Commit graph

188 commits

Author SHA1 Message Date
Jeff Mitchell d6a9a770c1 Sync some seal testing stuff 2017-10-23 13:42:04 -04:00
Vishal Nayak f7ed6732a5 Porting identity store (#3419)
* porting identity to OSS

* changes that glue things together

* add testing bits

* wrapped entity id

* fix mount error

* some more changes to core

* fix storagepacker tests

* fix some more tests

* fix mount tests

* fix http mount tests

* audit changes for identity

* remove upgrade structs on the oss side

* added go-memdb to vendor
2017-10-11 10:21:20 -07:00
Chris Hoffman 1029ad3b33 Rename "generic" secret backend to "kv" (#3292) 2017-09-15 09:02:29 -04:00
Chris Hoffman 9d73c81f38 Disable the sys/raw endpoint by default (#3329)
* disable raw endpoint by default

* adding docs

* config option raw -> raw_storage_endpoint

* docs updates

* adding listing on raw endpoint

* reworking tests for enabled raw endpoints

* root protecting base raw endpoint
2017-09-15 00:21:35 -04:00
Chris Hoffman 71952b7738 ExpirationManager restoration to load in the background (#3260) 2017-09-05 11:09:00 -04:00
Jeff Mitchell d7e933a072 Fix inverted skipinit logic 2017-09-04 18:39:57 -04:00
Jeff Mitchell 4785e56283 Fix nil pointer on test 2017-09-04 18:08:56 -04:00
Jeff Mitchell 0da8fa412d DoNotInit -> SkipInit 2017-09-04 16:29:43 -04:00
Jeff Mitchell cbb0313f78 Add option to NewTestCluster to not init 2017-09-04 16:28:21 -04:00
Calvin Leung Huang a581e96b78 Lazy-load plugin mounts (#3255)
* Lazy load plugins to avoid setup-unwrap cycle

* Remove commented blocks

* Refactor NewTestCluster, use single core cluster on basic plugin tests

* Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly

* Add special path to mock plugin

* Move ensureCoresSealed to vault/testing.go

* Use same method for EnsureCoresSealed and Cleanup

* Bump ensureCoresSealed timeout to 60s

* Correctly handle nil opts on NewTestCluster

* Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap

* Check metadata flag directly on the plugin process

* Plumb isMetadataMode down to PluginRunner

* Add NOOP shims when running in metadata mode

* Remove unused flag from the APIMetadata object

* Remove setupSecretPlugins and setupCredentialPlugins functions

* Move when we setup rollback manager to after the plugins are initialized

* Fix tests

* Fix merge issue

* start rollback manager after the credential setup

* Add guards against running certain client and server functions while in metadata mode

* Call initialize once a plugin is loaded on the fly

* Add more tests, update basic secret/auth plugin tests to trigger lazy loading

* Skip mount if plugin removed from catalog

* Fixup

* Remove commented line on LookupPlugin

* Fail on mount operation if plugin is re-added to catalog and mount is on existing path

* Check type and special paths on startBackend

* Fix merge conflicts

* Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth
2017-09-01 01:02:03 -04:00
Jeff Mitchell 3edb337a00 Add option to set cluster TLS cipher suites. (#3228)
* Add option to set cluster TLS cipher suites.

Fixes #3227
2017-08-30 16:28:23 -04:00
Jeff Mitchell 48bf1d6edc Add core sealing to test cluster shutdown 2017-08-15 17:06:38 -04:00
Tony Cai 12a1681122 Fix minor typo (#3120) 2017-08-07 09:52:49 -04:00
Jeff Mitchell fdaaaadee2 Migrate physical backends into separate packages (#3106) 2017-08-03 13:24:27 -04:00
Brian Kassouf e0713b307d Add Testing Interface to test helpers (#3091)
* Add testing interface

* Add vendored files
2017-08-01 11:07:08 -07:00
Jeff Mitchell d0f329e124 Add leader cluster address to status/leader output. (#3061)
* Add leader cluster address to status/leader output. This helps in
identifying a particular node when all share the same redirect address.

