value 2018-05-25 11:54:36 -04:00
Nicholas Jackson 17460461a0 Breakout parameters for x.509 certificate login (#4463) 2018-05-25 10:34:46 -04:00
Becca Petrin 4c1d8013f3
move fields and field parsing to helper (#4603) 2018-05-21 17:04:26 -07:00
Becca Petrin fb04064967
Restrict userpass logins & tokens by CIDR (#4557) 2018-05-21 11:47:28 -07:00
Jeff Mitchell 72200603c6
Fix role writing not allowing key_type of any (#4596)
Fixes #4595
2018-05-19 10:24:43 -07:00
Becca Petrin 910925457f
Move LDAP client and config code to helper (#4532) 2018-05-10 14:12:42 -07:00
Becca Petrin e4656c1264
Shorten code by using ParseAddrs (#4546) 2018-05-10 13:21:55 -07:00
Becca Petrin 76c717b081
Restrict cert auth by CIDR (#4478) 2018-05-09 15:39:55 -07:00
Jeff Mitchell 072cd783b5 Fix another PKI test 2018-05-09 12:51:34 -04:00
Jeff Mitchell 573b403b5e Fix PKI test 2018-05-09 12:47:00 -04:00
Jeff Mitchell e5f4ca83a0
Update PKI to natively use time.Duration (#4493)
* Update PKI to natively use time.Duration

Among other things this now means PKI will output durations in seconds
like other backends, instead of as Go strings.

* Add a warning when refusing to blow away an existing root instead of just returning success

* Fix another issue found while debugging this...

The reason it wasn't caught on tests in the first place is that the ttl
and max ttl were only being compared if in addition to a provided csr, a
role was also provided. This was because the check was in the role !=
nil block instead of outside of it. This has been fixed, which made the
problem occur in all sign-verbatim cases and the changes in this PR have
now verified the fix.
2018-05-09 10:29:54 -04:00
Vishal Nayak df8484f7af
approle: Make invalid role_id a 400 error instead of 500 (#4470)
* make invalid role_id a 400 error

