boundary

Commit Graph

Author	SHA1	Message	Date
Michael Gaffney	94cb79bbdd	See how Boundary would look with gofumpt applied (#853 ) * See how Boundary would look with https://github.com/mvdan/gofumpt applied Results of running `gofumpt -w -s .` * Update tools file and Makefile for gofumpt Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	5 years ago
Louis Ruch	dbc796759b	ICU-934/Verify controller config block (#851 ) * Verify controller config block * update changelog	5 years ago
Jeff Mitchell	5b5602969f	Update go-keyring to use forked version (#846 ) This may help with #830.	5 years ago
Jeff Mitchell	6580d85388	Remove erronious IsGlobalUnicast check. (#845 ) Fixes the issue raised at https://www.boundaryproject.io/docs/configuration/worker#complete-configuration-example	5 years ago
Jeff Mitchell	e6c98f1454	Add logic to error on certain invalid listener configs (#838 ) This adds logic to error on certain invalid listener config: * If an address in the worker's "controller" set is unspecified or multicast or global unicast, error * If the controller's cluster address is unspecified, ensure public_cluster_addr is set This has been a source of some confusing behavior on some GitHub tickets and even on the team, so preventing it is probably a good idea. It also relaxes the restriction around controller address matching cluster address in single-server mode when using DNS names.	5 years ago
Jeff Mitchell	16f7dc1c96	Update connect unauthorized message to give a bit more detail	5 years ago
Jeff Mitchell	a6cca576a3	Attempt canceling sessions by the client (#831 ) * Attempt canceling sessions by the client In some circumstances (like a Ctrl-C), the client knows it's shutting down and the TOFU token will be lost. In this case it makes sense to cancel the session rather than have it time out. This introduces a command enum to the handshake message which can be used for the client to send commands to the worker -- in this case the only specified command is to cancel the session. It doesn't occur if the session is already timed out or if we can't authorize connections as this generally means the session is already invalid.	5 years ago
Jeff Mitchell	b809d3f12a	Add `kube` connect subcommand (#816 )	5 years ago
Jeff Mitchell	9a84e50493	Minor linting	5 years ago
Jeff Mitchell	833f29e352	Switch connection limit for default target to -1 (#814 ) This makes the initial testing workflow less confusing for users	5 years ago
Jeff Mitchell	d4a6efb363	Pass endpoint to the client (#811 ) This allows us to automatically set TLS parameters, useful for `boundary connect http` and some other features to come.	5 years ago
Todd Knight	aa4157639c	Change Format of API Error (#784 ) This is a wire breaking change for json errors since we have removed and renamed a few fields, and changed part of the structure of the returned json error. * Remove redundant fields in Status, details.error_id, details.TraceId and details.request_id from API errors. * Added wrapped errors and "ops" field to indicate the internal operation of the errors returned by the API. * Added error cli error reporting of Op and wrapped errors.	5 years ago
Jeff Mitchell	589c79831f	Create internal capability for json errors for connect (#809 ) * Create internal capability for json errors for connect * Update error codes	5 years ago
Todd Knight	f6e50006fc	Generate postgres.gen.go using schema version directory structure (#808 ) * Reorganize the db migration .sql scripts into individual schema version directories and generate the sql httpfs fakeFile accordingly. * Created a /dev schema version directory to hold db schema updates that have not been finalized. * Add an 'allow-development-migrations' flag to allow `boundary database init` to be executed even when there are schema updates in /dev.	5 years ago
Jeff Malnick	af2d9dfe90	fix: do not print info in output that could be JSON or YAML format (#799 ) * fix: print err msg for no credentials found to stderr	5 years ago
Jeff Malnick	11c7c8dbe8	feat: make auth token staleness and duration configurable (#777 ) * feat: make auth token time to live and staleness configurable * docs: add configuration docs for auth token TTL and staleness Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	6 years ago
