Laura Bennett
f5ed650966
whitespace error corrected
2016-07-20 12:00:05 -04:00
Nathan J. Mehl
83635c16b6
respond to feedback from @vishalnayak
...
- split out usernameLength and displaynameLength truncation values,
as they are different things
- fetch username and displayname lengths from the role, not from
the request parameters
- add appropriate defaults for username and displayname lengths
2016-07-20 06:36:51 -07:00
Laura Bennett
badaabc17d
max_idle_connections added
2016-07-20 09:26:26 -04:00
Laura Bennett
b99c692f0d
initial commit before rebase to stay current with master
2016-07-19 14:18:37 -04:00
Jeff Mitchell
8cbd94e13e
Merge pull request #1414 from mhurne/mongodb-secret-backend
...
Add mongodb secret backend
2016-07-19 13:56:15 -04:00
Jeff Mitchell
33624201c2
Some minor linting
2016-07-19 13:54:18 -04:00
Matt Hurne
2f8a1daa7d
Merge branch 'master' into mongodb-secret-backend
2016-07-19 12:47:58 -04:00
Matt Hurne
35472ba9f9
mongodb secret backend: Remove redundant type declarations
2016-07-19 12:35:14 -04:00
Matt Hurne
3c68002cc2
mongodb secret backend: Fix broken tests, clean up unused parameters
2016-07-19 12:26:23 -04:00
Vishal Nayak
3f0a1e4b88
Merge pull request #1629 from hashicorp/remove-verify-connection
...
Remove unused VerifyConnection from storage entries of SQL backends
2016-07-19 12:21:23 -04:00
Vishal Nayak
4e5c3631f4
Merge pull request #1583 from hashicorp/ssh-allowed-roles
...
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-19 12:04:12 -04:00
vishalnayak
ca22b6cfdb
Remove unused VerifyConnection from storage entries of SQL backends
2016-07-19 11:55:49 -04:00
Matt Hurne
a130c13c34
mongodb secret backend: Return lease ttl and max_ttl in lease read in seconds rather than as duration strings
2016-07-19 11:23:56 -04:00
Matt Hurne
8be8714e86
mongodb secret backend: Don't bother persisting verify_connection field in connection config
2016-07-19 11:20:45 -04:00
Matt Hurne
047db0ffef
mongodb secret backend: Handle cases where stored username or db is not a string as expected when revoking credentials
2016-07-19 11:18:00 -04:00
Matt Hurne
d23ba11a0c
Merge branch 'master' into mongodb-secret-backend
2016-07-19 10:38:45 -04:00
Jeff Mitchell
aa9c05002e
Merge pull request #1573 from mickhansen/logical-postgresql-revoke-sequences
...
handle revocations for roles that have privileges on sequences
2016-07-18 13:30:42 -04:00
vishalnayak
5b458db104
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Vishal Nayak
1970ad74d7
Merge pull request #1610 from hashicorp/min-tls-ver-12
...
Set minimum TLS version in all tls.Config objects
2016-07-13 10:53:14 -06:00
vishalnayak
6977bdd490
Handled upgrade path for TLSMinVersion
2016-07-13 12:42:51 -04:00
Vishal Nayak
64bdeec926
Merge pull request #1607 from hashicorp/standardize-time
...
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
vishalnayak
98d5684699
Address review feedback
2016-07-13 11:52:26 -04:00
vishalnayak
150cba24a7
Added tls_min_version to consul storage backend
2016-07-12 20:10:54 -04:00
Nathan J. Mehl
417cf49bb7
allow overriding the default truncation length for mysql usernames
...
see https://github.com/hashicorp/vault/issues/1605
2016-07-12 17:05:43 -07:00
vishalnayak
ee6ba1e85e
Make 'tls_min_version' configurable
2016-07-12 19:32:47 -04:00
vishalnayak
f200a8568b
Set minimum TLS version in all tls.Config objects
2016-07-12 17:06:28 -04:00
vishalnayak
9f208ae8f2
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
Jeff Mitchell
7129fd5785
Switch to pester from go-retryablehttp to avoid swallowing 500 error messages
2016-07-11 21:37:46 +00:00
Mick Hansen
cc742a6fc5
incorporate code style guidelines
2016-07-11 13:35:35 +02:00
Mick Hansen
463294f4c6
handle revocations for roles that have privileges on sequences
2016-07-11 13:16:45 +02:00
Nathan J. Mehl
0648160276
use role name rather than token displayname in generated mysql usernames
...
If a single token generates multiple mysql roles, the generated mysql
username was previously prepended with the displayname of the vault
user; this makes the output of `show processlist` in mysql potentially
difficult to correlate with the roles actually in use without
cross-checking against the vault audit log.
See https://github.com/hashicorp/vault/pull/1603 for further discussion.
2016-07-10 15:57:47 -07:00
Matt Hurne
0a5a815c68
mongodb secret backend: Improve safety of MongoDB roles storage
2016-07-09 21:12:42 -04:00
vishalnayak
f59a69bc52
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
Matt Hurne
0a4638080a
Format code in mongodb secret backend
2016-07-07 23:16:11 -04:00
Matt Hurne
2c3b5513df
mongodb secret backend: Improve and correct errors in documentation; improve "parameter is required" error response messages
2016-07-07 23:09:45 -04:00
Matt Hurne
611b08a5b9
mongodb secret backend: Refactor to eliminate unnecessary variable
2016-07-07 22:29:17 -04:00
Matt Hurne
afcff23362
mongodb secret backend: Consider a "user not found" response a success when removing a user from Mongo
2016-07-07 22:27:47 -04:00
Matt Hurne
67c2c0a1dd
mongodb secret backend: Improve roles path help
2016-07-07 22:16:34 -04:00
Matt Hurne
8a6959211e
mongodb secret backend: Remove default value for Mongo authentication DB for roles; validate that role name and authentication db were specified when creating a role
2016-07-07 22:09:00 -04:00
Matt Hurne
1fa764275b
mongodb secret backend: Leverage framework.TypeDurationSecond to simplify storage of lease ttl and max_ttl
2016-07-07 21:48:44 -04:00
Matt Hurne
350ffcf79f
mongodb secret backend: Verify existing Session is still working before reusing it
2016-07-07 21:37:44 -04:00
vishalnayak
c99cc155ff
Fix transit tests
2016-07-06 22:04:08 -04:00
vishalnayak
ef97199360
Added JSON Decode and Encode helpers.
...
Changed all the occurrences of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
vishalnayak
b632ef58e4
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-05 11:14:29 -04:00
Matt Hurne
8dbefb68b0
Merge branch 'master' into mongodb-secret-backend
2016-07-05 09:33:12 -04:00
Matt Hurne
2aba34d41d
mongodb secret backend: Add support for reading connection configuration; Dockerize tests
2016-07-05 09:32:38 -04:00
Sean Chittenden
f66cd75583
Move the parameter down to where the statement is executed.
2016-07-03 16:20:27 -07:00
Sean Chittenden
00ab56060a
Use lib/pq's QuoteIdentifier() on all identifiers and Prepare
...
for all literals.
2016-07-03 16:01:39 -07:00
Matt Hurne
7571487c7f
Merge branch 'master' into mongodb-secret-backend
2016-07-01 20:39:13 -04:00
Jeff Mitchell
cec644f327
Shave off a lot of PKI testing time by not requiring key generation when testing CSRs. Also enable all tests all the time.
2016-07-01 17:28:48 -04:00
Jeff Mitchell
5762446724
Merge pull request #1581 from mp911de/cassandra_connect_timeout
...
Support connect_timeout for Cassandra and align timeout.
2016-07-01 22:33:24 +02:00
Mark Paluch
895eac0405
Address review feedback.
...
Switch ConnectTimeout to framework.TypeDurationSecond with a default of 5. Remove own parsing code.
2016-07-01 22:26:08 +02:00
Mark Paluch
f85b2b11d3
Support connect_timeout for Cassandra and align timeout.
...
The cassandra backend now supports a configurable connect timeout. The timeout is configured using the connect_timeout parameter in the session configuration. Also align the timeout to 5 seconds which is the default for the Python and Java drivers.
Fixes #1538
2016-07-01 21:22:37 +02:00
Jeff Mitchell
7fc4ae959a
Migrate Consul acceptance tests to Docker
2016-07-01 13:59:56 -04:00
Matt Hurne
c8cbd33f74
mongodb secret backend: Parse ssl URI option as a boolean rather than relying on string comparison
2016-07-01 13:55:06 -04:00
Jeff Mitchell
ef98d56fba
Have SQL backends Ping() before access.
...
If unsuccessful, reestablish connections as needed.
2016-07-01 12:02:17 -04:00
Jeff Mitchell
b0844f9aea
Always run transit acceptance tests
2016-07-01 11:45:56 -04:00
Jeff Mitchell
1ba78db242
Convert MySQL tests to Dockerized versions
2016-07-01 11:36:28 -04:00
Matt Hurne
339aec9751
mongodb secret backend: Refactor URI parsing logic to leverage url.Parse
2016-07-01 09:12:26 -04:00
Matt Hurne
3c666532c8
mongodb secret backend: Prefix all generated usernames with "vault-", and cleanly handle empty display names when generating usernames
2016-06-30 21:11:45 -04:00
Matt Hurne
2eb0e16e1c
Merge branch 'master' into mongodb-secret-backend
2016-06-30 16:43:53 -04:00
Jeff Mitchell
dfd8a530db
Add comment around bind to localhost
2016-06-30 13:49:11 -04:00
Jeff Mitchell
f9d40aa63b
Dockerize Postgres secret backend acceptance tests
...
Additionally enable them on all unit test runs.
