boundary

Commit Graph

Author	SHA1	Message	Date
Johan Brandhorst-Satzkorn	9474b373b8	api: remove create from auth-tokens help (#3341 ) The auth-tokens help command included a reference to a non-existent auth-tokens create command. Replace the default help and also add a helpful pointer to the authenticate command.	3 years ago
Jeff Mitchell	3a9903a836	Don't attempt session teardown if the session is expired (#3312 ) This avoids a situation where teardown results in an error due to the worker not accepting the connection (since the credentials are invalid). Teardown is a best-effort way to avoid sessions that have long lifetimes ending up having to wait for expiration before cleanup, but if we're near expiration it doesn't really matter. Fixes ICU-9633	3 years ago
Jeff Mitchell	8322916fb4	Remove all deprecated Err/Wrap/E calls (#3286 )	3 years ago
Jeff Mitchell	feb3aea38f	Support multiple IDs in grants (#3263 ) This allows specifying multiple IDs in grants via an `ids` field, which will eventually become the normal way to specify IDs. Internally, each grant with multiple IDs turns into multiple ACL grants each with a single ID; to make this distinction clearer and allow for better separation of concerns an AclGrant type has been introduced, so really multiple IDs in a Grant turn into multiple AclGrants. The nice thing about doing it this way is that it becomes purely a parsing concern; no actual validation logic has changed. For backwards compatibility with grants already stored in roles, we do not error out if `id` is specified. However, eventually we will simply not support grants with `id` coming via the API; they will fail API validation, such that new grants will require the use of the updated `ids` field. A follow-on PR will plumb this through the service handlers/API/CLI, but I decided to do it in separate chunks to make reviewing easier, given that they are easily separable into the internal and external aspects of the change. * Add CLI/API checks around using ID in grants (#3264) * Plumb through some contexts to remove a lot of deprecated errors (#3268)	3 years ago
Johan Brandhorst-Satzkorn	ebcd6d2828	api: remove connection ID (#3298 ) Removing this until we figure out why it's sometimes missing. May add it back again later.	3 years ago
Jeff Mitchell	1b0330ad8e	Update dev worker auth flag names (#3265 ) This brings it in line with the updated names that have been settled on in light of deprecating the old KMS method.	3 years ago
Louis Ruch	281f217dcc	feat(plugins): Refactor host plugins to boundary plugins (#3262 )	3 years ago
Todd	2359d5b7a5	remove filter flags and options for session recordings	3 years ago
Todd	d1a5f3a2ff	Update attribute fields to be proto struct so generated api becomes map[string]any	3 years ago
irenarindos	4785f2388f	chore(session recording): update cmd typo	3 years ago
Louis Ruch	95398d3b65	fix(dev): Fix panic in controller-only dev mode panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0xb8 pc=0x16626b0] goroutine 1 [running]: github.com/hashicorp/boundary/internal/cmd/commands/dev.(Command).Run(0xc000b90000, {0xc00003e110, 0x1, 0x1}) github.com/hashicorp/boundary/internal/cmd/commands/dev/dev.go:484 +0x490 github.com/mitchellh/cli.(CLI).Run(0xc0003323c0) github.com/mitchellh/cli@v1.1.5/cli.go:262 +0x5f8 github.com/hashicorp/boundary/internal/cmd.RunCustom({0xc00003e100?, 0x60?, 0x0?}, 0x0?) github.com/hashicorp/boundary/internal/cmd/main.go:189 +0xa16 github.com/hashicorp/boundary/internal/cmd.Run(...) github.com/hashicorp/boundary/internal/cmd/main.go:95 main.main() github.com/hashicorp/boundary/cmd/boundary/main.go:16 +0xc7	3 years ago
Jim	468c58836b	feat(recordings/cli): more read detail info	3 years ago
Jim	d49fde2299	feat(cli/session-recordings): add download cmd	3 years ago
Johan Brandhorst-Satzkorn	98e0b9db98	commands: add created, updated to recordings	3 years ago
Louis Ruch	7207353066	docs(ssh): Update docs to reflect ssh default port is not required	3 years ago
Louis Ruch	78ca8beb77	fix(cli): Update storage CLI gen and help text	3 years ago
Johan Brandhorst-Satzkorn	15524f3408	api: add created, updated times to recordings	3 years ago
Jim	35a2296092	feat(cli): add session recordings: read and list cmds	3 years ago
Johan Brandhorst-Satzkorn	281989e595	regenerate API files	3 years ago
Louis Ruch	ba0dd857f3	feat(target): Add CLI support for storage bucket association	3 years ago
Louis Ruch	7ab3c66544	feat(storage): Add support for Storage Bucket CLI	3 years ago
Louis Ruch	798a1f952a	feat(storage): Add support for storage plugins	3 years ago
Louis Ruch	351444f1bd	refact(plugin): Move host loopback plugin into internal/plugin/loopback	3 years ago
Jim	20cf521cc0	feat(bsr): add bsr kms support in config, dev and tests	3 years ago
Louis Ruch	52fbc6410c	feat(storage): Add interface, options and errors	3 years ago
Jim	4d08c52afd	feat (authenticate/oidc): support outputting auth url (#3247 )	3 years ago
Jeff Mitchell	77fd51fb12	Add more logging to worker auth rotation and test flags This makes it much easier to figure out when and why rotation is happening and control it for tests/debugging. Remove cert skew Cherry-picked from release/0.12.x	3 years ago
Haotian	d4bcdd8a06	fix(cli): correctly print secrets in authorize-session for current vault credential source subtypes (#3218 ) * updates authorize-session case statement with current vault credential source types	3 years ago
Chris van Meer	2c23848da5	Remove quotations when not needed (#3207 )	3 years ago
Jeff Mitchell	a6fe1a5815	Update gen templates for license/gen info (#3211 )	3 years ago
Jim	667ea285be	feature (boundary dev): add support for dev ldap auth method (#3192 )	3 years ago
Jeff Mitchell	20391e3503	Add default client port to targets and use in connect command (#2767 )	3 years ago
Hugo Vieira	e467cbbfa2	feat(cmd): Display plugin host external name if present	3 years ago
