Commit graph

273 commits

Author SHA1 Message Date
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell 2860dcc60f gofmt 2016-08-19 16:48:32 -04:00
Jeff Mitchell 9828f28091 Use a better value for capacity 2016-08-09 07:16:40 -04:00
Jeff Mitchell 3e6b48cca3 Initial dataonly work. 2016-08-08 11:55:24 -04:00
Jeff Mitchell 6389a3cc31 Ensure response data not nil in IsError 2016-08-02 14:54:34 -04:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
Laura Bennett 4d9c909ae4 Merge pull request #1650 from hashicorp/request-uuid
Added unique identifier to each request. Closes hashicorp/vault#1617
2016-07-27 09:40:48 -04:00
vishalnayak a6907769b0 AppRole authentication backend 2016-07-26 09:32:41 -04:00
Laura Bennett ae8a90be30 adding ids 2016-07-25 16:54:43 -04:00
Laura Bennett e5737b6789 initial local commit 2016-07-23 21:46:28 -04:00
vishalnayak c14235b206 Merge branch 'master-oss' into json-use-number
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Vishal Nayak c55fa03760 Merge pull request #1599 from hashicorp/use-go-uuid
Use go-uuid's GenerateUUID in PutWAL and discard logical.UUID()
2016-07-13 11:36:28 -06:00
Vishal Nayak 9f1e6c7b26 Merge pull request #1607 from hashicorp/standardize-time
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
vishalnayak 8269f323d3 Revert 'risky' changes 2016-07-12 16:38:07 -04:00
Jeff Mitchell 5b210b2a1f Return a duration instead and port a few other places to use it 2016-07-11 18:19:35 +00:00
Jeff Mitchell ab6c2bc5e8 Factor out parsing duration second type and use it for parsing tune values too 2016-07-11 17:53:39 +00:00
vishalnayak e09b40e155 Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC 2016-07-08 18:30:18 -04:00
vishalnayak 581b293a26 Use go-uuid's GenerateUUID in PutWAL and discart logical.UUID() 2016-07-07 17:57:36 -04:00
vishalnayak 98fca2a31a Added json.Number as recognized type for FieldData 2016-07-06 18:54:18 -04:00
Jeff Mitchell 7023eafc67 Make the API client retry on 5xx errors.
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.

Fix tests.
2016-07-06 16:50:23 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers.
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell 22e83ae7f5 Dockerize Postgres secret backend acceptance tests
Additionally enable them on all unit test runs.
2016-06-30 13:46:39 -04:00
Jeff Mitchell d00374fe3c Add a logger to testing backend config so it's available to backends during unit tests 2016-06-30 09:17:14 -04:00
Jeff Mitchell e925987cb6 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
vishalnayak 6c5e1969ac Added GetDefaultOrZero method to FieldData 2016-06-10 10:42:01 -04:00
Jeff Mitchell 10b218d292 Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this... 2016-06-07 16:01:09 -04:00
Jeff Mitchell 401456ea50 Add creation time to returned wrapped token info
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.

This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Jeff Mitchell 8f437d6142 Make logical.InmemStorage a wrapper around physical.InmemBackend.
This:

