Commit graph

341 commits

Author SHA1 Message Date
vishalnayak 330ef396ca Vault SSH: Default lease of 5 min for SSH secrets 2015-08-12 17:10:35 -07:00
vishalnayak 2d23ffe3d2 Vault SSH: Exposed verify request/response messges to agent 2015-08-12 13:22:48 -07:00
vishalnayak f84347c542 Vault SSH: Added SSHAgent API 2015-08-12 10:48:58 -07:00
vishalnayak 93dfa67039 Merging changes from master 2015-08-12 09:28:16 -07:00
vishalnayak 0abf07cb91 Vault SSH: Website doc v1. Removed path_echo 2015-08-12 09:25:28 -07:00
Armon Dadgar d1a09e295a Merge pull request #509 from ekristen/github-fix
Reimplements #459
2015-08-11 10:06:10 -07:00
Armon Dadgar 3b9a6d5e33 Fixing merge conflict 2015-08-11 10:04:47 -07:00
Erik Kristensen 611965844b reimplements #459 2015-08-09 11:25:45 -06:00
Michael S. Fischer 21ab4d526c Provide working example of TLS certificate authentication
Fixes #474
2015-08-07 15:15:53 -07:00
Erik Kristensen ae34ec2bff adding basic tests 2015-08-06 17:50:34 -06:00
Erik Kristensen 2233f993ae initial pass at JWT secret backend 2015-08-06 17:49:44 -06:00
vishalnayak e5080a7f32 Merging with master 2015-08-06 18:44:40 -04:00
vishalnayak 32502977f6 Vault SSH: Automate OTP typing if sshpass is installed 2015-08-06 17:00:50 -04:00
vishalnayak 0af97b8291 Vault SSH: uninstall dynamic keys using script 2015-08-06 15:50:12 -04:00
vishalnayak 3dd8fe750d Vault SSH: Script to install dynamic keys in target 2015-08-06 14:48:19 -04:00
Paul Hinze fc9de56736 Update vault code to match latest aws-sdk-go APIs 2015-08-06 11:37:08 -05:00
Seth Vargo bfd4b818b8 Update to latest aws and move off of hashicorp/aws-sdk-go 2015-08-06 12:26:41 -04:00
vishalnayak 9aa075f3c7 Vault SSH: Added 'echo' path to SSH 2015-08-04 15:30:24 -04:00
vishalnayak 476da10f1c Vault SSH: Testing OTP creation 2015-08-03 19:04:07 -04:00
Erik Kristensen 26387f6535 remove newline 2015-08-03 16:34:24 -06:00
Erik Kristensen f9c49f4a57 fix bug #488 2015-08-03 15:47:30 -06:00
vishalnayak 8409ba7210 Vault SSH: CRUD tests for named keys 2015-08-03 16:18:14 -04:00
Rusty Ross 719ac6e714 update doc for app-id
make clearer in doc that user-id can accept multiple app-id mappngs as comma-separated values
2015-08-03 09:44:26 -07:00
vishalnayak b7c7befe68 Vault SSH: CRUD test for lookup API 2015-08-03 11:22:00 -04:00
vishalnayak c4bd85c241 Vault SSH: CRUD test for dynamic role 2015-07-31 15:17:40 -04:00
vishalnayak b592dcc3af Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-31 13:24:28 -04:00
vishalnayak c7ef0b95c2 Vault SSH: CRUD test case for OTP Role 2015-07-31 13:24:23 -04:00
Armon Dadgar 03728af495 Merge pull request #464 from bgirardeau/master
Add Multi-factor authentication with Duo
2015-07-30 17:51:31 -07:00
Bradley Girardeau aa55d36f03 Clean up naming and add documentation 2015-07-30 17:36:40 -07:00
vishalnayak 61c9f884a4 Vault SSH: Review Rework 2015-07-29 14:21:36 -04:00
Bradley Girardeau d26b77b4f4 mfa: code cleanup 2015-07-28 11:55:46 -07:00
