Commit graph

3398 commits

Author SHA1 Message Date
Sean Chittenden 60006f550f Various refactoring to clean up code organization
Brought to you by: Dept of 2nd thoughts before pushing enter on `git push`
2016-04-25 18:01:13 -07:00
Sean Chittenden 53f9cea87c Compare the correct values when validating check_timeout 2016-04-25 18:01:13 -07:00
Sean Chittenden e7f600b4e6 Improve error handling re: homedir expansion
Useful if the HOME envvar is not set because `vault` was launched in a clean environment (e.g. `env -i vault ...`).
2016-04-25 18:01:13 -07:00
Sean Chittenden 70ae7f73b4 Detect type conversion failure 2016-04-25 18:01:13 -07:00
Sean Chittenden ae66e65bcf Don't export the builtin backends 2016-04-25 18:01:13 -07:00
Sean Chittenden bd3335c1bd go fmt the PostgreSQL backend 2016-04-25 18:01:13 -07:00
Sean Chittenden 6b2c83564e Teach Vault how to register with Consul
Vault will now register itself with Consul.  The active node can be found using `active.vault.service.consul`.  All standby vaults are available via `standby.vault.service.consul`.  All unsealed vaults are considered healthy and available via `vault.service.consul`.  Change in status and registration is event driven and should happen at the speed of a write to Consul (~network RTT + ~1x fsync(2)).

Healthy/active:

```
curl -X GET 'http://127.0.0.1:8500/v1/health/service/vault?pretty' && echo;
[
    {
        "Node": {
            "Node": "vm1",
            "Address": "127.0.0.1",
            "TaggedAddresses": {
                "wan": "127.0.0.1"
            },
            "CreateIndex": 3,
            "ModifyIndex": 20
        },
        "Service": {
            "ID": "vault:127.0.0.1:8200",
            "Service": "vault",
            "Tags": [
                "active"
            ],
            "Address": "127.0.0.1",
            "Port": 8200,
            "EnableTagOverride": false,
            "CreateIndex": 17,
            "ModifyIndex": 20
        },
        "Checks": [
            {
                "Node": "vm1",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm1",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "passing",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "",
                "ServiceID": "vault:127.0.0.1:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 19
            }
        ]
    }
]
```

Healthy/standby:

```
[snip]
        "Service": {
            "ID": "vault:127.0.0.2:8200",
            "Service": "vault",
            "Tags": [
                "standby"
            ],
            "Address": "127.0.0.2",
            "Port": 8200,
            "EnableTagOverride": false,
            "CreateIndex": 17,
            "ModifyIndex": 20
        },
        "Checks": [
            {
                "Node": "vm2",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm2",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "passing",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "",
                "ServiceID": "vault:127.0.0.2:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 19
            }
        ]
    }
]
```

