f3ab4971a6
Follow Vault convention on `DELETE` being idempotent ( #1903 )
...
* Follow Vault convention on `DELETE` being idempotent with
audit/auth/mounts deletes (a.k.a. disabling/unmounting).
2016-09-19 13:02:25 -04:00
e123f33a91
Add yml alias for yaml
2016-09-16 10:43:23 -04:00
722e26f27a
Add support for PGP encrypting the initial root token. ( #1883 )
2016-09-13 18:42:24 -04:00
640351b7d1
Update text of init/rekey around recovery values
2016-09-12 16:20:21 -04:00
7e5aef279c
Don't panic on bad auth path
...
Fixes #1860
2016-09-08 11:14:47 -04:00
1c6f2fd82b
Add response wrapping to list operations ( #1814 )
2016-09-02 01:13:14 -04:00
90737d3b44
Merge pull request #1836 from hashicorp/truncate-version-string
...
Remove the string 'Vault' from version information
2016-09-01 20:23:26 -04:00
fc4a5bae3c
Update audit-enable to show more examples ( #1842 )
...
* Update audit-enable to show more examples
* Update audit_enable.go
2016-09-01 20:14:29 -04:00
a438f5e950
Add more examples and cleanup docs for auth ( #1841 )
2016-09-01 19:56:30 -04:00
5bd665a842
Update atlas listener factory to use version with pre-release info.
2016-09-01 17:21:11 -04:00
f5447d8fa9
Avoid commas while printing policies
2016-09-01 16:32:27 -04:00
35800b0782
Don't output key/value header if there are no values to display. ( #1838 )
...
Fixes #1835
2016-09-01 15:58:16 -04:00
9c78c58948
Remove the string 'Vault' from version information
2016-09-01 14:54:04 -04:00
61f1eee72c
Remove hex output from keys; standardize on B64 for CLI output. This ( #1831 )
...
aligns with all other interactions which use B64 encoding for bytes.
2016-09-01 12:59:15 -04:00
ecf61e9ba4
Add a separator to list output
2016-08-30 16:48:55 -04:00
2ce4397deb
Plumb through the ability to set the storage read cache size. ( #1784 )
...
Plumb through the ability to set the storage read cache size.
Fixes #1772
2016-08-26 10:27:06 -04:00
1ee4cb4725
Strip trailing whitespace in token from file.
...
Fixes #1774
2016-08-23 20:22:45 -04:00
dd53c4b1d8
Don't validate a dev listen address as that makes a proper Docker
...
entrypoint difficult.
Fixes #1762
2016-08-23 08:34:43 -04:00
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
bdcfe05517
Clustering enhancements ( #1747 )
2016-08-19 11:03:53 -04:00
56940c282b
Force dev on when dev-ha is on
2016-08-19 08:29:34 -04:00
62c69f8e19
Provide base64 keys in addition to hex encoded. ( #1734 )
...
* Provide base64 keys in addition to hex encoded.
Accept these at unseal/rekey time.
Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
37320f8798
Request forwarding ( #1721 )
...
Add request forwarding.
2016-08-15 09:42:42 -04:00
bcb4ab5422
Add periodic support for root/sudo tokens to auth/token/create
2016-08-12 21:14:12 -04:00
92f4fdf892
Add some info about -f to the "expects two arguments" error.
...
Ping #1722
2016-08-12 15:47:16 -04:00
c1a46349fa
Change to keybase openpgp fork as it has important fixes
2016-08-11 08:31:43 -04:00
5771a539a5
Add HTTP test for renew and fix muxing
2016-08-08 20:01:08 -04:00
529e36636c
Rename mounttune.go
2016-08-08 16:22:28 -04:00
69c1121d29
Fix generate-root synopsis
2016-08-05 16:35:03 -04:00
e029d3c87a
Support execution of remote commands using 'vault ssh'
2016-08-01 14:53:00 -04:00
6ffefb649d
Close the shutdown channel instead of sending a value down
2016-08-01 11:58:45 -04:00
05b8ce8348
Address review feedback
2016-08-01 11:15:25 -04:00
5ed10f4074
Make the defer statement of waitgroup to execute last
2016-08-01 10:24:27 -04:00
ea2e677f02
Sharing shutdown message with physical consul backend
2016-07-31 10:09:16 -04:00
a8b4fc0d3c
Add waitgroup wait to allow physical consul to deregister checks
2016-07-30 13:17:29 -04:00
8b0b0d5922
Add cluster information to 'vault status'
2016-07-29 14:13:53 -04:00
e5e0431393
Added Vault version informationto the 'status' command
2016-07-28 17:37:35 -04:00
c7bcaa5bb6
Merge pull request #1655 from hashicorp/cluster-id
...
