Commit graph

1133 commits

Author SHA1 Message Date
Jeff Mitchell 1d982c234f
Fix some more test failures and recursive locking (#6549) 2019-04-08 13:40:54 -04:00
Calvin Leung Huang c336059812 agent/cache: add comment around APIProxy.Send return case 2019-04-05 13:58:12 -07:00
ncabatoff ef1926b5e4 Agent auto auth wrapping new config checks (#6479)
* Simplify Run(): the function that was being sent over a channel doesn't
need to close over anything except latestToken, and we don't need to
create a new one each iteration.  Instead just pass the relevant items,
namely the token and sink to work on.

* Disallow the following config combinations:
1. auto_auth.method.wrap_ttl > 0 and multiple file sinks
2. auto_auth.method.wrap_ttl > 0 and single file sink with wrap_ttl > 0
3. auto_auth.method.wrap_ttl > 0 and cache.use_auto_auth_token = true

* Expose errors that occur when APIProxy is forwarding request to Vault.

* Fix merge issues.
2019-04-05 16:12:54 -04:00
Becca Petrin 339cfcaaf8 merge master 2019-04-01 13:52:44 -07:00
Alessandro De Blasis c96362d466 agent: allow AppRole Auto-Auth when bind_secret_id = false (#6324)
* agent: allow AppRole Auto-Auth when bind_secret_id = false
2019-04-01 16:27:54 -04:00
ncabatoff d8043c544f Add support in Agent for running cache+auto_auth without any sinks (#6468)
* Add support in Agent for running cache+auto_auth without any sinks
configured.

* Add missing fixture.
2019-04-01 16:26:41 -04:00
Calvin Leung Huang c7a38cdd23 set configSeal.Type to the type specified via the env var if provided (#6453) 2019-03-25 16:52:20 -07:00
Jeff Mitchell 1182f31228 Correct migration case to Shamir where it's not explicit (#6458)
If you were migrating to Shamir but didn't specify a Shamir block
migration would fail. Being explicit is nice but it's also not really
obvious since you don't need the block normally.
2019-03-25 16:50:58 -07:00
Becca Petrin b3655627c4 fix typo (#6469) 2019-03-25 10:56:04 -07:00
stuio 2a678fa75a minor improvements to unseal inline docs (#6449) 2019-03-21 05:57:46 -07:00
T.K 453f1ac109 changed misspelled english words (#6432) 2019-03-19 09:32:45 -04:00
ncabatoff fab1fde145
Move listener config from 'cache' block to top-level 'listener' blocks. Allow cache without auto-auth. (#6421)
* Since we want to use the Agent listener for #6384, move listener config
from top-level 'cache' block to new top-level 'listeners' block.

* Make agent config allow cache and listener blocks without auto-auth
configured.
2019-03-15 14:58:53 -04:00
ncabatoff cb3e3e578d Fix windows build by moving references to SIGUSR2 into a file not built (#6422)
on windows.
2019-03-15 10:12:48 -07:00
ncabatoff 1fcfcbd8f2
Receiving a SIGUSR2 makes Vault log the running goroutines' stacks. (#6240)
* Receiving a SIGUSR2 makes Vault log the running goroutines' stacks.
2019-03-15 09:27:53 -04:00
Jim Kalafut 5220e90c60 Fix improperly formatted help output strings (#6414) 2019-03-14 13:57:28 -07:00
Iskander (Alex) Sharipov b4d30a1b6c all: fix no-op append calls (#6360)
Append call in form of `append(s)` has no effect,
it just returns `s`. Sometimes such invocation is a sign
of a programming error, so it's better to remove these.

