Commit graph

1019 commits

Author SHA1 Message Date
vishalnayak bf6aa296b3 rekey: added check to ensure that length of PGP keys and the shares are matching 2017-01-11 13:29:10 -05:00
Jeff Mitchell 9923c753d0 Set c.standby true in non-HA context. (#2259)
This value is the key for some checks in core logic. In a non-HA
environment, if the core was sealed it would never be set back to true.
2017-01-11 11:13:09 -05:00
Vishal Nayak 7367158a2a Merge pull request #2252 from hashicorp/mountentry-clone
Adding Tainted to MountEntry.Clone
2017-01-10 10:28:13 -05:00
vishalnayak 28c3f4a192 Adding Tainted to MountEntry.Clone 2017-01-10 08:32:33 -05:00
Jeff Mitchell bb32853fcd Fix up exclusion rules for dynamic system view IsPrimary 2017-01-07 18:31:43 -05:00
Jeff Mitchell 9d89aae00c Fix up invalidations in noopbackend 2017-01-07 18:22:34 -05:00
Armon Dadgar c37d17ed47 Adding interface methods to logical.Backend for parity (#2242) 2017-01-07 18:18:22 -05:00
Jeff Mitchell 336dfed5c3 Rename gRPC request forwarding method 2017-01-06 17:08:43 -05:00
Jeff Mitchell 681e36c4af Split Unseal into Unseal and unsealInternal 2017-01-06 16:30:43 -05:00
Jeff Mitchell 9e5d1eaac9 Port some updates 2017-01-06 15:42:18 -05:00
Jeff Mitchell 64fc18e523 When a JWT wrapping token is returned, audit the inner token both for
request and response. This makes it far easier to properly check
validity elsewhere in Vault because we simply replace the request client
token with the inner value.
2017-01-04 23:50:24 -05:00
vishalnayak 066038bebd Fixed return types 2017-01-04 16:58:25 -05:00
Jeff Mitchell 0391475c70 Add read locks to LookupToken/ValidateWrappingToken (#2232) 2017-01-04 16:52:03 -05:00
Jeff Mitchell 3129187dc2 JWT wrapping tokens (#2172) 2017-01-04 16:44:03 -05:00
vishalnayak d70fb45fbb Removed unused methods 2017-01-03 12:51:35 -05:00
Félix Cantournet 103b7ceab2 all: test: Fix govet warnings
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Jeff Mitchell 9f60e9f88d Add tidy expiration test 2016-12-16 17:04:28 -05:00
vishalnayak bae84e3864 TokenStore: Make the testcase dangle 100 accessors and let it tidy up 2016-12-16 15:41:41 -05:00
Vishal Nayak ba026aeaa1 TokenStore: Added tidy endpoint (#2192) 2016-12-16 15:29:27 -05:00
Jeff Mitchell f6044764c0 Fix revocation of leases when num_uses goes to 0 (#2190) 2016-12-16 13:11:55 -05:00
Vishal Nayak 8400b87473 Don't add default policy to child token if parent does not have it (#2164) 2016-12-16 00:36:39 -05:00
Vishal Nayak e3f56f375c Add 'no-store' response header from all the API outlets (#2183) 2016-12-15 17:53:07 -05:00
mwoolsey 907e735541 Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow. 2016-12-06 18:14:15 -08:00
mwoolsey c27817aba3 Merge branch 'master' of https://github.com/hashicorp/vault 2016-12-06 16:09:32 -08:00
Jeff Mitchell 7865143c1d Minor ports 2016-12-05 12:28:12 -05:00
Jeff Mitchell 710e8f2d4c Change Vault audit broker logic to successfully start when at least one (#2155)
backend is successfully loaded.