Fixes #3042
2017-07-31 18:25:27 -04:00
Jeff Mitchell 2b05ab962c Use certIPs in all test certs, not just CA 2017-07-31 17:35:51 -04:00
Jeff Mitchell 5074ccb9f3 Fix up tests 2017-07-31 15:31:44 -04:00
Jeff Mitchell 1b603b8e22 Validate opts is not nil in NewTestCluster 2017-07-31 12:13:29 -04:00
Jeff Mitchell 1bfc6d4fe7 Add a -dev-three-node option for devs. (#3081) 2017-07-31 11:28:06 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Jeff Mitchell 753b68fa1b Port TestCluster changes from proxy branch 2017-07-03 14:54:01 -04:00
vishalnayak 3f9ec7a2e2 fix expiration tests 2017-06-30 21:31:27 -04:00
Jeff Mitchell 034a1f91be Fix missed 10->100 conversion in tests 2017-06-29 01:45:48 -04:00
Jeff Mitchell 4502b649c6 Use more separation between test cluster ports for OSX' sake 2017-06-29 00:29:17 -04:00
Jeff Mitchell 9d4801b1e8 Revert grpc back a version (they introduced a panic) and clean up a bunch of old request forwarding stuff 2017-05-24 10:38:48 -04:00
Jeff Mitchell 7cc72a9066 Delay salt initialization for audit backends 2017-05-23 20:36:20 -04:00
Brian Kassouf f644c34c5b Remove unused TestCoreUnsealedWithListener function 2017-05-02 14:52:48 -07:00
Brian Kassouf 5e0c03415b Don't need to explictly set redirectAddrs 2017-05-02 14:44:14 -07:00
Brian Kassouf 29d9b831d3 Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process 2017-05-02 14:40:11 -07:00
Brian Kassouf db91a80540 Update plugin test 2017-04-10 14:12:28 -07:00
Brian Kassouf 93136ea51e Add backend test 2017-04-07 15:50:03 -07:00
Brian Kassouf 29ae4602dc More work on getting tests to pass 2017-03-23 15:54:15 -07:00
Jeff Mitchell 09543dceeb Rejig core standby logic to check validity of barrier during active transition 2017-02-28 18:17:30 -05:00
Jeff Mitchell 2cc0906b33 Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 (#2412) 2017-02-27 12:49:35 -05:00
Jeff Mitchell b29861f7bb Do some porting to make diffing easier 2017-02-24 10:45:29 -05:00
Jeff Mitchell f37b6492d1 More rep porting (#2391)
* More rep porting

* Add a bit more porting
2017-02-16 23:09:39 -05:00
Brian Kassouf 13ec9c5dbf Load leases into the expiration manager in parallel (#2370)
* Add a benchmark for exiration.Restore

* Add benchmarks for consul Restore functions

* Add a parallel version of expiration.Restore

* remove debug code

* Up the MaxIdleConnsPerHost

* Add tests for etcd

* Return errors and ensure go routines are exited

* Refactor inmem benchmark

* Add s3 bench and refactor a bit

* Few tweaks

* Fix race with waitgroup.Add()

* Fix waitgroup race condition

* Move wait above the info log

* Add helper/consts package to store consts that are needed in cyclic packages

* Remove not used benchmarks
2017-02-16 10:16:06 -08:00
Jeff Mitchell 69eb5066dd Multi value test seal (#2281) 2017-01-17 15:43:10 -05:00
Jeff Mitchell 252e1f1e84 Port over some work to make the system views a bit nicer 2017-01-13 14:51:27 -05:00
vishalnayak adb6ac749f init: pgp-keys input validations 2017-01-11 23:32:38 -05:00
Armon Dadgar c37d17ed47 Adding interface methods to logical.Backend for parity (#2242) 2017-01-07 18:18:22 -05:00
Thomas Soëte 90b392c7fc Fix panic() in test suite (#2149)
As `base` could be nil, move check in `if base != nil`
2016-12-02 06:31:06 -05:00
Jeff Mitchell 49284031c6 Respect logger in TestCluster 2016-12-01 15:25:10 -05:00
Jeff Mitchell e381c189e4 Fix cluster testing on OSX; see the inline comment for details 2016-11-08 10:31:35 -05:00
Jeff Mitchell 6d00f0c483 Adds HUP support for audit log files to close and reopen. (#1953)
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.

