150ad8405b
Remove logical.Initialize() method ( #3848 )
...
* Remove logical.Initialize() method
* More cleanup
* Fix test
2018-01-25 20:19:27 -05:00
2f19de0305
Add context to storage backends and wire it through a lot of places ( #3817 )
2018-01-19 01:44:44 -05:00
1c190d4bda
Pass context to backends ( #3750 )
...
* Start work on passing context to backends
* More work on passing context
* Unindent logical system
* Unindent token store
* Unindent passthrough
* Unindent cubbyhole
* Fix tests
* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
255212af23
Non-recursive DFS token tree revoke ( #2478 )
2017-12-11 16:51:37 -05:00
8f159b12b1
allowed/disallowed_policies as TypeCommaStringSlice ( #3641 )
...
Our docs apparently claim that this is a list, but the code is
string-only. This fixes that discrepancy.
2017-12-04 12:47:05 -05:00
2b78bc2a9b
Port over bits ( #3575 )
2017-11-13 15:31:32 -05:00
119607dcb7
Seal wrap all root tokens and their leases ( #3540 )
2017-11-06 13:10:36 -05:00
47dae8ffc7
Sync
2017-10-23 14:59:37 -04:00
f7ed6732a5
Porting identity store ( #3419 )
...
* porting identity to OSS
* changes that glue things together
* add testing bits
* wrapped entity id
* fix mount error
* some more changes to core
* fix storagepacker tests
* fix some more tests
* fix mount tests
* fix http mount tests
* audit changes for identity
* remove upgrade structs on the oss side
* added go-memdb to vendor
2017-10-11 10:21:20 -07:00
675cbe1bcd
Handle expiration manager being nil
2017-09-05 12:01:02 -04:00
71952b7738
ExpirationManager restoration to load in the background ( #3260 )
2017-09-05 11:09:00 -04:00
b851d88d68
fix swallowed error in vault package. ( #2993 )
2017-07-26 12:15:54 -04:00
b04e0a7a2a
Dynamically load and invalidate the token store salt ( #3021 )
...
* Dynaically load and invalidate the token store salt
* Pass salt function into the router
2017-07-18 09:02:03 -07:00
a71cb52f1b
Don't allow overriding token ID with the same token ID ( #2917 )
...
Fixes #2916
2017-06-24 01:52:48 +01:00
858deb9ca4
Don't allow parent references in file paths
2017-05-12 13:52:33 -04:00
d25aa9fc21
Don't write salts in initialization, look up on demand ( #2702 )
2017-05-09 17:51:09 -04:00
fa201f2505
auth/token/tidy log level update
2017-05-05 11:16:13 -04:00
b482043de1
Update debugging around tidy
2017-05-05 10:48:12 -04:00
f8295a301d
Merge branch 'master-oss' into sys-tidy-leases
2017-05-04 09:37:52 -04:00
3d9cf89ad6
Add the ability to view and list of leases metadata ( #2650 )
2017-05-03 22:03:42 -04:00
7f3891c734
Fix substitution of index/child in delete call
2017-05-03 15:09:13 -04:00
99884a8f13
Merge remote-tracking branch 'oss/master' into sys-tidy-leases
2017-05-03 15:02:42 -04:00
bb6b5f7aa6
Add taint flag for looking up by accessor
2017-05-03 13:08:50 -04:00
a1a0c2950f
logging updates
2017-05-03 12:58:10 -04:00
6aa7f9b7c9
Added logs when deletion fails so we can rely on server logs
2017-05-03 12:47:05 -04:00
bc5d5b7319
consistent logging
2017-05-03 12:45:22 -04:00
596ad2c8f7
Adhere to tainted status in salted accessor lookup
2017-05-03 12:36:10 -04:00
0553f7a8d1
change some logging output
2017-05-03 12:14:58 -04:00
c9bd54ad65
Less scary debugging
2017-05-03 11:15:59 -04:00
dd898ed2e1
Added summary logs to help better understand the consequence
2017-05-03 10:54:07 -04:00
537342f038
Fixing printf (and similar) issues ( #2666 )
2017-05-01 23:34:10 -04:00
72d05cd8dd
Refactor locking code in lease tidy; add ending debug statements
2017-04-27 16:22:19 -04:00
d8e91ef616
refactor lock handling in token tidy function
2017-04-27 13:48:29 -04:00
f9c1426ac8
Use an atomic lock for tidy operation in token store
2017-04-27 11:41:33 -04:00
749ec4fab1
Some more logging updates
2017-04-27 11:20:55 -04:00
d256248095
Fix logging suggestions; put the policyStore nil check back in
2017-04-27 10:56:19 -04:00
3fd019574d
Fix logging levels
2017-04-26 17:29:04 -04:00
7c3e20e9c5
Fix the log statements
2017-04-26 17:17:19 -04:00
9025ef16e4
Added logger to token store and logs to tidy function
2017-04-26 16:11:23 -04:00
5909d81b7b
Merge branch 'oss' into clean-stale-leases
2017-04-26 15:07:27 -04:00
4a4c981fb2
Update error message to distinguish tree revocation issue from non-tree
2017-04-26 14:06:45 -04:00
3ba162fea1
List should use a trailing slash
2017-04-21 15:37:43 -04:00
847c86f788
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
709389dd36
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
...
