cc1f5207b3
Merge branch 'master' into token-roles
2016-03-07 10:03:54 -05:00
da9152169b
changed response of expiration manager's renewtoken to logical.response
2016-03-04 14:56:51 -05:00
41dba5dd5d
Move descriptions into const block
2016-03-03 11:04:05 -05:00
7c5f810bc0
Address first round of feedback
2016-03-01 15:30:37 -05:00
8a500e0181
Add command and token store documentation for roles
2016-03-01 13:02:40 -05:00
54232eb980
Add other token role unit tests and some minor other changes.
2016-03-01 12:41:41 -05:00
df2e337e4c
Update tests to add expected role parameters
2016-03-01 12:41:40 -05:00
b8b59560dc
Add token role CRUD tests
2016-03-01 12:41:40 -05:00
ef990a3681
Initial work on token roles
2016-03-01 12:41:40 -05:00
bc4710eb06
Cert: renewal enhancements
2016-02-24 14:31:38 -05:00
ff3adce39e
Make "ttl" reflect the actual TTL of the token in lookup calls.
...
Add a new value "creation_ttl" which holds the value at creation time.
Fixes #986
2016-02-01 11:16:32 -05:00
d3a705f17b
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
9c5ad28632
Update deps, and adjust usage of go-uuid to match new return values
2016-01-13 13:40:08 -05:00
a99787afeb
Don't allow a policy with no name, even though it is a valid slice member
2016-01-08 21:23:40 -05:00
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
d51d723c1f
Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases)
2016-01-04 17:11:22 -05:00
e990b77d6e
Address review feedback; move storage of these values to the expiration manager
2016-01-04 16:43:07 -05:00
5ddd243144
Store a last renewal time in the token entry and return it upon lookup
...
of the token.
Fixes #889
2016-01-04 11:20:49 -05:00
df68e3bd4c
Filter out duplicate policies during token creation.
2015-12-30 15:18:30 -05:00
f2da5b639f
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
1a45696208
Add no-default-policy flag and API parameter to allow exclusion of the
...
default policy from a token create command.
2015-11-09 17:30:50 -05:00
d6693129de
Create a "default" policy with sensible rules.
...
It is forced to be included with each token, but can be changed (but not
deleted).
Fixes #732
2015-11-09 15:44:09 -05:00
5783f547ab
Display whether a token is an orphan on lookup.
2015-11-09 13:19:59 -05:00
7aa3faa626
Rename core's 'policy' to 'policyStore' for clarification
2015-11-06 12:07:42 -05:00
7d8371c4a3
Remove warning about nonexistent root policy by using GetPolicy instead
...
of the listing function.
2015-11-06 11:36:40 -05:00
6ccded7a2f
Add ability to create orphan tokens from the API
2015-11-03 15:12:21 -05:00
636d57a026
Make the token store's Create and RootToken functions non-exported.
...
Nothing requires them to be exported, and I don't want anything in the
future to think it's okay to simply create a root token when it likes.
2015-10-30 10:59:26 -04:00
a9155ef85e
Use split-out hashicorp/uuid
2015-10-12 14:07:12 -04:00
b5d674d94e
Add 301 redirect checking to the API client.
...
Vault doesn't generate these, but in some cases Go's internal HTTP
handler does. For instance, during a mount-tune command, finishing the
mount path with / (as in secret/) would cause the final URL path to
contain .../mounts/secret//tune. The double slash would trigger this
behavior in Go's handler and generate a 301. Since Vault generates 307s,
this would cause the client to think that everything was okay when in
fact nothing had happened.
2015-10-09 17:11:31 -04:00
d740fd4a6a
Add the ability for warnings to be added to responses. These are
...
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.
Fixes #676
2015-10-07 16:18:39 -04:00
4a52de13e3
Add renew-self endpoint.
...
Fixes #455 .
2015-10-07 12:49:13 -04:00
3dd84446ab
Github backend: enable auth renewals
2015-10-02 13:33:19 -04:00
ca50012017
Format token lease/TTL as int in JSON API when looking up
2015-09-27 22:36:36 -04:00
62ac518ae7
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 10:41:21 -04:00
d526c8ce1c
Merge pull request #629 from hashicorp/token-create-sudo
...
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-21 10:12:29 -04:00
1a01ab3608
Take ClientToken instead of Policies
2015-09-21 10:04:03 -04:00
02485e7175
Abstraced SudoPrivilege to take list of policies
2015-09-19 18:23:44 -04:00
a2799b235e
Using acl.RootPrivilege and rewrote mockTokenStore
2015-09-19 17:53:24 -04:00
fb77ec3623
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-19 11:14:51 -04:00
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
d775445efe
Store token creation time and TTL. This can be used to properly populate
...
fields in 'lookup-self'. Importantly, this also makes credential
backends use the SystemView per-backend TTL values and fixes unit tests
to expect this.
Fully fixes #527
2015-09-18 16:39:35 -04:00
8f79e8be82
Add revoke-self endpoint.
...
Fixes #620 .
2015-09-17 13:22:30 -04:00
047ba90a44
Restrict orphan revocation to root tokens
2015-09-16 09:22:15 -04:00
e7d5a18e94
Directly pass the cubbyhole backend to the token store and bypass logic in router
2015-09-15 13:50:37 -04:00
bdb8cf128d
Cleanup; remove everything but double-salting from the router and give
...
the token store cubby backend information for direct calling.
