Commit graph

6658 commits

Author SHA1 Message Date
Jonathan Freedman 4109473134 More Mount Conflict Detection (#2919) 2017-11-06 15:29:09 -05:00
Lars Lehtonen 8ccdaa1860 Fix swallowed errors in TestRollbackManager_Join() (#3327) 2017-11-06 14:34:27 -05:00
Jeff Mitchell 71b5aa22e5 changelog++ 2017-11-06 13:32:30 -05:00
Gregory Reshetniak 57c9afa357 added AWS enpoint handling (#3416) 2017-11-06 13:31:38 -05:00
Jeff Mitchell 119607dcb7
Seal wrap all root tokens and their leases (#3540) 2017-11-06 13:10:36 -05:00
Vishal Nayak 2af5b9274f
Return group memberships of entity during read (#3526)
* return group memberships of entity during read

* Add implied group memberships to read response of entity

* distinguish between all, direct and inherited group IDs of an entity

* address review feedback

* address review feedback

* s/implied/inherited in tests
2017-11-06 13:01:48 -05:00
Calvin Leung Huang d7305a4681
Add note on support for using rec keys on /sys/rekey (#3517) 2017-11-06 12:18:15 -05:00
Jason Antman af649c60d0 Add third party tools list to website (#3488) 2017-11-06 12:11:02 -05:00
Jeff Mitchell 7e80b4b7ad
Minor client refactoring (#3539) 2017-11-06 12:06:19 -05:00
Jeff Mitchell 5f254f0245 changelog++ 2017-11-06 12:05:44 -05:00
Jeff Mitchell 17310654a1
Add PKCS8 marshaling to PKI (#3518) 2017-11-06 12:05:07 -05:00
Calvin Leung Huang 93917743df
Update SSH list roles docs (#3536) 2017-11-03 18:00:46 -04:00
Jeff Mitchell 357b8df0c5 Merge branch 'master' of https://github.com/hashicorp/vault into master-oss 2017-11-03 17:30:40 -04:00
Jeff Mitchell 85ea7363d4 Update gocql dep 2017-11-03 17:30:34 -04:00
Calvin Leung Huang e91e2278e3 changelog++ 2017-11-03 17:24:20 -04:00
Calvin Leung Huang 512b254820
Return role info for each role on pathRoleList (#3532)
* Return role info for each role on pathRoleList

* Change roles -> key_info, only return key_type

* Do not initialize result map in parseRole, refactor ListResponseWithInfo

* Add role list test
2017-11-03 17:12:03 -04:00
Jeff Mitchell 7672b1d168 changelog++ 2017-11-03 13:40:19 -04:00
Jeff Mitchell 1b7a7d9b98 changelog++ 2017-11-03 13:38:55 -04:00
Ben Higgins f78ab356d4 vault: recover from standby losing etcd lease (#3031) (#3511)
This change makes these errors transient instead of permanent:

[ERROR] core: failed to acquire lock: error=etcdserver: requested lease not found

After this change, there can still be one of these errors when a
standby vault that lost its lease tries to become leader, but on the
next lock acquisition attempt a new session will be created. With this
new session, the standby will be able to become the leader.
2017-11-03 13:38:16 -04:00
Jeff Mitchell 9952ddaf69
Add some more SealWrap declarations (#3531) 2017-11-03 11:43:31 -04:00
Chris Hoffman 1e03e1bad3
Fix group/policy iterators with multiple groups (#3527)
* fixing some group iterators

* fix slice rewrite
2017-11-03 11:26:22 -04:00
Vishal Nayak e4e4a7ba67
Capabilities responds considering policies on entities and groups (#3522)
* Capabilities endpoint will now return considering policies on entities and groups

* refactor the policy derivation into a separate function

* Docs: Update docs to reflect the change in capabilities endpoint
2017-11-03 11:20:10 -04:00
Vishal Nayak 06923430cc
docs: s/persona/alias (#3529) 2017-11-03 11:17:59 -04:00
vishalnayak 472efb66b6 changelog++ 2017-11-03 10:48:39 -04:00
Vishal Nayak 52df62d4ff
Encrypt/Decrypt/Sign/Verify using RSA in Transit backend (#3489)
* encrypt/decrypt/sign/verify RSA

