Commit graph

199 commits

Author SHA1 Message Date
Jeff Mitchell 1d99b7fd05
Properly watch quit context in expireID instead of locking first (#4970) 2018-07-20 17:00:09 -04:00
Brian Kassouf 57d9c335d8
Don't shutdown if we lose leadership during lease restoration (#4924)
* Don't shutdown if we lose leadership during lease restoration

* Update comment
2018-07-13 11:30:08 -07:00
Jeff Mitchell 98bf463a65 Make single-lease revocation behave like expiration (#4883)
This change makes it so that if a lease is revoked through user action,
we set the expiration time to now and update pending, just as we do with
tokens. This allows the normal retry logic to apply in these cases as
well, instead of just erroring out immediately. The idea being that once
you tell Vault to revoke something it should keep doing its darndest to
actually make that happen.
2018-07-11 15:45:35 -04:00
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Jeff Mitchell 45da5a45ba
Store lease times suitable for export in pending (#4730)
* Store lease times suitable for export in pending

This essentially caches lease information for token lookups, preventing
going to disk over and over.

* Simplify logic
2018-06-11 11:58:56 -04:00
Jeff Mitchell 8916f6b625
Some atomic cleanup (#4732)
Taking inspiration from
https://github.com/golang/go/issues/17604#issuecomment-256384471
suggests that taking the address of a stack variable for use in atomics
works (at least, the race detector doesn't complain) but is doing it
wrong.

The only other change is a change in Leader() detecting if HA is enabled
to fast-path out. This value never changes after NewCore, so we don't
need to grab the read lock to check it.
2018-06-09 15:35:22 -04:00
Jeff Mitchell be64c859e1
Make sure updating pending and storage are done as a group (#4727) 2018-06-08 17:24:44 -04:00
Jeff Mitchell 575a606db7
Move TokenEntry into logical. (#4729)
This allows the HTTP logicalAuth handler to cache the value in the
logical.Request, avoiding a lookup later when performing acl
checks/counting a use.
2018-06-08 17:24:27 -04:00
Jeff Mitchell 5207099042 Offline token revocation fix 2018-06-05 18:53:27 -04:00
Calvin Leung Huang dd7520459e
Token revocation refactor (#4512)
* Hand off lease expiration to expiration manager via timers

* Use sync.Map as the cache to track token deletion state

* Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager

* Update revoke and revoke-self handlers

* Fix tests

* revokeSalted: Move token entry deletion into the deferred func

* Fix test race

* Add blocking lease revocation test

* Remove test log

* Add HandlerFunc on NoopBackend, adjust locks, and add test

* Add sleep to allow for revocations to settle

* Various updates

* Rename some functions and variables to be more clear
* Change step-down and seal to use expmgr for revoke functionality like
during request handling
* Attempt to WAL the token as being invalid as soon as possible so that
further usage will fail even if revocation does not fully complete

* Address feedback

* Return invalid lease on negative TTL

* Revert "Return invalid lease on negative TTL"

This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8.

* Extend sleep on tests
2018-05-10 15:50:02 -04:00
Jeff Mitchell deafefc1c7
Add ability for revoke-prefix and revoke-force to work on single leases (#4450)
Ping #4143
2018-04-26 16:26:07 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Jeff Mitchell f6f3153b3d
Allow not showing expirations, and don't log when skipToken (#4263)
The latter removes a case where a token being revoked would end up
logging twice.
2018-04-04 03:07:10 -04:00
Chris Hoffman a7ada08b3b
Core handling of TTLs (#4230)
* govet cleanup in token store

* adding general ttl handling to login requests

* consolidating TTL calculation to system view

* deprecate LeaseExtend

* deprecate LeaseExtend

* set the increment to the correct value

* move calculateTTL out of SystemView

* remove unused value

* add back clearing of lease id

* implement core ttl in some backends

* removing increment and issue time from lease options

* adding ttl tests, fixing some compile issue

* adding ttl tests

* fixing some explicit max TTL logic

* fixing up some tests

* removing unneeded test

* off by one errors...

* adding back some logic for bc

* adding period to return on renewal

* tweaking max ttl capping slightly

* use the appropriate precision for ttl calculation

* deprecate proto fields instead of delete

* addressing feedback

* moving TTL handling for backends to core

* mongo is a secret backend not auth

* adding estimated ttl for backends that also manage the expiration time

* set the estimate values before calling the renew request

* moving calculate TTL to framework, revert removal of increment and issue time from logical

* minor edits

* addressing feedback

* address more feedback
2018-04-03 12:20:20 -04:00
Becca Petrin 03cf302e9a Move to "github.com/hashicorp/go-hclog" (#4227)
* logbridge with hclog and identical output

* Initial search & replace

This compiles, but there is a fair amount of TODO
and commented out code, especially around the
plugin logclient/logserver code.