* remove single-use validateCredentials function

* remove single-use validateBindSecretID function

* adjust the error message for CIDR check failure

* locking updates as review feedback
2018-05-04 10:15:16 -04:00
Jeff Mitchell b1d44a7dee
Fix alias data being used for cert auth (serial number -> common name) (#4495)
Fixes #4475
2018-05-04 10:08:23 -04:00
Jeff Mitchell c0ed57feae
Revert "proto changes (#4503)" (#4504)
This reverts commit 14594bd76e04ff09c442738800be5fdebc45512f.
2018-05-03 15:38:53 -04:00
Vishal Nayak 7549ea0d12
proto changes (#4503) 2018-05-03 15:23:14 -04:00
Becca Petrin d51acbde68
New proto version (#4501) 2018-05-03 10:19:39 -07:00
Robison Jacka b78b9c7ebf Iterating over CSR extensions, and skipping BasicConstraints, since those should be defined by the endpoint that's performing the signing. (#4469) 2018-05-01 11:22:49 -04:00
Calvin Leung Huang 44b44f7f54
Early skip mssql test if not on acceptance, defer Teardown() early in testing.Test (#4457) 2018-04-26 12:17:44 -04:00
Calvin Leung Huang 7d214d2a3a
Purge opened connections on retries during tests (#4452) 2018-04-26 11:28:58 -04:00
vishalnayak 9ef3a36007 s/enable_local_secret_ids/local_secret_ids 2018-04-24 17:52:42 -04:00
vishalnayak 965a16f888 remove unneeded comments 2018-04-24 16:28:25 -04:00
vishalnayak b91d53fd76 refactor to be able to defer lock.Unlock() 2018-04-24 16:17:24 -04:00
vishalnayak f3dd8b3d17 fix typo 2018-04-24 16:03:18 -04:00
vishalnayak b16ee7b32d remove unneeded setting of secret ID prefix 2018-04-24 15:55:40 -04:00
vishalnayak 7832e06fdc Add field read test 2018-04-24 15:48:07 -04:00
vishalnayak 10579f5d8d Fix api path for reading the field 2018-04-24 14:28:03 -04:00
vishalnayak 7039f6dccd Merge branch 'master-oss' into approle-local-secretid 2018-04-24 11:03:39 -04:00
vishalnayak c46e021543 Add tests 2018-04-24 11:02:11 -04:00
vishalnayak aade040e50 Add immutability test 2018-04-24 10:05:17 -04:00
vishalnayak 97c03c5a65 Add enable_local_secret_ids to role read response 2018-04-24 09:53:36 -04:00
Alex Samorukov cb52f3eb80 Use locking to avoid parallel script execution (#4358) 2018-04-23 18:04:22 -04:00
vishalnayak 6b7a042003 error on enable_local_secret_ids update after role creation 2018-04-23 17:05:53 -04:00
vishalnayak 644892c53c naming changes 2018-04-23 16:52:09 -04:00
vishalnayak a369a4edb6 Upgrade secret ID prefix and fix tests 2018-04-23 16:31:51 -04:00
vishalnayak d14cd4a51e segregate local and non-local accessor entries 2018-04-23 16:19:05 -04:00
vishalnayak 7efbee2a12 Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 16:02:55 -04:00
vishalnayak 743e3ace13 fix path regex and role storage 2018-04-23 14:08:30 -04:00
vishalnayak 1680b56d43 add prefix to LocalStorage 2018-04-23 14:08:30 -04:00
vishalnayak 97b821b231 local secret IDs 2018-04-23 14:08:30 -04:00
Calvin Leung Huang 31633654ee Explicitly use 5.7 and below to test mysql backends (#4429) 2018-04-23 13:03:02 -04:00
Becca Petrin b3b7fba67e
Release database resources on each iteration of a loop (#4305) 2018-04-17 16:31:09 -07:00
Calvin Leung Huang c7dddaf537
Skip CI acceptance tests on missing required values (#4346)
* Skip dynamic key acceptance test if vaultssh user not present

* Skip aws acceptance test if required environment variables are missing
2018-04-13 10:18:06 -04:00
Becca Petrin da1cfb86e9 run make fmt 2018-04-11 14:25:09 -07:00
Becca Petrin 8569c8c235 Merge branch 'opensource-master' into struct-tags 2018-04-11 13:04:08 -07:00
Becca Petrin dab933ccaf deviate from snake case 2018-04-11 13:03:33 -07:00
Calvin Leung Huang 2dc4aa05f0 Dockerize radius auth backend acceptance tests (#4276) 2018-04-11 14:26:35 -04:00
Becca Petrin fcfe036e60 fix 2 minor struct tag issues 2018-04-10 16:11:44 -07:00
Calvin Leung Huang bacf136785 Fix pki tests (#4318) 2018-04-09 15:19:05 -04:00
Becca Petrin abb621752f Clean up error string formatting (#4304) 2018-04-09 14:35:21 -04:00
Chris Hoffman 19f9f6ee89
Root Credential Rotation Docs (#4312)
* updating root credential docs

* more docs updates

* more docs updates
2018-04-09 12:20:29 -04:00
Calvin Leung Huang 656a762e0a
Dockerize mssql secret backend tests (#4290)
* Dockerize mssql secret backend tests

* Extend total mysql container timeout to 1 minute
2018-04-09 10:46:52 -04:00
Matthew Irish cff34e983f
UI - pki updates (#4291)
* add require_cn to pki roles
* add policy_identifiers and basic_constraints_valid_for_non_ca to pki role form
* add new fields to the PKI docs
* add add_basic_constraints field
2018-04-08 21:09:29 -05:00
Chris Hoffman 71c0b749b5
Fix deadlock in root credential rotation (#4309)
* fix deadlock in root credential rotation

* add more logging of errors

* adding cassandra test
2018-04-08 13:34:59 -04:00
Chris Hoffman 40dc317f41
Prevent returning password in reads of connection config info (#4300)
* prevent returning password in reads of connection config info

