Commit graph

1518 commits

Author SHA1 Message Date
Jeff Mitchell
be04e96779
Populate AWS-generated tokens with default lease TTL to fix comparisons against role max (#4107)
* Populate AWS-generated tokens with default lease TTL to fix comparisons against role max

* Fix printing TTLs when capping them
2018-03-08 13:08:00 -05:00
Jeff Mitchell
c12894310d
Revert "Fix AWS auth max_ttl being ignored when ttl is not set (#4086)" (#4105)
This reverts commit 135cb4e687.
2018-03-08 11:08:32 -05:00
Kevin Wang
135cb4e687 Fix AWS auth max_ttl being ignored when ttl is not set (#4086)
If ttl is not set, the value of `resp.Auth.TTL` is 0, resulting in the
max TTL check being skipped.

Also fixes the formatting of the warning message.
2018-03-08 11:07:51 -05:00
Brian Nuszkowski
ffdbcc4166 Return value when reading a SSH CA Role (#4098) 2018-03-07 23:26:33 -05:00
Calvin Leung Huang
01eecf9d1a
Non-HMAC audit values (#4033)
* Add non-hmac request keys

* Update comment

* Initial audit request keys implementation

* Add audit_non_hmac_response_keys

* Move where req.NonHMACKeys gets set

* Minor refactor

* Add params to auth tune endpoints

* Sync cache on loadCredentials

* Explicitly unset req.NonHMACKeys

* Do not error if entry is nil

* Add tests

* docs: Add params to api sections

* Refactor audit.Backend and Formatter interfaces, update audit broker methods

* Add audit_broker.go

* Fix method call params in audit backends

* Remove fields from logical.Request and logical.Response, pass keys via LogInput

* Use data.GetOk to allow unsetting existing values

* Remove debug lines

* Add test for unsetting values

* Address review feedback

* Initialize values in FormatRequest and FormatResponse using input values

* Update docs

* Use strutil.StrListContains

* Use strutil.StrListContains
2018-03-02 12:18:39 -05:00
Joel Thompson
8a115c73d9 auth/aws: Allow lists in binds (#3907)
* auth/aws: Allow lists in binds

In the aws auth method, allow a number of binds to take in lists
instead of a single string value. The intended semantic is that, for
each bind type set, clients must match at least one of each of the bind
types set in order to authenticate.
2018-03-02 11:09:14 -05:00
Jeff Mitchell
747a8c4a86 Remove structs/mapstructure tags from auth/aws 2018-02-27 15:27:49 -05:00
Jeff Mitchell
6189dc04ff Remove structs package from auth/aws 2018-02-27 13:22:47 -05:00
Joel Thompson
e4eccb389f auth/aws: Add functional test for detached RSA signature (#4031)
Previously the functional test was only testing the PCKS7-signed identity
document, not the detached RSA signature, so adding a test for that in the
functional test suite.
2018-02-22 20:55:45 -05:00
Jeff Mitchell
f54832b10a *Partially* revert "Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10"
This partially reverts commit 83f6b21d3e.
2018-02-22 20:15:56 -05:00
Jeff Mitchell
831fbe293a Revert "Remove unneeded looping since Go 1.10 cover it already (#4010)"
This reverts commit 8aeba427d2.
2018-02-22 20:13:36 -05:00
Jeff Mitchell
e950b77544 Revert "Switch to a forked copy of pkcs7 to fix aws pkcs7 verification error (#4024)"
This reverts commit f75c7dd157.
2018-02-22 20:09:19 -05:00
Jeff Mitchell
f75c7dd157
Switch to a forked copy of pkcs7 to fix aws pkcs7 verification error (#4024)
Fixes #4014
2018-02-22 08:49:11 -05:00
Andrei Burd
8bb4bdab4d Handling nomad maxTokenNameLength = 64 (#4009) 2018-02-20 10:16:37 -05:00
Vishal Nayak
8aeba427d2 Remove unneeded looping since Go 1.10 cover it already (#4010) 2018-02-20 07:34:55 -05:00
Jeff Mitchell
2d22d8a99a Fix PKI tests by generating on-demand 2018-02-20 00:23:37 -05:00
Jeff Mitchell
83f6b21d3e Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10 2018-02-19 22:46:17 -05:00
Robison Jacka
7a46918f8c Adding path roles test coverage for storing PKIX fields (#4003) 2018-02-18 16:22:35 -05:00
Robison Jacka
45a90a9fe3 Add test coverage for recently-added PKIX fields. (#4002) 2018-02-18 13:21:54 -05:00
Jeff Mitchell
fbcad150aa Fix missing CommonName in subject generation 2018-02-17 21:01:36 -05:00
Vishal Nayak
1deaed2ffe
Verify DNS SANs if PermittedDNSDomains is set (#3982)
* Verify DNS SANs if PermittedDNSDomains is set