Fixes #2083
2016-12-02 15:09:01 -05:00
Thomas Soëte 90b392c7fc Fix panic() in test suite (#2149)
As `base` could be nil, move check in `if base != nil`
2016-12-02 06:31:06 -05:00
Jeff Mitchell 49284031c6 Respect logger in TestCluster 2016-12-01 15:25:10 -05:00
mwoolsey 3e72e50fa5 Merge remote-tracking branch 'upstream/master' 2016-11-20 18:31:55 -08:00
Jeff Mitchell ee29b329fb Bump proto files after update 2016-11-17 10:06:26 -05:00
Jeff Mitchell e84a015487 Add extra logic around listener handling. (#2089) 2016-11-11 16:43:33 -05:00
Jeff Mitchell 6c1d2ffea9 Allow wrapping to be specified by backends, and take the lesser of the request/response times (#2088) 2016-11-11 15:12:11 -05:00
Jeff Mitchell 168d6e1a3d Fix other clustering tests on OSX 2016-11-08 10:55:41 -05:00
Jeff Mitchell e381c189e4 Fix cluster testing on OSX; see the inline comment for details 2016-11-08 10:31:35 -05:00
Jeff Mitchell 86edada67c Show the listener address when it's created for the cluster in the log 2016-11-08 10:31:15 -05:00
Jeff Mitchell 6f86e664a8 use a const for cluster test pause period 2016-11-08 10:30:44 -05:00
lemondrank c63d9e9f24 added AllowOperation tests 2016-11-07 12:28:41 -08:00
ChaseLEngel a847caa4ae Moved Operations out of test cases variable. 2016-11-07 12:08:17 -08:00
ChaseLEngel e349d64dbc Finished merge testing. 2016-11-06 15:16:08 -08:00
mwoolsey 42e0ecb0b8 narrowed the problem to: the Permissions struct in the TestPolicyMerge method is not being initialized 2016-11-06 13:38:25 -08:00
mwoolsey 2add5dbf3a Started the testing on merged pathCapabilites 2016-11-01 21:27:33 -07:00
ChaseLEngel 482ed0a659 Add merge testcases 2016-11-01 19:48:00 -07:00
lemondrank 975ac72822 started acl_test updates 2016-10-30 15:09:45 -07:00
Vishal Nayak b3c805e662 Audit the client token accessors (#2037) 2016-10-29 17:01:49 -04:00
mwoolsey b5669d73db Had to change what a wildcard value in a parameter mapped to, from a nil value to an empty struct 2016-10-28 12:54:37 -07:00
mwoolsey 3a0e01a5d7 Added the merging of wildcards to allowed and denied parameters. 2016-10-28 12:33:50 -07:00
Jeff Mitchell 0ed2dece6d Don't panic if postUnseal calls preSeal due to audit table never being set up. Also call cleanup funcs on auth backends. (#2043) 2016-10-28 15:32:32 -04:00
mwoolsey bcd0618623 updated testing on a policy to cover parameters in the policy 2016-10-28 10:18:31 -07:00
ChaseLEngel 2ea4caeffb Update acl and policy tests to use Permissions. 2016-10-21 23:45:39 -07:00
ChaseLEngel 353241e328 Fixing type assertions. 2016-10-21 21:12:02 -07:00
mwoolsey ed982675a1 permissions structure now holds a map of strings to empty structs. Modified acl.go to acommidate these changes 2016-10-21 19:35:55 -07:00
ChaseLEngel c6b63b5312 Implemented AllowOperation parameter permission checking for request data. 2016-10-21 18:38:05 -07:00
Vishal Nayak e06aaf20e1 Remove unused WrapListenersForClustering (#2007) 2016-10-18 10:20:09 -04:00
ChaseLEngel c2b512cf46 Changed AllowOperation to take logical.Request 2016-10-16 16:29:52 -07:00
ChaseLEngel bd7711bebf Merge allowed and disallowed parameters maps. 2016-10-16 15:24:32 -07:00
mwoolsey 93bb52b733 policy now includes whether a certain parameter can be updated 2016-10-15 16:44:57 -07:00
mwoolsey 231d3e7758 policy now includes whether a certain parameter can be updated 2016-10-15 16:43:55 -07:00
ChaseLEngel 119dd9653e Adding permissions to hcl config and decoding it. 2016-10-14 14:24:45 -07:00
ChaseLEngel bd5235960c Fixed permission conflicts 2016-10-14 10:33:12 -07:00
ChaseLEngel d480df7141 Fixed Policy Permissions intergration and spelling. 2016-10-14 10:22:00 -07:00
mwoolsey eb8b8a1def created structure for permissions and modified parsePaths in policy.go and newAcl/AllowOperation in acl.go 2016-10-14 10:17:25 -07:00
mwoolsey 4582f2268c working on modifying AllowOperation in acl.go 2016-10-10 11:21:25 -07:00
mwoolsey 6aa9a1d165 updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure 2016-10-09 15:39:58 -07:00
Jeff Mitchell b5225fd000 Add KeyNotFoundError to seal file 2016-10-05 17:17:33 -04:00
Jeff Mitchell 6d00f0c483 Adds HUP support for audit log files to close and reopen. (#1953)
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.