Jeff Mitchell	163ce184b8	KMS-PKI Workers (#3101 ) This adds a new mechanism for worker authentication that uses the third-party arbitration of the original KMS flow by leveraging recently-added capabilities in nodeenrollment to support a registration wrapper. This allows for workers to be registered to the system with just a name and a matching wrapper, while at the same time allowing these workers to be used for private Vault access and multi-hop as they contain per-worker encryption keys and support rotation. Nodes using this mode will generate and rotate credentials in-memory (using another recently added nodeenrollment capability) so will have a new set of keys on every startup. This has the side effect of ensuring that there is never a conflict or re-use of these credentials. Note that the normal test worker flow was using the now-deprecated KMS method; there is still a test that uses this (explicitly) but all other tests using test workers that did not specify a specific PKI flow now actually use this mechanism. This means there is fairly decent test coverage in a general sense, plus the specific tests updated/added for this feature. This also adds a new KMS type that can be used to have distinct KMSes for upstream authentication vs. accepting from downstream.	3 years ago
Jim	86192f75eb	feature (auth/ldap): add LDAP auth method along with associated accounts and managed groups (#2912 ) * feature (auth): required schema changes for auth ldap method (#2669) chore (auth/ldap): move schema changes to next avail migration number * feature (auth/ldap): define AuthMethod and all its value objects (#2703) * feature (auth/ldap): storage protos * feature (auth/ldap): define AuthMethod and all its value objects * feature (auth/ldap): add repo and reading an auth method (#2718) * feature (auth/ldap): add Repository.CreateAuthMethod(...) and Repository.DeleteAuthMethod(...) (#2724) * feature (auth/ldap): add Repository.UpdateAuthMethod(...) (#2739) * feature (auth/ldap): add Account * feature (auth/ldap): add AuthMethod.EnableGroups * fix (auth/ldap): refactor AuthMethod.oplog to enforce proper constraints * feature (auth/ldap): add Account repo functions * refactor (auth/ldap): remove entry attributes from account Realized the entry attributes could have absolutely anything in them (including binary data) and since we absolutely don't have to have them there's just no reason to take on the risk. * feature (auth/ldap): add AuthMethod.UseTokenGroups * feature (auth/ldap): add Authenticate(...) * refactor (auth/ldap): ensure options take a context as the 1st parameter * feature (auth/ldap): add Account attribute maps * chore (auth/ldap): make fmt deltas * feature (auth/ldap): add managed groups (#2760) * tests (auth/ldap): add missing unit test to Repository.DeleteAccount(...) Add bits to test the delete operation when you're not able to generate oplog metadata * feature (auth/ldap): add managed groups fixup! feature (auth/ldap): add managed groups (#2760) * feature (auth/ldap): service proto definition (#2761) * feature (handlers/authmethods): add handlers for ldap auth method operations (#2794) * feature (auth/ldap): add Account attribute maps * chore (auth/ldap): update cap/ldap to latest version * feature (auth/ldap): add ldap api generation definitions * feature (authmethods): add ldap repo NewService(...) * feature (authmethods/ldap): add proper mask_mapping to protobufs * feature (authmethods): add support to get an ldap auth method * refactor (auth/ldap): export TestGenerateCA(...) * feature (authmethods): add support to create an ldap auth method * feature (authmethods): add support to delete an ldap auth method * feature (authmethods): add support to list ldap auth methods * refactor (auth/ldap): make urls optional for NewAuthMethod(...) * refactor (auth/ldap): export ldap.TestInvalidPem * chore: make fmt changes * fix (auth/ldap): properly handle group search config Add constraints and tests to ensure when an ldap AuthMethod.EnableGroups is true, and UseTokenGroups is false; that there's a GroupDn configured for finding a user's associated groups * feature (authmethods): add support to update an ldap auth methods * chore (db/ldap): tmp mv migrations so there's no conflict with ongoing work * feature (verifier): add ldap auth method to verifier bits * fix (controller): prevent panic when controller stops when there's no listener * feature (authmethods): add support to authenticate via ldap auth methods * chore (migrations): fix whitespace in stmt * chore: fmt fixup * tests (auth/ldap): invalid err msg * feature (cli/authmethods): add support for ldap auth-methods CRUD and authenticate (#2810) * feature (authmethods): add CLI support for ldap auth methods CRUD * tests (api/auth): ldap auth method classification tests * feature (authmethods): add CLI support for ldap auth authenticate * feature (auth/ldap): set request timeouts for ldap server connections * feature (handlers/authmethods): handle u_anon listing properly. * feature (account/handers): ldap account and managed group CRUDL APIs (#2852) * feature (auth/ldap) add repository Listing of ManagedGroupMemberAccount * feature (controller/handlers): add ldapRepoFn to accounts service * feature (auth/ldap) register ldap managed group subtype * feature (account/handlers): ldap account CRUDL APIs * feature (controller/handlers): add ldapRepo to managed groups service * feature (account/handlers): ldap managed group CRUDL APIs * docs (domain): add LDAP accounts, auth-methods and managed groups (#2857) * feature (ldap/cli) add ldap accounts and managed groups CRUDL commands (#2856) * fix (handlers/authmethods): fix ldap authorized actions (#2892) * feature (cli/ldap/authenticate): use primary auth method if none is provided (#2890) * fix (auth/ldap): support setting the state attribute * feature (cli/ldap/authenticate): use primary auth method if none is provided * feature (wh/ldap) add tests for new ldap auth method and accounts (#2919) * refactor (migrations/ldap): mv to correct directory * chore: add copyright headers * fix (api/authmethods/ldap): renumber new LdapAuthMethodAttributes field * fix (auth/ldap): allow the auth method state to be updated (#2951) * chore: update sdk and api versions for llb - this is tmp until merging * tests (managed groups): add required errContains for new test	3 years ago
Jeff Mitchell	b76b24a4ad	Move prefixes for many packages into the globals package (#3069 ) This is a prerequisite for some enhancements to grant validation	3 years ago
Jeff Mitchell	b7d810e475	Fix function signature (#3070 )	3 years ago
Jeff Mitchell	b2bab45c13	Port over changes (#3061 ) (#3062 )	3 years ago