* Allows removing LockingInmemStorage since the physical backend already
  locks properly
* Makes listing work properly by adhering to expected semantics of only
  listing up to the next prefix separator
* Reduces duplicated code
2016-06-06 12:03:08 -04:00
Jeff Mitchell 72cfd19078 Add some comments to sanitize 2016-05-16 16:12:45 -04:00
Jeff Mitchell c4431a7e30 Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 16:11:33 -04:00
Jeff Mitchell 4c67a739b9 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-16 12:14:40 -04:00
Sean Chittenden 7a4b31ce51
Speling police 2016-05-15 09:58:36 -07:00
vishalnayak 6f65d9293a Fix framework rollback manager tests 2016-05-14 19:35:36 -04:00
vishalnayak ddcaf26396 Merge branch 'master-oss' into aws-auth-backend 2016-05-10 14:50:00 -04:00
Jeff Mitchell 31e1ed2417 Implement WrapInfo audit logging 2016-05-07 20:03:56 -04:00
Jeff Mitchell 2295cadbf4 Make WrapInfo a pointer to match secret/auth in response 2016-05-07 19:17:51 -04:00
Jeff Mitchell c52d352332 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-07 16:40:04 -04:00
Jeff Mitchell d77563994c Merge pull request #1346 from hashicorp/disable-all-caches
Disable all caches
2016-05-07 16:33:45 -04:00
Jeff Mitchell 75dbbff1a6 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-05 20:45:36 -04:00
Jeff Mitchell 3e71221839 Merge remote-tracking branch 'origin/master' into aws-auth-backend 2016-05-05 10:04:52 -04:00
vishalnayak 92fe94546c Split SanitizeTTL method to support time.Duration parameters as well 2016-05-05 09:45:48 -04:00
Jeff Mitchell fe1f56de40 Make a non-caching but still locking variant of transit for when caches are disabled 2016-05-02 22:36:44 -04:00
Jeff Mitchell 8572190b64 Plumb disabling caches through the policy store 2016-05-02 22:36:44 -04:00
Jeff Mitchell 642163f8b0 Remove MountPoint from internal wrap object, for now at least 2016-05-02 10:29:51 -04:00
Jeff Mitchell aba689a877 Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 00:47:35 -04:00
Jeff Mitchell d81806b446 Add:
* Request/Response field extension
* Parsing of header into request object
* Handling of duration/mount point within router
* Tests of router WrapDuration handling
2016-05-02 00:24:32 -04:00
vishalnayak 21854776af Added cooldown period for periodic tidying operation 2016-04-26 10:22:29 -04:00
vishalnayak 9aa8fb6cc1 Support periodic tidy callback and config endpoints. 2016-04-26 10:22:29 -04:00
Sean Chittenden aeea7628d6 Add a *log.Logger argument to physical.Factory
Logging in the backend is a good thing.  This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
Seth Vargo 86455b4720 Only show params if there are fields 2016-04-13 22:15:06 +01:00
vishalnayak a861125900 Added a TODO for 'Check' function 2016-04-06 12:51:49 -04:00
vishalnayak d9dcbe04d8 Fix ErrorOk handling 2016-04-06 12:29:04 -04:00
vishalnayak 1df5c4d0ce Use AcceptanceTest bool in Test() function 2016-04-05 16:48:11 -04:00
vishalnayak fd8b023655 s/TF_ACC/VAULT_ACC 2016-04-05 15:24:59 -04:00
vishalnayak 95abdebb06 Added AcceptanceTest boolean to logical.TestCase 2016-04-05 15:10:44 -04:00
Jeff Mitchell afae46feb7 SealInterface 2016-04-04 10:44:22 -04:00
vishalnayak ba9b5b8847 Fix SanitizeTTL check 2016-03-16 14:27:01 -04:00
vishalnayak 3861c88211 Accept params both as part of URL or as part of http body 2016-03-14 19:14:36 -04:00
vishalnayak 151c932875 AccessorID --> Accessor, accessor_id --> accessor 2016-03-09 06:23:31 -05:00
vishalnayak 913bbe7693 Error text corrections and minor refactoring 2016-03-08 22:27:24 -05:00
vishalnayak 301776012f Introduced AccessorID in TokenEntry and returning it along with token 2016-03-08 14:06:10 -05:00
Jeff Mitchell 7d41607b6e Add "tidy/" which allows removing expired certificates.
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
Jeff Mitchell f9fb20bbe4 Make SanitizeTTL treat an empty string the same as a "0" string.
This causes a 0 TTL to be returned for the value, which is a clue to
other parts of Vault to use appropriate defaults. However, this makes
the defaults be used at lease allocation or extension time instead of
when parsing parameters.
2016-02-18 16:51:36 -05:00
Jeff Mitchell eb1deefac1 Introduce a locking inmem storage for unit tests that are doing concurrent things 2016-02-04 09:40:35 -05:00
Jeff Mitchell 627082b838 Remove grace periods 2016-01-31 19:33:16 -05:00
Jeff Mitchell d5584e12bc invert logic to prefer client increment 2016-01-29 20:02:15 -05:00
Jeff Mitchell 4619473175 Update proposed time 2016-01-29 19:31:37 -05:00
Jeff Mitchell 7353fa3e56 Adjust framework unit tests for new LeaseExtend 2016-01-29 19:31:37 -05:00
Jeff Mitchell f53136ab09 Update LeaseExtend 2016-01-29 19:31:37 -05:00
Jeff Mitchell 12c00b97ef Allow backends to see taint status.
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.

