Commit graph

145 commits

Author SHA1 Message Date
Nick Cabatoff 9e34c0b543
Add new method to access a client config's TLSConfig. (#20265) 2023-04-19 15:14:18 -04:00
Hamid Ghaf 27bb03bbc0
adding copyright header (#19555)
* adding copyright header

* fix fmt and a test
2023-03-15 09:00:52 -07:00
Leland Ursu 1b3083c98c
address various issues with the output-policy flag (#19160)
* update error message and properly handle list requests

* since we do agressive sanitizes we need to optionally check trailing slash

* added changelog record

* remove redundant path formating

* Update changelog/13106.txt

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* addressed comments from review

* also remove code that duplicates efforts in kv_list

* abstracted helper func for testing

* added test cases for the policy builder

* updated the changelog to the correct one

* removed calls that apear not to do anything given test case results

* fixed spacing issue in output string

* remove const representation of list url param

* addressed comments for pr

---------

Co-authored-by: lursu <leland.ursu@hashicorp.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-02-21 10:12:45 -05:00
Nick Cabatoff 53afd2627b
Make API not depend on SDK (#18962) 2023-02-06 09:41:56 -05:00
Anton Averchenkov a4973bc45a
Remove timeout logic from ReadRaw functions and add ReadRawWithContext (#18708)
Removing the timeout logic from raw-response functions and adding documentation comments. The following functions are affected:

- `ReadRaw`
- `ReadRawWithContext` (newly added)
- `ReadRawWithData`
- `ReadRawWithDataWithContext`

The previous logic of using `ctx, _ = c.c.withConfiguredTimeout(ctx)` could cause a potential [context leak](https://pkg.go.dev/context):

> Failing to call the CancelFunc leaks the child and its children until the parent is canceled or the timer fires. The go vet tool checks that CancelFuncs are used on all control-flow paths.

Cancelling the context would have caused more issues since the context would be cancelled before the request body is closed.

Resolves: #18658
2023-01-17 15:41:59 -05:00
Peter Wilson 42ba1384ff
Added flag and env var which will disable client redirection (#17352)
* Added flag and env var which will disable client redirection

* Added changelog

* Docs fix for unsaved file, and test single request made

* Updated test for case when redirect is enabled, updated docs based on suggestions
2022-09-30 09:29:37 +01:00
Jason O'Donnell e3f942f51c
agent: add disable_keep_alives configurable (#16479)
agent: add disable_keep_alives config

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
2022-07-28 12:59:49 -07:00
Marc Boudreau 03d75a7b60
Improving Handling of Unix Domain Socket Addresses (#11904)
* Removed redundant checks for same env var in ReadEnvironment, extracted Unix domain socket logic to function, and made use of this logic in SetAddress.  Adjusted unit tests to verify proper Unix domain socket handling.

* Adding case to revert from Unix domain socket dial function back to TCP

* Adding changelog file

* Only adjust DialContext if RoundTripper is an http.Transport

* Switching from read lock to normal lock

* only reset transport DialContext when setting different address type

* made ParseAddress a method on Config

* Adding additional tests to cover transitions to/from TCP to Unix

* Moved Config type method ParseAddress closer to type's other methods.

* make release note more end-user focused

* adopt review feedback to add comment about holding a lock
2022-06-21 15:16:58 -07:00
Jason O'Donnell dd2ced661b
agent: add disable_idle_connections configurable (#15986)
* agent: add disable_keep_alives configurable

* Add empty test

* Add website doc

* Change to disable_idle_connections

* Update tests and doc

* Add note about env

* Changelog

* Change to slice

* Remove unused disable keep alive methods

* Add invalid value test
2022-06-16 18:06:22 -04:00
Peter Wilson bcb30223bf
Added support for VAULT_PROXY_ADDR + Updated docs (#15377)
Updated documentation to describe the behavior when supplying `VAULT_HTTP_PROXY`. Also added support for `VAULT_PROXY_ADDR` as a 'better name' for `VAULT_HTTP_PROXY`.
2022-05-24 13:38:51 -04:00
Josh Black 416504d8c3
Add autopilot automated upgrades and redundancy zones (#15521) 2022-05-20 16:49:11 -04:00
VAL 0ef529b710
Global flag that outputs minimum policy HCL required for an operation (#14899)
* WIP: output policy

