luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
1557 commits 1 branch 0 tags 214 MiB
Commit graph

354 commits

Author SHA1 Message Date
Armon Dadgar 4473abd6ce vault: core enforcement of limited use tokens 2015-04-17 11:57:56 -07:00
Armon Dadgar 538c795f9b vault: Adding method to consume a limited use token 2015-04-17 11:51:04 -07:00
Armon Dadgar fd3948d476 vault: Tokens can have a use count specified 2015-04-17 11:34:25 -07:00
Armon Dadgar b65e1b3e22 vault: using a constant to make @mitchellh feel better 2015-04-15 17:19:59 -07:00
Aaron Bedra 95c37c1c4d Clarify Barrier encryption defaults. 
Declare the defaults in the comments to be what they are now (256 bit
key and default golang NONCE value). Make the key error message more
precise since. It isn't between 16 and 32, it is 16 OR 32.
 2015-04-15 18:24:23 -05:00
Armon Dadgar 818ce0a045 vault: token store allows specifying display_name 2015-04-15 14:24:07 -07:00
Armon Dadgar 76b69b2514 vault: thread the display name through 2015-04-15 14:12:34 -07:00
Armon Dadgar e6fd2f2ce5 vault: Default key size to 256bit. 2015-04-15 13:33:47 -07:00
Armon Dadgar 3ee434a783 vault: Allow AES key to be up to 256 bits. Fixes #7 2015-04-15 13:33:47 -07:00
Armon Dadgar 9f7143cf44 vault: expose the current leader 2015-04-14 16:53:40 -07:00
Armon Dadgar 445f64eb39 vault: leader should advertise address 2015-04-14 16:44:48 -07:00
Armon Dadgar ec8a41d2d2 vault: rename internal variable 2015-04-14 16:11:39 -07:00
Armon Dadgar 7579cf76ab vault: testing standby mode 2015-04-14 16:08:14 -07:00
Armon Dadgar 2820bec479 vault: testing standby mode 2015-04-14 16:06:58 -07:00
Armon Dadgar a0e1b90b81 vault: reject operation if standby 2015-04-14 14:09:11 -07:00
Armon Dadgar d7102e2661 vault: first pass at HA standby mode 2015-04-14 14:06:15 -07:00
Armon Dadgar 0be49a97b7 vault: stopExpiration should be idempotent 2015-04-14 13:32:56 -07:00
Armon Dadgar 255e0fbda4 vault: enable physical cache in core 2015-04-14 11:08:04 -07:00
Mitchell Hashimoto 0f15aef9bb vault: fix tests 2015-04-13 20:42:07 -07:00
Mitchell Hashimoto a44eb0dcd0 http: renew endpoints 2015-04-13 20:42:07 -07:00
Mitchell Hashimoto 209b275bfd logical/framework: allow max session time 2015-04-11 16:41:08 -07:00
Mitchell Hashimoto 33d66f0130 vault: token store allows unlimited renew 2015-04-11 16:28:16 -07:00
Mitchell Hashimoto a360ca4928 logical/framework: AuthRenew callback, add LeaseExtend 
/cc @armon - Going with this "standard library" of callbacks approach
to make extending leases in a customizable way easy. See the docs/tests
above.
