boundary

Commit Graph

Author	SHA1	Message	Date
Jeff Mitchell	77c3ce1cd2	Update nodeenrollment to v0.1.4	4 years ago
Jeff Mitchell	90c6b1bad8	Update nodeenrollment dep to 0.1.3	4 years ago
Jeff Mitchell	6ffef1e4b5	Update nodeenrollment dep	4 years ago
Louis Ruch	26bc992f38	chore(release): Update API and SDK deps	4 years ago
Jeff Mitchell	32d04b9ce7	Allow a worker to use KMS auth but accept PKI for proxy (#2206 ) This essentially worked for non-dev mode before but would create storage directories that weren't actually used or needed, and it didn't work in dev mode because it made assumptions about the presence of a worker auth kms or not. This fixes those behaviors.	4 years ago
Jeff Mitchell	cca044d8cb	Update nodeenrollment to v0.1.0	4 years ago
Jim	f6c4e3c896	feature (worker): add worker events around authentication (#2157 )	4 years ago
Jeff Mitchell	d1b3b2441f	Add node rotation (#2142 )	4 years ago
Jeff Mitchell	4117841cf9	Use persistent storage for worker auth credentials (#2139 )	4 years ago
Jeff Mitchell	caf19f867e	Rename some variables to remove Nodee	4 years ago
Jeff Mitchell	cd9b10721f	Pull in new nodeenrollment lib to fix some bugs	4 years ago
Jeff Mitchell	1ee2c0dde0	Switch nodeenrollment to staging branch	4 years ago
Jeff Mitchell	46e97a2b91	Update to new nodee lib bits (#2120 )	4 years ago
Jim	70c5da1048	feature (workers): add repository CreateWorker(...) (#2105 )	4 years ago
Jeff Mitchell	f6ef708466	Update against new nodeenrollment registration cache	4 years ago
Jeff Mitchell	1f550722a2	Sync against current library state	4 years ago
Jeff Mitchell	0581e164f1	Update nodeenrollment dep	4 years ago
Jeff Mitchell	2f06513a3a	Merge branch 'main' into llb-byow	4 years ago
Jeff Mitchell	e84a2e639f	Revert downgrade of go-kms-wrapping	4 years ago
Jim	785241237e	refactor (kms): adopt the go-kms-wrapping/extras/kms package (#2027 ) * feature (db): add Db.UnderlyingDB() This is needed to allow for integration with bits that need a dbw.DB feature (kms): add new go-kms-wrapping/extras/kms dependency * refactor (kms): schema changes required to adopt extras/kms pkg * refactor (kms/iam): rename to DeprecateCreateKeysTx(...) * refactor (kms): remove deprecated test * refactor (kms): refactor Kms type This refactor includes renaming the existing type to DeprecatedKms and then refactoring the Kms type to become a wrapper of go-kms-wrapping/extras/kms * refactor (kms): delete all the unneeded bits All this stuff is not needed now that we're using go-kms-wrapping/extras/kms * refactor (db): fixup tests after kms refactor * refactor (kms/tests): use testing.TB for test helpers Our test helper packages were not possible to use with benchmarks. This refactor switches to testing.TB to allow both tests and benchmarks to use the helpers. * tests (session benchmarks): refactor to use new Kms type * refactor (schema): rm test which relies on deprecated Kms code * refactor (kms): post rebase on main changes required * chore (kms refactor): re-add unit test from main * refactor (kms): uses migrations that don't include KMS schema changes	4 years ago
Jeff Mitchell	00e57db60f	Adapt to library changes	4 years ago
Jeff Mitchell	837eb9e6f1	Update nodeenrollment dep against new dev branch	4 years ago
Jeff Mitchell	ab4d542fad	Add multihop auth support (#32 )	4 years ago
Jeff Mitchell	f748af7b02	Initial BYOW auth PoC (#29 )	4 years ago
Jeff Mitchell	957fe19846	Bump to Go 1.18 (#2036 )	4 years ago
Johan Brandhorst-Satzkorn	f39553abb3	chore: Release prep for v0.8.0	4 years ago
Johan Brandhorst-Satzkorn	e864652b33	feat(sessions): Add list benchmarks The list benchmark tests uses pre-created database dumps to run its benchmarks. This benchmark will be used to guide optimizations around listing of sessions. Fixes https://hashicorp.atlassian.net/browse/ICU-4042	4 years ago
Johan Brandhorst-Satzkorn	6a37bd9710	Upgrade grpc-gateway version to v2.10.0 (#1954 ) This new version will let us hide fields from the OpenAPI output	4 years ago
Jim	addbfee593	chore: upgrade gofumpt to v0.3.1 (#2028 )	4 years ago
Johan Brandhorst-Satzkorn	b1d6a1da9a	Switch to buf for protobuf generation (#1944 ) * Install buf with go install This reduces the impact of using buf on our dependency closure, which was significant. It also avoids potential issues with building buf given our own internal dependency constraints. This has caused issues (including crashes!) in the past. See https://github.com/cockroachdb/cockroach/issues/67216#issuecomment-874176186 for more discussion on using tool dependencies generally, and https://github.com/bufbuild/buf/issues/52 for an example of where this sort of thing caused an issue for a user. * Upgrade buf version We should migrate to v1 sooner rather than later, as it has some breaking changes from v0. * Change buf lint/breaking commands These commands were moved up one level for v1 * Migrate to buf.yaml to v1 * Remove unused imports These were uncovered by using "buf lint". * Use buf v1.3.1 * Depend on googleapis and grpc-gateway via BSR * Switch to buf for proto generation * Remove third party dependency * Remove unused tools and scripts * Move local protos up one level * Temporarily don't fail on breaking changes * Generate CI config * Fix generation of controller.json * Replace use of deprecated flag * Remove unused import, regenerate files * Remove temporary skipping over breaking check	4 years ago