Fixes #946
2016-01-22 17:01:22 -05:00
Jeff Mitchell 8069fa7972 Address some listing review feedback 2016-01-22 10:07:32 -05:00
Jeff Mitchell 5341cb69cc Updates and documentation 2016-01-22 10:07:32 -05:00
Jeff Mitchell f9bbe0fb04 Use logical operations instead of strings for comparison 2016-01-12 21:16:31 -05:00
Jeff Mitchell 9db22dcfad Address some more review feedback 2016-01-12 15:09:16 -05:00
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities.
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell 2d8e3b35f2 Revoke permissions before dropping user in postgresql.
Currently permissions are not revoked, which can lead revocation to not
actually work properly. This attempts to revoke all permissions and only
then drop the role.

Fixes issue #699
2015-10-30 11:58:52 -04:00
Jeff Mitchell 35a7f0de22 Add '.' to GenericNameRegex; it cannot appear as the first or last
character. This allows its usage in a number of extra path-based
variables.

Ping #244
2015-10-13 16:04:10 -04:00
Jeff Mitchell c7cec2aabc Add unit tests 2015-10-07 20:17:06 -04:00
Jeff Mitchell 10d24779c0 Rename GetWarnings->Warnings for responses 2015-10-07 16:18:39 -04:00
Jeff Mitchell d740fd4a6a Add the ability for warnings to be added to responses. These are
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.

Fixes #676
2015-10-07 16:18:39 -04:00
Jeff Mitchell 2091842dca Sort policies when checking for equality 2015-10-06 15:48:25 -04:00
Jeff Mitchell 62ac518ae7 Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend. 2015-09-25 10:41:21 -04:00
Vishal Nayak d526c8ce1c Merge pull request #629 from hashicorp/token-create-sudo
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-21 10:12:29 -04:00
vishalnayak 1a01ab3608 Take ClientToken instead of Policies 2015-09-21 10:04:03 -04:00
Jeff Mitchell ab7d35b95e Fix up per-backend timing logic; also fix error in TypeDurationSecond in
GetOkErr.
2015-09-21 09:55:03 -04:00
vishalnayak 02485e7175 Abstraced SudoPrivilege to take list of policies 2015-09-19 18:23:44 -04:00
vishalnayak a2799b235e Using acl.RootPrivilege and rewrote mockTokenStore 2015-09-19 17:53:24 -04:00
vishalnayak b6d47dd784 fix broken tests 2015-09-19 12:33:52 -04:00
vishalnayak fb77ec3623 TokenStore: Provide access based on sudo permissions and not policy name 2015-09-19 11:14:51 -04:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell 801e531364 Enhance transit backend:
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
2015-09-18 14:41:05 -04:00
vishalnayak 7f640c4374 Error on violating SysView boundaries 2015-09-17 11:24:46 -04:00
vishalnayak 6a4089b2a8 Vault userpass: Enable renewals for login tokens 2015-09-16 23:55:35 -04:00
Jeff Mitchell 77e7379ab5 Implement the cubbyhole backend
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell 104b29ab04 Rename View to StorageView to make it more distinct from SystemView 2015-09-15 13:50:37 -04:00
Lassi Pölönen fb07cf9f53 Implement clean up routine to backend as some backends may require
e.g closing database connections on unmount to avoud connection
stacking.
2015-09-11 11:45:58 +03:00
Jeff Mitchell 39cfcccdac Remove error returns from sysview TTL calls 2015-09-10 15:09:54 -04:00
Jeff Mitchell 488d33c70a Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00
Jeff Mitchell 4239f9d243 Add DynamicSystemView. This uses a pointer to a pointer to always have
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.

Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00