Jeff Mitchell
4e53f4b1a4
Use UseNumber() on json.Decoder to have numbers be json.Number objects
...
instead of float64. This fixes some display bugs.
2016-04-20 18:38:20 +00:00
Jeff Mitchell
055a8e04e4
Change recovery options in init to be 'key'-less
2016-04-18 17:02:07 +00:00
Jeff Mitchell
b4620d5d04
Add check against seal type to catch errors before we attempt to use the data
2016-04-15 18:16:48 -04:00
Sean Chittenden
069d9cf021
Fix SIGINT handling.
...
No signal handler was setup to receive SIGINT. I didn't investigate to
see if signal(2) mask was setup (ala `SIG_IGN`) or if sigprocmask(2) is
being used, but in either case, the correct behavior is to capture and
treat SIGINT the same as SIGTERM. At some point in the future these two
signals may affect the running process differently, but we will clarify
that difference in the future.
2016-04-15 10:03:22 -07:00
Jeff Mitchell
119238149b
Add Finalize method to seal.
2016-04-14 20:37:34 +00:00
vishalnayak
5c336297ad
Provide clarity for output statements of idempotent calls.
2016-04-14 15:46:45 +00:00
vishalnayak
b7178846c1
Clarify token-revoke operation
2016-04-14 15:34:01 +00:00
Seth Vargo
54c414abb2
Clarify delete operation
...
One thing that has been a point of confusion for users is Vault's
response when deleting a key that does not actually exist in the system.
For example, consider:
$ vault delete secret/foo
Success! Deleted 'secret/foo'
This message is misleading if the secret does not exist, especially if
the same command is run twice in a row.
Obviously the reason for this is clear - returning an error if a secret
does not exist would reveal the existence of a secret (the same reason
everything on S3 is a 403 or why GitHub repos 404 instead of 403 if you
do not have permission to view them).
I think we can make the UX a little bit better by adding just a few
words to the output:
$ vault delete secret/foo
Success! Deleted 'secret/foo' if it existed
This makes it clear that the operation was only performed if the secret
existed, but it does not reveal any more information.
2016-04-14 10:38:10 +01:00
Jeff Mitchell
a4ff72841e
Check for seal status when initing and change logic order to avoid defer
2016-04-14 01:13:59 +00:00
Seth Vargo
217035d081
Hint that you don't need to run auth twice
...
This came up twice, in two different training courses. The UX is a
little confusing here on the CLI. Users are used to running:
$ vault auth abcd-1234...
So when they auth using a method, the output leads them to believe the
need to "re-auth" as the generated token:
$ vault auth -method=userpass username=foo password=bar
Successfully authenticated!
token: defg-5678...
A number of users then run:
$ vault auth defg-5678
I've added some helpful text to hint this is not required if the method
is not "token".
2016-04-13 19:45:48 +01:00
Jeff Mitchell
759915bb55
Fix panic when using -field with read or write with a non-string value.
...
Fixes #1308
2016-04-07 22:16:33 +00:00
Sean Chittenden
58846f8eac
Reinstall the mlockall(2) command
...
Requested by: jefferai
2016-04-05 13:58:26 -07:00
Sean Chittenden
47c3202811
Unconditionally warn on systems w/o mlock support
...
If someone begins using Vault on Windows in dev mode, always hint so that this isn't a surprise when they get to production.
2016-04-05 12:32:53 -07:00
Jeff Mitchell
348be0e50b
Remove RevokePrefix from the API too as we simply do not support it any
...
longer.
2016-04-05 11:00:12 -04:00
Jeff Mitchell
9102b994aa
Sync some seal stuff
2016-04-04 13:46:33 -04:00
Jeff Mitchell
afae46feb7
SealInterface
2016-04-04 10:44:22 -04:00
Jeff Mitchell
1b7335cf4e
Fix up the meta common options text function to not strip leading space and fix up commands
2016-04-01 16:50:12 -04:00
Jeff Mitchell
b0888e8af1
Remove config from Meta; it's only used right now with the token helper.