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
5a6193a56e
Audit: Add token's use count to audit response ( #2437 )
...
* audit: Added token_num_uses to audit response
* Fixed jsonx tests
* Revert logical auth to NumUses instead of TokenNumUses
* s/TokenNumUses/NumUses
* Audit: Add num uses to audit requests as well
* Added RemainingUses to distinguish NumUses in audit requests
2017-03-08 17:36:50 -05:00
f54ff0f842
Add locking where possible while doing auth/token/tidy
2017-03-07 16:06:05 -05:00
3d162b63cc
Use locks in a slice rather than a map, which is faster and makes things cleaner ( #2446 )
2017-03-07 11:21:32 -05:00
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
f37b6492d1
More rep porting ( #2391 )
...
* More rep porting
* Add a bit more porting
2017-02-16 23:09:39 -05:00
20c65b8300
Fix regression in 0.6.4 where token store roles could not properly wo… ( #2286 )
2017-01-18 16:11:25 -05:00
c9bd2a37f8
Don't sanitize disallowed_policies on token role
2017-01-17 21:34:14 -05:00
ba026aeaa1
TokenStore: Added tidy endpoint ( #2192 )
2016-12-16 15:29:27 -05:00
f6044764c0
Fix revocation of leases when num_uses goes to 0 ( #2190 )
2016-12-16 13:11:55 -05:00
8400b87473
Don't add default policy to child token if parent does not have it ( #2164 )
2016-12-16 00:36:39 -05:00
b45a481365
Wrapping enhancements ( #1927 )
2016-09-28 21:01:28 -07:00
57b21acabb
Added unit tests for token entry upgrade
2016-09-26 18:17:50 -04:00
af888573be
Handle upgrade of deprecated fields in token entry
2016-09-26 15:47:48 -04:00
328de60338
Description consistency
2016-08-29 15:53:11 -04:00
ac38863884
Add back token/accessor URL parameters but return a warning.
...
CC @sethvargo
2016-08-29 15:15:57 -04:00
9fee9ce8ff
Don't allow tokens in paths. ( #1783 )
2016-08-24 15:59:43 -04:00
01702415c2
Ensure we don't use a token entry period of 0 in role comparisons.
...
When we added support for generating periodic tokens for root/sudo in
auth/token/create we used the token entry's period value to store the
shortest period found to eventually populate the TTL. The problem was
that we then assumed later that this value would be populated for
periodic tokens, when it wouldn't have been in the upgrade case.
Instead, use a temp var to store the proper value to use; populate
te.Period only if actually given; and check that it's not zero before
comparing against role value during renew.
2016-08-16 16:47:46 -04:00
c1aa89363a
Make time logic a bit clearer
2016-08-16 16:29:07 -04:00
cdea4b3445
Add some tests and fix some bugs
2016-08-13 14:03:22 -04:00
de60702d76
Don't check the role period again as we've checked it earlier and it may be greater than the te Period
2016-08-13 13:21:56 -04:00
bcb4ab5422
Add periodic support for root/sudo tokens to auth/token/create
2016-08-12 21:14:12 -04:00
0f40fba40d
Don't allow a root token that expires to create one that doesn't
2016-08-09 20:32:40 -04:00
d7f6218869
Move checking non-assignable policies above the actual token creation
2016-08-08 16:44:29 -04:00
da615642f5
Merge pull request #1687 from hashicorp/token-store-update
...
