Commit graph

577 commits

Author SHA1 Message Date
Chris Capurso 15b06780ab
remove nil response to 404 translation for PatchOperation (#13167)
* remove nil response to 404 translation for PatchOperation

* go get vault-plugin-secrets-kv@master
2021-11-23 13:57:22 -05:00
akshya96 f77223bfe5
Authenticate to "login" endpoint for non-existent mount path bug (#13162)
* changing response from missing client token to permission denied

* removing todo comment

* fix tests

* adding changelog

* fixing changelog
2021-11-22 17:06:59 -08:00
divyapola5 5236fe93aa
Add a new parameter "allowed_managed_keys" to mount config (#13202)
* Add a new parameter "allowed_managed_keys" to mount config

* Adjust formatting in mount.go

* Add changelog entry
2021-11-21 19:08:38 -06:00
Nick Cabatoff ff74f49047
Move to go 1.17 (#12868)
Also ensure that the go 1.17 breaking changes to net.ParseCIDR don't make us choke on stored CIDRs that were acceptable to older Go versions.
2021-10-21 09:32:03 -04:00
Chris Capurso 6e95c59762
change return in handler test to explicit nil (#12884) 2021-10-20 13:41:51 -04:00
Chris Capurso eb6df00992
add retry logic when kv is upgrading in handler test (#12864)
* add retry logic when kv is upgrading in handler test

* make retry func for kv cli test more generic

* use ticker for kv retry logic in tests
2021-10-20 08:44:56 -04:00
Austin Gebauer a302293c9a
Modify error response format for resources protected by OIDC access tokens (#12840) 2021-10-15 11:22:44 -07:00
Austin Gebauer 0551f91068
Adds OIDC Token and UserInfo endpoints (#12711) 2021-10-13 18:59:36 -07:00
Chris Capurso bbb4ab4a41
Add HTTP PATCH support to KV (#12687)
* handle HTTP PATCH requests as logical.PatchOperation

* update go.mod, go.sum

* a nil response for logical.PatchOperation should result in 404

* respond with 415 for incorrect MIME type in PATCH Content-Type header

* add abstraction to handle PatchOperation requests

* add ACLs for patch

* Adding JSON Merge support to the API client

* add HTTP PATCH tests to check high level response logic

* add permission-based 'kv patch' tests in prep to add HTTP PATCH

* adding more 'kv patch' CLI command tests

* fix TestHandler_Patch_NotFound

* Fix TestKvPatchCommand_StdinValue

* add audit log test for HTTP PATCH

* patch CLI changes

* add patch CLI tests

* change JSONMergePatch func to accept a ctx

* fix TestKVPatchCommand_RWMethodNotExists and TestKVPatchCommand_RWMethodSucceeds to specify -method flag

* go fmt

* add a test to verify patching works by default with the root token

* add changelog entry

* get vault-plugin-secrets-kv@add-patch-support

* PR feedback

* reorder some imports; go fmt

* add doc comment for HandlePatchOperation

* add json-patch@v5.5.0 to go.mod

* remove unnecessary cancelFunc for WriteBytes

* remove default for -method

* use stable version of json-patch; go mod tidy

* more PR feedback

* temp go get vault-plugin-secrets-kv@master until official release

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2021-10-13 15:24:31 -04:00
hghaf099 ad2ef412cc
Customizing HTTP headers in the config file (#12485)
* Customizing HTTP headers in the config file

* Add changelog, fix bad imports

* fixing some bugs

* fixing interaction of custom headers and /ui

* Defining a member in core to set custom response headers

* missing additional file

* Some refactoring

* Adding automated tests for the feature

* Changing some error messages based on some recommendations

* Incorporating custom response headers struct into the request context

* removing some unused references

* fixing a test

* changing some error messages, removing a default header value from /ui

* fixing a test

* wrapping ResponseWriter to set the custom headers

* adding a new test

* some cleanup

* removing some extra lines

* Addressing comments

* fixing some agent tests

* skipping custom headers from agent listener config,
removing two of the default headers as they cause issues with Vault in UI mode
Adding X-Content-Type-Options to the ui default headers
Let Content-Type be set as before

