Commit graph

3670 commits

Author SHA1 Message Date
Mitchell Hashimoto 92910d18d1 vault: make mount functions private again, going to try something else 2015-03-14 18:31:31 -07:00
Mitchell Hashimoto 9d84e7bacc vault: don't copy the key so it can be zeroed, document, add helper 2015-03-14 18:25:55 -07:00
captainill 29adca9afa Merge branch 'master' of github.com:hashicorp/vault 2015-03-14 18:17:18 -07:00
captainill 77bbbb18f3 docs sidebar new animation/cleanup 2015-03-14 18:16:58 -07:00
Mitchell Hashimoto 866b91d858 vault: public TestCoreUnsealed, don't modify key in Unseal
/cc @armon - I do a key copy within Unseal now. It tripped me up for
quite awhile that that method actually modifies the param in-place and I
can't think of any scenario that is good for the user. Do you see any
issues here?
2015-03-14 17:47:11 -07:00
captainill c2bcd6092f fix js 2015-03-14 17:37:22 -07:00
Mitchell Hashimoto b2af154fb4 vault: make Mount related core functions public
/cc @armon - So I know the conversation we had related to this about
auth, but I think we still need to export these and do auth only at the
external API layer. If you're writing to the internal API, then all bets
are off.

The reason is simply that if you have access to the code, you can
already work around it anyways (you can disable auth or w/e), so a
compromised Vault source/binary is already a failure, and that is the
only thing that our previous unexported methods were protecting against.

If you write an external tool to access a Vault, it still needs to be
unsealed so _that_ is the primary security mechanism from an API
perspective. Once it is unsealed then the core API has full access to
the Vault, and identity/auth is only done at the external API layer, not
at the internal API layer.

The benefits of this approach is that it lets us still treat the "sys"
mount specially but at least have sys adopt helper/backend and use that
machinery and it can still be the only backend which actually has a
reference to *vault.Core to do core things (a key difference). So, an
AWS backend still will never be able to muck with things it can't, but
we're explicitly giving Sys (via struct initialization in Go itself)
a reference to *vault.Core.
2015-03-14 17:26:59 -07:00
Mitchell Hashimoto 857e00bcdc helper/backend: start acceptance test framework 2015-03-14 17:18:19 -07:00
Mitchell Hashimoto accd8c29ca helper/backend: auto-generate help route 2015-03-14 10:12:50 -07:00
Mitchell Hashimoto e8e55ef8b1 helper/backend: one callback per operation 2015-03-14 00:19:25 -07:00
Mitchell Hashimoto 7f87d9ea6f helper/backend: HandleRequest works 2015-03-13 23:58:20 -07:00
Mitchell Hashimoto d17c3d87d3 helper/backend: store captures for a path 2015-03-13 23:48:49 -07:00
Mitchell Hashimoto c4e35ffb7d helper/backend: cache route regexps (98% speedup)
benchmark                 old ns/op     new ns/op     delta
BenchmarkBackendRoute     49144         589           -98.80%
2015-03-13 23:25:17 -07:00
Mitchell Hashimoto e5871abf77 helper/backend: benchmark route 2015-03-13 23:22:48 -07:00
Mitchell Hashimoto 0751c5db12 helper/backend: basic path routing (naive) 2015-03-13 23:17:25 -07:00
Mitchell Hashimoto a68eb1a994 helper/backend: add default values 2015-03-13 21:15:20 -07:00
Mitchell Hashimoto 33a08fbfa0 helper/backend: start this thing 2015-03-13 21:11:19 -07:00
Mitchell Hashimoto fd8f84e00e command/unseal: tests 2015-03-13 20:17:55 -07:00
Mitchell Hashimoto e473c655ac website: imageoptim 2015-03-13 12:58:21 -07:00
Mitchell Hashimoto c84a9bcaed command/seal-status 2015-03-13 12:53:09 -07:00
Mitchell Hashimoto 5c2915ba52 command/init: tests 2015-03-13 12:53:09 -07:00
Mitchell Hashimoto 1bd0772986 http: make TestServer public 2015-03-13 12:53:09 -07:00
Mitchell Hashimoto f43a0290cf vault: public testing methods 2015-03-13 12:53:09 -07:00
Mitchell Hashimoto 5c8a2812fe command/init: make the output a little nicer 2015-03-13 12:53:09 -07:00
Mitchell Hashimoto 3c3e96575f command/init 2015-03-13 12:53:08 -07:00
Mitchell Hashimoto c0ede206bb api: use /v1 prefix 2015-03-13 12:53:08 -07:00
Mitchell Hashimoto f71f29b801 command/server: initial working 2015-03-13 12:53:08 -07:00
Mitchell Hashimoto cb3e91b338 command/sever: copy the TCP keep alive listener 2015-03-13 12:53:08 -07:00
Mitchell Hashimoto 393c6c6c20 command/server: support TLS 2015-03-13 12:53:08 -07:00
Mitchell Hashimoto 61224ce312 command/server: tcp listener 2015-03-13 12:53:08 -07:00
Armon Dadgar 9d5db1286d vault: Track the renew time 2015-03-13 11:36:24 -07:00
Armon Dadgar 081358091a vault: improve seal/unseal log messages 2015-03-13 11:34:40 -07:00
Armon Dadgar f0d00e77ec vault: Adding start/stop to expiration manager 2015-03-13 11:31:43 -07:00
Armon Dadgar d744d4ee5e vault: integrate expiration manager with core setup/teardown 2015-03-13 11:20:36 -07:00
Armon Dadgar d0380e553d vault: Support a pre-seal teardown 2015-03-13 11:16:24 -07:00
Armon Dadgar 5ce63ea7cd vault: Adding lease registration 2015-03-13 10:56:03 -07:00
Armon Dadgar affeefa7f8 vault: Validate lease values 2015-03-13 10:56:03 -07:00
Jack Pearkes e6892ed5ae Merge pull request #1 from hashicorp/add-website
Initial Website Import
2015-03-13 10:40:07 -07:00
Jack Pearkes 442ac631d8 website: initial import 2015-03-13 10:38:41 -07:00
Armon Dadgar e77ce26d31 vault: spec out expiration manager API 2015-03-12 18:38:22 -07:00
Mitchell Hashimoto 86c7a4c155 command/server: load config from flags 2015-03-12 15:30:07 -07:00
Mitchell Hashimoto d88c20e293 command/server: add config loading 2015-03-12 15:21:11 -07:00
Mitchell Hashimoto 39b42bb862 physical: fix failing test 2015-03-12 14:30:31 -07:00
Armon Dadgar 15de847389 vault: Setup expiration manager on unseal 2015-03-12 12:44:30 -07:00
Armon Dadgar 6c759416d0 vault: special view path for system 2015-03-12 12:44:30 -07:00
Armon Dadgar ef82fe04c6 vault: Support sub-views 2015-03-12 12:44:30 -07:00
Mitchell Hashimoto 128c742a65 api: add init 2015-03-12 12:42:40 -07:00
Mitchell Hashimoto d35b8eaa6f http: init endpoints 2015-03-12 12:37:54 -07:00
Armon Dadgar b17607e51f vault: support remount 2015-03-12 12:09:30 -07:00
Armon Dadgar 3ed3e23d93 vault: Improve error when unseal key is wrong 2015-03-12 11:27:41 -07:00