Commit Graph

10756 Commits

Author SHA1 Message Date
Brian Kassouf ed14061578
Raft Storage Backend (#6888)
* Work on raft backend

* Add logstore locally

* Add encryptor and unsealable interfaces

* Add clustering support to raft

* Remove client and handler

* Bootstrap raft on init

* Cleanup raft logic a bit

* More raft work

* Work on TLS config

* More work on bootstrapping

* Fix build

* More work on bootstrapping

* More bootstrapping work

* fix build

* Remove consul dep

* Fix build

* merged oss/master into raft-storage

* Work on bootstrapping

* Get bootstrapping to work

* Clean up FMS and node-id

* Update local node ID logic

* Cleanup node-id change

* Work on snapshotting

* Raft: Add remove peer API (#906)

* Add remove peer API

* Add some comments

* Fix existing snapshotting (#909)

* Raft get peers API (#912)

* Read raft configuration

* address review feedback

* Use the Leadership Transfer API to step-down the active node (#918)

* Raft join and unseal using Shamir keys (#917)

* Raft join using shamir

* Store AEAD instead of master key

* Split the raft join process to answer the challenge after a successful unseal

* get the follower to standby state

* Make unseal work

* minor changes

* Some input checks

* reuse the shamir seal access instead of new default seal access

* refactor joinRaftSendAnswer function

* Synchronously send answer in auto-unseal case

* Address review feedback

* Raft snapshots (#910)

* Fix existing snapshotting

* implement the noop snapshotting

* Add comments and switch log libraries

* add some snapshot tests

* add snapshot test file

* add TODO

* More work on raft snapshotting

* progress on the ConfigStore strategy

* Don't use two buckets

* Update the snapshot store logic to hide the file logic

* Add more backend tests

* Cleanup code a bit

* [WIP] Raft recovery (#938)

* Add recovery functionality

* remove fmt.Printfs

* Fix a few fsm bugs

* Add max size value for raft backend (#942)

* Add max size value for raft backend

* Include physical.ErrValueTooLarge in the message

* Raft snapshot Take/Restore API  (#926)

* Inital work on raft snapshot APIs

* Always redirect snapshot install/download requests

* More work on the snapshot APIs

* Cleanup code a bit

* On restore handle special cases

* Use the seal to encrypt the sha sum file

* Add sealer mechanism and fix some bugs

* Call restore while state lock is held

* Send restore cb trigger through raft log

* Make error messages nicer

* Add test helpers

* Add snapshot test

* Add shamir unseal test

* Add more raft snapshot API tests

* Fix locking

* Change working to initalize

* Add underlying raw object to test cluster core

* Move leaderUUID to core

* Add raft TLS rotation logic (#950)

* Add TLS rotation logic

* Cleanup logic a bit

* Add/Remove from follower state on add/remove peer

* add comments

* Update more comments

* Update request_forwarding_service.proto

* Make sure we populate all nodes in the followerstate obj

* Update times

* Apply review feedback

* Add more raft config setting (#947)

* Add performance config setting

* Add more config options and fix tests

* Test Raft Recovery (#944)

* Test raft recovery

* Leave out a node during recovery

* remove unused struct

* Update physical/raft/snapshot_test.go

* Update physical/raft/snapshot_test.go

* fix vendoring

* Switch to new raft interface

* Remove unused files

* Switch a gogo -> proto instance

* Remove unneeded vault dep in go.sum

* Update helper/testhelpers/testhelpers.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* Update vault/cluster/cluster.go

* track active key within the keyring itself (#6915)

* track active key within the keyring itself

* lookup and store using the active key ID

* update docstring

* minor refactor

* Small text fixes (#6912)

* Update physical/raft/raft.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* review feedback

* Move raft logical system into separate file

* Update help text a bit

* Enforce cluster addr is set and use it for raft bootstrapping

* Fix tests

* fix http test panic

* Pull in latest raft-snapshot library

* Add comment
2019-06-20 12:14:58 -07:00
Jeff Mitchell 81ef0bb190
Unify time.Duration handling across framework and parseutil (#6935)
This removes a lot of duplicated code and adds time.Duration support to
parseutil, needed by the jwt auth method.
2019-06-20 14:28:32 -04:00
Jeff Mitchell 55e9f46ca3
Allow Default for TimeDurationSecond values to be time.Duration (#6934) 2019-06-20 12:28:15 -04:00
Becca Petrin cd0f2ec5f6
Merge pull request #6913 from hashicorp/pcf-docs
PCF documentation
2019-06-20 09:28:06 -07:00
Matthew Irish 99899a3ebb
UI - cross-browser svg scaling fixes (#6933)
* fix icon sizing in firefox

