boundary

Commit Graph

Author	SHA1	Message	Date
Jim	de88a871c6	feat: (api/cli): add custom type for duration	3 years ago
Johan Brandhorst-Satzkorn	4387a59ce5	sessionrecordings: add endpoint	3 years ago
Johan Brandhorst-Satzkorn	89befba55e	api: add state and error details fields to recordings	3 years ago
Todd	ee6a5f05b5	Add historical target and scope information to session recording	3 years ago
Todd	cfe0dc08d9	Add session recording service stuff	3 years ago
Johan Brandhorst-Satzkorn	281989e595	regenerate API files	3 years ago
Jim	70a950b7a3	feat (session recordings): Read, List and Download API	3 years ago
Louis Ruch	0d96a20024	feat(target): Add domain support for storage bucket association	3 years ago
Louis Ruch	8ea61054cd	feat(storage): Add support for Storage Bucket API	3 years ago
Jeff Mitchell	5a7cbaa989	Bump gkw dep	3 years ago
Jeff Mitchell	a6fe1a5815	Update gen templates for license/gen info (#3211 )	3 years ago
Jeff Mitchell	869310d7da	Only create WithAutomaticVersioning if versioning is used (#3210 ) This option did not respect whether or not versioning was enabled when writing it out during generation. This does mean that there is a breaking change for auth tokens, but as it was a no-op anyways it's easy to fix and not something I want to /v2 about.	3 years ago
Jeff Mitchell	20391e3503	Add default client port to targets and use in connect command (#2767 )	3 years ago
Hugo Vieira	45dc8251ec	feat(api): Support plugin host external_name field	3 years ago
Jim	86192f75eb	feature (auth/ldap): add LDAP auth method along with associated accounts and managed groups (#2912 ) * feature (auth): required schema changes for auth ldap method (#2669) chore (auth/ldap): move schema changes to next avail migration number * feature (auth/ldap): define AuthMethod and all its value objects (#2703) * feature (auth/ldap): storage protos * feature (auth/ldap): define AuthMethod and all its value objects * feature (auth/ldap): add repo and reading an auth method (#2718) * feature (auth/ldap): add Repository.CreateAuthMethod(...) and Repository.DeleteAuthMethod(...) (#2724) * feature (auth/ldap): add Repository.UpdateAuthMethod(...) (#2739) * feature (auth/ldap): add Account * feature (auth/ldap): add AuthMethod.EnableGroups * fix (auth/ldap): refactor AuthMethod.oplog to enforce proper constraints * feature (auth/ldap): add Account repo functions * refactor (auth/ldap): remove entry attributes from account Realized the entry attributes could have absolutely anything in them (including binary data) and since we absolutely don't have to have them there's just no reason to take on the risk. * feature (auth/ldap): add AuthMethod.UseTokenGroups * feature (auth/ldap): add Authenticate(...) * refactor (auth/ldap): ensure options take a context as the 1st parameter * feature (auth/ldap): add Account attribute maps * chore (auth/ldap): make fmt deltas * feature (auth/ldap): add managed groups (#2760) * tests (auth/ldap): add missing unit test to Repository.DeleteAccount(...) Add bits to test the delete operation when you're not able to generate oplog metadata * feature (auth/ldap): add managed groups fixup! feature (auth/ldap): add managed groups (#2760) * feature (auth/ldap): service proto definition (#2761) * feature (handlers/authmethods): add handlers for ldap auth method operations (#2794) * feature (auth/ldap): add Account attribute maps * chore (auth/ldap): update cap/ldap to latest version * feature (auth/ldap): add ldap api generation definitions * feature (authmethods): add ldap repo NewService(...) * feature (authmethods/ldap): add proper mask_mapping to protobufs * feature (authmethods): add support to get an ldap auth method * refactor (auth/ldap): export TestGenerateCA(...) * feature (authmethods): add support to create an ldap auth method * feature (authmethods): add support to delete an ldap auth method * feature (authmethods): add support to list ldap auth methods * refactor (auth/ldap): make urls optional for NewAuthMethod(...) * refactor (auth/ldap): export ldap.TestInvalidPem * chore: make fmt changes * fix (auth/ldap): properly handle group search config Add constraints and tests to ensure when an ldap AuthMethod.EnableGroups is true, and UseTokenGroups is false; that there's a GroupDn configured for finding a user's associated groups * feature (authmethods): add support to update an ldap auth methods * chore (db/ldap): tmp mv migrations so there's no conflict with ongoing work * feature (verifier): add ldap auth method to verifier bits * fix (controller): prevent panic when controller stops when there's no listener * feature (authmethods): add support to authenticate via ldap auth methods * chore (migrations): fix whitespace in stmt * chore: fmt fixup * tests (auth/ldap): invalid err msg * feature (cli/authmethods): add support for ldap auth-methods CRUD and authenticate (#2810) * feature (authmethods): add CLI support for ldap auth methods CRUD * tests (api/auth): ldap auth method classification tests * feature (authmethods): add CLI support for ldap auth authenticate * feature (auth/ldap): set request timeouts for ldap server connections * feature (handlers/authmethods): handle u_anon listing properly. * feature (account/handers): ldap account and managed group CRUDL APIs (#2852) * feature (auth/ldap) add repository Listing of ManagedGroupMemberAccount * feature (controller/handlers): add ldapRepoFn to accounts service * feature (auth/ldap) register ldap managed group subtype * feature (account/handlers): ldap account CRUDL APIs * feature (controller/handlers): add ldapRepo to managed groups service * feature (account/handlers): ldap managed group CRUDL APIs * docs (domain): add LDAP accounts, auth-methods and managed groups (#2857) * feature (ldap/cli) add ldap accounts and managed groups CRUDL commands (#2856) * fix (handlers/authmethods): fix ldap authorized actions (#2892) * feature (cli/ldap/authenticate): use primary auth method if none is provided (#2890) * fix (auth/ldap): support setting the state attribute * feature (cli/ldap/authenticate): use primary auth method if none is provided * feature (wh/ldap) add tests for new ldap auth method and accounts (#2919) * refactor (migrations/ldap): mv to correct directory * chore: add copyright headers * fix (api/authmethods/ldap): renumber new LdapAuthMethodAttributes field * fix (auth/ldap): allow the auth method state to be updated (#2951) * chore: update sdk and api versions for llb - this is tmp until merging * tests (managed groups): add required errContains for new test	3 years ago
