Commit graph

1429 commits

Author SHA1 Message Date
Jeff Mitchell a9b1d699d0 Make sys/wrapping/lookup unauthenticated. (#3084)
We still perform validation on the token, so if the call makes it
through to this endpoint it's got a valid token (either explicitly
specified in data or as the request token). But this allows
introspection for sanity/safety checking without revoking the token in
the process.
2017-07-31 16:16:16 -04:00
Jeff Mitchell 5074ccb9f3 Fix up tests 2017-07-31 15:31:44 -04:00
Jeff Mitchell 474f008b2d Clean up plugin tests with CA info 2017-07-31 15:09:19 -04:00
Jeff Mitchell 1b603b8e22 Validate opts is not nil in NewTestCluster 2017-07-31 12:13:29 -04:00
Jeff Mitchell 1bfc6d4fe7 Add a -dev-three-node option for devs. (#3081) 2017-07-31 11:28:06 -04:00
Jeff Mitchell 935b6d7b5c Fix error message formatting and response body 2017-07-27 11:44:56 -04:00
Jeff Mitchell 0a2ac3160d Recover during a request forward.
gRPC doesn't have a handler for recovering from a panic like a normal
HTTP request so a panic will actually kill Vault's listener. This
basically copies the net/http logic for managing this.

The SSH-specific logic is removed here as the underlying issue is caused
by the request forwarding mechanism.
2017-07-27 11:44:56 -04:00
Lars Lehtonen b851d88d68 fix swallowed error in vault package. (#2993) 2017-07-26 12:15:54 -04:00
Chris Hoffman b89114b011 root protect /sys/revoke-force/* (#2876) 2017-07-25 11:59:43 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Brian Kassouf b04e0a7a2a Dynamically load and invalidate the token store salt (#3021)
* Dynaically load and invalidate the token store salt

* Pass salt function into the router
2017-07-18 09:02:03 -07:00
Jeff Mitchell 96dbc98815 Add metrics counters for audit log failures (#3001)
Fixes #2863
2017-07-14 11:03:56 -04:00
Jeff Mitchell f3f4452334 Revert "Remove wrapping/wrap from default policy and add a note about guarantees (#2957)" (#3008)
This reverts commit b2d2459711d9cb7552daf1cc2330c07d31ef4f51.
2017-07-13 18:47:29 -04:00
Jeff Mitchell 2c6b7db279 Remove wrapping/wrap from default policy and add a note about guarantees (#2957) 2017-07-13 15:29:04 -07:00
Chris Hoffman d481e65c5a Cleaning up logical and auth unmount functions (#2994) 2017-07-13 10:57:14 -07:00
Chris Hoffman 6651f3aa33 checking for nil backends before attempting to rollback on a backend (#2997) 2017-07-12 13:12:55 -07:00
Chris Hoffman 8c179c246f Fixing reverse storage prefix lookup for auth entries (#2967)
* fixing reverse storage prefix for auth entries

* adding test
2017-07-04 14:00:36 -04:00
Lars Lehtonen d0a3f07b07 Stop Vault Package Tests From Swallowing Errors (#2960)
* Fix ignored error in TestAESGCMBarrier_MoveIntegrityV1().

* Fix ignored error in TestAESGCMBarrier_MoveIntegrityV2().

* Fix ignored err in TestExpiration_Tidy().

* Fix ignored error in TestSystemBackend_policyCRUD().
2017-07-04 13:58:28 -04:00
Jeff Mitchell 753b68fa1b Port TestCluster changes from proxy branch 2017-07-03 14:54:01 -04:00
vishalnayak 79b5d2f5bb fix token store tests 2017-07-01 16:06:15 -04:00
vishalnayak e0404d17e9 fix router tests 2017-06-30 22:06:17 -04:00
vishalnayak 3f9ec7a2e2 fix expiration tests 2017-06-30 21:31:27 -04:00
Jeff Mitchell e52ec0aacf Bring TestCluster_ListenForRequests port numbers in line with spread out ports from earlier change 2017-06-30 13:31:57 -04:00
Vishal Nayak 4b26425609 Input validation for router mount (#2942)
* Added input validation for router mount

* Add path and type in returned errors
2017-06-29 17:00:13 -04:00
Jeff Mitchell 034a1f91be Fix missed 10->100 conversion in tests 2017-06-29 01:45:48 -04:00
Jeff Mitchell 4502b649c6 Use more separation between test cluster ports for OSX' sake 2017-06-29 00:29:17 -04:00
Jeff Mitchell d169918465 Create and persist human-friendly-ish mount accessors (#2918) 2017-06-26 18:14:36 +01:00
Jeff Mitchell a71cb52f1b Don't allow overriding token ID with the same token ID (#2917)
Fixes #2916
2017-06-24 01:52:48 +01:00
Jeff Mitchell d55d75a79f Convert listener arguments to map[string]interface{} (#2905)
This allows people to use more natural constructs, e.g. for tls_disable
it can be a bool, int, or string.
2017-06-22 20:29:53 +01:00
Jeff Mitchell 286392c2a2 Fix tests 2017-06-21 11:19:38 -04:00
Jeff Mitchell c414a525d2 Fix panic when attempting to renew auth token via sys/leases/renew (#2901)
This could occur when using the lease ID; this is unsupported but wasn't
checking for the existence of a secret in the lease.
2017-06-21 16:00:39 +01:00
Jeff Mitchell 069764ea8f Add option to have dev mode generic backend return leases 2017-06-21 10:42:50 -04:00
Chris Hoffman 7e7d766e21 Exclude /sys/leases/renew from registering with expiration manager (#2891)
* exclude /sys/leases/renew from registering with expiration manager

