Commit graph

528 commits

Author SHA1 Message Date
Michael Golowka 635b957e76
Add x509 Client Auth to MongoDB Database Plugin (#8329)
* Mark deprecated plugins as deprecated

* Add redaction capability to database plugins

* Add x509 client auth

* Update vendored files

* Add integration test for x509 client auth

* Remove redaction logic pending further discussion

* Update vendored files

* Minor updates from code review

* Updated docs with x509 client auth

* Roles are required

* Disable x509 test because it doesn't work in CircleCI

* Add timeouts for container lifetime
2020-02-13 15:54:00 -07:00
Vishal Nayak c87d34d1a4
Seal migration with Raft (#8103)
* Seal migration after unsealing

* Refactor migration fields migrationInformation in core

* Perform seal migration as part of postUnseal

* Remove the sleep logic

* Use proper seal in the unseal function

* Fix migration from Auto to Shamir

* Fix the recovery config missing issue

* Address the non-ha migration case

* Fix the multi cluster case

* Avoid re-running seal migration

* Run the post migration code in new leaders

* Fix the issue of wrong recovery being set

* Address review feedback

* Add more complete testing coverage for seal migrations.   (#8247)

* Add more complete testing coverage for seal migrations.  Also remove VAULT_ACC gate from some tests that just depend on docker, cleanup dangling recovery config in storage after migration, and fix a call in adjustCoreForSealMigration that seems broken.

* Fix the issue of wrong recovery key being set

* Adapt tests to work with multiple cores.

* Add missing line to disable raft join.

Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>

* Fix all known issues

* Remove warning

* Review feedback.

* Revert my previous change that broke raft tests.  We'll need to come back and at least comment
this once we better understand why it's needed.

* Don't allow migration between same types for now

* Disable auto to auto tests for now since it uses migration between same types which is not allowed

* Update vault/core.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Add migration logs

* Address review comments

* Add the recovery config check back

* Skip a few steps if migration is already done

* Return from waitForLeadership if migration fails

Co-authored-by: ncabatoff <nick.cabatoff@gmail.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2020-02-13 16:27:31 -05:00
Calvin Leung Huang dac3382e15
external_tests: ensure derived cores are stable before proceeding on tests (#8342)
* external_tests: ensure derived cores are stable before proceeding on tests

* testhelpers: add min duration tolerance when checking stability on derived core
2020-02-13 13:18:53 -08:00
Jeff Malnick 27ad920399
Add redshift database plugin (#8299)
* feat: add redshift database plugin

* build: update vendored libraries

* docs: add reference doc for redshift variant of the database secrets engine

* feat: set middlewear type name for better metrics naming (#8346)

Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
2020-02-13 09:42:30 -08:00
Jeff Mitchell fedb451a12 Move reload and listenerutil into sdk 2020-02-13 10:40:02 -05:00
Jim Kalafut 2ee7b76469
Bundle MongoDB Atlas (#8309) 2020-02-07 14:09:39 -08:00
Jeff Mitchell d3adf1286d Migrate gated-writer to sdk 2020-01-23 14:00:15 -05:00
Jeff Mitchell 7826f8a284
Update gated-writer logic a bit (#8227)
This is to smooth some other changes coming once
https://github.com/hashicorp/go-hclog/pull/56 lands
2020-01-23 13:57:18 -05:00
ncabatoff db4345a2e6
Factor out mysqlhelper so we can create mysql docker containers in other tests. (#8167) 2020-01-16 17:51:10 -05:00
Vishal Nayak 8891f2ba88 Raft retry join (#7856)
* Raft retry join

* update

* Make retry join work with shamir seal

* Return upon context completion

* Update vault/raft.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Address some review comments

* send leader information slice as a parameter

* Make retry join work properly with Shamir case. This commit has a blocking issue

* Fix join goroutine exiting before the job is done

* Polishing changes

* Don't return after a successful join during unseal

* Added config parsing test

* Add test and fix bugs

* minor changes

* Address review comments

* Fix build error

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2020-01-13 17:02:16 -08:00
Jeff Mitchell a0694943cc
Migrate built in auto seal to go-kms-wrapping (#8118) 2020-01-10 20:39:52 -05:00
Becca Petrin 6291c75175
Add support for AWS instance metadata v2 (#8062)
* add support for aws instance metadata v2