Timothy Messier	b69d1c2e2e	fix(cli): Fallback parsing of un-typed credentials (#2989 ) The `boundary connect` subcommands attempt to parse the credentials to use for brokering. This allows the subcommands to insert the credentials automatically into the process called by the subcommand, i.e. `ssh` or `psql`. There is some fallback logic to try a best attempt at parsing the credential in cases where a credential type has not be set on the credential source. The bug was introduced with the recent change to the vault credential library subtype being renamed from `vault` to `vault-generic`. This fallback logic would only run if the credential source type was "vault" or "static", so if the vault credential library was created without specifying a credential-type, the credential would not be parsed and automatically passed to the sub-process. This fix removes the additional check on the credential source's type, instead it will attempt to parse the credential, relying just on the structure of the credential. This also fixes a similar bug in the table output of secrets when using `boundary connect` without a subcommand. The parsing of the credentials for display in the table was only running for `vault` or `static`. Blame: `db42eafd7a`	3 years ago
Eng Zer Jun	6403b0f389	test: use `t.TempDir` to create temporary test directory (#2922 ) This commit replaces `os.MkdirTemp` with `t.TempDir` in tests. The directory created by `t.TempDir` is automatically removed when the test and all its subtests [complete. Prior to this commit, temporary directory created using `os.MkdirTemp` needs to be removed manually by calling `os.RemoveAll`, which is omitted in some tests. The error handling boilerplate e.g. defer func() { if err := os.RemoveAll(dir); err != nil { t.Fatal(err) } } is also tedious, but `t.TempDir` handles this for us nicely. Reference: https://pkg.go.dev/testing#T.TempDir Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	3 years ago
Haotian	f88547bbf5	fix(cli): update plural resource mentions in generated help texts (#2918 )	3 years ago
Johan Brandhorst-Satzkorn	3c29308673	chore: Add license headers to all files	3 years ago
Timothy Messier	89a55632ba	feat(cli): Add vault ssh certificate credential library	3 years ago
Haotian	43f0ba89cf	feat(credentiallibraries): support vault ssh certificates	3 years ago
Irena Rindos	a030c15403	Support HCPBInt in hcpb_cluster_id field (#2880 ) * initial commit	3 years ago
Jeff Malnick	a3c4cef648	Use primary auth method if no auth method ID is provided (#2725 ) * feat: default to using primary auth method with authenticating * Add ability to specify scope ID flag in authenticate method --------- Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	3 years ago
Jeff Mitchell	19180af0eb	Fix target port handling (#2846 ) * Fix target port handling This fixes two issues that compounded on each other (see the Changelog update for more information): * The verification logic for hosts was not correct for update operations (in multiple ways) which meant that a host could be updated after creation to have a port. Targets had a previously fixed bug where they did not require a default port, which meant that ports could be used from hosts * A recent (unreleased) change had prioritized any port coming from the host over the default port, which would mean there was no way if a host had a port specified to use it in multiple targets. This fixes the update verification logic, and strikes a middle ground between breaking things and not by allowing existing addresses with ports to be used with targets but ignoring that port, instead requiring targets to have default port set at authorize time (currently there is backwards compat that does not require this due to the original optional port bug). * Update CHANGELOG.md Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com>	3 years ago
Todd	d66b92abe0	Add directly connected downstream workers to the worker resource api (#2831 )	3 years ago
Irena Rindos	e238893c21	Unset worker auth when Boundary dev uses a kms worker (#2786 )	3 years ago
Irena Rindos	af24972386	warn if controller and worker name are the same (#2773 )	3 years ago
Hugo Vieira	f85da3ee2b	feat(cmd): Create target using address on boundary dev / database init Creates a target using an address for boundary dev and when first init-ing boundary (boundary database init). It also makes this newly created target the default one (ttcp_1234567890). The target using host sources is now a secondary target (ttcp_0987654321).	3 years ago
Hugo Vieira	803cd278ae	fix(cmd): boundary connect SSH depending on a host id for ssh aliasing Targets are not guaranteed to have Host Ids anymore, so we now use Target Id when a Host Id is not present.	3 years ago
Hugo Vieira	c82d2efb14	feat(cli): Implement address flag for boundary targets create/update This commit adds CLI support for addresses to be attached directly to a Target, for all current types of Target (ssh and tcp). It also clarifies the relevant documentation regarding the autogen of API option functionality.	3 years ago
Irena Rindos	9135cc7668	In absence of ingress filter, use directly connected worker (#2757 ) * directly connected ingress filtering	3 years ago
Jeff Mitchell	098248be18	Add the ability for CLI map values to contain keys only, which map to JSON nulls (#2721 )	3 years ago
Jeff Mitchell	5353725278	Merge duplicated attr/secret/kv flag handling into one function (#2720 )	3 years ago
Jeff Mitchell	66dc82a7ba	Send message on dev mode SIGHUP so it doesn't just appear to have been swallowed	3 years ago
Irena Rindos	834a2a88f7	feat(targets): Addition of egress and ingress worker filters (#2654 ) * feat(targets): Addition of egress and ingress worker filters	3 years ago
Johan Brandhorst-Satzkorn	df02501dcc	Create new "previous-root" key purpose for root key migrations (#2639 ) (#2648 ) * Update go-kms-wrapping dependency * Apply changes suggested by Jeff * Fix listener test * Add note about config fix to CHANGELOG * Review comments Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com> Co-authored-by: Dan Heath <76443935+Dan-Heath@users.noreply.github.com>	3 years ago