* adding sys/leases/renew to return full secret object, adding tests to catch renew errors
2017-06-20 12:34:00 -04:00
Jeff Mitchell fade02bb43 Fix root paths test 2017-06-17 01:51:42 -04:00
Jeff Mitchell cf7d56e8f3 Fix up CORS.
Ref #2021
2017-06-17 01:26:25 -04:00
Aaron Salvo 0303f51b68 Cors headers (#2021) 2017-06-17 00:04:55 -04:00
Jeff Mitchell 43d7547235 Address review feedback 2017-06-16 23:54:49 -04:00
vishalnayak 186e4af95e Fix the test error message 2017-06-16 23:54:49 -04:00
vishalnayak 4fe7fc4ef9 Added utility on router to fetch mount entry using its ID 2017-06-16 23:54:49 -04:00
Jeff Mitchell ab5014534e Clone policy permissions and then use existing values rather than policy values for modifications (#2826)
Should fix #2804
2017-06-07 13:49:51 -04:00
Brian Rodgers e9b52ed928 Log auth info on permission denied due to ACL (#2754) 2017-06-05 18:04:31 -04:00
Jeff Mitchell 605d74d889 Don't try to clean up upgrades if we're sealed 2017-06-05 16:00:56 -04:00
Jeff Mitchell fb9029e3dd Log heartbeat stopping 2017-06-05 15:57:04 -04:00
Jeff Mitchell f7df60b131 Allow accessing Warnings directly in Response. (#2806)
A change in copystructure has caused some panics due to the custom copy
function. I'm more nervous about production panics than I am about
keeping some bad code wiping out some existing warnings, so remove the
custom copy function and just allow direct setting of Warnings.
2017-06-05 10:52:43 -04:00
Jeff Mitchell 88c0367fa6 Add grpc keepalives as a fallback option for our heartbeating 2017-05-26 13:32:13 -04:00
Vishal Nayak 3696c9b779 Input checks for policy rules (#2771)
* Input checks for policy rules

* Address review feedback
2017-05-26 10:48:41 -04:00
Jeff Mitchell 72a5b5e23b Fix tests 2017-05-25 09:00:49 -04:00
Jeff Mitchell df33f70df4 Heartbeat immediately upon connection 2017-05-24 21:45:51 -04:00
Jeff Mitchell 3d7db4248f Rename peer cluster cache 2017-05-24 21:10:32 -04:00
Jeff Mitchell 5c230c796b Add peer cluster address cache 2017-05-24 20:51:53 -04:00
Jeff Mitchell bbe27aaedf Add heartbeating and cluster address sharing to request forwarding (#2762) 2017-05-24 15:06:56 -04:00
Jeff Mitchell 9d4801b1e8 Revert grpc back a version (they introduced a panic) and clean up a bunch of old request forwarding stuff 2017-05-24 10:38:48 -04:00
Jeff Mitchell 0d4e7fba69 Remove non-gRPC request forwarding 2017-05-24 09:34:59 -04:00
Jeff Mitchell 7cc72a9066 Delay salt initialization for audit backends 2017-05-23 20:36:20 -04:00
emily aa40d2cff6 add gofmt checks to Vault and format existing code (#2745) 2017-05-19 08:34:17 -04:00
Jeff Mitchell 858deb9ca4 Don't allow parent references in file paths 2017-05-12 13:52:33 -04:00
Jeff Mitchell d25aa9fc21 Don't write salts in initialization, look up on demand (#2702) 2017-05-09 17:51:09 -04:00
Jeff Mitchell 76ca5fc377 Allow non-strings to be used to set ttl field in generic. (#2699) 2017-05-09 14:05:00 -04:00
Jeff Mitchell 5b3d80042e Fix mount test 2017-05-09 09:49:45 -04:00
Jeff Mitchell e3c8be72cc Fix local check on singleton required mounts 2017-05-09 08:36:10 -04:00
Jeff Mitchell e0c2b37c2a Add commenting to singletonMountTables 2017-05-08 13:39:18 -04:00
Jeff Mitchell f50d345fa3 Fix imports.
Closes #2688
2017-05-08 10:23:29 -04:00
Jeff Mitchell 726bd6f379 Don't load a required mount if in secondary mode, let sync invalidate do that 2017-05-05 19:40:26 -04:00
Jeff Mitchell 3aafb3270c Move singleton mount fetching function to mount.go and fix tests 2017-05-05 17:20:30 -04:00
Jeff Mitchell b53331d345 Add token to singleton mounts 2017-05-05 16:45:48 -04:00
Jeff Mitchell 6f6f242061 Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 15:01:52 -04:00
vishalnayak fa201f2505 auth/token/tidy log level update 2017-05-05 11:16:13 -04:00
Jeff Mitchell 55ef4f2566 Merge branch 'master-oss' into sys-tidy-leases 2017-05-05 10:53:41 -04:00
Jeff Mitchell b482043de1 Update debugging around tidy 2017-05-05 10:48:12 -04:00
Jeff Mitchell 91e790867f Address feedback 2017-05-05 10:26:40 -04:00
Brian Kassouf 2d6dfbf147 Don't store the plugin directory prepended command in the barrier, prepend on get 2017-05-04 12:36:06 -07:00
Brian Kassouf 5ee0d696d4 Merge remote-tracking branch 'oss/master' into database-refactor 2017-05-04 10:45:18 -07:00
Jeff Mitchell b568ea751b Move client token check in exp register to top 2017-05-04 12:45:57 -04:00
Jeff Mitchell abd63096f8 Update comments 2017-05-04 12:44:31 -04:00
vishalnayak 1a02f9be11 Fix up the tests 2017-05-04 12:41:15 -04:00
vishalnayak 5683430cb7 Update Tidy function comment 2017-05-04 12:11:00 -04:00
Jeff Mitchell d74b1b284a Update commenting 2017-05-04 11:54:57 -04:00
Jeff Mitchell 9a91700263 Move tidy-leases to leases/tidy 2017-05-04 09:40:11 -04:00
Jeff Mitchell f8295a301d Merge branch 'master-oss' into sys-tidy-leases 2017-05-04 09:37:52 -04:00
Chris Hoffman 3d9cf89ad6 Add the ability to view and list of leases metadata (#2650) 2017-05-03 22:03:42 -04:00
Jeff Mitchell 7250b3d01e Fix comment typo 2017-05-03 20:25:55 -04:00
Jeff Mitchell b7128f53a8 Add sys/leases/lookup and sys/leases/renew to the default policy 2017-05-03 20:22:16 -04:00
Jeff Mitchell 7f3891c734 Fix substitution of index/child in delete call 2017-05-03 15:09:13 -04:00
Jeff Mitchell 99884a8f13 Merge remote-tracking branch 'oss/master' into sys-tidy-leases 2017-05-03 15:02:42 -04:00
Jeff Mitchell 3b95e751c0 Add more cleanup if a lease fails to register and revoke tokens if registerauth fails 2017-05-03 14:29:57 -04:00
Jeff Mitchell bb6b5f7aa6 Add taint flag for looking up by accessor 2017-05-03 13:08:50 -04:00
vishalnayak a1a0c2950f logging updates 2017-05-03 12:58:10 -04:00
vishalnayak 6aa7f9b7c9 Added logs when deletion fails so we can rely on server logs 2017-05-03 12:47:05 -04:00
vishalnayak bc5d5b7319 consistent logging 2017-05-03 12:45:22 -04:00
Jeff Mitchell 596ad2c8f7 Adhere to tainted status in salted accessor lookup 2017-05-03 12:36:10 -04:00
Jeff Mitchell 5f18b1605a Two things:
1) Ensure that if we fail to generate a lease for a secret we attempt to revoke it

