Armon Dadgar
4d0700d12f
vault: Guard against blank tokens
2015-03-18 13:21:16 -07:00
Armon Dadgar
ded5dc71e9
vault: First pass token store
2015-03-18 13:19:19 -07:00
Armon Dadgar
51ce336753
vault: Adding PolicyStore
2015-03-18 12:17:03 -07:00
Armon Dadgar
061b6b24f1
vault: Refactor to use CollectKeys
2015-03-18 12:06:18 -07:00
Mitchell Hashimoto
d9bff7b674
vault: TODOs
2015-03-17 20:54:38 -05:00
Mitchell Hashimoto
6f9d63dea5
vault: comment mounts mapping in rollback manager
2015-03-17 20:53:28 -05:00
Mitchell Hashimoto
05f86ca957
vault: put uint32 at top of struct to avoid alignment issues
2015-03-17 20:46:10 -05:00
Mitchell Hashimoto
97dab0c285
vault: ignore backends that don't support rollback
2015-03-17 20:39:45 -05:00
Mitchell Hashimoto
e078b957d4
vault: start/stop rollback manager post/pre seal
2015-03-17 20:39:45 -05:00
Mitchell Hashimoto
c7b9148841
vault: RollbackManager
...
There are some major TODO items here, and it isn't hooked into the core
yet, but the basic functionality is there.
2015-03-17 20:39:45 -05:00
Mitchell Hashimoto
abe0859aa5
vault: use RWMutex on MountTable itself
2015-03-17 20:39:45 -05:00
Armon Dadgar
99abc11ec5
vault: Adding ACL representation
2015-03-17 18:31:20 -07:00
Armon Dadgar
ddab671bf4
vault: Adding policy parsing
2015-03-17 15:53:29 -07:00
Armon Dadgar
46ccb81db4
vault: Respect grace period for revocation
2015-03-16 17:09:18 -07:00
Armon Dadgar
a24192b728
vault: Support sys/revoke-prefix/
2015-03-16 16:33:48 -07:00
Armon Dadgar
f08659aaaa
vault: Adding sys/revoke
2015-03-16 16:26:34 -07:00
Armon Dadgar
57b4f970d2
vault: Test renew of bad ID
2015-03-16 16:14:53 -07:00
Armon Dadgar
e52f1ee960
vault: Testing sys/renew
2015-03-16 16:11:55 -07:00
Armon Dadgar
15b7dc2d02
vault: integration expiration manager with core
2015-03-16 15:28:50 -07:00
Armon Dadgar
5f1e3e5986
vault: Testing restore
2015-03-16 15:11:47 -07:00
Armon Dadgar
703bcd8190
vault: Testing revoke and renew
2015-03-16 15:11:47 -07:00
Armon Dadgar
b203c27326
vault: testing internal expiration manager methods
2015-03-16 15:11:47 -07:00
Armon Dadgar
11552f132b
vault: testing expiration manager persistence
2015-03-16 15:11:46 -07:00
Armon Dadgar
e85cd66b30
all: Removing fields from Lease
2015-03-16 13:29:51 -07:00
Armon Dadgar
18069d4cf7
vault: Handle a negetive renew increment
2015-03-16 11:52:38 -07:00
Armon Dadgar
bdfa320e01
vault: First pass at expiration manager
2015-03-16 11:35:43 -07:00
Armon Dadgar
c8d00f6aa2
vault: Adding barrier view scan method
2015-03-16 11:35:43 -07:00
Mitchell Hashimoto
de1e28a77c
vault: change to /sys/mounts
2015-03-16 10:52:35 -07:00
Mitchell Hashimoto
e3a796028e
http: /v1/sys/mount endpoint
2015-03-16 10:36:43 -07:00
Mitchell Hashimoto
12b12e578c
vault: fix merge conflict + pass tests
2015-03-15 19:38:23 -07:00
Armon Dadgar
ca358f64dd
vault: Merge conflict
2015-03-15 18:06:19 -07:00
Armon Dadgar
b96ac9f95f
vault: Assign renew time
2015-03-15 18:05:31 -07:00
Mitchell Hashimoto
9f0d59d03f
vault: system using the framework
2015-03-15 17:35:59 -07:00
Mitchell Hashimoto
edd13a5d24
vault: passthrough backend uses logical/framework
2015-03-15 17:07:54 -07:00
Mitchell Hashimoto
d4f54be927
vault: can pass in the backends
2015-03-15 16:25:38 -07:00
Mitchell Hashimoto
ece0be434e