* fixing a test

* masking password in connection url on reads

* addressing feedback

* removing extra check
2018-04-07 11:06:04 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Vishal Nayak ef60ded908
TypeDurationSecond for ttl and max_ttl (#4268)
* use typedurationsecond for ttl and max_ttl

* address review feedback
2018-04-04 17:47:18 -04:00
Calvin Leung Huang f392620cb8
Dockerize rabbitmq secret backend (#4271) 2018-04-04 16:09:26 -04:00
Chris Hoffman 8250da87a9
Fix a few missing TTL core changes (#4265)
* Fix missing ttl handling in backends

* fix test
2018-04-04 06:43:21 -04:00
Chris Hoffman a7ada08b3b
Core handling of TTLs (#4230)
* govet cleanup in token store

* adding general ttl handling to login requests

* consolidating TTL calculation to system view

* deprecate LeaseExtend

* deprecate LeaseExtend

* set the increment to the correct value

* move calculateTTL out of SystemView

* remove unused value

* add back clearing of lease id

* implement core ttl in some backends

* removing increment and issue time from lease options

* adding ttl tests, fixing some compile issue

* adding ttl tests

* fixing some explicit max TTL logic

* fixing up some tests

* removing unneeded test

* off by one errors...

* adding back some logic for bc

* adding period to return on renewal

* tweaking max ttl capping slightly

* use the appropriate precision for ttl calculation

* deprecate proto fields instead of delete

* addressing feedback

* moving TTL handling for backends to core

* mongo is a secret backend not auth

* adding estimated ttl for backends that also manage the expiration time

* set the estimate values before calling the renew request

* moving calculate TTL to framework, revert removal of increment and issue time from logical

* minor edits

* addressing feedback

* address more feedback
2018-04-03 12:20:20 -04:00
Jeff Mitchell f5ba4796f5
Case insensitive behavior for LDAP (#4238) 2018-04-03 09:52:43 -04:00
Becca Petrin 03cf302e9a Move to "github.com/hashicorp/go-hclog" (#4227)
* logbridge with hclog and identical output

* Initial search & replace

This compiles, but there is a fair amount of TODO
and commented out code, especially around the
plugin logclient/logserver code.

* strip logbridge

* fix majority of tests

* update logxi aliases

* WIP fixing tests

* more test fixes

* Update test to hclog

* Fix format

* Rename hclog -> log

* WIP making hclog and logxi love each other

* update logger_test.go

* clean up merged comments

* Replace RawLogger interface with a Logger

* Add some logger names

* Replace Trace with Debug

* update builtin logical logging patterns

* Fix build errors

* More log updates

* update log approach in command and builtin

* More log updates

* update helper, http, and logical directories

* Update loggers

* Log updates

* Update logging

* Update logging

* Update logging

* Update logging

* update logging in physical

* prefixing and lowercase

* Update logging

* Move phyisical logging name to server command

* Fix som tests

* address jims feedback so far

* incorporate brians feedback so far

* strip comments

* move vault.go to logging package

* update Debug to Trace

* Update go-plugin deps

* Update logging based on review comments

* Updates from review

* Unvendor logxi

* Remove null_logger.go
2018-04-02 17:46:59 -07:00
Ben Feld 3f5d60b54b Fixed typo and adjusted line wrapping in backend help (#4239) 2018-04-02 13:51:26 -07:00
Calvin Leung Huang 610c137a3d
Remove sensitive fields when reading config data (#4216)
* Remove sensitive fields when reading config data

* Do not use structs; build and return map explicitly

* Revert tag in postgresql

* Fix tests
2018-03-30 10:17:39 -04:00
Jeff Mitchell 7a6f582168
1.10 Updates (#4218) 2018-03-29 15:32:16 -04:00
Jeff Mitchell 6484b9b164
Continue and warn when tidying in pki if an entry or value is nil (#4214)
Ref #4177
2018-03-29 15:27:51 -04:00
Jeff Mitchell e4d277fc0b Sanitizize some error capitalization 2018-03-29 10:14:42 -04:00
Chris Hoffman e4832fdbcf
Database Root Credential Rotation (#3976)
* redoing connection handling