2) Ensure that any lease that is registered should never have a blank token

In theory, number 2 will let us a) find places where this *is* the case, and b) if errors are encountered when revoking tokens due to a blank client token, it suggests that the client token values are being stripped somewhere along the way, which is also instructive.
2017-05-03 12:17:09 -04:00
Jeff Mitchell 0553f7a8d1 change some logging output 2017-05-03 12:14:58 -04:00
Jeff Mitchell c9bd54ad65 Less scary debugging 2017-05-03 11:15:59 -04:00
vishalnayak dd898ed2e1 Added summary logs to help better understand the consequence 2017-05-03 10:54:07 -04:00
vishalnayak 9f682eb9cd Test to check that leases with valid tokens are not being cleaned up 2017-05-02 18:12:03 -04:00
vishalnayak 850cda7861 Added test to check the atomicity of the lease tidy operation 2017-05-02 18:06:59 -04:00
vishalnayak 875658531b Do not duplicate log lines for invalid leases 2017-05-02 17:56:15 -04:00
Brian Kassouf f644c34c5b Remove unused TestCoreUnsealedWithListener function 2017-05-02 14:52:48 -07:00
Brian Kassouf 5e0c03415b Don't need to explictly set redirectAddrs 2017-05-02 14:44:14 -07:00
Brian Kassouf 29d9b831d3 Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 14:40:11 -07:00
vishalnayak 403fd62c61 Check if multiple leases with same invalid token is getting cleaned up 2017-05-02 17:15:26 -04:00
vishalnayak 5f70576715 Added steps to check if invalid token is properly cleaned up 2017-05-02 17:11:35 -04:00
vishalnayak 668595b902 Added a test for tidying of empty token 2017-05-02 16:54:03 -04:00
vishalnayak 68635e8a1c Skip checking the validity of an empty client token 2017-05-02 16:53:41 -04:00
Ben Gadbois 537342f038 Fixing printf (and similar) issues (#2666) 2017-05-01 23:34:10 -04:00
vishalnayak 72d05cd8dd Refactor locking code in lease tidy; add ending debug statements 2017-04-27 16:22:19 -04:00
vishalnayak d8e91ef616 refactor lock handling in token tidy function 2017-04-27 13:48:29 -04:00
vishalnayak f9c1426ac8 Use an atomic lock for tidy operation in token store 2017-04-27 11:41:33 -04:00
vishalnayak ac8aae36fe Distinguish valid and invalid tokens using bool value in cache 2017-04-27 11:31:42 -04:00
vishalnayak 58967c0bbd Merge branch 'oss' into sys-tidy-leases 2017-04-27 11:23:48 -04:00
vishalnayak 749ec4fab1 Some more logging updates 2017-04-27 11:20:55 -04:00
vishalnayak e64ba93d54 Cache only valid tokens 2017-04-27 11:08:11 -04:00
vishalnayak d256248095 Fix logging suggestions; put the policyStore nil check back in 2017-04-27 10:56:19 -04:00
Chris Hoffman 1a60fede58 Updating revoke/renew to prefer PUT method (#2646) 2017-04-27 10:47:43 -04:00
Brian Kassouf 50c0d520e1 Fix revoke tree test 2017-04-26 16:26:48 -07:00
vishalnayak 3fd019574d Fix logging levels 2017-04-26 17:29:04 -04:00
vishalnayak 7c3e20e9c5 Fix the log statements 2017-04-26 17:17:19 -04:00
vishalnayak 671353810b Added caching of looked up tokens 2017-04-26 16:54:48 -04:00
vishalnayak 9025ef16e4 Added logger to token store and logs to tidy function 2017-04-26 16:11:23 -04:00
vishalnayak 27dd95156d Revoke lease that has empty token; added logs 2017-04-26 15:48:28 -04:00
vishalnayak b939d049e4 Added atomic lock to ensure a single tidy operation is in progress 2017-04-26 15:07:58 -04:00
vishalnayak 5909d81b7b Merge branch 'oss' into clean-stale-leases 2017-04-26 15:07:27 -04:00
Jeff Mitchell 4a4c981fb2 Update error message to distinguish tree revocation issue from non-tree 2017-04-26 14:06:45 -04:00
Brian Kassouf b52b410a47 Update test to reflect the correct read response 2017-04-24 21:24:19 -07:00
Brian Kassouf e4e61ec18c return a 404 when no plugin is found 2017-04-24 18:31:27 -07:00
Brian Kassouf cb1f1d418c Only run Abs on the plugin directory if it's set 2017-04-24 16:20:20 -07:00
Brian Kassouf 039bc19dd8 Fix test 2017-04-24 13:48:46 -07:00
Brian Kassouf 5ff317eb8d Update root paths test 2017-04-24 12:47:40 -07:00
Brian Kassouf ce9688ce8c Change MlockDisabled to MlockEnabled 2017-04-24 12:21:49 -07:00
Joel Thompson e06a78a474 Create unified aws auth backend (#2441)
* Rename builtin/credential/aws-ec2 to aws

