Commit graph

809 commits

Author SHA1 Message Date
Nick Cabatoff ff74f49047
Move to go 1.17 (#12868)
Also ensure that the go 1.17 breaking changes to net.ParseCIDR don't make us choke on stored CIDRs that were acceptable to older Go versions.
2021-10-21 09:32:03 -04:00
ludewigh 0b95a394d4
Fix auth/aws so that config/rotate-root saves new key pair to vault (#12715)
* test:  add test to verify Vault storage is updated

* bug: fix config/rotate-root to store new key

* choir: fix changelog name to match PR
2021-10-19 10:26:47 -04:00
Brian Kassouf c705adc79c
Fix some linting errors (#12860) 2021-10-18 17:29:47 -07:00
Rémi Lapeyre 308806eee3
Return 404 response when looking for a secret_id_accessor that does not exist (#12788)
* Return 404 response when looking for an secret_id_accessor that does not exist

Closes https://github.com/hashicorp/vault/issues/12660
2021-10-11 15:07:51 +01:00
Jacob Burroughs 65029f8c8f
Fix pkcs7 parsing in some cases (#12519)
* Fix pkcs7 parsing in some cases

brings in https://github.com/mozilla-services/pkcs7/pull/61 from upstream

In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```

This fixes logins on those instances.  Note we could not readily ascertain why
some instances have those certificates and others don't.

* Add changelog entry

* Correct missed line
2021-09-10 12:17:03 -04:00
Blake Hitchcock cf15a60a87
Send x-forwarded-for in Okta Push Factor request (#12320)
* Send x-forwarded-for in Okta Push Factor request

Why:

In order for Okta to properly report the location of the authentication
attempt, the X-Forwarded-For header must be included in the request to
Okta (if it exists).

This change addresses the need by:

* Duplicating the value of X-Forwarded-For if it's passed through to the
  auth backend

* Add changelog entry for 12320
2021-09-03 13:09:11 -07:00
Jason O'Donnell b55e1a31fc
creds/aws: Add support for DSA signature verification for EC2 (#12340)
* creds/aws: import pkcs7 verification package

* Add DSA support

* changelog

* Add DSA to correct verify function

* Remove unneeded tests

* Fix backend test

* Update builtin/credential/aws/pkcs7/README.md

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update builtin/credential/aws/path_login.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2021-08-19 09:16:31 -04:00
Lars Lehtonen 7f6602d017
builtin/credential/cert: fix dropped test error (#12184) 2021-07-28 13:19:23 -07:00
Jeff Mitchell 33ff878946
Move awsutil over to the go-secure-stdlib version (#12128)
Unlike the other libraries that were migrated, there are no usages of
this lib in any of our plugins, and the only other known usage was in
go-kms-wrapping, which has been updated. Aliasing it like the other libs
would still keep the aws-sdk-go dep in the sdk module because of the
function signatures. So I've simply removed it entirely here.
2021-07-20 20:42:00 -04:00
Jeff Mitchell fb473a8b9b
Swap out stepwise for external repo version (#12089) 2021-07-20 13:20:23 -04:00
Jeff Mitchell f7147025dd
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090)
* Swap sdk/helper libs to go-secure-stdlib

* Migrate to go-secure-stdlib reloadutil

* Migrate to go-secure-stdlib kv-builder

* Migrate to go-secure-stdlib gatedwriter
2021-07-15 20:17:31 -04:00
vinay-gopalan c20b5f1040
[VAULT-1986] Cap AWS Token TTL based on Default Lease TTL (#12026)
* fix: cap token TTL at login time based on default lease TTL

* add changelog file

* patch: update warning messages to not include 'at login'

* patch: remove default lease capping and test

* update changelog

* patch: revert warning message
2021-07-15 10:05:38 -07:00
Lars Lehtonen 159272db7f
builtin/credential/approle: fix dropped test errors (#11990) 2021-07-05 11:00:12 -04:00
Marc Boudreau 3c35a25d36
Fix for Issue 11863 - Panic when creating/updating approle role with token_type (#11864)
* initializing resp variable with aa *logical.Response before using it to add warning for default-service or default-batch token type.  Also adding guard around code that sets resp to a new logical.Response further on in the function.

* adding changelog entry

* renaming changelog file to match PR number
2021-06-24 13:03:41 -04:00
John-Michael Faircloth 096a354626
approle: convert Callbacks to Operations (#11893)
* approle: convert Callbacks to Operations

The usage of oldstyle "Callbacks" is causing the `cannot write to readonly
storage` error message when `login` is attempted against a performance standby.

