Brian Kassouf
7fed43c035
Add the ability to glob allowed roles in the Database Backend ( #3387 )
...
* Add the ability to glob allowed roles in the Database Backend
* Make the error messages better
* Switch to the go-glob repo
2017-10-30 13:24:25 -07:00
Jeff Mitchell
7486df810c
Simplify TTL/MaxTTL logic in SSH CA paths and sane with the rest of how ( #3507 )
...
Vault parses/returns TTLs.
2017-10-30 15:05:47 -05:00
Jeff Mitchell
d8e2179a42
Rejig some error messages in pki
2017-10-27 12:02:18 -04:00
Jeff Mitchell
a25dae82dd
Final sync
2017-10-23 17:39:21 -04:00
Vishal Nayak
2ede750c78
return the actual error for base64 decoding failure ( #3397 )
2017-10-20 11:21:45 -04:00
Jeremy Voorhis
af24163abd
Implement signing of pre-hashed data ( #3448 )
...
Transit backend sign and verify endpoints now support algorithm=none
2017-10-11 11:48:51 -04:00
Jeff Mitchell
e3ce60eb1f
Allow entering PKI URLs as arrays. ( #3409 )
...
Fixes #3407
2017-10-03 16:13:57 -04:00
Nicolas Corrarello
40839d2163
Removing ignore to cleanup function
2017-09-29 09:35:17 +01:00
Nicolas Corrarello
6390021413
Working tests
2017-09-29 09:33:58 +01:00
Nicolas Corrarello
ad5f1018dd
Various fixes (Null pointer, wait for Nomad go up, Auth before policy creation)
2017-09-28 23:58:41 +01:00
Nicolas Corrarello
9a011781ec
Adding Global tokens to the data model
2017-09-28 23:57:48 +01:00
Nicolas Corrarello
ec972939c2
Added tests
2017-09-28 21:44:30 +01:00
Nicolas Corrarello
420b46fa08
Fixing data model
2017-09-20 17:14:35 -05:00
Nicolas Corrarello
129328e842
MVP of working Nomad Secret Backend
2017-09-20 15:59:35 -05:00
Jeff Mitchell
1076cea5d1
Tests were not actually forcing the intermediate to have a longer TTL
...
because of mount max TTL constraint. This ups the mount max to force the
test to work as expected.
2017-09-14 22:49:04 -04:00
Jeff Mitchell
cb6ac1e926
Change behavior of TTL in sign-intermediate ( #3325 )
...
* Fix using wrong public key in sign-self-issued
* Change behavior of TTL in sign-intermediate
This allows signing CA certs with an expiration past the signer's
NotAfter.
It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.
Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
2017-09-13 11:42:45 -04:00
Calvin Leung Huang
78b1dfd7bb
Handle errors from getRootConfig on aws logical backend ( #3294 )
2017-09-08 13:00:29 -04:00
Jeff Mitchell
7be6905eb0
Add a bit more delay to backend test in case Travis is loaded
2017-09-04 14:45:12 -04:00
Jeff Mitchell
abb2ab2918
Add pki/root/sign-self-issued. ( #3274 )
...
* Add pki/root/sign-self-issued.
This is useful for root CA rolling, and is also suitably dangerous.
Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.
* Add tests
2017-08-31 23:07:15 -04:00
Jeff Mitchell
d62937aaf3
Use TypeDurationSecond for TTL values in PKI. ( #3270 )
2017-08-31 15:46:13 -04:00
Lars Lehtonen
13901b1346
fix swallowed errors in pki package tests ( #3215 )
2017-08-29 13:15:36 -04:00
Jeff Mitchell
340fe4e609
Add permitted dns domains to pki ( #3164 )
2017-08-15 16:10:36 -04:00
Jeff Mitchell
e4eb6e9020
Make PKI root generation idempotent-ish and add delete endpoint. ( #3165 )
2017-08-15 14:00:40 -04:00
Calvin Leung Huang
b023d46cb8
Direct plugin logs through vault's logger ( #3142 )
...
* Direct plugin logs through vault's logger
* Pass in a logger in testConfig
2017-08-15 10:16:48 -04:00
Brian Kassouf
2e80e6488f
Bump database plugin protocol version
2017-08-08 17:01:38 -07:00
Lars Lehtonen
71ffa3429f
Handle dropped checkok pattern in mysql package ( #3082 )
2017-08-02 19:34:58 -04:00
Chris Hoffman
77336f4ca2
adding warning for conflicting role and request parameters ( #3083 )
2017-08-02 10:02:40 -04:00
Jeff Mitchell
4885b3e502
Use RemoteCredProvider instead of EC2RoleProvider ( #2983 )
2017-07-31 18:27:16 -04:00
Jeff Mitchell
474f008b2d
Clean up plugin tests with CA info
2017-07-31 15:09:19 -04:00
Jeff Mitchell
1bfc6d4fe7
Add a -dev-three-node option for devs. ( #3081 )
2017-07-31 11:28:06 -04:00
Calvin Leung Huang
3e8aecc7d5
Add BackendType to existing backends ( #3078 )
2017-07-28 14:04:46 -04:00
Jeff Mitchell
45fd7dad60
Add note about ed25519 hashing to docs and path help.
