ab5014534e
Clone policy permissions and then use existing values rather than policy values for modifications ( #2826 )
...
Should fix #2804
2017-06-07 13:49:51 -04:00
e9b52ed928
Log auth info on permission denied due to ACL ( #2754 )
2017-06-05 18:04:31 -04:00
605d74d889
Don't try to clean up upgrades if we're sealed
2017-06-05 16:00:56 -04:00
fb9029e3dd
Log heartbeat stopping
2017-06-05 15:57:04 -04:00
f7df60b131
Allow accessing Warnings directly in Response. ( #2806 )
...
A change in copystructure has caused some panics due to the custom copy
function. I'm more nervous about production panics than I am about
keeping some bad code wiping out some existing warnings, so remove the
custom copy function and just allow direct setting of Warnings.
2017-06-05 10:52:43 -04:00
88c0367fa6
Add grpc keepalives as a fallback option for our heartbeating
2017-05-26 13:32:13 -04:00
3696c9b779
Input checks for policy rules ( #2771 )
...
* Input checks for policy rules
* Address review feedback
2017-05-26 10:48:41 -04:00
72a5b5e23b
Fix tests
2017-05-25 09:00:49 -04:00
df33f70df4
Heartbeat immediately upon connection
2017-05-24 21:45:51 -04:00
3d7db4248f
Rename peer cluster cache
2017-05-24 21:10:32 -04:00
5c230c796b
Add peer cluster address cache
2017-05-24 20:51:53 -04:00
bbe27aaedf
Add heartbeating and cluster address sharing to request forwarding ( #2762 )
2017-05-24 15:06:56 -04:00
9d4801b1e8
Revert grpc back a version (they introduced a panic) and clean up a bunch of old request forwarding stuff
2017-05-24 10:38:48 -04:00
0d4e7fba69
Remove non-gRPC request forwarding
2017-05-24 09:34:59 -04:00
7cc72a9066
Delay salt initialization for audit backends
2017-05-23 20:36:20 -04:00
aa40d2cff6
add gofmt checks to Vault and format existing code ( #2745 )
2017-05-19 08:34:17 -04:00
858deb9ca4
Don't allow parent references in file paths
2017-05-12 13:52:33 -04:00
d25aa9fc21
Don't write salts in initialization, look up on demand ( #2702 )
2017-05-09 17:51:09 -04:00
76ca5fc377
Allow non-strings to be used to set `ttl` field in generic. ( #2699 )
2017-05-09 14:05:00 -04:00
5b3d80042e
Fix mount test
2017-05-09 09:49:45 -04:00
e3c8be72cc
Fix local check on singleton required mounts
2017-05-09 08:36:10 -04:00
e0c2b37c2a
Add commenting to singletonMountTables
2017-05-08 13:39:18 -04:00
f50d345fa3
Fix imports.
...
Closes #2688
2017-05-08 10:23:29 -04:00
726bd6f379
Don't load a required mount if in secondary mode, let sync invalidate do that
2017-05-05 19:40:26 -04:00
3aafb3270c
Move singleton mount fetching function to mount.go and fix tests
2017-05-05 17:20:30 -04:00
b53331d345
Add token to singleton mounts
2017-05-05 16:45:48 -04:00
6f6f242061
Add logic to skip initialization in some cases and some invalidation logic
2017-05-05 15:01:52 -04:00
fa201f2505
auth/token/tidy log level update
2017-05-05 11:16:13 -04:00
55ef4f2566
Merge branch 'master-oss' into sys-tidy-leases
2017-05-05 10:53:41 -04:00
b482043de1
Update debugging around tidy
2017-05-05 10:48:12 -04:00
91e790867f
Address feedback
2017-05-05 10:26:40 -04:00
2d6dfbf147
Don't store the plugin directory prepended command in the barrier, prepend on get
2017-05-04 12:36:06 -07:00
5ee0d696d4
Merge remote-tracking branch 'oss/master' into database-refactor
2017-05-04 10:45:18 -07:00
b568ea751b
Move client token check in exp register to top
2017-05-04 12:45:57 -04:00
abd63096f8
Update comments
2017-05-04 12:44:31 -04:00
1a02f9be11
Fix up the tests
2017-05-04 12:41:15 -04:00
5683430cb7
