mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 23:21:08 +02:00
Code Issues Projects Releases Wiki Activity
10,543 Commits 2,843 Branches 445 Tags
Commit Graph

1798 Commits

Author SHA1 Message Date
Jim Weber
1ec0a2d403 fixed an incorrect assignment 2016-10-03 21:51:40 -04:00
vishalnayak
dda2e81895 Add only relevant certificates 2016-10-03 20:34:28 -04:00
vishalnayak
437ddeaadc aws-ec2 config endpoints support type option to distinguish certs 2016-10-03 20:25:07 -04:00
Jim Weber
1b591fb6d5 More resilient around cases of missing role names and using the default when needed. 2016-10-03 20:20:00 -04:00
vishalnayak
1317753f18 Authenticate aws-ec2 instances using identity document and its RSA signature 2016-10-03 18:57:41 -04:00
Jim Weber
67d991f4ab Refactored logic some to make sure we can always fall back to default revoke statments 
Changed rolename to role
made default sql revoke statments a const
 2016-10-03 15:59:56 -04:00
Jim Weber
179c07075a fixed some more issues I had with the tests. 2016-10-03 15:58:09 -04:00
Jim Weber
aa5bb3b354 renamed rolname to role 2016-10-03 15:57:47 -04:00
Jim Weber
003d0df191 Reduced duplicated code and fixed comments and simple variable name mistakes 2016-10-03 14:53:05 -04:00
Jim Weber
10855b070f Added test for revoking mysql user with wild card host and non-wildcard host 2016-10-02 22:28:54 -04:00
Jim Weber
47465e782c saving role name to the Secret Internal data. Default revoke query added 
The rolename is now saved to the secret internal data for fetching
later during the user revocation process. No longer deriving the role
name from request path

Added support for default revoke SQL statements that will provide the
same functionality as before. If not revoke SQL statements are provided
the default statements are used.

Cleaned up personal ignores from the .gitignore file
 2016-10-02 18:53:16 -04:00
Jeff Mitchell
81cdd76a5c Adds HUP support for audit log files to close and reopen. (#1953) 
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.

