Commit graph

613 commits

Author SHA1 Message Date
Joel Thompson 06dda97445 Look up proper AWS account ID on aws token renew (#3012)
Also properly handle renewing tokens when bound_iam_principal_arn has a
path component.

Fixes #2990
2017-07-17 10:59:18 -04:00
Gobin Sougrakpam 048f2c3ca4 Adding validation for certificates to be proper x509 PEM encoded (#3016) 2017-07-17 10:49:50 -04:00
Jeff Mitchell 6adee19987 Add approle role name to metadata (#2985) 2017-07-13 19:07:15 -04:00
Lars Lehtonen 3f0b15826a Fix swallowed errors in builtin (#2977) 2017-07-07 08:23:12 -04:00
Will May 23ff17c769 Allow Okta auth backend to specify TTL and max TTL values (#2915) 2017-07-05 09:42:37 -04:00
Joel Thompson 4a934915d7 Resolve AWS IAM unique IDs (#2814) 2017-06-07 10:27:11 -04:00
Jeff Mitchell 2cc4a761f7 Honor role period for IAM auth type in AWS backend (#2828)
Fixes #2825
2017-06-07 10:18:02 -04:00
Joel Thompson 7437ada31c Check if there's a bound iam arn when renewing (#2819)
Previously, the renew method would ALWAYS check to ensure the
authenticated IAM principal ARN matched the bound ARN.  However, there
is a valid use case in which no bound_iam_principal_arn is specified and
all bindings are done through inferencing. When a role is configured
like this, clients won't be able to renew their token because of the
check.

This now checks to ensure that the bound_iam_principal_arn is not empty
before requriing that it match the originally authenticated client.

Fixes #2781
2017-06-06 22:35:12 -04:00
Scott Sinclair 0c7d240968 Change split on instance profile name (#2802)
This now splits on the /, so we only get the last component of the instance profile name (ignoring paths)
2017-06-05 12:39:37 -04:00
Jeff Mitchell 7e02082f5f Use the oauth2 context ability to specify a clean http client. (#2808)
Hopefully fixes #2793
2017-06-05 12:27:01 -04:00
Jeff Mitchell b90c84a2c6 Add unsalted test to app-id 2017-06-05 11:37:16 -04:00
Jeff Mitchell f7df60b131 Allow accessing Warnings directly in Response. (#2806)
A change in copystructure has caused some panics due to the custom copy
function. I'm more nervous about production panics than I am about
keeping some bad code wiping out some existing warnings, so remove the
custom copy function and just allow direct setting of Warnings.
2017-06-05 10:52:43 -04:00
Jeff Mitchell 8f2ba268a0 Fix instantiation of salt funcs in app-id structs 2017-06-05 10:04:54 -04:00
Dan Stark 9f6b77598e Fixes typos in error message and comment for AWS auth CLI (#2798) 2017-06-02 17:35:25 -07:00
Andrew e33e489eee Improve EC2 describe instances performance (#2766)
Query the EC2 API for the instance ID rather than filter the results of
all instances.
2017-05-26 08:38:01 -04:00
Vishal Nayak 3c968260a8 Cert verification for non-CA certs (#2761)
* Cert verification for non-CA certs

* Added test case to ensure login fails with expired non-CA cert

* Address review feedback
2017-05-25 10:49:09 -04:00
Jeff Mitchell 9f681ea4cf Use auth-saved cert name during renewals to avoid a panic. (#2755) 2017-05-23 20:41:01 -04:00
emily aa40d2cff6 add gofmt checks to Vault and format existing code (#2745) 2017-05-19 08:34:17 -04:00
Jeff Mitchell d25aa9fc21 Don't write salts in initialization, look up on demand (#2702) 2017-05-09 17:51:09 -04:00
Jeff Mitchell 490b01d6d8 Add salt mutex to app-id (#2690) 2017-05-08 16:15:24 -04:00
Jeff Mitchell 6f6f242061 Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 15:01:52 -04:00
Ben Gadbois 537342f038 Fixing printf (and similar) issues (#2666) 2017-05-01 23:34:10 -04:00
Michael Ansel 30b71cbbac Add constraints on the Common Name for certificate-based authentication (#2595)
* Refactor to consolidate constraints on the matching chain

* Add CN prefix/suffix constraint

* Maintain backwards compatibility (pick a random cert if multiple match)