...
Fixes #3074
Closes #3076
2017-07-28 09:30:27 -04:00
Chris Hoffman
d404dfc494
fixing recovery from x/golang/crypto panics
2017-07-27 21:00:31 -04:00
Jeff Mitchell
0a2ac3160d
Recover during a request forward.
...
gRPC doesn't have a handler for recovering from a panic like a normal
HTTP request so a panic will actually kill Vault's listener. This
basically copies the net/http logic for managing this.
The SSH-specific logic is removed here as the underlying issue is caused
by the request forwarding mechanism.
2017-07-27 11:44:56 -04:00
Lars Lehtonen
72ee5e573c
Handle dropped checkok pattern in postgresql package ( #3046 )
2017-07-26 12:28:02 -04:00
Calvin Leung Huang
bb54e9c131
Backend plugin system ( #2874 )
...
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017 )
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Lars Lehtonen
3f0b15826a
Fix swallowed errors in builtin ( #2977 )
2017-07-07 08:23:12 -04:00
Jeff Mitchell
873aacf23f
Don't panic in audit logs when reading transit keys. ( #2970 )
2017-07-05 11:25:10 -04:00
Brian Shumate
4d6ca4c884
DOCS: fix typo in ssh path help ( #2966 )
2017-07-04 13:59:34 -04:00
Jeff Mitchell
753b68fa1b
Port TestCluster changes from proxy branch
2017-07-03 14:54:01 -04:00
Brian Nuszkowski
45c7bc718f
Add the option to specify a specific key id format that is generated … ( #2888 )
2017-06-29 04:05:06 +01:00
Jeff Mitchell
0957500abe
Ensure TOTP codes cannot be reused. ( #2908 )
2017-06-23 16:21:34 +01:00
Jeff Mitchell
be383217b6
If recovering from panic ensure the cert returned is nil
2017-06-16 18:18:15 -04:00
Jeff Mitchell
60d743a5b9
Go's SSH library can panic without warning; recover.
...
Ping #2877 -- but don't close yet in case there are more places.
2017-06-16 18:16:45 -04:00
Matthew Irish
d26a8ebf5e
add min_encryption_version to the transit key response ( #2838 )
2017-06-08 13:07:18 -05:00
Jeff Mitchell
fdf92aeba5
Add listing to database connections. ( #2827 )
...
Fixes #2823
2017-06-07 10:03:17 -04:00
Jeff Mitchell
a7fca34076
Add ability to specify encryption key version in transit
( #2821 )
2017-06-06 16:02:54 -04:00
Brian Kassouf
606fe393be
Use the role name in the db username ( #2812 )
2017-06-06 09:49:49 -04:00
Jeff Mitchell
3eebd5cf5a
ed25519 support in transit ( #2778 )
2017-06-05 15:00:39 -04:00
Jeff Mitchell
f7df60b131
Allow accessing Warnings directly in Response. ( #2806 )
...
A change in copystructure has caused some panics due to the custom copy
function. I'm more nervous about production panics than I am about
keeping some bad code wiping out some existing warnings, so remove the
custom copy function and just allow direct setting of Warnings.
2017-06-05 10:52:43 -04:00
Jeff Mitchell
4693881fe9
Update some path-help in datakey
2017-05-23 10:04:32 -04:00
Vishal Nayak
2557693aa3
Added host key call back for ssh config ( #2752 )
2017-05-21 20:16:13 -04:00
emily
aa40d2cff6
add gofmt checks to Vault and format existing code ( #2745 )
2017-05-19 08:34:17 -04:00
sprohaska
90be96989a
logical/aws: Fix typo in warning message ( #2747 )
...
Signed-off-by: Steffen Prohaska <prohaska@zib.de>
2017-05-19 06:20:54 -04:00
Brian Kassouf
533dbe5d4c
Update the error when no key can be found to a more clear error text ( #2720 )
2017-05-12 14:14:00 -04:00
Brian Kassouf
1460c2fcc7
Add plugin level docs for what statements are supported and how they should be formatted
2017-05-11 11:59:58 -07:00
Seth Rutner
3874b63af3
Fix typos in error message ( #2692 )
2017-05-10 10:28:35 -04:00
Jeff Mitchell
d25aa9fc21
Don't write salts in initialization, look up on demand ( #2702 )
2017-05-09 17:51:09 -04:00
Jeff Mitchell
185ba8a1c3
Only run cassandra tests on Travis for right now
2017-05-09 08:36:20 -04:00
Jeff Mitchell
6f6f242061
Add logic to skip initialization in some cases and some invalidation logic
2017-05-05 15:01:52 -04:00
Brian Kassouf
7dcec6e68f
Merge remote-tracking branch 'oss/master' into database-refactor
2017-05-04 12:40:00 -07:00
Brian Kassouf
82b58d5b9c
Update docs and return a better error message
2017-05-04 11:45:27 -07:00
mymercurialsky
4c0e3c5d2f
Implemented TOTP Secret Backend ( #2492 )
...