Use the newstyle "Operations" and additionally set the Forward
parameters to forward the request to the Active vault node.

* add changelog

* do not forward for alias lookahead operation

* remove forward fields and remove changelog

- Because this request is an UpdateOperation, it should have automatically been
routed to the primary/active by the router before it reaches the backend.
- changelog should not be needed as this change is only a refactor with
no user-facing behavior changes.
2021-06-21 13:38:22 -05:00
Jason O'Donnell 5ed63d4ce1
logical/aw: move sts signing request to awsutil (#11704) 2021-05-26 13:30:46 -04:00
Vishal Nayak 6ec8cd8f28
Tokenutil: Perform num uses check earlier (#11647)
* Perform num uses check earlier

* Add CL

* Ensure that login works
2021-05-19 14:06:08 -04:00
Michael Golowka 10b1ff8f69
AWS Auth: Update error message to include underlying error (#11638) 2021-05-17 13:56:35 -06:00
Lars Lehtonen d8f7dd364a
builtin: deprecate errwrap.Wrapf() throughout (#11430)
* audit: deprecate errwrap.Wrapf()

* builtin/audit/file: deprecate errwrap.Wrapf()

* builtin/crediential/app-id: deprecate errwrap.Wrapf()

* builtin/credential/approle: deprecate errwrap.Wrapf()

* builtin/credential/aws: deprecate errwrap.Wrapf()

* builtin/credentials/token: deprecate errwrap.Wrapf()

* builtin/credential/github: deprecate errwrap.Wrapf()

* builtin/credential/cert: deprecate errwrap.Wrapf()

* builtin/logical/transit: deprecate errwrap.Wrapf()

* builtin/logical/totp: deprecate errwrap.Wrapf()

* builtin/logical/ssh: deprecate errwrap.Wrapf()

* builtin/logical/rabbitmq: deprecate errwrap.Wrapf()

* builtin/logical/postgresql: deprecate errwrap.Wrapf()

* builtin/logical/pki: deprecate errwrap.Wrapf()

* builtin/logical/nomad: deprecate errwrap.Wrapf()

* builtin/logical/mssql: deprecate errwrap.Wrapf()

* builtin/logical/database: deprecate errwrap.Wrapf()

* builtin/logical/consul: deprecate errwrap.Wrapf()

* builtin/logical/cassandra: deprecate errwrap.Wrapf()

* builtin/logical/aws: deprecate errwrap.Wrapf()
2021-04-22 11:20:59 -04:00
Brian Kassouf 303c2aee7c
Run a more strict formatter over the code (#11312)
* Update tooling

* Run gofumpt

* go mod vendor
2021-04-08 09:43:39 -07:00
Brian Kassouf de0253056c
Fix a few static analysis findings (#11307) 2021-04-07 16:48:40 -07:00
Jim Kalafut 1785b1bd00
Replace deprecated terms in AWS Auth (#10997)
* Replace deprecated terms in AWS Auth

This PR is part of an effort to remove non-inclusive language throughout
Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term
extensively, and these are the focus of the PR:

* Add new API endpoints that use the preferred terminology, while
  deprecating the old endpoints. These endpoints offer identical
  functionality and are basically aliases. This is the only functional
  change in the PR except for terms in error messages.
* Replace "whitelist" -> "access list", "blacklist" -> "deny list" in
  variable names, comments, etc.

Note that storage locations were *not* changed at this time, as that is
a more complex process involving versioning that we may tackle in a future
revision. We have reduced the occurrences of non-inclusive language,
however.

Reviewers should be sure to "Ignore Whitespace" in diffs, especially for
the tests, which were basically indented one level as part of looping
over the tests with both the old and new names.
2021-02-25 23:23:34 -08:00
Jim Kalafut 7e54bc15c2
Add TOTP support to Okta Auth (#10942) 2021-02-21 21:18:17 -08:00
Calvin Leung Huang b1c4b86d7f
approle: add ttl to the secret ID generation response (#10826)
* approle: add ttl to the secret ID generation response

* approle: move TTL derivation into helper func

* changelog: add changelog entry

* docs: update approle docs and api-docs pages
2021-02-03 16:32:16 -08:00
Nick Cabatoff ffe301a5df
Don't list certs if we were told which cert to use. (#10616) 2021-01-19 08:39:59 -05:00
Clint 4d81e3be4d
Improve consistency in error messages (#10537)
* Improve consistency in error messages