 2015-04-11 14:46:09 -07:00
Mitchell Hashimoto 5eff7f1b57 vault: upper bound on test 2015-04-10 21:22:17 -07:00
Mitchell Hashimoto 992028e23e vault: the expiration time should be relative to the issue time 2015-04-10 21:21:06 -07:00
Armon Dadgar f2c0f79435 vault: Split SecurityBarrier interface to BarrierStorage 2015-04-10 16:43:35 -07:00
Armon Dadgar a6d974c74e vault: revoking a token should revoke all secrets it has generated 2015-04-10 15:12:04 -07:00
Armon Dadgar c22d18a5be vault: re-use revokeSalted to share logic 2015-04-10 15:06:54 -07:00
Armon Dadgar 1e2863e2b8 vault: remove unused RevokeAll method 2015-04-10 14:59:49 -07:00
Armon Dadgar b10fbc4d83 vault: Adding token based revocation 2015-04-10 14:48:08 -07:00
Armon Dadgar 98679ee7b8 vault: Split expiration manager views to index by token 2015-04-10 14:21:23 -07:00
Armon Dadgar 39c51ede2e vault: testing renewAuthEntry 2015-04-10 14:07:06 -07:00
Armon Dadgar 13836e8612 vault: groundwork to allow auth renew 2015-04-10 13:59:49 -07:00
Armon Dadgar e7fe48c33f vault: refactor expiration timer management 2015-04-09 12:39:12 -07:00
Armon Dadgar 5a3ab973e6 vault: Simplify common lease logic 2015-04-09 12:29:13 -07:00
Armon Dadgar 4679febdf3 logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 12:14:04 -07:00
Armon Dadgar 7df486482b vault: Adding LeaseIssue for renew to allow limiting maximum lease length 2015-04-09 11:54:32 -07:00
Mitchell Hashimoto 9a034c4ab8 vault: lookup-self should allow unauthenticated requests 2015-04-08 22:09:47 -07:00
Armon Dadgar 8ebc29d1b9 vault: audit broker profiles each backend 2015-04-08 17:09:36 -07:00
Armon Dadgar e25886859e vault: router generates metrics per operation 2015-04-08 17:09:10 -07:00
Armon Dadgar 82c5d9c478 vault: Enforce non-renewability 2015-04-08 17:03:46 -07:00
Armon Dadgar 512b3d7afd vault: Adding metrics profiling 2015-04-08 16:43:17 -07:00
Armon Dadgar 429ad7e5cb vault: Handle auth entry without lease 2015-04-08 15:43:26 -07:00
Armon Dadgar 466c7575d3 Replace VaultID with LeaseID for terminology simplification 2015-04-08 13:35:32 -07:00
Mitchell Hashimoto 7e4f47a9e6 vault: proper meta parameter for vaultstorage (tests pass now) 2015-04-07 14:37:50 -07:00
Mitchell Hashimoto 9378d0388a vault: token store inehrits policies by default 2015-04-07 14:19:52 -07:00
Mitchell Hashimoto 8dce065972 vault: use mapstructure to decode token args 
JSON sends as interface{}, so we can't decode directly into types.
 2015-04-07 14:16:35 -07:00
Armon Dadgar a8d4319ad5 vault: Update LRU on GetPolicy 2015-04-06 16:43:05 -07:00
Armon Dadgar f022ec97c4 vault: Adding policy LRU cache 2015-04-06 16:41:48 -07:00
Armon Dadgar 493ee49e4d vault: unify the token renew response 2015-04-06 16:35:39 -07:00
Mitchell Hashimoto 7aee6269f7 vault: pass a logger around to logical backends 2015-04-04 11:39:58 -07:00
Mitchell Hashimoto 246c2839b0 logical/framework: make help look nicer 2015-04-03 21:00:23 -07:00
Mitchell Hashimoto 8ff435ba1a vault: fix issue with wrong path getting passed through 2015-04-03 20:48:04 -07:00
Mitchell Hashimoto df8dbe9677 vault: allow mount point queries without trailing / 2015-04-03 20:45:00 -07:00
Armon Dadgar 148fe3d864 vault: Adding Hash function to MountTable 2015-04-03 17:46:57 -07:00
Armon Dadgar d74c4c1c33 vault: Remove log about rollback 2015-04-03 17:11:24 -07:00
Armon Dadgar 3250bfad0a vault: test credential unmount does cleanup 2015-04-03 16:15:34 -07:00