* Initialized basic outline of TOTP backend using Postgresql backend as template
* Updated TOTP backend.go's structure and help string
* Updated TOTP path_roles.go's structure and help strings
* Updated TOTP path_role_create.go's structure and help strings
* Fixed typo in path_roles.go
* Fixed errors in path_role_create.go and path_roles.go
* Added TOTP secret backend information to cli commands
* Fixed build errors in path_roles.go and path_role_create.go
* Changed field values of period and digits from uint to int, added uint conversion of period when generating passwords
* Initialized TOTP test file based on structure of postgresql test file
* Added enforcement of input values
* Added otp library to vendor folder
* Added test steps and cleaned up errors
* Modified read credential test step, not working yet
* Use of vendored package not allowed - Test error
* Removed vendor files for TOTP library
* Revert "Removed vendor files for TOTP library"
This reverts commit fcd030994bc1741dbf490f3995944e091b11da61.
* Hopefully fixed vendor folder issue with TOTP Library
* Added additional tests for TOTP backend
* Cleaned up comments in TOTP backend_test.go
* Added default values of period, algorithm and digits to field schema
* Changed account_name and issuer fields to optional
* Removed MD5 as a hash algorithm option
* Implemented requested pull request changes
* Added ability to validate TOTP codes
* Added ability to have a key generated
* Added skew, qr size and key size parameters
* Reset vendor.json prior to merge
* Readded otp and barcode libraries to vendor.json
* Modified help strings for path_role_create.go
* Fixed test issue in testAccStepReadRole
* Cleaned up error formatting, variable names and path names. Also added some additional documentation
* Moveed barcode and url output to key creation function and did some additional cleanup based on requested changes
* Added ability to pass in TOTP urls
* Added additional tests for TOTP server functions
* Removed unused QRSize, URL and Generate members of keyEntry struct
* Removed unnecessary urlstring variable from pathKeyCreate
* Added website documentation for TOTP secret backend
* Added errors if generate is true and url or key is passed, removed logger from backend, and revised parameter documentation.
* Updated website documentation and added QR example
* Added exported variable and ability to disable QR generation, cleaned up error reporting, changed default skew value, updated documentation and added additional tests
* Updated API documentation to inlude to exported variable and qr size option
* Cleaned up return statements in path_code, added error handling while validating codes and clarified documentation for generate parameters in path_keys
2017-05-04 10:49:42 -07:00
Brian Kassouf
5ee0d696d4
Merge remote-tracking branch 'oss/master' into database-refactor
2017-05-04 10:45:18 -07:00
Brian Kassouf
29bfc0a0d4
PR comments
2017-05-04 10:41:59 -07:00
Brian Kassouf
0875e78a13
Feedback from PR
2017-05-03 17:37:34 -07:00
Brian Kassouf
cbcb8635a4
Update databse backend tests to use the APIClientMeta for the plugin conns
2017-05-03 16:34:09 -07:00
Calvin Leung Huang
26cf09ab15
Minor comment update on cert_util
2017-05-03 16:13:54 -04:00
Chris Hoffman
1c14d207b5
Merge pull request #2575 from hashicorp/pki-colons-to-hyphens
...
Change storage of PKI entries from colons to hyphens
2017-05-03 15:07:15 -04:00
Chris Hoffman
e34a45fdcd
Minor readability enhancements for migration path from old to new
2017-05-03 14:58:22 -04:00
Calvin Leung Huang
a00a7815f6
Include and use normalizeSerial func
2017-05-03 10:12:58 -04:00
Brian Kassouf
7ae8f02f4b
Only wrap in tracing middleware if the logger is set to trace level
2017-05-02 17:19:49 -07:00
Brian Kassouf
29d9b831d3
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process
2017-05-02 14:40:11 -07:00
Calvin Leung Huang
2b7a66e23b
Use variables for string replacements on cert_util
2017-05-02 14:11:57 -04:00
Brian Kassouf
c8bbea9f37
Rename NewPluginServer to just Serve
2017-05-02 02:00:39 -07:00
Brian Kassouf
b3819c433b
Don't store an error response as a package variable
2017-05-01 15:30:56 -07:00
Brian Kassouf
9a60ec9fda
Update interface name from Wrapper to a more descriptive RunnerUtil
2017-05-01 14:59:55 -07:00
Justin Gerace
403efeb5ae