Minor update to token-store
2016-08-08 10:25:05 -04:00
e783bfe7e1
Minor changes to test cases
2016-08-05 20:22:07 -04:00
405eb0075a
fix an error, tests still broken
2016-08-05 17:58:48 -04:00
82b3d136e6
Don't mark never-expiring root tokens as renewable
2016-08-05 11:15:25 -04:00
68d351c70c
addresses feedback, but tests broken
2016-08-05 10:04:02 -04:00
c626277632
initial commit for minor update to token-store
2016-08-03 14:32:17 -04:00
0b2098de2f
Merge pull request #1681 from hashicorp/disallowed-policies
...
Support disallowed_policies in token roles
2016-08-02 17:32:53 -04:00
e7cb3fd990
Addressed review feedback
2016-08-02 16:53:06 -04:00
4f45910dfc
disallowed_policies doc update
2016-08-02 16:33:22 -04:00
31b36fe2c2
Use duration helper to allow not specifying duration units
2016-08-02 15:12:45 -04:00
a936914101
Address review feedback and fix existing tests
2016-08-02 14:10:20 -04:00
a0c711d0cf
Added disallowed_policies to token roles
2016-08-02 10:33:50 -04:00
357f2d972f
Add some extra safety checking in accessor listing and update website
...
docs.
2016-08-01 13:12:06 -04:00
6546005487
Fix typo
2016-07-29 23:24:04 -04:00
e606aab6e0
oops, fix createAccessor
2016-07-29 18:23:55 -04:00
23ab63c78e
Add accessor list function to token store
2016-07-29 18:20:38 -04:00
7e29cf1cae
edits based on comments in PR
2016-07-25 09:46:10 -04:00
9ea1c8b801
initial commit for nonAssignablePolicies
2016-07-24 22:27:41 -04:00
331f229858
Added a cap of 256 for CreateLocks utility
2016-07-20 04:48:35 -04:00
50e8a189e9
Added helper to create locks
2016-07-19 21:37:28 -04:00
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
09720bbd8e
Fix picking wrong token lock
2016-06-27 11:17:08 -04:00
2b4b6559e3
Merge pull request #1504 from hashicorp/token-store-roles-renewability
...
Add renewable flag to token store roles
2016-06-08 15:56:54 -04:00
8a1bff7c11
Make out-of-bounds explicit max a cap+warning instead of an error
2016-06-08 15:25:17 -04:00
cf8f38bd4c
Add renewable flag to token store roles
2016-06-08 15:17:22 -04:00
65d8973864
Add explicit max TTL capability to token creation API
2016-06-08 14:49:48 -04:00
c0155ac02b
Add renewable flag and API setting for token creation
2016-06-08 11:14:30 -04:00
f8d70b64a0
Show renewable status for tokens in output
2016-06-01 17:30:31 -04:00
1e4834bd20
Remove addDefault param from ParsePolicies
2016-05-31 13:39:58 -04:00
49b4c83580
Adding default policies while creating tokens
2016-05-31 13:39:58 -04:00
c0e745dbfa
s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends
2016-05-26 10:21:03 -04:00
c4431a7e30
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors
2016-05-16 16:11:33 -04:00
4c67a739b9
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-16 12:14:40 -04:00
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
ce5614bf9b
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-11 19:29:52 -04:00
6ec1ca05c8
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 18:46:55 -04:00
aecc3ad824
Add explicit maximum TTLs to token store roles.
2016-05-11 16:51:18 -04:00
1b190c9c62
Don't check if numuses is -1 with a read lock, it shouldn't come in with that from lookup anyways
2016-05-02 15:31:28 -04:00
324bb9cfac
Use a 256-level mutex map instead of 4096, and optimize the case for tokens that are not limited use
2016-05-02 14:57:17 -04:00
2ebe49d3a1
Change UseToken mechanics.
...
Add locking around UseToken and Lookup. Have UseToken flag an entry that
needs to be revoked so that it can be done at the appropriate time, but
so that Lookup in the interm doesn't return a value.
The locking is a map of 4096 locks keyed off of the first three
characters of the token ID which should provide good distribution.
2016-05-02 03:44:24 -04:00
81da06de05
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 15:15:37 -04:00
98d09b0dc6
Add seal tests and update generate-root and others to handle dualseal.
2016-04-25 19:39:04 +00:00
ae2d000de4
Make period output nicer -- seconds rather than duration
2016-04-14 06:10:22 -04:00
1db6808912
Construct token path from request to fix displaying TTLs when using
...
create-orphan.
2016-04-07 15:45:38 +00:00
f2880561d1
Ensure we only use sysview's max if it's not zero. It never should be, but safety.