Signed-off-by: Iskander Sharipov <quasilyte@gmail.com>
2019-03-14 13:40:30 -07:00
Philipp Bandow 1145308e87 ssh on windows: fix file handling problem (#6359) 2019-03-14 13:39:34 -07:00
Vishal Nayak f7907c2809 Agent: Listener refactoring and socket file system permissions (#6397)
* Listener refactoring and file system permissions

* added listenerutil and move some common code there

* Added test for verifying socket file permissions

* Change default port of agent to 8200

* address review feedback

* Address review feedback

* Read socket options from listener config
2019-03-14 11:53:14 -07:00
Michel Vocks d78c059626
Added warning for auto unseal init command (#6398)
* Added warning when init command uses auto unseal and -key-shares and -key-threshold was set

* Reworked

* Update command/operator_init.go

Co-Authored-By: michelvocks <michelvocks@gmail.com>
2019-03-13 18:06:39 +01:00
Calvin Leung Huang b7dcef399d
agent/caching: add X-Cache and Age headers (#6394)
* agent/caching: add X-Cache and Age headers, update Date header on cached resp

* Update command/agent/cache/lease_cache.go

Co-Authored-By: calvn <cleung2010@gmail.com>

* Update command/agent/cache/proxy.go

Co-Authored-By: calvn <cleung2010@gmail.com>
2019-03-12 13:21:02 -07:00
Calvin Leung Huang 86df7ee2d5
agent/caching: use locks on LeaseCache.Send (#6374)
* agent/caching: use locks on LeaseCache.Send to prevent running multiple renewer goroutines

* update comment
2019-03-07 15:50:12 -08:00
Jeff Mitchell cf350a48b7 HSM -> Auto Unseal in init help output 2019-03-07 15:10:50 -05:00
Jim Kalafut 9cd9c0624c
Fix hanging on empty keys during operator migrate (#6371) 2019-03-07 11:48:48 -08:00
Christopher McNabb 2ceb696d55 Use proper pathSeparator for the operating system (#6347)
* Use proper pathSeparator for the operating system

When running on Windows use the backslash as the path separator, other wise use the forward slash
2019-03-07 09:51:10 -05:00
Vishal Nayak 25b055505a
Avoid redundant client creation (#6361) 2019-03-06 22:09:55 -05:00
Calvin Leung Huang e6798347a7
Refactor handleCacheClear input params (#6350)
* Refactor handleCacheClear input params

* address review feedback

* fix handleCacheClear's token_accessor case
2019-03-06 18:08:19 -08:00
Calvin Leung Huang a74b0deac0
agent/caching: proxy redirect and non-json responses; update tests (#6353)
* agent/caching: proxy redirect and non-json responses; update tests

* agent/caching: do not wrap error responses as internal errors, simply proxy them back as-is

* minor refactoring of APIProxy.Send logic

* add test case to ensure error response is not wrapped
2019-03-06 17:23:20 -08:00
Vishal Nayak d0b9454518
Agent Cache doc updates (#6331)
* Agent Cache doc updates

* doc update

* Add renewal management section

* doc updates

* paraphrase the orphan token case
2019-03-05 15:19:52 -05:00
Vishal Nayak d8f39d54c9
Change agent's port to 8007 (#6348) 2019-03-05 12:57:17 -05:00
Vishal Nayak ffcd85e1af
Test request token overriding auto-auth case (#6346) 2019-03-05 12:49:58 -05:00
Becca Petrin 1909b20217 merge master 2019-03-05 09:39:53 -08:00
Vishal Nayak 59e8632d2d
Refactor respond error function (#6343) 2019-03-05 11:43:30 -05:00
Calvin Leung Huang d73216b5c3
Fix TestLeaseCache_SendCacheable (#6333) 2019-03-04 15:18:52 -08:00
Jeff Mitchell a83ed04730 Add ability to migrate autoseal to autoseal (#5930)
* Add ability to migrate autoseal to autoseal

This adds the ability to migrate from shamir to autoseal, autoseal to
shamir, or autoseal to autoseal, by allowing multiple seal stanzas. A
disabled stanza will be used as the config being migrated from; this can
also be used to provide an unwrap seal on ent over multiple unseals.

