Commit graph

558 commits

Author SHA1 Message Date
Vishal Nayak 45bb1f0adc
Verify DNS SANs if PermittedDNSDomains is set (#3982)
* Verify DNS SANs if PermittedDNSDomains is set

* Use DNSNames check and not PermittedDNSDomains on leaf certificate

* Document the check

* Add RFC link

* Test for success case

* fix the parameter name

* rename the test

* remove unneeded commented code
2018-02-16 17:42:29 -05:00
Mohsen 41b07a0987 Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 11:11:17 -05:00
Brian Nuszkowski 51fe1aa7ba Add Okta specific MFA workflow to Okta auth method (#3980)
* Add Okta specific MFA workflow to Okta auth method. Note this only
supports Okta Push.
2018-02-14 20:28:19 -05:00
Brian Nuszkowski 7ba8bb9516 Disable redirects on the http client that calls AWS STS api, which (#3983)
is used in the AWS IAM auth method.

Co-authored-by: Max Justicz <max@justi.cz>
2018-02-14 20:27:13 -05:00
Nicolas Troncoso 2a8159c2ae Turns the okta groups array into a coma separated string (#3956) 2018-02-13 08:18:43 -05:00
Jeff Mitchell 6f025fe2ab
Adds the ability to bypass Okta MFA checks. (#3944)
* Adds the ability to bypass Okta MFA checks.

Unlike before, the administrator opts-in to this behavior, and is
suitably warned.

Fixes #3872
2018-02-09 17:03:49 -05:00
Vishal Nayak 9d163f5aa4
avoid masking of role tag response (#3941) 2018-02-07 20:43:05 -05:00
Vishal Nayak 41ac1e4b53
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924)
* Cleanup accessor indexes and dangling accessor indexes

* Add a test that exercises the accessor cleanup
2018-02-06 15:44:48 -05:00
John Eismeier d2534c4bde Fix some typos (#3923) 2018-02-06 13:35:01 -05:00
Jeff Mitchell 642b88c76a go vet fixes 2018-02-05 14:26:31 -05:00
Joel Thompson 4f49318b33 auth/aws: Switch role tag processing from strings.Contains to strings.HasPrefix (#3906)
strings.HasPrefix is more correct; if a tag part value ended up
containing the expected prefix of another part, it could cause incorrect
parsing. I don't think that these values would be semantically legal
today, but it's probably better to be defensive.
2018-02-04 19:37:03 -05:00
Jeff Mitchell b6614b651f
Differentiate between user/internal error in AppRole login. (#3902)
* Differentiate between user/internal error in AppRole login.

This allows us to properly pass through internal errors back up into
core.

* Separate out error cases
2018-02-02 20:34:32 -05:00
Jeff Mitchell fc6564e4ee
Don't run rollback and upgrade functionality if we are a replication secondary (#3900)
* Don't run rollback and upgrade functionality if we are a replication
secondary, but do if the mount is local.
2018-02-02 20:28:25 -05:00
Vishal Nayak effdc09a71 Add the actual error object to the message (#3901) 2018-02-02 19:06:08 -05:00
John Eismeier 6d18e0da3d Propose small spelling change (#3890) 2018-02-01 12:51:38 -05:00
Josh Giles 94fe8600b6 Return Okta config TTLs in seconds, not nanos. (#3871) 2018-02-01 12:44:57 -05:00
Jeff Mitchell f3d1e8170b Prep for 0.9.2 2018-01-26 13:59:01 -05:00
Joel Thompson 2cd8051607 auth/aws: Fix error with empty bound_iam_principal_arn (#3843)
* auth/aws: Fix error with empty bound_iam_principal_arn

In cases where there doesn't need to be a bound_iam_principal_arn, i.e.,
either auth_type is ec2 or there are other bindings with the iam
auth_type, but it is specified explicitly anyway, Vault tried to parse
it to resolve to internal unique IDs. This now checks to ensure that
bound_iam_principal_arn is non-empty before attempting to resolve it.

Fixes #3837

* Fix extraneous newline
2018-01-24 23:08:05 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Calvin Leung Huang f59069c22f
Don't call LeaseExtend on login renewal paths when period is provided (#3803)
* Don't call LeaseExtend on login renewal paths when period is provided

* WIP tests

* NoopBackend accept backend ttl values

* Test period value on credentials backend

* Use t.Fatalf instead

* Remove mockCoreExpiration

* Add login renewal test for approle backend

* Add resp.Auth.Period check on aws and cert backend tests

* Pass in approle's period via role's period

* Correctly set period in valid-role's role

* Add period renewal test using TestCluster and approle backend

* Check for ttl values after renewals on test
2018-01-18 12:19:18 -05:00
samiam c59b5a1a88 Write password prompts to stderr to avoid co-mingling stdout (#3781) (#3782) 2018-01-18 12:14:19 -05:00
Jeff Mitchell b281e76089 Move around some logic to be neater 2018-01-18 11:47:24 -05:00
Vishal Nayak b826c56686
SHA2-256 salting for AppID (#3806)
* Use SHA2-256 hash with prefix to upgrade the paths

* test the SHA1 upgrade to SHA256

* Remove hash identifier and the delimiter; use 's' instead

* Added API test to verify the correctness of the fix

* Fix broken test

* remove unneeded test
2018-01-17 19:48:32 -05:00
Josh Giles 9c46431b80 Support JSON lists for Okta user groups+policies. (#3801)
* Support JSON lists for Okta user groups+policies.

