d740fd4a6a
Add the ability for warnings to be added to responses. These are
...
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.
Fixes #676
2015-10-07 16:18:39 -04:00
2091842dca
Sort policies when checking for equality
2015-10-06 15:48:25 -04:00
62ac518ae7
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 10:41:21 -04:00
d526c8ce1c
Merge pull request #629 from hashicorp/token-create-sudo
...
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-21 10:12:29 -04:00
1a01ab3608
Take ClientToken instead of Policies
2015-09-21 10:04:03 -04:00
ab7d35b95e
Fix up per-backend timing logic; also fix error in TypeDurationSecond in
...
GetOkErr.
2015-09-21 09:55:03 -04:00
02485e7175
Abstraced SudoPrivilege to take list of policies
2015-09-19 18:23:44 -04:00
a2799b235e
Using acl.RootPrivilege and rewrote mockTokenStore
2015-09-19 17:53:24 -04:00
b6d47dd784
fix broken tests
2015-09-19 12:33:52 -04:00
fb77ec3623
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-19 11:14:51 -04:00
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
801e531364
Enhance transit backend:
...
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
2015-09-18 14:41:05 -04:00
7f640c4374
Error on violating SysView boundaries
2015-09-17 11:24:46 -04:00
6a4089b2a8
Vault userpass: Enable renewals for login tokens
2015-09-16 23:55:35 -04:00
77e7379ab5
Implement the cubbyhole backend
...
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
104b29ab04
Rename View to StorageView to make it more distinct from SystemView
2015-09-15 13:50:37 -04:00
fb07cf9f53
Implement clean up routine to backend as some backends may require
...
e.g closing database connections on unmount to avoud connection
stacking.
2015-09-11 11:45:58 +03:00
39cfcccdac
Remove error returns from sysview TTL calls
2015-09-10 15:09:54 -04:00
488d33c70a
Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation
2015-09-10 15:09:54 -04:00
4239f9d243
Add DynamicSystemView. This uses a pointer to a pointer to always have
...
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.
Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
d435048d9e
Switch StaticSystemView values to pointers, to support updating
2015-09-10 15:09:54 -04:00
696d0c7b1d
Plumb per-mount config options through API
2015-09-10 15:09:53 -04:00
9e5e8a8a4d
Whitespace fix
2015-08-27 12:14:51 -07:00
cdabe6350e
SystemConfig -> SystemView
2015-08-27 11:38:05 -07:00
b74fa8c888
Make DefaultSystemView StaticSystemView with statically-configured information. Export this from Framework to make it easy to override for testing.
2015-08-27 11:25:07 -07:00
7c2bbe4c7f
Use a SystemView interface and turn SystemConfig into DefaultSystemView
2015-08-27 10:36:44 -07:00
e58553e7d5
Plumb the system configuration information up into framework
2015-08-27 09:41:03 -07:00
2e07106c4b
Add some documentation to SystemConfig
2015-08-27 09:14:03 -07:00
992e357d07
Add some plumbing to allow specified system configuration information to
...
be retrieved by logical backends. First implemented is default/max TTL.
2015-08-27 08:51:35 -07:00
5695d57ba0
Merge pull request #561 from hashicorp/fix-wild-cards
...
Allow hyphens in endpoint patterns of most backends
2015-08-21 11:40:42 -07:00
6c2927ede0
Vault: Fix wild card paths for all backends
2015-08-21 00:56:13 -07:00
ea9fbb90bc
Rejig Lease terminology internally; also, put a few JSON names back to their original values
2015-08-20 22:27:01 -07:00
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
b57ce8e5c2
Change "lease" parameter in the generic backend to be "ttl" to reduce confusion. "lease" is now deprecated but will remain valid until 0.4.
...
Fixes #528 .
2015-08-20 16:41:25 -07:00
4abc488cec
Merge pull request #510 from ctennis/more_descriptive_errors
...
More descriptive errors with specific HTTP return codes
2015-08-11 10:11:26 -07:00
ae990884a6
Add a validation step in field data to error more quickly vs. allowing panics to happen when we go to get the data and convert it
2015-08-11 12:34:14 -04:00
4da080e769
This adds a new error class which can be used by logical backends to
...
specify more concrete error cases to make their way back up the stack.