* use GetDynamicData instead
2020-01-10 09:31:16 -08:00
Becca Petrin c2894b8d05
Add Kerberos auth agent (#7999)
* add kerberos auth agent

* strip old comment

* changes from feedback

* strip appengine indirect dependency
2020-01-09 14:56:34 -08:00
Brian Kassouf 549faf47f2
Add identity templating helper to sdk/framework (#8088)
* Add identity templating helper to sdk/framework

* Cleanup a bit

* Fix length issue when groups/aliases are filtered due to ns

* review feedback
2020-01-06 10:16:52 -08:00
Michel Vocks a3fd1a5f3c Add accept header check for prometheus mime type (#7958)
* Add accept header check for prometheus mime type

* Fix small header filter bug. Add test
2019-12-11 11:59:19 -08:00
Becca Petrin a7383b6d86
Add Kerberos SPNEGO auth plugin (#7908) 2019-12-11 11:18:37 -08:00
Calvin Leung Huang 7009dcc432
sdk/ldaputil: add request_timeout configuration option (#7909)
* sdk/ldaputil: add request_timeout configuration option

* go mod vendor
2019-11-20 11:26:13 -08:00
Brian Kassouf daf1d7f7ab Fix build for openbsd 2019-11-11 20:10:21 -08:00
Jim Kalafut 59e526614d
Run go fmt (#7823) 2019-11-07 08:54:34 -08:00
Calvin Leung Huang 8c31e45860
hostutil: query stats with context, update gopsutil, refactor tests (#7769)
* hostutil: query stats with context, update gopsutil, refactor tests

* go mod vendor

* minor comment wording
2019-11-01 10:12:22 -07:00
ncabatoff 13c00dfa38
Use docker instead of an external LDAP server that sometimes goes down (#7522) 2019-10-22 13:37:41 -04:00
Calvin Leung Huang ec00698866
hostutil: disable host info collection on openbsd (#7699) 2019-10-18 12:08:35 -07:00
ncabatoff 1c98152fa0
Shamir seals now come in two varieties: legacy and new-style. (#7694)
Shamir seals now come in two varieties: legacy and new-style. Legacy
Shamir is automatically converted to new-style when a rekey operation
is performed. All new Vault initializations using Shamir are new-style.

New-style Shamir writes an encrypted master key to storage, just like
AutoUnseal. The stored master key is encrypted using the shared key that
is split via Shamir's algorithm. Thus when unsealing, we take the key
fragments given, combine them into a Key-Encryption-Key, and use that
to decrypt the master key on disk. Then the master key is used to read
the keyring that decrypts the barrier.
2019-10-18 14:46:00 -04:00
Vishal Nayak 0d077d7945
Recovery Mode (#7559)
* Initial work

* rework

* s/dr/recovery

* Add sys/raw support to recovery mode (#7577)

* Factor the raw paths out so they can be run with a SystemBackend.

# Conflicts:
#	vault/logical_system.go

* Add handleLogicalRecovery which is like handleLogical but is only
sufficient for use with the sys-raw endpoint in recovery mode.  No
authentication is done yet.

* Integrate with recovery-mode.  We now handle unauthenticated sys/raw
requests, albeit on path v1/raw instead v1/sys/raw.

* Use sys/raw instead raw during recovery.

* Don't bother persisting the recovery token.  Authenticate sys/raw
requests with it.

* RecoveryMode: Support generate-root for autounseals (#7591)

* Recovery: Abstract config creation and log settings

* Recovery mode integration test. (#7600)

* Recovery: Touch up (#7607)

* Recovery: Touch up

* revert the raw backend creation changes

* Added recovery operation token prefix

* Move RawBackend to its own file

* Update API path and hit it using CLI flag on generate-root

* Fix a panic triggered when handling a request that yields a nil response. (#7618)

* Improve integ test to actually make changes while in recovery mode and
verify they're still there after coming back in regular mode.