* a little more cleanup

* empty implementation of rotation

* updating rotate signature

* signature update

* updating interfaces again :(

* changing back to interface

* adding templated url support and rotation for postgres

* adding correct username

* return updates

* updating statements to be a list

* adding error sanitizing middleware

* fixing log sanitizier

* adding postgres rotate test

* removing conf from rotate

* adding rotate command

* adding mysql rotate

* finishing up the endpoint in the db backend for rotate

* no more structs, just store raw config

* fixing tests

* adding db instance lock

* adding support for statement list in cassandra

* wip redoing interface to support BC

* adding falllback for Initialize implementation

* adding backwards compat for statements

* fix tests

* fix more tests

* fixing up tests, switching to new fields in statements

* fixing more tests

* adding mssql and mysql

* wrapping all the things in middleware, implementing templating for mongodb

* wrapping all db servers with error santizer

* fixing test

* store the name with the db instance

* adding rotate to cassandra

* adding compatibility translation to both server and plugin

* reordering a few things

* store the name with the db instance

* reordering

* adding a few more tests

* switch secret values from slice to map

* addressing some feedback

* reinstate execute plugin after resetting connection

* set database connection to closed

* switching secret values func to map[string]interface for potential future uses

* addressing feedback
2018-03-21 15:05:56 -04:00
Jeff Mitchell 487cb7a41a
We don't need to limit the size of ldap queries, so set a high limit (#4169)
Fixes #4162
2018-03-20 16:06:39 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Jeff Mitchell 48a6ce618a
Add ability to set CA:true when generating intermediate CSR. (#4163)
Fixes #3883
2018-03-20 10:09:59 -04:00
Jeff Mitchell 414097018a Add a check on incoming policy identifiers
cc #4125
2018-03-19 22:10:18 -04:00
Rémi Pauchet 40e226184b Support certificate policies in the pki backend (#4125) 2018-03-19 22:05:21 -04:00
Jeff Mitchell 8697d80d2e
More cleanup of TTL handling in PKI (#4158)
* Max role's max_ttl parameter a TypeDurationString like ttl
* Don't clamp values at write time in favor of evaluating at issue time,
as is the current best practice
* Lots of general cleanup of logic to fix missing cases
2018-03-19 21:01:41 -04:00
Jeff Mitchell 2e50667b12
Codify using strings.Join and strings.TrimSpace around PEM handling to ensure newline sanity (#4148)
Fixes #4136
2018-03-18 16:00:51 -04:00
Joel Thompson 3e2006eb13 Allow non-prefix-matched IAM role and instance profile ARNs in AWS auth backend (#4071)
* Update aws auth docs with new semantics

Moving away from implicitly globbed bound_iam_role_arn and
bound_iam_instance_profile_arn variables to make them explicit

* Refactor tests to reduce duplication

auth/aws EC2 login tests had the same flow duplicated a few times, so
refactoring to reduce duplication

* Add tests for aws auth explicit wildcard constraints

* Remove implicit prefix matching from AWS auth backend

In the aws auth backend, bound_iam_role_arn and
bound_iam_instance_profile_arn were ALWAYS prefix matched, and there was
no way to opt out of this implicit prefix matching. This now makes the
implicit prefix matching an explicit opt-in feature by requiring users
to specify a * at the end of an ARN if they want the prefix matching.
2018-03-17 21:24:49 -04:00
Jeff Mitchell 83dea6204c
Honor mount-tuned ttl/max ttl for database credential generatoin (#4053) 2018-03-15 09:24:02 -07:00
Joel Thompson 39dc981301 auth/aws: Allow binding by EC2 instance IDs (#3816)
* auth/aws: Allow binding by EC2 instance IDs

This allows specifying a list of EC2 instance IDs that are allowed to
bind to the role. To keep style formatting with the other bindings, this
is still called bound_ec2_instance_id rather than bound_ec2_instance_ids
as I intend to convert the other bindings to accept lists as well (where
it makes sense) and keeping them with singular names would be the
easiest for backwards compatibility.