* add changelog entry
2020-12-11 15:21:53 -06:00
Mike Grass e1541a4569
Improve errors for aws login with an unbound ARN (#10036)
* Improve errors for aws login with an unbound ARN

* Factor hasWildcardBind into its own function

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2020-10-22 11:24:47 -07:00
Danielle b821d35acb
approle: Include role_name in alias metadata (#9529)
This change allows people who are using templated policies to use the
role_name in their templates through {{
identity.entity.aliases.approle.metadata.role_name }}.

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2020-10-16 14:01:57 -07:00
Theron Voran 52581cd472
Add logging during awskms auto-unseal (#9794)
Adds debug and warn logging around AWS credential chain generation,
specifically to help users debugging auto-unseal problems on AWS, by
logging which role is being used in the case of a webidentity token.

Adds a deferred call to flush the log output as well, to ensure logs
are output in the event of an initialization failure.
2020-09-28 14:06:49 -07:00
Billy Keyes 26e8627cfc
Use us-gov-west-1 for global APIs in aws-us-gov (#9947)
* Use us-gov-west-1 for global APIs in aws-us-gov

Certain partition-global AWS services, like IAM, seem to require
specific regions. In the regular 'aws' partition, this is us-east-1. In
the 'aws-us-gov' partition, this is us-gov-west-1. Providing
us-gov-east-1 returns an error from AWS:

  SignatureDoesNotMatch: Credential should be scoped to a valid region, not 'us-gov-east-1'.

This resolves a problem where AWS authentication could randomly fail
depending on the value cached by Vault at startup.
2020-09-25 17:13:26 -07:00
Lauren Voswinkel 201fc8fd4d
Add content-sha256 as a default allowed STS header (#10009)
Also, alphabetize those headers... just because.
2020-09-22 10:02:37 -07:00
Lauren Voswinkel 5740e1ff9e
5844 AWS Root Credential Rotation (#9921)
* strip redundant field type declarations

* root credential rotation for aws creds plugin

* Change location of mocks awsutil and update methods that no longer exist

* Update website/pages/docs/auth/aws.mdx

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

* Update sdk version to get the awsutil mock file

* Re-vendor modules to pass CI

* Use write lock for the entirety of AWS root cred rotation

* Update docs for AWS root cred rotation for clarity

Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2020-09-15 15:26:56 -07:00
ncabatoff b615da43d7
Run CI tests in docker instead of a machine. (#8948) 2020-09-15 10:01:26 -04:00
Scott Miller 4c4fb54806
Aws auth fixes (#9825)
* Bring over PSIRT-37 changes from ENT

* Add additional allowed headers

* Already had this one

* Change to string slice comma separated parsing

* Add allowed_sts_header_values to read output

* Only validate AWS related request headers

* one per line

* Import ordering

* Update test

* Add X-Amz-Credential

* Reorder imports
2020-08-25 17:37:59 -05:00
ncabatoff 0247a7533e
Upgrade to newer okta lib for pagination, fetch all groups using it (#9580) 2020-07-24 09:05:08 -04:00
Clint cbecc40e48
Stepwise docker env (#9292)
* add first stepwise test env, Docker, with example transit test

* update transit stepwise test

* add other tests that use stepwise

* cleanup test, make names different than just 'transit'

* return the stderr if compile fails with error

* minor cleanups

* minor cleanups

* go mod vendor

* cleanups

* remove some extra code, and un-export some fields/methods

* update vendor

* remove reference to vault.CoreConfig, which really wasn't used anyway

* update with go mod vendor

* restore Precheck method to test cases

* clean up some networking things; create networks with UUID, clean up during teardown

