Commit graph

1103 commits

Author SHA1 Message Date
Brian Kassouf 325c3acbb5
Update operator_rekey.go (#5983) 2018-12-20 09:05:50 -08:00
Jim Kalafut 2547d7fb6a
Simplify base62.Random (#5982)
Also move existing base62 encode/decode operations to their only points
of use.
2018-12-20 07:40:01 -08:00
Jeff Mitchell fff8976671 Update backwards compat fix from 5913 2018-12-12 15:36:28 -05:00
Calvin Leung Huang 351b707e18 cli/json: correctly output the number of key shares and threshold on stored keys (#5910) 2018-12-12 15:26:11 -05:00
Chris Hoffman 555b914695 adding -dev-kv-v1 flag for forcing kvv1 (#5919) 2018-12-12 12:07:18 -08:00
Calvin Leung Huang e71017e5a9 Set request token entry within fetchACLTokenEntryAndEntity (#5880) 2018-12-03 11:57:53 -05:00
Clint Shryock 37e75a95c7
fix typo in comment 2018-11-28 10:06:23 -06:00
Matthew Irish 08ca544273
plumb policy-override flag to the CLI (#5826) 2018-11-20 11:33:00 -06:00
Becca Petrin a96f1f75ee Restore plugin name for backwards compatibility (#5825)
* re-add plugin name for backwards compat

* add plugin name to table for backwards compat

* conditionally set the plugin name

* Update command/auth_list.go

Co-Authored-By: tyrannosaurus-becks <beccapetrin@posteo.net>

* Update command/secrets_list.go

Co-Authored-By: tyrannosaurus-becks <beccapetrin@posteo.net>

* update auth and secrets list commands

* add comments regarding deprecation
2018-11-19 16:41:17 -08:00
Julien Balestra a60ed6a53c agent: fix auth when multiple redirects (#5814) 2018-11-19 15:50:42 -08:00
Clint dfe585c7f7 Agent kube projected token (#5725)
* Add support for custom JWT path in Agent: kubernetes auth

- add support for "token_path" configuration
- add a reader for mocking in tests

* add documentation for token_path
2018-11-19 14:28:17 -08:00
Calvin Leung Huang ad3e105012
Mount tune options (#5809)
* Refactor mount tune to support upsert options values and unset options.

* Do not allow unsetting options map

* add secret tune version regression test

* Only accept valid options version

* s/meVersion/optVersion/
2018-11-19 14:23:25 -08:00
Brian Kassouf 33776b89c2
Wrap storage calls with encoding checks (#5819)
* Add encoding backend

* More work on encoding checks

* Update error message

* Update physical/encoding.go

* Disable key checks if configured
2018-11-19 13:13:16 -08:00
Jim Kalafut 824c02a234
Show migration check error (#5806) 2018-11-16 15:09:35 -08:00
Calvin Leung Huang 227a664b06 Continue on plugin registration error in dev mode (#5791)
* Continue on plugin registration error in dev mode

* Continue only on unknown type error

* Continue only on unknown type error

* Print plugin registration error on exit

Co-Authored-By: calvn <cleung2010@gmail.com>
2018-11-15 16:55:24 -08:00
Calvin Leung Huang e99957aed9
Support registering plugin with name only (#5787)
* Support registering plugin with name only

* Make RegisterPlugin backwards compatible

* Add CLI backwards compat command to plugin info and deregister

* Add server-side deprecation warnings if old read/dereg API endpoints are called

