diff --git a/logical/request.go b/logical/request.go
index 3aa041d82..69063457d 100644
--- a/logical/request.go
+++ b/logical/request.go
@@ -117,10 +117,6 @@ type Request struct {
 	// token supplied
 	ClientTokenRemainingUses int `json:"client_token_remaining_uses" structs:"client_token_remaining_uses" mapstructure:"client_token_remaining_uses"`
 
-	// MFACreds holds the parsed MFA information supplied over the API as part of
-	// X-Vault-MFA header
-	MFACreds MFACreds `json:"mfa_creds" structs:"mfa_creds" mapstructure:"mfa_creds" sentinel:""`
-
 	// EntityID is the identity of the caller extracted out of the token used
 	// to make this request
 	EntityID string `json:"entity_id" structs:"entity_id" mapstructure:"entity_id" sentinel:""`
diff --git a/vault/acl.go b/vault/acl.go
index 5326d4828..4a6b3bb61 100644
--- a/vault/acl.go
+++ b/vault/acl.go
@@ -1,11 +1,14 @@
 package vault
 
 import (
+	"fmt"
 	"reflect"
 	"strings"
 
 	"github.com/armon/go-radix"
 	"github.com/hashicorp/errwrap"
+	multierror "github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/vault/helper/identity"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
 )
diff --git a/vault/auth.go b/vault/auth.go
index 123758e4c..a88a16612 100644
--- a/vault/auth.go
+++ b/vault/auth.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/consts"
 	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/logical"
 )
@@ -162,6 +163,11 @@ func (c *Core) disableCredential(path string) error {
 		return fmt.Errorf("no matching backend %s", fullPath)
 	}
 
+	// Get the backend/mount entry for this path, used to remove ignored
+	// replication prefixes
+	backend := c.router.MatchingBackend(fullPath)
+	entry := c.router.MatchingMountEntry(fullPath)
+
 	// Mark the entry as tainted
 	if err := c.taintCredEntry(path); err != nil {
 		return err
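Review bot: The `backend` and `entry` values captured by the two added router lookups in disableCredential are not checked for nil before the function carries on below the hunk, and the only guard above them is the `no matching backend` check, which is made against a different lookup. If MatchingMountEntry can return nil for a path it does not know, the later use of `entry` (outside this hunk) would panic instead of returning an error; a guard such as `if entry == nil { return fmt.Errorf("no mount entry for %s", fullPath) }` right after the lookup keeps the failure explicit and keeps the taint step from running against a half-resolved mount. disableCredential's body, including where these two values are consumed, continues outside the hunk.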
@@ -426,6 +432,7 @@ func (c *Core) setupCredentials() error {
 	var err error
 	var persistNeeded bool
 	var view *BarrierView
+	var backendType logical.BackendType
 
 	c.authLock.Lock()
 	defer c.authLock.Unlock()
@@ -464,7 +471,7 @@ func (c *Core) setupCredentials() error {
 		}
 
 		// Check for the correct backend type
-		backendType := backend.Type()
+		backendType = backend.Type()
 		if entry.Type == "plugin" && backendType != logical.TypeCredential {
 			return fmt.Errorf("cannot mount '%s' of type '%s' as an auth backend", entry.Config.PluginName, backendType)
 		}
diff --git a/vault/logical_system.go b/vault/logical_system.go
index fc7289fd1..3638e5cdc 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -1521,12 +1521,6 @@ func (b *SystemBackend) handleUnmount(
 		return nil, nil
 	}
 
-	_, prefix, found := b.Core.router.MatchingStoragePrefixByAPIPath(path)
-	if !found {
-		b.Backend.Logger().Error("sys: unable to find storage for path", "path", path)
-		return handleError(fmt.Errorf("unable to find storage for path: %s", path))
-	}
-
 	// Attempt unmount
 	if err := b.Core.unmount(path); err != nil {
 		b.Backend.Logger().Error("sys: unmount failed", "path", path, "error", err)
@@ -2117,8 +2111,6 @@ func (b *SystemBackend) handlePoliciesSet(policyType PolicyType) func(*logical.R
 		policy.Raw = string(polBytes)
 	}
 
-	var enforcementLevel string
-
 	switch policyType {
 	case PolicyTypeACL:
 		p, err := ParseACLPolicy(policy.Raw)
diff --git a/vault/mount.go b/vault/mount.go
index c61a122ed..de1c9461a 100644
--- a/vault/mount.go
+++ b/vault/mount.go
@@ -15,6 +15,7 @@ import (
 	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
+	"github.com/mitchellh/copystructure"
 )
 
 const (
@@ -739,7 +740,7 @@ func (c *Core) setupMounts() error {
 	defer c.mountsLock.Unlock()
 
 	var view *BarrierView
-	var err error
+	var backendType logical.BackendType
 
 	for _, entry := range c.mounts.Entries {
 
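Review bot: Hoisting `backendType` from the loop body to function scope in setupCredentials (and the matching change to setupMounts in vault/mount.go, whose second hunk follows) means the variable now outlives a single iteration, so any path that reaches the `entry.Type == "plugin"` comparison without first executing `backendType = backend.Type()` would silently compare the previous entry's type; the original `:=` could not carry state between entries. If the hoist exists only to avoid a shadowing `:=` further down the loop, a short comment at the `var` line saying so, e.g. `// declared once here; reassigned for every entry in the loop below`, would record the intent and warn the next editor not to add an early `continue` between the two points. Both loops start and end outside the hunks shown.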
@@ -777,7 +778,7 @@ func (c *Core) setupMounts() error {
 		}
 
 		// Check for the correct backend type
-		backendType := backend.Type()
+		backendType = backend.Type()
 		if entry.Type == "plugin" && backendType != logical.TypeLogical {
 			return fmt.Errorf("cannot mount '%s' of type '%s' as a logical backend", entry.Config.PluginName, backendType)
 		}
diff --git a/vault/policy_store.go b/vault/policy_store.go
index 85833b63a..6ac74c98b 100644
--- a/vault/policy_store.go
+++ b/vault/policy_store.go
@@ -232,7 +232,7 @@ func (ps *PolicyStore) invalidate(name string, policyType PolicyType) {
 	}
 
 	// Force a reload
-	p, err := ps.GetPolicy(name, policyType)
+	_, err := ps.GetPolicy(name, policyType)
 	if err != nil {
 		vlogger.Error("policy: error fetching policy after invalidation", "name", saneName)
 	}
@@ -270,13 +270,6 @@ func (ps *PolicyStore) setPolicyInternal(p *Policy) error {
 	}
 	switch p.Type {
 	case PolicyTypeACL:
-		rgp, err := ps.rgpView.Get(entry.Key)
-		if err != nil {
-			return errwrap.Wrapf("failed looking up conflicting policy: {{err}}", err)
-		}
-		if rgp != nil {
-			return fmt.Errorf("cannot reuse policy names between ACLs and RGPs")
-		}
 		if err := ps.aclView.Put(entry); err != nil {
 			return errwrap.Wrapf("failed to persist policy: {{err}}", err)
 		}
diff --git a/vault/seal.go b/vault/seal.go
index 11abb6a40..e1a3c3a62 100644
--- a/vault/seal.go
+++ b/vault/seal.go
@@ -321,27 +321,3 @@ func (s *SealConfig) Clone() *SealConfig {
 	}
 	return ret
 }
-
-type SealAccess struct {
-	seal Seal
-}
-
-func (s *SealAccess) SetSeal(seal Seal) {
-	s.seal = seal
-}
-
-func (s *SealAccess) StoredKeysSupported() bool {
-	return s.seal.StoredKeysSupported()
-}
-
-func (s *SealAccess) BarrierConfig() (*SealConfig, error) {
-	return s.seal.BarrierConfig()
-}
-
-func (s *SealAccess) RecoveryKeySupported() bool {
-	return s.seal.RecoveryKeySupported()
-}
-
-func (s *SealAccess) RecoveryConfig() (*SealConfig, error) {
-	return s.seal.RecoveryConfig()
-}
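Review bot: Removing the `ps.rgpView.Get(entry.Key)` lookup in setPolicyInternal drops the only check in this function that an ACL policy name is not already taken by an RGP, so unless that collision check now lives in a caller (not visible here), an ACL will be persisted under a name that also names an RGP, which the removed code treated as an error. Because policy names are what tokens and entities are bound to, two policies of different types sharing one name is the kind of ambiguity that is worth stating explicitly either way. If the two types are meant to share a namespace from now on, `case PolicyTypeACL:` deserves a comment such as `// name collisions with RGPs are rejected by the caller, not here`; if they are not, the guard should be restored. setPolicyInternal starts outside the hunk.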
diff --git a/vault/seal_access.go b/vault/seal_access.go
new file mode 100644
index 000000000..3387f4ba8
--- /dev/null
+++ b/vault/seal_access.go
@@ -0,0 +1,39 @@
+package vault
+
+// SealAccess is a wrapper around Seal that exposes accessor methods
+// through Core.SealAccess() while restricting the ability to modify
+// Core.seal itself.
+type SealAccess struct {
+	seal Seal
+}
+
+func NewSealAccess(seal Seal) *SealAccess {
+	return &SealAccess{seal: seal}
+}
+
+func (s *SealAccess) StoredKeysSupported() bool {
+	return s.seal.StoredKeysSupported()
+}
+
+func (s *SealAccess) BarrierConfig() (*SealConfig, error) {
+	return s.seal.BarrierConfig()
+}
+
+func (s *SealAccess) RecoveryKeySupported() bool {
+	return s.seal.RecoveryKeySupported()
+}
+
+func (s *SealAccess) RecoveryConfig() (*SealConfig, error) {
+	return s.seal.RecoveryConfig()
+}
+
+func (s *SealAccess) VerifyRecoveryKey(key []byte) error {
+	return s.seal.VerifyRecoveryKey(key)
+}
+
+func (s *SealAccess) ClearCaches() {
+	s.seal.SetBarrierConfig(nil)
+	if s.RecoveryKeySupported() {
+		s.seal.SetRecoveryConfig(nil)
+	}
+}
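Review bot: None of the exported names in the new file (NewSealAccess, StoredKeysSupported, BarrierConfig, RecoveryKeySupported, RecoveryConfig, VerifyRecoveryKey, ClearCaches) carries a doc comment, and the type comment's statement that the wrapper restricts modification of Core.seal is only half the story: ClearCaches writes through with `SetBarrierConfig(nil)` and `SetRecoveryConfig(nil)`, so the wrapper prevents swapping the Seal value but not mutating its cached configuration. A comment on that method should say so, e.g. `// ClearCaches drops the seal's cached barrier config and, when recovery keys are supported, its cached recovery config; it is the one method on SealAccess that mutates the underlying seal.` NewSealAccess also accepts a nil Seal without complaint and every method then panics on first use, so either a doc comment stating that the seal must be non-nil or a guard in the constructor would make that contract explicit.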