Jeff Malnick	a7fca44809	Fix authz flag (#787 ) * Fix authz flag * add changelog bug fix for authz flag Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	6 years ago
Jim	af6ef1b687	Refactor existing sentinel errors (#774 )	6 years ago
Jeff Mitchell	6d59ac1eda	Update synopsis for Connect command so it doesn't wrap on most terminals	6 years ago
Jeff Mitchell	e2e4631929	Add ability to set public cluster address (#761 )	6 years ago
Jeff Mitchell	f063b8601c	Fix IPv4-only check when no port is specified (#752 ) We have behavior that causes "0.0.0.0" to only listen on IPv4, however, it also assumed there was a port suffixed. This changes it so that it also works with a port-less address.	6 years ago
Jeff Mitchell	813d21565f	Allow authorize-session to be invoked with target name (#737 )	6 years ago
Jeff Mitchell	09b865ab28	Add `pass` cred storage support (#731 ) * Add `pass` cred storage support Make it the default on non-Windows/macOS Document the token storage behavior	6 years ago
Jim	547ae7c802	Fix database init when locale isn't english (#736 ) * use IsMissingTableError(error) * update changelog	6 years ago
Jeff Mitchell	1f48d97327	Support for Unix domain socket listeners (#705 ) The client already supports protocol-agnostic transport so handles unix:/// schemes.	6 years ago
Jeff Mitchell	97e8613eb7	Fix hyphenation of resource subcommand output (#689 ) * Fix hyphenation of resource subcommand output Fixes #686	6 years ago
Jeff Mitchell	f454fa9ef2	Don't return error code 1 if saving the value to the keyring (#668 )	6 years ago
Sam Salisbury	bcfd9d038f	version command: fix version string (#662 )	6 years ago
Jeff Mitchell	ef16b6177c	Update configuration docs (#661 ) * Update configuration docs * Fix public addr example	6 years ago
Jeff Mitchell	f7bd5e18f9	Fix spacing for scope output in account command	6 years ago
Jeff Mitchell	437f874d44	Fix spacing before Attributes when printing auth method	6 years ago
Jeff Mitchell	868a65ac3d	Don't show "Version v" on startup if empty (#653 ) We'll still show the SHA in this case	6 years ago
Jeff Mitchell	95404b2a56	Separate out protocol-specific functions (#610 ) Placing them into separate files slims down the main connect file and makes it more obvious where things need to be handled for future integrations.	6 years ago
Jeff Mitchell	a982fc9437	Remove proxy proto documentation for now (#606 ) We haven't tested it with the new lib yet. We can add this back whenever we get to testing it.	6 years ago
Jeff Mitchell	603b0582d7	Fix CLI help output and make more consistent (#605 )	6 years ago
Jeff Mitchell	bd271b707d	Add version command (#604 )	6 years ago
Jeff Mitchell	4833fbba23	Simplify worker->controller connection (#601 ) Go's TLS stack doesn't need a separate CA cert and in fact for sessions we don't use this. So simplify the worker connection to remove an unnecessary extra key generation.	6 years ago
Todd Knight	abe5e9b950	Add Termination Reason (#573 )	6 years ago
Jeff Mitchell	ae3a9e32cf	Remove proxy command You can now use -authz-token in `boundary connect` which also allows using the connect subcommands when you already have a token.	6 years ago
Jeff Mitchell	1cb66c69e7	Add workaround to allow autocomplete install/uninstall via a normal command (#576 )	6 years ago
Todd Knight	83314b7750	Accounts can update login-name. Fix help text for subtype resource update and creates. (#575 )	6 years ago
Jeff Mitchell	0be34df6cd	Minor typo fix	6 years ago
Todd Knight	6c6fb7a4d0	Format errors better for CLI (#552 ) * Start making errors easier to read for Table based CLI UI. * Add TODO about reporting "update_mask" related errors.	6 years ago
Jeff Mitchell	73872c5a7e	Switch default RDP client at runtime based on OS, support macOS (#551 ) * Add "open" support for RDP * Use mstsc.exe on Windows and as default as that also works natively via wsl2 * Add flags to not fork	6 years ago
Jeff Mitchell	9f11d12f6d	Fix a missing authorize rename	6 years ago
Jeff Mitchell	9237d6f787	Rename authorize to authorize-session (#531 ) As pointed out by Rob, this makes it clearer what the action actually is. We were sort of torn on it before, but I've definitely come around to it.	6 years ago
Jeff Mitchell	f8a2100603	Add various env vars to CLI (#528 ) * Add auth method ID env var * Add env var for host catalogs	6 years ago