* Removing default custom headers, and renaming some function varibles

* some refacotring

* Refactoring and addressing comments

* removing a function and fixing comments
2021-10-13 11:06:33 -04:00
Scott Miller 0f6543fb41
Upgrade go-limiter to fix building on 1.17 (#12358)
* Upgrade go-limiter

* Modify quota system to pass contexts to upgraded go-limiter

* One more spot

* Add context vars to unit tests

* missed one
2021-09-01 16:28:47 -05:00
Clint 675e0c1383
Replace go-bindata-assetfs build dependency with native go:embed (#11208)
* copy over the webui

move web_ui to http

remove web ui files, add .gitkeep

updates, messing with gitkeep and ignoring web_ui

update ui scripts

gitkeep

ignore http/web_ui

Remove debugging

remove the jwt reference, that was from something else

restore old jwt plugin

move things around

Revert "move things around"

This reverts commit 2a35121850f5b6b82064ecf78ebee5246601c04f.

Update ui path handling to not need the web_ui name part

add desc

move the http.FS conversion internal to assetFS

update gitignore

remove bindata dep

clean up some comments

remove asset check script that's no longer needed

Update readme

remove more bindata things

restore asset check

update packagespec

update stub

stub the assetFS method and set uiBuiltIn to false for non-ui builds

update packagespec to build ui

* fail if assets aren't found

* tidy up vendor

* go mod tidy

* updating .circleci

* restore tools.go

* re-re-re-run make packages

* re-enable arm64

* Adding change log

* Removing a file

Co-authored-by: hamid ghaf <hamid@hashicorp.com>
2021-08-18 11:05:11 -04:00
akshya96 9defbb47e7
Vault 2176 snapshot config issue (#12317)
* removing redirect line from handler.go

* adding changelog entry

* adding changes
2021-08-16 10:12:00 -07:00
hghaf099 90c5b3c1c5
VAULT-1303 when a request to vault fails, show namespace if set (#12196)
* VAULT-1303 when a request to vault fails, show namespace if set

* Adding changelog

* Fix Changelog file name

* Set namespace in ResponseWriter headers if it is set

* Using consts.NamespaceHeaderName instead of the literal string
2021-07-30 12:32:05 -04:00
Jeff Mitchell f7147025dd
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090)
* Swap sdk/helper libs to go-secure-stdlib

* Migrate to go-secure-stdlib reloadutil

* Migrate to go-secure-stdlib kv-builder

* Migrate to go-secure-stdlib gatedwriter
2021-07-15 20:17:31 -04:00
Nick Cabatoff f027a1b1ff
Revert #12061 due to failures in TestLogical_RequestSizeLimit (#12093) 2021-07-15 12:55:09 -04:00
hghaf099 f7635ec1b8
Add namespace in error (#12061)
* hghaf099-VAULT-1303-Adding namespace in error when it is set

* casting ResponseWriter in handleMonitor to logical.NamespaceResponseWriter

* Casting ResponseWriter conditionally for http.Flusher
Adding changelog

* Improving changlog message
2021-07-14 15:55:55 -04:00
Nick Cabatoff 2ce2617a8a
Reorganize request handling code so that we don't touch storage until we have the stateLock. (#11835) 2021-06-11 13:18:16 -04:00
Nick Cabatoff 2adef1f878
OSS parts of #1891 (sys/health license addition) (#11676) 2021-05-20 13:32:15 -04:00
Lars Lehtonen ed93de7c54
http: deprecate errwrap.Wrapf() (#11471) 2021-04-26 13:33:48 -04:00
Josh Black 06809930a3
Add HTTP response headers for hostname and raft node ID (if applicable) (#11289) 2021-04-20 15:25:04 -07:00
Nick Cabatoff a8023e0fdb
Add support for unauthenticated pprof access on a per-listener basis,… (#11324)
* Add support for unauthenticated pprof access on a per-listener basis, as we do for metrics.

