boundary

Commit Graph

Author	SHA1	Message	Date
Jeff Mitchell	7c3d5be4f6	Update format of secret to return both raw and decoded when possible (#1372 )	5 years ago
Jeff Mitchell	14c7993c2c	Rework single-value set-credentials-library logic (#1364 )	5 years ago
Todd Knight	13a65052b4	Allow set-credential-library when a single library id is provided. (#1363 )	5 years ago
Jim	3820503979	"make fmt" updates	5 years ago
Jeff Mitchell	86c9a90554	Update target credential library service, API, SDK, CLI (#1343 )	5 years ago
Michael Gaffney	df35699c4e	Integrate with Vault to retrieve and manage per session credentials (#1308 ) * Fix down migrations * Udpates due to merge * Sentinel values only have to be greater than 0 * Create credential related sdk structs and methods. * Post merge interface updating. * Removing scratch code that was not cleaned up. * updates * Convert client certificate and client certificate keys into pem blocks and validate. * Add newline at end of file. * Faster check for "s" at the end of a resource name when generating from templates. * make fmt * updates * Add dynamic credentials to a session * Refactor: move contents of file * updates * Updates * Add InvalidDynamicCredential error * Assign credentials * Allow updating client certificates seperate from the client certificate key. * Replace application purpose string with enum value * PR feedback / fix go test . * Delete dead code * Use common view * Refactor: extract interface and rename method * Refactor: move code to eliminate privPurpLibrary * Add comment to requestMap * Refactor: do not export methods on an unexported struct * Update internal/db/schema/migrations/postgres/10/03_vault_credential.up.sql Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Add comments to credential Purpose constants * Reorder switch statements to handle errors first * PR feedback * update * fix merge * Organizing the scheduler code and extract the individual store creation test helper function. * Run 'make fmt' * Create certificate when creating store. Allow vault address to be passed in as option * Refactor: rename database views and associated structs This change renames two database views and associated go structs to use a consistent naming pattern. Views ending in 'private' contain encrypted credentials needed for connecting to Vault. Views ending in 'public' mirror the 'private' views but do not include any encrypted values. This change does not include any changes to functionality or behavior. * Adding SAD target operations for credential libraries to the SDK. * Add status field and enumeration table for credential status * Refactor: rename Status to TokenStatus * Add status to vault credentials * Creating the template for the CLI and helper functions. * Add private database view for vault credentials * Add scope_id to view and cleanup TODO comment * Reformat embedded sql queries * Add vault client helpers * updates * white space * Add LookupLease test * CLI commands for Store work. Renamed fields in proto w/ vault prefix. * Test issue credentials with client TLS * Add additional checks to vault ping * Add an error for vault token capabilities and create a VaultToken error kind * Add support for working with Vault policies * Use Vault 1.7.2 for testing * Add testing helper for creating a vault client with a non-root token * Fix Vault renew lease test The Vault renew lease endpoint accepts an optional duration parameter for requesting the number of seconds to extend the lease by. However, Vault is not required to honor this request. * Add a var for the required capabilities of a boundary Vault token * Enhance the test helper for adding a policy to Vault * Allow the test role in postgresql to revoke credentials * Remove out of date comments * Enhance Vault test helpers for the database secrets engine * Reformat comments * Add a method for getting the capabilities of the current Vault token * Add revoke lease to internal Vault client * Reformat: combine err return line with check for nil line * Remove redundant checks in test code Remove checks in test code that are redundant with checks in the test harness. * Refactor CreateToken test helper to return the secret and the token * Fix build failures caused by signature change in vault.CreateToken * Fix Vault version and Vault API link in comments * ran `make gen` after merging from mgaffney-vault. * Remove Vault prefix from attribute fields in API, create a base CLI option for adding field prefixes. format now uses that prefix for error reporting. * Template now allows attaching attribute field prefixes. * Credential store uses PrefixAttributeFieldErrorsWithSubactionPrefix. * Fixing naming of vault flags and helper flags. * Updating more references to generated api methods. * Make the capabilities String method more readable * Add comment outlining PrintApiError usage of Options. * Refactor test to move declarations closer to first use * Fix comment * Implement revoke method on vault repository * Tests now verify certs, CA, and tokens, addresses can be updated in a store. * Added test for creating store with pk/cert in same field. * Allo updating certificates seperate from private key. Only contact backing vault service when updating token. * Fixing bad tests and