Todd Knight	e0ad9ffbfa	Make all date output be RFC1123. (#525 )	6 years ago
Todd Knight	d1d94c19c8	List sessions CLI reports correct target id and status (#511 ) * Including some missing session fields and improving reporting of sessions of CLI.	6 years ago
Jeff Mitchell	9bd6045c46	If the exec'd command executed on its own, don't print a term reason out, just pass through the code	6 years ago
Jeff Mitchell	3400e20fb6	Use the host_id as the HostAlias for SSH (#523 ) This tells SSH to use the (random, autogen'd) host ID when doing host key checking. That way we avoid having an IP/port mismatch every time we connect.	6 years ago
Jeff Mitchell	bf30a735dc	Clean up slash suffix on -host value	6 years ago
Jeff Mitchell	c3b4337b91	Add -path to boundary connect http	6 years ago
Jeff Mitchell	fa700dc002	Add account ID templating (#518 ) * Remove default role and create via the same mechanism as other initial resources	6 years ago
Jeff Mitchell	d851ab07d8	Add ability to pull user/account/auth-method ID from stored token (#517 )	6 years ago
Jeff Mitchell	6ddfe407a3	Update allowed formats of ACL strings (#508 )	6 years ago
Jeff Mitchell	4854f2c35f	Add boundary connect http (#516 )	6 years ago
Jeff Mitchell	d479f307a4	Minor tweak to role output formatting	6 years ago
Jeff Mitchell	a38f40606e	Create default roles in scopes to allow authentication and listing scopes/auth methods (#502 )	6 years ago
Jeff Mitchell	c1a1f8bb1b	Separate out docker dep into package (#482 ) This also then removes support for docker-based containing starting (for now) from platforms other than windows/darwin/linux as there are build issues on several.	6 years ago
Jim	fde96924af	refactor user account repo function names (#476 )	6 years ago
Jeff Mitchell	cf3fa4522d	Swap base58 libraries (#472 ) * Swap base58 libraries This doesn't reduce binary size but it removes a metric ton of dependencies.	6 years ago
Jeff Mitchell	c30fd5620e	Add account add/set/remove to CLI (#473 )	6 years ago
Jeff Mitchell	725abffebf	Add some more text to dev flags	6 years ago
Jeff Mitchell	bec3d702fb	Add -database-url to dev mode (#459 ) Create default dev mode login name of "admin" and password of "password"	6 years ago
Jeff Mitchell	220ca253be	Add boundary config get-token (#455 )	6 years ago
Jim	21ca0b6388	SetAssociatedAccounts, DisassociateAccounts, AssociateAccounts with support for multiple accounts. (#439 )	6 years ago
Jeff Mitchell	b60e356b6c	Add username to SSH as well (#441 )	6 years ago
Jeff Mitchell	61a0ae02c1	Bring go-alpnmux in house for now	6 years ago
Jeff Mitchell	b650695e82	Add rdp/postgres subcommands (#437 )	6 years ago
Todd Knight	fd0da998e8	SDK error revamp (#432 ) SDK methods now return 1 error. To differentiate between Client errors and Server errors I've also implemented the AsServerError function which returns an *api.Error if it is an error originating from the remote server or nil otherwise.	6 years ago
Jeff Mitchell	94f9d952be	Add connect -exec and ssh subcommand support (#434 )	6 years ago
Jeff Mitchell	e86c11db62	Add session lifecycle info to controller's INFO log. (#431 ) This required some plumbing, but nothing major.	6 years ago
Jeff Mitchell	10a41c914e	Force worker to use the local controller when running in combined mode (#429 )	6 years ago
Jeff Mitchell	41a3c66ea1	Add names to init output (#428 )	6 years ago
Jeff Mitchell	7fcbffbe88	Remove not-set value. (#427 ) I don't think the conditions exist here that necessitated it being introduced into Vault, but I do sometimes see a baffling condition where the address coming from the flag is empty. I don't think we need this so take it out.	6 years ago
Jeff Mitchell	31fe9292b3	Instantiate default resources (#425 )	6 years ago
Jeff Mitchell	8d8a7358f8	Add AdditionalVerification function (#423 )	6 years ago
Jeff Mitchell	03436a73de	Update CLI output functions to show scope info and cleanup (#416 )	6 years ago
Jeff Mitchell	38ce9d9eac	Combine controller and worker commands (#415 )	6 years ago
Jeff Mitchell	0a4669e96d	Remove dev mode from controller/worker, and streamline flags on dev command (#413 )	6 years ago
Jeff Mitchell	262ff06042	Add public address config option (#405 )	6 years ago
Christian Frichot	475c6cdebe	Fix updated help text for the authenticate base command so it aligns with the password subcommand (#401 )	6 years ago
