Commit graph

10840 commits

Author SHA1 Message Date
Clint 5309609758
Bump the Elasticsearch db dependency to latest, to pull in fixes to satisfy dbplugin.Database interface (#6929)
Merging despite the TravisCI tests failing, which do not support go modules
2019-06-19 17:40:07 -05:00
Jeff Mitchell 2a3649f73a changelog++ 2019-06-19 17:07:49 -04:00
Clint b55303eddb
Combined Database Backend: Static Accounts (#6834)
* Add priority queue to sdk

* fix issue of storing pointers and now copy

* update to use copy structure

* Remove file, put Item struct def. into other file

* add link

* clean up docs

* refactor internal data structure to hide heap method implementations. Other cleanup after feedback

* rename PushItem and PopItem to just Push/Pop, after encapsulating the heap methods

* updates after feedback

* refactoring/renaming

* guard against pushing a nil item

* minor updates after feedback

* Add SetCredentials, GenerateCredentials gRPC methods to combined database backend gPRC

* Initial Combined database backend implementation of static accounts and automatic rotation

* vendor updates

* initial implementation of static accounts with Combined database backend, starting with PostgreSQL implementation

* add lock and setup of rotation queue

* vendor the queue

* rebase on new method signature of queue

* remove mongo tests for now

* update default role sql

* gofmt after rebase

* cleanup after rebasing to remove checks for ErrNotFound error

* rebase cdcr-priority-queue

* vendor dependencies with 'go mod vendor'

* website database docs for Static Role support

* document the rotate-role API endpoint

* postgres specific static role docs

* use constants for paths

* updates from review

* remove dead code

* combine and clarify error message for older plugins

* Update builtin/logical/database/backend.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* cleanups from feedback

* code and comment cleanups

* move db.RLock higher to protect db.GenerateCredentials call

* Return output with WALID if we failed to delete the WAL

* Update builtin/logical/database/path_creds_create.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* updates after running 'make fmt'

* update after running 'make proto'

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* update comment and remove and rearrange some dead code

* Update website/source/api/secret/databases/index.html.md

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* cleanups after review

* Update sdk/database/dbplugin/grpc_transport.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* code cleanup after feedback

* remove PasswordLastSet; it's not used

* document GenerateCredentials and SetCredentials

* Update builtin/logical/database/path_rotate_credentials.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* wrap pop and popbykey in backend methods to protect against nil cred rotation queue

* use strings.HasPrefix instead of direct equality check for path

* Forgot to commit this

* updates after feedback

* re-purpose an outdated test to now check that static and dynamic roles cannot share a name

* check for unique name across dynamic and static roles

* refactor loadStaticWALs to return a map of name/setCredentialsWAL struct to consolidate where we're calling set credentials

* remove commented out code

* refactor to have loadstaticwals filter out wals for roles that no longer exist

* return error if nil input given

* add nil check for input into setStaticAccount

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* add constant for queue tick time in seconds, used for comparrison in updates

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* code cleanup after review

* remove misplaced code comment

* remove commented out code

* create a queue in the Factory method, even if it's never used

* update path_roles to use a common set of fields, with specific overrides for dynamic/static roles by type

* document new method

* move rotation things into a specific file

* rename test file and consolidate some static account tests

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* update code comments, method names, and move more methods into rotation.go

* update comments to be capitalized

* remove the item from the queue before we try to destroy it

* findStaticWAL returns an error

* use lowercase keys when encoding WAL entries

* small cleanups

* remove vestigial static account check

* remove redundant DeleteWAL call in populate queue

* if we error on loading role, push back to queue with 10 second backoff

* poll in initqueue to make sure the backend is setup and can write/delete data

* add revoke_user_on_delete flag to allow users to opt-in to revoking the static database user on delete of the Vault role. Default false

* add code comments on read-only loop

* code comment updates

* re-push if error returned from find static wal

* add locksutil and acquire locks when pop'ing from the queue

* grab exclusive locks for updating static roles

* Add SetCredentials and GenerateCredentials stubs to mockPlugin

* add a switch in initQueue to listen for cancelation

* remove guard on zero time, it should have no affect

* create a new context in Factory to pass on and use for closing the backend queue

* restore master copy of vendor dir
2019-06-19 14:45:39 -05:00
Becca Petrin ca05e6668e
Update CHANGELOG.md 2019-06-19 11:34:44 -07:00
Becca Petrin b965ce035c
Merge pull request #6847 from hashicorp/pcf-auto-auth
Add PCF auth method, agent, and CLI handler
2019-06-19 11:32:03 -07:00
Becca Petrin 9eaefea18c fix test 2019-06-19 10:59:11 -07:00
Becca Petrin 8782f2f8bb revert more unnecessary dep changes 2019-06-19 10:47:25 -07:00
Becca Petrin 75d15ae627 revert unnecessary dep updates from bad merge 2019-06-19 10:43:09 -07:00
Becca Petrin ab156603bd merge master 2019-06-19 10:24:45 -07:00
Becca Petrin 8bbf6e6fc3 update to latest plugin dependencies 2019-06-19 10:04:49 -07:00
Becca Petrin 35faaef504 update field name to change from pr feedback 2019-06-19 09:54:18 -07:00
Jim Kalafut d3e47869b7
changelog++ 2019-06-19 08:37:24 -07:00
Sam Salisbury 49230ce5f0
Merge pull request #6924 from hashicorp/fix-netlify-tf
pin github and netlify providers and fix config
2019-06-19 16:01:52 +01:00
Alvin Huang 168a7ab1d5 pin github and netlify providers and fix config 2019-06-19 10:45:35 -04:00
Jeff Mitchell 3f1c510bc9
Fix a deadlock if a panic happens during request handling (#6920)
* Fix a deadlock if a panic happens during request handling

