vishalnayak
41cc7c4a15
Test path config/certificate
2016-04-26 10:22:28 -04:00
vishalnayak
5ff8d0cf96
Add existence check verification to config/client testcase
2016-04-26 10:22:28 -04:00
vishalnayak
3286194384
Testing pathImage
2016-04-26 10:22:28 -04:00
Jeff Mitchell
a8082a9a6e
allow_instance_reboot -> allow_instance_migration
2016-04-26 10:22:28 -04:00
Jeff Mitchell
075a81214e
Update image output to show allow_instance_reboot value and keep policies in a list
2016-04-26 10:22:28 -04:00
vishalnayak
91433fedf2
Changed the blacklist URL pattern to optionally accept base64 encoded role tags
2016-04-26 10:22:28 -04:00
vishalnayak
efcc07967e
Accept instance_id in the URL for whitelist endpoint
2016-04-26 10:22:28 -04:00
Jeff Mitchell
cf56895772
Switch around some logic to be more consistent/readable and respect max
...
TTL on initial token issuance.
2016-04-26 10:22:28 -04:00
vishalnayak
338054d49e
Return un-expired entries from blacklist and whitelist
2016-04-26 10:22:28 -04:00
vishalnayak
b6bd30b9fb
Test ConfigClient
2016-04-26 10:22:28 -04:00
vishalnayak
d3adc85886
AWS EC2 instances authentication backend
2016-04-26 10:22:28 -04:00
leon
81ac4c3fcf
- fixed merge with upstream master
2016-04-26 13:23:43 +03:00
leon
1991aebc0a
Merge remote-tracking branch 'upstream/master'
...
Conflicts:
builtin/credential/ldap/backend.go
2016-04-26 13:16:42 +03:00
Jeff Mitchell
30ba5b7887
Merge pull request #1291 from mmickan/ssh-keyinstall-perms
...
Ensure authorized_keys file is readable when uninstalling an ssh key
2016-04-25 14:00:37 -04:00
Adam Shannon
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
vishalnayak
06eeaecef6
Skip acceptance tests if VAULT_ACC is not set
2016-04-11 20:00:15 -04:00
Jeff Mitchell
d92b960f7a
Add list support to userpass users. Remove some unneeded existence
...
checks. Remove paths from requiring root.
Fixes #911
2016-04-09 18:28:55 -04:00
Kevin Pike
dd98b08d36
Do not provide a default lease
2016-04-08 09:50:47 -07:00
Kevin Pike
eeb145f049
List roles
2016-04-08 09:46:25 -07:00
Kevin Pike
a86e5e3cd9
Support verify_connection flag
2016-04-08 09:44:15 -07:00
Kevin Pike
706ed5839e
Fix username generation
2016-04-08 09:32:29 -07:00
Kevin Pike
e3db8c999e
Merge branch 'master' of github.com:doubledutch/vault
2016-04-08 09:25:28 -07:00
Kevin Pike
1102863f5a
Update comment
2016-04-08 09:07:06 -07:00
Kevin Pike
35f49107cd
Fix documentation typo
2016-04-08 09:05:38 -07:00
Kevin Pike
5460c24b94
Fix documentation typo
2016-04-08 09:05:06 -07:00
Kevin Pike
070fe56648
Rename uri to connection_uri
2016-04-08 09:04:42 -07:00
Kevin Pike
48d1f99afb
Merge remote-tracking branch 'upstream/master'
2016-04-08 08:57:10 -07:00
vishalnayak
e3a1ee92b5
Utility Enhancements
2016-04-05 20:32:59 -04:00
vishalnayak
fd8b023655
s/TF_ACC/VAULT_ACC
2016-04-05 15:24:59 -04:00
vishalnayak
95abdebb06
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
Mark Mickan
a55124f0b6
Ensure authorized_keys file is readable when uninstalling an ssh key
...
Without this change, if the user running the ssh key install script doesn't
have read access to the authorized_keys file when uninstalling a key, all
keys will be deleted from the authorized_keys file.
Fixes GH #1285
2016-04-05 17:26:21 +09:30
Jeff Mitchell
7df3ec46b0
Some fixups around error/warning in LDAP
2016-04-02 13:33:00 -04:00
Jeff Mitchell
40325b8042
If no group DN is configured, still look for policies on local users and
...
return a warning, rather than just trying to do an LDAP search on an
empty string.
2016-04-02 13:11:36 -04:00
Jeff Mitchell
7fd5a679ca
Fix potential error scoping issue.
...
Ping #1262
2016-03-30 19:48:23 -04:00
Jeff Mitchell
3cfcd4ddf1
Check for nil connection back from go-ldap, which apparently can happen even with no error
...
Ping #1262
2016-03-29 10:00:04 -04:00
Jeff Mitchell
17613f5fcf
Removing debugging comment
2016-03-24 09:48:13 -04:00
Jeff Mitchell
4c4a65ebd0
Properly check for policy equivalency during renewal.
...
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.
Fixes #1256
2016-03-24 09:41:51 -04:00
Jeff Mitchell
dfc5a745ee
Remove check for using CSR values with non-CA certificate.
...
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.
Fixes #1250
2016-03-23 10:05:38 -04:00
leon
e7942062bd
- updated LDAP group search by iterating through all the attributes and searching for CN value instead of assuming the CN is always the first attribute from the RDN list
2016-03-21 19:44:08 +02:00
leon
a82114eeb2
- added another method to search LDAP groups by querying the userDN for memberOf attribute
2016-03-21 16:55:38 +02:00
Jeff Mitchell
3e3621841d
Merge pull request #1227 from hashicorp/issue-477
...
Don't renew cert-based tokens if the policies have changed.
2016-03-17 18:25:39 -04:00
Jeff Mitchell
1951a01998
Add ability to exclude adding the CN to SANs.
...
Fixes #1220
2016-03-17 16:28:40 -04:00
Jeff Mitchell
a8dd6aa4f1
Don't renew cert-based tokens if the policies have changed.
...
Also, add cert renewal testing.
Fixes #477
2016-03-17 14:22:24 -04:00
Jeff Mitchell
77e4ee76bb
Normalize userpass errors around bad user/pass
2016-03-16 15:19:55 -04:00
Jeff Mitchell
8a3f1ad13e
Use 400 instead of 500 for failing to provide a userpass password.
2016-03-16 15:14:28 -04:00
Vishal Nayak
2c0c901eac
Merge pull request #1216 from hashicorp/userpass-update
...
Userpass: Update the password and policies associated to user
2016-03-16 14:58:28 -04:00
vishalnayak
f9b1fc3aa0
Add comments to existence functions
2016-03-16 14:53:53 -04:00
vishalnayak
1951159b25
Addressing review comments
2016-03-16 14:21:14 -04:00
vishalnayak
239ad4ad7e
Refactor updating user values
2016-03-16 13:42:02 -04:00
vishalnayak
533b136fe7
Reduce the visibility of setUser
2016-03-16 11:39:52 -04:00
vishalnayak
2914ff7502
Use helper for existence check. Avoid panic by fetching default values for field data
2016-03-16 11:26:33 -04:00
Vishal Nayak
7db7b47fdd
Merge pull request #1210 from hashicorp/audit-id-path
...
Rename id to path and path to file_path, print audit backend paths
2016-03-15 20:13:21 -04:00
vishalnayak
39a0c8e91f
Read from 'path' to retain backward compatibility
2016-03-15 20:05:51 -04:00
vishalnayak
1e889bc08c
Input validations and field renaming
2016-03-15 17:47:13 -04:00
vishalnayak
a0958c9359
Refactor updating and creating userEntry into a helper function
2016-03-15 17:32:39 -04:00
vishalnayak
acd545f1ed
Fetch and store UserEntry to properly handle both create and update
2016-03-15 17:05:23 -04:00
vishalnayak
9609fe151b
Change path structure of password and policies endpoints in userpass
2016-03-15 16:46:12 -04:00
vishalnayak
8be36b6925
Reuse the variable instead of fetching 'name' again
2016-03-15 16:21:47 -04:00
vishalnayak
61b4cac458
Added paths to update policies and password
2016-03-15 16:12:55 -04:00
vishalnayak
731bb97db5
Tests for updating password and policies in userpass backend
2016-03-15 16:09:23 -04:00
vishalnayak
b7eb0a97e5
Userpass: Support updating policies and password
2016-03-15 15:18:21 -04:00
Jeff Mitchell
8aaf29b78d
Add forgotten test
2016-03-15 14:18:35 -04:00
Jeff Mitchell
8bf935bc2b
Add list support to certs in cert auth backend.
...
Fixes #1212
2016-03-15 14:07:40 -04:00
vishalnayak
71fc07833f
Rename id to path and path to file_path, print audit backend paths
2016-03-14 17:15:07 -04:00
Jeff Mitchell
d648306d52
Add the ability to specify the app-id in the login path.
...
This makes it easier to use prefix revocation for tokens.
Ping #424
2016-03-14 16:24:01 -04:00
Jeff Mitchell
9bfd24cd69
s/hash_accessor/hmac_accessor/g
2016-03-14 14:52:29 -04:00
vishalnayak
ea108fba18
Use accessor being set as the condition to restore non-hashed values
2016-03-14 11:23:30 -04:00
vishalnayak
e09819fedc
Added hash_accessor option to audit backends
2016-03-11 19:28:06 -05:00
Vishal Nayak
343e6f1671
Merge pull request #998 from chrishoffman/mssql
...
Sql Server (mssql) secret backend
2016-03-10 22:30:24 -05:00
Chris Hoffman
b1703fb18d
Cleaning up lease and lease duration vars and params
2016-03-10 21:15:18 -05:00
Chris Hoffman
ba94451875
Removing root protected endpoints
2016-03-10 21:08:39 -05:00
Chris Hoffman
dc7da4f4e8
Changing DROP USER query to a more compatible version
2016-03-10 21:06:50 -05:00
Chris Hoffman
5af33afd90
Adding verify_connection to config, docs updates, misc cleanup
2016-03-09 23:08:05 -05:00
Vishal Nayak
a6d8fc9d98
Merge pull request #1190 from grunzwei/master
...
fix github tests to use the provided GITHUB_ORG environment variable
2016-03-09 09:51:28 -05:00
Nathan Grunzweig
ae469cc796
fix github tests to use the provided GITHUB_ORG environment variable
...