2016-04-01 16:02:18 -04:00
Jeff Mitchell
a137081241
Move token helper out of meta
2016-04-01 14:23:15 -04:00
Jeff Mitchell
133d9c1008
Move meta into its own package
2016-04-01 13:16:05 -04:00
Jeff Mitchell
1be69ae235
Sort infokeys on startup and add more padding
2016-03-30 12:31:47 -04:00
Jeff Mitchell
528b25c5f4
Merge HA Backend objects
2016-03-21 16:56:13 -04:00
vishalnayak
119fa1653b
Restore the previous valid token if token authentication fails
2016-03-18 14:43:16 -04:00
Pradeep Chhetri
6d7cbc890d
Fix Typo
2016-03-18 14:06:49 +00:00
Jeff Mitchell
3dbac2e2cb
Add -field
and -format
to write command.
...
Fixes #1186
2016-03-17 14:57:30 -04:00
Vishal Nayak
7db7b47fdd
Merge pull request #1210 from hashicorp/audit-id-path
...
Rename id to path and path to file_path, print audit backend paths
2016-03-15 20:13:21 -04:00
vishalnayak
71fc07833f
Rename id to path and path to file_path, print audit backend paths
2016-03-14 17:15:07 -04:00
Jeff Mitchell
0e3764832a
Add test for listener reloading, and update website docs.
2016-03-14 14:05:47 -04:00
Jeff Mitchell
b3218d26d6
Properly scope config objects for reloading
2016-03-14 11:18:02 -04:00
Jeff Mitchell
84af6ec8ac
Don't generate an ID; use address for the ID. Generally speaking we'll need to sane against what's in the config
2016-03-11 17:28:03 -05:00
Jeff Mitchell
996c584192
Don't inline factory
2016-03-11 17:02:44 -05:00
Jeff Mitchell
9ce1be3b00
For not shutdown triggered...
2016-03-11 17:01:26 -05:00
Jeff Mitchell
d75ce9de9b
Retool to have reloading logic run in command/server
2016-03-11 16:47:03 -05:00
Jeff Mitchell
c6066af4c1
Add tests. This actually adds the initial tests for the TLS listener,
...
then layers reloading tests on top.
2016-03-11 14:05:52 -05:00
Jeff Mitchell
baf0763b3c
Add reload capability for Vault listener certs. No tests (other than
...
manual) yet, and no documentation yet.
2016-03-11 14:05:52 -05:00
Vishal Nayak
c70b4bbbb2
Merge pull request #1201 from hashicorp/accessor-cli-flags
...
Accessor CLI flags
2016-03-11 09:55:45 -05:00
vishalnayak
9659e3d148
Added test for token-revoke accessor flag
2016-03-10 21:38:27 -05:00
vishalnayak
0486fa1a3a
Added accessor flag to token-revoke CLI
2016-03-10 21:21:20 -05:00
vishalnayak
266af2a5e2
Added test for token-lookup accessor flag
2016-03-10 21:21:20 -05:00
vishalnayak
ed8a096596
Add accessor flag to token-lookup command and add lookup-accessor client API
2016-03-10 21:21:20 -05:00
Seth Vargo
30c8204da6
Remove log statement
2016-03-10 17:48:34 -05:00
Seth Vargo
68170d770a
Add missing fixture
2016-03-10 17:40:40 -05:00
Seth Vargo
b207fc403c
Fix failing config test
2016-03-10 17:36:10 -05:00
Seth Vargo
0adab4182f
Fix test fixtures
2016-03-10 16:51:08 -05:00
Seth Vargo
6739804118
Fix failing policy-write integration test
...
This was a flawed test. Previously the test passed in a fixture that
corresponded to a CLI config file, not an actual policy. The test
_should_ have been failing, but it wasn't. This commit adds a new
fixture.
2016-03-10 15:45:49 -05:00
Seth Vargo
b817b60183
Parse HCL keys in command config
2016-03-10 15:25:25 -05:00
Seth Vargo
f916ed349d
Print errors on extra keys in server config
...
This does NOT apply to the backend config, since each backend config
could have a variation of options that differ based off of the
configured backend itself. This may be an optimization that can be made
in the future, but I think each backend should be responsible for
performing its own configuration validation instead of overloading the
config itself with this functionality.