Jeff Mitchell	58a448fc6a	Put session ID in ALPN (#1966 ) This allows us to use SNI for actual host (e.g. routing) information. We don't have the client cert yet so we can't look at that, so this provides a way for us to convey the information needed to look up that session's TLS stack. Using SNI for hosts means we also run into the fact that we don't have automatic agreement in terms of SANs. So when generating the certs we now also pass worker address information to the function to be encoded in the cert. Finally, there is a change in how the websocket dialing happens, because http.RoundTripper tries to be too clever for its own good and overwrites NextProtos on a whim.	4 years ago
Todd	3eb22b073a	Defines the controller api metrics and registers them at controller startup (#1917 ) Co-authored-by: Hugo Vieira <hugoamvieira@users.noreply.github.com>	4 years ago
Johan Brandhorst-Satzkorn	803d916279	Update zalando/go-keyring with freebsd fix (#1938 )	4 years ago
Johan Brandhorst-Satzkorn	9dc8c45634	Revert version upgrade of dbus and go-keyring (#1936 ) * Revert version upgrade of dbus and go-keyring The combination of these versions were causing build errors on freebsd * Only revert zalando/go-keyring	4 years ago
Jeff Mitchell	c99907c6c5	Update keyring deps to remove deprecation warnings (#1924 )	4 years ago
Jeff Mitchell	20011021ee	Update against tagged sdk/api versions	4 years ago
Jeff Mitchell	7eb29261b2	Update to go-kms-wrapping version 2, and plugin-based KMS (#1901 )	4 years ago
Louis Ruch	64fd93e088	chore(release): Bump API version and changelog for 0.7.5	4 years ago
Louis Ruch	ecbeab9035	chore(release): bump api/sdk versions	4 years ago
Jim	591ec476e7	refactor: Update internal/db and oplog to use go-dbw package for database operations. (#1785 ) * chore: Add new dbw dependency * refactor: Convert to use dbw.DB * refactor (db): Change GetTicket(...) signature * feature (db tests): Added TestDeleteWhere(...) Adding this allows us to eliminate a leak of the gorm library * refactor: Add ctx to ScanRows(...) signature This is required to refactor all the deprecated errors pkg calls. This refactor required adding a context to quite a few call chains and in particular the job scheduler bits * feature (db/tests): Add support for test opt: WithTestLogLevel(...) This test only option allows callers to specify a log level for the underlying db package (where supported/applicable) when calling TestSetup(...) * refactor (db): Simplify Db type Only store the underlying DB and create the RW on demand when needed. * refactor (oplog): Port to using dbw pkg for db operations * refactor (db): Remove gormDB(...) func * tests (db): Add unit tests for TestDeleteWhere(...) * chore: make fmt changes to formatting	4 years ago
Jim	baa1d88f1f	feature: Add client ip to inbound request information (#1678 ) * feature: Add client ip to inbound request information * feature (workers): Add the user's client IP to a session's connection information (#1749)	4 years ago
Hugo Vieira	f1063a62a0	feature(config): add sockaddr template support	4 years ago
Jim	dba5bc88a0	chore: Upgrade gorm deps (#1747 )	4 years ago
Louis Ruch	bc0e23bdf1	chore: bump api/sdk versions	4 years ago
Jeff Mitchell	4bf86e6394	Update SDK/API versions to main branches after merge	5 years ago
Todd Knight	884e1f2d18	Merge branch 'main' into plugin-hostcatalogs # Conflicts: # go.mod # sdk/go.mod	5 years ago
Jeff Mitchell	962c9463fd	Update SDK/API modules	5 years ago
Jim	b96f57ec4e	fix (events): Only "sign" audit events (#1677 ) * chore: Update eventlogger dependency. We need the latest version, so we can limit the type of events that are signed. * fix (events): Only "sign" audit events	5 years ago
Jeff Mitchell	48ac8b8f0b	Merge branch 'main' into plugin-hostcatalogs	5 years ago
Jim	eecd878b36	feature: Add signing (hmac-sha256) of audit entries (#1666 )	5 years ago
Jeff Mitchell	80d41b9044	Merge branch 'main' into plugin-hostcatalogs	5 years ago
Todd	ec36528e97	Updating dependencies since the host plugins were updated. (#1649 )	5 years ago
Todd	1312628a1e	Add plugin set sync and orphaned host cleanup jobs (#1647 )	5 years ago
Jim	8ae6e9892f	feature (events/audit): Add auth info to audit events (#1644 )	5 years ago
Jeff Mitchell	b64761f38f	Add repository and functions around plugin host set membership (#1629 ) Co-authored-by: Todd <T.Alan.Knight@gmail.com>	5 years ago
Jeff Mitchell	b1a72bd445	Merge remote-tracking branch 'origin/main' into plugin-hostcatalogs	5 years ago