* specify height becuase IE likes to make things way too tall
2019-06-20 10:55:23 -05:00
Aaron Bedra db25895001 Adds libvault to list of client libraries (#6890) 2019-06-20 08:01:12 -07:00
Brian Shumate 630de4d1ae Switch to simpler 'configured' (#6892) 2019-06-20 08:00:12 -07:00
Jeff Mitchell 2d27a41ddf changelog++ 2019-06-20 10:33:28 -04:00
Jeff Mitchell 62158d65fe
Use a role cache to avoid separate locking paths (#6926)
* Use a role cache to avoid separate locking paths

Due to the various locked/nonlocked paths we had a case where we weren't
always checking for secondary status before trying to upgrade. This
broadly simplifies things by using a cache to store the current role
values (avoiding a lot of storage hits) and updating the cache on any
write, delete, or invalidation.
2019-06-20 10:31:31 -04:00
Matthew Irish c9974b6478
changelog++ 2019-06-20 08:40:28 -05:00
Matthew Irish c49fb2e512
UI transit date fix (#6827)
* fix timestamp for aes-gcm and chacha-poly transit keys

* add test for transit-key serializer
2019-06-20 08:39:23 -05:00
Matthew Irish 65639d4038
changelog++ 2019-06-20 08:38:43 -05:00
Matthew Irish 757afb4de9
UI - no jquery (#6768)
* add no-jquery rule and move event listeners to ember-concurrency tasks

* remove unnecessary onchange and handleKeyDown actions

* add element.closest polyfill and convert linked-block to use native dom apis

* update pretender, fetch, page-object, add optional-features, remove ember/jquery

* turn off jquery inclusion

* remove jQuery.isPlainObject usage

* violatedDirective isn't always formatted the same

* use fetch and the ember-fetch adapter mixin

* move to fetch and lowercase headers for pretender

* display non-ember-data errors

* use new async fn test style and lowercase headers in auth service test

* setContext is not necessary with the new style tests and ember-cli-page-object - it actually triggers jquery usage

* update ember-fetch, ember-cli-pretender

* wait for permissions check

* lowercase header name in auth test

* refactor transit tests to one test per key type

* simplify pollCluster helper

* stop flakey tests by prefering the native fetch

* avoid uncaught TransitionAborted error by navigating directly to unseal

* unset model on controller after unloading it because controllers are singletons

* update yarn.lock
2019-06-20 08:37:27 -05:00
Jim Kalafut 122134b207
Add new structures for OpenAPI/UI enhancements (#6931) 2019-06-19 16:48:58 -07:00
Noelle Daley cc3c0f18d0
changelog++ 2019-06-19 16:16:52 -07:00
Noelle Daley 4fd783d3f4
Add HTTP Request Volume page (#6925)
* Add http request volume table (#6765)

* init http metrics page

* remove flex-table-column

* add http requests table

* calculate percent change between each counter

* start percent change tests

* style request table

* show percent more/less glyph

* add percent more less tests

* add inline alert about recorded metrics

* make arrows diagonal

* remove conditional inside countersWithChange

* add better error msg

* use tagName and wrapping element a la glimmer components

* extend ClusterRouteBase so auth and seal checks happen

* make table accessible

* remove curlies

* add HttpRequestsTable to storybook

* make table accessible

* use qunit dom for better assertions

* remove EmptyState since we will never have 0 requests

* ensure counters is set in test context

* Http request volume/add barchart (#6814)

* Add http request volume table (#6765)

* init http metrics page

* remove flex-table-column

* add http requests table

* calculate percent change between each counter

* start percent change tests

* style request table

* show percent more/less glyph

* add percent more less tests

* add inline alert about recorded metrics

* make arrows diagonal

* remove conditional inside countersWithChange

* add better error msg

* use tagName and wrapping element a la glimmer components

* extend ClusterRouteBase so auth and seal checks happen

* make table accessible

* remove curlies

* add HttpRequestsTable to storybook

* make table accessible

* use qunit dom for better assertions

* remove EmptyState since we will never have 0 requests

* ensure counters is set in test context

* add http-requests-bar-chart

* add HttpRequestsBarChart tests

* add HttpRequestsBarChart to Storybook

* format total number of requests according to locale

* do not show extra minus sign when percent change is negative

* add link to request metrics in status bar menu

* only show bar chart if we have data for more than 1 month

* make ticks lighter

* ensure charts show data for correct month

* make example counters response look like the adapter response instead of the raw api response

