Commit graph

7741 commits

Author SHA1 Message Date
Jeff Mitchell 3d44060b5f Update interactive tutorial commands 2018-03-16 15:03:51 -04:00
Jeff Mitchell 61c26fdf57 Fix compile 2018-03-16 13:55:56 -04:00
Jeff Mitchell 1cef14036f Have deprecated commands pass on address and token helper too 2018-03-16 13:52:08 -04:00
Jeff Mitchell cc0b430b77 Use runopts-provided address if given, without overriding 2018-03-16 13:41:32 -04:00
Jin-wook Jeong 92ea5f9d66 Make credential plugin to work that is modified before vault startup and reloaded after vault startup. (#4121)
Set routeEntry.rootPaths, loginPaths after plugin reload using atomic values.
2018-03-16 10:35:19 -07:00
Jeff Mitchell 1b6c62ff53 Allow sending address through RunCustom 2018-03-16 13:14:32 -04:00
Jeff Mitchell e6bc62bfc6 Make help output use any custom stderr 2018-03-16 12:59:52 -04:00
Jeff Mitchell 3504ca61c8 Change base command template to runopts and allow specifying stdout/stderr 2018-03-16 12:31:26 -04:00
Jeff Mitchell 067052f304 Add RunCustom command to allow passing in a TokenHelper 2018-03-16 11:31:00 -04:00
Jeff Mitchell 7b58d3b2fa Use public forked big package for encrypted_key_storage file until Go 1.10 2018-03-16 10:30:05 -04:00
immutability 04d1202426 Plugins need setcap too for syscall mlock (#4138) 2018-03-16 06:05:01 -07:00
Yoko 2752855faa Fixed the hyperlink (#4140) 2018-03-15 19:24:26 -07:00
Yoko fb8d1566e6
updating the AppRole diagram (#4139)
Fixing the build error
2018-03-15 18:23:25 -07:00
Yoko 3a72bcc4ae
Approle diagram (#4132)
* Updates requested by the SE team

* Added links to AppRole blog and webinar

* Updated diagram

* Updated diagram
2018-03-15 17:16:59 -07:00
Jeff Mitchell 9f9eb11178 changelog++ 2018-03-15 12:25:29 -04:00
Jeff Mitchell f24dfe7bd3 changelog++ 2018-03-15 12:24:48 -04:00
Jeff Mitchell 83dea6204c
Honor mount-tuned ttl/max ttl for database credential generatoin (#4053) 2018-03-15 09:24:02 -07:00
Joel Thompson 39dc981301 auth/aws: Allow binding by EC2 instance IDs (#3816)
* auth/aws: Allow binding by EC2 instance IDs

This allows specifying a list of EC2 instance IDs that are allowed to
bind to the role. To keep style formatting with the other bindings, this
is still called bound_ec2_instance_id rather than bound_ec2_instance_ids
as I intend to convert the other bindings to accept lists as well (where
it makes sense) and keeping them with singular names would be the
easiest for backwards compatibility.

Partially fixes #3797
2018-03-15 09:19:28 -07:00
Jeff Mitchell 5c5954573a changelog++ 2018-03-15 12:18:00 -04:00
Brian Nuszkowski 76be90f384 Add PKCS1v15 as a RSA signature and verification option on the Transit secret engine (#4018)
Option to specify the RSA signature type, in specific add support for PKCS1v15
2018-03-15 09:17:02 -07:00
Jeff Mitchell 59b3e28151 Make the API docs around ed25519 more clear about what derivation means for this key type 2018-03-15 11:59:50 -04:00
Jim Kalafut 3f1ed4eb0d Fix description of parameter value globbing (#4131) 2018-03-14 17:03:00 -04:00
Edward Z. Yang ac98730578 Vault user needed to use STS Federation Tokens (#4108)
If you try to use role authorization to get an STS token, you'll get this error:

* Error generating STS keys: AccessDenied: Cannot call GetFederationToken with session credentials
2018-03-14 10:24:29 -04:00
Malte a0776eb703 Fix typo in recommended vault auth iam policy (#4128)
The resource arn for the `sts:AssumeRole` action is missing a `:` for the region and therefore invalid.
2018-03-14 03:45:21 -04:00
Joel Thompson 5c788e8642 docs: Alphabetize CLI commands (#4127)
status was appearing after token when it should be before
2018-03-14 01:44:41 -04:00
Jeff Mitchell 282156bae5 changelog++ 2018-03-13 10:40:50 -04:00
Jeff Mitchell 300ca9c6ee
Have Okta respect its set max_ttl. (#4111)
Fixes #4110
2018-03-13 10:39:51 -04:00
Joel Thompson 2f8e3c27f4 Accept temp creds in AWS secret backend acceptance tests (#4076)
* Accept temp creds in AWS secret backend acceptance tests

The AWS secret backend acceptance tests implicitly accepted long-lived
AWS credentials (i.e., AWS IAM user and/or root credentials) in two
ways:

1. It expected credentials to be passed in via the AWS_ACCESS_KEY_ID and
   AWS_SECRET_ACCESS_KEY environment variables. By not accepting
   AWS_SESSION_TOKEN or AWS_SECURITY_TOKEN, temporary credentials could
   not be passed in. (This also forced all credentials to be passed in
   via environment variables, which is a bit ugly).
2. The AWS sts:GetFederationToken call is only allowed from long-term
   credentials. This is called by the Vault code which the acceptance
   tests exercise.

1 is solved by deleting explicit references to credentials, which allows
the SDK to do one of the things it does best -- find credentials via the
default chain.

