9ef3d90349
still fixing git mistake
2016-07-25 10:11:51 -04:00
cc668b5c48
Fixing git mistake
2016-07-25 09:57:47 -04:00
7e29cf1cae
edits based on comments in PR
2016-07-25 09:46:10 -04:00
395f052870
minor error correction
2016-07-24 22:35:54 -04:00
9ea1c8b801
initial commit for nonAssignablePolicies
2016-07-24 22:27:41 -04:00
4945198334
reverting branch mistake
2016-07-24 21:56:52 -04:00
483e796177
website update for request uuuid
2016-07-24 21:23:12 -04:00
c63cdc23a1
Merge branch 'master' of https://github.com/hashicorp/vault into request-uuid
2016-07-23 21:47:08 -04:00
e5737b6789
initial local commit
2016-07-23 21:46:28 -04:00
4ab60f36a3
Rename err var to be more clear
2016-07-22 16:57:47 -04:00
331f229858
Added a cap of 256 for CreateLocks utility
2016-07-20 04:48:35 -04:00
50e8a189e9
Added helper to create locks
2016-07-19 21:37:28 -04:00
80a688c059
Ensure mount/auth tables are not nil when triggering rollback
...
During setup or teardown there could be a race condition so check for it
to avoid a potential panic.
2016-07-18 22:02:39 -04:00
df621911d7
Merge pull request #1624 from hashicorp/dynamodb-ha-off-default
...
Turn off DynamoDB HA by default.
2016-07-18 13:54:26 -04:00
028d024345
Add metrics around leadership
...
This can be helpful for detecting flapping.
Fixes #1544
2016-07-18 13:38:44 -04:00
a3ce0dcb0c
Turn off DynamoDB HA by default.
...
The semantics are wonky and have caused issues from people not reading
docs. It can be enabled but by default is off.
2016-07-18 13:19:58 -04:00
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
9f1e6c7b26
Merge pull request #1607 from hashicorp/standardize-time
...
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
5b210b2a1f
Return a duration instead and port a few other places to use it
2016-07-11 18:19:35 +00:00
ab6c2bc5e8
Factor out parsing duration second type and use it for parsing tune values too
2016-07-11 17:53:39 +00:00
fcb0b580ab
Fix broken build
2016-07-08 23:16:58 -04:00
55a667b8cd
Fix broken build
2016-07-08 20:30:27 -04:00
dc690d6233
Place error check before the response check in expiration test
2016-07-08 19:01:36 -04:00
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
c7d72fea90
Do some extra checking in the modified renewal check
2016-07-08 10:34:49 -04:00
7023eafc67
Make the API client retry on 5xx errors.
...
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.
Fix tests.
2016-07-06 16:50:23 -04:00
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
88c7292023
Fix broken test
2016-07-05 12:54:27 -04:00
8ce13b3f68
Add non-wrapped step
2016-07-05 12:11:40 -04:00
b6ca7e9423
Add response wrapping support to login endpoints.
...
Fixes #1587
2016-07-05 11:46:21 -04:00
90c2f5bb55
Fix some more too-tight timing in the token store tests
2016-07-01 11:59:39 -04:00
f3e6e4ee28
Fix timing in explicit max ttl test
2016-07-01 11:37:27 -04:00
09720bbd8e
Fix picking wrong token lock
2016-06-27 11:17:08 -04:00
2933c5ce08
Made default_lease_ttl and max_lease_ttl as int64 and fixed tests
2016-06-20 20:23:49 -04:00
0bdeea3a33
Fix the test cases
2016-06-20 18:56:19 -04:00
848b479a61
Added 'sys/auth/<path>/tune' endpoints.
...
Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods'
2016-06-15 13:58:24 -04:00
368a17e978
Add some commenting
2016-06-14 05:54:09 +00:00
e925987cb6
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
1de6140d5c
Fix mah broken tests
2016-06-10 14:03:56 -04:00
9f6c5bc02a
cubbyhole-response-wrapping -> response-wrapping
2016-06-10 13:48:46 -04:00
e4ce81afa1
Remove unneeded Fields in passthrough
2016-06-09 10:33:24 -04:00
351f536913
Don't check parsability of a `ttl` key on write.
...
On read we already ignore bad values, so we shouldn't be restricting
this on write; doing so alters expected data-in-data-out behavior. In
addition, don't issue a warning if a given `ttl` value can't be parsed,
as this can quickly get annoying if it's on purpose.