Jeff Mitchell	1782f6a4e4	Enhance worker connection security (#1641 ) This stores worker connection nonces within the database to ensure uniqueness of connections. Prior the connection required any attacker to be able to decrypt the incoming encrypted authentication message in order to replay (and if the attacker has access to the KMS you have bigger problems), but with this change even if an attacker does have access to the KMS key, they cannot reuse the same message. (If they're able to encrypt against the KMS key, they can still act as a worker with a new message, so this only really helps if they only have decryption capabilities.)	5 years ago
Jim	a679300b50	feature (events): Classify auth method request/resp messages for audit events. (#1640 ) * refactor (oidc): Stop emitting error for not found token id Stop emitting errors when authtoken repo.IssueAuthToken is called and there's if no pending token. It's not an "normal" state and not an error condition. * feature (audit tagging): Add tags for auth method requests/responses Including testing functions for asserting audit events created when a service is called	5 years ago
Todd	8795b20fe2	Delete actions for plugin based catalogs and sets (#1622 ) * Add ability to delete plugin based host catalogs and host sets * Add plugin host catalog and set tests for API.	5 years ago
Jeff Mitchell	0fd906d964	Merge branch 'main' into plugin-hostcatalogs	5 years ago
Jim	769416c2ff	refactor (controller): Use a grpc server for the grpc-gateway (#1576 ) * refactor (controller): Use a grpc server for the grpc-gateway This starts a grpc server for the grpc-gateway. The new gateway server uses an in-memory listener which also supports "dialing", so the http proxy can connect to the in-memory listener. This change allows us to use all grpc server features and was in part motivated by a need for an interceptor of inbound requests. With that said, having a "proper" grpc server for the gateway will provide a lot more flexibility and capabilities moving forward. The request context will still be verified via middleware in the http proxy (see wrapHandlerWithCommonFuncs). This verified context will be serialized into a protobuf and sent along to the grpc-gateway via metadata where an interceptor will add the verified request info to the request's context (see requestCtxInterceptor). The interceptor will verify the serialized request info via a shared ticket with it's companion in-memory http proxy. FYI: the ticket is simply random base62 string (see db.NewPrivateId). This change also necessitated a minor change to services. We need to return an empty response instead of nil, nil when there are no errors and the response is empty. * refactor (handlers): Rename gRPC Gateway filter Originally, this was called an OutgoingInterceptor, which is an unfortunate name since it's not an interceptor. Now that we're refactoring the gateway stuff and have proper interceptors, renaming this should remove ambiguity * refactor: Rework how 204 with empty msg is handled Recent changes to grpc gateway has necessitated a change to how 204s are handled by the gateway * tests (bats): Check status codes for delete operations	5 years ago
Jeff Mitchell	1c8e0ed1e1	Add scaffolding for external host plugins and convert aws/azure over (#1581 )	5 years ago
Jeff Mitchell	f6efde041d	Merge branch 'main' into plugin-hostcatalogs	5 years ago
Jim	3b99ded7ad	refactor: Update gorm deps (#1591 ) Our recent upstream PR was merged into gorm. We needed to change just a few bits to migrate our gorm dep back to the upstream source.	5 years ago
Jeff Mitchell	098c3e1f22	Update sdk dep from proper branch and fix building	5 years ago
Jeff Mitchell	158ab09952	Merge branch 'main' into plugin-hostcatalogs	5 years ago
Jim	c8b29ded1c	Events: Add outbound detail protobufs, request status code, and update event encrypt filter. (#1569 ) * feat (events): Add status code to audit events * feat (events): Add the resp proto msg to every audit event * chore (events): Update eventlogger dep This latest version will redact any map and/or map field which isn't explicitly classified via a Taggable interface * feat (events): Begin to add tagging to response proto msgs	5 years ago
Jim	8d6dee09a9	refact: Add db.DB wrapper and refact all test fixtures to use it. (#1535 ) * refact: Changes required for gorm v2 * refact: Add db.DB wrapper and refact all test fixtures to use it Stop leaking the gorm abstraction within our unit tests. * refact: Migrate direct calls to pq to pgx driver The refactor will remove the remaining direct dependencies on the pq driver which has been deprecated in favor of the pgx driver. It includes the addition of common.SqlOpen which is a wrapper around sql.Open, which is needed to deal with the driver name changing from "postgres" to "pgx" but in our code base the dialect and driver are synonyms.	5 years ago
