Commit Graph

1037 Commits

Author SHA1 Message Date
vishalnayak d0e4d77fce address review feedback 2016-09-14 14:28:02 -04:00
vishalnayak d7ce69c5eb Remove the client nonce being empty check 2016-09-14 14:28:02 -04:00
vishalnayak 53c919b1d0 Generate the nonce by default 2016-09-14 14:28:02 -04:00
vishalnayak 455a4ae055 address review feedback 2016-09-14 12:08:35 -04:00
vishalnayak b1392567d1 Use constant time comparisons for client nonce 2016-09-13 20:12:43 -04:00
vishalnayak d2e66014ba Address review feedback 2016-09-13 18:30:04 -04:00
Jeff Mitchell 29b67141eb Only use running state for checking if instance is alive. (#1885)
Fixes #1884
2016-09-13 18:08:05 -04:00
vishalnayak 99a2655d8e upgrade notes entry for approle constraint and warning on role read 2016-09-13 17:44:07 -04:00
vishalnayak bef9c2ee61 Ensure at least one constraint on the role 2016-09-13 16:03:15 -04:00
Jeff Mitchell 197c7eae5f Allow encrypting empty ciphertext values. (#1881)
Replaces #1874
2016-09-13 12:00:04 -04:00
vishalnayak b599948e1c Use uuid.GenerateRandomBytes 2016-09-09 14:17:09 -04:00
vishalnayak 127f61473b Not exposing structs from the backend's package 2016-09-01 11:57:28 -04:00
Jeff Mitchell 1db0544b7a Use unexported kdf const names 2016-08-31 07:19:58 -04:00
Vishal Nayak c46a7391c0 Merge pull request #1799 from hashicorp/fix-role-locking
approle: fix racy updates problem for roles
2016-08-30 16:46:40 -04:00
vishalnayak cdcfa4572f Address review feedback 2016-08-30 16:36:58 -04:00
Jeff Mitchell d2239d22d9 Use hkdf for transit key derivation for new keys (#1812)
Use hkdf for transit key derivation for new keys
2016-08-30 16:29:09 -04:00
vishalnayak 29b9295673 approle: fix racy updates problem for roles 2016-08-30 16:11:14 -04:00
vishalnayak 9dbc97028b STS path field description update 2016-08-30 10:53:21 -04:00
vishalnayak 0b07ec7303 Added UpdateOperation to logical AWS STS path 2016-08-30 10:30:13 -04:00
Vishal Nayak cdd1d96a64 Merge pull request #1804 from hashicorp/issue-1800
Mark STS secrets as non-renewable
2016-08-29 11:46:19 -04:00
navinanandaraj 8612b6139e Fixes #1801 Reuse Cassandra session object for create creds (#1802) 2016-08-28 17:32:41 -04:00
Jeff Mitchell f0537572a8 Mark STS secrets as non-renewable
Ping #1800
2016-08-28 14:27:56 -04:00
Jeff Mitchell 0b113f7916 Derive nonce fully in convergent mode (#1796)
Ping #1794
2016-08-26 17:01:56 -04:00
Jeff Mitchell 2f5876dfe9 Use key derivation for convergent nonce. (#1794)
Use key derivation for convergent nonce.

Fixes #1792
2016-08-26 14:11:03 -04:00
Jeff Mitchell 28739f3528 Decode secret internal data into struct and fix type assertion. (#1781) 2016-08-24 15:04:04 -04:00
Jeff Mitchell d1284944c3 Merge pull request #1755 from hashicorp/logxi
Convert to logxi
2016-08-21 19:28:18 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
vishalnayak 524ed6db37 Extract out common code 2016-08-21 15:46:11 -04:00
vishalnayak dfe73733d5 Separate endpoints for read/delete using secret-id and accessor 2016-08-21 14:42:49 -04:00
Jeff Mitchell 2860dcc60f gofmt 2016-08-19 16:48:32 -04:00
vishalnayak 7ce631f1dc Pretty print the warning 2016-08-18 16:09:10 -04:00
vishalnayak 870ffd6fd8 Use shortestTTL value during renewals too 2016-08-18 15:43:58 -04:00
vishalnayak 4f1c47478e When TTL is not set, consider the system default TTL as well 2016-08-18 15:37:59 -04:00
vishalnayak 56b8c33c95 aws-ec2: se max_ttl when ttl is not set, during login 2016-08-18 15:16:32 -04:00
Jeff Mitchell 638e61192a Actually show the error occurring if a file audit log can't be opened 2016-08-15 16:26:36 -04:00
Jeff Mitchell 86874def5c Parameter change
Both revocation times are UTC so clarify via parameter name that it's just a formatting difference. Also leave as a time.Time here, as it automatically marshals into RFC3339.
2016-08-14 21:43:57 -04:00
Jeff Mitchell 39cfd116b6 Cleanup 2016-08-13 11:52:09 -04:00
Jeff Mitchell 1b8711e7b7 Ensure utc value is not zero before adding 2016-08-13 11:50:57 -04:00
Jeff Mitchell d6d08250ff Ensure values to be encoded in a CRL are in UTC. This aligns with the
RFC. You might expect Go to ensure this in the CRL generation call,
but...it doesn't.