* Outputs example policy HCL for given request

* Simplify conditional

* Add PATCH capability

* Use OpenAPI spec and regex patterns to determine if path is sudo

* Add test for isSudoPath

* Add changelog

* Fix broken CLI tests

* Add output-policy to client cloning code

* Smaller fixes from PR comments

* Clone client instead of saving and restoring custom values

* Fix test

* Address comments

* Don't unset output-policy flag on KV requests otherwise the preflight request will fail and not populate LastOutputPolicyError

* Print errors saved in buffer from preflight KV requests

* Unescape characters in request URL

* Rename methods and properties to improve readability

* Put KV-specificness at front of KV-specific error

* Simplify logic by doing more direct returns of strings and errors

* Use precompiled regexes and move OpenAPI call to tests

* Remove commented out code

* Remove legacy MFA paths

* Remove unnecessary use of client

* Move sudo paths map to plugin helper

* Remove unused error return

* Add explanatory comment

* Remove need to pass in address

* Make {name} regex less greedy

* Use method and path instead of info from retryablerequest

* Add test for IsSudoPaths, use more idiomatic naming

* Use precompiled regexes and move OpenAPI call to tests (#15170)

* Use precompiled regexes and move OpenAPI call to tests

* Remove commented out code

* Remove legacy MFA paths

* Remove unnecessary use of client

* Move sudo paths map to plugin helper

* Remove unused error return

* Add explanatory comment

* Remove need to pass in address

* Make {name} regex less greedy

* Use method and path instead of info from retryablerequest

* Add test for IsSudoPaths, use more idiomatic naming

* Make stderr writing more obvious, fix nil pointer deref
2022-04-27 16:35:18 -07:00
Vinny Mannello 3e6665f65d
[Vault-5736] Add (*Client).WithNamespace() for temporary namespace handling (#14963)
temporary namespace calls
2022-04-14 09:50:21 -07:00
VAL 5f80aec3c7
Don't clone OutputCurlString value (#14968)
* Don't clone OutputCurlString value, add flag to docs

* Add changelog
2022-04-08 09:58:50 -07:00
Anton Averchenkov 8db5c6c6cc
Add ability to pass certificate PEM bytes to vault/api (#14753) 2022-04-06 11:21:46 -04:00
Anton Averchenkov 1222375d1a
Add context-aware functions to vault/api (#14388) 2022-03-23 17:47:43 -04:00
Vinny Mannello 2290ca5e83
[VAULT-5003] Use net/http client in Sys().RaftSnapshotRestore (#14269)
Use net/http client when body could be too big for retryablehttp client
2022-03-14 10:13:33 -07:00
Josh Black e83471d7de
Login MFA (#14025)
* Login MFA

* ENT OSS segragation (#14088)

* Delete method id if not used in an MFA enforcement config (#14063)

* Delete an MFA methodID only if it is not used by an MFA enforcement config

* Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path

* adding use_passcode field to DUO config (#14059)

* add changelog

* preventing replay attack on MFA passcodes (#14056)

* preventing replay attack on MFA passcodes

* using %w instead of %s for error

* Improve CLI command for login mfa (#14106)

CLI prints a warning message indicating the login request needs to get validated

* adding the validity period of a passcode to error messages (#14115)

* PR feedback

* duo to handle preventing passcode reuse

Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: hamid ghaf <hamid@hashicorp.com>
2022-02-17 13:08:51 -08:00
Jordan Reimer b936db8332
Revert "MFA (#14049)" (#14135)
This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 13:17:59 -07:00
Jordan Reimer 36ccfaa3aa
MFA (#14049)
* adds development workflow to mirage config