2016-06-30 13:46:39 -04:00
Jeff Mitchell
c4c948ff64
Use TRACE not WARN here
2016-06-30 12:41:56 -04:00
Matt Hurne
bbf0e27717
Persist verify_connection field in mongodb secret backend's connection config
2016-06-30 11:39:02 -04:00
Matt Hurne
f55955c2d8
Rename mongodb secret backend's 'ttl_max' lease configuration field to 'max_ttl'
2016-06-30 09:57:43 -04:00
Matt Hurne
7e3e246f55
Merge branch 'master' into mongodb-secret-backend
2016-06-30 09:02:30 -04:00
Jeff Mitchell
444c4d0a8c
Fix test
2016-06-30 08:21:00 -04:00
Jeff Mitchell
f3ef5cd52d
Change warn to trace for these messages
2016-06-29 21:04:02 -04:00
Jeff Mitchell
709f0e4093
Merge remote-tracking branch 'oss/master' into postgres-pl-lock
2016-06-29 17:40:34 -04:00
Jeff Mitchell
d9fa64a07c
Add stmt close calls
2016-06-29 17:39:47 -04:00
Jeff Mitchell
fb9a4a15c5
Run prepare on the transaction, not the db
2016-06-29 17:20:41 -04:00
Matt Hurne
4c97b1982a
Add mongodb secret backend
2016-06-29 08:33:06 -04:00
cara marie
8b11798807
removed option to create 1024 keybitlength certs
2016-06-28 16:56:14 -04:00
Jeff Mitchell
f24a17f343
Add more debug output
2016-06-28 11:03:56 -04:00
Jeff Mitchell
ccf36b81f1
Add some logging to enter/exit of some functions
2016-06-24 16:11:22 -04:00
Jeff Mitchell
307b30d6be
Address review feedback
2016-06-23 10:18:03 -04:00
Jeff Mitchell
cd41344685
Add some more testing
2016-06-23 09:49:03 -04:00
Jeff Mitchell
48bd5db7af
Set some basic key usages by default.
...
Some programs (such as OpenVPN) don't like it if you don't include key
usages. This adds a default set that should suffice for most extended
usages. However, since things get twitchy when these are set in ways
various crypto stacks don't like, it's fully controllable by the user.
Fixes #1476
2016-06-22 16:08:24 -04:00
Jeff Mitchell
13a778ab92
Revert "Use x509 package ext key usage instead of custom type"
...
This reverts commit 0b2d8ff475.
2016-06-22 13:07:31 -04:00
Jeff Mitchell
0b2d8ff475
Use x509 package ext key usage instead of custom type
2016-06-22 11:51:32 -04:00
Jeff Mitchell
7ffa7deb92
Do some internal renaming in PKI
2016-06-22 11:39:57 -04:00
Vishal Nayak
3291ce6551
Merge pull request #1515 from hashicorp/sql-config-reading
...
Allow reading of config in sql backends
2016-06-21 10:07:34 -04:00
vishalnayak
ff90768684
Added warnings when configuring connection info in sql backends
2016-06-21 09:58:57 -04:00
Vishal Nayak
513346a297
Merge pull request #1546 from hashicorp/secret-aws-roles
...
Added list functionality to logical aws backend's roles
2016-06-20 20:10:24 -04:00
vishalnayak
677028e161
Added test case for listing aws secret backend roles
2016-06-20 20:09:31 -04:00
vishalnayak
c37ef12834
Added list functionality to logical aws backend's roles
2016-06-20 19:51:04 -04:00
Vishal Nayak
55757decec
Merge pull request #1514 from hashicorp/backend-return-objects
...
Backend() functions should return 'backend' objects.
2016-06-20 19:30:00 -04:00
Jeff Mitchell
1c15a56726
Add convergent encryption option to transit.
...
Fixes #1537
2016-06-20 13:17:48 -04:00
vishalnayak
799bb9c286
Address review feedback
2016-06-17 10:11:39 -04:00
vishalnayak
adbfef8561
Allow reading of config in sql backends
2016-06-11 11:48:40 -04:00
vishalnayak
cfe0aa860e
Backend() functions should return 'backend' objects.
...
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
Laura Bennett
c21ef90dba
Merge pull request #1498 from hashicorp/pki-list
...
PKI List Functionality
2016-06-08 15:42:50 -04:00
vishalnayak
07824acfae
Fix broken test
2016-06-08 13:00:19 -04:00
vishalnayak
6d730e33bf
Minor changes to the RabbitMQ acceptance tests
2016-06-08 12:50:43 -04:00
LLBennett
44b1f5fc25
Updates to the test based on feedback.
2016-06-08 16:49:10 +00:00
Laura Bennett
5d945067de
Add PKI listing
2016-06-08 11:50:59 -04:00
Jeff Mitchell
9ceeb685e9
Add an explicit default for TTLs for rabbit creds
2016-06-08 11:35:09 -04:00
Jeff Mitchell
e16a46bca2
Fix some typos in rmq text and structure
2016-06-08 11:31:57 -04:00
vishalnayak
618a82567e
Added pooled transport for rmq client. Added tests
2016-06-08 10:46:46 -04:00
Jeff Mitchell
d5fb9ee98d
Migrate to go-uuid
2016-06-08 10:36:16 -04:00
vishalnayak
f216292e68
Polish the code
2016-06-08 10:25:03 -04:00
Vishal Nayak
8b15722fb4
Merge pull request #788 from doubledutch/master
...
RabbitMQ Secret Backend
2016-06-08 10:02:24 -04:00
Jeff Mitchell
196776b9b8
Make logical.InmemStorage a wrapper around physical.InmemBackend.
...
This:
* Allows removing LockingInmemStorage since the physical backend already
locks properly
* Makes listing work properly by adhering to expected semantics of only
listing up to the next prefix separator
* Reduces duplicated code
2016-06-06 12:03:08 -04:00
Jeff Mitchell
c2a8b09e7b
Use backend function instead of separate backend creation in consul
2016-06-03 10:08:58 -04:00
Jeff Mitchell
551f4a8606
Change AWS/SSH to reuse backend creation code for test functions
2016-06-01 12:17:47 -04:00
Vishal Nayak
577a993223
Merge pull request #1445 from hashicorp/consul-fixups
...
Reading consul access configuration in the consul secret backend.
2016-06-01 12:11:12 -04:00
Jeff Mitchell
74a1e3bd61
Remove most Root paths
2016-05-31 23:42:54 +00:00
vishalnayak
d6d5dacb82
Set config access test case as an acceptance test and make travis happy
2016-05-31 13:27:34 -04:00
vishalnayak
445040e344
Add tests around writing and reading consul access configuration
2016-05-31 13:27:34 -04:00
Jeff Mitchell
539af86939
Add reading to consul config, and some better error handling.
2016-05-31 13:27:34 -04:00
vishalnayak
8ae663f498
Allow * to be set for allowed_users
2016-05-30 03:12:43 -04:00
vishalnayak
c945b8b3f2
Do not allow any username to login if allowed_users is not set
2016-05-30 03:01:47 -04:00
Jeff Mitchell
3bf1645e8f
Return nil for pre-0.5.3 Consul tokens to avoid pathological behavior
2016-05-27 13:09:52 -04:00
Jeff Mitchell
ba5dc348d8
Add test for renew/revoke to Consul secret backend
2016-05-27 11:27:53 -04:00
Vishal Nayak
9c6aebf1c0
Merge pull request #1456 from hashicorp/consul-lease-renewal
...
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
Jeff Mitchell
fba0f6e46c
Add comment about the deletions
2016-05-26 10:33:35 -04:00
Jeff Mitchell
1632b8fadc
Remove deprecated entries from PKI role output.
...
Fixes #1452
2016-05-26 10:32:04 -04:00
vishalnayak
2fa0773f3f
s/logical.ErrorResponse/fmt.Errorf in revocation functions of secrets
2016-05-26 10:04:11 -04:00
vishalnayak
41aebe2dba
Fix the consul secret backends renewal revocation problem
2016-05-25 23:24:16 -04:00
Kevin Pike
03cef8ad85
Update and document rabbitmq test envvars
2016-05-20 23:28:02 -07:00
Kevin Pike
8caffae70f
Merge remote-tracking branch 'origin/master' into rabbitmq
2016-05-20 23:27:22 -07:00
Kevin Pike
36023720c6
Address feedback
2016-05-20 22:57:24 -07:00
Jeff Mitchell
8efe203a8e
Don't use pointers to int64 in function calls when not necessary
2016-05-19 12:26:02 -04:00
Jeff Mitchell
8c3e9c4753
Merge pull request #1318 from steve-jansen/aws-logical-assume-role
...
Add sts:AssumeRole support to the AWS secret backend
2016-05-19 12:17:27 -04:00
Jeff Mitchell
5330aa734b
Use Consul API client's DefaultNonPooledTransport.
...
What we should probably do is create a client with a mutex and
invalidate it when parameters change rather than creating a client over
and over...that can be a TODO for later but for now this fix suffices.
Fixes #1428
2016-05-18 00:47:42 +00:00
Sean Chittenden
1dc1d3b312
Merge pull request #1417 from hashicorp/b-pki-expire-ttl-unset
...
Set entry's TTL before writing out the storage entry's config
2016-05-15 10:02:03 -07:00
Sean Chittenden
339c0a4127
Speling police
2016-05-15 09:58:36 -07:00
Sean Chittenden
65a5582c38
Store clamped TTLs back in the role's config
2016-05-15 08:13:56 -07:00
Sean Chittenden
dc19a92820
Set entry's TTL before writing out the storage entry's config
2016-05-15 07:06:33 -07:00
vishalnayak
7a10134f87
Merge branch 'master-oss' into aws-auth-backend
2016-05-10 14:50:00 -04:00
Jeff Mitchell
9de0ea081a
Don't revoke CA certificates with leases.
