Commit Graph

1133 Commits

Author SHA1 Message Date
Jeff Mitchell 41649c1511 Clean up stored barrier keys after migration to shamir (#5671) 2018-11-05 14:06:39 -05:00
Calvin Leung Huang c5c6588f7e
Bump timeout due to potential backoff retry delay (#5663) 2018-11-02 13:22:15 -07:00
Jim Kalafut b1bc2a6b2b
Fix a few vet warnings (#5674) 2018-11-02 13:21:44 -07:00
Becca Petrin f99d65bdc3 fix typo in test name 2018-11-01 16:06:35 -07:00
Dilan Bellinghoven 5109be59a6 command/agent/sink/sink.go: This fix solves the problem where when multiple file sinks are specified in the agent HCL file, there is unexpected behavior (#5610) 2018-11-01 14:44:13 -07:00
Brian Shumate 9c06c53542 Fix typo (#5661) 2018-11-01 10:13:20 -04:00
Jim Kalafut 11d7f7eb13
Add memory profiling for custom builds (#5584) 2018-10-31 11:11:45 -07:00
Jeff Mitchell 605a7e30ad
Add the ability for secret IDs in agent approle to be wrapped (#5654) 2018-10-30 20:53:49 -04:00
Jeff Mitchell 6d20c8fce2
Add approle agent method removing secret ID file by default. (#5648)
Also, massively update tests.
2018-10-30 14:09:04 -04:00
Aleksey Zhukov 5361205d5b WIP Agent AppRole auto-auth (#5621) 2018-10-30 12:17:19 -04:00
Chris Hoffman 8c88eb3e2a
Add -dev-auto-seal option (#5629)
* adding a -dev-auto-seal option

* adding logger to TestSeal
2018-10-29 09:30:24 -04:00
Jeff Mitchell 2c17930aaf
Remove agent reauthentication on new credentials. (#5615)
Functionality is left in for use in testing (where it is indeed quite
useful).

Fixes #5522
2018-10-27 10:45:55 -07:00
Jim Kalafut fa462c72f9
Fix command panic by returning empty (not nil) map (#5603)
Fixes #5600
2018-10-24 13:08:40 -07:00
Jeff Mitchell 91a970b81d Fix build 2018-10-23 15:09:35 -04:00
Jeff Mitchell a979f49cd7 Add disable-indexing 2018-10-23 15:03:17 -04:00
Jeff Mitchell 2526ce2ce6 Fix build 2018-10-23 04:12:23 -04:00
Jeff Mitchell b2f2568a21 Merge branch 'master-oss' into 1.0-beta-oss 2018-10-23 04:02:28 -04:00
Jeff Mitchell fe770ed284 Change deprecation warning to 1.1 2018-10-23 02:44:57 -04:00
Chris Hoffman dec2eb88b6 adding gcpkms secrets engine (#784) 2018-10-22 23:39:25 -07:00
Jeff Mitchell 82992d6097
Seal migration (OSS) (#781) 2018-10-22 23:34:02 -07:00
Vishal Nayak 699b18ee09 Fix flag name for kv help text (#5580) 2018-10-22 15:22:43 -04:00
Calvin Leung Huang a08ccbffa7
[Review Only] Autoseal OSS port (#757)
* Port awskms autoseal

* Rename files

* WIP autoseal

* Fix protobuf conflict

* Expose some structs to properly allow encrypting stored keys

* Update awskms with the latest changes

* Add KeyGuard implementation to abstract encryption/decryption of keys

* Fully decouple seal.Access implementations from sealwrap structs

* Add extra line to proto files, comment update

* Update seal_access_entry.go

* govendor sync

* Add endpoint info to configureAWSKMSSeal

* Update comment

* Refactor structs

* Update make proto

* Remove remove KeyGuard, move encrypt/decrypt to autoSeal

* Add rest of seals, update VerifyRecoveryKeys, add deps

* Fix some merge conflicts via govendor updates

* Rename SealWrapEntry to EncryptedBlobInfo

* Remove barrier type upgrade check in oss

* Add key to EncryptedBlobInfo proto

* Update barrierTypeUpgradeCheck signature
2018-10-19 14:43:57 -07:00
Jeff Mitchell 224fbd4a88 Merge branch 'master-oss' into 1.0-beta-oss 2018-10-16 10:08:03 -04:00
Jeff Mitchell 04e3f9b0f3
Add LastWAL in leader/health output (#5523) 2018-10-16 09:38:44 -04:00
Jeff Mitchell a64fc7d7cb
Batch tokens (#755) 2018-10-15 12:56:24 -04:00
Jeff Mitchell af73c5872d
Buffer authhandler output channel to prevent hang on shutdown (#5507)
Fixes #5026
2018-10-15 11:02:53 -04:00
Jim Kalafut 123e34f4a7
Don't copy HA lock file during migration (#5503) 2018-10-12 09:29:15 -07:00
Jeff Mitchell 646bfc6d5d
Warn when users don't configure api_addr (#5496)
Fixes some sources of user strife
2018-10-10 14:52:00 -04:00
Calvin Leung Huang b47e648ddf
Logger cleanup (#5480) 2018-10-09 09:43:17 -07:00
Jim Kalafut bd4a7c57c6 Fix 'vault auth' panic (#5473)
Running 'vault auth' with no parameters was panicking:

panic: assignment to entry in nil map
	github.com/hashicorp/vault/command/login.go:255 +0xdee

