Commit graph

1594 commits

Author SHA1 Message Date
Chris Thunes 16f52969f4 Fix memory issue caused by append of group slice to itself. (#5611)
The slice returned by `collectGroupsReverseDFS` is an updated copy of
the slice given to it when called. Appending `pGroups` to `groups`
therefore led to expontential memory usage as the slice was repeatedly
appended to itself.

Fixes #5605
2018-10-29 10:38:34 -04:00
Chris Hoffman 8c88eb3e2a
Add -dev-auto-seal option (#5629)
* adding a -dev-auto-seal option

* adding logger to TestSeal
2018-10-29 09:30:24 -04:00
Jeff Mitchell f8ec4d59b8 Remove disableIndexing 2018-10-23 16:05:45 -04:00
Jeff Mitchell 8a274fba51 Add disable indexing to core object 2018-10-23 15:04:36 -04:00
Jeff Mitchell a979f49cd7 Add disable-indexing 2018-10-23 15:03:17 -04:00
Jeff Mitchell 82992d6097
Seal migration (OSS) (#781) 2018-10-22 23:34:02 -07:00
Jeff Mitchell 89f0efb6a1 fmt 2018-10-20 21:09:51 -04:00
Jeff Mitchell 9f6dd376e2 Merge branch 'master-oss' into 1.0-beta-oss 2018-10-19 17:47:58 -04:00
Calvin Leung Huang a08ccbffa7
[Review Only] Autoseal OSS port (#757)
* Port awskms autoseal

* Rename files

* WIP autoseal

* Fix protobuf conflict

* Expose some structs to properly allow encrypting stored keys

* Update awskms with the latest changes

* Add KeyGuard implementation to abstract encryption/decryption of keys

* Fully decouple seal.Access implementations from sealwrap structs

* Add extra line to proto files, comment update

* Update seal_access_entry.go

* govendor sync

* Add endpoint info to configureAWSKMSSeal

* Update comment

* Refactor structs

* Update make proto

* Remove remove KeyGuard, move encrypt/decrypt to autoSeal

* Add rest of seals, update VerifyRecoveryKeys, add deps

* Fix some merge conflicts via govendor updates

* Rename SealWrapEntry to EncryptedBlobInfo

* Remove barrier type upgrade check in oss

* Add key to EncryptedBlobInfo proto

* Update barrierTypeUpgradeCheck signature
2018-10-19 14:43:57 -07:00
Vishal Nayak c677cd0790
Case insensitive identity names (#5404)
* case insensitive identity names

* TestIdentityStore_GroupHierarchyCases

* address review feedback

* Use errwrap.Contains instead of errwrap.ContainsType

* Warn about duplicate names all the time to help fix them

* Address review feedback
2018-10-19 12:47:26 -07:00
Chris Hoffman 09a4c8214f
safely clean up loaded map (#5558) 2018-10-19 15:21:42 -04:00
Jeff Mitchell 841c4fcdd1 Merge branch 'master-oss' into 1.0-beta-oss 2018-10-19 09:25:17 -04:00
Vishal Nayak 6ab030511c
Remove lookup check during alias removal (#5524)
* Possible fix for 5348

* Fix compilation
2018-10-18 07:53:12 -07:00
Vishal Nayak 5818977dca
Deprecate SHA1 in token store (#770)
* Deprecate SHA1 in token store

* Fallback to SHA1 for user selected IDs

* Fix existing tests

* Added warning

* Address some review feedback and remove root token prefix

* Tests for service token prefixing

* Salting utility tests

* Adjust OTP length for root token generation

* Fix tests

* Address review feedback
2018-10-17 13:23:04 -07:00
Jeff Mitchell 224fbd4a88 Merge branch 'master-oss' into 1.0-beta-oss 2018-10-16 10:08:03 -04:00
Jeff Mitchell 04e3f9b0f3
Add LastWAL in leader/health output (#5523) 2018-10-16 09:38:44 -04:00
Jeff Mitchell a64fc7d7cb
Batch tokens (#755) 2018-10-15 12:56:24 -04:00
Vivek Lakshmanan 2c55777606 Fix expiration handling to not leak goroutines (#5506)
* Fix expiration handling to not leak goroutines

* Apply feedback
2018-10-12 19:02:59 -07:00
Jim Kalafut 123e34f4a7
Don't copy HA lock file during migration (#5503) 2018-10-12 09:29:15 -07:00
Calvin Leung Huang b47e648ddf
Logger cleanup (#5480) 2018-10-09 09:43:17 -07:00
vishalnayak baad5a66fd Fix TestIdentityStore_GroupHierarchyCases 2018-10-05 05:46:09 -04:00
Vishal Nayak fbec18fef0
Added test for verifying member group id deletion (#5469) 2018-10-04 10:38:41 -07:00
Sebastian Plattner 782f8dedd2 Fix remove Group Member in Identity Group not working (#5466) 2018-10-04 09:27:29 -07:00
Jeff Mitchell ec2ab502fc make fmt 2018-10-02 14:30:10 -04:00
Calvin Leung Huang 37c0b83669
Add denylist check when filtering passthrough headers (#5436)
* Add denylist check when filtering passthrough headers

* Minor comment update
2018-10-01 12:20:31 -07:00
Martin 03fb39033f Add support for token passed Authorization Bearer header (#5397)
* Support Authorization Bearer as token header