Over time there is probably a cleaner way of doing this, but that's
looking like a more massive rewrite and this solves some issues in
the meantime.
Use a CodedError to return a more concrete HTTP return code for
operations you want to do so. Returning a regular error leaves
the existing behavior in place.
2015-08-10 13:27:25 -04:00
7750af7014
Fix a couple of typos
2015-08-09 15:20:06 -04:00
4409e704b5
Vault Test: Disabling mlock for logical.testing.Test()
2015-07-31 12:23:50 -04:00
c40cf7fcdf
logical/framework: handle nil duration value. Fixes #408
2015-07-08 16:55:52 -06:00
cf82f4d6d6
logical/testing: Allow factory to be provided instead of Backend
2015-06-30 18:08:43 -07:00
4b27e4d8c5
Remove SetLogger, and unify on framework.Setup
2015-06-30 17:45:20 -07:00
541014e315
logical: remove SetLogger method
2015-06-30 17:39:39 -07:00
5d69e7da90
Updating for backend API change
2015-06-30 17:36:12 -07:00
41b72a4d39
vault: provide view to backend initializer for setup
2015-06-30 17:30:43 -07:00
e892d728a2
logical/framework: support Salt in PathMap
2015-06-30 14:28:45 -07:00
6b23b14773
logical/framework: adding a new duration type to convert to seconds
2015-06-17 15:56:26 -07:00
f39b522681
logical/framework: allow the lease max to come from existing lease
2015-06-17 14:24:12 -07:00
cfab07b19f
logical/framework: simplify calculation of lease renew
2015-06-17 14:16:44 -07:00
ae02203624
logical: remove IncrementedLease, simplify ExpirationTime calculation
2015-06-17 13:59:09 -07:00
784f17a0a8
logical: Adding special fields to do raw HTTP
2015-05-27 14:09:47 -07:00
ba7bfed1af
vault: Expose MountPoint to secret backend. Fixes #248
2015-05-27 11:46:42 -07:00
7131f12fee
logical/testing: Fixing revoke in acceptance tests. Fixes #236
2015-05-27 11:19:15 -07:00
d58512b3f8
logical/framework: Fix help text in PathMap
2015-05-15 07:56:32 +10:00
283e8ccacb
logical/framework: Add delete to PathMap
2015-05-14 22:28:33 +10:00
896f9cd4d3
logical/framework: Add delete to PathStruct
2015-05-14 22:25:30 +10:00
5c63b70eea
logical/framework: PathMap is case insensitive by default
2015-05-11 10:27:04 -07:00
4e861f29bc
credential/github: case insensitive mappings
2015-05-11 10:24:39 -07:00
c849aba53a
vault: Adding InternalData to Auth
2015-05-09 11:39:54 -07:00
8ed48191fb
logical/framework: Generate help output even if no synopsis provided
2015-05-07 15:45:43 -07:00
81b12660c5
logical/framework: PathMap allows hyphens in keys [GH-119]
2015-05-02 13:17:42 -07:00
6287513c30
logical/testing: add return after fatal?
2015-04-28 18:46:56 -07:00
c4a92a276d
logical/framework: Supporting list of path map
2015-04-23 21:44:04 -07:00
af4f9196b8
logical: allow specifying ConnState
2015-04-23 16:36:31 -07:00
f7a1b2ced9
credential/app-id: allow restriction by CIDR block [GH-10]
2015-04-17 10:14:39 -07:00
e643b48235
credential/app-id: support associating a name with app ID [GH-9]
2015-04-17 10:01:03 -07:00
cd3fa3be92
logical/framework: more flexible Pathmap and PolicyMap
2015-04-17 09:35:49 -07:00
910bf9c76d
logical/framework: PathStruct
2015-04-17 09:18:21 -07:00
9d2bd2bf29
logical: Adding a DisplayName for operators
2015-04-15 13:56:42 -07:00
463a32ba56
logical/framework: doc for defaultduration on secret
2015-04-13 20:42:06 -07:00
6272ad75dc
logical/framework: secret lease tests
2015-04-13 15:18:27 -07:00
209b275bfd
logical/framework: allow max session time
2015-04-11 16:41:08 -07:00
33d66f0130
vault: token store allows unlimited renew
2015-04-11 16:28:16 -07:00
d81707a222
logical/framework: more tests
2015-04-11 14:51:00 -07:00
a360ca4928
logical/framework: AuthRenew callback, add LeaseExtend
...
