vishalnayak
1a01ab3608
Take ClientToken instead of Policies
2015-09-21 10:04:03 -04:00
vishalnayak
3b51ee1c48
Using core's logger
2015-09-19 19:01:36 -04:00
vishalnayak
02485e7175
Abstraced SudoPrivilege to take list of policies
2015-09-19 18:23:44 -04:00
vishalnayak
a2799b235e
Using acl.RootPrivilege and rewrote mockTokenStore
2015-09-19 17:53:24 -04:00
vishalnayak
b6d47dd784
fix broken tests
2015-09-19 12:33:52 -04:00
vishalnayak
fb77ec3623
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-19 11:14:51 -04:00
Vishal Nayak
e27b824dcb
Merge pull request #623 from hashicorp/userpass-renewal
...
Vault userpass: Enable renewals for login tokens
2015-09-17 16:41:09 -04:00
vishalnayak
1f53376ae6
Userpass Bk: Added tests for TTL duration verifications
2015-09-17 16:33:26 -04:00
vishalnayak
a2e88414f5
Throw error if system view boundaries are violated
2015-09-17 15:47:36 -04:00
vishalnayak
4332eb9d05
Vault userpass: Enable renewals for login tokens
2015-09-17 14:35:50 -04:00
Jeff Mitchell
8f79e8be82
Add revoke-self endpoint.
...
Fixes #620 .
2015-09-17 13:22:30 -04:00
Vishal Nayak
5b6d6bf79a
Merge pull request #624 from hashicorp/vault-i583
...
CLI: Avoiding CR when printing specific fields
2015-09-17 11:47:51 -04:00
vishalnayak
fdf05e8ead
Adding type checking to ensure only BasicUi is affected
2015-09-17 11:37:21 -04:00
vishalnayak
7f640c4374
Error on violating SysView boundaries
2015-09-17 11:24:46 -04:00
vishalnayak
e885dff580
CLI: Avoiding CR when printing specific fields
2015-09-17 10:05:56 -04:00
Jeff Mitchell
91bcf83e5f
Merge pull request #606 from tsilen/renew-etcd-semaphore-key
...
Renew the semaphore key periodically
2015-09-17 10:00:06 -04:00
vishalnayak
6a4089b2a8
Vault userpass: Enable renewals for login tokens
2015-09-16 23:55:35 -04:00
Jeff Mitchell
b08f6e5540
Merge pull request #622 from Poohblah/log-level-help
...
improve documentation for available log levels
2015-09-16 15:15:36 -04:00
hendrenj
0532682816
improve documentation for available log levels
2015-09-16 11:01:33 -06:00
Jeff Mitchell
047ba90a44
Restrict orphan revocation to root tokens
2015-09-16 09:22:15 -04:00
Seth Vargo
5c363a1bd3
Merge pull request #621 from jklein/patch-1
...
Grammar fix
2015-09-15 20:54:24 +01:00
Jonathan Klein
dff6e468f9
Grammar fix
2015-09-15 15:53:27 -04:00
Jeff Mitchell
461609b754
Merge pull request #612 from hashicorp/f-cubby
...
Implement the cubbyhole backend
2015-09-15 14:04:07 -04:00
Jeff Mitchell
e7d5a18e94
Directly pass the cubbyhole backend to the token store and bypass logic in router
2015-09-15 13:50:37 -04:00
Jeff Mitchell
849b78daee
Move more cubby logic outside of router into auth setup
2015-09-15 13:50:37 -04:00
Jeff Mitchell
bdb8cf128d
Cleanup; remove everything but double-salting from the router and give
...
the token store cubby backend information for direct calling.
2015-09-15 13:50:37 -04:00
Jeff Mitchell
538852d6d6
Add documentation for cubbyhole
2015-09-15 13:50:37 -04:00
Jeff Mitchell
b50f7ec1b5
Remove noop checks in unmount/remount and restore previous behavior
2015-09-15 13:50:37 -04:00
Jeff Mitchell
77e7379ab5
Implement the cubbyhole backend
...
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell
104b29ab04
Rename View to StorageView to make it more distinct from SystemView
2015-09-15 13:50:37 -04:00
Tuomas Silen
5e8b3a28e4
Rename error return var
2015-09-15 11:18:43 +03:00
Jeff Mitchell
f489c1c24e
Ensure that the response body of logical calls is closed, even if there is an error.
2015-09-14 18:22:33 -04:00
Jeff Mitchell
38a75503ad
Merge pull request #607 from lassizci/postgresql-timezone
...
Explicitly set timezone with PostgreSQL timestamps.
2015-09-14 11:55:02 -04:00
Jeff Mitchell
699e12a1c6
When there is one use left and a Secret is being returned, instead
...
return a descriptive error indicating that the Secret cannot be returned
because when the token was revoked the secret was too. This prevents
confusion where credentials come back but cannot be used.
Fixes #615
2015-09-14 11:07:27 -04:00
Lassi Pölönen
83d0ab73f5
Define time zone explicitly in postgresql connection string.
2015-09-14 13:43:06 +03:00
Lassi Pölönen
a9aaee6f5a
Explicitly set timezone with PostgreSQL timestamps.
2015-09-14 13:43:06 +03:00
Tuomas Silen
42d3f90e37
Further cleanup, use named return vals
2015-09-14 13:30:15 +03:00
Vishal Nayak
2fa1916521
Merge pull request #613 from hashicorp/doc-token-renewal
...
Improve documentation of token renewal
2015-09-11 21:38:34 -04:00
vishalnayak
c5a3b0c681
Typo fix
2015-09-11 21:36:20 -04:00
vishalnayak
142cb563a6
Improve documentation of token renewal
2015-09-11 21:08:32 -04:00
Jeff Mitchell
99f372e3a6
Merge pull request #608 from lassizci/backend-cleanup
...
Provide a cleanup method for backends; if defined, will be run just before unloading.
2015-09-11 10:52:04 -04:00
Tuomas Silen
7f384b2312
Cleanup defer func
2015-09-11 16:30:12 +03:00
Tuomas Silen
2652db825a
Use defer to close the channel in case of error
2015-09-11 16:17:23 +03:00
Lassi Pölönen
d3aec0ba31
Cleanup routines should now use routeEntry instead of mountEntry.
2015-09-11 13:40:31 +03:00
Lassi Pölönen
79f68c934a
Call ResetDB as Cleanup routine to close existing database connections
...
on backend unmount.
2015-09-11 11:45:58 +03:00
Lassi Pölönen
fb07cf9f53
Implement clean up routine to backend as some backends may require
...
e.g closing database connections on unmount to avoud connection
stacking.
2015-09-11 11:45:58 +03:00
Vishal Nayak
08f7fb9c8d
Merge pull request #580 from hashicorp/zeroaddress-path
...
Add root authenticated path to allow default CIDR to select roles
2015-09-10 15:28:49 -04:00
Jeff Mitchell
65414dc07e
Merge pull request #585 from hashicorp/per-backend-ttls
...
Per backend configuration
2015-09-10 15:27:07 -04:00
Jeff Mitchell
39cfcccdac
Remove error returns from sysview TTL calls
2015-09-10 15:09:54 -04:00
Jeff Mitchell
65ceb3439d
Be consistent as both are the same pointer here
2015-09-10 15:09:54 -04:00