Johan Brandhorst-Satzkorn	edd323b73a	Key Rotation/Destruction (#2477 ) (#2607 ) * Key Rotation/Destruction (#2477) * fix: Correct kms.CreateKeys comment This method does not return anything. * feat(kms): Add new ListKeys method The new ListKeys method wraps the underlying KMS wrapper, returning all the keys in the scope specified. * feat(scopes): Add new scope actions for key management Adds list-keys, rotate-keys and revoke-keys actions for scopes. * feat(scopes): Add ListKeys API endpoint This new endpoint lists all keys in a scope * feat(api): Add ListKeys to Scopes client This has to be a custom function because it is a custom action and doesn't map well to any of the existing templates, or generalises well in a way that would make it reasonable to create a new template. * feat(cli): Add new scopes list-keys command * add RotateKeys function to the kms repository * Add Rotate Keys Endpoint to Scopes Api (#2360) * add rotate keys endpoint * add tests for RotateKeys endpoint * remove that one comment I forgot about * addressing more PR comments * Add Rotate Keys CLI Command (#2395) * add cli command and client * add bats tests * fix some info text and pr comments * write a new rotate keys description * Add Missing DEK Foreign Keys (#2408) * add missing fks * mark key as nullable in gorm * update tests to use a new wrapper with a real key_id * fix formatting in test and add keys for auth_token test * replace key values * revert postgres_40_01_test.go * style: reformat sql for readability * refactor: change type of key_id columns to kms_private_id * Store key_id and scope_id with oplog entries, re-type columns referencing data key version (#2431) * fix(db): Correct types of data key version referencers * fix(oplog): Fix missing error handling * feat(oplog): Store key_id and scope_id with oplog entries This migration truncates all existing oplog entries, as migrating existing data would have been complex and likely unnecessary. * Update view references * Always delete oplog entries when dropping keys * Fix rebase issues * Fix sql tests * Add schema for new kms destruction jobs (#2479) * feat: Add schema for new kms destruction jobs The schema lets us manage destruction jobs per-table while providing a guarantee that only one run is running at a time. * Apply suggestions from code review Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Fix table reference and tests Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * update domain, api, and cli to all include key versions in outputs (#2472) * update domain, api, and cli to all include key versions in outputs * fix go sum * add migration to fix immutable error * fix final test issue as well as make gen issue * rebase and fix * address johan pr comments * make gen, didn't realize comments were included * update migrations based on new migration 55 file 03 * Move migrations to 56 * feat: Add key version rewrapping function registry (#2478) The new RegisterTableRewrapFn can be used by a domain to register a callback to use when rewrapping data in a specific table name. * feat(kms): Add scopeId to RewrapFn (#2539) This makes it much easier for rewrap functions to look up the correct wrapper and limit the number of rows searched. * Update Root Cert Proto Definition (#2542) * update root cert proto definition to properly identify public_key as the table primary key * add the test fix as well * Rewrap Functions for Encrypted Tables (#2532) * add oidc rewrap * add argon2 config rewrap * add auth token rewrapping * add worker auth cert rewrapping * check the err * add username password credential rewrapping * add ssh private key credential rewrapping * add vault client certificate rewrap function * add host catalog secret rewrap function * cleanup a little * add host vault token rewrap function * add session credential rewrap function * add session rewrap function * add worker auth rewrap function * update test to include full assert gamut * add session rewrap function TEST * bring all tests up to current standards, make more readable, and include full assert gamut * rework all rewrap functions to utilize scope id * update comments, queries, sql refs, etc, in response to PR comments * forgot a comment * remove hmac updates and fix a couple comments again * Rewrapping Registered Tables Test (#2555) * add the registered table test as well as the two missing rewrap functions * address pr comments, add db r/w conversions, cmp.diff, sql comment, remove (now) faulty immutable test * Add ability to list key version destruction jobs, recurring jobs and destroying key versions (#2498) * feat(kms): Add ability to list data key version destruction jobs * feat(scopes): Add ListKeyVersionDestructionJobs * feat(cli): Add list-key-version-destruction-jobs * feat(kms): Add recurring job that performs table rewrapping The new recurring job runs for each job table with a registered rewrapping callback. It attempts to become the running run and start its rewrapping, gracefully handling sudden interruptions by resuming it's work if it finds evidence of sudden interruption. * feat(kms): Add recurring job for destroying key versions The new job monitors the database for data key version destruction jobs that have finished rewrapping all its data, performing the final data key version revocation. * feat(kms): Add DestroyKeyVersion DestroyKeyVersion immediately destroys a key version if it is a root key version or a data key version which encrypts no data. If the data key version encrypts data which needs to be rewrapped, it queues an asynchronous job to complete the rewrapping operation. * feat(scopes): Add DestroyKeyVersion API endpoint * feat(cli): Add scopes destroy-key-version CLI command * Ensure all secret updates include key ID (#2556) * feat(all): Ensure all secret updates include key ID When updating a secret, it is paramount that the key ID is also updated, as it is the only means we have of ensuring that we only destroy keys once there is no more data associated with the key. * Remove fix to session repository for now This breaks the current private key derivation method * add new encrypt/decrypt funcs and made necessary proto changes (#2557) * add new encrypt/decrypt funcs and made necessary proto changes * address all PR comments * fix test panic * add param checking to rewraps * fix(schema): Correctly organize migrations again * Review comments part 1 * Review