Partially fixes #3797
2018-03-15 09:19:28 -07:00
Brian Nuszkowski 76be90f384 Add PKCS1v15 as a RSA signature and verification option on the Transit secret engine (#4018)
Option to specify the RSA signature type, in specific add support for PKCS1v15
2018-03-15 09:17:02 -07:00
Jeff Mitchell 300ca9c6ee
Have Okta respect its set max_ttl. (#4111)
Fixes #4110
2018-03-13 10:39:51 -04:00
Joel Thompson 2f8e3c27f4 Accept temp creds in AWS secret backend acceptance tests (#4076)
* Accept temp creds in AWS secret backend acceptance tests

The AWS secret backend acceptance tests implicitly accepted long-lived
AWS credentials (i.e., AWS IAM user and/or root credentials) in two
ways:

1. It expected credentials to be passed in via the AWS_ACCESS_KEY_ID and
   AWS_SECRET_ACCESS_KEY environment variables. By not accepting
   AWS_SESSION_TOKEN or AWS_SECURITY_TOKEN, temporary credentials could
   not be passed in. (This also forced all credentials to be passed in
   via environment variables, which is a bit ugly).
2. The AWS sts:GetFederationToken call is only allowed from long-term
   credentials. This is called by the Vault code which the acceptance
   tests exercise.

1 is solved by deleting explicit references to credentials, which allows
the SDK to do one of the things it does best -- find credentials via the
default chain.

2 is a little more complicated. Rather than pass in whatever creds the
acceptance test was run under to the backend, the acceptance test now
creates a new IAM user and gets an access key from it, then passes the
IAM user's creds back to the backend so that it can call
sts:GetFederationToken (and then tries to clean up afterwards).

* Fix Travis build failure

The Travis build was failing because the user creation was happening
regardless of whether it was running in acceptance test mode or not.
This moves the user creation into the acceptance test precheck, which
requires lazily evaluating the credentials when configuring the backend
in the STS accetpance test, and so moving that to a PreFlight closure.

* Reduce blind sleeps in AWS secret backend acceptance tests

This removes a blind "sleep 10 seconds and then attempt to reuse the
credential" codepath and instead just keeps attemtping to reuse the
credential for 10 seconds and fails if there aren't any successful uses
after 10 seconds. This adds a few seconds speedup of acceptance test
runs from my experiments.
2018-03-13 10:35:10 -04:00
Vishal Nayak 527eb418fe
approle: Use TypeCommaStringSlice for BoundCIDRList (#4078)
* Use TypeCommaStringSlice for Approle bound_cidr_list

* update docs

* Add comments in the test
2018-03-08 17:49:08 -05:00
Brian Kassouf 9dba3590ac
Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
Jeff Mitchell f9f0261886
Populate AWS-generated tokens with default lease TTL to fix comparisons against role max (#4107)
* Populate AWS-generated tokens with default lease TTL to fix comparisons against role max

* Fix printing TTLs when capping them
2018-03-08 13:08:00 -05:00
Jeff Mitchell 52852b89cf
Revert "Fix AWS auth max_ttl being ignored when ttl is not set (#4086)" (#4105)
This reverts commit 135cb4e6871a75c3b996bf8ac719767560268732.
2018-03-08 11:08:32 -05:00
Kevin Wang f72540ce8e Fix AWS auth max_ttl being ignored when ttl is not set (#4086)
If ttl is not set, the value of `resp.Auth.TTL` is 0, resulting in the
max TTL check being skipped.

