boundary

Commit Graph

Author	SHA1	Message	Date
Johan Brandhorst-Satzkorn	eca27b00c9	internal/proto: rename refresh token to list token	2 years ago
Johan Brandhorst-Satzkorn	e2fd8f9701	internal/proto: refactor list proto definitions This aligns it more with the new domain use.	2 years ago
Johan Brandhorst-Satzkorn	5984f5bba6	handlers/targets: add pagination support	2 years ago
Johan Brandhorst-Satzkorn	84e5b9401d	proto: add pagination Refresh Token The ListRefreshToken type is used, in its marshalled form, for pagination requests. A new refresh token is returned which each invocation of a list method (unless there was no input refresh token and there were no results).	2 years ago
hc-github-team-es-release-engineering	9b56db8858	update year in license files (#4115 )	2 years ago
Elim Tsiagbey	8b8d2822df	feat(oidc): OIDC Prompt (#4053 ) Boundary OIDC method does not currently support passing in prompts during authentication. This change adds the capability of passing OIDC prompts. Prompts are optional OIDC parameters that determine the behaviour of the authentication server: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest ## Changes - New `auth_oidc_prompt` table which contains all the prompts for OIDC auth method - New `auth_oidc_prompt_enm` table which contains possible enum values for a prompt - Currently supported: - `none`: The Authorization Server MUST NOT display any authentication or consent user interface pages - `login`: The Authorization Server SHOULD prompt the End-User for reauthentication - `consent`: The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client - `select_account`: The Authorization Server SHOULD prompt the End-User to select a user account - `oidc_auth_method_with_value_obj` view has been updated to return `prompt` value - Add `prompt` option for OIDC auth method CLI create and update - Pass configured prompt during OIDC authentication - Add `prompt` API validation for create and update	2 years ago
dani	c89777de41	Expose Valid Principals for Vault SSH Signed Certs (#3791 ) * allow additional valid principals when creating vault ssh signed cert cred lib * add additional_valid_principals field to credential libraries documentation page	3 years ago
Jeff Mitchell	fb4a5a98dc	Add some target fields and move some things around (#3879 ) In preparation for putting proxy code in the api package this creates some necessary fields in the target output and it pre-moves credential parsing and proxy handshake code to their new places. This will make the diff for the actual proxy code move quite a bit smaller. Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>	3 years ago
dani	a7c1876d7b	remove deprecated option application-credential-source (#3728 ) Co-authored-by: Danielle Miu <29378233+DanielleMiu@users.noreply.github.com>	3 years ago
Sepehr	16d86d601a	Add additional observation tags, remove from version and authorized_action	3 years ago
April Ayres	23c969ed39	Add observability tags to plugin protobuf.	3 years ago
Sepehr	14af8e8cd7	observation tags proto messages	3 years ago
Jim	dc89ca28a1	feat: add API support for additional LDAP auth method fields. (#3679 ) * feat (auth/ldap): add Repo support for max page size and deref aliases (#3670) * chore: update cap/ldap dependency This latest version of cap/ldap adds support for MaxPageSize and DerefAliases * feat (auth/ldap): add MaxPageSize and DerefAliases to storage proto * feat (api/authmethods): add new ldap fields. Add support for maximum_page_size and dereference_aliases * feat (auth/ldap): schema changes to support new LDAP attributes * feat (auth/ldap): add Repo support for max page size and deref aliases * feat (handlers/ldap): add support for new fields (#3674) Added API support for new ldap fields: MaximumPageSize and DereferenceAliases * chore: add CHANGELOG entry for new api auth ldap fields	3 years ago
Johan Brandhorst-Satzkorn	bae219d461	Re-enable copywrite with hack (#3569 ) * Ignore license change commit from blame This changed almost all the files in the repo * Re-enable copywrite with hack Adds a hack that removes existing copyright headers from files before rerunning copywrite with directory specific configuration.	3 years ago
