Commit Graph

10581 Commits

Author SHA1 Message Date
Brian Kassouf 17b46e2979
Fix key upgrade and raft tests (#6949) 2019-06-21 11:38:21 -06:00
Jim Kalafut 2bf5db4fe8 Add OIDC token generation to Identity (#6900)
* Add OIDC token generation to Identity

There are a few open TODOs and some remaining cleanup, but this is
functionally complete and ready for review.

(Tests will be added soon.)

* Simplified key update endpoint

* Cache the config

* Fix Issuer handling

* Suppose base64-encoded templates (#6919)

* Cache JWKS and switch to go-cache (#6918)

* Address review comments

* Add warning if neither Issue nor api_addr are set

* adds tests (#6937)

* adds help synopsis and descriptions to the framework path for the oid… (#6930)

* adds help synopsis and descriptions to the framework path for the oidc backend

* Update vault/identity_store_oidc.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* Add Now parameter to PopulateStringInput

* Addressing review comments

* Refactor template processing to improve mode-specific handling

* adds a test for the periodic func (#6943)

* adds a test for the periodic func

* removes commented out code

* adds a comment

* Add comments
2019-06-21 10:23:39 -07:00
Brian Kassouf 5d0c68ca74
Fix 32-bit builds (#6948) 2019-06-21 09:52:02 -06:00
Madalyn 8338b9b0e3
OpenAPI CRUD views (#6702)
Dynamically generate views from OpenAPI document to List/CRUD LDAP users and groups in the UI
2019-06-21 11:18:26 -04:00
Madalyn a2606ddccf
update OpenAPI output to use DisplayAttributes struct (#6928) 2019-06-21 11:08:08 -04:00
Jeff Mitchell 633a6099f2 Vendor and prep for beta 2019-06-20 23:43:02 -04:00
Jeff Mitchell fdc57104e1 Bump version for beta 2019-06-20 23:42:21 -04:00
Jeff Mitchell cd8058d498 More plugin updates 2019-06-20 23:37:41 -04:00
Jeff Mitchell 6b276e8cc0 Bump some more plugins 2019-06-20 23:26:39 -04:00
Jeff Mitchell 2f4f1558cf Bump sdk/api deps 2019-06-20 23:21:52 -04:00
Jeff Mitchell 7a4726ed22 Bump api go.mod 2019-06-20 23:21:14 -04:00
Jeff Mitchell 8db677ce27 Bump some plugin versions 2019-06-20 23:16:06 -04:00
Jeff Mitchell 35a2312a38 changelog++ 2019-06-20 23:12:23 -04:00
Jeff Mitchell 79caf580f7 changelog++ 2019-06-20 23:09:01 -04:00
Vishal Nayak 53035ce390
Raft CLI (#6893)
* raft cli

* Reuse the command's client

* Better response handling

* minor touchups
2019-06-20 21:32:00 -04:00
Jeff Mitchell 2f271c3bc0 Fix tests 2019-06-20 21:00:01 -04:00
Jeff Mitchell f70ddb9dee Make base predict test kmip friendly 2019-06-20 20:57:46 -04:00
Jeff Mitchell 07dcdc8b79 Sync 2019-06-20 20:55:10 -04:00
Jim Kalafut 6d08c94866
Update LDAP "groups" parameter to use TypeCommaStringSlice (#6942)
No functional change, but the updated type plays nicer with the
OpenAPI-driven UI.
2019-06-20 15:36:54 -07:00
Jeff Mitchell 3d231d985d Update vendor 2019-06-20 18:12:40 -04:00
Jeff Mitchell 44ea96e6e6 Update go.mod for new raft 2019-06-20 18:08:32 -04:00
Jeff Escalante 7e7deeaa15 Add lockfile for website (#6940)
* add package-lock

* update package lock
2019-06-20 17:53:12 -04:00
Jeff Mitchell 1ee99c0002
Don't return an error if storagepacker is told to delete no items (#6941)
Just be idempotent -- nothing to delete means nothing to do
2019-06-20 17:46:58 -04:00
Jeff Mitchell 7966231d88
Port some stuff (#6939)
* Port some fixes

* Sync some updates
2019-06-20 16:02:11 -04:00
Jeff Mitchell a68484107e Update vendor 2019-06-20 15:56:24 -04:00
Brian Kassouf ed14061578
Raft Storage Backend (#6888)
* Work on raft backend

* Add logstore locally

* Add encryptor and unsealable interfaces

* Add clustering support to raft

* Remove client and handler

* Bootstrap raft on init

* Cleanup raft logic a bit

* More raft work

* Work on TLS config

* More work on bootstrapping

* Fix build

* More work on bootstrapping

* More bootstrapping work

* fix build

* Remove consul dep

* Fix build

* merged oss/master into raft-storage

* Work on bootstrapping

* Get bootstrapping to work

* Clean up FMS and node-id

* Update local node ID logic

* Cleanup node-id change

* Work on snapshotting

* Raft: Add remove peer API (#906)