comments part 2 * Review comments part 3 * Store cert private key, encrypt tofu token (#2583) * fix(session): store cert private key, encrypt tofu token Previously, we would derive a session certificate private key from the session key used in each project, and not store the key. We would also encrypt the tofu token with the database key but not store a reference to this key in the database. This change fixes this by replacing our key derivation with a key generation step, and instead store the generated key, encrypted, in the database. We also ensure that any new tofu tokens are encrypted with the same key. To handle existing sessions, we lazily rewrite the sessions whenever a user lists them. There is a minor risk that a user could end up destroying the database key that encrypts the tofu token before that session has been rewrapped, but this is going to be rare and temporary. * feat(session): Allow the random source for secrets to be configured * Review comments * Minor fixes * More minor fixes * More small fixes Co-authored-by: Danielle Miu <dani.miu@hashicorp.com> Co-authored-by: Danielle <29378233+DanielleMiu@users.noreply.github.com> Co-authored-by: Michael Gaffney <mike@gaffney.cc> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * fix(session): Unset session key ID when scope is deleted Unsetting the key ID allows the session to live beyond the lifetime of the scope, while allowing the scope to cascade delete its keys. * fix(migrations): Rewrite migration 56 tests These tests can no longer use the normal test helpers as they try to use the new oplog table structure, so we have to manually write all the interactions. * fix(migrations): Rename migration 58 file name This was the name used in the release branch, update it to the new migration number. * fix(e2e): Add some comments and debug to kms tests * fix(session): Handle empty project and user IDs in read When a project or user is deleted, the session is automatically canceled and the respective field on the session is unset. LookupSession did not handle this case gracefully, and would error on decryption in this state. Skip decrypting sessions that do not have either a user or project to avoid this error. The decrypted values are not used for a canceled session. * Fix worker test * Increase test timeout Co-authored-by: Danielle Miu <dani.miu@hashicorp.com> Co-authored-by: Danielle <29378233+DanielleMiu@users.noreply.github.com> Co-authored-by: Michael Gaffney <mike@gaffney.cc> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com>	3 years ago
Jeff Mitchell	0c96c6ff6c	Split grace period into multiple config values (#2578 ) (#2603 ) Co-authored-by: Todd <github@quaddi.com>	3 years ago
Irena Rindos	1e59aaf19b	fix host sets command sample command (#2596 )	4 years ago
Michael Li	067530cdbf	fix(test): Retry websocket connection due to flaky failure (#2584 ) We have observed several unit tests occasionally fail when trying to read a handshake due to the following error: failed to read protobuf message: failed to get reader: received close frame: status = StatusProtocolError and reason = "received header with unexpected rsv bits set: false:false:true" After an investigation, it's still unclear how this happens. We are opting to just retry to mitigate the flakiness.	4 years ago
Hugo Vieira	bfd65feb90	feat(cmd): Display session connection information	4 years ago
Johan Brandhorst-Satzkorn	f57454b6b9	Rewrite interface{} to any (#2535 ) * chore: Rewrite interface{} to any * Add ignore revs	4 years ago
Timothy Messier	d896f37493	Support reading multiple configuration files(#2504 ) feat(config): Support multiple files This updates the three subcommands that take a `-config` flag to to support multiple config files via a repeated `-config` flag. It updates the following subcommands: - `server` - `database init` - `database migrate` Note that the multiple file support only works if all config files are HCL, not JSON. Also note that the config files are concatenated together. There is no attempt to merge config files, so having the same stanza in multiple files can yield unexpected results, with only one of the stanzas being used. When used with these limitations understood, this provides a way to take different actions for different kinds of dynamic configuration changes. An example would be when using consul-template to render the configuration files for boundary. With the multi file support consul-template can render one config file for the controller stanza, and provide boundary with a dynamic database credential via vault. Then when the credential is rotated, consul-template can send boundary a SIGHUP to switch to the new credential without a restart. A separate template could be used to render a config for a stanza that does not support SIGHUP, such as the events stanza that gets its values via consul's KV. If these values change, consul-template can restart boundary so the new configuration is used. Co-authored-by: Timothy Messier <tim.messier@gmail.com> Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	4 years ago
Louis Ruch	b31e6a8abc	cli(ssh): Use type instead of SubtypeFromId (#2497 )	4 years ago
Jeff Mitchell	6116dad2bc	Fix incorrect flag name (#2494 )	4 years ago
Louis Ruch	b7684a857a	feat(ssh): Use HostId as HostKeyAlias for connect ssh helper (#2490 )	4 years ago
Todd	06fd086004	Add health endpoint for worker (#2442 ) * Return worker process information in the health endpoint. Experimental: The worker_info and returned worker_process_info fields are experimental and can change or be removed without notice. When a user passes in "worker_info=1" or "worker_info=true" and a worker is running the returned json will be returned with a key named "worker_process_info" which value is a json object with information about the worker process.	4 years ago
Irena Rindos	d951e1ebc1	Worker graceful shutdown (#2455 ) * add graceful shutdown to worker	4 years ago
Damian Debkowski	546c5dc5be	feat: static json credentials (#2423 )	4 years ago
Jeff Mitchell	53b5e532d5	Remove deprecated methods/fields on targets (#2393 )	4 years ago
Louis Ruch	506fdfa5c3	cli(ssh): Do not print private key if consumed (#2451 )	4 years ago
Louis Ruch	50490d71ae	chore(targets): Improve help and errors around ssh targets (#2445 )	4 years ago
