Commit Graph

650 Commits

Author SHA1 Message Date
Vladimir Dimitrov 34f01920e9
Added plugin reload function to api (#8777)
* Added plugin reload function to api

* Apply suggestions from code review

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* go mod vendor

* addressing comments

* addressing comments

* add docs

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2020-05-04 11:14:23 -07:00
Scott Miller 2f0254d05a
Handle request errors during raft snapshot (#8861)
* Handle request errors during raft snapshot
2020-04-27 13:39:06 -05:00
Daniel Spangenberg 8007845ba4
Fix SRV Lookups (#8520)
* Pin HTTP Host header for all client requests
* Drop port map scheme
* Add SRV Lookup environment var
* Lookup SRV records only when env var is specified
* Add docs

Co-Authored-By: Michel Vocks <michelvocks@gmail.com>
2020-03-11 14:22:58 +01:00
Jeff Mitchell 7779c077e6 Bump API's SDK 2020-02-15 14:57:06 -05:00
Jeff Mitchell 509e25de21 Update api's sdk 2020-02-14 17:27:43 -05:00
Jeff Mitchell b0acc1d036 Update API's sdk 2020-02-13 10:40:35 -05:00
Michel Vocks f695eb737b
Add Consul TLS options to access API endpoint (#8253) 2020-01-29 09:44:35 +01:00
Michel Vocks 90f1d3813d
Fix redoing redirect response raft snapshot cli (#8211)
* Fix redoing redirect response raft snapshot cli

* Removed unnecessary lines of code

* go mod vendor
2020-01-27 11:25:52 +01:00
Jeff Mitchell 79ba7def56 Bump api's sdk 2020-01-10 20:40:44 -05:00
Jeff Mitchell a0694943cc
Migrate built in auto seal to go-kms-wrapping (#8118) 2020-01-10 20:39:52 -05:00
Becca Petrin c2894b8d05
Add Kerberos auth agent (#7999)
* add kerberos auth agent

* strip old comment

* changes from feedback

* strip appengine indirect dependency
2020-01-09 14:56:34 -08:00
Michel Vocks 73ae91fca8
Fix automatic token set for plugin unwrap requests (#8058)
* Fix automatic token set for plugin unwrap requests

* Change to ClearToken helper-method
2020-01-02 10:40:13 +01:00
Jeff Mitchell 33e4ef7654 Update api's sdk 2019-12-18 16:35:58 -05:00
Michel Vocks 0beb645830
Fix SRV lookup if address scheme is known (#8016) 2019-12-16 09:34:40 +01:00
Jeff Mitchell f2f984557e
Add ability to renew by accessor (#7817)
* Add renewing by accessor

* Add accessor renewing test and fix bug

* Update website docs

* Remove extra newline

* Add command-level test
2019-11-08 11:32:01 -05:00
Jeff Mitchell bde1fd9391 Bump API's SDK 2019-11-08 11:20:21 -05:00
Connor Poole 4588c56232 adding a write bytes method (#7611) 2019-11-07 17:54:05 -08:00
Jeff Mitchell 2b2e61db82
Revert change suggested by vet. See the comment for details. (#7815) 2019-11-06 17:03:37 -05:00
Jeff Mitchell 950dff9ad5
Update API to use lease_id in body of sys/leases/revoke call (#7777)
We didn't make this change earlier because not everyone would have had
an updated version of Vault with this API change but it's definitely
time.

Fixes https://github.com/hashicorp/vault-ssh-helper/issues/40
2019-11-05 16:14:28 -05:00
Jeff Mitchell 519d1b3cb8
Fix some vet issues in api package (#7789)
* Dropped cancel func
* Bad struct tag
2019-11-05 12:07:06 -05:00
Jeff Mitchell 5c3649defe Sync up Agent and API's renewers. (#7733)
* Sync up Agent and API's renewers.

This introduces a new type, LifetimeWatcher, which can handle both
renewable and non-renewable secrets, modeled after the version in Agent.
It allows the user to select behavior, with the new style being the
default when calling Start(), and old style if using the legacy Renew()
call.

No tests have been modified (except for reflect issues) and no other
code has been modified to make sure the changes are backwards
compatible.

Once this is accepted I'll pull the Agent version out.

* Move compat flags to NewRenewer

* Port agent to shared lifetime watcher lib
2019-10-28 17:28:59 -07:00
Joe Dollard 7f843c4c9b support setting the API client retry policy (#7331) 2019-10-28 15:54:59 -04:00
Lexman c86fe212c0
oss changes for entropy augmentation feature (#7670)
* oss changes for entropy augmentation feature

* fix oss command/server/config tests

* update go.sum

* fix logical_system and http/ tests

* adds vendored files

* removes unused variable
2019-10-17 10:33:00 -07:00
ncabatoff db43d22325
Do not allow the same header map to be shared across requests. (#7690) 2019-10-17 11:48:15 -04:00
Vishal Nayak 0d077d7945
Recovery Mode (#7559)
* Initial work

* rework

* s/dr/recovery

* Add sys/raw support to recovery mode (#7577)

* Factor the raw paths out so they can be run with a SystemBackend.

# Conflicts:
#	vault/logical_system.go

* Add handleLogicalRecovery which is like handleLogical but is only
sufficient for use with the sys-raw endpoint in recovery mode.  No
authentication is done yet.

* Integrate with recovery-mode.  We now handle unauthenticated sys/raw
requests, albeit on path v1/raw instead v1/sys/raw.

* Use sys/raw instead raw during recovery.

* Don't bother persisting the recovery token.  Authenticate sys/raw
requests with it.