Jim	136ac00b49	refact: Changes required for gorm v2 (#1528 )	5 years ago
Jeff Mitchell	08ce7ac889	Update azure plugin to fix tag-based filtering	5 years ago
Todd	e11a481256	Register Azure and AWS at controller start up (#1570 ) * Register Plugins. * Pass catalogs and persisted data when listing hosts for host sets. Register azure plugin at startup if not present.	5 years ago
Jim	f9c043c866	chore: Update sdk and api deps	5 years ago
Jeff Mitchell	f9c620a5d5	Merge branch 'main' into plugin-hostcatalogs	5 years ago
Jeff Mitchell	7c32d25dd8	Bump dockertest and atomic (#1545 )	5 years ago
Jeff Mitchell	7dff943a91	Bump some x deps up (#1544 )	5 years ago
Jeff Mitchell	8a2716c503	Update various grpc deps (#1541 )	5 years ago
Jeff Mitchell	8503d6c62e	Update protoc-go-inject-tag and pq deps (#1539 )	5 years ago
Jeff Mitchell	c82d37bfba	Updating dbassert (no code changes, just newer version number)	5 years ago
Jeff Mitchell	021f1ff55e	Update various dependencies (#1540 )	5 years ago
Jeff Mitchell	e07792cf74	Add endpoint preferencer (#1526 )	5 years ago
Jeff Mitchell	68867ef01e	Update api/sdk tags	5 years ago
Jeff Mitchell	e9a8ede0d6	Move wrapper package back to SDK (#1511 ) TF uses this, so SDK is a decent place for it. It doesn't create dependencies between it and API.	5 years ago
Jeff Mitchell	d7a990b62b	Bump api/sdk in main module	5 years ago
Jim	6ad8333b97	chore: update sdk and api deps	5 years ago
Jim	5f46207e76	Events: add redact/encrypt node for audit events to Eventer (#1490 ) * feat (events): Add new options needed for AuditConfig WithAuditWrapper and WithFilterOperations all for optional paramters when creating AuditConfig types. * refactor (event): Change EventerConfig.Sinks to a ptr We need to modify the SinkConfig.AuditConfig during the NewEventer factory, so we have to use a ptr not a ref. * feat (events): Add audit configuration types * feat (events): add audit config to sink configuration. * feat (events): add redact/encrypt node for audit events to Eventer Integrate the encrypt.Filter node from the eventlogger into the event.Eventer, so audit events can be redacted/encrypted based on data classifications. * test (events) Add test protobufs for events Add test protobufs along with a test service for testing the audit event encrypt node	5 years ago
Jeff Mitchell	b0dbd0182e	Add support for additional awskms parameters (#1468 ) This updates to the latest go-kms-wrapping tag to support these parameters and documents them.	5 years ago
Jeff Mitchell	f7894811f5	Update go-bexpr to allow colons in paths; add a test (#1453 )	5 years ago
Jeff Mitchell	c75c97a872	Normalize event configuration (#1444 ) * Normalize event configuration This updates event configuration stanzas to more closely match behavior for listeners and kmses: * Singular "sink" instead of "sinks" (probably not the most correct option, but a consistent option, and one that makes sense for HCL) * Allows sinks to have the type defined at the start of the block * Moves type-specific configuration to a specific named block Co-authored-by: Jim <jlambert@hashicorp.com>	5 years ago
Jim	3a3f956615	support new event formats of: hclog-text and hclog-json (#1440 )	5 years ago
Jim	6785055a4d	update to latest tagged version (#1436 )	5 years ago
Jim	cab3dd6986	update eventlogger dep which should eliminate a possible panic with the gated.Broker is nil (#1411 )	5 years ago
Jeff Mitchell	ed6c59a053	Update the rest of the shared libs locations	5 years ago
Jeff Mitchell	fccdf80161	Update API import	5 years ago
Jeff Mitchell	4900f249e6	Update parseutil import location	5 years ago
Jeff Mitchell	b533e12c1a	Update password import	5 years ago
Jeff Mitchell	ce52acb968	Update strutil import	5 years ago
Jeff Mitchell	44329d4ff9	Repoint mlock import	5 years ago
Jeff Mitchell	140c54e319	Repoint base62 import	5 years ago
Jeff Mitchell	051fe60718	Duplicate logging instead of using from shared secure libs, as it's going out of there and we'll be moving away from hclog anyways	5 years ago
Jeff Mitchell	2cbcf9a563	Update usage of shared-secure-libs (#1393 )	5 years ago
Jeff Mitchell	c9e4c877b8	Update shared-secure-libs for kms block fix (#1384 ) Fixes #1305	5 years ago
Jim	a68f131089	update api dep	5 years ago
Jim	2ac5e0a6ad	update sdk and api deps	5 years ago
Chris Marchesi	9f9acce972	[Merge to main] internal/servers/worker: Controller failure connection cleanup (#1330 ) (#1357 ) This commit adds some rudimentary functionality for cleaning up connections on controller failure, or more specifically, a failure to communicate with the controllers. In this scenario, when a status cannot be sent for any reason for longer than 30 seconds, the worker will close all connections that are normally not cleaned up (so for sessions that currently are not in the progress of being canceled or terminated). Status requests now time out after 10 seconds if they are not made successfully. Session status is not touched during this process, but natural cleanup or connectionless sessions will still occur. This should be okay, as the session should be added on re-connect if need be. A few other changes are made to cancelConnections: first, error logging has been moved to the function so that we can handle errors requesting cancellation directly within the function; this entails simply just locally marking these connections as closed with a warning. Second, there was a minor logging bug where closed connections were not properly being noted in the last trace log, this has been fixed. Additional changes: * Circle: Set acceptance test no_output_timeout to 30m	5 years ago