Now it will show help.
2018-10-05 16:05:26 -07:00
JohnVonNeumann eba56f3f23 Update operator_init.go (#5441)
Minor grammar fix.
2018-10-01 17:19:13 -07:00
Jim Kalafut 43d498983c
Retry failing migration check instead of exiting (#5427) 2018-10-01 14:35:35 -07:00
Jeff Mitchell ef144c4c25 Send initialized information via sys/seal-status (#5424) 2018-09-27 14:03:37 -07:00
Jim Kalafut d9d93e42a8
Fix server command test (#5407)
The addition of CheckMigration to the server startup process means
that physical backends in this test need to be able to respond to Get() without error.
2018-09-26 14:52:11 -07:00
Jim Kalafut c1f7e4a276
Fix wording in log message (#5399) 2018-09-25 16:52:03 -07:00
Jim Kalafut 4c80debe63
Add physical backend migrator command (#5143) 2018-09-25 16:18:22 -07:00
Seth Vargo 743161abd4 Also format TTLs in non-secret responses (#5367) 2018-09-21 09:54:18 -04:00
Becca Petrin 74d4d0ccc0
add alicloud secrets engine (#5352) 2018-09-19 08:42:28 -07:00
Jeff Mitchell 43aebacfa8 Fix default_max_request_duration HCL name and update docs (#5321)
* Fix default_max_request_duration HCL name and update docs

* Update tcp.html.md
2018-09-18 14:30:21 -07:00
Jeff Mitchell 919b968c27
The big one (#5346) 2018-09-17 23:03:00 -04:00
Jim Kalafut eb6c165e29
Improve CLI error message (#5327) 2018-09-13 08:23:36 -07:00
Becca Petrin b2ff87c9c2
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 13:30:57 -07:00
Becca Petrin 625592c5e6
update to match aws (#5315) 2018-09-11 11:10:50 -07:00
Jeff Mitchell 1837c571ec
Fix authhandler-based wrapping in agent (#5316) 2018-09-11 13:10:11 -04:00
Jeff Mitchell c28ed23972
Allow most parts of Vault's logging to have its level changed on-the-fly (#5280)
* Allow most parts of Vault's logging to have its level changed on-the-fly

* Use a const for not set
2018-09-05 15:52:54 -04:00
Becca Petrin 7e0e49656a Add AliCloud auth to the Vault Agent (#5179) 2018-09-05 11:56:30 -04:00
Jim Kalafut f03fc41ba2
Fix server test that fails build under 1.11 (#5264)
command/server_test.go:147:2: finished declared but not used
vet: typecheck failures
2018-09-04 11:35:28 -06:00
Brian Kassouf c603a8b811
Add performance standby status to status output (#5192)
* Add performance standby status to status output

* Update ha.go
2018-08-27 10:01:07 -07:00
Jeff Mitchell ac79655f8a Sync some changes over 2018-08-27 12:03:43 -04:00
Jeff Mitchell ae285d29a3 Sync over 2018-08-27 12:02:57 -04:00
Jeff Mitchell 9cd7c05269
Change deprecation warnings from 0.11 or later to 0.12. (#5176)
Also remove a deprecated parameter that we warned would be removed since
0.8.
2018-08-24 12:16:37 -04:00
Jeff Mitchell aec9a689a0 Sync over some stuff 2018-08-24 12:09:03 -04:00
Becca Petrin c0f2f21d97 Auth handler shutdown logic (#5170) 2018-08-24 09:17:14 -04:00
Jeff Mitchell 362a92945e Don't resetnamed 2018-08-23 15:04:18 -04:00
Calvin Leung Huang 5812a84c28
command/namespace: Move trailing slash check to the end (#5163) 2018-08-22 15:49:24 -07:00
Jeff Mitchell 66a0029195 Sync some ns stuff to api/command 2018-08-22 14:37:40 -04:00
Jeff Mitchell 3b01b29056
Pass in an ErrorLog to http.Server (#5135)
Fixes #5108
2018-08-21 11:23:18 -04:00
Jim Kalafut a8e81ce393 Initial import of Azure Secrets (#5120)
* Initial import of Azure Secrets

* Update vendor folder
2018-08-16 12:18:06 -07:00
Becca Petrin 8e8095163e Add alicloud auth (#5123)
* add alicloud auth commands

* add dependencies
2018-08-16 12:17:49 -07:00
Jeff Mitchell f1d72abb39 Remove injection into top routes (#5101) 2018-08-14 15:29:22 -04:00
Jeff Mitchell c3e063f2a6 Fix read test 2018-08-14 14:20:49 -04:00
Jeff Mitchell 74175b29af
Add support for passing args via `vault read` (#5093)
We support this in the API as of 0.10.2 so read should support it too.

Trivially tested with some log info:

`core: data: data="map[string]interface {}{"zip":[]string{"zap", "zap2"}}"`
2018-08-13 22:00:26 -04:00
Nándor István Krácser b9fab6375b Alibaba Object Storage support (#4783) 2018-08-13 17:03:24 -04:00
Jeff Mitchell 9d1a427949 Port over some ns stuff 2018-08-10 12:17:17 -04:00
Jeff Mitchell fb3c7eb449 Port some ns stuff over 2018-08-10 12:13:11 -04:00
Jeff Mitchell a6d0ae5890
Add exit-after-auth functionality to agent (#5013)
This allows it to authenticate once, then exit once all sinks have
reported success. Useful for things like an init container vs. a
sidecard container.

