Commit graph

7588 commits

Author SHA1 Message Date
Chris Hoffman e4832fdbcf
Database Root Credential Rotation (#3976)
* redoing connection handling

* a little more cleanup

* empty implementation of rotation

* updating rotate signature

* signature update

* updating interfaces again :(

* changing back to interface

* adding templated url support and rotation for postgres

* adding correct username

* return updates

* updating statements to be a list

* adding error sanitizing middleware

* fixing log sanitizier

* adding postgres rotate test

* removing conf from rotate

* adding rotate command

* adding mysql rotate

* finishing up the endpoint in the db backend for rotate

* no more structs, just store raw config

* fixing tests

* adding db instance lock

* adding support for statement list in cassandra

* wip redoing interface to support BC

* adding falllback for Initialize implementation

* adding backwards compat for statements

* fix tests

* fix more tests

* fixing up tests, switching to new fields in statements

* fixing more tests

* adding mssql and mysql

* wrapping all the things in middleware, implementing templating for mongodb

* wrapping all db servers with error santizer

* fixing test

* store the name with the db instance

* adding rotate to cassandra

* adding compatibility translation to both server and plugin

* reordering a few things

* store the name with the db instance

* reordering

* adding a few more tests

* switch secret values from slice to map

* addressing some feedback

* reinstate execute plugin after resetting connection

* set database connection to closed

* switching secret values func to map[string]interface for potential future uses

* addressing feedback
2018-03-21 15:05:56 -04:00
Brian Kassouf cc625e19ee
Add options to mount tune and mount endpoints in preparation for versioning (#4155)
* Add some requirements for versioned k/v

* Add a warning message when an upgrade is triggered

* Add path help values

* Make the kv header a const

* Add the uid to mount entry instead of options map

* Pass the backend aware uuid to the mounts and plugins

* Fix comment

* Add options to secret/auth enable and tune CLI commands (#4170)

* Switch mount/tune options to use TypeKVPairs (#4171)

* switching options to TypeKVPairs, adding bool parse for versioned flag

* flipping bool check

* Fix leases coming back from non-leased pluin kv store

* add a test for updating mount options

* Fix tests
2018-03-21 12:04:27 -07:00
emily f9b6f4b1c5 Docs for Vault GCP secrets plugin (#4159) 2018-03-21 15:02:38 -04:00
Brian Shumate 1fcf0c6a38 Docs: update formatting / heading (#4175)
- Correct Generate Disaster Recovery Operation Token heading level
- Tighten up formatting/trailing spaces
2018-03-21 10:14:52 -04:00
Jeff Mitchell c25c60117a Fix file location for 0.9.6 upgrade guide 2018-03-20 22:34:41 -04:00
Jeff Mitchell f1aff69d92 Add 0.9.6 upgrade guide 2018-03-20 22:27:01 -04:00
Jeff Mitchell 3cf2478ef8
Cut version 0.9.6 2018-03-20 16:36:58 -04:00
Jeff Mitchell 4b491229ba Update hcl 2018-03-20 16:36:37 -04:00
Jeff Mitchell 1d23455829 changelog++ 2018-03-20 16:07:15 -04:00
Jeff Mitchell 487cb7a41a
We don't need to limit the size of ldap queries, so set a high limit (#4169)
Fixes #4162
2018-03-20 16:06:39 -04:00
Jeff Mitchell 8cb1bc3cd0 Fmt 2018-03-20 14:58:22 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Jeff Mitchell 396ccd8699 Push up changes to prep for release 2018-03-20 14:10:53 -04:00
Jeff Mitchell 4d48fd4add changelog++ 2018-03-20 11:47:41 -04:00
Jeff Mitchell e49c230f7b
Log revocations in revokeCommon rather than expireID (#4164)
Revocations that happen not as a result of direct expirations will
therefore be logged