* strip logbridge

* fix majority of tests

* update logxi aliases

* WIP fixing tests

* more test fixes

* Update test to hclog

* Fix format

* Rename hclog -> log

* WIP making hclog and logxi love each other

* update logger_test.go

* clean up merged comments

* Replace RawLogger interface with a Logger

* Add some logger names

* Replace Trace with Debug

* update builtin logical logging patterns

* Fix build errors

* More log updates

* update log approach in command and builtin

* More log updates

* update helper, http, and logical directories

* Update loggers

* Log updates

* Update logging

* Update logging

* Update logging

* Update logging

* update logging in physical

* prefixing and lowercase

* Update logging

* Move phyisical logging name to server command

* Fix som tests

* address jims feedback so far

* incorporate brians feedback so far

* strip comments

* move vault.go to logging package

* update Debug to Trace

* Update go-plugin deps

* Update logging based on review comments

* Updates from review

* Unvendor logxi

* Remove null_logger.go
2018-04-02 17:46:59 -07:00
Jeff Mitchell e49c230f7b
Log revocations in revokeCommon rather than expireID (#4164)
Revocations that happen not as a result of direct expirations will
therefore be logged

Fixes #4156
2018-03-20 11:46:27 -04:00
Jeff Mitchell 55187255bd
Truncate token store issued token periods when greater than tuned max at (#4112)
issue time, not just renew time.
2018-03-09 10:53:04 -05:00
Jeff Mitchell a82b43081c Fix output in warning displaying nanoseconds instead of seconds 2018-03-08 16:14:20 -05:00
Brian Kassouf 9dba3590ac
Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
Gobin Sougrakpam 33e22c41ca Log warnings when too many leases are active (#3957) 2018-02-14 09:22:46 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Brian Kassouf 1c190d4bda
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Calvin Leung Huang 79cb82e133
Add logic for using Auth.Period when handling auth login/renew requests (#3677)
* Add logic for using Auth.Period when handling auth login/renew requests

* Set auth.TTL if not set in handleLoginRequest

* Always set auth.TTL = te.TTL on handleLoginRequest, check TTL and period against sys values on RenewToken

* Get sysView from le.Path, revert tests

* Add back auth.Policies

* Fix TokenStore tests, add resp warning when capping values

* Use switch for ttl/period check on RenewToken

* Move comments around
2017-12-15 13:30:05 -05:00
Brian Kassouf afe53eb862
Database gRPC plugins (#3666)
* Start work on context aware backends

* Start work on moving the database plugins to gRPC in order to pass context

* Add context to builtin database plugins

* use byte slice instead of string

* Context all the things

* Move proto messages to the dbplugin package

* Add a grpc mechanism for running backend plugins

* Serve the GRPC plugin

* Add backwards compatibility to the database plugins

* Remove backend plugin changes

* Remove backend plugin changes

* Cleanup the transport implementations

* If grpc connection is in an unexpected state restart the plugin

* Fix tests

* Fix tests

* Remove context from the request object, replace it with context.TODO

* Add a test to verify netRPC plugins still work

* Remove unused mapstructure call

* Code review fixes

* Code review fixes

* Code review fixes
2017-12-14 14:03:11 -08:00
Jeff Mitchell 20320cd71e
Move location of quit channel closing in exp manager (#3638)
* Move location of quit channel closing in exp manager

If it happens after stopping timers any timers firing before all timers
are stopped will still run the revocation function. With plugin
auto-crash-recovery this could end up instantiating a plugin that could
then try to unwrap a token from a nil token store.

This also plumbs in core so that we can grab a read lock during the
operation and check standby/sealed status before running it (after
grabbing the lock).

* Use context instead of checking core values directly

* Use official Go context in a few key places
2017-12-01 17:08:38 -05:00
Jeff Mitchell 119607dcb7
Seal wrap all root tokens and their leases (#3540) 2017-11-06 13:10:36 -05:00
Chris Hoffman 91338d7aa2 Adding latency injector option to -dev mode for storage operations (#3289) 2017-09-11 14:49:08 -04:00
Chris Hoffman 2002543245 Switching atomic vars to int32 to address panic on some architectures (#3314) 2017-09-11 11:17:22 -04:00
Chris Hoffman 71952b7738 ExpirationManager restoration to load in the background (#3260) 2017-09-05 11:09:00 -04:00
Brian Kassouf b04e0a7a2a Dynamically load and invalidate the token store salt (#3021)
* Dynaically load and invalidate the token store salt