removing unused code. * Adding tests for various ways of updating tokens. * Add private credential * Add token revocation job and cred renewal/revocation job * Regen after merge. * Fixing field mask related merge error. * Create Library CLI. Removes vault prefix from path. Adds a WithoutCleanup testOption for vault. * Set all credentials to revoked when a token is revoked * Fixing missed renaming update. * fix copy/paste error. * Fixing code generation errors after merge. * make gen after merge. * Update internal/cmd/commands/credentialstorescmd/vault_funcs.go Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Update internal/cmd/commands/credentialstorescmd/vault_funcs.go Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Update internal/cmd/commands/credentialstorescmd/vault_funcs.go Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> * Refactor: move migrations from 10 to 12 * Removing logic from transaction. * wrapping client errors in the calling op for CredentialStore's client() method. * Redact token * redact client key * updates * Add trigger to revoke credentials when session is canceled or terminated * Fixing some help text for some flags. * Add ability to load values from files (file://) or environment variables (env://). * Updating comments * fix bad merge * feedback * Adding issued credentials to sessions. * Error on capabilities * updates * Expose NewVaulTestServer * Add godoc * Adding generated SessionCredential struct for API. * Progress on building handler test for Authorize Session. * feedback * Update policies * Add 'revoke' as a status for Vault Tokens * Add delete_time to vault credential store * Create dynamic credentials at session creation time. * Tests pass with credentials attached to AuthorizedSession result. * Only call issue if there are credentials to issue. * Fixing output only issues. Adding type to credential library. * Fix test to clear un/pw generated. confirm generated un/pw changes from 1 authorize session call to another. * Update lookupTokenError * Add delete_time to private credential store * Refactor: move private store to separate file * Fixing tests for AuthorizeSession and verifying error cases. * Only create the credential repo if there are credentials to issue. * Rename Library field to CredentialLibrary. * Fixing missing change of Library to CredentialLibrary. * Removing Default SDK functions for fields which are required and update CLI to match. * Replace resource specific id variables with "id" and the input parmater for paths to be just a single string and the resource name as it should show up in the path. * Soft delete vault credential stores * Prevent new SQL functions from silently overwriting existing functions * Rename "Hmac" to "HMAC" in the human readable cli response table. * Fix tests * Add vault database cleanup jobs * Add ability to set the token period in the vault test harness * updates * Add not_null_columns func test * remove unused struct * Up no output timeout * Validate current vault token on addr update * Fix client cert change test * add cert test * Update revocation job where * Fix comment * Use Vault's default port in CLI help strings * Remove down migrations * Increase migration file numbers by 1 * Run make migrations * Move migrations from 12 to 10 * Increase Circle CI timeout for acceptance tests * Fix spelling mistake in error messages * ASD cmds for Target and returning credentials to AuthSession request (#1338) * Add Add/Set/Remove commands for libraries on Targets. Return credentials on AuthorizeSession request. Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com> Co-authored-by: Louis Ruch <louisruch@gmail.com> Co-authored-by: Todd Knight <T.Alan.Knight@gmail.com> Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>	5 years ago
Jeff Mitchell	9c945b7021	Migrate ParseAddress to shared-secure-libs (#1313 )	5 years ago
Jim Lambert	aa41676dc9	make gen changes prior to staging release	5 years ago
Jeff Mitchell	054c0aa538	Update password generated account IDs (#1290 )	5 years ago
Jeff Mitchell	d6ef2732e7	Merge remote-tracking branch 'origin/main' into ICU-1573	5 years ago
Naohisa Murakami	237590831b	Fix comment in template for cli (#1281 )	5 years ago
Jeff Mitchell	ad93315b59	Add predictable account IDs in dev mode (#1271 )	5 years ago
Jeff Mitchell	306d4fb4d3	Add API/CLI for managed groups (#1265 )	5 years ago
Jeff Mitchell	179a49657e	Managed Groups service (#1262 )	5 years ago
Jeff Mitchell	7da892a054	Managed Groups OIDC Repo (#1254 )	5 years ago
Jeff Mitchell	15bd1a5245	Add initial SQL for managed groups (#1253 )	5 years ago
Jeff Mitchell	765829be6e	Update CORS to have an allowed_origin of `` by default (#1249 ) Update CORS to have an allowed_origin of `` by default Update changelog	5 years ago
Jeff Mitchell	13545e3171	Revert "internal/cmd/config: allow explicit origin list w/implicit CORS toggle (#1247 )" (#1248 ) This reverts commit `579fc621ec`.	5 years ago
Chris Marchesi	579fc621ec	internal/cmd/config: allow explicit origin list w/implicit CORS toggle (#1247 ) This ensures that cors_allowed_origins can be set when cors_enabled is not explicitly specified and allowed to be its default (currently true). The current behavior is to clobber this value when cors_enabled is not explicitly set, ultimately setting it to the default of "serve://boundary" only.	5 years ago