Jim	83c65d0d4b	update cap dependency (#1349 )	5 years ago
Michael Gaffney	df35699c4e	Integrate with Vault to retrieve and manage per session credentials (#1308 ) * Fix down migrations * Udpates due to merge * Sentinel values only have to be greater than 0 * Create credential related sdk structs and methods. * Post merge interface updating. * Removing scratch code that was not cleaned up. * updates * Convert client certificate and client certificate keys into pem blocks and validate. * Add newline at end of file. * Faster check for "s" at the end of a resource name when generating from templates. * make fmt * updates * Add dynamic credentials to a session * Refactor: move contents of file * updates * Updates * Add InvalidDynamicCredential error * Assign credentials * Allow updating client certificates seperate from the client certificate key. * Replace application purpose string with enum value * PR feedback / fix go test . * Delete dead code * Use common view * Refactor: extract interface and rename method * Refactor: move code to eliminate privPurpLibrary * Add comment to requestMap * Refactor: do not export methods on an unexported struct * Update internal/db/schema/migrations/postgres/10/03_vault_credential.up.sql Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Add comments to credential Purpose constants * Reorder switch statements to handle errors first * PR feedback * update * fix merge * Organizing the scheduler code and extract the individual store creation test helper function. * Run 'make fmt' * Create certificate when creating store. Allow vault address to be passed in as option * Refactor: rename database views and associated structs This change renames two database views and associated go structs to use a consistent naming pattern. Views ending in 'private' contain encrypted credentials needed for connecting to Vault. Views ending in 'public' mirror the 'private' views but do not include any encrypted values. This change does not include any changes to functionality or behavior. * Adding SAD target operations for credential libraries to the SDK. * Add status field and enumeration table for credential status * Refactor: rename Status to TokenStatus * Add status to vault credentials * Creating the template for the CLI and helper functions. * Add private database view for vault credentials * Add scope_id to view and cleanup TODO comment * Reformat embedded sql queries * Add vault client helpers * updates * white space * Add LookupLease test * CLI commands for Store work. Renamed fields in proto w/ vault prefix. * Test issue credentials with client TLS * Add additional checks to vault ping * Add an error for vault token capabilities and create a VaultToken error kind * Add support for working with Vault policies * Use Vault 1.7.2 for testing * Add testing helper for creating a vault client with a non-root token * Fix Vault renew lease test The Vault renew lease endpoint accepts an optional duration parameter for requesting the number of seconds to extend the lease by. However, Vault is not required to honor this request. * Add a var for the required capabilities of a boundary Vault token * Enhance the test helper for adding a policy to Vault * Allow the test role in postgresql to revoke credentials * Remove out of date comments * Enhance Vault test helpers for the database secrets engine * Reformat comments * Add a method for getting the capabilities of the current Vault token * Add revoke lease to internal Vault client * Reformat: combine err return line with check for nil line * Remove redundant checks in test code Remove checks in test code that are redundant with checks in the test harness. * Refactor CreateToken test helper to return the secret and the token * Fix build failures caused by signature change in vault.CreateToken * Fix Vault version and Vault API link in comments * ran `make gen` after merging from mgaffney-vault. * Remove Vault prefix from attribute fields in API, create a base CLI option for adding field prefixes. format now uses that prefix for error reporting. * Template now allows attaching attribute field prefixes. * Credential store uses PrefixAttributeFieldErrorsWithSubactionPrefix. * Fixing naming of vault flags and helper flags. * Updating more references to generated api