* Address feedback
2018-11-15 14:33:11 -08:00
Jeff Mitchell 3de2ebd256 Explicitly state that secrets move doesn't work across namespaces 2018-11-07 11:07:19 -05:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
Calvin Leung Huang ef8f40647a Bump timeout due to potential backoff retry delay (#5706) 2018-11-06 11:06:06 -08:00
Calvin Leung Huang 46f37f3363
Add HSMAutoDeprecated for ent upgrade (#5704) 2018-11-06 09:42:03 -08:00
Jeff Mitchell 41649c1511 Clean up stored barrier keys after migration to shamir (#5671) 2018-11-05 14:06:39 -05:00
Calvin Leung Huang c5c6588f7e
Bump timeout due to potential backoff retry delay (#5663) 2018-11-02 13:22:15 -07:00
Jim Kalafut b1bc2a6b2b
Fix a few vet warnings (#5674) 2018-11-02 13:21:44 -07:00
Becca Petrin f99d65bdc3 fix typo in test name 2018-11-01 16:06:35 -07:00
Dilan Bellinghoven 5109be59a6 command/agent/sink/sink.go: This fix solves the problem where when multiple file sinks are specified in the agent HCL file, there is unexpected behavior (#5610) 2018-11-01 14:44:13 -07:00
Brian Shumate 9c06c53542 Fix typo (#5661) 2018-11-01 10:13:20 -04:00
Jim Kalafut 11d7f7eb13
Add memory profiling for custom builds (#5584) 2018-10-31 11:11:45 -07:00
Jeff Mitchell 605a7e30ad
Add the ability for secret IDs in agent approle to be wrapped (#5654) 2018-10-30 20:53:49 -04:00
Jeff Mitchell 6d20c8fce2
Add approle agent method removing secret ID file by default. (#5648)
Also, massively update tests.
2018-10-30 14:09:04 -04:00
Aleksey Zhukov 5361205d5b WIP Agent AppRole auto-auth (#5621) 2018-10-30 12:17:19 -04:00
Chris Hoffman 8c88eb3e2a
Add -dev-auto-seal option (#5629)
* adding a -dev-auto-seal option

* adding logger to TestSeal
2018-10-29 09:30:24 -04:00
Jeff Mitchell 2c17930aaf
Remove agent reauthentication on new credentials. (#5615)
Functionality is left in for use in testing (where it is indeed quite
useful).

Fixes #5522
2018-10-27 10:45:55 -07:00
Jim Kalafut fa462c72f9
Fix command panic by returning empty (not nil) map (#5603)
Fixes #5600
2018-10-24 13:08:40 -07:00
Jeff Mitchell 91a970b81d Fix build 2018-10-23 15:09:35 -04:00
Jeff Mitchell a979f49cd7 Add disable-indexing 2018-10-23 15:03:17 -04:00
Jeff Mitchell 2526ce2ce6 Fix build 2018-10-23 04:12:23 -04:00
Jeff Mitchell b2f2568a21 Merge branch 'master-oss' into 1.0-beta-oss 2018-10-23 04:02:28 -04:00
Jeff Mitchell fe770ed284 Change deprecation warning to 1.1 2018-10-23 02:44:57 -04:00
Chris Hoffman dec2eb88b6 adding gcpkms secrets engine (#784) 2018-10-22 23:39:25 -07:00
Jeff Mitchell 82992d6097
Seal migration (OSS) (#781) 2018-10-22 23:34:02 -07:00
Vishal Nayak 699b18ee09 Fix flag name for kv help text (#5580) 2018-10-22 15:22:43 -04:00
Calvin Leung Huang a08ccbffa7
[Review Only] Autoseal OSS port (#757)
* Port awskms autoseal

