Commit graph

106 commits

Author SHA1 Message Date
Jeff Mitchell 2f9a7c6203
Add more perf standby guards (#6149) 2019-02-01 16:56:57 -05:00
Jim Kalafut d0e2badbae Run goimports across the repository (#6010)
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Jeff Mitchell e11c7966fa
Change credential_types output to credential_type (#5975)
Fixes #5972
2019-01-04 14:49:53 -05:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
andrejvanderzee 585911c79e Added role-option max_sts_ttl to cap TTL for AWS STS credentials. (#5500)
* Added role-option max_sts_ttl to cap TTL for AWS STS credentials.

* Allow for setting max_sts_ttl to 0 after it has been set already.

* Fixed message in error response for default_sts_ttl > max_sts_ttl.
2018-10-20 10:36:47 -04:00
Jeff Mitchell c8dbab9c3d
Only return 200 if there are actually warnings in AWS roles create/update (#5487) 2018-10-09 16:52:47 -04:00
Becca Petrin 937cfff21a
Make builtin auth and secret plugins buildable (#5456) 2018-10-09 09:29:20 -07:00
Joel Thompson 6a9e6cc474 Allow specifying role-default TTLs in AWS secret engine (#5138)
* Allow specifying role-default TTLs in AWS secret engine

* Add an acceptance test

* Add docs for AWS secret role-default TTLs

* Rename default_ttl to default_sts_ttl

* Return default_ttl as int64 instead of time.Duration

* Fix broken tests

The merge of #5383 broke the tests due to some changes in the test style
that didn't actually cause a git merge conflict. This updates the tests
to the new style.
2018-10-02 10:14:16 -04:00
vishalnayak c91266950f Fix broken build 2018-09-27 10:58:04 -04:00
Joel Thompson 73112c49fb logical/aws: Harden WAL entry creation (#5202)
* logical/aws: Harden WAL entry creation

If AWS IAM user creation failed in any way, the WAL corresponding to the
IAM user would get left around and Vault would try to roll it back.
However, because the user never existed, the rollback failed. Thus, the
WAL would essentially get "stuck" and Vault would continually attempt to
roll it back, failing every time. A similar situation could arise if the
IAM user that Vault created got deleted out of band, or if Vault deleted
it but was unable to write the lease revocation back to storage (e.g., a
storage failure).

This attempts to harden it in two ways. One is by deleting the WAL log
entry if the IAM user creation fails. However, the WAL deletion could
still fail, and this wouldn't help where the user is deleted out of
band, so second, consider the user rolled back if the user just doesn't
exist, under certain circumstances.

Fixes #5190

* Fix segfault in expiration unit tests

TestExpiration_Tidy was passing in a leaseEntry that had a nil Secret,
which then caused a segfault as the changes to revokeEntry didn't check
whether Secret was nil; this is probably unlikely to occur in real life,
but good to be extra cautious.

* Fix potential segfault

Missed the else...

* Respond to PR feedback
2018-09-27 09:54:59 -05:00
Joel Thompson 5e6f8904d8 Add AWS Secret Engine Root Credential Rotation (#5140)
* Add AWS Secret Engine Root Credential Rotation

This allows the AWS Secret Engine to rotate its credentials used to
access AWS. This will only work when the AWS Secret Engine has been
provided explicit IAM credentials via the config/root endpoint, and
further, when the IAM credentials provided are the only access key on
the IAM user associated wtih the access key (because AWS allows a
maximum of 2 access keys per user).

Fixes #4385

* Add test for AWS root credential rotation

Also fix a typo in the root credential rotation code

* Add docs for AWS root rotation

* Add locks around reading and writing config/root

And wire the backend up in a bunch of places so the config can get the
lock

* Respond to PR feedback

* Fix casing in error messages

* Fix merge errors

* Fix locking bugs
2018-09-26 07:10:00 -07:00
Joel Thompson e66795a095 logical/aws: Run Acceptance Tests in Parallel (#5383)
* Parallelize a couple AWS acceptance tests

Starting an effort to paralleize AWS secret engine acceptance tests.
Currently they take over a minute to run, and this parallelizes the two
that explicitly call a 10-second sleep, reulting in a 10-second speedup
in test time.

* Parameterize IAM user name

Probably not needed, but future-proofing the code

* Make remainder of tests parallel

AWS_ACCOUNT_ID environment variable is no longer being used; global
mutable state is a recipe for disaster when trying to run things in
parallel, and parallelizing the tests exposed a race condition in which
they were depending on the AWS_ACCOUNT_ID environment variable to be set
before they were run.

AWS_DEFAULT_REGION is still left as an environment variable because it
is required by AWS SDKs, but its configuration is now protected by a
sync.Once to ensure it only ever gets called a single time.

