Jeff Mitchell
ed62afec14
Large documentation updates, remove the pathlength path in favor of
...
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
5970cb76b6
Add path length paths and unit tests to verify same.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
ca844b1dc1
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
4cb10abcc0
Add tests for using raw CSR values
2015-11-19 09:51:18 -05:00
Jeff Mitchell
83975314c7
Change a few checks on names:
...
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).
- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.
Also, fix a nil pointer issue.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
deb5131cd3
Add config/urls CRUD operations to get and set the URLs encoded into
...
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
779efbbbc3
Change use_csr_subject to use_csr_values; copy not only the subject, but
...
also the alternate names and the extensions over as well.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
76af733ee2
Remove setting serial number in the pkix Subject
2015-11-19 09:51:17 -05:00
Jeff Mitchell
54c5c232fd
Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR
2015-11-19 09:51:17 -05:00
Jeff Mitchell
7c5a174493
Add capability to use the CSR's common name (by default for CA CSRs if
...
no common_name parameter is given, role-controlled for non-CA CSRs).
Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
2015-11-19 09:51:17 -05:00
Jeff Mitchell
54fccb2ff4
Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
4261e594af
Address some minor PR feedback
2015-11-19 09:51:17 -05:00
Jeff Mitchell
69794c7078
Fix otto import of uuid
2015-11-19 09:51:17 -05:00
Jeff Mitchell
f16d8b8cd2
Cleanup, and add ability to sign CA CSRs that aren't destined for Vault
2015-11-19 09:51:17 -05:00
Jeff Mitchell
ea676ad4cc
Add tests for intermediate signing and CRL, and fix a couple things
...
Completes extra functionality.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
b2df079446
Add unit tests to test signing logic, fix up test logic for names
2015-11-19 09:51:17 -05:00
Jeff Mitchell
fe7dbfaada
Handle email address alternative names, fix up tests, fix up logic around name verification
2015-11-19 09:51:17 -05:00
Jeff Mitchell
aa3d6dc85b
Add allow_base_domain to control whether or not the actual base domain is allowed as a cert common name and/or DNS SAN
2015-11-19 09:51:17 -05:00
Jeff Mitchell
7d2730d370
Add email protection flag plumbing and tests; don't call generate bundle when making an intermediate CSR since everything is now ignored
2015-11-19 09:51:17 -05:00
Jeff Mitchell
b3eb5c4957
Add sign method (untested)
2015-11-19 09:51:17 -05:00
Jeff Mitchell
6ea626e9ad
Don't show field names when not needed
2015-11-19 09:51:17 -05:00
Jeff Mitchell
1cec03d9ca
Implement CA cert/CSR generation. CA certs can be self-signed or
...
generate an intermediate CSR, which can be signed.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
1c7157e632
Reintroduce the ability to look up obfuscated values in the audit log
...
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).
In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)
Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell
45e7e61d71
Update audit documentation around what hash is used
2015-11-18 10:42:42 -05:00
Jeff Mitchell
7ab0c2e917
Update deps
2015-11-18 10:36:57 -05:00
Jeff Mitchell
29135b65ca
Changelogify
2015-11-18 10:34:50 -05:00
Jeff Mitchell
4a1a02a123
Merge pull request #780 from vicki-c/master
...
Port to new etcd client with TLS support
2015-11-18 10:33:09 -05:00
Vicki Cheung
eb464ed79d
rejecting etcd addresses without url scheme
2015-11-17 15:18:50 -08:00
Vicki Cheung
4a3bcc2adc
adding check in etcd backend to validate machine urls
2015-11-16 14:35:04 -08:00
Vicki Cheung
dc4374ab79
adding etcd client dependencies
2015-11-16 13:30:27 -08:00
Vicki Cheung
dfe284af43
adding PermitPool to etcd backend
2015-11-15 22:38:21 -08:00
Vicki Cheung
a21c8fab26
porting to new etcd client
2015-11-15 22:12:06 -08:00
Jeff Mitchell
0b3c7b177a
Merge pull request #775 from hashicorp/issue-771
...
Rearchitect MountTable locking and fix rollback.
2015-11-15 17:33:30 -05:00
Jeff Mitchell
bece637eb7
Address feedback from review
2015-11-15 17:32:57 -05:00
Jeff Mitchell
bc4c18a1cf
Rearchitect MountTable locking and fix rollback.
...
The rollback manager was using a saved MountTable rather than the
current table, causing it to attempt to rollback unmounted mounts, and
never rollback new mounts.
In fixing this, it became clear that bad things could happen to the
mount table...the table itself could be locked, but the table pointer
(which is what the rollback manager needs) could be modified at any time
without locking. This commit therefore also returns locking to a mutex
outside the table instead of inside, and plumbs RLock/RUnlock through to
the various places that are reading the table but not holding a write
lock.
Both unit tests and race detection pass.
Fixes #771
2015-11-11 11:54:52 -05:00
Jeff Mitchell
fa646a1eb1
Bump version to 0.4-dev instead of 0.3.1-dev
2015-11-10 10:28:40 -05:00
Jeff Mitchell
847707f4af
Merge pull request #772 from hashicorp/origin/new_header
...
New Header Redesign
2015-11-10 10:16:49 -05:00
captainill
28ae7b2466
edit this page
2015-11-09 21:10:49 -08:00
captainill
d931c62d94
sidebar
2015-11-09 21:08:05 -08:00
captainill
2af4092734
redesign header bulk
2015-11-09 20:58:06 -08:00
Jeff Mitchell
201adad4ae
Merge pull request #762 from hashicorp/issue-732
...
Create a "default" policy with sensible rules.
2015-11-09 17:44:09 -05:00
Jeff Mitchell
1a45696208
Add no-default-policy flag and API parameter to allow exclusion of the
...
default policy from a token create command.
2015-11-09 17:30:50 -05:00
Jeff Mitchell
d6693129de
Create a "default" policy with sensible rules.
...
It is forced to be included with each token, but can be changed (but not
deleted).
Fixes #732
2015-11-09 15:44:09 -05:00
Jeff Mitchell
1a621b7000
Minor test fix
2015-11-09 15:37:30 -05:00
Jeff Mitchell
c9e3699751
Merge pull request #769 from hashicorp/issue-769
...
Don't require root tokens for mount and policy endpoints.
2015-11-09 15:29:56 -05:00
Jeff Mitchell
8673f36b34
Don't require root tokens for mount and policy endpoints.
2015-11-09 15:29:21 -05:00
Jeff Mitchell
5d5d58ffe4
Fix unmount help output
2015-11-09 15:23:49 -05:00
Jeff Mitchell
9d9bf9f2f8
Merge pull request #768 from hashicorp/issue-765
...
Print version on startup.
2015-11-09 13:53:33 -05:00
Jeff Mitchell
75f1c1e40c
Print version on startup.
...
Fixes #765
2015-11-09 13:52:55 -05:00
Jeff Mitchell
3717b31b63
Merge pull request #766 from hashicorp/issue-766
...
Display whether a token is an orphan on lookup.
2015-11-09 13:20:42 -05:00