vault: rename SystemBackend2 to SystemBackend
2015-03-15 14:54:49 -07:00
Mitchell Hashimoto
d1d1929192
vault: convert to logical.Request and friends
2015-03-15 14:53:41 -07:00
Mitchell Hashimoto
5ffcd02b7a
vault: convert system to logical.Backend
2015-03-15 14:42:05 -07:00
Mitchell Hashimoto
c3ae1b59a1
vault: Passthrough backend uses logical.Backend
2015-03-15 14:27:06 -07:00
Mitchell Hashimoto
c7e901ce45
vault: incremental change to get closer to logical structs
2015-03-15 14:27:06 -07:00
Mitchell Hashimoto
63a9eb321a
logical: put structs here, vault uses them
2015-03-15 14:27:06 -07:00
Mitchell Hashimoto
92910d18d1
vault: make mount functions private again, going to try something else
2015-03-14 18:31:31 -07:00
Mitchell Hashimoto
9d84e7bacc
vault: don't copy the key so it can be zeroed, document, add helper
2015-03-14 18:25:55 -07:00
Mitchell Hashimoto
866b91d858
vault: public TestCoreUnsealed, don't modify key in Unseal
...
/cc @armon - I do a key copy within Unseal now. It tripped me up for
quite awhile that that method actually modifies the param in-place and I
can't think of any scenario that is good for the user. Do you see any
issues here?
2015-03-14 17:47:11 -07:00
Mitchell Hashimoto
b2af154fb4
vault: make Mount related core functions public
...
/cc @armon - So I know the conversation we had related to this about
auth, but I think we still need to export these and do auth only at the
external API layer. If you're writing to the internal API, then all bets
are off.
The reason is simply that if you have access to the code, you can
already work around it anyways (you can disable auth or w/e), so a
compromised Vault source/binary is already a failure, and that is the
only thing that our previous unexported methods were protecting against.
If you write an external tool to access a Vault, it still needs to be
unsealed so _that_ is the primary security mechanism from an API
perspective. Once it is unsealed then the core API has full access to
the Vault, and identity/auth is only done at the external API layer, not
at the internal API layer.
The benefits of this approach is that it lets us still treat the "sys"
mount specially but at least have sys adopt helper/backend and use that
machinery and it can still be the only backend which actually has a
reference to *vault.Core to do core things (a key difference). So, an
AWS backend still will never be able to muck with things it can't, but
we're explicitly giving Sys (via struct initialization in Go itself)
a reference to *vault.Core.
2015-03-14 17:26:59 -07:00
Mitchell Hashimoto
f43a0290cf
vault: public testing methods
2015-03-13 12:53:09 -07:00
Armon Dadgar
9d5db1286d
vault: Track the renew time
2015-03-13 11:36:24 -07:00
Armon Dadgar
081358091a
vault: improve seal/unseal log messages
2015-03-13 11:34:40 -07:00
Armon Dadgar
f0d00e77ec
vault: Adding start/stop to expiration manager
2015-03-13 11:31:43 -07:00
Armon Dadgar
d744d4ee5e
vault: integrate expiration manager with core setup/teardown
2015-03-13 11:20:36 -07:00
Armon Dadgar
d0380e553d
vault: Support a pre-seal teardown
2015-03-13 11:16:24 -07:00
Armon Dadgar
5ce63ea7cd
vault: Adding lease registration
2015-03-13 10:56:03 -07:00
Armon Dadgar
affeefa7f8
vault: Validate lease values