Louis Ruch	5812a42ba3	feat(scheduler): set intervals from config (#2443 )	4 years ago
Jeff Mitchell	9002930d65	Adapt shared lock skip logic to dbswap branch (#2437 )	4 years ago
Hugo Vieira	bed6e1a0ff	feat(server): Reload database on SIGHUP If the database url is updated on Boundary's config and then a SIGHUP triggered, we now connect to the new database, ensure it's OK to use and use that one going forwards instead. This allows a controller to be deployed in a more dynamic infrastructure where, for example, database credentials could change, without having to restart the controller. In this case only a database url config change and a SIGHUP signal to all controllers would be required. This uses an atomic.Pointer to store wrapped DB objects. This allows atomically swapping to the new object. A timeout is introduced so that if the object is swapped after the existing one has been looked up it isn't immediately invalidated. The timeout is a maximum; a ticker once a second that looks at stats to determine how many database connections are still in use and then closes the driver as soon as none are in use. This could be done with mutexes to avoid checking stats in a loop, but that carries its own risk: if a write lock is attempted to be acquired while a query is holding a read lock, the write lock will block, and any subsequent read locks will also block since write locks take priority. As a result, if a query is long-running or timing out, all other queries in the system will become blocked. Our default user request timeout is 90 seconds and some jobs have no timeout at all, so this is not a purely theoretical concern, even if it's unlikely. Refs: #2435 Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	4 years ago
Hugo Vieira	8ab9ffbcac	refact(cmd): Encapsulate some functionality on Command and Server This commit extracts 3 separate pieces of functionality into their own function/method: - Extracts the database opening with the intention to have a function that performs all that functionality but returns the created database object rather than setting it to the Server structure. - Extracts database validation logic, to provide a common code path for upcoming functionality. - Expose schema manager on the Command struct as well as providing common functions to acquire shared lock/close.	4 years ago
Hugo Vieira	621f8a9ff2	fix(schema): Database connection not cleanly closed This commit introduces closing the Schema Manager's underlying driver connection. We were only releasing the shared lock but not actually cleaning up the db connection and relied on the fact that the process would exit to do that for us.	4 years ago
Timothy Messier	047a66e87d	fix(worker): Improper reload when running as controller and worker (#2438 ) In cases where the server was started with both a controller and worker stanza, the reload of the config was not properly setting the initial upstream value on the new config. In this case the value is derived from other config values and not necessarily set directly. This now properly initializes the new config so that initial upstream is set in the same manner as the first load. Blame: `5d0cdf680f`	4 years ago
Todd	0b942f4493	Only clear tags in set-worker-tags when "null" is set as the value of the -tag flag. (#2434 )	4 years ago
Irena Rindos	18dff62b7b	Merge BYOW GA branch to main (#2398 ) * feat(workers): Add ability to read and reinitialize cert authority (#2312) * feat(workers): Return Release Version on worker list and read (#2377) * feat(cli): Read and reinitialize worker certificate authority (#2387)	4 years ago
Irena Rindos	cee5ff7599	Minor documentation fixes for controller-led (#2432 ) * Minor documentation fixes	4 years ago
Jeff Mitchell	16c9e9b592	Add ability to skip shared lock acquisition	4 years ago
Louis Ruch	d7c4c648ec	bug(vault): Correctly handle credential stores with expired tokens (#2399 ) * bug(vault): Correctly handle credential stores with expired tokens Boundary makes use of a database view to perform CRUD operations on Vault credential stores and libraries. This view did not include credential stores with tokens that have expired in Vault, causing errors when attempting to perform any action against them.	4 years ago
Jeff Mitchell	01fb949d0b	Add controller-led worker auth flow (#2413 ) This adds an action to the API that allows pulling out an activation token that can be given to a worker in its config (directly or via env or file). The worker can pass this along with its normal request in place of its normal nonce and the server will automatically accept it. Co-authored-by: Irena Rindos <irenarindos@users.noreply.github.com>	4 years ago
Timothy Messier	5d0cdf680f	feat(worker): Support reloading of initial upstreams on SIGHUP (#2417 ) On a SIGHUP, if the worker's `initial_upstreams` config option has changed, it will use the new values as the address to send its status. Any previously discovered upstream addresses from previous status requests are dropped. Once a successful status request is made to the new addresses, the worker will resume its normal behavior of using the addresses from the response to the status request. This allows a worker to be deployed in a more stable way in a dynamic environment where controller IPs could change. In particular this helps with a case where all controllers are replaced with new controllers running on new IPs. To illustrate with an example, suppose there is an instance group of controllers instances. And there are worker instances that have their config rendered from consul-template that sets `initial_upstreams` to the IPs of the controller instances. If all controller instances are restarted or replaced at the same time and assigned new IPs, a new config will be rendered for the worker. Previously the only way for the worker to use the new value would be for the worker process to be restarted. Otherwise the worker would only know about the previous IPs and would fail to connect to the new controllers. However, a restart would mean any active sessions and session connections on the worker instance would be terminated. With this update, consul-template can send a SIGHUP to the worker, the worker will connect to the new controllers and resume normal status reporting, allowing the sessions and session connections to remain. The same principles would apply for other examples of dynamic environments such as nomad and kubernetes. See: https://github.com/hashicorp/consul-template https://www.nomadproject.io/docs/job-specification/template	4 years ago