Bradley Girardeau 6697012dd3 mfa: improve edge cases and documentation 2015-07-27 21:14:00 -07:00
Bradley Girardeau 06863d08f0 mfa: add to userpass backend 2015-07-27 21:14:00 -07:00
Bradley Girardeau 4eb1beb31c ldap: add mfa support to CLI 2015-07-27 21:14:00 -07:00
Bradley Girardeau 8fa5a349a5 ldap: add mfa to LDAP login 2015-07-27 21:14:00 -07:00
Vishal Nayak 4b4df4271d Vault SSH: Refactoring 2015-07-27 16:42:03 -04:00
Vishal Nayak 2e7612a149 Vault SSH: admin_user/default_user fix 2015-07-27 15:03:10 -04:00
Vishal Nayak e9f507caf0 Vault SSH: Refactoring 2015-07-27 13:02:31 -04:00
Raymond Pete 1ca09a74b3 name slug check 2015-07-26 22:21:16 -04:00
Vishal Nayak b532ee0bf4 Vault SSH: Dynamic Key test case fix 2015-07-24 12:13:26 -04:00
Vishal Nayak e8daf2d0a5 Vault SSH: keys/ designated special path 2015-07-23 18:12:13 -04:00
Vishal Nayak e998face87 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-23 17:20:34 -04:00
Vishal Nayak 791a250732 Vault SSH: Support OTP key type from CLI 2015-07-23 17:20:28 -04:00
Vishal Nayak 47197d4cb3 Vault SSH: Added vault server otp verify API 2015-07-22 16:00:58 -04:00
Vishal Nayak 93f7448487 Vault SSH: Vault agent support 2015-07-22 14:15:19 -04:00
Bradley Girardeau e8d26d244b ldap: change setting user policies to setting user groups 2015-07-20 11:33:39 -07:00
Vishal Nayak 27e66e175f Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-17 17:22:17 -04:00
Bradley Girardeau 301a22295d ldap: add ability to set policies based on username as well as groups 2015-07-14 15:46:15 -07:00
Bradley Girardeau 0e2edc2378 ldap: add ability to login with a userPrincipalName (user@upndomain) 2015-07-14 15:37:46 -07:00
Armon Dadgar 504a7ca7c1 auth/userpass: store password as hash instead of direct. Credit @kenbreeman 2015-07-13 15:09:24 +10:00
Armon Dadgar da4650ccb4 auth/userpass: protect against timing attack. Credit @kenbreeman 2015-07-13 15:01:18 +10:00
Armon Dadgar 599d5f1431 auth/app-id: protect against timing attack. Credit @kenbreeman 2015-07-13 14:58:18 +10:00
Vishal Nayak ed258f80c6 Vault SSH: Refactoring and fixes 2015-07-10 18:44:31 -06:00
Vishal Nayak 89a0e37a89 Vault SSH: Backend and CLI testing 2015-07-10 16:18:02 -06:00
Vishal Nayak 2901890df2 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-10 09:56:21 -06:00
Vishal Nayak 3c7dd8611c Vault SSH: Test case skeleton 2015-07-10 09:56:14 -06:00
Armon Dadgar 96d6455ef5 audit: properly restore TLS state 2015-07-08 16:45:15 -06:00
Vishal Nayak 73414154f8 Vault SSH: Made port number configurable 2015-07-06 16:56:45 -04:00
Vishal Nayak 88a3c5d41a Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-06 11:05:08 -04:00
Armon Dadgar 0be3d419c8 secret/transit: address PR feedback 2015-07-05 19:58:31 -06:00
Armon Dadgar 8293457633 secret/transit: use base64 for context to allow binary 2015-07-05 14:37:51 -07:00
Armon Dadgar f0eec18cc7 secret/transit: testing key derivation 2015-07-05 14:30:45 -07:00
