Commit Graph

64 Commits

Author SHA1 Message Date
Hamid Ghaf 27bb03bbc0
adding copyright header (#19555)
* adding copyright header

* fix fmt and a test
2023-03-15 09:00:52 -07:00
Hamid Ghaf 8a624c1264
prevent memory leak when using control group factors in a policy (#17532)
* prevent a possible memory leak when using control group factors in a policy

* CL
2022-10-14 19:15:15 -04:00
Anton Averchenkov 166c618589
Fix linter issues in policy.go & acl.go (#16366) 2022-07-22 14:13:14 -04:00
Brian Kassouf b5472aadf3
Add list of granting policies audit logs (#15457)
* Add list of granting policies audit logs

* Add changelog
2022-05-16 16:23:08 -07:00
Chris Capurso bbb4ab4a41
Add HTTP PATCH support to KV (#12687)
* handle HTTP PATCH requests as logical.PatchOperation

* update go.mod, go.sum

* a nil response for logical.PatchOperation should result in 404

* respond with 415 for incorrect MIME type in PATCH Content-Type header

* add abstraction to handle PatchOperation requests

* add ACLs for patch

* Adding JSON Merge support to the API client

* add HTTP PATCH tests to check high level response logic

* add permission-based 'kv patch' tests in prep to add HTTP PATCH

* adding more 'kv patch' CLI command tests

* fix TestHandler_Patch_NotFound

* Fix TestKvPatchCommand_StdinValue

* add audit log test for HTTP PATCH

* patch CLI changes

* add patch CLI tests

* change JSONMergePatch func to accept a ctx

* fix TestKVPatchCommand_RWMethodNotExists and TestKVPatchCommand_RWMethodSucceeds to specify -method flag

* go fmt

* add a test to verify patching works by default with the root token

* add changelog entry

* get vault-plugin-secrets-kv@add-patch-support

* PR feedback

* reorder some imports; go fmt

* add doc comment for HandlePatchOperation

* add json-patch@v5.5.0 to go.mod

* remove unnecessary cancelFunc for WriteBytes

* remove default for -method

* use stable version of json-patch; go mod tidy

* more PR feedback

* temp go get vault-plugin-secrets-kv@master until official release

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2021-10-13 15:24:31 -04:00
Jeff Mitchell f7147025dd
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090)
* Swap sdk/helper libs to go-secure-stdlib

* Migrate to go-secure-stdlib reloadutil

* Migrate to go-secure-stdlib kv-builder

* Migrate to go-secure-stdlib gatedwriter
2021-07-15 20:17:31 -04:00
Hridoy Roy 1782b4e880
oss part of control groups upgrade (#11772)
* oss part of control groups upgrade

* changelog and docs

* formatting

* formatting
2021-06-07 09:15:35 -07:00
Lars Lehtonen 53dd619d2f
vault: deprecate errwrap.Wrapf() (#11577) 2021-05-11 13:12:54 -04:00
Brian Kassouf 303c2aee7c
Run a more strict formatter over the code (#11312)
* Update tooling

* Run gofumpt

* go mod vendor
2021-04-08 09:43:39 -07:00
Brian Kassouf 549faf47f2
Add identity templating helper to sdk/framework (#8088)
* Add identity templating helper to sdk/framework

* Cleanup a bit

* Fix length issue when groups/aliases are filtered due to ns

* review feedback
2020-01-06 10:16:52 -08:00
Jim Kalafut 2bf5db4fe8 Add OIDC token generation to Identity (#6900)
* Add OIDC token generation to Identity

There are a few open TODOs and some remaining cleanup, but this is
functionally complete and ready for review.

(Tests will being added soon.)

* Simplified key update endpoint

* Cache the config

* Fix Issuer handling

* Suppose base64-encoded templates (#6919)

* Cache JWKS and switch to go-cache (#6918)

* Address review comments

* Add warning if neither Issue nor api_addr are set

* adds tests (#6937)

* adds help synopsis and descriptions to the framework path for the oid… (#6930)

* adds help synopsis and descriptions to the framework path for the oidc backend

* Update vault/identity_store_oidc.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* Add Now parameter to PopulateStringInput

* Addressing review comments

* Refactor template processing to improve mode-specific handling

* adds a test for the periodic func (#6943)

* adds a test for the periodic func

* removes commented out code

* adds a comment

* Add comments
2019-06-21 10:23:39 -07:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Jeff Mitchell aa6fafced9 Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532)
* Add prioritization when multiple segment/glob rules can match.