The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.

* Expand aws-ec2 backend to more generic aws

This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.

* Add missing aws auth handler to CLI

This was omitted from the previous commit

* aws auth backend general variable name cleanup

Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.

* Update docs for the aws auth backend

* Refactor aws bind validation

* Fix env var override in aws backend test

Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.

* Update docs on use of IAM authentication profile

AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.

* Fix typo in aws auth cli help

* Respond to PR feedback

* More PR feedback

* Respond to additional PR feedback

* Address more feedback on aws auth PR

* Make aws auth_type immutable per role

* Address more aws auth PR feedback

* Address more iam auth PR feedback

* Rename aws-ec2.html.md to aws.html.md

Per PR feedback, to go along with new backend name.

* Add MountType to logical.Request

* Make default aws auth_type dependent upon MountType

When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.

* Pass MountPoint and MountType back up to the core

Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
Brian Kassouf 657d433330 Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 12:15:01 -07:00
Brian Kassouf c4e2ad74c5 Update path for the plugin catalog in logical system 2017-04-24 11:35:32 -07:00
Brian Kassouf 6c8239ba03 Update the builtin keys; move catalog to core; protect against unset plugin directory 2017-04-24 10:30:33 -07:00
Jeff Mitchell 3ba162fea1 List should use a trailing slash 2017-04-21 15:37:43 -04:00
Brian Kassouf 4d0aac963d Fix tests 2017-04-21 10:24:34 -07:00
Brian Kassouf 30b06b593c Fix tests 2017-04-21 09:10:26 -07:00
Brian Kassouf 6f9d178370 Calls to builtin plugins now go directly to the implementation instead of go-plugin 2017-04-20 18:46:41 -07:00
Brian Kassouf af9ff63e9a Merge remote-tracking branch 'oss/master' into database-refactor 2017-04-19 15:16:00 -07:00
Chris Hoffman 847c86f788 Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings (#2614) 2017-04-19 10:39:07 -04:00
Brian Kassouf 8ccf10641b Merge branch 'master' into database-refactor 2017-04-12 14:29:10 -07:00
Brian Kassouf 3cd5dd1839 Fix RootPaths test 2017-04-12 14:22:52 -07:00
Brian Kassouf 433004f75e Add test for logical_system plugin-catalog handling 2017-04-12 10:39:18 -07:00
Brian Kassouf c3724c6f17 Add path help and comments for plugin-catalog 2017-04-12 10:01:36 -07:00
Brian Kassouf faaeb09065 Add remaining crud functions to plugin catalog and tests 2017-04-12 09:40:54 -07:00
Brian Kassouf 8071aed758 Mlock the plugin process 2017-04-10 17:12:52 -07:00
Brian Kassouf db91a80540 Update plugin test 2017-04-10 14:12:28 -07:00
Brian Kassouf 93136ea51e Add backend test 2017-04-07 15:50:03 -07:00
Brian Kassouf ca2c3d0c53 Refactor to use builtin plugins from an external repo 2017-04-05 16:20:31 -07:00
Brian Kassouf b071144c67 move builtin plugins list to the pluginutil 2017-04-05 11:00:13 -07:00
Brian Kassouf 11abcd52e6 Add a cli command to run builtin plugins 2017-04-04 17:12:02 -07:00
Brian Kassouf 0034074691 Execute builtin plugins 2017-04-04 14:43:39 -07:00
Jeff Mitchell 709389dd36 Use ParseStringSlice on PKI organization/organizational unit. (#2561)
After, separately dedup and use new flag to not lowercase value.