* Vendor go-glob

* Replace cn_prefix/suffix with required_name/globbing

Move all the new tests to acceptance-capable tests instead of embedding in the CRL test

* Allow authenticating against a single cert

* Add new params to documentation

* Add CLI support for new param

* Refactor for style

* Support multiple (ORed) name patterns

* Rename required_names to allowed_names

* Update docs for parameter rename

* Use the new TypeCommaStringSlice
2017-04-30 11:37:10 -04:00
Jeff Mitchell 9a72b3162f Flip back to sstarcher go-okta post-merge 2017-04-28 17:21:49 -04:00
Jeff Mitchell 0f214cc502 Switch to jefferai/go-okta for now to work around Fatal lines in upstream (#2658)
Switch to jefferai/go-okta for now to work around Fatal lines in upstream
2017-04-28 08:39:51 -04:00
Joel Thompson e06a78a474 Create unified aws auth backend (#2441)
* Rename builtin/credential/aws-ec2 to aws

The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.

* Expand aws-ec2 backend to more generic aws

This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.

* Add missing aws auth handler to CLI

This was omitted from the previous commit

* aws auth backend general variable name cleanup

Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.

* Update docs for the aws auth backend

* Refactor aws bind validation

* Fix env var override in aws backend test

Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.

* Update docs on use of IAM authentication profile

AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.

* Fix typo in aws auth cli help

* Respond to PR feedback

* More PR feedback

* Respond to additional PR feedback

* Address more feedback on aws auth PR

* Make aws auth_type immutable per role

* Address more aws auth PR feedback

* Address more iam auth PR feedback

* Rename aws-ec2.html.md to aws.html.md

Per PR feedback, to go along with new backend name.

* Add MountType to logical.Request

* Make default aws auth_type dependent upon MountType

When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.

* Pass MountPoint and MountType back up to the core

Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
Chris Hoffman 847c86f788 Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings (#2614) 2017-04-19 10:39:07 -04:00
Chris Hoffman 938eab37b6 Do not lowercase groups attached to users in ldap (#2613) 2017-04-19 10:36:45 -04:00
Mitch Davis a051ec1b59 Use service bind for searching LDAP groups (#2534)
Fixes #2387
2017-04-18 15:52:05 -04:00
Vishal Nayak 09cd069435 Consider new bounds as a criteria to allow role creation (#2600)
* Consider new bounds as a criteria to allow role creation

* Added a test
2017-04-17 10:36:11 -04:00
vishalnayak 049e086b07 Fix typo. Closes GH-2528 2017-04-04 12:29:18 -04:00
Jeff Mitchell 709389dd36 Use ParseStringSlice on PKI organization/organizational unit. (#2561)
After, separately dedup and use new flag to not lowercase value.

Fixes #2555
2017-04-04 08:54:18 -07:00
Jeff Mitchell 3d162b63cc Use locks in a slice rather than a map, which is faster and makes things cleaner (#2446) 2017-03-07 11:21:32 -05:00
Vishal Nayak 491a56fe9f AppRole: Support restricted use tokens (#2435)
* approle: added token_num_uses to the role

* approle: added RUD tests for token_num_uses on role

* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
Jeff Mitchell 47f8478a97 Fix github compile breakage after dep upgrade 2017-02-24 15:32:05 -05:00
Vishal Nayak b762c43fe2 Aws Ec2 additional binds for SubnetID, VpcID and Region (#2407)
* awsec2: Added bound_region

* awsec2: Added bound_subnet_id and bound_vpc_id

* Add bound_subnet_id and bound_vpc_id to docs

* Remove fmt.Printf

* Added crud test for aws ec2 role

* Address review feedback
2017-02-24 14:19:10 -05:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Vishal Nayak eb4ef0f6e0 cidrutil: added test data points (#2378) 2017-02-16 00:51:02 -05:00
Vishal Nayak 81c95b36eb aws-ec2 auth: Return the role period in seconds (#2374)
* aws-ec2 auth: Return the role period in seconds

