mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-24 16:11:08 +02:00
Code Issues Projects Releases Wiki Activity
10,305 Commits 2,840 Branches 445 Tags
Commit Graph

1080 Commits

Author SHA1 Message Date
Dmitriy Gromov
ea1e29fa33 Renamed sts duration to ttl and added STS permissions note. 2016-01-21 14:28:34 -05:00
Dmitriy Gromov
b37a963841 Removing debug print statement from sts code 2016-01-21 14:05:10 -05:00
Dmitriy Gromov
6f50cd9439 Fixed duration type and added acceptance test for sts 2016-01-21 14:05:10 -05:00
Dmitriy Gromov
522e8a3450 Configurable sts duration 2016-01-21 14:05:09 -05:00
Jack DeLoach
d206599b80 Add STS path to AWS backend. 
The new STS path allows for obtaining the same credentials that you would get
from the AWS "creds" path, except it will also provide a security token, and
will not have an annoyingly long propagation time before returning to the user.
 2016-01-21 14:05:09 -05:00
Jeff Mitchell
4fc58e8b41 Merge pull request #895 from nickithewatt/aws-prexisting-policies 
Allow use of pre-existing policies for AWS users
 2016-01-21 13:23:37 -05:00
Chi Vinh Le
555834f83d Cleanly close SSH connections 2016-01-19 07:59:08 +01:00
Jeff Mitchell
21f91f73bb Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell
45e32756ea WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Marcin Wielgoszewski
48660ddba5 Address issues with properly revoking a user via these additional REVOKE statements 2016-01-06 09:22:55 -05:00
Nicki Watt
79fb12c977 Updated AWS policy help messages 2015-12-30 19:41:07 +00:00
Nicki Watt
375a57b975 Allow use of pre-existing policies for AWS users 2015-12-30 18:05:54 +00:00
Jeff Mitchell
29f04250ff Built on GH-890 to add other types 2015-12-29 13:07:24 -05:00
Issac Goldstand
6149e1256e fix CA compatibility with OpenSSL 2015-12-29 18:52:43 +02:00
Jeff Mitchell
a0308e6858 Migrate 'uuid' to 'go-uuid' to better fit HC naming convention 2015-12-16 12:56:20 -05:00
Jeff Mitchell
555d621a2f Update key usage logic 
* Move to one place for both code paths
* Assign ExtKeyUsageAny to CA certs to help with validation with the
  Windows Crypto API and Go's validation logic

Fixes #846
 2015-12-14 14:23:51 -05:00
Jeff Mitchell
1c8cf4101a Merge branch 'master' into pki-csrs 2015-12-01 00:09:23 -05:00
Jeff Mitchell
5a5d4212af Fix AWS tests 2015-12-01 00:05:04 -05:00
Jeff Mitchell
bd03d3c422 Change allowed_base_domain to allowed_domains and allow_base_domain to 
allow_bare_domains, for comma-separated multi-domain support.
 2015-11-30 23:49:11 -05:00
Jeff Mitchell
703a0d65c0 Remove token display names from input options as there isn't a viable 
use-case for it at the moment
 2015-11-30 18:07:42 -05:00
Jeff Mitchell
6342699da3 Greatly simplify and fix the name validation function, as well as fully 
comment it.
 2015-11-23 14:15:32 -05:00
Jeff Mitchell
7eed5db86f Update documentation, some comments, make code cleaner, and make generated roots be revoked when their TTL is up 2015-11-19 17:14:22 -05:00
Jeff Mitchell
4f2f7a0e3b Mostly revert changes to certutil as the embedded struct stuff was being 
problematic.
 2015-11-19 14:18:39 -05:00
Jeff Mitchell
061539434f Update validator function for URIs. Change example of entering a CA to a 
root cert generation. Other minor documentation updates. Fix private key
output in issue/sign.
 2015-11-19 11:35:17 -05:00
Jeff Mitchell
fcbdb5f30a fix tests 2015-11-19 10:13:28 -05:00
Jeff Mitchell
3437af0711 Split root and intermediate functionality into their own sections in the API. Update documentation. Add sign-verbatim endpoint. 2015-11-19 09:51:18 -05:00
Jeff Mitchell
cb5514f3f3 Move public key comparison logic to its own function 2015-11-19 09:51:18 -05:00
Jeff Mitchell
b5423493ca Move serial number generation and key validation into certutil; centralize format and key verification 2015-11-19 09:51:18 -05:00
Jeff Mitchell
da34e7c4e7 Add URL validation 2015-11-19 09:51:18 -05:00
Jeff Mitchell
129235ba2e Fix zero path length handling, and move common field defs elsewhere 2015-11-19 09:51:18 -05:00
Jeff Mitchell
636fad0180 Fix logic around zero path length -- only restrict issuing intermediate CAs in this case 2015-11-19 09:51:18 -05:00
Jeff Mitchell
237285e822 Address some feedback from review 2015-11-19 09:51:18 -05:00
Jeff Mitchell
cf148d8cc6 Large documentation updates, remove the pathlength path in favor of 
making that a parameter at CA generation/sign time, and allow more
fields to be configured at CSR generation time.
 2015-11-19 09:51:18 -05:00
Jeff Mitchell
29d1f5030e Add path length paths and unit tests to verify same. 2015-11-19 09:51:18 -05:00
Jeff Mitchell
7f12ac0026 Add URLs methods to set OCSP/CRL/CA urls in issued certs, and tests. 2015-11-19 09:51:18 -05:00
Jeff Mitchell
4de2060a96 Add tests for using raw CSR values 2015-11-19 09:51:18 -05:00
Jeff Mitchell
a763391615 Change a few checks on names: 
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).

- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.

Also, fix a nil pointer issue.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
f8deb998ed Add config/urls CRUD operations to get and set the URLs encoded into 
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
aae434576f Change use_csr_subject to use_csr_values; copy not only the subject, but 
also the alternate names and the extensions over as well.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
e8f1e8eb98 Remove setting serial number in the pkix Subject 2015-11-19 09:51:17 -05:00
Jeff Mitchell
a093508ceb Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR 2015-11-19 09:51:17 -05:00
Jeff Mitchell
03e4ab785d Add capability to use the CSR's common name (by default for CA CSRs if 
no common_name parameter is given, role-controlled for non-CA CSRs).

Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
4e73187837 Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required. 2015-11-19 09:51:17 -05:00
Jeff Mitchell
62e4b89ea7 Address some minor PR feedback 2015-11-19 09:51:17 -05:00
Jeff Mitchell
f46b5b90c7 Fix otto import of uuid 2015-11-19 09:51:17 -05:00
Jeff Mitchell
76f94fe49b Cleanup, and add ability to sign CA CSRs that aren't destined for Vault 2015-11-19 09:51:17 -05:00
Jeff Mitchell
c33c43620f Add tests for intermediate signing and CRL, and fix a couple things 
Completes extra functionality.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
e45af0a17b Add unit tests to test signing logic, fix up test logic for names 2015-11-19 09:51:17 -05:00
Jeff Mitchell
10c2b9f76b Handle email address alternative names, fix up tests, fix up logic around name verification 2015-11-19 09:51:17 -05:00
Jeff Mitchell
41799529f7 Add allow_base_domain to control whether or not the actual base domain is allowed as a cert common name and/or DNS SAN 2015-11-19 09:51:17 -05:00