Vault cluster name and ID
2016-07-26 14:12:48 -04:00
41ed3de3b1
Report the simple version string
2016-07-26 10:21:24 -07:00
6e1d020c3a
Added cluster_name for existing config tests
2016-07-26 11:38:24 -04:00
7daa92f42c
Update cluster name during config merge
2016-07-26 11:11:12 -04:00
a3e6400697
Remove global name/id. Make only cluster name configurable.
2016-07-26 10:01:35 -04:00
c7dabe4def
Storing local and global cluster name/id to storage and returning them in health status
2016-07-26 02:32:42 -04:00
6519c224ac
Circonus integration for telemetry metrics
2016-07-22 15:49:23 -04:00
a7665723e3
Address review feedback
2016-07-22 11:31:55 -04:00
f53792efc7
Update docs on the init command
2016-07-22 11:22:10 -04:00
caab9d40f2
Merge pull request #1642 from hashicorp/init-service-discovery
...
Add service discovery to init command
2016-07-21 20:47:32 -04:00
b243ee256e
Address review feedback by @jefferai
2016-07-21 20:46:31 -04:00
bd8ff10462
Address review feedback from @sean
2016-07-21 19:04:43 -04:00
5316082675
Added documentation for init service discovery
2016-07-21 17:27:56 -04:00
f557457909
Added a separate flag consul-service to receive Consul service name
2016-07-21 16:51:38 -04:00
23800c5f1d
Add service discovery to init command
2016-07-21 16:17:29 -04:00
3ec81debe7
Trim leading/trailing space around PEM bundles.
...
Fixes #1634
2016-07-20 13:57:49 -04:00
9d68297ffa
Have human-oriented token duration and secret duration output display a more human-friendly format
2016-07-19 12:15:00 -04:00
a3ce0dcb0c
Turn off DynamoDB HA by default.
...
The semantics are wonky and have caused issues from people not reading
docs. It can be enabled but by default is off.
2016-07-18 13:19:58 -04:00
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
f34f0ef503
Make 'tls_min_version' configurable
2016-07-12 19:32:47 -04:00
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
61250157d7
Don't panic on an empty configuration during merge
2016-07-05 16:49:15 -04:00
2c1b9499fc
Add aliases for field flag to allow printing auth results.
...
Also fix the write command to use the shared function with aliases.
Fixes #1566
2016-06-27 23:19:09 -04:00
07ebfce1a4
Up sleep time during reload test to not fail under certain test conditions
2016-06-27 15:37:25 -04:00
a7e15a8c0e
Fix up external token helper tests
2016-06-22 10:04:43 -04:00
3f40d8cbc7
Correctly check for existence of external token_helper binaries
2016-06-21 19:32:19 -07:00
d4d47ce5e3
Merge pull request #1531 from hashicorp/auth-mount-tune-params
...
Auth tune endpoints and config settings output from CLI
2016-06-20 20:24:47 -04:00
949bb97ebc
Merge pull request #1532 from hashicorp/vault-auth-path
...
Added -path option to 'vault auth' command
2016-06-20 16:43:26 -04:00
3b308713ad
Added -path option to help output
2016-06-20 16:24:49 -04:00
9be9f73806
Concatenating the output instead of printing twice
2016-06-20 15:26:33 -04:00
91668dd21d
Fix the output format when warnings are present
2016-06-15 17:13:14 -04:00
53fede4b70
Added '-path' option to 'vault auth' command
2016-06-15 16:54:27 -04:00
848b479a61
Added 'sys/auth/<path>/tune' endpoints.
...
Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods'
2016-06-15 13:58:24 -04:00
e925987cb6
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
65d8973864
Add explicit max TTL capability to token creation API
2016-06-08 14:49:48 -04:00
6ff0742aa6
Remove unneeded else
2016-06-08 13:55:31 -04:00
c0155ac02b
Add renewable flag and API setting for token creation
2016-06-08 11:14:30 -04:00
bb1e8ddaa2
Make token renewable status work properly on lookup
2016-06-08 09:19:39 -04:00
10b218d292
Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this...
2016-06-07 16:01:09 -04:00
401456ea50
Add creation time to returned wrapped token info
...