Also adds command-level testing of it.
2018-07-30 10:37:04 -04:00
Paul Nicholson c761a9a8f2 agent: kubernetes: add missing slash in token path (#5010) 2018-07-29 15:50:18 -04:00
Jeff Mitchell e72890e83f
VSI (#4985) 2018-07-24 22:02:27 -04:00
Jeff Mitchell 4261618d10 Add request timeouts in normal request path and to expirations (#4971)
* Add request timeouts in normal request path and to expirations

* Add ability to adjust default max request duration

* Some test fixes

* Ensure tests have defaults set for max request duration

* Add context cancel checking to inmem/file

* Fix tests

* Fix tests

* Set default max request duration to basically infinity for this release for BC

* Address feedback
2018-07-24 14:50:49 -07:00
Jeff Mitchell 9687ccc8fa Tackle #4929 a different way (#4932)
* Tackle #4929 a different way

This turns c.sealed into an atomic, which allows us to call sealInternal
without a lock. By doing so we can better control lock grabbing when a
condition causing the standby loop to get out of active happens. This
encapsulates that logic into two distinct pieces (although they could
be combined into one), and makes lock guarding more understandable.

* Re-add context canceling to the non-HA version of sealInternal

* Return explicitly after stopCh triggered
2018-07-24 13:57:25 -07:00
Michael Russell c66544381a Make the SSH executable path configurable (#4937)
Making this configurable is useful for windows users which may not be
using the default `ssh` executable. It also means that users can point to a
specify SSH executable if multiple are available.
2018-07-17 17:47:07 -07:00
Julien Blache c8fb9ed6a8 FoundationDB physical backend (#4900) 2018-07-16 10:18:09 -04:00
Michael Russell b6dfe372fd Allow vault ssh to work with single ssh args like -v (#4825) 2018-07-16 10:11:56 -04:00
zhogov 5c472429c2 Fixed parsing of environment variables (#4925) 2018-07-13 10:45:35 -07:00
Seth Vargo 1259ee6743 Add plugin CLI for interacting with the plugin catalog (#4911)
* Add 'plugin list' command

* Add 'plugin register' command

* Add 'plugin deregister' command

* Use a shared plugin helper

* Add 'plugin read' command

* Rename to plugin info

* Add base plugin for help text

* Fix arg ordering

* Add docs

* Rearrange to alphabetize

* Fix arg ordering in example

* Don't use "sudo" in command description
2018-07-13 10:35:08 -07:00
Jeff Mitchell a2b88fa239
Turn off retries on CLI (#4918)
For the CLI it just ends up confusing people as to why it's "hanging"
before returning a 500. This can still be overridden with
VAULT_MAX_RETRIES.
2018-07-12 18:38:18 -04:00
Jeff Mitchell 8433bf26e9 Fix printable check key not being valid 2018-07-12 16:59:07 -04:00
Jeff Mitchell 954f6c4ece
Add config flag to disable non-printable character check (#4917) 2018-07-12 16:29:36 -04:00
Calvin Leung Huang f801f4b808
Add description flag to secrets and auth tune subcommands (#4894)
* Add description flag to secrets and auth tune subcommands

* Allow empty description to be provided in secret and auth mount tune

* Use flagNameDescription
2018-07-12 11:15:50 -04:00
Jeff Mitchell cd51a769ca Fix tests 2018-07-12 10:18:50 -04:00
Jeff Mitchell 5beb7ab1fd
Add in logic for handling a field of 'data' to `kv get` (#4895)
We do this for normal commands in PrintRawField but it needs some help
for KV v2.
2018-07-11 15:50:26 -04:00
Jeff Mitchell 98bf463a65 Make single-lease revocation behave like expiration (#4883)
This change makes it so that if a lease is revoked through user action,
we set the expiration time to now and update pending, just as we do with
tokens. This allows the normal retry logic to apply in these cases as
well, instead of just erroring out immediately. The idea being that once
you tell Vault to revoke something it should keep doing its darndest to
actually make that happen.
2018-07-11 15:45:35 -04:00
Jeff Mitchell 6e0e024d90
Allow lease_duration to be pulled out with -field (#4906)
* Allow lease_duration to be pulled out with -field

This also provides an easy way to verify that when -field is used we
don't string format the value.

This also changes the human string helper to accept more than one type
of incoming int.

* Address review feedback
2018-07-11 15:09:04 -04:00
Seth Vargo 87b60308f8 Special case handle TTLs from JSON responses (#4893) 2018-07-11 12:07:48 -04:00
Seth Vargo bfdc295ffb Properly parse envvars for bools (#4882)
Fixes GH-4875
2018-07-09 13:43:46 -07:00
Jeff Mitchell 1011f61bf2 Add JWT plugin 2018-07-09 16:21:47 -04:00
Seth Vargo 419e4ffa14 Ensure there's a newline between each warning (#4878)
It's really hard to see where one stops and another starts given
multiple warnings.
2018-07-09 10:57:53 -07:00
Jeff Mitchell 4a3fe87a39
Allow max request size to be user-specified (#4824)
* Allow max request size to be user-specified

This turned out to be way more impactful than I'd expected because I
felt like the right granularity was per-listener, since an org may want
to treat external clients differently from internal clients. It's pretty
straightforward though.

This also introduces actually using request contexts for values, which
so far we have not done (using our own logical.Request struct instead),
but this allows non-logical methods to still get this benefit.

* Switch to ioutil.ReadAll()
2018-07-06 15:44:56 -04:00
Chris Hoffman a1c8c8459b
Bump Deps (#4868)
* bump deps

* revert script changes

* adding govendor miss
2018-07-06 12:09:34 -04:00
Jeff Mitchell 5a0c44f4f4 Update generate-root output (#4807)
In current Vault server EncodedToken will always be populated regardless
of type (root, DR), so prioritize that, and properly refer to it as
Encoded Token instead of Root Token.