2016-03-10 15:25:25 -05:00
Jeff Mitchell
fa2ba47a5c
Merge branch 'master' into token-roles
2016-03-09 17:23:34 -05:00
Jeff Mitchell
6df72e6efd
Merge pull request #1168 from hashicorp/revoke-force
...
Add forced revocation.
2016-03-09 16:59:52 -05:00
vishalnayak
151c932875
AccessorID --> Accessor, accessor_id --> accessor
2016-03-09 06:23:31 -05:00
vishalnayak
301776012f
Introduced AccessorID in TokenEntry and returning it along with token
2016-03-08 14:06:10 -05:00
vishalnayak
3b463c2d4e
use errwrap to check the type of error message, fix typos
2016-03-07 18:36:26 -05:00
Jeff Mitchell
cc1f5207b3
Merge branch 'master' into token-roles
2016-03-07 10:03:54 -05:00
vishalnayak
73943546c3
Documentation for capabilities and capabilities-self APIs
2016-03-07 06:13:56 -05:00
vishalnayak
aab24113b0
test cases for capabilities endpoint
2016-03-05 00:03:55 -05:00
vishalnayak
9946a2d8b5
refactoring changes due to acl.Capabilities
2016-03-04 18:55:48 -05:00
vishalnayak
7fe871e60a
Removing the 'Message' field
2016-03-04 10:36:03 -05:00
vishalnayak
3730e095ac
testcase changes
2016-03-04 10:36:03 -05:00
vishalnayak
b67ab8ab7c
Test files for capabilities endpoint
2016-03-04 10:36:03 -05:00
vishalnayak
816f1f8631
self review rework
2016-03-04 10:36:03 -05:00
vishalnayak
286e63a648
Handled root token use case
2016-03-04 10:36:03 -05:00
vishalnayak
07f9486ecb
Added capabilities and capabilities-self endpoints to http muxer
2016-03-04 10:36:03 -05:00
vishalnayak
5749a6718c
Added sys/capabililties endpoint
2016-03-04 10:36:02 -05:00
Jeff Mitchell
0998e1cdf9
Update help text exporting dev mode listen address.
...
Ping #1160
2016-03-03 18:10:14 -05:00
Jeff Mitchell
3e7bca82a1
Merge pull request #1146 from hashicorp/step-down
...
Provide 'sys/step-down' and 'vault step-down'
2016-03-03 12:30:08 -05:00
Jeff Mitchell
69c853fd2f
Add the ability to specify dev mode address via CLI flag and envvar.
...
Fixes #1160
2016-03-03 10:48:52 -05:00
Jeff Mitchell
750b33c51b
Add ability to control dev root token id with
...
VAULT_DEV_ROOT_TOKEN_ID env var, and change the CLI flag to match.
Ping #1160
2016-03-03 10:24:44 -05:00
Jeff Mitchell
cd86226845
Add forced revocation.
...
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.
This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.
Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.
Fixes #1135
2016-03-03 10:13:59 -05:00
Jeff Mitchell
8011148fb5
Allow specifying an initial root token ID in dev mode.
...
Ping #1160
2016-03-02 12:03:26 -05:00
Jeff Mitchell
521a956e4d
Address review feedback
2016-03-01 20:25:40 -05:00
Jeff Mitchell
addf92e185
Allow token-renew
to not be given a token; it will then use the
...
renew-self endpoint. Otherwise it will use the renew endpoint, even if
the token matches the client token.
Adds an -increment flag to allow increments even with no token passed
in.
Fixes #1150
2016-03-01 17:02:48 -05:00
Jeff Mitchell
8a500e0181
Add command and token store documentation for roles
2016-03-01 13:02:40 -05:00
Jeff Mitchell
ef990a3681
Initial work on token roles
2016-03-01 12:41:40 -05:00
vishalnayak
6314057b9a
fix typo
2016-03-01 11:48:17 -05:00
Jeff Mitchell
11ddd2290b
Provide 'sys/step-down' and 'vault step-down'
...