(tests fail for non hashicorp people)
2016-03-09 15:34:03 +02:00
Jeff Mitchell
7a9122bbd1
Sanitize serial number in revocation path.
...
Ping #1180
2016-03-08 10:51:59 -05:00
Jeff Mitchell
34a9cb1a70
Add serial_number back to path_issue_sign responses in PKI
2016-03-08 09:25:48 -05:00
Jeff Mitchell
5a17735dcb
Add subject/authority key id to cert metadata
2016-03-07 14:59:00 -05:00
Jeff Mitchell
11dc3f328f
Add revocation information to PKI fetch output (non-raw only).
...
Fixes #1180
2016-03-07 10:57:38 -05:00
Jeff Mitchell
67b85b8f7f
Error rather than skip Consul acceptance tests if Consul isn't found
2016-03-07 10:09:36 -05:00
Jeff Mitchell
4a3d3ef300
Use better error message on LDAP renew failure
2016-03-07 09:34:16 -05:00
Chris Hoffman
0b4a8f5b94
Adding mssql secret backend
2016-03-03 09:19:17 -05:00
vishalnayak
44208455f6
continue if non-CA policy is not found
2016-03-01 16:43:51 -05:00
vishalnayak
9a3ddc9696
Added ExtKeyUsageAny, changed big.Int comparison and fixed code flow
2016-03-01 16:37:01 -05:00
vishalnayak
cc1592e27a
corrections, policy matching changes and test cert changes
2016-03-01 16:37:01 -05:00
vishalnayak
09eef70853
Added testcase for cert writes
2016-03-01 16:37:01 -05:00
vishalnayak
f056e8a5a5
supporting non-ca certs for verification
2016-03-01 16:37:01 -05:00
vishalnayak
aee006ba2d
moved the test cert keys to appropriate test-fixtures folder
2016-02-29 15:49:08 -05:00
Jeff Mitchell
64ab16d137
Don't spawn consul servers when testing unless it's an acceptance test
2016-02-29 14:58:06 -05:00
Jeff Mitchell
f6092f8311
Don't run transit fuzzing if not during acceptance tests
2016-02-29 14:44:04 -05:00
Jeff Mitchell
2205133ae4
Only run PKI backend setup functions when TF_ACC is set
2016-02-29 14:41:14 -05:00
vishalnayak
cf672400d6
fixed the error log message
2016-02-29 10:41:10 -05:00
vishalnayak
dca18aec2e
replaced old certs, with new certs generated from PKI backend, containing IP SANs
2016-02-28 22:15:54 -05:00
Jeff Mitchell
7ae573b35b
Apply hyphen/underscore replacement across the entire username.
...
Handles app-id generated display names.
Fixes #1140
2016-02-26 15:26:23 -05:00
Jeff Mitchell
e2c15eb693
Merge pull request #1129 from hashicorp/pki-tidy
...
Add "pki/tidy" which allows removing expired certificates.
2016-02-25 10:39:54 -05:00
Jeff Mitchell
6b6005ee2e
Remove root token requirement from GitHub configuration
2016-02-25 08:51:53 -05:00
Jeff Mitchell
8ca847c9b3
Be more explicit about buffer type
2016-02-24 22:05:39 -05:00
Jeff Mitchell
7d41607b6e
Add "tidy/" which allows removing expired certificates.
...
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has passed. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
vishalnayak
69bcbb28aa
rename verify_cert as disable_binding and invert the logic
2016-02-24 21:01:21 -05:00
vishalnayak
902c780f2b
make the verification of certs in renewal configurable
2016-02-24 16:42:20 -05:00
vishalnayak
bc4710eb06
Cert: renewal enhancements
2016-02-24 14:31:38 -05:00
vishalnayak
053bbd97ea
check CIDR block for renewal as well
2016-02-24 10:55:31 -05:00
vishalnayak
978075a1b4
Added renewal capability to app-id backend
2016-02-24 10:40:15 -05:00
Matt Hurne
11187112bc
Improve error message returned when client attempts to generate STS credentials for a managed policy; addresses #1113
2016-02-23 08:58:28 -05:00
Jeff Mitchell
f56e4a604d
Merge pull request #1114 from hashicorp/dont-delete-certs
...
Do not delete certs (or revocation information)
2016-02-22 16:11:13 -05:00
Jeff Mitchell
4514192145
Address review feedback
2016-02-22 16:11:01 -05:00
Jeff Mitchell
f43ab6a25d
Remove extra debugging from PKI tests
2016-02-22 13:39:05 -05:00
Jeff Mitchell
f27eab1d28
Do not delete certs (or revocation information) to avoid potential
...
issues related to time synchronization. A function will be added to
allow operators to perform cleanup at chosen times.
2016-02-22 13:36:17 -05:00
Jeff Mitchell
51ced69bf8
Fix issue where leftover values after cn tests could trigger errors in ipsan tests
2016-02-22 13:35:57 -05:00
Vishal Nayak
949f8a6b69
Merge pull request #1112 from hashicorp/1089-postgres-connection-url
...
postgres: connection_url fix
2016-02-22 11:36:04 -05:00
Jeff Mitchell
4c327ca4cc
More improvements to PKI tests; allow setting a specific seed, output
...
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
2016-02-22 11:22:52 -05:00
vishalnayak
c9899a5300
postgres: connection_url fix
2016-02-22 11:22:49 -05:00
Jeff Mitchell
8d4c6f4c98
Use more fuzziness in PKI backend tests
2016-02-22 10:59:37 -05:00
Jeff Mitchell
392a26e9cd
Better handle errors from fetchCertBySerial
2016-02-22 10:36:26 -05:00
Kevin Pike
bcaac7f876
Update update operation and uuid references
2016-02-21 15:31:22 -08:00
Kevin Pike
264c9cc40e
Merge branch 'master' into rabbitmq
2016-02-21 14:55:06 -08:00
Kevin Pike
c755065415
Add RabbitMQ secret backend
2016-02-21 14:52:57 -08:00
Jeff Mitchell
fab2d8687a
Remove root requirement for certs/ and crls/ in TLS auth backend.
...
Fixes #468
2016-02-21 15:33:33 -05:00
Jeff Mitchell
58432c5d57
Add tests for minimum key size checking. (This will also verify that the
...
key type matches that of the role, since type assertions are required to
check the bit size). Like the rest, these are fuzz tests; I have
verified that the random seed will eventually hit error conditions if
ErrorOk is not set correctly when we expect an error.
2016-02-19 21:39:40 -05:00
Jeff Mitchell
c57b646848
Check role key type and bits when signing CSR.
...
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
2016-02-19 20:50:49 -05:00
vishalnayak
c4abe72075
Cap the length midString in IAM user's username to 42
2016-02-19 18:31:10 -05:00
Vishal Nayak
773de69796
Merge pull request #1102 from hashicorp/shorten-aws-usernames
...
Set limits on generated IAM user and STS token names.
2016-02-19 18:25:29 -05:00
Jeff Mitchell
574542b683
Some minor changes in mysql commenting and names
2016-02-19 16:44:52 -05:00
Jeff Mitchell
25b9f9b4a6
Set limits on generated IAM user and STS token names.
...
Fixes #1031
Fixes #1063
2016-02-19 16:35:06 -05:00
vishalnayak
a16055c809
mysql: fix error message
2016-02-19 16:07:06 -05:00
vishalnayak
38b55bd8b1
Don't deprecate value field yet
2016-02-19 16:07:06 -05:00
vishalnayak
99f4969b20
Removed connectionString.ConnectionString
2016-02-19 16:07:05 -05:00
vishalnayak
380b662c3d
mysql: provide allow_verification option to disable connection_url check
2016-02-19 16:07:05 -05:00
Jeff Mitchell
6df75231b8
Merge pull request #1100 from hashicorp/issue-1030
...
Properly escape filter values in LDAP filters
2016-02-19 14:56:40 -05:00
Jeff Mitchell
7fc4ee1ed7
Disallow 1024-bit RSA keys.
...
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
Jeff Mitchell
05b5ff69ed
Address some feedback on ldap escaping help text
2016-02-19 13:47:26 -05:00
Jeff Mitchell
d7b40b32db
Properly escape filter values.
...
Fixes #1030
2016-02-19 13:16:52 -05:00
Jeff Mitchell
c67871c36e
Update LDAP documentation with a note on escaping
2016-02-19 13:16:18 -05:00
Jeff Mitchell
d3f3122307
Add tests to ldap using the discover capability
2016-02-19 11:46:59 -05:00
Jeff Mitchell
154c326060
Add ldap tests that use a bind dn and bind password
2016-02-19 11:38:27 -05:00
Vishal Nayak
3e1a07d3d0
Merge pull request #1047 from hashicorp/vault-iss999-github-renewal
...
GitHub renewal enhancements
2016-02-18 16:47:15 -05:00
Vishal Nayak
ba134f5a7a
Merge pull request #1086 from hashicorp/iss962-verify-otp-response-code
...
SSH: Fix response code for ssh/verify
2016-02-18 13:32:28 -05:00
vishalnayak
a6f3b31a36
ssh: Fix response code for ssh/verify
2016-02-16 19:46:29 -05:00
vishalnayak
d9536043e7
Pki: Respond user error when cert is not found instead of internal error
2016-02-16 17:58:57 -05:00
vishalnayak
0b44d81a16
Github renewal enhancement
2016-02-11 20:42:42 -05:00
Jeff Mitchell
3378db0166
Merge pull request #1061 from tomrittervg/tomrittervg-typos-1
...
Fix some typos
2016-02-11 15:12:09 -05:00
Jeff Mitchell
880c9798b7
Merge pull request #1062 from tomrittervg/tomrittervg-AllowedBaseDomain-migration
...
AllowedBaseDomain will stay non-empty in certain error conditions. None of these conditions should be hit anyways, but this provides an extra safety check.
2016-02-11 15:07:54 -05:00
Jeff Mitchell
46b22745c6
Merge pull request #1053 from mwielgoszewski/postgresql-revocation
...
Fix PostgreSQL secret backend issues revoking users
2016-02-11 12:52:37 -05:00
Tom Ritter
a10dc14625
Fix AllowedBaseDomain Migration
...
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.
