Jeff Mitchell
2cc4a761f7
Honor role period for IAM auth type in AWS backend ( #2828 )
...
Fixes #2825
2017-06-07 10:18:02 -04:00
Joel Thompson
7437ada31c
Check if there's a bound iam arn when renewing ( #2819 )
...
Previously, the renew method would ALWAYS check to ensure the
authenticated IAM principal ARN matched the bound ARN. However, there
is a valid use case in which no bound_iam_principal_arn is specified and
all bindings are done through inferencing. When a role is configured
like this, clients won't be able to renew their token because of the
check.
This now checks to ensure that the bound_iam_principal_arn is not empty
before requriing that it match the originally authenticated client.
Fixes #2781
2017-06-06 22:35:12 -04:00
Scott Sinclair
0c7d240968
Change split on instance profile name ( #2802 )
...
This now splits on the /, so we only get the last component of the instance profile name (ignoring paths)
2017-06-05 12:39:37 -04:00
Jeff Mitchell
f7df60b131
Allow accessing Warnings directly in Response. ( #2806 )
...
A change in copystructure has caused some panics due to the custom copy
function. I'm more nervous about production panics than I am about
keeping some bad code wiping out some existing warnings, so remove the
custom copy function and just allow direct setting of Warnings.
2017-06-05 10:52:43 -04:00
Dan Stark
9f6b77598e
Fixes typos in error message and comment for AWS auth CLI ( #2798 )
2017-06-02 17:35:25 -07:00
Andrew
e33e489eee
Improve EC2 describe instances performance ( #2766 )
...
Query the EC2 API for the instance ID rather than filter the results of
all instances.
2017-05-26 08:38:01 -04:00
Jeff Mitchell
d25aa9fc21
Don't write salts in initialization, look up on demand ( #2702 )
2017-05-09 17:51:09 -04:00
Jeff Mitchell
6f6f242061
Add logic to skip initialization in some cases and some invalidation logic
2017-05-05 15:01:52 -04:00
Ben Gadbois
537342f038
Fixing printf (and similar) issues ( #2666 )
2017-05-01 23:34:10 -04:00
Joel Thompson
e06a78a474
Create unified aws auth backend ( #2441 )
...
* Rename builtin/credential/aws-ec2 to aws
The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.
* Expand aws-ec2 backend to more generic aws
This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.
* Add missing aws auth handler to CLI
This was omitted from the previous commit
* aws auth backend general variable name cleanup
Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.
* Update docs for the aws auth backend
* Refactor aws bind validation
* Fix env var override in aws backend test
Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.
* Update docs on use of IAM authentication profile
AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.
* Fix typo in aws auth cli help
* Respond to PR feedback
* More PR feedback
* Respond to additional PR feedback
* Address more feedback on aws auth PR
* Make aws auth_type immutable per role
* Address more aws auth PR feedback
* Address more iam auth PR feedback
* Rename aws-ec2.html.md to aws.html.md
Per PR feedback, to go along with new backend name.
* Add MountType to logical.Request
* Make default aws auth_type dependent upon MountType
When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.