* Add missing pprof sub-targets like 'allocs' and 'block'.  Capture the goroutine subtarget a second time in text form.  This is mostly a convenience, but also I think the pprof format might be a bit lossy?
2021-04-19 14:30:59 -04:00
Brian Kassouf 303c2aee7c
Run a more strict formatter over the code (#11312)
* Update tooling

* Run gofumpt

* go mod vendor
2021-04-08 09:43:39 -07:00
Scott Miller b13b27f37e
OSS side barrier encryption tracking and automatic rotation (#11007)
* Automatic barrier key rotation, OSS portion

* Fix build issues

* Vendored version

* Add missing encs field, not sure where this got lost.
2021-02-25 14:27:25 -06:00
Nick Cabatoff c1ddfbb538
OSS parts of the new client controlled consistency feature (#10974) 2021-02-24 06:58:10 -05:00
swayne275 6e1b183f79
Shutdown Test Cores when Tests Complete (#10912)
* Shutdown Test Cores when Tests Complete

* go mod vendor
2021-02-12 13:04:48 -07:00
Vishal Nayak 53cb1deb38
Revert "Read-replica instead of non-voter (#10875)" (#10890)
This reverts commit fc745670cf34821f5834357d9caebc3351dbc1e7.
2021-02-10 16:41:58 -05:00
Vishal Nayak a2394e7353
Read-replica instead of non-voter (#10875) 2021-02-10 09:58:18 -05:00
Mark Gritter fd55aa8378
Implement sys/seal-status and sys/leader in system backend (#10725)
* Implement sys/seal-status and sys/leader as normal API calls
(so that they can be used in namespaces.)
* Added changelog.
2021-01-20 14:04:24 -06:00
Nick Cabatoff 8cbc63d572
Add configuration to specify a TLS ServerName to use in the TLS handshake when performing a raft join. (#10698) 2021-01-19 17:54:28 -05:00
Gunjan 4900283ad5
Fix: handle max_request_size<=0 (#10072)
* Fix: handle max_request_size<=0

Signed-off-by: guacamole <gunjanwalecha@gmail.com>

* created test cases for listener

Signed-off-by: guacamole <gunjanwalecha@gmail.com>

* added test case for negative value of MaxRequestSize

Signed-off-by: guacamole <gunjanwalecha@gmail.com>

Co-authored-by: Hridoy Roy <roy@hashicorp.com>
2021-01-19 11:28:28 -08:00
Mark Gritter d076d95d37
Feature flags API (#10613)
* Added sys/internal/ui/feature-flags endpoint.
* Added documentation for new API endpoint.
* Added integration test.
Co-authored-by: swayne275 <swayne@hashicorp.com>
2021-01-06 16:05:00 -06:00
Scott Miller 2eafeee15f
Avoid disclosing IP addresses in unauthenticated requests (#10579)
* removing extra information from the returned error, to avoid leaking it to unauthenticated requests

* removing extra information from the returned error, to avoid leaking it to unauthenticated requests

* Change the error message in a way that is retains the HTTP status code

Co-authored-by: bruj0 <ramakandra@gmail.com>
2020-12-22 10:30:03 -06:00
Scott G. Miller ffc375817e Revert "Disclosure of internal IP addresses from unauthenticated request (#10516)"
This reverts commit 9934f75f1daa21de3137c1cd16423a15d594709b.
2020-12-15 13:57:32 -06:00
Rodrigo D. L 1adb11c413
Disclosure of internal IP addresses from unauthenticated request (#10516)
* removing extra information from the returned error, to avoid leaking it to unauthenticated requests

* removing extra information from the returned error, to avoid leaking it to unauthenticated requests

Co-authored-by: Scott Miller <smiller@hashicorp.com>
2020-12-15 11:08:50 -06:00
Brian Kassouf 275ca323e8
core: Record the time a node became active (#10489)
* core: Record the time a node became active

* Update vault/core.go

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* Add omitempty field

* Update vendor

* Added CL entry and fixed test

* Fix test

* Fix command package tests

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2020-12-11 16:50:19 -08:00
Nick Cabatoff 84d566db9e
Be consistent with how we report init status. (#10498)
Also make half-joined raft peers consider storage to be initialized, whether or not they're sealed.
2020-12-08 13:55:34 -05:00
Vishal Nayak 7912ac9713 Fix build 2020-10-26 18:14:01 -04:00
Jeff Mitchell 3b93a18ef2
Consolidate locking for sys/health (#9876)
* Consolidate locking for sys/health