* Use DNSNames check and not PermittedDNSDomains on leaf certificate

* Document the check

* Add RFC link

* Test for success case

* fix the parameter name

* rename the test

* remove unneeded commented code
2018-02-16 17:42:29 -05:00
Jeff Mitchell
a43a854740
Support other names in SANs (#3889) 2018-02-16 17:19:34 -05:00
Mohsen
9db39c8d09 Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 11:11:17 -05:00
Brian Nuszkowski
0e2d214864 Add Okta specific MFA workflow to Okta auth method (#3980)
* Add Okta specific MFA workflow to Okta auth method. Note this only
supports Okta Push.
2018-02-14 20:28:19 -05:00
Brian Nuszkowski
7a628e64ca Disable redirects on the http client that calls AWS STS api, which (#3983)
is used in the AWS IAM auth method.

Co-authored-by: Max Justicz <max@justi.cz>
2018-02-14 20:27:13 -05:00
Jeff Mitchell
ef00a69f11
Add ChaCha20-Poly1305 support to transit (#3975) 2018-02-14 11:59:46 -05:00
Nicolas Troncoso
6e6b0eb086 Turns the okta groups array into a coma separated string (#3956) 2018-02-13 08:18:43 -05:00
Jeff Mitchell
07f8ebbbf6
Various PKI updates (#3953) 2018-02-10 10:07:10 -05:00
Jeff Mitchell
a9a322aa39
Adds the ability to bypass Okta MFA checks. (#3944)
* Adds the ability to bypass Okta MFA checks.

Unlike before, the administrator opts-in to this behavior, and is
suitably warned.

Fixes #3872
2018-02-09 17:03:49 -05:00
Jeff Mitchell
71336d3596 Fix compile 2018-02-09 14:04:05 -05:00
Chris Hoffman
4120046ac8 Fix auditing for transit keys with backup/restore info (#3919) 2018-02-09 13:54:18 -05:00
Vishal Nayak
58cab5f59f added a flag to make common name optional if desired (#3940)
* added a flag to make common name optional if desired

* Cover one more case where cn can be empty

* remove skipping when empty; instead check for emptiness before calling validateNames

* Add verification before adding to DNS names to also fix #3918
2018-02-09 13:42:19 -05:00
Vishal Nayak
0587540fea
avoid masking of role tag response (#3941) 2018-02-07 20:43:05 -05:00
Vishal Nayak
462caf4c6d
AppRole: Cleanup accessor indexes and dangling accessor indexes (#3924)
* Cleanup accessor indexes and dangling accessor indexes

* Add a test that exercises the accessor cleanup
2018-02-06 15:44:48 -05:00
John Eismeier
acc37c3cc9 Fix some typos (#3923) 2018-02-06 13:35:01 -05:00
Jeff Mitchell
7d73ac4c96 go vet fixes 2018-02-05 14:26:31 -05:00
Joel Thompson
9584ff537f auth/aws: Switch role tag processing from strings.Contains to strings.HasPrefix (#3906)
strings.HasPrefix is more correct; if a tag part value ended up
containing the expected prefix of another part, it could cause incorrect
parsing. I don't think that these values would be semantically legal
today, but it's probably better to be defensive.
2018-02-04 19:37:03 -05:00
Jeff Mitchell
7ada9f634a
Differentiate between user/internal error in AppRole login. (#3902)
* Differentiate between user/internal error in AppRole login.