methods. * Make the capabilities String method more readable * Add comment outlining PrintApiError usage of Options. * Refactor test to move declarations closer to first use * Fix comment * Implement revoke method on vault repository * Tests now verify certs, CA, and tokens, addresses can be updated in a store. * Added test for creating store with pk/cert in same field. * Allo updating certificates seperate from private key. Only contact backing vault service when updating token. * Fixing bad tests and removing unused code. * Adding tests for various ways of updating tokens. * Add private credential * Add token revocation job and cred renewal/revocation job * Regen after merge. * Fixing field mask related merge error. * Create Library CLI. Removes vault prefix from path. Adds a WithoutCleanup testOption for vault. * Set all credentials to revoked when a token is revoked * Fixing missed renaming update. * fix copy/paste error. * Fixing code generation errors after merge. * make gen after merge. * Update internal/cmd/commands/credentialstorescmd/vault_funcs.go Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Update internal/cmd/commands/credentialstorescmd/vault_funcs.go Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Update internal/cmd/commands/credentialstorescmd/vault_funcs.go Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Refactor: move migrations from 10 to 12 * Removing logic from transaction. * wrapping client errors in the calling op for CredentialStore's client() method. * Redact token * redact client key * updates * Add trigger to revoke credentials when session is canceled or terminated * Fixing some help text for some flags. * Add ability to load values from files (file://) or environment variables (env://). * Updating comments * fix bad merge * feedback * Adding issued credentials to sessions. * Error on capabilities * updates * Expose NewVaulTestServer * Add godoc * Adding generated SessionCredential struct for API. * Progress on building handler test for Authorize Session. * feedback * Update policies * Add 'revoke' as a status for Vault Tokens * Add delete_time to vault credential store * Create dynamic credentials at session creation time. * Tests pass with credentials attached to AuthorizedSession result. * Only call issue if there are credentials to issue. * Fixing output only issues. Adding type to credential library. * Fix test to clear un/pw generated. confirm generated un/pw changes from 1 authorize session call to another. * Update lookupTokenError * Add delete_time to private credential store * Refactor: move private store to separate file * Fixing tests for AuthorizeSession and verifying error cases. * Only create the credential repo if there are credentials to issue. * Rename Library field to CredentialLibrary. * Fixing missing change of Library to CredentialLibrary. * Removing Default SDK functions for fields which are required and update CLI to match. * Replace resource specific id variables with "id" and the input parmater for paths to be just a single string and the resource name as it should show up in the path. * Soft delete vault credential stores * Prevent new SQL functions from silently overwriting existing functions * Rename "Hmac" to "HMAC" in the human readable cli response table. * Fix tests * Add vault database cleanup jobs * Add ability to set the token period in the vault test harness * updates * Add not_null_columns func test * remove unused struct * Up no output timeout * Validate current vault token on addr update * Fix client cert change test * add cert test * Update revocation job where * Fix comment * Use Vault's default port in CLI help strings * Remove down migrations * Increase migration file numbers by 1 * Run make migrations * Move migrations from 12 to 10 * Increase Circle CI timeout for acceptance tests * Fix spelling mistake in error messages * ASD cmds for Target and returning credentials to AuthSession request (#1338) * Add Add/Set/Remove commands for libraries on Targets. Return credentials on AuthorizeSession request. Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> Co-authored-by: Louis Ruch <louisruch@gmail.com> Co-authored-by: Todd Knight <T.Alan.Knight@gmail.com> Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	5 years ago
Jeff Mitchell	09bdb498bd	Update grpc, grpc-gateway, and a few other deps (#1325 )	5 years ago
Jeff Mitchell	8c63ede9cc	Update some deps (#1324 )	5 years ago
Jim Lambert	aa41676dc9	make gen changes prior to staging release	5 years ago
Jeff Mitchell	d6ef2732e7	Merge remote-tracking branch 'origin/main' into ICU-1573	5 years ago
Jim	cc2c71a261	base types for events package (#1275 )	5 years ago
Jeff Mitchell	6c9b9e948e	Add the bits to actually read filters and assign values to users (#1261 )	5 years ago
Jim	a1b338f253	bump dependency to get a fix for https://github.com/coreos/go-oidc/pull/259 (#1238 )	5 years ago