Armon Dadgar 143cd0875e secret/transit: support key derivation in encrypt/decrypt 2015-07-05 14:19:24 -07:00
Armon Dadgar ae9591004b secret/transit: check for context for derived keys 2015-07-05 14:12:07 -07:00
Armon Dadgar b30dbce404 secret/transit: support derived keys 2015-07-05 14:11:02 -07:00
Vishal Nayak 425b69be32 Vault SSH: PR review rework: Formatting/Refactoring 2015-07-02 19:52:47 -04:00
Bradley Girardeau 42050fe77b ldap: add starttls support and option to specificy ca certificate 2015-07-02 15:49:51 -07:00
Vishal Nayak c0a62f28b1 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-02 17:23:13 -04:00
Vishal Nayak a1e2705173 Vault SSH: PR review rework 2015-07-02 17:23:09 -04:00
Jeff Mitchell 13c5fe0a16 Fix regexes to allow hyphens in role names, as the documentation shows 2015-07-01 20:39:18 -05:00
Vishal Nayak 30a24eef2c Vault SSH: review rework: formatted and moved code 2015-07-01 21:26:42 -04:00
Vishal Nayak 67e543a863 Vault SSH: Regex supports hypen in key name and role names 2015-07-01 21:05:52 -04:00
Vishal Nayak bb16052141 Vault SSH: replaced concatenated strings by fmt.Sprintf 2015-07-01 20:35:11 -04:00
Vishal Nayak d691a95531 Vault SSH: PR review rework - 1 2015-07-01 11:58:49 -04:00
Vishal Nayak 1f001d283f For SSH backend, allow factory to be provided instead of Backend 2015-07-01 09:37:11 -04:00
Vishal Nayak 3b0ff5b5f1 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-01 09:31:25 -04:00
Armon Dadgar b52d3e6506 cred/app-id: testing upgrade to salted keys 2015-06-30 18:37:10 -07:00
Armon Dadgar eeb717c901 cred/app-id: first pass at automatic upgrading to salting 2015-06-30 18:09:08 -07:00
Armon Dadgar 4b27e4d8c5 Remove SetLogger, and unify on framework.Setup 2015-06-30 17:45:20 -07:00
Armon Dadgar 5d69e7da90 Updating for backend API change 2015-06-30 17:36:12 -07:00
Vishal Nayak b0043737af lease handling fix 2015-06-30 20:21:41 -04:00
Vishal Nayak 8627f3c360 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-06-30 18:33:37 -04:00
Vishal Nayak 5e5e6788be Input validations, help strings, default_user support 2015-06-30 18:33:17 -04:00
Armon Dadgar 8bc99f8c23 helper/uuid: single generateUUID definition 2015-06-30 12:38:32 -07:00
Armon Dadgar 3c58773598 Merge pull request #380 from kgutwin/cert-cli
Enable TLS client cert authentication via the CLI
2015-06-30 11:44:28 -07:00
Armon Dadgar b1f7e2f0ea ldap: fixing merge conflict 2015-06-30 09:40:43 -07:00
Jeff Mitchell 762108d9eb Put timestamp back into the username. Since Cassandra doesn't support expiration, this can be used by scripts to manually clean up old users if revocation fails for some reason.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 11:15:46 -04:00
Jeff Mitchell 42b90fa9b9 Address some issues from code review.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:27:23 -04:00
Jeff Mitchell fccbc587c6 A Cassandra secrets backend.
Supports creation and deletion of users in Cassandra using flexible CQL queries.