Jim	a2692e0a68	update the deps (#3054 )	3 years ago
Johan Brandhorst-Satzkorn	3c29308673	chore: Add license headers to all files	3 years ago
Haotian	43f0ba89cf	feat(credentiallibraries): support vault ssh certificates	3 years ago
Todd	d66b92abe0	Add directly connected downstream workers to the worker resource api (#2831 )	3 years ago
Hugo Vieira	c82d2efb14	feat(cli): Implement address flag for boundary targets create/update This commit adds CLI support for addresses to be attached directly to a Target, for all current types of Target (ssh and tcp). It also clarifies the relevant documentation regarding the autogen of API option functionality.	3 years ago
Irena Rindos	834a2a88f7	feat(targets): Addition of egress and ingress worker filters (#2654 ) * feat(targets): Addition of egress and ingress worker filters	3 years ago
Johan Brandhorst-Satzkorn	edd323b73a	Key Rotation/Destruction (#2477 ) (#2607 ) * Key Rotation/Destruction (#2477) * fix: Correct kms.CreateKeys comment This method does not return anything. * feat(kms): Add new ListKeys method The new ListKeys method wraps the underlying KMS wrapper, returning all the keys in the scope specified. * feat(scopes): Add new scope actions for key management Adds list-keys, rotate-keys and revoke-keys actions for scopes. * feat(scopes): Add ListKeys API endpoint This new endpoint lists all keys in a scope * feat(api): Add ListKeys to Scopes client This has to be a custom function because it is a custom action and doesn't map well to any of the existing templates, or generalises well in a way that would make it reasonable to create a new template. * feat(cli): Add new scopes list-keys command * add RotateKeys function to the kms repository * Add Rotate Keys Endpoint to Scopes Api (#2360) * add rotate keys endpoint * add tests for RotateKeys endpoint * remove that one comment I forgot about * addressing more PR comments * Add Rotate Keys CLI Command (#2395) * add cli command and client * add bats tests * fix some info text and pr comments * write a new rotate keys description * Add Missing DEK Foreign Keys (#2408) * add missing fks * mark key as nullable in gorm * update tests to use a new wrapper with a real key_id * fix formatting in test and add keys for auth_token test * replace key values * revert postgres_40_01_test.go * style: reformat sql for readability * refactor: change type of key_id columns to kms_private_id * Store key_id and scope_id with oplog entries, re-type columns referencing data key version (#2431) * fix(db): Correct types of data key version referencers * fix(oplog): Fix missing error handling * feat(oplog): Store key_id and scope_id with oplog entries This migration truncates all existing oplog entries, as migrating existing data would have been complex and likely unnecessary. * Update view references * Always delete oplog entries when dropping keys * Fix rebase issues * Fix sql tests * Add schema for new kms destruction jobs (#2479) * feat: Add schema for new kms destruction jobs The schema lets us manage destruction jobs per-table while providing a guarantee that only one run is running at a time. * Apply suggestions from code review Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Fix table reference and tests Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * update domain, api, and cli to all include key versions in outputs (#2472) * update domain, api, and cli to all include key versions in outputs * fix go sum * add migration to fix immutable error * fix final test issue as well as make gen issue * rebase and fix * address johan pr comments * make gen, didn't realize comments were included * update migrations based on new migration 55 file 03 * Move migrations to 56 * feat: Add key version rewrapping function registry (#2478) The new RegisterTableRewrapFn can be used by a domain to register a callback to use when rewrapping data in a specific table name. * feat(kms): Add scopeId to RewrapFn (#2539) This makes it much easier for rewrap functions to look up the correct wrapper and limit the number of rows searched. * Update Root Cert Proto Definition (#2542) * update root cert proto definition to properly identify public_key as the table primary key * add the test fix as well * Rewrap Functions for Encrypted Tables (#2532) * add oidc rewrap * add argon2 config rewrap * add auth token rewrapping * add worker auth cert rewrapping * check the err * add username password credential rewrapping * add ssh private key credential rewrapping * add vault client certificate rewrap function * add host catalog secret rewrap function * cleanup a little * add host vault token rewrap function * add session credential rewrap function * add session rewrap function * add worker auth rewrap function * update test to include full assert gamut * add session rewrap function TEST * bring all tests up to current standards, make more readable, and