* Pass salt function into the router
2017-07-18 09:02:03 -07:00
Jeff Mitchell c414a525d2 Fix panic when attempting to renew auth token via sys/leases/renew (#2901)
This could occur when using the lease ID; this is unsupported but wasn't
checking for the existence of a secret in the lease.
2017-06-21 16:00:39 +01:00
Jeff Mitchell 858deb9ca4 Don't allow parent references in file paths 2017-05-12 13:52:33 -04:00
Jeff Mitchell b482043de1 Update debugging around tidy 2017-05-05 10:48:12 -04:00
Jeff Mitchell 91e790867f Address feedback 2017-05-05 10:26:40 -04:00
Jeff Mitchell b568ea751b Move client token check in exp register to top 2017-05-04 12:45:57 -04:00
Jeff Mitchell abd63096f8 Update comments 2017-05-04 12:44:31 -04:00
vishalnayak 1a02f9be11 Fix up the tests 2017-05-04 12:41:15 -04:00
vishalnayak 5683430cb7 Update Tidy function comment 2017-05-04 12:11:00 -04:00
Jeff Mitchell d74b1b284a Update commenting 2017-05-04 11:54:57 -04:00
Jeff Mitchell f8295a301d Merge branch 'master-oss' into sys-tidy-leases 2017-05-04 09:37:52 -04:00
Chris Hoffman 3d9cf89ad6 Add the ability to view and list of leases metadata (#2650) 2017-05-03 22:03:42 -04:00
Jeff Mitchell 3b95e751c0 Add more cleanup if a lease fails to register and revoke tokens if registerauth fails 2017-05-03 14:29:57 -04:00
Jeff Mitchell 596ad2c8f7 Adhere to tainted status in salted accessor lookup 2017-05-03 12:36:10 -04:00
Jeff Mitchell 5f18b1605a Two things:
1) Ensure that if we fail to generate a lease for a secret we attempt to revoke it

2) Ensure that any lease that is registered should never have a blank token

In theory, number 2 will let us a) find places where this *is* the case, and b) if errors are encountered when revoking tokens due to a blank client token, it suggests that the client token values are being stripped somewhere along the way, which is also instructive.
2017-05-03 12:17:09 -04:00
vishalnayak dd898ed2e1 Added summary logs to help better understand the consequence 2017-05-03 10:54:07 -04:00
vishalnayak 875658531b Do not duplicate log lines for invalid leases 2017-05-02 17:56:15 -04:00
vishalnayak 5f70576715 Added steps to check if invalid token is properly cleaned up 2017-05-02 17:11:35 -04:00
vishalnayak 68635e8a1c Skip checking the validity of an empty client token 2017-05-02 16:53:41 -04:00
vishalnayak 72d05cd8dd Refactor locking code in lease tidy; add ending debug statements 2017-04-27 16:22:19 -04:00
vishalnayak d8e91ef616 refactor lock handling in token tidy function 2017-04-27 13:48:29 -04:00
vishalnayak ac8aae36fe Distinguish valid and invalid tokens using bool value in cache 2017-04-27 11:31:42 -04:00
vishalnayak 749ec4fab1 Some more logging updates 2017-04-27 11:20:55 -04:00
vishalnayak e64ba93d54 Cache only valid tokens 2017-04-27 11:08:11 -04:00
vishalnayak d256248095 Fix logging suggestions; put the policyStore nil check back in 2017-04-27 10:56:19 -04:00
vishalnayak 3fd019574d Fix logging levels 2017-04-26 17:29:04 -04:00
vishalnayak 7c3e20e9c5 Fix the log statements 2017-04-26 17:17:19 -04:00
vishalnayak 671353810b Added caching of looked up tokens 2017-04-26 16:54:48 -04:00
vishalnayak 9025ef16e4 Added logger to token store and logs to tidy function 2017-04-26 16:11:23 -04:00
vishalnayak 27dd95156d Revoke lease that has empty token; added logs 2017-04-26 15:48:28 -04:00
vishalnayak b939d049e4 Added atomic lock to ensure a single tidy operation is in progress 2017-04-26 15:07:58 -04:00
vishalnayak 3522b67e14 Added sys/tidy-leases endpoint 2017-03-07 15:50:17 -05:00
Brian Kassouf 13ec9c5dbf Load leases into the expiration manager in parallel (#2370)
* Add a benchmark for exiration.Restore

* Add benchmarks for consul Restore functions

* Add a parallel version of expiration.Restore

* remove debug code

* Up the MaxIdleConnsPerHost

* Add tests for etcd

* Return errors and ensure go routines are exited

* Refactor inmem benchmark

* Add s3 bench and refactor a bit

* Few tweaks

* Fix race with waitgroup.Add()

