Commit graph

354 commits

Author SHA1 Message Date
Armon Dadgar 4e3f0cddcf vault: Adding VerifyMaster to Barrier 2015-05-28 11:28:33 -07:00
Armon Dadgar 9f399eb9ff vault: prevent raw access to protected paths 2015-05-28 10:24:41 -07:00
Armon Dadgar 1a4256c20c vault: more logging around rotate 2015-05-27 17:56:55 -07:00
Armon Dadgar d0b93a6164 vault: adding sys/key-status and sys/rotate 2015-05-27 17:53:42 -07:00
Armon Dadgar 26cff2f42f vault: expose information about keys 2015-05-27 17:25:36 -07:00
Armon Dadgar 3e717907cd vault: testing barrier rekey 2015-05-27 17:17:03 -07:00
Armon Dadgar b93feb8a6b vault: first pass at rekey 2015-05-27 17:13:40 -07:00
Armon Dadgar 9e39fec4a5 vault: testing key rotation 2015-05-27 17:10:08 -07:00
Armon Dadgar ead96e8c99 vault: first pass at key rotation 2015-05-27 17:05:02 -07:00
Armon Dadgar 3d800fe7be vault: keyring api changes 2015-05-27 17:04:46 -07:00
Armon Dadgar 490bece0a0 vault: make keyring immutable 2015-05-27 16:58:55 -07:00
Armon Dadgar 28560a612f vault: test for backwards compatability 2015-05-27 16:42:42 -07:00
Armon Dadgar e8e9103300 vault: share keyring persistence code 2015-05-27 16:29:59 -07:00
Armon Dadgar 0e9136d14c vault: first pass at keyring integration 2015-05-27 16:01:25 -07:00
Armon Dadgar 50dc6a471e vault: adding path for keyring 2015-05-27 15:23:43 -07:00
Armon Dadgar 8c2a767f4f vault: Adding version to key entry 2015-05-27 15:23:31 -07:00
Armon Dadgar 1903518202 vault: Ensure we always set a key InstallTime 2015-05-27 14:37:40 -07:00
Armon Dadgar ef2f71e17f vault: Adding InstallTime to key in keyring 2015-05-27 14:37:40 -07:00
Armon Dadgar 57c763a3fa vault: Adding keyring 2015-05-27 14:37:40 -07:00
Armon Dadgar 70b3b37ffb vault: rename key epoch to term for clarity 2015-05-27 14:37:39 -07:00
Armon Dadgar daa5b9c1b5 vault: physical -> storage for clarity 2015-05-27 14:33:58 -07:00
Armon Dadgar 8ee5aebb3c vault: testing raw responses 2015-05-27 14:19:12 -07:00
Armon Dadgar ba7bfed1af vault: Expose MountPoint to secret backend. Fixes #248 2015-05-27 11:46:42 -07:00
Armon Dadgar d15eed47ad vault: reproducing GH-203 2015-05-15 17:48:03 -07:00
Armon Dadgar 3bcd32228d vault: lease renewal should not create new lease entry 2015-05-15 17:47:39 -07:00
Armon Dadgar 18795a4b26 vault: Adding test based on bug report 2015-05-15 17:19:41 -07:00
Armon Dadgar 0b84e86483 vault: Adding more logging 2015-05-15 17:19:32 -07:00
Armon Dadgar 8f4ddfd904 vault: adding test for e33a904 2015-05-11 11:16:21 -07:00
Armon Dadgar 843d9e6484 vault: verify login endpoint never returns a secret 2015-05-09 11:51:58 -07:00
Armon Dadgar 13ab31f4b5 vault: ensure InternalData is never returned from the core 2015-05-09 11:47:46 -07:00
Armon Dadgar c849aba53a vault: Adding InternalData to Auth 2015-05-09 11:39:54 -07:00
Armon Dadgar c7496772d4 vault: defer barrier initialization until as late as possible 2015-05-08 11:06:39 -07:00
Armon Dadgar a6eef6bba3 vault: Guard against an invalid seal config 2015-05-08 11:05:31 -07:00
Armon Dadgar 3500535db3 vault: fix detection of missing trailing slash. Fixes #157 2015-05-07 12:18:50 -07:00
Mitchell Hashimoto 727e0e90cd vault: validate advertise addr is valid URL [GH-106] 2015-05-02 13:28:33 -07:00
Seth Vargo c3a793ccdf Lowercase again 2015-04-30 14:27:32 -04:00
Aaron Bedra 57a7a41a42 Add test that ensure keylength check is working
Not likely to fail, but if it did would result in complete failure, so
probably good to have a test for it.