* RecoveryMode: Support generate-root for autounseals (#7591)

* Recovery: Abstract config creation and log settings

* Recovery mode integration test. (#7600)

* Recovery: Touch up (#7607)

* Recovery: Touch up

* revert the raw backend creation changes

* Added recovery operation token prefix

* Move RawBackend to its own file

* Update API path and hit it using CLI flag on generate-root

* Fix a panic triggered when handling a request that yields a nil response. (#7618)

* Improve integ test to actually make changes while in recovery mode and
verify they're still there after coming back in regular mode.

* Refuse to allow a second recovery token to be generated.

* Resize raft cluster to size 1 and start as leader (#7626)

* RecoveryMode: Setup raft cluster post unseal (#7635)

* Setup raft cluster post unseal in recovery mode

* Remove marking as unsealed as its not needed

* Address review comments

* Accept only one seal config in recovery mode as there is no scope for migration
2019-10-15 00:55:31 -04:00
Mike Jarmy 510d82551a
Vault Agent Cache Auto-Auth SSRF Protection (#7627)
* implement SSRF protection header

* add test for SSRF protection header

* cleanup

* refactor

* implement SSRF header on a per-listener basis

* cleanup

* cleanup

* creat unit test for agent SSRF

* improve unit test for agent SSRF

* add VaultRequest SSRF header to CLI

* fix unit test

* cleanup

* improve test suite

* simplify check for Vault-Request header

* add constant for Vault-Request header

* improve test suite

* change 'config' to 'agentConfig'

* Revert "change 'config' to 'agentConfig'"

This reverts commit 14ee72d21fff8027966ee3c89dd3ac41d849206f.

* do not remove header from request

* change header name to X-Vault-Request

* simplify http.Handler logic

* cleanup

* simplify http.Handler logic

* use stdlib errors package
2019-10-11 18:56:07 -04:00
Brian Kassouf 024c29c36a
OSS portions of raft non-voters (#7634)
* OSS portions of raft non-voters

* add file

* Update vault/raft.go

Co-Authored-By: Vishal Nayak <vishalnayak@users.noreply.github.com>
2019-10-11 11:56:59 -07:00
Nick Cabatoff 85e387439e go mod vendor and go mod tidy 2019-10-04 09:14:37 -04:00
Calvin Leung Huang 3f1c7c86a0
sys: add host-info endpoint (#7330)
* sys: add host-info endpoint, add client API method

* remove old commented handler

* add http tests, fix bugs

* query all partitions for disk usage

* fix Timestamp decoding

* add comments for clarification

* dont append a nil entry on disk usage query error

* remove HostInfo from the sdk api

We can use Logical().Read(...) to query this endpoint since the payload is contained with the data object. All warnings are preserved under Secret.Warnings.

* ensure that we're testing failure case against a standby node

* add and use TestWaitStandby to ensure core is on standby

* remove TestWaitStandby

* respond with local-only error

* move HostInfo into its own helper package

* fix imports; use new no-forward handler

* add cpu times to collection

* emit clearer multierrors/warnings by collection type

* add comments on HostInfo fields
2019-10-03 09:43:52 -07:00
Jeff Mitchell 1fd71ed774 Bump API's SDK 2019-09-19 09:42:45 -04:00
Matthew Irish 6e4cc02f4d
expose 'storage_type' on the sys/seal-status endpoint (#7486)
* expose 'storage_type' on the sys/seal-status endpoint

* add comments

* Update vault/core.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
2019-09-18 14:07:18 -05:00
Jeff Mitchell fbfeda9576 Bump API's sdk 2019-09-18 09:10:23 -04:00
Mike Jarmy ecfcdc329e
use api.Config.Timeout instead of http.Client.Timeout for 60s request timeout default (#7469) 2019-09-13 08:28:58 -04:00
Jeff Mitchell 3190d37915 Update api's SDK 2019-09-04 12:45:30 -04:00
Jeff Mitchell faa4f6bb77 Bump retryablehttp again 2019-08-26 15:39:27 -04:00
Jeff Mitchell be5a2bde22 Bump go-retryablehttp version 2019-08-26 14:44:03 -04:00
Jeff Mitchell a8e9bdaaf4 Bump api's sdk 2019-08-05 18:02:15 -04:00
Jeff Mitchell 356faff9ab Update api's sdk 2019-07-30 00:23:57 -04:00
Jeff Mitchell 522c11e654 Update api's sdk version 2019-07-25 12:57:51 -04:00
Jeff Mitchell 5c898b8674 Pull in sdk 0.1.12 to api 2019-07-25 12:16:06 -04:00
Nick Cabatoff 3f1d1765ec Update sdk to grpc 1.22 for https://github.com/grpc/grpc-go/pull/2818 which caused intermittent ent test failures. 2019-07-24 11:45:58 -04:00
Jeff Mitchell 58dcca680a Bump API's SDK 2019-07-19 10:39:32 -04:00
Calvin Leung Huang e869893df3
logical: add support for passing data to delete (#7139)
* logical: add support for passing data to delete

* add back raft bit

* add back raft bit

* update error message

* fix command delete tests
2019-07-18 10:42:36 -07:00
Jeff Mitchell f522dd8f35
Add backwards compat support for API env vars (#7135)
Several env vars got renamed in
https://github.com/hashicorp/vault/pull/6306. This re-adds support for
those.

Indirectly addresses
https://github.com/hashicorp/consul-template/pull/1233 although they
should still update to the new values.
2019-07-17 06:29:25 -04:00
Jeff Mitchell b12a49f19f Bump api's sdk 2019-07-09 04:01:32 -04:00
Jeff Mitchell b86c920b6c Bump sdk in api 2019-07-08 19:04:47 -04:00
Jeff Mitchell 6be11db56e Update api's sdk 2019-07-03 00:13:12 -04:00
Jeff Mitchell 28b5670d49 Bump api's sdk 2019-07-02 22:18:09 -04:00
Jeff Mitchell 3168ae809b Bump sdk 2019-07-02 10:24:43 -04:00
Jeff Mitchell 5217bb882f Bump API's sdk 2019-07-02 09:52:36 -04:00
Jeff Mitchell fc4491890b Bump api's sdk import 2019-07-01 18:29:23 -04:00
Michel Vocks 2b5aca4300
Token identity support (#6267)
* Implemented token backend support for identity

* Fixed tests

* Refactored a few checks for the token entity overwrite. Fixed tests.

* Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list

* go mod vendor

* Added glob pattern

* Optimized allowed entity alias check

* Added test for asterisk only

* Changed to glob pattern anywhere

* Changed response code in case of failure. Changed globbing pattern check. Added docs.

* Added missing token role get parameter. Added more samples

* Fixed failing tests

* Corrected some cosmetical review points

* Changed response code for invalid provided entity alias

* Fixed minor things

* Fixed failing test
2019-07-01 11:39:54 +02:00
Jeff Mitchell 346a31fddf
Add a deprecated helper to tokenutil and JSON output to path-help (#7006) 2019-06-27 12:56:31 -04:00
Alex Dadgar 831a3afca9
API Response returns specialized error type (#6984)
* Return specialized error type

* Add a helper for extracting gRPC codes from errors

* Fix spacing in example

* Drop grpc codes

* Fix storing of decoded errors
2019-06-26 11:35:08 -07:00
Vishal Nayak 9296ca1f8c
raft join tls (#6932) 2019-06-21 17:41:07 -04:00
Jeff Mitchell 7a4726ed22 Bump api go.mod 2019-06-20 23:21:14 -04:00
Vishal Nayak 53035ce390
Raft CLI (#6893)
* raft cli

* Reuse the command's client

* Better response handling

* minor touchups
2019-06-20 21:32:00 -04:00
Jeff Mitchell 1a7fee63e3 Update sdk in api/ 2019-06-18 14:50:21 -04:00
Jeff Mitchell c466791207 Bump API's SDK version 2019-06-18 12:23:16 -04:00
Jeff Mitchell 49ca5cec91 Bump api against latest sdk 2019-06-18 11:18:22 -04:00
Jeff Mitchell 51f3d3137f Update vendoring and api/sdk 2019-06-14 14:29:16 -04:00
Michel Vocks fcf1b9c54e
Fixed wrong rekey recovery backup client API URL (#6841)
* Fixed wrong rekey recovery backup client API URL

* Fixed wrong rekey recovery backup client API URL delete

* Changed output for recovery backup key delete
2019-06-11 10:05:44 +02:00
Michel Vocks 71e99d9490 Added missing entity_id to SecretAuth struct (#6819) 2019-06-04 10:04:20 -07:00
Lexman c497ac7da1 duplicates some constants defined in pluginutil to avoid depending on x/net/trace (#6703) 2019-05-08 16:21:23 -07:00
Brian Kassouf 04d0ddfdae
Add mount UUID to the secret and auth list API responses (#6633) 2019-04-24 12:27:43 -07:00
Jeff Mitchell fe8ead5f2d go mod tidy and go mod vendor 2019-04-23 20:58:55 -04:00
Jeff Mitchell 4dd880871e Update to SDK v0.1.8 2019-04-15 13:49:21 -04:00
Jeff Mitchell ffd6a87959 More rearranging of API and SDK 2019-04-15 13:38:08 -04:00
Jeff Mitchell 4567a11c02 Fix up package name 2019-04-15 12:22:58 -04:00
Jeff Mitchell f491851ed1 Move some things around in api/sdk 2019-04-15 12:14:20 -04:00
Jeff Mitchell d75b680bb1 Update go.sum in API 2019-04-15 10:49:41 -04:00
Jeff Mitchell c591f20836 Update API go mod with sdk tag 2019-04-12 17:56:53 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Jeff Mitchell 9f0a6edfcb
Remove some instances of potential recursive locking (#6548) 2019-04-08 12:45:28 -04:00
ncabatoff 9670ec28b1 api.NewClient() now uses $VAULT_NAMESPACE as an input. (#6470)
* api.NewClient() now uses $VAULT_NAMESPACE as an input.

* Remove bogus comments.
2019-03-25 13:23:59 -05:00
Austin Green 7fd469af88 Correct variables in "got %v expect %v" errors (#6437) 2019-03-19 09:34:13 -07:00
Jeff Mitchell a0c8544071
Stop some curl whining (#6385)
GET is inferred, so make curl whine less by not printing it
2019-03-08 14:14:50 -05:00
Jeff Mitchell c4001cc40d This moves api_test package tests into vault/external_tests
This prevents projects importing Vault's API from then also importing
the rest of Vault.
2019-03-06 11:20:42 -05:00
Vishal Nayak 1fca0f7b6f Explicit setting of url fields (#6349) 2019-03-05 12:20:16 -08:00
Vishal Nayak ac2b499fc9
Support reading Vault's address from Agent's config file (#6306)
* Support reading Vault's address from Agent's config file

* use consts and switch

* Add tls options to agent config vault block

* Update command/agent/config/config.go

Co-Authored-By: vishalnayak <vishalnayak@users.noreply.github.com>

* remove fmt.Printfs
2019-02-28 17:29:28 -05:00
Vishal Nayak 5037185d5d
Agent Cache: Some review feedback (#6257)
* Revamp agent cache client

* Update command/agent.go

Co-Authored-By: vishalnayak <vishalnayak@users.noreply.github.com>

* Agent cache auto auth token lookup case (#6258)

* agent cache auto auth token lookup case

* Use Blake2b256Hash instead of SHA256

* agent/cache: update cache-clear endpoint; use bytes.NewReader instead (#6259)

* agent/cache: update cache-clear endpoint; use bytes.NewReader instead

* agent/cache: Fix TestCache_ComputeIndexID after switching to blake2b

* agent/cache: Only parse response body if it's non-nil (#6260)