2015-09-15 13:50:37 -04:00
77e7379ab5
Implement the cubbyhole backend
...
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
142cb563a6
Improve documentation of token renewal
2015-09-11 21:08:32 -04:00
c460ff10ca
Push a lot of logic into Router to make a bunch of it nicer and enable a
...
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
fe8c1c514d
Add -no-verify option to CLI auth command, to avoid decrementing the token use count during auth.
2015-08-18 19:22:17 -07:00
579c1433a2
vault: use helper/salt library to share code
2015-06-30 14:08:21 -07:00
8bc99f8c23
helper/uuid: single generateUUID definition
2015-06-30 12:38:32 -07:00
4ec685dc1a
Logging authentication errors and bad token usage
2015-06-18 18:30:18 -07:00
ffeb6ea76c
vault: allow increment to be duration string. Fixes #340
2015-06-17 15:58:20 -07:00
ae421f75b7
vault: fixing issues with token renewal
2015-06-17 14:28:13 -07:00
a2bd832519
vault: token create should return various metadata for logging
2015-04-25 20:21:35 -07:00
538c795f9b
vault: Adding method to consume a limited use token
2015-04-17 11:51:04 -07:00
fd3948d476
vault: Tokens can have a use count specified
2015-04-17 11:34:25 -07:00
818ce0a045
vault: token store allows specifying display_name
2015-04-15 14:24:07 -07:00
76b69b2514
vault: thread the display name through
2015-04-15 14:12:34 -07:00
209b275bfd
logical/framework: allow max session time
2015-04-11 16:41:08 -07:00
33d66f0130
vault: token store allows unlimited renew
2015-04-11 16:28:16 -07:00
a6d974c74e
vault: revoking a token should revoke all secrets it has generated
2015-04-10 15:12:04 -07:00
c22d18a5be
vault: re-use revokeSalted to share logic
2015-04-10 15:06:54 -07:00
1e2863e2b8
vault: remove unused RevokeAll method
2015-04-10 14:59:49 -07:00
13836e8612
vault: groundwork to allow auth renew
2015-04-10 13:59:49 -07:00
4679febdf3
logical: Refactor LeaseOptions to share between Secret and Auth
2015-04-09 12:14:04 -07:00
9a034c4ab8
vault: lookup-self should allow unauthenticated requests
2015-04-08 22:09:47 -07:00
512b3d7afd
vault: Adding metrics profiling
2015-04-08 16:43:17 -07:00
466c7575d3
Replace VaultID with LeaseID for terminology simplification
2015-04-08 13:35:32 -07:00
7e4f47a9e6
vault: proper meta parameter for vaultstorage (tests pass now)
2015-04-07 14:37:50 -07:00
9378d0388a
vault: token store inehrits policies by default
2015-04-07 14:19:52 -07:00
8dce065972
vault: use mapstructure to decode token args
...
JSON sends as interface{}, so we can't decode directly into types.
2015-04-07 14:16:35 -07:00
493ee49e4d
vault: unify the token renew response
2015-04-06 16:35:39 -07:00
b8d69a357c
vault: Use Auth for lease and renewable
2015-04-03 14:04:50 -07:00
2feba52f40
vault: Adding auth/token/renew endpoint
2015-04-03 12:11:49 -07:00
c82fbbb8c3
vault: Support prefix based token revocation
2015-04-03 11:40:08 -07:00
d0ac9e5711
vault: Expose SaltID from token store
2015-04-02 17:39:38 -07:00
1dcb37c6b6
vault: lookup-self for TokenStore to look up your own store
2015-03-31 12:51:00 -07:00
63f259cc8d
vault: lookup without a token looks up self
2015-03-31 12:50:07 -07:00
6a72ea61d5
vault: convert TokenStore to logical/framework
2015-03-31 12:48:19 -07:00
c9acfa17cb
vault: get rid of HangleLogin
2015-03-30 20:26:39 -07:00
69593cde56
remove credential/ lots of tests faililng
2015-03-30 18:07:05 -07:00
62ee621ea3
logical: move cred stuff over here
2015-03-30 17:46:18 -07:00
b354f03cb2
vault: adding auth/token/lookup/ support
2015-03-24 15:39:33 -07:00
4a4d1d3e45
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 15:30:09 -07:00
6fd3cae2c2
vault: Adding auth/token/create endpoint
2015-03-24 15:10:46 -07:00
b5332404d1
vault: Allow providing token ID during creation
2015-03-24 14:22:50 -07:00
cd3ee5cc03
vault: Remove core reference
2015-03-23 17:29:36 -07:00
3607eae208
vault: Adding method to generate root token
2015-03-23 17:16:37 -07:00
56d99fe580
vault: token tracks generation path and meta data
2015-03-23 13:39:43 -07:00
a78b7207b9
vault: playing with credential store interface
2015-03-20 13:54:57 -07:00
8cc88981d6
vault: token store is a credential implementation
2015-03-18 19:11:52 -07:00
6e22ca50eb
vault: integrate policy and token store into core
2015-03-18 14:00:42 -07:00
4d0700d12f
vault: Guard against blank tokens
2015-03-18 13:21:16 -07:00
ded5dc71e9
vault: First pass token store
2015-03-18 13:19:19 -07:00
Jeff Mitchell