Sealed:

```
        "Checks": [
            {
                "Node": "vm2",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm2",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "critical",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "Vault Sealed",
                "ServiceID": "vault:127.0.0.2:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 38
            }
        ]
```
2016-04-25 18:01:13 -07:00
Sean Chittenden 2060766107 Update vendor'ed version of hashicorp/consul/lib
Note: Godeps.json not updated
2016-04-25 18:00:54 -07:00
Sean Chittenden 230b59f34c Stub out service discovery functionality
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
2016-04-25 18:00:54 -07:00
Sean Chittenden 0c23acb818 Comment nits 2016-04-25 18:00:54 -07:00
Jeff Mitchell d77f9e0583 Update vendoring 2016-04-26 00:18:04 +00:00
Jeff Mitchell 398ed86d04 Split out TestSeal 2016-04-26 00:14:16 +00:00
Jeff Mitchell 8d4e5aacae Change seal test name in command package 2016-04-26 00:12:14 +00:00
Jeff Mitchell f00beb4e32 Update azure backend for newer sdk 2016-04-26 00:08:07 +00:00
Jeff Mitchell 81137128b9 changelog++ 2016-04-25 19:56:18 +00:00
Jeff Mitchell a481bff2b1 Fix commenting S3 -> Azure 2016-04-25 19:53:07 +00:00
Jeff Mitchell c12dcba9bc Merge pull request #1266 from sepiroth887/azure_backend
added Azure Blobstore backend support
2016-04-25 15:53:09 -04:00
Jeff Mitchell 0f0a6ae368 Merge pull request #1282 from rileytg/patch-1
change github example team to admins
2016-04-25 15:45:01 -04:00
Jeff Mitchell 267b13c1ba Merge pull request #1326 from hashicorp/sethvargo/hint_noreauth
Hint that you don't need to run auth twice
2016-04-25 15:43:55 -04:00
Jeff Mitchell 164168a5c5 Merge pull request #1350 from hashicorp/sealtests
Add seal tests and update generate-root and others to handle dualseal.
2016-04-25 15:40:46 -04:00
Jeff Mitchell 98d09b0dc6 Add seal tests and update generate-root and others to handle dualseal. 2016-04-25 19:39:04 +00:00
Jeff Mitchell 30ba5b7887 Merge pull request #1291 from mmickan/ssh-keyinstall-perms
Ensure authorized_keys file is readable when uninstalling an ssh key
2016-04-25 14:00:37 -04:00
Jeff Mitchell f293b1bb98 Merge pull request #1328 from hashicorp/sethvargo/path-help
Add missing path-helps and clarify subpaths in tables
2016-04-25 13:53:06 -04:00
Jeff Mitchell a331f0e62f Merge pull request #1348 from hashicorp/sethvargo/referrer
Do not allow referrer to modify the parent
2016-04-23 09:45:19 -04:00
Seth Vargo da1735e396
Do not allow referrer to modify the parent
http://mathiasbynens.github.io/rel-noopener/
2016-04-22 23:41:09 -04:00
Vishal Nayak 8f5ba88186 Merge pull request #1343 from hashicorp/b-doc-wordsmith
Wordsmith the docs around the `list` command.
2016-04-20 19:09:38 -04:00
Sean Chittenden f6bec6e017 Wordsmith the docs around the list command.
Prompted by: feedback from conference attendees at PGConf '16
2016-04-20 18:13:58 -04:00
Jeff Mitchell e68de75e83 Next version will likely not be 0.6.0 2016-04-20 20:24:17 +00:00
Jeff Mitchell 04816ed25e changelog++ 2016-04-20 20:23:08 +00:00
Jeff Mitchell 521a3865dc Merge pull request #1342 from hashicorp/use-json-number
Use UseNumber() on json.Decoder to have numbers be json.Number objects
2016-04-20 16:22:01 -04:00
Jeff Mitchell 4e53f4b1a4 Use UseNumber() on json.Decoder to have numbers be json.Number objects
instead of float64. This fixes some display bugs.
2016-04-20 18:38:20 +00:00
Jeff Mitchell ee8dd1ab6a Add vault-php-sdk to libraries page 2016-04-20 13:59:39 +00:00
Jeff Mitchell 62058a0ff8 Update tests for change in raw blacklisting 2016-04-19 20:26:26 +00:00
Jeff Mitchell 556039344a There's no good story around accessing any of core via /sys/raw, so blacklist it all 2016-04-19 16:01:15 +00:00
Jeff Mitchell 055a8e04e4 Change recovery options in init to be 'key'-less 2016-04-18 17:02:07 +00:00
Jeff Mitchell b4620d5d04 Add check against seal type to catch errors before we attempt to use the data 2016-04-15 18:16:48 -04:00
Jeff Mitchell d7ba52f86b Backtick "region" in S3 config 2016-04-15 17:03:35 -04:00
Jeff Mitchell d844be4df5 Merge pull request #1336 from hashicorp/b-sigint-handler
Fix SIGINT handling.
2016-04-15 13:14:37 -04:00
Jeff Mitchell 9bc24be343 Move recovery info behind the barrier 2016-04-15 17:04:29 +00:00
Sean Chittenden 069d9cf021 Fix SIGINT handling.
No signal handler was setup to receive SIGINT.  I didn't investigate to
see if signal(2) mask was setup (ala `SIG_IGN`) or if sigprocmask(2) is
being used, but in either case, the correct behavior is to capture and
treat SIGINT the same as SIGTERM.  At some point in the future these two
signals may affect the running process differently, but we will clarify
that difference in the future.
2016-04-15 10:03:22 -07:00
Jeff Mitchell 119238149b Add Finalize method to seal. 2016-04-14 20:37:34 +00:00
Vishal Nayak eae78f2ef7 Merge pull request #1332 from hashicorp/fix-revocation-output
Clarify output of idempotent calls
2016-04-14 11:52:28 -04:00
vishalnayak 5c336297ad Provide clarity for output statements of idempotent calls. 2016-04-14 15:46:45 +00:00
vishalnayak b7178846c1 Clarify token-revoke operation 2016-04-14 15:34:01 +00:00
Jeff Mitchell 148e6926f9 changelog++ 2016-04-14 08:11:02 -04:00
Jeff Mitchell 1a044e0b57 Merge pull request #1331 from hashicorp/fix-role-suffix-renew
Register the token entry's path instead of the request path, to handl…
2016-04-14 08:09:46 -04:00
Jeff Mitchell 53773f12e3 Register the token entry's path instead of the request path, to handle role suffixes correctly 2016-04-14 08:08:28 -04:00
Jeff Mitchell bb0dd624e1 Merge pull request #1330 from hashicorp/sethvargo/clarify_delete
Clarify delete operation
2016-04-14 06:11:53 -04:00
Jeff Mitchell ae2d000de4 Make period output nicer -- seconds rather than duration 2016-04-14 06:10:22 -04:00
Seth Vargo 54c414abb2
Clarify delete operation
One thing that has been a point of confusion for users is Vault's
response when deleting a key that does not actually exist in the system.
For example, consider:

    $ vault delete secret/foo
    Success! Deleted 'secret/foo'

This message is misleading if the secret does not exist, especially if
the same command is run twice in a row.

Obviously the reason for this is clear - returning an error if a secret
does not exist would reveal the existence of a secret (the same reason
everything on S3 is a 403 or why GitHub repos 404 instead of 403 if you
do not have permission to view them).

I think we can make the UX a little bit better by adding just a few
words to the output:

    $ vault delete secret/foo
    Success! Deleted 'secret/foo' if it existed

This makes it clear that the operation was only performed if the secret
existed, but it does not reveal any more information.
2016-04-14 10:38:10 +01:00