Commit graph

1500 commits

Author SHA1 Message Date
Jim Kalafut d9d93e42a8
Fix server command test (#5407)
The addition of CheckMigration to the server startup process means
that physical backends in this test need to be able to respond to Get() without error.
2018-09-26 14:52:11 -07:00
Jim Kalafut c1f7e4a276
Fix wording in log message (#5399) 2018-09-25 16:52:03 -07:00
Jim Kalafut 4c80debe63
Add physical backend migrator command (#5143) 2018-09-25 16:18:22 -07:00
Seth Vargo 743161abd4 Also format TTLs in non-secret responses (#5367) 2018-09-21 09:54:18 -04:00
Becca Petrin 74d4d0ccc0
add alicloud secrets engine (#5352) 2018-09-19 08:42:28 -07:00
Jeff Mitchell 43aebacfa8 Fix default_max_request_duration HCL name and update docs (#5321)
* Fix default_max_request_duration HCL name and update docs

* Update tcp.html.md
2018-09-18 14:30:21 -07:00
Jeff Mitchell 919b968c27
The big one (#5346) 2018-09-17 23:03:00 -04:00
Jim Kalafut eb6c165e29
Improve CLI error message (#5327) 2018-09-13 08:23:36 -07:00
Becca Petrin b2ff87c9c2
Poll for new creds in the AWS auth agent (#5300) 2018-09-12 13:30:57 -07:00
Becca Petrin 625592c5e6
update to match aws (#5315) 2018-09-11 11:10:50 -07:00
Jeff Mitchell 1837c571ec
Fix authhandler-based wrapping in agent (#5316) 2018-09-11 13:10:11 -04:00
Jeff Mitchell c28ed23972
Allow most parts of Vault's logging to have its level changed on-the-fly (#5280)
* Allow most parts of Vault's logging to have its level changed on-the-fly

* Use a const for not set
2018-09-05 15:52:54 -04:00
Becca Petrin 7e0e49656a Add AliCloud auth to the Vault Agent (#5179) 2018-09-05 11:56:30 -04:00
Jim Kalafut f03fc41ba2
Fix server test that fails build under 1.11 (#5264)
command/server_test.go:147:2: finished declared but not used
vet: typecheck failures
2018-09-04 11:35:28 -06:00
Brian Kassouf c603a8b811
Add performance standby status to status output (#5192)
* Add performance standby status to status output

* Update ha.go
2018-08-27 10:01:07 -07:00
Jeff Mitchell ac79655f8a Sync some changes over 2018-08-27 12:03:43 -04:00
Jeff Mitchell ae285d29a3 Sync over 2018-08-27 12:02:57 -04:00
Jeff Mitchell 9cd7c05269
Change deprecation warnings from 0.11 or later to 0.12. (#5176)
Also remove a deprecated parameter that we warned would be removed since
0.8.
2018-08-24 12:16:37 -04:00
Jeff Mitchell aec9a689a0 Sync over some stuff 2018-08-24 12:09:03 -04:00
Becca Petrin c0f2f21d97 Auth handler shutdown logic (#5170) 2018-08-24 09:17:14 -04:00
Jeff Mitchell 362a92945e Don't resetnamed 2018-08-23 15:04:18 -04:00
Calvin Leung Huang 5812a84c28
command/namespace: Move trailing slash check to the end (#5163) 2018-08-22 15:49:24 -07:00
Jeff Mitchell 66a0029195 Sync some ns stuff to api/command 2018-08-22 14:37:40 -04:00
Jeff Mitchell 3b01b29056
Pass in an ErrorLog to http.Server (#5135)
Fixes #5108
2018-08-21 11:23:18 -04:00
Jim Kalafut a8e81ce393 Initial import of Azure Secrets (#5120)
* Initial import of Azure Secrets

* Update vendor folder
2018-08-16 12:18:06 -07:00
Becca Petrin 8e8095163e Add alicloud auth (#5123)
* add alicloud auth commands

* add dependencies
2018-08-16 12:17:49 -07:00
Jeff Mitchell f1d72abb39 Remove injection into top routes (#5101) 2018-08-14 15:29:22 -04:00
Jeff Mitchell c3e063f2a6 Fix read test 2018-08-14 14:20:49 -04:00
Jeff Mitchell 74175b29af
Add support for passing args via vault read (#5093)
We support this in the API as of 0.10.2 so read should support it too.