This avoids a second state lock read-lock on every sys/health hit

* Address review feedback

Co-authored-by: Vishal Nayak <vishalnayakv@gmail.com>
Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
2020-10-26 16:47:54 -04:00
Clint 95810d1360
Return logical.StatusBadRequest on requests with missing token (#8457)
* Add test for 400 status on missing token

* Return logical.StatusBadRequest on missing token

* remove commented out code

Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
2020-10-26 16:17:25 -04:00
Aleksandr Bezobchuk 95bbd8d920
Merge PR #10192: Auto-Join: Configurable Scheme & Port (and add k8s provider) 2020-10-23 16:13:09 -04:00
Nick Cabatoff 0d6a929a4c
Same seal migration oss (#10224)
* Refactoring and test improvements.

* Support migrating from a given type of autoseal to that same type but with different parameters.
2020-10-23 14:16:04 -04:00
Brian Kassouf 84dbca38a1
Revert "Migrate internalshared out (#9727)" (#10141)
This reverts commit ee6391b691ac12ab6ca13c3912404f1d3a842bd6.
2020-10-13 16:38:21 -07:00
Aleksandr Bezobchuk d37be9af6e
Merge PR #10095: Integrated Storage Cloud Auto-Join 2020-10-13 16:26:39 -04:00
Jeff Mitchell e6881c8147
Migrate internalshared out (#9727)
* Migrate internalshared out

* fix merge issue

* fix merge issue

* go mod vendor

Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
2020-10-12 11:56:24 -07:00
Ivan Lemeshev 8a2842b467
Fix panic in handleAuditNonLogical if vault is sealed (#9310) (#10103) 2020-10-07 08:30:36 -04:00
ncabatoff 30eba1eed1
Update retryablehttp to fix a data race (#9551) 2020-08-31 11:10:52 -04:00
Rodrigo D. L d0df8bfa21
adding new config flag disable_sentinel_trace (#9696) 2020-08-10 06:23:44 -04:00
Alexander Bezobchuk 1e262e5648
Merge PR #9581: Rate Limit Quota Headers 2020-07-29 15:15:05 -04:00
aphorise 7e2f80b8c4
Always provide version & storage type in status output (#9598) 2020-07-27 14:33:57 -04:00
Alexander Bezobchuk dfb28a8fcc
Merge PR #9390: http: revert resource quota changes 2020-07-07 00:05:28 -04:00
Vishal Nayak c6876fe00f
Resource Quotas: Rate Limiting (#9330) 2020-06-26 17:13:16 -04:00
Calvin Leung Huang c45bdca0b3
raft: add support for using backend for ha_storage (#9193)
* raft: initial work on raft ha storage support

* add note on join

* add todo note

* raft: add support for bootstrapping and joining existing nodes

* raft: gate bootstrap join by reading leader api address from storage

* raft: properly check for raft-only for certain conditionals

* raft: add bootstrap to api and cli

* raft: fix bootstrap cli command

* raft: add test for setting up new cluster with raft HA

* raft: extend TestRaft_HA_NewCluster to include inmem and consul backends

* raft: add test for updating an existing cluster to use raft HA

* raft: remove debug log lines, clean up verifyRaftPeers

* raft: minor cleanup

* raft: minor cleanup

* Update physical/raft/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/ha.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/ha.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/logical_system_raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* address feedback comments

* address feedback comments

* raft: refactor tls keyring logic

* address feedback comments

* Update vault/raft.go

Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>

* Update vault/raft.go

Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>

* address feedback comments

* testing: fix import ordering

* raft: rename var, cleanup comment line

* docs: remove ha_storage restriction note on raft

* docs: more raft HA interaction updates with migration and recovery mode

* docs: update the raft join command

* raft: update comments

* raft: add missing isRaftHAOnly check for clearing out state set earlier

* raft: update a few ha_storage config checks

* Update command/operator_raft_bootstrap.go

Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>

* raft: address feedback comments

* raft: fix panic when checking for config.HAStorage.Type

* Update vault/raft.go

Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>

* Update website/pages/docs/commands/operator/raft.mdx

Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>

* raft: remove bootstrap cli command

* Update vault/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* raft: address review feedback

* raft: revert vendored sdk

* raft: don't send applied index and node ID info if we're HA-only

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
2020-06-23 12:04:13 -07:00
Josh Black 6e92c8cbd2
Add a new "vault monitor" command (#8477)
Add a new "vault monitor" command