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.
This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
de8477244e
#1486 : Fixed sealed and leader checks for consul backend
2016-06-03 16:00:31 -07:00
5cefd6bd3a
Merge pull request #1470 from hashicorp/unwrap-in-api
...
Make Unwrap a first-party API command and refactor UnwrapCommand to u…
2016-06-03 13:25:10 -04:00
64c180510e
Add a metadata node_id field for Atlas usage and fix tests
2016-06-02 18:19:51 -04:00
0d9ea2a1a1
Initial Atlas listener implementation
2016-06-02 14:05:47 -04:00
c197414b3b
Prioritize dev flags over its env vars
2016-06-01 12:21:29 -04:00
4c08d43950
Address review feedback
2016-06-01 11:39:48 -04:00
8d50543a88
Supplying strictHostKeyChecking and userKnownHostsFile from env vars
2016-06-01 11:08:24 -04:00
315f9c868c
Provide option to disable host key checking
2016-06-01 11:08:24 -04:00
63aba520c6
Make Unwrap a first-party API command and refactor UnwrapCommand to use it
2016-05-27 21:04:30 +00:00
ff6f5ae75b
Add a non-nil check for 'port' field to be present in the response
2016-05-25 21:26:32 +00:00
199f99d031
Decode json.Number before handing to mapstructure
2016-05-25 19:02:31 +00:00
05b2d4534c
Add unwrap test function and some robustness around paths for the wrap lookup function
2016-05-19 11:49:46 -04:00
0da8762bd5
Add unwrap command, and change how the response is embedded (as a string, not an object)
2016-05-19 11:25:15 -04:00
dce8a8da42
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-19 02:43:22 +00:00
0168b74e03
Rename lease_duration to refresh_interval when there is no lease ID, and output ---- between header and values
2016-05-17 17:10:12 +00:00
c4431a7e30
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors
2016-05-16 16:11:33 -04:00
4c67a739b9
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-16 12:14:40 -04:00
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
560e9c30a3
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-12 14:59:12 -04:00
885cc73b2e
Merge branch 'master-oss' into f-vault-service
2016-05-04 17:20:00 -04:00
99a5b4402d
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-04 14:42:14 -04:00
47a7ada7e8
Fix number of recovery shares output during init
2016-05-03 23:07:09 -04:00
2bbb39f4af
Properly handle sigint/hup
2016-05-03 14:30:58 -04:00
1ffd5653c6
Add wrap support to API/CLI
2016-05-02 02:03:23 -04:00
749b60d57d
Ensure seal finalizing happens even when using verify-only
2016-04-28 14:06:05 -04:00
0b72906fc3
Change the interface of ServiceDiscovery
...
Instead of passing state, signal that the state has changed and provide a callback handler that can query Core.
2016-04-28 11:05:18 -07:00
aeea7628d6
Add a *log.Logger argument to physical.Factory
...
Logging in the backend is a good thing. This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
f5183fa506
Collapse UpdateAdvertiseAddr() into RunServiceDiscovery()
2016-04-25 18:01:13 -07:00
3977057cc9
Disable service registration for consul HA tests
2016-04-25 18:01:13 -07:00
1f8397f0a3
Use spaces in tests to be consistent
...
The rest of the tests here use spaces, not tabs
2016-04-25 18:01:13 -07:00
60006f550f
Various refactoring to clean up code organization
...
Brought to you by: Dept of 2nd thoughts before pushing enter on `git push`
2016-04-25 18:01:13 -07:00
e7f600b4e6
Improve error handling re: homedir expansion
...
Useful if the HOME envvar is not set because `vault` was launched in a clean environment (e.g. `env -i vault ...`).
2016-04-25 18:01:13 -07:00
6b2c83564e
Teach Vault how to register with Consul
...
Vault will now register itself with Consul. The active node can be found using `active.vault.service.consul`. All standby vaults are available via `standby.vault.service.consul`. All unsealed vaults are considered healthy and available via `vault.service.consul`. Change in status and registration is event driven and should happen at the speed of a write to Consul (~network RTT + ~1x fsync(2)).