2016-05-09 19:53:28 -04:00
Jeff Mitchell
3ca09fdf30
Merge pull request #1346 from hashicorp/disable-all-caches
...
Disable all caches
2016-05-07 16:33:45 -04:00
Steve Jansen
69740e57e0
Adds sts:AssumeRole support to the AWS secret backend
...
Support use cases where you want to provision STS tokens
using Vault, but, you need to call AWS APIs that are blocked
for federated tokens. For example, STS federated tokens cannot
invoke IAM APIs, such as Terraform scripts containing
`aws_iam_*` resources.
2016-05-05 23:32:41 -04:00
Jeff Mitchell
42d9df95c1
Merge branch 'master-oss' into aws-auth-backend
2016-05-05 10:36:06 -04:00
Jeff Mitchell
88811a4776
Cleanups, add shared provider, ability to specify http client, and port S3 physical backend over
2016-05-03 17:01:02 -04:00
Jeff Mitchell
56cc74887f
Region is required so error in awsutil if not set and set if empty in client code in logical/aws
2016-05-03 15:25:11 -04:00
Jeff Mitchell
56011c9443
Refactor AWS credential code into a function that returns a static->env->instance chain
2016-05-03 15:10:35 -04:00
Jeff Mitchell
e48cb2e840
Add some more tests around deletion and fix upsert status returning
2016-05-03 00:19:18 -04:00
Jeff Mitchell
027d570f7f
Massively simplify lock handling based on feedback
2016-05-02 23:47:18 -04:00
Jeff Mitchell
bf7ad912e1
Remove some deferring
2016-05-02 22:36:44 -04:00
Jeff Mitchell
16267d5115
Change use-hint of lockAll and lockPolicy
2016-05-02 22:36:44 -04:00
Jeff Mitchell
5ec40a14f4
Address review feedback
2016-05-02 22:36:44 -04:00
Jeff Mitchell
c598a12ab9
Switch to lockManager
2016-05-02 22:36:44 -04:00
Jeff Mitchell
3ab71ca239
Address feedback
2016-05-02 22:36:44 -04:00
Jeff Mitchell
634cea72d7
Fix up commenting and some minor tidbits
2016-05-02 22:36:44 -04:00
Jeff Mitchell
32601f4424
Make a non-caching but still locking variant of transit for when caches are disabled
2016-05-02 22:36:44 -04:00
vishalnayak
81e4235fc0
Support periodic tidy callback and config endpoints.
2016-04-26 10:22:29 -04:00
Jeff Mitchell
77a2afa922
Merge pull request #1291 from mmickan/ssh-keyinstall-perms
...
Ensure authorized_keys file is readable when uninstalling an ssh key
2016-04-25 14:00:37 -04:00
Adam Shannon
e0df8e9e88
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
vishalnayak
f61b277e36
Skip acceptance tests if VAULT_ACC is not set
2016-04-11 20:00:15 -04:00
Kevin Pike
450f8675e6
Do not provide a default lease
2016-04-08 09:50:47 -07:00
Kevin Pike
72f910e222
List roles
2016-04-08 09:46:25 -07:00
Kevin Pike
862afdb355
Support verify_connection flag
2016-04-08 09:44:15 -07:00
Kevin Pike
226a89d75e
Fix username generation
2016-04-08 09:32:29 -07:00
Kevin Pike
a20f2bc6bd
Merge branch 'master' of github.com:doubledutch/vault
2016-04-08 09:25:28 -07:00
Kevin Pike
5208a35236
Update comment
2016-04-08 09:07:06 -07:00
Kevin Pike
9f5fe082de
Fix documentation typo
2016-04-08 09:05:38 -07:00
Kevin Pike
d4205eed24
Fix documentation typo
2016-04-08 09:05:06 -07:00
Kevin Pike
8d6ab3afa4
Rename uri to connection_uri
2016-04-08 09:04:42 -07:00
Kevin Pike
8497a6367f
Merge remote-tracking branch 'upstream/master'
2016-04-08 08:57:10 -07:00
vishalnayak
d71dcf2da2
s/TF_ACC/VAULT_ACC
2016-04-05 15:24:59 -04:00
vishalnayak
ac5ceae0bd
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
Mark Mickan
8deed677d2
Ensure authorized_keys file is readable when uninstalling an ssh key
...
Without this change, if the user running the ssh key install script doesn't
have read access to the authorized_keys file when uninstalling a key, all
keys will be deleted from the authorized_keys file.
Fixes GH #1285
2016-04-05 17:26:21 +09:30
Jeff Mitchell
2bc8cf4583
Remove check for using CSR values with non-CA certificate.
...
The endpoint enforces whether the certificate is a CA or not anyways, so
this ends up not actually providing benefit and causing a bug.
Fixes #1250
2016-03-23 10:05:38 -04:00
Jeff Mitchell
5b0d85dbf3
Add ability to exclude adding the CN to SANs.
...
Fixes #1220
2016-03-17 16:28:40 -04:00
Vishal Nayak
0b2477d7cb
Merge pull request #998 from chrishoffman/mssql
...
Sql Server (mssql) secret backend
2016-03-10 22:30:24 -05:00
Chris Hoffman
b9c8f95746
Cleaning up lease and lease duration vars and params
2016-03-10 21:15:18 -05:00
Chris Hoffman
e6ce2164d2
Removing root protected endpoints
2016-03-10 21:08:39 -05:00
Chris Hoffman
bfa943c771
Changing DROP USER query to a more compatible version
2016-03-10 21:06:50 -05:00
Chris Hoffman
1d7fe31eac
Adding verify_connection to config, docs updates, misc cleanup
2016-03-09 23:08:05 -05:00
Jeff Mitchell
09070c4aca
Sanitize serial number in revocation path.
...
Ping #1180
2016-03-08 10:51:59 -05:00
Jeff Mitchell
c40c3b393f
Add serial_number back to path_issue_sign responses in PKI
2016-03-08 09:25:48 -05:00
Jeff Mitchell
4cdc44bab5
Add revocation information to PKI fetch output (non-raw only).
...
Fixes #1180
2016-03-07 10:57:38 -05:00
Jeff Mitchell
a9f070323a
Error rather than skip Consul acceptance tests if Consul isn't found
2016-03-07 10:09:36 -05:00
Chris Hoffman
ed5ca17b57
Adding mssql secret backend
2016-03-03 09:19:17 -05:00
Jeff Mitchell
404a7fafff
Don't spawn consul servers when testing unless it's an acceptance test
2016-02-29 14:58:06 -05:00
Jeff Mitchell
581d2cfee0
Don't run transit fuzzing if not during acceptance tests
2016-02-29 14:44:04 -05:00
Jeff Mitchell
a86c1ba264
Only run PKI backend setup functions when TF_ACC is set
2016-02-29 14:41:14 -05:00
Jeff Mitchell
1f3b089a49
Apply hyphen/underscore replacement across the entire username.
...
Handles app-id generated display names.
Fixes #1140
2016-02-26 15:26:23 -05:00
Jeff Mitchell
ec75a24647
Be more explicit about buffer type
2016-02-24 22:05:39 -05:00
Jeff Mitchell
7ed0399e1f
Add "tidy/" which allows removing expired certificates.
...
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has passed. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
vishalnayak
9280dda5f4
rename verify_cert as disable_binding and invert the logic
2016-02-24 21:01:21 -05:00
Matt Hurne
8bd0cc6391
Improve error message returned when client attempts to generate STS credentials for a managed policy; addresses #1113
2016-02-23 08:58:28 -05:00
Jeff Mitchell
50082a61d8
Merge pull request #1114 from hashicorp/dont-delete-certs
...
Do not delete certs (or revocation information)
2016-02-22 16:11:13 -05:00
Jeff Mitchell
db8b4287e3
Address review feedback
2016-02-22 16:11:01 -05:00
Jeff Mitchell
5176c75a0f
Remove extra debugging from PKI tests
2016-02-22 13:39:05 -05:00
Jeff Mitchell
9685c94459
Do not delete certs (or revocation information) to avoid potential
...
issues related to time synchronization. A function will be added to
allow operators to perform cleanup at chosen times.
2016-02-22 13:36:17 -05:00
Jeff Mitchell
4c2c932816
Fix issue where leftover values after cn tests could trigger errors in ipsan tests
2016-02-22 13:35:57 -05:00
Vishal Nayak
7dac5efe27
Merge pull request #1112 from hashicorp/1089-postgres-connection-url
...
postgres: connection_url fix
2016-02-22 11:36:04 -05:00
Jeff Mitchell
7c60548b9a
More improvements to PKI tests; allow setting a specific seed, output
...
the seed to the console, and split generated steps to make it
understandable which seed is for which set of steps.
2016-02-22 11:22:52 -05:00
vishalnayak
046d7f87b4
postgres: connection_url fix
2016-02-22 11:22:49 -05:00
Jeff Mitchell
ec97c6c8e2
Use more fuzziness in PKI backend tests
2016-02-22 10:59:37 -05:00
Jeff Mitchell
d993993f18
Better handle errors from fetchCertBySerial
2016-02-22 10:36:26 -05:00
Kevin Pike
6ac1a8c48b
Update update operation and uuid references
2016-02-21 15:31:22 -08:00
Kevin Pike
79ed734a2f
Merge branch 'master' into rabbitmq
2016-02-21 14:55:06 -08:00
Kevin Pike
d805f2ef57
Add RabbitMQ secret backend
2016-02-21 14:52:57 -08:00
Jeff Mitchell
d3af63193b
Add tests for minimum key size checking. (This will also verify that the
...
key type matches that of the role, since type assertions are required to
check the bit size). Like the rest, these are fuzz tests; I have
verified that the random seed will eventually hit error conditions if
ErrorOk is not set correctly when we expect an error.
