Commit Graph

37 Commits

Author SHA1 Message Date
Vishal Nayak 0d077d7945
Recovery Mode (#7559)
* Initial work

* rework

* s/dr/recovery

* Add sys/raw support to recovery mode (#7577)

* Factor the raw paths out so they can be run with a SystemBackend.

# Conflicts:
#	vault/logical_system.go

* Add handleLogicalRecovery which is like handleLogical but is only
sufficient for use with the sys-raw endpoint in recovery mode.  No
authentication is done yet.

* Integrate with recovery-mode.  We now handle unauthenticated sys/raw
requests, albeit on path v1/raw instead v1/sys/raw.

* Use sys/raw instead raw during recovery.

* Don't bother persisting the recovery token.  Authenticate sys/raw
requests with it.

* RecoveryMode: Support generate-root for autounseals (#7591)

* Recovery: Abstract config creation and log settings

* Recovery mode integration test. (#7600)

* Recovery: Touch up (#7607)

* Recovery: Touch up

* revert the raw backend creation changes

* Added recovery operation token prefix

* Move RawBackend to its own file

* Update API path and hit it using CLI flag on generate-root

* Fix a panic triggered when handling a request that yields a nil response. (#7618)

* Improve integ test to actually make changes while in recovery mode and
verify they're still there after coming back in regular mode.

* Refuse to allow a second recovery token to be generated.

* Resize raft cluster to size 1 and start as leader (#7626)

* RecoveryMode: Setup raft cluster post unseal (#7635)

* Setup raft cluster post unseal in recovery mode

* Remove marking as unsealed as its not needed

* Address review comments

* Accept only one seal config in recovery mode as there is no scope for migration
2019-10-15 00:55:31 -04:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Jeff Mitchell 00295cd598
Save the original request body for forwarding (#6538)
* Save the original request body for forwarding

If we are forwarding a request after initial parsing the request body is
already consumed. As a result a forwarded call containing a request body
will have the body be nil. This saves the original request body for a
given request via a TeeReader and uses that in cases of forwarding past
body consumption.
2019-04-05 14:36:34 -04:00
Jeff Mitchell be2c8d0665 Fix tests 2018-05-29 17:02:52 -04:00
Jeff Mitchell b7005ad62d Fix missing verification nonce field 2018-05-29 16:13:08 -04:00
Jeff Mitchell c53717ba1c Fix panic and update some text 2018-05-29 13:13:47 -04:00
Jeff Mitchell 2d05e072b9 Fix a null pointer and update status threshold 2018-05-29 12:04:30 -04:00
Jeff Mitchell 14b65ff4db
Builds on top of #4600 to provide CLI support (#4605) 2018-05-28 00:39:53 -04:00
Jeff Mitchell 7e7163f826 Factor out a bunch of shared code 2018-05-21 17:46:32 -04:00
Jeff Mitchell 462afbd0b9 Address review feedback 2018-05-21 14:47:00 -04:00
Jeff Mitchell e07fd14eb7 More work on recovery test 2018-05-20 18:42:14 -04:00
Jeff Mitchell 6340add8c1 Finish non-recovery test 2018-05-20 02:42:15 -04:00
Jeff Mitchell 72af2d49f9 Update rekey methods to indicate proper error codes in responses 2018-05-19 23:43:48 -04:00
Jeff Mitchell e1339af520 Fix existing tests 2018-05-19 22:04:45 -04:00
Jeff Mitchell a9d8be3c4d WIP 2018-05-19 21:31:45 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Jeff Mitchell a787f97a9c
Re-add lost stored-shares parameter to operator rekey command. (#3974)
Also change the rekey API to not require explicitly setting values to 1.

Fixes #3969
2018-02-14 16:10:45 -05:00
Jeff Mitchell 33b68ebf3d Remove context from a few extraneous places 2018-01-19 03:44:06 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Jeff Mitchell a25dae82dd Final sync 2017-10-23 17:39:21 -04:00
Brian Kassouf a8d9426d9f Update locking components from DR replication changes (#3283)
* Update locking components from DR replication changes

* Fix plugin backend test

* Add a comment about needing the statelock:
2017-09-04 19:38:37 -04:00
Jeff Mitchell cd73714ff9 Fix error message grammar 2017-03-14 17:10:43 -04:00
Jeff Mitchell 0c39b613c8 Port some replication bits to OSS (#2386) 2017-02-16 15:15:02 -05:00
Jeff Mitchell 69eb5066dd Multi value test seal (#2281) 2017-01-17 15:43:10 -05:00
vishalnayak ba180a8e2b rekey: pgp keys input validation 2017-01-12 00:05:41 -05:00
Thomas Soëte c29e5c8bad Use 'http.MaxBytesReader' to limit request size (#2131)
Fix 'connection reset by peer' error introduced by 300b72e
2016-12-01 10:59:00 -08:00
Jeff Mitchell 5b79e5c115 Redirect rekey operation from standby to master (#1868) 2016-09-13 11:59:12 -04:00
Jeff Mitchell 62c69f8e19 Provide base64 keys in addition to hex encoded. (#1734)
* Provide base64 keys in addition to hex encoded.

Accept these at unseal/rekey time.

Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell 98d09b0dc6 Add seal tests and update generate-root and others to handle dualseal. 2016-04-25 19:39:04 +00:00
Jeff Mitchell afae46feb7 SealInterface 2016-04-04 10:44:22 -04:00
Jeff Mitchell 5f5542cb91 Return status for rekey/root generation at init time. This mitigates a
(very unlikely) potential timing attack between init-ing and fetching
status.

Fixes #1054
2016-02-12 14:24:36 -05:00
Jeff Mitchell 386aa408b7 Remove need for PUT in rekey. We've decided that POST and PUT are to
stay as synonyms for writes, so there's no reason to limit it for this
operation.
2016-01-14 16:52:34 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Jeff Mitchell cc232e6f79 Address comments from review. 2015-08-25 15:33:58 -07:00
Jeff Mitchell c887df93cc Add support for pgp-keys argument to rekey, as well as tests, plus
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Armon Dadgar 7964fa4d86 http: adding rekey handlers 2015-05-28 14:28:50 -07:00