Fixes #1727
2016-08-13 08:40:09 -04:00
vishalnayak b150c14caa Address review feedback by @jefferai 2016-08-09 17:45:42 -04:00
vishalnayak 8d261b1a78 Added ttl field to aws-ec2 auth backend role 2016-08-09 17:29:45 -04:00
Jeff Mitchell b69ed7ea93 Fix build 2016-08-08 17:00:59 -04:00
Jeff Mitchell 7f6c58b807 Address review feedback 2016-08-08 16:30:48 -04:00
Jeff Mitchell 0a67bcb5bd Merge pull request #1696 from hashicorp/transit-convergent-specify-nonce
Require nonce specification for more flexibility
2016-08-08 11:41:10 -04:00
Jeff Mitchell 1f198e9256 Return warning about ACLing the LDAP configuration endpoint.
Fixes #1263
2016-08-08 10:18:36 -04:00
Jeff Mitchell 606ba64e23 Remove context-as-nonce, add docs, and properly support datakey 2016-08-07 15:53:40 -04:00
Jeff Mitchell 1976bc0534 Add unit tests for convergence in non-context mode 2016-08-07 15:16:36 -04:00
Jeff Mitchell 8b1d47037e Refactor convergent encryption to make specifying a nonce in addition to context possible 2016-08-05 17:52:44 -04:00
Vincent Batoufflet 0b73c2ff9a Fix PKI logical backend email alt_names 2016-08-04 12:10:34 +02:00
Jeff Mitchell 58e9cbbfc6 Add postgres test for block statements 2016-08-03 15:34:50 -04:00
Jeff Mitchell 9e204bd88c Add arbitrary string slice parsing.
Like the KV function, this supports either separated strings or JSON
strings, base64-encoded or not.

Fixes #1619 in theory.
2016-08-03 14:24:16 -04:00
Jeff Mitchell c025b292b5 Cleanup 2016-08-03 13:09:12 -04:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
Jeff Mitchell e0c5f5f5fa Add convergence tests to transit backend 2016-07-28 11:30:52 -04:00
vishalnayak a6907769b0 AppRole authentication backend 2016-07-26 09:32:41 -04:00
Jeff Mitchell 0cfb112e87 Explicitly set invalid request status when a password isn't included 2016-07-25 11:14:15 -04:00
Jeff Mitchell dc4b85b55e Don't return 500 for user error in userpass when setting password 2016-07-25 11:09:46 -04:00
Jeff Mitchell d4c3e27c4e Fix re-specification of filter 2016-07-25 09:08:29 -04:00
Oren Shomron cd6d114e42 LDAP Auth Backend Overhaul
--------------------------

Added new configuration option to ldap auth backend - groupfilter.
GroupFilter accepts a Go template which will be used in conjunction with
GroupDN for finding the groups a user is a member of. The template will
be provided with context consisting of UserDN and Username.

Simplified group membership lookup significantly to support multiple use-cases:
  * Enumerating groups via memberOf attribute on user object
  * Previous default behavior of querying groups based on member/memberUid/uniqueMember attributes
  * Custom queries to support nested groups in AD via LDAP_MATCHING_RULE_IN_CHAIN matching rule

There is now a new configuration option - groupattr - which specifies
how to resolve group membership from the objects returned by the primary groupfilter query.