Armon Dadgar 82eda2b169 vault: Do early check for missing backend 2015-04-03 16:09:06 -07:00
Armon Dadgar 0dee7d29ec vault: disable credential backend revokes tokens 2015-04-03 16:07:45 -07:00
Armon Dadgar 56d0b51be0 vault: Reuse mount table methods 2015-04-03 16:00:46 -07:00
Armon Dadgar 683d01e984 vault: Refactor common methods 2015-04-03 15:59:30 -07:00
Armon Dadgar eaa483ff87 vault: Enforce default and max length leasing 2015-04-03 15:42:34 -07:00
Armon Dadgar 0ba7c64c0f vault: Verify client token is not passed through in the plain 2015-04-03 15:39:56 -07:00
Armon Dadgar 002b2ad589 vault: Provide salted client token to logical backends 2015-04-03 14:42:39 -07:00
Armon Dadgar e4854ca59b vault: Allow deep paths for audit backends 2015-04-03 14:27:33 -07:00
Armon Dadgar 2f3e511507 vault: Allow deep paths for auth mounting 2015-04-03 14:24:00 -07:00
Armon Dadgar b8d69a357c vault: Use Auth for lease and renewable 2015-04-03 14:04:50 -07:00
Armon Dadgar 2feba52f40 vault: Adding auth/token/renew endpoint 2015-04-03 12:11:49 -07:00
Armon Dadgar adaa83b48c vault: Adding RenewToken to expiration manager 2015-04-03 11:58:10 -07:00
Armon Dadgar c82fbbb8c3 vault: Support prefix based token revocation 2015-04-03 11:40:08 -07:00
Armon Dadgar eec6c27fae vault: Special case auth/token/create 2015-04-02 18:05:23 -07:00
Armon Dadgar c6479642e9 vault: integrate login with expiration manager 2015-04-02 17:52:11 -07:00
Armon Dadgar 1b19a8ee1b vault: Rename RegisterLogin to RegisterAuth 2015-04-02 17:45:42 -07:00
Armon Dadgar d0ac9e5711 vault: Expose SaltID from token store 2015-04-02 17:39:38 -07:00
Armon Dadgar c54534875a vault: testing remount cleanup 2015-04-02 12:04:37 -07:00
Armon Dadgar f397cd3fb1 vault: remount does appropriate cleanup 2015-04-02 12:03:00 -07:00
Armon Dadgar 3a8dc4dff9 vault: Adding Untaint to router 2015-04-02 12:01:53 -07:00
Armon Dadgar bfe7a1e901 vault: testing unmount cleanup 2015-04-02 11:47:44 -07:00
Armon Dadgar 0b5572a2f7 vault: ensure unmount properly cleans up state 2015-04-02 11:18:06 -07:00
Armon Dadgar 3e427910fb vault: Support tainting router paths 2015-04-02 11:18:06 -07:00
Armon Dadgar c718408055 vault: Added MatchingView method 2015-04-02 11:18:06 -07:00
Armon Dadgar d5e5499ddd vault: Adding ClearView method 2015-04-02 11:18:05 -07:00
Armon Dadgar d5403d6673 vault: TODO cleanups 2015-04-01 22:13:08 -07:00
Armon Dadgar f231a6c67d vault: rollback supports joining an inflight operation 2015-04-01 22:12:03 -07:00
Armon Dadgar c3aed5589e vault: Adding intermediate taint step to unmount 2015-04-01 22:12:03 -07:00
Mitchell Hashimoto 6218c2729d http: audit endpoints 2015-04-01 18:36:13 -07:00
Armon Dadgar 114c1e1dea vault: Adding the raw/ endpoints to sys 2015-04-01 17:45:00 -07:00
Armon Dadgar 28bc849fd9 vault: Attach policy name if missing 2015-04-01 17:45:00 -07:00
Armon Dadgar 6933f94acd vault: Prevent UUID injection on sys mount path 2015-04-01 17:45:00 -07:00
Mitchell Hashimoto a8912e82d8 enable github 2015-04-01 15:48:56 -07:00
Armon Dadgar 4138e43f00 vault: Adding audit trail for login 2015-04-01 14:48:37 -07:00
Armon Dadgar 3d3e18793b vault: Integrate audit logging with core 2015-04-01 14:33:48 -07:00
Armon Dadgar b657b74a97 vault: Minor rework for clarity 2015-04-01 14:11:26 -07:00
Armon Dadgar c83f46606b vault: Simpify token checking logic 2015-04-01 14:03:17 -07:00