* cast return values to int64 for comparison with expected values
2017-02-15 10:57:57 -05:00
Jeff Mitchell 04b4a6aa50 Fix Okta auth issue when a user has no policies and/or groups set. (#2371)
Fixes #2367
2017-02-14 16:28:16 -05:00
vishalnayak 2bbc247ab4 use net.JoinHostPort 2017-02-08 18:39:09 -05:00
Jeff Mitchell 72db329d67 Add support for backup/multiple LDAP URLs. (#2350) 2017-02-08 14:59:24 -08:00
Jeff Mitchell a217be589c Merge pull request #2154 from fcantournet/default-ldap-username
ldap auth via cli defaults username to env (#2137)
2017-02-07 21:47:59 -08:00
Jeff Mitchell a2f07acbc4 Use Getenv instead of LookupEnv
This prevents returning empty username if LOGNAME is set but empty and USER is set but not empty.
2017-02-07 21:47:06 -08:00
Jeff Mitchell f05b482e46 Update error text 2017-02-07 21:44:23 -08:00
Jeff Mitchell 8f957579d8 Update some help text for RADIUS 2017-02-07 16:06:27 -05:00
Matteo Sessa 29d9d5676e RADIUS Authentication Backend (#2268) 2017-02-07 16:04:27 -05:00
Jeff Mitchell 5de633fd27 Make userpass help text mention radius too 2017-02-04 07:48:30 -05:00
Jeff Mitchell a8ea05f365 Add default mount param to userpass cli handler 2017-02-04 07:47:09 -05:00
Vishal Nayak 3457a11afd awsec2: support periodic tokens (#2324)
* awsec2: support periodic tokens

* awsec2: add api docs for 'period'
2017-02-02 13:28:01 -05:00
Vishal Nayak 14fcc4b6eb approle: secret-id listing lock sanity check (#2315)
* approle: secret-id listing lock sanity