2016-02-19 21:39:40 -05:00
Jeff Mitchell
5da2949d45
Check role key type and bits when signing CSR.
...
Two exceptions: signing an intermediate CA CSR, and signing a CSR via
the 'sign-verbatim' path.
2016-02-19 20:50:49 -05:00
vishalnayak
992a32975c
Cap the length midString in IAM user's username to 42
2016-02-19 18:31:10 -05:00
Vishal Nayak
d123d4c02e
Merge pull request #1102 from hashicorp/shorten-aws-usernames
...
Set limits on generated IAM user and STS token names.
2016-02-19 18:25:29 -05:00
Jeff Mitchell
9b57078b26
Some minor changes in mysql commenting and names
2016-02-19 16:44:52 -05:00
Jeff Mitchell
63a8061e87
Set limits on generated IAM user and STS token names.
...
Fixes #1031
Fixes #1063
2016-02-19 16:35:06 -05:00
vishalnayak
b4cd7d019e
mysql: fix error message
2016-02-19 16:07:06 -05:00
vishalnayak
20342d9049
Don't deprecate value field yet
2016-02-19 16:07:06 -05:00
vishalnayak
d8f72887fc
Removed connectionString.ConnectionString
2016-02-19 16:07:05 -05:00
vishalnayak
5f19c77897
mysql: provide allow_verification option to disable connection_url check
2016-02-19 16:07:05 -05:00
Jeff Mitchell
ac3191ad02
Disallow 1024-bit RSA keys.
...
Existing certificates are kept but roles with key bits < 2048 will need
to be updated as the signing/issuing functions now enforce this.
2016-02-19 14:33:02 -05:00
Vishal Nayak
ba9c0dced1
Merge pull request #1086 from hashicorp/iss962-verify-otp-response-code
...
SSH: Fix response code for ssh/verify
2016-02-18 13:32:28 -05:00
vishalnayak
f5f9a9a056
ssh: Fix response code for ssh/verify
2016-02-16 19:46:29 -05:00
vishalnayak
3bad2a3af0
Pki: Respond user error when cert is not found instead of internal error
2016-02-16 17:58:57 -05:00
Jeff Mitchell
4923624593
Merge pull request #1061 from tomrittervg/tomrittervg-typos-1
...
Fix some typos
2016-02-11 15:12:09 -05:00
Jeff Mitchell
4ff2b119eb
Merge pull request #1062 from tomrittervg/tomrittervg-AllowedBaseDomain-migration
...
AllowedBaseDomain will stay non-empty in certain error conditions. None of these conditions should be hit anyways, but this provides an extra safety check.
2016-02-11 15:07:54 -05:00
Jeff Mitchell
a1a7c11154
Merge pull request #1053 from mwielgoszewski/postgresql-revocation
...
Fix PostgreSQL secret backend issues revoking users
2016-02-11 12:52:37 -05:00
Tom Ritter
b6ef18cad0
Fix AllowedBaseDomain Migration
...
AllowedBaseDomain is only zero-ed out if the domain is not found in the (new) AllowedDomains configuration setting. If the domain is found, AllowedBaseDomain is not emptied and this code will be run every single time.
//untested
2016-02-09 15:42:15 -06:00
Tom Ritter
88ae7ae9fe
Typo in error message in path_intermediate.go
2016-02-09 15:08:30 -06:00
Tom Ritter
ccdbb5d910
Typo in policy.go
2016-02-08 12:00:06 -06:00
Jeff Mitchell
122773ba71
Add slack on NotBefore value for generated certs.
...
This fixes an issue where, due to clock skew, one system can get a cert
and try to use it before it thinks it's actually valid. The tolerance of
30 seconds should be high enough for pretty much any set of systems
using NTP.
Fixes #1035
2016-02-07 14:00:03 -05:00
Jeff Mitchell
f75e121d8c
Introduce a locking inmem storage for unit tests that are doing concurrent things
2016-02-04 09:40:35 -05:00
Jeff Mitchell
f4df0d828e
Add transit fuzz test
2016-02-03 17:36:15 -05:00
Vishal Nayak
eb482c4066
Merge pull request #1013 from hashicorp/fix-ssh-tests
...
Fix SSH tests
2016-02-02 14:22:09 -05:00
vishalnayak
6b5b96d795
Fix SSH test cases.
2016-02-02 12:32:50 -05:00
Jeff Mitchell
3ac40a7ae5
Use capabilities to determine upsert-ability in transit.
2016-02-02 10:03:14 -05:00
Jeff Mitchell
216fe1b9da
Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config"
...
This reverts commit dc27d012c0.
2016-02-02 09:26:25 -05:00
Jeff Mitchell
dc27d012c0
Re-add upsert into transit. Defaults to off and a new endpoint /config
...
can be used to turn it on for a given mount.
2016-02-01 20:13:57 -05:00
Jeff Mitchell
d402292f85
Fix comment text
2016-02-01 17:20:16 -05:00
Jeff Mitchell
7fb8db2e6c
Allow the format to be specified as pem_bundle, which creates a
...
concatenated PEM file.
Fixes #992
2016-02-01 13:19:41 -05:00
Jeff Mitchell
3b77905c75
Cassandra:
...
* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs
2016-02-01 10:27:26 -05:00
Jeff Mitchell
c60a9cd130
Remove grace periods
2016-01-31 19:33:16 -05:00
Jeff Mitchell
229973444d
Match leases in the test
2016-01-29 20:45:38 -05:00
Jeff Mitchell
33f3e2727c
Fix building of consul backend test
2016-01-29 20:03:38 -05:00
Jeff Mitchell
2eb08d3bde
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
Jeff Mitchell
fec6c51197
Merge pull request #979 from hashicorp/transit-locking
...
Implement locking in the transit backend.
2016-01-29 14:40:32 -05:00
Jeff Mitchell
42905b6a73
Update error return strings
2016-01-29 14:40:13 -05:00
Jeff Mitchell
ce44ccf68e
Address final review feedback
2016-01-29 14:33:51 -05:00
Jeff Mitchell
99f193811a
Only specify cert sign / CRL sign for CAs and only specify extended key
...
usages for clients.
This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.
Fixes #987
2016-01-29 10:26:35 -05:00
Jeff Mitchell
3b22ab02c6
Add listing of roles to PKI
2016-01-28 15:18:07 -05:00
Jeff Mitchell
abd71ce80e
Add list support for mysql roles
2016-01-28 15:04:25 -05:00
Jeff Mitchell
9cf06240e0
Add list support for postgres roles
2016-01-28 14:41:50 -05:00
Jeff Mitchell
298892ef38
Fix postgres backend test SQL for user priv checking
2016-01-28 14:41:13 -05:00
Jeff Mitchell
5bfba62a77
Ensure generatePolicy checks disk, not just the cache, now that we aren't eager loading
2016-01-28 13:10:59 -05:00
Jeff Mitchell
886f641e5d
Add listing of roles to ssh backend
2016-01-28 12:48:00 -05:00
Jeff Mitchell
65c3bc631b
Remove eager loading
2016-01-28 08:59:05 -05:00
Jeff Mitchell
32aed5fa74
Embed the cache directly
2016-01-27 21:59:20 -05:00
Jeff Mitchell
4808c811ed
Merge pull request #942 from wikiwi/fix-ssh-open-con
...
Cleanly close SSH connections
2016-01-27 17:18:54 -05:00
Jeff Mitchell
46514e01fa
Implement locking in the transit backend.
...
This ensures that we can safely rotate and modify configuration
parameters with multiple requests in flight.
As a side effect we also get a cache, which should provide a nice
speedup since we don't need to decrypt/deserialize constantly, which
would happen even with the physical LRU.
2016-01-27 17:03:21 -05:00
Jeff Mitchell
e6b2d45c03
Move archive location; also detect first load of a policy after archive
...
is added and cause the keys to be copied to the archive.
2016-01-27 13:41:37 -05:00
Jeff Mitchell
625e8091a5
Address review feedback
2016-01-27 13:41:37 -05:00
Jeff Mitchell
463cdd3d32
Store all keys in archive always
2016-01-27 13:41:37 -05:00
Jeff Mitchell
e729ace3f1
Add unit tests
2016-01-27 13:41:37 -05:00
Jeff Mitchell
8d5a0dbcdc
Force min decrypt version to 1 if it's zero, which allows fixing problematic archiving logic
2016-01-27 13:41:37 -05:00
Jeff Mitchell
9f2310c15c
Fix logic bug when restoring keys
2016-01-27 13:41:37 -05:00
Jeff Mitchell
ea9fb68a34
Fix decrementing instead of incrementing
2016-01-27 13:41:37 -05:00
Jeff Mitchell
ebe319c96b
Initial transit key archiving work
2016-01-27 13:41:37 -05:00
Jeff Mitchell
aa65b3a21c
Add a max_idle_connections parameter.
2016-01-25 14:47:07 -05:00
Jeff Mitchell
cf95982d80
Allow backends to see taint status.
...
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.
Fixes #946
2016-01-22 17:01:22 -05:00
Dmitriy Gromov
df65547eca
STS now uses root vault user for keys
...
The secretAccessKeysRevoke revoke function now asserts that it is
not dealing with STS keys by checking a new internal data flag. Defaults
to IAM when the flag is not found.
Factored out genUsername into its own function to share between STS and
IAM secret creation functions.
