Commit graph

706 commits

Author SHA1 Message Date
Seth Vargo acd4241740
Drop cli and meta packages
This centralizes all command-related things in the command package
2017-10-24 09:27:19 -04:00
Seth Vargo 50705bcce7
Unwrap cli.Ui to get to the underlying writer
This allows us to write without a newline character, since the Ui
interface doesn't expose a direct Write() method.
2017-10-24 09:26:45 -04:00
Seth Vargo 0f2905fd7c
Only print default values if they are non-zero 2017-10-24 09:26:44 -04:00
Seth Vargo 5093b8dff8
More arbitrary function for wrapping at a length 2017-10-24 09:26:44 -04:00
Seth Vargo 9347c110f2
Delegate usage to the UI 2017-10-24 09:26:44 -04:00
Seth Vargo 6c73d28967
Make predict it's own struct
The previous architecture would create an API client many times, slowing down the CLI exponentially for each new command added.
2017-10-24 09:26:44 -04:00
Seth Vargo bd3064327c
Separate "files" and "folders" in predictor 2017-10-24 09:26:44 -04:00
Seth Vargo 2f3acd9068
Remove coupling between Raw() and UI 2017-10-24 09:26:44 -04:00
Seth Vargo cb31f95e75
Add testing harness for a vault cluster 2017-10-24 09:26:44 -04:00
Seth Vargo 9064d52e66
Output JSON with spaces not tabs 2017-10-24 09:26:44 -04:00
Seth Vargo cc0140be80
Add start of base command, flags, prediction 2017-10-24 09:26:44 -04:00
Jeff Mitchell 65f664be47 Make compile 2017-10-23 17:41:44 -04:00
Jeff Mitchell a25dae82dd Final sync 2017-10-23 17:39:21 -04:00
Jeff Mitchell 6bafb02a5b Sync up server.go a bit 2017-10-10 12:27:51 -04:00
Jeff Mitchell 17a15cd594 Add option to disable client certificate requesting. (#3373)
Fixes #3372
2017-09-25 14:41:46 -04:00
Calvin Leung Huang 29911bfea8 Add support for stored shares and skip-init in dev mode (#3364) 2017-09-21 15:23:29 -04:00
Vishal Nayak e99640f462 Add 'pid_file' config option (#3321)
* add pid_file config option

* address review feedback

* address review comments
2017-09-16 17:09:37 -04:00
Chris Hoffman 1029ad3b33 Rename "generic" secret backend to "kv" (#3292) 2017-09-15 09:02:29 -04:00
Chris Hoffman 9d73c81f38 Disable the sys/raw endpoint by default (#3329)
* disable raw endpoint by default

* adding docs

* config option raw -> raw_storage_endpoint

* docs updates

* adding listing on raw endpoint

* reworking tests for enabled raw endpoints

* root protecting base raw endpoint
2017-09-15 00:21:35 -04:00
Chris Hoffman 91338d7aa2 Adding latency injector option to -dev mode for storage operations (#3289) 2017-09-11 14:49:08 -04:00
Jeff Mitchell 223c4fc325 Change auth helper interface to api.Secret. (#3263)
This allows us to properly handle wrapped responses.

Fixes #3217
2017-08-31 16:57:00 -04:00
Calvin Leung Huang 6f417d39da Normalize plugin_name option for mount and enable-auth (#3202) 2017-08-31 12:16:59 -04:00
Jeff Mitchell 3edb337a00 Add option to set cluster TLS cipher suites. (#3228)
* Add option to set cluster TLS cipher suites.

Fixes #3227
2017-08-30 16:28:23 -04:00
Brian Kassouf 23089dafbc Add basic autocompletion (#3223)
* Add basic autocompletion

* Add autocomplete to some common commands

* Autocomplete the generate-root flags

* Add information about autocomplete to the docs
2017-08-24 15:23:40 -07:00
Doyoon Kim 3ffebb7780 Moved PROXY protocol wrap to execute before the TLS wrap (#3195) 2017-08-23 12:00:09 -04:00
Seth Vargo ec9e187ce4 Thread stderr through too (#3211)
* Thread stderr through too

* Small docs typo
2017-08-21 17:23:29 -04:00
Jeff Mitchell 654e7d92ac Properly lowercase policy names. (#3210)
Previously we lowercased names on ingress but not on lookup or delete
which could cause unexpected results. Now, just unilaterally lowercase
policy names on write and delete. On get, to avoid the performance hit
of always lowercasing when not necessary since it's in the critical
path, we have a minor optimization -- we check the LRU first before
normalizing. For tokens, because they're already normalized when adding
policies during creation, this should always work; it might just be
slower for API calls.