//untested
2016-02-09 15:42:15 -06:00
Tom Ritter
940a58cb9d
Typo in error message in path_intermediate.go
2016-02-09 15:08:30 -06:00
Tom Ritter
e5952a1c28
Typo in policy.go
2016-02-08 12:00:06 -06:00
Jeff Mitchell
4771884c78
Add slack on NotBefore value for generated certs.
...
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.
Fixes #1035
2016-02-07 14:00:03 -05:00
Jeff Mitchell
eb1deefac1
Introduce a locking inmem storage for unit tests that are doing concurrent things
2016-02-04 09:40:35 -05:00
Jeff Mitchell
70eeaa1519
Add transit fuzz test
2016-02-03 17:36:15 -05:00
Vishal Nayak
d02930fd95
Merge pull request #1013 from hashicorp/fix-ssh-tests
...
Fix SSH tests
2016-02-02 14:22:09 -05:00
vishalnayak
f2e8ac0658
Fix SSH test cases.
2016-02-02 12:32:50 -05:00
Jeff Mitchell
159754acf2
Use capabilities to determine upsert-ability in transit.
2016-02-02 10:03:14 -05:00
Jeff Mitchell
5ef8839e48
Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config"
...
This reverts commit dc27d012c0357f93bfd5bd8d480f3e229166307a.
2016-02-02 09:26:25 -05:00
Jeff Mitchell
1d385b4de3
Re-add upsert into transit. Defaults to off and a new endpoint /config
...
can be used to turn it on for a given mount.
2016-02-01 20:13:57 -05:00
Jeff Mitchell
20f45678e6
Fix comment text
2016-02-01 17:20:16 -05:00
Jeff Mitchell
fc6d23a54e
Allow the format to be specified as pem_bundle, which creates a
...
concatenated PEM file.
Fixes #992
2016-02-01 13:19:41 -05:00
Jeff Mitchell
af73d965a4
Cassandra:
...
* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs
2016-02-01 10:27:26 -05:00
Jeff Mitchell
627082b838
Remove grace periods
2016-01-31 19:33:16 -05:00
Jeff Mitchell
61eec74b4e
Remove app-id renewal for the moment until verification logic is added
2016-01-31 19:12:20 -05:00
Jeff Mitchell
470ea58d73
Match leases in the test
2016-01-29 20:45:38 -05:00
Jeff Mitchell
bf13d68372
Fix userpass acceptance tests by giving it a system view
2016-01-29 20:14:14 -05:00
Jeff Mitchell
bab1220fb8
Fix building of consul backend test
2016-01-29 20:03:38 -05:00
Jeff Mitchell
d3a705f17b
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
Jeff Mitchell
02cd4d7bf6
Merge pull request #979 from hashicorp/transit-locking
...
Implement locking in the transit backend.
2016-01-29 14:40:32 -05:00
Jeff Mitchell
073e755aa6
Update error return strings
2016-01-29 14:40:13 -05:00
Jeff Mitchell
3396b42c6c
Address final review feedback
2016-01-29 14:33:51 -05:00
Jeff Mitchell
cb1928451b
Only specify cert sign / CRL sign for CAs and only specify extended key
...
usages for clients.
This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.
Fixes #987
2016-01-29 10:26:35 -05:00
Jeff Mitchell
2015118958
Add listing of roles to PKI
2016-01-28 15:18:07 -05:00
Jeff Mitchell
f8a375777b
Add list support for mysql roles
2016-01-28 15:04:25 -05:00
Jeff Mitchell
62e3ac83f8
Add list support for postgres roles
2016-01-28 14:41:50 -05:00
Jeff Mitchell
7be090b185
Fix postgres backend test SQL for user priv checking
2016-01-28 14:41:13 -05:00
Jeff Mitchell
12bd2f430b
Ensure generatePolicy checks disk, not just the cache, now that we aren't eager loading
2016-01-28 13:10:59 -05:00
Jeff Mitchell
dd57a3f55d
Add listing of roles to ssh backend
2016-01-28 12:48:00 -05:00
Jeff Mitchell
dd1b94fbd6
Remove eager loading
2016-01-28 08:59:05 -05:00
Jeff Mitchell
be83340b14
Embed the cache directly
2016-01-27 21:59:20 -05:00
Jeff Mitchell
1ebae324ce
Merge pull request #942 from wikiwi/fix-ssh-open-con
...
Cleanly close SSH connections
2016-01-27 17:18:54 -05:00
Jeff Mitchell
01102f0d06
Merge pull request #975 from vetinari/ldapbind
...
Implement LDAP username/password binding support, as well as anonymous search.
2016-01-27 17:06:45 -05:00
Jeff Mitchell
48c9f79896
Implement locking in the transit backend.
...
This ensures that we can safely rotate and modify configuration
parameters with multiple requests in flight.
As a side effect we also get a cache, which should provide a nice
speedup since we don't need to decrypt/deserialize constantly, which
would happen even with the physical LRU.
2016-01-27 17:03:21 -05:00
Jeff Mitchell
d1b2bf3183
Move archive location; also detect first load of a policy after archive
...
is added and cause the keys to be copied to the archive.
2016-01-27 13:41:37 -05:00
Jeff Mitchell
369d0bbad0
Address review feedback
2016-01-27 13:41:37 -05:00
Jeff Mitchell
e5a58109ec
Store all keys in archive always
2016-01-27 13:41:37 -05:00
Jeff Mitchell
30ffc18c19
Add unit tests
2016-01-27 13:41:37 -05:00
Jeff Mitchell
5000711a67
Force min decrypt version to 1 if it's zero, which allows fixing problematic archiving logic
2016-01-27 13:41:37 -05:00
Jeff Mitchell
7a27dd5cb3
Fix logic bug when restoring keys
2016-01-27 13:41:37 -05:00
Jeff Mitchell
004b35be36
Fix decrementing instead of incrementing
2016-01-27 13:41:37 -05:00
Jeff Mitchell
beafe25508
Initial transit key archiving work
2016-01-27 13:41:37 -05:00
Hanno Hecker
0db33274b7
discover bind dn with anonymous binds
2016-01-27 17:06:27 +01:00
Hanno Hecker
4606cd1492
fix stupid c&p error
2016-01-26 16:15:25 +01:00
Hanno Hecker
6a570345a0
add binddn/bindpath to search for the users bind DN
2016-01-26 15:56:41 +01:00
Jeff Mitchell
7390cd5264
Add a max_idle_connections parameter.
2016-01-25 14:47:07 -05:00
Jeff Mitchell
12c00b97ef
Allow backends to see taint status.
...
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.
Fixes #946
2016-01-22 17:01:22 -05:00
Dmitriy Gromov
70ef2e3398
STS now uses root vault user for keys
...
The secretAccessKeysRevoke revoke function now asserts that it is
not dealing with STS keys by checking a new internal data flag. Defaults
to IAM when the flag is not found.
Factored out genUsername into its own function to share between STS and
IAM secret creation functions.
Fixed bad call to "WriteOperation" instead of "UpdateOperation" in
aws/backend_test
2016-01-21 15:04:16 -05:00
Dmitriy Gromov
4abca91d66
Renamed sts duration to ttl and added STS permissions note.
2016-01-21 14:28:34 -05:00
Dmitriy Gromov
f251b13aaa
Removing debug print statement from sts code
2016-01-21 14:05:10 -05:00
Dmitriy Gromov
1cf8153dfd
Fixed duration type and added acceptance test for sts
2016-01-21 14:05:10 -05:00
Dmitriy Gromov
71afb7cff0
Configurable sts duration
2016-01-21 14:05:09 -05:00
Jack DeLoach
8fecccde21
Add STS path to AWS backend.
...
The new STS path allows for obtaining the same credentials that you would get
from the AWS "creds" path, except it will also provide a security token, and
will not have an annoyingly long propagation time before returning to the user.
2016-01-21 14:05:09 -05:00
Jeff Mitchell
0f0949ab06
Merge pull request #895 from nickithewatt/aws-prexisting-policies
...
Allow use of pre-existing policies for AWS users
2016-01-21 13:23:37 -05:00
Chi Vinh Le
f3e5e44cd0
Cleanly close SSH connections
2016-01-19 07:59:08 +01:00
Jeff Mitchell
9c5ad28632
Update deps, and adjust usage of go-uuid to match new return values
2016-01-13 13:40:08 -05:00
Jeff Mitchell
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Marcin Wielgoszewski
bde81080c9
Address issues with properly revoking a user via these additional REVOKE statements
2016-01-06 09:22:55 -05:00
Nicki Watt
62c22a5f73
Updated AWS policy help messages
2015-12-30 19:41:07 +00:00
Nicki Watt
cd4ca21b58
Allow use of pre-existing policies for AWS users
2015-12-30 18:05:54 +00:00
Jeff Mitchell
134b4d2a42
Built on GH-890 to add other types
2015-12-29 13:07:24 -05:00
Jeff Mitchell
b85c29349f
Merge pull request #890 from ironSource/pki-fix
...
fix CA compatibility with OpenSSL
2015-12-29 12:04:03 -06:00
Issac Goldstand
fba756075a
fix CA compatibility with OpenSSL
2015-12-29 18:52:43 +02:00
Jeff Mitchell
1a324cf347
Make TokenHelper an interface and split existing functionality
...
Functionality is split into ExternalTokenHelper, which is used if a path
is given in a configuration file, and InternalTokenHelper which is used
otherwise. The internal helper no longer shells out to the same Vault
binary, instead performing the same actions with internal code. This
avoids problems using dev mode when there are spaces in paths or when
the binary is built in a container without a shell.
Fixes #850 among others
2015-12-22 10:23:30 -05:00
Jeff Mitchell
f2da5b639f
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
Jeff Mitchell
dd445a53a5
Update key usage logic
...
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
Windows Crypto API and Go's validation logic
Fixes #846
2015-12-14 14:23:51 -05:00
Jeff Mitchell
6ad1b75caf
Merge branch 'master' into pki-csrs
2015-12-01 00:09:23 -05:00
Jeff Mitchell
64cd58463b
Fix AWS tests
2015-12-01 00:05:04 -05:00
Jeff Mitchell
4eec9d69e8
Change allowed_base_domain to allowed_domains and allow_base_domain to
...