* Pass MountPoint and MountType back up to the core
Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
vishalnayak
950c76c020
rename credential/aws as credential/aws-ec2
2016-05-30 14:11:15 -04:00
vishalnayak
1d94828e45
Re-enable rollback triggers for auth backends
2016-05-26 14:29:41 -04:00
vishalnayak
c0e745dbfa
s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends
2016-05-26 10:21:03 -04:00
vishalnayak
65801942cb
Naming of the locked and nonLocked methods
2016-05-17 20:39:24 -04:00
vishalnayak
4122ed860b
Rename 'role_name' to 'role'
2016-05-13 14:31:13 -04:00
vishalnayak
be88306f92
Name the files based on changed path patterns
2016-05-12 11:52:07 -04:00
vishalnayak
7e8a2d55d0
Update docs and path names to the new patterns
2016-05-12 11:45:10 -04:00
vishalnayak
d09748a135
Fix the acceptance tests
2016-05-09 22:07:51 -04:00
vishalnayak
95f3f08d29
Call client config internal from the locking method
2016-05-09 21:01:57 -04:00
Jeff Mitchell
4549625367
Update client code to use internal entry fetching
2016-05-09 23:26:00 +00:00
Jeff Mitchell
c16b0a4f41
Switch whitelist to use longest max TTL
2016-05-05 20:44:48 -04:00
Jeff Mitchell
7a6c76289a
Role tag updates
2016-05-05 15:32:14 -04:00
Jeff Mitchell
b58ad615f2
Fix HMAC being overwritten. Also some documentation, and add a lock to role operations
2016-05-05 14:51:09 -04:00
Jeff Mitchell
0eddeb5c94
Guard tidy functions
2016-05-05 14:28:46 -04:00
Jeff Mitchell
2d4c390f87
More updates to mutexes and adjust blacklisted roletag default safety buffer
2016-05-05 14:12:22 -04:00
Jeff Mitchell
8fef6e3ac0
Rename identity whitelist and roletag blacklist api endpoints
2016-05-05 13:34:50 -04:00
Jeff Mitchell
c69ba40d05
Move some mutexes around
2016-05-05 12:53:27 -04:00
Jeff Mitchell
f689e4712d
Update some mutexes in client config
2016-05-05 12:44:40 -04:00
Jeff Mitchell
c15c227774
Fall back to non-base64 cert if it can't be decoded (it's checked later anyways)
2016-05-05 11:36:28 -04:00
Jeff Mitchell
25913fb18c
Update commenting
2016-05-05 11:22:36 -04:00
Jeff Mitchell
15cbcedf1f
Make the roletag blacklist the longest duration, not least
2016-05-05 11:00:41 -04:00
Jeff Mitchell
e45d6c1120
Switch client code to shared awsutil code
2016-05-05 10:40:49 -04:00
vishalnayak
b7c48ba109
Change image/ to a more flexible /role endpoint
2016-05-03 23:36:59 -04:00
vishalnayak
9f2a111e85
Allow custom endpoint URLs to be supplied to make EC2 API calls
2016-05-02 17:21:52 -04:00
vishalnayak
1c91f652d4
Remove unnecessary append call
2016-04-30 03:20:21 -04:00
vishalnayak
23d8ce62a3
Ensure that the instance is running during renewal
2016-04-28 16:34:35 -04:00
vishalnayak
2a2dc0befb
Added allow_instance_migration to the role tag
2016-04-28 11:43:48 -04:00
vishalnayak
4161d3ef4f
Change all time references to UTC
2016-04-28 10:19:29 -04:00
vishalnayak
e591632630
Fix the deadlock issue
2016-04-28 01:01:33 -04:00
vishalnayak
4712533f1d
minor updates
2016-04-28 00:35:49 -04:00
vishalnayak
e6a9a5957d
Refactor locks around config tidy endpoints
2016-04-27 22:32:43 -04:00
vishalnayak
b75a6e2f0f
Fix locking around config/client
2016-04-27 22:25:15 -04:00
vishalnayak
0e97b57beb
Fix the list response of role tags
2016-04-27 22:03:11 -04:00
vishalnayak
779d73ce2b
Removed existence check on blacklist/roletags, docs fixes
2016-04-27 21:29:32 -04:00
vishalnayak
d44326ded6
Remove unnecessary lock switching around flushCachedEC2Clients
2016-04-27 20:13:56 -04:00
vishalnayak
e1080f86ed
Remove recreate parameter from clientEC2
2016-04-27 20:01:39 -04:00
vishalnayak
441477f342
Added ami_id to token metadata
2016-04-27 11:32:05 -04:00
vishalnayak
7144fd54f9
Added tests
2016-04-26 23:40:11 -04:00
vishalnayak
88942b0503
Added tests
2016-04-26 10:22:29 -04:00
vishalnayak
5a676a129e
Added tests
2016-04-26 10:22:29 -04:00
vishalnayak
e16f256b14
Added tests
2016-04-26 10:22:29 -04:00
vishalnayak
3a4021d6c4
Added tests
2016-04-26 10:22:29 -04:00
vishalnayak
de1a1be564
tidy endpoint fixes
2016-04-26 10:22:29 -04:00
vishalnayak
044d01fd69
HMAC Key per AMI ID and avoided secondary call to AWS to fetch the tags
2016-04-26 10:22:29 -04:00
vishalnayak
5996c3e9d8
Rework and refactoring
2016-04-26 10:22:29 -04:00
vishalnayak
3aeae62c00
Added mutex locking for config/certificate endpoint
2016-04-26 10:22:29 -04:00
vishalnayak
21854776af
Added cooldown period for periodic tidying operation
2016-04-26 10:22:29 -04:00
vishalnayak
9aa8fb6cc1
Support periodic tidy callback and config endpoints.