* ensure ui shows the same utc date as the api response

* add format-utc tests

* downgrade to d3 v4 to support ie11

* add gridlines

* move dasharray to css

* use scheduleOnce instead of debounce to prevent multiple re-renders

* add key function to bars

* add exit case when data is no longer in parsedCounters

* fix timestamp in table test

* fix timestamps

* use utcParse and fallback to isoParse for non-UTC dates

* fix bar chart tests
2019-06-19 16:14:25 -07:00
Clint 5309609758
Bump the Elasticsearch db dependency to latest, to pull in fixes to satisfy dbplugin.Database interface (#6929)
Merging despite the TravisCI tests failing, which do not support go modules
2019-06-19 17:40:07 -05:00
Jeff Mitchell 2a3649f73a changelog++ 2019-06-19 17:07:49 -04:00
Clint b55303eddb
Combined Database Backend: Static Accounts (#6834)
* Add priority queue to sdk

* fix issue of storing pointers and now copy

* update to use copy structure

* Remove file, put Item struct def. into other file

* add link

* clean up docs

* refactor internal data structure to hide heap method implementations. Other cleanup after feedback

* rename PushItem and PopItem to just Push/Pop, after encapsulating the heap methods

* updates after feedback

* refactoring/renaming

* guard against pushing a nil item

* minor updates after feedback

* Add SetCredentials, GenerateCredentials gRPC methods to combined database backend gPRC

* Initial Combined database backend implementation of static accounts and automatic rotation

* vendor updates

* initial implementation of static accounts with Combined database backend, starting with PostgreSQL implementation

* add lock and setup of rotation queue

* vendor the queue

* rebase on new method signature of queue

* remove mongo tests for now

* update default role sql

* gofmt after rebase

* cleanup after rebasing to remove checks for ErrNotFound error

* rebase cdcr-priority-queue

* vendor dependencies with 'go mod vendor'

* website database docs for Static Role support

* document the rotate-role API endpoint

* postgres specific static role docs

* use constants for paths

* updates from review

* remove dead code

* combine and clarify error message for older plugins

* Update builtin/logical/database/backend.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* cleanups from feedback

* code and comment cleanups

* move db.RLock higher to protect db.GenerateCredentials call

* Return output with WALID if we failed to delete the WAL

* Update builtin/logical/database/path_creds_create.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* updates after running 'make fmt'

* update after running 'make proto'

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* update comment and remove and rearrange some dead code

* Update website/source/api/secret/databases/index.html.md

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* cleanups after review

* Update sdk/database/dbplugin/grpc_transport.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* code cleanup after feedback

* remove PasswordLastSet; it's not used

* document GenerateCredentials and SetCredentials

* Update builtin/logical/database/path_rotate_credentials.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* wrap pop and popbykey in backend methods to protect against nil cred rotation queue

* use strings.HasPrefix instead of direct equality check for path

* Forgot to commit this

* updates after feedback

* re-purpose an outdated test to now check that static and dynamic roles cannot share a name

* check for unique name across dynamic and static roles

* refactor loadStaticWALs to return a map of name/setCredentialsWAL struct to consolidate where we're calling set credentials

* remove commented out code

* refactor to have loadstaticwals filter out wals for roles that no longer exist

* return error if nil input given

* add nil check for input into setStaticAccount

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* add constant for queue tick time in seconds, used for comparrison in updates

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* code cleanup after review

* remove misplaced code comment

* remove commented out code

* create a queue in the Factory method, even if it's never used

* update path_roles to use a common set of fields, with specific overrides for dynamic/static roles by type

* document new method

* move rotation things into a specific file

* rename test file and consolidate some static account tests

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* update code comments, method names, and move more methods into rotation.go

* update comments to be capitalized

* remove the item from the queue before we try to destroy it

* findStaticWAL returns an error

* use lowercase keys when encoding WAL entries

* small cleanups

* remove vestigial static account check

* remove redundant DeleteWAL call in populate queue

* if we error on loading role, push back to queue with 10 second backoff

* poll in initqueue to make sure the backend is setup and can write/delete data

* add revoke_user_on_delete flag to allow users to opt-in to revoking the static database user on delete of the Vault role. Default false

* add code comments on read-only loop

* code comment updates

* re-push if error returned from find static wal

* add locksutil and acquire locks when pop'ing from the queue

* grab exclusive locks for updating static roles

* Add SetCredentials and GenerateCredentials stubs to mockPlugin

* add a switch in initQueue to listen for cancelation

* remove guard on zero time, it should have no affect

* create a new context in Factory to pass on and use for closing the backend queue