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00
Jeff Mitchell
b6c49ddf01
Remove token display names from input options as there isn't a viable
...
use-case for it at the moment
2015-11-30 18:07:42 -05:00
Jeff Mitchell
cf366bda9c
Greatly simplify and fix the name validation function, as well as fully
...
comment it.
2015-11-23 14:15:32 -05:00
Jeff Mitchell
22a6d6fa22
Merge branch 'master' into pki-csrs
2015-11-20 12:48:38 -05:00
Jeff Mitchell
25e359084c
Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up
2015-11-19 17:14:22 -05:00
Jeff Mitchell
0dbe15cb87
Mostly revert changes to certutil as the embedded struct stuff was being
...
problematic.
2015-11-19 14:18:39 -05:00
Jeff Mitchell
af3d6ced8e
Update validator function for URIs. Change example of entering a CA to a
...
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
2015-11-19 11:35:17 -05:00
Jeff Mitchell
f41a2e562a
fix tests
2015-11-19 10:13:28 -05:00
Jeff Mitchell
a95228e4ee
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
26c8cf874d
Move public key comparison logic to its own function
2015-11-19 09:51:18 -05:00
Jeff Mitchell
4681d027c0
Move serial number generation and key validation into certutil; centralize format and key verification
2015-11-19 09:51:18 -05:00
Jeff Mitchell
c6ba4f24bc
Add URL validation
2015-11-19 09:51:18 -05:00
Jeff Mitchell
b14050bebc
Fix zero path length handling, and move common field defs elsewhere
2015-11-19 09:51:18 -05:00
Jeff Mitchell
8008451fb5
Fix logic around zero path length -- only restrict issuing intermediate CAs in this case
2015-11-19 09:51:18 -05:00
Jeff Mitchell
c461652b40
Address some feedback from review
2015-11-19 09:51:18 -05:00
Jeff Mitchell
ed62afec14
Large documentation updates, remove the pathlength path in favor of
...
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
5970cb76b6
Add path length paths and unit tests to verify same.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
ca844b1dc1
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
4cb10abcc0
Add tests for using raw CSR values
2015-11-19 09:51:18 -05:00
Jeff Mitchell
83975314c7
Change a few checks on names:
...
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).
- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.
Also, fix a nil pointer issue.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
deb5131cd3
Add config/urls CRUD operations to get and set the URLs encoded into
...
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
779efbbbc3
Change use_csr_subject to use_csr_values; copy not only the subject, but
...
also the alternate names and the extensions over as well.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
76af733ee2
Remove setting serial number in the pkix Subject
2015-11-19 09:51:17 -05:00
Jeff Mitchell
54c5c232fd
Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR
2015-11-19 09:51:17 -05:00
Jeff Mitchell
7c5a174493
Add capability to use the CSR's common name (by default for CA CSRs if
...
no common_name parameter is given, role-controlled for non-CA CSRs).
Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
2015-11-19 09:51:17 -05:00
Jeff Mitchell
54fccb2ff4
Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
4261e594af
Address some minor PR feedback
2015-11-19 09:51:17 -05:00
Jeff Mitchell
69794c7078
Fix otto import of uuid
2015-11-19 09:51:17 -05:00
Jeff Mitchell
f16d8b8cd2
Cleanup, and add ability to sign CA CSRs that aren't destined for Vault
2015-11-19 09:51:17 -05:00
Jeff Mitchell
ea676ad4cc
Add tests for intermediate signing and CRL, and fix a couple things
Completes extra functionality.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
b2df079446
Add unit tests to test signing logic, fix up test logic for names
2015-11-19 09:51:17 -05:00
Jeff Mitchell
fe7dbfaada
Handle email address alternative names, fix up tests, fix up logic around name verification
2015-11-19 09:51:17 -05:00
Jeff Mitchell
aa3d6dc85b
Add allow_base_domain to control whether or not the actual base domain is allowed as a cert common name and/or DNS SAN
2015-11-19 09:51:17 -05:00
Jeff Mitchell
7d2730d370
Add email protection flag plumbing and tests; don't call generate bundle when making an intermediate CSR since everything is now ignored
2015-11-19 09:51:17 -05:00
Jeff Mitchell
b3eb5c4957
Add sign method (untested)
2015-11-19 09:51:17 -05:00
Jeff Mitchell
6ea626e9ad
Don't show field names when not needed
2015-11-19 09:51:17 -05:00
Jeff Mitchell
1cec03d9ca
Implement CA cert/CSR generation. CA certs can be self-signed or
generate an intermediate CSR, which can be signed.
2015-11-19 09:51:17 -05:00
Kevin Pike
34dcbe176e
rabbitmq secret backend
2015-11-18 21:21:52 -08:00
Jeff Mitchell
1c7157e632
Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).
In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)
Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell
54d47957b5
Allow creating Consul management tokens
Fixes #714
2015-11-03 15:29:58 -05:00
Jeff Mitchell
5e72453b49
Use TypeDurationSecond instead of TypeString
2015-11-03 10:52:20 -05:00
Jeff Mitchell
154fc24777
Address first round of feedback from review
2015-11-03 10:52:20 -05:00
Jeff Mitchell
59cc61cc79
Add documentation for CRLs and some minor cleanup.
2015-11-03 10:52:20 -05:00
Jeff Mitchell
5d562693bd
Add tests for the crls path, and fix a couple bugs
2015-11-03 10:52:20 -05:00
Jeff Mitchell
b6b62f7dc1
Drastically simplify the method and logic; keep an in-memory cache and use that for most operations, only affecting the backend storage when needed.
2015-11-03 10:52:20 -05:00
Jeff Mitchell
c66f0918be
Add delete method, and ability to delete only one serial as well as an entire set.
2015-11-03 10:52:20 -05:00
Jeff Mitchell
be1a2266cc
Add CRLSets endpoints; write method is done. Add verification logic to
login path. Change certs "ttl" field to be a string to match common
backend behavior.
2015-11-03 10:52:19 -05:00
Seth Vargo
658bc0634a
Fix breaking API changes
2015-10-30 18:22:48 -04:00
Jeff Mitchell
80705b7963
If we fail to open a file path, show which it is in the error output
2015-10-30 14:30:21 -04:00
Jeff Mitchell
a0c5a24c79
Update Postgres tests and changelogify
2015-10-30 12:41:45 -04:00
Jeff Mitchell
2d8e3b35f2
Revoke permissions before dropping user in postgresql.
Currently permissions are not revoked, which can lead revocation to not
actually work properly. This attempts to revoke all permissions and only
then drop the role.
Fixes issue #699
2015-10-30 11:58:52 -04:00
Jeff Mitchell
528e859c4b
Fix wording
2015-10-29 12:58:29 -04:00
Jeff Mitchell
22c65c0c07
Use cleanhttp instead of bare http.Client
2015-10-22 14:37:12 -04:00
Jeff Mitchell
cba4e82682
Don't use http.DefaultClient
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.
Fixes #700, I believe.
2015-10-15 17:54:00 -04:00
Jeff Mitchell
a9155ef85e
Use split-out hashicorp/uuid
2015-10-12 14:07:12 -04:00
Jeff Mitchell
6f4e42efed
Add StaticSystemView to LDAP acceptance tests
2015-10-06 15:48:10 -04:00
Vishal Nayak
bf464b9a4b
Merge pull request #661 from hashicorp/maxopenconns
Parameterize max open connections in postgresql and mysql backends
2015-10-03 16:55:20 -04:00
vishalnayak
a740c68eab
Added a test case. Removed setting of defaultTTL in config.
2015-10-03 15:36:57 -04:00
vishalnayak
145aee229e
Merge branch 'master' of https://github.com/hashicorp/vault
2015-10-03 00:07:34 -04:00
vishalnayak
8e7975edc8
Added ConnectionURL along with ConnectionString
2015-10-02 23:47:10 -04:00
vishalnayak
e3f04dc444
Added testcases for config writes
2015-10-02 22:10:51 -04:00
Jeff Mitchell
645932a0df
Remove use of os/user as it cannot be run with CGO disabled
2015-10-02 18:43:38 -07:00
vishalnayak
ea0aba8e47
Use SanitizeTTL in credential request path instead of config
2015-10-02 15:41:35 -04:00
vishalnayak
69b478fff1
fix struct tags
2015-10-02 14:13:27 -04:00
vishalnayak
3dd84446ab
Github backend: enable auth renewals
2015-10-02 13:33:19 -04:00
vishalnayak
1f12482995
Fix ConnectionString JSON value
2015-10-02 12:07:31 -04:00
vishalnayak
644a655920
mysql: made max_open_connections configurable
2015-10-01 21:15:56 -04:00
vishalnayak
2051101c43
postgresql: Configurable max open connections to the database
2015-10-01 20:11:24 -04:00
Jeff Mitchell
c3bdde8abe
Add a static system view to github credential backend to fix acceptance tests
2015-09-29 18:55:59 -07:00
Jeff Mitchell
af27a99bb7
Remove JWT for the 0.3 release; it needs a lot of rework.
2015-09-24 16:23:44 -04:00
Jeff Mitchell
f10343921b
Start rejigging JWT
2015-09-24 16:20:22 -04:00
Jeff Mitchell
29c722dbb6
Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values
2015-09-21 16:14:30 -04:00
Jeff Mitchell
3eb38d19ba
Update transit backend documentation, and also return the min decryption
value in a read operation on the key.
2015-09-21 16:13:43 -04:00
Jeff Mitchell
5dde76fa1c
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 17:38:30 -04:00
Jeff Mitchell
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
Jeff Mitchell
01ee6c4fe1
Move no_plaintext to two separate paths for datakey.
2015-09-18 14:41:05 -04:00
Jeff Mitchell
448249108c
Add datakey generation to transit.
Can specify 128 bits (defaults to 256) and control whether or not
plaintext is returned (default true).
Unit tests for all of the new functionality.
2015-09-18 14:41:05 -04:00
Jeff Mitchell
61398f1b01
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key
2015-09-18 14:41:05 -04:00
Jeff Mitchell
801e531364
Enhance transit backend:
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
2015-09-18 14:41:05 -04:00
Jeff Mitchell
9c5dcac90c
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 14:01:28 -04:00
vishalnayak
1f53376ae6
Userpass Bk: Added tests for TTL duration verifications
2015-09-17 16:33:26 -04:00
vishalnayak
4332eb9d05
Vault userpass: Enable renewals for login tokens
2015-09-17 14:35:50 -04:00
Jeff Mitchell
77e7379ab5
Implement the cubbyhole backend
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell
104b29ab04
Rename View to StorageView to make it more distinct from SystemView
2015-09-15 13:50:37 -04:00
Lassi Pölönen
83d0ab73f5
Define time zone explicitly in postgresql connection string.