Update Tidy function comment
2017-05-04 12:11:00 -04:00
d74b1b284a
Update commenting
2017-05-04 11:54:57 -04:00
9a91700263
Move tidy-leases to leases/tidy
2017-05-04 09:40:11 -04:00
f8295a301d
Merge branch 'master-oss' into sys-tidy-leases
2017-05-04 09:37:52 -04:00
3d9cf89ad6
Add the ability to view and list of leases metadata ( #2650 )
2017-05-03 22:03:42 -04:00
7250b3d01e
Fix comment typo
2017-05-03 20:25:55 -04:00
b7128f53a8
Add sys/leases/lookup and sys/leases/renew to the default policy
2017-05-03 20:22:16 -04:00
7f3891c734
Fix substitution of index/child in delete call
2017-05-03 15:09:13 -04:00
99884a8f13
Merge remote-tracking branch 'oss/master' into sys-tidy-leases
2017-05-03 15:02:42 -04:00
3b95e751c0
Add more cleanup if a lease fails to register and revoke tokens if registerauth fails
2017-05-03 14:29:57 -04:00
bb6b5f7aa6
Add taint flag for looking up by accessor
2017-05-03 13:08:50 -04:00
a1a0c2950f
logging updates
2017-05-03 12:58:10 -04:00
6aa7f9b7c9
Added logs when deletion fails so we can rely on server logs
2017-05-03 12:47:05 -04:00
bc5d5b7319
consistent logging
2017-05-03 12:45:22 -04:00
596ad2c8f7
Adhere to tainted status in salted accessor lookup
2017-05-03 12:36:10 -04:00
5f18b1605a
Two things:
...
1) Ensure that if we fail to generate a lease for a secret we attempt to revoke it
2) Ensure that any lease that is registered should never have a blank token
In theory, number 2 will let us a) find places where this *is* the case, and b) if errors are encountered when revoking tokens due to a blank client token, it suggests that the client token values are being stripped somewhere along the way, which is also instructive.
2017-05-03 12:17:09 -04:00
0553f7a8d1
change some logging output
2017-05-03 12:14:58 -04:00
c9bd54ad65
Less scary debugging
2017-05-03 11:15:59 -04:00
dd898ed2e1
Added summary logs to help better understand the consequence
2017-05-03 10:54:07 -04:00
9f682eb9cd
Test to check that leases with valid tokens are not being cleaned up
2017-05-02 18:12:03 -04:00
850cda7861
Added test to check the atomicity of the lease tidy operation
2017-05-02 18:06:59 -04:00
875658531b
Do not duplicate log lines for invalid leases
2017-05-02 17:56:15 -04:00
f644c34c5b
Remove unused TestCoreUnsealedWithListener function
2017-05-02 14:52:48 -07:00
5e0c03415b
Don't need to explictly set redirectAddrs
2017-05-02 14:44:14 -07:00
29d9b831d3
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process
2017-05-02 14:40:11 -07:00
403fd62c61
Check if multiple leases with same invalid token is getting cleaned up
2017-05-02 17:15:26 -04:00
5f70576715
Added steps to check if invalid token is properly cleaned up
2017-05-02 17:11:35 -04:00
668595b902
Added a test for tidying of empty token
2017-05-02 16:54:03 -04:00
68635e8a1c
Skip checking the validity of an empty client token
2017-05-02 16:53:41 -04:00
537342f038
Fixing printf (and similar) issues ( #2666 )
2017-05-01 23:34:10 -04:00
72d05cd8dd
Refactor locking code in lease tidy; add ending debug statements
2017-04-27 16:22:19 -04:00
d8e91ef616
refactor lock handling in token tidy function
2017-04-27 13:48:29 -04:00
f9c1426ac8
Use an atomic lock for tidy operation in token store
2017-04-27 11:41:33 -04:00
ac8aae36fe
Distinguish valid and invalid tokens using bool value in cache
2017-04-27 11:31:42 -04:00
58967c0bbd
Merge branch 'oss' into sys-tidy-leases
2017-04-27 11:23:48 -04:00
749ec4fab1
Some more logging updates
2017-04-27 11:20:55 -04:00
e64ba93d54
Cache only valid tokens