Additional changes:
  * Clarify documentation for LDAP auth backend.
  * Reworked how default values are set, added tests
  * Removed Dial from LDAP config read. Network should not affect configuration.
2016-07-22 21:20:05 -04:00
Jeff Mitchell 68dcf677fa Fix panic if no certificates are supplied by client
Fixes #1637
2016-07-21 10:20:41 -04:00
Jeff Mitchell b353e44209 Fix build 2016-07-21 09:53:41 -04:00
Jeff Mitchell d335038b40 Ensure we never return a nil set of trusted CA certs
Fixes #1637
2016-07-21 09:50:31 -04:00
Laura Bennett 559b0a5006 Merge pull request #1635 from hashicorp/mysql-idle-conns
Added maximum idle connections to mysql to close hashicorp/vault#1616
2016-07-20 15:31:37 -04:00
Jeff Mitchell b558c35943 Set defaults to handle upgrade cases.
Ping #1604
2016-07-20 14:07:19 -04:00
Jeff Mitchell f2b6569b0b Merge pull request #1604 from memory/mysql-displayname-2
concat role name and token displayname to form mysql username
2016-07-20 14:02:17 -04:00
Nathan J. Mehl ea294f1d27 use both role name and token display name to form mysql username 2016-07-20 10:17:00 -07:00
Laura Bennett e6bf4fa489 whitespace error corrected 2016-07-20 12:00:05 -04:00
Nathan J. Mehl 0483457ad2 respond to feedback from @vishalnayak
- split out usernameLength and displaynameLength truncation values,
  as they are different things

- fetch username and displayname lengths from the role, not from
  the request parameters

- add appropriate defaults for username and displayname lengths
2016-07-20 06:36:51 -07:00
Laura Bennett 7cdb8a28bc max_idle_connections added 2016-07-20 09:26:26 -04:00
Laura Bennett 03c7eb7d18 initial commit before rebase to stay current with master 2016-07-19 14:18:37 -04:00
Jeff Mitchell 30ca541f99 Merge pull request #1414 from mhurne/mongodb-secret-backend
Add mongodb secret backend
2016-07-19 13:56:15 -04:00
Jeff Mitchell 3334b22993 Some minor linting 2016-07-19 13:54:18 -04:00
Matt Hurne 0f9ee8fbed Merge branch 'master' into mongodb-secret-backend 2016-07-19 12:47:58 -04:00
Matt Hurne 072c5bc915 mongodb secret backend: Remove redundant type declarations 2016-07-19 12:35:14 -04:00
Matt Hurne c7d42cb112 mongodb secret backend: Fix broken tests, clean up unused parameters 2016-07-19 12:26:23 -04:00
Vishal Nayak fbb04349b5 Merge pull request #1629 from hashicorp/remove-verify-connection
Remove unused VerifyConnection from storage entries of SQL backends
2016-07-19 12:21:23 -04:00
Vishal Nayak 8a1bb1626a Merge pull request #1583 from hashicorp/ssh-allowed-roles
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-19 12:04:12 -04:00
vishalnayak 7fb04a1bbd Remove unused VerifyConnection from storage entries of SQL backends 2016-07-19 11:55:49 -04:00
Matt Hurne 316837857b mongodb secret backend: Return lease ttl and max_ttl in lease read in seconds rather than as duration strings 2016-07-19 11:23:56 -04:00
Matt Hurne f18d98272d mongodb secret backend: Don't bother persisting verify_connection field in connection config 2016-07-19 11:20:45 -04:00
Matt Hurne f8e6bcbb69 mongodb secret backend: Handle cases where stored username or db is not a string as expected when revoking credentials 2016-07-19 11:18:00 -04:00
Matt Hurne 75a5fbd8fe Merge branch 'master' into mongodb-secret-backend 2016-07-19 10:38:45 -04:00
Jeff Mitchell 434ed2faf2 Merge pull request #1573 from mickhansen/logical-postgresql-revoke-sequences
handle revocations for roles that have privileges on sequences
2016-07-18 13:30:42 -04:00
vishalnayak c14235b206 Merge branch 'master-oss' into json-use-number
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Vishal Nayak cdf58da43b Merge pull request #1610 from hashicorp/min-tls-ver-12
Set minimum TLS version in all tls.Config objects
2016-07-13 10:53:14 -06:00
vishalnayak 09a4142fd3 Handled upgrade path for TLSMinVersion 2016-07-13 12:42:51 -04:00
Vishal Nayak 9f1e6c7b26 Merge pull request #1607 from hashicorp/standardize-time
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
vishalnayak de19314f18 Address review feedback 2016-07-13 11:52:26 -04:00
vishalnayak 407722a9b4 Added tls_min_version to consul storage backend 2016-07-12 20:10:54 -04:00
Nathan J. Mehl 314a5ecec0 allow overriding the default truncation length for mysql usernames
see https://github.com/hashicorp/vault/issues/1605
2016-07-12 17:05:43 -07:00
vishalnayak f34f0ef503 Make 'tls_min_version' configurable 2016-07-12 19:32:47 -04:00
vishalnayak 46d34130ac Set minimum TLS version in all tls.Config objects 2016-07-12 17:06:28 -04:00
vishalnayak 8269f323d3 Revert 'risky' changes 2016-07-12 16:38:07 -04:00
Jeff Mitchell 57cdb58374 Switch to pester from go-retryablehttp to avoid swallowing 500 error messages 2016-07-11 21:37:46 +00:00
Mick Hansen 9ee4542a7c incorporate code style guidelines 2016-07-11 13:35:35 +02:00
Mick Hansen c25788e1d4 handle revocations for roles that have privileges on sequences 2016-07-11 13:16:45 +02:00
Nathan J. Mehl 2cf4490b37 use role name rather than token displayname in generated mysql usernames
If a single token generates multiple mysql roles, the generated mysql
username was previously prepended with the displayname of the vault
user; this makes the output of `show processlist` in mysql potentially
difficult to correlate with the roles actually in use without
cross-checking against the vault audit log.

