b3c805e662
Audit the client token accessors ( #2037 )
2016-10-29 17:01:49 -04:00
6d00f0c483
Adds HUP support for audit log files to close and reopen. ( #1953 )
...
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.
As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
5657789627
Audit unwrapped response ( #1950 )
2016-09-29 12:03:47 -07:00
6bf871995b
Don't use time.Time in responses. ( #1912 )
...
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
0ff76e16d2
Transit and audit enhancements
2016-09-21 10:49:26 -04:00
4d9c909ae4
Merge pull request #1650 from hashicorp/request-uuid
...
Added unique identifier to each request. Closes hashicorp/vault#1617
2016-07-27 09:40:48 -04:00
ad66bd7502
fixes based proper interpretation of comments
2016-07-26 12:20:27 -04:00
d2cbe48aaf
Use RFC3339Nano for better precision
2016-07-25 14:11:57 -04:00
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
e925987cb6
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
10b218d292
Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this...
2016-06-07 16:01:09 -04:00
401456ea50
Add creation time to returned wrapped token info
...
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.
This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
4c67a739b9
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-16 12:14:40 -04:00
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
c5008bcaac
Add more tests
2016-05-07 21:08:13 -04:00
31e1ed2417
Implement WrapInfo audit logging
2016-05-07 20:03:56 -04:00
bcbcd22657
Audit wrap info
2016-05-07 19:19:19 -04:00
5b67ce1bac
Add DisplayName to request audit object in response audit object
2016-05-07 18:57:38 -04:00
0602bb25f1
Remove redundant variables
2016-03-11 21:36:38 -05:00
e09819fedc
Added hash_accessor option to audit backends
2016-03-11 19:28:06 -05:00
8338bb82df
Enable printing of accessor in audit logs
2016-03-09 16:18:36 -05:00
ef84e04fd7
Add unit test for audit change
2016-01-26 12:47:04 -05:00
f0c66f0b8c
Use reflect.Value.String() rather than a type assertion.
...
Fixes a panic in hashstructure/auditing that can occur with custom
string types.
Fixes #973
2016-01-26 12:32:50 -05:00
4f4ddbf017
Create more granular ACL capabilities.
...
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.
Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
1c7157e632
Reintroduce the ability to look up obfuscated values in the audit log
...
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).
In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)
Fixes #784
2015-11-18 20:26:03 -05:00
cf4b88c196
Write HMAC-SHA256'd client token to audited requests
...
Fixes #713
2015-10-29 13:26:18 -04:00
c8a0eda224
Use hmac-sha256 for protecting secrets in audit entries
2015-09-19 11:29:31 -04:00
5dde76fa1c
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 17:38:30 -04:00
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
ea9fbb90bc
Rejig Lease terminology internally; also, put a few JSON names back to their original values
2015-08-20 22:27:01 -07:00
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
a394678ec1
update tests
2015-08-05 08:44:48 -06:00
2125017cb9
add a time field to the log entries
2015-08-05 07:47:39 -06:00
496ebe561c
vault: cleanups for the audit log changes
2015-06-29 15:27:28 -07:00
add8e1a3fd
Fixing merge conflict
2015-06-29 15:19:04 -07:00
0809378c9b
audit: some tests
2015-06-19 03:31:19 -07:00
91611a32c9
Fixing tests
2015-06-18 20:14:20 -07:00
3a860fe5c1
Actually not logging auth in the response if nil
2015-06-18 19:48:00 -07:00
4ec685dc1a
Logging authentication errors and bad token usage
2015-06-18 18:30:18 -07:00
c55f103c58
Adding error and remote_address to audit log lines
2015-06-18 17:17:18 -07:00
a9f8d6243c
audit: add display name to auth [GH-176]
2015-05-11 10:40:32 -07:00
46636ea52c
audit: Guard against a few nil pointer cases
2015-04-27 15:56:40 -07:00
c18f3928df
audit: add more tests for copying
2015-04-27 15:54:14 -07:00
a837db6570
audit: Document that arguments must not be modified
2015-04-27 14:24:11 -07:00
e77e2d8c98
audit: docs
2015-04-22 07:42:37 +02:00
1b34aae7f1
audit: separate hashing from formatting to facilitate raw
2015-04-22 07:41:53 +02:00
ed388c100d
audit: hash all the req/resp structures
2015-04-21 16:20:31 +01:00
7edc41b6da
audit: fix failing test
2015-04-21 16:15:04 +01:00
82252c0d34
audit: sanity sha1 test
2015-04-21 16:14:26 +01:00
97ff2ad09b
audit: add SHA1 hash callback
2015-04-21 16:13:06 +01:00
2a6bb96276
audit: add hashstructure
2015-04-21 16:02:03 +01:00
ee2b113831
audit/file: append
2015-04-19 22:43:39 -07:00
358845053b
audit: JSON formatter
2015-04-13 14:12:03 -07:00
0f40bb75c0
audit: Adding basic interface methods
2015-04-01 13:54:50 -07:00
615e209296
audit: Basic interface
2015-03-27 13:43:23 -07:00
Vishal Nayak