Jim	e064e26f58	update cap dependency (#1231 )	5 years ago
Jeff Mitchell	a23d68b0dd	Bump some deps (#1228 )	5 years ago
Jim Lambert	3564956572	update api dep	5 years ago
Jeff Mitchell	77a85636c2	If we're going to use replace directives, use SDK too	5 years ago
Jim	75108cbc8b	Ongoing OIDC: return the primary account info along with the user. (#1145 )	5 years ago
Jeff Mitchell	a90a64d787	Use Go 1.16 native embedding and remove go-bindata (#1151 ) Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>	5 years ago
Jim	9b36dbb628	replace go mod statements for api and sdk (#1146 )	5 years ago
Jeff Mitchell	1558b8e52b	Bump PQ dep (#1137 )	5 years ago
Jeff Mitchell	be10cc4b42	Update grpc/proto deps (#1136 ) * Update grpc/proto deps * Make gen	5 years ago
Jeff Mitchell	8332eb10c5	Update websocket, vault/sdk, and hclog deps (#1135 )	5 years ago
Jeff Mitchell	e860e5f778	Bump to Go 1.16	5 years ago
Jeff Mitchell	ba693bbafc	Bump shared-secure-libs	5 years ago
Jeff Mitchell	a71725f9c5	Bump go-mod-upgrade	5 years ago
Jeff Mitchell	e002209a5c	Remove replace directive	5 years ago
Jim Lambert	5df064d7b4	new api tag added as dep	5 years ago
Jim	dd0f34bc35	Add new OIDC auth method. (#1090 ) Co-authored-by: Todd Knight <T.Alan.Knight@gmail.com> Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com>	5 years ago
Jeff Mitchell	06206de387	Remove go-swagger from the set of tools This indirectly removes a dependency on broken mongodb-driver 1.4.5; see https://jira.mongodb.org/browse/GODRIVER-1851	5 years ago
Jeff Mitchell	fcbf372881	Bump proto/grpc deps (#1017 ) * Bump proto/grpc deps * Back out buf change * Run make gen	5 years ago
Jeff Mitchell	d148dddb16	Update go-fumpt and multierror	5 years ago
Jeff Mitchell	559d304b59	Bump go-mod-upgrade	5 years ago
Jeff Mitchell	1047e7dab3	Update main's api/sdk	5 years ago
Jeff Mitchell	9fbb552031	Update shared-secure-libs to support tls_max_version	5 years ago
Jeff Mitchell	72aa110f72	CLI JSON updates (#962 ) See Changelog for details.	5 years ago
Jeff Mitchell	b967ff7f05	Pull in new API tag	5 years ago
Todd Knight	909026ed3d	API filter tests (#958 ) * API filter tests. Requires that PR https://github.com/hashicorp/boundary/pull/957 is merged and tagged first. * Updating /api dependency.	5 years ago
Jeff Mitchell	2ed1643e3a	Dep updates (pgx, dktest) (#956 ) * Dep updates: * pgx * dktest * Remove pgx	5 years ago
Jeff Mitchell	09e57a6624	Dep update: (#955 ) * grpc-gateway and friends * buf * go-swagger * protoc-gen-go-grpc/genproto	5 years ago
Todd Knight	97b404032b	Add ability to filter List*Requests (#952 )	5 years ago
Jeff Mitchell	d7afd08148	Update API dep	5 years ago
Jeff Mitchell	377d837df3	Update gen	5 years ago
Jeff Mitchell	1ce09069a5	Move worker selection above session creation (#929 ) This prevents a session being created when no workers are available to handle it.	5 years ago
Jeff Mitchell	e9da3a871d	Switch on CORS by default if not specified (#928 )	5 years ago
Jeff Mitchell	5266eb3269	Don't error worker filters if a key isn't found, treat it as a non-match (#900 )	5 years ago
Jeff Mitchell	c6fa737e51	Add a duplicate authenticate:login API verb (#912 )	5 years ago
Jeff Mitchell	08686ef6f5	Update Jeff libs :-)	5 years ago
Jeff Mitchell	0b44583859	Update API in main	5 years ago
Jeff Mitchell	5de4befb58	Upgrade some deps (#886 ) These are Jeff-managed deps, and the changelogs have been evaluated.	5 years ago
Jeff Mitchell	717a3b52ee	Add worker tagging (#862 ) This allows workers to have tags assigned to them, which can then be filtered to control which targets they are allowed to serve.	5 years ago
Jeff Mitchell	2bafd8a07c	Bump go-mod-upgrade	5 years ago
Jeff Mitchell	46644300d9	Switch to execabs for os/exec in connect cmd (#873 ) * Switch to execabs for os/exec in connect cmd This is more of an abundance-of-caution change (e.g. defense in depth) but it doesn't seem like we should be using binaries from the current directory for `boundary connect` executions (unless given an explicit path). * Update changelog	5 years ago
Todd Knight	ec6151d174	Organize DB Schema Migration Code and DB Init Checks (#842 ) Create Schema Manager and propagate contexts into the DB calls downstream. Add checks at controller startup and database init for correct schema version and schema migration dirty bit being set.	5 years ago
Michael Gaffney	94cb79bbdd	See how Boundary would look with gofumpt applied (#853 ) * See how Boundary would look with https://github.com/mvdan/gofumpt applied Results of running `gofumpt -w -s .` * Update tools file and Makefile for gofumpt Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	5 years ago
Jeff Mitchell	77525298bd	Use modified version of keyring lib	5 years ago
Jeff Mitchell	5b5602969f	Update go-keyring to use forked version (#846 ) This may help with #830.	5 years ago
Jeff Mitchell	6a6b95dd01	Update go.mod API ref	5 years ago
Jeff Mitchell	11b821a200	Bump deps (#818 )	5 years ago
Jeff Mitchell	a39bad1ab0	Bump api package in go.mod	6 years ago