2015-04-30 13:12:47 -05:00
Seth Vargo 2de4965598 Use lowercase 2015-04-30 13:37:47 -04:00
Aaron Bedra ea0c41aa81 Add test to verify unique encrypted values
It wasn't immediately clear that the proper random seeding was taking
place. This ensures that the same plaintext encrypted twice does not
result in the same ciphertext. It will also be a good test to keep
around incase of future regressions.
2015-04-30 12:15:41 -05:00
Seth Vargo f17d65507f Use UTC in tests 2015-04-28 22:18:00 -04:00
Seth Vargo 95c8001388 Disable mlock in tests 2015-04-28 22:18:00 -04:00
Mitchell Hashimoto eef1a10e8e vault: fix more test race conditions 2015-04-28 19:17:45 -07:00
Mitchell Hashimoto e80111502b vault: way more verbose error if mlock fails [GH-59] 2015-04-28 18:56:16 -07:00
Mitchell Hashimoto b5f8f3b05a vault: add helper/mlock for doing mlock 2015-04-28 14:59:43 -07:00
Mitchell Hashimoto 2e55c3de68 vault: ability to toggle mlock on core 2015-04-27 16:40:14 -07:00
Armon Dadgar a2bd832519 vault: token create should return various metadata for logging 2015-04-25 20:21:35 -07:00
Armon Dadgar f1d8730c46 vault: restrict mlockall to just linux for now. Fixes #31 2015-04-23 16:10:50 -07:00
Armon Dadgar 2f0995d650 vault: Swap the HAEnabled check with the sealed check 2015-04-20 12:19:09 -07:00
Armon Dadgar c5f914cb34 vault: Lock memory when possible 2015-04-19 13:42:47 -07:00
Armon Dadgar a03268bc32 vault: Adding an epoch prefix to keys to support eventual online key rotation 2015-04-17 16:51:13 -07:00
Armon Dadgar 4473abd6ce vault: core enforcement of limited use tokens 2015-04-17 11:57:56 -07:00
Armon Dadgar 538c795f9b vault: Adding method to consume a limited use token 2015-04-17 11:51:04 -07:00
Armon Dadgar fd3948d476 vault: Tokens can have a use count specified 2015-04-17 11:34:25 -07:00
Armon Dadgar b65e1b3e22 vault: using a constant to make @mitchellh feel better 2015-04-15 17:19:59 -07:00
Aaron Bedra 95c37c1c4d Clarify Barrier encryption defaults.
Declare the defaults in the comments to be what they are now (256 bit
key and default golang NONCE value). Make the key error message more
precise since. It isn't between 16 and 32, it is 16 OR 32.
2015-04-15 18:24:23 -05:00
Armon Dadgar 818ce0a045 vault: token store allows specifying display_name 2015-04-15 14:24:07 -07:00
Armon Dadgar 76b69b2514 vault: thread the display name through 2015-04-15 14:12:34 -07:00
Armon Dadgar e6fd2f2ce5 vault: Default key size to 256bit. 2015-04-15 13:33:47 -07:00
Armon Dadgar 3ee434a783 vault: Allow AES key to be up to 256 bits. Fixes #7 2015-04-15 13:33:47 -07:00
Armon Dadgar 9f7143cf44 vault: expose the current leader 2015-04-14 16:53:40 -07:00
Armon Dadgar 445f64eb39 vault: leader should advertise address 2015-04-14 16:44:48 -07:00
Armon Dadgar ec8a41d2d2 vault: rename internal variable 2015-04-14 16:11:39 -07:00
Armon Dadgar 7579cf76ab vault: testing standby mode 2015-04-14 16:08:14 -07:00
Armon Dadgar 2820bec479 vault: testing standby mode 2015-04-14 16:06:58 -07:00
Armon Dadgar a0e1b90b81 vault: reject operation if standby 2015-04-14 14:09:11 -07:00
Armon Dadgar d7102e2661 vault: first pass at HA standby mode 2015-04-14 14:06:15 -07:00
Armon Dadgar 0be49a97b7 vault: stopExpiration should be idempotent 2015-04-14 13:32:56 -07:00
Armon Dadgar 255e0fbda4 vault: enable physical cache in core 2015-04-14 11:08:04 -07:00
Mitchell Hashimoto 0f15aef9bb vault: fix tests 2015-04-13 20:42:07 -07:00
Mitchell Hashimoto a44eb0dcd0 http: renew endpoints 2015-04-13 20:42:07 -07:00
Mitchell Hashimoto 209b275bfd logical/framework: allow max session time 2015-04-11 16:41:08 -07:00
Mitchell Hashimoto 33d66f0130 vault: token store allows unlimited renew 2015-04-11 16:28:16 -07:00
Mitchell Hashimoto a360ca4928 logical/framework: AuthRenew callback, add LeaseExtend
/cc @armon - Going with this "standard library" of callbacks approach
to make extending leases in a customizable way easy. See the docs/tests
above.
