Commit graph

9814 commits

Author SHA1 Message Date
Seth Vargo 98ad431d6d Continuously attempt to unseal if sealed keys are supported (#6039)
* Add helper for checking if an error is a fatal error

The double-double negative was really confusing, and this pattern is used a few places in Vault. This negates the double negative, making the devx a bit easier to follow.

* Check return value of UnsealWithStoredKeys in sys/init

* Return proper error types when attempting unseal with stored key

Prior to this commit, "nil" could have meant unsupported auto-unseal, a transient error, or success. This updates the function to return the correct error type, signaling to the caller whether they should retry or fail.

* Continuously attempt to unseal if sealed keys are supported

This fixes a bug that occurs on bootstrapping an initial cluster. Given a collection of Vault nodes and an initialized storage backend, they will all go into standby waiting for initialization. After one node is initialized, the other nodes had no mechanism by which they "re-check" to see if unseal keys are present. This adds a goroutine to the server command which continually waits for unseal keys to exist. It exits in the following conditions:

- the node is unsealed
- the node does not support stored keys
- a fatal error occurs (as defined by Vault)
- the server is shutting down

In all other situations, the routine wakes up at the specified interval and attempts to unseal with the stored keys.
2019-01-23 16:34:34 -05:00
Jeff Mitchell c5d8391c38
Prefix path rename (#6089)
* Rename Prefix -> Path in internal struct

* Update test
2019-01-23 15:04:49 -05:00
Jeff Mitchell 4a76aa0f12 changelog++ 2019-01-23 14:35:51 -05:00
Jeff Mitchell 3f1a7d4fdd
Update to latest etcd and use the new repository packages (#6087)
This will be necessary for go mod work

Additionally, the srv api has changed. This adapts to it.
2019-01-23 14:35:03 -05:00
Jeff Mitchell a11f2a3ba2
Rename glob -> prefix in ACL internals (#6086)
Really, it's a prefix
2019-01-23 13:55:40 -05:00
Jeff Mitchell 59bc9dd361 Add missing value to policy ShallowClone
Not related to a bug, just happened to notice it.
2019-01-23 13:20:04 -05:00
Jeff Mitchell 155fa5114b changelog++ 2019-01-23 12:33:10 -05:00
Jeff Mitchell 5e126f6de8
Implement JWS-compatible signature marshaling (#6077)
This currently only applies to ECDSA signatures, and is a toggleable
option.
2019-01-23 12:31:34 -05:00
Noel Cower 4f05192be3 Merge all configuration fields (#6028)
This changes (*Config).Merge to merge all fields of a Config.
Previously, when merging Configs, some configuration fields were
ignored and completely lost, including APIAddr, ClusterAddr, and
a couple boolean fields. This only occurs when using multiple config
files and does not affect single config files (even when loading from
a directory -- Merge is only called after a second file is loaded).

- Fix APIAddr not being merged.
- Fix ClusterAddr not being merged.
- Fix DisablePrintableCheck not being merged.
- Fix DisableClustering not being merged. The DisableClusteringRaw
  value is also preserved so that it can be used in overrides for
  storage fields.
- Use merged top-level config as storage field overrides.
- Update config dir test fixtures to set some fields missed by
  (*Config).Merge previously.
2019-01-23 11:27:21 -05:00
Jim Kalafut f097b8d934
Update existing alias metadata during authentication (#6068) 2019-01-23 08:26:50 -08:00
Becca Petrin aac271ed7f swap the forked aliyun sdk for the original (#6024) 2019-01-23 11:24:51 -05:00
Stuart Moore 1e836c1f67 Typo fix in gcpckms.go (#6081) 2019-01-23 07:52:31 -05:00
Jeff Mitchell c7ac2e449a Sync up code 2019-01-22 17:44:13 -05:00
Jeff Mitchell 797c622567 Sync seal testing 2019-01-22 17:23:20 -05:00
Jeff Mitchell 9653f9e379 Sync logical_system 2019-01-22 17:21:53 -05:00
Jeff Mitchell 2836dd0d53 Update testhelpers to allow passing in custom handler 2019-01-22 17:16:26 -05:00
Clint c940f5fcc7
Merge pull request #6070 from gitirabassi/master
Small fixes to docs and indexes for InfluxDB plugin
2019-01-22 12:20:10 -06:00
Thomas L. Kula 319324f731 Incredibly tiny comment fix on secret.go (#6078) 2019-01-21 16:57:39 -05:00
Jim Kalafut 0374a1ed6d
Add Sprintf capability to logical.ErrorResponse (#6076)
Roughly 25% of calls to logical.ErrorResponse() include an inner fmt.Sprintf() call.
This PR would simplify these cases:

`return logical.ErrorResponse(fmt.Sprintf("unable to read role '%s'", role))`

  could become

`return logical.ErrorResponse("unable to read role '%s'", role)`

With only a single parameter passed in, behavior is unchanged.
2019-01-18 15:12:38 -08:00
Becca Petrin 83e0c5e5e6
Check ec2 instance metadata for region (#6025) 2019-01-18 14:49:24 -08:00
Noelle Daley 58dfd8aa68
Add Policy-based Navigation (#5967)
* add permissions service