* Refuse to allow a second recovery token to be generated.

* Resize raft cluster to size 1 and start as leader (#7626)

* RecoveryMode: Setup raft cluster post unseal (#7635)

* Setup raft cluster post unseal in recovery mode

* Remove marking as unsealed as its not needed

* Address review comments

* Accept only one seal config in recovery mode as there is no scope for migration
2019-10-15 00:55:31 -04:00
Brian Kassouf 024c29c36a
OSS portions of raft non-voters (#7634)
* OSS portions of raft non-voters

* add file

* Update vault/raft.go

Co-Authored-By: Vishal Nayak <vishalnayak@users.noreply.github.com>
2019-10-11 11:56:59 -07:00
Gerardo Di Giacomo 884067097c fixed panic in #7485 (#7546) 2019-10-09 10:22:46 -04:00
Michel Vocks a0c122926a
Unauth metrics: Fix missing parse form and error response (#7569)
* Unauth metrics: Fix missing parse form and error response

* Change metrics error response to text/plain content type always
2019-10-08 14:55:25 +02:00
Calvin Leung Huang 3f1c7c86a0
sys: add host-info endpoint (#7330)
* sys: add host-info endpoint, add client API method

* remove old commented handler

* add http tests, fix bugs

* query all partitions for disk usage

* fix Timestamp decoding

* add comments for clarification

* dont append a nil entry on disk usage query error

* remove HostInfo from the sdk api

We can use Logical().Read(...) to query this endpoint since the payload is contained with the data object. All warnings are preserved under Secret.Warnings.

* ensure that we're testing failure case against a standby node

* add and use TestWaitStandby to ensure core is on standby

* remove TestWaitStandby

* respond with local-only error

* move HostInfo into its own helper package

* fix imports; use new no-forward handler

* add cpu times to collection

* emit clearer multierrors/warnings by collection type

* add comments on HostInfo fields
2019-10-03 09:43:52 -07:00
Jim Kalafut 6a18155968
Add OCI auth to builtin plugin registry (#7436) 2019-09-05 13:50:12 -07:00
Becca Petrin 64ecf46fb6
rename pcf to cf maintaining backwards compat (#7346) 2019-08-26 09:55:08 -07:00
ncabatoff 366add2979
Generalization of the PhysicalFactory notion introduced by Raft (#7217)
Generalization of the PhysicalFactory notion introduced by Raft, so it can be used by other storage backends in tests.  These are the OSS changes needed for my rework of the ent integ tests and cluster helpers.
2019-08-23 15:51:25 -04:00
ncabatoff ec2a1a11a6
Make -dev-four-cluster an ent-only option and remove ent-specific testhelpers (#7215) 2019-08-23 11:53:18 -04:00
ncabatoff c1d557144c
Eliminate a race stemming from each core's monitoring goroutine sharing the client for the active node. (#7255) 2019-08-05 21:39:38 -04:00
Jeff Mitchell f0a9d9910f
Revert "Generalize and improve testcluster-building code (#7177)" (#7212)
This reverts commit d177fc7dd1aa7beda8b1c5bf5a8a4e85d725cca5.
2019-07-30 01:04:06 -04:00
ncabatoff 7512a71a4c
Generalize and improve testcluster-building code (#7177)
There are a few different things happening in this change.  First, some code that previously lived in enterprise has moved here: this includes some helper code for manipulating clusters and for building storage backends.  Second, the existing cluster-building code using inmem storage has been generalized to allow various storage backends. Third, added support for creating two-cluster DR setups. Finally, there are tweaks to handle edge cases that
result in intermittent failures, or to eliminate sleeps in favour of polling to detect state changes.