hashicorp-copywrite[bot]	29da0bcb92	[COMPLIANCE] License changes (#3567 ) * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * Update copyright file headers to BUS-1.1 * Rerun make gen This will pick up the last of the license changes * Revert "Rerun make gen" This reverts commit `dbe0968bff`. * Remove copywrite from generation script The current version of copywrite is not sophisticated enough to only apply the copywrite changes to certain subdirectories, so to avoid accidentally relicensing our api and sdk modules, we will stop running the copywrite script until such time that it can do the right thing. * License protobuf API as MPL The protobuf API files are used to generate the SDK, since we want the SDK to be MPL, the protobuf files must also be MPL. This extends to all protobuf files whose sources end up in the SDK directory, including: - internal/proto/controller/api - internal/proto/controller/custom_options - internal/proto/plugin It also includes the generated service directory in internal/gen/controller/api/services, since they are generated from the protobuf sources used for the SDK. * Change website license file name This makes the naming scheme consistent with the rest of the repository. * Add note on licensing to README * Set copywrite license to BUSL * Revert "Add note on licensing to README" This reverts commit `4d865a91a7`. --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>	3 years ago
Todd	86b2f4b90a	Strongly type API resource for session recording creation time value attributes (#3480 )	3 years ago
Todd	8d9222bec3	Add credential and libraries to session recording resource (#3374 )	3 years ago
Jeff Mitchell	feb3aea38f	Support multiple IDs in grants (#3263 ) This allows specifying multiple IDs in grants via an `ids` field, which will eventually become the normal way to specify IDs. Internally, each grant with multiple IDs turns into multiple ACL grants each with a single ID; to make this distinction clearer and allow for better separation of concerns an AclGrant type has been introduced, so really multiple IDs in a Grant turn into multiple AclGrants. The nice thing about doing it this way is that it becomes purely a parsing concern; no actual validation logic has changed. For backwards compatibility with grants already stored in roles, we do not error out if `id` is specified. However, eventually we will simply not support grants with `id` coming via the API; they will fail API validation, such that new grants will require the use of the updated `ids` field. A follow-on PR will plumb this through the service handlers/API/CLI, but I decided to do it in separate chunks to make reviewing easier, given that they are easily separable into the internal and external aspects of the change. * Add CLI/API checks around using ID in grants (#3264) * Plumb through some contexts to remove a lot of deprecated errors (#3268)	3 years ago
Johan Brandhorst-Satzkorn	ebcd6d2828	api: remove connection ID (#3298 ) Removing this until we figure out why it's sometimes missing. May add it back again later.	3 years ago
Johan Brandhorst-Satzkorn	610df9892b	all: propagate more history metadata (#3279 ) A few target and host properties were missed when reading historical data from the history tables.	3 years ago
Johan Brandhorst-Satzkorn	0c8177590f	Upgrade grpc-gateway dependency (#3257 ) * proto: correct classification of authz token The target authorization token had the invalid classification "private". Fortunately, classification is a fail-closed system, so this won't have exposed users authorization tokens, but we should still use the correct classification. Use "secret". * scripts: add Go script to remove gotags comments The new version of grpc-gateway includes our gotags comments in the generate swagger documentation. This script removes all mentions of these. * Upgrade grpc-gateway dependency Mainly we need this to fix generation of our docs side API docs, but it also includes a nice fix for the new Download RPC, i.e. it now contains the correct response schema (a binary stream).	3 years ago
Danielle Miu	1052118836	remove field masks from proto	3 years ago
Todd	d1a5f3a2ff	Update attribute fields to be proto struct so generated api becomes map[string]any	3 years ago
Louis Ruch	9a3006e42a	feat(storage): Include type plugin in API response for buckets	3 years ago
Johan Brandhorst-Satzkorn	3374d32a55	api: add created, updated times to conn, chan In addition to session recordings, connection and channel recordings now also include the created and updated time.	3 years ago
Todd	5f20eb60ad	Add Host and Catalogs to the API resource	3 years ago
Johan Brandhorst-Satzkorn	15524f3408	api: add created, updated times to recordings	3 years ago