* adds mirage handler and factory for mfa workflow

* adds mfa handling to auth service and cluster adapter

* moves auth success logic from form to controller

* adds mfa form component

* shows delayed auth message for all methods

* adds new code delay to mfa form

* adds error views

* fixes merge conflict

* adds integration tests for mfa-form component

* fixes auth tests

* updates mfa response handling to align with backend

* updates mfa-form to handle multiple methods and constraints

* adds noDefault arg to Select component

* updates mirage mfa handler to align with backend and adds generator for various mfa scenarios

* adds tests

* flaky test fix attempt

* reverts test fix attempt

* adds changelog entry

* updates comments for todo items

* removes faker from mfa mirage factory and handler

* adds number to word helper

* fixes tests

* Revert "Merge branch 'main' into ui/mfa"

This reverts commit 8ee6a6aaa1b6c9ec16b985c10d91c3806819ec40, reversing
changes made to 2428dd6cca07bb41cda3f453619646ca3a88bfd0.

* format-ttl helper fix from main
2022-02-17 09:10:56 -07:00
Theron Voran 5d25d5c380
api/client: forward and inconsistent header const (#14067)
Adds constants for X-Vault-Forward and X-Vault-Inconsistent headers to
api/client.go
2022-02-16 10:02:32 -08:00
VAL ccf3c549fb
Correct return value explanation in docstring (#13931) 2022-02-08 09:54:59 -08:00
Rémi Lapeyre fb4b85d921
Add support for client certificates to -output-curl-string (#13660)
* Add support for client certificates to -output-curl-string

I did not write tests for this feature as -output-curl-string was not
already tested and this is a simple change. Because the name of the
certificates would be lost once loaded I added fields to Config to keep
track of them. I did not add a public method for the user to set them
explicitely as I don't think anyone would need this functionnality
outside of the Vault CLI.

Closes https://github.com/hashicorp/vault/issues/13376

* Add changelog

* Add lock in ConfigureTLS
2022-01-20 10:25:26 -08:00
Pratyoy Mukhopadhyay 85725ba3ec
OSS changes for ent pr (#13696) 2022-01-19 09:43:12 -08:00
Ben Ash ef8e4008a8
Add ability to optionally clone a Client's token (#13515) 2021-12-22 17:07:26 -05:00
Ben Ash fab2f630b4
Fix properly initialize replicateStateStore from SetReadYourWrites() (#13486)
Fixes an issue where the `replicateStateStore` was being set to `nil`
upon consecutive calls to `client.SetReadYourWrites(true)`.
2021-12-21 16:14:39 -05:00
Ben Ash 0b095588c6
api.Client: support isolated read-after-write (#12814)
- add new configuration option, ReadYourWrites, which enables a Client
  to provide cluster replication states to every request. A curated set
  of cluster replication states are stored in the replicationStateStore,
  and is shared across clones.
2021-10-14 14:51:31 -04:00
vinay-gopalan 458927c2ed
[VAULT-3157] Move mergeStates utils from Agent to api module (#12731)
* move merge and compare states to vault core

* move MergeState, CompareStates and ParseRequiredStates to api package

* fix merge state reference in API Proxy

* move mergeStates test to api package

* add changelog

* ghost commit to trigger CI

* rename CompareStates to CompareReplicationStates

* rename MergeStates and make compareStates and parseStates private methods

* improved error messaging in parseReplicationState

* export ParseReplicationState for enterprise files
2021-10-06 10:57:06 -07:00
Michael Boulding 79662d0842
Patch to support VAULT_HTTP_PROXY variable (#12582)
* patch to support VAULT_HTTP_PROXY variable