TLS, including client authentication, is supported.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:04:01 -04:00
Karl Gutwin 0062d923cc Better error messages. 2015-06-30 08:59:38 -04:00
Karl Gutwin a54ba31635 Merge remote-tracking branch 'upstream/master' into cert-cli 2015-06-30 08:31:00 -04:00
Karl Gutwin dafcc5b2ce enable CLI cert login 2015-06-29 23:29:41 -04:00
Vishal Nayak f7a0c17100 merge changes from master 2015-06-29 22:01:43 -04:00
Vishal Nayak 91ed2dcdc2 Refactoring changes 2015-06-29 22:00:08 -04:00
esell c0e1843263 change skipsslverify to insecure_tls 2015-06-29 19:23:31 -06:00
Armon Dadgar 12d3aee58e audit: fixing panic caused by tls connection state. Fixes #322 2015-06-29 17:16:17 -07:00
Armon Dadgar add8e1a3fd Fixing merge conflict 2015-06-29 15:19:04 -07:00
Armon Dadgar 337997ab04 Fixing merge conflict 2015-06-29 14:50:55 -07:00
Vishal Nayak 0f2c1f867e SCP in pure GO and CIDR parsing fix 2015-06-29 11:49:34 -04:00
Vishal Nayak 29696d4b6b Creating SSH keys and removal of files in pure 'go' 2015-06-26 15:43:27 -04:00
Vishal Nayak 8c15e2313b ssh/lookup implementation and refactoring 2015-06-25 21:47:32 -04:00
Vishal Nayak f39df58eef Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-06-24 18:13:26 -04:00
Vishal Nayak b237a3bcc2 POC: Rework. Doing away with policy file. 2015-06-24 18:13:12 -04:00
esell e81f966842 Set SkipSSLVerify default to false, add warning in help message 2015-06-24 13:38:14 -06:00
esell d3225dae07 cleanup the code a bit 2015-06-24 10:09:29 -06:00
esell 84371ea734 allow skipping SSL verification on ldap auth 2015-06-24 10:05:45 -06:00
Jeff Mitchell e086879fa3 Merge remote-tracking branch 'upstream/master' into f-pki 2015-06-19 13:01:26 -04:00
Vishal Nayak f8d164f477 SSHs to multiple users by registering the respective host keys 2015-06-19 12:59:36 -04:00
Jeff Mitchell a6fc48b854 A few things:
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
Nate Brown 4ec685dc1a Logging authentication errors and bad token usage 2015-06-18 18:30:18 -07:00
Vishal Nayak 90605c6079 merging with master 2015-06-18 20:51:11 -04:00
Vishal Nayak 8d98968a54 Roles, key renewal handled. End-to-end basic flow working. 2015-06-18 20:48:41 -04:00
Jeff Mitchell 34f495a354 Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
Vishal Nayak 2aed5f8798 Implementation for storing and deleting the host information in Vault 2015-06-17 22:10:47 -04:00
Armon Dadgar d34861b811 secret/transit: allow policies to be upserted 2015-06-17 18:51:05 -07:00
Armon Dadgar f53d31a580 secret/transit: Use special endpoint to get underlying keys. Fixes #219 2015-06-17 18:42:23 -07:00
Vishal Nayak cfef144dc2 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-06-17 20:34:56 -04:00
Vishal Nayak 303a7cef9a Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH. 2015-06-17 20:33:03 -04:00
Armon Dadgar 45d3c512fb builtin: fixing API change in logical framework 2015-06-17 14:34:11 -07:00
Armon Dadgar 30de4ea80d secret/postgres: Ensure sane username length. Fixes #326 2015-06-17 13:31:56 -07:00
Jeff Mitchell 29e7ec3e21 A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.

