Commit graph

200 commits

Author SHA1 Message Date
Jeff Mitchell 6a980b88fd Address review feedback 2016-02-28 21:51:50 -05:00
Jeff Mitchell 11ddd2290b Provide 'sys/step-down' and 'vault step-down'
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.

Fixes #1093
2016-02-26 19:43:55 -05:00
vishalnayak a10888f1f1 Added comments to changes the error message 2016-02-03 11:35:47 -05:00
vishalnayak f1facb0f9f Throw error on sealing vault in standby mode 2016-02-03 10:58:33 -05:00
Jeff Mitchell 8b9fa042fe If the path is not correct, don't fail due to existence check, fail due to unsupported path 2016-01-23 14:05:09 -05:00
Jeff Mitchell 9cac7ccd0f Add some commenting 2016-01-22 10:13:49 -05:00
Jeff Mitchell 3955604d3e Address more list feedback 2016-01-22 10:07:32 -05:00
Jeff Mitchell b2bde47b01 Pull out setting the root token ID; use the new ParseUUID method in
go-uuid instead, and revoke if there is an error.
2016-01-19 19:44:33 -05:00
Jeff Mitchell 973c888833 RootGeneration->GenerateRoot 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b994dbc7f Add the ability to generate root tokens via unseal keys. 2016-01-19 18:28:10 -05:00
Jeff Mitchell 9857da207c Move rekey to its own files for cleanliness 2016-01-14 17:01:04 -05:00
Jeff Mitchell 9c5ad28632 Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell d949043cac Merge pull request #914 from hashicorp/acl-rework
More granular ACL capabilities
2016-01-12 21:11:52 -05:00
Jeff Mitchell da87d490eb Add some commenting around create/update 2016-01-12 15:13:54 -05:00
Jeff Mitchell 9db22dcfad Address some more review feedback 2016-01-12 15:09:16 -05:00
Jeff Mitchell f6d2271a3c Use an array of keys so that if the same fingerprint is used none are lost when using PGP key backup 2016-01-08 14:29:23 -05:00
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities.
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell 85509e7ba5 Simplify some logic and ensure that if key share backup fails, we fail
the operation as well.

Ping #907
2016-01-06 13:14:23 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Jeff Mitchell 96cb7d0051 Commenting/format update 2015-12-18 10:34:54 -05:00
Jeff Mitchell 4482fdacfd If we have not yet completed post-unseal when running in single-node
mode, don't advertise that we are active.

Ping #872
2015-12-17 13:48:08 -05:00
Jeff Mitchell f2da5b639f Migrate 'uuid' to 'go-uuid' to better fit HC naming convention 2015-12-16 12:56:20 -05:00
Jeff Mitchell 7ce8aff906 Address review feedback 2015-12-14 17:58:30 -05:00
Jeff Mitchell ced0835574 Allow separate HA physical backend.
With no separate backend specified, HA will be attempted on the normal
physical backend.

Fixes #395.
2015-12-14 07:59:58 -05:00
Jeff Mitchell bc4c18a1cf Rearchitect MountTable locking and fix rollback.
The rollback manager was using a saved MountTable rather than the
current table, causing it to attempt to rollback unmounted mounts, and
never rollback new mounts.

In fixing this, it became clear that bad things could happen to the
mount table...the table itself could be locked, but the table pointer
(which is what the rollback manager needs) could be modified at any time
without locking. This commit therefore also returns locking to a mutex
outside the table instead of inside, and plumbs RLock/RUnlock through to
the various places that are reading the table but not holding a write
lock.

Both unit tests and race detection pass.

Fixes #771
2015-11-11 11:54:52 -05:00
Jeff Mitchell d6693129de Create a "default" policy with sensible rules.
It is forced to be included with each token, but can be changed (but not
deleted).

Fixes #732
2015-11-09 15:44:09 -05:00
Jeff Mitchell 7aa3faa626 Rename core's 'policy' to 'policyStore' for clarification 2015-11-06 12:07:42 -05:00
Jeff Mitchell a9db12670a errwrap -> go-multierror + errwrap 2015-11-02 13:29:33 -05:00
Jeff Mitchell 7e9918ec8e Run preSeal if postUnseal fails.
This also ensures that every error path out of postUnseal returns an
error.

Fixes #733
2015-11-02 13:29:33 -05:00
Jeff Mitchell 94b7be702b Return data on a token with one use left if there is no Lease ID
Fixes #615
2015-10-30 12:35:42 -04:00
Jeff Mitchell 636d57a026 Make the token store's Create and RootToken functions non-exported.
Nothing requires them to be exported, and I don't want anything in the
future to think it's okay to simply create a root token when it likes.
2015-10-30 10:59:26 -04:00
Jeff Mitchell c1d8b97342 Add reset support to the unseal command.
Reset clears the provided unseal keys, allowing the process to be begun
again. Includes documentation and unit test changes.