* Rename files

* WIP autoseal

* Fix protobuf conflict

* Expose some structs to properly allow encrypting stored keys

* Update awskms with the latest changes

* Add KeyGuard implementation to abstract encryption/decryption of keys

* Fully decouple seal.Access implementations from sealwrap structs

* Add extra line to proto files, comment update

* Update seal_access_entry.go

* govendor sync

* Add endpoint info to configureAWSKMSSeal

* Update comment

* Refactor structs

* Update make proto

* Remove remove KeyGuard, move encrypt/decrypt to autoSeal

* Add rest of seals, update VerifyRecoveryKeys, add deps

* Fix some merge conflicts via govendor updates

* Rename SealWrapEntry to EncryptedBlobInfo

* Remove barrier type upgrade check in oss

* Add key to EncryptedBlobInfo proto

* Update barrierTypeUpgradeCheck signature
2018-10-19 14:43:57 -07:00
Jeff Mitchell 224fbd4a88 Merge branch 'master-oss' into 1.0-beta-oss 2018-10-16 10:08:03 -04:00
Jeff Mitchell 04e3f9b0f3
Add LastWAL in leader/health output (#5523) 2018-10-16 09:38:44 -04:00
Jeff Mitchell a64fc7d7cb
Batch tokens (#755) 2018-10-15 12:56:24 -04:00
Jeff Mitchell af73c5872d
Buffer authhandler output channel to prevent hang on shutdown (#5507)
Fixes #5026
2018-10-15 11:02:53 -04:00
Jim Kalafut 123e34f4a7
Don't copy HA lock file during migration (#5503) 2018-10-12 09:29:15 -07:00
Jeff Mitchell 646bfc6d5d
Warn when users don't configure api_addr (#5496)
Fixes some sources of user strife
2018-10-10 14:52:00 -04:00
Calvin Leung Huang b47e648ddf
Logger cleanup (#5480) 2018-10-09 09:43:17 -07:00
Jim Kalafut bd4a7c57c6 Fix 'vault auth' panic (#5473)
Running 'vault auth' with no parameters was panicking:

panic: assignment to entry in nil map
	github.com/hashicorp/vault/command/login.go:255 +0xdee

Now it will show help.
2018-10-05 16:05:26 -07:00
JohnVonNeumann eba56f3f23 Update operator_init.go (#5441)
Minor grammar fix.
2018-10-01 17:19:13 -07:00
Jim Kalafut 43d498983c
Retry failing migration check instead of exiting (#5427) 2018-10-01 14:35:35 -07:00
Jeff Mitchell ef144c4c25 Send initialized information via sys/seal-status (#5424) 2018-09-27 14:03:37 -07:00
Jim Kalafut d9d93e42a8
Fix server command test (#5407)
The addition of CheckMigration to the server startup process means
that physical backends in this test need to be able to respond to Get() without error.
2018-09-26 14:52:11 -07:00
Jim Kalafut c1f7e4a276
Fix wording in log message (#5399) 2018-09-25 16:52:03 -07:00
Jim Kalafut 4c80debe63
Add physical backend migrator command (#5143) 2018-09-25 16:18:22 -07:00
Seth Vargo 743161abd4 Also format TTLs in non-secret responses (#5367) 2018-09-21 09:54:18 -04:00
Becca Petrin 74d4d0ccc0
add alicloud secrets engine (#5352) 2018-09-19 08:42:28 -07:00
Jeff Mitchell 43aebacfa8 Fix default_max_request_duration HCL name and update docs (#5321)
* Fix default_max_request_duration HCL name and update docs

* Update tcp.html.md
2018-09-18 14:30:21 -07:00
Jeff Mitchell 919b968c27
The big one (#5346) 2018-09-17 23:03:00 -04:00
Jim Kalafut eb6c165e29
Improve CLI error message (#5327) 2018-09-13 08:23:36 -07:00
Becca Petrin b2ff87c9c2
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 13:30:57 -07:00
Becca Petrin 625592c5e6
update to match aws (#5315) 2018-09-11 11:10:50 -07:00
Jeff Mitchell 1837c571ec
Fix authhandler-based wrapping in agent (#5316) 2018-09-11 13:10:11 -04:00
Jeff Mitchell c28ed23972
Allow most parts of Vault's logging to have its level changed on-the-fly (#5280)
* Allow most parts of Vault's logging to have its level changed on-the-fly

* Use a const for not set
2018-09-05 15:52:54 -04:00
Becca Petrin 7e0e49656a Add AliCloud auth to the Vault Agent (#5179) 2018-09-05 11:56:30 -04:00
Jim Kalafut f03fc41ba2
Fix server test that fails build under 1.11 (#5264)
command/server_test.go:147:2: finished declared but not used
vet: typecheck failures
2018-09-04 11:35:28 -06:00
Brian Kassouf c603a8b811
Add performance standby status to status output (#5192)
* Add performance standby status to status output