Also fixes the formatting of the warning message.
2018-03-08 11:07:51 -05:00
Brian Nuszkowski 40e7e24c04 Return value when reading a SSH CA Role (#4098) 2018-03-07 23:26:33 -05:00
Calvin Leung Huang e2fb199ce5
Non-HMAC audit values (#4033)
* Add non-hmac request keys

* Update comment

* Initial audit request keys implementation

* Add audit_non_hmac_response_keys

* Move where req.NonHMACKeys gets set

* Minor refactor

* Add params to auth tune endpoints

* Sync cache on loadCredentials

* Explicitly unset req.NonHMACKeys

* Do not error if entry is nil

* Add tests

* docs: Add params to api sections

* Refactor audit.Backend and Formatter interfaces, update audit broker methods

* Add audit_broker.go

* Fix method call params in audit backends

* Remove fields from logical.Request and logical.Response, pass keys via LogInput

* Use data.GetOk to allow unsetting existing values

* Remove debug lines

* Add test for unsetting values

* Address review feedback

* Initialize values in FormatRequest and FormatResponse using input values

* Update docs

* Use strutil.StrListContains

* Use strutil.StrListContains
2018-03-02 12:18:39 -05:00
Joel Thompson e4949d644b auth/aws: Allow lists in binds (#3907)
* auth/aws: Allow lists in binds

In the aws auth method, allow a number of binds to take in lists
instead of a single string value. The intended semantic is that, for
each bind type set, clients must match at least one of each of the bind
types set in order to authenticate.
2018-03-02 11:09:14 -05:00
Jeff Mitchell 121d5718ea Remove structs/mapstructure tags from auth/aws 2018-02-27 15:27:49 -05:00
Jeff Mitchell c695023bab Remove structs package from auth/aws 2018-02-27 13:22:47 -05:00
Joel Thompson b0592d2161 auth/aws: Add functional test for detached RSA signature (#4031)
Previously the functional test was only testing the PCKS7-signed identity
document, not the detached RSA signature, so adding a test for that in the
functional test suite.
2018-02-22 20:55:45 -05:00
Jeff Mitchell cf7c86e0f8 *Partially* revert "Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10"
This partially reverts commit 83f6b21d3ef930df0352a4ae7b1e971790e3eb22.
2018-02-22 20:15:56 -05:00
Jeff Mitchell 9584a085b6 Revert "Remove unneeded looping since Go 1.10 cover it already (#4010)"
This reverts commit 8aeba427d239613bf78b7d1ce96900da74d2bd5d.
2018-02-22 20:13:36 -05:00
Jeff Mitchell 15c3bffcc9 Revert "Switch to a forked copy of pkcs7 to fix aws pkcs7 verification error (#4024)"
This reverts commit f75c7dd15784831aef0bd9fda8a230b0a08556f3.
2018-02-22 20:09:19 -05:00
Jeff Mitchell 67e614bac4
Switch to a forked copy of pkcs7 to fix aws pkcs7 verification error (#4024)
Fixes #4014
2018-02-22 08:49:11 -05:00
Andrei Burd 90f3788ce5 Handling nomad maxTokenNameLength = 64 (#4009) 2018-02-20 10:16:37 -05:00
Vishal Nayak bfed4af48f Remove unneeded looping since Go 1.10 cover it already (#4010) 2018-02-20 07:34:55 -05:00
Jeff Mitchell 0f26cb9b8d Fix PKI tests by generating on-demand 2018-02-20 00:23:37 -05:00
Jeff Mitchell ce8f652ef9 Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10 2018-02-19 22:46:17 -05:00
Robison Jacka 9541e8f643 Adding path roles test coverage for storing PKIX fields (#4003) 2018-02-18 16:22:35 -05:00
Robison Jacka 71d939894b Add test coverage for recently-added PKIX fields. (#4002) 2018-02-18 13:21:54 -05:00
Jeff Mitchell a408a03495 Fix missing CommonName in subject generation 2018-02-17 21:01:36 -05:00
Vishal Nayak 45bb1f0adc
Verify DNS SANs if PermittedDNSDomains is set (#3982)
* Verify DNS SANs if PermittedDNSDomains is set