* Add remove peer API

* Add some comments

* Fix existing snapshotting (#909)

* Raft get peers API (#912)

* Read raft configuration

* address review feedback

* Use the Leadership Transfer API to step-down the active node (#918)

* Raft join and unseal using Shamir keys (#917)

* Raft join using shamir

* Store AEAD instead of master key

* Split the raft join process to answer the challenge after a successful unseal

* get the follower to standby state

* Make unseal work

* minor changes

* Some input checks

* reuse the shamir seal access instead of new default seal access

* refactor joinRaftSendAnswer function

* Synchronously send answer in auto-unseal case

* Address review feedback

* Raft snapshots (#910)

* Fix existing snapshotting

* implement the noop snapshotting

* Add comments and switch log libraries

* add some snapshot tests

* add snapshot test file

* add TODO

* More work on raft snapshotting

* progress on the ConfigStore strategy

* Don't use two buckets

* Update the snapshot store logic to hide the file logic

* Add more backend tests

* Cleanup code a bit

* [WIP] Raft recovery (#938)

* Add recovery functionality

* remove fmt.Printfs

* Fix a few fsm bugs

* Add max size value for raft backend (#942)

* Add max size value for raft backend

* Include physical.ErrValueTooLarge in the message

* Raft snapshot Take/Restore API  (#926)

* Initial work on raft snapshot APIs

* Always redirect snapshot install/download requests

* More work on the snapshot APIs

* Cleanup code a bit

* On restore handle special cases

* Use the seal to encrypt the sha sum file

* Add sealer mechanism and fix some bugs

* Call restore while state lock is held

* Send restore cb trigger through raft log

* Make error messages nicer

* Add test helpers

* Add snapshot test

* Add shamir unseal test

* Add more raft snapshot API tests

* Fix locking

* Change working to initialize

* Add underlying raw object to test cluster core

* Move leaderUUID to core

* Add raft TLS rotation logic (#950)

* Add TLS rotation logic

* Cleanup logic a bit

* Add/Remove from follower state on add/remove peer

* add comments

* Update more comments

* Update request_forwarding_service.proto

* Make sure we populate all nodes in the followerstate obj

* Update times

* Apply review feedback

* Add more raft config setting (#947)

* Add performance config setting

* Add more config options and fix tests

* Test Raft Recovery (#944)

* Test raft recovery

* Leave out a node during recovery

* remove unused struct

* Update physical/raft/snapshot_test.go

* Update physical/raft/snapshot_test.go

* fix vendoring

* Switch to new raft interface

* Remove unused files

* Switch a gogo -> proto instance

* Remove unneeded vault dep in go.sum

* Update helper/testhelpers/testhelpers.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* Update vault/cluster/cluster.go

* track active key within the keyring itself (#6915)

* track active key within the keyring itself

* lookup and store using the active key ID

* update docstring

* minor refactor

* Small text fixes (#6912)

* Update physical/raft/raft.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* review feedback

* Move raft logical system into separate file

* Update help text a bit

* Enforce cluster addr is set and use it for raft bootstrapping

* Fix tests

* fix http test panic

* Pull in latest raft-snapshot library

* Add comment
2019-06-20 12:14:58 -07:00
Jeff Mitchell 81ef0bb190
Unify time.Duration handling across framework and parseutil (#6935)
This removes a lot of duplicated code and adds time.Duration support to
parseutil, needed by the jwt auth method.
2019-06-20 14:28:32 -04:00
Jeff Mitchell 55e9f46ca3
Allow Default for TimeDurationSecond values to be time.Duration (#6934) 2019-06-20 12:28:15 -04:00
Becca Petrin cd0f2ec5f6
Merge pull request #6913 from hashicorp/pcf-docs
PCF documentation
2019-06-20 09:28:06 -07:00
Matthew Irish 99899a3ebb
UI - cross-browser svg scaling fixes (#6933)
* fix icon sizing in firefox

* specify height because IE likes to make things way too tall
2019-06-20 10:55:23 -05:00
Aaron Bedra db25895001 Adds libvault to list of client libraries (#6890) 2019-06-20 08:01:12 -07:00
Brian Shumate 630de4d1ae Switch to simpler 'configured' (#6892) 2019-06-20 08:00:12 -07:00
Jeff Mitchell 2d27a41ddf changelog++ 2019-06-20 10:33:28 -04:00
Jeff Mitchell 62158d65fe
Use a role cache to avoid separate locking paths (#6926)
* Use a role cache to avoid separate locking paths