Add globbing support to the PKI backend's allowed_domains list ( #2517 )
2017-05-01 10:40:18 -04:00
Calvin Leung Huang
ff4cf41ebb
Add test for ca and crl case
2017-04-28 08:55:28 -04:00
Vishal Nayak
8bb6c8caef
Return error message for failure to parse CSR ( #2657 )
2017-04-28 08:30:24 -04:00
Calvin Leung Huang
802d030506
Refactor cert_util_test
2017-04-27 17:09:59 -04:00
Calvin Leung Huang
b5990321bf
Verify update operation was performed on revokeCert
2017-04-27 12:30:44 -04:00
Calvin Leung Huang
3b27a9c12c
Rename tests, use HandleRequest() for existing paths
2017-04-27 09:47:56 -04:00
Brian Kassouf
53752c3002
Add check to ensure we don't overwrite existing connections
2017-04-26 16:43:42 -07:00
Brian Kassouf
081101c7cf
Add an error check to reset a plugin if it is closed
2017-04-26 15:55:34 -07:00
Brian Kassouf
d0cad5345a
Update to a RWMutex
2017-04-26 15:23:14 -07:00
Calvin Leung Huang
628e5d594b
Add remaining tests
2017-04-26 16:05:58 -04:00
Brian Kassouf
4782d9d2af
Update the error messages for renew and revoke
2017-04-26 10:29:16 -07:00
Brian Kassouf
892812d67d
Change ttl types to TypeDurationSecond
2017-04-26 10:02:37 -07:00
Calvin Leung Huang
d24757f2e0
Fix crl_util test
2017-04-26 09:58:34 -04:00
Calvin Leung Huang
18ed2d6097
Tests for cert and crl util
2017-04-26 02:46:01 -04:00
Brian Kassouf
e3e5f12f9e
Default deny when allowed roles is empty
2017-04-25 11:48:24 -07:00
Brian Kassouf
207d01fd39
Update the connection details data and fix allowedRoles
2017-04-25 11:11:10 -07:00
Brian Kassouf
eb0f831d6a
Rename path_role_create to path_creds_create
2017-04-25 10:39:17 -07:00
Brian Kassouf
3d3e4eb5a4
Use TypeCommaStringSlice for allowed_roles
2017-04-25 10:26:23 -07:00
Brian Kassouf
bed1c17b1e
Update logging to new structure
2017-04-25 10:24:19 -07:00
Brian Kassouf
f25b367732
Don't uppercase ErrorResponses
2017-04-24 14:03:48 -07:00
Brian Kassouf
378ae98809
s/DatabaseType/Database/
2017-04-24 13:59:12 -07:00
Brian Kassouf
6f9d178370
Calls to builtin plugins now go directly to the implementation instead of go-plugin
2017-04-20 18:46:41 -07:00
Brian Kassouf
af9ff63e9a
Merge remote-tracking branch 'oss/master' into database-refactor
2017-04-19 15:16:00 -07:00
Chris Hoffman
847c86f788
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
Chris Hoffman
2ee593c6ea
Mssql driver update ( #2610 )
...
* Switching driver from mssql to sqlserver
* Adding explicit database to sp_msloginmappings call
2017-04-18 17:49:59 -04:00
Jeff Mitchell
4995c69763
Update sign-verbatim to correctly set generate_lease ( #2593 )
2017-04-18 15:54:31 -04:00
Jeff Mitchell
0897da93f0
Parse and dedup but do not lowercase principals in SSH certs. ( #2591 )
2017-04-18 12:21:02 -04:00
Jeff Mitchell
822d86ad90
Change storage of entries from colons to hyphens and add a
...
lookup/migration path
Still TODO: tests on migration path
Fixes #2552
2017-04-18 11:14:23 -04:00
Jeff Mitchell
e8adc13826
Fix cassandra dep breakage
2017-04-17 11:51:42 -04:00
Jeff Mitchell
79fb8bdf69
Verify that a CSR specifies IP SANs before checking whether it's allowed ( #2574 )
2017-04-13 13:40:31 -04:00
Brian Kassouf
883c80540a
Add allowed_roles parameter and checks
2017-04-13 10:33:34 -07:00
Brian Kassouf
0cfe1ea81c
Cleanup path files
2017-04-12 17:35:02 -07:00
Brian Kassouf
a9a05f5bba
Update Type() to return an error
2017-04-12 16:41:06 -07:00
Brian Kassouf
8ccf10641b
Merge branch 'master' into database-refactor
2017-04-12 14:29:10 -07:00
Brian Kassouf
128f25c13d
Update help text and comments
2017-04-11 11:50:34 -07:00
Brian Kassouf
c85b7be22f
Remove unnecessary abstraction
2017-04-10 18:38:34 -07:00
Brian Kassouf
8071aed758
Mlock the plugin process
2017-04-10 17:12:52 -07:00
Brian Kassouf
f6ff3b1146
Add a flag to tell plugins to verify the connection was successful
2017-04-10 15:36:59 -07:00
Brian Kassouf
db91a80540
Update plugin test
2017-04-10 14:12:28 -07:00
Brian Kassouf
bbbd81220c
Update the interface for plugins removing functions for creating creds
2017-04-10 12:24:16 -07:00
Brian Kassouf
459e3eda4e
Update backend tests
2017-04-10 10:35:16 -07:00
Brian Kassouf
93136ea51e
Add backend test
2017-04-07 15:50:03 -07:00
Shivaram Lingamneni
2117dfd717
implement a no_store option for pki roles ( #2565 )
2017-04-07 11:25:47 -07:00
Jeff Mitchell
f805618a2c
Update SSH CA documentation
...