include full assert gamut * rework all rewrap functions to utilize scope id * update comments, queries, sql refs, etc, in response to PR comments * forgot a comment * remove hmac updates and fix a couple comments again * Rewrapping Registered Tables Test (#2555) * add the registered table test as well as the two missing rewrap functions * address pr comments, add db r/w conversions, cmp.diff, sql comment, remove (now) faulty immutable test * Add ability to list key version destruction jobs, recurring jobs and destroying key versions (#2498) * feat(kms): Add ability to list data key version destruction jobs * feat(scopes): Add ListKeyVersionDestructionJobs * feat(cli): Add list-key-version-destruction-jobs * feat(kms): Add recurring job that performs table rewrapping The new recurring job runs for each job table with a registered rewrapping callback. It attempts to become the running run and start its rewrapping, gracefully handling sudden interruptions by resuming it's work if it finds evidence of sudden interruption. * feat(kms): Add recurring job for destroying key versions The new job monitors the database for data key version destruction jobs that have finished rewrapping all its data, performing the final data key version revocation. * feat(kms): Add DestroyKeyVersion DestroyKeyVersion immediately destroys a key version if it is a root key version or a data key version which encrypts no data. If the data key version encrypts data which needs to be rewrapped, it queues an asynchronous job to complete the rewrapping operation. * feat(scopes): Add DestroyKeyVersion API endpoint * feat(cli): Add scopes destroy-key-version CLI command * Ensure all secret updates include key ID (#2556) * feat(all): Ensure all secret updates include key ID When updating a secret, it is paramount that the key ID is also updated, as it is the only means we have of ensuring that we only destroy keys once there is no more data associated with the key. * Remove fix to session repository for now This breaks the current private key derivation method * add new encrypt/decrypt funcs and made necessary proto changes (#2557) * add new encrypt/decrypt funcs and made necessary proto changes * address all PR comments * fix test panic * add param checking to rewraps * fix(schema): Correctly organize migrations again * Review comments part 1 * Review comments part 2 * Review comments part 3 * Store cert private key, encrypt tofu token (#2583) * fix(session): store cert private key, encrypt tofu token Previously, we would derive a session certificate private key from the session key used in each project, and not store the key. We would also encrypt the tofu token with the database key but not store a reference to this key in the database. This change fixes this by replacing our key derivation with a key generation step, and instead store the generated key, encrypted, in the database. We also ensure that any new tofu tokens are encrypted with the same key. To handle existing sessions, we lazily rewrite the sessions whenever a user lists them. There is a minor risk that a user could end up destroying the database key that encrypts the tofu token before that session has been rewrapped, but this is going to be rare and temporary. * feat(session): Allow the random source for secrets to be configured * Review comments * Minor fixes * More minor fixes * More small fixes Co-authored-by: Danielle Miu <dani.miu@hashicorp.com> Co-authored-by: Danielle <29378233+DanielleMiu@users.noreply.github.com> Co-authored-by: Michael Gaffney <mike@gaffney.cc> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * fix(session): Unset session key ID when scope is deleted Unsetting the key ID allows the session to live beyond the lifetime of the scope, while allowing the scope to cascade delete its keys. * fix(migrations): Rewrite migration 56 tests These tests can no longer use the normal test helpers as they try to use the new oplog table structure, so we have to manually write all the interactions. * fix(migrations): Rename migration 58 file name This was the name used in the release branch, update it to the new migration number. * fix(e2e): Add some comments and debug to kms tests * fix(session): Handle empty project and user IDs in read When a project or user is deleted, the session is automatically canceled and the respective field on the session is unset. LookupSession did not handle this case gracefully, and would error on decryption in this state. Skip decrypting sessions that do not have either a user or project to avoid this error. The decrypted values are not used for a canceled session. * Fix worker test * Increase test timeout Co-authored-by: Danielle Miu <dani.miu@hashicorp.com> Co-authored-by: Danielle <29378233+DanielleMiu@users.noreply.github.com> Co-authored-by: Michael Gaffney <mike@gaffney.cc> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com>	3 years ago
Hugo Vieira	d206635d74	fix(connection): Make bytes up and down a signed 64-bit integer This fixes a theoretical issue with database interaction. Because the fields in the database are signed 64-bit integers, it's theoretically possible to overflow them if we're using unsigned 64-bit integers in the application code.	4 years ago
Johan Brandhorst-Satzkorn	f57454b6b9	Rewrite interface{} to any (#2535 ) * chore: Rewrite interface{} to any * Add ignore revs	4 years ago
Hugo	902ca3cccb	fix(genapi): uint64 fields failing to be unmarshalled (#2492 ) uint64 fields get marshalled into json by protobuf as strings, so we have to tell the json parser to look for strings when unmarshalling.	4 years ago
Damian Debkowski	546c5dc5be	feat: static json credentials (#2423 )	4 years ago