Trivially tested with some log info:

`core: data: data="map[string]interface {}{"zip":[]string{"zap", "zap2"}}"`
2018-08-13 22:00:26 -04:00
Nándor István Krácser b9fab6375b Alibaba Object Storage support (#4783) 2018-08-13 17:03:24 -04:00
Jeff Mitchell 9d1a427949 Port over some ns stuff 2018-08-10 12:17:17 -04:00
Jeff Mitchell fb3c7eb449 Port some ns stuff over 2018-08-10 12:13:11 -04:00
Jeff Mitchell a6d0ae5890
Add exit-after-auth functionality to agent (#5013)
This allows it to authenticate once, then exit once all sinks have
reported success. Useful for things like an init container vs. a
sidecard container.

Also adds command-level testing of it.
2018-07-30 10:37:04 -04:00
Paul Nicholson c761a9a8f2 agent: kubernetes: add missing slash in token path (#5010) 2018-07-29 15:50:18 -04:00
Jeff Mitchell e72890e83f
VSI (#4985) 2018-07-24 22:02:27 -04:00
Jeff Mitchell 4261618d10 Add request timeouts in normal request path and to expirations (#4971)
* Add request timeouts in normal request path and to expirations

* Add ability to adjust default max request duration

* Some test fixes

* Ensure tests have defaults set for max request duration

* Add context cancel checking to inmem/file

* Fix tests

* Fix tests

* Set default max request duration to basically infinity for this release for BC

* Address feedback
2018-07-24 14:50:49 -07:00
Jeff Mitchell 9687ccc8fa Tackle #4929 a different way (#4932)
* Tackle #4929 a different way

This turns c.sealed into an atomic, which allows us to call sealInternal
without a lock. By doing so we can better control lock grabbing when a
condition causing the standby loop to get out of active happens. This
encapsulates that logic into two distinct pieces (although they could
be combined into one), and makes lock guarding more understandable.

* Re-add context canceling to the non-HA version of sealInternal

* Return explicitly after stopCh triggered
2018-07-24 13:57:25 -07:00
Michael Russell c66544381a Make the SSH executable path configurable (#4937)
Making this configurable is useful for windows users which may not be
using the default `ssh` executable. It also means that users can point to a
specify SSH executable if multiple are available.
2018-07-17 17:47:07 -07:00
Julien Blache c8fb9ed6a8 FoundationDB physical backend (#4900) 2018-07-16 10:18:09 -04:00
Michael Russell b6dfe372fd Allow vault ssh to work with single ssh args like -v (#4825) 2018-07-16 10:11:56 -04:00
zhogov 5c472429c2 Fixed parsing of environment variables (#4925) 2018-07-13 10:45:35 -07:00
Seth Vargo 1259ee6743 Add plugin CLI for interacting with the plugin catalog (#4911)
* Add 'plugin list' command

* Add 'plugin register' command

* Add 'plugin deregister' command

* Use a shared plugin helper

* Add 'plugin read' command

* Rename to plugin info

* Add base plugin for help text

* Fix arg ordering

* Add docs

* Rearrange to alphabetize

* Fix arg ordering in example

* Don't use "sudo" in command description
2018-07-13 10:35:08 -07:00
Jeff Mitchell a2b88fa239
Turn off retries on CLI (#4918)
For the CLI it just ends up confusing people as to why it's "hanging"
before returning a 500. This can still be overridden with
VAULT_MAX_RETRIES.
2018-07-12 18:38:18 -04:00
Jeff Mitchell 8433bf26e9 Fix printable check key not being valid 2018-07-12 16:59:07 -04:00
Jeff Mitchell 954f6c4ece
Add config flag to disable non-printable character check (#4917) 2018-07-12 16:29:36 -04:00
Calvin Leung Huang f801f4b808
Add description flag to secrets and auth tune subcommands (#4894)
* Add description flag to secrets and auth tune subcommands