* start template helper

* match prefixed paths

* gate sidebar links

* land on first page user has access to

* show nav when user first logs in

* clear paths when user logs out

* add tests

* implement feedback

* show all nav items if no policy is found

* update onboarding wizard

* fix some unrelated tests

* add support for namespaces

* gate wizard

* unstage package and lockfile
2019-01-18 14:04:40 -08:00
Riley Lahd 1a010320e3 Consider whole response in UI console when missing auth, data and wrap_info for non writes/deletes (#6073) 2019-01-18 14:02:11 -06:00
Riley Lahd 6e26c18d05 Format array, number and boolean outputs in ui console (Fixes #6054) (#6062)
* format array, number and boolean outputs in ui console

* Remove extra description from console output tests
2019-01-18 10:15:37 -06:00
gitirabassi 1aaacda3ec small fixes to docs and indexes 2019-01-18 02:14:57 +01:00
Jim Kalafut 0f2fcfb6f1
Update JWT docs with new jwt_supported_algs parameter (#6069) 2019-01-17 15:27:20 -08:00
Zac Medico 49eaa3d4ff Makefile: do not execute static-assets in parallel with deps (#6057)
The static-assets target has a dependency on *either* ember-dist or
ember-dist-dev, so these targets must not execute in parallel. Since
this is an either/or dependency, it cannot be expressed as a regular
dependency unless the targets are refactored somehow.

Fixes: 7a312d7c37bb ("Add Makefile/Dockerfile UI bits")
2019-01-17 18:19:54 -05:00
Jeff Mitchell f7a35d4f49 Add missing performance_standby field to API 2019-01-17 18:15:00 -05:00
Jim Kalafut aff9bbe49f
changelog++ 2019-01-17 14:49:16 -08:00
Noelle Daley 9c99a8cc49
always show copy token button (#6064) 2019-01-17 14:36:54 -08:00
Seth Vargo 018ec9cdb8 Upgrade to new Cloud KMS client libraries (#6051)
* Upgrade to new Cloud KMS client libraries

We recently released the new Cloud KMS client libraries which use GRPC
instead of HTTP. They are faster and look nicer (</opinion>), but more
importantly they drastically simplify a lot of the logic around client
creation, encryption, and decryption. In particular, we can drop all the
logic around looking up credentials and base64-encoding/decoding.

Tested on a brand new cluster (no pre-existing unseal keys) and against
a cluster with stored keys from a previous version of Vault to ensure no
regressions.

* Use the default scopes the client requests

The client already does the right thing here, so we don't need to
surface it, especially since we aren't allowing users to configure it.
2019-01-17 17:27:15 -05:00
Noelle Daley 3bacca85b1
add link to copy current token from user status bar (#6063) 2019-01-17 11:24:49 -08:00
Jeff Mitchell 159f0c1b0a Fix typo in comment 2019-01-17 13:28:27 -05:00
Yoko e5c6b421e0 Fixed the broken link (#6052)
* Fixed the broken link

* Fixing the broken link

* Fixes redirect to Tokens guide

The separate redirect within learn.hashicorp.com will be fixed on its own repo.
2019-01-16 17:06:28 -08:00
Chris Hoffman fdf0344bfe
add code of conduct (#6049) 2019-01-15 17:30:33 -08:00
Jim Kalafut db3e83551a
changelog++ 2019-01-15 12:13:24 -08:00
Jim Kalafut 5a9dd0aa02
changelog++ 2019-01-15 12:12:03 -08:00
Jim Kalafut f5b19f9ce8
Fix physical/postgresql to return the full entry key (#6044)
Fixes #6041
2019-01-15 12:06:01 -08:00
Yoko e09f058ada
Adding the CLI flag placement info (#6027)
* Adding the CLI flag placement info

* Adding the definition of 'options' and 'args'

* tweaked the wording a little bit

* Added more description in the example

* Added a link to 'Flags' in the doc for options def
2019-01-15 11:24:50 -08:00
Brian Kassouf a1e6341a59
changelog++ 2019-01-15 10:56:14 -08:00
Jeff Mitchell 1c265fdea9
Cut version 1.0.2 2019-01-15 11:51:39 -05:00
Jeff Mitchell f75f4e75c7 Prepare for 1.0.2 2019-01-15 11:25:11 -05:00
Jeff Mitchell 440ef3b42e Fix bound cidrs propagation 2019-01-15 10:55:36 -05:00
Becca Petrin 015f641ada Return errs from parsing unknown plugins (#6038) 2019-01-15 10:51:55 -05:00
Jeff Mitchell 78b4ff570f Expose error so warning about not decoding accessors is more useful (#6034) 2019-01-14 09:55:49 -08:00
Jeff Mitchell 4dfb25927a Make useCache explicit everywhere in lock manager (#6035)
* Make useCache explicit everywhere in lock manager

This also clears up a case where we could insert into the cache when it
wasn't active

* Address feedback
2019-01-14 08:58:03 -08:00
Jeff Mitchell c07c946b7b changelog++ 2019-01-10 20:00:52 -05:00
Jeff Mitchell 28bd394d8b
Fix a couple of instances where we are using LIST verb (#6026)
* Fix a couple of instances where we are using LIST verb

We specify it for the wrapping lookup function but for broader
compatibility with proxies and such we want to filter it to a GET. In a
couple of places we weren't doing that, so this updates those locations.
2019-01-10 19:57:00 -05:00
Jim Kalafut 960eb45014
Remove unnecessary permission 2019-01-10 16:18:10 -08:00
Brian Kassouf ee5730ab59
changelog++ 2019-01-10 11:50:46 -08:00
Seth Vargo e726f13957 Simplify permission requirements for GCP things (#6012) 2019-01-10 10:05:21 -08:00