Jeff Mitchell	53b5e532d5	Remove deprecated methods/fields on targets (#2393 )	4 years ago
Irena Rindos	18dff62b7b	Merge BYOW GA branch to main (#2398 ) * feat(workers): Add ability to read and reinitialize cert authority (#2312) * feat(workers): Return Release Version on worker list and read (#2377) * feat(cli): Read and reinitialize worker certificate authority (#2387)	4 years ago
Louis Ruch	d7c4c648ec	bug(vault): Correctly handle credential stores with expired tokens (#2399 ) * bug(vault): Correctly handle credential stores with expired tokens Boundary makes use of a database view to perform CRUD operations on Vault credential stores and libraries. This view did not include credential stores with tokens that have expired in Vault, causing errors when attempting to perform any action against them.	4 years ago
Jeff Mitchell	01fb949d0b	Add controller-led worker auth flow (#2413 ) This adds an action to the API that allows pulling out an activation token that can be given to a worker in its config (directly or via env or file). The worker can pass this along with its normal request in place of its normal nonce and the server will automatically accept it. Co-authored-by: Irena Rindos <irenarindos@users.noreply.github.com>	4 years ago
Haotian	17ddc301a8	feat(cli): add/set/remove worker tags (#2266 ) * adds CLI commands for add/set/removing worker tags, and respective tests * adds StringSliceMapVar Flag to convert a string from the CLI to a map[string][]string value	4 years ago
Johan Brandhorst-Satzkorn	aef9073fa6	Upgrade to Go 1.19 (#2347 )	4 years ago
Jeff Mitchell	02dd28f587	Add support for SSH private key passphrases (#2331 ) This adds support for encrypted SSH keys via passphrase. Co-authored-by: Louis Ruch <louisruch@gmail.com> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com>	4 years ago
Jeff Mitchell	4bd249d347	Fix some missing net.JoinHostPort calls (#2305 )	4 years ago
Jeff Mitchell	a67085f663	Add methods to get attributes more easily in Go API (#2299 ) * Add methods to get attributes more easily in Go API * Add type check	4 years ago
irenarindos	4908aba546	feat(vault): Add unimplemented worker filter support to OSS	4 years ago
Timothy Messier	439566cd10	feat(target): Add ssh target support to sdk/api/cli This add the generated code and additional configuration to support sending the ssh target subtype to the api via the sdk or cli. The cli now supports an additional subcommand for the ssh target subtype: boundary targets create ssh boundary targets update ssh	4 years ago
Damian Debkowski	c2bfcc0664	refactor(api module): enforce typed definitions (#2238 )	4 years ago
Louis Ruch	a17e973712	feat(credentials): Refactor credential purposes (#2260 ) * feat(credentials): Refactor credential purposes * Application credentials have been refactored to Brokered credentials * Egress credentials have been refactored to Injected Application credentials Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	4 years ago
Jeff Mitchell	271cc8f781	Add ssh private key to CLI (#2265 )	4 years ago
Haotian	28f53a64b4	feat(workers): implement worker service add/set/remove api tags	4 years ago
Jeff Mitchell	704d68848c	Merge remote-tracking branch 'origin/main' into llb-byow	4 years ago
Louis Ruch	68eb6e2bed	chore(targets): remove deprecated credential libraries on target resources (#1533 )	4 years ago
Jeff Mitchell	8335deb8b6	Update protos, generated code, and service handlers (#2188 ) * Update protos, generated code, and service handlers * Address review feedback	4 years ago
Louis Ruch	58d546cdd4	feat(credential): Add static credential store and username_password credential	4 years ago
Jeff Mitchell	5d3facf561	Merge remote-tracking branch 'origin/main' into llb-byow	4 years ago
Jeff Mitchell	b84001c07d	Add CLI for workers (#2164 )	4 years ago
Jeff Mitchell	5b978d7fa7	Adjust parameter naming (#2161 ) * Adjust parameter naming for some worker resource fields * Add eventing listener to event when authentication is successful from a downstream worker	4 years ago
Timothy Messier	e79714e93f	feat(session): Add include_termianted option to list endpoint	4 years ago
Jeff Mitchell	7c4f495c25	Add workers SDK API bits (#2159 )	4 years ago
Jeff Mitchell	1987264bc3	Migrate storage to database repo (#2132 )	4 years ago
Todd	472d7d520a	Remove the server_id from session table, change it to worker_id on session_connection (#2070 ) * Remove the server_id from session table, change it to worker_id on session_connection This is step 1 in updating the worker table. The worker is becoming a public resource so it must have a public id. We drop the server_id column on the session_connection table and add the worker_id column so we can use the wt_public_key type. Since db migrations are applied while the controller is offline, it should be safe to assume all session connections are not in a running state, thus allowing us to null out all the worker ids in the session_connection table. For now we don't have very good enforcement of the wt_public_id constraints, since the id is currently defined in the worker config, but this will soon change and the worker's id will be generated by the controller.	4 years ago
Jeff Mitchell	957fe19846	Bump to Go 1.18 (#2036 )	4 years ago
Todd	a1cf3234ed	url.PathEscape resource ids in the sdk before sending building a request. (#2035 )	4 years ago
Jeff Mitchell	3d9e541930	Switch request.WithContext to request.Clone (#2017 ) The Go docs now say to use request.Clone (introduced in Go 1.13) instead of request.WithContext (introduced in Go 1.7) as it deep copies instead of shallow copies.	4 years ago
Jeff Mitchell	7eb29261b2	Update to go-kms-wrapping version 2, and plugin-based KMS (#1901 )	4 years ago
Irena Rindos	a6f50e675c	fix(api): address base paths containing a v1 were being truncated	4 years ago