* Differently disable agent address in the API client

* Remove DisableAgent
2019-02-19 16:53:29 -05:00
Vishal Nayak 614ec67b05
address some review back (#6237) 2019-02-15 13:40:03 -05:00
Vishal Nayak feb235d5f8
Vault Agent Cache (#6220)
* vault-agent-cache: squashed 250+ commits

* Add proper token revocation validations to the tests

* Add more test cases

* Avoid leaking by not closing request/response bodies; add comments

* Fix revoke orphan use case; update tests

* Add CLI test for making request over unix socket

* agent/cache: remove namespace-related tests

* Strip-off the auto-auth token from the lookup response

* Output listener details along with configuration

* Add scheme to API address output

* leasecache: use IndexNameLease for prefix lease revocations

* Make CLI accept the fully qualified unix address

* export VAULT_AGENT_ADDR=unix://path/to/socket

* unix:/ to unix://
2019-02-14 20:10:36 -05:00
Jeff Mitchell 5f249d4005
Add allowed_response_headers (#6115) 2019-02-05 16:02:15 -05:00
Jeff Mitchell 82ee4176e6
Add the ability to print curl commands from CLI (#6113) 2019-02-01 17:13:51 -05:00
Jeff Mitchell f7a35d4f49 Add missing performance_standby field to API 2019-01-17 18:15:00 -05:00
Jeff Mitchell 28bd394d8b
Fix a couple of instances where we are using LIST verb (#6026)
* Fix a couple of instances where we are using LIST verb

We specify it for the wrapping lookup function but for broader
compatibility with proxies and such we want to filter it to a GET. In a
couple of places we weren't doing that, so this updates those locations.
2019-01-10 19:57:00 -05:00
Jim Kalafut d0e2badbae Run goimports across the repository (#6010)
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Jeff Mitchell fff8976671 Update backwards compat fix from 5913 2018-12-12 15:36:28 -05:00
Nándor István Krácser 8bd1ce1864 Fix list plugins backward compatibility mechanism (#5913) 2018-12-12 15:33:09 -05:00
Becca Petrin a96f1f75ee Restore plugin name for backwards compatibility (#5825)
* re-add plugin name for backwards compat

* add plugin name to table for backwards compat

* conditionally set the plugin name

* Update command/auth_list.go

Co-Authored-By: tyrannosaurus-becks <beccapetrin@posteo.net>

* Update command/secrets_list.go

Co-Authored-By: tyrannosaurus-becks <beccapetrin@posteo.net>

* update auth and secrets list commands

* add comments regarding deprecation
2018-11-19 16:41:17 -08:00
Calvin Leung Huang 907dd834ff Revert deprecated plugin var names (#5822)
* Revert field back to ListPluginsResponse.Names

* Revert field back to MountConfig.PluginName and APIMountConfig.PluginName
2018-11-19 15:23:48 -08:00
Calvin Leung Huang e99957aed9
Support registering plugin with name only (#5787)
* Support registering plugin with name only

* Make RegisterPlugin backwards compatible

* Add CLI backwards compat command to plugin info and deregister

* Add server-side deprecation warnings if old read/dereg API endpoints are called

* Address feedback
2018-11-15 14:33:11 -08:00
Sander van Harmelen d4328a6684 Use a pooled HTTP client for the Vault CLI (#5734)
As the CLI client is initialized with a specific Vault address, is makes
sense to use the pooled HTTP client here. This will prevent setting up
new TCP sessions for each API call that the client needs to make.
2018-11-09 10:46:57 -05:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
Jeff Mitchell 3b8d0ed72c Update comment on API client's clone method 2018-11-01 12:26:18 -04:00
Vishal Nayak d3d6034ee5 Use sys/policies/acl instead of sys/policy/ (#5583) 2018-10-29 13:11:19 -04:00
Jeff Mitchell 82992d6097
Seal migration (OSS) (#781) 2018-10-22 23:34:02 -07:00
Jeff Mitchell 224fbd4a88 Merge branch 'master-oss' into 1.0-beta-oss 2018-10-16 10:08:03 -04:00
Jeff Mitchell 04e3f9b0f3
Add LastWAL in leader/health output (#5523) 2018-10-16 09:38:44 -04:00
Jeff Mitchell a64fc7d7cb
Batch tokens (#755) 2018-10-15 12:56:24 -04:00
Jeff Mitchell ef144c4c25 Send initialized information via sys/seal-status (#5424) 2018-09-27 14:03:37 -07:00
Martin 79ab601cdb use constant where x-vault-token was still hardcoded (#5392) 2018-09-25 09:34:40 -07:00
Jeff Mitchell 4b45d8210f
Possibly fix Nomad capabilities issue (#5360) 2018-09-19 13:06:37 -04:00
Brian Kassouf c603a8b811
Add performance standby status to status output (#5192)
* Add performance standby status to status output

* Update ha.go
2018-08-27 10:01:07 -07:00
Jeff Mitchell aec9a689a0 Sync over some stuff 2018-08-24 12:09:03 -04:00
Jeff Mitchell 66a0029195 Sync some ns stuff to api/command 2018-08-22 14:37:40 -04:00
Jeff Mitchell f1d72abb39 Remove injection into top routes (#5101) 2018-08-14 15:29:22 -04:00
Jeff Mitchell 74175b29af
Add support for passing args via `vault read` (#5093)
We support this in the API as of 0.10.2 so read should support it too.

