83 commits

Author SHA1 Message Date
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities.
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell cf4b88c196 Write HMAC-SHA256'd client token to audited requests
Fixes #713
2015-10-29 13:26:18 -04:00
Jeff Mitchell c8a0eda224 Use hmac-sha256 for protecting secrets in audit entries 2015-09-19 11:29:31 -04:00
Jeff Mitchell 5dde76fa1c Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass. 2015-09-18 17:38:30 -04:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell ea9fbb90bc Rejig Lease terminology internally; also, put a few JSON names back to their original values 2015-08-20 22:27:01 -07:00
Jeff Mitchell 93ef9a54bd Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod 2015-08-20 18:00:51 -07:00
Erik Kristensen a394678ec1 update tests 2015-08-05 08:44:48 -06:00
Erik Kristensen 2125017cb9 add a time field to the log entries 2015-08-05 07:47:39 -06:00
Armon Dadgar 496ebe561c vault: cleanups for the audit log changes 2015-06-29 15:27:28 -07:00
Armon Dadgar add8e1a3fd Fixing merge conflict 2015-06-29 15:19:04 -07:00
Mitchell Hashimoto 0809378c9b audit: some tests 2015-06-19 03:31:19 -07:00
Nate Brown 91611a32c9 Fixing tests 2015-06-18 20:14:20 -07:00
Nate Brown 3a860fe5c1 Actually not logging auth in the response if nil 2015-06-18 19:48:00 -07:00
Nate Brown 4ec685dc1a Logging authentication errors and bad token usage 2015-06-18 18:30:18 -07:00
Nate Brown c55f103c58 Adding error and remote_address to audit log lines 2015-06-18 17:17:18 -07:00
Mitchell Hashimoto a9f8d6243c audit: add display name to auth [GH-176] 2015-05-11 10:40:32 -07:00
Armon Dadgar 46636ea52c audit: Guard against a few nil pointer cases 2015-04-27 15:56:40 -07:00
Mitchell Hashimoto c18f3928df audit: add more tests for copying 2015-04-27 15:54:14 -07:00
Armon Dadgar a837db6570 audit: Document that arguments must not be modified 2015-04-27 14:24:11 -07:00
Mitchell Hashimoto e77e2d8c98 audit: docs 2015-04-22 07:42:37 +02:00
Mitchell Hashimoto 1b34aae7f1 audit: separate hashing from formatting to facilitate raw 2015-04-22 07:41:53 +02:00
Mitchell Hashimoto ed388c100d audit: hash all the req/resp structures 2015-04-21 16:20:31 +01:00
Mitchell Hashimoto 7edc41b6da audit: fix failing test 2015-04-21 16:15:04 +01:00
Mitchell Hashimoto 82252c0d34 audit: sanity sha1 test 2015-04-21 16:14:26 +01:00
Mitchell Hashimoto 97ff2ad09b audit: add SHA1 hash callback 2015-04-21 16:13:06 +01:00
Mitchell Hashimoto 2a6bb96276 audit: add hashstructure 2015-04-21 16:02:03 +01:00
Mitchell Hashimoto ee2b113831 audit/file: append 2015-04-19 22:43:39 -07:00
Mitchell Hashimoto 358845053b audit: JSON formatter 2015-04-13 14:12:03 -07:00
Armon Dadgar 0f40bb75c0 audit: Adding basic interface methods 2015-04-01 13:54:50 -07:00
Armon Dadgar 615e209296 audit: Basic interface 2015-03-27 13:43:23 -07:00