Fixes #2555
2017-04-04 08:54:18 -07:00
Brian Kassouf e8781b6a2b Plugin catalog 2017-04-03 17:52:29 -07:00
Brian Kassouf 29ae4602dc More work on getting tests to pass 2017-03-23 15:54:15 -07:00
Brian Kassouf eb6117cbb2 Work on TLS communication over plugins 2017-03-15 17:14:48 -07:00
Vishal Nayak 5a6193a56e Audit: Add token's use count to audit response (#2437)
* audit: Added token_num_uses to audit response

* Fixed jsonx tests

* Revert logical auth to NumUses instead of TokenNumUses

* s/TokenNumUses/NumUses

* Audit: Add num uses to audit requests as well

* Added RemainingUses to distinguish NumUses in audit requests
2017-03-08 17:36:50 -05:00
Jeff Mitchell f03d500808 Add option to disable caching per-backend. (#2455) 2017-03-08 09:20:09 -05:00
vishalnayak f54ff0f842 Add locking where possible while doing auth/token/tidy 2017-03-07 16:06:05 -05:00
vishalnayak 3522b67e14 Added sys/tidy-leases endpoint 2017-03-07 15:50:17 -05:00
Jeff Mitchell 3d162b63cc Use locks in a slice rather than a map, which is faster and makes things cleaner (#2446) 2017-03-07 11:21:32 -05:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell 8462d945d3 Add some nil checks to mounting 2017-03-04 16:43:18 -05:00
Jeff Mitchell e7f418c903 Fix poison pill location 2017-03-04 10:21:27 -05:00
Brian Kassouf e62f5dbc31 Allowed/Denied parameters support for globs (#2438)
* Add check for globbed strings

* Add tests for the acl globbing

* Fix bad test case
2017-03-03 14:50:55 -08:00
Jeff Mitchell 25428971c8 Add poison pill 2017-03-03 15:05:25 -05:00
Vishal Nayak 491a56fe9f AppRole: Support restricted use tokens (#2435)
* approle: added token_num_uses to the role

* approle: added RUD tests for token_num_uses on role

* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
Jeff Mitchell a585f709d3 Understand local when persisting mount tables, to avoid invalidations when not necessary (#2427) 2017-03-02 14:37:59 -05:00
Jeff Mitchell bb05f2d8f8 Fix double-lock 2017-03-02 10:54:31 -05:00
Jeff Mitchell 31cddc43e1 Use own mutex for updating cluster parameters and fix leader UUID bug 2017-03-02 10:50:54 -05:00
Jeff Mitchell beb3067787 Add some trace level information about new cluster status 2017-03-02 10:21:35 -05:00
Jeff Mitchell 36c84df326 Large update to request forwarding handling. (#2426) 2017-03-02 10:03:49 -05:00
Jeff Mitchell 90389323a2 Some more forwarding client cleanup 2017-03-01 20:59:20 -05:00
Jeff Mitchell b1c2a930fe Clean up request forwarding logic 2017-03-01 18:17:06 -05:00
Brian Kassouf 259e686d4c Update TestSeal to ignore setting the config to nil 2017-03-01 14:10:06 -08:00
Jeff Mitchell 00cfaf7f64 Rejig signature of last remote wal 2017-03-01 12:42:10 -05:00
Jeff Mitchell 6ebb2cc958 Add last remote WAL bits 2017-03-01 12:40:36 -05:00
Jeff Mitchell f2282247ef Add seal cache purging back into postUnseal 2017-02-28 18:36:28 -05:00
Jeff Mitchell 09543dceeb Rejig core standby logic to check validity of barrier during active transition 2017-02-28 18:17:30 -05:00
Jeff Mitchell 7f0a99e8eb Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 14:42:00 -05:00
Jeff Mitchell 2cc0906b33 Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 (#2412) 2017-02-27 12:49:35 -05:00
Jeff Mitchell 8091a10c38 Make rollback attempts trace level instead of debug level 2017-02-27 09:41:56 -05:00
Jeff Mitchell b29861f7bb Do some porting to make diffing easier 2017-02-24 10:45:29 -05:00
Jeff Mitchell 4e045d000c Create upgrade path for cubbyhole's local status 2017-02-24 10:05:44 -05:00
Jeff Mitchell 0e1b1e33be Add comment around not allowing users to create JWT wrapping tokens 2017-02-22 11:13:40 -05:00
Brian Kassouf 9a9b89f16f Update confusing comment 2017-02-21 16:06:00 -08:00
Brian Kassouf dd5b541db6 Added test for the empty values array case 2017-02-21 16:02:00 -08:00
Brian Kassouf a25132cec4 On merge favor values that have additive privileges 2017-02-21 15:53:27 -08:00
Brian Kassouf 9ec8dd3d17 PR feedback 2017-02-21 15:02:39 -08:00
Brian Kassouf f992103615 Merge branch 'master' into acl-parameters-permission 2017-02-21 14:46:06 -08:00
Jeff Mitchell 496420a5ab Make cubbyhole local instead of replicated. (#2397)
This doesn't really change behavior, just what it looks like in the UX.
However, it does make tests more complicated. Most were fixed by adding
a sorting function, which is generally useful anyways.
2017-02-18 13:51:05 -05:00
Jeff Mitchell 4a966726e5 Make reindex a root path as well 2017-02-16 23:36:06 -05:00
Jeff Mitchell f3bee3550c Remove now-unnecessary stanza from default policy 2017-02-16 23:30:38 -05:00
Jeff Mitchell 674a0a48bf Fix rep path fetching method into a function 2017-02-16 23:23:21 -05:00
Jeff Mitchell f37b6492d1 More rep porting (#2391)
* More rep porting