Co-authored-by: ncabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>
2020-05-21 13:07:50 -07:00
Brian Kassouf 1bb0bd489d
storage/raft: Add committed and applied indexes to the status output (#9011)
* storage/raft: Add committed and applied indexes to the status output

* Update api vendor

* changelog++

* Update http/sys_leader.go

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2020-05-18 16:07:27 -07:00
Jeff Mitchell 1d3d89e2aa
Create configutil and move some common config and setup functions there (#8362) 2020-05-14 09:19:27 -04:00
Calvin Leung Huang 0509985408
http: ensure return after writing response by respondError (#8796) 2020-04-21 15:30:36 -07:00
Graham Jenson c2c42ba2e9
[Fix] correct make command in ui page (#7976) 2020-03-24 14:15:27 -07:00
Vitaly Velikodny 3ae6568512
Add missed description field for GET /sys/auth/:path/tune endpoint (#8193)
* fix #7623: add missed description field for GET /sys/auth/:path/tune endpoint

* fix #7623: allow empty description

* fix #7623: update tests with description field
2020-02-15 10:32:47 -08:00
Jim Kalafut f4cafabb62
Support processing parameters sent as a URL-encoded form (#8325) 2020-02-12 14:20:22 -08:00
Michel Vocks 3a4d330f64
Return error when a standby node receives a metrics request (#8280)
* Return error when a standby node receives a metrics request

* fix test

* Add documentation note
2020-02-07 09:30:25 +01:00
ncabatoff a0ac4bdd2a
Audit generate root requests and responses. (#8301) 2020-02-06 11:56:37 -05:00
Jim Kalafut f17fc4e5c1
Run goimports (#8251) 2020-01-27 21:11:00 -08:00
Vishal Nayak 8891f2ba88 Raft retry join (#7856)
* Raft retry join

* update

* Make retry join work with shamir seal

* Return upon context completion

* Update vault/raft.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Address some review comments

* send leader information slice as a parameter

* Make retry join work properly with Shamir case. This commit has a blocking issue

* Fix join goroutine exiting before the job is done

* Polishing changes

* Don't return after a successful join during unseal

* Added config parsing test

* Add test and fix bugs

* minor changes

* Address review comments

* Fix build error

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2020-01-13 17:02:16 -08:00
Jim Kalafut 59e526614d
Run go fmt (#7823) 2019-11-07 08:54:34 -08:00
Brian Kassouf 0bc14636b0 Fix build 2019-10-28 17:40:44 -07:00
Jeff Mitchell 698b0dd025 If standbyok/perfstandbyok are provided to sys/health, honor the values (#7749)
Don't just use the presence of it to indicate behavior.

Fixes #7323

Also, fixes a bug where if an error was returned along with a status
code, the status code was being ignored.
2019-10-28 16:55:20 -07:00
ncabatoff 20b8f8d7d0
Don't try to use req if we got a nonzero status, it'll be nil. (#7728) 2019-10-24 13:37:13 -04:00
ncabatoff 1c98152fa0
Shamir seals now come in two varieties: legacy and new-style. (#7694)
Shamir seals now come in two varieties: legacy and new-style. Legacy
Shamir is automatically converted to new-style when a rekey operation
is performed. All new Vault initializations using Shamir are new-style.

New-style Shamir writes an encrypted master key to storage, just like
AutoUnseal. The stored master key is encrypted using the shared key that
is split via Shamir's algorithm. Thus when unsealing, we take the key
fragments given, combine them into a Key-Encryption-Key, and use that
to decrypt the master key on disk. Then the master key is used to read
the keyring that decrypts the barrier.
2019-10-18 14:46:00 -04:00
Calvin Leung Huang f5b63cc815
logical: remove unneeded error check in handleLogicalInternal (#7691) 2019-10-17 12:33:29 -07:00
Lexman c86fe212c0
oss changes for entropy augmentation feature (#7670)
* oss changes for entropy augmentation feature

* fix oss command/server/config tests

* update go.sum

* fix logical_system and http/ tests

* adds vendored files

* removes unused variable
2019-10-17 10:33:00 -07:00
Vishal Nayak 5004899eb2 Re-add removed paths from the recovery PR 2019-10-15 11:42:51 -04:00
Vishal Nayak 0d077d7945
Recovery Mode (#7559)
* Initial work

* rework

* s/dr/recovery

* Add sys/raw support to recovery mode (#7577)

* Factor the raw paths out so they can be run with a SystemBackend.