* Replace generateUnique*Name with testhelpers method
2018-09-25 17:10:53 -07:00
Clint 5882156f53
Translate AWS Rate limiting errors to 502 errors (#5270)
* Initial implemntation of returning 529 for rate limits

- bump aws iam and sts packages to v1.14.31 to get mocking interface
- promote the iam and sts clients to the aws backend struct, for mocking in tests
- this also promotes some functions to methods on the Backend struct, so
  that we can use the injected client

Generating creds requires reading config/root for credentials to contact
IAM. Here we make pathConfigRoot a method on aws/backend so we can clear
the clients on successful update of config/root path. Adds a mutex to
safely clear the clients

* refactor locking and unlocking into methods on *backend

* refactor/simply the locking

* check client after grabbing lock
2018-09-18 15:26:06 -05:00
Jason Watson d126d94779 Fix small warning message typo: paramemter (#5232) 2018-09-05 11:56:09 -04:00
Joel Thompson 0941c7a24a Make AWS credential types more explicit (#4360)
* Make AWS credential types more explicit

The AWS secret engine had a lot of confusing overloading with role
paramemters and how they mapped to each of the three credential types
supported. This now adds parameters to remove the overloading while
maintaining backwards compatibility.

With the change, it also becomes easier to add other feature requests.
Attaching multiple managed policies to IAM users and adding a policy
document to STS AssumedRole credentials is now also supported.

Fixes #4229
Fixes #3751
Fixes #2817

* Add missing write action to STS endpoint

* Allow unsetting policy_document with empty string

This allows unsetting the policy_document by passing in an empty string.
Previously, it would fail because the empty string isn't a valid JSON
document.

* Respond to some PR feedback

* Refactor and simplify role reading/upgrading

This gets rid of the duplicated role upgrade code between both role
reading and role writing by handling the upgrade all in the role
reading.

* Eliminate duplicated AWS secret test code

The testAccStepReadUser and testAccStepReadSTS were virtually identical,
so they are consolidated into a single method with the path passed in.

* Switch to use AWS ARN parser
2018-08-16 06:38:13 -04:00
Calvin Leung Huang c7dddaf537
Skip CI acceptance tests on missing required values (#4346)
* Skip dynamic key acceptance test if vaultssh user not present

* Skip aws acceptance test if required environment variables are missing
2018-04-13 10:18:06 -04:00
Becca Petrin abb621752f Clean up error string formatting (#4304) 2018-04-09 14:35:21 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Chris Hoffman a7ada08b3b
Core handling of TTLs (#4230)
* govet cleanup in token store

* adding general ttl handling to login requests

* consolidating TTL calculation to system view

* deprecate LeaseExtend

* deprecate LeaseExtend

* set the increment to the correct value

* move calculateTTL out of SystemView

* remove unused value

* add back clearing of lease id

* implement core ttl in some backends

* removing increment and issue time from lease options

* adding ttl tests, fixing some compile issue

* adding ttl tests

* fixing some explicit max TTL logic

* fixing up some tests

* removing unneeded test

* off by one errors...

* adding back some logic for bc

* adding period to return on renewal

* tweaking max ttl capping slightly

* use the appropriate precision for ttl calculation

* deprecate proto fields instead of delete

* addressing feedback

* moving TTL handling for backends to core

* mongo is a secret backend not auth

* adding estimated ttl for backends that also manage the expiration time

* set the estimate values before calling the renew request

* moving calculate TTL to framework, revert removal of increment and issue time from logical

* minor edits

* addressing feedback

* address more feedback
2018-04-03 12:20:20 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Joel Thompson 2f8e3c27f4 Accept temp creds in AWS secret backend acceptance tests (#4076)
* Accept temp creds in AWS secret backend acceptance tests

The AWS secret backend acceptance tests implicitly accepted long-lived
AWS credentials (i.e., AWS IAM user and/or root credentials) in two
ways:

1. It expected credentials to be passed in via the AWS_ACCESS_KEY_ID and
   AWS_SECRET_ACCESS_KEY environment variables. By not accepting
   AWS_SESSION_TOKEN or AWS_SECURITY_TOKEN, temporary credentials could
   not be passed in. (This also forced all credentials to be passed in
   via environment variables, which is a bit ugly).
2. The AWS sts:GetFederationToken call is only allowed from long-term
   credentials. This is called by the Vault code which the acceptance
   tests exercise.

1 is solved by deleting explicit references to credentials, which allows
the SDK to do one of the things it does best -- find credentials via the
default chain.

2 is a little more complicated. Rather than pass in whatever creds the
acceptance test was run under to the backend, the acceptance test now
creates a new IAM user and gets an access key from it, then passes the
IAM user's creds back to the backend so that it can call
sts:GetFederationToken (and then tries to clean up afterwards).