This allows us to properly pass through internal errors back up into
core.

* Separate out error cases
2018-02-02 20:34:32 -05:00
Jeff Mitchell
1a3fa27dad
Don't run rollback and upgrade functionality if we are a replication secondary (#3900)
* Don't run rollback and upgrade functionality if we are a replication
secondary, but do if the mount is local.
2018-02-02 20:28:25 -05:00
Vishal Nayak
7a4e7c8242 Add the actual error object to the message (#3901) 2018-02-02 19:06:08 -05:00
John Eismeier
ce1b43cd48 Propose small spelling change (#3890) 2018-02-01 12:51:38 -05:00
Josh Giles
75b9e2174a Return Okta config TTLs in seconds, not nanos. (#3871) 2018-02-01 12:44:57 -05:00
Jeff Mitchell
d9eb24d671 Prep for 0.9.2 2018-01-26 13:59:01 -05:00
Vishal Nayak
909b9ff574
Remove logical.Initialize() method (#3848)
* Remove logical.Initialize() method

* More cleanup

* Fix test
2018-01-25 20:19:27 -05:00
Joel Thompson
5f4ee049f9 auth/aws: Fix error with empty bound_iam_principal_arn (#3843)
* auth/aws: Fix error with empty bound_iam_principal_arn

In cases where there doesn't need to be a bound_iam_principal_arn, i.e.,
either auth_type is ec2 or there are other bindings with the iam
auth_type, but it is specified explicitly anyway, Vault tried to parse
it to resolve to internal unique IDs. This now checks to ensure that
bound_iam_principal_arn is non-empty before attempting to resolve it.

Fixes #3837

* Fix extraneous newline
2018-01-24 23:08:05 -05:00
Calvin Leung Huang
c3c63313f3
Version protocol switch (#3833)
* Use version to determine plugin protocol to use

* Remove field from ServeOpts

* Fix missing assignment, handle errors

* contraint -> constraint

* Inject the version string from the vault side

* Fix the version check

* Add grpc support check to database plugins

* Default to use grpc unless missing env var or fail on contraint check

* Add GRPCSupport test

* Add greater than test case

* Add go-version dep
2018-01-23 17:29:26 -05:00
Brian Kassouf
8142b42d95 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Brian Kassouf
03f6108822
gRPC Backend Plugins (#3808)
* Add grpc plugins

* Add grpc plugins

* Translate wrap info to/from proto

* Add nil checks

* Fix nil marshaling errors

* Provide logging through the go-plugin logger

* handle errors in the messages

* Update the TLS config so bidirectional connections work

* Add connectivity checks

* Restart plugin and add timeouts where context is not availible

* Add the response wrap data into the grpc system implementation

* Add leaseoptions to pb.Auth

* Add an error translator

* Add tests for translating the proto objects

* Fix rename of function

* Add tracing to plugins for easier debugging

* Handle plugin crashes with the go-plugin context

* Add test for grpcStorage

* Add tests for backend and system

* Bump go-plugin for GRPCBroker

* Remove RegisterLicense

* Add casing translations for new proto messages

* Use doneCtx in grpcClient

* Use doneCtx in grpcClient

* s/shutdown/shut down/
2018-01-18 13:49:20 -08:00
Calvin Leung Huang
2069614486
Don't call LeaseExtend on login renewal paths when period is provided (#3803)
* Don't call LeaseExtend on login renewal paths when period is provided

* WIP tests

* NoopBackend accept backend ttl values

* Test period value on credentials backend

* Use t.Fatalf instead

* Remove mockCoreExpiration

* Add login renewal test for approle backend

* Add resp.Auth.Period check on aws and cert backend tests

* Pass in approle's period via role's period

* Correctly set period in valid-role's role

* Add period renewal test using TestCluster and approle backend

* Check for ttl values after renewals on test
2018-01-18 12:19:18 -05:00
samiam
4ddd1f2668 Write password prompts to stderr to avoid co-mingling stdout (#3781) (#3782) 2018-01-18 12:14:19 -05:00