The documentation has been updated/clarified to make it clear that this
is optional behavior that doesn't affect the status of the key as POD
and the `lease_duration` returned will otherwise default to the
system/mount defaults.
Fixes #1505
2016-06-08 20:14:36 -04:00
2b4b6559e3
Merge pull request #1504 from hashicorp/token-store-roles-renewability
...
Add renewable flag to token store roles
2016-06-08 15:56:54 -04:00
8a1bff7c11
Make out-of-bounds explicit max a cap+warning instead of an error
2016-06-08 15:25:17 -04:00
cf8f38bd4c
Add renewable flag to token store roles
2016-06-08 15:17:22 -04:00
65d8973864
Add explicit max TTL capability to token creation API
2016-06-08 14:49:48 -04:00
c0155ac02b
Add renewable flag and API setting for token creation
2016-06-08 11:14:30 -04:00
bb1e8ddaa2
Make token renewable status work properly on lookup
2016-06-08 09:19:39 -04:00
10b218d292
Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this...
2016-06-07 16:01:09 -04:00
401456ea50
Add creation time to returned wrapped token info
...
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.
This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
f8d70b64a0
Show renewable status for tokens in output
2016-06-01 17:30:31 -04:00
9dd4e5ec5b
Merge pull request #1235 from hashicorp/policies-validation
...
Strip out other policies if root is present
2016-06-01 12:08:22 -04:00
4fea41f7e5
Use entry.Type as a criteria for upgrade
2016-06-01 10:30:11 -04:00
875778a2d9
Modify just the type and not the path
2016-05-31 23:19:13 -04:00
1e4834bd20
Remove addDefault param from ParsePolicies
2016-05-31 13:39:58 -04:00
49b4c83580
Adding default policies while creating tokens
2016-05-31 13:39:58 -04:00
55fbfab4fe
Upgrade 'aws' auth table entry to 'aws-ec2'
2016-05-30 18:58:58 -04:00
8d19b4fb53
Add keyring zeroize function and add some more memzero calls in
...
appropriate places. Known to be best-effort, but may help in some cases.
Fixes #1446
2016-05-27 20:47:40 +00:00
1d94828e45
Re-enable rollback triggers for auth backends
2016-05-26 14:29:41 -04:00
644ac5f5e8
Merge pull request #1456 from hashicorp/consul-lease-renewal
...
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
a57996ac08
Add to auth/audit too
2016-05-26 13:38:51 -04:00
475b0e2d33
Add table/type checking to mounts table.
2016-05-26 12:55:00 -04:00
c0e745dbfa
s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends
2016-05-26 10:21:03 -04:00
70b8530962
Fix the consul secret backends renewal revocation problem
2016-05-25 23:24:16 -04:00
417a56c42b
Disable rollback on auth for now and add workaround for its auth/ adding to entry paths
2016-05-25 17:53:45 -04:00
05b0e0a866
Enable audit-logging of seal and step-down commands.
...
This pulls the logical request building code into its own function so
that it's accessible from other HTTP handlers, then uses that with some
added logic to the Seal() and StepDown() commands to have meaningful
audit log entries.
2016-05-20 17:03:54 +00:00
0da8762bd5
Add unwrap command, and change how the response is embedded (as a string, not an object)
2016-05-19 11:25:15 -04:00
2e6ac4c37a
Remove wrap specs from backend response
2016-05-19 03:06:09 +00:00
c4431a7e30
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors
2016-05-16 16:11:33 -04:00
4c67a739b9
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-16 12:14:40 -04:00
60975bf76e
Revert "Remove a few assumptions regarding bash(1) being located in /bin."
2016-05-15 15:22:21 -04:00
f91114fef5
Remove a few assumptions regarding bash(1) being located in /bin.
...
Use sh(1) where appropriate.
2016-05-15 11:41:14 -07:00
792950e16c
Merge pull request #1417 from hashicorp/b-pki-expire-ttl-unset
...
Set entry's TTL before writing out the storage entry's config
2016-05-15 10:02:03 -07:00
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
af4e2feda7
When testing, increase the time we wait for the stepdown to occur.
...
2s -> 5s, no functional change.
2016-05-15 07:30:40 -07:00
53fc941761
Merge pull request #1300 from hashicorp/aws-auth-backend
...
AWS EC2 instances authentication backend
2016-05-14 19:42:03 -04:00
560e9c30a3
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-12 14:59:12 -04:00
99a5213f0b
Merge pull request #1355 from hashicorp/f-vault-service
...