As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
Jeff Mitchell 85315ff188 Rejig where the reload functions live 2016-09-30 00:07:22 -04:00
Jeff Mitchell 4a505bfa3e Update text around cubbyhole/response 2016-09-29 17:44:15 -04:00
Jeff Mitchell 5657789627 Audit unwrapped response (#1950) 2016-09-29 12:03:47 -07:00
Jeff Mitchell b45a481365 Wrapping enhancements (#1927) 2016-09-28 21:01:28 -07:00
Jeff Mitchell f0203741ff Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
vishalnayak 57b21acabb Added unit tests for token entry upgrade 2016-09-26 18:17:50 -04:00
vishalnayak af888573be Handle upgrade of deprecated fields in token entry 2016-09-26 15:47:48 -04:00
Jeff Mitchell f3ab4971a6 Follow Vault convention on DELETE being idempotent (#1903)
* Follow Vault convention on `DELETE` being idempotent with
audit/auth/mounts deletes (a.k.a. disabling/unmounting).
2016-09-19 13:02:25 -04:00
Jeff Mitchell 722e26f27a Add support for PGP encrypting the initial root token. (#1883) 2016-09-13 18:42:24 -04:00
Jeff Mitchell fffee5611a Rejig locks during unmount/remount. (#1855) 2016-09-13 11:50:14 -04:00
Jeff Mitchell 1c6f2fd82b Add response wrapping to list operations (#1814) 2016-09-02 01:13:14 -04:00
Jeff Mitchell 19d64a476a Apply fix from #1827 to rekey 2016-09-01 17:42:28 -04:00
Jeff Mitchell 5bd93b62d4 Return bad request error on providing same key for root generation (#1833)
Fixes #1827
2016-09-01 17:40:01 -04:00
vishalnayak 328de60338 Description consistency 2016-08-29 15:53:11 -04:00
Jeff Mitchell ac38863884 Add back token/accessor URL parameters but return a warning.
CC @sethvargo
2016-08-29 15:15:57 -04:00
vishalnayak aec05fdf02 Remove the upgrade code to update the mount table from 'aws' to 'aws-ec2' 2016-08-29 11:53:52 -04:00
Jeff Mitchell 7e41d5ab45 Pass headers back when request forwarding (#1795) 2016-08-26 17:53:47 -04:00
Jeff Mitchell 2ce4397deb Plumb through the ability to set the storage read cache size. (#1784)
Plumb through the ability to set the storage read cache size.

Fixes #1772
2016-08-26 10:27:06 -04:00
Jeff Mitchell 9fee9ce8ff Don't allow tokens in paths. (#1783) 2016-08-24 15:59:43 -04:00
Jeff Mitchell b89073f7e6 Error when an invalid (as opposed to incorrect) unseal key is given. (#1782)
Fixes #1777
2016-08-24 14:15:25 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell 2bb8adcbde Cleanup and avoid unnecessary advertisement parsing in leader check 2016-08-19 14:49:11 -04:00
Jeff Mitchell b7acf5b5ab Rename proto service stuff and change log levels for some messages 2016-08-19 11:49:25 -04:00
Jeff Mitchell bdcfe05517 Clustering enhancements (#1747) 2016-08-19 11:03:53 -04:00
vishalnayak 87c42a796b s/advertisement/redirect 2016-08-19 10:52:14 -04:00
Jeff Mitchell 01702415c2 Ensure we don't use a token entry period of 0 in role comparisons.