See https://github.com/hashicorp/vault/pull/1603 for further discussion.
2016-07-10 15:57:47 -07:00
Matt Hurne 6505e85dae mongodb secret backend: Improve safety of MongoDB roles storage 2016-07-09 21:12:42 -04:00
vishalnayak e09b40e155 Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC 2016-07-08 18:30:18 -04:00
Matt Hurne bb8a45eb8b Format code in mongodb secret backend 2016-07-07 23:16:11 -04:00
Matt Hurne 8d5a7992c1 mongodb secret backend: Improve and correct errors in documentation; improve "parameter is required" error response messages 2016-07-07 23:09:45 -04:00
Matt Hurne eee6f04e40 mongodb secret backend: Refactor to eliminate unnecessary variable 2016-07-07 22:29:17 -04:00
Matt Hurne ce845df43c mongodb secret backend: Consider a "user not found" response a success when removing a user from Mongo 2016-07-07 22:27:47 -04:00
Matt Hurne 138d74f745 mongodb secret backend: Improve roles path help 2016-07-07 22:16:34 -04:00
Matt Hurne 7f9d91acb6 mongodb secret backend: Remove default value for Mongo authentication DB for roles; validate that role name and authentication db were specified when creating a role 2016-07-07 22:09:00 -04:00
Matt Hurne de84cdabe6 mongodb secret backend: Leverage framework.TypeDurationSecond to simplify storage of lease ttl and max_ttl 2016-07-07 21:48:44 -04:00
Matt Hurne 6d7c9f5424 mongodb secret backend: Verify existing Session is still working before reusing it 2016-07-07 21:37:44 -04:00
vishalnayak db3670c353 Fix transit tests 2016-07-06 22:04:08 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers.
Changed all the occurrences of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
vishalnayak 5367a7223d Add allowed_roles to ssh-helper-config and return role name from verify call 2016-07-05 11:14:29 -04:00
Matt Hurne 769d20c770 Merge branch 'master' into mongodb-secret-backend 2016-07-05 09:33:12 -04:00
Matt Hurne ba9c97b915 mongodb secret backend: Add support for reading connection configuration; Dockerize tests 2016-07-05 09:32:38 -04:00
Sean Chittenden 2e828383e0 Move the parameter down to where the statement is executed. 2016-07-03 16:20:27 -07:00
Sean Chittenden 08fb1a30d4 Use `lib/pq`'s `QuoteIdentifier()` on all identifiers and Prepare
for all literals.
2016-07-03 16:01:39 -07:00
Matt Hurne 292c2fad69 Merge branch 'master' into mongodb-secret-backend 2016-07-01 20:39:13 -04:00
Jeff Mitchell 4a8d9eb942 Shave off a lot of PKI testing time by not requiring key generation when testing CSRs. Also enable all tests all the time. 2016-07-01 17:28:48 -04:00
Jeff Mitchell 369dcff5f9 Merge pull request #1581 from mp911de/cassandra_connect_timeout
Support connect_timeout for Cassandra and align timeout.
2016-07-01 22:33:24 +02:00
Mark Paluch ab63c938c4 Address review feedback.
Switch ConnectTimeout to framework.TypeDurationSecond with a default of 5. Remove own parsing code.
2016-07-01 22:26:08 +02:00
Mark Paluch 3859f7938a Support connect_timeout for Cassandra and align timeout.
The cassandra backend now supports a configurable connect timeout. The timeout is configured using the connect_timeout parameter in the session configuration. Also align the timeout to 5 seconds which is the default for the Python and Java drivers.