As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
 2016-09-30 12:04:50 -07:00
Vishal Nayak
adf868d3a0 Merge pull request #1947 from hashicorp/secret-id-lookup-delete 
Introduce lookup and destroy endpoints for secret IDs and its accessors
 2016-09-29 10:19:54 -04:00
vishalnayak
d672d3c5dc Added website docs for lookup and destroy APIs 2016-09-28 22:11:48 -04:00
vishalnayak
11614805e0 Make secret-id reading and deleting, a POST op instead of GET 2016-09-28 20:22:37 -04:00
Michael S. Fischer
e6b39d4b3f Update documentation for required AWS API permissions 
In order for Vault to map IAM instance profiles to roles, Vault
must query the 'iam:GetInstanceProfile' API, so update the documentation
and help to include the additional permissions needed.
 2016-09-28 16:50:20 -07:00
Jeff Mitchell
c748ff322f Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Vishal Nayak
c68b7bd4fe Merge pull request #1939 from hashicorp/secret-id-upgrade 
Respond secret_id_num_uses and deprecate SecretIDNumUses
 2016-09-28 18:16:07 -04:00
vishalnayak
f1f66279c4 Added todo to remind removal of upgrade code 2016-09-28 18:17:13 -04:00
vishalnayak
1887fbcd7f Check for prefix match instead of exact match for IAM bound parameters 2016-09-28 18:08:28 -04:00
vishalnayak
5c5871ee5a Don't reset the deprecated value yet 2016-09-28 15:48:50 -04:00
Vishal Nayak
692bbc0a12 Merge pull request #1913 from hashicorp/bound-iam-instance-profile-arn 
Proper naming for bound_iam_instance_profile_arn
 2016-09-28 15:34:56 -04:00
vishalnayak
ec1d635769 Add some validation checks 2016-09-28 15:36:02 -04:00
vishalnayak
2964c925d3 Fix the misplaced response warning 2016-09-28 14:20:03 -04:00
vishalnayak
a716e20261 Added testcase to check secret_id_num_uses 2016-09-28 13:58:53 -04:00
vishalnayak
020237779e Pull out reading and storing of secret ID into separate functions and handle upgrade properly 2016-09-28 12:42:26 -04:00
Laura Bennett
4cfe098ce4 Merge pull request #1931 from hashicorp/cass-consistency 
Adding consistency into cassandra
 2016-09-27 21:12:02 -04:00
Chris Hoffman
10c8024fa3 Adding support for chained intermediate CAs in pki backend (#1694) 2016-09-27 17:50:17 -07:00
Laura Bennett
8b41676dbc minor updates 2016-09-27 20:35:11 -04:00
Laura Bennett
011d65f59c added parsing at role creation 2016-09-27 16:01:51 -04:00
Laura Bennett
dc4fdf37d7 initial commit for consistency added into cassandra 2016-09-27 13:25:18 -04:00
Mikhail Zholobov
89d2d67a5b
Fix "SecretIDNumUses" in AppRole auth backend 
There was a typo.
 2016-09-27 17:26:52 +03:00
Vishal Nayak
92cb781be9 Merge pull request #1910 from hashicorp/secret-id-cidr-list 
CIDR restrictions on Secret ID
 2016-09-26 10:22:48 -04:00
Vishal Nayak
a31ab07615 Merge pull request #1920 from legal90/fix-approle-delete 
Fix panic on deleting the AppRole which doesn't exist
 2016-09-26 10:05:33 -04:00
Mikhail Zholobov
9667cd9377
Fix panic on deleting the AppRole which doesn't exist 
#pathRoleDelete should return silently if the specified  AppRole doesn't exist
Fixes GH-1919
 2016-09-26 16:55:08 +03:00
vishalnayak
c94415d824 Address review feedback from @jefferai 2016-09-26 09:53:24 -04:00
vishalnayak
a83acd402e Update docs to contain bound_iam_role_arn 2016-09-26 09:37:38 -04:00
vishalnayak
2bd8903cf4 Implemented bound_iam_role_arn constraint 2016-09-23 21:35:36 -04:00
Jim Weber
eebd592f78 Getting role name from the creds path used in revocation 2016-09-23 16:57:08 -04:00
Jim Weber
f56f0b174c secretCredsRevoke command no longer uses hardcoded query 
The removal of a user from the db is now handled similar to the
creation. The SQL is read out of a key from the role and then executed
with values substituted for username.
 2016-09-23 16:05:49 -04:00
Jim Weber
235d67e451 Added support for a revokeSQL key value pair to the role 2016-09-23 16:00:23 -04:00
Jeff Mitchell
bba2ea63f1 Don't use time.Time in responses. (#1912) 
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
 2016-09-23 12:32:07 -04:00
vishalnayak
0b233b3fa1 Fix incorrect naming of bound_iam_instance_profile_arn 2016-09-23 11:22:23 -04:00
vishalnayak
fb2f7f27ba Fix ssh tests 2016-09-22 11:37:55 -04:00
vishalnayak
8ce3fa75ba Store the CIDR list in the secret ID storage entry. 
Use the stored information to validate the source address and credential issue time.
Correct the logic used to verify BoundCIDRList on the role.
Reverify the subset requirements between secret ID and role during credential issue time.
 2016-09-21 20:19:26 -04:00
vishalnayak
7f89bb5f68 Pass only valid inputs to validation methods 2016-09-21 15:44:54 -04:00
vishalnayak
c93bded97b Added cidrutil helper 2016-09-21 13:58:32 -04:00
Jeff Mitchell
902067d620 Ensure upgrades have a valid HMAC key 2016-09-21 11:10:57 -04:00
Jeff Mitchell
8482118ac6 Transit and audit enhancements 2016-09-21 10:49:26 -04:00
Chris Hoffman
cd567eb480 Renaming ttl_max -> max_ttl in mssql backend (#1905) 2016-09-20 12:39:02 -04:00