* agent: do not grap idLock writelock until caching entry
* agent: inflight cache using sync.Map
* agent: implement an inflight caching mechanism
* agent/lease: add lock for inflight cache to prevent simultaneous Set calls
* agent/lease: lock on a per-ID basis so unique requests can be processed independently
* agent/lease: add some concurrency tests
* test: use lease_id for uniqueness
* agent: remove env flags, add comments around locks
* agent: clean up test comment
* agent: clean up test comment
* agent: remove commented debug code
* agent/lease: word-smithing
* Update command/agent/cache/lease_cache.go
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* agent/lease: return the context error if the Done ch got closed
* agent/lease: fix data race in concurrency tests
* agent/lease: mockDelayProxier: return ctx.Err() if context got canceled
* agent/lease: remove unused inflightCacheLock
* agent/lease: test: bump context timeout to 3s
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Added flag to disable X-Vault-Token header proxy if client passes the token
* Reveresed the flag value to better match the name intent
* Introduced UseAutoAuthTokenRaw for Cache to support triplicate value of true/false/force
Co-authored-by: Clint <catsby@users.noreply.github.com>
* Sync up Agent and API's renewers.
This introduces a new type, LifetimeWatcher, which can handle both
renewable and non-renewable secrets, modeled after the version in Agent.
It allows the user to select behavior, with the new style being the
default when calling Start(), and old style if using the legacy Renew()
call.
No tests have been modified (except for reflect issues) and no other
code has been modified to make sure the changes are backwards
compatible.
Once this is accepted I'll pull the Agent version out.
* Move compat flags to NewRenewer
* Port agent to shared lifetime watcher lib
* Simplify Run(): the function that was being sent over a channel doesn't
need to close over anything except latestToken, and we don't need to
create a new one each iteration. Instead just pass the relevant items,
namely the token and sink to work on.
* Disallow the following config combinations:
1. auto_auth.method.wrap_ttl > 0 and multiple file sinks
2. auto_auth.method.wrap_ttl > 0 and single file sink with wrap_ttl > 0
3. auto_auth.method.wrap_ttl > 0 and cache.use_auto_auth_token = true
* Expose errors that occur when APIProxy is forwarding request to Vault.
* Fix merge issues.
* Listener refactoring and file system permissions
* added listenerutil and move some common code there
* Added test for verifying socket file permissions
* Change default port of agent to 8200
* address review feedback
* Address review feedback
* Read socket options from listener config
* agent/caching: proxy redirect and non-json responses; update tests
* agent/caching: do not wrap error responses as internal errors, simply proxy them back as-is
* minor refactoring of APIProxy.Send logic
* add test case to ensure error response is not wrapped
* agent/caching: enable caching of leases generated by autoauth token
* add test for auth/token/create path
* update error message log
* Some minor updates
* add sleep timer for renewal logic to process
* Properly compute auto-auth token
* Use inmem sink to track auto-auth token
* update debug statement
* Only add inmem sink if using auto-auth token is allowed
* vault-agent-cache: squashed 250+ commits
* Add proper token revocation validations to the tests
* Add more test cases
* Avoid leaking by not closing request/response bodies; add comments
* Fix revoke orphan use case; update tests
* Add CLI test for making request over unix socket
* agent/cache: remove namespace-related tests
* Strip-off the auto-auth token from the lookup response
* Output listener details along with configuration
* Add scheme to API address output
* leasecache: use IndexNameLease for prefix lease revocations
* Make CLI accept the fully qualified unix address
* export VAULT_AGENT_ADDR=unix://path/to/socket
* unix:/ to unix://