Johan Brandhorst-Satzkorn	4387a59ce5	sessionrecordings: add endpoint	3 years ago
Johan Brandhorst-Satzkorn	89befba55e	api: add state and error details fields to recordings	3 years ago
Todd	ee6a5f05b5	Add historical target and scope information to session recording	3 years ago
Todd	cfe0dc08d9	Add session recording service stuff	3 years ago
Danielle Miu	bb82fa6507	update storage buckets to use a shared persisted secrets type. add options	3 years ago
Louis Ruch	0d96a20024	feat(target): Add domain support for storage bucket association	3 years ago
Todd	8f9e218e1c	refactor historical values in the session recording resource	3 years ago
Louis Ruch	8ea61054cd	feat(storage): Add support for Storage Bucket API	3 years ago
Johan Brandhorst-Satzkorn	7632143861	add session recording API definitions	3 years ago
Louis Ruch	def8e47f32	feat(storage): Add pluginInfo to storageBucket	3 years ago
Damian Debkowski	79eea06dd7	feat(proto): storage bucket plugin grpc definitions (#252 )	3 years ago
Jeff Mitchell	c149bc4a79	Allow slashes in authorize-session when using target name (#3249 ) This requires specifying `**` as the selector in the proto, which will match any segments and simply requires that the verb is the last part of the URL, which it already is.	3 years ago
Jeff Mitchell	20391e3503	Add default client port to targets and use in connect command (#2767 )	3 years ago
Hugo Vieira	45dc8251ec	feat(api): Support plugin host external_name field	3 years ago
Jim	982c9c263c	chore: update buf version to 1.15.1 (#3102 )	3 years ago
Jim	86192f75eb	feature (auth/ldap): add LDAP auth method along with associated accounts and managed groups (#2912 ) * feature (auth): required schema changes for auth ldap method (#2669) chore (auth/ldap): move schema changes to next avail migration number * feature (auth/ldap): define AuthMethod and all its value objects (#2703) * feature (auth/ldap): storage protos * feature (auth/ldap): define AuthMethod and all its value objects * feature (auth/ldap): add repo and reading an auth method (#2718) * feature (auth/ldap): add Repository.CreateAuthMethod(...) and Repository.DeleteAuthMethod(...) (#2724) * feature (auth/ldap): add Repository.UpdateAuthMethod(...) (#2739) * feature (auth/ldap): add Account * feature (auth/ldap): add AuthMethod.EnableGroups * fix (auth/ldap): refactor AuthMethod.oplog to enforce proper constraints * feature (auth/ldap): add Account repo functions * refactor (auth/ldap): remove entry attributes from account Realized the entry attributes could have absolutely anything in them (including binary data) and since we absolutely don't have to have them there's just no reason to take on the risk. * feature (auth/ldap): add AuthMethod.UseTokenGroups * feature (auth/ldap): add Authenticate(...) * refactor (auth/ldap): ensure options take a context as the 1st parameter * feature (auth/ldap): add Account attribute maps * chore (auth/ldap): make fmt deltas * feature (auth/ldap): add managed groups (#2760) * tests (auth/ldap): add missing unit test to Repository.DeleteAccount(...) Add bits to test the delete operation when you're not able to generate oplog metadata * feature (auth/ldap): add managed groups fixup! feature (auth/ldap): add managed groups (#2760) * feature (auth/ldap): service proto definition (#2761) * feature (handlers/authmethods): add handlers for ldap auth method operations (#2794) * feature (auth/ldap): add Account attribute maps * chore (auth/ldap): update cap/ldap to latest version * feature (auth/ldap): add ldap api generation definitions * feature (authmethods): add ldap repo NewService(...) * feature (authmethods/ldap): add proper mask_mapping to protobufs * feature (authmethods): add support to get an ldap auth method * refactor (auth/ldap): export TestGenerateCA(...) * feature (authmethods): add support to create an ldap auth method * feature (authmethods): add support to delete an ldap auth method * feature (authmethods): add support to list ldap auth methods * refactor (auth/ldap): make urls optional for NewAuthMethod(...) * refactor (auth/ldap): export ldap.TestInvalidPem * chore: make fmt changes * fix (auth/ldap): properly handle group search config Add constraints and tests to ensure when an ldap AuthMethod.EnableGroups is true, and UseTokenGroups is false; that there's a GroupDn configured for finding a user's associated groups * feature (authmethods): add support