Chris Thunes
16f52969f4
Fix memory issue caused by append of group slice to itself. ( #5611 )
The slice returned by `collectGroupsReverseDFS` is an updated copy of
the slice given to it when called. Appending `pGroups` to `groups`
therefore led to exponential memory usage as the slice was repeatedly
appended to itself.
Fixes #5605
2018-10-29 10:38:34 -04:00
Chris Hoffman
8c88eb3e2a
Add -dev-auto-seal option ( #5629 )
* adding a -dev-auto-seal option
* adding logger to TestSeal
2018-10-29 09:30:24 -04:00
Jeff Mitchell
f8ec4d59b8
Remove disableIndexing
2018-10-23 16:05:45 -04:00
Jeff Mitchell
8a274fba51
Add disable indexing to core object
2018-10-23 15:04:36 -04:00
Jeff Mitchell
a979f49cd7
Add disable-indexing
2018-10-23 15:03:17 -04:00
Jeff Mitchell
82992d6097
Seal migration (OSS) ( #781 )
2018-10-22 23:34:02 -07:00
Jeff Mitchell
89f0efb6a1
fmt
2018-10-20 21:09:51 -04:00
Jeff Mitchell
9f6dd376e2
Merge branch 'master-oss' into 1.0-beta-oss
2018-10-19 17:47:58 -04:00
Calvin Leung Huang
a08ccbffa7
[Review Only] Autoseal OSS port ( #757 )
* Port awskms autoseal
* Rename files
* WIP autoseal
* Fix protobuf conflict
* Expose some structs to properly allow encrypting stored keys
* Update awskms with the latest changes
* Add KeyGuard implementation to abstract encryption/decryption of keys
* Fully decouple seal.Access implementations from sealwrap structs
* Add extra line to proto files, comment update
* Update seal_access_entry.go
* govendor sync
* Add endpoint info to configureAWSKMSSeal
* Update comment
* Refactor structs
* Update make proto
* Remove KeyGuard, move encrypt/decrypt to autoSeal
* Add rest of seals, update VerifyRecoveryKeys, add deps
* Fix some merge conflicts via govendor updates
* Rename SealWrapEntry to EncryptedBlobInfo
* Remove barrier type upgrade check in oss
* Add key to EncryptedBlobInfo proto
* Update barrierTypeUpgradeCheck signature
2018-10-19 14:43:57 -07:00
Vishal Nayak
c677cd0790
Case insensitive identity names ( #5404 )
* case insensitive identity names
* TestIdentityStore_GroupHierarchyCases
* address review feedback
* Use errwrap.Contains instead of errwrap.ContainsType
* Warn about duplicate names all the time to help fix them
* Address review feedback
2018-10-19 12:47:26 -07:00
Chris Hoffman
09a4c8214f
safely clean up loaded map ( #5558 )
2018-10-19 15:21:42 -04:00
Jeff Mitchell
841c4fcdd1
Merge branch 'master-oss' into 1.0-beta-oss
2018-10-19 09:25:17 -04:00
Vishal Nayak
6ab030511c
Remove lookup check during alias removal ( #5524 )
* Possible fix for 5348
* Fix compilation
2018-10-18 07:53:12 -07:00
Vishal Nayak
5818977dca
Deprecate SHA1 in token store ( #770 )
* Deprecate SHA1 in token store
* Fallback to SHA1 for user selected IDs
* Fix existing tests
* Added warning
* Address some review feedback and remove root token prefix
* Tests for service token prefixing
* Salting utility tests
* Adjust OTP length for root token generation
* Fix tests
* Address review feedback
2018-10-17 13:23:04 -07:00
Jeff Mitchell
224fbd4a88
Merge branch 'master-oss' into 1.0-beta-oss
2018-10-16 10:08:03 -04:00
Jeff Mitchell
04e3f9b0f3
Add LastWAL in leader/health output ( #5523 )
2018-10-16 09:38:44 -04:00
Jeff Mitchell
a64fc7d7cb
Batch tokens ( #755 )
2018-10-15 12:56:24 -04:00
Vivek Lakshmanan
2c55777606
Fix expiration handling to not leak goroutines ( #5506 )
* Fix expiration handling to not leak goroutines
* Apply feedback
2018-10-12 19:02:59 -07:00
Jim Kalafut
123e34f4a7
Don't copy HA lock file during migration ( #5503 )
2018-10-12 09:29:15 -07:00
Calvin Leung Huang
b47e648ddf
Logger cleanup ( #5480 )
2018-10-09 09:43:17 -07:00
vishalnayak
baad5a66fd
Fix TestIdentityStore_GroupHierarchyCases
2018-10-05 05:46:09 -04:00
Vishal Nayak
fbec18fef0
Added test for verifying member group id deletion ( #5469 )
2018-10-04 10:38:41 -07:00
Sebastian Plattner
782f8dedd2
Fix remove Group Member in Identity Group not working ( #5466 )
2018-10-04 09:27:29 -07:00
Jeff Mitchell
ec2ab502fc
make fmt
2018-10-02 14:30:10 -04:00
Calvin Leung Huang
37c0b83669
Add denylist check when filtering passthrough headers ( #5436 )
* Add denylist check when filtering passthrough headers
* Minor comment update
2018-10-01 12:20:31 -07:00
Martin
03fb39033f
Add support for token passed Authorization Bearer header ( #5397 )
* Support Authorization Bearer as token header
* add requestAuth test
* remove spew debug output in test
* Add Authorization in CORS Allowed headers
* use const where applicable
* use less allocations in bearer token checking
* address PR comments on tests and apply last commit
* reorder error checking in a TestHandler_requestAuth
2018-10-01 10:33:21 -07:00
Vishal Nayak
8e66e474ca
Ensure old group alias is removed when a new one is written ( #5350 )
2018-10-01 10:06:10 -07:00
Jeff Mitchell
ef144c4c25
Send initialized information via sys/seal-status ( #5424 )
2018-09-27 14:03:37 -07:00
Joel Thompson
73112c49fb
logical/aws: Harden WAL entry creation ( #5202 )
* logical/aws: Harden WAL entry creation
If AWS IAM user creation failed in any way, the WAL corresponding to the
IAM user would get left around and Vault would try to roll it back.