Additionally refer to the nonce as the Operation nonce instead of the
Root generation operation nonce since it's used for both strategies.
2018-07-06 09:02:47 -04:00
Nándor István Krácser a40ff31777 vault kv metadata put doesn't need [DATA] (#4847) 2018-06-28 00:26:10 -07:00
Seth Vargo 0322f1bf43 Validate operator init args (#4838) 2018-06-26 10:15:00 -04:00
Vishal Nayak 57c7ecfcd4
Identity: Remove unused MemDB indexes and unused functions (#4817)
* refactor delete utility

* refactor delete alias utility

* remove MemDBUpsertAlias

* Remove MemDBAliasByCanonicalID

* remove MemDBAliasesByMetadata

* remove MemDBDeleteAliasByID

* Remove MemDBUpsertEntity and MemDBEntityByNameInTxn

* Remove is.MemDBEntitiesByBucketEntryKeyHash

* Remove MemDBEntitiesByBucketEntryKeyHash and MemDBEntityByMergedEntityID

* Remove MemDBEntities

* Remove validateMemberGroupID

* Remove validateEntityID, validateGroupID, deleteAliasFromEntity

* Remove updateAliasInEntity

* Remove satisfiesMetadataFilters and UpsertGroup

* Remove MemDBUpsertGroup

* Remove deleteGroupByID

* Remove deleleGroupByName

* Remove MemDBDeleteGroupByNameInTxn

* Remove MemDBGroupsByPolicy and MemDBGroupsByPolicyInTxn

* Remove MemDBGroupIterator

* Remove MemDBGroupsByBucketEntryKeyHash

* Remove deleteGroupAlias

* Remove metadata index from entities table

* Remove unneeded indexes from entity alias and group alias schema

* Remove unneeded index from groups table schema

* Fix test

* s/entity/lockEntity

* Don't expose the memdb instance outside identity store

* More txn.Abort() corrections

* switch back to deferring abort calls
2018-06-24 07:45:53 -04:00
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Jeff Mitchell ebe3f09f82
Add `kv rollback` (#4774)
* Add `kv rollback`

Like `kv patch` this is more of a helper than anything else; it provides
a single command to fetch the current version (for CAS), read the
version you want to roll back to, and set it as the new version (using
CAS for safety).
2018-06-15 15:34:17 -04:00
Jeff Mitchell 734b46ea5b
Add a hidden combine-logs flag (#4766)
This can be used when errors are happening early on to avoid them being
swallowed by logGate.

This also does a bit of cleanup of format env var checking --
helper/logging internally looks for this so it was totally unnecessary
since moving to hclog.
2018-06-15 14:47:37 -04:00
Wim 3e1930e7c3 Use %q in error output for better visibility (#4771) 2018-06-14 18:19:22 -04:00
Michael Russell 063221b44a Allow vault ssh to accept ssh commands in any ssh compatible format (#4710)
* Allow vault ssh to accept ssh commands in any ssh compatible format

Previously vault ssh required ssh commands to be in the format
`username@hostname <flags> command`. While this works just fine for human
users this breaks a lot of automation workflows and is not compatible
with the options that the ssh client supports.

Motivation

We currently run ansible which uses vault ssh to connect to hosts.
Ansible generates ssh commands with the format `ssh <flags> -o User=username hostname
command`. While this is a valid ssh command it currently breaks with
vault because vault expects the format to be `username@hostname`. To work
around this we currently use a wrapper script to parse the correct username being set
by ansible and translate this into a vault ssh compatible `username@hostname` format

Changes

* You can now specify arguments in any order that ssh client allows. All
arguments are passed directly to the ssh command and the format isn't
modified in any way.
* The username and port are parsed from the specified ssh command. It
will accept all of the options supported by the ssh command and also
will properly prefer `-p` and `user@` if both options are specified.
* The ssh port is only added from the vault credentials if it hasn't
been specified on the command line
2018-06-14 09:54:48 -04:00
Jeff Mitchell 5d44c54947
Changes the way policies are reported in audit logs (#4747)
* This changes the way policies are reported in audit logs.

Previously, only policies tied to tokens would be reported. This could
make it difficult to perform after-the-fact analysis based on both the
initial response entry and further requests. Now, the full set of
applicable policies from both the token and any derived policies from
Identity are reported.

To keep things consistent, token authentications now also return the
full set of policies in api.Secret.Auth responses, so this both makes it
easier for users to understand their actual full set, and it matches
what the audit logs now report.
2018-06-14 09:49:33 -04:00
Calvin Leung Huang c4abeb9ea5
Move checkHCLKeys into hclutil (#4749) 2018-06-12 12:38:08 -04:00
Jeff Mitchell c1267ab16c
Fix writing to KVv2 root via `kv put` (#4726)
* Fix writing to KVv2 root via `kv put`

The check that adds the API path wasn't taking into account the root,
e.g. if it's mounted at `kv`, `kv` and `kv/` would end up creating an
extra copy of the mount path in front, leading to paths like
`kv/data/kv`.

* Output warnings if they come back and fix a panic in metadata_get

* Also add to metadata put/delete
2018-06-08 13:45:47 -04:00
Kevin Hicks ed7992e8ae update docs and help text to include 'operator' (#4712) 2018-06-06 21:11:21 -07:00
Jeff Mitchell 21a9b06983
Show mount accessors in normal secrets/auth list commands (#4676)
This makes them significantly easier to find/consume
2018-06-01 10:20:09 -04:00
Michael Russell 1b555b6d4c Only append the UserKnownHostsFile ssh flag when required (#4674)
Don't set a default value for the UserKnownHostsFile flag.
Only append `-o UserKnownHostsFile` to the ssh command if it
has been specified by the user or vault ssh has set it based on another
flag (such as flagHostKeyMountPoint)