Fixes #3187
2017-08-18 19:47:23 -04:00
Seth Vargo 51d8e5ff86 Do not revoke SSH key (#3208)
There is no secret to revoke - this produces an error on the CLI
2017-08-18 15:44:20 -04:00
Seth Vargo 2e3a9ebd06
Add host key checking for SSH CA 2017-08-18 12:59:09 -04:00
Seth Vargo 89cffaf25e
Revoke temporary cred after creation, update warning
/cc @vishalnayak
2017-08-18 12:59:09 -04:00
Seth Vargo 430fc22023
Initial pass at SSH CLI CA type authentication
1. The current implementation of the SSH command is heavily tied to the
assumptions of OTP/dynamic key types. The SSH CA backend is
fundamentally a different approach to login and authentication. As a
result, there was some restructuring of existing methods to share more
code and state.

2. Each authentication method (ca, otp, dynamic) are now fully-contained
in their own handle* function.

3. -mode and -role are going to be required for SSH CA, and I don't
think the magical UX (and overhead) of guessing them is a good UX. It's
confusing as to which role and how Vault guesses. We can reduce 66% of
the API calls and add more declaration to the CLI by making -mode and
-role required. This commit adds warnings for that deprecation, but
these values are both required for CA type authentication.

4. The principal and extensions are currently fixed, and I personally
believe that's good enough for the first pass at this. Until we
understand what configuration options users will want, I think we should
ship with all the local extensions enabled. Users who don't want that
can generate the key themselves directly (current behavior) or submit
PRs to make the map of extensions customizable.

5. Host key checking for the CA backend is not currently implemented.
It's not strictly required at setup, so I need to think about whether it
belongs here.

This is not ready for merge, but it's ready for early review.
2017-08-18 12:59:08 -04:00
Calvin Leung Huang ea6a1382ff Improve auth-enable output for plugin backends (#3189)
* Improve auth-enable output for plugin backends

* Unquote authType on final output
2017-08-16 14:31:16 -04:00
Jeff Mitchell c34a5b2e93 * Add ability to specify a plugin dir in dev mode (#3184)
* Change (with backwards compatibility) sha_256 to sha256 for plugin
registration
2017-08-16 11:17:50 -04:00
Seth Vargo f8922bf674 Update help output (spaces instead of tabs) (#3178) 2017-08-15 21:21:30 -04:00
Seth Vargo c1e6e0bdf2 Use SSHPASS envvar instead of -p for sshpass (#3177)
From the sshpass manpage:

> The -p option should be considered the least secure of all of sshpass's options. All system users can see the password in the command line with a simple "ps" command. Sshpass makes a minimal attempt to hide the password, but such attempts are doomed to create race conditions without actually solving the problem. Users of sshpass are encouraged to use one of the other password passing techniques, which are all more secure.

This PR changes the sshpass behavior to execute a subprocess with the
SSHPASS envvar (which is generally regarded as more secure) than using
the -p option.
2017-08-15 19:43:39 -04:00
Jeff Mitchell fdaaaadee2 Migrate physical backends into separate packages (#3106) 2017-08-03 13:24:27 -04:00
Gobin Sougrakpam 8e01c994bf tls_client_ca_file option for verifying client (#3034) 2017-08-03 07:33:06 -04:00
Calvin Leung Huang db9d9e6415 Store original request path in WrapInfo (#3100)
* Store original request path in WrapInfo as CreationPath

* Add wrapping_token_creation_path to CLI output

* Add CreationPath to AuditResponseWrapInfo

* Fix tests

* Add and fix tests, update API docs with new sample responses
2017-08-02 18:28:58 -04:00
Jeff Mitchell 7e3ff5e56c Add PROXY protocol support (#3098) 2017-08-02 18:24:12 -04:00
Brian Kassouf e0713b307d Add Testing Interface to test helpers (#3091)
* Add testing interface