Vault/Consul Service refinement
2016-05-12 11:48:29 -07:00
af222a945a
Fix mount tune bounds checking
2016-05-12 07:22:00 -04:00
ce5614bf9b
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-11 19:29:52 -04:00
6ec1ca05c8
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 18:46:55 -04:00
aecc3ad824
Add explicit maximum TTLs to token store roles.
2016-05-11 16:51:18 -04:00
ddcaf26396
Merge branch 'master-oss' into aws-auth-backend
2016-05-10 14:50:00 -04:00
2295cadbf4
Make WrapInfo a pointer to match secret/auth in response
2016-05-07 19:17:51 -04:00
c5085bc79f
Merge response fix over from mfatw
2016-05-07 16:41:24 -04:00
c52d352332
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-07 16:40:04 -04:00
d77563994c
Merge pull request #1346 from hashicorp/disable-all-caches
...
Disable all caches
2016-05-07 16:33:45 -04:00
3e71221839
Merge remote-tracking branch 'origin/master' into aws-auth-backend
2016-05-05 10:04:52 -04:00
885cc73b2e
Merge branch 'master-oss' into f-vault-service
2016-05-04 17:20:00 -04:00
09f06554cb
Address some review feedback
2016-05-04 16:03:53 -04:00
99a5b4402d
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-04 14:42:14 -04:00
1bc2abecd5
Properly persist auth mount tuning
2016-05-03 14:24:04 -04:00
6f7409bb49
Slightly nicer check for LRU in policy store
2016-05-02 22:36:44 -04:00
fe1f56de40
Make a non-caching but still locking variant of transit for when caches are disabled
2016-05-02 22:36:44 -04:00
8572190b64
Plumb disabling caches through the policy store
2016-05-02 22:36:44 -04:00
1b190c9c62
Don't check if numuses is -1 with a read lock, it shouldn't come in with that from lookup anyways
2016-05-02 15:31:28 -04:00
324bb9cfac
Use a 256-level mutex map instead of 4096, and optimize the case for tokens that are not limited use
2016-05-02 14:57:17 -04:00
642163f8b0
Remove MountPoint from internal wrap object, for now at least
2016-05-02 10:29:51 -04:00
2ebe49d3a1
Change UseToken mechanics.
...
Add locking around UseToken and Lookup. Have UseToken flag an entry that
needs to be revoked so that it can be done at the appropriate time, but
so that Lookup in the interm doesn't return a value.
The locking is a map of 4096 locks keyed off of the first three
characters of the token ID which should provide good distribution.
2016-05-02 03:44:24 -04:00
1ffd5653c6
Add wrap support to API/CLI
2016-05-02 02:03:23 -04:00
aba689a877
Add wrapping through core and change to use TTL instead of Duration.
2016-05-02 00:47:35 -04:00
d81806b446
Add:
...
* Request/Response field extension
* Parsing of header into request object
* Handling of duration/mount point within router
* Tests of router WrapDuration handling
2016-05-02 00:24:32 -04:00
4182d711c3
Merge branch 'master-oss' into aws-auth-backend
2016-04-29 14:23:16 +00:00
81da06de05
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 15:15:37 -04:00
5068d68a13
Name the output parameters for Leader
2016-04-28 11:05:18 -07:00
0b72906fc3
Change the interface of ServiceDiscovery
...
Instead of passing state, signal that the state has changed and provide a callback handler that can query Core.
2016-04-28 11:05:18 -07:00
4a409ebb81
Fix some rekey testing expected seal type logic
2016-04-28 17:13:03 +00:00
91c41f12d4
minor fix for expected barrier type in rekey test
2016-04-28 16:52:32 +00:00
1027b51d17
Built tag-ify sealtesting
2016-04-28 00:47:44 +00:00
0b8e3457d3
Move TestSeal funcs to sealtesting
2016-04-27 20:59:06 +00:00
9aa8fb6cc1
Support periodic tidy callback and config endpoints.
2016-04-26 10:22:29 -04:00
aeea7628d6
Add a *log.Logger argument to physical.Factory
...
Logging in the backend is a good thing. This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
7fe0b2c6a1
Persistently retry to update service registration
...
If the local Consul agent is not available while attempting to step down from active or up to active, retry once a second. Allow for concurrent changes to the state with a single registration updater. Fix standby initialization.
2016-04-25 18:01:13 -07:00
230b59f34c
Stub out service discovery functionality
...
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
2016-04-25 18:00:54 -07:00
398ed86d04
Split out TestSeal
2016-04-26 00:14:16 +00:00
98d09b0dc6
Add seal tests and update generate-root and others to handle dualseal.