Armon Dadgar cd681d7226 vault: Extending AuditBroker to support new audit methods 2015-04-01 13:55:07 -07:00
Mitchell Hashimoto 08a9216aa7 vault: register vault ID even fi no lease 2015-03-31 21:04:10 -07:00
Mitchell Hashimoto 2c9ebecda7 vault: register zero lease entries with the expiration manager 
/cc @armon - would appreciate a review on this one
 2015-03-31 21:01:12 -07:00
Mitchell Hashimoto aba7fc1910 http: auth handlers 2015-03-31 20:24:51 -07:00
Armon Dadgar dda8dec5bf vault: Adding sys/ paths to enable/disable audit backends 2015-03-31 16:45:08 -07:00
Armon Dadgar 7ca462c028 vault: Adding enable/disable audit methods 2015-03-31 15:26:07 -07:00
Armon Dadgar d817e31d67 vault: Sanity check keys in the barrier view 2015-03-31 13:32:24 -07:00
Armon Dadgar a6bc60c7d6 vault: Adding AuditBroker and basic tests 2015-03-31 13:22:40 -07:00
Armon Dadgar 0a7df0b3d4 vault: Adding options to mount table 2015-03-31 13:14:08 -07:00
Mitchell Hashimoto 1dcb37c6b6 vault: lookup-self for TokenStore to look up your own store 2015-03-31 12:51:00 -07:00
Mitchell Hashimoto 63f259cc8d vault: lookup without a token looks up self 2015-03-31 12:50:07 -07:00
Mitchell Hashimoto 6a72ea61d5 vault: convert TokenStore to logical/framework 2015-03-31 12:48:19 -07:00
Mitchell Hashimoto c8294170cc vault: test bad key to seal 2015-03-31 10:00:04 -07:00
Mitchell Hashimoto 0666bda865 vault: require root token for seal 2015-03-31 09:59:02 -07:00
Mitchell Hashimoto 04c80a81bc vault: add seal to the sys backend 2015-03-31 09:36:13 -07:00
Mitchell Hashimoto d4509b0ee3 vault: keep the connection info around for auth 2015-03-30 20:55:01 -07:00
Mitchell Hashimoto c9acfa17cb vault: get rid of HangleLogin 2015-03-30 20:26:39 -07:00
Mitchell Hashimoto 69593cde56 remove credential/ lots of tests faililng 2015-03-30 18:07:05 -07:00
Mitchell Hashimoto 62ee621ea3 logical: move cred stuff over here 2015-03-30 17:46:18 -07:00
Mitchell Hashimoto e9a3a34c27 vault: tests passing 2015-03-29 16:18:08 -07:00
Mitchell Hashimoto 4cacaf62f0 http: support auth 2015-03-29 16:14:54 -07:00
Armon Dadgar 5517910829 vault: Make audit/ a protected path 2015-03-27 14:00:57 -07:00
Armon Dadgar 042db7798e vault: Adding basic audit table load/unload 2015-03-27 14:00:38 -07:00
Armon Dadgar 609ac4c562 vault: Allow passing in audit factory methods 2015-03-27 13:45:13 -07:00
Armon Dadgar 9a4946f115 vault: Testing core ACL enforcement 2015-03-24 15:55:27 -07:00
Armon Dadgar 23864839bb vault: testing root privilege restrictions 2015-03-24 15:52:07 -07:00
Armon Dadgar fe402cdd87 vault: ignore a nil policy object, as it has no permissions 2015-03-24 15:49:17 -07:00
Armon Dadgar b354f03cb2 vault: adding auth/token/lookup/ support 2015-03-24 15:39:33 -07:00
Armon Dadgar 4a4d1d3e45 vault: adding auth/token/revoke/ and auth/token/revoke-orphan/ 2015-03-24 15:30:09 -07:00
Armon Dadgar 26f05f7a20 vault: Passthrough of client token to token store 2015-03-24 15:12:52 -07:00
Armon Dadgar 6fd3cae2c2 vault: Adding auth/token/create endpoint 2015-03-24 15:10:46 -07:00
Armon Dadgar b5332404d1 vault: Allow providing token ID during creation 2015-03-24 14:22:50 -07:00
Armon Dadgar b41d2e6368 vault: utility string set methods 2015-03-24 13:56:07 -07:00
Armon Dadgar 493fbc12fc vault: utility string search methods 2015-03-24 13:44:47 -07:00
Armon Dadgar 49df1570d6 vault: test missing and invalid tokens 2015-03-24 11:57:08 -07:00