Fixes #4156
2018-03-20 11:46:27 -04:00
Jason Martin b3e5ec865d README Spelling error (#4165) 2018-03-20 11:45:56 -04:00
Jeff Mitchell 933f1e4b87 Sync 2018-03-20 10:42:57 -04:00
Jeff Mitchell c9e79964c9 changelog++ 2018-03-20 10:10:48 -04:00
Jeff Mitchell 48a6ce618a
Add ability to set CA:true when generating intermediate CSR. (#4163)
Fixes #3883
2018-03-20 10:09:59 -04:00
Calvin Leung Huang f86881c295
Unauthenticated endpoint to list secret and auth mounts (#4134)
* Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs

* docs: Add ttl params to auth enable endpoint

* Rewording of go string to simply string

* Add audit hmac keys as CLI flags on auth/secrets enable

* Fix copypasta mistake

* WIP on auth-list endpoint

* Rename variable to be singular, add CLI flag, show value in auth and secrets list

* Add audit hmac keys to auth and secrets list

* Only set config values if they exist

* Fix http sys/auth tests

* More auth plugin_name test fixes

* Rename tag internal_ui_show_mount to _ui_show_mount

* Add tests

* Make endpoint unauthed

* Rename field to listing_visibility

* Add listing-visibility to cli tune commands

* Use ListingVisiblityType

* Fix type conversion

* Do not actually change token's value on testHttpGet

* Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-19 23:16:33 -04:00
Jeff Mitchell 414097018a Add a check on incoming policy identifiers
cc #4125
2018-03-19 22:10:18 -04:00
Jeff Mitchell 91e36e5a00 changelog++ 2018-03-19 22:05:55 -04:00
Rémi Pauchet 40e226184b Support certificate policies in the pki backend (#4125) 2018-03-19 22:05:21 -04:00
Jeff Mitchell 8697d80d2e
More cleanup of TTL handling in PKI (#4158)
* Max role's max_ttl parameter a TypeDurationString like ttl
* Don't clamp values at write time in favor of evaluating at issue time,
as is the current best practice
* Lots of general cleanup of logic to fix missing cases
2018-03-19 21:01:41 -04:00
Jeff Mitchell 9e46f0f84a Explicitly call out that we use aes-256 gcm-96 for the barrier.
Fixes #2913
2018-03-19 19:53:12 -04:00
Jeff Mitchell 9d030aaf37 Note that you can set a CA chain when using set-signed.
Fixes #2246
2018-03-19 19:44:07 -04:00
Jeff Mitchell 735efccd6e Make the error message that comes from parsing the config file more
useful.

Fixes #2080
2018-03-19 19:40:51 -04:00
Jeff Mitchell c3569011b7 changelog++ 2018-03-19 18:36:13 -04:00
Yoko 4a25c18134
Transit rewrap (#4091)
* Adding new guides

* Replaced backend with engine

* Grammar for the encryption guide

* Grammar and Markdown style for the Transite Rewrap guide

See
https://github.com/hashicorp/engineering-docs/blob/master/writing/markdown.md
for notes on numbered Markdown lists.

* grammar and wording updates for ref arch guide

* Updating replication diagram

* Removing multi-tenant pattern guide

* Added a note 'Enterprise Only'

* Removing multi-tenant pattern guide

* Modified the topic order

* Grammar and Markdown formatting

* Grammar, Markdown syntax, and phrasing

* Grammar and Markdown syntax

* Replaced 'backend' with appropriate terms

* Added a note clarifying that replication is an enterprise-only feature

* Updated the diagram & added additional resource links

* update some grammar and ordering

* Removed the inaccurate text in index for EaaS
2018-03-19 14:56:45 -07:00
Jeff Mitchell cc48513cbb changelog++ 2018-03-19 15:53:58 -04:00
Nicholas Watkins 475d5910e8 Allow configuration of dynamodb storage to specify the max retries of aws sdk (#4115) 2018-03-19 15:53:23 -04:00
Jeff Mitchell 0b62264b68 changelog++ 2018-03-19 15:49:13 -04:00
Jeff Mitchell 90248c79b2
Update lease renewer logic (#4090)
* Add grace period calculation logic to renewer

* Update lease renewer logic.