* Add vendored files
2017-08-01 11:07:08 -07:00
Jeff Mitchell d39d1b4003 Add some useful variable output to three node dev startup 2017-08-01 11:50:41 -04:00
Jeff Mitchell 1f36e2a846 Use 1-based indexing for unseal keys in three node dev cluster 2017-08-01 11:12:45 -04:00
Jeff Mitchell d0f329e124 Add leader cluster address to status/leader output. (#3061)
* Add leader cluster address to status/leader output. This helps in
identifying a particular node when all share the same redirect address.

Fixes #3042
2017-07-31 18:25:27 -04:00
Jeff Mitchell 1bfc6d4fe7 Add a -dev-three-node option for devs. (#3081) 2017-07-31 11:28:06 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Jeff Mitchell 76d1402a44 Add token-only. (#2971) 2017-07-12 15:04:34 -04:00
Jeff Mitchell d169918465 Create and persist human-friendly-ish mount accessors (#2918) 2017-06-26 18:14:36 +01:00
Jeff Mitchell d55d75a79f Convert listener arguments to map[string]interface{} (#2905)
This allows people to use more natural constructs, e.g. for tls_disable
it can be a bool, int, or string.
2017-06-22 20:29:53 +01:00
Jeff Mitchell 286392c2a2 Fix tests 2017-06-21 11:19:38 -04:00
Jeff Mitchell 069764ea8f Add option to have dev mode generic backend return leases 2017-06-21 10:42:50 -04:00
Chris Hoffman 7e7d766e21 Exclude /sys/leases/renew from registering with expiration manager (#2891)
* exclude /sys/leases/renew from registering with expiration manager

