Commit graph

125 commits

Author SHA1 Message Date
Armon Dadgar 20c2375352 vault: Adding ACL enforcement 2015-03-24 11:37:07 -07:00
Armon Dadgar 43a99aec93 vault: Special case root policy 2015-03-24 11:27:21 -07:00
Armon Dadgar 4598e43140 vault: Adding ClientToken 2015-03-24 11:09:25 -07:00
Armon Dadgar 65ef4f1032 vault: wire tokens into expiration manager 2015-03-23 18:11:15 -07:00
Armon Dadgar 86c9bd9083 vault: Give expiration manager a token store reference 2015-03-23 18:00:14 -07:00
Armon Dadgar 6481ff9e34 vault: Generate a root token when initializing 2015-03-23 17:31:30 -07:00
Armon Dadgar cd3ee5cc03 vault: Remove core reference 2015-03-23 17:29:36 -07:00
Armon Dadgar 539554fc0b vault: only log expiration notice if useful 2015-03-23 17:27:46 -07:00
Armon Dadgar 3607eae208 vault: Adding method to generate root token 2015-03-23 17:16:37 -07:00
Armon Dadgar f40ed182c4 vault: Support policy CRUD 2015-03-23 14:43:31 -07:00
Armon Dadgar 192dcf7d39 vault: first pass at HandleLogin 2015-03-23 13:56:43 -07:00
Armon Dadgar 879a0501f8 vault: Track the token store in core 2015-03-23 13:41:05 -07:00
Armon Dadgar 56d99fe580 vault: token tracks generation path and meta data 2015-03-23 13:39:43 -07:00
Armon Dadgar 10e64d1e90 vault: extend router to handle login routing 2015-03-23 11:47:55 -07:00
Armon Dadgar a78b7207b9 vault: playing with credential store interface 2015-03-20 13:54:57 -07:00
Armon Dadgar 82e13e3c41 vault: implement the sys/auth* endpoints 2015-03-20 12:48:19 -07:00
Mitchell Hashimoto a0f59f682b logical/framework: can specify InternalData for secret 2015-03-20 17:59:48 +01:00
Mitchell Hashimoto 1ff229ca68 http: passing tests 2015-03-19 23:28:49 +01:00
Mitchell Hashimoto c349e97168 vault: clean up VaultID duplications, make secret responses clearer
/cc @armon - This is a reasonably major refactor that I think cleans up
a lot of the logic with secrets in responses. The reason for the
refactor is that while implementing Renew/Revoke in logical/framework I
found the existing API to be really awkward to work with.

Primarily, we needed a way to send down internal data for Vault core to
store since not all the data you need to revoke a key is always sent
down to the user (for example the user than AWS key belongs to).

At first, I was doing this manually in logical/framework with
req.Storage, but this is going to be such a common event that I think
its something core should assist with. Additionally, I think the added
context for secrets will be useful in the future when we have a Vault
API for returning orphaned out keys: we can also return the internal
data that might help an operator.

So this leads me to this refactor. I've removed most of the fields in
`logical.Response` and replaced it with a single `*Secret` pointer. If
this is non-nil, then the response represents a secret. The Secret
struct encapsulates all the lease info and such.

It also has some fields on it that are only populated at _request_ time
for Revoke/Renew operations. There is precedent for this sort of
behavior in the Go stdlib where http.Request/http.Response have fields
that differ based on client/server. I copied this style.

All core unit tests pass. The APIs fail for obvious reasons but I'll fix
that up in the next commit.
2015-03-19 23:11:42 +01:00
Mitchell Hashimoto 8039fc5c63 logical/framework: support renew 2015-03-19 20:20:57 +01:00
Mitchell Hashimoto d4b284fba4 logical/framework: revoke support 2015-03-19 19:41:41 +01:00
Armon Dadgar 7170bff4f9 vault: testing credential enable/disable 2015-03-19 10:39:47 -07:00
Armon Dadgar ca44529c9d vault: Change constant name 2015-03-19 09:56:39 -07:00
Armon Dadgar d88a41944e vault: Switch AuthTable to using MountTable 2015-03-19 09:54:57 -07:00
Mitchell Hashimoto 2a1ae18877 vault: convert to new callback style 2015-03-19 15:05:22 +01:00
Armon Dadgar bb8a014b6a vault: first pass at enable/disable auth backends 2015-03-18 19:36:17 -07:00
Armon Dadgar 8cc88981d6 vault: token store is a credential implementation 2015-03-18 19:11:52 -07:00
Armon Dadgar 421f73d332 vault: Removing mtype from router 2015-03-18 15:48:14 -07:00
Armon Dadgar b8da9c2ee2 vault: first pass at initializing credential backends 2015-03-18 15:46:07 -07:00
Armon Dadgar d2d1822931 vault: Adding hooks for auth loading 2015-03-18 15:30:31 -07:00
Armon Dadgar 21b9bdaf37 vault: Allow passing in credential backends 2015-03-18 15:21:41 -07:00
Armon Dadgar 10a67592cd vault: more protection of protected mount points 2015-03-18 15:16:52 -07:00
Armon Dadgar 6e22ca50eb vault: integrate policy and token store into core 2015-03-18 14:00:42 -07:00
Armon Dadgar 481a3a2a91 vault: testing token revocation 2015-03-18 13:50:36 -07:00
Armon Dadgar 4d0700d12f vault: Guard against blank tokens 2015-03-18 13:21:16 -07:00
Armon Dadgar ded5dc71e9 vault: First pass token store 2015-03-18 13:19:19 -07:00
Armon Dadgar 51ce336753 vault: Adding PolicyStore 2015-03-18 12:17:03 -07:00
Armon Dadgar 061b6b24f1 vault: Refactor to use CollectKeys 2015-03-18 12:06:18 -07:00
Mitchell Hashimoto d9bff7b674 vault: TODOs 2015-03-17 20:54:38 -05:00
Mitchell Hashimoto 6f9d63dea5 vault: comment mounts mapping in rollback manager 2015-03-17 20:53:28 -05:00
Mitchell Hashimoto 05f86ca957 vault: put uint32 at top of struct to avoid alignment issues 2015-03-17 20:46:10 -05:00
Mitchell Hashimoto 97dab0c285 vault: ignore backends that don't support rollback 2015-03-17 20:39:45 -05:00
Mitchell Hashimoto e078b957d4 vault: start/stop rollback manager post/pre seal 2015-03-17 20:39:45 -05:00
Mitchell Hashimoto c7b9148841 vault: RollbackManager
There are some major TODO items here, and it isn't hooked into the core
yet, but the basic functionality is there.
2015-03-17 20:39:45 -05:00
Mitchell Hashimoto abe0859aa5 vault: use RWMutex on MountTable itself 2015-03-17 20:39:45 -05:00
Armon Dadgar 99abc11ec5 vault: Adding ACL representation 2015-03-17 18:31:20 -07:00
Armon Dadgar ddab671bf4 vault: Adding policy parsing 2015-03-17 15:53:29 -07:00
Armon Dadgar 46ccb81db4 vault: Respect grace period for revocation 2015-03-16 17:09:18 -07:00
Armon Dadgar a24192b728 vault: Support sys/revoke-prefix/ 2015-03-16 16:33:48 -07:00
Armon Dadgar f08659aaaa vault: Adding sys/revoke 2015-03-16 16:26:34 -07:00