to update an ldap auth methods * chore (db/ldap): tmp mv migrations so there's no conflict with ongoing work * feature (verifier): add ldap auth method to verifier bits * fix (controller): prevent panic when controller stops when there's no listener * feature (authmethods): add support to authenticate via ldap auth methods * chore (migrations): fix whitespace in stmt * chore: fmt fixup * tests (auth/ldap): invalid err msg * feature (cli/authmethods): add support for ldap auth-methods CRUD and authenticate (#2810) * feature (authmethods): add CLI support for ldap auth methods CRUD * tests (api/auth): ldap auth method classification tests * feature (authmethods): add CLI support for ldap auth authenticate * feature (auth/ldap): set request timeouts for ldap server connections * feature (handlers/authmethods): handle u_anon listing properly. * feature (account/handers): ldap account and managed group CRUDL APIs (#2852) * feature (auth/ldap) add repository Listing of ManagedGroupMemberAccount * feature (controller/handlers): add ldapRepoFn to accounts service * feature (auth/ldap) register ldap managed group subtype * feature (account/handlers): ldap account CRUDL APIs * feature (controller/handlers): add ldapRepo to managed groups service * feature (account/handlers): ldap managed group CRUDL APIs * docs (domain): add LDAP accounts, auth-methods and managed groups (#2857) * feature (ldap/cli) add ldap accounts and managed groups CRUDL commands (#2856) * fix (handlers/authmethods): fix ldap authorized actions (#2892) * feature (cli/ldap/authenticate): use primary auth method if none is provided (#2890) * fix (auth/ldap): support setting the state attribute * feature (cli/ldap/authenticate): use primary auth method if none is provided * feature (wh/ldap) add tests for new ldap auth method and accounts (#2919) * refactor (migrations/ldap): mv to correct directory * chore: add copyright headers * fix (api/authmethods/ldap): renumber new LdapAuthMethodAttributes field * fix (auth/ldap): allow the auth method state to be updated (#2951) * chore: update sdk and api versions for llb - this is tmp until merging * tests (managed groups): add required errContains for new test	3 years ago
Johan Brandhorst-Satzkorn	3c29308673	chore: Add license headers to all files	3 years ago
Haotian	43f0ba89cf	feat(credentiallibraries): support vault ssh certificates	3 years ago
Todd	d66b92abe0	Add directly connected downstream workers to the worker resource api (#2831 )	3 years ago
Damian Debkowski	1d3930a711	feat(handlers): Support address field on a Target	3 years ago
Hugo Vieira	c82d2efb14	feat(cli): Implement address flag for boundary targets create/update This commit adds CLI support for addresses to be attached directly to a Target, for all current types of Target (ssh and tcp). It also clarifies the relevant documentation regarding the autogen of API option functionality.	3 years ago
Irena Rindos	834a2a88f7	feat(targets): Addition of egress and ingress worker filters (#2654 ) * feat(targets): Addition of egress and ingress worker filters	3 years ago
Johan Brandhorst-Satzkorn	edd323b73a	Key Rotation/Destruction (#2477 ) (#2607 ) * Key Rotation/Destruction (#2477) * fix: Correct kms.CreateKeys comment This method does not return anything. * feat(kms): Add new ListKeys method The new ListKeys method wraps the underlying KMS wrapper, returning all the keys in the scope specified. * feat(scopes): Add new scope actions for key management Adds list-keys, rotate-keys and revoke-keys actions for scopes. * feat(scopes): Add ListKeys API endpoint This new endpoint lists all keys in a scope * feat(api): Add ListKeys to Scopes client This has to be a custom function because it is a custom action and doesn't map well to any of the existing templates, or generalises well in a way that would make it reasonable to create a new template. * feat(cli): Add new scopes list-keys command * add RotateKeys function to the kms repository * Add Rotate Keys Endpoint to Scopes Api (#2360) * add rotate keys endpoint * add tests for RotateKeys endpoint * remove that one comment I forgot about * addressing more PR comments * Add Rotate Keys CLI Command (#2395) * add cli command and client * add bats tests * fix some info text and pr comments * write a new rotate keys description * Add Missing DEK Foreign Keys (#2408) * add missing fks * mark key as nullable in gorm * update tests to use a new wrapper with a