Fixes https://github.com/hashicorp/vault/issues/4672
2018-06-01 09:56:22 -04:00
Michael Russell 4d1669938c Use hostname instead of the IP when running the actual ssh command (#4673)
This is implementing the same fix that was added for the CA mode for vault
ssh in https://github.com/hashicorp/vault/pull/3922
Using the IP address caused `Host` entries in the ssh_config to not
match anymore meaning you would need to hardcode all of your IP
addresses in your ssh config instead of using DNS to connect to hosts
2018-06-01 09:16:12 -04:00
Jeff Mitchell 9e7f381fca Sync over changes to config.go 2018-05-30 08:34:46 -04:00
emily 192c228931 Add GCP auth helper (#4654)
* update auth plugin vendoring

* add GCP auth helper and docs
2018-05-29 20:36:24 -04:00
Jeff Mitchell 7cf283cd2c Make the rekey verification message more complete 2018-05-29 14:59:19 -04:00
Jeff Mitchell 2971813684 Add verification nonce to non-verify status, if it exists, and name it verification nonce in the verify status for clarity 2018-05-29 13:18:52 -04:00
Jeff Mitchell c53717ba1c Fix panic and update some text 2018-05-29 13:13:47 -04:00
Jeff Mitchell 8b065344f8 Update CLI text 2018-05-29 12:42:33 -04:00
Jeff Mitchell bd0ac25eb9
Merge branch 'master' into rekey-verification 2018-05-29 10:19:57 -04:00
Kloppi313 365335f609 Typo in operator_rekey.go (#4646) 2018-05-29 09:28:08 -04:00
Jeff Mitchell 14b65ff4db
Builds on top of #4600 to provide CLI support (#4605) 2018-05-28 00:39:53 -04:00
Becca Petrin 94ae5d2567
Add Active Directory secrets plugin (#4635) 2018-05-25 11:37:41 -07:00
Becca Petrin abc0975d75
fix tests (#4636) 2018-05-24 13:57:25 -07:00
Jeff Mitchell 7749f3cb3f Prevent warnings from showing in individual commands when format is not table, in addition to the existing hiding of higher-level deprecation warnings 2018-05-23 17:13:39 -04:00
Jeff Mitchell 396457ce03
Don't use environment as a mechanism for floating format around. (#4622)
This turns out to not work very well for the demo server. Also,
it's kinda hacky.
2018-05-23 16:45:17 -04:00
Jeff Mitchell f1c3ddc566
Fix panic on deprecated audit-disable and some cleanup (#4619) 2018-05-23 12:34:48 -04:00
Jeff Mitchell 84eaebb774
Add missing flags to KV commands and simplify boilerplate (#4617) 2018-05-23 09:56:47 -04:00
Dan Brown 013e4e4d81 Fix typo (#4607) 2018-05-22 08:30:13 -04:00
Jeff Mitchell c011cefed4
Fix panic when running capabilities CLI command with multiple paths (#4553)
* Fix panic using 'vault token capabilities' with more than one path

Fixes #4552

* Add test
2018-05-11 11:58:12 -04:00
Tyler Marshall 407550bd89 Fix minor spelling mistake (#4548) 2018-05-10 13:42:01 -07:00
Jeff Mitchell af802275bd
Fix response wrapping from K/V version 2 (#4511)
This takes place in two parts, since working on this exposed an issue
with response wrapping when there is a raw body set. The changes are (in
diff order):

* A CurrentWrappingLookupFunc has been added to return the current
value. This is necessary for the lookahead call since we don't want the
lookahead call to be wrapped.

* Support for unwrapping < 0.6.2 tokens via the API/CLI has been
removed, because we now have backends returning 404s with data and can't
rely on the 404 trick. These can still be read manually via
cubbyhole/response.

* KV preflight version request now ensures that its calls is not
wrapped, and restores any given function after.

* When responding with a raw body, instead of always base64-decoding a
string value and erroring on failure, on failure we assume that it
simply wasn't a base64-encoded value and use it as is.

* A test that fails on master and works now that ensures that raw body
responses that are wrapped and then unwrapped return the expected
values.

* A flag for response data that indicates to the wrapping handling that
the data contained therein is already JSON decoded (more later).

* RespondWithStatusCode now defaults to a string so that the value is
HMAC'd during audit. The function always JSON encodes the body, so
before now it was always returning []byte which would skip HMACing. We
don't know what's in the data, so this is a "better safe than sorry"
issue. If different behavior is needed, backends can always manually
populate the data instead of relying on the helper function.

* We now check unwrapped data after unwrapping to see if there were raw
flags. If so, we try to detect whether the value can be unbase64'd. The
reason is that if it can it was probably originally a []byte and
shouldn't be audit HMAC'd; if not, it was probably originally a string
and should be. In either case, we then set the value as the raw body and
hit the flag indicating that it's already been JSON decoded so not to
try again before auditing. Doing it this way ensures the right typing.

* There is now a check to see if the data coming from unwrapping is
already JSON decoded and if so the decoding is skipped before setting
the audit response.
2018-05-10 15:40:03 -04:00
Shelby Moore f8e1f82225 Updated proxy protocol config validation (#4528) 2018-05-09 10:53:44 -04:00
Prem Sichanugrist 0057bdbee6 Fix misspelling in vault auth deprecation message (#4460) 2018-04-26 06:55:36 -04:00
Jeff Mitchell 26e83442fa
Add -no-print to 'vault login' (#4454)
Trivially manually tested

Closes #2758
2018-04-25 15:47:49 -04:00
Jeff Mitchell 5e9308ccad Fix help output in kv_patch 2018-04-25 03:21:13 -04:00
Brian Kassouf 817f816eb2
Fallback to version 1 if the vault server is too old to have the kv preflight endpoint (#4445) 2018-04-24 15:49:06 -07:00
Brian Kassouf 6d447d2671 Rename up path to internal/ui/mounts/<path> (#4435) 2018-04-23 18:16:10 -04:00
Brian Kassouf c7f9d185b0
Kv preflight (#4430)
* Update kv command to use a preflight check