Jeff Mitchell	a37ba007f2	Update deps (#772 ) * Update deps This also updates for the new (and required) paradigm for registering service implementations as spelled out in https://github.com/grpc/grpc-go/issues/3385 * Roll back dockertest	6 years ago
Todd Knight	6e5aff3d5b	Add buf breaking change detection to makefile (#756 ) * Add buf breaking change detection to makefile. * Bump buf version to latest and fixed some deprecation and new flag warnings.	6 years ago
Jeff Mitchell	09b865ab28	Add `pass` cred storage support (#731 ) * Add `pass` cred storage support Make it the default on non-Windows/macOS Document the token storage behavior	6 years ago
Jeff Mitchell	837e9eb0cc	Fix up authenticate docs (#627 )	6 years ago
Jeff Mitchell	7f00e61ab0	Migrate to newer grpc utilities and bump deps (#593 ) * Migrate to newer grpc utilities and bump deps * Revert grpc back as it was an accidental tag	6 years ago
Jeff Mitchell	77c837342e	Use api/sdk tags	6 years ago
Jeff Mitchell	6993d10118	Update main's api/sdk mods	6 years ago
Jeff Mitchell	5cbfcf8eb6	Shuffle things around out of new modules	6 years ago
Jeff Mitchell	70a8051974	Update mod file	6 years ago
Jeff Mitchell	617921ef65	Bump deps (#522 )	6 years ago
Jeff Mitchell	70fa231377	Update dbassert	6 years ago
Jeff Mitchell	c1a1f8bb1b	Separate out docker dep into package (#482 ) This also then removes support for docker-based containing starting (for now) from platforms other than windows/darwin/linux as there are build issues on several.	6 years ago
Jeff Mitchell	cf3fa4522d	Swap base58 libraries (#472 ) * Swap base58 libraries This doesn't reduce binary size but it removes a metric ton of dependencies.	6 years ago
Jeff Mitchell	446286e251	Bump deps (#435 )	6 years ago
Jeff Mitchell	61a0ae02c1	Bring go-alpnmux in house for now	6 years ago
Jeff Mitchell	05c2e38f03	Bump deps (#364 ) * Bump deps * Revert go-kms-wrapping as the vault team broke it :-(	6 years ago
Jeff Mitchell	23156afa11	Add in most of the proxy flow (#326 )	6 years ago
Jeff Mitchell	74544f6324	Encrypt tokens on the way out and decrypt on the way in (#302 ) * Encrypt tokens on the way out and decrypt on the way in This isn't a security feature related to tokens specifically; it's so that we can discard cryptographically bad tokens before we ever hit the DB. This way we can't pass through a DDoS to the database due to fetching obviously invalid token values. I'm using base58 to encode the resulting value as there aren't great base62 options, and allowing base64 / and + values can hamper usability by creating copying/highlighting breaks.	6 years ago
Jeff Mitchell	bc32272ca7	Update go-retryablehttp, strcase, gorm	6 years ago
Jeff Mitchell	414a2ab2c3	Remove some dead, dead, dead, dead code	6 years ago
Jeff Mitchell	b47cca0329	Add (non-db aspects of) the recovery key workflow (#286 )	6 years ago
Jim	9570897032	basic keys mgmt repo (#264 )	6 years ago
Todd Knight	23b437894a	Masks can now update attribute fields. (#271 )	6 years ago
Jeff Mitchell	5d104a7a01	Migrate off Vault's internalshared folder to the separated-out repo	6 years ago
Jeff Mitchell	203e2b5dc2	Initial worker porting steps (#232 )	6 years ago
Jeff Mitchell	6661117d4c	The name. The name. The name!	6 years ago
Jeff Mitchell	f1b3ad373e	Go mod tidy	6 years ago
Michael Gaffney	bdb31cf8b5	Bump deps (#245 )	6 years ago
Jeff Mitchell	f07bb9dae6	Fix breakage after change to template from previous PR	6 years ago
Jeff Mitchell	df4730b1a0	Minor fixes and first API test changeover (#243 )	6 years ago
Jeff Mitchell	908a299ea3	Convert SDK to the new options API (#238 )	6 years ago
Jeff Mitchell	c0f3a72bac	go mod tidy	6 years ago
Todd Knight	f47046f158	Update Watchtower to use grpc-gateway v2 (#204 ) * Migration to grpc gateway v2.	6 years ago
Michael Gaffney	799242fce4	Bump deps and run 'make gen' (#212 )	6 years ago
Jeff Mitchell	dec1f07266	Update deps and make proto	6 years ago
Jeff Mitchell	fa5f45260b	Bump Vault dep	6 years ago
Todd Knight	28dbcd84bd	Authenticate Handler API and SDK, and much more (#183 )	6 years ago
Jeff Mitchell	4decf9502a	Fix handler test by moving it to a new file with a build tag	6 years ago
Jeff Mitchell	316b250a24	Use dockertest v3 consistently (#167 )	6 years ago
Jeff Mitchell	8da4effd5e	Add mechanism for bundling UI assets. (#153 ) * Add mechanism for bundling UI assets. The scripts/uigen.sh script will check out the UI repo, build assets, create a static assets file, and clean up. The dev Makefile target has been modified to run this script if no assets file is found. There is also a build-ui target that will unilaterally update (the dev target only builds if the file isn't found, but doesn't update). The handler has been updated to add the default org ID as a header if the request path is "/". Co-authored-by: Randall Morey <randall@randallmorey.com>	6 years ago

... 2 3 4 5 6 ...

384 Commits (c2bc19c71fac7c3ccf106b3cdf0c19fb7ecf899d)