Louis Ruch	61fe77572e	chore: make tools & make gen	4 years ago
Louis Ruch	a90f1f4eb1	feat(target): Decode based on credential type	4 years ago
Louis Ruch	1cc35fb0df	feat: Credential library mapping API/SDK/CLI on create path * feat(sdk): Add fields to credential library proto Adds CredentialType and CredentialMappingOverrides to credential library SDK. * feat(api): Add fields to credenttial library service Adds support for CredentialType and CredentialMappingOverrides to the credential library service (API) * feat(cli): Add feilds for credential library cmd Adds support for CredentialType and CredentialMappingOverrides to the credential library cmd command.	4 years ago
Thor	8c842df8a8	Remove public_id and session id from Connection api (#1767 ) * removed public_id and session_id from Connection msg	4 years ago
Louis Ruch	b692e0e54c	api(session): Add connection to api input (#1763 )	4 years ago
Timothy Messier	0a4df95fdd	ci: Run sdk and api tests in ci This adds new makefile targets and configuration to run the tests in the api and sdk modules. These do not run by default since `go test ./...` does not cross module boundaries.	4 years ago
Jeff Mitchell	866bfceefc	Add secrets_hmac to host catalog output (#1712 ) Co-authored-by: Jim <jlambert@hashicorp.com>	4 years ago
Jeff Mitchell	b3fd23863f	Add external ID to host output (#1705 ) This also fixes a bug if no hosts were returned where the job would run over and over in a loop, and some other cleanup.	5 years ago
Jeff Mitchell	30e9f944a2	Add sync interval to host sets (#1680 ) This adds a parameter to host sets allowing the sync interval to be user-specified on a per-host-set basis. A value of -1 disables syncing; a value of null uses the current default.	5 years ago
Jeff Mitchell	3f3f6d974c	Update API go.mod to require Go 1.17	5 years ago
Jeff Mitchell	80d41b9044	Merge branch 'main' into plugin-hostcatalogs	5 years ago
Todd	808b986834	Read and List Plugin based Hosts (#1655 ) * Add ability to read and list hosts. Tests to follow. * Add tests for reading and listing as well as validation checks to not modify hosts. * Add IpAddress and DnsNames to the api resource. Populate the plugin info. * Adding go sdk tests for reading and listing hosts and ensuring update and deleting is disallowed.	5 years ago
Timothy Messier	1da403a2d2	feat(api): Add support for egress credentials for targets endpoint	5 years ago
Jeff Mitchell	158ab09952	Merge branch 'main' into plugin-hostcatalogs	5 years ago
Jeff Mitchell	7d71618df0	Add more host-catalog and host-set CLI support (#1567 ) Add more host-catalog and host-set CLI support Co-authored-by: Todd <T.Alan.Knight@gmail.com>	5 years ago
Jim	6c7333cbe0	chore: Update sdk dep	5 years ago
Jeff Mitchell	a834a14785	Add attribute flag building and parsing (#1562 ) This adds a few command sketches but that's not the main point of the PR and filling those out will come in a different PR. This adds a new flag type that can combine inputs to a single target slice, retaining the ability to distinguish where it came from but also keep ordering across different flag names. It also implements a function that does the heuristic parsing with fallback.	5 years ago
Todd	a4ea99047f	Remove Prefix Id and Plugin Name fields (#1563 ) * Remove Prefix Id and Plugin Name fields. Creating catalogs now require either the plugin id or the name of the plugin resource (but not both). Host Catalogs and Host Sets API resources now have a read only plugin field populated with plugin info. Host Catalogs have a plugin id field as a top level field.	5 years ago
Jeff Mitchell	01d4383c1b	Add preferred endpoints logic to API/handler/DB and some CLI bits (#1529 )	5 years ago
Jeff Mitchell	71cba858e3	Add secrets to host catalogs API struct (#1512 ) This also changes the address from a plugin from a scalar value to other fields, starting with an IP address array.	5 years ago
Jeff Mitchell	e9a8ede0d6	Move wrapper package back to SDK (#1511 ) TF uses this, so SDK is a decent place for it. It doesn't create dependencies between it and API.	5 years ago
Jeff Mitchell	8d8290b83e	Remove unneeded replace directive	5 years ago
Jeff Mitchell	081de3cf79	Migrate sdk/recovery to api/ and sdk/wrapper to internal (#1507 ) * `recovery` is only used by the API (and the main module, for decryption) * `wrapper` is only used by the CLI right now Moving these brings them closer to the code that uses them, and makes the SDK package a bit more clear in terms of functionality.	5 years ago
Jim	48c6195829	chore (api): update sdk dep	5 years ago
Jeff Mitchell	f8a51b987c	Migrate target host sets -> host sources (#1424 ) This follows the same model as https://github.com/hashicorp/boundary/pull/1413 See there and CHANGELOG for more details.	5 years ago
Jeff Mitchell	ab6f3eaeb4	Migrate credential-library nomenclature around targets to credential-source (#1413 ) See the CHANGELOG entry for more information. Co-authored-by: Jim <jlambert@hashicorp.com> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com>	5 years ago
Jeff Mitchell	528d54b4ad	Add token/userinfo claims to account read output (#1419 ) This is very useful when trying to write managed groups filters as you can directly look at the structure of the claims for the accounts you're trying to filter. The output of the claims in text format on the CLI currently leaves something to be desired. I started revamping some of the formatting functions and it quickly got very fragile. Fundamentally at this point we're likely better off -- now that we have a good idea what our output format/standards are like -- rewriting the formatting code. I'll take that as a tasker as I have a lot of ideas...	5 years ago