* Make the existing ui endpoint return the allowed mounts

* Add kv subcommand tests

* Enable `-field` in `vault kv get/put` (#4426)

* Enable `-field` in `vault kv get/put`

Fixes #4424

* Unify nil value handling

* Use preflight helper

* Update vkv plugin

* Add all the mount info when authenticated

* Add fix the error message on put

* add metadata test

* No need to sort the capabilities

* Remove the kv client header

* kv patch command (#4432)

* Fix test

* Fix tests

* Use permission denied instead of entity disabled
2018-04-23 15:00:02 -07:00
Malhar Vora 45fe086107 Corrects description for mode option in ssh command (#4420)
Fixes #4375
2018-04-22 13:42:46 -04:00
Kevin Wang f1e46a0d76 Fix panic on kv put command with no arguments (#4389) 2018-04-18 15:45:49 -07:00
Jeff Mitchell 805b5e5160
X-Forwarded-For (#4380) 2018-04-17 18:52:09 -04:00
Krzysztof Nazarewski f325bae6d3 copy-paste fix (#4377) 2018-04-17 08:36:38 -04:00
Brian Kassouf f48c7f4940
cli/generate-root: Port a fix for dr tokens from ent (#4328) 2018-04-10 08:21:38 -07:00
Jeff Mitchell 9395f6c5d7
Add `-version` support to tuning commands. (#4323)
Although not used for any auth mounts right now, it seemed appropriate
to add it for parity since internally it maps to the same endpoint.
2018-04-09 21:12:09 -04:00
Jeff Mitchell b1136383c9 Only trigger version output if the version flag is the only flag set 2018-04-09 21:03:11 -04:00
Jeff Mitchell 2d5120fe2a Bump KV plugin and allow `-version` to work 2018-04-09 16:33:01 -04:00
Jeff Mitchell 4372548fd7
Simplify color handling quite a lot (#4289)
This always specifies a color UI, but explicitly marks the output as
noncolorable if we don't want color. This allows getting rid of our
hacky Output function in favor of cli's normal functions.
2018-04-09 16:18:17 -04:00
Jeff Mitchell 5b0885ae49 Add options to detail output to mounts/auth list CLI commands 2018-04-09 15:42:18 -04:00
Jeff Mitchell 0535f46e27 Make standard secret/ mount version 1, but upgrade to v2 in dev mode. 2018-04-09 15:37:36 -04:00
Becca Petrin abb621752f Clean up error string formatting (#4304) 2018-04-09 14:35:21 -04:00
Brian Kassouf a8b8ca136e
KV: Update 'versioned' naming to 'v2' (#4293)
* Update 'versioned' naming to 'v2'

* Make sure options are set

* Fix description of auth flag

* Review feedback
2018-04-09 09:39:32 -07:00
Calvin Leung Huang fb81016252
Fix output-related tests (#4288)
* Fix command tests

* More test fixes

* Use backticks to escape quoted strings

* More test fixes

* Fix mismatched error output failures

* Fix mismatched error output failures
2018-04-05 20:43:29 -04:00
Jeff Mitchell 0776c65e15
Move colorable statements to fix Windows support. (#4287)
This puts it in the main command level.

Fixes #4070
2018-04-05 13:28:02 -04:00
Calvin Leung Huang 63b2698289 Do not fail if api_addr and cluster_addr are empty (#4286) 2018-04-05 12:54:15 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Jeff Mitchell a84e2bcc25
Don't allow api/cluster addresses to be the same. (#4272)
People make this mistake quite often and it causes real issues.
2018-04-04 16:15:07 -04:00
Brian Kassouf 43496861c5
command/kv: Update the 404 parsing logic (#4269) 2018-04-04 09:26:06 -07:00
Jeff Mitchell fe2fa0030f
Rejig 404 handling again. (#4264)
Done this way, existing tests pass, and it makes logical sense, so we're
likely to have the least impact like this.
2018-04-04 04:41:46 -04:00
Jeff Mitchell 599f691141
Allow returning warnings and other data in 404s in the Go API (#4256)
* Allow returning list information and other data in 404s.

On read it'll output data and/or warnings on a 404 if they exist. On
list, the same behavior; the actual 'vault list' command doesn't change
behavior though in terms of output unless there are no actual keys (so
it doesn't just magically show other data).

This corrects some assumptions in response_util and wrapping.go; it also
corrects a few places in the latter where it could leak a (useless)
token in some error cases.

* Use same 404 logic in delete/put too

* Add the same secret parsing logic to the KV request functions
2018-04-03 22:35:45 -04:00
Brian Kassouf 829fcb226c
Allow for comma separated strings in the TypeCommaIntSlice field type (#4257)
* Allow for comma separated strings in the TypeCommaIntSlice field type

* Explode versions on client side

* fix deleting versions
2018-04-03 17:58:42 -07:00
Chris Hoffman e293fe84c3 OSS: Adding UI handlers and configurable headers (#390)
* adding UI handlers and UI header configuration

* forcing specific static headers

* properly getting UI config value from config/environment

* fixing formatting in stub UI text

* use http.Header

* case-insensitive X-Vault header check

* fixing var name

* wrap both stubbed and real UI in header handler

* adding test for >1 keys
2018-04-03 09:34:01 -05:00
Becca Petrin 03cf302e9a Move to "github.com/hashicorp/go-hclog" (#4227)
* logbridge with hclog and identical output

* Initial search & replace

This compiles, but there is a fair amount of TODO
and commented out code, especially around the
plugin logclient/logserver code.