/cc @armon - Going with this "standard library" of callbacks approach
to make extending leases in a customizable way easy. See the docs/tests
above.
2015-04-11 14:46:09 -07:00
f996dcf964
logical: add LeaseOptions.IncrementedLease()
2015-04-10 21:35:17 -07:00
7139ad427e
logical: lease tests
2015-04-10 21:29:03 -07:00
992028e23e
vault: the expiration time should be relative to the issue time
2015-04-10 21:21:06 -07:00
2c5ac09b23
logical: note time zone of lease
2015-04-10 20:49:17 -07:00
f7dbb6966b
logical: Adding support for renew of Auth
2015-04-10 13:59:49 -07:00
5a3ab973e6
vault: Simplify common lease logic
2015-04-09 12:29:13 -07:00
4679febdf3
logical: Refactor LeaseOptions to share between Secret and Auth
2015-04-09 12:14:04 -07:00
7df486482b
vault: Adding LeaseIssue for renew to allow limiting maximum lease length
2015-04-09 11:54:32 -07:00
466c7575d3
Replace VaultID with LeaseID for terminology simplification
2015-04-08 13:35:32 -07:00
569991fcc5
credential/app-id
2015-04-04 18:41:49 -07:00
606b3dbff9
credential/github: improve help
2015-04-04 12:18:33 -07:00
7aee6269f7
vault: pass a logger around to logical backends
2015-04-04 11:39:58 -07:00
8dc9e0e0d5
logical/framework: better string values for types
2015-04-03 21:15:59 -07:00
ec9df0439b
logical/aws: help
2015-04-03 21:10:54 -07:00
246c2839b0
logical/framework: make help look nicer
2015-04-03 21:00:23 -07:00
0bbad03c70
logical/framework: support root help
2015-04-03 20:36:47 -07:00
b8d69a357c
vault: Use Auth for lease and renewable
2015-04-03 14:04:50 -07:00
2e3d6d6a0e
command/help
2015-04-02 22:42:05 -07:00
745bcb951d
logical: adding lease to auth
2015-04-02 17:25:22 -07:00
faa759ea1d
logical/framework: Panic if routing pattern is blank
2015-04-01 22:12:03 -07:00
c5a5c6e3a6
logical/framework: automatically anchor
2015-04-01 17:53:02 -07:00
04cf4ef093
logical/framework: add PolicyMap
2015-04-01 15:46:37 -07:00
4e94cf1ace
logical/testing: helper to test auth
2015-04-01 15:46:37 -07:00
906f81b588
logical: GoStringer for Auth
2015-04-01 15:46:37 -07:00
5676373742
logical/testing: support unauthenticated requests
2015-04-01 15:46:37 -07:00
83de0fd03d
logical/framework: PathMap can get missing things
2015-04-01 15:46:37 -07:00
856f1e854a
logical: validation should allow 0 leases
2015-03-31 21:11:23 -07:00
67e4bdf1e4
misc typos
2015-03-31 17:27:04 -07:00
af8a9cd2e5
logical/testing: tokens for acceptance tests
2015-03-31 17:26:31 -07:00
0943c2bf45
logical/framework: Added missing case for TypeMap
2015-03-31 16:45:08 -07:00
cb66c93a34
logical/framework: Adding TypeMap
2015-03-31 16:45:08 -07:00
d4509b0ee3
vault: keep the connection info around for auth
2015-03-30 20:55:01 -07:00
c9acfa17cb
vault: get rid of HangleLogin
2015-03-30 20:26:39 -07:00
65145cf435
logical: add Redirect to response
2015-03-30 17:56:24 -07:00
62ee621ea3
logical: move cred stuff over here
2015-03-30 17:46:18 -07:00
2c3657f4fe
logical: add credential info to logical backend structures
2015-03-30 14:23:32 -07:00
cb563b881c
logical: Special error for permission denied
2015-03-24 11:23:59 -07:00
4598e43140
vault: Adding ClientToken
2015-03-24 11:09:25 -07:00
27d33ad9f7
logical/framework: auto-extend leases if requested
2015-03-21 16:20:30 +01:00
f6d5e3f0f4
logical/testing: immediate rollback, ignore RollbackMinAge
2015-03-21 11:18:33 +01:00
17c58633d6
logical/framework: rollback should return error, easier API
2015-03-21 11:08:13 +01:00
a54d90ac1f
logical/framework: rollback needs to have access to request for storage
2015-03-21 11:03:59 +01:00
62d9bec8be
logical/aws
2015-03-20 19:03:20 +01:00
a0f59f682b
logical/framework: can specify InternalData for secret
2015-03-20 17:59:48 +01:00
d43f395050
logical/testing: rollback/revoke secrets, error dangling secrets
2015-03-20 17:20:55 +01:00
c349e97168
vault: clean up VaultID duplications, make secret responses clearer
...