Fixes #2551
Fixes #2569
2017-04-07 11:59:25 -04:00
Brian Kassouf
62d59e5f4e
Move plugin code into sub directory
2017-04-06 12:20:10 -07:00
Brian Kassouf
ca2c3d0c53
Refactor to use builtin plugins from an external repo
2017-04-05 16:20:31 -07:00
Calvin Leung Huang
2255884a4c
Do not mark conn as initialized until the end ( #2567 )
2017-04-04 14:26:59 -07:00
Brian Kassouf
305ccd54f7
Don't return strings, always structs
2017-04-04 11:33:58 -07:00
Calvin Leung Huang
9dd666c7e6
Database refactor invalidate ( #2566 )
...
* WIP on invalidate function
* cassandraConnectionProducer has Close()
* Delete database from connections map on successful db.Close()
* Move clear connection into its own func
* Use const for database config path
2017-04-04 11:32:42 -07:00
Jeff Mitchell
709389dd36
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
...
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
Brian Kassouf
b506bd7790
On change of configuration rotate the database type
2017-04-03 18:30:38 -07:00
Brian Kassouf
d7dd0ab35c
Merge branch 'database-refactor' of github.com:hashicorp/vault into database-refactor
2017-04-03 17:52:41 -07:00
Brian Kassouf
e8781b6a2b
Plugin catalog
2017-04-03 17:52:29 -07:00
Calvin Leung Huang
aa15a1d3a9
Database refactor mssql ( #2562 )
...
* WIP on mssql secret backend refactor
* Add RevokeUser test, and use sqlserver driver internally
* Remove debug statements
* Fix code comment
2017-04-03 09:59:30 -07:00
Brian Kassouf
210fa77e3c
fix for plugin commands that have more than one paramater
2017-03-28 14:37:57 -07:00
Brian Kassouf
50729a4528
Add comments to connection and credential producers
2017-03-28 13:08:11 -07:00
Brian Kassouf
b09526e1c9
Cleanup the db factory code and add comments
2017-03-28 12:57:30 -07:00
Brian Kassouf
6b877039e7
Update tests
2017-03-28 12:20:17 -07:00
Brian Kassouf
c50a6ebc39
Add functionaility to build db objects from disk so restarts work
2017-03-28 11:30:45 -07:00
Brian Kassouf
02b0230f19
Fix for checking types of database on update
2017-03-28 10:04:42 -07:00
Brian Kassouf
494f963581
Wrap the database calls with tracing information
2017-03-27 15:17:28 -07:00
Brian Kassouf
2799586f45
Remove the unused sync.Once object
2017-03-27 11:46:20 -07:00
Brian Kassouf
29ae4602dc
More work on getting tests to pass
2017-03-23 15:54:15 -07:00
Brian Kassouf
c0223d888e
Remove unsused code block
2017-03-22 17:09:39 -07:00
Brian Kassouf
1068076703
s/postgres/mysql/
2017-03-22 16:44:33 -07:00
Brian Kassouf
dac1bb210b
Add test files for postgres and mysql databases
2017-03-22 16:39:08 -07:00
Brian Kassouf
ae9961b811
Add a error message for empty creation statement
2017-03-22 12:40:16 -07:00
Brian Kassouf
c55bef85d3
Fix race with deleting the connection
2017-03-22 09:54:19 -07:00
Brian Kassouf
85ef468d46
Add a delete method
2017-03-21 17:19:30 -07:00
Brian Kassouf
83ff132705
Verify connections regardless of if this connections is already existing
2017-03-21 16:05:59 -07:00
Vishal Nayak
003ef004c6
sshca: ensure atleast cert type is allowed ( #2508 )
2017-03-19 18:58:48 -04:00
Brian Kassouf
a4e5e0f8c9
Comment and fix plugin Type function
2017-03-16 18:24:56 -07:00
Brian Kassouf
417770a58f
Change the handshake config from the default
2017-03-16 17:51:25 -07:00
Brian Kassouf
2873825848
Add a secure config to verify the checksum of the plugin
2017-03-16 16:20:18 -07:00
Brian Kassouf
f2df4ef0e7
Comment and slight refactor of the TLS plugin helper
2017-03-16 14:14:49 -07:00
Brian Kassouf
0a52ea5c69
Break tls code into helper library
2017-03-16 11:55:21 -07:00
Jeff Mitchell
24886c1006
Ensure CN check is made when exclude_cn_from_sans is used
...
Fixes #2363
2017-03-16 11:41:13 -04:00
Jeff Mitchell
ae8967d635
Always include a hash of the public key and "vault" (to know where it ( #2498 )
...
came from) when generating a cert for SSH.
