Commit graph

143 commits

Author SHA1 Message Date
Violet Hynes 047b3106ff
VAULT-6727 Adjust cert and approle role resolution, add more tests (#16341)
* VAULT-6727 Adjust cert and approle role resolution, add more tests

* VAULT-6727 Add new test
2022-07-20 09:24:06 -04:00
Violet Hynes 56ed9ca8ae
Start of implementation of the plumbing for role resolution logic on auth mounts (#16049)
* VAULT-6612 Initial scaffolding for role determination

* VAULT-6612 Simplify code

* Fix fmt error that somehow happened

* VAULT-6612 Refactor resolve role response
2022-06-21 09:31:36 -04:00
Chris Capurso 1454c8ea88
add value length check to approle createHMAC (#14746)
* add value length check to approle createHMAC

* add changelog entry

* fix changelog entry
2022-03-29 14:43:35 -04:00
Jordan Reimer b936db8332
Revert "MFA (#14049)" (#14135)
This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 13:17:59 -07:00
Jordan Reimer 36ccfaa3aa
MFA (#14049)
* adds development workflow to mirage config

* adds mirage handler and factory for mfa workflow

* adds mfa handling to auth service and cluster adapter

* moves auth success logic from form to controller

* adds mfa form component

* shows delayed auth message for all methods

* adds new code delay to mfa form

* adds error views

* fixes merge conflict

* adds integration tests for mfa-form component

* fixes auth tests

* updates mfa response handling to align with backend

* updates mfa-form to handle multiple methods and constraints

* adds noDefault arg to Select component

* updates mirage mfa handler to align with backend and adds generator for various mfa scenarios

* adds tests

* flaky test fix attempt

* reverts test fix attempt

* adds changelog entry

* updates comments for todo items

* removes faker from mfa mirage factory and handler

* adds number to word helper

* fixes tests

* Revert "Merge branch 'main' into ui/mfa"

This reverts commit 8ee6a6aaa1b6c9ec16b985c10d91c3806819ec40, reversing
changes made to 2428dd6cca07bb41cda3f453619646ca3a88bfd0.

* format-ttl helper fix from main
2022-02-17 09:10:56 -07:00
Chris Capurso 6059b65ed9
fix approle login IPBelongsToCIDRBlocksSlice err handling (#14107)
* fix approle login IPBelongsToCIDRBlocksSlice err handling

* add changelog entry
2022-02-16 16:30:11 -05:00
Nick Cabatoff c01b993bd3
Fix regression in returning empty value for approle cidrlist. (#13235) 2021-11-23 12:13:47 -05:00
Nick Cabatoff ff74f49047
Move to go 1.17 (#12868)
Also ensure that the go 1.17 breaking changes to net.ParseCIDR don't make us choke on stored CIDRs that were acceptable to older Go versions.
2021-10-21 09:32:03 -04:00
Brian Kassouf c705adc79c
Fix some linting errors (#12860) 2021-10-18 17:29:47 -07:00
Rémi Lapeyre 308806eee3
Return 404 response when looking for a secret_id_accessor that does not exist (#12788)
* Return 404 response when looking for an secret_id_accessor that does not exist

Closes https://github.com/hashicorp/vault/issues/12660
2021-10-11 15:07:51 +01:00
Jeff Mitchell f7147025dd
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090)
* Swap sdk/helper libs to go-secure-stdlib

* Migrate to go-secure-stdlib reloadutil

* Migrate to go-secure-stdlib kv-builder

* Migrate to go-secure-stdlib gatedwriter
2021-07-15 20:17:31 -04:00
Lars Lehtonen 159272db7f
builtin/credential/approle: fix dropped test errors (#11990) 2021-07-05 11:00:12 -04:00
Marc Boudreau 3c35a25d36
Fix for Issue 11863 - Panic when creating/updating approle role with token_type (#11864)
* initializing resp variable with aa *logical.Response before using it to add warning for default-service or default-batch token type.  Also adding guard around code that sets resp to a new logical.Response further on in the function.

* adding changelog entry

* renaming changelog file to match PR number
2021-06-24 13:03:41 -04:00
John-Michael Faircloth 096a354626
approle: convert Callbacks to Operations (#11893)
* approle: convert Callbacks to Operations

The usage of oldstyle "Callbacks" is causing the `cannot write to readonly
storage` error message when `login` is attempted against a performance standby.

Use the newstyle "Operations" and additionally set the Forward
parameters to forward the request to the Active vault node.

* add changelog

* do not forward for alias lookahead operation

* remove forward fields and remove changelog

- Because this request is an UpdateOperation, it should have automatically been
routed to the primary/active by the router before it reaches the backend.
- changelog should not be needed as this change is only a refactor with
no user-facing behavior changes.
2021-06-21 13:38:22 -05:00
Vishal Nayak 6ec8cd8f28
Tokenutil: Perform num uses check earlier (#11647)
* Perform num uses check earlier

* Add CL

* Ensure that login works
2021-05-19 14:06:08 -04:00
Lars Lehtonen d8f7dd364a
builtin: deprecate errwrap.Wrapf() throughout (#11430)
* audit: deprecate errwrap.Wrapf()

* builtin/audit/file: deprecate errwrap.Wrapf()

* builtin/crediential/app-id: deprecate errwrap.Wrapf()

* builtin/credential/approle: deprecate errwrap.Wrapf()

* builtin/credential/aws: deprecate errwrap.Wrapf()

* builtin/credentials/token: deprecate errwrap.Wrapf()

* builtin/credential/github: deprecate errwrap.Wrapf()

* builtin/credential/cert: deprecate errwrap.Wrapf()

* builtin/logical/transit: deprecate errwrap.Wrapf()