As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
Jeff Mitchell b45a481365 Wrapping enhancements (#1927) 2016-09-28 21:01:28 -07:00
Jeff Mitchell f0203741ff Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Jeff Mitchell 722e26f27a Add support for PGP encrypting the initial root token. (#1883) 2016-09-13 18:42:24 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell bdcfe05517 Clustering enhancements (#1747) 2016-08-19 11:03:53 -04:00
Jeff Mitchell 37320f8798 Request forwarding (#1721)
Add request forwarding.
2016-08-15 09:42:42 -04:00
Jeff Mitchell a57996ac08 Add to auth/audit too 2016-05-26 13:38:51 -04:00
Jeff Mitchell 60975bf76e Revert "Remove a few assumptions regarding bash(1) being located in /bin." 2016-05-15 15:22:21 -04:00
Sean Chittenden f91114fef5
Remove a few assumptions regarding bash(1) being located in /bin.
Use sh(1) where appropriate.
2016-05-15 11:41:14 -07:00
Jeff Mitchell 0b8e3457d3 Move TestSeal funcs to sealtesting 2016-04-27 20:59:06 +00:00
Sean Chittenden aeea7628d6 Add a *log.Logger argument to physical.Factory
Logging in the backend is a good thing.  This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
Jeff Mitchell 98d09b0dc6 Add seal tests and update generate-root and others to handle dualseal. 2016-04-25 19:39:04 +00:00
Adam Shannon fb07d07ad9 all: Cleanup from running go vet 2016-04-13 14:38:29 -05:00
Jeff Mitchell afae46feb7 SealInterface 2016-04-04 10:44:22 -04:00
Jeff Mitchell 973c888833 RootGeneration->GenerateRoot 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b994dbc7f Add the ability to generate root tokens via unseal keys. 2016-01-19 18:28:10 -05:00
Jeff Mitchell 9db22dcfad Address some more review feedback 2016-01-12 15:09:16 -05:00
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities.
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell 47e8c0070a Don't use leases on the generic backend...with a caveat.
You can now turn on and off the lease behavior in the generic backend by
using one of two factories. Core uses the normal one if it's not already
set, so unit tests can use the custom one and all stay working.

This also adds logic into core to check, when the response is coming
from a generic backend, whether that backend has leases enabled. This
adds some slight overhead.
2015-09-21 16:37:37 -04:00
Jeff Mitchell 5dde76fa1c Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass. 2015-09-18 17:38:30 -04:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Lassi Pölönen fb07cf9f53 Implement clean up routine to backend as some backends may require
e.g closing database connections on unmount to avoud connection
stacking.
2015-09-11 11:45:58 +03:00
Jeff Mitchell c460ff10ca Push a lot of logic into Router to make a bunch of it nicer and enable a
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
Jeff Mitchell 488d33c70a Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00
vishalnayak 9324db7979 Vault SSH: verify echo test 2015-08-18 16:48:50 -07:00
Vishal Nayak ed258f80c6 Vault SSH: Refactoring and fixes 2015-07-10 18:44:31 -06:00
Vishal Nayak 89a0e37a89 Vault SSH: Backend and CLI testing 2015-07-10 16:18:02 -06:00
Vishal Nayak 3c7dd8611c Vault SSH: Test case skeleton 2015-07-10 09:56:14 -06:00
Armon Dadgar 541014e315 logical: remove SetLogger method 2015-06-30 17:39:39 -07:00
Armon Dadgar 41b72a4d39 vault: provide view to backend initializer for setup 2015-06-30 17:30:43 -07:00
Nate Brown 4ec685dc1a Logging authentication errors and bad token usage 2015-06-18 18:30:18 -07:00
Armon Dadgar 8ee5aebb3c vault: testing raw responses 2015-05-27 14:19:12 -07:00
Seth Vargo 95c8001388 Disable mlock in tests 2015-04-28 22:18:00 -04:00
Mitchell Hashimoto 6218c2729d http: audit endpoints 2015-04-01 18:36:13 -07:00
Mitchell Hashimoto aba7fc1910 http: auth handlers 2015-03-31 20:24:51 -07:00
Mitchell Hashimoto e9a3a34c27 vault: tests passing 2015-03-29 16:18:08 -07:00
Mitchell Hashimoto 4cacaf62f0 http: support auth 2015-03-29 16:14:54 -07:00
Armon Dadgar 20c2375352 vault: Adding ACL enforcement 2015-03-24 11:37:07 -07:00
Mitchell Hashimoto 9d84e7bacc vault: don't copy the key so it can be zeroed, document, add helper 2015-03-14 18:25:55 -07:00
Mitchell Hashimoto 866b91d858 vault: public TestCoreUnsealed, don't modify key in Unseal
/cc @armon - I do a key copy within Unseal now. It tripped me up for
quite awhile that that method actually modifies the param in-place and I
can't think of any scenario that is good for the user. Do you see any
issues here?
2015-03-14 17:47:11 -07:00
Mitchell Hashimoto f43a0290cf vault: public testing methods 2015-03-13 12:53:09 -07:00