Fixes #695
2015-10-28 15:59:39 -04:00
Jeff Mitchell 78b5fcdf51 Serialize changing the state of the expiration manager pointer and
calling emitMetrics from its own goroutine.

Fixes #694
2015-10-12 16:33:54 -04:00
Jeff Mitchell a9155ef85e Use split-out hashicorp/uuid 2015-10-12 14:07:12 -04:00
Jeff Mitchell 5fbaa0e64d Apply mount-tune properties to the token authentication backend.
Fixes #688.
2015-10-09 20:26:39 -04:00
Jeff Mitchell bd1dce7f95 Address review feedback for #684 2015-10-08 14:34:10 -04:00
Jeff Mitchell d58a3b601c Add a cleanLeaderPrefix function to clean up stale leader entries in core/leader
Fixes #679.
2015-10-08 14:04:58 -04:00
Jeff Mitchell 21644751ed Fix the key rotation upgrade check error message 2015-10-05 18:23:32 -04:00
Jeff Mitchell 8f27c250d6 Fix problematic logging statements.
Fixes #665.
2015-10-02 18:31:46 -07:00
Jeff Mitchell 81e535dc2d Minor updates to passthrough and additional tests 2015-09-21 16:57:41 -04:00
Jeff Mitchell 47e8c0070a Don't use leases on the generic backend...with a caveat.
You can now turn on and off the lease behavior in the generic backend by
using one of two factories. Core uses the normal one if it's not already
set, so unit tests can use the custom one and all stay working.

This also adds logic into core to check, when the response is coming
from a generic backend, whether that backend has leases enabled. This
adds some slight overhead.
2015-09-21 16:37:37 -04:00
Jeff Mitchell d775445efe Store token creation time and TTL. This can be used to properly populate
fields in 'lookup-self'. Importantly, this also makes credential
backends use the SystemView per-backend TTL values and fixes unit tests
to expect this.

Fully fixes #527
2015-09-18 16:39:35 -04:00
Jeff Mitchell 77e7379ab5 Implement the cubbyhole backend
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell 699e12a1c6 When there is one use left and a Secret is being returned, instead
return a descriptive error indicating that the Secret cannot be returned
because when the token was revoked the secret was too. This prevents
confusion where credentials come back but cannot be used.