Fixed bad call to "WriteOperation" instead of "UpdateOperation" in
aws/backend_test
2016-01-21 15:04:16 -05:00
Dmitriy Gromov
ea1e29fa33
Renamed sts duration to ttl and added STS permissions note.
2016-01-21 14:28:34 -05:00
Dmitriy Gromov
b37a963841
Removing debug print statement from sts code
2016-01-21 14:05:10 -05:00
Dmitriy Gromov
6f50cd9439
Fixed duration type and added acceptance test for sts
2016-01-21 14:05:10 -05:00
Dmitriy Gromov
522e8a3450
Configurable sts duration
2016-01-21 14:05:09 -05:00
Jack DeLoach
d206599b80
Add STS path to AWS backend.
...
The new STS path allows for obtaining the same credentials that you would get
from the AWS "creds" path, except it will also provide a security token, and
will not have an annoyingly long propagation time before returning to the user.
2016-01-21 14:05:09 -05:00
Jeff Mitchell
4fc58e8b41
Merge pull request #895 from nickithewatt/aws-prexisting-policies
...
Allow use of pre-existing policies for AWS users
2016-01-21 13:23:37 -05:00
Chi Vinh Le
555834f83d
Cleanly close SSH connections
2016-01-19 07:59:08 +01:00
Jeff Mitchell
21f91f73bb
Update deps, and adjust usage of go-uuid to match new return values
2016-01-13 13:40:08 -05:00
Jeff Mitchell
45e32756ea
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Marcin Wielgoszewski
48660ddba5
Address issues with properly revoking a user via these additional REVOKE statements
2016-01-06 09:22:55 -05:00
Nicki Watt
79fb12c977
Updated AWS policy help messages
2015-12-30 19:41:07 +00:00
Nicki Watt
375a57b975
Allow use of pre-existing policies for AWS users
2015-12-30 18:05:54 +00:00
Jeff Mitchell
29f04250ff
Built on GH-890 to add other types
2015-12-29 13:07:24 -05:00
Issac Goldstand
6149e1256e
fix CA compatibility with OpenSSL
2015-12-29 18:52:43 +02:00
Jeff Mitchell
a0308e6858
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
Jeff Mitchell
555d621a2f
Update key usage logic
...
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
Windows Crypto API and Go's validation logic
Fixes #846
2015-12-14 14:23:51 -05:00
Jeff Mitchell
1c8cf4101a
Merge branch 'master' into pki-csrs
2015-12-01 00:09:23 -05:00
Jeff Mitchell
5a5d4212af
Fix AWS tests
2015-12-01 00:05:04 -05:00
Jeff Mitchell
bd03d3c422
Change allowed_base_domain to allowed_domains and allow_base_domain to
...
allow_bare_domains, for comma-separated multi-domain support.
2015-11-30 23:49:11 -05:00
Jeff Mitchell
703a0d65c0
Remove token display names from input options as there isn't a viable
...
use-case for it at the moment
2015-11-30 18:07:42 -05:00
Jeff Mitchell
6342699da3
Greatly simplify and fix the name validation function, as well as fully
...
comment it.
2015-11-23 14:15:32 -05:00
Jeff Mitchell
7eed5db86f
Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up
2015-11-19 17:14:22 -05:00
Jeff Mitchell
4f2f7a0e3b
Mostly revert changes to certutil as the embedded struct stuff was being
...
problematic.
2015-11-19 14:18:39 -05:00
Jeff Mitchell
061539434f
Update validator function for URIs. Change example of entering a CA to a
...
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
2015-11-19 11:35:17 -05:00
Jeff Mitchell
fcbdb5f30a
fix tests
2015-11-19 10:13:28 -05:00
Jeff Mitchell
3437af0711
Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
cb5514f3f3
Move public key comparison logic to its own function
2015-11-19 09:51:18 -05:00
Jeff Mitchell
b5423493ca
Move serial number generation and key validation into certutil; centralize format and key verification
2015-11-19 09:51:18 -05:00
Jeff Mitchell
da34e7c4e7
Add URL validation
2015-11-19 09:51:18 -05:00
Jeff Mitchell
129235ba2e
Fix zero path length handling, and move common field defs elsewhere
2015-11-19 09:51:18 -05:00
Jeff Mitchell
636fad0180
Fix logic around zero path length -- only restrict issuing intermediate CAs in this case
2015-11-19 09:51:18 -05:00
Jeff Mitchell
237285e822
Address some feedback from review
2015-11-19 09:51:18 -05:00
Jeff Mitchell
cf148d8cc6
Large documentation updates, remove the pathlength path in favor of
...
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
29d1f5030e
Add path length paths and unit tests to verify same.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
7f12ac0026
Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests.
2015-11-19 09:51:18 -05:00
Jeff Mitchell
4de2060a96
Add tests for using raw CSR values
2015-11-19 09:51:18 -05:00
Jeff Mitchell
a763391615
Change a few checks on names:
...
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).
- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.
Also, fix a nil pointer issue.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
f8deb998ed
Add config/urls CRUD operations to get and set the URLs encoded into
...
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
aae434576f
Change use_csr_subject to use_csr_values; copy not only the subject, but
...
also the alternate names and the extensions over as well.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
e8f1e8eb98
Remove setting serial number in the pkix Subject
2015-11-19 09:51:17 -05:00
Jeff Mitchell
a093508ceb
Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR
2015-11-19 09:51:17 -05:00
Jeff Mitchell
03e4ab785d
Add capability to use the CSR's common name (by default for CA CSRs if
...
no common_name parameter is given, role-controlled for non-CA CSRs).
Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
2015-11-19 09:51:17 -05:00
Jeff Mitchell
4e73187837
Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
62e4b89ea7
Address some minor PR feedback
2015-11-19 09:51:17 -05:00
Jeff Mitchell
f46b5b90c7
Fix otto import of uuid
2015-11-19 09:51:17 -05:00
Jeff Mitchell
76f94fe49b
Cleanup, and add ability to sign CA CSRs that aren't destined for Vault
2015-11-19 09:51:17 -05:00
Jeff Mitchell
c33c43620f
Add tests for intermediate signing and CRL, and fix a couple things
...
Completes extra functionality.
2015-11-19 09:51:17 -05:00
Jeff Mitchell
e45af0a17b
Add unit tests to test signing logic, fix up test logic for names
2015-11-19 09:51:17 -05:00
Jeff Mitchell
10c2b9f76b
Handle email address alternative names, fix up tests, fix up logic around name verification
2015-11-19 09:51:17 -05:00
Jeff Mitchell
41799529f7
Add allow_base_domain to control whether or not the actual base domain is allowed as a cert common name and/or DNS SAN
2015-11-19 09:51:17 -05:00
Jeff Mitchell
4cf1508898
Add email protection flag plumbing and tests; don't call generate bundle when making an intermediate CSR since everything is now ignored
2015-11-19 09:51:17 -05:00
Jeff Mitchell
62049cd059
Add sign method (untested)
2015-11-19 09:51:17 -05:00
Jeff Mitchell
667d5cafd3
Don't show field names when not needed
2015-11-19 09:51:17 -05:00
Jeff Mitchell
55fc4ba898
Implement CA cert/CSR generation. CA certs can be self-signed or
...
generate an intermediate CSR, which can be signed.
2015-11-19 09:51:17 -05:00
Kevin Pike
af4768cefc
rabbitmq secret backend
2015-11-18 21:21:52 -08:00
Jeff Mitchell
07c0146542
Allow creating Consul management tokens
...
Fixes #714
2015-11-03 15:29:58 -05:00
Seth Vargo
3e2c4ffb7b
Fix breaking API changes
2015-10-30 18:22:48 -04:00
Jeff Mitchell
8a11c2d3c7
Update Postgres tests and changelogify
2015-10-30 12:41:45 -04:00
Jeff Mitchell
d066aea418
Revoke permissions before dropping user in postgresql.
...
Currently permissions are not revoked, which can lead revocation to not
actually work properly. This attempts to revoke all permissions and only
then drop the role.
Fixes issue #699
2015-10-30 11:58:52 -04:00
Jeff Mitchell
d3aebadc3c
Fix wording
2015-10-29 12:58:29 -04:00
Jeff Mitchell
5c0a16b16a
Use cleanhttp instead of bare http.Client
2015-10-22 14:37:12 -04:00
Jeff Mitchell
0dbbef1ac0
Don't use http.DefaultClient
...
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.
Fixes #700, I believe.
2015-10-15 17:54:00 -04:00
Jeff Mitchell
0ea4271ddb
Use split-out hashicorp/uuid
2015-10-12 14:07:12 -04:00
Vishal Nayak
e217795abd
Merge pull request #661 from hashicorp/maxopenconns
...
Parameterize max open connections in postgresql and mysql backends
2015-10-03 16:55:20 -04:00
vishalnayak
8dc5bdf0e3
Added ConnectionURL along with ConnectionString
2015-10-02 23:47:10 -04:00
Jeff Mitchell
5088eb322c
Remove use of os/user as it cannot be run with CGO disabled
2015-10-02 18:43:38 -07:00
vishalnayak
af61803256
fix struct tags
2015-10-02 14:13:27 -04:00
vishalnayak
fd72fbd342
Fix ConnectionString JSON value
2015-10-02 12:07:31 -04:00
vishalnayak
93c4cccc6e
mysql: made max_open_connections configurable
2015-10-01 21:15:56 -04:00
vishalnayak
bc5ad114e4
postgresql: Configurable max open connections to the database
2015-10-01 20:11:24 -04:00
Jeff Mitchell
6c21b3b693
Remove JWT for the 0.3 release; it needs a lot of rework.