* builtin/logical/totp: deprecate errwrap.Wrapf()

* builtin/logical/ssh: deprecate errwrap.Wrapf()

* builtin/logical/rabbitmq: deprecate errwrap.Wrapf()

* builtin/logical/postgresql: deprecate errwrap.Wrapf()

* builtin/logical/pki: deprecate errwrap.Wrapf()

* builtin/logical/nomad: deprecate errwrap.Wrapf()

* builtin/logical/mssql: deprecate errwrap.Wrapf()

* builtin/logical/database: deprecate errwrap.Wrapf()

* builtin/logical/consul: deprecate errwrap.Wrapf()

* builtin/logical/cassandra: deprecate errwrap.Wrapf()

* builtin/logical/aws: deprecate errwrap.Wrapf()
2021-04-22 11:20:59 -04:00
Brian Kassouf 303c2aee7c
Run a more strict formatter over the code (#11312)
* Update tooling

* Run gofumpt

* go mod vendor
2021-04-08 09:43:39 -07:00
Calvin Leung Huang b1c4b86d7f
approle: add ttl to the secret ID generation response (#10826)
* approle: add ttl to the secret ID generation response

* approle: move TTL derivation into helper func

* changelog: add changelog entry

* docs: update approle docs and api-docs pages
2021-02-03 16:32:16 -08:00
Danielle b821d35acb
approle: Include role_name in alias metadata (#9529)
This change allows people who are using templated policies to use the
role_name in their templates through {{
identity.entity.aliases.approle.metadata.role_name }}.

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2020-10-16 14:01:57 -07:00
ncabatoff 4463428a24
Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418)
Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up.  Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap.
2020-03-03 16:43:24 -05:00
Calvin Leung Huang 3ef01d49ab
approle: remove unneeded lock on list (#8223) 2020-01-22 16:03:26 -08:00
Calvin Leung Huang 522fa83568 sdk/logical: handle empty token type string values as TokenTypeDefault (#7273)
* sdk/logical: handle empty token type string values as TokenTypeDefault

* add test case for missing token_type value
2019-08-14 09:45:40 -04:00
ncabatoff f7690d1f6a
Handle TokenType serialized as string or as uint8. (#7233) 2019-08-05 16:51:14 -04:00
Jeff Mitchell fd856bdd24
Fix some compatibility (#7048) 2019-07-02 23:29:42 -04:00
Jeff Mitchell 126bdf2d02
Add UpgradeValue path to tokenutil (#7041)
This drastically reduces boilerplate for upgrading existing values
2019-07-02 09:52:05 -04:00
Jeff Mitchell 2bca5f439f
AppRole TokenUtil conversion (#7020) 2019-07-01 16:30:08 -04:00
Jeff Mitchell 213b9fd1cf Update to api 1.0.1 and sdk 0.1.8 2019-04-15 14:10:07 -04:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 28e2ce8577 Fix build breakages 2019-04-12 22:01:13 -04:00
Jeff Mitchell 8d6ce1ffb5 Move policyutil to sdk 2019-04-12 18:08:46 -04:00
Jeff Mitchell 7ca424e8d2 Move cidrutil to sdk 2019-04-12 18:03:59 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Jeff Mitchell 2f9a7c6203
Add more perf standby guards (#6149) 2019-02-01 16:56:57 -05:00
Jeff Mitchell bbc1d53a5d Revert "Refactor common token fields and operations into a helper (#5953)"
This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 11:23:40 -05:00
Jeff Mitchell 85a560abba
Refactor common token fields and operations into a helper (#5953) 2019-01-30 16:23:28 -05:00
Jim Kalafut d0e2badbae Run goimports across the repository (#6010)
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Brian Kassouf 0c6793d774
Update path_role.go (#5820) 2018-11-19 13:40:36 -08:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
Calvin Leung Huang b4503d02c6
Call wg.Add(1) outside of goroutine (#5716) 2018-11-06 16:36:13 -08:00
Jeff Mitchell a64fc7d7cb
Batch tokens (#755) 2018-10-15 12:56:24 -04:00
Becca Petrin 937cfff21a
Make builtin auth and secret plugins buildable (#5456) 2018-10-09 09:29:20 -07:00
Brian Kassouf a2608a3b61
Fix approle tidy on performance standbys (#5338)
* Fix approle tidy on performance standbys

* Forward PKI and AWS also
2018-09-17 09:53:23 -07:00
Jeff Mitchell e58a8a63a7
Add the ability to specify token CIDR restrictions on secret IDs. (#5136)
Fixes #5034
2018-08-21 11:54:04 -04:00
Jeff Mitchell 34a0ae1e5d
Update path_tidy_user_id_test.go 2018-07-25 03:37:24 -04:00
Jeff Mitchell 7e6faf021d Fix race in test 2018-07-25 00:18:32 -04:00
Jeff Mitchell 9bfd73bfc6 Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 14:00:53 -07:00
Jeff Mitchell 9775340547 Log nil secret IDs instead of swallowing error 2018-07-23 17:46:20 -04:00
Jeff Mitchell 92ed8fa571 Fix test 2018-07-12 08:29:04 -04:00
Jeff Mitchell 98bf463a65 Make single-lease revocation behave like expiration (#4883)
This change makes it so that if a lease is revoked through user action,
we set the expiration time to now and update pending, just as we do with
tokens. This allows the normal retry logic to apply in these cases as
well, instead of just erroring out immediately. The idea being that once
you tell Vault to revoke something it should keep doing its darndest to
actually make that happen.
2018-07-11 15:45:35 -04:00
Becca Petrin 73cbbe2a9f Add bound cidrs to tokens in AppRole (#4680) 2018-06-19 22:57:11 -04:00