2015-09-14 13:43:06 +03:00
Lassi Pölönen
a9aaee6f5a
Explicitly set timezone with PostgreSQL timestamps.
2015-09-14 13:43:06 +03:00
Lassi Pölönen
79f68c934a
Call ResetDB as Cleanup routine to close existing database connections
on backend unmount.
2015-09-11 11:45:58 +03:00
Vishal Nayak
08f7fb9c8d
Merge pull request #580 from hashicorp/zeroaddress-path
Add root authenticated path to allow default CIDR to select roles
2015-09-10 15:28:49 -04:00
Jeff Mitchell
39cfcccdac
Remove error returns from sysview TTL calls
2015-09-10 15:09:54 -04:00
Jeff Mitchell
488d33c70a
Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation
2015-09-10 15:09:54 -04:00
Jeff Mitchell
4239f9d243
Add DynamicSystemView. This uses a pointer to a pointer to always have
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.
Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
d435048d9e
Switch StaticSystemView values to pointers, to support updating
2015-09-10 15:09:54 -04:00
vishalnayak
473c1d759d
Vault SSH: Testing credential creation on zero address roles
2015-09-10 11:55:07 -04:00
vishalnayak
d26497267c
Vault SSH: Expected data for testRoleRead
2015-09-10 10:44:26 -04:00
vishalnayak
475df43c59
Merge branch 'master' of https://github.com/hashicorp/vault
2015-09-10 10:03:17 -04:00
vishalnayak
d6b40c576d
Vault SSH: Refactoring tests
2015-09-03 18:56:45 -04:00
vishalnayak
17c266bfd3
Vault SSH: Refactor lookup test case
2015-09-03 18:43:53 -04:00
vishalnayak
c8c472e461
Vault SSH: Testcase restructuring
2015-09-03 18:11:04 -04:00
Jeff Mitchell
959a727acd
Don't re-use tls configuration, to fix a possible race issue during test
2015-09-03 13:04:32 -04:00
vishalnayak
3e7aa75d70
Vault SSH: make Zeroaddress entry Remove method private
2015-08-31 17:10:55 -04:00
vishalnayak
9918105404
Vault SSH: Store roles as slice of strings
2015-08-31 17:03:46 -04:00
vishalnayak
f21ad7da4c
Vault SSH: refactoring
2015-08-31 16:03:28 -04:00
vishalnayak
59bf9e6f9f
Vault SSH: Refactoring backend_test
2015-08-30 14:30:59 -04:00
vishalnayak
5e3f8d53f3
Vault SSH: ZeroAddress CRUD test
2015-08-30 14:20:16 -04:00
vishalnayak
6427a7e41e
Vault SSH: Add read method for zeroaddress endpoint
2015-08-29 20:22:34 -04:00
vishalnayak
dc4f97b61b
Vault SSH: Zeroaddress roles and CIDR overlap check
2015-08-29 15:24:15 -04:00
Jeff Mitchell
5fa76b5640
Add base_url option to GitHub auth provider to allow selecting a custom endpoint. Fixes #572.
2015-08-28 06:28:43 -07:00
Vishal Nayak
d4609dea28
Merge pull request #578 from hashicorp/exclude-cidr-list
Vault SSH: Added exclude_cidr_list option to role
2015-08-28 07:59:46 -04:00
vishalnayak
b12a2f0013
Vault SSH: Added exclude_cidr_list option to role
2015-08-27 23:19:55 -04:00
Jeff Mitchell
a4fc4a8e90
Deprecate lease -> ttl in PKI backend, and default to system TTL values if not given. This prevents issuing certificates with a longer duration than the maximum lease TTL configured in Vault. Fixes #470.
2015-08-27 12:24:37 -07:00
vishalnayak
fbff20d9ab
Vault SSH: Docs for default CIDR value
2015-08-27 13:10:15 -04:00
vishalnayak
5063a0608b
Vault SSH: Default CIDR for roles
2015-08-27 13:04:15 -04:00
vishalnayak
702a869010
Vault SSH: Provide key option specifications for dynamic keys
2015-08-27 11:41:29 -04:00
vishalnayak
5b08e01bb1
Vault SSH: Create .ssh directory if not present. Closes #573
2015-08-27 08:45:34 -04:00
Jeff Mitchell
9db8a5c744
Merge pull request #567 from hobbeswalsh/master
Spaces in displayName break AWS IAM
2015-08-26 12:37:52 -04:00
Robin Walsh
34b84367b5
Adding one more test (for no-op case)
2015-08-26 09:26:20 -07:00
Robin Walsh
4b7c2cc114
Adding unit test for normalizeDisplayName()
2015-08-26 09:23:33 -07:00
Jeff Mitchell
2098446d47
Ensure that the 'file' audit backend can successfully open its given path before returning success. Fixes #550.
2015-08-26 09:13:10 -07:00
Jeff Mitchell
2d8bfff02b
Explicitly check for blank leases in AWS, and give a better error message if lease_max cannot be parsed. Fixes #569.
2015-08-26 09:04:47 -07:00
Robin Walsh
8530f14fee
s/string replacement/regexp replacement
2015-08-24 17:00:54 -07:00
Robin Walsh
69f5abdc91
spaces in displayName break AWS IAM
2015-08-24 16:12:45 -07:00
vishalnayak
c35d78b3cb
Vault SSH: Documentation update
2015-08-24 14:18:37 -04:00
vishalnayak
e6987beb61
Vault SSH: Replace args with named vars
2015-08-24 14:07:07 -04:00
vishalnayak
eb91a3451b
Merging with master
2015-08-24 13:55:20 -04:00
vishalnayak
44c07cff5b
Vault SSH: Cleanup of aux files in install script
2015-08-24 13:50:46 -04:00
Jeff Mitchell
f7845234b4
Merge pull request #555 from hashicorp/toggleable-hostname-enforcement
Allow enforcement of hostnames to be toggleable for certificates.
2015-08-21 19:23:09 -07:00
Jeff Mitchell
5695d57ba0
Merge pull request #561 from hashicorp/fix-wild-cards
Allow hyphens in endpoint patterns of most backends
2015-08-21 11:40:42 -07:00
vishalnayak
6822af68e1
Vault SSH: Undo changes which do not belong to wild card changes
2015-08-21 09:58:15 -07:00
vishalnayak
6c2927ede0
Vault: Fix wild card paths for all backends
2015-08-21 00:56:13 -07:00
Jeff Mitchell
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
vishalnayak
0ffad79548
Vault SSH: Make the script readable
2015-08-20 16:12:17 -07:00
Jeff Mitchell
133380915a
Disallow non-client X509 key usages for client TLS cert authentication.
2015-08-20 15:50:47 -07:00
Jeff Mitchell
41b85a1c83
Allow enforcement of hostnames to be toggleable for certificates. Fixes #451 .
2015-08-20 14:33:37 -07:00
Vishal Nayak
beca9f1596
Merge pull request #385 from hashicorp/vishal/vault
SSH Secret Backend for Vault
2015-08-20 10:03:15 -07:00
Bernhard K. Weisshuhn
8a5361ea79
skip revoke permissions step on cassandra rollback (drop user is enough)
2015-08-20 11:15:43 +02:00
Bernhard K. Weisshuhn
86cde438a5
avoid dashes in generated usernames for cassandra to avoid quoting issues
2015-08-20 11:15:28 +02:00
vishalnayak
451d2b0532
Vault SSH: Removing script file
2015-08-19 12:59:52 -07:00
vishalnayak
76ed3bec74
Vault SSH: 1024 is default key size and removed 4096
2015-08-19 12:51:33 -07:00
vishalnayak
5b1ba99757
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-08-18 19:00:38 -07:00
vishalnayak
251cd997ad
Vault SSH: TLS client creation test
2015-08-18 19:00:27 -07:00
Armon Dadgar
aefb92b74c
Merge pull request #534 from ctennis/lease_reader
Fix #533, add a reader for lease values (#529) and an acceptance test for mysql to prove it works
2015-08-18 19:00:18 -07:00
Jeff Mitchell
3cc4bd0b96
Fix AWS, again, and update Godeps.
2015-08-18 18:12:51 -07:00
vishalnayak
9324db7979
Vault SSH: verify echo test
2015-08-18 16:48:50 -07:00
vishalnayak
0c0ca91d2e
Vault SSH: Fix backend test cases
2015-08-18 15:40:52 -07:00
vishalnayak
b91ebbc6e2
Vault SSH: Documentation update and minor refactoring changes.
2015-08-17 18:22:03 -07:00
vishalnayak
9db318fc55
Vault SSH: Website page for SSH backend
2015-08-14 12:41:26 -07:00
vishalnayak
b2f29c517b
Vault SSH: Install script is optional now. Default script will be for Linux host.