real key_id * fix formatting in test and add keys for auth_token test * replace key values * revert postgres_40_01_test.go * style: reformat sql for readability * refactor: change type of key_id columns to kms_private_id * Store key_id and scope_id with oplog entries, re-type columns referencing data key version (#2431) * fix(db): Correct types of data key version referencers * fix(oplog): Fix missing error handling * feat(oplog): Store key_id and scope_id with oplog entries This migration truncates all existing oplog entries, as migrating existing data would have been complex and likely unnecessary. * Update view references * Always delete oplog entries when dropping keys * Fix rebase issues * Fix sql tests * Add schema for new kms destruction jobs (#2479) * feat: Add schema for new kms destruction jobs The schema lets us manage destruction jobs per-table while providing a guarantee that only one run is running at a time. * Apply suggestions from code review Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Fix table reference and tests Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * update domain, api, and cli to all include key versions in outputs (#2472) * update domain, api, and cli to all include key versions in outputs * fix go sum * add migration to fix immutable error * fix final test issue as well as make gen issue * rebase and fix * address johan pr comments * make gen, didn't realize comments were included * update migrations based on new migration 55 file 03 * Move migrations to 56 * feat: Add key version rewrapping function registry (#2478) The new RegisterTableRewrapFn can be used by a domain to register a callback to use when rewrapping data in a specific table name. * feat(kms): Add scopeId to RewrapFn (#2539) This makes it much easier for rewrap functions to look up the correct wrapper and limit the number of rows searched. * Update Root Cert Proto Definition (#2542) * update root cert proto definition to properly identify public_key as the table primary key * add the test fix as well * Rewrap Functions for Encrypted Tables (#2532) * add oidc rewrap * add argon2 config rewrap * add auth token rewrapping * add worker auth cert rewrapping * check the err * add username password credential rewrapping * add ssh private key credential rewrapping * add vault client certificate rewrap function * add host catalog secret rewrap function * cleanup a little * add host vault token rewrap function * add session credential rewrap function * add session rewrap function * add worker auth rewrap function * update test to include full assert gamut * add session rewrap function TEST * bring all tests up to current standards, make more readable, and include full assert gamut * rework all rewrap functions to utilize scope id * update comments, queries, sql refs, etc, in response to PR comments * forgot a comment * remove hmac updates and fix a couple comments again * Rewrapping Registered Tables Test (#2555) * add the registered table test as well as the two missing rewrap functions * address pr comments, add db r/w conversions, cmp.diff, sql comment, remove (now) faulty immutable test * Add ability to list key version destruction jobs, recurring jobs and destroying key versions (#2498) * feat(kms): Add ability to list data key version destruction jobs * feat(scopes): Add ListKeyVersionDestructionJobs * feat(cli): Add list-key-version-destruction-jobs * feat(kms): Add recurring job that performs table rewrapping The new recurring job runs for each job table with a registered rewrapping callback. It attempts to become the running run and start its rewrapping, gracefully handling sudden interruptions by resuming it's work if it finds evidence of sudden interruption. * feat(kms): Add recurring job for destroying key versions The new job monitors the database for data key version destruction jobs that have finished rewrapping all its data, performing the final data key version revocation. * feat(kms): Add DestroyKeyVersion DestroyKeyVersion immediately destroys a key version if it is a root key version or a data key version which encrypts no data. If the data key version encrypts data which needs to be rewrapped, it queues an asynchronous job to complete the rewrapping operation. * feat(scopes): Add DestroyKeyVersion API endpoint * feat(cli): Add scopes destroy-key-version CLI command * Ensure all secret updates include key ID (#2556) * feat(all): Ensure