custodia.git/custodia, branch master Unnamed repository; edit this file 'description' to name the repository. Allow non prefixed forwarding 2015-10-19T16:18:34+00:00 Simo Sorce simo@redhat.com 2015-10-16T18:24:06+00:00 53ecda8cd57495db38ce21d140040de1fb5572b6 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Christian Heimes <cheimes@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Add support for using listening on TCP sockets 2015-10-19T16:18:30+00:00 Christian Heimes cheimes@redhat.com 2015-10-06T13:44:13+00:00 92e35e55d82e7cbb125da0c32eacec080eea2a54 The server can be now configured using a new parameter called "server_url". Setting server_url to "http://0.0.0.0:80/" will make the server listen on TCP port 80, while setting it to "http+unix://%2fsocket" will make the server listen on the unix socket named "/socket". The backwards compatible "server_socket" is retained and used if no server_url is provided. The request dict has a new field "client_id" that contains either a PID or a peer name. In the future the field can be augmented with a TLS client cert DN or other similar identifier. Signed-off-by: Christian Heimes <cheimes@redhat.com> Signed-off-by: Simo Sorce <simo@redhat.com> 
The server can be now configured using a new parameter called
"server_url".

Setting server_url to "http://0.0.0.0:80/" will make the server listen
on TCP port 80, while setting it to "http+unix://%2fsocket" will make
the server listen on the unix socket named "/socket".

The backwards compatible "server_socket" is retained and used if no
server_url is provided.

The request dict has a new field "client_id" that contains either a
PID or a peer name. In the future the field can be augmented with a
TLS client cert DN or other similar identifier.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Add forwarder plugin 2015-10-19T16:18:26+00:00 Simo Sorce simo@redhat.com 2015-10-03T01:30:35+00:00 b20b47b100b2716273a5abfe2850e994c1d3e69d This pugin allows to mangle and forward requests to another custodia server, locally or on the network. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Christian Heimes <cheimes@redhat.com> 
This pugin allows to mangle and forward requests to another custodia
server, locally or on the network.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Add auditing to auth/authz modules 2015-10-19T16:18:16+00:00 Simo Sorce simo@redhat.com 2015-10-05T17:46:24+00:00 9f9e8ab04f7478688d41c9bcb6ec3e3a7913fd8d Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Christian Heimes <cheimes@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Add client classes to query custodia servers 2015-10-19T16:18:10+00:00 Simo Sorce simo@redhat.com 2015-10-01T22:19:02+00:00 a94ac9cec35e12765bba61409cf4db88f564af4c This makes it simpler to use a custodia server, whether exposed over HTTP, HTTPS or a unix socket with the http+unix schema. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Christian Heimes <cheimes@redhat.com> 
This makes it simpler to use a custodia server, whether exposed over
HTTP, HTTPS or a unix socket with the http+unix schema.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Add simple Keys-in-Header based authentication 2015-10-19T16:18:03+00:00 Simo Sorce simo@redhat.com 2015-10-01T13:58:40+00:00 58d434e0fea2b2f9544e7ef1fba07bf50e07b7c0 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Christian Heimes <cheimes@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
etcdstore: prevent path traversal attacks 2015-10-19T16:17:58+00:00 Christian Heimes christian@python.org 2015-10-01T11:30:13+00:00 785fc87f38b4811bc4ce43a0a9b2267ee7d500b4 A new internal method _absolute_key() is used to join key name and name space. etcd treats the key space like a file system so the method checks the key for '//', '.', and '..' to prevent invalid paths and path traversal attacks. Signed-off-by: Christian Heimes <cheimes@redhat.com> Signed-off-by: Simo Sorce <simo@redhat.com> 
A new internal method _absolute_key() is used to join key name and name
space. etcd treats the key space like a file system so the method checks
the key for '//', '.', and '..' to prevent invalid paths and path traversal
attacks.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
Implement ETCD based Store 2015-10-19T16:17:48+00:00 Simo Sorce simo@redhat.com 2015-09-25T02:26:45+00:00 0ca07419bbc2c4e499b4c37d2183d82b2640e816 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Christian Heimes <cheimes@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Extend store interface to create namespaces 2015-10-19T16:17:42+00:00 Simo Sorce simo@redhat.com 2015-09-28T14:23:24+00:00 1d813cc53b9c03636967600f0e31e0cafb14813c Use a new verb, "span" to create namespaces/containers. This will be needed for the Etcd plugin which need to distinguish between a directory and a key. The sqlite/enclite just pass the request to their set() method. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Christian Heimes <cheimes@redhat.com> 
Use a new verb, "span" to create namespaces/containers.
This will be needed for the Etcd plugin which need to distinguish between
a directory and a key.
The sqlite/enclite just pass the request to their set() method.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>
Add UserNameSpace auths plugin 2015-10-19T16:17:37+00:00 Simo Sorce simo@redhat.com 2015-10-06T00:09:02+00:00 bd2e62767e6287dcaf5275362338682fc555d4ce Moves the secrets.Namespaces plugin to the proper authorizers file and fixes it to properly enforce the user-named namespace is being used. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Christian Heimes <cheimes@redhat.com> 
Moves the secrets.Namespaces plugin to the proper authorizers file and
fixes it to properly enforce the user-named namespace is being used.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Christian Heimes <cheimes@redhat.com>