Haotian	17ddc301a8	feat(cli): add/set/remove worker tags (#2266 ) * adds CLI commands for add/set/removing worker tags, and respective tests * adds StringSliceMapVar Flag to convert a string from the CLI to a map[string][]string value	4 years ago
Irena Rindos	b43e61c8c7	bug(workers): Create worker-led panics on invalid token (#2388 ) * Check for error before returning result	4 years ago
Timothy Messier	79866a287f	feat(schema): Add support for migration hooks This adds the ability to define hooks that will run prior to a schema migration. The hooks should only be used when a migration would fail due to data being in an invalid state, likely due to a bug in the previous schema definition. For example if a column was missing a constraint, and a new migration is attempting to add the constraint, there might already be values that violate the new constraint. In such cases, we would want the user to make a decision to address the data, and need to provide them with details about what data is problematic in case they want to manually address the problem. To help the user, if there is a sane way to address the data, we should provide an option to automatically "repair" the data, allowing the migration to continue. However, this still should be an explicit opt-in from the user, and we need to clearly describe what the repair option would do to the user so they understand the consequences of opting in. To accomplish this each migration can be provided a hook that contains a CheckFunc, RepairFunc, and RepairDescription. These functions must operate at the point-in-time of the migration immediately preceding the current migration, as as such they should not use and domain packages or repositories, instead they should use direct sql with the sql library. The description is used to explain what the RepairFunc will do. Hooks should be defined in `internal/db/schema/migrations/oss/oss.go` and registered with the schema edition. See the example in `internal/db/schema/manager_example_test.go` for more details.	4 years ago
Jeff Mitchell	02dd28f587	Add support for SSH private key passphrases (#2331 ) This adds support for encrypted SSH keys via passphrase. Co-authored-by: Louis Ruch <louisruch@gmail.com> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com>	4 years ago
Louis Ruch	dcccaf1bcf	bug(cmd): Ensure RunShutdownFuncs is called when an early error occurs (#2333 ) * bug(cmd): Ensure RunShutdownFuncs is called when an early error occurs	4 years ago
Jeff Mitchell	fa17fdf9d7	Update wording and fix a missing prompt (#2329 )	4 years ago
Jeff Mitchell	fe2ee7ef4a	Change behavior of `-token` and `-password` to support env/file only (#2327 ) * Revert "Remove `-token` flag (#2303)" This reverts commit `65cff995d7`. * Change behavior of -token * Add use of MustParsePath * Update changelog * Use errors.Is	4 years ago
Louis Ruch	53dbd51f14	Only consume ssh brokered credentials if the target is tcp (#2323 )	4 years ago
Jeff Mitchell	26ffa705e5	Add parsepath logic to password in various places (#2325 ) * Add parsepath logic to password in various places: * Account password create/set/change * Authenticate Also fixes a bug where confirmation on a change-password call would run for the current password instead of the new one.	4 years ago
Jeff Mitchell	8800ec9c94	Reorganize logic to allow a poison pill (#2317 )	4 years ago
Louis Ruch	fc25178827	bug(server): Start ops listener even if controller is nil (#2314 )	4 years ago
Damian Debkowski	2db5840790	fix(cli) check error value in executeExtraActionsImpl funcs (#2293 )	4 years ago
irenarindos	4908aba546	feat(vault): Add unimplemented worker filter support to OSS	4 years ago
Damian Debkowski	1e44ed3d92	fix(cli) check error value from command func (#2286 )	4 years ago
Jeff Mitchell	5117cf9548	Add some safety checks in server command (#2288 )	4 years ago
Timothy Messier	439566cd10	feat(target): Add ssh target support to sdk/api/cli This add the generated code and additional configuration to support sending the ssh target subtype to the api via the sdk or cli. The cli now supports an additional subcommand for the ssh target subtype: boundary targets create ssh boundary targets update ssh	4 years ago
Damian Debkowski	c2bfcc0664	refactor(api module): enforce typed definitions (#2238 )	4 years ago
Louis Ruch	d6c1402223	bug(cli): Correctly generate private key file (#2274 )	4 years ago
Louis Ruch	7d1a989ea7	feat(cli): Support using brokered private key in ssh subcommand (#2267 ) * feat(cli): Support using brokered private key in ssh subcommand	4 years ago
Louis Ruch	a17e973712	feat(credentials): Refactor credential purposes (#2260 ) * feat(credentials): Refactor credential purposes * Application credentials have been refactored to Brokered credentials * Egress credentials have been refactored to Injected Application credentials Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	4 years ago
Jeff Mitchell	271cc8f781	Add ssh private key to CLI (#2265 )	4 years ago
Jeff Mitchell	7ab7c8eaf4	Have fallback eventing use json format (#2216 ) * Have fallback eventing use json format The server will initialize a logger via InitFallbackLogger(...) after setting up the server's logging (and honoring the related cmd flags). This fallback logger will be used if when no eventer is initialized. If no fallback logger is initialized, then a event.defaultLogger() will be used if no eventer is defined. Co-authored-by: Jim <jlambert@hashicorp.com>	4 years ago
Timothy Messier	fd5d15af27	feat(config): Add database config options for idle connection management (#2176 ) This adds two new config options for the `database` stanza: - `max_idle_connections` - `max_idle_time` These correspond to settings for the underlying `sql.DB` instance. They can be used to have finer control over the controller's database connection pool. For example this can be used to mitigate the high connection overhead when connecting to postgres by setting a high `max_idle_connections` and either setting `max_idle_time` to zero or to a high duration. Alternatively, if using a connection pool like pgpool-II or pgbouncer, `max_idle_connections` can be set to 0. See: https://pkg.go.dev/database/sql#DB.SetMaxIdleConns https://pkg.go.dev/database/sql#DB.SetConnMaxIdleTime https://www.pgpool.net/mediawiki/index.php/Main_Page https://www.pgbouncer.org/	4 years ago
