boundary

Commit Graph

Author	SHA1	Message	Date
Jeff Mitchell	e0787f4de0	Simplify worker auth rotation timing logic (#3237 ) * Simplify worker auth rotation timing logic * Add some jitter	3 years ago
Jeff Mitchell	77fd51fb12	Add more logging to worker auth rotation and test flags This makes it much easier to figure out when and why rotation is happening and control it for tests/debugging. Remove cert skew Cherry-picked from release/0.12.x	3 years ago
Jeff Mitchell	037dc0cf18	Add missing nil check in test	3 years ago
Jeff Mitchell	f9f7ee2cc4	Fix build	3 years ago
Jeff Mitchell	bbe9719e19	Add tracking of worker used for injection (#3204 )	3 years ago
Elim Tsiagbey	a2f8d87bfb	Add support for setting, adding & deleting LDAP account assoicated to a user (#3198 )	3 years ago
Jeff Mitchell	c6d7dc01a0	Exit before filtering if no workers are listed (#3196 ) This is just an early error message to avoid running the filtering function if there are no workers to begin with.	3 years ago
Jim	667ea285be	feature (boundary dev): add support for dev ldap auth method (#3192 )	3 years ago
Jeff Mitchell	e7bf134710	Enhance tcp client port vet logic (#3175 )	3 years ago
Jeff Mitchell	20391e3503	Add default client port to targets and use in connect command (#2767 )	3 years ago
Damian Debkowski	c5b1b7bbc7	fix(handler): return human readable error for json cred w/ empty object (#3109 ) * fix(handler): return human readable error for json cred w/ empty object * fix(handler): sync error messages for create/update json cred * fix(handler): sync error logic for create/update json cred	3 years ago
Jim	a4f54cb98f	refactor (events): QOL fix: turn off events for tests. (#3163 )	3 years ago
Hugo Vieira	45dc8251ec	feat(api): Support plugin host external_name field	3 years ago
Jeff Mitchell	bdf7bf7702	Do not allow PKI-KMS workers to have names updated via API (#3143 ) Do not allow PKI-KMS workers to have names updated via API This would cause their public IDs to change, which we do not want. Descriptions are also disallowed, since those come from the config file. This also adds logic to allow upgrading from old KMS method to new, with a test. Co-authored-by: Irena Rindos <irenarindos@users.noreply.github.com>	3 years ago
Haotian	5b26634b8a	feat(ui): serve controller metadata from ui handler (#3120 ) * adds noop metadata function to OSS UI handler * removes old-style build tags for UI handler files	3 years ago
Jeff Mitchell	163ce184b8	KMS-PKI Workers (#3101 ) This adds a new mechanism for worker authentication that uses the third-party arbitration of the original KMS flow by leveraging recently-added capabilities in nodeenrollment to support a registration wrapper. This allows for workers to be registered to the system with just a name and a matching wrapper, while at the same time allowing these workers to be used for private Vault access and multi-hop as they contain per-worker encryption keys and support rotation. Nodes using this mode will generate and rotate credentials in-memory (using another recently added nodeenrollment capability) so will have a new set of keys on every startup. This has the side effect of ensuring that there is never a conflict or re-use of these credentials. Note that the normal test worker flow was using the now-deprecated KMS method; there is still a test that uses this (explicitly) but all other tests using test workers that did not specify a specific PKI flow now actually use this mechanism. This means there is fairly decent test coverage in a general sense, plus the specific tests updated/added for this feature. This also adds a new KMS type that can be used to have distinct KMSes for upstream authentication vs. accepting from downstream.	3 years ago
Elim Tsiagbey	16f48686a7	Refactor Target Repository (#3092 ) - Refactor the Target domain repository functions so that they no longer return 4 different types. `Target` struct now contains `HostSource` & `CredentialSources` with Getters & Setters - Extending `Target` to contain `HostSource` & `CredentialSources` enables `funcs` to just return `Target` instead of multiple return types. This also allows easy future refactors and extensions of `Target`	3 years ago