2017-04-27 11:08:11 -04:00
d256248095
Fix logging suggestions; put the policyStore nil check back in
2017-04-27 10:56:19 -04:00
1a60fede58
Updating revoke/renew to prefer PUT method ( #2646 )
2017-04-27 10:47:43 -04:00
50c0d520e1
Fix revoke tree test
2017-04-26 16:26:48 -07:00
3fd019574d
Fix logging levels
2017-04-26 17:29:04 -04:00
7c3e20e9c5
Fix the log statements
2017-04-26 17:17:19 -04:00
671353810b
Added caching of looked up tokens
2017-04-26 16:54:48 -04:00
9025ef16e4
Added logger to token store and logs to tidy function
2017-04-26 16:11:23 -04:00
27dd95156d
Revoke lease that has empty token; added logs
2017-04-26 15:48:28 -04:00
b939d049e4
Added atomic lock to ensure a single tidy operation is in progress
2017-04-26 15:07:58 -04:00
5909d81b7b
Merge branch 'oss' into clean-stale-leases
2017-04-26 15:07:27 -04:00
4a4c981fb2
Update error message to distinguish tree revocation issue from non-tree
2017-04-26 14:06:45 -04:00
b52b410a47
Update test to reflect the correct read response
2017-04-24 21:24:19 -07:00
e4e61ec18c
return a 404 when no plugin is found
2017-04-24 18:31:27 -07:00
cb1f1d418c
Only run Abs on the plugin directory if it's set
2017-04-24 16:20:20 -07:00
039bc19dd8
Fix test
2017-04-24 13:48:46 -07:00
5ff317eb8d
Update root paths test
2017-04-24 12:47:40 -07:00
ce9688ce8c
Change MlockDisabled to MlockEnabled
2017-04-24 12:21:49 -07:00
e06a78a474
Create unified aws auth backend ( #2441 )
...
* Rename builtin/credential/aws-ec2 to aws
The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.
* Expand aws-ec2 backend to more generic aws
This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.
* Add missing aws auth handler to CLI
This was omitted from the previous commit
* aws auth backend general variable name cleanup
Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.
* Update docs for the aws auth backend
* Refactor aws bind validation
* Fix env var override in aws backend test
Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.
* Update docs on use of IAM authentication profile
AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.
* Fix typo in aws auth cli help
* Respond to PR feedback
* More PR feedback
* Respond to additional PR feedback
* Address more feedback on aws auth PR
* Make aws auth_type immutable per role
* Address more aws auth PR feedback
* Address more iam auth PR feedback
* Rename aws-ec2.html.md to aws.html.md
Per PR feedback, to go along with new backend name.
* Add MountType to logical.Request
* Make default aws auth_type dependent upon MountType
When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.
* Pass MountPoint and MountType back up to the core
Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
657d433330
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object
2017-04-24 12:15:01 -07:00
c4e2ad74c5
Update path for the plugin catalog in logical system
2017-04-24 11:35:32 -07:00
6c8239ba03
Update the builtin keys; move catalog to core; protect against unset plugin directory
2017-04-24 10:30:33 -07:00
3ba162fea1
List should use a trailing slash
2017-04-21 15:37:43 -04:00
4d0aac963d
Fix tests
2017-04-21 10:24:34 -07:00
30b06b593c
Fix tests
2017-04-21 09:10:26 -07:00
6f9d178370
Calls to builtin plugins now go directly to the implementation instead of go-plugin
2017-04-20 18:46:41 -07:00
af9ff63e9a
Merge remote-tracking branch 'oss/master' into database-refactor
2017-04-19 15:16:00 -07:00
847c86f788
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
Jeff Mitchell