It is believed by myself and members of the Nomad team that this logic
should be much more robust in terms of causing large numbers of new
secret acquisitions caused by a static grace period. See comments in the
code for details.

Fixes #3414

* Fix some commenting and fix tests

* Add more time to test so that integ tests don't time out

* Fix some review feedback
2018-03-19 15:48:24 -04:00
Jacob Crowther 35ccbe504c Add Cryptr to related tools (#4126) 2018-03-19 14:46:54 -04:00
Jeff Mitchell 3a5e1792c0 Update path-help to make clear you shouldn't put things in the URL.
Remove from website docs as those have been long deprecated.
2018-03-19 11:50:16 -04:00
Calvin Leung Huang edfe77ff85
Add non-hmac flags for cli secrets/auth tune commands (#4151)
* Add non-hmac params for cli secrets/auth tune

* Fix value assignment mismatch
2018-03-19 09:56:57 -04:00
vishalnayak 050a848cfb changelog++ 2018-03-18 18:32:47 -04:00
Vishal Nayak a420d19bff
Remove limit on the couchdb listing (#4149) 2018-03-18 18:31:15 -04:00
Jeff Mitchell 2e50667b12
Codify using strings.Join and strings.TrimSpace around PEM handling to ensure newline sanity (#4148)
Fixes #4136
2018-03-18 16:00:51 -04:00
Brian Kassouf 5e0da6d871
helper/keysutil: Add a Wrapper object to wrap storage objects (#4147) 2018-03-18 12:59:07 -07:00
vishalnayak fe0a077e17 s/Methods/Method 2018-03-18 15:46:57 -04:00
Jeff Mitchell 60adb4297f Update SealWrapStorage in passthrough to use newer style glob for matching all 2018-03-18 14:25:15 -04:00
Jeff Mitchell a6063977b9 changelog++ 2018-03-17 21:29:56 -04:00
Jeff Mitchell 6e93a6c4fb
Properly forward (or specifically don't) sys calls that result in read only errors (#4129)
Prior to this policy writes against a performance secondary would not
succeed because the read-only error was swallowed by handleError. In
addition to fixing this, it adds a similar function that explicitly
doesn't trigger forwarding. This is useful for things that are local to
the secondary such as raw operations and lease management.
2018-03-17 21:29:17 -04:00
Jeff Mitchell 058b1210ce changelog++ 2018-03-17 21:27:18 -04:00
Joel Thompson 3e2006eb13 Allow non-prefix-matched IAM role and instance profile ARNs in AWS auth backend (#4071)
* Update aws auth docs with new semantics

Moving away from implicitly globbed bound_iam_role_arn and
bound_iam_instance_profile_arn variables to make them explicit

* Refactor tests to reduce duplication

auth/aws EC2 login tests had the same flow duplicated a few times, so
refactoring to reduce duplication

* Add tests for aws auth explicit wildcard constraints

* Remove implicit prefix matching from AWS auth backend

In the aws auth backend, bound_iam_role_arn and
bound_iam_instance_profile_arn were ALWAYS prefix matched, and there was
no way to opt out of this implicit prefix matching. This now makes the
implicit prefix matching an explicit opt-in feature by requiring users
to specify a * at the end of an ARN if they want the prefix matching.
2018-03-17 21:24:49 -04:00
Roger Berlind 753f8a8545 Fixed broken k8s TokenReview API link (#4144) 2018-03-17 21:23:41 -04:00
Jeff Mitchell 3d44060b5f Update interactive tutorial commands 2018-03-16 15:03:51 -04:00
Jeff Mitchell 61c26fdf57 Fix compile 2018-03-16 13:55:56 -04:00
Jeff Mitchell 1cef14036f Have deprecated commands pass on address and token helper too 2018-03-16 13:52:08 -04:00