However, because the user never existed, the rollback failed. Thus, the
WAL would essentially get "stuck" and Vault would continually attempt to
roll it back, failing every time. A similar situation could arise if the
IAM user that Vault created got deleted out of band, or if Vault deleted
it but was unable to write the lease revocation back to storage (e.g., a
storage failure).
This attempts to harden it in two ways. One is by deleting the WAL log
entry if the IAM user creation fails. However, the WAL deletion could
still fail, and this wouldn't help where the user is deleted out of
band, so second, consider the user rolled back if the user just doesn't
exist, under certain circumstances.
Fixes #5190
* Fix segfault in expiration unit tests
TestExpiration_Tidy was passing in a leaseEntry that had a nil Secret,
which then caused a segfault as the changes to revokeEntry didn't check
whether Secret was nil; this is probably unlikely to occur in real life,
but good to be extra cautious.
* Fix potential segfault
Missed the else...
* Respond to PR feedback
2018-09-27 09:54:59 -05:00
Brian Kassouf
f5d0541d5d
Fix Capabilities check when in a child namespace ( #5406 )
2018-09-26 15:10:36 -07:00
Brian Kassouf
8f212d702d
replication: Fix DR API checks when using a token ( #5398 )
2018-09-25 13:27:57 -07:00
Vishal Nayak
68a496dde4
Support operating on entities and groups by their names ( #5355 )
* Support operating on entities and groups by their names
* address review feedback
2018-09-25 12:28:28 -07:00
Martin
79ab601cdb
use constant where x-vault-token was still hardcoded ( #5392 )
2018-09-25 09:34:40 -07:00
Calvin Leung Huang
ed1e41ba5c
Short-circuit TestBackend_PluginMainEnv on plain test run ( #5393 )
2018-09-25 09:22:34 -07:00
Jeff Mitchell
33065a60db
Fix compilation/protobuf
2018-09-22 17:58:39 -04:00
andrejvanderzee
dc6ea9ecbb
Fix for using ExplicitMaxTTL in auth method plugins. ( #5379 )
* Fix for using ExplicitMaxTTL in auth method plugins.
* Reverted pb.go files for readability of PR.
* Fixed indenting of comment.
* Reverted unintended change by go test.
2018-09-21 14:31:29 -07:00
Jim Kalafut
343c72dbe1
Detect and bypass cycles during token revocation ( #5364 )
Fixes #4803
2018-09-20 14:56:38 -07:00
Calvin Leung Huang
189b893b35
Add ability to provide env vars to plugins ( #5359 )
* Add ability to provide env vars to plugins
* Update docs
* Update docs with examples
* Refactor TestAddTestPlugin, remove TestAddTestPluginTempDir
2018-09-20 10:50:29 -07:00
Jeff Mitchell
919b968c27
The big one ( #5346 )
2018-09-17 23:03:00 -04:00
Jeff Mitchell
f692c1e3a9
Revert "Detect and bypass cycles during token revocation ( #5335 )"
This reverts commit 00314eb4d1c5609a1935f653dc6f2fc83c0bfcc0.
2018-09-17 14:10:57 -04:00
Jim Kalafut
0ae6ec52b8
Detect and bypass cycles during token revocation ( #5335 )
Fixes #4803
2018-09-17 08:55:12 -07:00
Becca Petrin
b2ff87c9c2
Poll for new creds in the AWS auth agent ( #5300 )
2018-09-12 13:30:57 -07:00
vishalnayak
e421972efb
Remove group alias memdb update outside of UpsertGroupInTxn
2018-09-06 12:19:00 -04:00
Martin
d51f3a45f7
Fix group alias loading when identity memdb is initialized ( #5289 )
2018-09-06 09:17:44 -07:00
Jeff Mitchell
95bdbbe85e
Port fix over that ensures we use the right step-down context ( #5290 )
2018-09-06 12:03:26 -04:00
Jeff Mitchell
c28ed23972
Allow most parts of Vault's logging to have its level changed on-the-fly ( #5280 )
* Allow most parts of Vault's logging to have its level changed on-the-fly
* Use a const for not set
2018-09-05 15:52:54 -04:00
Jeff Mitchell
c9e2cd93e8
Move logic around a bit to avoid holding locks when not necessary ( #5277 )
Also, ensure we are error checking the rand call
2018-09-05 11:49:32 -04:00
Chris Hoffman
e2ed8d3d61
Fixing capabilities check for templated policies ( #5250 )
* fixing capabilities check for templated policies
* remove unnecessary change
* formatting
2018-09-04 14:18:59 -04:00
Brian Shumate
45f1ca162f
Log 'marked as sealed' at INFO instead ( #5260 )
2018-09-04 10:53:40 -07:00
Becca Petrin
7a8c116fb1
undo make fmt ( #5265 )
2018-09-04 09:29:18 -07:00