2016-04-07 15:27:14 +00:00
e3a1ee92b5
Utility Enhancements
2016-04-05 20:32:59 -04:00
7d20380c42
Merge pull request #1280 from hashicorp/remove-ts-revoke-prefix
...
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-04-01 09:48:52 -04:00
2b2541e13f
Merge pull request #1277 from hashicorp/suprious-revoke-timer-logs
...
Keep the expiration manager from keeping old token entries.
2016-03-31 20:16:31 -04:00
2fd02b8dca
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 18:04:05 -04:00
7442867d53
Check for auth/ in the path of the prefix for revoke-prefix in the token
...
store.
2016-03-31 16:21:56 -04:00
75650ec1ad
Keep the expiration manager from keeping old token entries.
...
The expiration manager would never be poked to remove token entries upon
token revocation, if that revocation was initiated in the token store
itself. It might have been to avoid deadlock, since during revocation of
tokens the expiration manager is called, which then calls back into the
token store, and so on.
This adds a way to skip that last call back into the token store if we
know that we're on the revocation path because we're in the middle of
revoking a token. That way the lease is cleaned up. This both prevents
log entries appearing for already-revoked tokens, and it also releases
timer/memory resources since we're not keeping the leases around.
2016-03-31 15:10:25 -04:00
ddce1efd0d
Two items:
...
1: Fix path check in core to handle renew paths from the token store
that aren't simply renew/
2: Use token policy logic if token store role policies are empty
2016-03-31 14:52:49 -04:00
3861c88211
Accept params both as part of URL or as part of http body
2016-03-14 19:14:36 -04:00
85a888d588
Enable token to be supplied in the body for lookup call
2016-03-14 18:56:00 -04:00
fa2ba47a5c
Merge branch 'master' into token-roles
2016-03-09 17:23:34 -05:00
0c4d5960a9
In-URL accessor for auth/token/lookup-accessor endpoint
2016-03-09 14:54:52 -05:00
2528ffbc18
Restore old regex expressions for token endpoints
2016-03-09 14:08:52 -05:00
f478cc57e0
fix all the broken tests
2016-03-09 13:45:36 -05:00
007142262f
Provide accessor to revove-accessor in the URL itself
2016-03-09 13:08:37 -05:00
2ecdde1781
Address final feedback
2016-03-09 11:59:54 -05:00
c4a2c5b56e
Added tests for 'sys/capabilities-accessor' endpoint
2016-03-09 11:29:09 -05:00
4785bec59d
Address review feedback
2016-03-09 11:07:13 -05:00
2e07f45bfa
Use role's allowed policies if none are given
2016-03-09 10:42:04 -05:00
926e7513d7
Added docs for /sys/capabilities-accessor
2016-03-09 09:48:32 -05:00
7407c27778
Add docs for new token endpoints
2016-03-09 09:31:09 -05:00
6a992272cd
New prefix for accessor indexes
2016-03-09 09:09:09 -05:00
151c932875
AccessorID --> Accessor, accessor_id --> accessor
2016-03-09 06:23:31 -05:00
913bbe7693
Error text corrections and minor refactoring
2016-03-08 22:27:24 -05:00
62777c9f7e
ErrUserInput --> StatusBadRequest
2016-03-08 21:47:24 -05:00
2737c81b39
Lay the foundation for returning proper HTTP status codes
2016-03-08 18:27:03 -05:00
8c6afea1d0
Implemented /auth/token/revoke-accessor in token_store
2016-03-08 18:07:27 -05:00
a7adab25bc
Implemented lookup-accessor as a token_store endpoint
2016-03-08 17:38:19 -05:00
f19ee68fdb
placeholders for revoke-accessor and lookup-accessor
2016-03-08 15:13:29 -05:00
a7c97fcd18
Clear the accessor index during revocation
2016-03-08 14:06:10 -05:00
c0fb69a8b1
Create indexing from Accessor ID to Token ID
2016-03-08 14:06:10 -05:00
301776012f
Introduced AccessorID in TokenEntry and returning it along with token
2016-03-08 14:06:10 -05:00
6b0f79f499
Address review feedback
2016-03-07 10:07:04 -05:00
cc1f5207b3
Merge branch 'master' into token-roles
2016-03-07 10:03:54 -05:00
da9152169b
changed response of expiration manager's renewtoken to logical.response
2016-03-04 14:56:51 -05:00
41dba5dd5d
Move descriptions into const block
2016-03-03 11:04:05 -05:00
Vishal Nayak