A new test is added to ensure that autoseal to autoseal works as
expected.

* Fix test

* Provide default shamir info if not given in config

* Linting feedback

* Remove context var that isn't used

* Don't run auto unseal watcher when in migration, and move SetCores to SetSealsForMigration func

* Slight logic cleanup

* Fix test build and fix bug

* Updates

* remove GetRecoveryKey function
2019-03-04 14:11:56 -08:00
Jeff Mitchell 718ae5a010 Minor syncs 2019-03-04 13:35:22 -05:00
Calvin Leung Huang c5aaf8dcb0
agent/caching: simplify orphan check; add orphan token creation tests (#6322) 2019-03-01 17:57:25 -08:00
Vishal Nayak ce42e9ea1f
Add locking around base context (#6321)
Got offline 👍 from Calvin.
2019-03-01 20:30:14 -05:00
Vishal Nayak a5195949d9
added client_key and client_cert options to the agent config (#6319) 2019-03-01 15:11:16 -05:00
Calvin Leung Huang 23395891d3
agent/caching: refactor ContextInfo (#6311)
* agent/caching: refactor ContextInfo

* use NewContextInfo in NewLeaseCache
2019-03-01 11:20:36 -08:00
vishalnayak d31c5fe4d9 Agent config vault block should be optional 2019-03-01 12:23:00 -05:00
Michel Vocks f2d022ac20
Print warning when 'tls_cipher_suites' includes blacklisted cipher suites (#6300)
* Implemented a warning when tls_cipher_suites includes only cipher suites which are not supprted by the HTTP/2 spec

* Added test for cipher suites

* Added hard fail on startup when all defined cipher suites are blacklisted. Added warning when some ciphers are blacklisted.

* Replaced hard failure with warning. Removed bad cipher util function and replaced it by external library.

* Added missing dependency. Fixed renaming of package name.
2019-03-01 16:48:06 +01:00
Vishal Nayak ac2b499fc9
Support reading Vault's address from Agent's config file (#6306)
* Support reading Vault's address from Agent's config file

* use consts and switch

* Add tls options to agent config vault block

* Update command/agent/config/config.go

Co-Authored-By: vishalnayak <vishalnayak@users.noreply.github.com>

* remove fmt.Printfs
2019-02-28 17:29:28 -05:00
Chris Hoffman 4f35c548fe Transit Autounseal (#5995)
* Adding Transit Autoseal

* adding tests

* adding more tests

* updating seal info

* send a value to test and set current key id

* updating message

* cleanup

* Adding tls config, addressing some feedback

* adding tls testing

* renaming config fields for tls
2019-02-28 13:13:56 -08:00
Calvin Leung Huang 5eb50a261e agent/caching: test renaming; add api-level cache-clear test (#6305)
* test renaming; add api-level cache-clear test

* fix import ordering
2019-02-28 10:05:55 -08:00
Calvin Leung Huang c07253999c
agent/caching: enable caching of leases generated by autoauth token (#6293)
* agent/caching: enable caching of leases generated by autoauth token

* add test for auth/token/create path

* update error message log

* Some minor updates

* add sleep timer for renewal logic to process
2019-02-27 13:14:58 -08:00
Vishal Nayak ffabeda5d9
Agent Caching: Remove response updates using renewal output (#6303)
* Agent Caching: Remove response updates using renewal output

* Use renewal output channel to log the fact
2019-02-27 14:33:45 -05:00
vishalnayak f04b4d1668 Change agent's default port number to 8100 2019-02-26 10:02:12 -05:00
Jim Kalafut ebb63652cd
Fix agent test (#6281) 2019-02-21 21:24:16 -08:00
Calvin Leung Huang fda590f538
agent/caching: use const for cache-clear path (#6271) 2019-02-21 14:53:34 -08:00
Calvin Leung Huang 8fc9138fe4
agent/caching: remove EvictByPrefix and EvictAll (#6269) 2019-02-21 14:52:10 -08:00
Becca Petrin 65b8ad9187 allow aws region in cli login 2019-02-20 16:43:21 -08:00
Brian Kassouf efe5671f36 make fmt 2019-02-20 12:12:21 -08:00
Vishal Nayak 779d49bab5
AgentCache: Properly compute auto-auth token (#6264)
* Properly compute auto-auth token