Healthy/active:
```
curl -X GET 'http://127.0.0.1:8500/v1/health/service/vault?pretty ' && echo;
[
{
"Node": {
"Node": "vm1",
"Address": "127.0.0.1",
"TaggedAddresses": {
"wan": "127.0.0.1"
},
"CreateIndex": 3,
"ModifyIndex": 20
},
"Service": {
"ID": "vault:127.0.0.1:8200",
"Service": "vault",
"Tags": [
"active"
],
"Address": "127.0.0.1",
"Port": 8200,
"EnableTagOverride": false,
"CreateIndex": 17,
"ModifyIndex": 20
},
"Checks": [
{
"Node": "vm1",
"CheckID": "serfHealth",
"Name": "Serf Health Status",
"Status": "passing",
"Notes": "",
"Output": "Agent alive and reachable",
"ServiceID": "",
"ServiceName": "",
"CreateIndex": 3,
"ModifyIndex": 3
},
{
"Node": "vm1",
"CheckID": "vault-sealed-check",
"Name": "Vault Sealed Status",
"Status": "passing",
"Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
"Output": "",
"ServiceID": "vault:127.0.0.1:8200",
"ServiceName": "vault",
"CreateIndex": 19,
"ModifyIndex": 19
}
]
}
]
```
Healthy/standby:
```
[snip]
"Service": {
"ID": "vault:127.0.0.2:8200",
"Service": "vault",
"Tags": [
"standby"
],
"Address": "127.0.0.2",
"Port": 8200,
"EnableTagOverride": false,
"CreateIndex": 17,
"ModifyIndex": 20
},
"Checks": [
{
"Node": "vm2",
"CheckID": "serfHealth",
"Name": "Serf Health Status",
"Status": "passing",
"Notes": "",
"Output": "Agent alive and reachable",
"ServiceID": "",
"ServiceName": "",
"CreateIndex": 3,
"ModifyIndex": 3
},
{
"Node": "vm2",
"CheckID": "vault-sealed-check",
"Name": "Vault Sealed Status",
"Status": "passing",
"Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
"Output": "",
"ServiceID": "vault:127.0.0.2:8200",
"ServiceName": "vault",
"CreateIndex": 19,
"ModifyIndex": 19
}
]
}
]
```
Sealed:
```
"Checks": [
{
"Node": "vm2",
"CheckID": "serfHealth",
"Name": "Serf Health Status",
"Status": "passing",
"Notes": "",
"Output": "Agent alive and reachable",
"ServiceID": "",
"ServiceName": "",
"CreateIndex": 3,
"ModifyIndex": 3
},
{
"Node": "vm2",
"CheckID": "vault-sealed-check",
"Name": "Vault Sealed Status",
"Status": "critical",
"Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
"Output": "Vault Sealed",
"ServiceID": "vault:127.0.0.2:8200",
"ServiceName": "vault",
"CreateIndex": 19,
"ModifyIndex": 38
}
]
```
2016-04-25 18:01:13 -07:00
230b59f34c
Stub out service discovery functionality
...
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
2016-04-25 18:00:54 -07:00
0c23acb818
Comment nits
2016-04-25 18:00:54 -07:00
8d4e5aacae
Change seal test name in command package
2016-04-26 00:12:14 +00:00
267b13c1ba
Merge pull request #1326 from hashicorp/sethvargo/hint_noreauth
...
Hint that you don't need to run auth twice
2016-04-25 15:43:55 -04:00
98d09b0dc6
Add seal tests and update generate-root and others to handle dualseal.
2016-04-25 19:39:04 +00:00
4e53f4b1a4
Use UseNumber() on json.Decoder to have numbers be json.Number objects
...
instead of float64. This fixes some display bugs.
2016-04-20 18:38:20 +00:00
055a8e04e4
Change recovery options in init to be 'key'-less
2016-04-18 17:02:07 +00:00
b4620d5d04
Add check against seal type to catch errors before we attempt to use the data
2016-04-15 18:16:48 -04:00
069d9cf021
Fix SIGINT handling.
...
No signal handler was setup to receive SIGINT. I didn't investigate to
see if signal(2) mask was setup (ala `SIG_IGN`) or if sigprocmask(2) is
being used, but in either case, the correct behavior is to capture and
treat SIGINT the same as SIGTERM. At some point in the future these two
signals may affect the running process differently, but we will clarify
that difference in the future.
2016-04-15 10:03:22 -07:00
119238149b
Add Finalize method to seal.
2016-04-14 20:37:34 +00:00
5c336297ad
Provide clarity for output statements of idempotent calls.
2016-04-14 15:46:45 +00:00
b7178846c1
Clarify token-revoke operation
2016-04-14 15:34:01 +00:00
54c414abb2
Clarify delete operation
...
