luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
3,922 Commits 1 Branch 0 Tags 214 MiB
Commit Graph

176 Commits

Author SHA1 Message Date
Jeff Mitchell 05b0e0a866 Enable audit-logging of seal and step-down commands. 
This pulls the logical request building code into its own function so
that it's accessible from other HTTP handlers, then uses that with some
added logic to the Seal() and StepDown() commands to have meaningful
audit log entries.
 2016-05-20 17:03:54 +00:00
Jeff Mitchell c4431a7e30 Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 16:11:33 -04:00
Jeff Mitchell 560e9c30a3 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-12 14:59:12 -04:00
Sean Chittenden 99a5213f0b Merge pull request #1355 from hashicorp/f-vault-service 
Vault/Consul Service refinement
 2016-05-12 11:48:29 -07:00
Jeff Mitchell c52d352332 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-07 16:40:04 -04:00
Jeff Mitchell fe1f56de40 Make a non-caching but still locking variant of transit for when caches are disabled 2016-05-02 22:36:44 -04:00
Jeff Mitchell 8572190b64 Plumb disabling caches through the policy store 2016-05-02 22:36:44 -04:00
Jeff Mitchell 2ebe49d3a1 Change UseToken mechanics. 
Add locking around UseToken and Lookup. Have UseToken flag an entry that
needs to be revoked so that it can be done at the appropriate time, but
so that Lookup in the interm doesn't return a value.

The locking is a map of 4096 locks keyed off of the first three
characters of the token ID which should provide good distribution.
 2016-05-02 03:44:24 -04:00
Jeff Mitchell aba689a877 Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 00:47:35 -04:00
Sean Chittenden 5068d68a13 Name the output parameters for Leader 2016-04-28 11:05:18 -07:00
Sean Chittenden 0b72906fc3 Change the interface of ServiceDiscovery 
Instead of passing state, signal that the state has changed and provide a callback handler that can query Core.
 2016-04-28 11:05:18 -07:00
Sean Chittenden 7fe0b2c6a1 Persistently retry to update service registration 
If the local Consul agent is not available while attempting to step down from active or up to active, retry once a second.  Allow for concurrent changes to the state with a single registration updater.  Fix standby initialization.
 2016-04-25 18:01:13 -07:00
Sean Chittenden 230b59f34c Stub out service discovery functionality 
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
 2016-04-25 18:00:54 -07:00
Jeff Mitchell 53773f12e3 Register the token entry's path instead of the request path, to handle role suffixes correctly 2016-04-14 08:08:28 -04:00
Jeff Mitchell a4ff72841e Check for seal status when initing and change logic order to avoid defer 2016-04-14 01:13:59 +00:00
vishalnayak e3a1ee92b5 Utility Enhancements 2016-04-05 20:32:59 -04:00
Jeff Mitchell afae46feb7 SealInterface 2016-04-04 10:44:22 -04:00
Jeff Mitchell ddce1efd0d Two items: 
1: Fix path check in core to handle renew paths from the token store
that aren't simply renew/
2: Use token policy logic if token store role policies are empty
 2016-03-31 14:52:49 -04:00
Jeff Mitchell 8a5fc6b017 Sort and filter policies going into the create token entry, then use 
that as the definitive source for the response Auth object.
 2016-03-15 14:05:25 -04:00
Jeff Mitchell 90dd55b1e6 Sort policies before returning/storing, like we do in handleCreateCommon 2016-03-10 22:31:26 -05:00
vishalnayak 378db2bc3c Add default policy to response auth object 2016-03-10 19:55:38 -05:00
Jeff Mitchell fa2ba47a5c Merge branch 'master' into token-roles 2016-03-09 17:23:34 -05:00
Jeff Mitchell d4371d1393 Add accessor to returned auth 2016-03-09 17:15:42 -05:00
Jeff Mitchell cc1f5207b3 Merge branch 'master' into token-roles 2016-03-07 10:03:54 -05:00
Jeff Mitchell 9bf6c40974 Add default case for if the step down channel is blocked 2016-03-03 12:29:30 -05:00
Jeff Mitchell ef990a3681 Initial work on token roles 2016-03-01 12:41:40 -05:00
Jeff Mitchell 6a980b88fd Address review feedback 2016-02-28 21:51:50 -05:00
Jeff Mitchell 11ddd2290b Provide 'sys/step-down' and 'vault step-down' 
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.

Fixes #1093
 2016-02-26 19:43:55 -05:00
vishalnayak a10888f1f1 Added comments to changes the error message 2016-02-03 11:35:47 -05:00
vishalnayak f1facb0f9f Throw error on sealing vault in standby mode 2016-02-03 10:58:33 -05:00
Jeff Mitchell 8b9fa042fe If the path is not correct, don't fail due to existence check, fail due to unsupported path 2016-01-23 14:05:09 -05:00
Jeff Mitchell 9cac7ccd0f Add some commenting 2016-01-22 10:13:49 -05:00
Jeff Mitchell 3955604d3e Address more list feedback 2016-01-22 10:07:32 -05:00
Jeff Mitchell b2bde47b01 Pull out setting the root token ID; use the new ParseUUID method in 
go-uuid instead, and revoke if there is an error.
 2016-01-19 19:44:33 -05:00
Jeff Mitchell 973c888833 RootGeneration->GenerateRoot 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b994dbc7f Add the ability to generate root tokens via unseal keys. 2016-01-19 18:28:10 -05:00
Jeff Mitchell 9857da207c Move rekey to its own files for cleanliness 2016-01-14 17:01:04 -05:00
Jeff Mitchell 9c5ad28632 Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell d949043cac Merge pull request #914 from hashicorp/acl-rework 
More granular ACL capabilities
 2016-01-12 21:11:52 -05:00
Jeff Mitchell da87d490eb Add some commenting around create/update 2016-01-12 15:13:54 -05:00
Jeff Mitchell 9db22dcfad Address some more review feedback 2016-01-12 15:09:16 -05:00
Jeff Mitchell f6d2271a3c Use an array of keys so that if the same fingerprint is used none are lost when using PGP key backup 2016-01-08 14:29:23 -05:00
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities. 
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
 2016-01-08 13:05:14 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell 85509e7ba5 Simplify some logic and ensure that if key share backup fails, we fail 
the operation as well.

Ping #907
 2016-01-06 13:14:23 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Jeff Mitchell 96cb7d0051 Commenting/format update 2015-12-18 10:34:54 -05:00
Jeff Mitchell 4482fdacfd If we have not yet completed post-unseal when running in single-node 
mode, don't advertise that we are active.

Ping #872
 2015-12-17 13:48:08 -05:00
Jeff Mitchell f2da5b639f Migrate 'uuid' to 'go-uuid' to better fit HC naming convention 2015-12-16 12:56:20 -05:00
Jeff Mitchell 7ce8aff906 Address review feedback 2015-12-14 17:58:30 -05:00