* Use DNSNames check and not PermittedDNSDomains on leaf certificate

* Document the check

* Add RFC link

* Test for success case

* fix the parameter name

* rename the test

* remove unneeded commented code
2018-02-16 17:42:29 -05:00
Jeff Mitchell f29bde0052
Support other names in SANs (#3889) 2018-02-16 17:19:34 -05:00
Mohsen 41b07a0987 Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 11:11:17 -05:00
Brian Nuszkowski 51fe1aa7ba Add Okta specific MFA workflow to Okta auth method (#3980)
* Add Okta specific MFA workflow to Okta auth method. Note this only
supports Okta Push.
2018-02-14 20:28:19 -05:00
Brian Nuszkowski 7ba8bb9516 Disable redirects on the http client that calls AWS STS api, which (#3983)
is used in the AWS IAM auth method.

Co-authored-by: Max Justicz <max@justi.cz>
2018-02-14 20:27:13 -05:00
Jeff Mitchell 35906aaa6c
Add ChaCha20-Poly1305 support to transit (#3975) 2018-02-14 11:59:46 -05:00
Nicolas Troncoso 2a8159c2ae Turns the okta groups array into a coma separated string (#3956) 2018-02-13 08:18:43 -05:00
Jeff Mitchell 8655a1c135
Various PKI updates (#3953) 2018-02-10 10:07:10 -05:00
Jeff Mitchell 6f025fe2ab
Adds the ability to bypass Okta MFA checks. (#3944)
* Adds the ability to bypass Okta MFA checks.

Unlike before, the administrator opts-in to this behavior, and is
suitably warned.

Fixes #3872
2018-02-09 17:03:49 -05:00
Jeff Mitchell bd3cdd8095 Fix compile 2018-02-09 14:04:05 -05:00
Chris Hoffman 898026c58f Fix auditing for transit keys with backup/restore info (#3919) 2018-02-09 13:54:18 -05:00
Vishal Nayak 80ffd07b8b added a flag to make common name optional if desired (#3940)
* added a flag to make common name optional if desired

* Cover one more case where cn can be empty

* remove skipping when empty; instead check for emptiness before calling validateNames

* Add verification before adding to DNS names to also fix #3918
2018-02-09 13:42:19 -05:00
Vishal Nayak 9d163f5aa4
avoid masking of role tag response (#3941) 2018-02-07 20:43:05 -05:00
Vishal Nayak 41ac1e4b53
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924)
* Cleanup accessor indexes and dangling accessor indexes

* Add a test that exercises the accessor cleanup
2018-02-06 15:44:48 -05:00
John Eismeier d2534c4bde Fix some typos (#3923) 2018-02-06 13:35:01 -05:00
Jeff Mitchell 642b88c76a go vet fixes 2018-02-05 14:26:31 -05:00
Joel Thompson 4f49318b33 auth/aws: Switch role tag processing from strings.Contains to strings.HasPrefix (#3906)
strings.HasPrefix is more correct; if a tag part value ended up
containing the expected prefix of another part, it could cause incorrect
parsing. I don't think that these values would be semantically legal
today, but it's probably better to be defensive.
2018-02-04 19:37:03 -05:00
Jeff Mitchell b6614b651f
Differentiate between user/internal error in AppRole login. (#3902)
* Differentiate between user/internal error in AppRole login.

This allows us to properly pass through internal errors back up into
core.

