Commit graph

922 commits

Author SHA1 Message Date
Brian Nuszkowski
ffdbcc4166 Return value when reading a SSH CA Role (#4098) 2018-03-07 23:26:33 -05:00
Jeff Mitchell
f54832b10a *Partially* revert "Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10"
This partially reverts commit 83f6b21d3e.
2018-02-22 20:15:56 -05:00
Andrei Burd
8bb4bdab4d Handling nomad maxTokenNameLength = 64 (#4009) 2018-02-20 10:16:37 -05:00
Jeff Mitchell
2d22d8a99a Fix PKI tests by generating on-demand 2018-02-20 00:23:37 -05:00
Jeff Mitchell
83f6b21d3e Remove now-unneeded PKCS8 code and update certutil tests for Go 1.10 2018-02-19 22:46:17 -05:00
Robison Jacka
7a46918f8c Adding path roles test coverage for storing PKIX fields (#4003) 2018-02-18 16:22:35 -05:00
Robison Jacka
45a90a9fe3 Add test coverage for recently-added PKIX fields. (#4002) 2018-02-18 13:21:54 -05:00
Jeff Mitchell
fbcad150aa Fix missing CommonName in subject generation 2018-02-17 21:01:36 -05:00
Jeff Mitchell
a43a854740
Support other names in SANs (#3889) 2018-02-16 17:19:34 -05:00
Mohsen
9db39c8d09 Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 11:11:17 -05:00
Jeff Mitchell
ef00a69f11
Add ChaCha20-Poly1305 support to transit (#3975) 2018-02-14 11:59:46 -05:00
Jeff Mitchell
07f8ebbbf6
Various PKI updates (#3953) 2018-02-10 10:07:10 -05:00
Jeff Mitchell
71336d3596 Fix compile 2018-02-09 14:04:05 -05:00
Chris Hoffman
4120046ac8 Fix auditing for transit keys with backup/restore info (#3919) 2018-02-09 13:54:18 -05:00
Vishal Nayak
58cab5f59f added a flag to make common name optional if desired (#3940)
* added a flag to make common name optional if desired

* Cover one more case where cn can be empty

* remove skipping when empty; instead check for emptiness before calling validateNames

* Add verification before adding to DNS names to also fix #3918
2018-02-09 13:42:19 -05:00
John Eismeier
acc37c3cc9 Fix some typos (#3923) 2018-02-06 13:35:01 -05:00
Jeff Mitchell
7d73ac4c96 go vet fixes 2018-02-05 14:26:31 -05:00
Jeff Mitchell
1a3fa27dad
Don't run rollback and upgrade functionality if we are a replication secondary (#3900)
* Don't run rollback and upgrade functionality if we are a replication
secondary, but do if the mount is local.
2018-02-02 20:28:25 -05:00
Vishal Nayak
909b9ff574
Remove logical.Initialize() method (#3848)
* Remove logical.Initialize() method

* More cleanup

* Fix test
2018-01-25 20:19:27 -05:00
Calvin Leung Huang
c3c63313f3
Version protocol switch (#3833)
* Use version to determine plugin protocol to use

* Remove field from ServeOpts

* Fix missing assignment, handle errors

* contraint -> constraint

* Inject the version string from the vault side

* Fix the version check

* Add grpc support check to database plugins

* Default to use grpc unless missing env var or fail on contraint check

* Add GRPCSupport test

* Add greater than test case

* Add go-version dep
2018-01-23 17:29:26 -05:00
Brian Kassouf
8142b42d95 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Brian Kassouf
03f6108822
gRPC Backend Plugins (#3808)
* Add grpc plugins

* Add grpc plugins

* Translate wrap info to/from proto

* Add nil checks

* Fix nil marshaling errors

* Provide logging through the go-plugin logger

* handle errors in the messages

* Update the TLS config so bidirectional connections work

* Add connectivity checks

* Restart plugin and add timeouts where context is not availible

* Add the response wrap data into the grpc system implementation

* Add leaseoptions to pb.Auth

* Add an error translator

* Add tests for translating the proto objects

* Fix rename of function

* Add tracing to plugins for easier debugging

* Handle plugin crashes with the go-plugin context

* Add test for grpcStorage

* Add tests for backend and system

* Bump go-plugin for GRPCBroker

* Remove RegisterLicense

* Add casing translations for new proto messages

* Use doneCtx in grpcClient

* Use doneCtx in grpcClient

* s/shutdown/shut down/
2018-01-18 13:49:20 -08:00
Jeff Mitchell
69eca11b62
Fix max_ttl not being honored in database backend when default_ttl is zero (#3814)
Fixes #3812
2018-01-18 01:43:38 -05:00
Chris Hoffman
c7b4fc314b Locking updates in database backend (#3774) 2018-01-17 19:21:59 -05:00
Chris Hoffman
3653e4bf1b
Converting OU and Organization role fields to CommaStringSlice (#3804) 2018-01-17 11:53:49 -05:00
Brian Kassouf
a2b9ce7de8
remove the Initialize wrap and call close explicitly (#3769) 2018-01-10 13:07:55 -08:00
Brian Kassouf
05f20305b2
secret/database: ensure plugins are closed if they cannot be initialized (#3768) 2018-01-09 13:14:50 -08:00
Brian Kassouf
2a3243546a
Update plugin deps to include context changes (#3765)
* Update plugin deps to include context changes