* Allow empty description to be provided in secret and auth mount tune

* Use flagNameDescription
2018-07-12 11:15:50 -04:00
Jeff Mitchell cd51a769ca Fix tests 2018-07-12 10:18:50 -04:00
Jeff Mitchell 5beb7ab1fd
Add in logic for handling a field of 'data' to kv get (#4895)
We do this for normal commands in PrintRawField but it needs some help
for KV v2.
2018-07-11 15:50:26 -04:00
Jeff Mitchell 98bf463a65 Make single-lease revocation behave like expiration (#4883)
This change makes it so that if a lease is revoked through user action,
we set the expiration time to now and update pending, just as we do with
tokens. This allows the normal retry logic to apply in these cases as
well, instead of just erroring out immediately. The idea being that once
you tell Vault to revoke something it should keep doing its darndest to
actually make that happen.
2018-07-11 15:45:35 -04:00
Jeff Mitchell 6e0e024d90
Allow lease_duration to be pulled out with -field (#4906)
* Allow lease_duration to be pulled out with -field

This also provides an easy way to verify that when -field is used we
don't string format the value.

This also changes the human string helper to accept more than one type
of incoming int.

* Address review feedback
2018-07-11 15:09:04 -04:00
Seth Vargo 87b60308f8 Special case handle TTLs from JSON responses (#4893) 2018-07-11 12:07:48 -04:00
Seth Vargo bfdc295ffb Properly parse envvars for bools (#4882)
Fixes GH-4875
2018-07-09 13:43:46 -07:00
Jeff Mitchell 1011f61bf2 Add JWT plugin 2018-07-09 16:21:47 -04:00
Seth Vargo 419e4ffa14 Ensure there's a newline between each warning (#4878)
It's really hard to see where one stops and another starts given
multiple warnings.
2018-07-09 10:57:53 -07:00
Jeff Mitchell 4a3fe87a39
Allow max request size to be user-specified (#4824)
* Allow max request size to be user-specified

This turned out to be way more impactful than I'd expected because I
felt like the right granularity was per-listener, since an org may want
to treat external clients differently from internal clients. It's pretty
straightforward though.

This also introduces actually using request contexts for values, which
so far we have not done (using our own logical.Request struct instead),
but this allows non-logical methods to still get this benefit.

* Switch to ioutil.ReadAll()
2018-07-06 15:44:56 -04:00
Chris Hoffman a1c8c8459b
Bump Deps (#4868)
* bump deps

* revert script changes

* adding govendor miss
2018-07-06 12:09:34 -04:00
Jeff Mitchell 5a0c44f4f4 Update generate-root output (#4807)
In current Vault server EncodedToken will always be populated regardless
of type (root, DR), so prioritize that, and properly refer to it as
Encoded Token instead of Root Token.

Additionally refer to the nonce as the Operation nonce instead of the
Root generation operation nonce since it's used for both strategies.
2018-07-06 09:02:47 -04:00
Nándor István Krácser a40ff31777 vault kv metadata put doesn't need [DATA] (#4847) 2018-06-28 00:26:10 -07:00
Seth Vargo 0322f1bf43 Validate operator init args (#4838) 2018-06-26 10:15:00 -04:00
Vishal Nayak 57c7ecfcd4
Identity: Remove unused MemDB indexes and unused functions (#4817)
* refactor delete utility

