Commit graph

26 commits

Author SHA1 Message Date
Chris Hoffman a7ada08b3b
Core handling of TTLs (#4230)
* govet cleanup in token store

* adding general ttl handling to login requests

* consolidating TTL calculation to system view

* deprecate LeaseExtend

* deprecate LeaseExtend

* set the increment to the correct value

* move calculateTTL out of SystemView

* remove unused value

* add back clearing of lease id

* implement core ttl in some backends

* removing increment and issue time from lease options

* adding ttl tests, fixing some compile issue

* adding ttl tests

* fixing some explicit max TTL logic

* fixing up some tests

* removing unneeded test

* off by one errors...

* adding back some logic for bc

* adding period to return on renewal

* tweaking max ttl capping slightly

* use the appropriate precision for ttl calculation

* deprecate proto fields instead of delete

* addressing feedback

* moving TTL handling for backends to core

* mongo is a secret backend not auth

* adding estimated ttl for backends that also manage the expiration time

* set the estimate values before calling the renew request

* moving calculate TTL to framework, revert removal of increment and issue time from logical

* minor edits

* addressing feedback

* address more feedback
2018-04-03 12:20:20 -04:00
Brian Kassouf 9dba3590ac
Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
Calvin Leung Huang e2fb199ce5
Non-HMAC audit values (#4033)
* Add non-hmac request keys

* Update comment

* Initial audit request keys implementation

* Add audit_non_hmac_response_keys

* Move where req.NonHMACKeys gets set

* Minor refactor

* Add params to auth tune endpoints

* Sync cache on loadCredentials

* Explicitly unset req.NonHMACKeys

* Do not error if entry is nil

* Add tests

* docs: Add params to api sections

* Refactor audit.Backend and Formatter interfaces, update audit broker methods

* Add audit_broker.go

* Fix method call params in audit backends

* Remove fields from logical.Request and logical.Response, pass keys via LogInput

* Use data.GetOk to allow unsetting existing values

* Remove debug lines

* Add test for unsetting values

* Address review feedback

* Initialize values in FormatRequest and FormatResponse using input values

* Update docs

* Use strutil.StrListContains

* Use strutil.StrListContains
2018-03-02 12:18:39 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Jeff Mitchell 2b78bc2a9b
Port over bits (#3575) 2017-11-13 15:31:32 -05:00
Jeff Mitchell 92e3758291 Don't hash time.Time values in return data maps, they may be useful for reconciling values and are not generally secret 2017-05-08 14:19:42 -04:00
Mitchell Hashimoto c29ee275ce audit: hash time.Time values in map fields (#2689)
This enables audit.Hash to hash time.Time values that may exist as
direct fields in the map. This will error (instead of panic) for any
time.Time values that don't occur within map values. For example, this
does not support a time.Time within a slice. If that needs to be
supported then modifications will need to be made.

This also requires an update to reflectwalk (included in this PR). This
is a minimal change that allows SkipEntry to signal to skip an entire
struct. We do this because we don't want to walk any of time.Time since
we handle it directly.
2017-05-08 14:06:08 -04:00
Brian Kassouf 657d433330 Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 12:15:01 -07:00
Jeff Mitchell 3129187dc2 JWT wrapping tokens (#2172) 2017-01-04 16:44:03 -05:00
vishalnayak e09b40e155 Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC 2016-07-08 18:30:18 -04:00
Jeff Mitchell e925987cb6 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
Jeff Mitchell 10b218d292 Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this... 2016-06-07 16:01:09 -04:00
Jeff Mitchell 401456ea50 Add creation time to returned wrapped token info
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.

This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Jeff Mitchell c5008bcaac Add more tests 2016-05-07 21:08:13 -04:00
Jeff Mitchell ef84e04fd7 Add unit test for audit change 2016-01-26 12:47:04 -05:00
Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell c8a0eda224 Use hmac-sha256 for protecting secrets in audit entries 2015-09-19 11:29:31 -04:00
Jeff Mitchell 5dde76fa1c Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass. 2015-09-18 17:38:30 -04:00
Jeff Mitchell ea9fbb90bc Rejig Lease terminology internally; also, put a few JSON names back to their original values 2015-08-20 22:27:01 -07:00
Jeff Mitchell 93ef9a54bd Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod 2015-08-20 18:00:51 -07:00
Mitchell Hashimoto 0809378c9b audit: some tests 2015-06-19 03:31:19 -07:00
Mitchell Hashimoto c18f3928df audit: add more tests for copying 2015-04-27 15:54:14 -07:00
Mitchell Hashimoto e77e2d8c98 audit: docs 2015-04-22 07:42:37 +02:00
Mitchell Hashimoto 1b34aae7f1 audit: separate hashing from formatting to facilitate raw 2015-04-22 07:41:53 +02:00
Mitchell Hashimoto 82252c0d34 audit: sanity sha1 test 2015-04-21 16:14:26 +01:00
Mitchell Hashimoto 2a6bb96276 audit: add hashstructure 2015-04-21 16:02:03 +01:00