Commit Graph

100 Commits

Author SHA1 Message Date
Jeff Mitchell 11ddd2290b Provide 'sys/step-down' and 'vault step-down'
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.

Fixes #1093
2016-02-26 19:43:55 -05:00
Jeff Mitchell 973c888833 RootGeneration->GenerateRoot 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b994dbc7f Add the ability to generate root tokens via unseal keys. 2016-01-19 18:28:10 -05:00
Jeff Mitchell 455acc255b Have 'sys/renew' return the value provided in Secret.
Fixes a regression introduced in 0.3.
2016-01-07 11:35:09 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell 77e7379ab5 Implement the cubbyhole backend
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell 86ccae7bd5 Fix mount config test by proxying mounts/ in addition to mounts 2015-09-10 15:09:54 -04:00
Jeff Mitchell 4596ed6484 Remove custom http/sys_auth handler in favor of logical. Unit tests
pass.
2015-08-28 13:42:01 -07:00
Jeff Mitchell 6bc86cfee1 Use logical passthrough for renew API calls 2015-08-26 13:22:16 -07:00
Jeff Mitchell 17cbd9e1ca If JSON decoding fails, make it clear that the problem is failing to
parse the JSON, rather than returning the possibly confusing error from
the JSON decoder.

Fixes #553.
2015-08-26 07:03:33 -07:00
Jeff Mitchell a8ef0e8a80 Remove cookie authentication. 2015-08-21 19:46:23 -07:00
Jeff Mitchell 271255b008 Send sys mounting logic directly to logical backend. Unit tests run. 2015-08-20 13:59:57 -07:00
Jeff Mitchell 15f57082e0 Begin factoring out sys paths into logical routes. Also, standardize on 307 as redirect code. 2015-08-20 13:20:35 -07:00
Caleb Tennis 4da080e769 This adds a new error class which can be used by logical backends to
specify more concrete error cases to make their way back up the stack.

Over time there is probably a cleaner way of doing this, but that's
looking like a more massive rewrite and this solves some issues in
the meantime.

Use a CodedError to return a more concrete HTTP return code for
operations you want to do so.  Returning a regular error leaves
the existing behavior in place.
2015-08-10 13:27:25 -04:00
Nate Brown 31ab086063 Doing a little better with http response codes 2015-06-19 14:00:48 -07:00
Armon Dadgar 7964fa4d86 http: adding rekey handlers 2015-05-28 14:28:50 -07:00
Armon Dadgar af47c72639 http: adding key-status and rotate handlers 2015-05-27 18:02:50 -07:00
Ian Unruh 63199e5af4 HTTP should return 503 when sealed 2015-05-19 00:59:19 -07:00
Mitchell Hashimoto 42d6b2a916 http: allow header for auth token [GH-124] 2015-05-11 10:56:58 -07:00
Armon Dadgar cca4580db8 Merge pull request #29 from hashicorp/f-health
Adding sys/health for Consul HTTP health monitoring
2015-04-23 11:58:58 -07:00
Armon Dadgar 667a1bf2d8 http: adding sys/health endpoint 2015-04-23 11:53:31 -07:00
Mitchell Hashimoto bfaf52c34e http: fix redirect issues with trailing slashes 2015-04-22 07:55:40 +02:00
Armon Dadgar f9501c4981 http: Adding sys/leader endpoint 2015-04-20 11:59:24 -07:00
Armon Dadgar c7d521b2be http: pass raw request through 2015-04-19 14:36:50 -07:00
Armon Dadgar 6f5b4637fb http: support standby redirects 2015-04-19 13:47:57 -07:00
Mitchell Hashimoto a44eb0dcd0 http: renew endpoints 2015-04-13 20:42:07 -07:00
Mitchell Hashimoto 6015a8d7c2 http: handle errors better 2015-04-08 11:19:03 -07:00
Mitchell Hashimoto f9f7001242 http: remount 2015-04-07 10:54:58 -07:00
Mitchell Hashimoto 020af2fac2 http: help 2015-04-02 22:26:45 -07:00
Mitchell Hashimoto 6218c2729d http: audit endpoints 2015-04-01 18:36:13 -07:00
Mitchell Hashimoto c25b7010d9 http: all policy endpoints 2015-04-01 17:59:50 -07:00
Mitchell Hashimoto fce856d19c http: list policies 2015-04-01 17:43:58 -07:00
Mitchell Hashimoto 4e8efbbd48 http: respondCommon to do common responses 2015-03-31 21:29:53 -07:00
Mitchell Hashimoto 795e117867 http: detect errors in logical and return them properly 2015-03-31 21:24:20 -07:00
Mitchell Hashimoto aba7fc1910 http: auth handlers 2015-03-31 20:24:51 -07:00
Mitchell Hashimoto ed2cc3a769 http: revoke-prefix 2015-03-31 19:23:32 -07:00
Mitchell Hashimoto bbaa137f4e command/revoke: revoke 2015-03-31 19:21:02 -07:00
Mitchell Hashimoto e9b20c7ae3 http: handle redirects and set auth cookies 2015-03-30 21:06:15 -07:00
Mitchell Hashimoto cfce19d9a8 http: remove /sys/login 2015-03-30 20:28:52 -07:00
Mitchell Hashimoto e46cc7cc87 http: start implementing /sys/login (incomplete) 2015-03-30 12:21:06 -07:00
Mitchell Hashimoto 4cacaf62f0 http: support auth 2015-03-29 16:14:54 -07:00
Mitchell Hashimoto 4161f7a440 http: fix mount endpoints 2015-03-16 10:51:13 -07:00
Mitchell Hashimoto 0e61d88b31 http: /v1/sys/mount DELETE 2015-03-16 10:41:08 -07:00
Mitchell Hashimoto e3a796028e http: /v1/sys/mount endpoint 2015-03-16 10:36:43 -07:00
Mitchell Hashimoto 850349425a http: /sys/mounts 2015-03-15 21:18:25 -07:00
Mitchell Hashimoto 742923452b http: generic read/write endpoint for secrets 2015-03-15 19:35:04 -07:00
Mitchell Hashimoto d35b8eaa6f http: init endpoints 2015-03-12 12:37:54 -07:00
Mitchell Hashimoto 352ad00e68 http: prefix with v1 2015-03-12 10:47:31 -07:00
Mitchell Hashimoto cacb209471 http: start the API server 2015-03-11 23:05:16 -07:00