Fixes #1538
2016-07-01 21:22:37 +02:00
Jeff Mitchell 51cd67115c Run appid/cert auth tests always 2016-07-01 14:06:33 -04:00
Jeff Mitchell db211a4b61 Migrate Consul acceptance tests to Docker 2016-07-01 13:59:56 -04:00
Matt Hurne cdde4071d7 mongodb secret backend: Parse ssl URI option as a boolean rather than relying on string comparison 2016-07-01 13:55:06 -04:00
Jeff Mitchell a2e95614d6 Have SQL backends Ping() before access.
If unsuccessful, reestablish connections as needed.
2016-07-01 12:02:17 -04:00
Jeff Mitchell e50e331ffc Always run transit acceptance tests 2016-07-01 11:45:56 -04:00
Jeff Mitchell 5313ae8a1b Merge pull request #1578 from hashicorp/dockerize-mysql-acc-tests
Convert MySQL tests to Dockerized versions
2016-07-01 17:38:52 +02:00
Jeff Mitchell 5d707c41ff Always run userpass acceptance tests 2016-07-01 11:37:38 -04:00
Jeff Mitchell 8d984c111d Convert MySQL tests to Dockerized versions 2016-07-01 11:36:28 -04:00
Matt Hurne 46bf080409 mongodb secret backend: Refactor URI parsing logic to leverage url.Parse 2016-07-01 09:12:26 -04:00
Matt Hurne 6f05d6f21f mongodb secret backend: Prefix all generated usernames with "vault-", and cleanly handle empty display names when generating usernames 2016-06-30 21:11:45 -04:00
Matt Hurne acf4b0b637 Merge branch 'master' into mongodb-secret-backend 2016-06-30 16:43:53 -04:00
Jeff Mitchell 2488d520a4 Merge branch 'master-oss' into dockerize-pg-secret-tests 2016-06-30 14:31:52 -04:00
Jeff Mitchell 3e515c5885 Fix up breakage from bumping deps 2016-06-30 14:31:41 -04:00
Jeff Mitchell 8da8881825 Add comment around bind to localhost 2016-06-30 13:49:11 -04:00
Jeff Mitchell 22e83ae7f5 Dockerize Postgres secret backend acceptance tests
Additionally enable them on all unit test runs.
2016-06-30 13:46:39 -04:00
Jeff Mitchell 619ddc38b7 Use TRACE not WARN here 2016-06-30 12:41:56 -04:00
Matt Hurne 7879812f76 Persist verify_connection field in mongodb secret backend's connection config 2016-06-30 11:39:02 -04:00
Matt Hurne 350b69670c Rename mongodb secret backend's 'ttl_max' lease configuration field to 'max_ttl' 2016-06-30 09:57:43 -04:00
Matt Hurne 05cc4f2761 Merge branch 'master' into mongodb-secret-backend 2016-06-30 09:02:30 -04:00
Jeff Mitchell 16d4f79c71 Fix test 2016-06-30 08:21:00 -04:00
Jeff Mitchell 5df2dd30c5 Change warn to trace for these messages 2016-06-29 21:04:02 -04:00
Jeff Mitchell cf178d3c9e Merge remote-tracking branch 'oss/master' into postgres-pl-lock 2016-06-29 17:40:34 -04:00
Jeff Mitchell 934e60c3c9 Add stmt close calls 2016-06-29 17:39:47 -04:00
Jeff Mitchell a56f79adcb Run prepare on the transaction, not the db 2016-06-29 17:20:41 -04:00
Matt Hurne 5e8c912048 Add mongodb secret backend 2016-06-29 08:33:06 -04:00
cara marie 11c205e19b removed option to create 1024 keybitlength certs 2016-06-28 16:56:14 -04:00
Jeff Mitchell 43df682365 Add more debug output 2016-06-28 11:03:56 -04:00
Jeff Mitchell 0802497c8a Add some logging to enter/exit of some functions 2016-06-24 16:11:22 -04:00
Jeff Mitchell 9dc0599a30 Address review feedback 2016-06-23 10:18:03 -04:00
Jeff Mitchell d7029fc49a Add some more testing 2016-06-23 09:49:03 -04:00
Jeff Mitchell 45a442e593 Set some basic key usages by default.
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.

Fixes #1476
2016-06-22 16:08:24 -04:00