Jeff Mitchell	fc664eb35f	Improve grant validation (#3081 ) This adds several relationships into the resource package that are then made use of to improve the grant validation that runs during Parse. By understanding mappings between ID and resource type the validation checks can far better align with actual allowed grant formats so we can find several common misunderstandings before they simply result in an authorization failure. In the future some of these functions could be used in the logic in the actual ACL checks but it's not currently necessary and I don't want to lump that change in with this. Note that the tests have not meaningfully changed, but they _have_ had to be updated because the stricter validation is actually catching issues.	3 years ago
Jim	86192f75eb	feature (auth/ldap): add LDAP auth method along with associated accounts and managed groups (#2912 ) * feature (auth): required schema changes for auth ldap method (#2669) chore (auth/ldap): move schema changes to next avail migration number * feature (auth/ldap): define AuthMethod and all its value objects (#2703) * feature (auth/ldap): storage protos * feature (auth/ldap): define AuthMethod and all its value objects * feature (auth/ldap): add repo and reading an auth method (#2718) * feature (auth/ldap): add Repository.CreateAuthMethod(...) and Repository.DeleteAuthMethod(...) (#2724) * feature (auth/ldap): add Repository.UpdateAuthMethod(...) (#2739) * feature (auth/ldap): add Account * feature (auth/ldap): add AuthMethod.EnableGroups * fix (auth/ldap): refactor AuthMethod.oplog to enforce proper constraints * feature (auth/ldap): add Account repo functions * refactor (auth/ldap): remove entry attributes from account Realized the entry attributes could have absolutely anything in them (including binary data) and since we absolutely don't have to have them there's just no reason to take on the risk. * feature (auth/ldap): add AuthMethod.UseTokenGroups * feature (auth/ldap): add Authenticate(...) * refactor (auth/ldap): ensure options take a context as the 1st parameter * feature (auth/ldap): add Account attribute maps * chore (auth/ldap): make fmt deltas * feature (auth/ldap): add managed groups (#2760) * tests (auth/ldap): add missing unit test to Repository.DeleteAccount(...) Add bits to test the delete operation when you're not able to generate oplog metadata * feature (auth/ldap): add managed groups fixup! feature (auth/ldap): add managed groups (#2760) * feature (auth/ldap): service proto definition (#2761) * feature (handlers/authmethods): add handlers for ldap auth method operations (#2794) * feature (auth/ldap): add Account attribute maps * chore (auth/ldap): update cap/ldap to latest version * feature (auth/ldap): add ldap api generation definitions * feature (authmethods): add ldap repo NewService(...) * feature (authmethods/ldap): add proper mask_mapping to protobufs * feature (authmethods): add support to get an ldap auth method * refactor (auth/ldap): export TestGenerateCA(...) * feature (authmethods): add support to create an ldap auth method * feature (authmethods): add support to delete an ldap auth method * feature (authmethods): add support to list ldap auth methods * refactor (auth/ldap): make urls optional for NewAuthMethod(...) * refactor (auth/ldap): export ldap.TestInvalidPem * chore: make fmt changes * fix (auth/ldap): properly handle group search config Add constraints and tests to ensure when an ldap AuthMethod.EnableGroups is true, and UseTokenGroups is false; that there's a GroupDn configured for finding a user's associated groups * feature (authmethods): add support to update an ldap auth methods * chore (db/ldap): tmp mv migrations so there's no conflict with ongoing work * feature (verifier): add ldap auth method to verifier bits * fix (controller): prevent panic when controller stops when there's no listener * feature (authmethods): add support to authenticate via ldap auth methods * chore (migrations): fix whitespace in stmt * chore: fmt fixup * tests (auth/ldap): invalid err msg * feature (cli/authmethods): add support for ldap auth-methods CRUD and authenticate (#2810) * feature (authmethods): add CLI support for ldap auth