Michael Gaffney	21033a6174	Refactor: multiple rename to fix the spelling of subtype (#1227 ) The definition of 'subtype' is 'a secondary or subordinate type'. The 'T' should not be capitalized (unless it is referring to a type of submarine, which its not).	5 years ago
Jeff Mitchell	7ee8ddba6a	True up some spelling	5 years ago
Jeff Mitchell	6f34da8923	Add cleanup of dead connections no longer reported by a worker (#1220 )	5 years ago
Alexey Dubkov	a33d1922a1	Fix cmd help for groups: rename user to member (#1212 )	5 years ago
denniskniep	5ba8377106	Remove text in oidc command on json format (#1213 ) Fixes #1193 Fixes that the openid connect authenticate command formatted as json returns disturbing text. Therefore it can not be piped and parsed by another tool	5 years ago
Jeff Mitchell	c22631fbca	Fix `boundary database init` respecting format flag (#1204 ) The output was ready for json format but the flag wasn't included.	5 years ago
Jeff Mitchell	22d5c88a0b	Add Output Fields support (#1192 )	5 years ago
Jeff Mitchell	f32e7f9144	Add ability for the controller/worker name to be read from env/file (#1181 )	5 years ago
Michael Gaffney	f130563da7	Run make fmt	5 years ago
Jim	2437cdcc8d	OIDC: add support for account claim maps (#1186 )	5 years ago
Dylan Scott	4ae5003763	PR #1001 : Postgres Connection Pooling Control (#1015 )	5 years ago
s-christoff	9ceeb3bd65	Add -container-image flag (#1112 )	5 years ago
Michael Gaffney	ecc9d6d649	Run make fmt	5 years ago
Todd Knight	5d17bd9eec	Error on `boundary database migrate` if the db hasn't been initialized (#1184 )	5 years ago
Jim	8d317023f8	OIDC: make callback URL paths deterministic. (#1188 )	5 years ago
Jim	25e657fa51	Ongoing OIDC: support to request additional OIDC scopes from the IdP (#1175 )	5 years ago
Jeff Mitchell	4690225c1e	Update delete action behavior and JSON format output (#1155 ) This PR changes delete behavior: * On success, a 204 is returned rather than a 200 with an empty JSON object * The CLI now passes through the 404 error if encountered instead of swallowing it It also updates formatting for JSON to use the response body, which means that the item (or items) in the JSON format are actually the format across the wire, instead of being reinterpreted by unmarshaling into the Go SDK and then remarshaling.	5 years ago
Jeff Mitchell	e6af51943d	Add read:self and delete:self to auth tokens and add logout command (#1162 )	5 years ago
Jeff Mitchell	727d1c7085	Add "no-op" action and use it as default for scope permissions (#1138 ) Because of listing visibility, if no actions are assigned to a user for an individual resource, it's excluded from the list. This is fine and good. However, when we made a change in 0.2.0 to restrict the information returned from listing for the anonymous user for scopes and auth methods, it exposed the fact that because of the way this visibility works we had to add `read` to scopes by default -- thereby rather defeating the purpose of restricting what goes back to `u_anon` requests. The purpose of "no-op" is to never be used for real actions within the API, but as something that can be granted to specifically enable visibility for the targeted user. This makes the controls over list visibility much more granular.	5 years ago
Jim	75108cbc8b	Ongoing OIDC: return the primary account info along with the user. (#1145 )	5 years ago
Jeff Mitchell	46d7613e2d	Remove extra s in item table output for auth methods and host catalogs	5 years ago
Jeff Mitchell	c54aedcf1a	By default, add Boundary Desktop's origin to allowed CORS origins (#1121 ) This also adds support for a flag to disable this behavior. Fixes #1093	5 years ago
Todd Knight	dc881e65d4	Fix alignment for `Is Primary For Scope` field and values for listing.	5 years ago
Jim	6c003c94f7	add "Is Primary" to auth method CLI output (#1115 )	5 years ago
Todd Knight	072b950540	Filter inactive and private oidc auth methods from unauthenticated list requests (#1110 )	5 years ago
Todd Knight	53ec3c44bc	Auth Method Listing matches other resources, remove repeated "Version" field. (#1107 )	5 years ago
Jeff Mitchell	90b30bad25	Use 202 for token polling endpoint instead of 204 (#1103 )	5 years ago
Todd Knight	71673ea161	Pass disable_discovered_config_validation in the API change-state call (#1100 )	5 years ago
Jeff Mitchell	f05f37d0fa	Fix panic in non-generated API calls when printing as JSON (#1095 ) Fixes #992	5 years ago
Jim	dd0f34bc35	Add new OIDC auth method. (#1090 ) Co-authored-by: Todd Knight <T.Alan.Knight@gmail.com> Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com> Co-authored-by: Michael Gaffney <mgaffney@users.noreply.github.com>	5 years ago
Jeff Mitchell	6c48f6ea77	Use pointers for any Uber atomic values (#1044 ) BK clued me into the fact that for some types, similar alignment problems exist as with the normal atomic package (e.g. 64-bit types on 32-bit architectures) if they are not pointer values. So change the few places they weren't pointers to pointers. None of these are 64-bit, but it feels like best practice for using the library and should just standardize on it.	5 years ago

1 2 3 4 5 ...

278 Commits (ec7577c5fed546ceb2dd4def8e42dfb096cea4e2)