Trivially tested with some log info:

`core: data: data="map[string]interface {}{"zip":[]string{"zap", "zap2"}}"`
2018-08-13 22:00:26 -04:00
Jeff Mitchell fb3c7eb449 Port some ns stuff over 2018-08-10 12:13:11 -04:00
Jeff Mitchell 3403c7ad9c Add headers accessor and ns function 2018-08-09 18:29:03 -04:00
Jeff Mitchell 67b160eb42 Add json tag to names response for sys_plugins 2018-08-09 18:02:03 -04:00
Calvin Leung Huang b5c8b3d4c5 Clean up container on connection failure, switch to ory/dockertest on package postgresql (#5050) 2018-08-07 09:56:33 -07:00
Jeff Mitchell 982fd6f9c8 Fix stepdown body closing 2018-08-04 11:50:29 -04:00
Brian Kassouf beda7845f6
API: Add context to each raw request call (#4987) 2018-07-24 15:49:55 -07:00
Seth Vargo 1259ee6743 Add plugin CLI for interacting with the plugin catalog (#4911)
* Add 'plugin list' command

* Add 'plugin register' command

* Add 'plugin deregister' command

* Use a shared plugin helper

* Add 'plugin read' command

* Rename to plugin info

* Add base plugin for help text

* Fix arg ordering

* Add docs

* Rearrange to alphabetize

* Fix arg ordering in example

* Don't use "sudo" in command description
2018-07-13 10:35:08 -07:00
Calvin Leung Huang f801f4b808
Add description flag to secrets and auth tune subcommands (#4894)
* Add description flag to secrets and auth tune subcommands

* Allow empty description to be provided in secret and auth mount tune

* Use flagNameDescription
2018-07-12 11:15:50 -04:00
Jeff Mitchell cd51a769ca Fix tests 2018-07-12 10:18:50 -04:00
Jeff Mitchell 4b354e1110
Re-add dockertest and fix up imports and update script (#4909) 2018-07-11 17:49:13 -04:00
Jeff Mitchell 98bf463a65 Make single-lease revocation behave like expiration (#4883)
This change makes it so that if a lease is revoked through user action,
we set the expiration time to now and update pending, just as we do with
tokens. This allows the normal retry logic to apply in these cases as
well, instead of just erroring out immediately. The idea being that once
you tell Vault to revoke something it should keep doing its darndest to
actually make that happen.
2018-07-11 15:45:35 -04:00
Jeff Mitchell 5d44c54947
Changes the way policies are reported in audit logs (#4747)
* This changes the way policies are reported in audit logs.

Previously, only policies tied to tokens would be reported. This could
make it difficult to perform after-the-fact analysis based on both the
initial response entry and further requests. Now, the full set of
applicable policies from both the token and any derived policies from
Identity are reported.

To keep things consistent, token authentications now also return the
full set of policies in api.Secret.Auth responses, so this both makes it
easier for users to understand their actual full set, and it matches
what the audit logs now report.
2018-06-14 09:49:33 -04:00
Calvin Leung Huang c4abeb9ea5
Move checkHCLKeys into hclutil (#4749) 2018-06-12 12:38:08 -04:00
Jeff Mitchell c7981e6417
Clean up request logic and use retryable's more efficient handling (#4670) 2018-06-01 09:12:43 -04:00
Jeff Mitchell b7005ad62d Fix missing verification nonce field 2018-05-29 16:13:08 -04:00
Jeff Mitchell bd0ac25eb9
Merge branch 'master' into rekey-verification 2018-05-29 10:19:57 -04:00
Jeff Mitchell 14b65ff4db
Builds on top of #4600 to provide CLI support (#4605) 2018-05-28 00:39:53 -04:00
Jeff Mitchell 35cb9bc517
Redo API client locking (#4551)
* Redo API client locking

This assigns local values when in critical paths, allowing a single API
client to much more quickly and safely pipeline requests.

Additionally, in order to take that paradigm all the way it changes how
timeouts are set. It now uses a context value set on the request instead
of configuring the timeout in the http client per request, which was
also potentially quite racy.

Trivially tested with
VAULT_CLIENT_TIMEOUT=2 vault write pki/root/generate/internal key_type=rsa key_bits=8192
2018-05-25 14:38:06 -04:00
Jeff Mitchell c55a2ec486 Finish api tests for verification 2018-05-20 19:01:24 -04:00
Jeff Mitchell e07fd14eb7 More work on recovery test 2018-05-20 18:42:14 -04:00
Jeff Mitchell acce3997a8 Start of seal improvements for testing 2018-05-20 17:49:37 -04:00
Jeff Mitchell cd70d1ca92 Refactor test to add recovery support 2018-05-20 17:38:04 -04:00
Jeff Mitchell 6340add8c1 Finish non-recovery test 2018-05-20 02:42:15 -04:00
Jeff Mitchell b5868a1de7 Add some more test structure and update test 2018-05-20 00:02:45 -04:00
Jeff Mitchell 72af2d49f9 Update rekey methods to indicate proper error codes in responses 2018-05-19 23:43:48 -04:00
Jeff Mitchell f7e37de648 Re-add capability to unwrap pre-0.6.2 wrapping tokens 2018-05-15 20:01:58 -04:00
Lucy Davinhart 4b8589a9b8 Fix syntax errors causing api package to fail tests (#4555) 2018-05-11 16:28:03 -04:00
Jeff Mitchell c011cefed4
Fix panic when running capabilities CLI command with multiple paths (#4553)
* Fix panic using 'vault token capabilities' with more than one path

Fixes #4552

* Add test
2018-05-11 11:58:12 -04:00
Jeff Mitchell 03b3914151 Fix fmt 2018-05-11 11:50:10 -04:00
Robbie McKinstry 9765779622 Client side rate limiting (#4421) 2018-05-11 10:42:06 -04:00
Jeff Mitchell af802275bd
Fix response wrapping from K/V version 2 (#4511)
This takes place in two parts, since working on this exposed an issue
with response wrapping when there is a raw body set. The changes are (in
diff order):

* A CurrentWrappingLookupFunc has been added to return the current
value. This is necessary for the lookahead call since we don't want the
lookahead call to be wrapped.

* Support for unwrapping < 0.6.2 tokens via the API/CLI has been
removed, because we now have backends returning 404s with data and can't
rely on the 404 trick. These can still be read manually via
cubbyhole/response.