More refactoring could be done within the PKI backend itself, but that can wait.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
Vishal Nayak 3ed73d98c2 Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 12:39:49 -04:00
Vishal Nayak 08c921c75e Vault SSH: POC Stage 1. Skeleton implementation. 2015-06-16 16:58:54 -04:00
Jeff Mitchell 49f1fdbdcc Merge branch 'master' into f-pki 2015-06-16 13:43:25 -04:00
Jeff Mitchell 03b0675350 A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions
useful for other parts of Vault (including the API) to take advantage of.

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-16 13:43:12 -04:00
Mitchell Hashimoto 4bf84392ec credential/github: get rid of stray tab 2015-06-16 10:05:51 -07:00
Mitchell Hashimoto 0ecf05c043 command/auth, github: improve cli docs
/cc @sethvargo
2015-06-16 10:05:11 -07:00
Christian Svensson e3d3012795 Record the common name in TLS metadata
It is useful to be able to save the client cert's Common Name for auditing purposes when using a central CA.

This adds a "common_name" value to the Metadata structure passed from login.
2015-06-14 23:18:21 +01:00
Jeff Mitchell ae1cbc1a7a Erp, forgot this feedback...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 23:16:13 -04:00
Jeff Mitchell 7cf1f186ed Add locking for revocation/CRL generation. I originally was going to use an RWMutex but punted, because it's not worth trying to save some milliseconds with the possibility of getting something wrong. So the entire operations are now wrapped, which is minimally slower but very safe.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 22:28:13 -04:00
Jeff Mitchell 018c0ec7f5 Address most of Armon's initial feedback.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 21:57:05 -04:00
Jeff Mitchell 1513e2baa4 Add acceptance tests
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling

Also, fix a bug when trying to get code signing certificates.

Not tested:
* Revocation (I believe this is impossible with the current testing framework)

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jeff Mitchell 0d832de65d Initial PKI backend implementation.
Complete:
* Up-to-date API documents
* Backend configuration (root certificate and private key)
* Highly granular role configuration
* Certificate generation
* CN checking against role
* IP and DNS subject alternative names
* Server, client, and code signing usage types
* Later certificate (but not private key) retrieval
* CRL creation and update
* CRL/CA bare endpoints (for cert extensions)
* Revocation (both Vault-native and by serial number)
* CRL force-rotation endpoint

Missing:
* OCSP support (can't implement without changes in Vault)
* Unit tests

Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jonathan Sokolowski 348924eaab logical/consul: Combine policy and lease into single storage struct 2015-05-28 09:36:23 +10:00
Jonathan Sokolowski 6b0820d709 logical/consul: custom lease time for roles 2015-05-27 09:53:46 +10:00
Ian Unruh 2e1bce27a9 Allow dot in LDAP login username 2015-05-20 11:54:15 -07:00
Armon Dadgar cc966d6b52 auth/cert: Guard against empty certs. Fixes #214 2015-05-18 16:11:09 -07:00
Armon Dadgar 56659a2db2 cred/app-id: ensure consistent error message 2015-05-15 11:45:57 -07:00
Armon Dadgar 8cff23f29b cred/app-id: stricter validation and error messaging 2015-05-15 11:40:45 -07:00
Jonathan Sokolowski 6746a24c78 credential/app-id: Test DeleteOperation 2015-05-14 22:30:02 +10:00
Etourneau Gwenn a3fe4b889f Fix Error message 2015-05-12 14:32:09 +09:00
Mitchell Hashimoto 1ca0b2340c credential/app-id: add hash of user/app ID to metadata for logs 2015-05-11 10:46:11 -07:00
Mitchell Hashimoto 5406d3189e Merge pull request #184 from hashicorp/b-github-casing
credential/github: case insensitive mappings
2015-05-11 10:27:45 -07:00
Mitchell Hashimoto 5c63b70eea logical/framework: PathMap is case insensitive by default 2015-05-11 10:27:04 -07:00
Mitchell Hashimoto 4e861f29bc credential/github: case insensitive mappings 2015-05-11 10:24:39 -07:00
Giovanni Bajo 8156b88353 auth/ldap: move password into InternalData 2015-05-09 22:06:34 +02:00
Giovanni Bajo 84388b2b20 auth/ldap: move username into the path (to allow per-user revokation on the path) 2015-05-09 22:06:28 +02:00
Giovanni Bajo 5e899e7de2 auth/ldap: fix pasto 2015-05-09 22:06:22 +02:00
Giovanni Bajo 1e1219dfcc auth/ldap: implement login renew 2015-05-09 22:04:20 +02:00
Giovanni Bajo a0f53f177c auth/ldap: document LDAP server used in tests 2015-05-09 22:04:20 +02:00