* strip logbridge

* fix majority of tests

* update logxi aliases

* WIP fixing tests

* more test fixes

* Update test to hclog

* Fix format

* Rename hclog -> log

* WIP making hclog and logxi love each other

* update logger_test.go

* clean up merged comments

* Replace RawLogger interface with a Logger

* Add some logger names

* Replace Trace with Debug

* update builtin logical logging patterns

* Fix build errors

* More log updates

* update log approach in command and builtin

* More log updates

* update helper, http, and logical directories

* Update loggers

* Log updates

* Update logging

* Update logging

* Update logging

* Update logging

* update logging in physical

* prefixing and lowercase

* Update logging

* Move phyisical logging name to server command

* Fix som tests

* address jims feedback so far

* incorporate brians feedback so far

* strip comments

* move vault.go to logging package

* update Debug to Trace

* Update go-plugin deps

* Update logging based on review comments

* Updates from review

* Unvendor logxi

* Remove null_logger.go
2018-04-02 17:46:59 -07:00
Seth Vargo b48a9878e7 Add HA support to the Google Cloud Storage backend (#4226) 2018-03-30 12:36:37 -04:00
Vishal Nayak 55f13263c3
reintroduce flagMFA (#4223) 2018-03-30 12:11:10 -04:00
Seth Vargo b2d2c9236d Add dev flags for local plugin testing (#4188) 2018-03-28 17:36:55 -04:00
Jeff Mitchell 08f4bcab62 Merge branch '0.10-beta' into master-oss 2018-03-28 14:40:09 -04:00
Seth Vargo f0dd5ae61f Always use a local test server (#4207)
Some commands didn't setup a local test server since they didn't need
it. Other commands didn't setup a local test server because Seth forgot.

Long story short, I kept seeing weird requests to my Vault server when I
ran tests, and that should never happen. This ensures all test requests
will go to a test Vault instance.

Benchmarks show this adds 0.4s to the command test suite.
2018-03-28 10:34:37 -04:00
Jeff Mitchell 2f90e0c2e1 Merge branch 'master-oss' into 0.10-beta 2018-03-27 12:40:30 -04:00
Seth Vargo b665909b09 Add API functions and completions for plugins (#4194) 2018-03-26 13:40:33 -04:00
Jim Kalafut 7842557e62 Fix minor docs and help text issues (#4184) 2018-03-22 09:29:59 -04:00
Jeff Mitchell 22fc62dbd5 Fix some command help output formatting 2018-03-21 23:58:16 -04:00
Jeff Mitchell 85a86acfc9 Fix tests 2018-03-21 23:50:44 -04:00
Jeff Mitchell 2bb4e7535a Add gcp secrets 2018-03-21 23:07:16 -04:00
Brian Kassouf 3324d6dd12 Add kv backend (#4181) 2018-03-21 22:56:52 -04:00
Calvin Leung Huang 25792df5a9
Passthrough request headers (#4172)
* Add passthrough request headers for secret/auth mounts

* Update comments

* Fix SyncCache deletion of passthrough_request_headers

* Remove debug line

* Case-insensitive header comparison

* Remove unnecessary allocation

* Short-circuit filteredPassthroughHeaders if there's nothing to filter

* Add whitelistedHeaders list

* Update router logic after merge

* Add whitelist test

* Add lowercase x-vault-kv-client to whitelist

* Add back const

* Refactor whitelist logic
2018-03-21 19:56:47 -04:00
Brian Kassouf 5c84c36915
command/kv: Add a "kv" subcommand for using the key-value store (#4168)
* Add more cli subcommands

* Add metadata commands

* Add more subcommands

* Update cli

* Move archive commands to delete

* Add helpers for making http calls to the kv backend

* rename cli header

* Format the various maps from kv

* Add list command

* Update help text

* Add a command to enable versioning on a backend

* Rename enable-versions command

* Some review feedback

* Fix listing of top level keys

* Fix issue when metadata is nil

* Add test for lising top level keys

* Fix some typos

* Add a note about deleting all versions
2018-03-21 15:02:41 -07:00
Chris Hoffman 695eae6ede
adding azure auth plugin (#4180) 2018-03-21 17:35:31 -04:00
Brian Kassouf cc625e19ee
Add options to mount tune and mount endpoints in preparation for versioning (#4155)
* Add some requirements for versioned k/v

* Add a warning message when an upgrade is triggered

* Add path help values

* Make the kv header a const

* Add the uid to mount entry instead of options map

* Pass the backend aware uuid to the mounts and plugins

* Fix comment

* Add options to secret/auth enable and tune CLI commands (#4170)

* Switch mount/tune options to use TypeKVPairs (#4171)

* switching options to TypeKVPairs, adding bool parse for versioned flag

* flipping bool check

* Fix leases coming back from non-leased pluin kv store

* add a test for updating mount options

* Fix tests
2018-03-21 12:04:27 -07:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Calvin Leung Huang f86881c295
Unauthenticated endpoint to list secret and auth mounts (#4134)
* Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs

* docs: Add ttl params to auth enable endpoint

* Rewording of go string to simply string

* Add audit hmac keys as CLI flags on auth/secrets enable

* Fix copypasta mistake

* WIP on auth-list endpoint

* Rename variable to be singular, add CLI flag, show value in auth and secrets list

* Add audit hmac keys to auth and secrets list

* Only set config values if they exist

* Fix http sys/auth tests

* More auth plugin_name test fixes

* Rename tag internal_ui_show_mount to _ui_show_mount

* Add tests

* Make endpoint unauthed

* Rename field to listing_visibility

* Add listing-visibility to cli tune commands

* Use ListingVisiblityType

* Fix type conversion

* Do not actually change token's value on testHttpGet

* Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-19 23:16:33 -04:00
Jeff Mitchell 735efccd6e Make the error message that comes from parsing the config file more
useful.