* Use inmem sink to track auto-auth token

* update debug statement

* Only add inmem sink if using auto-auth token is allowed
2019-02-20 02:11:05 -05:00
Vishal Nayak 5037185d5d
Agent Cache: Some review feedback (#6257)
* Revamp agent cache client

* Update command/agent.go

Co-Authored-By: vishalnayak <vishalnayak@users.noreply.github.com>

* Agent cache auto auth token lookup case (#6258)

* agent cache auto auth token lookup case

* Use Blake2b256Hash instead of SHA256

* agent/cache: update cache-clear endpoint; use bytes.NewReader instead (#6259)

* agent/cache: update cache-clear endpoint; use bytes.NewReader instead

* agent/cache: Fix TestCache_ComputeIndexID after switching to blake2b

* agent/cache: Only parse response body if it's non-nil (#6260)

* Differently disable agent address in the API client

* Remove DisableAgent
2019-02-19 16:53:29 -05:00
Vishal Nayak 614ec67b05
address some review back (#6237) 2019-02-15 13:40:03 -05:00
Jim Kalafut a7b6d9d2a8 Fix JWT end-to-end test (#6244) 2019-02-15 09:39:23 -08:00
Jim Kalafut a32c7b6d91 Fix agent test (#6243) 2019-02-15 09:27:57 -08:00
Chris Hoffman 999fbd3bca fixing operator unseal test (#6241) 2019-02-15 09:06:37 -08:00
Chris Hoffman a6841a5e94 fixing command server tests (#6242) 2019-02-15 09:06:20 -08:00
Calvin Leung Huang 4e31f955cb cacememdb: add LeaseToken and TokenParent tests for GetByPrefix 2019-02-15 07:55:09 -08:00
vishalnayak cdaac4a715 Fix cachememdb test 2019-02-15 10:34:19 -05:00
Vishal Nayak feb235d5f8
Vault Agent Cache (#6220)
* vault-agent-cache: squashed 250+ commits

* Add proper token revocation validations to the tests

* Add more test cases

* Avoid leaking by not closing request/response bodies; add comments

* Fix revoke orphan use case; update tests

* Add CLI test for making request over unix socket

* agent/cache: remove namespace-related tests

* Strip-off the auto-auth token from the lookup response

* Output listener details along with configuration

* Add scheme to API address output

* leasecache: use IndexNameLease for prefix lease revocations

* Make CLI accept the fully qualified unix address

* export VAULT_AGENT_ADDR=unix://path/to/socket

* unix:/ to unix://
2019-02-14 20:10:36 -05:00
Martin 9044173d6e Prometheus support on v1/sys/metrics endpoint (#5308)
* initial commit for prometheus and sys/metrics support

