scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-22 21:05:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
18,722 Commits 2,630 Branches 341 Tags
auto-plugin-update/hashicorp/vault-plugin-database-redis-elasticache/auto-dependency-upgrades
Commit Graph

2656 Commits

Author SHA1 Message Date
Jeff Mitchell
3ac40a7ae5 Use capabilities to determine upsert-ability in transit. 2016-02-02 10:03:14 -05:00
Jeff Mitchell
216fe1b9da Revert "Re-add upsert into transit. Defaults to off and a new endpoint /config" 
This reverts commit dc27d012c0.
 2016-02-02 09:26:25 -05:00
Jeff Mitchell
dc27d012c0 Re-add upsert into transit. Defaults to off and a new endpoint /config 
can be used to turn it on for a given mount.
 2016-02-01 20:13:57 -05:00
Jeff Mitchell
d402292f85 Fix comment text 2016-02-01 17:20:16 -05:00
Jeff Mitchell
7fb8db2e6c Allow the format to be specified as pem_bundle, which creates a 
concatenated PEM file.

Fixes #992
 2016-02-01 13:19:41 -05:00
Jeff Mitchell
3b77905c75 Cassandra: 
* Add ability to change protocol version
* Remove config as a root path, use normal ACLs
* Update docs
 2016-02-01 10:27:26 -05:00
Jeff Mitchell
c60a9cd130 Remove grace periods 2016-01-31 19:33:16 -05:00
Jeff Mitchell
c067cdc926 Remove app-id renewal for the moment until verification logic is added 2016-01-31 19:12:20 -05:00
Jeff Mitchell
229973444d Match leases in the test 2016-01-29 20:45:38 -05:00
Jeff Mitchell
e63bcffa7a Fix userpass acceptance tests by giving it a system view 2016-01-29 20:14:14 -05:00
Jeff Mitchell
33f3e2727c Fix building of consul backend test 2016-01-29 20:03:38 -05:00
Jeff Mitchell
2eb08d3bde Make backends much more consistent: 
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
 2016-01-29 20:03:37 -05:00
Jeff Mitchell
fec6c51197 Merge pull request #979 from hashicorp/transit-locking 
Implement locking in the transit backend.
 2016-01-29 14:40:32 -05:00
Jeff Mitchell
42905b6a73 Update error return strings 2016-01-29 14:40:13 -05:00
Jeff Mitchell
ce44ccf68e Address final review feedback 2016-01-29 14:33:51 -05:00
Jeff Mitchell
99f193811a Only specify cert sign / CRL sign for CAs and only specify extended key 
usages for clients.

This will hopefully fully get rid of the various incompatible ways that
various browsers/libraries deal with key usages.

Fixes #987
 2016-01-29 10:26:35 -05:00
Jeff Mitchell
3b22ab02c6 Add listing of roles to PKI 2016-01-28 15:18:07 -05:00
Jeff Mitchell
abd71ce80e Add list support for mysql roles 2016-01-28 15:04:25 -05:00
Jeff Mitchell
9cf06240e0 Add list support for postgres roles 2016-01-28 14:41:50 -05:00
Jeff Mitchell
298892ef38 Fix postgres backend test SQL for user priv checking 2016-01-28 14:41:13 -05:00
Jeff Mitchell
5bfba62a77 Ensure generatePolicy checks disk, not just the cache, now that we aren't eager loading 2016-01-28 13:10:59 -05:00
Jeff Mitchell
886f641e5d Add listing of roles to ssh backend 2016-01-28 12:48:00 -05:00
Jeff Mitchell
65c3bc631b Remove eager loading 2016-01-28 08:59:05 -05:00
Jeff Mitchell
32aed5fa74 Embed the cache directly 2016-01-27 21:59:20 -05:00
Jeff Mitchell
4808c811ed Merge pull request #942 from wikiwi/fix-ssh-open-con 
Cleanly close SSH connections
 2016-01-27 17:18:54 -05:00
Jeff Mitchell
8bec044770 Merge pull request #975 from vetinari/ldapbind 
Implement LDAP username/password binding support, as well as anonymous search.
 2016-01-27 17:06:45 -05:00
Jeff Mitchell
46514e01fa Implement locking in the transit backend. 
This ensures that we can safely rotate and modify configuration
parameters with multiple requests in flight.