Migrate the manually-parsed comma-separated string field types for user
groups and user policies to TypeCommaStringSlice. This means user
endpoints now accept proper lists as input for these fields in addition
to comma-separated string values. The value for reads remains a list.

Update the Okta API documentation for users and groups to reflect that
both user group and user/group policy fields are list-valued.

Update the Okta acceptance tests to cover passing a list value for the
user policy field, and require the OKTA_API_TOKEN env var to be set
(required for the "everyone" policy tests to pass).

* Fix typo, add comma-separated docs.
2018-01-16 18:20:19 -05:00
Dominik Müller e18e4036c7 add allowed_names to cert-response (#3779) 2018-01-16 13:41:58 -05:00
Paweł Słomka b994e83c65 Cleanup of deprecated commands in tests, docs (#3788) 2018-01-15 15:19:28 -05:00
Jeff Mitchell d8009bced1 Merge branch 'master-oss' into sethvargo/cli-magic 2018-01-10 11:15:49 -05:00
Jeff Mitchell 9c70985c3a
Add json.Number parsing for iam_request_header values (#3770)
Fixes #3763
2018-01-10 09:56:38 -06:00
Brian Kassouf 1c190d4bda
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Jeff Mitchell d1803098ae Merge branch 'master-oss' into sethvargo/cli-magic 2018-01-03 14:02:31 -05:00
Brian Shumate 2481803ac5 Update some approle related help output (#3747) 2018-01-03 13:56:14 -05:00
Brian Nuszkowski aa4d5a942e Add the ability to pass in mfa parameters when authenticating via the… (#3729) 2017-12-26 13:40:44 -05:00
Calvin Leung Huang c4e951efb8 Add period and max_ttl to cert role creation (#3642) 2017-12-18 15:29:45 -05:00
Chris Hoffman b1aee36251
short circuit cert extensions check (#3712) 2017-12-18 13:19:05 -05:00
Travis Cosgrave cf3e284396 Use Custom Cert Extensions as Cert Auth Constraint (#3634) 2017-12-18 12:53:44 -05:00
Jeff Mitchell 08f73e4a50
Merge pull request #3695 from hashicorp/creds-period-logic 2017-12-18 12:40:03 -05:00
immutability e7faad641c Add Duo MFA to the Github backend (#3696) 2017-12-18 09:59:17 -05:00
Calvin Leung Huang 997a1453e7 Use shortMaxTTL on Ec2 paths 2017-12-15 17:29:40 -05:00
Calvin Leung Huang fe7ce434e4 Update logic on renew paths 2017-12-15 16:26:42 -05:00
Calvin Leung Huang 643451d46a Update login logic for aws creds backend 2017-12-15 16:18:19 -05:00
Calvin Leung Huang ba19b99f55 Update login logic for aws creds backend 2017-12-15 16:01:40 -05:00
Calvin Leung Huang 79cb82e133
Add logic for using Auth.Period when handling auth login/renew requests (#3677)
* Add logic for using Auth.Period when handling auth login/renew requests

* Set auth.TTL if not set in handleLoginRequest

* Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken

* Get sysView from le.Path, revert tests

* Add back auth.Policies

* Fix TokenStore tests, add resp warning when capping values

* Use switch for ttl/period check on RenewToken

* Move comments around
2017-12-15 13:30:05 -05:00
Vishal Nayak 513d12ab7c Fix the casing problem in approle (#3665) 2017-12-11 16:41:17 -05:00
Brad Sickles 295e11d40d Adding mfa support to okta auth backend. (#3653) 2017-12-07 14:17:42 -05:00
Dominik Müller bc523fc294 add allowed_names to cert-response (#3654) 2017-12-06 16:50:02 -05:00
Jeff Mitchell bfc37f0847
Re-add some functionality lost during last dep update (#3636) 2017-12-01 10:18:26 -05:00
Joel Thompson 6f5aeeeae2 auth/aws: Check credential availability before auth (#3465)
Checks to ensure we can get a valid credential from the credential chain
when using the vault CLI to do AWS auth.

Fixes #3383
2017-11-13 15:43:24 -05:00
Vishal Nayak 8654c06b26
avoid empty group alias names (#3567) 2017-11-10 16:51:37 -05:00
Vishal Nayak 61d617df81
Avoid race conditions in AppRole (#3561)
* avoid race conditions in approle

* return a warning from role read if secondary index is missing

* Create a role ID index if a role is missing one

* Fix locking in approle read and add test

* address review feedback
2017-11-10 11:32:04 -05:00
Joel Thompson 2c8cd19e14 auth/aws: Make disallow_reauthentication and allow_instance_migration mutually exclusive (#3291) 2017-11-06 17:12:07 -05:00