2015-04-11 14:46:09 -07:00
Mitchell Hashimoto 5eff7f1b57 vault: upper bound on test 2015-04-10 21:22:17 -07:00
Mitchell Hashimoto 992028e23e vault: the expiration time should be relative to the issue time 2015-04-10 21:21:06 -07:00
Armon Dadgar f2c0f79435 vault: Split SecurityBarrier interface to BarrierStorage 2015-04-10 16:43:35 -07:00
Armon Dadgar a6d974c74e vault: revoking a token should revoke all secrets it has generated 2015-04-10 15:12:04 -07:00
Armon Dadgar c22d18a5be vault: re-use revokeSalted to share logic 2015-04-10 15:06:54 -07:00
Armon Dadgar 1e2863e2b8 vault: remove unused RevokeAll method 2015-04-10 14:59:49 -07:00
Armon Dadgar b10fbc4d83 vault: Adding token based revocation 2015-04-10 14:48:08 -07:00
Armon Dadgar 98679ee7b8 vault: Split expiration manager views to index by token 2015-04-10 14:21:23 -07:00
Armon Dadgar 39c51ede2e vault: testing renewAuthEntry 2015-04-10 14:07:06 -07:00
Armon Dadgar 13836e8612 vault: groundwork to allow auth renew 2015-04-10 13:59:49 -07:00
Armon Dadgar e7fe48c33f vault: refactor expiration timer management 2015-04-09 12:39:12 -07:00
Armon Dadgar 5a3ab973e6 vault: Simplify common lease logic 2015-04-09 12:29:13 -07:00
Armon Dadgar 4679febdf3 logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 12:14:04 -07:00
Armon Dadgar 7df486482b vault: Adding LeaseIssue for renew to allow limiting maximum lease length 2015-04-09 11:54:32 -07:00
Mitchell Hashimoto 9a034c4ab8 vault: lookup-self should allow unauthenticated requests 2015-04-08 22:09:47 -07:00
Armon Dadgar 8ebc29d1b9 vault: audit broker profiles each backend 2015-04-08 17:09:36 -07:00
Armon Dadgar e25886859e vault: router generates metrics per operation 2015-04-08 17:09:10 -07:00
Armon Dadgar 82c5d9c478 vault: Enforce non-renewability 2015-04-08 17:03:46 -07:00
Armon Dadgar 512b3d7afd vault: Adding metrics profiling 2015-04-08 16:43:17 -07:00
Armon Dadgar 429ad7e5cb vault: Handle auth entry without lease 2015-04-08 15:43:26 -07:00
Armon Dadgar 466c7575d3 Replace VaultID with LeaseID for terminology simplification 2015-04-08 13:35:32 -07:00
Mitchell Hashimoto 7e4f47a9e6 vault: proper meta parameter for vaultstorage (tests pass now) 2015-04-07 14:37:50 -07:00
Mitchell Hashimoto 9378d0388a vault: token store inehrits policies by default 2015-04-07 14:19:52 -07:00
Mitchell Hashimoto 8dce065972 vault: use mapstructure to decode token args
JSON sends as interface{}, so we can't decode directly into types.
2015-04-07 14:16:35 -07:00
Armon Dadgar a8d4319ad5 vault: Update LRU on GetPolicy 2015-04-06 16:43:05 -07:00
Armon Dadgar f022ec97c4 vault: Adding policy LRU cache 2015-04-06 16:41:48 -07:00
Armon Dadgar 493ee49e4d vault: unify the token renew response 2015-04-06 16:35:39 -07:00