mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-28 10:01:11 +02:00
Code Issues Projects Releases Wiki Activity
14,369 Commits 2,836 Branches 445 Tags
Commit Graph

1244 Commits

Author SHA1 Message Date
Jeff Mitchell
a763391615 Change a few checks on names: 
- Allow an email address to be the common name of a cert even if email
protection isn't in the role if any name is set to true (this allows
certificates with a common name entry of an email address but used for
other purposes; here just for CA cert signing).

- Don't check the user part of an email against the hostname regex.
Emails can contain e.g. "+" and "_" and these should be allowed even
though they're not part of a valid hostname.

Also, fix a nil pointer issue.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
f8deb998ed Add config/urls CRUD operations to get and set the URLs encoded into 
certificates for the issuing certificate URL, CRL distribution points,
and OCSP servers.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
aae434576f Change use_csr_subject to use_csr_values; copy not only the subject, but 
also the alternate names and the extensions over as well.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
e8f1e8eb98 Remove setting serial number in the pkix Subject 2015-11-19 09:51:17 -05:00
Jeff Mitchell
a093508ceb Add a flag so that when signing CA certificates, the Subject (including names and extra names) can be used verbatim from the CSR 2015-11-19 09:51:17 -05:00
Jeff Mitchell
03e4ab785d Add capability to use the CSR's common name (by default for CA CSRs if 
no common_name parameter is given, role-controlled for non-CA CSRs).

Fix logic around the CA/CRL endpoints. Now settable when generating a
self-signed root or setting a CA cert into the backend; if not set,
these values are not set in issued certs. Not required when signing an
intermediate cert (and in fact it was wrong to do so in the first
place).
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
4e73187837 Add support for EC CA keys, output to base64-encoded DER instead of PEM, and tests for all of those. Also note that Go 1.5 is now required. 2015-11-19 09:51:17 -05:00
Jeff Mitchell
62e4b89ea7 Address some minor PR feedback 2015-11-19 09:51:17 -05:00
Jeff Mitchell
f46b5b90c7 Fix otto import of uuid 2015-11-19 09:51:17 -05:00
Jeff Mitchell
76f94fe49b Cleanup, and add ability to sign CA CSRs that aren't destined for Vault 2015-11-19 09:51:17 -05:00
Jeff Mitchell
c33c43620f Add tests for intermediate signing and CRL, and fix a couple things 
Completes extra functionality.
 2015-11-19 09:51:17 -05:00
Jeff Mitchell
e45af0a17b Add unit tests to test signing logic, fix up test logic for names 2015-11-19 09:51:17 -05:00
Jeff Mitchell
10c2b9f76b Handle email address alternative names, fix up tests, fix up logic around name verification 2015-11-19 09:51:17 -05:00
Jeff Mitchell
41799529f7 Add allow_base_domain to control whether or not the actual base domain is allowed as a cert common name and/or DNS SAN 2015-11-19 09:51:17 -05:00
Jeff Mitchell
4cf1508898 Add email protection flag plumbing and tests; don't call generate bundle when making an intermediate CSR since everything is now ignored 2015-11-19 09:51:17 -05:00
Jeff Mitchell
62049cd059 Add sign method (untested) 2015-11-19 09:51:17 -05:00
Jeff Mitchell
667d5cafd3 Don't show field names when not needed 2015-11-19 09:51:17 -05:00
Jeff Mitchell
55fc4ba898 Implement CA cert/CSR generation. CA certs can be self-signed or 
generate an intermediate CSR, which can be signed.
 2015-11-19 09:51:17 -05:00
Kevin Pike
af4768cefc rabbitmq secret backend 2015-11-18 21:21:52 -08:00
Jeff Mitchell
07c0146542 Allow creating Consul management tokens 
Fixes #714
 2015-11-03 15:29:58 -05:00
Seth Vargo
3e2c4ffb7b Fix breaking API changes 2015-10-30 18:22:48 -04:00
Jeff Mitchell
8a11c2d3c7 Update Postgres tests and changelogify 2015-10-30 12:41:45 -04:00
Jeff Mitchell
d066aea418 Revoke permissions before dropping user in postgresql. 
Currently permissions are not revoked, which can lead revocation to not
actually work properly. This attempts to revoke all permissions and only
then drop the role.