# Conflicts:
#	vault/logical_system.go

* Add handleLogicalRecovery which is like handleLogical but is only
sufficient for use with the sys-raw endpoint in recovery mode.  No
authentication is done yet.

* Integrate with recovery-mode.  We now handle unauthenticated sys/raw
requests, albeit on path v1/raw instead v1/sys/raw.

* Use sys/raw instead raw during recovery.

* Don't bother persisting the recovery token.  Authenticate sys/raw
requests with it.

* RecoveryMode: Support generate-root for autounseals (#7591)

* Recovery: Abstract config creation and log settings

* Recovery mode integration test. (#7600)

* Recovery: Touch up (#7607)

* Recovery: Touch up

* revert the raw backend creation changes

* Added recovery operation token prefix

* Move RawBackend to its own file

* Update API path and hit it using CLI flag on generate-root

* Fix a panic triggered when handling a request that yields a nil response. (#7618)

* Improve integ test to actually make changes while in recovery mode and
verify they're still there after coming back in regular mode.

* Refuse to allow a second recovery token to be generated.

* Resize raft cluster to size 1 and start as leader (#7626)

* RecoveryMode: Setup raft cluster post unseal (#7635)

* Setup raft cluster post unseal in recovery mode

* Remove marking as unsealed as its not needed

* Address review comments

* Accept only one seal config in recovery mode as there is no scope for migration
2019-10-15 00:55:31 -04:00
Brian Kassouf 024c29c36a
OSS portions of raft non-voters (#7634)
* OSS portions of raft non-voters

* add file

* Update vault/raft.go

Co-Authored-By: Vishal Nayak <vishalnayak@users.noreply.github.com>
2019-10-11 11:56:59 -07:00
Calvin Leung Huang d8875b1991
sys/config: config state endpoint (#7424)
* sys/config: initial work on adding config state endpoint

* server/config: add tests, fix Sanitized method

* thread config through NewTestCluster's config to avoid panic on dev modes

* properly guard endpoint against request forwarding

* add http tests, guard against panics on nil RawConfig

* ensure non-nil rawConfig on NewTestCluster cores

* update non-forwarding logic

* fix imports; use no-forward handler

* add missing config test fixture; update gitignore

* return sanitized config as a map

* fix test, use deep.Equal to check for equality

* fix http test

* minor comment fix

* config: change Sanitized to return snake-cased keys, update tests

* core: hold rlock when reading config; add docstring

* update docstring
2019-10-08 10:57:15 -07:00
Michel Vocks a0c122926a
Unauth metrics: Fix missing parse form and error response (#7569)
* Unauth metrics: Fix missing parse form and error response

* Change metrics error response to text/plain content type always
2019-10-08 14:55:25 +02:00
Michel Vocks a7a6dd55a5
Add config parameter to allow unauthenticated metrics access (#7550)
* Implement config parameter to allow unathenticated metricss access

* Add unit test for unauthenticated metrics access parameter

* go mod tidy
2019-10-04 09:29:51 +02:00
Calvin Leung Huang 3f1c7c86a0
sys: add host-info endpoint (#7330)
* sys: add host-info endpoint, add client API method

* remove old commented handler

* add http tests, fix bugs

* query all partitions for disk usage

* fix Timestamp decoding

* add comments for clarification

* dont append a nil entry on disk usage query error

* remove HostInfo from the sdk api

We can use Logical().Read(...) to query this endpoint since the payload is contained with the data object. All warnings are preserved under Secret.Warnings.