* update path-help and doc

* Fix the bug which was breaking convergent encryption

* support both 2048 and 4096

* update doc to contain both 2048 and 4096

* Add test for encrypt, decrypt and rotate on RSA keys

* Support exporting RSA keys

* Add sign and verify test steps

* Remove 'RSA' from PEM header

* use the default salt length

* Add 'RSA' to PEM header since openssl is expecting that

* export rsa keys as signing-key as well

* Comment the reasoning behind the PEM headers

* remove comment

* update comment

* Parameterize hashing for RSA signing and verification

* Added test steps to check hash algo choice for RSA sign/verify

* fix test by using 'prehashed'
2017-11-03 10:45:53 -04:00
Chris Hoffman 83ea47f706
fixing test after field rename (#3530) 2017-11-03 10:29:42 -04:00
Chris Hoffman 5aac027469
fix unseal reset test (#3528) 2017-11-03 09:31:39 -04:00
Chris Hoffman 16059b4e94
Fix policy lookup when entity is part of multiple groups (#3524) 2017-11-03 07:19:29 -04:00
Vishal Nayak a7acc23034
docs: Add config/ca delete operation (#3525) 2017-11-03 06:19:21 -04:00
Jeff Mitchell 87c3fb2d54 changelog++ 2017-11-02 17:41:52 -04:00
Jeff Mitchell 3a2440a651
Check input size to avoid a panic (#3521) 2017-11-02 16:40:52 -05:00
Vishal Nayak 707e270f54
Added lookup endpoint for entity (#3519)
* Added lookup endpoint for entity

* Address review comments
2017-11-02 16:38:15 -04:00
Calvin Leung Huang 0762ac14cf aws_region->region on awskms config 2017-11-02 16:31:16 -04:00
Vishal Nayak 7bae606662
External identity groups (#3447)
* external identity groups

* add local LDAP groups as well to group aliases

* add group aliases for okta credential backend

* Fix panic in tests

* fix build failure

* remove duplicated struct tag

* add test steps to test out removal of group member during renewals

* Add comment for having a prefix check in router

* fix tests

* s/parent_id/canonical_id

* s/parent/canonical in comments and errors
2017-11-02 16:05:48 -04:00
Jeff Mitchell 710243ab26 Fix some tests 2017-11-02 15:35:06 -04:00
Jeff Mitchell 595c9032c8 changelog++ 2017-11-02 10:38:43 -04:00
Jeff Mitchell d229d7d5b0
Redo API locking (#3508)
* Redo the API client quite a bit to make the behavior of NewClient more
predictable and add locking to make it safer to use with Clone() and if
multiple goroutines for some reason decide to change things.

Along the way I discovered that currently, the x/net/http2 package is
broke with the built-in h2 support in released Go. For those using
DefaultConfig (the vast majority of cases) this will be a non-event.
Others can manually call http2.ConfigureTransport as needed. We should
keep an eye on commits on that repo and consider more updates before
release. Alternately we could go back revisions but miss out on bug
fixes; my theory is that this is not a purposeful break and I'll be
following up on this in the Go issue tracker.

In a few tests that don't use NewTestCluster, either for legacy or other
reasons, ensure that http2.ConfigureTransport is called.

* Use tls config cloning

* Don't http2.ConfigureServer anymore as current Go seems to work properly without requiring the http2 package

* Address feedback
2017-11-02 09:30:04 -05:00
Jeff Mitchell 1ba4e828b4
Ensure revocation happens before seal/step-down since token store isn't (#3500)
available after when using single-use tokens.

Fixes #3497
2017-11-02 08:47:02 -05:00
Jeff Mitchell 3be99466d6
Change some instances of adding headers to setting headers, since really (#3501)
we want to replace anything that might be there (e.g. for request
forwarding and content-type).

Hopefully fixes #3485
2017-11-02 07:31:50 -05:00
Chris Hoffman 3d8d887676
Add ability to require parameters in ACLs (#3510) 2017-11-02 07:18:49 -04:00
Jeff Mitchell e0669746b6
Add seal type to seal-status output. (#3516) 2017-11-01 21:00:41 -05:00
Jeff Mitchell e670447947 Use an atomic store in expiration loading test to fix race detector 2017-11-01 15:52:59 -04:00
Vishal Nayak 859cdd35fd
fix deadlock while loading groups (#3515) 2017-11-01 14:14:21 -04:00
Jeff Mitchell 7f58c55fbc changelog++ 2017-10-31 21:59:33 -04:00
Jeff Mitchell d548181d50
Fix memory leak when a connection would hit the cluster port and go away (#3513) 2017-10-31 20:58:45 -05:00
Brian Kassouf 7974be031c
Update CHANGELOG.md 2017-10-30 13:26:15 -07:00
Brian Kassouf 7fed43c035
Add the ability to glob allowed roles in the Database Backend (#3387)
* Add the ability to glob allowed roles in the Database Backend

* Make the error messages better

* Switch to the go-glob repo
2017-10-30 13:24:25 -07:00
Jeff Mitchell 6680bab684 changelog++ 2017-10-30 16:08:18 -04:00
Jeff Mitchell 7486df810c
Simplify TTL/MaxTTL logic in SSH CA paths and sane with the rest of how (#3507)
Vault parses/returns TTLs.
2017-10-30 15:05:47 -05:00
Nathan Valentine 0345dca20f Should these names not reference Vault? (#3506)
Since we are in the Vault docs, should these names not reference Vault instead of Nomad?
2017-10-30 11:04:38 -05:00