* Update ha.go
2018-08-27 10:01:07 -07:00
Jeff Mitchell ac79655f8a Sync some changes over 2018-08-27 12:03:43 -04:00
Jeff Mitchell ae285d29a3 Sync over 2018-08-27 12:02:57 -04:00
Jeff Mitchell 9cd7c05269
Change deprecation warnings from 0.11 or later to 0.12. (#5176)
Also remove a deprecated parameter that we warned would be removed since
0.8.
2018-08-24 12:16:37 -04:00
Jeff Mitchell aec9a689a0 Sync over some stuff 2018-08-24 12:09:03 -04:00
Becca Petrin c0f2f21d97 Auth handler shutdown logic (#5170) 2018-08-24 09:17:14 -04:00
Jeff Mitchell 362a92945e Don't resetnamed 2018-08-23 15:04:18 -04:00
Calvin Leung Huang 5812a84c28
command/namespace: Move trailing slash check to the end (#5163) 2018-08-22 15:49:24 -07:00
Jeff Mitchell 66a0029195 Sync some ns stuff to api/command 2018-08-22 14:37:40 -04:00
Jeff Mitchell 3b01b29056
Pass in an ErrorLog to http.Server (#5135)
Fixes #5108
2018-08-21 11:23:18 -04:00
Jim Kalafut a8e81ce393 Initial import of Azure Secrets (#5120)
* Initial import of Azure Secrets

* Update vendor folder
2018-08-16 12:18:06 -07:00
Becca Petrin 8e8095163e Add alicloud auth (#5123)
* add alicloud auth commands

* add dependencies
2018-08-16 12:17:49 -07:00
Jeff Mitchell f1d72abb39 Remove injection into top routes (#5101) 2018-08-14 15:29:22 -04:00
Jeff Mitchell c3e063f2a6 Fix read test 2018-08-14 14:20:49 -04:00
Jeff Mitchell 74175b29af
Add support for passing args via vault read (#5093)
We support this in the API as of 0.10.2 so read should support it too.

Trivially tested with some log info:

`core: data: data="map[string]interface {}{"zip":[]string{"zap", "zap2"}}"`
2018-08-13 22:00:26 -04:00
Nándor István Krácser b9fab6375b Alibaba Object Storage support (#4783) 2018-08-13 17:03:24 -04:00
Jeff Mitchell 9d1a427949 Port over some ns stuff 2018-08-10 12:17:17 -04:00
Jeff Mitchell fb3c7eb449 Port some ns stuff over 2018-08-10 12:13:11 -04:00
Jeff Mitchell a6d0ae5890
Add exit-after-auth functionality to agent (#5013)
This allows it to authenticate once, then exit once all sinks have
reported success. Useful for things like an init container vs. a
sidecard container.

Also adds command-level testing of it.
2018-07-30 10:37:04 -04:00
Paul Nicholson c761a9a8f2 agent: kubernetes: add missing slash in token path (#5010) 2018-07-29 15:50:18 -04:00
Jeff Mitchell e72890e83f
VSI (#4985) 2018-07-24 22:02:27 -04:00
Jeff Mitchell 4261618d10 Add request timeouts in normal request path and to expirations (#4971)
* Add request timeouts in normal request path and to expirations

* Add ability to adjust default max request duration

* Some test fixes

* Ensure tests have defaults set for max request duration

* Add context cancel checking to inmem/file

* Fix tests

* Fix tests

* Set default max request duration to basically infinity for this release for BC

* Address feedback
2018-07-24 14:50:49 -07:00
Jeff Mitchell 9687ccc8fa Tackle #4929 a different way (#4932)
* Tackle #4929 a different way

This turns c.sealed into an atomic, which allows us to call sealInternal
without a lock. By doing so we can better control lock grabbing when a
condition causing the standby loop to get out of active happens. This
encapsulates that logic into two distinct pieces (although they could
be combined into one), and makes lock guarding more understandable.