* Skip processing an empty secretIDHMAC item during the iteration

* approle: use dedicated lock for listing of secret-id-accessors
2017-02-01 18:13:49 -05:00
louism517 0548555219 Support for Cross-Account AWS Auth (#2148) 2017-02-01 14:16:03 -05:00
Shane Starcher 6033ea884c Okta implementation (#1966) 2017-01-26 19:08:52 -05:00
Vishal Nayak 5aba2d47b6 ldap: Minor enhancements, tests and doc update (#2272) 2017-01-23 10:56:43 -05:00
Vishal Nayak fa7d61baa3 Merge pull request #2202 from fcantournet/fix_govet_fatalf
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Vishal Nayak 1d7ded02b4 Merge pull request #2152 from mr-tron/master
Thanks for submitting this. I am going to merge this in and write tests.
2017-01-13 14:29:46 -05:00
Brian Rodgers f33d35f3de Added a nil check for config and renamed org field internally. 2017-01-11 11:04:15 -06:00
Brian Rodgers a8f12dff01 Added a 'read' for github config 2017-01-10 18:21:31 -06:00
Félix Cantournet 103b7ceab2 all: test: Fix govet warnings
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Jeff Mitchell 8fff7daf51 Don't panic when TLS is enabled but the initial dial doesn't return a connection (#2188)
Related to #2186
2016-12-15 15:49:30 -05:00
Félix Cantournet e818efde7c ldap auth via cli defaults username to env (#2137)
try to guess the username from 'LOGNAME' or if it isn't set 'USER'
2016-12-02 19:08:32 +01:00
Brian Nuszkowski 3d66907966 Disallow passwords LDAP binds by default (#2103) 2016-12-01 10:11:40 -08:00
Denis Subbotin 2797c609b0 fix checking that users policies is not nil 2016-11-29 16:35:49 +03:00
Denis Subbotin cc374b3e2c add support per user acl for ldap users 2016-11-29 13:32:59 +03:00
Thomas Soëte 5eaef287a8 Close ldap connection to avoid leak (#2130) 2016-11-28 09:31:36 -08:00
Jeff Mitchell 890c19312f Update path help for approle secret id TTL 2016-11-15 11:50:51 -05:00
Daniel Somerfield 637414a623 Added support for individual user policy mapping in github auth backend. (#2079) 2016-11-10 16:21:14 -05:00
Jeff Mitchell aa68041231 Fix GitHub tests 2016-11-08 07:13:42 -05:00
Glenn McAllister 50c8af0515 Add ldap tls_max_version config (#2060) 2016-11-07 13:43:39 -05:00
vishalnayak 65f0ce8ca3 Remove the sanity check which is not proving to be useful 2016-10-27 19:11:26 -04:00
Vishal Nayak 79d45355c8 Merge pull request #2004 from hashicorp/role-id-update
Fix regression caused by not creating a role_id secondary index
2016-10-26 16:29:46 -04:00
vishalnayak 2ce8bc95eb Deduplicate the policies in ldap backend 2016-10-14 17:20:50 -04:00
vishalnayak 1487dce475 Fix regression caused by not creating a role_id secondary index 2016-10-14 12:56:29 -04:00
Michael S. Fischer c45ab41b39 Update aws-ec2 configuration help
Updated to reflect enhanced functionality and clarify necessary
permissions.
2016-10-05 12:40:58 -07:00
vishalnayak 0f8c132ede Minor doc updates 2016-10-04 15:46:09 -04:00
vishalnayak 2e1aa80f31 Address review feedback 2 2016-10-04 15:30:42 -04:00
vishalnayak 59475d7f14 Address review feedback 2016-10-04 15:05:44 -04:00
vishalnayak 348a09e05f Add only relevant certificates 2016-10-03 20:34:28 -04:00
vishalnayak dbd364453e aws-ec2 config endpoints support type option to distinguish certs 2016-10-03 20:25:07 -04:00
vishalnayak b105f8ccf3 Authenticate aws-ec2 instances using identity document and its RSA signature 2016-10-03 18:57:41 -04:00
Vishal Nayak 4c74b646fe Merge pull request #1947 from hashicorp/secret-id-lookup-delete
Introduce lookup and destroy endpoints for secret IDs and its accessors
2016-09-29 10:19:54 -04:00
vishalnayak 34e76f8b41 Added website docs for lookup and destroy APIs 2016-09-28 22:11:48 -04:00
vishalnayak d20819949c Make secret-id reading and deleting, a POST op instead of GET 2016-09-28 20:22:37 -04:00
Michael S. Fischer 2dd1f584e6 Update documentation for required AWS API permissions
In order for Vault to map IAM instance profiles to roles, Vault
must query the 'iam:GetInstanceProfile' API, so update the documentation
and help to include the additional permissions needed.
2016-09-28 16:50:20 -07:00
Jeff Mitchell f0203741ff Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Vishal Nayak 5adfaa0d7d Merge pull request #1939 from hashicorp/secret-id-upgrade
Respond secret_id_num_uses and deprecate SecretIDNumUses
2016-09-28 18:16:07 -04:00
vishalnayak e9142f418a Added todo to remind removal of upgrade code 2016-09-28 18:17:13 -04:00
vishalnayak e01f99f042 Check for prefix match instead of exact match for IAM bound parameters 2016-09-28 18:08:28 -04:00
vishalnayak 21d9731286 Don't reset the deprecated value yet 2016-09-28 15:48:50 -04:00
Vishal Nayak 4a30a6b4f8 Merge pull request #1913 from hashicorp/bound-iam-instance-profile-arn
Proper naming for bound_iam_instance_profile_arn
2016-09-28 15:34:56 -04:00
vishalnayak 31e450a175 Add some validation checks 2016-09-28 15:36:02 -04:00
vishalnayak 9eabf75f5f Fix the misplaced response warning 2016-09-28 14:20:03 -04:00
vishalnayak a2338f5970 Added testcase to check secret_id_num_uses 2016-09-28 13:58:53 -04:00