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.
Fixes #1093
2016-02-26 19:43:55 -05:00
Grégoire Paris
6de1a0ecd7
add missing verb
2016-02-26 14:43:56 +01:00
Jeff Mitchell
efc48f2473
Fix CLI formatter to show warnings again on CLI list output.
2016-02-24 21:45:58 -05:00
Jeff Mitchell
5a35ee2ddd
Merge pull request #1080 from jkanywhere/improve-formatter
...
Refactor formatting of output
2016-02-24 21:36:57 -05:00
vanhalt
a387725e96
help sentence improved
2016-02-22 09:38:30 -06:00
vanhalt
31862dc5c2
When writing from a file it must be a JSON file
...
Making clear from write help text that when writing secrets
using @file, the file must be a JSON file.
2016-02-21 19:02:09 -06:00
vanhalt
d0489e16c1
Fixing auth-enable help text
...
auth-enable command help in the "Auth Enable Options" is suggesting
the usage of a non-existing command called 'auth-list' instead of
the correct one "auth -methods"
2016-02-21 14:54:50 -06:00
Vishal Nayak
597ba98895
Merge pull request #1099 from hashicorp/fix-ssh-cli
...
ssh: use resolved IP address while executing ssh command
2016-02-19 13:02:34 -05:00
Jeff Mitchell
28857cb419
Fix mixed whitespacing in ssh help text
2016-02-19 12:47:58 -05:00
vishalnayak
bccbf2b87e
ssh: use resolved IP address while executing ssh command
2016-02-19 12:19:10 -05:00
Ron Kuris
c4c6bbf33c
Refactor formatting of output
...
This change is almost perfectly compatible with the existing code,
except it's a little shorter because it uses a list of a available
formatters that must implement a `command.Formatter` interface.
Also added some basic formatting tests.
2016-02-16 12:27:29 -08:00
Ryan Hileman
1e65c4a01f
don't panic when config directory is empty
2016-02-12 16:40:19 -08:00
Jeff Mitchell
5f5542cb91
Return status for rekey/root generation at init time. This mitigates a
...
(very unlikely) potential timing attack between init-ing and fetching
status.
Fixes #1054
2016-02-12 14:24:36 -05:00
Jeff Mitchell
ba71ff7b0c
Update documentation for status command to reflect new return codes
2016-02-08 11:36:08 -05:00
Jeff Mitchell
da2360c7f4
On the CLI, ensure listing ends with /.
2016-02-03 21:08:46 -05:00
Jeff Mitchell
38c51f9412
Fix build tag
2016-02-03 08:41:31 -05:00
Jeff Mitchell
7e0d4bef3e
Add test for HA availability to command/server
2016-02-02 17:47:02 -05:00
Jeff Mitchell
a2bb51e7de
remove unneeded assignment
2016-02-02 15:11:35 -05:00
Jeff Mitchell
a5bf677bb3
Ensure that we fall back to Backend if HABackend is not specified.
2016-02-02 15:09:58 -05:00
Jeff Mitchell
cb046c4ce2
Fix command status test with new return value
2016-01-29 19:31:01 -05:00
Jeff Mitchell
2712a10750
Return 2 for sealed instead of 1 to match the new init -check behavior
2016-01-29 10:55:31 -05:00
Jeff Mitchell
7cf93c0e37
Don't return 1 when flags don't parse for status command, as all other errors return 2; 1 is for when the vault is sealed
2016-01-29 10:53:56 -05:00
James Tancock
5d7537ff85
Docs typo in server command
2016-01-28 08:26:49 +00:00
Jeff Mitchell
3b7a533b5a
Fix test on 1.6 by comparing to nil instead of a nil-defined map
2016-01-22 21:26:06 -05:00
Jeff Mitchell
d95adc731a
Add -check flag to init.
...
Fixes #949
2016-01-22 13:06:40 -05:00
Jeff Mitchell
be1b4c8a46
Only allow listing on folders and enforce this. Also remove string sorting from Consul backend as it's not a requirement and other backends don't do it.