* Re-add context canceling to the non-HA version of sealInternal

* Return explicitly after stopCh triggered
2018-07-24 13:57:25 -07:00
Michael Russell c66544381a Make the SSH executable path configurable (#4937)
Making this configurable is useful for windows users which may not be
using the default `ssh` executable. It also means that users can point to a
specify SSH executable if multiple are available.
2018-07-17 17:47:07 -07:00
Julien Blache c8fb9ed6a8 FoundationDB physical backend (#4900) 2018-07-16 10:18:09 -04:00
Michael Russell b6dfe372fd Allow vault ssh to work with single ssh args like -v (#4825) 2018-07-16 10:11:56 -04:00
zhogov 5c472429c2 Fixed parsing of environment variables (#4925) 2018-07-13 10:45:35 -07:00
Seth Vargo 1259ee6743 Add plugin CLI for interacting with the plugin catalog (#4911)
* Add 'plugin list' command

* Add 'plugin register' command

* Add 'plugin deregister' command

* Use a shared plugin helper

* Add 'plugin read' command

* Rename to plugin info

* Add base plugin for help text

* Fix arg ordering

* Add docs

* Rearrange to alphabetize

* Fix arg ordering in example

* Don't use "sudo" in command description
2018-07-13 10:35:08 -07:00
Jeff Mitchell a2b88fa239
Turn off retries on CLI (#4918)
For the CLI it just ends up confusing people as to why it's "hanging"
before returning a 500. This can still be overridden with
VAULT_MAX_RETRIES.
2018-07-12 18:38:18 -04:00
Jeff Mitchell 8433bf26e9 Fix printable check key not being valid 2018-07-12 16:59:07 -04:00
Jeff Mitchell 954f6c4ece
Add config flag to disable non-printable character check (#4917) 2018-07-12 16:29:36 -04:00
Calvin Leung Huang f801f4b808
Add description flag to secrets and auth tune subcommands (#4894)
* Add description flag to secrets and auth tune subcommands

* Allow empty description to be provided in secret and auth mount tune

* Use flagNameDescription
2018-07-12 11:15:50 -04:00
Jeff Mitchell cd51a769ca Fix tests 2018-07-12 10:18:50 -04:00
Jeff Mitchell 5beb7ab1fd
Add in logic for handling a field of 'data' to kv get (#4895)
We do this for normal commands in PrintRawField but it needs some help
for KV v2.
2018-07-11 15:50:26 -04:00
Jeff Mitchell 98bf463a65 Make single-lease revocation behave like expiration (#4883)
This change makes it so that if a lease is revoked through user action,
we set the expiration time to now and update pending, just as we do with
tokens. This allows the normal retry logic to apply in these cases as
well, instead of just erroring out immediately. The idea being that once
you tell Vault to revoke something it should keep doing its darndest to
actually make that happen.
2018-07-11 15:45:35 -04:00
Jeff Mitchell 6e0e024d90
Allow lease_duration to be pulled out with -field (#4906)
* Allow lease_duration to be pulled out with -field

This also provides an easy way to verify that when -field is used we
don't string format the value.

This also changes the human string helper to accept more than one type
of incoming int.

* Address review feedback
2018-07-11 15:09:04 -04:00
Seth Vargo 87b60308f8 Special case handle TTLs from JSON responses (#4893) 2018-07-11 12:07:48 -04:00
Seth Vargo bfdc295ffb Properly parse envvars for bools (#4882)
Fixes GH-4875
2018-07-09 13:43:46 -07:00
Jeff Mitchell 1011f61bf2 Add JWT plugin 2018-07-09 16:21:47 -04:00
Seth Vargo 419e4ffa14 Ensure there's a newline between each warning (#4878)
It's really hard to see where one stops and another starts given
multiple warnings.
2018-07-09 10:57:53 -07:00
Jeff Mitchell 4a3fe87a39
Allow max request size to be user-specified (#4824)
* Allow max request size to be user-specified

This turned out to be way more impactful than I'd expected because I
felt like the right granularity was per-listener, since an org may want
to treat external clients differently from internal clients. It's pretty
straightforward though.

This also introduces actually using request contexts for values, which
so far we have not done (using our own logical.Request struct instead),
but this allows non-logical methods to still get this benefit.