* Fix Travis build failure

The Travis build was failing because the user creation was happening
regardless of whether it was running in acceptance test mode or not.
This moves the user creation into the acceptance test precheck, which
requires lazily evaluating the credentials when configuring the backend
in the STS accetpance test, and so moving that to a PreFlight closure.

* Reduce blind sleeps in AWS secret backend acceptance tests

This removes a blind "sleep 10 seconds and then attempt to reuse the
credential" codepath and instead just keeps attemtping to reuse the
credential for 10 seconds and fails if there aren't any successful uses
after 10 seconds. This adds a few seconds speedup of acceptance test
runs from my experiments.
2018-03-13 10:35:10 -04:00
Mohsen 41b07a0987 Maximum number of retries aws sdk attempts for recoverable exceptions. (#3965) 2018-02-16 11:11:17 -05:00
Jeff Mitchell fc6564e4ee
Don't run rollback and upgrade functionality if we are a replication secondary (#3900)
* Don't run rollback and upgrade functionality if we are a replication
secondary, but do if the mount is local.
2018-02-02 20:28:25 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Brian Kassouf 1c190d4bda
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Will Glynn 282f648597 Document that AWS STS lease revocation is a no-op [fixes #3736] (#3760) 2018-01-08 10:28:07 -06:00
Gregory Reshetniak 57c9afa357 added AWS enpoint handling (#3416) 2017-11-06 13:31:38 -05:00
Jeff Mitchell 9952ddaf69
Add some more SealWrap declarations (#3531) 2017-11-03 11:43:31 -04:00
Calvin Leung Huang 78b1dfd7bb Handle errors from getRootConfig on aws logical backend (#3294) 2017-09-08 13:00:29 -04:00
Jeff Mitchell 4885b3e502 Use RemoteCredProvider instead of EC2RoleProvider (#2983) 2017-07-31 18:27:16 -04:00
Calvin Leung Huang 3e8aecc7d5 Add BackendType to existing backends (#3078) 2017-07-28 14:04:46 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Lars Lehtonen 3f0b15826a Fix swallowed errors in builtin (#2977) 2017-07-07 08:23:12 -04:00
sprohaska 90be96989a logical/aws: Fix typo in warning message (#2747)
Signed-off-by: Steffen Prohaska <prohaska@zib.de>
2017-05-19 06:20:54 -04:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Félix Cantournet 103b7ceab2 all: test: Fix govet warnings
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
vishalnayak 9dbc97028b STS path field description update 2016-08-30 10:53:21 -04:00
vishalnayak 0b07ec7303 Added UpdateOperation to logical AWS STS path 2016-08-30 10:30:13 -04:00
Jeff Mitchell f0537572a8 Mark STS secrets as non-renwable
Ping #1800
2016-08-28 14:27:56 -04:00
Jeff Mitchell 2860dcc60f gofmt 2016-08-19 16:48:32 -04:00
vishalnayak e09b40e155 Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC 2016-07-08 18:30:18 -04:00
Vishal Nayak 711c05a319 Merge pull request #1546 from hashicorp/secret-aws-roles
Added list functionality to logical aws backend's roles
2016-06-20 20:10:24 -04:00
vishalnayak 1976c9e75b Added test case for listing aws secret backend roles 2016-06-20 20:09:31 -04:00
vishalnayak 8b490e44a1 Added list functionality to logical aws backend's roles 2016-06-20 19:51:04 -04:00
vishalnayak 0760a89eb4 Backend() functions should return 'backend' objects.
If they return pointers to 'framework.Backend' objects, the receiver functions can't be tested.
2016-06-10 15:53:02 -04:00
Jeff Mitchell 99c1e071f3 Remove most Root paths 2016-05-31 23:42:54 +00:00
Jeff Mitchell 8f592f3442 Don't use pointers to int64 in function calls when not necessary 2016-05-19 12:26:02 -04:00
Jeff Mitchell a13807e759 Merge pull request #1318 from steve-jansen/aws-logical-assume-role
Add sts:AssumeRole support to the AWS secret backend
2016-05-19 12:17:27 -04:00
Steve Jansen 597d59962c Adds sts:AssumeRole support to the AWS secret backend
Support use cases where you want to provision STS tokens
using Vault, but, you need to call AWS APIs that are blocked
for federated tokens.  For example, STS federated tokens cannot
invoke IAM APIs, such as  Terraform scripts containing
`aws_iam_*` resources.
2016-05-05 23:32:41 -04:00
Jeff Mitchell 4600ca8073 Merge branch 'master-oss' into aws-auth-backend 2016-05-05 10:36:06 -04:00