2015-09-24 16:23:44 -04:00
Jeff Mitchell
3dee178392
Start rejigging JWT
2015-09-24 16:20:22 -04:00
Jeff Mitchell
fa53293b7b
Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values
2015-09-21 16:14:30 -04:00
Jeff Mitchell
08a81a3364
Update transit backend documentation, and also return the min decryption
...
value in a read operation on the key.
2015-09-21 16:13:43 -04:00
Jeff Mitchell
a4ca14cfbc
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
Jeff Mitchell
fa6cbba286
Move no_plaintext to two separate paths for datakey.
2015-09-18 14:41:05 -04:00
Jeff Mitchell
b8fe460170
Add datakey generation to transit.
...
Can specify 128 bits (defaults to 256) and control whether or not
plaintext is returned (default true).
Unit tests for all of the new functionality.
2015-09-18 14:41:05 -04:00
Jeff Mitchell
82d1f28fb6
Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key
2015-09-18 14:41:05 -04:00
Jeff Mitchell
46073e4470
Enhance transit backend:
...
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
2015-09-18 14:41:05 -04:00
Jeff Mitchell
11cea42ec7
Rename View to StorageView to make it more distinct from SystemView
2015-09-15 13:50:37 -04:00
Lassi Pölönen
1a6f778623
Define time zone explicitly in postgresql connection string.
2015-09-14 13:43:06 +03:00
Lassi Pölönen
ea2a6361eb
Explicitly set timezone with PostgreSQL timestamps.
2015-09-14 13:43:06 +03:00
Lassi Pölönen
a769c1231b
Call ResetDB as Cleanup routine to close existing database connections
...
on backend unmount.
2015-09-11 11:45:58 +03:00
Vishal Nayak
73416e1a0d
Merge pull request #580 from hashicorp/zeroaddress-path
...
Add root authenticated path to allow default CIDR to select roles
2015-09-10 15:28:49 -04:00
Jeff Mitchell
4eb9cd4c28
Remove error returns from sysview TTL calls
2015-09-10 15:09:54 -04:00
Jeff Mitchell
dd8ac00daa
Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation
2015-09-10 15:09:54 -04:00
Jeff Mitchell
aadf039368
Add DynamicSystemView. This uses a pointer to a pointer to always have
...
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.
Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
6e0cee3ef4
Switch StaticSystemView values to pointers, to support updating
2015-09-10 15:09:54 -04:00
vishalnayak
484d854de0
Vault SSH: Testing credential creation on zero address roles
2015-09-10 11:55:07 -04:00
vishalnayak
32fc41cbac
Vault SSH: Expected data for testRoleRead
2015-09-10 10:44:26 -04:00
vishalnayak
005e996784
Vault SSH: Refactoring tests
2015-09-03 18:56:45 -04:00
vishalnayak
b978db0aba
Vault SSH: Refactor lookup test case
2015-09-03 18:43:53 -04:00
vishalnayak
543f659c8e
Vault SSH: Testcase restructuring
2015-09-03 18:11:04 -04:00
vishalnayak
4748b97061
Vault SSH: make Zeroaddress entry Remove method private
2015-08-31 17:10:55 -04:00
vishalnayak
22ff8fc8ad
Vault SSH: Store roles as slice of strings
2015-08-31 17:03:46 -04:00
vishalnayak
f67a12266e
Vault SSH: refactoring
2015-08-31 16:03:28 -04:00
vishalnayak
0a4e27a1d5
Vault SSH: Refactoring backend_test
2015-08-30 14:30:59 -04:00
vishalnayak
f72befc9c6
Vault SSH: ZeroAddress CRUD test
2015-08-30 14:20:16 -04:00
vishalnayak
afdbc043e7
Vault SSH: Add read method for zeroaddress endpoint
2015-08-29 20:22:34 -04:00
vishalnayak
79be357030
Vault SSH: Zeroaddress roles and CIDR overlap check
2015-08-29 15:24:15 -04:00
Vishal Nayak
4d3f68a631
Merge pull request #578 from hashicorp/exclude-cidr-list
...
Vault SSH: Added exclude_cidr_list option to role
2015-08-28 07:59:46 -04:00
vishalnayak
1226251d14
Vault SSH: Added exclude_cidr_list option to role
2015-08-27 23:19:55 -04:00
Jeff Mitchell
f84c8b8681
Deprecate lease -> ttl in PKI backend, and default to system TTL values if not given. This prevents issuing certificates with a longer duration than the maximum lease TTL configured in Vault. Fixes #470.
2015-08-27 12:24:37 -07:00
vishalnayak
06ac073684
Vault SSH: Docs for default CIDR value
2015-08-27 13:10:15 -04:00
vishalnayak
140013aebd
Vault SSH: Default CIDR for roles
2015-08-27 13:04:15 -04:00
vishalnayak
630f348dbf
Vault SSH: Provide key option specifications for dynamic keys
2015-08-27 11:41:29 -04:00
vishalnayak
91ce8b31ab
Vault SSH: Create .ssh directory if not present. Closes #573
2015-08-27 08:45:34 -04:00
Jeff Mitchell
0d885535e6
Merge pull request #567 from hobbeswalsh/master
...
Spaces in displayName break AWS IAM
2015-08-26 12:37:52 -04:00
Robin Walsh
52eeb8551e
Adding one more test (for no-op case)
2015-08-26 09:26:20 -07:00
Robin Walsh
e67b8d42ca
Adding unit test for normalizeDisplayName()
2015-08-26 09:23:33 -07:00
Jeff Mitchell
8a0915b8ef
Explicitly check for blank leases in AWS, and give a better error message if lease_max cannot be parsed. Fixes #569.
2015-08-26 09:04:47 -07:00
Robin Walsh
2cf6af79d6
s/string replacement/regexp replacement
2015-08-24 17:00:54 -07:00
Robin Walsh
e0cfb891af
spaces in displayName break AWS IAM
2015-08-24 16:12:45 -07:00
vishalnayak
0843c3400b
Vault SSH: Documentation update
2015-08-24 14:18:37 -04:00
vishalnayak
2d5070ba50
Vault SSH: Replace args with named vars
2015-08-24 14:07:07 -04:00
vishalnayak
c33e4d24e1
Merging with master
2015-08-24 13:55:20 -04:00
vishalnayak
00c69bfacb
Vault SSH: Cleanup of aux files in install script
2015-08-24 13:50:46 -04:00
Jeff Mitchell
3da9f81bdd
Merge pull request #555 from hashicorp/toggleable-hostname-enforcement
...
Allow enforcement of hostnames to be toggleable for certificates.
2015-08-21 19:23:09 -07:00
Jeff Mitchell
99041b5b6d
Merge pull request #561 from hashicorp/fix-wild-cards
...
Allow hyphens in endpoint patterns of most backends
2015-08-21 11:40:42 -07:00
vishalnayak
923fe4125c
Vault SSH: Undo changes which do not belong to wild card changes
2015-08-21 09:58:15 -07:00
vishalnayak
41678f18ae
Vault: Fix wild card paths for all backends
2015-08-21 00:56:13 -07:00
Jeff Mitchell
97112665e8
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
vishalnayak
acb883c4b8
Vault SSH: Make the script readable
2015-08-20 16:12:17 -07:00
Jeff Mitchell
b8a72cfd47
Allow enforcement of hostnames to be toggleable for certificates. Fixes #451.
2015-08-20 14:33:37 -07:00
Vishal Nayak
41db9d25c7
Merge pull request #385 from hashicorp/vishal/vault
...
SSH Secret Backend for Vault
2015-08-20 10:03:15 -07:00
Bernhard K. Weisshuhn
08aafee5b6
skip revoke permissions step on cassandra rollback (drop user is enough)
2015-08-20 11:15:43 +02:00
Bernhard K. Weisshuhn
e0e0c43202
avoid dashes in generated usernames for cassandra to avoid quoting issues
2015-08-20 11:15:28 +02:00
vishalnayak
de30c66fea
Vault SSH: Removing script file
2015-08-19 12:59:52 -07:00
vishalnayak
36bf873a47
Vault SSH: 1024 is default key size and removed 4096
2015-08-19 12:51:33 -07:00
vishalnayak
215bce546e
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-08-18 19:00:38 -07:00
vishalnayak
d6c5031169
Vault SSH: TLS client creation test
2015-08-18 19:00:27 -07:00
Armon Dadgar
e4bb074fc2
Merge pull request #534 from ctennis/lease_reader
...
Fix #533, add a reader for lease values (#529) and an acceptance test for mysql to prove it works
2015-08-18 19:00:18 -07:00
Jeff Mitchell
5ffb403857
Fix AWS, again, and update Godeps.
2015-08-18 18:12:51 -07:00
vishalnayak
99736663e2
Vault SSH: verify echo test
2015-08-18 16:48:50 -07:00
vishalnayak
a4437a0371
Vault SSH: Fix backend test cases
2015-08-18 15:40:52 -07:00
vishalnayak
d63726b41b
Vault SSH: Documentation update and minor refactoring changes.
2015-08-17 18:22:03 -07:00
vishalnayak
a98b3befd9
Vault SSH: Website page for SSH backend
2015-08-14 12:41:26 -07:00
vishalnayak
52d4c0be9c
Vault SSH: Install script is optional now. Default script will be for Linux host.