* Disallow ambiguous "+*" in policy paths.
2019-04-10 17:46:17 -04:00
Jeff Mitchell 3dfa30acb4 Add ability to use path wildcard segments (#6164)
* Path globbing

* Add glob support at the beginning

* Ensure when evaluating an ACL that our path never has a leading slash. This already happens in the normal request path but not in tests; putting it here provides it for tests and extra safety in case the request path changes

* Simplify the algorithm, we don't really need to validate the prefix first as glob won't apply if it doesn't

* Add path segment wildcarding

* Disable path globbing for now

* Remove now-unneeded test

* Remove commented out globbing bits

* Remove more holdover glob bits

* Rename k var to something more clear
2019-02-14 18:31:43 -08:00
Jeff Mitchell c5d8391c38
Prefix path rename (#6089)
* Rename Prefix -> Path in internal struct

* Update test
2019-01-23 15:04:49 -05:00
Jeff Mitchell a11f2a3ba2
Rename glob -> prefix in ACL internals (#6086)
Really, it's a prefix
2019-01-23 13:55:40 -05:00
Jeff Mitchell 59bc9dd361 Add missing value to policy ShallowClone
Not related to a bug, just happened to notice it.
2019-01-23 13:20:04 -05:00
Jim Kalafut d0e2badbae Run goimports across the repository (#6010)
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Jeff Mitchell 919b968c27
The big one (#5346) 2018-09-17 23:03:00 -04:00
Chris Hoffman 716fb03ab7
perform policy templating on each path (#5229) 2018-08-30 18:45:11 -04:00
Jeff Mitchell f5024770dc Allow comment key in policies 2018-08-24 09:42:47 -04:00
Jeff Mitchell ba0d029247
Restricts ACL templating to paths but allows failures (#5167)
When a templating failure happens, we now simply ignore that path,
rather than fail all access to all policies
2018-08-23 12:15:02 -04:00
Jeff Mitchell 71d92ef093 ACL Templating (#4994)
* Initial work on templating

* Add check for unbalanced closing in front

* Add missing templated assignment

* Add first cut of end-to-end test on templating.

* Make template errors be 403s and finish up testing

* Review feedback
2018-08-15 11:42:56 -07:00
Calvin Leung Huang c4abeb9ea5
Move checkHCLKeys into hclutil (#4749) 2018-06-12 12:38:08 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Chris Hoffman 3d8d887676
Add ability to require parameters in ACLs (#3510) 2017-11-02 07:18:49 -04:00
Jeff Mitchell 8e9317792d Fix some merge/update bugs 2017-10-23 16:49:46 -04:00
Jeff Mitchell 47dae8ffc7 Sync 2017-10-23 14:59:37 -04:00
Jeff Mitchell ab5014534e Clone policy permissions and then use existing values rather than policy values for modifications (#2826)
Should fix #2804
2017-06-07 13:49:51 -04:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell 7f0a99e8eb Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 14:42:00 -05:00
Brian Kassouf 1c5264c66c ToLower parameter strings 2017-02-16 17:50:10 -08:00
Jeff Mitchell da9e62bc24 Remove "permissions" from ACL 2017-02-15 21:12:26 -05:00
Brian Kassouf 7ec19459a7 Remove extra comments 2017-01-20 11:38:40 -08:00
Brian Kassouf df800198e0 Remove some extra comments 2017-01-20 11:32:58 -08:00
Brian Kassouf 37f393ff94 Remove unneeded comment block 2017-01-19 18:18:06 -08:00
Brian Kassouf f3870061ee fix some of the tests and rename allowed/dissallowed paramaters 2017-01-19 16:40:19 -08:00
mwoolsey 907e735541 Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow. 2016-12-06 18:14:15 -08:00
ChaseLEngel 2ea4caeffb Update acl and policy tests to use Permissions. 2016-10-21 23:45:39 -07:00
mwoolsey ed982675a1 permissions structure now holds a map of strings to empty structs. Modified acl.go to acommidate these changes 2016-10-21 19:35:55 -07:00
ChaseLEngel c6b63b5312 Implemented AllowOperation parameter permission checking for request data. 2016-10-21 18:38:05 -07:00
ChaseLEngel c2b512cf46 Changed AllowOperation to take logical.Request 2016-10-16 16:29:52 -07:00
ChaseLEngel bd7711bebf Merge allowed and disallowed parameters maps. 2016-10-16 15:24:32 -07:00
mwoolsey 93bb52b733 policy now includes whether a certain parameter can be updated 2016-10-15 16:44:57 -07:00
mwoolsey 231d3e7758 policy now includes whether a certain parameter can be updated 2016-10-15 16:43:55 -07:00
ChaseLEngel 119dd9653e Adding permissions to hcl config and decoding it. 2016-10-14 14:24:45 -07:00
ChaseLEngel bd5235960c Fixed permission conflicts 2016-10-14 10:33:12 -07:00
ChaseLEngel d480df7141 Fixed Policy Permissions intergration and spelling. 2016-10-14 10:22:00 -07:00
mwoolsey eb8b8a1def created structure for permissions and modified parsePaths in policy.go and newAcl/AllowOperation in acl.go 2016-10-14 10:17:25 -07:00