Fixes #615
2015-09-14 11:07:27 -04:00
Jeff Mitchell 39cfcccdac Remove error returns from sysview TTL calls 2015-09-10 15:09:54 -04:00
Jeff Mitchell 65ceb3439d Be consistent as both are the same pointer here 2015-09-10 15:09:54 -04:00
Jeff Mitchell c460ff10ca Push a lot of logic into Router to make a bunch of it nicer and enable a
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
Jeff Mitchell 488d33c70a Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00
Jeff Mitchell 17c60d3e78 Add logic to core to fetch a SystemView for a given mount entry and use those values for default/max TTL. The SystemView will reflect system defaults if not set for that mount. 2015-09-10 15:09:53 -04:00
Jeff Mitchell 98d0d23d70 Ensure token store is available when looking up token 2015-09-01 08:21:47 -04:00
Jeff Mitchell 3f45f3f41b Rename config lease_duration parameters to lease_ttl in line with current standardization efforts 2015-08-27 07:50:24 -07:00
Jeff Mitchell cc232e6f79 Address comments from review. 2015-08-25 15:33:58 -07:00
Jeff Mitchell c887df93cc Add support for pgp-keys argument to rekey, as well as tests, plus
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Jeff Mitchell f57e7892e7 Don't store the given public keys in the seal config 2015-08-25 14:52:13 -07:00
Jeff Mitchell 2f3e245b0b Add support for "pgp-tokens" parameters to init.
There are thorough unit tests that read the returned
encrypted tokens, seal the vault, and unseal it
again to ensure all works as expected.
2015-08-25 14:52:13 -07:00
Jeff Mitchell 93ef9a54bd Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod 2015-08-20 18:00:51 -07:00
Jeff Mitchell db79dd8c22 Don't defer revocation when sealing, and clear out response/auth if there is a token use error 2015-08-20 10:37:42 -07:00
Jeff Mitchell 0e8e3660ff Fix #461 properly by defering potential revocation of a token until after the request is fully handled. 2015-08-20 10:14:13 -07:00
Karl Gutwin 151ec72d00 Add configuration options for default lease duration and max lease duration. 2015-07-30 09:42:49 -04:00
Armon Dadgar 41b72a4d39 vault: provide view to backend initializer for setup 2015-06-30 17:30:43 -07:00
Armon Dadgar 8bc99f8c23 helper/uuid: single generateUUID definition 2015-06-30 12:38:32 -07:00
Armon Dadgar 496ebe561c vault: cleanups for the audit log changes 2015-06-29 15:27:28 -07:00
Nate Brown b667ef4c71 Collapsing audit response logging to a single point 2015-06-18 19:48:26 -07:00
Nate Brown 4ec685dc1a Logging authentication errors and bad token usage 2015-06-18 18:30:18 -07:00
Armon Dadgar dbf6cf6e6d vault: support core shutdown 2015-06-17 18:23:59 -07:00
Armon Dadgar 5c75a6c5c7 vault: ensure token renew does not double register 2015-06-17 15:22:50 -07:00
Armon Dadgar daffef08db vault: reload master key before keyring 2015-05-29 14:30:03 -07:00
Armon Dadgar 4f5fde039f vault: all rekey commands should fail as standby 2015-05-29 11:52:37 -07:00
Armon Dadgar 5aaad32af8 vault: ensure upgrades are cleaned up 2015-05-28 16:52:06 -07:00
Armon Dadgar db0afc9ebe vault: move upgrade logic out of core 2015-05-28 16:43:44 -07:00
Armon Dadgar 82ef0b1ac7 vault: handle read of key upgrades 2015-05-28 16:11:31 -07:00
Armon Dadgar c60970e743 vault: prevent rekey on standby 2015-05-28 15:26:35 -07:00
Armon Dadgar 01e890653c vault: more logging 2015-05-28 14:15:06 -07:00
Armon Dadgar 0877160754 vault: minor rekey cleanups 2015-05-28 12:07:52 -07:00
Armon Dadgar 361c722c5c vault: first pass at rekey 2015-05-28 11:40:01 -07:00
Armon Dadgar 3bcd32228d vault: lease renewal should not create new lease entry 2015-05-15 17:47:39 -07:00
Armon Dadgar 843d9e6484 vault: verify login endpoint never returns a secret 2015-05-09 11:51:58 -07:00
Armon Dadgar 13ab31f4b5 vault: ensure InternalData is never returned from the core 2015-05-09 11:47:46 -07:00
Armon Dadgar c7496772d4 vault: defer barrier initialization until as late as possible 2015-05-08 11:06:39 -07:00
Armon Dadgar a6eef6bba3 vault: Guard against an invalid seal config 2015-05-08 11:05:31 -07:00
Mitchell Hashimoto 727e0e90cd vault: validate advertise addr is valid URL [GH-106] 2015-05-02 13:28:33 -07:00
Mitchell Hashimoto e80111502b vault: way more verbose error if mlock fails [GH-59] 2015-04-28 18:56:16 -07:00
Mitchell Hashimoto b5f8f3b05a vault: add helper/mlock for doing mlock 2015-04-28 14:59:43 -07:00
Mitchell Hashimoto 2e55c3de68 vault: ability to toggle mlock on core 2015-04-27 16:40:14 -07:00
Armon Dadgar 2f0995d650 vault: Swap the HAEnabled check with the sealed check 2015-04-20 12:19:09 -07:00
Armon Dadgar c5f914cb34 vault: Lock memory when possible 2015-04-19 13:42:47 -07:00
Armon Dadgar 4473abd6ce vault: core enforcement of limited use tokens 2015-04-17 11:57:56 -07:00
Armon Dadgar b65e1b3e22 vault: using a constant to make @mitchellh feel better 2015-04-15 17:19:59 -07:00
Armon Dadgar 76b69b2514 vault: thread the display name through 2015-04-15 14:12:34 -07:00
Armon Dadgar 9f7143cf44 vault: expose the current leader 2015-04-14 16:53:40 -07:00
Armon Dadgar 445f64eb39 vault: leader should advertise address 2015-04-14 16:44:48 -07:00
Armon Dadgar ec8a41d2d2 vault: rename internal variable 2015-04-14 16:11:39 -07:00
Armon Dadgar 2820bec479 vault: testing standby mode 2015-04-14 16:06:58 -07:00
Armon Dadgar a0e1b90b81 vault: reject operation if standby 2015-04-14 14:09:11 -07:00
Armon Dadgar d7102e2661 vault: first pass at HA standby mode 2015-04-14 14:06:15 -07:00
Armon Dadgar 255e0fbda4 vault: enable physical cache in core 2015-04-14 11:08:04 -07:00
Armon Dadgar 512b3d7afd vault: Adding metrics profiling 2015-04-08 16:43:17 -07:00
Armon Dadgar 466c7575d3 Replace VaultID with LeaseID for terminology simplification 2015-04-08 13:35:32 -07:00
Armon Dadgar eaa483ff87 vault: Enforce default and max length leasing 2015-04-03 15:42:34 -07:00