Jeff Mitchell	5b7544c81f	Update API against shared libs and sdk	5 years ago
Jeff Mitchell	2cbcf9a563	Update usage of shared-secure-libs (#1393 )	5 years ago
Jeff Mitchell	7c3d5be4f6	Update format of secret to return both raw and decoded when possible (#1372 )	5 years ago
Jim	4c0276b4af	update sdk dep	5 years ago
Jeff Mitchell	86c9a90554	Update target credential library service, API, SDK, CLI (#1343 )	5 years ago
Michael Gaffney	df35699c4e	Integrate with Vault to retrieve and manage per session credentials (#1308 ) * Fix down migrations * Udpates due to merge * Sentinel values only have to be greater than 0 * Create credential related sdk structs and methods. * Post merge interface updating. * Removing scratch code that was not cleaned up. * updates * Convert client certificate and client certificate keys into pem blocks and validate. * Add newline at end of file. * Faster check for "s" at the end of a resource name when generating from templates. * make fmt * updates * Add dynamic credentials to a session * Refactor: move contents of file * updates * Updates * Add InvalidDynamicCredential error * Assign credentials * Allow updating client certificates seperate from the client certificate key. * Replace application purpose string with enum value * PR feedback / fix go test . * Delete dead code * Use common view * Refactor: extract interface and rename method * Refactor: move code to eliminate privPurpLibrary * Add comment to requestMap * Refactor: do not export methods on an unexported struct * Update internal/db/schema/migrations/postgres/10/03_vault_credential.up.sql Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Add comments to credential Purpose constants * Reorder switch statements to handle errors first * PR feedback * update * fix merge * Organizing the scheduler code and extract the individual store creation test helper function. * Run 'make fmt' * Create certificate when creating store. Allow vault address to be passed in as option * Refactor: rename database views and associated structs This change renames two database views and associated go structs to use a consistent naming pattern. Views ending in 'private' contain encrypted credentials needed for connecting to Vault. Views ending in 'public' mirror the 'private' views but do not include any encrypted values. This change does not include any changes to functionality or behavior. * Adding SAD target operations for credential libraries to the SDK. * Add status field and enumeration table for credential status * Refactor: rename Status to TokenStatus * Add status to vault credentials * Creating the template for the CLI and helper functions. * Add private database view for vault credentials * Add scope_id to view and cleanup TODO comment * Reformat embedded sql queries * Add vault client helpers * updates * white space * Add LookupLease test * CLI commands for Store work. Renamed fields in proto w/ vault prefix. * Test issue credentials with client TLS * Add additional checks to vault ping * Add an error for vault token capabilities and create a VaultToken error kind * Add support for working with Vault policies * Use Vault 1.7.2 for testing * Add testing helper for creating a vault client with a non-root token * Fix Vault renew lease test The Vault renew lease endpoint accepts an optional duration parameter for requesting the number of seconds to extend the lease by. However, Vault is not required to honor this request. * Add a var for the required capabilities of a boundary Vault token * Enhance the test helper for adding a policy to Vault * Allow the test role in postgresql to revoke credentials * Remove out of date comments * Enhance Vault test helpers for the database secrets engine * Reformat comments * Add a method for getting the capabilities of the current Vault token * Add revoke lease to internal Vault client * Reformat: combine err return line with check for nil line * Remove redundant checks in test code Remove checks in test code that are redundant with checks in the test harness. * Refactor CreateToken test helper to return the secret and the token * Fix build failures caused by signature change in vault.CreateToken * Fix Vault version and Vault API link in comments * ran `make gen` after merging from mgaffney-vault. * Remove Vault prefix from attribute fields in API, create a base CLI option for adding field prefixes. format now uses that prefix for error reporting. * Template now allows attaching attribute field prefixes. * Credential store uses PrefixAttributeFieldErrorsWithSubactionPrefix. * Fixing naming of vault flags and helper flags. * Updating more references to generated api methods. * Make the capabilities String method more readable * Add comment outlining PrintApiError usage of Options. * Refactor test to move declarations closer to first use * Fix comment * Implement revoke method on vault repository * Tests now verify certs, CA, and tokens, addresses can be updated in a store. * Added test for creating store with pk/cert in same field. * Allo updating certificates seperate from private key. Only contact backing vault service when updating token. * Fixing bad tests and removing unused code. * Adding tests for various ways of updating tokens. * Add private credential * Add token revocation job and cred renewal/revocation job * Regen after merge. * Fixing field mask related merge error. * Create Library CLI. Removes vault prefix from path. Adds a WithoutCleanup testOption for vault. * Set all credentials to revoked when a token is revoked * Fixing missed renaming update. * fix copy/paste error. * Fixing code generation errors after merge. * make gen after merge. * Update internal/cmd/commands/credentialstorescmd/vault_funcs.go Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Update