* Throw an error if prometheusRetentionTime is 0,add prometheus in devmode

* return when format=prometheus is used and prom is disable

* parse prometheus_retention_time from string instead of int

* Initialize config.Telemetry if nil

* address PR issues

* add sys/metrics framework.Path in a factory

* Apply requiredMountTable entries's MountConfig to existing core table

* address pr comments

* enable prometheus sink by default

* Move Metric-related code in a separate metricsutil helper
2019-02-14 12:46:59 -08:00
Jim Kalafut 8be2951472 Fix unit tests broken with JWT plugin update 2019-02-14 12:14:18 -08:00
Jeff Mitchell e5ca13d0be
Don't add kv by default in non-dev scenarios (#6109)
It's retained for tests though since most rely on it.
2019-02-14 11:55:32 -08:00
Jeff Mitchell 6e182c3237 Remove deprecated CLI commands (#6112) 2019-02-14 11:54:47 -08:00
Calvin Leung Huang 77d737c8b2 Merge branch 'master-oss' into 1.1-beta 2019-02-11 14:47:22 -08:00
Jim Kalafut df4139df51
Create alias and command for OIDC (#6206) 2019-02-11 13:37:55 -08:00
Giacomo Tirabassi 820f27fd29 remove panicking and added usage (#6208) 2019-02-11 11:19:08 -08:00
Jeff Mitchell d883af3d30
If the log level isn't set, don't display "(not set)" (#6183) 2019-02-07 03:48:50 -05:00
Jeff Mitchell 5f249d4005
Add allowed_response_headers (#6115) 2019-02-05 16:02:15 -05:00
Jeff Mitchell de8d45d9db Fix test build 2019-02-05 12:26:25 -05:00
Jeff Mitchell 82ee4176e6
Add the ability to print curl commands from CLI (#6113) 2019-02-01 17:13:51 -05:00
Brian Kassouf aaca35be94
Updates to recovery keys (#6152) 2019-02-01 11:29:55 -08:00
Jeff Mitchell 0874b552cb Fix build 2019-01-23 16:52:06 -05:00
Seth Vargo 98ad431d6d Continuously attempt to unseal if sealed keys are supported (#6039)
* Add helper for checking if an error is a fatal error

The double-double negative was really confusing, and this pattern is used a few places in Vault. This negates the double negative, making the devx a bit easier to follow.

* Check return value of UnsealWithStoredKeys in sys/init

* Return proper error types when attempting unseal with stored key

Prior to this commit, "nil" could have meant unsupported auto-unseal, a transient error, or success. This updates the function to return the correct error type, signaling to the caller whether they should retry or fail.

* Continuously attempt to unseal if sealed keys are supported

This fixes a bug that occurs on bootstrapping an initial cluster. Given a collection of Vault nodes and an initialized storage backend, they will all go into standby waiting for initialization. After one node is initialized, the other nodes had no mechanism by which they "re-check" to see if unseal keys are present. This adds a goroutine to the server command which continually waits for unseal keys to exist. It exits in the following conditions:

- the node is unsealed
- the node does not support stored keys
- a fatal error occurs (as defined by Vault)
- the server is shutting down

In all other situations, the routine wakes up at the specified interval and attempts to unseal with the stored keys.
2019-01-23 16:34:34 -05:00
Noel Cower 4f05192be3 Merge all configuration fields (#6028)
This changes (*Config).Merge to merge all fields of a Config.
Previously, when merging Configs, some configuration fields were
ignored and completely lost, including APIAddr, ClusterAddr, and
a couple boolean fields. This only occurs when using multiple config
files and does not affect single config files (even when loading from
a directory -- Merge is only called after a second file is loaded).

- Fix APIAddr not being merged.
- Fix ClusterAddr not being merged.
- Fix DisablePrintableCheck not being merged.
- Fix DisableClustering not being merged. The DisableClusteringRaw
  value is also preserved so that it can be used in overrides for
  storage fields.
- Use merged top-level config as storage field overrides.
- Update config dir test fixtures to set some fields missed by
  (*Config).Merge previously.
2019-01-23 11:27:21 -05:00
nathan r. hruby bfcf30fc72 add influx plugin (#6021) 2019-01-09 17:25:40 -08:00
Jim Kalafut d0e2badbae Run goimports across the repository (#6010)
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Pawel Gorczynski 953be252cd Extended info message regarding VAULT_ADDR env variable for Windows when running server -dev (#5970)
* Improved info message for Windows when running `server -dev`

Improvement for https://github.com/hashicorp/vault/issues/3405

* output updated to:

You may need to set the following environment variable:
PowerShell:
    $env:VAULT_ADDR="http://127.0.0.1:8200"
cmd.exe:
    set VAULT_ADDR=http://127.0.0.1:8200
2018-12-20 10:27:21 -08:00
Brian Kassouf 325c3acbb5
Update operator_rekey.go (#5983) 2018-12-20 09:05:50 -08:00
Jim Kalafut 2547d7fb6a
Simplify base62.Random (#5982)
Also move existing base62 encode/decode operations to their only points
of use.
2018-12-20 07:40:01 -08:00
Jeff Mitchell fff8976671 Update backwards compat fix from 5913 2018-12-12 15:36:28 -05:00
Calvin Leung Huang 351b707e18 cli/json: correctly output the number of key shares and threshold on stored keys (#5910) 2018-12-12 15:26:11 -05:00
Chris Hoffman 555b914695 adding -dev-kv-v1 flag for forcing kvv1 (#5919) 2018-12-12 12:07:18 -08:00
Calvin Leung Huang e71017e5a9 Set request token entry within fetchACLTokenEntryAndEntity (#5880) 2018-12-03 11:57:53 -05:00
Clint Shryock 37e75a95c7
fix typo in comment 2018-11-28 10:06:23 -06:00
Matthew Irish 08ca544273
plumb policy-override flag to the CLI (#5826) 2018-11-20 11:33:00 -06:00
Becca Petrin a96f1f75ee Restore plugin name for backwards compatibility (#5825)
* re-add plugin name for backwards compat

* add plugin name to table for backwards compat

* conditionally set the plugin name

* Update command/auth_list.go

Co-Authored-By: tyrannosaurus-becks <beccapetrin@posteo.net>

* Update command/secrets_list.go

Co-Authored-By: tyrannosaurus-becks <beccapetrin@posteo.net>

* update auth and secrets list commands

* add comments regarding deprecation
2018-11-19 16:41:17 -08:00
Julien Balestra a60ed6a53c agent: fix auth when multiple redirects (#5814) 2018-11-19 15:50:42 -08:00
Clint dfe585c7f7 Agent kube projected token (#5725)
* Add support for custom JWT path in Agent: kubernetes auth

- add support for "token_path" configuration
- add a reader for mocking in tests

* add documentation for token_path
2018-11-19 14:28:17 -08:00
Calvin Leung Huang ad3e105012
Mount tune options (#5809)
* Refactor mount tune to support upsert options values and unset options.

* Do not allow unsetting options map

* add secret tune version regression test

* Only accept valid options version

* s/meVersion/optVersion/
2018-11-19 14:23:25 -08:00
Brian Kassouf 33776b89c2
Wrap storage calls with encoding checks (#5819)
* Add encoding backend

* More work on encoding checks

* Update error message

* Update physical/encoding.go

* Disable key checks if configured
2018-11-19 13:13:16 -08:00
Jim Kalafut 824c02a234
Show migration check error (#5806) 2018-11-16 15:09:35 -08:00
Calvin Leung Huang 227a664b06 Continue on plugin registration error in dev mode (#5791)
* Continue on plugin registration error in dev mode

* Continue only on unknown type error

* Continue only on unknown type error

* Print plugin registration error on exit

Co-Authored-By: calvn <cleung2010@gmail.com>
2018-11-15 16:55:24 -08:00
Calvin Leung Huang e99957aed9
Support registering plugin with name only (#5787)
* Support registering plugin with name only

* Make RegisterPlugin backwards compatible

* Add CLI backwards compat command to plugin info and deregister

* Add server-side deprecation warnings if old read/dereg API endpoints are called

* Address feedback
2018-11-15 14:33:11 -08:00
Jeff Mitchell 3de2ebd256 Explicitly state that secrets move doesn't work across namespaces 2018-11-07 11:07:19 -05:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
Calvin Leung Huang ef8f40647a Bump timeout due to potential backoff retry delay (#5706) 2018-11-06 11:06:06 -08:00
Calvin Leung Huang 46f37f3363
Add HSMAutoDeprecated for ent upgrade (#5704) 2018-11-06 09:42:03 -08:00