* KV preflight version request now ensures that its calls is not
wrapped, and restores any given function after.

* When responding with a raw body, instead of always base64-decoding a
string value and erroring on failure, on failure we assume that it
simply wasn't a base64-encoded value and use it as is.

* A test that fails on master and works now that ensures that raw body
responses that are wrapped and then unwrapped return the expected
values.

* A flag for response data that indicates to the wrapping handling that
the data contained therein is already JSON decoded (more later).

* RespondWithStatusCode now defaults to a string so that the value is
HMAC'd during audit. The function always JSON encodes the body, so
before now it was always returning []byte which would skip HMACing. We
don't know what's in the data, so this is a "better safe than sorry"
issue. If different behavior is needed, backends can always manually
populate the data instead of relying on the helper function.

* We now check unwrapped data after unwrapping to see if there were raw
flags. If so, we try to detect whether the value can be unbase64'd. The
reason is that if it can it was probably originally a []byte and
shouldn't be audit HMAC'd; if not, it was probably originally a string
and should be. In either case, we then set the value as the raw body and
hit the flag indicating that it's already been JSON decoded so not to
try again before auditing. Doing it this way ensures the right typing.

* There is now a check to see if the data coming from unwrapping is
already JSON decoded and if so the decoding is skipped before setting
the audit response.
2018-05-10 15:40:03 -04:00
Jeff Mitchell a287830985 Update comment around legacy bool in API 2018-05-09 20:35:51 -04:00
Jeff Mitchell aa80a7e502 Change retry timing to be a little less long 2018-05-09 18:33:51 -04:00
Jeff Mitchell 6d9fce63c6 Adjust MaxRetries for retryablehttp 2018-05-09 18:24:41 -04:00
Jeff Mitchell 2dc9276e4c Update go-retryablehttp and use PassthroughErrorHandler 2018-05-09 18:11:08 -04:00
Jeff Mitchell 7f886b5675 Update go-retryablehttp vendor 2018-05-09 17:44:53 -04:00
Jeff Mitchell 2eb463aa8c Remove outdated renewer test 2018-05-09 12:33:20 -04:00
Jeff Mitchell 2ecc42ed22 Grace is deprecated so mark as such 2018-05-09 10:02:06 -04:00
Calvin Leung Huang 8708fe8d6c Move timeout declaration outside of for loop, break out early if renewed cleanly (#4522) 2018-05-07 13:47:55 -07:00
Jeff Mitchell 58bc941b71 Fix #4472 a better way
Unlike switch, select will randomly choose from among multiple cases if
more than one are satisfiable.
2018-05-07 16:13:04 -04:00
Jeff Mitchell e2bb955673 Revert "Close the doneCh in the renewer when we return from Renew. (#4513)"
This reverts commit 79c708f8b6df13766830d4690e3688ccb49dc335.
2018-05-07 16:11:39 -04:00
Jeff Mitchell 714ecf86fc
Close the doneCh in the renewer when we return from Renew. (#4513)
Closes #4472
2018-05-04 13:25:08 -04:00
Calvin Leung Huang 7d214d2a3a
Purge opened connections on retries during tests (#4452) 2018-04-26 11:28:58 -04:00
Calvin Leung Huang 969a95f6ed
Refactor renewer tests (#4433) 2018-04-24 01:26:10 -04:00
Jeff Mitchell acad9fcec3 Purge structs from API.
Its use provides no value (in the current code, not generally) and has
already caused one bug (#4325).
2018-04-09 22:23:56 -04:00
Jeff Mitchell d089ff613b
Don't run every tune function every time tune is called. (#4325) 2018-04-09 22:17:37 -04:00
Calvin Leung Huang 172cb7ee6a
Extend the TTL on the token for renewer auth test (#4297) 2018-04-06 12:24:01 -04:00
Calvin Leung Huang fb81016252
Fix output-related tests (#4288)
* Fix command tests

* More test fixes

* Use backticks to escape quoted strings

* More test fixes

* Fix mismatched error output failures

* Fix mismatched error output failures
2018-04-05 20:43:29 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Jeff Mitchell fe2fa0030f
Rejig 404 handling again. (#4264)
Done this way, existing tests pass, and it makes logical sense, so we're
likely to have the least impact like this.
2018-04-04 04:41:46 -04:00
Jeff Mitchell 1481dd35b5 Revert "On 404 if there is no actual body, return orig err. (#4262)"
This reverts commit 389c88482059a1db90a0e8ad985b1a0eeda13070.
2018-04-04 03:50:24 -04:00
Jeff Mitchell 4f2e26bbe7
On 404 if there is no actual body, return orig err. (#4262)
This keeps better backwards compat; we'll only swallow the original
error if there's actually other data or warnings returned.
2018-04-04 01:57:08 -04:00
Jeff Mitchell 409524a829 Stretch the renewer test a bit to give Travis some more time to deal with it 2018-04-03 22:36:14 -04:00
Jeff Mitchell 599f691141
Allow returning warnings and other data in 404s in the Go API (#4256)
* Allow returning list information and other data in 404s.

On read it'll output data and/or warnings on a 404 if they exist. On
list, the same behavior; the actual 'vault list' command doesn't change
behavior though in terms of output unless there are no actual keys (so
it doesn't just magically show other data).

This corrects some assumptions in response_util and wrapping.go; it also
corrects a few places in the latter where it could leak a (useless)
token in some error cases.

* Use same 404 logic in delete/put too

* Add the same secret parsing logic to the KV request functions
2018-04-03 22:35:45 -04:00
Alex Dadgar 6a824383b6 Don't swallow logical.Unwrap error (#4258)
This PR fixes the error handling in the api packages logical.Unwrap
method. Previously if there was an error making the request to Vault,
the error was only returned if there was an HTTP response and the status
code was not a 404.