all secret updates include key ID When updating a secret, it is paramount that the key ID is also updated, as it is the only means we have of ensuring that we only destroy keys once there is no more data associated with the key. * Remove fix to session repository for now This breaks the current private key derivation method * add new encrypt/decrypt funcs and made necessary proto changes (#2557) * add new encrypt/decrypt funcs and made necessary proto changes * address all PR comments * fix test panic * add param checking to rewraps * fix(schema): Correctly organize migrations again * Review comments part 1 * Review comments part 2 * Review comments part 3 * Store cert private key, encrypt tofu token (#2583) * fix(session): store cert private key, encrypt tofu token Previously, we would derive a session certificate private key from the session key used in each project, and not store the key. We would also encrypt the tofu token with the database key but not store a reference to this key in the database. This change fixes this by replacing our key derivation with a key generation step, and instead store the generated key, encrypted, in the database. We also ensure that any new tofu tokens are encrypted with the same key. To handle existing sessions, we lazily rewrite the sessions whenever a user lists them. There is a minor risk that a user could end up destroying the database key that encrypts the tofu token before that session has been rewrapped, but this is going to be rare and temporary. * feat(session): Allow the random source for secrets to be configured * Review comments * Minor fixes * More minor fixes * More small fixes Co-authored-by: Danielle Miu <dani.miu@hashicorp.com> Co-authored-by: Danielle <29378233+DanielleMiu@users.noreply.github.com> Co-authored-by: Michael Gaffney <mike@gaffney.cc> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * fix(session): Unset session key ID when scope is deleted Unsetting the key ID allows the session to live beyond the lifetime of the scope, while allowing the scope to cascade delete its keys. * fix(migrations): Rewrite migration 56 tests These tests can no longer use the normal test helpers as they try to use the new oplog table structure, so we have to manually write all the interactions. * fix(migrations): Rename migration 58 file name This was the name used in the release branch, update it to the new migration number. * fix(e2e): Add some comments and debug to kms tests * fix(session): Handle empty project and user IDs in read When a project or user is deleted, the session is automatically canceled and the respective field on the session is unset. LookupSession did not handle this case gracefully, and would error on decryption in this state. Skip decrypting sessions that do not have either a user or project to avoid this error. The decrypted values are not used for a canceled session. * Fix worker test * Increase test timeout Co-authored-by: Danielle Miu <dani.miu@hashicorp.com> Co-authored-by: Danielle <29378233+DanielleMiu@users.noreply.github.com> Co-authored-by: Michael Gaffney <mike@gaffney.cc> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com>	3 years ago
Hugo Vieira	d206635d74	fix(connection): Make bytes up and down a signed 64-bit integer This fixes a theoretical issue with database interaction. Because the fields in the database are signed 64-bit integers, it's theoretically possible to overflow them if we're using unsigned 64-bit integers in the application code.	4 years ago
Damian Debkowski	546c5dc5be	feat: static json credentials (#2423 )	4 years ago
Jeff Mitchell	53b5e532d5	Remove deprecated methods/fields on targets (#2393 )	4 years ago
Irena Rindos	18dff62b7b	Merge BYOW GA branch to main (#2398 ) * feat(workers): Add ability to read and reinitialize cert authority (#2312) * feat(workers): Return Release Version on worker list and read (#2377) * feat(cli): Read and reinitialize worker certificate authority (#2387)	4 years ago
Louis Ruch	d7c4c648ec	bug(vault): Correctly handle credential stores with expired tokens (#2399 ) * bug(vault): Correctly handle credential stores with expired tokens Boundary makes use of a database view to perform CRUD operations on Vault credential stores and libraries. This view did not include credential stores with tokens that have expired in Vault, causing errors when attempting to perform any action against them.	4 years ago