methods CRUD * tests (api/auth): ldap auth method classification tests * feature (authmethods): add CLI support for ldap auth authenticate * feature (auth/ldap): set request timeouts for ldap server connections * feature (handlers/authmethods): handle u_anon listing properly. * feature (account/handers): ldap account and managed group CRUDL APIs (#2852) * feature (auth/ldap) add repository Listing of ManagedGroupMemberAccount * feature (controller/handlers): add ldapRepoFn to accounts service * feature (auth/ldap) register ldap managed group subtype * feature (account/handlers): ldap account CRUDL APIs * feature (controller/handlers): add ldapRepo to managed groups service * feature (account/handlers): ldap managed group CRUDL APIs * docs (domain): add LDAP accounts, auth-methods and managed groups (#2857) * feature (ldap/cli) add ldap accounts and managed groups CRUDL commands (#2856) * fix (handlers/authmethods): fix ldap authorized actions (#2892) * feature (cli/ldap/authenticate): use primary auth method if none is provided (#2890) * fix (auth/ldap): support setting the state attribute * feature (cli/ldap/authenticate): use primary auth method if none is provided * feature (wh/ldap) add tests for new ldap auth method and accounts (#2919) * refactor (migrations/ldap): mv to correct directory * chore: add copyright headers * fix (api/authmethods/ldap): renumber new LdapAuthMethodAttributes field * fix (auth/ldap): allow the auth method state to be updated (#2951) * chore: update sdk and api versions for llb - this is tmp until merging * tests (managed groups): add required errContains for new test	3 years ago
Jeff Mitchell	b76b24a4ad	Move prefixes for many packages into the globals package (#3069 ) This is a prerequisite for some enhancements to grant validation	3 years ago
Todd	6adc0c86b5	Rename downstream router to receiver (#3068 ) This was done previously but these were missed.	3 years ago
Jeff Mitchell	b2bab45c13	Port over changes (#3061 ) (#3062 )	3 years ago
Johan Brandhorst-Satzkorn	18eed58ec5	fix(targets): Use correct error string in enterprise (#2984 ) In enterprise the error is different, so we need a different test error string to compare against. Create a variable that can be overwritten in the enterprise repo.	3 years ago
Johan Brandhorst-Satzkorn	8a0ee97f3b	fix(targets): Readd WorkerFilterDeprecationMessage (#2982 ) This variable is updated in the enterprise repo and needs to stay.	3 years ago
Johan Brandhorst-Satzkorn	ac3543bdfb	fix(targets): Use correct field name in deprecation warning (#2978 )	3 years ago
Todd	fe5b554370	AuthorizedDownstreamWorkers now separated from AuthorizedWorkers to maintain API compatibility (#2957 ) * AuthorizedDownstreamWorkers now separated from AuthorizedWorkers to maintain API compatibility	3 years ago
Johan Brandhorst-Satzkorn	cf412b95a2	fix: Support streaming HTTP responses (#2956 ) * all: Upgrade listenerutil dependency The new listenerutil implements http.Flusher, which is necessary for streaming responses from the grpc-gateway to work. * daemon/controller: Remove newline delimiter in streaming responses The default gRPC-Gateway HTTPBody marshaler uses newlines as a delimiter. This introduces newlines in our streamed responses. Wrapping the default marshaler lets us define a nil delimiter, which ensures our streaming responses are unaffected by the server side chunking.	3 years ago
Todd	1e89be1b1a	Downstream worker connections are tracked by worker id (#2949 ) When possible downstream workers will include their worker id information in the connections they establish with the upstream using the nodeenrollment library. The tracking listener now tracks connections that are connected in this same way instead of just connections of type *tls.Conn.	3 years ago
Damian Debkowski	cabe362534	fix(handler): return targetId as hostId for cli edge case support (#2920 )	3 years ago
Damian Debkowski	84b410974b	fix(handlers): return error when updating json cred w/ empty obj (#2903 ) * fix(handlers): return error when updating json cred w/ empty obj * chore(handlers): split cond stmt & refactor func name	3 years ago
Timothy Messier	e25b0e7888	fix(credentiallibraries): Fallback logic to support 0.11.x cli (#2910 )	3 years ago