* Add a bit more porting
2017-02-16 23:09:39 -05:00
Brian Kassouf 1c5264c66c ToLower parameter strings 2017-02-16 17:50:10 -08:00
Jeff Mitchell 494b4c844b More porting from rep (#2389)
* More porting from rep

* Address feedback
2017-02-16 20:13:19 -05:00
Brian Kassouf 07799f665d Simplify the merging of two policies 2017-02-16 16:30:08 -08:00
Brian Kassouf 7229bdfd38 Remove debug code 2017-02-16 16:14:30 -08:00
Brian Kassouf 136730cb01 Update logic to fix a few edge cases: 2017-02-16 15:20:11 -08:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell 0c39b613c8 Port some replication bits to OSS (#2386) 2017-02-16 15:15:02 -05:00
Jeff Mitchell 0a9a6d3343 Move ReplicationState to consts 2017-02-16 13:37:21 -05:00
Brian Kassouf 13ec9c5dbf Load leases into the expiration manager in parallel (#2370)
* Add a benchmark for exiration.Restore

* Add benchmarks for consul Restore functions

* Add a parallel version of expiration.Restore

* remove debug code

* Up the MaxIdleConnsPerHost

* Add tests for etcd

* Return errors and ensure go routines are exited

* Refactor inmem benchmark

* Add s3 bench and refactor a bit

* Few tweaks

* Fix race with waitgroup.Add()

* Fix waitgroup race condition

* Move wait above the info log

* Add helper/consts package to store consts that are needed in cyclic packages

* Remove not used benchmarks
2017-02-16 10:16:06 -08:00
Brian Kassouf 8d880f5181 Remove duplicate test case 2017-02-15 22:38:33 -08:00
Brian Kassouf f1d5b60b97 s/has/has been/ 2017-02-15 22:19:35 -08:00
Brian Kassouf c80593387c Remove unnecessary else condition 2017-02-15 22:18:20 -08:00
Brian Kassouf c9ae260cdf Merge branch 'acl-parameters-permission' of github.com:hashicorp/vault into acl-parameters-permission 2017-02-15 22:13:28 -08:00
Brian Kassouf 24d8710233 Fix the issue of returning on the first paramater check. Added tests for this case. 2017-02-15 22:13:18 -08:00
Jeff Mitchell 978772a47a Merge branch 'master-oss' into acl-parameters-permission 2017-02-16 00:46:40 -05:00
Jeff Mitchell e60b24431a Fix audit test and make audited headers more robust in map checks 2017-02-16 00:44:20 -05:00
Jeff Mitchell da9e62bc24 Remove "permissions" from ACL 2017-02-15 21:12:26 -05:00
Jeff Mitchell 51f7114648 Merge branch 'master-oss' into acl-parameters-permission 2017-02-15 20:37:58 -05:00
Jeff Mitchell acb7391b12 Compare headers case-insensitively for auditing
Fixes #2362
2017-02-15 20:35:35 -05:00
Jeff Mitchell 2fd59ad308 Merge branch 'master-oss' into acl-parameters-permission 2017-02-08 01:59:52 -05:00
Jeff Mitchell 4b2b28e085 Push test functions to a var for overriding 2017-02-07 20:44:31 -05:00
Jeff Mitchell f1cfb060f6 Remove errant unlock of state lock 2017-02-07 11:08:52 -05:00
Jeff Mitchell ddc977ba52 Add debug (#2341) 2017-02-06 18:30:13 -05:00
Jeff Mitchell 67f96bc64e Rejig check for HA/Sealed in Leader to check for sealed first. (#2342)
Fixes #2334
2017-02-06 18:29:56 -05:00
Brian Kassouf 8ef4bc32dd Update the help text for auditing headers (#2330)
* Update the help text for auditing headers

* Update help name
2017-02-03 10:08:31 -08:00
Jeff Mitchell 6c02e9357a Update protos 2017-02-02 16:20:32 -05:00
Brian Kassouf 6701ba8a10 Configure the request headers that are output to the audit log (#2321)
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited

* Remove some debug lines

* Add a persistant layer and refactor a bit

* update the api endpoints to be more restful

* Add comments and clean up a few functions

* Remove unneeded hash structure functionaility

* Fix existing tests

* Add tests

* Add test for Applying the header config

* Add Benchmark for the ApplyConfig method

* ResetTimer on the benchmark:

* Update the headers comment

* Add test for audit broker

* Use hyphens instead of camel case

* Add size paramater to the allocation of the result map

* Fix the tests for the audit broker

* PR feedback

* update the path and permissions on config/* paths

* Add docs file

* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
Jeff Mitchell 47274eca88 Add cleanup functions to multiple DB backends. (#2313)
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
Jeff Mitchell 67410ab230 Make TLS 1.2 *explicitly* required for cluster communications 2017-01-31 13:30:25 -05:00
Brian Kassouf 3c0de664a4 Fix keyring test 2017-01-24 12:58:14 -08:00
Jeff Mitchell 061bd6012d Fix keyring copypasta test failure 2017-01-24 14:00:13 -05:00
Jeff Mitchell 31ce37188b Fix keyring tests, working around Go nil timezone bug in DeepEqual
See https://github.com/golang/go/issues/10089
2017-01-24 12:33:28 -05:00
Jeff Mitchell 2c8d18ad8d Attempt to fix expiration test again 2017-01-24 11:17:48 -05:00
Jeff Mitchell b0f741d4a1 Add some extra lease debugging to try to figure out Travis timezone issue 2017-01-24 10:48:11 -05:00
Jeff Mitchell d75b5f01ec Use the same time object in the serialization test 2017-01-24 10:32:40 -05:00
Jeff Mitchell 77bc6fa481 Use time.Now rather than using time as a struct 2017-01-24 10:21:41 -05:00
Jeff Mitchell 43acbea6a9 Add some newlines to a failing test to make it easier to spot differences 2017-01-23 14:08:29 -05:00
Brian Kassouf 7ec19459a7 Remove extra comments 2017-01-20 11:38:40 -08:00
Brian Kassouf df800198e0 Remove some extra comments 2017-01-20 11:32:58 -08:00
Brian Kassouf e1424c631e Add logic to merge the two arrays and refactor the test around merging 2017-01-20 11:16:46 -08:00
Brian Kassouf 090736d4df Clean up logic a bit and add some comments 2017-01-19 18:41:15 -08:00
Brian Kassouf 37f393ff94 Remove unneeded comment block 2017-01-19 18:18:06 -08:00
Brian Kassouf 1580296ae5 Update tests to check parsing of types 2017-01-19 18:13:39 -08:00
Brian Kassouf 5ccb3e052b Add tests for boolean values 2017-01-19 17:41:02 -08:00
Brian Kassouf 68a1780052 Format dynamic_system_view.go 2017-01-19 16:54:08 -08:00
Brian Kassouf f3870061ee fix some of the tests and rename allowed/dissallowed paramaters 2017-01-19 16:40:19 -08:00
Brian Kassouf 25b49b8bae Add test cases for map and integer types 2017-01-18 17:11:25 -08:00
Jeff Mitchell 20c65b8300 Fix regression in 0.6.4 where token store roles could not properly wo… (#2286) 2017-01-18 16:11:25 -05:00
vishalnayak c9bd2a37f8 Don't sanitize disallowed_policies on token role 2017-01-17 21:34:14 -05:00
Brian Kassouf be10ef9d42 Use deepequals and write tests for the allow/disallow values 2017-01-17 16:40:21 -08:00
Vishal Nayak fa7d61baa3 Merge pull request #2202 from fcantournet/fix_govet_fatalf
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Jeff Mitchell 69eb5066dd Multi value test seal (#2281) 2017-01-17 15:43:10 -05:00
Jeff Mitchell 2052e406d2 Move router mount back below table persistence 2017-01-17 15:15:28 -05:00
Jeff Mitchell 8e62acbd59 Sync the locking behavior between logical/auth backend (#2280) 2017-01-17 13:02:29 -05:00
Jeff Mitchell dd0e44ca10 Add nonce to unseal to allow seeing if the operation has reset (#2276) 2017-01-17 11:47:06 -05:00
Brian Kassouf 1d3cae860b Start to check the values with allowed/dissallowed lists in policy. 2017-01-16 17:48:22 -08:00
Brian Kassouf ae116ada25 Merge branch 'master' into acl-parameters-permission 2017-01-13 16:44:10 -08:00
Brian Kassouf 3d47e5ebc7 add initialize method to noopbackend 2017-01-13 13:12:27 -08:00
Jeff Mitchell 252e1f1e84 Port over some work to make the system views a bit nicer 2017-01-13 14:51:27 -05:00
Jeff Mitchell d869c0d6a6 Rejig IsPrimary again 2017-01-12 15:59:00 -05:00
Jeff Mitchell ec4f069da4 Fix building some test code without build tags 2017-01-12 15:21:47 -05:00
Jeff Mitchell 32f9ccb6c8 Rejig dynamic system view to build without tags 2017-01-12 15:13:47 -05:00
Vishal Nayak 00ffd80fcd Merge pull request #2236 from hashicorp/pgp-keys-check
rekey: added check to ensure that length of PGP keys and the shares are matching
2017-01-12 11:19:08 -05:00
vishalnayak daacf23c38 rekey: remove the check from vault/rekey.go in favor of check in http layer 2017-01-12 00:07:49 -05:00
vishalnayak adb6ac749f init: pgp-keys input validations 2017-01-11 23:32:38 -05:00
vishalnayak 0778a2eba7 core: adding error server logs for failure to update mount table 2017-01-11 20:21:34 -05:00
vishalnayak bf6aa296b3 rekey: added check to ensure that length of PGP keys and the shares are matching 2017-01-11 13:29:10 -05:00
Jeff Mitchell 9923c753d0 Set c.standby true in non-HA context. (#2259)
This value is the key for some checks in core logic. In a non-HA
environment, if the core was sealed it would never be set back to true.
2017-01-11 11:13:09 -05:00
Vishal Nayak 7367158a2a Merge pull request #2252 from hashicorp/mountentry-clone
Adding Tainted to MountEntry.Clone
2017-01-10 10:28:13 -05:00
vishalnayak 28c3f4a192 Adding Tainted to MountEntry.Clone 2017-01-10 08:32:33 -05:00
Jeff Mitchell bb32853fcd Fix up exclusion rules for dynamic system view IsPrimary 2017-01-07 18:31:43 -05:00
Jeff Mitchell 9d89aae00c Fix up invalidations in noopbackend 2017-01-07 18:22:34 -05:00
Armon Dadgar c37d17ed47 Adding interface methods to logical.Backend for parity (#2242) 2017-01-07 18:18:22 -05:00
Jeff Mitchell 336dfed5c3 Rename gRPC request forwarding method 2017-01-06 17:08:43 -05:00
Jeff Mitchell 681e36c4af Split Unseal into Unseal and unsealInternal 2017-01-06 16:30:43 -05:00
Jeff Mitchell 9e5d1eaac9 Port some updates 2017-01-06 15:42:18 -05:00
Jeff Mitchell 64fc18e523 When a JWT wrapping token is returned, audit the inner token both for
request and response. This makes it far easier to properly check
validity elsewhere in Vault because we simply replace the request client
token with the inner value.
2017-01-04 23:50:24 -05:00
vishalnayak 066038bebd Fixed return types 2017-01-04 16:58:25 -05:00
Jeff Mitchell 0391475c70 Add read locks to LookupToken/ValidateWrappingToken (#2232) 2017-01-04 16:52:03 -05:00
Jeff Mitchell 3129187dc2 JWT wrapping tokens (#2172) 2017-01-04 16:44:03 -05:00
vishalnayak d70fb45fbb Removed unused methods 2017-01-03 12:51:35 -05:00
Félix Cantournet 103b7ceab2 all: test: Fix govet warnings
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Jeff Mitchell 9f60e9f88d Add tidy expiration test 2016-12-16 17:04:28 -05:00
vishalnayak bae84e3864 TokenStore: Make the testcase dangle 100 accessors and let it tidy up 2016-12-16 15:41:41 -05:00
Vishal Nayak ba026aeaa1 TokenStore: Added tidy endpoint (#2192) 2016-12-16 15:29:27 -05:00
Jeff Mitchell f6044764c0 Fix revocation of leases when num_uses goes to 0 (#2190) 2016-12-16 13:11:55 -05:00
Vishal Nayak 8400b87473 Don't add default policy to child token if parent does not have it (#2164) 2016-12-16 00:36:39 -05:00
Vishal Nayak e3f56f375c Add 'no-store' response header from all the API outlets (#2183) 2016-12-15 17:53:07 -05:00
mwoolsey 907e735541 Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow. 2016-12-06 18:14:15 -08:00
mwoolsey c27817aba3 Merge branch 'master' of https://github.com/hashicorp/vault 2016-12-06 16:09:32 -08:00
Jeff Mitchell 7865143c1d Minor ports 2016-12-05 12:28:12 -05:00
Jeff Mitchell 710e8f2d4c Change Vault audit broker logic to successfully start when at least one (#2155)
backend is successfully loaded.