2016-01-22 10:07:32 -05:00
Jeff Mitchell
e412ac8461
Remove bare option, prevent writes ending in slash, and return an exact file match as "."
2016-01-22 10:07:32 -05:00
Jeff Mitchell
455931873a
Address some review feedback
2016-01-22 10:07:32 -05:00
Jeff Mitchell
5341cb69cc
Updates and documentation
2016-01-22 10:07:32 -05:00
Jeff Mitchell
10c307763e
Add list capability, which will work with the generic and cubbyhole
...
backends for the moment. This is pretty simple; it just adds the actual
capability to make a list call into both the CLI and the HTTP handler.
The real meat was already in those backends.
2016-01-22 10:07:32 -05:00
Jeff Mitchell
9adfdfd6e7
Add -decode flag verification
2016-01-21 12:18:57 -05:00
Jeff Mitchell
973c888833
RootGeneration->GenerateRoot
2016-01-19 18:28:10 -05:00
Jeff Mitchell
3b100c5965
Address most of the review feedback
2016-01-19 18:28:10 -05:00
Jeff Mitchell
3b994dbc7f
Add the ability to generate root tokens via unseal keys.
2016-01-19 18:28:10 -05:00
Jeff Mitchell
630b2d83a7
Allow ASCII-armored PGP pub keys to be passed into -pgp-keys.
...
Fixes #940
2016-01-18 17:01:52 -05:00
Jeff Mitchell
8cb23835d7
Fix read panic when an empty argument is given.
...
Fixes #923
2016-01-12 08:46:49 -05:00
Jeff Mitchell
a2bd31d493
Fix up PGP tests from earlier code fixes
2016-01-08 22:21:41 -05:00
Jeff Mitchell
676008b2c5
Lotsa warnings if you choose not to be safe
2016-01-08 17:35:07 -05:00
Jeff Mitchell
26e1837a82
Some minor rekey backup fixes
2016-01-08 14:09:40 -05:00
Jeff Mitchell
a094eedce2
Add rekey nonce/backup.
2016-01-06 09:54:35 -05:00
Jeff Mitchell
80866d036d
update init/rekey documentation around keybase entries
2016-01-04 14:17:51 -05:00
Jeff Mitchell
5ef7efffe3
Disable cmd/server tests for now so we can get Travis back on track
2015-12-31 08:48:53 -05:00
Jeff Mitchell
c642feebe2
Remove some outdated comments
2015-12-30 21:00:27 -05:00
Jeff Mitchell
0509ad9c29
Use RenewSelf instead of Renew if the token we're renewing is the same as the client
2015-12-30 14:41:50 -05:00
Nicki Watt
442d538deb
Make token-lookup functionality available via Vault CLI
2015-12-29 20:18:59 +00:00
Jeff Mitchell
fefa696a33
Merge pull request #886 from ooesili/ssh-error-fetching-username
...
Stop panic when vault ssh username fetching fails
2015-12-29 12:17:51 -06:00
Jeff Mitchell
fa1676882f
Merge pull request #853 from hashicorp/issue-850
...
Make TokenHelper an interface and split exisiting functionality
2015-12-29 12:01:49 -06:00
Jeff Mitchell
6cdb8aeb4f
Merge branch 'master' into f-disable-tls
2015-12-29 12:59:02 -05:00
Nicki Watt
eb4aaad082
Using LookupSelf() API method instead of raw HTTP call for auth command
2015-12-28 01:38:00 +00:00
Wesley Merkel
5a368fa9de
Stop panic when vault ssh username fetching fails
2015-12-26 15:09:07 -07:00
Wim
e8e492f574
Fix ipv6 address advertisement
2015-12-22 21:40:36 +01:00
Jeff Mitchell
1a324cf347
Make TokenHelper an interface and split exisiting functionality
...
Functionality is split into ExternalTokenHelper, which is used if a path
is given in a configuration file, and InternalTokenHelper which is used
otherwise. The internal helper no longer shells out to the same Vault
binary, instead performing the same actions with internal code. This
avoids problems using dev mode when there are spaces in paths or when
the binary is built in a container without a shell.