2016-04-25 19:39:04 +00:00
f293b1bb98
Merge pull request #1328 from hashicorp/sethvargo/path-help
...
Add missing path-helps and clarify subpaths in tables
2016-04-25 13:53:06 -04:00
62058a0ff8
Update tests for change in raw blacklisting
2016-04-19 20:26:26 +00:00
556039344a
There's no good story around accessing any of core via /sys/raw, so blacklist it all
2016-04-19 16:01:15 +00:00
b4620d5d04
Add check against seal type to catch errors before we attempt to use the data
2016-04-15 18:16:48 -04:00
9bc24be343
Move recovery info behind the barrier
2016-04-15 17:04:29 +00:00
119238149b
Add Finalize method to seal.
2016-04-14 20:37:34 +00:00
53773f12e3
Register the token entry's path instead of the request path, to handle role suffixes correctly
2016-04-14 08:08:28 -04:00
ae2d000de4
Make period output nicer -- seconds rather than duration
2016-04-14 06:10:22 -04:00
a4ff72841e
Check for seal status when initing and change logic order to avoid defer
2016-04-14 01:13:59 +00:00
03c09341a4
Add missing path-helps and clarify subpaths in tables
2016-04-13 22:15:54 +01:00
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
1db6808912
Construct token path from request to fix displaying TTLs when using
...
create-orphan.
2016-04-07 15:45:38 +00:00
f2880561d1
Ensure we only use sysview's max if it's not zero. It never should be, but safety.
2016-04-07 15:27:14 +00:00
09ad6317ea
Merge pull request #1297 from hashicorp/f-bsd-mlock
...
F bsd mlock
2016-04-06 13:57:34 -07:00
e3a1ee92b5
Utility Enhancements
2016-04-05 20:32:59 -04:00
087e7c94d3
Add Vault support for the *BSDs, including Darwin
...
The `syscall` package has been frozen in favor of `x/sys`. As a result, all of the BSDs are supported and do have `mlockall(2)` support in current versions of Go.
2016-04-05 12:18:19 -07:00
afae46feb7
SealInterface
2016-04-04 10:44:22 -04:00
7d20380c42
Merge pull request #1280 from hashicorp/remove-ts-revoke-prefix
...
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-04-01 09:48:52 -04:00
2b2541e13f
Merge pull request #1277 from hashicorp/suprious-revoke-timer-logs
...
Keep the expiration manager from keeping old token entries.
2016-03-31 20:16:31 -04:00
2fd02b8dca
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 18:04:05 -04:00
7442867d53
Check for auth/ in the path of the prefix for revoke-prefix in the token
...
store.
2016-03-31 16:21:56 -04:00
75650ec1ad
Keep the expiration manager from keeping old token entries.
...
The expiration manager would never be poked to remove token entries upon
token revocation, if that revocation was initiated in the token store
itself. It might have been to avoid deadlock, since during revocation of
tokens the expiration manager is called, which then calls back into the
token store, and so on.
This adds a way to skip that last call back into the token store if we
know that we're on the revocation path because we're in the middle of
revoking a token. That way the lease is cleaned up. This both prevents
log entries appearing for already-revoked tokens, and it also releases
timer/memory resources since we're not keeping the leases around.
2016-03-31 15:10:25 -04:00
ddce1efd0d
Two items:
...
1: Fix path check in core to handle renew paths from the token store
that aren't simply renew/
2: Use token policy logic if token store role policies are empty
2016-03-31 14:52:49 -04:00
034ffd8af3
Fix capabilities test case
2016-03-18 12:55:18 -04:00
6831e2a8fd
Sort the capabilities before returning
2016-03-18 12:40:17 -04:00
a6f6cbd95a
Tests for capabilites in system backend
2016-03-18 11:58:06 -04:00
d959ffc301
Rename PrepareRequest to PrepareRequestFunc
2016-03-18 10:37:49 -04:00
fbfe72f286
Removed http/sys_capabilties_test.go
2016-03-18 09:48:45 -04:00
55f03b5d25
Add separate path for capabilities-self to enable ACL
2016-03-17 22:52:03 -04:00
68367f60c8
Fix broken testcases
2016-03-17 21:03:32 -04:00
d348735322
Fix help descriptions
2016-03-17 21:03:32 -04:00
f275cd2e9c
Fixed capabilities API to receive logical response
2016-03-17 21:03:32 -04:00
a5d79d587a
Refactoring the capabilities function
2016-03-17 21:03:32 -04:00
Laura Bennett