Damian Debkowski	3e9c99c217	refactor(user_password) rename all references of user_password to username_password (#2232 )	4 years ago
Todd	19b549c44a	Rename package servers to server (#2222 )	4 years ago
Louis Ruch	9671daf6e0	Revert "refactor(user_passsword) change all references of user_password into username_password (#2189 )" This reverts commit `ab58b24142`.	4 years ago
Damian Debkowski	ab58b24142	refactor(user_passsword) change all references of user_password into username_password (#2189 ) * (refactor) change all sql references of user_password to username_password * refactor(pkg) renamed pkg userpassword to usernamepassword * refactor(proto) updated protocol buffers to use UsernamePassword * refactor(code) updated references from UserPassword to UsernamePassword in golang files * refactor(test) updated unit tests to reference UsernamePassword changes * refactor(ddtest) updated references in dbtests to use UsernamePassword * chore(sql-test) fixed spelling issue * chore(sql) added and updated comments in migartion & tables. fixed indentations * chore(proto) updated comments to reflect username_password changes * refactor(tests) updated unit tests to replace user-password with username-password * refactor(cmd) updated cmd help text to use username * chore(tests) update test name & comments * fix(cmd) fixed cmd usage definition for credentials update * refactor(tests) removed out of scope changes * fix(sql) incremented sql migration id & updated migration comments	4 years ago
Jeff Mitchell	a589c32269	Minor capitalization change	4 years ago
Jeff Mitchell	32d04b9ce7	Allow a worker to use KMS auth but accept PKI for proxy (#2206 ) This essentially worked for non-dev mode before but would create storage directories that weren't actually used or needed, and it didn't work in dev mode because it made assumptions about the presence of a worker auth kms or not. This fixes those behaviors.	4 years ago
Jeff Mitchell	9a4545e59e	Fix eventing and worker name setup (#2204 ) * Don't automatically create worker names, as this is now invalid for PKI workers * Fix a check in dev that clears out name/description in exactly the wrong cases * Change eventing setup to use a hostname-based ID instead of the name (which could change on every start anyways)	4 years ago
Jeff Mitchell	704d68848c	Merge remote-tracking branch 'origin/main' into llb-byow	4 years ago
Jeff Mitchell	bfd9565010	Merge remote-tracking branch 'origin/byow-attrib-consolidation' into llb-byow	4 years ago
Jeff Mitchell	3d42737789	Don't display active connection count if it's not authorized (#2200 )	4 years ago
Jeff Mitchell	4efbce3112	Add description updating via worker status (#2197 )	4 years ago
Louis Ruch	5ef9496e0a	feat(cli): Support credential brokering with sshpass (#2191 )	4 years ago
Louis Ruch	68eb6e2bed	chore(targets): remove deprecated credential libraries on target resources (#1533 )	4 years ago
Todd	beecbbb8a2	Upsert creates a new KMS and Updates PKI workers (#2187 )	4 years ago
irenarindos	80752e9a24	cli(workers): Add extra help func	4 years ago
Jeff Mitchell	8335deb8b6	Update protos, generated code, and service handlers (#2188 ) * Update protos, generated code, and service handlers * Address review feedback	4 years ago
Louis Ruch	4b365db634	feat(target): Add support for static credentials during authorize-session	4 years ago
Louis Ruch	58d546cdd4	feat(credential): Add static credential store and username_password credential	4 years ago
Haotian	40ba275759	feat(worker): add 'initial_upstreams' field to worker config to prepare to replace 'controllers' field. Update worker config description on website.	4 years ago
Jeff Mitchell	8a131ef4f7	Fix missing guardrail for worker kms auth population (#2172 ) * Fix missing guardrail for worker kms auth population	4 years ago
Jeff Mitchell	5d3facf561	Merge remote-tracking branch 'origin/main' into llb-byow	4 years ago
Louis Ruch	c4285b29cc	fix(target): Correctly return egress credentials assocaited with target (#2167 )	4 years ago
Irena Rindos	f7dbf2a532	Merge pull request #2163 from hashicorp/irindos-clusterid-upstreams feat(worker): Map cluster ID in config to upstream address	4 years ago
Jeff Mitchell	5a7291131f	Make current key update on rotation	4 years ago
Jeff Mitchell	b84001c07d	Add CLI for workers (#2164 )	4 years ago
irenarindos	256498d40f	fixup! feat(worker): Map cluster ID in config to upstream address	4 years ago
Jeff Mitchell	5b978d7fa7	Adjust parameter naming (#2161 ) * Adjust parameter naming for some worker resource fields * Add eventing listener to event when authentication is successful from a downstream worker	4 years ago
irenarindos	3aa7d11419	feat(worker): Map cluster ID in config to upstream address	4 years ago
Timothy Messier	e79714e93f	feat(session): Add include_termianted option to list endpoint	4 years ago
irenarindos	594e6e82b5	feat(worker): save workerAuth request to a file	4 years ago
Jeff Mitchell	9736b79d4e	Remove temporary node authorization functions (#2147 )	4 years ago
Jeff Mitchell	d1b3b2441f	Add node rotation (#2142 )	4 years ago
Jeff Mitchell	aa0afd325a	Remove 'ephemeral' from KMS auth method bits (#2141 )	4 years ago
Jeff Mitchell	4117841cf9	Use persistent storage for worker auth credentials (#2139 )	4 years ago
Jeff Mitchell	caf19f867e	Rename some variables to remove Nodee	4 years ago
Haotian	631c174f47	feat(worker): implements WorkerAuthStorage wrapper for worker credential encryption (#2076 ) * Adds WorkerAuthStorage wrapper for worker credential encryption using nodeenrollment library. * Adds AuthStoragePath field in worker config and dev mode to specify directory to store credentials.	4 years ago
Todd	731a45eba6	Merge the worker_status table with the worker table (#2111 )	4 years ago
Jeff Mitchell	46e97a2b91	Update to new nodee lib bits (#2120 )	4 years ago
Jim	70c5da1048	feature (workers): add repository CreateWorker(...) (#2105 )	4 years ago

1 2 3 4 5 ...

569 Commits (c2bc19c71fac7c3ccf106b3cdf0c19fb7ecf899d)