During request handling, if a panic is created, deferred functions are
run but otherwise execution stops. #5889 changed some locks to
non-defers but had the side effect of causing the read lock to not be
released if the request panicked. This fixes that and addresses a few
other potential places where things could go wrong:

1) In sealInitCommon we always now defer a function that unlocks the
read lock if it hasn't been unlocked already
2) In StepDown we defer the RUnlock but we also had two error cases that
were calling it manually. These are unlikely to be hit but if they were
I believe would cause a panic.

* Add panic recovery test
2019-06-19 09:40:57 -04:00
Jim Kalafut 8217548bc1
changelog++ 2019-06-18 17:14:20 -07:00
Calvin Leung Huang 89cf760e47
changelog++ 2019-06-18 15:57:19 -07:00
Calvin Leung Huang 76cc52f48c
auth/aws: guard against malformed assumed role ARNs (#6917)
* auth/aws: guard against malformed assumed role ARNs

* revert helper func changes
2019-06-18 15:51:40 -07:00
Becca Petrin 3c9c47f97d
Update CHANGELOG.md 2019-06-18 14:34:30 -07:00
Becca Petrin 500df379fd
Merge pull request #6916 from hashicorp/fix-es-db-plugin-compilation
Fix TestPluginCatalog_List
2019-06-18 14:16:41 -07:00
Becca Petrin f6703c3630 fix test 2019-06-18 14:04:08 -07:00
Jeff Mitchell 630380700b changelog++ 2019-06-18 16:44:19 -04:00
Jeff Mitchell 8603573611 Update group alias handling to better protect against namespace differences
Also, allow canonical ID to be switched
2019-06-18 16:43:30 -04:00
Yoko ba82b04b15
Added a note about JWT (#6899) 2019-06-18 12:36:51 -07:00
Jeff Mitchell 659f97a0b7 Update api and sdk to remove direct gogo dep 2019-06-18 14:51:13 -04:00
Jeff Mitchell 1a7fee63e3 Update sdk in api/ 2019-06-18 14:50:21 -04:00
Jeff Mitchell 2ff5380179 Remove gogo proto from where it snuck in 2019-06-18 14:45:42 -04:00
Becca Petrin 57b2fbbd78 add to sidebar 2019-06-18 11:08:38 -07:00
Becca Petrin 2451fa8fd7
Merge pull request #6911 from hashicorp/fix-aws-region-test
Fix failing AWS region test
2019-06-18 10:14:04 -07:00
Becca Petrin 63f38d0fd4 fix failing region test 2019-06-18 09:50:38 -07:00
Becca Petrin 50b2439b2b
Merge pull request #6908 from hashicorp/fix-test-predict-plugins
Fix test predict plugins
2019-06-18 09:39:25 -07:00
Becca Petrin 1034e564f1 fix test 2019-06-18 09:36:25 -07:00
Becca Petrin 7be6286966 fix typo 2019-06-18 09:32:14 -07:00
Jeff Mitchell 1e5398efb3 Update api/sdk in main repo 2019-06-18 12:24:15 -04:00
Jeff Mitchell c466791207 Bump API's SDK version 2019-06-18 12:23:16 -04:00
Jeff Mitchell fde6a90edc Return integers, not floats, when reading token params 2019-06-18 12:22:12 -04:00
Jeff Mitchell 8ae4149703 Update description field for some token store role values to be accurate 2019-06-18 11:33:56 -04:00
Jeff Mitchell 6ddac3ad33 Bump api/sdk dep 2019-06-18 11:19:15 -04:00
Jeff Mitchell 49ca5cec91 Bump api against latest sdk 2019-06-18 11:18:22 -04:00
Jeff Mitchell c0db3df73d Update go-plugin dep 2019-06-18 10:53:38 -04:00
Jeff Mitchell 334efe4743 changelog++ 2019-06-18 10:29:51 -04:00
Jeff Mitchell d65a716b63 Add a force capability to delete in the policy store
This allows us to truly delete policies when we've either invalidated it
(which since they're singletons/default should only happen when we're
doing a namespace delete) or are doing a namespace delete on the local
node.
2019-06-18 10:25:57 -04:00
Becca Petrin 3fc63eb9d5 add api docs 2019-06-17 16:56:14 -07:00
Becca Petrin cd1b53b350 add agent docs 2019-06-17 15:24:10 -07:00
Becca Petrin 2cc7545351
Merge pull request #6897 from hashicorp/add-es-docs-to-list
Add ElasticSearch docs to sidebars
2019-06-17 15:21:46 -07:00
Becca Petrin 30d7f742b3 fix more typos 2019-06-17 15:09:43 -07:00
Becca Petrin 1ca20773c2 fix typos 2019-06-17 15:08:37 -07:00
Becca Petrin a420b966bb add docs 2019-06-17 15:00:30 -07:00
Jeff Mitchell 1e1e7c9321 Fix some tests 2019-06-17 17:02:34 -04:00
Becca Petrin ca165ffdef add es docs to sidebars 2019-06-17 12:05:57 -07:00