2015-08-13 17:07:43 -07:00
vishalnayak
ffaf80167d
Vault SSH: CLI embellishments
2015-08-13 16:55:47 -07:00
vishalnayak
3958136a78
Vault SSH: Introduced allowed_users option. Added helpers getKey and getOTP
2015-08-13 14:18:30 -07:00
Caleb Tennis
d009d79696
Fix #533, add a reader for lease values (#529) and an acceptance test for mysql to prove it works
2015-08-13 15:33:06 -04:00
vishalnayak
9b1ea2f20c
Vault SSH: Helper for OTP creation and role read
2015-08-13 11:12:30 -07:00
vishalnayak
3d77058773
Vault SSH: Mandate default_user. Other refactoring
2015-08-13 10:36:31 -07:00
vishalnayak
2dd82aeb9a
Vault SSH: cidr to cidr_list
2015-08-13 08:46:55 -07:00
vishalnayak
1a1ce742dd
Vault SSH: Default lease duration, policy/ to role/
2015-08-12 17:36:27 -07:00
vishalnayak
d1b75e9d28
Vault SSH: Default lease of 5 min for SSH secrets
2015-08-12 17:10:35 -07:00
vishalnayak
f74a0c9bfa
Vault SSH: Exposed verify request/response messages to agent
2015-08-12 13:22:48 -07:00
vishalnayak
67b705565e
Vault SSH: Added SSHAgent API
2015-08-12 10:48:58 -07:00
vishalnayak
2ac3cabf87
Merging changes from master
2015-08-12 09:28:16 -07:00
vishalnayak
18db544d26
Vault SSH: Website doc v1. Removed path_echo
2015-08-12 09:25:28 -07:00
Erik Kristensen
d6f8a699cb
adding basic tests
2015-08-06 17:50:34 -06:00
Erik Kristensen
d877b713e9
initial pass at JWT secret backend
2015-08-06 17:49:44 -06:00
vishalnayak
b5c3624f2e
Merging with master
2015-08-06 18:44:40 -04:00
vishalnayak
044a2257e7
Vault SSH: Automate OTP typing if sshpass is installed
2015-08-06 17:00:50 -04:00
vishalnayak
0542fd8389
Vault SSH: uninstall dynamic keys using script
2015-08-06 15:50:12 -04:00
vishalnayak
c26782acad
Vault SSH: Script to install dynamic keys in target
2015-08-06 14:48:19 -04:00
Paul Hinze
0d4aa51855
Update vault code to match latest aws-sdk-go APIs
2015-08-06 11:37:08 -05:00
Seth Vargo
070d45456a
Update to latest aws and move off of hashicorp/aws-sdk-go
2015-08-06 12:26:41 -04:00
vishalnayak
607732261b
Vault SSH: Added 'echo' path to SSH
2015-08-04 15:30:24 -04:00
vishalnayak
f50193efe1
Vault SSH: Testing OTP creation
2015-08-03 19:04:07 -04:00
vishalnayak
552853d995
Vault SSH: CRUD tests for named keys
2015-08-03 16:18:14 -04:00
vishalnayak
2b76d37f14
Vault SSH: CRUD test for lookup API
2015-08-03 11:22:00 -04:00
vishalnayak
e9826c635c
Vault SSH: CRUD test for dynamic role
2015-07-31 15:17:40 -04:00
vishalnayak
8dbbb8b8e6
Vault SSH: CRUD test case for OTP Role
2015-07-31 13:24:23 -04:00
vishalnayak
9aa02ad560
Vault SSH: Review Rework
2015-07-29 14:21:36 -04:00
Vishal Nayak
11a6c6de12
Vault SSH: Refactoring
2015-07-27 16:42:03 -04:00
Vishal Nayak
6a91529f4e
Vault SSH: admin_user/default_user fix
2015-07-27 15:03:10 -04:00
Vishal Nayak
6c5548ca7b
Vault SSH: Refactoring
2015-07-27 13:02:31 -04:00
Vishal Nayak
0a4854e542
Vault SSH: Dynamic Key test case fix
2015-07-24 12:13:26 -04:00
Vishal Nayak
9d4c5f718b
Vault SSH: keys/ designated special path
2015-07-23 18:12:13 -04:00
Vishal Nayak
3a1eaf1869
Vault SSH: Support OTP key type from CLI
2015-07-23 17:20:28 -04:00
Vishal Nayak
795d1a8d40
Vault SSH: Added vault server otp verify API
2015-07-22 16:00:58 -04:00
Vishal Nayak
ef05fe4051
Vault SSH: Vault agent support
2015-07-22 14:15:19 -04:00
Vishal Nayak
47a9f548fe
Vault SSH: Refactoring and fixes
2015-07-10 18:44:31 -06:00
Vishal Nayak
eb0f119491
Vault SSH: Backend and CLI testing
2015-07-10 16:18:02 -06:00
Vishal Nayak
c25525a22a
Vault SSH: Test case skeleton
2015-07-10 09:56:14 -06:00
Vishal Nayak
6f86d32089
Vault SSH: Made port number configurable
2015-07-06 16:56:45 -04:00
Vishal Nayak
2bc139dfd1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-06 11:05:08 -04:00
Armon Dadgar
c062345146
secret/transit: address PR feedback
2015-07-05 19:58:31 -06:00
Armon Dadgar
f2c7ba9357
secret/transit: use base64 for context to allow binary
2015-07-05 14:37:51 -07:00
Armon Dadgar
3af435d4b5
secret/transit: testing key derivation
2015-07-05 14:30:45 -07:00
Armon Dadgar
1ef4049f17
secret/transit: support key derivation in encrypt/decrypt
2015-07-05 14:19:24 -07:00
Armon Dadgar
d50eb96448
secret/transit: check for context for derived keys
2015-07-05 14:12:07 -07:00
Armon Dadgar
0a7fe56e0a
secret/transit: support derived keys
2015-07-05 14:11:02 -07:00
Vishal Nayak
280efd28f6
Vault SSH: PR review rework: Formatting/Refactoring
2015-07-02 19:52:47 -04:00
Vishal Nayak
5868213267
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-02 17:23:13 -04:00
Vishal Nayak
fbaea45101
Vault SSH: PR review rework
2015-07-02 17:23:09 -04:00
Jeff Mitchell
db1b4aadf9
Fix regexes to allow hyphens in role names, as the documentation shows
2015-07-01 20:39:18 -05:00
Vishal Nayak
2ebd10cdf4
Vault SSH: review rework: formatted and moved code
2015-07-01 21:26:42 -04:00
Vishal Nayak
e6e243b4ca
Vault SSH: Regex supports hyphen in key name and role names
2015-07-01 21:05:52 -04:00
Vishal Nayak
57174693ce
Vault SSH: replaced concatenated strings by fmt.Sprintf
2015-07-01 20:35:11 -04:00
Vishal Nayak
13ab7fc40b
Vault SSH: PR review rework - 1
2015-07-01 11:58:49 -04:00
Vishal Nayak
af03222a3e
For SSH backend, allow factory to be provided instead of Backend
2015-07-01 09:37:11 -04:00
Vishal Nayak
b6293662f2
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-01 09:31:25 -04:00
Armon Dadgar
6a9dc00e57
Remove SetLogger, and unify on framework.Setup
2015-06-30 17:45:20 -07:00
Armon Dadgar
22f543f837
Updating for backend API change
2015-06-30 17:36:12 -07:00
Vishal Nayak
d258b1819a
lease handling fix
2015-06-30 20:21:41 -04:00
Vishal Nayak
b821a8e872
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-30 18:33:37 -04:00
Vishal Nayak
2163818bd6
Input validations, help strings, default_user support
2015-06-30 18:33:17 -04:00
Armon Dadgar
e9f05fbe4f
helper/uuid: single generateUUID definition
2015-06-30 12:38:32 -07:00
Jeff Mitchell
5df856b519
Put timestamp back into the username. Since Cassandra doesn't support expiration, this can be used by scripts to manually clean up old users if revocation fails for some reason.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 11:15:46 -04:00
Jeff Mitchell
035c430eb2
Address some issues from code review.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:27:23 -04:00
Jeff Mitchell
1faaf20b92
A Cassandra secrets backend.
...
Supports creation and deletion of users in Cassandra using flexible CQL queries.
TLS, including client authentication, is supported.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-30 09:04:01 -04:00
Vishal Nayak
756be6976d
Refactoring changes
2015-06-29 22:00:08 -04:00
Vishal Nayak
208e068138
SCP in pure GO and CIDR parsing fix
2015-06-29 11:49:34 -04:00
Vishal Nayak
5da639feff
Creating SSH keys and removal of files in pure 'go'
2015-06-26 15:43:27 -04:00
Vishal Nayak
7dbad8386c
ssh/lookup implementation and refactoring
2015-06-25 21:47:32 -04:00
Vishal Nayak
e90fb0cc09
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-24 18:13:26 -04:00
Vishal Nayak
4b07eba487
POC: Rework. Doing away with policy file.
2015-06-24 18:13:12 -04:00
Jeff Mitchell
d8ed14a603
Merge remote-tracking branch 'upstream/master' into f-pki
2015-06-19 13:01:26 -04:00
Vishal Nayak
9d709bd5a9
SSHs to multiple users by registering the respective host keys
2015-06-19 12:59:36 -04:00
Jeff Mitchell
435aefc072
A few things:
...
* Add comments to every non-obvious (e.g. not basic read/write handler type) function
* Remove revoked/ endpoint, at least for now
* Add configurable CRL lifetime
* Cleanup
* Address some comments from code review
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-19 12:48:18 -04:00
Vishal Nayak
5cd9b7a7d8
merging with master
2015-06-18 20:51:11 -04:00
Vishal Nayak
fe5bb20e92
Roles, key renewal handled. End-to-end basic flow working.