Armon Dadgar 20c2375352 vault: Adding ACL enforcement 2015-03-24 11:37:07 -07:00
Armon Dadgar 43a99aec93 vault: Special case root policy 2015-03-24 11:27:21 -07:00
Armon Dadgar 4598e43140 vault: Adding ClientToken 2015-03-24 11:09:25 -07:00
Armon Dadgar 65ef4f1032 vault: wire tokens into expiration manager 2015-03-23 18:11:15 -07:00
Armon Dadgar 86c9bd9083 vault: Give expiration manager a token store reference 2015-03-23 18:00:14 -07:00
Armon Dadgar 6481ff9e34 vault: Generate a root token when initializing 2015-03-23 17:31:30 -07:00
Armon Dadgar cd3ee5cc03 vault: Remove core reference 2015-03-23 17:29:36 -07:00
Armon Dadgar 539554fc0b vault: only log expiration notice if useful 2015-03-23 17:27:46 -07:00
Armon Dadgar 3607eae208 vault: Adding method to generate root token 2015-03-23 17:16:37 -07:00
Armon Dadgar f40ed182c4 vault: Support policy CRUD 2015-03-23 14:43:31 -07:00
Armon Dadgar 192dcf7d39 vault: first pass at HandleLogin 2015-03-23 13:56:43 -07:00
Armon Dadgar 879a0501f8 vault: Track the token store in core 2015-03-23 13:41:05 -07:00
Armon Dadgar 56d99fe580 vault: token tracks generation path and meta data 2015-03-23 13:39:43 -07:00
Armon Dadgar 10e64d1e90 vault: extend router to handle login routing 2015-03-23 11:47:55 -07:00
Armon Dadgar a78b7207b9 vault: playing with credential store interface 2015-03-20 13:54:57 -07:00
Armon Dadgar 82e13e3c41 vault: implement the sys/auth* endpoints 2015-03-20 12:48:19 -07:00
Mitchell Hashimoto a0f59f682b logical/framework: can specify InternalData for secret 2015-03-20 17:59:48 +01:00
Mitchell Hashimoto 1ff229ca68 http: passing tests 2015-03-19 23:28:49 +01:00
Mitchell Hashimoto c349e97168 vault: clean up VaultID duplications, make secret responses clearer 
/cc @armon - This is a reasonably major refactor that I think cleans up
a lot of the logic with secrets in responses. The reason for the
refactor is that while implementing Renew/Revoke in logical/framework I
found the existing API to be really awkward to work with.

Primarily, we needed a way to send down internal data for Vault core to
store since not all the data you need to revoke a key is always sent
down to the user (for example the user than AWS key belongs to).

At first, I was doing this manually in logical/framework with
req.Storage, but this is going to be such a common event that I think
its something core should assist with. Additionally, I think the added
context for secrets will be useful in the future when we have a Vault
API for returning orphaned out keys: we can also return the internal
data that might help an operator.

So this leads me to this refactor. I've removed most of the fields in
`logical.Response` and replaced it with a single `*Secret` pointer. If
this is non-nil, then the response represents a secret. The Secret
struct encapsulates all the lease info and such.

It also has some fields on it that are only populated at _request_ time
for Revoke/Renew operations. There is precedent for this sort of
behavior in the Go stdlib where http.Request/http.Response have fields
that differ based on client/server. I copied this style.

All core unit tests pass. The APIs fail for obvious reasons but I'll fix
that up in the next commit.
 2015-03-19 23:11:42 +01:00
Mitchell Hashimoto 8039fc5c63 logical/framework: support renew 2015-03-19 20:20:57 +01:00
Mitchell Hashimoto d4b284fba4 logical/framework: revoke support 2015-03-19 19:41:41 +01:00