Follow on from #2494
2017-03-16 11:14:17 -04:00
Mike Okner
95df7beed9
Adding allow_user_key_ids field to SSH role config ( #2494 )
...
Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name. Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.
2017-03-16 08:45:11 -04:00
Brian Kassouf
eb6117cbb2
Work on TLS communication over plugins
2017-03-15 17:14:48 -07:00
Jeff Mitchell
12e5132779
Allow roles to specify whether CSR SANs should be used instead of ( #2489 )
...
request values. Fix up some documentation.
Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
Jeff Mitchell
7ab6844eb4
Set CA chain when intermediate does not have an authority key ID.
...
This is essentially an approved review of the code provided in #2465 .
Fixes #2465
2017-03-15 11:52:02 -04:00
Brian Kassouf
3ecb344878
wrap plugin database type with metrics middleware
2017-03-14 13:12:47 -07:00
Brian Kassouf
822a3eb20a
Add a metrics middleware
2017-03-14 13:11:28 -07:00
Stanislav Grozev
662b372364
Reads on unconfigured SSH CA public key return 400
2017-03-14 10:21:48 -04:00
Stanislav Grozev
7d59d7d3ac
Reads on ssh/config/ca return the public keys
...
If configured/generated.
2017-03-14 10:21:48 -04:00
Stanislav Grozev
830de2dbbd
If generating an SSH CA signing key - return the public part
...
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
2017-03-14 10:21:48 -04:00
Brian Kassouf
2054fff890
Add a way to initalize plugins and builtin databases the same way.
2017-03-13 14:39:55 -07:00
Brian Kassouf
71b81aad23
Add checksum attribute
2017-03-10 14:10:42 -08:00
Brian Kassouf
a11911d4d4
Rename reset to close
2017-03-09 22:35:45 -08:00
Brian Kassouf
fda45f531d
Add special path to enforce root on plugin configuration
2017-03-09 21:31:29 -08:00
Brian Kassouf
748c70cfb4
Add plugin file
2017-03-09 17:43:58 -08:00
Brian Kassouf
9099231229
Add plugin features
2017-03-09 17:43:37 -08:00
Vishal Nayak
220beb2cde
doc: ssh allowed_users update ( #2462 )
...
* doc: ssh allowed_users update
* added some more context in default_user field
2017-03-09 10:34:55 -05:00
vishalnayak
f085cd71ab
Fix typo
2017-03-08 17:49:39 -05:00
Brian Kassouf
b7128f8370
Update secrets fields
2017-03-08 14:46:53 -08:00
Vishal Nayak
766c2e6ee0
SSH CA enhancements ( #2442 )
...
* Use constants for storage paths
* Upgrade path for public key storage
* Fix calculateValidPrincipals, upgrade ca_private_key, and other changes
* Remove a print statement
* Added tests for upgrade case
* Make exporting consistent in creation bundle
* unexporting and constants
* Move keys into a struct instead of plain string
* minor changes
2017-03-08 17:36:21 -05:00
Brian Kassouf
2fb6bf9882
Fix renew and revoke calls
2017-03-07 17:21:44 -08:00
Brian Kassouf
b7c3b4b0d7
Add defaults to the cassandra databse type
2017-03-07 17:00:52 -08:00
Brian Kassouf
3976a2a0a6
Pass statements object
2017-03-07 16:48:17 -08:00
Brian Kassouf
843d584254
Remove unused sql object
2017-03-07 15:34:23 -08:00
Brian Kassouf
919155ab12
Remove double lock
2017-03-07 15:33:05 -08:00
Brian Kassouf
c959882b93
Update locking functionaility
2017-03-07 13:48:29 -08:00
Jeff Mitchell
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Brian Kassouf
bc53e119ca
rename mysql variable
2017-03-03 15:07:41 -08:00
Brian Kassouf
bba832e6bf
Make db instances immutable and add a reset path to tear down and create a new database instance with an updated config
2017-03-03 14:38:49 -08:00
Brian Kassouf
29e07ac9e8
Fix mysql connections
2017-03-03 14:38:49 -08:00
Brian Kassouf
24ddea9954
Add mysql into the factory
2017-03-03 14:38:48 -08:00
Brian Kassouf
8e8f260d96
Add max connection lifetime param and set consistancy on cassandra session
2017-03-03 14:38:48 -08:00
Brian Kassouf
1f009518cd
s/Statement/Statements/
2017-03-03 14:38:48 -08:00
Brian Kassouf
46aa7142c1
Add mysql database type
2017-03-03 14:38:48 -08:00
Brian Kassouf
2ec5ab5616
More work on refactor and cassandra database
2017-03-03 14:38:48 -08:00
Brian Kassouf
acdcd79af3
Begin work on database refactor
2017-03-03 14:38:48 -08:00
Vishal Nayak
4b81bcb379
ssh: Added DeleteOperation to config/ca ( #2434 )
...