2015-06-18 20:48:41 -04:00
Jeff Mitchell
23ba605068
Refactor to allow only issuing CAs to be set and not have things blow up. This is useful/important for e.g. the Cassandra backend, where you may want to do TLS with a specific CA cert for server validation, but not actually do client authentication with a client cert.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-18 15:22:58 -04:00
Vishal Nayak
f2ace92e98
Implementation for storing and deleting the host information in Vault
2015-06-17 22:10:47 -04:00
Armon Dadgar
96119946f3
secret/transit: allow policies to be upserted
2015-06-17 18:51:05 -07:00
Armon Dadgar
9238c6def3
secret/transit: Use special endpoint to get underlying keys. Fixes #219
2015-06-17 18:42:23 -07:00
Vishal Nayak
c1880de3d1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-17 20:34:56 -04:00
Vishal Nayak
fa83fe89f0
Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH.
2015-06-17 20:33:03 -04:00
Armon Dadgar
28dd283c93
builtin: fixing API change in logical framework
2015-06-17 14:34:11 -07:00
Armon Dadgar
05fa4a4a48
secret/postgres: Ensure sane username length. Fixes #326
2015-06-17 13:31:56 -07:00
Jeff Mitchell
31e680048e
A lot of refactoring: move PEM bundle parsing into helper/certutil, so that it is usable by other backends that want to use it to get the necessary data for TLS auth.
...
Also, enhance the raw cert bundle => parsed cert bundle to make it more useful and perform more validation checks.
More refactoring could be done within the PKI backend itself, but that can wait.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-17 16:07:20 -04:00
Vishal Nayak
fb866f9059
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect
2015-06-17 12:39:49 -04:00
Vishal Nayak
647f3a59d9
Vault SSH: POC Stage 1. Skeleton implementation.
2015-06-16 16:58:54 -04:00
Jeff Mitchell
a2b3e1302a
A bunch of cleanup and moving around. logical/certutil is a package that now has helper functions
...
useful for other parts of Vault (including the API) to take advantage of.
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-16 13:43:12 -04:00
Jeff Mitchell
8b55d33722
Erp, forgot this feedback...
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 23:16:13 -04:00
Jeff Mitchell
64c8a437e9
Add locking for revocation/CRL generation. I originally was going to use an RWMutex but punted, because it's not worth trying to save some milliseconds with the possibility of getting something wrong. So the entire operations are now wrapped, which is minimally slower but very safe.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 22:28:13 -04:00
Jeff Mitchell
722eca1367
Address most of Armon's initial feedback.
...
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-11 21:57:05 -04:00
Jeff Mitchell
20ac7a46f7
Add acceptance tests
...
* CA bundle uploading
* Basic role creation
* Common Name restrictions
* IP SAN restrictions
* EC + RSA keys
* Various key usages
* Lease times
* CA fetching in various formats
* DNS SAN handling
Also, fix a bug when trying to get code signing certificates.
Not tested:
* Revocation (I believe this is impossible with the current testing framework)
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jeff Mitchell
530b67bbb9
Initial PKI backend implementation.
Complete:
* Up-to-date API documents
* Backend configuration (root certificate and private key)
* Highly granular role configuration
* Certificate generation
* CN checking against role
* IP and DNS subject alternative names
* Server, client, and code signing usage types
* Later certificate (but not private key) retrieval
* CRL creation and update
* CRL/CA bare endpoints (for cert extensions)
* Revocation (both Vault-native and by serial number)
* CRL force-rotation endpoint
Missing:
* OCSP support (can't implement without changes in Vault)
* Unit tests
Commit contents (C)2015 Akamai Technologies, Inc. <opensource@akamai.com>
2015-06-08 00:06:09 -04:00
Jonathan Sokolowski
dd7d64dd80
logical/consul: Combine policy and lease into single storage struct
2015-05-28 09:36:23 +10:00
Jonathan Sokolowski
6814b0d63e
logical/consul: custom lease time for roles
2015-05-27 09:53:46 +10:00
Armon Dadgar
478a5965ee
secret/aws: Using roles instead of policy
2015-04-27 14:20:28 -07:00
Armon Dadgar
aaf10cd624
Do not root protect role configurations
2015-04-27 14:07:20 -07:00
Armon Dadgar
3330d43d44
secret/postgres: secret/mysql: roles endpoints root protected
2015-04-27 14:04:10 -07:00
Armon Dadgar
f159750509
secret/consul: replace policy with roles, and prefix the token path
2015-04-27 13:59:56 -07:00
Armon Dadgar
d425ca22df
secret/transit: rename policy to keys
2015-04-27 13:52:47 -07:00
Armon Dadgar
39f014e0b6
secret/transit: Adding more help. Fixes #41
2015-04-27 12:47:09 -07:00
Armon Dadgar
212aa9fb5b
secret/postgresql: testing support for multiple statements
2015-04-27 12:00:07 -07:00
Armon Dadgar
db5f74f6b4
secret/postgresql: support multiple sql statements
2015-04-27 11:31:27 -07:00
Armon Dadgar
9a156ac246
mysql: cleanup
2015-04-27 11:31:11 -07:00
Armon Dadgar
d69a7ba697
logical/consul: Added missing policy endpoints
2015-04-27 11:08:37 -07:00
Armon Dadgar
56adae843b
secret/mysql: improve the example statement
2015-04-25 12:58:50 -07:00
Armon Dadgar
b1e3ec15a5
secret/mysql: adding acceptance test
2015-04-25 12:56:23 -07:00
Armon Dadgar
c237c8c258
secret/mysql: fixing mysql oddities
2015-04-25 12:56:11 -07:00
Armon Dadgar
d9e313c120
secret/mysql: initial pass at mysql secret backend
2015-04-25 12:05:26 -07:00
Mitchell Hashimoto
8bc94fffd0
logical/postgresql: when renewing, alter the valid until
2015-04-18 22:55:33 -07:00
Mitchell Hashimoto
3bec79d857
logical/consul: leasing
2015-04-18 22:29:46 -07:00
Mitchell Hashimoto
b37f8332ed
logical/consul: config/access is the new path for config
2015-04-18 22:28:53 -07:00
Mitchell Hashimoto
ec452d8b9a
logical/aws: leasing/renewal support
2015-04-18 22:25:37 -07:00
Mitchell Hashimoto
a9ef546459
logical/aws: fix build
2015-04-18 22:22:35 -07:00
Mitchell Hashimoto
06c4e52377
logical/aws: move root creds config to config/root
2015-04-18 22:21:31 -07:00
Mitchell Hashimoto
710a5b1464
logical/aws: support read/delete policies
2015-04-18 22:13:12 -07:00
Mitchell Hashimoto
65de2d6375
logical/postgresql: support deleting roles and reading them
2015-04-18 21:59:59 -07:00
Mitchell Hashimoto
9798b5106a
logical/postgresql: renew for secret
2015-04-18 21:47:19 -07:00
Mitchell Hashimoto
22d959e313
logical/postgresql: leasing
2015-04-18 21:45:05 -07:00
Mitchell Hashimoto
0e5a5880e5
logical/postgres: no session limit
2015-04-18 18:42:57 -07:00
Mitchell Hashimoto
90936ff77c
logical/postgres: update docs properly
2015-04-18 18:42:26 -07:00
Mitchell Hashimoto
2312cef959
logical/postgresql: leases
2015-04-18 18:40:03 -07:00
Mitchell Hashimoto
f640048fad
logical/postgresql: create DB credentials
2015-04-18 18:37:27 -07:00
Mitchell Hashimoto
979e42be35
logical/postgresql: creating roles
2015-04-18 18:09:33 -07:00
Mitchell Hashimoto
adbc734791
logical/postgresql: connection
2015-04-18 17:34:36 -07:00
Armon Dadgar
d02028a0e4
Adding transit logical backend
2015-04-15 17:08:12 -07:00
Armon Dadgar
59073cf775
logical/aws: Use display name for IAM username
2015-04-15 15:05:00 -07:00
Armon Dadgar
006cb08853
logical/consul: Use the DisplayName for the ACL token name
2015-04-15 15:03:05 -07:00
Mitchell Hashimoto
c30d877fa4
rename vault id to lease id all over
2015-04-10 20:35:14 -07:00
Mitchell Hashimoto
d9e38470a8
logical/framework: better string values for types
2015-04-03 21:15:59 -07:00
Mitchell Hashimoto
105e68387a
logical/aws: help
2015-04-03 21:10:54 -07:00
Mitchell Hashimoto
e56b16b6d7
logical/framework: support root help
2015-04-03 20:36:47 -07:00
Mitchell Hashimoto
630da54522
logical/aws: policy doesn't need to be base64
2015-03-31 17:26:41 -07:00
Mitchell Hashimoto
7fa65ef5b0
logical/*: fix compilation errors
2015-03-30 20:30:07 -07:00
Mitchell Hashimoto
39f2da0fbe
command: unit tests pass
2015-03-29 16:20:34 -07:00
Mitchell Hashimoto
3b702cc14d
logical/consul: actual test that the token works
2015-03-21 17:23:44 +01:00
Mitchell Hashimoto
07f8e262fe
logical/consul
2015-03-21 17:19:37 +01:00
Mitchell Hashimoto
c3342cd344
logical/aws: refactor access key create to the secret file
2015-03-21 11:49:56 +01:00
Mitchell Hashimoto
f08879971e
logical/aws: remove debug I was using to test rollback :)
2015-03-21 11:20:22 +01:00
Mitchell Hashimoto
f99f6c910e
logical/aws: WAL entry for users, rollback
2015-03-21 11:18:46 +01:00
Mitchell Hashimoto
ac8570c809
main: enable AWS backend
2015-03-20 19:32:18 +01:00
Mitchell Hashimoto
3456d9276c
logical/aws
2015-03-20 19:03:20 +01:00