When we added support for generating periodic tokens for root/sudo in
auth/token/create we used the token entry's period value to store the
shortest period found to eventually populate the TTL. The problem was
that we then assumed later that this value would be populated for
periodic tokens, when it wouldn't have been in the upgrade case.

Instead, use a temp var to store the proper value to use; populate
te.Period only if actually given; and check that it's not zero before
comparing against role value during renew.
2016-08-16 16:47:46 -04:00
Jeff Mitchell c1aa89363a Make time logic a bit clearer 2016-08-16 16:29:07 -04:00
Jeff Mitchell 02d9702fbd Add local into handler path for forwarded requests 2016-08-16 11:46:37 -04:00
Jeff Mitchell 62c69f8e19 Provide base64 keys in addition to hex encoded. (#1734)
* Provide base64 keys in addition to hex encoded.

Accept these at unseal/rekey time.

Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell 37320f8798 Request forwarding (#1721)
Add request forwarding.
2016-08-15 09:42:42 -04:00
Jeff Mitchell 40ece8fd7c Add another test and fix some output 2016-08-14 07:17:14 -04:00
Jeff Mitchell b6ef112382 Minor wording change 2016-08-13 15:45:13 -04:00
Jeff Mitchell cdea4b3445 Add some tests and fix some bugs 2016-08-13 14:03:22 -04:00
Jeff Mitchell de60702d76 Don't check the role period again as we've checked it earlier and it may be greater than the te Period 2016-08-13 13:21:56 -04:00
Jeff Mitchell bcb4ab5422 Add periodic support for root/sudo tokens to auth/token/create 2016-08-12 21:14:12 -04:00
Jeff Mitchell c1a46349fa Change to keybase openpgp fork as it has important fixes 2016-08-11 08:31:43 -04:00
vishalnayak 3895ea4c2b Address review feedback from @jefferai 2016-08-10 15:22:12 -04:00
vishalnayak 95f9c62523 Fix Cluster object being returned as nil when unsealed 2016-08-10 15:09:16 -04:00
Jeff Mitchell 0f40fba40d Don't allow a root token that expires to create one that doesn't 2016-08-09 20:32:40 -04:00
vishalnayak b5d55a9f47 Fix broken mount_test 2016-08-09 12:06:59 -04:00
Jeff Mitchell 4246ab1220 Change local cluster info path 2016-08-09 11:28:42 -04:00
Vishal Nayak c27a52069c Merge pull request #1693 from hashicorp/mount-table-compress
Added utilities to compress the JSON encoded string.
2016-08-09 11:23:14 -04:00
Jeff Mitchell cc10fd7a7e Use config file cluster name after automatic gen 2016-08-09 11:03:50 -04:00
vishalnayak b43cc03f0e Address review feedback from @jefferai 2016-08-09 10:47:55 -04:00
Jeff Mitchell 94c9fc3b49 Minor test fix 2016-08-09 07:13:29 -04:00
vishalnayak 78d57520fb Refactoring and test fixes 2016-08-09 03:43:03 -04:00
vishalnayak 5866cee5b4 Added utilities to compress the data 2016-08-09 00:50:19 -04:00
Jeff Mitchell d2124486ef Merge pull request #1702 from hashicorp/renew-post-body
Add ability to specify renew lease ID in POST body.
2016-08-08 20:01:25 -04:00
Jeff Mitchell c86fd0353c urllease_id -> url_lease_id 2016-08-08 18:34:00 -04:00
Jeff Mitchell 065da5fd69 Migrate default policy to a const 2016-08-08 18:33:31 -04:00
Jeff Mitchell 5a48611a62 Add test for both paths in backend 2016-08-08 18:32:18 -04:00
Jeff Mitchell 56b7f595aa Fix parsing optional URL param 2016-08-08 18:08:25 -04:00
Jeff Mitchell ab71b981ad Add ability to specify renew lease ID in POST body. 2016-08-08 18:00:44 -04:00
Jeff Mitchell 13b7d37a0b Remove change to naming return values 2016-08-08 17:56:14 -04:00
Jeff Mitchell a583f8a3f8 Use policyutil sanitizing 2016-08-08 17:42:25 -04:00
Jeff Mitchell 4f0310ed96 Don't allow root from authentication backends either.