vishalnayak ba1d238f9b Pull out reading and storing of secret ID into separate functions and handle upgrade properly 2016-09-28 12:42:26 -04:00
Mikhail Zholobov 5eff59c410
Fix "SecretIDNumUses" in AppRole auth backend
There was a typo.
2016-09-27 17:26:52 +03:00
Vishal Nayak b1ee56a15b Merge pull request #1910 from hashicorp/secret-id-cidr-list
CIDR restrictions on Secret ID
2016-09-26 10:22:48 -04:00
Vishal Nayak a4b119dc25 Merge pull request #1920 from legal90/fix-approle-delete
Fix panic on deleting the AppRole which doesn't exist
2016-09-26 10:05:33 -04:00
Mikhail Zholobov 3f77013004
Fix panic on deleting the AppRole which doesn't exist
#pathRoleDelete should return silently if the specified  AppRole doesn't exist
Fixes GH-1919
2016-09-26 16:55:08 +03:00
vishalnayak da5b5d3a8e Address review feedback from @jefferai 2016-09-26 09:53:24 -04:00
vishalnayak d080107a87 Update docs to contain bound_iam_role_arn 2016-09-26 09:37:38 -04:00
vishalnayak bf0b7f218e Implemented bound_iam_role_arn constraint 2016-09-23 21:35:36 -04:00
Jeff Mitchell 6bf871995b Don't use time.Time in responses. (#1912)
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
vishalnayak e0c41f02c8 Fix incorrect naming of bound_iam_instance_profile_arn 2016-09-23 11:22:23 -04:00
vishalnayak aaadd4ad97 Store the CIDR list in the secret ID storage entry.
Use the stored information to validate the source address and credential issue time.
Correct the logic used to verify BoundCIDRList on the role.
Reverify the subset requirements between secret ID and role during credential issue time.
2016-09-21 20:19:26 -04:00
vishalnayak 578b82acf5 Pass only valid inputs to validation methods 2016-09-21 15:44:54 -04:00
vishalnayak 93604e1e2e Added cidrutil helper 2016-09-21 13:58:32 -04:00
Vishal Nayak 97dc0e9f64 Merge pull request #1897 from hashicorp/secret-id-accessor-locks
Safely manipulate secret id accessors
2016-09-19 11:37:38 -04:00
vishalnayak fefd3a6c0b s/GetOctalFormatted/GetHexFormatted 2016-09-16 17:47:15 -04:00
vishalnayak ba72e7887a Safely manipulate secret id accessors 2016-09-15 18:13:50 -04:00
Vishal Nayak 61664bc653 Merge pull request #1886 from hashicorp/approle-upgrade-notes
upgrade notes entry for approle constraint and warning on role read
2016-09-15 12:14:01 -04:00
vishalnayak 5597156886 check for nil role 2016-09-15 12:10:40 -04:00
vishalnayak 92986bb2a0 Address review feedback 2016-09-15 11:41:52 -04:00
vishalnayak a1de742dce s/disableReauthenticationNonce/reauthentication-disabled-nonce 2016-09-15 11:29:02 -04:00
vishalnayak 9bca127631 Updated docs with nonce usage 2016-09-14 19:31:09 -04:00
vishalnayak 857f921d76 Added comment 2016-09-14 18:27:35 -04:00
vishalnayak 39796e8801 Disable reauthentication if nonce is explicitly set to empty 2016-09-14 17:58:00 -04:00
vishalnayak d0e4d77fce address review feedback 2016-09-14 14:28:02 -04:00
vishalnayak d7ce69c5eb Remove the client nonce being empty check 2016-09-14 14:28:02 -04:00
vishalnayak 53c919b1d0 Generate the nonce by default 2016-09-14 14:28:02 -04:00
vishalnayak 455a4ae055 address review feedback 2016-09-14 12:08:35 -04:00
vishalnayak b1392567d1 Use constant time comparisons for client nonce 2016-09-13 20:12:43 -04:00
vishalnayak d2e66014ba Address review feedback 2016-09-13 18:30:04 -04:00
Jeff Mitchell 29b67141eb Only use running state for checking if instance is alive. (#1885)
Fixes #1884
2016-09-13 18:08:05 -04:00
vishalnayak 99a2655d8e upgrade notes entry for approle constraint and warning on role read 2016-09-13 17:44:07 -04:00
vishalnayak bef9c2ee61 Ensure at least one constraint on the role 2016-09-13 16:03:15 -04:00
vishalnayak cdcfa4572f Address review feedback 2016-08-30 16:36:58 -04:00
vishalnayak 29b9295673 approle: fix racy updates problem for roles 2016-08-30 16:11:14 -04:00
Jeff Mitchell d1284944c3 Merge pull request #1755 from hashicorp/logxi
Convert to logxi
2016-08-21 19:28:18 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
vishalnayak 524ed6db37 Extract out common code 2016-08-21 15:46:11 -04:00
vishalnayak dfe73733d5 Seperate endpoints for read/delete using secret-id and accessor 2016-08-21 14:42:49 -04:00
Jeff Mitchell 2860dcc60f gofmt 2016-08-19 16:48:32 -04:00
vishalnayak 7ce631f1dc Pretty print the warning 2016-08-18 16:09:10 -04:00
vishalnayak 870ffd6fd8 Use shortestTTL value during renewals too 2016-08-18 15:43:58 -04:00
vishalnayak 4f1c47478e When TTL is not set, consider the system default TTL as well 2016-08-18 15:37:59 -04:00
vishalnayak 56b8c33c95 aws-ec2: se max_ttl when ttl is not set, during login 2016-08-18 15:16:32 -04:00
vishalnayak b150c14caa Address review feedback by @jefferai 2016-08-09 17:45:42 -04:00
vishalnayak 8d261b1a78 Added ttl field to aws-ec2 auth backend role 2016-08-09 17:29:45 -04:00
Jeff Mitchell 1f198e9256 Return warning about ACLing the LDAP configuration endpoint.
Fixes #1263
2016-08-08 10:18:36 -04:00
Jeff Mitchell 9e204bd88c Add arbitrary string slice parsing.
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.