* Switch to ioutil.ReadAll()
2018-07-06 15:44:56 -04:00
Chris Hoffman a1c8c8459b
Bump Deps (#4868)
* bump deps

* revert script changes

* adding govendor miss
2018-07-06 12:09:34 -04:00
Jeff Mitchell 5a0c44f4f4 Update generate-root output (#4807)
In current Vault server EncodedToken will always be populated regardless
of type (root, DR), so prioritize that, and properly refer to it as
Encoded Token instead of Root Token.

Additionally refer to the nonce as the Operation nonce instead of the
Root generation operation nonce since it's used for both strategies.
2018-07-06 09:02:47 -04:00
Nándor István Krácser a40ff31777 vault kv metadata put doesn't need [DATA] (#4847) 2018-06-28 00:26:10 -07:00
Seth Vargo 0322f1bf43 Validate operator init args (#4838) 2018-06-26 10:15:00 -04:00
Vishal Nayak 57c7ecfcd4
Identity: Remove unused MemDB indexes and unused functions (#4817)
* refactor delete utility

* refactor delete alias utility

* remove MemDBUpsertAlias

* Remove MemDBAliasByCanonicalID

* remove MemDBAliasesByMetadata

* remove MemDBDeleteAliasByID

* Remove MemDBUpsertEntity and MemDBEntityByNameInTxn

* Remove is.MemDBEntitiesByBucketEntryKeyHash

* Remove MemDBEntitiesByBucketEntryKeyHash and MemDBEntityByMergedEntityID

* Remove MemDBEntities

* Remove validateMemberGroupID

* Remove validateEntityID, validateGroupID, deleteAliasFromEntity

* Remove updateAliasInEntity

* Remove satisfiesMetadataFilters and UpsertGroup

* Remove MemDBUpsertGroup

* Remove deleteGroupByID

* Remove deleleGroupByName

* Remove MemDBDeleteGroupByNameInTxn

* Remove MemDBGroupsByPolicy and MemDBGroupsByPolicyInTxn

* Remove MemDBGroupIterator

* Remove MemDBGroupsByBucketEntryKeyHash

* Remove deleteGroupAlias

* Remove metadata index from entities table

* Remove unneeded indexes from entity alias and group alias schema

* Remove unneeded index from groups table schema

* Fix test

* s/entity/lockEntity

* Don't expose the memdb instance outside identity store

* More txn.Abort() corrections

* switch back to deferring abort calls
2018-06-24 07:45:53 -04:00
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Jeff Mitchell ebe3f09f82
Add kv rollback (#4774)
* Add `kv rollback`

Like `kv patch` this is more of a helper than anything else; it provides
a single command to fetch the current version (for CAS), read the
version you want to roll back to, and set it as the new version (using
CAS for safety).
2018-06-15 15:34:17 -04:00
Jeff Mitchell 734b46ea5b
Add a hidden combine-logs flag (#4766)
This can be used when errors are happening early on to avoid them being
swallowed by logGate.

This also does a bit of cleanup of format env var checking --
helper/logging internally looks for this so it was totally unnecessary
since moving to hclog.
2018-06-15 14:47:37 -04:00
Wim 3e1930e7c3 Use %q in error output for better visibility (#4771) 2018-06-14 18:19:22 -04:00
Michael Russell 063221b44a Allow vault ssh to accept ssh commands in any ssh compatible format (#4710)
* Allow vault ssh to accept ssh commands in any ssh compatible format

Previously vault ssh required ssh commands to be in the format
`username@hostname <flags> command`. While this works just fine for human
users this breaks a lot of automation workflows and is not compatible
with the options that the ssh client supports.

Motivation

We currently run ansible which uses vault ssh to connect to hosts.
Ansible generates ssh commands with the format `ssh <flags> -o User=username hostname
command`. While this is a valid ssh command it currently breaks with
vault because vault expects the format to be `username@hostname`. To work
around this we currently use a wrapper script to parse the correct username being set
by ansible and translate this into a vault ssh compatible `username@hostname` format

Changes

* You can now specify arguments in any order that ssh client allows. All
arguments are passed directly to the ssh command and the format isn't
modified in any way.
* The username and port are parsed from the specified ssh command. It
will accept all of the options supported by the ssh command and also
will properly prefer `-p` and `user@` if both options are specified.
* The ssh port is only added from the vault credentials if it hasn't
been specified on the command line
2018-06-14 09:54:48 -04:00
Jeff Mitchell 5d44c54947
Changes the way policies are reported in audit logs (#4747)
* This changes the way policies are reported in audit logs.