* ssh: Added DeleteOperation to config/ca
* Address review feedback
2017-03-03 10:19:45 -05:00
Jeff Mitchell
55e69277ce
Update SSH CA logic/tests
2017-03-02 16:39:22 -05:00
Vishal Nayak
a1331278ff
Refactor the generate_signing_key processing ( #2430 )
2017-03-02 16:22:06 -05:00
Jeff Mitchell
fa474924aa
Update error text to make it more obvious what the issue is when valid principals aren't found
2017-03-02 15:56:08 -05:00
Jeff Mitchell
eca68d5913
Fix a bunch of errors from returning 5xx, and parse more duration types
2017-03-02 15:38:34 -05:00
Will May
70bfdb5ae9
Changes from code review
2017-03-02 14:36:13 -05:00
Will May
36b3d89604
Allow internal generation of the signing SSH key pair
2017-03-02 14:36:13 -05:00
Vishal Nayak
3795d2ea64
Rework ssh ca ( #2419 )
...
* docs: input format for default_critical_options and default_extensions
* s/sshca/ssh
* Added default_critical_options and default_extensions to the read endpoint of role
* Change default time return value to 0
2017-03-01 15:50:23 -05:00
Will May
9f75f84175
Changes from code review
...
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
2017-03-01 15:19:18 -05:00
Will May
ff1ff02bd7
Changes from code review
...
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
2017-03-01 15:19:18 -05:00
Will May
099d561b20
Add ability to create SSH certificates
2017-03-01 15:19:18 -05:00
vishalnayak
2e911fc650
Fix broken build caused due to resolve merge conflicts
2017-02-24 12:41:20 -05:00
Vishal Nayak
c6f138bb9a
PKI: Role switch to control lease generation ( #2403 )
...
* pki: Make generation of leases optional
* pki: add tests for upgrading generate_lease
* pki: add tests for leased and non-leased certs
* docs++ pki generate_lease
* Generate lease is applicable for both issuing and signing
* pki: fix tests
* Address review feedback
* Address review feedback
2017-02-24 12:12:40 -05:00
Saj Goonatilleke
01f3056b8b
pki: Include private_key_type on DER-formatted responses from /pki/issue/ ( #2405 )
2017-02-24 11:17:59 -05:00
Jeff Mitchell
c81582fea0
More porting from rep ( #2388 )
...
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell
0c39b613c8
Port some replication bits to OSS ( #2386 )
2017-02-16 15:15:02 -05:00
Jeff Mitchell
c96fe56d44
Fix copypasta, thanks tests
2017-02-16 01:32:39 -05:00
Jeff Mitchell
817bec0955
Add Organization support to PKI backend. ( #2380 )
...
Fixes #2369
2017-02-16 01:04:29 -05:00
Vishal Nayak
7f2717b74a
transit: change batch input format ( #2331 )
...
* transit: change batch input format
* transit: no json-in-json for batch response
* docs: transit: update batch input format
* transit: fix tests after changing response format
2017-02-06 14:56:16 -05:00
Vishal Nayak
5fb28f53cb
Transit: Support batch encryption and decryption ( #2143 )
...
* Transit: Support batch encryption
* Address review feedback
* Make the normal flow go through as a batch request
* Transit: Error out if encryption fails during batch processing
* Transit: Infer the 'derived' parameter based on 'context' being set
* Transit: Batch encryption doc updates
* Transit: Return a JSON string instead of []byte
* Transit: Add batch encryption tests
* Remove plaintext empty check
* Added tests for batch encryption, more coming..
* Added more batch encryption tests
* Check for base64 decoding of plaintext before encrypting
* Transit: Support batch decryption
* Transit: Added tests for batch decryption
* Transit: Doc update for batch decryption
* Transit: Sync the path-help and website docs for decrypt endpoint
* Add batch processing for rewrap
* transit: input validation for context
* transit: add rewrap batch option to docs
* Remove unnecessary variables from test
* transit: Added tests for rewrap use cases
* Address review feedback
* Address review feedback
* Address review feedback
* transit: move input checking out of critical path
* transit: allow empty plaintexts for batch encryption
* transit: use common structs for batch processing
* transit: avoid duplicate creation of structs; add omitempty to response structs
* transit: address review feedback
* transit: fix tests
* address review feedback
* transit: fix tests
* transit: rewrap encrypt user error should not error out
* transit: error out for internal errors
2017-02-02 14:24:20 -05:00
Jeff Mitchell
47274eca88
Add cleanup functions to multiple DB backends. ( #2313 )
...
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
Jeff Mitchell
f1a5a858d3
Make export errors a bit more meaningful
2017-01-30 09:25:50 -05:00
Jeff Mitchell
2e15dc93df
Have transit exporting return the same structure regardless of one key or many
2017-01-28 10:37:35 -05:00
Brian Kassouf
e788780709
Migrate cassandra test from acceptance to dockertest ( #2295 )
2017-01-25 15:37:55 -05:00
Jeff Mitchell
f43a041bf2
Revert "Disable PKI OU tests to fix the build"
...
