20c65b8300
Fix regression in 0.6.4 where token store roles could not properly wo… ( #2286 )
2017-01-18 16:11:25 -05:00
c9bd2a37f8
Don't sanitize disallowed_policies on token role
2017-01-17 21:34:14 -05:00
fa7d61baa3
Merge pull request #2202 from fcantournet/fix_govet_fatalf
...
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
c37d17ed47
Adding interface methods to logical.Backend for parity ( #2242 )
2017-01-07 18:18:22 -05:00
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
9f60e9f88d
Add tidy expiration test
2016-12-16 17:04:28 -05:00
bae84e3864
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 15:41:41 -05:00
ba026aeaa1
TokenStore: Added tidy endpoint ( #2192 )
2016-12-16 15:29:27 -05:00
f6044764c0
Fix revocation of leases when num_uses goes to 0 ( #2190 )
2016-12-16 13:11:55 -05:00
8400b87473
Don't add default policy to child token if parent does not have it ( #2164 )
2016-12-16 00:36:39 -05:00
b45a481365
Wrapping enhancements ( #1927 )
2016-09-28 21:01:28 -07:00
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
57b21acabb
Added unit tests for token entry upgrade
2016-09-26 18:17:50 -04:00
9fee9ce8ff
Don't allow tokens in paths. ( #1783 )
2016-08-24 15:59:43 -04:00
01702415c2
Ensure we don't use a token entry period of 0 in role comparisons.
...
When we added support for generating periodic tokens for root/sudo in
auth/token/create we used the token entry's period value to store the
shortest period found to eventually populate the TTL. The problem was
that we then assumed later that this value would be populated for
periodic tokens, when it wouldn't have been in the upgrade case.
Instead, use a temp var to store the proper value to use; populate
te.Period only if actually given; and check that it's not zero before
comparing against role value during renew.
2016-08-16 16:47:46 -04:00
40ece8fd7c
Add another test and fix some output
2016-08-14 07:17:14 -04:00
b6ef112382
Minor wording change
2016-08-13 15:45:13 -04:00
cdea4b3445
Add some tests and fix some bugs
2016-08-13 14:03:22 -04:00
bcb4ab5422
Add periodic support for root/sudo tokens to auth/token/create
2016-08-12 21:14:12 -04:00
0f40fba40d
Don't allow a root token that expires to create one that doesn't
2016-08-09 20:32:40 -04:00
e783bfe7e1
Minor changes to test cases
2016-08-05 20:22:07 -04:00
5ddd1c7223
Fix broken test case
2016-08-05 20:07:18 -04:00
02911c0e01
full updates based on feedback
2016-08-05 18:57:35 -04:00
52623a2395
test updates based on feedback
2016-08-05 18:56:22 -04:00
405eb0075a
fix an error, tests still broken
2016-08-05 17:58:48 -04:00
68d351c70c
addresses feedback, but tests broken
2016-08-05 10:04:02 -04:00
c626277632
initial commit for minor update to token-store
2016-08-03 14:32:17 -04:00
e7cb3fd990
Addressed review feedback
2016-08-02 16:53:06 -04:00
9947b33498
Added tests for disallowed_policies
2016-08-02 15:21:15 -04:00
a936914101
Address review feedback and fix existing tests
2016-08-02 14:10:20 -04:00
357f2d972f
Add some extra safety checking in accessor listing and update website
...
docs.
2016-08-01 13:12:06 -04:00
23ab63c78e
Add accessor list function to token store
2016-07-29 18:20:38 -04:00
e26487ced5
Add test for non-assignable policies
2016-07-25 16:00:18 -04:00
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
90c2f5bb55
Fix some more too-tight timing in the token store tests
2016-07-01 11:59:39 -04:00
f3e6e4ee28
Fix timing in explicit max ttl test
2016-07-01 11:37:27 -04:00
2b4b6559e3
Merge pull request #1504 from hashicorp/token-store-roles-renewability
...
Add renewable flag to token store roles
2016-06-08 15:56:54 -04:00
8a1bff7c11
Make out-of-bounds explicit max a cap+warning instead of an error
2016-06-08 15:25:17 -04:00
cf8f38bd4c
Add renewable flag to token store roles
2016-06-08 15:17:22 -04:00
65d8973864
Add explicit max TTL capability to token creation API
2016-06-08 14:49:48 -04:00
f8d70b64a0
Show renewable status for tokens in output
2016-06-01 17:30:31 -04:00
49b4c83580
Adding default policies while creating tokens
2016-05-31 13:39:58 -04:00
ce5614bf9b
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-11 19:29:52 -04:00
6ec1ca05c8
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 18:46:55 -04:00
aecc3ad824
Add explicit maximum TTLs to token store roles.
2016-05-11 16:51:18 -04:00
2ebe49d3a1
Change UseToken mechanics.
...
Add locking around UseToken and Lookup. Have UseToken flag an entry that
needs to be revoked so that it can be done at the appropriate time, but
so that Lookup in the interm doesn't return a value.
The locking is a map of 4096 locks keyed off of the first three
characters of the token ID which should provide good distribution.
2016-05-02 03:44:24 -04:00
81da06de05
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 15:15:37 -04:00
53773f12e3
Register the token entry's path instead of the request path, to handle role suffixes correctly
2016-04-14 08:08:28 -04:00
1db6808912
Construct token path from request to fix displaying TTLs when using
...
create-orphan.