Due to the various locked/nonlocked paths we had a case where we weren't
always checking for secondary status before trying to upgrade. This
broadly simplifies things by using a cache to store the current role
values (avoiding a lot of storage hits) and updating the cache on any
write, delete, or invalidation.
2019-06-20 10:31:31 -04:00
Matthew Irish c9974b6478
changelog++ 2019-06-20 08:40:28 -05:00
Matthew Irish c49fb2e512
UI transit date fix (#6827)
* fix timestamp for aes-gcm and chacha-poly transit keys

* add test for transit-key serializer
2019-06-20 08:39:23 -05:00
Matthew Irish 65639d4038
changelog++ 2019-06-20 08:38:43 -05:00
Matthew Irish 757afb4de9
UI - no jquery (#6768)
* add no-jquery rule and move event listeners to ember-concurrency tasks

* remove unnecessary onchange and handleKeyDown actions

* add element.closest polyfill and convert linked-block to use native dom apis

* update pretender, fetch, page-object, add optional-features, remove ember/jquery

* turn off jquery inclusion

* remove jQuery.isPlainObject usage

* violatedDirective isn't always formatted the same

* use fetch and the ember-fetch adapter mixin

* move to fetch and lowercase headers for pretender

* display non-ember-data errors

* use new async fn test style and lowercase headers in auth service test

* setContext is not necessary with the new style tests and ember-cli-page-object - it actually triggers jquery usage

* update ember-fetch, ember-cli-pretender

* wait for permissions check

* lowercase header name in auth test

* refactor transit tests to one test per key type

* simplify pollCluster helper

* stop flakey tests by preferring the native fetch

* avoid uncaught TransitionAborted error by navigating directly to unseal

* unset model on controller after unloading it because controllers are singletons

* update yarn.lock
2019-06-20 08:37:27 -05:00
Jim Kalafut 122134b207
Add new structures for OpenAPI/UI enhancements (#6931) 2019-06-19 16:48:58 -07:00
Noelle Daley cc3c0f18d0
changelog++ 2019-06-19 16:16:52 -07:00
Noelle Daley 4fd783d3f4
Add HTTP Request Volume page (#6925)
* Add http request volume table (#6765)

* init http metrics page

* remove flex-table-column

* add http requests table

* calculate percent change between each counter

* start percent change tests

* style request table

* show percent more/less glyph

* add percent more less tests

* add inline alert about recorded metrics

* make arrows diagonal

* remove conditional inside countersWithChange

* add better error msg

* use tagName and wrapping element a la glimmer components

* extend ClusterRouteBase so auth and seal checks happen

* make table accessible

* remove curlies

* add HttpRequestsTable to storybook

* make table accessible

* use qunit dom for better assertions

* remove EmptyState since we will never have 0 requests

* ensure counters is set in test context

* Http request volume/add barchart (#6814)

* Add http request volume table (#6765)

* init http metrics page

* remove flex-table-column

* add http requests table

* calculate percent change between each counter

* start percent change tests

* style request table

* show percent more/less glyph

* add percent more less tests

* add inline alert about recorded metrics

* make arrows diagonal

* remove conditional inside countersWithChange

* add better error msg

* use tagName and wrapping element a la glimmer components

* extend ClusterRouteBase so auth and seal checks happen

* make table accessible

* remove curlies

* add HttpRequestsTable to storybook

* make table accessible

* use qunit dom for better assertions

* remove EmptyState since we will never have 0 requests

* ensure counters is set in test context

* add http-requests-bar-chart

* add HttpRequestsBarChart tests

* add HttpRequestsBarChart to Storybook

* format total number of requests according to locale

* do not show extra minus sign when percent change is negative

* add link to request metrics in status bar menu

* only show bar chart if we have data for more than 1 month

* make ticks lighter

* ensure charts show data for correct month

* make example counters response look like the adapter response instead of the raw api response

* ensure ui shows the same utc date as the api response

* add format-utc tests

* downgrade to d3 v4 to support ie11

* add gridlines

* move dasharray to css

* use scheduleOnce instead of debounce to prevent multiple re-renders

* add key function to bars

* add exit case when data is no longer in parsedCounters

* fix timestamp in table test

* fix timestamps

* use utcParse and fallback to isoParse for non-UTC dates

* fix bar chart tests
2019-06-19 16:14:25 -07:00
Clint 5309609758
Bump the Elasticsearch db dependency to latest, to pull in fixes to satisfy dbplugin.Database interface (#6929)
Merging despite the TravisCI tests failing, which do not support go modules
2019-06-19 17:40:07 -05:00
Jeff Mitchell 2a3649f73a changelog++ 2019-06-19 17:07:49 -04:00
Clint b55303eddb
Combined Database Backend: Static Accounts (#6834)
* Add priority queue to sdk