Christian Frichot	9e6c016223	Add JSON formatted output for authenticate password cli command (#402 )	6 years ago
Christian Frichot	874a7180ea	Fix segfault with boundary sessions help output (#403 )	6 years ago
Jeff Mitchell	e9b91f323f	Allow port to not be specified in listener address (#404 )	6 years ago
Jeff Mitchell	dd06615c2e	Add database initialization command (#400 )	6 years ago
Jeff Mitchell	35c3f5b717	Use 'at' for auth token prefix (#397 )	6 years ago
Jeff Mitchell	d3606e14b6	Set wrapper on client, not token, so it doesn't fail KMS recovery on update calls	6 years ago
Christian Frichot	72de1a6916	Fix WATCHTWER ENV variable names (#389 )	6 years ago
Jeff Mitchell	33b0021547	Add Sessions CLI command and add session cleanup to worker (#388 )	6 years ago
Jeff Mitchell	7ff4b7f106	Send connected RPC to controller (#386 )	6 years ago
Jeff Mitchell	4669c95999	Pass more session info around, make proxy UX nicer (#385 )	6 years ago
Jeff Mitchell	f7e48ec836	Plumb connection limit to proxy and output it (#384 )	6 years ago
Jeff Mitchell	edffc7863d	Change connection limit to -1 for unlimited so it works with TF (#383 ) * Migrate connection limit unlimited value to -1 * Fix authorization check	6 years ago
Jeff Mitchell	5214f14105	Work on connection authorization (#381 )	6 years ago
Jeff Mitchell	5bf555cca2	Remove connection idle timeout seconds for now (#379 )	6 years ago
Jeff Mitchell	e002326293	Plumb timeouts to worker and set appropriate deadlines (#378 )	6 years ago
Jeff Mitchell	0a3f9b8357	Rename connection idle timeout duration -> seconds and sessions max duration -> seconds (#376 )	6 years ago
Jeff Mitchell	62baef1b7e	Add multi connection parameters through targets and into session creation (#375 ) * Update protos and gen * Add new values to targets CLI command * Lots more plumbing of new parameters through everything * allow fields to be set to zero value. * Disallow set but empty name/description strings in create/update verifiers Co-authored-by: Jim Lambert <jlambert@hashicorp.com>	6 years ago
Jeff Mitchell	07a7e9750a	Tie together the database-driven session handling with the worker and add relevant CLI comands (#370 )	6 years ago
Jeff Mitchell	0a44ed3edd	Fix global scope lookup (#367 ) The changed auth logic + verify logic in the scope handler pass the parent ID for validation, which is correct, as a scope lives in its parent ID. However, the global scope has no parent, and the changes resulted in an empty ID being passed in rather than the global scope itself. This fixes that lookup.	6 years ago
Jeff Mitchell	37e9fed2e3	Allow not destroying dev databases (#366 ) This also shifts some logic around to better prepare for non-dev-mode workloads, although it does not actually call the KMS creation functions and initial auth method creation from non-dev commands yet.	6 years ago
Jeff Mitchell	c4e2b88022	Add database URL. (#365 ) * Add database URL. This allows specification of either a file://, env://, or other string. If it starts with file:// or env:// the actual value will be read from those resources. * Tidy up the KMS output * Also run migrations in test mode when specifying the URL	6 years ago
Jeff Mitchell	3c13e4765d	Verbose isn't actually used right now so don't expose it; fix some wording for scope id flag	6 years ago
Jeff Mitchell	570e52cabb	Add missing set-grants to role command	6 years ago
Jeff Mitchell	f4ad22b247	Move default port to a TCP target attribute (#361 )	6 years ago
Jeff Mitchell	eb88d0381a	Fix default port update handling	6 years ago
Jeff Mitchell	a598fdfb13	Fix targets CLI command	6 years ago
Jeff Mitchell	97985883df	Fix token storage	6 years ago
Jeff Mitchell	a00ee7a948	Add Result types to Go SDK and properly populate body/map fields (#358 )	6 years ago
Jeff Mitchell	1b2f73d1d4	Fix some old logic in some CLI commands (#357 )	6 years ago
Jeff Mitchell	6201357902	Use scope-specific token DEKs (#342 )	6 years ago
Todd Knight	33e7b4538e	WorkerCoordination and GetSession API refactoring (#354 ) * Possible api changes. * Worker API update. * Updating import alias name. * Moving session down a level as a member of the GetSessionResponse. * Marshal the auth flag into the GetSessionResponse proto instead of the session.	6 years ago
