Chris Hoffman
628153979a
Converting key_usage and allowed_domains in PKI to CommaStringSlice ( #3621 )
2017-12-11 13:13:35 -05:00
Mohsen
77fc89088d
Small typo relating to no_store in pki secret backend ( #3662 )
* Removed typo :)
* Corrected typo in the website related to no_store
2017-12-07 10:40:21 -05:00
Vishal Nayak
18311d253d
Transit: Refactor internal representation of key entry map ( #3652 )
* convert internal map to index by string
* Add upgrade test for internal key entry map
* address review feedback
2017-12-06 18:24:00 -05:00
Nicolas Corrarello
884e25035f
Adding SealWrap configuration, protecting the config/access path
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 21:53:21 +00:00
Nicolas Corrarello
12e77fac51
Rename policy into policies
2017-11-29 16:31:17 +00:00
Nicolas Corrarello
0780c6250b
Checking if client is not nil before deleting token
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 16:23:03 +00:00
Nicolas Corrarello
66840ac4db
%q quotes automatically
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 16:19:31 +00:00
Nicolas Corrarello
9d78bfa721
Refactoring check for empty accessor as per Vishal's suggestion
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:58:39 +00:00
Nicolas Corrarello
a3df394134
Pull master into f-nomad
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:56:37 +00:00
Nicolas Corrarello
e6b3438d92
Return an error if accessor_id is nil
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:18:03 +00:00
Nicolas Corrarello
cfa0715d1e
Returning nil config if it is actually nil, and catching the error before creating the client in backend.go
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 11:15:54 +00:00
Nicolas Corrarello
f8babf19ad
Moving LeaseConfig function to path_config_lease.go
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 11:07:17 +00:00
Nicolas Corrarello
1db26e73f4
Return error before creating a client if conf is nil
2017-11-29 11:01:31 +00:00
Nicolas Corrarello
a5f01d49e2
Sanitizing error outputs
2017-11-29 10:58:02 +00:00
Nicolas Corrarello
e3a73ead35
Renaming tokenRaw to accessorIDRaw to avoid confusion, as the token is not being used for revoking itself
2017-11-29 10:48:55 +00:00
Nicolas Corrarello
3134c7262d
Updating descriptions, defaults for roles
2017-11-29 10:44:40 +00:00
Nicolas Corrarello
a280884433
Validating that Address and Token are provided in path_config_access.go
2017-11-29 10:36:34 +00:00
Nicolas Corrarello
e1e63f8883
Removing legacy field scheme that belonged to the Consul API
2017-11-29 10:29:39 +00:00
Jeff Mitchell
0c3db8eaca
Remove allow_base_domain from PKI role output.
It was never used in a release, in favor of allow_bare_domains.
Fixes #1452 (again)
2017-11-09 10:24:36 -05:00
Jeff Mitchell
4535c8c38d
Don't read out an internal role member in PKI
2017-11-08 18:20:53 -05:00
Chris Hoffman
b2549f3922
adding ttl to secret, refactoring for consistency
2017-11-07 09:58:19 -05:00
Calvin Leung Huang
1cf3414352
Fix deprecated cassandra backend tests ( #3543 )
2017-11-06 17:15:45 -05:00
Chris Hoffman
26daf9d432
minor cleanup
2017-11-06 16:36:37 -05:00
Chris Hoffman
cbe172fb65
minor cleanup
2017-11-06 16:34:20 -05:00
Gregory Reshetniak
81e18aeccd
added AWS endpoint handling ( #3416 )
2017-11-06 13:31:38 -05:00
Jeff Mitchell
33cf98026e
Add PKCS8 marshaling to PKI ( #3518 )
2017-11-06 12:05:07 -05:00
Nicolas Corrarello
d1e3eff618
Refactored Lease into the Backend configuration
2017-11-06 15:09:56 +00:00
Nicolas Corrarello
6560e3c24a
Attaching secretToken to backend
2017-11-06 14:28:30 +00:00
Calvin Leung Huang
ca76bc4f44
Return role info for each role on pathRoleList ( #3532 )
* Return role info for each role on pathRoleList
* Change roles -> key_info, only return key_type
* Do not initialize result map in parseRole, refactor ListResponseWithInfo
* Add role list test
2017-11-03 17:12:03 -04:00
Jeff Mitchell
8004f052da
Add some more SealWrap declarations ( #3531 )
2017-11-03 11:43:31 -04:00
Vishal Nayak
ced60dbc0c
Encrypt/Decrypt/Sign/Verify using RSA in Transit backend ( #3489 )
* encrypt/decrypt/sign/verify RSA
* update path-help and doc
* Fix the bug which was breaking convergent encryption
* support both 2048 and 4096
* update doc to contain both 2048 and 4096
* Add test for encrypt, decrypt and rotate on RSA keys
* Support exporting RSA keys
* Add sign and verify test steps
* Remove 'RSA' from PEM header
* use the default salt length
* Add 'RSA' to PEM header since openssl is expecting that
* export rsa keys as signing-key as well
* Comment the reasoning behind the PEM headers
* remove comment
* update comment
* Parameterize hashing for RSA signing and verification
* Added test steps to check hash algo choice for RSA sign/verify
* fix test by using 'prehashed'
2017-11-03 10:45:53 -04:00
Nicolas Corrarello
7015139ece
Not storing the Nomad token as we have the accessor for administrative operations
2017-11-03 07:25:47 +00:00
Nicolas Corrarello
f3aaacc3fc
Overhauling the client method and attaching it to the backend
2017-11-03 07:19:49 +00:00
Jeff Mitchell
87e98dce23
Check input size to avoid a panic ( #3521 )
2017-11-02 16:40:52 -05:00
Nicolas Corrarello
ca92922a91
Refactoring readAcessConfig to return a single type of error instead of two
2017-11-01 08:49:31 +00:00
Nicolas Corrarello
dcaec0a880
Refactored config error to just have a single error exit path
2017-11-01 08:41:58 +00:00
Nicolas Corrarello
c4bf80c84f
Ignoring userErr as it will be nil anyway
2017-11-01 07:41:58 +00:00
Nicolas Corrarello
5d3513b568
tokenType can never be nil/empty string as there are default values
2017-11-01 07:36:14 +00:00
Nicolas Corrarello
ffb9343f5f
Should return an error if trying to create a management token with policies attached
2017-10-31 21:12:14 +00:00
Nicolas Corrarello
3a0d7ac9a6
Unifying Storage and API path in role
2017-10-31 21:06:10 +00:00
Nicolas Corrarello
482d73aebe
Minor/Cosmetic fixes
2017-10-31 19:11:24 +00:00
Brian Kassouf
4121791cb9
Add the ability to glob allowed roles in the Database Backend ( #3387 )
* Add the ability to glob allowed roles in the Database Backend
* Make the error messages better
* Switch to the go-glob repo
2017-10-30 13:24:25 -07:00
Jeff Mitchell
3e81fe4c62
Simplify TTL/MaxTTL logic in SSH CA paths and make it sane with the rest of how Vault parses/returns TTLs. ( #3507 )
2017-10-30 15:05:47 -05:00
Jeff Mitchell
6cfdd7b40c
Rejig some error messages in pki
2017-10-27 12:02:18 -04:00
Jeff Mitchell
cd6d67d84b
Final sync
2017-10-23 17:39:21 -04:00
Vishal Nayak
a5e0e42b6a
return the actual error for base64 decoding failure ( #3397 )
2017-10-20 11:21:45 -04:00
Jeremy Voorhis
333bd83a3f
Implement signing of pre-hashed data ( #3448 )
Transit backend sign and verify endpoints now support algorithm=none
2017-10-11 11:48:51 -04:00
Jeff Mitchell
04e8d163ba
Allow entering PKI URLs as arrays. ( #3409 )
Fixes #3407
2017-10-03 16:13:57 -04:00
Nicolas Corrarello
222b9d1c52
Removing ignore to cleanup function
2017-09-29 09:35:17 +01:00
Nicolas Corrarello
7e5c465ecb
Working tests
2017-09-29 09:33:58 +01:00
Nicolas Corrarello
bf68079051
Various fixes (Null pointer, wait for Nomad to go up, Auth before policy creation)
2017-09-28 23:58:41 +01:00
Nicolas Corrarello
ca9ad73565
Adding Global tokens to the data model
2017-09-28 23:57:48 +01:00
Nicolas Corrarello
9338277c67
Added tests
2017-09-28 21:44:30 +01:00
Nicolas Corrarello
393e7bf7e8
Fixing data model
2017-09-20 17:14:35 -05:00
Nicolas Corrarello
4cda42ad8f
MVP of working Nomad Secret Backend
2017-09-20 15:59:35 -05:00
Jeff Mitchell
2c6e64226c
Tests were not actually forcing the intermediate to have a longer TTL because of mount max TTL constraint. This ups the mount max to force the test to work as expected.
2017-09-14 22:49:04 -04:00
Jeff Mitchell
f970aea9f8
Change behavior of TTL in sign-intermediate ( #3325 )
* Fix using wrong public key in sign-self-issued
* Change behavior of TTL in sign-intermediate
This allows signing CA certs with an expiration past the signer's
NotAfter.
It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.
Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
2017-09-13 11:42:45 -04:00
Calvin Leung Huang
8a65b1745b
Handle errors from getRootConfig on aws logical backend ( #3294 )
2017-09-08 13:00:29 -04:00
Jeff Mitchell
cdc5b0b1da
Add a bit more delay to backend test in case Travis is loaded
2017-09-04 14:45:12 -04:00
Jeff Mitchell
4ad96d9513
Add pki/root/sign-self-issued. ( #3274 )
* Add pki/root/sign-self-issued.
This is useful for root CA rolling, and is also suitably dangerous.
Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.
* Add tests
2017-08-31 23:07:15 -04:00
Jeff Mitchell
f3a3e5ad8f
Use TypeDurationSecond for TTL values in PKI. ( #3270 )
2017-08-31 15:46:13 -04:00
Lars Lehtonen
56f127300d
fix swallowed errors in pki package tests ( #3215 )
2017-08-29 13:15:36 -04:00
Jeff Mitchell
e6b43f7278
Add permitted dns domains to pki ( #3164 )
2017-08-15 16:10:36 -04:00
Jeff Mitchell
2946d133af
Make PKI root generation idempotent-ish and add delete endpoint. ( #3165 )
2017-08-15 14:00:40 -04:00
Calvin Leung Huang
e0c84d0f9f
Direct plugin logs through vault's logger ( #3142 )
* Direct plugin logs through vault's logger
* Pass in a logger in testConfig
2017-08-15 10:16:48 -04:00
Brian Kassouf
6e6bd6ee5c
Bump database plugin protocol version
2017-08-08 17:01:38 -07:00
Lars Lehtonen
cdc7a2dd0c
Handle dropped checkok pattern in mysql package ( #3082 )
2017-08-02 19:34:58 -04:00
Chris Hoffman
915cd3a188
adding warning for conflicting role and request parameters ( #3083 )
2017-08-02 10:02:40 -04:00
Jeff Mitchell
54e3d61d6b
Use RemoteCredProvider instead of EC2RoleProvider ( #2983 )
2017-07-31 18:27:16 -04:00
Jeff Mitchell
efe5a35c4a
Clean up plugin tests with CA info
2017-07-31 15:09:19 -04:00
Jeff Mitchell
c6615e1b51
Add a -dev-three-node option for devs. ( #3081 )
2017-07-31 11:28:06 -04:00
Calvin Leung Huang
dd72c96dc8
Add BackendType to existing backends ( #3078 )
2017-07-28 14:04:46 -04:00
Jeff Mitchell
158c21905e
Add note about ed25519 hashing to docs and path help.
Fixes #3074
Closes #3076
2017-07-28 09:30:27 -04:00
Chris Hoffman
0ac923d38b
fixing recovery from x/golang/crypto panics
2017-07-27 21:00:31 -04:00
Jeff Mitchell
4a951fdeac
Recover during a request forward.
gRPC doesn't have a handler for recovering from a panic like a normal
HTTP request so a panic will actually kill Vault's listener. This
basically copies the net/http logic for managing this.
The SSH-specific logic is removed here as the underlying issue is caused
by the request forwarding mechanism.
2017-07-27 11:44:56 -04:00
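The panic-recovery pattern this commit message describes, as an added example that is not Vault's code: a stand-alone Go wrapper that recovers a panic raised inside a forwarded request handler and converts it into an error return, logging the panic value and stack the way net/http's per-connection serve loop does instead of letting the goroutine unwind and take the listener down. The Request, Response and Handler types and the WithRecover function are assumptions for illustration, not Vault identifiers.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"runtime/debug"
)

// ErrHandlerPanic is what the caller sees when a forwarded handler panicked.
// The panic value itself stays in the server log, never in the response.
var ErrHandlerPanic = errors.New("request handler panicked")

// Request and Response are hypothetical stand-ins for the forwarded
// request and response types; they are not Vault's types.
type Request struct{ Path string }
type Response struct{ Status int }

// Handler is the hypothetical signature of a forwarded request handler.
type Handler func(*Request) (*Response, error)

// WithRecover wraps h so that a panic inside it becomes an error return
// instead of unwinding past the caller. This mirrors net/http's per-request
// recover in (*conn).serve: log the value and stack, then keep serving.
func WithRecover(h Handler, logf func(format string, args ...interface{})) Handler {
	return func(req *Request) (resp *Response, err error) {
		defer func() {
			if r := recover(); r != nil {
				logf("panic while handling %s: %v\n%s", req.Path, r, debug.Stack())
				resp = nil
				err = ErrHandlerPanic
			}
		}()
		return h(req)
	}
}

func main() {
	// Constructed handlers: one that panics (a nil-map write, the kind of
	// failure a library call can trigger without warning), one that behaves.
	crashing := WithRecover(func(*Request) (*Response, error) {
		var m map[string]int
		m["x"] = 1 // assignment to a nil map panics
		return &Response{Status: 200}, nil
	}, log.Printf)
	healthy := WithRecover(func(*Request) (*Response, error) {
		return &Response{Status: 200}, nil
	}, log.Printf)

	if _, err := crashing(&Request{Path: "/v1/ssh/sign/example"}); err != nil {
		fmt.Println("recovered:", err)
	}
	if resp, err := healthy(&Request{Path: "/v1/sys/health"}); err == nil {
		fmt.Println("status:", resp.Status)
	}
}
```

The wrapper deliberately returns a fixed error rather than the panic text: the recovered value can contain internal pointers, paths or key material, so it belongs in the operator's log and not in a response that crosses a trust boundary.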
Lars Lehtonen
79b1c910fe
Handle dropped checkok pattern in postgresql package ( #3046 )
2017-07-26 12:28:02 -04:00
Calvin Leung Huang
2b0f80b981
Backend plugin system ( #2874 )
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017 )
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Lars Lehtonen
730bb03c77
Fix swallowed errors in builtin ( #2977 )
2017-07-07 08:23:12 -04:00
Jeff Mitchell
a7d0fb7d50
Don't panic in audit logs when reading transit keys. ( #2970 )
2017-07-05 11:25:10 -04:00
Brian Shumate
99fe56434e
DOCS: fix typo in ssh path help ( #2966 )
2017-07-04 13:59:34 -04:00
Jeff Mitchell
f75f5b0add
Port TestCluster changes from proxy branch
2017-07-03 14:54:01 -04:00
Brian Nuszkowski
5bc4dc7540
Add the option to specify a specific key id format that is generated … ( #2888 )
2017-06-29 04:05:06 +01:00
Jeff Mitchell
25757049d3
Ensure TOTP codes cannot be reused. ( #2908 )
2017-06-23 16:21:34 +01:00
Jeff Mitchell
f6155ea8c5
If recovering from panic ensure the cert returned is nil
2017-06-16 18:18:15 -04:00
Jeff Mitchell
0ee100e0ec
Go's SSH library can panic without warning; recover.
Ping #2877 -- but don't close yet in case there are more places.
2017-06-16 18:16:45 -04:00
Matthew Irish
5190b87714
add min_encryption_version to the transit key response ( #2838 )
2017-06-08 13:07:18 -05:00
Jeff Mitchell
2daf018361
Add listing to database connections. ( #2827 )
Fixes #2823
2017-06-07 10:03:17 -04:00
Jeff Mitchell
bca213cf6d
Add ability to specify encryption key version in transit ( #2821 )
2017-06-06 16:02:54 -04:00
Brian Kassouf
abc900157b
Use the role name in the db username ( #2812 )
2017-06-06 09:49:49 -04:00
Jeff Mitchell
a52fae256a
ed25519 support in transit ( #2778 )
2017-06-05 15:00:39 -04:00
Jeff Mitchell
83ecd0f9ad
Allow accessing Warnings directly in Response. ( #2806 )
A change in copystructure has caused some panics due to the custom copy
function. I'm more nervous about production panics than I am about
keeping some bad code wiping out some existing warnings, so remove the
custom copy function and just allow direct setting of Warnings.
2017-06-05 10:52:43 -04:00
Jeff Mitchell
41d4c69b54
Update some path-help in datakey
2017-05-23 10:04:32 -04:00
Vishal Nayak
5d9277b2fb
Added host key call back for ssh config ( #2752 )
2017-05-21 20:16:13 -04:00
emily
38ffde5a9d
add gofmt checks to Vault and format existing code ( #2745 )
2017-05-19 08:34:17 -04:00
sprohaska
3ba9486ba9
logical/aws: Fix typo in warning message ( #2747 )
Signed-off-by: Steffen Prohaska <prohaska@zib.de>
2017-05-19 06:20:54 -04:00
Brian Kassouf
a51a0874b6
Update the error when no key can be found to a more clear error text ( #2720 )
2017-05-12 14:14:00 -04:00
Brian Kassouf
c55fd585f3
Add plugin level docs for what statements are supported and how they should be formatted
2017-05-11 11:59:58 -07:00
Seth Rutner
8675332afa
Fix typos in error message ( #2692 )
2017-05-10 10:28:35 -04:00
Jeff Mitchell
eb0e7cd0d2
Don't write salts in initialization, look up on demand ( #2702 )
2017-05-09 17:51:09 -04:00
Jeff Mitchell
2e567bd5e7
Only run cassandra tests on Travis for right now
2017-05-09 08:36:20 -04:00
Jeff Mitchell
2fbd973001
Add logic to skip initialization in some cases and some invalidation logic
2017-05-05 15:01:52 -04:00
Brian Kassouf
fcd4f903c3
Merge remote-tracking branch 'oss/master' into database-refactor
2017-05-04 12:40:00 -07:00
Brian Kassouf
886f873ffc
Update docs and return a better error message
2017-05-04 11:45:27 -07:00
mymercurialsky
461d658e88
Implemented TOTP Secret Backend ( #2492 )
* Initialized basic outline of TOTP backend using Postgresql backend as template
* Updated TOTP backend.go's structure and help string
* Updated TOTP path_roles.go's structure and help strings
* Updated TOTP path_role_create.go's structure and help strings
* Fixed typo in path_roles.go
* Fixed errors in path_role_create.go and path_roles.go
* Added TOTP secret backend information to cli commands
* Fixed build errors in path_roles.go and path_role_create.go
* Changed field values of period and digits from uint to int, added uint conversion of period when generating passwords
* Initialized TOTP test file based on structure of postgresql test file
* Added enforcement of input values
* Added otp library to vendor folder
* Added test steps and cleaned up errors
* Modified read credential test step, not working yet
* Use of vendored package not allowed - Test error
* Removed vendor files for TOTP library
* Revert "Removed vendor files for TOTP library"
This reverts commit fcd030994b.
* Hopefully fixed vendor folder issue with TOTP Library
* Added additional tests for TOTP backend
* Cleaned up comments in TOTP backend_test.go
* Added default values of period, algorithm and digits to field schema
* Changed account_name and issuer fields to optional
* Removed MD5 as a hash algorithm option
* Implemented requested pull request changes
* Added ability to validate TOTP codes
* Added ability to have a key generated
* Added skew, qr size and key size parameters
* Reset vendor.json prior to merge
* Readded otp and barcode libraries to vendor.json
* Modified help strings for path_role_create.go
* Fixed test issue in testAccStepReadRole
* Cleaned up error formatting, variable names and path names. Also added some additional documentation
* Moveed barcode and url output to key creation function and did some additional cleanup based on requested changes
* Added ability to pass in TOTP urls
* Added additional tests for TOTP server functions
* Removed unused QRSize, URL and Generate members of keyEntry struct
* Removed unnecessary urlstring variable from pathKeyCreate
* Added website documentation for TOTP secret backend
* Added errors if generate is true and url or key is passed, removed logger from backend, and revised parameter documentation.
* Updated website documentation and added QR example
* Added exported variable and ability to disable QR generation, cleaned up error reporting, changed default skew value, updated documentation and added additional tests
* Updated API documentation to inlude to exported variable and qr size option
* Cleaned up return statements in path_code, added error handling while validating codes and clarified documentation for generate parameters in path_keys
2017-05-04 10:49:42 -07:00
Brian Kassouf
55f1f5116a
Merge remote-tracking branch 'oss/master' into database-refactor
2017-05-04 10:45:18 -07:00
Brian Kassouf
c825362304
PR comments
2017-05-04 10:41:59 -07:00
Brian Kassouf
2af2b855f5
Feedback from PR
2017-05-03 17:37:34 -07:00
Brian Kassouf
a3619c4521
Update database backend tests to use the APIClientMeta for the plugin conns
2017-05-03 16:34:09 -07:00
Calvin Leung Huang
207983f526
Minor comment update on cert_util
2017-05-03 16:13:54 -04:00
Chris Hoffman
cf4ef59477
Merge pull request #2575 from hashicorp/pki-colons-to-hyphens
Change storage of PKI entries from colons to hyphens
2017-05-03 15:07:15 -04:00
Chris Hoffman
29e5ce66bb
Minor readability enhancements for migration path from old to new
2017-05-03 14:58:22 -04:00
Calvin Leung Huang
96bcd50de0
Include and use normalizeSerial func
2017-05-03 10:12:58 -04:00
Brian Kassouf
60753dcf12
Only wrap in tracing middleware if the logger is set to trace level
2017-05-02 17:19:49 -07:00
Brian Kassouf
1df8ec9ef7
Update the api for serving plugins and provide a utility to pass TLS data for communicating with the vault process
2017-05-02 14:40:11 -07:00
Calvin Leung Huang
8c03765bb5
Use variables for string replacements on cert_util
2017-05-02 14:11:57 -04:00
Brian Kassouf
6ddfe9aa7f
Rename NewPluginServer to just Serve
2017-05-02 02:00:39 -07:00
Brian Kassouf
6ca436cdf5
Don't store an error response as a package variable
2017-05-01 15:30:56 -07:00
Brian Kassouf
b87f8a13ed
Update interface name from Wrapper to a more descriptive RunnerUtil
2017-05-01 14:59:55 -07:00
Justin Gerace
2e8e9ed02d
Add globbing support to the PKI backend's allowed_domains list ( #2517 )
2017-05-01 10:40:18 -04:00
Calvin Leung Huang
74965a87af
Add test for ca and crl case
2017-04-28 08:55:28 -04:00
Vishal Nayak
c947e31d1b
Return error message for failure to parse CSR ( #2657 )
2017-04-28 08:30:24 -04:00
Calvin Leung Huang
38a01b8e1b
Refactor cert_util_test
2017-04-27 17:09:59 -04:00
Calvin Leung Huang
7fdf4acc6f
Verify update operation was performed on revokeCert
2017-04-27 12:30:44 -04:00
Calvin Leung Huang
a5ddaabdba
Rename tests, use HandleRequest() for existing paths
2017-04-27 09:47:56 -04:00
Brian Kassouf
2e2d3827da
Add check to ensure we don't overwrite existing connections
2017-04-26 16:43:42 -07:00
Brian Kassouf
f92d6868a0
Add an error check to reset a plugin if it is closed
2017-04-26 15:55:34 -07:00
Brian Kassouf
6b050470fd
Update to a RWMutex
2017-04-26 15:23:14 -07:00
Calvin Leung Huang
ced4c88050
Add remaining tests
2017-04-26 16:05:58 -04:00
Brian Kassouf
d8dbfc6a0c
Update the error messages for renew and revoke
2017-04-26 10:29:16 -07:00
Brian Kassouf
37aacba0da
Change ttl types to TypeDurationSecond
2017-04-26 10:02:37 -07:00
Calvin Leung Huang
4bf51ca52c
Fix crl_util test
2017-04-26 09:58:34 -04:00
Calvin Leung Huang
c269fe1ce0
Tests for cert and crl util
2017-04-26 02:46:01 -04:00
Brian Kassouf
6131bdd3b9
Default deny when allowed roles is empty
2017-04-25 11:48:24 -07:00
Brian Kassouf
e18757628c
Update the connection details data and fix allowedRoles
2017-04-25 11:11:10 -07:00
Brian Kassouf
58b0bbd477
Rename path_role_create to path_creds_create
2017-04-25 10:39:17 -07:00
Brian Kassouf
22612adefc
Use TypeCommaStringSlice for allowed_roles
2017-04-25 10:26:23 -07:00
Brian Kassouf
6741811407
Update logging to new structure
2017-04-25 10:24:19 -07:00
Brian Kassouf
194695f1fa
Don't uppercase ErrorResponses
2017-04-24 14:03:48 -07:00
Brian Kassouf
f6b96ccfa2
s/DatabaseType/Database/
2017-04-24 13:59:12 -07:00
Brian Kassouf
f1fa617e03
Calls to builtin plugins now go directly to the implementation instead of go-plugin
2017-04-20 18:46:41 -07:00
Brian Kassouf
afc5be1c67
Merge remote-tracking branch 'oss/master' into database-refactor
2017-04-19 15:16:00 -07:00
Chris Hoffman
d6edfc2a25
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
Chris Hoffman
6b55ab5db0
Mssql driver update ( #2610 )
* Switching driver from mssql to sqlserver
* Adding explicit database to sp_msloginmappings call
2017-04-18 17:49:59 -04:00
Jeff Mitchell
85b92811ab
Update sign-verbatim to correctly set generate_lease ( #2593 )
2017-04-18 15:54:31 -04:00
Jeff Mitchell
866b384494
Parse and dedup but do not lowercase principals in SSH certs. ( #2591 )
2017-04-18 12:21:02 -04:00
Jeff Mitchell
dba2de57de
Change storage of entries from colons to hyphens and add a lookup/migration path
Still TODO: tests on migration path
Fixes #2552
2017-04-18 11:14:23 -04:00
Jeff Mitchell
f698db479c
Fix cassandra dep breakage
2017-04-17 11:51:42 -04:00
Jeff Mitchell
f92b173295
Verify that a CSR specifies IP SANs before checking whether it's allowed ( #2574 )
2017-04-13 13:40:31 -04:00
Brian Kassouf
b20c17745c
Add allowed_roles parameter and checks
2017-04-13 10:33:34 -07:00
Brian Kassouf
4c75326aad
Cleanup path files
2017-04-12 17:35:02 -07:00
Brian Kassouf
03e2bcbc79
Update Type() to return an error
2017-04-12 16:41:06 -07:00
Brian Kassouf
f2401c0128
Merge branch 'master' into database-refactor
2017-04-12 14:29:10 -07:00
Brian Kassouf
8f75c30311
Update help text and comments
2017-04-11 11:50:34 -07:00
Brian Kassouf
da4d9a8b4f
Remove unnecessary abstraction
2017-04-10 18:38:34 -07:00
Brian Kassouf
de36d61e5a
Mlock the plugin process
2017-04-10 17:12:52 -07:00
Brian Kassouf
f54c4de98a
Add a flag to tell plugins to verify the connection was successful
2017-04-10 15:36:59 -07:00
Brian Kassouf
64efc505c8
Update plugin test
2017-04-10 14:12:28 -07:00
Brian Kassouf
73f66f89cd
Update the interface for plugins removing functions for creating creds
2017-04-10 12:24:16 -07:00
Brian Kassouf
3c1c388589
Update backend tests
2017-04-10 10:35:16 -07:00
Brian Kassouf
9ae5a2aede
Add backend test
2017-04-07 15:50:03 -07:00
Shivaram Lingamneni
7cbc5d6e05
implement a no_store option for pki roles ( #2565 )
2017-04-07 11:25:47 -07:00
Jeff Mitchell
14c0000169
Update SSH CA documentation
Fixes #2551
Fixes #2569
2017-04-07 11:59:25 -04:00
Brian Kassouf
8e77bd98d8
Move plugin code into sub directory
2017-04-06 12:20:10 -07:00
Brian Kassouf
8a2e29c607
Refactor to use builtin plugins from an external repo
2017-04-05 16:20:31 -07:00
Calvin Leung Huang
73a2cdf6a5
Do not mark conn as initialized until the end ( #2567 )
2017-04-04 14:26:59 -07:00
Brian Kassouf
df944f2d92
Don't return strings, always structs
2017-04-04 11:33:58 -07:00
Calvin Leung Huang
8e3cb50bfc
Database refactor invalidate ( #2566 )
* WIP on invalidate function
* cassandraConnectionProducer has Close()
* Delete database from connections map on successful db.Close()
* Move clear connection into its own func
* Use const for database config path
2017-04-04 11:32:42 -07:00
Jeff Mitchell
cfd522e0f0
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
Brian Kassouf
1faa5fc020
On change of configuration rotate the database type
2017-04-03 18:30:38 -07:00
Brian Kassouf
b54e1cd295
Merge branch 'database-refactor' of github.com:hashicorp/vault into database-refactor
2017-04-03 17:52:41 -07:00
Brian Kassouf
ac519abecf
Plugin catalog
2017-04-03 17:52:29 -07:00
Calvin Leung Huang
2b08521ab6
Database refactor mssql ( #2562 )
* WIP on mssql secret backend refactor
* Add RevokeUser test, and use sqlserver driver internally
* Remove debug statements
* Fix code comment
2017-04-03 09:59:30 -07:00
Brian Kassouf
1d3d3b7803
fix for plugin commands that have more than one parameter
2017-03-28 14:37:57 -07:00
Brian Kassouf
8ef78f0610
Add comments to connection and credential producers
2017-03-28 13:08:11 -07:00
Brian Kassouf
947fd66480
Cleanup the db factory code and add comments
2017-03-28 12:57:30 -07:00
Brian Kassouf
0c562fa3d7
Update tests
2017-03-28 12:20:17 -07:00
Brian Kassouf
6de5cfad5e
Add functionality to build db objects from disk so restarts work
2017-03-28 11:30:45 -07:00
Brian Kassouf
d93378bb29
Fix for checking types of database on update
2017-03-28 10:04:42 -07:00
Brian Kassouf
b2c4555c1f
Wrap the database calls with tracing information
2017-03-27 15:17:28 -07:00
Brian Kassouf
ca026c6cfd
Remove the unused sync.Once object
2017-03-27 11:46:20 -07:00
Brian Kassouf
e870e399a2
More work on getting tests to pass
2017-03-23 15:54:15 -07:00
Brian Kassouf
a1b72465dd
Remove unused code block
2017-03-22 17:09:39 -07:00
Brian Kassouf
cab491f7b7
s/postgres/mysql/
2017-03-22 16:44:33 -07:00
Brian Kassouf
73e553af95
Add test files for postgres and mysql databases
2017-03-22 16:39:08 -07:00
Brian Kassouf
9aaec25a4e
Add a error message for empty creation statement
2017-03-22 12:40:16 -07:00
Brian Kassouf
1be813605f
Fix race with deleting the connection
2017-03-22 09:54:19 -07:00
Brian Kassouf
2d6f36df17
Add a delete method
2017-03-21 17:19:30 -07:00
Brian Kassouf
2fdb3422a9
Verify connections regardless of if this connections is already existing
2017-03-21 16:05:59 -07:00
Vishal Nayak
16d41a8b28
sshca: ensure at least cert type is allowed ( #2508 )
2017-03-19 18:58:48 -04:00
Brian Kassouf
ff6749b198
Comment and fix plugin Type function
2017-03-16 18:24:56 -07:00
Brian Kassouf
404596e261
Change the handshake config from the default
2017-03-16 17:51:25 -07:00
Brian Kassouf
4043f533b8
Add a secure config to verify the checksum of the plugin
2017-03-16 16:20:18 -07:00
Brian Kassouf
2ef1cbf3a6
Comment and slight refactor of the TLS plugin helper
2017-03-16 14:14:49 -07:00
Brian Kassouf
3890f194a4
Break tls code into helper library
2017-03-16 11:55:21 -07:00
Jeff Mitchell
3f67ab489a
Ensure CN check is made when exclude_cn_from_sans is used
Fixes #2363
2017-03-16 11:41:13 -04:00
Jeff Mitchell
a5d1808efe
Always include a hash of the public key and "vault" (to know where it came from) when generating a cert for SSH. ( #2498 )
Follow on from #2494
2017-03-16 11:14:17 -04:00
Mike Okner
6f84f7ffd0
Adding allow_user_key_ids field to SSH role config ( #2494 )
Adding a boolean field that determines whether users will be allowed to
set the ID of the signed SSH key or whether it will always be the token
display name. Preventing users from changing the ID and always using
the token name is useful for auditing who actually used a key to access
a remote host since sshd logs key IDs.
2017-03-16 08:45:11 -04:00
Brian Kassouf
5b05f62fa3
Work on TLS communication over plugins
2017-03-15 17:14:48 -07:00
Jeff Mitchell
688104e69a
Allow roles to specify whether CSR SANs should be used instead of request values. Fix up some documentation. ( #2489 )
Fixes #2451
Fixes #2488
2017-03-15 14:38:18 -04:00
Jeff Mitchell
799000be20
Set CA chain when intermediate does not have an authority key ID.
This is essentially an approved review of the code provided in #2465 .
Fixes #2465
2017-03-15 11:52:02 -04:00
Brian Kassouf
a6ae4bd356
wrap plugin database type with metrics middleware
2017-03-14 13:12:47 -07:00
Brian Kassouf
143166b1ba
Add a metrics middleware
2017-03-14 13:11:28 -07:00
Stanislav Grozev
70b30b40d4
Reads on unconfigured SSH CA public key return 400
2017-03-14 10:21:48 -04:00
Stanislav Grozev
5f3397bff5
Reads on ssh/config/ca return the public keys
If configured/generated.
2017-03-14 10:21:48 -04:00
Stanislav Grozev
d22796c644
If generating an SSH CA signing key - return the public part
So that the user can actually use the SSH CA, by adding the public key
to their respective sshd_config/authorized_keys, etc.
2017-03-14 10:21:48 -04:00
Brian Kassouf
c111b02568
Add a way to initialize plugins and builtin databases the same way.
2017-03-13 14:39:55 -07:00
Brian Kassouf
a0d207e254
Add checksum attribute
2017-03-10 14:10:42 -08:00
Brian Kassouf
72a878b180
Rename reset to close
2017-03-09 22:35:45 -08:00
Brian Kassouf
b63147b7c2
Add special path to enforce root on plugin configuration
2017-03-09 21:31:29 -08:00
Brian Kassouf
3766ab14e5
Add plugin file
2017-03-09 17:43:58 -08:00
Brian Kassouf
d4ea6c1768
Add plugin features
2017-03-09 17:43:37 -08:00
Vishal Nayak
9af1ca3d2c
doc: ssh allowed_users update ( #2462 )
* doc: ssh allowed_users update
* added some more context in default_user field
2017-03-09 10:34:55 -05:00
vishalnayak
3bd667a931
Fix typo
2017-03-08 17:49:39 -05:00
Brian Kassouf
00359cdea4
Update secrets fields
2017-03-08 14:46:53 -08:00
Vishal Nayak
a4e41f6568
SSH CA enhancements ( #2442 )
* Use constants for storage paths
* Upgrade path for public key storage
* Fix calculateValidPrincipals, upgrade ca_private_key, and other changes
* Remove a print statement
* Added tests for upgrade case
* Make exporting consistent in creation bundle
* unexporting and constants
* Move keys into a struct instead of plain string
* minor changes
2017-03-08 17:36:21 -05:00
Brian Kassouf
cd68899a4a
Fix renew and revoke calls
2017-03-07 17:21:44 -08:00
Brian Kassouf
73200db1d9
Add defaults to the cassandra database type
2017-03-07 17:00:52 -08:00
Brian Kassouf
78fdc2ad24
Pass statements object
2017-03-07 16:48:17 -08:00
Brian Kassouf
01300e026b
Remove unused sql object
2017-03-07 15:34:23 -08:00
Brian Kassouf
1d23bbbe28
Remove double lock
2017-03-07 15:33:05 -08:00
Brian Kassouf
c823ad0597
Update locking functionality
2017-03-07 13:48:29 -08:00
Jeff Mitchell
df575f0b3a
Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Brian Kassouf
354233f91d
rename mysql variable
2017-03-03 15:07:41 -08:00
Brian Kassouf
4d335099de
Make db instances immutable and add a reset path to tear down and create a new database instance with an updated config
2017-03-03 14:38:49 -08:00
Brian Kassouf
fa8da4cf91
Fix mysql connections
2017-03-03 14:38:49 -08:00
Brian Kassouf
e442917e26
Add mysql into the factory
2017-03-03 14:38:48 -08:00
Brian Kassouf
5e2cffcdd0
Add max connection lifetime param and set consistency on cassandra session
2017-03-03 14:38:48 -08:00
Brian Kassouf
cee3dc9b9e
s/Statement/Statements/
2017-03-03 14:38:48 -08:00
Brian Kassouf
bfbb104e19
Add mysql database type
2017-03-03 14:38:48 -08:00
Brian Kassouf
ad17d113c7
More work on refactor and cassandra database
2017-03-03 14:38:48 -08:00
Brian Kassouf
3d77a9a6f4
Begin work on database refactor
2017-03-03 14:38:48 -08:00
Vishal Nayak
8491db3ce6
ssh: Added DeleteOperation to config/ca (#2434)
* ssh: Added DeleteOperation to config/ca
* Address review feedback
2017-03-03 10:19:45 -05:00
Jeff Mitchell
5fe459f91a
Update SSH CA logic/tests
2017-03-02 16:39:22 -05:00
Vishal Nayak
93b74ebe71
Refactor the generate_signing_key processing (#2430)
2017-03-02 16:22:06 -05:00
Jeff Mitchell
1c821e448d
Update error text to make it more obvious what the issue is when valid principals aren't found
2017-03-02 15:56:08 -05:00
Jeff Mitchell
db29bde264
Fix a bunch of errors from returning 5xx, and parse more duration types
2017-03-02 15:38:34 -05:00
Will May
ffb5ee7fda
Changes from code review
2017-03-02 14:36:13 -05:00
Will May
f9d853f7f0
Allow internal generation of the signing SSH key pair
2017-03-02 14:36:13 -05:00
Vishal Nayak
d30a833db7
Rework ssh ca (#2419)
* docs: input format for default_critical_options and default_extensions
* s/sshca/ssh
* Added default_critical_options and default_extensions to the read endpoint of role
* Change default time return value to 0
2017-03-01 15:50:23 -05:00
Will May
7d9cb5bffe
Changes from code review
Major changes are:
* Remove duplicate code
* Check the public key used to configure the backend is a valid one
2017-03-01 15:19:18 -05:00
Will May
59397250da
Changes from code review
Major changes are:
* Change `allow_{user,host}_certificates` to default to false
* Add separate `allowed_domains` role property
2017-03-01 15:19:18 -05:00
Will May
1d59b965cb
Add ability to create SSH certificates
2017-03-01 15:19:18 -05:00
vishalnayak
041817b300
Fix broken build caused by resolving merge conflicts
2017-02-24 12:41:20 -05:00
Vishal Nayak
e3016053b3
PKI: Role switch to control lease generation (#2403)
* pki: Make generation of leases optional
* pki: add tests for upgrading generate_lease
* pki: add tests for leased and non-leased certs
* docs++ pki generate_lease
* Generate lease is applicable for both issuing and signing
* pki: fix tests
* Address review feedback
* Address review feedback
2017-02-24 12:12:40 -05:00
Saj Goonatilleke
9cd9fbbad3
pki: Include private_key_type on DER-formatted responses from /pki/issue/ (#2405)
2017-02-24 11:17:59 -05:00
Jeff Mitchell
8acbdefdf2
More porting from rep (#2388)
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell
98c7bd6c03
Port some replication bits to OSS (#2386)
2017-02-16 15:15:02 -05:00
Jeff Mitchell
28883acc16
Fix copypasta, thanks tests
2017-02-16 01:32:39 -05:00
Jeff Mitchell
5e5d9baabe
Add Organization support to PKI backend. (#2380)
Fixes #2369
2017-02-16 01:04:29 -05:00
Vishal Nayak
a9121ff733
transit: change batch input format (#2331)
* transit: change batch input format
* transit: no json-in-json for batch response
* docs: transit: update batch input format
* transit: fix tests after changing response format
2017-02-06 14:56:16 -05:00