* fix issue of storing pointers and now copy

* update to use copy structure

* Remove file, put Item struct def. into other file

* add link

* clean up docs

* refactor internal data structure to hide heap method implementations. Other cleanup after feedback

* rename PushItem and PopItem to just Push/Pop, after encapsulating the heap methods

* updates after feedback

* refactoring/renaming

* guard against pushing a nil item

* minor updates after feedback

* Add SetCredentials, GenerateCredentials gRPC methods to combined database backend gRPC

* Initial Combined database backend implementation of static accounts and automatic rotation

* vendor updates

* initial implementation of static accounts with Combined database backend, starting with PostgreSQL implementation

* add lock and setup of rotation queue

* vendor the queue

* rebase on new method signature of queue

* remove mongo tests for now

* update default role sql

* gofmt after rebase

* cleanup after rebasing to remove checks for ErrNotFound error

* rebase cdcr-priority-queue

* vendor dependencies with 'go mod vendor'

* website database docs for Static Role support

* document the rotate-role API endpoint

* postgres specific static role docs

* use constants for paths

* updates from review

* remove dead code

* combine and clarify error message for older plugins

* Update builtin/logical/database/backend.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* cleanups from feedback

* code and comment cleanups

* move db.RLock higher to protect db.GenerateCredentials call

* Return output with WALID if we failed to delete the WAL

* Update builtin/logical/database/path_creds_create.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* updates after running 'make fmt'

* update after running 'make proto'

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* update comment and remove and rearrange some dead code

* Update website/source/api/secret/databases/index.html.md

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* cleanups after review

* Update sdk/database/dbplugin/grpc_transport.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* code cleanup after feedback

* remove PasswordLastSet; it's not used

* document GenerateCredentials and SetCredentials

* Update builtin/logical/database/path_rotate_credentials.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* wrap pop and popbykey in backend methods to protect against nil cred rotation queue

* use strings.HasPrefix instead of direct equality check for path

* Forgot to commit this

* updates after feedback

* re-purpose an outdated test to now check that static and dynamic roles cannot share a name

* check for unique name across dynamic and static roles

* refactor loadStaticWALs to return a map of name/setCredentialsWAL struct to consolidate where we're calling set credentials

* remove commented out code

* refactor to have loadstaticwals filter out wals for roles that no longer exist

* return error if nil input given

* add nil check for input into setStaticAccount

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* add constant for queue tick time in seconds, used for comparison in updates

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* code cleanup after review

* remove misplaced code comment

* remove commented out code

* create a queue in the Factory method, even if it's never used

* update path_roles to use a common set of fields, with specific overrides for dynamic/static roles by type

* document new method

* move rotation things into a specific file

* rename test file and consolidate some static account tests

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* update code comments, method names, and move more methods into rotation.go

* update comments to be capitalized

* remove the item from the queue before we try to destroy it

* findStaticWAL returns an error

* use lowercase keys when encoding WAL entries

* small cleanups

* remove vestigial static account check

* remove redundant DeleteWAL call in populate queue

* if we error on loading role, push back to queue with 10 second backoff

* poll in initqueue to make sure the backend is setup and can write/delete data

* add revoke_user_on_delete flag to allow users to opt-in to revoking the static database user on delete of the Vault role. Default false

* add code comments on read-only loop

* code comment updates

* re-push if error returned from find static wal

* add locksutil and acquire locks when pop'ing from the queue

* grab exclusive locks for updating static roles

* Add SetCredentials and GenerateCredentials stubs to mockPlugin

* add a switch in initQueue to listen for cancelation

* remove guard on zero time, it should have no effect

* create a new context in Factory to pass on and use for closing the backend queue

* restore master copy of vendor dir
2019-06-19 14:45:39 -05:00
Becca Petrin ca05e6668e
Update CHANGELOG.md 2019-06-19 11:34:44 -07:00
Becca Petrin b965ce035c
Merge pull request #6847 from hashicorp/pcf-auto-auth
Add PCF auth method, agent, and CLI handler
2019-06-19 11:32:03 -07:00
Becca Petrin 9eaefea18c fix test 2019-06-19 10:59:11 -07:00
Becca Petrin 8782f2f8bb revert more unnecessary dep changes 2019-06-19 10:47:25 -07:00
Becca Petrin 75d15ae627 revert unnecessary dep updates from bad merge 2019-06-19 10:43:09 -07:00
Becca Petrin ab156603bd merge master 2019-06-19 10:24:45 -07:00