* ensure that we're testing failure case against a standby node

* add and use TestWaitStandby to ensure core is on standby

* remove TestWaitStandby

* respond with local-only error

* move HostInfo into its own helper package

* fix imports; use new no-forward handler

* add cpu times to collection

* emit clearer multierrors/warnings by collection type

* add comments on HostInfo fields
2019-10-03 09:43:52 -07:00
Calvin Leung Huang f4fd84d52b
sys: add pprof endpoint (#7473)
* sys/pprof: add pprof routes to the system backend

* sys/pprof: add pprof paths to handler with local-only check

* fix trailing slash on pprof index endpoint

* use new no-forward handler on pprof

* go mod tidy

* add pprof external tests

* disallow streaming requests to exceed DefaultMaxRequestDuration

* add max request duration test
2019-09-19 13:44:37 -07:00
Matthew Irish 6e4cc02f4d
expose 'storage_type' on the sys/seal-status endpoint (#7486)
* expose 'storage_type' on the sys/seal-status endpoint

* add comments

* Update vault/core.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
2019-09-18 14:07:18 -05:00
Calvin Leung Huang 801e15ffe3
http: add handleLogicalNoForward handler for local-only requests (#7482)
* http: add handleLogicalNoForward handler for local-only requests

* fix missing no-forward case; add docstring

* add docstring for handleLogicalInternal

* fix docstring reference

* fix comment on not-ok case
2019-09-16 17:50:28 -07:00
Calvin Leung Huang ec64b7c672
logical/request: store the entire http.Request object instead (#7412)
This allows logical operations (along with a non-nil response writer) to
process http handler funcs within the operation function while keeping
auth and audit checks that the logical request flow provides.
2019-09-06 12:40:15 -07:00
Brian Kassouf c2905773e4
Add download headers to snapshot take API (#7369)
* Add download headers to snapshot take API

* Add content type
2019-09-06 10:34:36 -07:00
Calvin Leung Huang bcb0109e26
http/raft: fix JoinRequest.LeaderCACert json tag (#7393) 2019-08-29 14:37:01 -07:00
ncabatoff 439ea99c83
Follow what documentation says we should do if we're a perf standby and perfstandbyok=true (#7241)
Follow what documentation says we should do if we're a perf standby and perfstandbyok=true, i.e. return 200 instead of 429.
2019-08-05 16:44:41 -04:00
Calvin Leung Huang e869893df3
logical: add support for passing data to delete (#7139)
* logical: add support for passing data to delete

* add back raft bit

* add back raft bit

* update error message

* fix command delete tests
2019-07-18 10:42:36 -07:00
Lexman 119854a865
adds Cache-Control header to oidc .well-known endpoints (#7108) 2019-07-15 11:04:45 -07:00
Calvin Leung Huang 5428ab50ee audit: log invalid wrapping token request/response (#6541)
* audit: log invalid wrapping token request/response

* Update helper/consts/error.go

Co-Authored-By: calvn <cleung2010@gmail.com>

* update error comments

* Update vault/wrapping.go

Co-Authored-By: calvn <cleung2010@gmail.com>

* update comment

* move validateWrappingToken out of http and into logical

* minor refactor, add test cases

* comment rewording

* refactor validateWrappingToken to perform audit logging

* move ValidateWrappingToken back to wrappingVerificationFunc

* Fix tests

* Review feedback
2019-07-05 14:15:14 -07:00
Vishal Nayak 13935f00af
Fix Join (#6974) 2019-06-24 18:49:28 -04:00
Vishal Nayak 06f30a7947
Move tls config creation to tlsutil (#6956)
* Move tls config creation to tlsutil

* Update sdk/helper/tlsutil/tlsutil.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* address review comments
2019-06-22 21:51:52 -04:00
Vishal Nayak 9296ca1f8c
raft join tls (#6932) 2019-06-21 17:41:07 -04:00
Brian Kassouf ed14061578
Raft Storage Backend (#6888)
* Work on raft backend

* Add logstore locally

* Add encryptor and unsealable interfaces

* Add clustering support to raft

* Remove client and handler

* Bootstrap raft on init

* Cleanup raft logic a bit

* More raft work

* Work on TLS config

* More work on bootstrapping

* Fix build

* More work on bootstrapping

* More bootstrapping work

* fix build

* Remove consul dep

* Fix build

* merged oss/master into raft-storage

* Work on bootstrapping

* Get bootstrapping to work

* Clean up FMS and node-id

* Update local node ID logic

* Cleanup node-id change

* Work on snapshotting

* Raft: Add remove peer API (#906)