Jeff Mitchell	2914b4c14c	Use base58 for a few more user-facing values (#356 )	6 years ago
Jeff Mitchell	1f80edbffc	Add missing default-port flag to targets command (#355 )	6 years ago
Jeff Mitchell	c689af4306	Implement a TOFU mechanism on auth to worker (#348 ) This sets us up to better support multiple connections per session at some future point.	6 years ago
Jeff Mitchell	ff0d49b6e4	Use previous method of getting recovery wrapper	6 years ago
Jeff Mitchell	f8237fb945	Move some packages into SDK, out of internal	6 years ago
Jeff Mitchell	36f975a952	Add some recovery KMS functions needed for external clients (#339 )	6 years ago
Todd Knight	c3ecea172d	Generate new version of SDK resources and Add Tests (#331 )	6 years ago
Jeff Mitchell	23156afa11	Add in most of the proxy flow (#326 )	6 years ago
Jeff Mitchell	1822c47ef5	Migrate KMS code to the new database DEKs (#324 )	6 years ago
Jeff Mitchell	a4c20164f3	Add add/remove/set hosts functions to host-sets command (#316 )	6 years ago
Jeff Mitchell	514856c020	Fix broken CLI output	6 years ago
Jeff Mitchell	b8c8d29008	Switch ordering of CLI create/update vs static commands (#314 )	6 years ago
Jeff Mitchell	1f065316ee	Initial (#313 )	6 years ago
Jeff Mitchell	20aef738c4	Add host-catalogs CLI command. (#312 )	6 years ago
Jeff Mitchell	17ecb6f2ce	Separate accounts/host catalogs/host sets into their own packages (#311 )	6 years ago
Jeff Mitchell	936c970635	Remove unneeded and breaking test	6 years ago
Jeff Mitchell	28df6eb7b0	Update config encrypt/decrypt CLI command (#309 ) This updates the command to our emergent standards. It also enables using a separate config file for a config kms, which allows non-string values to be encrypted. This allowed some nice cleanup as well.	6 years ago
Jeff Mitchell	b53812a5c1	Add ability to skip automatic auth method creation (#306 ) This is useful if you, for instance, want Terraform to be 100% responsible for creation of resources (outside of the static ones that cannot be removed or modified, like u_anon). This will mean using the recovery mechanism for initial setup, but that isn't an issue once TF supports that :-)	6 years ago
Jeff Mitchell	490be8a7e4	Add ability to skip role creation on scope create (#308 ) * Initial work on scope creation skipping * Fix things	6 years ago
Jeff Mitchell	8f579c75c3	paum -> ampw (#303 )	6 years ago
Jeff Mitchell	74544f6324	Encrypt tokens on the way out and decrypt on the way in (#302 ) * Encrypt tokens on the way out and decrypt on the way in This isn't a security feature related to tokens specifically; it's so that we can discard cryptographically bad tokens before we ever hit the DB. This way we can't pass through a DDoS to the database due to fetching obviously invalid token values. I'm using base58 to encode the resulting value as there aren't great base62 options, and allowing base64 / and + values can hamper usability by creating copying/highlighting breaks.	6 years ago
Jeff Mitchell	ac4d9fa311	Add nonce storage and replay prevention test (#293 )	6 years ago
Jeff Mitchell	414a2ab2c3	Remove some dead, dead, dead, dead code	6 years ago
Jeff Mitchell	b47cca0329	Add (non-db aspects of) the recovery key workflow (#286 )	6 years ago
Todd Knight	d5678c4f80	Handler for Host CRUDL actions (#287 )	6 years ago
Jim	9570897032	basic keys mgmt repo (#264 )	6 years ago
Jeff Mitchell	adfc5681be	Auth methods CLI (#277 )	6 years ago
Jeff Mitchell	282177afc2	Remove the default org (#270 )	6 years ago
Jeff Mitchell	fff15bc9f3	Rename KMS purpose 'controller' to 'root'	6 years ago
Jeff Mitchell	efaf58b568	Add users CLI command and do some cleanup (#269 )	6 years ago
Jeff Mitchell	6080d93f8f	Add authtokens CLI command (#268 )	6 years ago
Jeff Mitchell	d3a1cd949b	Update password auth method flags to fit current standards	6 years ago
Jeff Mitchell	bb6b189513	Create a default role on new scope creation (#265 )	6 years ago
Jeff Mitchell	e89e9d1349	Add groups CLI command (#266 )	6 years ago
Jeff Mitchell	b75a6fc5e5	Update scopes CLI command in the model of the roles command (#262 ) * Update scopes CLI command in the model of the roles command * Pull help functions to helper methods	6 years ago
Jeff Mitchell	5d104a7a01	Migrate off Vault's internalshared folder to the separated-out repo	6 years ago

1 2 3 4 5 ...

296 Commits (02ff2db66e015aed51a2b9d1735dcc8036d9bfba)