* add requestAuth test

* remove spew debug output in test

* Add Authorization in CORS Allowed headers

* use const where applicable

* use less allocations in bearer token checking

* address PR comments on tests and apply last commit

* reorder error checking in a TestHandler_requestAuth
2018-10-01 10:33:21 -07:00
Vishal Nayak 8e66e474ca Ensure old group alias is removed when a new one is written (#5350) 2018-10-01 10:06:10 -07:00
Jeff Mitchell ef144c4c25 Send initialized information via sys/seal-status (#5424) 2018-09-27 14:03:37 -07:00
Joel Thompson 73112c49fb logical/aws: Harden WAL entry creation (#5202)
* logical/aws: Harden WAL entry creation

If AWS IAM user creation failed in any way, the WAL corresponding to the
IAM user would get left around and Vault would try to roll it back.
However, because the user never existed, the rollback failed. Thus, the
WAL would essentially get "stuck" and Vault would continually attempt to
roll it back, failing every time. A similar situation could arise if the
IAM user that Vault created got deleted out of band, or if Vault deleted
it but was unable to write the lease revocation back to storage (e.g., a
storage failure).

This attempts to harden it in two ways. One is by deleting the WAL log
entry if the IAM user creation fails. However, the WAL deletion could
still fail, and this wouldn't help where the user is deleted out of
band, so second, consider the user rolled back if the user just doesn't
exist, under certain circumstances.

Fixes #5190

* Fix segfault in expiration unit tests

TestExpiration_Tidy was passing in a leaseEntry that had a nil Secret,
which then caused a segfault as the changes to revokeEntry didn't check
whether Secret was nil; this is probably unlikely to occur in real life,
but good to be extra cautious.

* Fix potential segfault

Missed the else...

* Respond to PR feedback
2018-09-27 09:54:59 -05:00
Brian Kassouf f5d0541d5d
Fix Capabilities check when in a child namespace (#5406) 2018-09-26 15:10:36 -07:00
Brian Kassouf 8f212d702d
replication: Fix DR API checks when using a token (#5398) 2018-09-25 13:27:57 -07:00
Vishal Nayak 68a496dde4
Support operating on entities and groups by their names (#5355)
* Support operating on entities and groups by their names

* address review feedback
2018-09-25 12:28:28 -07:00
Martin 79ab601cdb use constant where x-vault-token was still hardcoded (#5392) 2018-09-25 09:34:40 -07:00
Calvin Leung Huang ed1e41ba5c
Short-circuit TestBackend_PluginMainEnv on plain test run (#5393) 2018-09-25 09:22:34 -07:00
Jeff Mitchell 33065a60db Fix compilation/protobuf 2018-09-22 17:58:39 -04:00
andrejvanderzee dc6ea9ecbb Fix for using ExplicitMaxTTL in auth method plugins. (#5379)
* Fix for using ExplicitMaxTTL in auth method plugins.

* Reverted pb.go files for readability of PR.

* Fixed indenting of comment.

* Reverted unintended change by go test.
2018-09-21 14:31:29 -07:00
Jim Kalafut 343c72dbe1
Detect and bypass cycles during token revocation (#5364)
Fixes #4803
2018-09-20 14:56:38 -07:00
Calvin Leung Huang 189b893b35
Add ability to provide env vars to plugins (#5359)
* Add ability to provide env vars to plugins

* Update docs

* Update docs with examples

* Refactor TestAddTestPlugin, remove TestAddTestPluginTempDir
2018-09-20 10:50:29 -07:00
Jeff Mitchell 919b968c27
The big one (#5346) 2018-09-17 23:03:00 -04:00
Jeff Mitchell f692c1e3a9 Revert "Detect and bypass cycles during token revocation (#5335)"
This reverts commit 00314eb4d1c5609a1935f653dc6f2fc83c0bfcc0.
2018-09-17 14:10:57 -04:00
Jim Kalafut 0ae6ec52b8
Detect and bypass cycles during token revocation (#5335)
Fixes #4803
2018-09-17 08:55:12 -07:00
Becca Petrin b2ff87c9c2
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 13:30:57 -07:00
vishalnayak e421972efb Remove group alias mdmdb update outside of UpsertGroupInTxn 2018-09-06 12:19:00 -04:00
Martin d51f3a45f7 Fix group alias loading when identity memdb is initialized (#5289) 2018-09-06 09:17:44 -07:00
Jeff Mitchell 95bdbbe85e
Port fix over that ensures we use the right step-down context (#5290) 2018-09-06 12:03:26 -04:00
Jeff Mitchell c28ed23972
Allow most parts of Vault's logging to have its level changed on-the-fly (#5280)
* Allow most parts of Vault's logging to have its level changed on-the-fly

* Use a const for not set
2018-09-05 15:52:54 -04:00
Jeff Mitchell c9e2cd93e8
Move logic around a bit to avoid holding locks when not necessary (#5277)
Also, ensure we are error checking the rand call
2018-09-05 11:49:32 -04:00
Chris Hoffman e2ed8d3d61
Fixing capabilities check for templated policies (#5250)
* fixing capabilities check for templated policies

* remove unnecessary change

* formatting
2018-09-04 14:18:59 -04:00
Brian Shumate 45f1ca162f Log 'marked as sealed' at INFO instead (#5260) 2018-09-04 10:53:40 -07:00
Becca Petrin 7a8c116fb1
undo make fmt (#5265) 2018-09-04 09:29:18 -07:00