Previously, only policies tied to tokens would be reported. This could
make it difficult to perform after-the-fact analysis based on both the
initial response entry and further requests. Now, the full set of
applicable policies from both the token and any derived policies from
Identity are reported.

To keep things consistent, token authentications now also return the
full set of policies in api.Secret.Auth responses, so this both makes it
easier for users to understand their actual full set, and it matches
what the audit logs now report.
2018-06-14 09:49:33 -04:00
Calvin Leung Huang c4abeb9ea5
Move checkHCLKeys into hclutil (#4749) 2018-06-12 12:38:08 -04:00
Jeff Mitchell c1267ab16c
Fix writing to KVv2 root via kv put (#4726)
* Fix writing to KVv2 root via `kv put`

The check that adds the API path wasn't taking into account the root,
e.g. if it's mounted at `kv`, `kv` and `kv/` would end up creating an
extra copy of the mount path in front, leading to paths like
`kv/data/kv`.

* Output warnings if they come back and fix a panic in metadata_get

* Also add to metadata put/delete
2018-06-08 13:45:47 -04:00
Kevin Hicks ed7992e8ae update docs and help text to include 'operator' (#4712) 2018-06-06 21:11:21 -07:00
Jeff Mitchell 21a9b06983
Show mount accessors in normal secrets/auth list commands (#4676)
This makes them significantly easier to find/consume
2018-06-01 10:20:09 -04:00
Michael Russell 1b555b6d4c Only append the UserKnownHostsFile ssh flag when required (#4674)
Don't set a default value for the UserKnownHostsFile flag.
Only append `-o UserKnownHostsFile` to the ssh command if it
has been specified by the user or vault ssh has set it based on another
flag (such as flagHostKeyMountPoint)

Fixes https://github.com/hashicorp/vault/issues/4672
2018-06-01 09:56:22 -04:00
Michael Russell 4d1669938c Use hostname instead of the IP when running the actual ssh command (#4673)
This is implementing the same fix that was added for the CA mode for vault
ssh in https://github.com/hashicorp/vault/pull/3922
Using the IP address caused `Host` entries in the ssh_config to not
match anymore meaning you would need to hardcode all of your IP
addresses in your ssh config instead of using DNS to connect to hosts
2018-06-01 09:16:12 -04:00
Jeff Mitchell 9e7f381fca Sync over changes to config.go 2018-05-30 08:34:46 -04:00
emily 192c228931 Add GCP auth helper (#4654)
* update auth plugin vendoring

* add GCP auth helper and docs
2018-05-29 20:36:24 -04:00
Jeff Mitchell 7cf283cd2c Make the rekey verification message more complete 2018-05-29 14:59:19 -04:00
Jeff Mitchell 2971813684 Add verification nonce to non-verify status, if it exists, and name it verification nonce in the verify status for clarity 2018-05-29 13:18:52 -04:00
Jeff Mitchell c53717ba1c Fix panic and update some text 2018-05-29 13:13:47 -04:00
Jeff Mitchell 8b065344f8 Update CLI text 2018-05-29 12:42:33 -04:00
Jeff Mitchell bd0ac25eb9
Merge branch 'master' into rekey-verification 2018-05-29 10:19:57 -04:00
Kloppi313 365335f609 Typo in operator_rekey.go (#4646) 2018-05-29 09:28:08 -04:00
Jeff Mitchell 14b65ff4db
Builds on top of #4600 to provide CLI support (#4605) 2018-05-28 00:39:53 -04:00
Becca Petrin 94ae5d2567
Add Active Directory secrets plugin (#4635) 2018-05-25 11:37:41 -07:00
Becca Petrin abc0975d75
fix tests (#4636) 2018-05-24 13:57:25 -07:00
Jeff Mitchell 7749f3cb3f Prevent warnings from showing in individual commands when format is not table, in addition to the existing hiding of higher-level deprecation warnings 2018-05-23 17:13:39 -04:00
Jeff Mitchell 396457ce03
Don't use environment as a mechanism for floating format around. (#4622)
This turns out to not work very well for the demo server. Also,
it's kinda hacky.
2018-05-23 16:45:17 -04:00
Jeff Mitchell f1c3ddc566
Fix panic on deprecated audit-disable and some cleanup (#4619) 2018-05-23 12:34:48 -04:00
Jeff Mitchell 84eaebb774
Add missing flags to KV commands and simplify boilerplate (#4617) 2018-05-23 09:56:47 -04:00
Dan Brown 013e4e4d81 Fix typo (#4607) 2018-05-22 08:30:13 -04:00
Jeff Mitchell c011cefed4
Fix panic when running capabilities CLI command with multiple paths (#4553)
* Fix panic using 'vault token capabilities' with more than one path