* Fix waitgroup race condition

* Move wait above the info log

* Add helper/consts package to store consts that are needed in cyclic packages

* Remove not used benchmarks
2017-02-16 10:16:06 -08:00
Jeff Mitchell ddc977ba52 Add debug (#2341) 2017-02-06 18:30:13 -05:00
Jeff Mitchell 2c8d18ad8d Attempt to fix expiration test again 2017-01-24 11:17:48 -05:00
Jeff Mitchell b0f741d4a1 Add some extra lease debugging to try to figure out Travis timezone issue 2017-01-24 10:48:11 -05:00
Jeff Mitchell 9e5d1eaac9 Port some updates 2017-01-06 15:42:18 -05:00
Vishal Nayak ba026aeaa1 TokenStore: Added tidy endpoint (#2192) 2016-12-16 15:29:27 -05:00
Jeff Mitchell f6044764c0 Fix revocation of leases when num_uses goes to 0 (#2190) 2016-12-16 13:11:55 -05:00
Jeff Mitchell f0203741ff Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
vishalnayak c14235b206 Merge branch 'master-oss' into json-use-number
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Vishal Nayak 9f1e6c7b26 Merge pull request #1607 from hashicorp/standardize-time
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
vishalnayak e09b40e155 Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC 2016-07-08 18:30:18 -04:00
Jeff Mitchell 7023eafc67 Make the API client retry on 5xx errors.
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.

Fix tests.
2016-07-06 16:50:23 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers.
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell bb1e8ddaa2 Make token renewable status work properly on lookup 2016-06-08 09:19:39 -04:00
vishalnayak 70b8530962 Fix the consul secret backends renewal revocation problem 2016-05-25 23:24:16 -04:00
Jeff Mitchell 75650ec1ad Keep the expiration manager from keeping old token entries.
The expiration manager would never be poked to remove token entries upon
token revocation, if that revocation was initiated in the token store
itself. It might have been to avoid deadlock, since during revocation of
tokens the expiration manager is called, which then calls back into the
token store, and so on.

This adds a way to skip that last call back into the token store if we
know that we're on the revocation path because we're in the middle of
revoking a token. That way the lease is cleaned up. This both prevents
log entries appearing for already-revoked tokens, and it also releases
timer/memory resources since we're not keeping the leases around.
2016-03-31 15:10:25 -04:00
Jeff Mitchell fa2ba47a5c Merge branch 'master' into token-roles 2016-03-09 17:23:34 -05:00
Jeff Mitchell 6df72e6efd Merge pull request #1168 from hashicorp/revoke-force
Add forced revocation.
2016-03-09 16:59:52 -05:00
Jeff Mitchell 4785bec59d Address review feedback 2016-03-09 11:07:13 -05:00
Jeff Mitchell 419598ede2 Warn on error when in force revoke mode 2016-03-08 11:05:46 -05:00
Jeff Mitchell cc1f5207b3 Merge branch 'master' into token-roles 2016-03-07 10:03:54 -05:00
vishalnayak 402444c002 review rework 2 2016-03-04 18:08:13 -05:00
vishalnayak 2f5e65ae24 review rework 2016-03-04 15:35:58 -05:00
vishalnayak 35e71f3ebc Place the response nil check before resp.IsError() 2016-03-04 15:13:04 -05:00
vishalnayak da9152169b changed response of expiration manager's renewtoken to logical.response 2016-03-04 14:56:51 -05:00
Jeff Mitchell cd86226845 Add forced revocation.
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.

This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.

Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.

Fixes #1135
2016-03-03 10:13:59 -05:00
Jeff Mitchell 54232eb980 Add other token role unit tests and some minor other changes. 2016-03-01 12:41:41 -05:00
vishalnayak bc4710eb06 Cert: renewal enhancements 2016-02-24 14:31:38 -05:00
Jeff Mitchell 9c5ad28632 Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell e990b77d6e Address review feedback; move storage of these values to the expiration manager 2016-01-04 16:43:07 -05:00
Jeff Mitchell f2da5b639f Migrate 'uuid' to 'go-uuid' to better fit HC naming convention 2015-12-16 12:56:20 -05:00
Jeff Mitchell 395d6bead4 Fix removing secondary index from exp manager.
Due to a typo, revoking ensures that index entries are created rather
than removed. This adds a failing, then fixed test case (and helper
function) to ensure that index entries are properly removed on revoke.

Fixes #749
2015-11-04 10:50:31 -05:00
Jeff Mitchell 78b5fcdf51 Serialize changing the state of the expiration manager pointer and
calling emitMetrics from its own goroutine.

Fixes #694
2015-10-12 16:33:54 -04:00
Jeff Mitchell a9155ef85e Use split-out hashicorp/uuid 2015-10-12 14:07:12 -04:00
Jeff Mitchell 77e7379ab5 Implement the cubbyhole backend
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell c460ff10ca Push a lot of logic into Router to make a bunch of it nicer and enable a
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
Jeff Mitchell 3f45f3f41b Rename config lease_duration parameters to lease_ttl in line with current standardization efforts 2015-08-27 07:50:24 -07:00
Jeff Mitchell ea9fbb90bc Rejig Lease terminology internally; also, put a few JSON names back to their original values 2015-08-20 22:27:01 -07:00