2015-08-13 17:07:43 -07:00
vishalnayak
7f9babed2a
Vault SSH: CLI embellishments
2015-08-13 16:55:47 -07:00
vishalnayak
d670b50e78
Vault SSH: Introduced allowed_users option. Added helpers getKey and getOTP
2015-08-13 14:18:30 -07:00
Caleb Tennis
a36910799e
Fix #533, add a reader for lease values (#529) and an acceptance test for mysql to prove it works
2015-08-13 15:33:06 -04:00
vishalnayak
2320bfb1e4
Vault SSH: Helper for OTP creation and role read
2015-08-13 11:12:30 -07:00
vishalnayak
c11bcecbbb
Vault SSH: Mandate default_user. Other refactoring
2015-08-13 10:36:31 -07:00
vishalnayak
8e946f27cc
Vault SSH: cidr to cidr_list
2015-08-13 08:46:55 -07:00
vishalnayak
7d3025fd6e
Vault SSH: Default lease duration, policy/ to role/
2015-08-12 17:36:27 -07:00
vishalnayak
330ef396ca
Vault SSH: Default lease of 5 min for SSH secrets
2015-08-12 17:10:35 -07:00
vishalnayak
2d23ffe3d2
Vault SSH: Exposed verify request/response messages to agent
2015-08-12 13:22:48 -07:00
vishalnayak
f84347c542
Vault SSH: Added SSHAgent API
2015-08-12 10:48:58 -07:00
vishalnayak
93dfa67039
Merging changes from master
2015-08-12 09:28:16 -07:00
vishalnayak
0abf07cb91
Vault SSH: Website doc v1. Removed path_echo
2015-08-12 09:25:28 -07:00
Armon Dadgar
d1a09e295a
Merge pull request #509 from ekristen/github-fix
Reimplements #459
2015-08-11 10:06:10 -07:00
Armon Dadgar
3b9a6d5e33
Fixing merge conflict
2015-08-11 10:04:47 -07:00
Erik Kristensen
611965844b
reimplements #459
2015-08-09 11:25:45 -06:00
Michael S. Fischer
21ab4d526c
Provide working example of TLS certificate authentication
Fixes #474
2015-08-07 15:15:53 -07:00
Erik Kristensen
ae34ec2bff
adding basic tests
2015-08-06 17:50:34 -06:00
Erik Kristensen
2233f993ae
initial pass at JWT secret backend
2015-08-06 17:49:44 -06:00
vishalnayak
e5080a7f32
Merging with master
2015-08-06 18:44:40 -04:00
vishalnayak
32502977f6
Vault SSH: Automate OTP typing if sshpass is installed
2015-08-06 17:00:50 -04:00
vishalnayak
0af97b8291
Vault SSH: uninstall dynamic keys using script
2015-08-06 15:50:12 -04:00
vishalnayak
3dd8fe750d
Vault SSH: Script to install dynamic keys in target
2015-08-06 14:48:19 -04:00
Paul Hinze
fc9de56736
Update vault code to match latest aws-sdk-go APIs
2015-08-06 11:37:08 -05:00
Seth Vargo
bfd4b818b8
Update to latest aws and move off of hashicorp/aws-sdk-go
2015-08-06 12:26:41 -04:00
vishalnayak
9aa075f3c7
Vault SSH: Added 'echo' path to SSH
2015-08-04 15:30:24 -04:00
vishalnayak
476da10f1c
Vault SSH: Testing OTP creation
2015-08-03 19:04:07 -04:00
Erik Kristensen
26387f6535
remove newline
2015-08-03 16:34:24 -06:00
Erik Kristensen
f9c49f4a57
fix bug #488
2015-08-03 15:47:30 -06:00
vishalnayak
8409ba7210
Vault SSH: CRUD tests for named keys
2015-08-03 16:18:14 -04:00
Rusty Ross
719ac6e714
update doc for app-id
make clearer in doc that user-id can accept multiple app-id mappings as comma-separated values
2015-08-03 09:44:26 -07:00
vishalnayak
b7c7befe68
Vault SSH: CRUD test for lookup API
2015-08-03 11:22:00 -04:00
vishalnayak
c4bd85c241
Vault SSH: CRUD test for dynamic role
2015-07-31 15:17:40 -04:00
vishalnayak
b592dcc3af
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-31 13:24:28 -04:00
vishalnayak
c7ef0b95c2
Vault SSH: CRUD test case for OTP Role
2015-07-31 13:24:23 -04:00
Armon Dadgar
03728af495
Merge pull request #464 from bgirardeau/master
Add Multi-factor authentication with Duo
2015-07-30 17:51:31 -07:00
Bradley Girardeau
aa55d36f03
Clean up naming and add documentation
2015-07-30 17:36:40 -07:00
vishalnayak
61c9f884a4
Vault SSH: Review Rework
2015-07-29 14:21:36 -04:00
Bradley Girardeau
d26b77b4f4
mfa: code cleanup
2015-07-28 11:55:46 -07:00
Bradley Girardeau
6697012dd3
mfa: improve edge cases and documentation
2015-07-27 21:14:00 -07:00
Bradley Girardeau
06863d08f0
mfa: add to userpass backend
2015-07-27 21:14:00 -07:00
Bradley Girardeau
4eb1beb31c
ldap: add mfa support to CLI
2015-07-27 21:14:00 -07:00
Bradley Girardeau
8fa5a349a5
ldap: add mfa to LDAP login
2015-07-27 21:14:00 -07:00
Vishal Nayak
4b4df4271d
Vault SSH: Refactoring
2015-07-27 16:42:03 -04:00
Vishal Nayak
2e7612a149
Vault SSH: admin_user/default_user fix
2015-07-27 15:03:10 -04:00
Vishal Nayak
e9f507caf0
Vault SSH: Refactoring
2015-07-27 13:02:31 -04:00
Raymond Pete
1ca09a74b3
name slug check
2015-07-26 22:21:16 -04:00
Vishal Nayak
b532ee0bf4
Vault SSH: Dynamic Key test case fix
2015-07-24 12:13:26 -04:00
Vishal Nayak
e8daf2d0a5
Vault SSH: keys/ designated special path
2015-07-23 18:12:13 -04:00
Vishal Nayak
e998face87
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-23 17:20:34 -04:00
Vishal Nayak
791a250732
Vault SSH: Support OTP key type from CLI
2015-07-23 17:20:28 -04:00
Vishal Nayak
47197d4cb3
Vault SSH: Added vault server otp verify API
2015-07-22 16:00:58 -04:00
Vishal Nayak
93f7448487
Vault SSH: Vault agent support
2015-07-22 14:15:19 -04:00
Bradley Girardeau
e8d26d244b
ldap: change setting user policies to setting user groups
2015-07-20 11:33:39 -07:00
Vishal Nayak
27e66e175f
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-17 17:22:17 -04:00
Bradley Girardeau
301a22295d
ldap: add ability to set policies based on username as well as groups
2015-07-14 15:46:15 -07:00
Bradley Girardeau
0e2edc2378
ldap: add ability to login with a userPrincipalName (user@upndomain)
2015-07-14 15:37:46 -07:00
Armon Dadgar
504a7ca7c1
auth/userpass: store password as hash instead of direct. Credit @kenbreeman
2015-07-13 15:09:24 +10:00
Armon Dadgar
da4650ccb4
auth/userpass: protect against timing attack. Credit @kenbreeman
2015-07-13 15:01:18 +10:00
Armon Dadgar
599d5f1431
auth/app-id: protect against timing attack. Credit @kenbreeman
2015-07-13 14:58:18 +10:00
Vishal Nayak
ed258f80c6
Vault SSH: Refactoring and fixes
2015-07-10 18:44:31 -06:00
Vishal Nayak
89a0e37a89
Vault SSH: Backend and CLI testing
2015-07-10 16:18:02 -06:00
Vishal Nayak
2901890df2
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-10 09:56:21 -06:00
Vishal Nayak
3c7dd8611c
Vault SSH: Test case skeleton
2015-07-10 09:56:14 -06:00
Armon Dadgar
96d6455ef5
audit: properly restore TLS state
2015-07-08 16:45:15 -06:00
Vishal Nayak
73414154f8
Vault SSH: Made port number configurable
2015-07-06 16:56:45 -04:00
Vishal Nayak
88a3c5d41a
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-06 11:05:08 -04:00
Armon Dadgar
0be3d419c8
secret/transit: address PR feedback
2015-07-05 19:58:31 -06:00
Armon Dadgar
8293457633
secret/transit: use base64 for context to allow binary
2015-07-05 14:37:51 -07:00
Armon Dadgar
f0eec18cc7
secret/transit: testing key derivation
2015-07-05 14:30:45 -07:00
Armon Dadgar
143cd0875e
secret/transit: support key derivation in encrypt/decrypt
2015-07-05 14:19:24 -07:00
Armon Dadgar
ae9591004b
secret/transit: check for context for derived keys
2015-07-05 14:12:07 -07:00
Armon Dadgar
b30dbce404
secret/transit: support derived keys
2015-07-05 14:11:02 -07:00
Vishal Nayak
425b69be32
Vault SSH: PR review rework: Formatting/Refactoring
2015-07-02 19:52:47 -04:00
Bradley Girardeau
42050fe77b
ldap: add starttls support and option to specify ca certificate
2015-07-02 15:49:51 -07:00
Vishal Nayak
c0a62f28b1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-02 17:23:13 -04:00
Vishal Nayak
a1e2705173
Vault SSH: PR review rework
2015-07-02 17:23:09 -04:00
Jeff Mitchell
13c5fe0a16
Fix regexes to allow hyphens in role names, as the documentation shows
2015-07-01 20:39:18 -05:00
Vishal Nayak
30a24eef2c
Vault SSH: review rework: formatted and moved code
2015-07-01 21:26:42 -04:00
Vishal Nayak
67e543a863
Vault SSH: Regex supports hyphen in key name and role names
2015-07-01 21:05:52 -04:00
Vishal Nayak
bb16052141
Vault SSH: replaced concatenated strings by fmt.Sprintf
2015-07-01 20:35:11 -04:00
Vishal Nayak
d691a95531
Vault SSH: PR review rework - 1
2015-07-01 11:58:49 -04:00
Vishal Nayak
1f001d283f
For SSH backend, allow factory to be provided instead of Backend
2015-07-01 09:37:11 -04:00
Vishal Nayak
3b0ff5b5f1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-01 09:31:25 -04:00
Armon Dadgar
b52d3e6506
cred/app-id: testing upgrade to salted keys
2015-06-30 18:37:10 -07:00
Armon Dadgar
eeb717c901
cred/app-id: first pass at automatic upgrading to salting
2015-06-30 18:09:08 -07:00
Armon Dadgar
4b27e4d8c5
Remove SetLogger, and unify on framework.Setup
2015-06-30 17:45:20 -07:00
Armon Dadgar
5d69e7da90
Updating for backend API change
2015-06-30 17:36:12 -07:00
Vishal Nayak
b0043737af
lease handling fix
2015-06-30 20:21:41 -04:00
Vishal Nayak
8627f3c360
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-30 18:33:37 -04:00
Vishal Nayak
5e5e6788be
Input validations, help strings, default_user support
2015-06-30 18:33:17 -04:00
Armon Dadgar
8bc99f8c23
helper/uuid: single generateUUID definition
2015-06-30 12:38:32 -07:00
Armon Dadgar
3c58773598
Merge pull request #380 from kgutwin/cert-cli
Enable TLS client cert authentication via the CLI
2015-06-30 11:44:28 -07:00
Armon Dadgar
b1f7e2f0ea
ldap: fixing merge conflict
2015-06-30 09:40:43 -07:00
Jeff Mitchell
762108d9eb
Put timestamp back into the username. Since Cassandra doesn't support expiration, this can be used by scripts to manually clean up old users if revocation fails for some reason.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 11:15:46 -04:00
Jeff Mitchell
42b90fa9b9
Address some issues from code review.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:27:23 -04:00
Jeff Mitchell
fccbc587c6
A Cassandra secrets backend.