2015-03-13 10:56:03 -07:00
Armon Dadgar
e77ce26d31
vault: spec out expiration manager API
2015-03-12 18:38:22 -07:00
Armon Dadgar
15de847389
vault: Setup expiration manager on unseal
2015-03-12 12:44:30 -07:00
Armon Dadgar
6c759416d0
vault: special view path for system
2015-03-12 12:44:30 -07:00
Armon Dadgar
ef82fe04c6
vault: Support sub-views
2015-03-12 12:44:30 -07:00
Armon Dadgar
b17607e51f
vault: support remount
2015-03-12 12:09:30 -07:00
Armon Dadgar
3ed3e23d93
vault: Improve error when unseal key is wrong
2015-03-12 11:27:41 -07:00
Armon Dadgar
aa0ca02b8c
vault: sanity check key length
2015-03-12 11:20:38 -07:00
Mitchell Hashimoto
718065c733
vault: the config has to be exported
2015-03-12 10:22:12 -07:00
Armon Dadgar
11b76b064c
vault: Verify paths that are root
2015-03-11 18:47:15 -07:00
Armon Dadgar
67dc52f40f
vault: testing new system endpoints
2015-03-11 18:34:33 -07:00
Armon Dadgar
719eded495
vault: testing mount/unmount
2015-03-11 18:29:49 -07:00
Armon Dadgar
0ca093fb2d
vault: First pass at mount/unmount
2015-03-11 18:19:45 -07:00
Armon Dadgar
59052069bc
vault: Router can check for matching mounts
2015-03-11 18:19:45 -07:00
Armon Dadgar
91462a61a2
vault: Adding mounts table endpoint
2015-03-11 16:12:15 -07:00
Armon Dadgar
b212890043
vault: Setup the mount tables after load
2015-03-11 15:50:42 -07:00
Armon Dadgar
10afebabdd
vault: Moving generic backend into package
2015-03-11 15:50:42 -07:00
Armon Dadgar
c6009345d1
vault: Testing mount table setup
2015-03-11 15:33:25 -07:00
Armon Dadgar
f54e4e0f6a
vault: Loading mount tables on start
2015-03-11 15:19:41 -07:00
Armon Dadgar
370693ebb4
vault: Adding UUID method
2015-03-11 15:13:07 -07:00
Armon Dadgar
fdad9e9ce3
vault: Test routing while sealed
2015-03-11 14:31:55 -07:00
Armon Dadgar
a6508b4010
vault: Testing core unseal
2015-03-11 14:25:16 -07:00
Armon Dadgar
faa337dcbe
vault: Testing initialization
2015-03-11 11:57:05 -07:00
Armon Dadgar
8fdac427a7
vault: Test initialization simple
2015-03-11 11:52:01 -07:00
Armon Dadgar
6794e59e2b
vault: First pass at Unseal
2015-03-11 11:43:36 -07:00
Armon Dadgar
8c49152c78
vault: Support secret sharing
2015-03-11 11:34:08 -07:00
Armon Dadgar
53b4e3281a
vault: First pass at initialization
2015-03-09 17:45:34 -07:00
Armon Dadgar
da34cbb39a
vault: Adding core skeleton
2015-03-09 16:33:27 -07:00
Armon Dadgar
ff5834ddb4
vault: Adding mount type
2015-03-09 16:12:07 -07:00
Armon Dadgar
a453d8fbf8
vault: Adding router
2015-03-05 17:23:56 -08:00
Armon Dadgar
51cc19e92f
logical: Adding generic backend
2015-03-05 16:35:09 -08:00
Armon Dadgar
e997fd31ea
vault: more logical details
2015-03-05 15:31:40 -08:00
Armon Dadgar
0de1ac001f
vault: Skeleton logical backend interface
2015-03-05 15:24:00 -08:00
Armon Dadgar
a249149329
vault: Adding a barrier view
2015-03-05 14:34:05 -08:00
Armon Dadgar
9d2d0298ea
vault: Basic test for barrier confidentiality and integrity
2015-03-05 14:03:00 -08:00
Armon Dadgar
ea7f4a45e6
vault: Structure the barrier init file
2015-03-05 13:57:45 -08:00
Armon Dadgar
7326959d25
vault: Double Unseal should be a no-op
2015-03-05 13:29:23 -08:00
Armon Dadgar
e8abe8b0cd
vault: First pass at a barrier
2015-03-05 13:27:35 -08:00
Armon Dadgar
0cac63234a
vault: Adding utility methods
2015-03-05 11:44:03 -08:00