Jeff Mitchell	01fb949d0b	Add controller-led worker auth flow (#2413 ) This adds an action to the API that allows pulling out an activation token that can be given to a worker in its config (directly or via env or file). The worker can pass this along with its normal request in place of its normal nonce and the server will automatically accept it. Co-authored-by: Irena Rindos <irenarindos@users.noreply.github.com>	4 years ago
Jeff Mitchell	02dd28f587	Add support for SSH private key passphrases (#2331 ) This adds support for encrypted SSH keys via passphrase. Co-authored-by: Louis Ruch <louisruch@gmail.com> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com>	4 years ago
irenarindos	4908aba546	feat(vault): Add unimplemented worker filter support to OSS	4 years ago
Timothy Messier	439566cd10	feat(target): Add ssh target support to sdk/api/cli This add the generated code and additional configuration to support sending the ssh target subtype to the api via the sdk or cli. The cli now supports an additional subcommand for the ssh target subtype: boundary targets create ssh boundary targets update ssh	4 years ago
Louis Ruch	a17e973712	feat(credentials): Refactor credential purposes (#2260 ) * feat(credentials): Refactor credential purposes * Application credentials have been refactored to Brokered credentials * Egress credentials have been refactored to Injected Application credentials Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	4 years ago
Louis Ruch	ef5ac07f02	Add ssh_private_key support for Vault libraries and targets (#2263 ) * Add support for ssh_private_key credential type in Vault libraries * Add support for ssh_private_key credential type * Support jsonpointer for Vault library mapping overrides	4 years ago
Jeff Mitchell	011e2e7425	Add ssh private key type and add type to static store (#2262 ) Co-authored-by: Louis Ruch <louisruch@gmail.com>	4 years ago
Haotian	28f53a64b4	feat(workers): implement worker service add/set/remove api tags	4 years ago
Damian Debkowski	3e9c99c217	refactor(user_password) rename all references of user_password to username_password (#2232 )	4 years ago
Louis Ruch	9671daf6e0	Revert "refactor(user_passsword) change all references of user_password into username_password (#2189 )" This reverts commit `ab58b24142`.	4 years ago
Damian Debkowski	ab58b24142	refactor(user_passsword) change all references of user_password into username_password (#2189 ) * (refactor) change all sql references of user_password to username_password * refactor(pkg) renamed pkg userpassword to usernamepassword * refactor(proto) updated protocol buffers to use UsernamePassword * refactor(code) updated references from UserPassword to UsernamePassword in golang files * refactor(test) updated unit tests to reference UsernamePassword changes * refactor(ddtest) updated references in dbtests to use UsernamePassword * chore(sql-test) fixed spelling issue * chore(sql) added and updated comments in migartion & tables. fixed indentations * chore(proto) updated comments to reflect username_password changes * refactor(tests) updated unit tests to replace user-password with username-password * refactor(cmd) updated cmd help text to use username * chore(tests) update test name & comments * fix(cmd) fixed cmd usage definition for credentials update * refactor(tests) removed out of scope changes * fix(sql) incremented sql migration id & updated migration comments	4 years ago
Jeff Mitchell	704d68848c	Merge remote-tracking branch 'origin/main' into llb-byow	4 years ago
Jeff Mitchell	bfd9565010	Merge remote-tracking branch 'origin/byow-attrib-consolidation' into llb-byow	4 years ago
Jeff Mitchell	3d42737789	Don't display active connection count if it's not authorized (#2200 )	4 years ago
Louis Ruch	68eb6e2bed	chore(targets): remove deprecated credential libraries on target resources (#1533 )	4 years ago
Jeff Mitchell	8335deb8b6	Update protos, generated code, and service handlers (#2188 ) * Update protos, generated code, and service handlers * Address review feedback	4 years ago
Louis Ruch	58d546cdd4	feat(credential): Add static credential store and username_password credential	4 years ago
Jeff Mitchell	5d3facf561	Merge remote-tracking branch 'origin/main' into llb-byow	4 years ago
Jeff Mitchell	5b978d7fa7	Adjust parameter naming (#2161 ) * Adjust parameter naming for some worker resource fields * Add eventing listener to event when authentication is successful from a downstream worker	4 years ago