* Separate out error cases
2018-02-02 20:34:32 -05:00
Jeff Mitchell fc6564e4ee
Don't run rollback and upgrade functionality if we are a replication secondary (#3900)
* Don't run rollback and upgrade functionality if we are a replication
secondary, but do if the mount is local.
2018-02-02 20:28:25 -05:00
Vishal Nayak effdc09a71 Add the actual error object to the message (#3901) 2018-02-02 19:06:08 -05:00
John Eismeier 6d18e0da3d Propose small spelling change (#3890) 2018-02-01 12:51:38 -05:00
Josh Giles 94fe8600b6 Return Okta config TTLs in seconds, not nanos. (#3871) 2018-02-01 12:44:57 -05:00
Jeff Mitchell f3d1e8170b Prep for 0.9.2 2018-01-26 13:59:01 -05:00
Vishal Nayak 150ad8405b
Remove logical.Initialize() method (#3848)
* Remove logical.Initialize() method

* More cleanup

* Fix test
2018-01-25 20:19:27 -05:00
Joel Thompson 2cd8051607 auth/aws: Fix error with empty bound_iam_principal_arn (#3843)
* auth/aws: Fix error with empty bound_iam_principal_arn

In cases where there doesn't need to be a bound_iam_principal_arn, i.e.,
either auth_type is ec2 or there are other bindings with the iam
auth_type, but it is specified explicitly anyway, Vault tried to parse
it to resolve to internal unique IDs. This now checks to ensure that
bound_iam_principal_arn is non-empty before attempting to resolve it.

Fixes #3837

* Fix extraneous newline
2018-01-24 23:08:05 -05:00
Calvin Leung Huang 385140ee6b
Version protocol switch (#3833)
* Use version to determine plugin protocol to use

* Remove field from ServeOpts

* Fix missing assignment, handle errors

* contraint -> constraint

* Inject the version string from the vault side

* Fix the version check

* Add grpc support check to database plugins

* Default to use grpc unless missing env var or fail on contraint check

* Add GRPCSupport test

* Add greater than test case

* Add go-version dep
2018-01-23 17:29:26 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Brian Kassouf 7050c1ca41
gRPC Backend Plugins (#3808)
* Add grpc plugins

* Add grpc plugins

* Translate wrap info to/from proto

* Add nil checks

* Fix nil marshaling errors

* Provide logging through the go-plugin logger

* handle errors in the messages

* Update the TLS config so bidirectional connections work

* Add connectivity checks

* Restart plugin and add timeouts where context is not availible

* Add the response wrap data into the grpc system implementation

* Add leaseoptions to pb.Auth

* Add an error translator

* Add tests for translating the proto objects

* Fix rename of function

* Add tracing to plugins for easier debugging

* Handle plugin crashes with the go-plugin context

* Add test for grpcStorage

* Add tests for backend and system

* Bump go-plugin for GRPCBroker

* Remove RegisterLicense

* Add casing translations for new proto messages

* Use doneCtx in grpcClient

* Use doneCtx in grpcClient

* s/shutdown/shut down/
2018-01-18 13:49:20 -08:00
Calvin Leung Huang f59069c22f
Don't call LeaseExtend on login renewal paths when period is provided (#3803)
* Don't call LeaseExtend on login renewal paths when period is provided

* WIP tests

* NoopBackend accept backend ttl values

* Test period value on credentials backend

* Use t.Fatalf instead

* Remove mockCoreExpiration

* Add login renewal test for approle backend

* Add resp.Auth.Period check on aws and cert backend tests

* Pass in approle's period via role's period

* Correctly set period in valid-role's role

* Add period renewal test using TestCluster and approle backend

* Check for ttl values after renewals on test
2018-01-18 12:19:18 -05:00
samiam c59b5a1a88 Write password prompts to stderr to avoid co-mingling stdout (#3781) (#3782) 2018-01-18 12:14:19 -05:00
Jeff Mitchell b281e76089 Move around some logic to be neater 2018-01-18 11:47:24 -05:00
Jeff Mitchell c231479a18
Fix max_ttl not being honored in database backend when default_ttl is zero (#3814)
Fixes #3812
2018-01-18 01:43:38 -05:00
Vishal Nayak b826c56686
SHA2-256 salting for AppID (#3806)
* Use SHA2-256 hash with prefix to upgrade the paths

* test the SHA1 upgrade to SHA256

* Remove hash identifier and the delimiter; use 's' instead

* Added API test to verify the correctness of the fix

* Fix broken test

* remove unneeded test
2018-01-17 19:48:32 -05:00