internal/cmd/commands/credentialstorescmd/vault_funcs.go Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Update internal/cmd/commands/credentialstorescmd/vault_funcs.go Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Refactor: move migrations from 10 to 12 * Removing logic from transaction. * wrapping client errors in the calling op for CredentialStore's client() method. * Redact token * redact client key * updates * Add trigger to revoke credentials when session is canceled or terminated * Fixing some help text for some flags. * Add ability to load values from files (file://) or environment variables (env://). * Updating comments * fix bad merge * feedback * Adding issued credentials to sessions. * Error on capabilities * updates * Expose NewVaulTestServer * Add godoc * Adding generated SessionCredential struct for API. * Progress on building handler test for Authorize Session. * feedback * Update policies * Add 'revoke' as a status for Vault Tokens * Add delete_time to vault credential store * Create dynamic credentials at session creation time. * Tests pass with credentials attached to AuthorizedSession result. * Only call issue if there are credentials to issue. * Fixing output only issues. Adding type to credential library. * Fix test to clear un/pw generated. confirm generated un/pw changes from 1 authorize session call to another. * Update lookupTokenError * Add delete_time to private credential store * Refactor: move private store to separate file * Fixing tests for AuthorizeSession and verifying error cases. * Only create the credential repo if there are credentials to issue. * Rename Library field to CredentialLibrary. * Fixing missing change of Library to CredentialLibrary. * Removing Default SDK functions for fields which are required and update CLI to match. * Replace resource specific id variables with "id" and the input parmater for paths to be just a single string and the resource name as it should show up in the path. * Soft delete vault credential stores * Prevent new SQL functions from silently overwriting existing functions * Rename "Hmac" to "HMAC" in the human readable cli response table. * Fix tests * Add vault database cleanup jobs * Add ability to set the token period in the vault test harness * updates * Add not_null_columns func test * remove unused struct * Up no output timeout * Validate current vault token on addr update * Fix client cert change test * add cert test * Update revocation job where * Fix comment * Use Vault's default port in CLI help strings * Remove down migrations * Increase migration file numbers by 1 * Run make migrations * Move migrations from 12 to 10 * Increase Circle CI timeout for acceptance tests * Fix spelling mistake in error messages * ASD cmds for Target and returning credentials to AuthSession request (#1338) * Add Add/Set/Remove commands for libraries on Targets. Return credentials on AuthorizeSession request. Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> Co-authored-by: Louis Ruch <louisruch@gmail.com> Co-authored-by: Todd Knight <T.Alan.Knight@gmail.com> Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	5 years ago
Jeff Mitchell	306d4fb4d3	Add API/CLI for managed groups (#1265 )	5 years ago
Jeff Mitchell	179a49657e	Managed Groups service (#1262 )	5 years ago
Jim	2437cdcc8d	OIDC: add support for account claim maps (#1186 )	5 years ago
Jim	25e657fa51	Ongoing OIDC: support to request additional OIDC scopes from the IdP (#1175 )	5 years ago
Jeff Mitchell	4690225c1e	Update delete action behavior and JSON format output (#1155 ) This PR changes delete behavior: * On success, a 204 is returned rather than a 200 with an empty JSON object * The CLI now passes through the 404 error if encountered instead of swallowing it It also updates formatting for JSON to use the response body, which means that the item (or items) in the JSON format are actually the format across the wire, instead of being reinterpreted by unmarshaling into the Go SDK and then remarshaling.	5 years ago
Jeff Mitchell	77a85636c2	If we're going to use replace directives, use SDK too	5 years ago
Jim	75108cbc8b	Ongoing OIDC: return the primary account info along with the user. (#1145 )	5 years ago
Jeff Mitchell	941e74388a	Fix curl string building (#1106 ) I'm not sure why it was doing it the other way with assuming the string being built would always have a space at the end, but, this way is easier to understand and fixes a bug where there wasn't a space being left between some fields.	5 years ago
Todd Knight	14c222709c	Make oidc auth callback redirect on most errors (#1105 )	5 years ago
Todd Knight	71673ea161	Pass disable_discovered_config_validation in the API change-state call (#1100 )	5 years ago
Jeff Mitchell	f05f37d0fa	Fix panic in non-generated API calls when printing as JSON (#1095 ) Fixes #992	5 years ago
Jim	dd0f34bc35	Add new OIDC auth method. (#1090 ) Co-authored-by: Todd Knight <T.Alan.Knight@gmail.com> Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com>	5 years ago
Jeff Mitchell	6605b4c9f8	Revamp authenticate (#1025 )	5 years ago
Jeff Mitchell	845f582213	Update api's sdk	5 years ago
Jeff Mitchell	519efa6dd1	Add -filter to CLI listing and website docs (#967 ) * Add -filter to CLI listing. This doesn't include docs/Changelog yet, that will come shortly. * Add changelog * Add website docs and fix a curl output bug	5 years ago
Jeff Mitchell	f5490e95a6	Sync API deps to main in preparation for tag	5 years ago
Jeff Mitchell	ea23737258	Port over API bits from #962 (#965 )	5 years ago
Todd Knight	cac1e60e11	Add filters to listing different resources in the go sdk. (#957 )	5 years ago
Jeff Mitchell	46f0f55a28	Update SDK in API	5 years ago