As a side effect we also get a cache, which should provide a nice
speedup since we don't need to decrypt/deserialize constantly, which
would happen even with the physical LRU.
 2016-01-27 17:03:21 -05:00
Jeff Mitchell
e6b2d45c03 Move archive location; also detect first load of a policy after archive 
is added and cause the keys to be copied to the archive.
 2016-01-27 13:41:37 -05:00
Jeff Mitchell
625e8091a5 Address review feedback 2016-01-27 13:41:37 -05:00
Jeff Mitchell
463cdd3d32 Store all keys in archive always 2016-01-27 13:41:37 -05:00
Jeff Mitchell
e729ace3f1 Add unit tests 2016-01-27 13:41:37 -05:00
Jeff Mitchell
8d5a0dbcdc Force min decrypt version to 1 if it's zero, which allows fixing problematic archiving logic 2016-01-27 13:41:37 -05:00
Jeff Mitchell
9f2310c15c Fix logic bug when restoring keys 2016-01-27 13:41:37 -05:00
Jeff Mitchell
ea9fb68a34 Fix decrementing instead of incrementing 2016-01-27 13:41:37 -05:00
Jeff Mitchell
ebe319c96b Initial transit key archiving work 2016-01-27 13:41:37 -05:00
Hanno Hecker
ba9b20d275 discover bind dn with anonymous binds 2016-01-27 17:06:27 +01:00
Hanno Hecker
a702f849bc fix stupid c&p error 2016-01-26 16:15:25 +01:00
Hanno Hecker
11aee85c0b add binddn/bindpath to search for the users bind DN 2016-01-26 15:56:41 +01:00
Jeff Mitchell
aa65b3a21c Add a max_idle_connections parameter. 2016-01-25 14:47:07 -05:00
Jeff Mitchell
cf95982d80 Allow backends to see taint status. 
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.

Fixes #946
 2016-01-22 17:01:22 -05:00
Dmitriy Gromov
df65547eca STS now uses root vault user for keys 
The secretAccessKeysRevoke revoke function now asserts that it is
not dealing with STS keys by checking a new internal data flag. Defaults
to IAM when the flag is not found.

Factored out genUsername into its own function to share between STS and
IAM secret creation functions.

Fixed bad call to "WriteOperation" instead of "UpdateOperation" in
aws/backend_test
 2016-01-21 15:04:16 -05:00
Dmitriy Gromov
ea1e29fa33 Renamed sts duration to ttl and added STS permissions note. 2016-01-21 14:28:34 -05:00
Dmitriy Gromov
b37a963841 Removing debug print statement from sts code 2016-01-21 14:05:10 -05:00
Dmitriy Gromov
6f50cd9439 Fixed duration type and added acceptance test for sts 2016-01-21 14:05:10 -05:00
Dmitriy Gromov
522e8a3450 Configurable sts duration 2016-01-21 14:05:09 -05:00
Jack DeLoach
d206599b80 Add STS path to AWS backend. 
The new STS path allows for obtaining the same credentials that you would get
from the AWS "creds" path, except it will also provide a security token, and
will not have an annoyingly long propagation time before returning to the user.
 2016-01-21 14:05:09 -05:00
Jeff Mitchell
4fc58e8b41 Merge pull request #895 from nickithewatt/aws-prexisting-policies 
Allow use of pre-existing policies for AWS users
 2016-01-21 13:23:37 -05:00
Chi Vinh Le
555834f83d Cleanly close SSH connections 2016-01-19 07:59:08 +01:00
Jeff Mitchell
21f91f73bb Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell
45e32756ea WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00