Fixes #4552

* Add test
2018-05-11 11:58:12 -04:00
Tyler Marshall 407550bd89 Fix minor spelling mistake (#4548) 2018-05-10 13:42:01 -07:00
Jeff Mitchell af802275bd
Fix response wrapping from K/V version 2 (#4511)
This takes place in two parts, since working on this exposed an issue
with response wrapping when there is a raw body set. The changes are (in
diff order):

* A CurrentWrappingLookupFunc has been added to return the current
value. This is necessary for the lookahead call since we don't want the
lookahead call to be wrapped.

* Support for unwrapping < 0.6.2 tokens via the API/CLI has been
removed, because we now have backends returning 404s with data and can't
rely on the 404 trick. These can still be read manually via
cubbyhole/response.

* KV preflight version request now ensures that its calls is not
wrapped, and restores any given function after.

* When responding with a raw body, instead of always base64-decoding a
string value and erroring on failure, on failure we assume that it
simply wasn't a base64-encoded value and use it as is.

* A test that fails on master and works now that ensures that raw body
responses that are wrapped and then unwrapped return the expected
values.

* A flag for response data that indicates to the wrapping handling that
the data contained therein is already JSON decoded (more later).

* RespondWithStatusCode now defaults to a string so that the value is
HMAC'd during audit. The function always JSON encodes the body, so
before now it was always returning []byte which would skip HMACing. We
don't know what's in the data, so this is a "better safe than sorry"
issue. If different behavior is needed, backends can always manually
populate the data instead of relying on the helper function.

* We now check unwrapped data after unwrapping to see if there were raw
flags. If so, we try to detect whether the value can be unbase64'd. The
reason is that if it can it was probably originally a []byte and
shouldn't be audit HMAC'd; if not, it was probably originally a string
and should be. In either case, we then set the value as the raw body and
hit the flag indicating that it's already been JSON decoded so not to
try again before auditing. Doing it this way ensures the right typing.

* There is now a check to see if the data coming from unwrapping is
already JSON decoded and if so the decoding is skipped before setting
the audit response.
2018-05-10 15:40:03 -04:00
Shelby Moore f8e1f82225 Updated proxy protocol config validation (#4528) 2018-05-09 10:53:44 -04:00
Prem Sichanugrist 0057bdbee6 Fix misspelling in vault auth deprecation message (#4460) 2018-04-26 06:55:36 -04:00
Jeff Mitchell 26e83442fa
Add -no-print to 'vault login' (#4454)
Trivially manually tested

Closes #2758
2018-04-25 15:47:49 -04:00
Jeff Mitchell 5e9308ccad Fix help output in kv_patch 2018-04-25 03:21:13 -04:00
Brian Kassouf 817f816eb2
Fallback to version 1 if the vault server is too old to have the kv preflight endpoint (#4445) 2018-04-24 15:49:06 -07:00
Brian Kassouf 6d447d2671 Rename up path to internal/ui/mounts/<path> (#4435) 2018-04-23 18:16:10 -04:00