Kevin Maris	8a8b2fb8e1	Fix nil TLSClientConfig (#901 )	5 years ago
Jeff Mitchell	9879841e00	Update SDK in API	5 years ago
Jeff Mitchell	6cd97a4a6e	Add support for recursive listing (#885 )	5 years ago
Jeff Mitchell	6b58a3317d	Add recursive listing to roles (#881 ) This also lays the framework for adding recursive listing to the rest of the resources.	5 years ago
Jeff Mitchell	717a3b52ee	Add worker tagging (#862 ) This allows workers to have tags assigned to them, which can then be filtered to control which targets they are allowed to serve.	5 years ago
Jeff Mitchell	dcb15cffbd	Add authorized actions output on resources (#870 )	5 years ago
Jeff Mitchell	27919ab11b	Groundwork for returning authorized actions (#860 ) This returns authorized actions on targets to users when they perform an operation on a target, including listing. It also prevents users from seeing values in listing targets on which they have no permissions.	5 years ago
Jeff Mitchell	9de928318d	Skip curl output when using automatic versioning and reading (#858 ) This makes it so that the actual output is the update/delete. Fixes #856	5 years ago
Michael Gaffney	94cb79bbdd	See how Boundary would look with gofumpt applied (#853 ) * See how Boundary would look with https://github.com/mvdan/gofumpt applied Results of running `gofumpt -w -s .` * Update tools file and Makefile for gofumpt Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	5 years ago
Jeff Mitchell	d4a6efb363	Pass endpoint to the client (#811 ) This allows us to automatically set TLS parameters, useful for `boundary connect http` and some other features to come.	5 years ago
Todd Knight	aa4157639c	Change Format of API Error (#784 ) This is a wire breaking change for json errors since we have removed and renamed a few fields, and changed part of the structure of the returned json error. * Remove redundant fields in Status, details.error_id, details.TraceId and details.request_id from API errors. * Added wrapped errors and "ops" field to indicate the internal operation of the errors returned by the API. * Added error cli error reporting of Op and wrapped errors.	5 years ago
Jeff Mitchell	813d21565f	Allow authorize-session to be invoked with target name (#737 )	6 years ago
Jeff Mitchell	09b865ab28	Add `pass` cred storage support (#731 ) * Add `pass` cred storage support Make it the default on non-Windows/macOS Document the token storage behavior	6 years ago
Jim	b8c527c6cd	handle v1 as a prefix/suffix, not just a cut set to be trimmed (#723 )	6 years ago
Todd Knight	abe5e9b950	Add Termination Reason (#573 )	6 years ago
Jeff Mitchell	5bc8c8d921	Fix API test	6 years ago
Jeff Mitchell	26e86ef56a	Update API deps	6 years ago
Jeff Mitchell	fc09e2c21b	Remove api mod dep for now	6 years ago
Jeff Mitchell	6993d10118	Update main's api/sdk mods	6 years ago
Jeff Mitchell	5cbfcf8eb6	Shuffle things around out of new modules	6 years ago
Jeff Mitchell	23f7306b62	Add api module	6 years ago
Todd Knight	6c6fb7a4d0	Format errors better for CLI (#552 ) * Start making errors easier to read for Table based CLI UI. * Add TODO about reporting "update_mask" related errors.	6 years ago
Jeff Mitchell	9237d6f787	Rename authorize to authorize-session (#531 ) As pointed out by Rob, this makes it clearer what the action actually is. We were sort of torn on it before, but I've definitely come around to it.	6 years ago
Jeff Mitchell	6ddfe407a3	Update allowed formats of ACL strings (#508 )	6 years ago
Jeff Mitchell	cefea936c3	Update ACLs to allow type=*. (#504 )	6 years ago
Jeff Mitchell	a38f40606e	Create default roles in scopes to allow authentication and listing scopes/auth methods (#502 )	6 years ago
Jeff Mitchell	b1fc9fd547	Sanitize protos (#471 )	6 years ago
Todd Knight	0e5a849402	Adding Add\|Set\|Remove Accounts on the user resource (#461 )	6 years ago
Jeff Mitchell	ba216f894b	Update docs and default address	6 years ago
Jeff Mitchell	220ca253be	Add boundary config get-token (#455 )	6 years ago
Todd Knight	fd0da998e8	SDK error revamp (#432 ) SDK methods now return 1 error. To differentiate between Client errors and Server errors I've also implemented the AsServerError function which returns an *api.Error if it is an error originating from the remote server or nil otherwise.	6 years ago
Kent 'picat' Gruber	9e06d7eec2	Fix unused error in api/client.Client.Do during redirect (#430 ) Previously the error declared during the retryablehttp.Client.Do was being "overshadowed" by the error declared when a redirect was missing the result location. By declaring the loc outside the call assignment, we can properly "reuse" the error and resulting check after a redirect.	6 years ago
Jeff Mitchell	e86c11db62	Add session lifecycle info to controller's INFO log. (#431 ) This required some plumbing, but nothing major.	6 years ago
Todd Knight	2f8d7f0a32	API Errors: Hide and log internal errors (#411 )	6 years ago
Todd Knight	21f5cc274f	Don't return nil, nil for API service methods. Add tests for updating w/ wrong version. (#396 )	6 years ago
Jeff Mitchell	d3606e14b6	Set wrapper on client, not token, so it doesn't fail KMS recovery on update calls	6 years ago
Jeff Mitchell	9b2646eaf9	Fix retry behavior with KMS recovery and misleading error message (#391 )	6 years ago
Jeff Mitchell	5370111336	Omit private key from session output	6 years ago
Todd Knight	e937b0ea27	Sessions Read/List/Cancel API and SDK (#369 )	6 years ago
Jeff Mitchell	edffc7863d	Change connection limit to -1 for unlimited so it works with TF (#383 ) * Migrate connection limit unlimited value to -1 * Fix authorization check	6 years ago
Jeff Mitchell	5bf555cca2	Remove connection idle timeout seconds for now (#379 )	6 years ago

1 2 3 4 5 ...

350 Commits (6e277e025f885be32fecaaa2a2ebca561c373bd7)