Fixes #850 among others
2015-12-22 10:23:30 -05:00
Jeff Mitchell
5017907785
Move telemetry metrics up to fix one possible race, but deeper problems in go-metrics can't be solved with this
2015-12-17 16:38:17 -05:00
Jeff Mitchell
db7a2083bf
Allow setting the advertise address via an environment variable.
...
Fixes #581
2015-12-14 21:22:55 -05:00
Jeff Mitchell
1e653442cd
Ensure advertise address detection runs without a specified HA backend
...
Ping #840
2015-12-14 21:13:27 -05:00
Jeff Mitchell
521ea42f6b
Merge pull request #840 from hashicorp/issue-395
...
Allow separate HA physical backend.
2015-12-14 20:56:47 -05:00
Jeff Mitchell
7ce8aff906
Address review feedback
2015-12-14 17:58:30 -05:00
Mathias Lafeldt
b00b476c7a
Show error if output format is invalid
...
Rather than silently using table as a fallback.
2015-12-14 17:14:22 +01:00
Jeff Mitchell
ced0835574
Allow separate HA physical backend.
...
With no separate backend specified, HA will be attempted on the normal
physical backend.
Fixes #395 .
2015-12-14 07:59:58 -05:00
Jeff Mitchell
e941f699d3
Merge pull request #832 from mlafeldt/yaml-ouput
...
Allow to output secrets in YAML format
2015-12-11 12:04:41 -05:00
Mathias Lafeldt
61d4ef70f4
Allow to output secrets in YAML format
...
This can be done with https://github.com/ghodss/yaml , which reuses
existing JSON struct tags for YAML.
2015-12-10 11:32:31 +01:00
Mathias Lafeldt
607d12174d
Output secrets sorted by key
...
Instead of printing them in random order each time `vault read` is invoked.
2015-12-10 10:08:23 +01:00
Armon Dadgar
985717b428
server: sanity check value for 'tls_disable'
2015-11-25 11:37:57 -08:00
Jeff Mitchell
1a45696208
Add no-default-policy flag and API parameter to allow exclusion of the
...
default policy from a token create command.
2015-11-09 17:30:50 -05:00
Jeff Mitchell
5d5d58ffe4
Fix unmount help output
2015-11-09 15:23:49 -05:00
Jeff Mitchell
75f1c1e40c
Print version on startup.
...
Fixes #765
2015-11-09 13:52:55 -05:00
Jeff Mitchell
32e23bea71
Move environment variable reading logic to API.
...
This allows the same environment variables to be read, parsed, and used
from any API client as was previously handled in the CLI. The CLI now
uses the API environment variable reading capability, then overrides any
values from command line flags, if necessary.
Fixes #618
2015-11-04 10:28:00 -05:00
Jeff Mitchell
c1d8b97342
Add reset support to the unseal command.
...
Reset clears the provided unseal keys, allowing the process to be begun
again. Includes documentation and unit test changes.
Fixes #695
2015-10-28 15:59:39 -04:00
Jeff Mitchell
7b25204a19
Fix cache disabling
2015-10-28 13:05:56 -04:00
voutasaurus
1da78942e8
Modifies documentation in output of vault server -dev
...
Environment variable setting is different in windows
2015-10-22 00:48:46 -07:00
Jeff Mitchell
cba4e82682
Don't use http.DefaultClient
...
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.
Fixes #700 , I believe.
2015-10-15 17:54:00 -04:00
Jeff Mitchell
9f0b1547bb
Allow disabling the physical storage cache with 'disable_cache'.
...
Fixes #674 .
2015-10-12 13:00:32 -04:00
Jeff Mitchell
b8455be005
Support and use TTL instead of lease for token creation
2015-10-09 19:52:13 -04:00
Jeff Mitchell
ee92124357
Fix output of token-create help to use ttl instead of lease
2015-10-09 19:40:30 -04:00
Jeff Mitchell
aa3055f816
Fix mount-tune CLI output
2015-10-09 16:03:31 -04:00
Jeff Mitchell
d39580b38c
Update CLI help text for init/rekey regarding base64-encoded keys
2015-10-08 11:09:30 -04:00