Fixes #1619 in theory.
2016-08-03 14:24:16 -04:00
Jeff Mitchell c025b292b5 Cleanup 2016-08-03 13:09:12 -04:00
vishalnayak a6907769b0 AppRole authentication backend 2016-07-26 09:32:41 -04:00
Jeff Mitchell 0cfb112e87 Explicitly set invalid request status when a password isn't included 2016-07-25 11:14:15 -04:00
Jeff Mitchell dc4b85b55e Don't return 500 for user error in userpass when setting password 2016-07-25 11:09:46 -04:00
Jeff Mitchell d4c3e27c4e Fix re-specification of filter 2016-07-25 09:08:29 -04:00
Oren Shomron cd6d114e42 LDAP Auth Backend Overhaul
--------------------------

Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.

Simplified group membership lookup significantly to support multiple use-cases:
  * Enumerating groups via memberOf attribute on user object
  * Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
  * Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matchind rule

There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.

Additional changes:
  * Clarify documentation for LDAP auth backend.
  * Reworked how default values are set, added tests
  * Removed Dial from LDAP config read. Network should not affect configuration.
2016-07-22 21:20:05 -04:00
Jeff Mitchell 68dcf677fa Fix panic if no certificates are supplied by client
Fixes #1637
2016-07-21 10:20:41 -04:00
Jeff Mitchell b353e44209 Fix build 2016-07-21 09:53:41 -04:00
Jeff Mitchell d335038b40 Ensure we never return a nil set of trusted CA certs
Fixes #1637
2016-07-21 09:50:31 -04:00
vishalnayak c14235b206 Merge branch 'master-oss' into json-use-number
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Vishal Nayak cdf58da43b Merge pull request #1610 from hashicorp/min-tls-ver-12
Set minimum TLS version in all tls.Config objects
2016-07-13 10:53:14 -06:00
vishalnayak 09a4142fd3 Handled upgrade path for TLSMinVersion 2016-07-13 12:42:51 -04:00
vishalnayak de19314f18 Address review feedback 2016-07-13 11:52:26 -04:00
vishalnayak 407722a9b4 Added tls_min_version to consul storage backend 2016-07-12 20:10:54 -04:00
vishalnayak f34f0ef503 Make 'tls_min_version' configurable 2016-07-12 19:32:47 -04:00
vishalnayak 46d34130ac Set minimum TLS version in all tls.Config objects 2016-07-12 17:06:28 -04:00
vishalnayak e09b40e155 Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC 2016-07-08 18:30:18 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers.
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell 51cd67115c Run appid/cert auth tests always 2016-07-01 14:06:33 -04:00
Jeff Mitchell 5d707c41ff Always run userpass acceptance tests 2016-07-01 11:37:38 -04:00
Jeff Mitchell 3e515c5885 Fix up breakage from bumping deps 2016-06-30 14:31:41 -04:00
vishalnayak 5f5a81d8da Fix broken build 2016-06-21 18:25:36 -04:00
vishalnayak e97f81ecaa Print role name in the error message 2016-06-21 17:53:33 -04:00
Vishal Nayak 78d4d5c8c3 Merge pull request #1523 from hashicorp/bind-account-id-aws-ec2
Added bound_account_id to aws-ec2 auth backend
2016-06-21 10:03:20 -04:00
vishalnayak f7a44a2643 Correct casing of abbreviations 2016-06-21 10:02:22 -04:00
Vishal Nayak 69d562c5db Merge pull request #1514 from hashicorp/backend-return-objects
Backend() functions should return 'backend' objects.
2016-06-20 19:30:00 -04:00
vishalnayak 383be815b6 aws-ec2: added a nil check for storedIdentity in login renewal 2016-06-20 10:19:57 -04:00
vishalnayak dccfc413d4 Replace an 'if' block with 'switch' 2016-06-17 12:35:44 -04:00