* adding sys/leases/renew to return full secret object, adding tests to catch renew errors
2017-06-20 12:34:00 -04:00
Jeff Mitchell cf7d56e8f3 Fix up CORS.
Ref #2021
2017-06-17 01:26:25 -04:00
Jeff Mitchell 33ca94773f Add DogStatsD metrics output. (#2883)
Fixes #2490
2017-06-16 23:51:46 -04:00
Jeff Mitchell fcc9f35c77 Add a no-store option to vault auth (#2809)
Fixes #2746
2017-06-05 16:36:28 -04:00
Jeff Mitchell 72a5b5e23b Fix tests 2017-05-25 09:00:49 -04:00
Jeff Mitchell 9d4801b1e8 Revert grpc back a version (they introduced a panic) and clean up a bunch of old request forwarding stuff 2017-05-24 10:38:48 -04:00
emily aa40d2cff6 add gofmt checks to Vault and format existing code (#2745) 2017-05-19 08:34:17 -04:00
Brian Kassouf 5ee0d696d4 Merge remote-tracking branch 'oss/master' into database-refactor 2017-05-04 10:45:18 -07:00
Jeff Mitchell ed24a1b5a5 Write always needs a path, even with force. (#2675)
Fixes #2674
2017-05-04 06:40:58 -04:00
Jeff Mitchell 3d939dbe50 Further Sethisize loglevel inputz 2017-04-25 11:14:25 -04:00
Jeff Mitchell 7283894f41 Sethisize log level 2017-04-25 11:12:38 -04:00
Brian Kassouf 6c8239ba03 Update the builtin keys; move catalog to core; protect against unset plugin directory 2017-04-24 10:30:33 -07:00
Brian Kassouf 6f9d178370 Calls to builtin plugins now go directly to the implementation instead of go-plugin 2017-04-20 18:46:41 -07:00
Brian Kassouf af9ff63e9a Merge remote-tracking branch 'oss/master' into database-refactor 2017-04-19 15:16:00 -07:00
Christoph Blecker c82e7a631c Add -self flag to token-revoke (#2596) 2017-04-17 12:40:51 -04:00
Brian Kassouf 8a3ef906d5 Update the plugin directory logic 2017-04-13 11:22:53 -07:00
Brian Kassouf 0cfe1ea81c Cleanup path files 2017-04-12 17:35:02 -07:00
Brian Kassouf 8ccf10641b Merge branch 'master' into database-refactor 2017-04-12 14:29:10 -07:00
Brian Kassouf 93136ea51e Add backend test 2017-04-07 15:50:03 -07:00
Brian Kassouf ca2c3d0c53 Refactor to use builtin plugins from an external repo 2017-04-05 16:20:31 -07:00
Brian Kassouf b071144c67 move builtin plugins list to the pluginutil 2017-04-05 11:00:13 -07:00
Brian Kassouf 11abcd52e6 Add a cli command to run builtin plugins 2017-04-04 17:12:02 -07:00
Brian Kassouf 0034074691 Execute builtin plugins 2017-04-04 14:43:39 -07:00
Jeff Mitchell a8d64c5721 Add some minor tweaks to the PR 2017-04-04 12:22:14 -04:00
Brian Kassouf e8781b6a2b Plugin catalog 2017-04-03 17:52:29 -07:00
Greg Parris ad9546104b Typo corrections and tweaks to commands' help info
* Normalize "X arguments expected" messages
* Use "Vault" when referring to the product and "vault" when referring to an instance of the product
* Various minor tweaks to improve readability and/or provide clarity
2017-03-25 12:51:12 -05:00
Jeff Mitchell 5d760d4090 Add option to require valid client certificates (#2457) 2017-03-08 10:21:31 -05:00
Jeff Mitchell f03d500808 Add option to disable caching per-backend. (#2455) 2017-03-08 09:20:09 -05:00
Jeff Mitchell b11f92ba5a Rename physical backend to storage and alias old value (#2456) 2017-03-08 09:17:00 -05:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell 2cc0906b33 Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 (#2412) 2017-02-27 12:49:35 -05:00
Sean Chittenden 42d1c28bf5
Change the default DisplayName for a Circonus check to be Vault instead of the InstanceID.
Trivial defaults change, committing direct to `master`.
2017-02-26 15:18:46 -08:00
Jeff Mitchell 3ab4a82e03 Don't try synthesizing cluster when not in dev mode 2017-02-24 12:50:26 -05:00
Jeff Mitchell b29861f7bb Do some porting to make diffing easier 2017-02-24 10:45:29 -05:00
Jeff Mitchell 37f3b2bafd Fix missing newline in status output 2017-02-17 11:23:20 -05:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell e0c9bfd926 Add WithOptions methods to audit/auth enabling (#2383) 2017-02-16 11:37:27 -05:00
Jeff Mitchell 388d8cd191 Correct port parsing. (#2354)
* Correct port parsing.

Fixes #2351

* use strings.Contains instead of strings.HasSuffix

* Make the error message point to the wrong input
2017-02-08 13:50:17 -05:00
Roman Vynar 1615280efa Added tls_cipher_suites, tls_prefer_server_ciphers config options to listener (#2293) 2017-01-23 13:48:35 -05:00
Vishal Nayak fa7d61baa3 Merge pull request #2202 from fcantournet/fix_govet_fatalf
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Jeff Mitchell 69eb5066dd Multi value test seal (#2281) 2017-01-17 15:43:10 -05:00
Jeff Mitchell dd0e44ca10 Add nonce to unseal to allow seeing if the operation has reset (#2276) 2017-01-17 11:47:06 -05:00
vishalnayak adb6ac749f init: pgp-keys input validations 2017-01-11 23:32:38 -05:00
Jeff Mitchell 3129187dc2 JWT wrapping tokens (#2172) 2017-01-04 16:44:03 -05:00
Cameron Stokes b5f4558b7a Fix generate-root help and progress output. 2017-01-04 09:01:17 -08:00
Félix Cantournet 103b7ceab2 all: test: Fix govet warnings
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Jeff Mitchell dc0f751994 Change an output to an error 2016-12-06 07:56:45 -05:00
Jeff Mitchell 7865143c1d Minor ports 2016-12-05 12:28:12 -05:00
Vishal Nayak ad09acb479 Use Vault client's scheme for auto discovery (#2146) 2016-12-02 11:24:57 -05:00
Jeff Mitchell 0f5b847748 Fix panic when unwrapping if the server EOFs 2016-11-29 16:50:07 -05:00