2016-04-07 15:45:38 +00:00
2fd02b8dca
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 18:04:05 -04:00
7442867d53
Check for auth/ in the path of the prefix for revoke-prefix in the token
...
store.
2016-03-31 16:21:56 -04:00
fa2ba47a5c
Merge branch 'master' into token-roles
2016-03-09 17:23:34 -05:00
0c4d5960a9
In-URL accessor for auth/token/lookup-accessor endpoint
2016-03-09 14:54:52 -05:00
f478cc57e0
fix all the broken tests
2016-03-09 13:45:36 -05:00
007142262f
Provide accessor to revove-accessor in the URL itself
2016-03-09 13:08:37 -05:00
3b302817e5
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 12:50:26 -05:00
2ecdde1781
Address final feedback
2016-03-09 11:59:54 -05:00
7c5f810bc0
Address first round of feedback
2016-03-01 15:30:37 -05:00
54232eb980
Add other token role unit tests and some minor other changes.
2016-03-01 12:41:41 -05:00
df2e337e4c
Update tests to add expected role parameters
2016-03-01 12:41:40 -05:00
b8b59560dc
Add token role CRUD tests
2016-03-01 12:41:40 -05:00
ff3adce39e
Make "ttl" reflect the actual TTL of the token in lookup calls.
...
Add a new value "creation_ttl" which holds the value at creation time.
Fixes #986
2016-02-01 11:16:32 -05:00
b2bde47b01
Pull out setting the root token ID; use the new ParseUUID method in
...
go-uuid instead, and revoke if there is an error.
2016-01-19 19:44:33 -05:00
3b994dbc7f
Add the ability to generate root tokens via unseal keys.
2016-01-19 18:28:10 -05:00
9c5ad28632
Update deps, and adjust usage of go-uuid to match new return values
2016-01-13 13:40:08 -05:00
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
d51d723c1f
Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases)
2016-01-04 17:11:22 -05:00
e990b77d6e
Address review feedback; move storage of these values to the expiration manager
2016-01-04 16:43:07 -05:00
5ddd243144
Store a last renewal time in the token entry and return it upon lookup
...
of the token.
Fixes #889
2016-01-04 11:20:49 -05:00
df68e3bd4c
Filter out duplicate policies during token creation.
2015-12-30 15:18:30 -05:00
f2da5b639f
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
1a45696208
Add no-default-policy flag and API parameter to allow exclusion of the
...
default policy from a token create command.
2015-11-09 17:30:50 -05:00
5783f547ab
Display whether a token is an orphan on lookup.
2015-11-09 13:19:59 -05:00
6ccded7a2f
Add ability to create orphan tokens from the API
2015-11-03 15:12:21 -05:00
636d57a026
Make the token store's Create and RootToken functions non-exported.
...
Nothing requires them to be exported, and I don't want anything in the
future to think it's okay to simply create a root token when it likes.
2015-10-30 10:59:26 -04:00
a9155ef85e
Use split-out hashicorp/uuid
2015-10-12 14:07:12 -04:00
4a52de13e3
Add renew-self endpoint.
...
Fixes #455 .
2015-10-07 12:49:13 -04:00
ca50012017
Format token lease/TTL as int in JSON API when looking up
2015-09-27 22:36:36 -04:00
62ac518ae7
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 10:41:21 -04:00
d526c8ce1c
Merge pull request #629 from hashicorp/token-create-sudo
...
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-21 10:12:29 -04:00
a2799b235e
Using acl.RootPrivilege and rewrote mockTokenStore
2015-09-19 17:53:24 -04:00
b6d47dd784
fix broken tests
2015-09-19 12:33:52 -04:00
d775445efe
Store token creation time and TTL. This can be used to properly populate
...
fields in 'lookup-self'. Importantly, this also makes credential
backends use the SystemView per-backend TTL values and fixes unit tests
to expect this.
Fully fixes #527
2015-09-18 16:39:35 -04:00
8f79e8be82
Add revoke-self endpoint.
...
Fixes #620 .
2015-09-17 13:22:30 -04:00
047ba90a44
Restrict orphan revocation to root tokens
2015-09-16 09:22:15 -04:00
c460ff10ca
Push a lot of logic into Router to make a bunch of it nicer and enable a
...
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
ffeb6ea76c
vault: allow increment to be duration string. Fixes #340
2015-06-17 15:58:20 -07:00
ae421f75b7
vault: fixing issues with token renewal
2015-06-17 14:28:13 -07:00
538c795f9b
vault: Adding method to consume a limited use token
2015-04-17 11:51:04 -07:00
fd3948d476
vault: Tokens can have a use count specified
2015-04-17 11:34:25 -07:00
818ce0a045
vault: token store allows specifying display_name
2015-04-15 14:24:07 -07:00
5eff7f1b57
vault: upper bound on test
2015-04-10 21:22:17 -07:00
992028e23e
vault: the expiration time should be relative to the issue time
2015-04-10 21:21:06 -07:00
a6d974c74e
vault: revoking a token should revoke all secrets it has generated
2015-04-10 15:12:04 -07:00
1e2863e2b8
vault: remove unused RevokeAll method
2015-04-10 14:59:49 -07:00
13836e8612
vault: groundwork to allow auth renew
2015-04-10 13:59:49 -07:00
4679febdf3
logical: Refactor LeaseOptions to share between Secret and Auth
2015-04-09 12:14:04 -07:00
82c5d9c478
vault: Enforce non-renewability
2015-04-08 17:03:46 -07:00
Jeff Mitchell