Also: generalize TestClusterOptions.PhysicalFactory so it can be used either
as a per-core factory (for raft) or a per-cluster factory (for other
storage backends.)
2019-07-26 16:42:51 -04:00
Jeff Mitchell 87d70a9a44 Pull over testhelpers change 2019-07-25 08:33:12 -04:00
Jeff Mitchell f97550833f Make fmt 2019-07-24 12:41:28 -04:00
ncabatoff b5b5b982ff
Generate traffic to ensure wal segments are sent to standbys (#7182)
We're waiting to see standbys receive wals but aren't generating traffic, so the condition is never satisfied.  Fixed by continuously updating a KV value.  It's a little weird to do so in each of the
goroutines, but there's no harm and it's simplest.
2019-07-24 12:39:03 -04:00
ncabatoff 1047a6b81e
Various improvements to testhelpers. (#7174)
Various improvements to testhelpers.  
* WaitForActiveNodeAndPerfStandbys is used to make sure a cluster is fully ready, i.e. both its active node and perf standbys are in a good state. 
* WaitForReplicationStatus is like WaitForReplicationState but uses the API, part of a general
effort to move us away from interacting with Core directly in these tests.
* WaitForPerfReplicationWorking is similar to some code that exists in ent already: it writes to the primary and waits to see that appear on the secondary.
2019-07-23 15:12:04 -04:00
Jeff Mitchell 0b32a3c501 Abstract out adding external plugins 2019-07-22 13:14:56 -04:00
Jeff Mitchell 19f669a52f Sync some changes that weren't properly pulled over 2019-07-22 13:11:00 -04:00
Jim Kalafut 62e2aeb952
Rename entity group membership template parameters (#7099) 2019-07-19 10:08:47 -07:00
Jeff Mitchell 7b8c0b58f1
Call goimports as well as gofmt when doing a make fmt (#7148)
Closes #7147
2019-07-18 21:04:56 -04:00
Clint f27dc7d5f8 Combined Database backend: Add Static Account support to MongoDB (#7003)
* Implement SetCredentials for MongoDB, adding support for static accounts

* rework SetCredentials to split from CreateUser, and to parse the url for database

* Add integration test for mongodb static account rotation

* check the length of the password results to avoid out-of-bounds

* remove unused method

* use the pre-existing test helper for this. Add parse method to helper

* remove unused command
2019-07-05 14:57:01 -04:00
Brian Kassouf 4d7d0d729a
storage/raft: When restoring a snapshot preseal first (#7011)
* storage/raft: When restoring a snapshot preseal first

* best-effort allow standbys to apply the restoreOp before sealing active node

* Don't cache the raft tls key

* Update physical/raft/raft.go

* Move pending raft peers to core

* Fix race on close bool

* Extend the leaderlease time for tests

* Update raft deps

* Fix audit hashing

* Fix race with auditing
2019-07-03 13:56:30 -07:00
Jeff Mitchell 924ec944b5 Add connection to test request 2019-07-02 21:04:54 -04:00
Brian Kassouf 62e14c280d
storage/raft: fix races in tests (#6996)
* storage/raft: fix races in tests

* Fix another test race
2019-06-27 10:00:03 -07:00
Jeff Mitchell cf93f60bb1
Allow turning on client auth in test clusters (#6958) 2019-06-23 21:50:27 -04:00
Jim Kalafut 2bf5db4fe8 Add OIDC token generation to Identity (#6900)
* Add OIDC token generation to Identity

There are a few open TODOs and some remaining cleanup, but this is
functionally complete and ready for review.

(Tests will being added soon.)

* Simplified key update endpoint

* Cache the config

* Fix Issuer handling

* Suppose base64-encoded templates (#6919)

* Cache JWKS and switch to go-cache (#6918)

* Address review comments

* Add warning if neither Issue nor api_addr are set

* adds tests (#6937)

* adds help synopsis and descriptions to the framework path for the oid… (#6930)

* adds help synopsis and descriptions to the framework path for the oidc backend

* Update vault/identity_store_oidc.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* Add Now parameter to PopulateStringInput

* Addressing review comments

* Refactor template processing to improve mode-specific handling

* adds a test for the periodic func (#6943)

* adds a test for the periodic func

* removes commented out code

* adds a comment

* Add comments
2019-06-21 10:23:39 -07:00
Jeff Mitchell 1ee99c0002
Don't return an error if storagepacker is told to delete no items (#6941)
Just be idempotent -- nothing to delete means nothing to do
2019-06-20 17:46:58 -04:00