One thing that has been a point of confusion for users is Vault's
response when deleting a key that does not actually exist in the system.
For example, consider:
$ vault delete secret/foo
Success! Deleted 'secret/foo'
This message is misleading if the secret does not exist, especially if
the same command is run twice in a row.
Obviously the reason for this is clear - returning an error if a secret
does not exist would reveal the existence of a secret (the same reason
everything on S3 is a 403 or why GitHub repos 404 instead of 403 if you
do not have permission to view them).
I think we can make the UX a little bit better by adding just a few
words to the output:
$ vault delete secret/foo
Success! Deleted 'secret/foo' if it existed
This makes it clear that the operation was only performed if the secret
existed, but it does not reveal any more information.
2016-04-14 10:38:10 +01:00
a4ff72841e
Check for seal status when initing and change logic order to avoid defer
2016-04-14 01:13:59 +00:00
217035d081
Hint that you don't need to run auth twice
...
This came up twice, in two different training courses. The UX is a
little confusing here on the CLI. Users are used to running:
$ vault auth abcd-1234...
So when they auth using a method, the output leads them to believe the
need to "re-auth" as the generated token:
$ vault auth -method=userpass username=foo password=bar
Successfully authenticated!
token: defg-5678...
A number of users then run:
$ vault auth defg-5678
I've added some helpful text to hint this is not required if the method
is not "token".
2016-04-13 19:45:48 +01:00
759915bb55
Fix panic when using -field with read or write with a non-string value.
...
Fixes #1308
2016-04-07 22:16:33 +00:00
58846f8eac
Reinstall the mlockall(2) command
...
Requested by: jefferai
2016-04-05 13:58:26 -07:00
47c3202811
Unconditionally warn on systems w/o mlock support
...
If someone begins using Vault on Windows in dev mode, always hint so that this isn't a surprise when they get to production.
2016-04-05 12:32:53 -07:00
348be0e50b
Remove RevokePrefix from the API too as we simply do not support it any
...
longer.
2016-04-05 11:00:12 -04:00
9102b994aa
Sync some seal stuff
2016-04-04 13:46:33 -04:00
afae46feb7
SealInterface
2016-04-04 10:44:22 -04:00
1b7335cf4e
Fix up the meta common options text function to not strip leading space and fix up commands
2016-04-01 16:50:12 -04:00
b0888e8af1
Remove config from Meta; it's only used right now with the token helper.
2016-04-01 16:02:18 -04:00
a137081241
Move token helper out of meta
2016-04-01 14:23:15 -04:00
133d9c1008
Move meta into its own package
2016-04-01 13:16:05 -04:00
1be69ae235
Sort infokeys on startup and add more padding
2016-03-30 12:31:47 -04:00
528b25c5f4
Merge HA Backend objects
2016-03-21 16:56:13 -04:00
119fa1653b
Restore the previous valid token if token authentication fails
2016-03-18 14:43:16 -04:00
6d7cbc890d
Fix Typo
2016-03-18 14:06:49 +00:00
3dbac2e2cb
Add `-field` and `-format` to write command.
...
Fixes #1186
2016-03-17 14:57:30 -04:00
7db7b47fdd
Merge pull request #1210 from hashicorp/audit-id-path
...
Rename id to path and path to file_path, print audit backend paths
2016-03-15 20:13:21 -04:00
71fc07833f
Rename id to path and path to file_path, print audit backend paths
2016-03-14 17:15:07 -04:00
0e3764832a
Add test for listener reloading, and update website docs.
2016-03-14 14:05:47 -04:00
b3218d26d6
Properly scope config objects for reloading
2016-03-14 11:18:02 -04:00
84af6ec8ac
Don't generate an ID; use address for the ID. Generally speaking we'll need to sane against what's in the config
2016-03-11 17:28:03 -05:00
996c584192
Don't inline factory
2016-03-11 17:02:44 -05:00
9ce1be3b00
For not shutdown triggered...
2016-03-11 17:01:26 -05:00
d75ce9de9b
Retool to have reloading logic run in command/server
2016-03-11 16:47:03 -05:00
c6066af4c1
Add tests. This actually adds the initial tests for the TLS listener,
...
then layers reloading tests on top.
2016-03-11 14:05:52 -05:00
baf0763b3c
Add reload capability for Vault listener certs. No tests (other than
...
manual) yet, and no documentation yet.
2016-03-11 14:05:52 -05:00
Jeff Mitchell