Supports creation and deletion of users in Cassandra using flexible CQL queries.
TLS, including client authentication, is supported.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:04:01 -04:00
Karl Gutwin
0062d923cc
Better error messages.
2015-06-30 08:59:38 -04:00
Karl Gutwin
a54ba31635
Merge remote-tracking branch 'upstream/master' into cert-cli
2015-06-30 08:31:00 -04:00
Karl Gutwin
dafcc5b2ce
enable CLI cert login
2015-06-29 23:29:41 -04:00
Vishal Nayak
f7a0c17100
merge changes from master
2015-06-29 22:01:43 -04:00
Vishal Nayak
91ed2dcdc2
Refactoring changes
2015-06-29 22:00:08 -04:00
esell
c0e1843263
change skipsslverify to insecure_tls
2015-06-29 19:23:31 -06:00
Armon Dadgar
12d3aee58e
audit: fixing panic caused by tls connection state. Fixes #322
2015-06-29 17:16:17 -07:00
Armon Dadgar
add8e1a3fd
Fixing merge conflict
2015-06-29 15:19:04 -07:00
Armon Dadgar
337997ab04
Fixing merge conflict
2015-06-29 14:50:55 -07:00
Vishal Nayak
0f2c1f867e
SCP in pure GO and CIDR parsing fix
2015-06-29 11:49:34 -04:00
Vishal Nayak
29696d4b6b
Creating SSH keys and removal of files in pure 'go'
2015-06-26 15:43:27 -04:00
Vishal Nayak
8c15e2313b
ssh/lookup implementation and refactoring
2015-06-25 21:47:32 -04:00
Vishal Nayak
f39df58eef
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-24 18:13:26 -04:00
Vishal Nayak
b237a3bcc2
POC: Rework. Doing away with policy file.
2015-06-24 18:13:12 -04:00
esell
e81f966842
Set SkipSSLVerify default to false, add warning in help message
2015-06-24 13:38:14 -06:00
esell
d3225dae07
cleanup the code a bit
2015-06-24 10:09:29 -06:00
esell
84371ea734
allow skipping SSL verification on ldap auth
2015-06-24 10:05:45 -06:00
Jeff Mitchell
e086879fa3
Merge remote-tracking branch 'upstream/master' into f-pki
2015-06-19 13:01:26 -04:00
Vishal Nayak
f8d164f477
SSHs to multiple users by registering the respective host keys
2015-06-19 12:59:36 -04:00
Jeff Mitchell
a6fc48b854
A few things:
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
Nate Brown
4ec685dc1a
Logging authentication errors and bad token usage
2015-06-18 18:30:18 -07:00
Vishal Nayak
90605c6079
merging with master
2015-06-18 20:51:11 -04:00
Vishal Nayak
8d98968a54
Roles, key renewal handled. End-to-end basic flow working.
2015-06-18 20:48:41 -04:00
Jeff Mitchell
34f495a354
Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
Vishal Nayak
2aed5f8798
Implementation for storing and deleting the host information in Vault
2015-06-17 22:10:47 -04:00
Armon Dadgar
d34861b811
secret/transit: allow policies to be upserted
2015-06-17 18:51:05 -07:00
Armon Dadgar
f53d31a580
secret/transit: Use special endpoint to get underlying keys. Fixes #219
2015-06-17 18:42:23 -07:00
Vishal Nayak
cfef144dc2
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-17 20:34:56 -04:00
Vishal Nayak
303a7cef9a
Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH.
2015-06-17 20:33:03 -04:00
Armon Dadgar
45d3c512fb
builtin: fixing API change in logical framework
2015-06-17 14:34:11 -07:00
Armon Dadgar
30de4ea80d
secret/postgres: Ensure sane username length. Fixes #326
2015-06-17 13:31:56 -07:00
Jeff Mitchell
29e7ec3e21
A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.
More refactoring could be done within the PKI backend itself, but that can wait.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
Vishal Nayak
3ed73d98c2
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect
2015-06-17 12:39:49 -04:00
Vishal Nayak
08c921c75e
Vault SSH: POC Stage 1. Skeleton implementation.
2015-06-16 16:58:54 -04:00
Jeff Mitchell
49f1fdbdcc
Merge branch 'master' into f-pki
2015-06-16 13:43:25 -04:00
Jeff Mitchell
03b0675350
A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions
useful for other parts of Vault (including the API) to take advantage of.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-16 13:43:12 -04:00
Mitchell Hashimoto
4bf84392ec
credential/github: get rid of stray tab
2015-06-16 10:05:51 -07:00
Mitchell Hashimoto
0ecf05c043
command/auth, github: improve cli docs
/cc @sethvargo
2015-06-16 10:05:11 -07:00
Christian Svensson
e3d3012795
Record the common name in TLS metadata
It is useful to be able to save the client cert's Common Name for auditing purposes when using a central CA.
This adds a "common_name" value to the Metadata structure passed from login.
2015-06-14 23:18:21 +01:00
Jeff Mitchell
ae1cbc1a7a
Erp, forgot this feedback...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 23:16:13 -04:00
Jeff Mitchell
7cf1f186ed
Add locking for revocation/CRL generation. I originally was going to use an RWMutex but punted, because it's not worth trying to save some milliseconds with the possibility of getting something wrong. So the entire operations are now wrapped, which is minimally slower but very safe.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 22:28:13 -04:00
Jeff Mitchell
018c0ec7f5
Address most of Armon's initial feedback.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 21:57:05 -04:00
Jeff Mitchell
1513e2baa4
Add acceptance tests
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling
Also, fix a bug when trying to get code signing certificates.
Not tested:
* Revocation (I believe this is impossible with the current testing framework)
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jeff Mitchell
0d832de65d
Initial PKI backend implementation.
Complete:
* Up-to-date API documents
* Backend configuration (root certificate and private key)
* Highly granular role configuration
* Certificate generation
* CN checking against role
* IP and DNS subject alternative names
* Server, client, and code signing usage types
* Later certificate (but not private key) retrieval
* CRL creation and update
* CRL/CA bare endpoints (for cert extensions)
* Revocation (both Vault-native and by serial number)
* CRL force-rotation endpoint
Missing:
* OCSP support (can't implement without changes in Vault)
* Unit tests
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jonathan Sokolowski
348924eaab
logical/consul: Combine policy and lease into single storage struct
2015-05-28 09:36:23 +10:00
Jonathan Sokolowski
6b0820d709
logical/consul: custom lease time for roles
2015-05-27 09:53:46 +10:00
Ian Unruh
2e1bce27a9
Allow dot in LDAP login username
2015-05-20 11:54:15 -07:00
Armon Dadgar
cc966d6b52
auth/cert: Guard against empty certs. Fixes #214
2015-05-18 16:11:09 -07:00
Armon Dadgar
56659a2db2
cred/app-id: ensure consistent error message
2015-05-15 11:45:57 -07:00
Armon Dadgar
8cff23f29b
cred/app-id: stricter validation and error messaging
2015-05-15 11:40:45 -07:00
Jonathan Sokolowski
6746a24c78
credential/app-id: Test DeleteOperation
2015-05-14 22:30:02 +10:00
Etourneau Gwenn
a3fe4b889f
Fix Error message
2015-05-12 14:32:09 +09:00
Mitchell Hashimoto
1ca0b2340c
credential/app-id: add hash of user/app ID to metadata for logs
2015-05-11 10:46:11 -07:00
Mitchell Hashimoto
5406d3189e
Merge pull request #184 from hashicorp/b-github-casing
credential/github: case insensitive mappings
2015-05-11 10:27:45 -07:00
Mitchell Hashimoto
5c63b70eea
logical/framework: PathMap is case insensitive by default
2015-05-11 10:27:04 -07:00
Mitchell Hashimoto
4e861f29bc
credential/github: case insensitive mappings
2015-05-11 10:24:39 -07:00
Giovanni Bajo
8156b88353
auth/ldap: move password into InternalData
2015-05-09 22:06:34 +02:00
Giovanni Bajo
84388b2b20
auth/ldap: move username into the path (to allow per-user revocation on the path)
2015-05-09 22:06:28 +02:00
Giovanni Bajo
5e899e7de2
auth/ldap: fix pasto
2015-05-09 22:06:22 +02:00
Giovanni Bajo
1e1219dfcc
auth/ldap: implement login renew
2015-05-09 22:04:20 +02:00
Giovanni Bajo
a0f53f177c
auth/ldap: document LDAP server used in tests
2015-05-09 22:04:20 +02:00
Giovanni Bajo
b4093e2ddf
auth/ldap: add acceptance tests
2015-05-09 22:04:20 +02:00
Giovanni Bajo
02d3b1c74c
auth/ldap: add support for groups with unique members
2015-05-09 22:04:20 +02:00
Giovanni Bajo
c313ff2802
auth/ldap: implement authorization via LDAP groups
2015-05-09 22:04:20 +02:00
Giovanni Bajo
dc6b4ab9db
auth/ldap: add configuration path for groups
2015-05-09 22:04:20 +02:00
Giovanni Bajo
7e39da2e67
Attempt connection to LDAP server at login time.
Also switch to a LDAP library fork which fixes a panic when
shutting down a connection immediately.
2015-05-09 22:04:19 +02:00
Giovanni Bajo
7492c5712a
Initial implementation of the LDAP credential backend
2015-05-09 22:04:19 +02:00
Seth Vargo
f3c3f4717a
Remove references to -var
2015-05-08 11:45:29 -04:00
Armon Dadgar
a6a4bee2ee
cred/app-id: Add help synopsis to login path
2015-05-07 15:45:43 -07:00
Seth Vargo
04015fdf55
Fix output from GitHub help
2015-05-07 14:13:12 -04:00
Armon Dadgar
b07d0bc56f
audit/file: Create file if it does not exist. Fixes #148
2015-05-06 11:33:06 -07:00
Mitchell Hashimoto
deab183cbd
token/disk: write token with 0600
2015-05-02 13:34:01 -07:00
Trevor Pounds
582677b134
Fix documentation typo.