* Add remove peer API

* Add some comments

* Fix existing snapshotting (#909)

* Raft get peers API (#912)

* Read raft configuration

* address review feedback

* Use the Leadership Transfer API to step-down the active node (#918)

* Raft join and unseal using Shamir keys (#917)

* Raft join using shamir

* Store AEAD instead of master key

* Split the raft join process to answer the challenge after a successful unseal

* get the follower to standby state

* Make unseal work

* minor changes

* Some input checks

* reuse the shamir seal access instead of new default seal access

* refactor joinRaftSendAnswer function

* Synchronously send answer in auto-unseal case

* Address review feedback

* Raft snapshots (#910)

* Fix existing snapshotting

* implement the noop snapshotting

* Add comments and switch log libraries

* add some snapshot tests

* add snapshot test file

* add TODO

* More work on raft snapshotting

* progress on the ConfigStore strategy

* Don't use two buckets

* Update the snapshot store logic to hide the file logic

* Add more backend tests

* Cleanup code a bit

* [WIP] Raft recovery (#938)

* Add recovery functionality

* remove fmt.Printfs

* Fix a few fsm bugs

* Add max size value for raft backend (#942)

* Add max size value for raft backend

* Include physical.ErrValueTooLarge in the message

* Raft snapshot Take/Restore API  (#926)

* Inital work on raft snapshot APIs

* Always redirect snapshot install/download requests

* More work on the snapshot APIs

* Cleanup code a bit

* On restore handle special cases

* Use the seal to encrypt the sha sum file

* Add sealer mechanism and fix some bugs

* Call restore while state lock is held

* Send restore cb trigger through raft log

* Make error messages nicer

* Add test helpers

* Add snapshot test

* Add shamir unseal test

* Add more raft snapshot API tests

* Fix locking

* Change working to initalize

* Add underlying raw object to test cluster core

* Move leaderUUID to core

* Add raft TLS rotation logic (#950)

* Add TLS rotation logic

* Cleanup logic a bit

* Add/Remove from follower state on add/remove peer

* add comments

* Update more comments

* Update request_forwarding_service.proto

* Make sure we populate all nodes in the followerstate obj

* Update times

* Apply review feedback

* Add more raft config setting (#947)

* Add performance config setting

* Add more config options and fix tests

* Test Raft Recovery (#944)

* Test raft recovery

* Leave out a node during recovery

* remove unused struct

* Update physical/raft/snapshot_test.go

* Update physical/raft/snapshot_test.go

* fix vendoring

* Switch to new raft interface

* Remove unused files

* Switch a gogo -> proto instance

* Remove unneeded vault dep in go.sum

* Update helper/testhelpers/testhelpers.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* Update vault/cluster/cluster.go

* track active key within the keyring itself (#6915)

* track active key within the keyring itself

* lookup and store using the active key ID

* update docstring

* minor refactor

* Small text fixes (#6912)

* Update physical/raft/raft.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* review feedback

* Move raft logical system into separate file

* Update help text a bit

* Enforce cluster addr is set and use it for raft bootstrapping

* Fix tests

* fix http test panic

* Pull in latest raft-snapshot library

* Add comment
2019-06-20 12:14:58 -07:00
Brian Kassouf 04d0ddfdae
Add mount UUID to the secret and auth list API responses (#6633) 2019-04-24 12:27:43 -07:00
Jeff Mitchell 213b9fd1cf Update to api 1.0.1 and sdk 0.1.8 2019-04-15 14:10:07 -04:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Jeff Mitchell 2fbf560fd2 Remove out-of-date comment 2019-04-08 16:49:10 -04:00
Jeff Mitchell a308bad657 Fix a potential panic due to ioutil.ReadAll not being safe with nil readers 2019-04-08 16:48:44 -04:00
Jeff Mitchell 991373c969 Fix tests 2019-04-08 12:44:12 -04:00
Jeff Mitchell 00295cd598
Save the original request body for forwarding (#6538)
* Save the original request body for forwarding

If we are forwarding a request after initial parsing the request body is
already consumed. As a result a forwarded call containing a request body
will have the body be nil. This saves the original request body for a
given request via a TeeReader and uses that in cases of forwarding past
body consumption.
2019-04-05 14:36:34 -04:00