vishalnayak 8e03c1448b Merge branch 'master-oss' into bind-account-id-aws-ec2
Conflicts:
	builtin/credential/aws-ec2/backend_test.go
	builtin/credential/aws-ec2/path_login.go
	builtin/credential/aws-ec2/path_role.go
2016-06-14 14:46:08 -04:00
Ivan Fuyivara 74e84113db fixing the test for the wrong IAM Role ARN 2016-06-14 18:17:41 +00:00
Ivan Fuyivara 0ffbef0ccd added tests, nil validations and doccumentation 2016-06-14 16:58:50 +00:00
vishalnayak 26f7fcf6a1 Added bound_account_id to aws-ec2 auth backend 2016-06-14 11:58:19 -04:00
Ivan Fuyivara 2c5a8fb39f fixing spaces 2016-06-14 14:57:46 +00:00
root 52a47e1c4f adding IAM Role as constrain 2016-06-14 14:49:36 +00:00
vishalnayak b7eb28bb3a Added bound_ami_id check 2016-06-13 08:56:39 -04:00
vishalnayak 0760a89eb4 Backend() functions should return 'backend' objects.
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
vishalnayak c6a27f2fa8 s/VAULT_GITHUB_AUTH_TOKEN/VAULT_AUTH_GITHUB_TOKEN 2016-06-09 14:00:56 -04:00
Jeff Mitchell b82033516e Merge pull request #1510 from hashicorp/fix-gh-renew-panic
Fix panic when renewing a github token from a previous version of Vault
2016-06-09 13:54:20 -04:00
Jeff Mitchell 7c65dc9bf1 xInt->xRaw 2016-06-09 13:54:04 -04:00
vishalnayak 308294db46 Added VAULT_GITHUB_AUTH_TOKEN env var to receive GitHub auth token 2016-06-09 13:45:56 -04:00
Jeff Mitchell 1715b3dcb8 Fix panic when renewing a github token from a previous version of Vault 2016-06-09 13:37:09 -04:00
Jeff Mitchell ca47478aed Merge pull request #1479 from hashicorp/reuse-be-creation-tests
Change AWS/SSH to reuse backend creation code for test functions
2016-06-03 09:59:37 -04:00
vishalnayak e9fbb9fabe Remove failOnError method from cert tests 2016-06-01 16:01:28 -04:00
Jeff Mitchell 86d2c796b0 Change AWS/SSH to reuse backend creation code for test functions 2016-06-01 12:17:47 -04:00
Vishal Nayak 3a460b9c4b Merge pull request #1471 from hashicorp/rename-aws-auth
auth backend: rename `aws` as `aws-ec2`
2016-06-01 10:41:13 -04:00
vishalnayak dbee3cd81b Address review feedback 2016-06-01 10:36:58 -04:00
vishalnayak 4fea41f7e5 Use entry.Type as a criteria for upgrade 2016-06-01 10:30:11 -04:00
Jeff Mitchell 99c1e071f3 Remove most Root paths 2016-05-31 23:42:54 +00:00
vishalnayak a072f2807d Rename aws as aws-ec2 2016-05-30 14:11:15 -04:00
vishalnayak 950c76c020 rename credential/aws as credential/aws-ec2 2016-05-30 14:11:15 -04:00
vishalnayak 1d94828e45 Re-enable rollback triggers for auth backends 2016-05-26 14:29:41 -04:00
vishalnayak cfd337d06a Fix broken cert backend test 2016-05-26 11:06:46 -04:00
vishalnayak c0e745dbfa s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends 2016-05-26 10:21:03 -04:00
Jeff Mitchell 1bef0c3584 Merge pull request #1245 from LeonDaniel/master
Improved groups search for LDAP login
2016-05-19 12:13:29 -04:00
vishalnayak 65801942cb Naming of the locked and nonLocked methods 2016-05-17 20:39:24 -04:00
Jeff Mitchell ed574d63fe Merge pull request #1416 from shomron/list_ldap_group_mappings
Support listing ldap group to policy mappings
2016-05-16 16:22:13 -04:00
Sean Chittenden 7a4b31ce51
Speling police 2016-05-15 09:58:36 -07:00
Oren Shomron b8840ab9eb Support listing ldap group to policy mappings (Fixes #1270) 2016-05-14 20:00:40 -04:00
Vishal Nayak 53fc941761 Merge pull request #1300 from hashicorp/aws-auth-backend
AWS EC2 instances authentication backend
2016-05-14 19:42:03 -04:00
vishalnayak 4122ed860b Rename 'role_name' to 'role' 2016-05-13 14:31:13 -04:00