* restore master copy of vendor dir
2019-06-19 14:45:39 -05:00
Becca Petrin ca05e6668e
Update CHANGELOG.md 2019-06-19 11:34:44 -07:00
Becca Petrin b965ce035c
Merge pull request #6847 from hashicorp/pcf-auto-auth
Add PCF auth method, agent, and CLI handler
2019-06-19 11:32:03 -07:00
Becca Petrin 9eaefea18c fix test 2019-06-19 10:59:11 -07:00
Becca Petrin 8782f2f8bb revert more unnecessary dep changes 2019-06-19 10:47:25 -07:00
Becca Petrin 75d15ae627 revert unnecessary dep updates from bad merge 2019-06-19 10:43:09 -07:00
Becca Petrin ab156603bd merge master 2019-06-19 10:24:45 -07:00
Becca Petrin 8bbf6e6fc3 update to latest plugin dependencies 2019-06-19 10:04:49 -07:00
Becca Petrin 35faaef504 update field name to change from pr feedback 2019-06-19 09:54:18 -07:00
Jim Kalafut d3e47869b7
changelog++ 2019-06-19 08:37:24 -07:00
Sam Salisbury 49230ce5f0
Merge pull request #6924 from hashicorp/fix-netlify-tf
pin github and netlify providers and fix config
2019-06-19 16:01:52 +01:00
Alvin Huang 168a7ab1d5 pin github and netlify providers and fix config 2019-06-19 10:45:35 -04:00
Jeff Mitchell 3f1c510bc9
Fix a deadlock if a panic happens during request handling (#6920)
* Fix a deadlock if a panic happens during request handling

During request handling, if a panic is created, deferred functions are
run but otherwise execution stops. #5889 changed some locks to
non-defers but had the side effect of causing the read lock to not be
released if the request panicked. This fixes that and addresses a few
other potential places where things could go wrong:

1) In sealInitCommon we always now defer a function that unlocks the
read lock if it hasn't been unlocked already
2) In StepDown we defer the RUnlock but we also had two error cases that
were calling it manually. These are unlikely to be hit but if they were
I believe would cause a panic.

* Add panic recovery test
2019-06-19 09:40:57 -04:00
Jim Kalafut 8217548bc1
changelog++ 2019-06-18 17:14:20 -07:00
Calvin Leung Huang 89cf760e47
changelog++ 2019-06-18 15:57:19 -07:00
Calvin Leung Huang 76cc52f48c
auth/aws: guard against malformed assumed role ARNs (#6917)
* auth/aws: guard against malformed assumed role ARNs

* revert helper func changes
2019-06-18 15:51:40 -07:00
Becca Petrin 3c9c47f97d
Update CHANGELOG.md 2019-06-18 14:34:30 -07:00
Becca Petrin 500df379fd
Merge pull request #6916 from hashicorp/fix-es-db-plugin-compilation
Fix TestPluginCatalog_List
2019-06-18 14:16:41 -07:00
Becca Petrin f6703c3630 fix test 2019-06-18 14:04:08 -07:00
Jeff Mitchell 630380700b changelog++ 2019-06-18 16:44:19 -04:00
Jeff Mitchell 8603573611 Update group alias handling to better protect against namespace differences
Also, allow canonical ID to be switched
2019-06-18 16:43:30 -04:00
Yoko ba82b04b15
Added a note about JWT (#6899) 2019-06-18 12:36:51 -07:00
Jeff Mitchell 659f97a0b7 Update api and sdk to remove direct gogo dep 2019-06-18 14:51:13 -04:00
Jeff Mitchell 1a7fee63e3 Update sdk in api/ 2019-06-18 14:50:21 -04:00
Jeff Mitchell 2ff5380179 Remove gogo proto from where it snuck in 2019-06-18 14:45:42 -04:00
Becca Petrin 57b2fbbd78 add to sidebar 2019-06-18 11:08:38 -07:00
Becca Petrin 2451fa8fd7
Merge pull request #6911 from hashicorp/fix-aws-region-test
Fix failing AWS region test
2019-06-18 10:14:04 -07:00
Becca Petrin 63f38d0fd4 fix failing region test 2019-06-18 09:50:38 -07:00
Becca Petrin 50b2439b2b
Merge pull request #6908 from hashicorp/fix-test-predict-plugins
Fix test predict plugins
2019-06-18 09:39:25 -07:00
Becca Petrin 1034e564f1 fix test 2019-06-18 09:36:25 -07:00
Becca Petrin 7be6286966 fix typo 2019-06-18 09:32:14 -07:00
Jeff Mitchell 1e5398efb3 Update api/sdk in main repo 2019-06-18 12:24:15 -04:00