/cc @armon - This is a reasonably major refactor that I think cleans up
a lot of the logic with secrets in responses. The reason for the
refactor is that while implementing Renew/Revoke in logical/framework I
found the existing API to be really awkward to work with.
Primarily, we needed a way to send down internal data for Vault core to
store since not all the data you need to revoke a key is always sent
down to the user (for example the user than AWS key belongs to).
At first, I was doing this manually in logical/framework with
req.Storage, but this is going to be such a common event that I think
its something core should assist with. Additionally, I think the added
context for secrets will be useful in the future when we have a Vault
API for returning orphaned out keys: we can also return the internal
data that might help an operator.
So this leads me to this refactor. I've removed most of the fields in
`logical.Response` and replaced it with a single `*Secret` pointer. If
this is non-nil, then the response represents a secret. The Secret
struct encapsulates all the lease info and such.
It also has some fields on it that are only populated at _request_ time
for Revoke/Renew operations. There is precedent for this sort of
behavior in the Go stdlib where http.Request/http.Response have fields
that differ based on client/server. I copied this style.
All core unit tests pass. The APIs fail for obvious reasons but I'll fix
that up in the next commit.
2015-03-19 23:11:42 +01:00
8039fc5c63
logical/framework: support renew
2015-03-19 20:20:57 +01:00
d4b284fba4
logical/framework: revoke support
2015-03-19 19:41:41 +01:00
b655a78b78
logical/framework: can specify renew/revoke functins for secret
2015-03-19 15:07:45 +01:00
c7ed24282b
logical/framework: add methods to look up secret and gen response
2015-03-19 14:59:01 +01:00
c21bc26731
logical/framework: use custom request wrapper
2015-03-19 14:39:25 +01:00
21b9bdaf37
vault: Allow passing in credential backends
2015-03-18 15:21:41 -07:00
7d03852f7c
logical/framework: test for minimum age
2015-03-17 20:42:35 -05:00
14a48f6e92
logical/framework: only rollback old enough WAL entries
2015-03-17 20:39:46 -05:00
378968d56e
logical/framework: WAL entry supports "kind"
2015-03-17 20:39:46 -05:00
b8e2272421
logical/framework: rollback support
2015-03-17 20:39:46 -05:00
4016aba7ad
logical/framework: WAL should live here
2015-03-17 20:39:45 -05:00
4e905d2850
logical: WAL methods
2015-03-17 20:39:45 -05:00
c7b9148841
vault: RollbackManager
...
There are some major TODO items here, and it isn't hooked into the core
yet, but the basic functionality is there.
2015-03-17 20:39:45 -05:00
e85cd66b30
all: Removing fields from Lease
2015-03-16 13:29:51 -07:00
9f0d59d03f
vault: system using the framework
2015-03-15 17:35:59 -07:00
5fbe17e8df
logical/testing: acceptance testttttttt
2015-03-15 16:52:19 -07:00
11f8423b4f
logical/framework, logical/testing
2015-03-15 16:39:49 -07:00
d1d1929192
vault: convert to logical.Request and friends
2015-03-15 14:53:41 -07:00
c3ae1b59a1
vault: Passthrough backend uses logical.Backend
2015-03-15 14:27:06 -07:00
63a9eb321a
logical: put structs here, vault uses them
2015-03-15 14:27:06 -07:00
10afebabdd
vault: Moving generic backend into package
2015-03-11 15:50:42 -07:00
51cc19e92f
logical: Adding generic backend
2015-03-05 16:35:09 -08:00
Jeff Mitchell