2015-04-28 22:15:56 -07:00
Armon Dadgar
848433a355
audit/file: add log_raw parameter and default to hashing
2015-04-27 15:56:41 -07:00
Armon Dadgar
f01e14351a
audit/syslog: switch defaults
2015-04-27 15:56:41 -07:00
Armon Dadgar
de7a81a8fb
audit/syslog: Copy structure before hashing to avoid breaking result
2015-04-27 15:56:40 -07:00
Armon Dadgar
1b659d41ff
audit/syslog: Hash everything by default, optionally disable
2015-04-27 15:56:40 -07:00
Armon Dadgar
bb1dd509d7
audit/syslog: first pass
2015-04-27 15:56:40 -07:00
Armon Dadgar
434305a6c2
secret/aws: Using roles instead of policy
2015-04-27 14:20:28 -07:00
Armon Dadgar
5edf8cf3a8
Do not root protect role configurations
2015-04-27 14:07:20 -07:00
Armon Dadgar
12e8c0f8cf
secret/postgres: secret/mysql: roles endpoints root protected
2015-04-27 14:04:10 -07:00
Armon Dadgar
816d981d1a
secret/consul: replace policy with roles, and prefix the token path
2015-04-27 13:59:56 -07:00
Armon Dadgar
6a38090822
secret/transit: rename policy to keys
2015-04-27 13:52:47 -07:00
Armon Dadgar
793e6efef4
secret/transit: Adding more help. Fixes #41
2015-04-27 12:47:09 -07:00
Armon Dadgar
27c73da308
audit/file: Attempt to create directory path. Fixes #38
2015-04-27 12:40:32 -07:00
Armon Dadgar
a753fadcb4
secret/postgresql: testing support for multiple statements
2015-04-27 12:00:07 -07:00
Armon Dadgar
1c8288c3da
secret/postgresql: support multiple sql statements
2015-04-27 11:31:27 -07:00
Armon Dadgar
50879eb2e5
mysql: cleanup
2015-04-27 11:31:11 -07:00
Armon Dadgar
9cae5520a0
logical/consul: Added missing policy endpoints
2015-04-27 11:08:37 -07:00
Armon Dadgar
1d95694a7c
secret/mysql: improve the example statement
2015-04-25 12:58:50 -07:00
Armon Dadgar
503241eeee
secret/mysql: adding acceptance test
2015-04-25 12:56:23 -07:00
Armon Dadgar
e378f5c4a2
secret/mysql: fixing mysql oddities
2015-04-25 12:56:11 -07:00
Armon Dadgar
57e66f3b6c
secret/mysql: initial pass at mysql secret backend
2015-04-25 12:05:26 -07:00
Armon Dadgar
9087471bad
credential/cert: support leasing and renewal
2015-04-24 12:58:39 -07:00
Armon Dadgar
3a9e20748b
credential/cert: default display name
2015-04-24 10:52:17 -07:00
Armon Dadgar
7b4ceeb7e6
credential/cert: more validation on cert setup
2015-04-24 10:39:44 -07:00
Armon Dadgar
d57c8ea0f0
credential/cert: return logical error if invalid
2015-04-24 10:36:25 -07:00
Armon Dadgar
ae272b83ce
credential/cert: major refactor
2015-04-24 10:31:57 -07:00
Armon Dadgar
28b18422b7
credential/cert: First pass at public key credential backend
2015-04-23 21:46:21 -07:00
Mitchell Hashimoto
ee2b113831
audit/file: append
2015-04-19 22:43:39 -07:00
Mitchell Hashimoto
0b7e7190b5
credentials/userpass: integrate into auth cli
2015-04-19 15:17:24 -07:00
Mitchell Hashimoto
c5cadc026d
credential/userpass: renewal
2015-04-19 15:12:50 -07:00
Mitchell Hashimoto
0ae9eadfd3
credential/userpass: help
2015-04-19 15:07:11 -07:00
Mitchell Hashimoto
0aec679bb4
credential/userpass: login
2015-04-19 15:06:29 -07:00
Mitchell Hashimoto
fedda20c41
credential/userpass: configuring users
2015-04-19 14:59:30 -07:00
Mitchell Hashimoto
17676af663
logical/postgresql: when renewing, alter the valid until
2015-04-18 22:55:33 -07:00
Mitchell Hashimoto
4e21f702a8
logical/consul: leasing
2015-04-18 22:29:46 -07:00
Mitchell Hashimoto
517236ea50
logical/consul: config/access is the new path for config
2015-04-18 22:28:53 -07:00
Mitchell Hashimoto
23a156b414
logical/aws: leasing/renewal support
2015-04-18 22:25:37 -07:00
Mitchell Hashimoto
2a8dfd85f4
logical/aws: fix build
2015-04-18 22:22:35 -07:00
Mitchell Hashimoto
208dd1e8be
logical/aws: move root creds config to config/root
2015-04-18 22:21:31 -07:00
Mitchell Hashimoto
f61626f7a6
logical/aws: support read/delete policies
2015-04-18 22:13:12 -07:00
Mitchell Hashimoto
79ccb2f412
logical/postgresql: support deleting roles and reading them
2015-04-18 21:59:59 -07:00
Mitchell Hashimoto
84bca3ef28
logical/postgresql: renew for secret
2015-04-18 21:47:19 -07:00
Mitchell Hashimoto
e1e5c47362
logical/postgresql: leasing
2015-04-18 21:45:05 -07:00
Mitchell Hashimoto
8edc4d1241
logical/postgres: no session limit
2015-04-18 18:42:57 -07:00
Mitchell Hashimoto
39b8ae1b31
logical/postgres: update docs properly
2015-04-18 18:42:26 -07:00
Mitchell Hashimoto
6e10c415ef
logical/postgresql: leases
2015-04-18 18:40:03 -07:00
Mitchell Hashimoto
2120235a2e
logical/postgresql: create DB credentials
2015-04-18 18:37:27 -07:00
Mitchell Hashimoto
d0eb1b9a74
logical/postgresql: creating roles
2015-04-18 18:09:33 -07:00
Mitchell Hashimoto
d96b64286a
logical/postgresql: connection
2015-04-18 17:34:36 -07:00
Mitchell Hashimoto
20324a0c9c
website: more auth
2015-04-18 13:45:50 -07:00
Mitchell Hashimoto
f7a1b2ced9
credential/app-id: allow restriction by CIDR block [GH-10]
2015-04-17 10:14:39 -07:00
Mitchell Hashimoto
e643b48235
credential/app-id: support associating a name with app ID [GH-9]
2015-04-17 10:01:03 -07:00
Mitchell Hashimoto
37af1683c6
credential/*: adhere to new API
2015-04-17 09:40:28 -07:00
Armon Dadgar
07bffafbbd
Adding transit logical backend
2015-04-15 17:08:12 -07:00
Armon Dadgar
381aa0f7af
logical/aws: Use display name for IAM username
2015-04-15 15:05:00 -07:00
Armon Dadgar
489e79ffd3
logical/consul: Use the DisplayName for the ACL token name
2015-04-15 15:03:05 -07:00
Armon Dadgar
cf2faa06ae
credential/github: Set the github username as the display name
2015-04-15 14:30:46 -07:00
Mitchell Hashimoto
ef95d9a10e
audit/file: use JSON formatter to write output
2015-04-13 14:12:14 -07:00
Mitchell Hashimoto
48205d166b
rename vault id to lease id all over
2015-04-10 20:35:14 -07:00
Mitchell Hashimoto
62f4d1dd0e
credential/github: CLI handler
2015-04-06 09:53:43 -07:00
Mitchell Hashimoto
569991fcc5
credential/app-id
2015-04-04 18:41:49 -07:00
Mitchell Hashimoto
8bfa12297d
builtin/audit: add file audit
2015-04-04 18:10:25 -07:00
Mitchell Hashimoto
606b3dbff9
credential/github: improve help
2015-04-04 12:18:33 -07:00
Mitchell Hashimoto
8dc9e0e0d5
logical/framework: better string values for types
2015-04-03 21:15:59 -07:00
Mitchell Hashimoto
ec9df0439b
logical/aws: help
2015-04-03 21:10:54 -07:00
Mitchell Hashimoto
0bbad03c70
logical/framework: support root help
2015-04-03 20:36:47 -07:00
Mitchell Hashimoto
12a75dd304
credential/github: auth with github
2015-04-01 15:46:37 -07:00
Mitchell Hashimoto
486c3d7f30
logical/aws: policy doesn't need to be base64
2015-03-31 17:26:41 -07:00
Mitchell Hashimoto
712d144ec7
token/disk: fix args parsing
2015-03-30 23:21:17 -07:00
Mitchell Hashimoto
b12feccf38
logical/*: fix compilation errors
2015-03-30 20:30:07 -07:00
Mitchell Hashimoto
e40d0874e1
command/auth: tests work without vault installed
2015-03-30 11:07:31 -07:00
Mitchell Hashimoto
27bc188758
token/disk: implement unencrypted disk store
2015-03-30 09:21:59 -07:00
Mitchell Hashimoto
db65fd7b95
command: unit tests pass
2015-03-29 16:20:34 -07:00
Mitchell Hashimoto
3270349456
logical/consul: actual test that the token works
2015-03-21 17:23:44 +01:00
Mitchell Hashimoto
55a3423c60
logical/consul
2015-03-21 17:19:37 +01:00
Mitchell Hashimoto
05246433bb
logical/aws: refactor access key create to the secret file
2015-03-21 11:49:56 +01:00
Mitchell Hashimoto
665cbaa3e4
logical/aws: remove debug I was using to test rollback :)
2015-03-21 11:20:22 +01:00
Mitchell Hashimoto
9e4b9d593b
logical/aws: WAL entry for users, rollback
2015-03-21 11:18:46 +01:00
Mitchell Hashimoto
86a6062ba2
main: enable AWS backend
2015-03-20 19:32:18 +01:00
Mitchell Hashimoto
62d9bec8be
logical/aws
2015-03-20 19:03:20 +01:00