2 is a little more complicated. Rather than pass in whatever creds the
acceptance test was run under to the backend, the acceptance test now
creates a new IAM user and gets an access key from it, then passes the
IAM user's creds back to the backend so that it can call
sts:GetFederationToken (and then tries to clean up afterwards).

* Fix Travis build failure

The Travis build was failing because the user creation was happening
regardless of whether it was running in acceptance test mode or not.
This moves the user creation into the acceptance test precheck, which
requires lazily evaluating the credentials when configuring the backend
in the STS accetpance test, and so moving that to a PreFlight closure.

* Reduce blind sleeps in AWS secret backend acceptance tests

This removes a blind "sleep 10 seconds and then attempt to reuse the
credential" codepath and instead just keeps attemtping to reuse the
credential for 10 seconds and fails if there aren't any successful uses
after 10 seconds. This adds a few seconds speedup of acceptance test
runs from my experiments.
2018-03-13 10:35:10 -04:00
Brian Shumate bbd4d7ab4c Docs: grammatical clarification around community supported note (#4122) 2018-03-13 10:32:28 -04:00
Marien Fressinaud 5f5faec977 [doc] Change auth token in getting-started (#4118)
In the authentication section of the getting started doc, the token used
to login doesn't match with the one displayed as the command result.

This commit makes sure that both tokens correspond to avoid distracting
newcomers.
2018-03-13 10:28:09 -04:00
vishalnayak 71fb22073a changelog++ 2018-03-10 03:37:29 -05:00
Calvin Leung Huang 3108860d4b
Audit HMAC values on AuthConfig (#4077)
* Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs

* docs: Add ttl params to auth enable endpoint

* Rewording of go string to simply string

* Add audit hmac keys as CLI flags on auth/secrets enable

* Fix copypasta mistake

* Add audit hmac keys to auth and secrets list

* Only set config values if they exist

* Fix http sys/auth tests

* More auth plugin_name test fixes

* Pass API values into MountEntry's config when creating auth/secrets mount

* Update usage wording
2018-03-09 14:32:28 -05:00
Brian Kassouf e7b04e206b
helper/keysutil: Add a LoadPolicy function (#4116)
* helper/keysutil: Add a LoadPolicy function

* Use the load policy function in the lock manager
2018-03-09 11:01:24 -08:00
Alvin Huang ce7d62e125 bump middleman-hashicorp container to 0.3.32 (#4117) 2018-03-09 13:06:58 -05:00
Jeff Mitchell d6fcc0b244 changelog++ 2018-03-09 10:54:23 -05:00
Jeff Mitchell 55187255bd
Truncate token store issued token periods when greater than tuned max at (#4112)
issue time, not just renew time.
2018-03-09 10:53:04 -05:00
Jeff Mitchell 13c3c9ea55 changelog++ 2018-03-09 10:44:06 -05:00
Jeff Mitchell 8455e25604 Bump complete. Fixes #4094 2018-03-09 10:43:20 -05:00
Brian Kassouf 148883fc05
helper/keyutil: Add a NewPolicy function so unexported variables can be set (#4113)
* helper/keyutil: Add a NewPolicy function so unexported variables can be set

* Set the convergent version
2018-03-08 21:06:25 -08:00
Brian Kassouf f226fbbbb9
helper/keysutil: Add a storage implementation that uses policies to encrypt paths (#3989)
* helper/keysutil: Add a policy encrypted path storage

* Add vendored deps

* Fix spelling and paths that start with a /

* Add a key version template to change configure the ciphertext prefix

* Use big.Int for base58 instead of external lib

* Update go requirment to 1.10

* Add a version prefix cache

* Move logic to helper function

* Cache the template parts

* Add a storage prefix to policy

* Add an error if the policy passed in is nil

* Pull in the go1.10 version of the math/big package until we can update
2018-03-08 17:58:50 -08:00
Vishal Nayak 527eb418fe
approle: Use TypeCommaStringSlice for BoundCIDRList (#4078)
* Use TypeCommaStringSlice for Approle bound_cidr_list

* update docs

* Add comments in the test
2018-03-08 17:49:08 -05:00
Jeff Mitchell a82b43081c Fix output in warning displaying nanoseconds instead of seconds 2018-03-08 16:14:20 -05:00
Jeff Mitchell 9d2a0dc31f Update text around default policy to make it clear that it is user-modifiable 2018-03-08 15:48:11 -05:00
Brian Kassouf 9dba3590ac
Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
Jeff Mitchell ab01acc145 changelog++ 2018-03-08 13:09:07 -05:00
Jeff Mitchell f9f0261886
Populate AWS-generated tokens with default lease TTL to fix comparisons against role max (#4107)
* Populate AWS-generated tokens with default lease TTL to fix comparisons against role max

* Fix printing TTLs when capping them
2018-03-08 13:08:00 -05:00
Jeff Mitchell 52852b89cf
Revert "Fix AWS auth max_ttl being ignored when ttl is not set (#4086)" (#4105)
This reverts commit 135cb4e6871a75c3b996bf8ac719767560268732.
2018-03-08 11:08:32 -05:00
Kevin Wang f72540ce8e Fix AWS auth max_ttl being ignored when ttl is not set (#4086)
If ttl is not set, the value of `resp.Auth.TTL` is 0, resulting in the
max TTL check being skipped.

Also fixes the formatting of the warning message.
2018-03-08 11:07:51 -05:00
Jim Kalafut 079de043e3 Fix instruction in installation docs (#4097) 2018-03-08 11:02:04 -05:00
Viacheslav Vasilyev b06c25b552 Fix autoreplacing issue (#4103) 2018-03-08 11:01:46 -05:00