Timothy Messier	e79714e93f	feat(session): Add include_termianted option to list endpoint	4 years ago
Jeff Mitchell	7c4f495c25	Add workers SDK API bits (#2159 )	4 years ago
Todd	1e3c941be1	Add active session count to the worker (#2145 )	4 years ago
Jim	fdf43fc4fe	feature (worker): add CreateWorker(...) service (aka API) (#2143 )	4 years ago
Todd	43bcbba47f	Implement UpdateWorker service method (#2133 )	4 years ago
Todd	abbfe45419	Add the Read/List service functions (#2123 )	4 years ago
Todd	fa2efe9878	Create the Worker API resource and the CRUDL operation definitions for a worker. (#2114 )	4 years ago
Todd	472d7d520a	Remove the server_id from session table, change it to worker_id on session_connection (#2070 ) * Remove the server_id from session table, change it to worker_id on session_connection This is step 1 in updating the worker table. The worker is becoming a public resource so it must have a public id. We drop the server_id column on the session_connection table and add the worker_id column so we can use the wt_public_key type. Since db migrations are applied while the controller is offline, it should be safe to assume all session connections are not in a running state, thus allowing us to null out all the worker ids in the session_connection table. For now we don't have very good enforcement of the wt_public_id constraints, since the id is currently defined in the worker config, but this will soon change and the worker's id will be generated by the controller.	4 years ago
Johan Brandhorst-Satzkorn	8cef1017e9	fix(session): Fix typo in connection documentation (#2075 )	4 years ago
Johan Brandhorst-Satzkorn	f69fbf2255	feat(proto): Format protobuf files with buf (#2033 ) Formats all protobuf files with buf format. This ensures a consistent style across all our protobuf files, similar to gofumpt.	4 years ago
Timothy Messier	3be5c44907	feat(target): Classify resources for audit events	4 years ago
Timothy Messier	c8be4a9890	refact(target): Switch subtype attributes to oneof This updates the target resources to use a oneof for attributes. This allows requests to the targets service to leverage the new subtypes.AttributeTransformerInterceptor so that attributes are strongly typed prior to the service handler.	4 years ago
Johan Brandhorst-Satzkorn	8c452b0991	feat(authmethods): Add classification to all fields	4 years ago
Timothy Messier	2ade7f34a8	feat(users): Classify resources for audit events	4 years ago
Timothy Messier	006fa3a85a	feat(session): Classify resources for audit events	4 years ago
Timothy Messier	38a3960047	feat(role): Classify resources for audit events	4 years ago
Timothy Messier	6ad9aba505	feat(credentialstore): Classify resources for audit events	4 years ago
Timothy Messier	9d3a57cbb0	refact(credentialstore): Switch subtype attributes to oneof This updates the credential store resources to use a oneof for attributes. This allows requests to the credential store service to leverage the new subtypes.AttributeTransformerInterceptor so that attributes are strongly typed prior to the service handler.	4 years ago
Timothy Messier	00e57b20a2	feat(credentiallibrary): Classify resources for audit events	4 years ago
Timothy Messier	3d4ba0389e	refact(credentiallibrary): Switch subtype attributes to oneof This updates the credential library resources to use a oneof for attributes. This allows requests to the credential library service to leverage the new subtypes.AttributeTransformerInterceptor so that attributes are strongly typed prior to the service handler.	4 years ago
Timothy Messier	95315a3e0a	feat(groups): Classify resources for audit events	4 years ago
Timothy Messier	e2eca03d26	feat(managedgroups): Classify resources for audit events	4 years ago
Timothy Messier	5d6cb0009d	refact(managed-groups): Switch subtype attributes to oneof This updates the credential store resources to use a oneof for attributes. This allows requests to the credential store service to leverage the new subtypes.AttributeTransformerInterceptor so that attributes are strongly typed prior to the service handler.	4 years ago
Johan Brandhorst-Satzkorn	fc6cddfc7f	feat(authtokens): Add classification to all fields (#1996 )	4 years ago
Johan Brandhorst-Satzkorn	d51ce41db8	feat(hostsets): Classify all proto fields	4 years ago
Johan Brandhorst-Satzkorn	8fa3e8dee0	feat(hostcatalogs): Classify all proto fields	4 years ago

1 2 3 4

161 Commits (69fc3a47d07969c3e29e1fcd6a9b6d818052d47a)