* Fix tests
2018-01-08 12:26:13 -08:00
Brian Kassouf
78adac0a24
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Will Glynn
416bb41b35 Document that AWS STS lease revocation is a no-op [fixes #3736] (#3760) 2018-01-08 10:28:07 -06:00
Brian Kassouf
6a74c119f3
secret/database: Fix upgrading database backend (#3714) 2017-12-18 19:38:47 -08:00
Chris Hoffman
abbb1c623a use defaultconfig as base, adding env var test 2017-12-17 10:51:39 -05:00
Chris Hoffman
737dbca37a fixing up config to allow environment vars supported by api client 2017-12-17 09:10:56 -05:00
Chris Hoffman
20aac4dc0a adding existence check for roles 2017-12-15 19:50:20 -05:00
Chris Hoffman
b82493f9de adding access config existence check and delete endpoint 2017-12-15 19:18:32 -05:00
Chris Hoffman
152b6e4305 address some feedback 2017-12-15 17:06:56 -05:00
Chris Hoffman
16e2edf389 Merge remote-tracking branch 'oss/master' into f-nomad
* oss/master:
  Defer reader.Close that is used to determine sha256
  changelog++
  Avoid unseal failure if plugin backends fail to setup during postUnseal (#3686)
  Add logic for using Auth.Period when handling auth login/renew requests (#3677)
  plugins/database: use context with plugins that use database/sql package (#3691)
  changelog++
  Fix plaintext backup in transit (#3692)
  Database gRPC plugins (#3666)
2017-12-15 17:05:42 -05:00
Brian Kassouf
a401cc7cb5
Database gRPC plugins (#3666)
* Start work on context aware backends

* Start work on moving the database plugins to gRPC in order to pass context

* Add context to builtin database plugins

* use byte slice instead of string

* Context all the things

* Move proto messages to the dbplugin package

* Add a grpc mechanism for running backend plugins

* Serve the GRPC plugin

* Add backwards compatibility to the database plugins

* Remove backend plugin changes

* Remove backend plugin changes

* Cleanup the transport implementations

* If grpc connection is in an unexpected state restart the plugin

* Fix tests

* Fix tests

* Remove context from the request object, replace it with context.TODO

* Add a test to verify netRPC plugins still work

* Remove unused mapstructure call

* Code review fixes

* Code review fixes

* Code review fixes
2017-12-14 14:03:11 -08:00
Jeff Mitchell
96b0c31de5
Merge branch 'master' into f-nomad 2017-12-14 16:44:28 -05:00
Jeff Mitchell
2146f88052
Update Consul to use the role's configured lease on renew. (#3684) 2017-12-14 13:28:19 -05:00
Vishal Nayak
c38f9884ce Transit: backup/restore (#3637) 2017-12-14 12:51:50 -05:00
Florent H. CARRÉ
c1c052f0c1 Hardening RSA keys for PKI and SSH (#3593) 2017-12-11 13:43:56 -05:00
Chris Hoffman
628153979a
Converting key_usage and allowed_domains in PKI to CommaStringSlice (#3621) 2017-12-11 13:13:35 -05:00
Mohsen
77fc89088d Small typo relating to no_store in pki secret backend (#3662)
* Removed typo :)

* Corrected typo in the website related to no_store
2017-12-07 10:40:21 -05:00
Vishal Nayak
18311d253d
Transit: Refactor internal representation of key entry map (#3652)
* convert internal map to index by string

* Add upgrade test for internal key entry map

* address review feedback
2017-12-06 18:24:00 -05:00
Nicolas Corrarello
884e25035f
Adding SealWrap configuration, protecting the config/access path
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 21:53:21 +00:00
Nicolas Corrarello
12e77fac51
Rename policy into policies 2017-11-29 16:31:17 +00:00
Nicolas Corrarello
0780c6250b
Checking if client is not nil before deleting token
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 16:23:03 +00:00
Nicolas Corrarello
66840ac4db
%q quotes automatically
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 16:19:31 +00:00
Nicolas Corrarello
9d78bfa721
Refactoring check for empty accessor as per Vishals suggestion
Signed-off-by: Nicolas Corrarello <nicolas@corrarello.com>
2017-11-29 15:58:39 +00:00