The new code returns all errors but does special case handling if the
response code is a 404.
2018-04-03 17:11:01 -04:00
Becca Petrin 03cf302e9a Move to "github.com/hashicorp/go-hclog" (#4227)
* logbridge with hclog and identical output

* Initial search & replace

This compiles, but there is a fair amount of TODO
and commented out code, especially around the
plugin logclient/logserver code.

* strip logbridge

* fix majority of tests

* update logxi aliases

* WIP fixing tests

* more test fixes

* Update test to hclog

* Fix format

* Rename hclog -> log

* WIP making hclog and logxi love each other

* update logger_test.go

* clean up merged comments

* Replace RawLogger interface with a Logger

* Add some logger names

* Replace Trace with Debug

* update builtin logical logging patterns

* Fix build errors

* More log updates

* update log approach in command and builtin

* More log updates

* update helper, http, and logical directories

* Update loggers

* Log updates

* Update logging

* Update logging

* Update logging

* Update logging

* update logging in physical

* prefixing and lowercase

* Update logging

* Move phyisical logging name to server command

* Fix som tests

* address jims feedback so far

* incorporate brians feedback so far

* strip comments

* move vault.go to logging package

* update Debug to Trace

* Update go-plugin deps

* Update logging based on review comments

* Updates from review

* Unvendor logxi

* Remove null_logger.go
2018-04-02 17:46:59 -07:00
Jeff Mitchell 2f90e0c2e1 Merge branch 'master-oss' into 0.10-beta 2018-03-27 12:40:30 -04:00
Seth Vargo b665909b09 Add API functions and completions for plugins (#4194) 2018-03-26 13:40:33 -04:00
Jeff Mitchell 9fdd367c6e Remove unnecessary Options field in MountConfigOutput 2018-03-22 00:05:19 -04:00
Calvin Leung Huang 25792df5a9
Passthrough request headers (#4172)
* Add passthrough request headers for secret/auth mounts

* Update comments

* Fix SyncCache deletion of passthrough_request_headers

* Remove debug line

* Case-insensitive header comparison

* Remove unnecessary allocation

* Short-circuit filteredPassthroughHeaders if there's nothing to filter

* Add whitelistedHeaders list

* Update router logic after merge

* Add whitelist test

* Add lowercase x-vault-kv-client to whitelist

* Add back const

* Refactor whitelist logic
2018-03-21 19:56:47 -04:00
Brian Kassouf cc625e19ee
Add options to mount tune and mount endpoints in preparation for versioning (#4155)
* Add some requirements for versioned k/v

* Add a warning message when an upgrade is triggered

* Add path help values

* Make the kv header a const

* Add the uid to mount entry instead of options map

* Pass the backend aware uuid to the mounts and plugins

* Fix comment

* Add options to secret/auth enable and tune CLI commands (#4170)

* Switch mount/tune options to use TypeKVPairs (#4171)

* switching options to TypeKVPairs, adding bool parse for versioned flag

* flipping bool check

* Fix leases coming back from non-leased pluin kv store

* add a test for updating mount options

* Fix tests
2018-03-21 12:04:27 -07:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Calvin Leung Huang f86881c295
Unauthenticated endpoint to list secret and auth mounts (#4134)
* Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs

* docs: Add ttl params to auth enable endpoint

* Rewording of go string to simply string

* Add audit hmac keys as CLI flags on auth/secrets enable

* Fix copypasta mistake

* WIP on auth-list endpoint

* Rename variable to be singular, add CLI flag, show value in auth and secrets list

* Add audit hmac keys to auth and secrets list

* Only set config values if they exist

* Fix http sys/auth tests

* More auth plugin_name test fixes

* Rename tag internal_ui_show_mount to _ui_show_mount

* Add tests

* Make endpoint unauthed

* Rename field to listing_visibility

* Add listing-visibility to cli tune commands

* Use ListingVisiblityType

* Fix type conversion

* Do not actually change token's value on testHttpGet

* Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-19 23:16:33 -04:00
Jeff Mitchell 90248c79b2
Update lease renewer logic (#4090)
* Add grace period calculation logic to renewer

* Update lease renewer logic.

It is believed by myself and members of the Nomad team that this logic
should be much more robust in terms of causing large numbers of new
secret acquisitions caused by a static grace period. See comments in the
code for details.

Fixes #3414

* Fix some commenting and fix tests

* Add more time to test so that integ tests don't time out

* Fix some review feedback
2018-03-19 15:48:24 -04:00
Calvin Leung Huang 3108860d4b
Audit HMAC values on AuthConfig (#4077)
* Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs

* docs: Add ttl params to auth enable endpoint

* Rewording of go string to simply string

* Add audit hmac keys as CLI flags on auth/secrets enable

* Fix copypasta mistake

* Add audit hmac keys to auth and secrets list

* Only set config values if they exist

* Fix http sys/auth tests

* More auth plugin_name test fixes

* Pass API values into MountEntry's config when creating auth/secrets mount

* Update usage wording
2018-03-09 14:32:28 -05:00
Nándor István Krácser f3573c9eea Fix typo (remove +is) (#4104) 2018-03-08 11:01:07 -05:00
Calvin Leung Huang e2fb199ce5
Non-HMAC audit values (#4033)
* Add non-hmac request keys

* Update comment

* Initial audit request keys implementation

* Add audit_non_hmac_response_keys

* Move where req.NonHMACKeys gets set

* Minor refactor

* Add params to auth tune endpoints

* Sync cache on loadCredentials

* Explicitly unset req.NonHMACKeys

* Do not error if entry is nil

* Add tests

* docs: Add params to api sections

* Refactor audit.Backend and Formatter interfaces, update audit broker methods

* Add audit_broker.go

* Fix method call params in audit backends

* Remove fields from logical.Request and logical.Response, pass keys via LogInput