* simplify the proxy replacement

* internal code review

* rename to VAULT_HTTP_PROXY, apply within ReadEnvironment

* clean up some unintended whitespace changes

* add docs for the new env variable and a changelog entry

Co-authored-by: Dave Du Cros <davidducros@gmail.com>
2021-10-06 09:40:31 -07:00
Jinlong Chen 666b78911f
Fix client.go (#12608)
Modify one annotation.
2021-09-22 13:07:40 -07:00
Ben Ash e899e2adfa
Add ability to optionally clone an api.Client's headers (#12117) 2021-07-19 17:15:31 -04:00
Jeff Mitchell f7147025dd
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090)
* Swap sdk/helper libs to go-secure-stdlib

* Migrate to go-secure-stdlib reloadutil

* Migrate to go-secure-stdlib kv-builder

* Migrate to go-secure-stdlib gatedwriter
2021-07-15 20:17:31 -04:00
Richard Patel 864d52b9af
Support tls-skip-verify for output-curl-string (#11713) 2021-06-14 11:09:29 -04:00
Rajwinder Mahal 5870c3daa5
api/client: allow configurable values for RetryWaitMin and RetryWaitMax (#11773) 2021-06-11 15:15:21 -04:00
Calvin Leung Huang 8cb48018b7
api/client: provide the ability to set a logger on retryablehttp.Client (#11696)
* api/client: provide the ability to set a logger on retryablehttp.Client

* go mod tidy; fix import ordering

* go mod vendor
2021-05-27 10:25:25 -07:00
Brian Kassouf 303c2aee7c
Run a more strict formatter over the code (#11312)
* Update tooling

* Run gofumpt

* go mod vendor
2021-04-08 09:43:39 -07:00
Andrej van der Zee df159d7622
Respect VAULT_MAX_RETRIES from environment in DefaultConfig() (#10883) 2021-03-02 10:39:20 -08:00
Ace Eldeib 9584c989ca
don't panic on connection errors in DefaultRetryPolicy (#11002)
fixes #11001
2021-02-25 13:16:17 -05:00
Nick Cabatoff c1ddfbb538
OSS parts of the new client controlled consistency feature (#10974) 2021-02-24 06:58:10 -05:00
Josh Black a7aac342bd
Only set the namespace if the env var isn't present (#1519) (#10556) 2020-12-14 11:40:48 -08:00
Josh Black 67ffd0b6de
Fix client.Clone() to include the address. (#10077) 2020-11-06 11:27:35 -08:00
Billie Cleek 009ef0b8a4
document response wrapping behavior (#8156)
Document response wrapping behavior so that it's clear how
WrappingLookupFuncs should behave.
2020-06-08 10:50:48 -04:00
Jeff Mitchell 62ec73340c Update comment in client about canceling the WithTimeout context 2020-05-08 14:48:26 -04:00
Daniel Spangenberg 8007845ba4
Fix SRV Lookups (#8520)
* Pin HTTP Host header for all client requests
* Drop port map scheme
* Add SRV Lookup environment var
* Lookup SRV records only when env var is specified
* Add docs

Co-Authored-By: Michel Vocks <michelvocks@gmail.com>
2020-03-11 14:22:58 +01:00
Becca Petrin c2894b8d05
Add Kerberos auth agent (#7999)
* add kerberos auth agent

* strip old comment

* changes from feedback

* strip appengine indirect dependency
2020-01-09 14:56:34 -08:00
Michel Vocks 0beb645830
Fix SRV lookup if address scheme is known (#8016) 2019-12-16 09:34:40 +01:00
Jeff Mitchell 2b2e61db82
Revert change suggested by vet. See the comment for details. (#7815) 2019-11-06 17:03:37 -05:00
Jeff Mitchell 519d1b3cb8
Fix some vet issues in api package (#7789)
* Dropped cancel func
* Bad struct tag
2019-11-05 12:07:06 -05:00
Joe Dollard 7f843c4c9b support setting the API client retry policy (#7331) 2019-10-28 15:54:59 -04:00
ncabatoff db43d22325
Do not allow the same header map to be shared across requests. (#7690) 2019-10-17 11:48:15 -04:00