Commit graph

27 commits

Author SHA1 Message Date
Jeff Mitchell 642b88c76a go vet fixes 2018-02-05 14:26:31 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Jeff Mitchell d8009bced1 Merge branch 'master-oss' into sethvargo/cli-magic 2018-01-10 11:15:49 -05:00
Brian Kassouf 1c190d4bda
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Seth Vargo c5665920f6
Standardize on "auth method"
This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method
2017-10-24 09:32:15 -04:00
Jeff Mitchell 9077adb377 Sanitize policy behavior across backends (#3324)
Fixes #3323
Fixes #3318

* Fix tests

* Fix tests
2017-09-13 11:36:52 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Jeff Mitchell f7df60b131 Allow accessing Warnings directly in Response. (#2806)
A change in copystructure has caused some panics due to the custom copy
function. I'm more nervous about production panics than I am about
keeping some bad code wiping out some existing warnings, so remove the
custom copy function and just allow direct setting of Warnings.
2017-06-05 10:52:43 -04:00
Jeff Mitchell 72db329d67 Add support for backup/multiple LDAP URLs. (#2350) 2017-02-08 14:59:24 -08:00
Vishal Nayak 5aba2d47b6 ldap: Minor enhancements, tests and doc update (#2272) 2017-01-23 10:56:43 -05:00
Brian Nuszkowski 3d66907966 Disallow passwords LDAP binds by default (#2103) 2016-12-01 10:11:40 -08:00
Jeff Mitchell f0203741ff Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Oren Shomron cd6d114e42 LDAP Auth Backend Overhaul
--------------------------

Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.

Simplified group membership lookup significantly to support multiple use-cases:
  * Enumerating groups via memberOf attribute on user object
  * Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
  * Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matchind rule

There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.

Additional changes:
  * Clarify documentation for LDAP auth backend.
  * Reworked how default values are set, added tests
  * Removed Dial from LDAP config read. Network should not affect configuration.
2016-07-22 21:20:05 -04:00
Oren Shomron b8840ab9eb Support listing ldap group to policy mappings (Fixes #1270) 2016-05-14 20:00:40 -04:00
vishalnayak 95abdebb06 Added AcceptanceTest boolean to logical.TestCase 2016-04-05 15:10:44 -04:00
Jeff Mitchell 40325b8042 If no group DN is configured, still look for policies on local users and
return a warning, rather than just trying to do an LDAP search on an
empty string.
2016-04-02 13:11:36 -04:00
Jeff Mitchell 4c4a65ebd0 Properly check for policy equivalency during renewal.
This introduces a function that compares two string policy sets while
ignoring the presence of "default" (since it's added by core, not the
backend), and ensuring that ordering and/or duplication are not failure
conditions.

Fixes #1256
2016-03-24 09:41:51 -04:00
Jeff Mitchell d3f3122307 Add tests to ldap using the discover capability 2016-02-19 11:46:59 -05:00
Jeff Mitchell 154c326060 Add ldap tests that use a bind dn and bind password 2016-02-19 11:38:27 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell 6f4e42efed Add StaticSystemView to LDAP acceptance tests 2015-10-06 15:48:10 -04:00
Bradley Girardeau e8d26d244b ldap: change setting user policies to setting user groups 2015-07-20 11:33:39 -07:00
Bradley Girardeau 301a22295d ldap: add ability to set policies based on username as well as groups 2015-07-14 15:46:15 -07:00
Armon Dadgar 337997ab04 Fixing merge conflict 2015-06-29 14:50:55 -07:00
Giovanni Bajo 84388b2b20 auth/ldap: move username into the path (to allow per-user revokation on the path) 2015-05-09 22:06:28 +02:00
Giovanni Bajo a0f53f177c auth/ldap: document LDAP server used in tests 2015-05-09 22:04:20 +02:00
Giovanni Bajo b4093e2ddf auth/ldap: add acceptance tests 2015-05-09 22:04:20 +02:00