* Use data.GetOk to allow unsetting existing values

* Remove debug lines

* Add test for unsetting values

* Address review feedback

* Initialize values in FormatRequest and FormatResponse using input values

* Update docs

* Use strutil.StrListContains

* Use strutil.StrListContains
2018-03-02 12:18:39 -05:00
Calvin Leung Huang 1bb4d165e7
Add TTL related config options on auth enable (#4019) 2018-02-22 10:26:29 -05:00
Calvin Leung Huang 60732577f5
CLI Enhancements (#3897)
* Use Colored UI if stdout is a tty

* Add format options to operator unseal

* Add format test on operator unseal

* Add -no-color output flag, and use BasicUi if no-color flag is provided

* Move seal status formatting logic to OutputSealStatus

* Apply no-color to warnings from DeprecatedCommands as well

* Add OutputWithFormat to support arbitrary data, add format option to auth list

* Add ability to output arbitrary list data on TableFormatter

* Clear up switch logic on format

* Add format option for list-related commands

* Add format option to rest of commands that returns a client API response

* Remove initOutputYAML and initOutputJSON, and use OutputWithFormat instead

* Remove outputAsYAML and outputAsJSON, and use OutputWithFormat instead

* Remove -no-color flag, use env var exclusively to toggle colored output

* Fix compile

* Remove -no-color flag in main.go

* Add missing FlagSetOutputFormat

* Fix generate-root/decode test

* Migrate init functions to main.go

* Add no-color flag back as hidden

* Handle non-supported data types for TableFormatter.OutputList

* Pull formatting much further up to remove the need to use c.flagFormat (#3950)

* Pull formatting much further up to remove the need to use c.flagFormat

Also remove OutputWithFormat as the logic can cause issues.

* Use const for env var

* Minor updates

* Remove unnecessary check

* Fix SSH output and some tests

* Fix tests

* Make race detector not run on generate root since it kills Travis these days

* Update docs

* Update docs

* Address review feedback

* Handle --format as well as -format
2018-02-12 18:12:16 -05:00
Gobin Sougrakpam 62ac4dfca0 Fix renewAuth to use the increment value (#3904) 2018-02-05 12:22:49 -05:00
Jeff Mitchell bab8db3328
Don't allow non-printable characters in the API client's token (#3841) 2018-01-24 19:57:49 -05:00
Jeff Mitchell 8e8675053b Sync some bits over 2018-01-22 21:44:49 -05:00
Jeff Mitchell ffc15201dd Allow API to return health response when in a custom state 2018-01-17 23:50:37 -05:00
Jeff Mitchell 842e3cb5dd Add replication mode sys health information to Go API 2018-01-17 22:50:37 -05:00
Paweł Słomka b994e83c65 Cleanup of deprecated commands in tests, docs (#3788) 2018-01-15 15:19:28 -05:00
Jeff Mitchell d1803098ae Merge branch 'master-oss' into sethvargo/cli-magic 2018-01-03 14:02:31 -05:00
Jeff Mitchell 2225b20ec9 Fix up comment 2017-12-18 10:11:24 -05:00
jaloren 82fd89b3b3 Support Incrementing Lease TTL in Renew api (#3688) 2017-12-18 10:09:59 -05:00
Chris Hoffman 0bacec0184
adding recovery info to seal status (#3706) 2017-12-18 09:58:14 -05:00
Jeff Mitchell 548629e8ef Port over some changes 2017-11-30 09:43:07 -05:00
Brian Kassouf 58dc99ac95 Update the path for generating DR Operation tokens (#3578) 2017-11-13 20:28:34 -05:00
Chris Hoffman 9e79e9b397
generate token functions to share common names (#3576) 2017-11-13 15:44:26 -05:00
Jeff Mitchell 2b78bc2a9b
Port over bits (#3575) 2017-11-13 15:31:32 -05:00
Jeff Mitchell d55f94f4a3
Plumb more seal wrap stuff through and move to outside layer of mount options (#3572) 2017-11-13 11:22:22 -05:00
Jeff Mitchell e4750fc793 Fix typo in test (and failure) 2017-11-13 10:35:36 -05:00
Jeff Mitchell 57f60c4f9f Fix client test 2017-11-12 12:34:56 -05:00
Jeff Mitchell 8efa6756c3
Make -client-cert and -client-key work when the server doesn't know (#3568)
about the CA used to sign the cert.

Stop swallowing an error in meta.

Fixes #2946
2017-11-10 18:16:50 -05:00
Jeff Mitchell 0798ccdd7c Populate config error in three node test function 2017-11-10 17:44:25 -05:00
Brian Kassouf ab3b625a3b
Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565)
* Add API and Command code for generating a DR Operation Token

* Update generate root to accept different token strategies
2017-11-10 10:19:42 -08:00
Jeff Mitchell 7e80b4b7ad
Minor client refactoring (#3539) 2017-11-06 12:06:19 -05:00
Jeff Mitchell d229d7d5b0
Redo API locking (#3508)
* Redo the API client quite a bit to make the behavior of NewClient more
predictable and add locking to make it safer to use with Clone() and if
multiple goroutines for some reason decide to change things.

Along the way I discovered that currently, the x/net/http2 package is
broke with the built-in h2 support in released Go. For those using
DefaultConfig (the vast majority of cases) this will be a non-event.
Others can manually call http2.ConfigureTransport as needed. We should
keep an eye on commits on that repo and consider more updates before
release. Alternately we could go back revisions but miss out on bug
fixes; my theory is that this is not a purposeful break and I'll be
following up on this in the Go issue tracker.

In a few tests that don't use NewTestCluster, either for legacy or other
reasons, ensure that http2.ConfigureTransport is called.

* Use tls config cloning

* Don't http2.ConfigureServer anymore as current Go seems to work properly without requiring the http2 package

* Address feedback
2017-11-02 09:30:04 -05:00