* vendor stepwise

* Update sdk/testing/stepwise/environments/docker/environment.go

haha thanks :D

Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>

* Update sdk/testing/stepwise/environments/docker/environment.go

Great catch, thanks

Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>

* fix redundant name

* update error message in test

* Update builtin/credential/userpass/stepwise_test.go

More explicit error checking and responding

Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>

* Update builtin/logical/aws/stepwise_test.go

`test` -> `testFunc`

Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>

* Update builtin/logical/transit/stepwise_test.go

Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>

* fix typos

* update error messages to provide clarity

* Update sdk/testing/stepwise/environments/docker/environment.go

Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>

* update error handling / collection in Teardown

* panic if GenerateUUID returns an error

* Update sdk/testing/stepwise/environments/docker/environment.go

Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>

* Update builtin/credential/userpass/stepwise_test.go

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

* Update builtin/logical/aws/stepwise_test.go

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

* Update builtin/logical/transit/stepwise_test.go

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

* Update sdk/testing/stepwise/environments/docker/environment.go

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

* import ordering

* standardize on dc from rc for cluster

* lowercase name

* CreateAPIClient -> NewAPIClient

* testWait -> ensure

* go mod cleanup

* cleanups

* move fields and method around

* make start and dockerclusternode private; use better random serial number

* use better random for SerialNumber

* add a timeout to the context used for terminating the docker container

* Use a constant for the Docker client version

* rearrange import statements

Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2020-06-26 17:52:31 -05:00
Josh Black 6e92c8cbd2
Add a new "vault monitor" command (#8477)
Add a new "vault monitor" command

Co-authored-by: ncabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>
2020-05-21 13:07:50 -07:00
Becca Petrin d7a6011b3e
Fix AWS auth renewals (#8991)
* fix aws auth renewals

* Update builtin/credential/aws/path_login.go

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>

* debug log missing account_ids

* strip tests and related changes

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2020-05-18 11:10:36 -07:00
Jeff Mitchell 1d3d89e2aa
Create configutil and move some common config and setup functions there (#8362) 2020-05-14 09:19:27 -04:00
Becca Petrin 3b420b0735
Add helper for aliasmetadata and add to AWS auth (#8783)
* add aliasmetadata sdk helper and add to aws auth

* split into ec2_metadata and iam_metadata fields

* fix tests

* strip pointer

* add test of default metadata

* more test <3

* switch from interface to custom marshallers

* add tests for marshalling

* store nil when selected fields are default

* separate loop into pieces

* separate acc test into multiple

* Update builtin/credential/aws/path_login.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* changes from feedback

* update aws test

* refactor to also populate auth metadata

* update how jsonification is tested

* only add populated metadata values

* add auth_type to ec2 logins

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2020-04-27 10:06:07 -07:00
Calvin Leung Huang e9f73e66c2
userpass: fix upgrade value for token_bound_cidrs (#8826) 2020-04-23 14:00:21 -07:00
ncabatoff c5f3996855
The new okta library doesn't prepend /api/v1 to our URL paths like the old one does (we still use the old one in the absence of an API token, since the new one doesn't support that.) Make our shim prepend /api/v1 to manual requests for the new library like the old library does, and remove explicit /api/v1 from our request paths. (#8807) 2020-04-23 14:35:26 -04:00
Michael Golowka 9c3e4daa33
Improve error outputs (#8740)
Makes "ldap operation failed" error messages a little more useful. Also
makes the errors unique so it's easier to debug where an error is coming
from when one occurs.
2020-04-14 14:08:07 -06:00
Becca Petrin 2ce9ada9cb
Retry on transient failures during AWS IAM auth login attempts (#8727)
* use retryer for failed aws auth attempts

* fixes from testing
2020-04-13 14:28:14 -07:00
Becca Petrin 1f5d2f7bbb
Always pick us-east-1 for the "aws" partition (#8679)
* always pick us-east-1 for aws partition

* Update builtin/credential/aws/backend.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2020-04-03 15:08:56 -07:00
Becca Petrin a69167ac11
add debug logging for client selection (#8556) 2020-03-16 13:36:47 -07:00
Jorge Heleno a9e864f5e3
Add LDAP anonymous group search and client certs (#8365) 2020-03-06 10:27:09 -08:00
ncabatoff 4463428a24
Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418)
Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up.  Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap.
2020-03-03 16:43:24 -05:00
Michel Vocks 985acc4ce5
Fix ldap client upndomain (#8333) 2020-02-14 10:26:30 -08:00
Jim Kalafut 4fba1901a6
Stabilize the selection of region from partition in AWS Auth (#8161)
AWS client object caches are by region. Some AWS API calls don't care
what region's client they use, but the existing getAnyRegionForAwsPartition
scheme was returning a random region, which in turn triggered maintaining many
more client objects than are necessary (e.g. 18 regions in the main AWS
partition). This can be an issue for heavy STS users bumping up against
STS rate limits, since 18 sets of creds are being cached and renewed per
STS role.
2020-02-13 22:21:58 -08:00