Johan Brandhorst-Satzkorn	3c29308673	chore: Add license headers to all files	3 years ago
Timothy Messier	718e183a1e	fix(credentiallibraries): Correctly populate attrs for vault-generic (#2901 )	3 years ago
Irena Rindos	4114b41527	Filter managed workers from egress workers when the host address is unsafe (#2899 )	3 years ago
Hugo	e455e31f9e	fix(target): Incorrectly allowing whitespace on Target's address field (#2862 )	3 years ago
Timothy Messier	12a53bbfa9	feat(target): Allow vault ssh cert library as credential source This allows the new vault ssh certificate credential library to be used as an injected application credential source.	3 years ago
Timothy Messier	1aaaf4af1d	feat(controller): Translate ssh certificate credentials for worker	3 years ago
Haotian	43f0ba89cf	feat(credentiallibraries): support vault ssh certificates	3 years ago
Johan Brandhorst-Satzkorn	55259029f1	Add job run cleaner (#2866 ) * chore: remove duplicate import * feat: Add job run cleaner The new job cleans job runs older than a configured interval. Configure the job to clean jobs older than 1 minute.	3 years ago
Jeff Mitchell	19180af0eb	Fix target port handling (#2846 ) * Fix target port handling This fixes two issues that compounded on each other (see the Changelog update for more information): * The verification logic for hosts was not correct for update operations (in multiple ways) which meant that a host could be updated after creation to have a port. Targets had a previously fixed bug where they did not require a default port, which meant that ports could be used from hosts * A recent (unreleased) change had prioritized any port coming from the host over the default port, which would mean there was no way if a host had a port specified to use it in multiple targets. This fixes the update verification logic, and strikes a middle ground between breaking things and not by allowing existing addresses with ports to be used with targets but ignoring that port, instead requiring targets to have default port set at authorize time (currently there is backwards compat that does not require this due to the original optional port bug). * Update CHANGELOG.md Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>	3 years ago
Todd	d66b92abe0	Add directly connected downstream workers to the worker resource api (#2831 )	3 years ago
Todd	87b09d5e27	Rename router to receiver for secondary connections (#2816 )	3 years ago
Todd	b359561e51	Filter WorkerList by feature and go from version string to version.Info (#2807 )	3 years ago
Jim	e64163ad1d	fix (controller): prevent panic when controller stops when there's no listener (#2793 )	3 years ago
Irena Rindos	d3d1fa0b55	initial commit (#2768 )	3 years ago
Hugo Vieira	f85da3ee2b	feat(cmd): Create target using address on boundary dev / database init Creates a target using an address for boundary dev and when first init-ing boundary (boundary database init). It also makes this newly created target the default one (ttcp_1234567890). The target using host sources is now a secondary target (ttcp_0987654321).	3 years ago
Damian Debkowski	1d3930a711	feat(handlers): Support address field on a Target	3 years ago
Johan Brandhorst-Satzkorn	61c90c5623	Add grant parsing fuzz test (#2534 ) * testing(perms): Add Parse fuzz test I ran this for a few minutes and it didn't discover anything catastrophic. * Add roundtrip tests * Fix invalid unicode parsing, empty output fields * Do the unicode conversion once on input * Remove incorrect fix for empty output fields * Allow empty output_fields This is the same behavior as output_fields=, * Add tests back, make JSON behaviour consistent * Rework the output fields mechanism to fix some bugs such as properly handling no fields * Change signature of Fields Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	3 years ago
Irena Rindos	9135cc7668	In absence of ingress filter, use directly connected worker (#2757 ) * directly connected ingress filtering	3 years ago
Irena Rindos	24bbf57a19	AuthorizeConnection with filters (#2734 ) * AuthorizeConnection with filters	3 years ago

1 2 3 4

199 Commits (ace2def49dce2971ce37db44d94faac0e2289bb7)