Fixes #2083
2016-12-02 15:09:01 -05:00
Thomas Soëte 90b392c7fc Fix panic() in test suite (#2149)
As `base` could be nil, move check in `if base != nil`
2016-12-02 06:31:06 -05:00
Jeff Mitchell 49284031c6 Respect logger in TestCluster 2016-12-01 15:25:10 -05:00
mwoolsey 3e72e50fa5 Merge remote-tracking branch 'upstream/master' 2016-11-20 18:31:55 -08:00
Jeff Mitchell ee29b329fb Bump proto files after update 2016-11-17 10:06:26 -05:00
Jeff Mitchell e84a015487 Add extra logic around listener handling. (#2089) 2016-11-11 16:43:33 -05:00
Jeff Mitchell 6c1d2ffea9 Allow wrapping to be specified by backends, and take the lesser of the request/response times (#2088) 2016-11-11 15:12:11 -05:00
Jeff Mitchell 168d6e1a3d Fix other clustering tests on OSX 2016-11-08 10:55:41 -05:00
Jeff Mitchell e381c189e4 Fix cluster testing on OSX; see the inline comment for details 2016-11-08 10:31:35 -05:00
Jeff Mitchell 86edada67c Show the listener address when it's created for the cluster in the log 2016-11-08 10:31:15 -05:00
Jeff Mitchell 6f86e664a8 use a const for cluster test pause period 2016-11-08 10:30:44 -05:00
lemondrank c63d9e9f24 added AllowOperation tests 2016-11-07 12:28:41 -08:00
ChaseLEngel a847caa4ae Moved Operations out of test cases variable. 2016-11-07 12:08:17 -08:00
ChaseLEngel e349d64dbc Finished merge testing. 2016-11-06 15:16:08 -08:00
mwoolsey 42e0ecb0b8 narrowed the problem to: the Permissions struct in the TestPolicyMerge method is not being initialized 2016-11-06 13:38:25 -08:00