2016-04-26 10:22:29 -04:00
vishalnayak
2810196e0f
Use fullsailor/pkcs7 package instead of its fork. Fix tests
2016-04-26 10:22:29 -04:00
vishalnayak
5a2e1340df
Removed redundant AWS public certificate. Docs update.
2016-04-26 10:22:29 -04:00
vishalnayak
a456f2c3f6
Removed region
parameter from config/client
endpoint.
...
Region to create ec2 client objects is fetched from the identity document.
Maintaining a map of cached clients indexed by region.
2016-04-26 10:22:29 -04:00
vishalnayak
790b143c75
Instance ID can optionally be accepted as a the role tag parameter.
2016-04-26 10:22:29 -04:00
vishalnayak
58c485f519
Support providing multiple certificates.
...
Append all the certificates to the PKCS#7 parser during signature verification.
2016-04-26 10:22:29 -04:00
vishalnayak
9d4a7c5901
Docs update
2016-04-26 10:22:29 -04:00
vishalnayak
ba9c86c92d
Added acceptance test for login endpoint
2016-04-26 10:22:29 -04:00
vishalnayak
c2c1a5eedc
Added test case TestBackend_PathBlacklistRoleTag
2016-04-26 10:22:29 -04:00
vishalnayak
85c9176cb4
Return 4xx error at appropriate places
2016-04-26 10:22:29 -04:00
vishalnayak
1841ef0ebf
Tested pathImageTag
2016-04-26 10:22:29 -04:00
vishalnayak
80e3063334
Tested parseRoleTagValue
2016-04-26 10:22:29 -04:00
vishalnayak
dab1a00313
Make client nonce optional even during first login, when disallow_reauthentication is set
2016-04-26 10:22:29 -04:00
vishalnayak
e0cf8c5608
Rename 'name' to 'ami_id' for clarity
2016-04-26 10:22:29 -04:00
vishalnayak
092feca996
Moved HMAC parsing inside parseRoleTagValue
2016-04-26 10:22:29 -04:00
vishalnayak
ddfdf37d33
Properly handle empty client nonce case when disallow_reauthentication is set
2016-04-26 10:22:29 -04:00
vishalnayak
b8d9b18193
Added disallow_reauthentication feature
2016-04-26 10:22:29 -04:00
vishalnayak
a1d07cbff5
Remove todo and change clientNonce length limit to 128 chars
2016-04-26 10:22:28 -04:00
Jeff Mitchell
bb276d350a
Fix typo
2016-04-26 10:22:28 -04:00
Jeff Mitchell
a5aadc908d
Add environment and EC2 instance metadata role providers for AWS creds.
2016-04-26 10:22:28 -04:00
vishalnayak
012f9273f7
Remove certificate verification
2016-04-26 10:22:28 -04:00
vishalnayak
41cc7c4a15
Test path config/certificate
2016-04-26 10:22:28 -04:00
vishalnayak
5ff8d0cf96
Add existence check verification to config/client testcase
2016-04-26 10:22:28 -04:00
vishalnayak
3286194384
Testing pathImage
2016-04-26 10:22:28 -04:00
Jeff Mitchell
a8082a9a6e
allow_instance_reboot -> allow_instance_migration
2016-04-26 10:22:28 -04:00
Jeff Mitchell
075a81214e
Update image output to show allow_instance_reboot value and keep policies in a list
2016-04-26 10:22:28 -04:00
vishalnayak
91433fedf2
Changed the blacklist URL pattern to optionally accept base64 encoded role tags
2016-04-26 10:22:28 -04:00
vishalnayak
efcc07967e
Accept instance_id in the URL for whitelist endpoint
2016-04-26 10:22:28 -04:00
Jeff Mitchell
cf56895772
Switch around some logic to be more consistent/readable and respect max
...
TTL on initial token issuance.
2016-04-26 10:22:28 -04:00
vishalnayak
338054d49e
Return un-expired entries from blacklist and whitelist
2016-04-26 10:22:28 -04:00
vishalnayak
b6bd30b9fb
Test ConfigClient
2016-04-26 10:22:28 -04:00
vishalnayak
d3adc85886
AWS EC2 instances authentication backend
2016-04-26 10:22:28 -04:00