Commit graph

99 commits

Author SHA1 Message Date
Jeff Mitchell
831fbe293a Revert "Remove unneeded looping since Go 1.10 cover it already (#4010)"
This reverts commit 8aeba427d2.
2018-02-22 20:13:36 -05:00
Vishal Nayak
8aeba427d2 Remove unneeded looping since Go 1.10 cover it already (#4010) 2018-02-20 07:34:55 -05:00
Vishal Nayak
1deaed2ffe
Verify DNS SANs if PermittedDNSDomains is set (#3982)
* Verify DNS SANs if PermittedDNSDomains is set

* Use DNSNames check and not PermittedDNSDomains on leaf certificate

* Document the check

* Add RFC link

* Test for success case

* fix the parameter name

* rename the test

* remove unneeded commented code
2018-02-16 17:42:29 -05:00
John Eismeier
acc37c3cc9 Fix some typos (#3923) 2018-02-06 13:35:01 -05:00
Jeff Mitchell
7d73ac4c96 go vet fixes 2018-02-05 14:26:31 -05:00
Brian Kassouf
8142b42d95 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Calvin Leung Huang
2069614486
Don't call LeaseExtend on login renewal paths when period is provided (#3803)
* Don't call LeaseExtend on login renewal paths when period is provided

* WIP tests

* NoopBackend accept backend ttl values

* Test period value on credentials backend

* Use t.Fatalf instead

* Remove mockCoreExpiration

* Add login renewal test for approle backend

* Add resp.Auth.Period check on aws and cert backend tests

* Pass in approle's period via role's period

* Correctly set period in valid-role's role

* Add period renewal test using TestCluster and approle backend

* Check for ttl values after renewals on test
2018-01-18 12:19:18 -05:00
Jeff Mitchell
66206f264e Move around some logic to be neater 2018-01-18 11:47:24 -05:00
Dominik Müller
e28d924550 add allowed_names to cert-response (#3779) 2018-01-16 13:41:58 -05:00
Jeff Mitchell
0a2c911c03 Merge branch 'master-oss' into sethvargo/cli-magic 2018-01-10 11:15:49 -05:00
Brian Kassouf
78adac0a24
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Jeff Mitchell
d6552a11cc Merge branch 'master-oss' into sethvargo/cli-magic 2018-01-03 14:02:31 -05:00
Calvin Leung Huang
40b8314c4d Add period and max_ttl to cert role creation (#3642) 2017-12-18 15:29:45 -05:00
Chris Hoffman
563edbe1f6
short circuit cert extensions check (#3712) 2017-12-18 13:19:05 -05:00
Travis Cosgrave
95328e2fb4 Use Custom Cert Extensions as Cert Auth Constraint (#3634) 2017-12-18 12:53:44 -05:00
Dominik Müller
534ea1771d add allowed_names to cert-response (#3654) 2017-12-06 16:50:02 -05:00
Seth Vargo
b8e4b0d515
Standardize on "auth method"
This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method
2017-10-24 09:32:15 -04:00
Seth Vargo
1794af3873
Update credential help
Use "vault login" instead of "vault auth" and use "method" consistently over provider.
2017-10-24 09:30:47 -04:00
Seth Vargo
d71b7e6824
Update help output for cert auth 2017-10-24 09:26:44 -04:00
Jeff Mitchell
cd6d67d84b Final sync 2017-10-23 17:39:21 -04:00
Vishal Nayak
605182d0f4 add entity aliases from credential backends (#3457) 2017-10-15 15:13:12 -04:00
Jeff Mitchell
2f6c2b88bb Sanitize policy behavior across backends (#3324)
Fixes #3323
Fixes #3318

* Fix tests

* Fix tests
2017-09-13 11:36:52 -04:00
Lars Lehtonen
70d16fb072 Fix goroutine logging in cert test (#3224) 2017-09-01 16:55:16 -04:00
Jeff Mitchell
79b63deaf5 Change auth helper interface to api.Secret. (#3263)
This allows us to properly handle wrapped responses.

Fixes #3217
2017-08-31 16:57:00 -04:00
Calvin Leung Huang
dd72c96dc8 Add BackendType to existing backends (#3078) 2017-07-28 14:04:46 -04:00
Calvin Leung Huang
2b0f80b981 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Vishal Nayak
6a73552a88 Cert verification for non-CA certs (#2761)
* Cert verification for non-CA certs

* Added test case to ensure login fails with expired non-CA cert

* Address review feedback
2017-05-25 10:49:09 -04:00
Jeff Mitchell
6164690818 Use auth-saved cert name during renewals to avoid a panic. (#2755) 2017-05-23 20:41:01 -04:00
Michael Ansel
8da4405c99 Add constraints on the Common Name for certificate-based authentication (#2595)
* Refactor to consolidate constraints on the matching chain

* Add CN prefix/suffix constraint

* Maintain backwards compatibility (pick a random cert if multiple match)

* Vendor go-glob

* Replace cn_prefix/suffix with required_name/globbing

Move all the new tests to acceptance-capable tests instead of embedding in the CRL test

* Allow authenticating against a single cert

* Add new params to documentation

* Add CLI support for new param

* Refactor for style

* Support multiple (ORed) name patterns

* Rename required_names to allowed_names

* Update docs for parameter rename

* Use the new TypeCommaStringSlice
2017-04-30 11:37:10 -04:00
Jeff Mitchell
8acbdefdf2 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Félix Cantournet
0d6d4211b8 all: test: Fix govet warnings
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Jeff Mitchell
c748ff322f Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
vishalnayak
c44f1c9817 s/GetOctalFormatted/GetHexFormatted 2016-09-16 17:47:15 -04:00
Jeff Mitchell
68345eb770 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell
357ecb4dfe gofmt 2016-08-19 16:48:32 -04:00
Jeff Mitchell
c664c4091b Fix panic if no certificates are supplied by client
Fixes #1637
2016-07-21 10:20:41 -04:00
Jeff Mitchell
2701ea16d1 Fix build 2016-07-21 09:53:41 -04:00
Jeff Mitchell
d16cefa544 Ensure we never return a nil set of trusted CA certs
Fixes #1637
2016-07-21 09:50:31 -04:00
Jeff Mitchell
b45da486dc Run appid/cert auth tests always 2016-07-01 14:06:33 -04:00
vishalnayak
65de9cb01a Remove failOnError method from cert tests 2016-06-01 16:01:28 -04:00
vishalnayak
25e90e7577 Fix broken cert backend test 2016-05-26 11:06:46 -04:00
vishalnayak
80faa2f4ed s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends 2016-05-26 10:21:03 -04:00
vishalnayak
14750c9964 Remove unused param from checkForValidChain 2016-05-12 15:07:10 -04:00
vishalnayak
28e6f885ca Perform CRL checking for non-CA registered certs 2016-05-12 14:37:07 -04:00
vishalnayak
a74332bb7e Add the steps to generate the CRL test's test-fixture files 2016-05-04 05:48:34 -04:00
Jeff Mitchell
d3f1176e03 Switch our tri-copy ca loading code to go-rootcerts 2016-05-03 12:23:25 -04:00
vishalnayak
e032f9144c Extend the expiry of test-fixture certs of Cert backend 2016-05-02 12:34:46 -04:00
vishalnayak
bbb3efdc67 Cert backend, CRL tests 2016-04-29 02:32:48 -04:00
Adam Shannon
e0df8e9e88 all: Cleanup from running go vet 2016-04-13 14:38:29 -05:00
vishalnayak
5f1829af67 Utility Enhancements 2016-04-05 20:32:59 -04:00