This reverts commit b1ab7c5603180af9073caab1b3022ca438dc12be.
2017-01-24 09:58:28 -05:00
vishalnayak
c8b6ab7223
Disable PKI OU tests to fix the build
2017-01-24 06:25:56 -05:00
joe miller
98df700495
allow roles to set OU value in certificates issued by the pki backend ( #2251 )
2017-01-23 12:44:45 -05:00
Chris Hoffman
7568a212b1
Adding support for exportable transit keys ( #2133 )
2017-01-23 11:04:43 -05:00
Vishal Nayak
fa7d61baa3
Merge pull request #2202 from fcantournet/fix_govet_fatalf
...
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Matthew Irish
cb8bbc4fbd
Transit key actions ( #2254 )
...
* add supports_* for transit key reads
* update transit docs with new supports_* fields
2017-01-11 10:05:06 -06:00
joe miller
78dacc154a
sign-verbatim should set use_csr_common_name to true ( #2243 )
2017-01-10 09:47:59 -05:00
Jeff Mitchell
80dc5819d3
Use dockertest.v2 ( #2247 )
...
New dockertest has a totally different API and will require some serious
refactoring. This will tide over until then by pinning the API version.
2017-01-09 13:46:54 -05:00
Félix Cantournet
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
vishalnayak
1816446f46
Address review feedback
2016-12-20 11:19:47 -05:00
vishalnayak
b3e323bbcc
pki: Avoiding a storage read
2016-12-20 11:07:20 -05:00
vishalnayak
2e23f1a992
pki: Appended error to error message
2016-12-19 10:49:32 -05:00
vishalnayak
ba1cc709bd
PKI: Added error to the error message
2016-12-19 10:47:29 -05:00
Jeff Mitchell
bb54bd40f6
normalize some capitlization in error messages
2016-12-15 19:02:33 -05:00
Jeff Mitchell
6ee61af87f
Fix nil value panic when Consul returns a user error ( #2145 )
2016-12-01 10:22:32 -08:00
vascop
ba3dc07bb3
Fix typo and remove trailing whitespace. ( #2074 )
2016-11-08 09:32:23 -05:00
Jeff Mitchell
26fa2655b1
Add listing to Consul secret roles ( #2065 )
2016-11-04 12:35:16 -04:00
vishalnayak
dc93e57cf1
Return the revocation_sql from role read all the time
2016-10-27 12:24:31 -04:00
vishalnayak
e0fb8c17ce
Added revocation_sql to the website docs
2016-10-27 12:15:08 -04:00
vishalnayak
c14a6c8666
Move policy test to keysutil package
2016-10-26 19:57:28 -04:00
vishalnayak
6d1e1a3ba5
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 19:52:31 -04:00
vishalnayak
931c96d1ba
ssh: Use temporary file to store the identity file
2016-10-18 12:50:12 -04:00
Chris Hoffman
4b6e82afcb
Add ability to list keys in transit backend ( #1987 )
2016-10-18 10:13:01 -04:00
Laura Bennett
5ce9737eb4
address feedback
2016-10-10 12:16:55 -04:00
Laura Bennett
e5a7e3d6cb
initial commit to fix empty consistency option issue
2016-10-08 20:22:26 -04:00
Jeff Mitchell
70a9fc47b4
Don't use quoted identifier for the username
2016-10-05 14:31:19 -04:00
Jeff Mitchell
7f9a88d8db
Postgres revocation sql, beta mode ( #1972 )
2016-10-05 13:52:59 -04:00
vishalnayak
de5dec6b15
Refactor mysql's revoke SQL
2016-10-04 19:30:25 -04:00
Vishal Nayak
1ab7023483
Merge pull request #1914 from jpweber/mysql-revoke
...
Mysql revoke with non-wildcard hosts
2016-10-04 17:44:15 -04:00
Jim Weber
87f206b536
removed an unused ok variable. Added warning and force use for default queries if role is nil
2016-10-04 17:15:29 -04:00
Jim Weber
cc38f3253a
fixed an incorrect assignment
2016-10-03 21:51:40 -04:00
Jim Weber
ac78ddc178
More resilient around cases of missing role names and using the default when needed.
2016-10-03 20:20:00 -04:00
Jim Weber
0a7f1089ca
Refactored logic some to make sure we can always fall back to default revoke statments
...
Changed rolename to role
made default sql revoke statments a const
2016-10-03 15:59:56 -04:00
Jim Weber
704fccaf2e
fixed some more issues I had with the tests.
2016-10-03 15:58:09 -04:00
Jim Weber
a2d6624a69
renamed rolname to role
2016-10-03 15:57:47 -04:00
Jim Weber
bfb0c2d3ff
Reduced duplicated code and fixed comments and simple variable name mistakes
2016-10-03 14:53:05 -04:00