Fixes issue #699
 2015-10-30 11:58:52 -04:00
Jeff Mitchell
d3aebadc3c Fix wording 2015-10-29 12:58:29 -04:00
Jeff Mitchell
5c0a16b16a Use cleanhttp instead of bare http.Client 2015-10-22 14:37:12 -04:00
Jeff Mitchell
0dbbef1ac0 Don't use http.DefaultClient 
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.

Fixes #700, I believe.
 2015-10-15 17:54:00 -04:00
Jeff Mitchell
0ea4271ddb Use split-out hashicorp/uuid 2015-10-12 14:07:12 -04:00
Vishal Nayak
e217795abd Merge pull request #661 from hashicorp/maxopenconns 
Parameterize max open connections in postgresql and mysql backends
 2015-10-03 16:55:20 -04:00
vishalnayak
8dc5bdf0e3 Added ConnectionURL along with ConnectionString 2015-10-02 23:47:10 -04:00
Jeff Mitchell
5088eb322c Remove use of os/user as it cannot be run with CGO disabled 2015-10-02 18:43:38 -07:00
vishalnayak
af61803256 fix struct tags 2015-10-02 14:13:27 -04:00
vishalnayak
fd72fbd342 Fix ConnectionString JSON value 2015-10-02 12:07:31 -04:00
vishalnayak
93c4cccc6e mysql: made max_open_connections configurable 2015-10-01 21:15:56 -04:00
vishalnayak
bc5ad114e4 postgresql: Configurable max open connections to the database 2015-10-01 20:11:24 -04:00
Jeff Mitchell
6c21b3b693 Remove JWT for the 0.3 release; it needs a lot of rework. 2015-09-24 16:23:44 -04:00
Jeff Mitchell
3dee178392 Start rejigging JWT 2015-09-24 16:20:22 -04:00
Jeff Mitchell
fa53293b7b Enhance SSH backend documentation; remove getting of stored keys and have TTLs honor backends systemview values 2015-09-21 16:14:30 -04:00
Jeff Mitchell
08a81a3364 Update transit backend documentation, and also return the min decryption 
value in a read operation on the key.
 2015-09-21 16:13:43 -04:00
Jeff Mitchell
a4ca14cfbc Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell
fa6cbba286 Move no_plaintext to two separate paths for datakey. 2015-09-18 14:41:05 -04:00
Jeff Mitchell
b8fe460170 Add datakey generation to transit. 
Can specify 128 bits (defaults to 256) and control whether or not
plaintext is returned (default true).

Unit tests for all of the new functionality.
 2015-09-18 14:41:05 -04:00
Jeff Mitchell
82d1f28fb6 Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-18 14:41:05 -04:00
Jeff Mitchell
46073e4470 Enhance transit backend: 
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
 2015-09-18 14:41:05 -04:00
Jeff Mitchell
11cea42ec7 Rename View to StorageView to make it more distinct from SystemView 2015-09-15 13:50:37 -04:00
Lassi Pölönen
1a6f778623 Define time zone explicitly in postgresql connection string. 2015-09-14 13:43:06 +03:00
Lassi Pölönen
ea2a6361eb Explicitly set timezone with PostgreSQL timestamps. 2015-09-14 13:43:06 +03:00
Lassi Pölönen
a769c1231b Call ResetDB as Cleanup routine to close existing database connections 
on backend unmount.
 2015-09-11 11:45:58 +03:00
Vishal Nayak
73416e1a0d Merge pull request #580 from hashicorp/zeroaddress-path 
Add root authenticated path to allow default CIDR to select roles
 2015-09-10 15:28:49 -04:00
Jeff Mitchell
4eb9cd4c28 Remove error returns from sysview TTL calls 2015-09-10 15:09:54 -04:00
Jeff Mitchell
dd8ac00daa Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00