Fixes #2080
2018-03-19 19:40:51 -04:00
Calvin Leung Huang edfe77ff85
Add non-hmac flags for cli secrets/auth tune commands (#4151)
* Add non-hmac params for cli secrets/auth tune

* Fix value assignment mismatch
2018-03-19 09:56:57 -04:00
Jeff Mitchell 61c26fdf57 Fix compile 2018-03-16 13:55:56 -04:00
Jeff Mitchell 1cef14036f Have deprecated commands pass on address and token helper too 2018-03-16 13:52:08 -04:00
Jeff Mitchell cc0b430b77 Use runopts-provided address if given, without overriding 2018-03-16 13:41:32 -04:00
Jeff Mitchell 1b6c62ff53 Allow sending address through RunCustom 2018-03-16 13:14:32 -04:00
Jeff Mitchell e6bc62bfc6 Make help output use any custom stderr 2018-03-16 12:59:52 -04:00
Jeff Mitchell 3504ca61c8 Change base command template to runopts and allow specifying stdout/stderr 2018-03-16 12:31:26 -04:00
Jeff Mitchell 067052f304 Add RunCustom command to allow passing in a TokenHelper 2018-03-16 11:31:00 -04:00
Calvin Leung Huang 3108860d4b
Audit HMAC values on AuthConfig (#4077)
* Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs

* docs: Add ttl params to auth enable endpoint

* Rewording of go string to simply string

* Add audit hmac keys as CLI flags on auth/secrets enable

* Fix copypasta mistake

* Add audit hmac keys to auth and secrets list

* Only set config values if they exist

* Fix http sys/auth tests

* More auth plugin_name test fixes

* Pass API values into MountEntry's config when creating auth/secrets mount

* Update usage wording
2018-03-09 14:32:28 -05:00
Lukasz Jagiello 6530a5e396 Vault status formatting (#4073)
```
:~# vault status
Key                     Value
---                     -----
Seal Type               shamir
Sealed                  false
Total Shares            8
Threshold               2
Version                 0.9.5
Cluster Name            vault-cluster-8c85f1aa
Cluster ID              aaaaaaaa-1111-2222-3333-444444444444
HA Enabled              true
HA Cluster              https://10.0.0.1:8201
HA Mode                 standby
Active Node Address:    https://10.0.0.1:8200
```

`Active Node Address:` - is the only one with a colon at the end.

This PR fix that output style issue.
2018-03-05 07:40:59 -05:00
Jeff Mitchell e073e7fc68 Don't output warning about not storing the token if the user uses
-token-only during `vault login`.
2018-03-01 21:02:54 -05:00
Jeff Mitchell ba459d238e
Fix confusing error messages around help for 'vault auth' (#4058)
Fixes #4056
2018-03-01 10:55:24 -05:00
Paddy 2b2bc2a911 Create a new command/config subpackage. (#4055)
* Create a new command/config subpackage.

This PR extracts the functions associated with loading and parsing
configs, and the DefaultTokenHelper, into a command/config subpackage,
just like TokenHelpers are in the command/token subpackage. The goal is
to allow other clients (in this case, the Vault and Nomad Terraform
providers, but in theory any client that wants to lean on Vault's
default behaviour) to reuse this logic and not drift from Vault, without
vendoring the entirety of Vault.

To retain backwards compatibility, I didn't remove any functions from
the command package; I just copied them into the command/config package,
and update the functions in the command package to call through to the
config package.
2018-02-28 20:09:21 -05:00
Bharath B 699f9246e6 Config parameter "tls_disable_client_certs" is wrongly evaluated. (#4049) 2018-02-28 10:07:23 -05:00
Jeff Mitchell f1bd0cbe74
Use atomic values in seal to avoid some data races (#4040) 2018-02-23 17:18:48 -05:00
Calvin Leung Huang 1bb4d165e7
Add TTL related config options on auth enable (#4019) 2018-02-22 10:26:29 -05:00
Jeff Mitchell 4bff53c771 Force trace mode in three-node 2018-02-22 01:44:19 -05:00
Jeff Mitchell 4669f37c78 Add four cluster flag 2018-02-22 00:23:37 -05:00
Max Walther e58855cdd4 Fix bug with vault cli when reading an individual field containing a Printf formatting verb (#4005) 2018-02-19 09:29:45 -05:00
Jeff Mitchell 8451b195d4
Handle missed error case in seal status output format (#4001)
Fixes #3998
2018-02-17 20:52:42 -05:00
Jeff Mitchell 5a1312ef30 Also exclude init command from race detector 2018-02-16 11:09:36 -05:00
Jeff Mitchell 8c8e006276
Allow formatted data when using -field and -format together. (#3987)
* Allow formatted data when using -field and -format together.

As a special case, allows "data" to be passed in to get the entire data
struct output.

* If data exists in the output map use that instead when special casing
2018-02-15 09:11:56 -05:00
Seth Vargo cd930b1173 Add support for Google Cloud Spanner (#3977) 2018-02-14 20:31:20 -05:00
Jeff Mitchell a787f97a9c
Re-add lost stored-shares parameter to operator rekey command. (#3974)
Also change the rekey API to not require explicitly setting values to 1.

Fixes #3969
2018-02-14 16:10:45 -05:00
Seth Vargo d838195241 Remove mlock warning when mlock is explicitly disabled (#3979) 2018-02-14 15:11:33 -05:00
Jeff Mitchell 76972f32ad
Add newline on non-ttl output (#3967)
Output is formatted with newlines in mind, so without this those get
lost and things get funky due to multiple outputs running together.
2018-02-13 14:46:57 -05:00