We've disabled this in the token store, but it makes no sense to have
that disabled but have it enabled elsewhere. It's the same issue across
all, so simply remove the ability altogether.
2016-08-08 17:32:37 -04:00
Jeff Mitchell 796c93a8b0 Add sys/renew to default policy 2016-08-08 17:32:30 -04:00
Jeff Mitchell d7f6218869 Move checking non-assignable policies above the actual token creation 2016-08-08 16:44:29 -04:00
Laura Bennett da615642f5 Merge pull request #1687 from hashicorp/token-store-update
Minor update to token-store
2016-08-08 10:25:05 -04:00
Jeff Mitchell ac62b18d56 Make capabilities-self part of the default policy.
Fixes #1695
2016-08-08 10:00:01 -04:00
vishalnayak e783bfe7e1 Minor changes to test cases 2016-08-05 20:22:07 -04:00
vishalnayak 5ddd1c7223 Fix broken test case 2016-08-05 20:07:18 -04:00
Laura Bennett 02911c0e01 full updates based on feedback 2016-08-05 18:57:35 -04:00
Laura Bennett 52623a2395 test updates based on feedback 2016-08-05 18:56:22 -04:00
Laura Bennett 405eb0075a fix an error, tests still broken 2016-08-05 17:58:48 -04:00
Jeff Mitchell 82b3d136e6 Don't mark never-expiring root tokens as renewable 2016-08-05 11:15:25 -04:00
Laura Bennett 68d351c70c addresses feedback, but tests broken 2016-08-05 10:04:02 -04:00
Jeff Mitchell 4b2b5363d4 Switch some errors that ought to be 500 to 500 2016-08-04 09:11:24 -04:00
Laura Bennett c626277632 initial commit for minor update to token-store 2016-08-03 14:32:17 -04:00
Jeff Mitchell a7ed50dbc8 coreClusterPath -> coreLocalClusterPath 2016-08-03 09:50:21 -04:00
Vishal Nayak 0b2098de2f Merge pull request #1681 from hashicorp/disallowed-policies
Support disallowed_policies in token roles
2016-08-02 17:32:53 -04:00
vishalnayak e7cb3fd990 Addressed review feedback 2016-08-02 16:53:06 -04:00
vishalnayak 4f45910dfc disallowed_policies doc update 2016-08-02 16:33:22 -04:00
vishalnayak 9947b33498 Added tests for disallowed_policies 2016-08-02 15:21:15 -04:00
Jeff Mitchell 31b36fe2c2 Use duration helper to allow not specifying duration units 2016-08-02 15:12:45 -04:00
vishalnayak a936914101 Address review feedback and fix existing tests 2016-08-02 14:10:20 -04:00
vishalnayak a0c711d0cf Added disallowed_policies to token roles 2016-08-02 10:33:50 -04:00
Jeff Mitchell 357f2d972f Add some extra safety checking in accessor listing and update website
docs.
2016-08-01 13:12:06 -04:00
Jeff Mitchell 6546005487 Fix typo 2016-07-29 23:24:04 -04:00
Jeff Mitchell e606aab6e0 oops, fix createAccessor 2016-07-29 18:23:55 -04:00
Jeff Mitchell 23ab63c78e Add accessor list function to token store 2016-07-29 18:20:38 -04:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
Laura Bennett 4d9c909ae4 Merge pull request #1650 from hashicorp/request-uuid
Added unique identifier to each request. Closes hashicorp/vault#1617
2016-07-27 09:40:48 -04:00
vishalnayak c17534d527 Fix request_id test failures 2016-07-26 18:30:13 -04:00
Laura Bennett fb1b032040 fixing id in buildLogicalRequest 2016-07-26 15:50:37 -04:00