* refactor delete alias utility

* remove MemDBUpsertAlias

* Remove MemDBAliasByCanonicalID

* remove MemDBAliasesByMetadata

* remove MemDBDeleteAliasByID

* Remove MemDBUpsertEntity and MemDBEntityByNameInTxn

* Remove is.MemDBEntitiesByBucketEntryKeyHash

* Remove MemDBEntitiesByBucketEntryKeyHash and MemDBEntityByMergedEntityID

* Remove MemDBEntities

* Remove validateMemberGroupID

* Remove validateEntityID, validateGroupID, deleteAliasFromEntity

* Remove updateAliasInEntity

* Remove satisfiesMetadataFilters and UpsertGroup

* Remove MemDBUpsertGroup

* Remove deleteGroupByID

* Remove deleleGroupByName

* Remove MemDBDeleteGroupByNameInTxn

* Remove MemDBGroupsByPolicy and MemDBGroupsByPolicyInTxn

* Remove MemDBGroupIterator

* Remove MemDBGroupsByBucketEntryKeyHash

* Remove deleteGroupAlias

* Remove metadata index from entities table

* Remove unneeded indexes from entity alias and group alias schema

* Remove unneeded index from groups table schema

* Fix test

* s/entity/lockEntity

* Don't expose the memdb instance outside identity store

* More txn.Abort() corrections

* switch back to deferring abort calls
2018-06-24 07:45:53 -04:00
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Jeff Mitchell ebe3f09f82
Add kv rollback (#4774)
* Add `kv rollback`

Like `kv patch` this is more of a helper than anything else; it provides
a single command to fetch the current version (for CAS), read the
version you want to roll back to, and set it as the new version (using
CAS for safety).
2018-06-15 15:34:17 -04:00
Jeff Mitchell 734b46ea5b
Add a hidden combine-logs flag (#4766)
This can be used when errors are happening early on to avoid them being
swallowed by logGate.

This also does a bit of cleanup of format env var checking --
helper/logging internally looks for this so it was totally unnecessary
since moving to hclog.
2018-06-15 14:47:37 -04:00
Wim 3e1930e7c3 Use %q in error output for better visibility (#4771) 2018-06-14 18:19:22 -04:00
Michael Russell 063221b44a Allow vault ssh to accept ssh commands in any ssh compatible format (#4710)
* Allow vault ssh to accept ssh commands in any ssh compatible format

Previously vault ssh required ssh commands to be in the format
`username@hostname <flags> command`. While this works just fine for human
users this breaks a lot of automation workflows and is not compatible
with the options that the ssh client supports.

Motivation

We currently run ansible which uses vault ssh to connect to hosts.
Ansible generates ssh commands with the format `ssh <flags> -o User=username hostname
command`. While this is a valid ssh command it currently breaks with
vault because vault expects the format to be `username@hostname`. To work
around this we currently use a wrapper script to parse the correct username being set
by ansible and translate this into a vault ssh compatible `username@hostname` format

Changes

* You can now specify arguments in any order that ssh client allows. All
arguments are passed directly to the ssh command and the format isn't
modified in any way.
* The username and port are parsed from the specified ssh command. It
will accept all of the options supported by the ssh command and also
will properly prefer `-p` and `user@` if both options are specified.
* The ssh port is only added from the vault credentials if it hasn't
been specified on the command line
2018-06-14 09:54:48 -04:00
Jeff Mitchell 5d44c54947
Changes the way policies are reported in audit logs (#4747)
* This changes the way policies are reported in audit logs.

Previously, only policies tied to tokens would be reported. This could
make it difficult to perform after-the-fact analysis based on both the
initial response entry and further requests. Now, the full set of
applicable policies from both the token and any derived policies from
Identity are reported.

To keep things consistent, token authentications now also return the
full set of policies in api.Secret.Auth responses, so this both makes it
easier for users to understand their actual full set, and it matches
what the audit logs now report.
2018-06-14 09:49:33 -04:00
Calvin Leung Huang c4abeb9ea5
Move checkHCLKeys into hclutil (#4749) 2018-06-12 12:38:08 -04:00
Jeff Mitchell c1267ab16c
Fix writing to KVv2 root via kv put (#4726)
* Fix writing to KVv2 root via `kv put`

The check that adds the API path wasn't taking into account the root,
e.g. if it's mounted at `kv`, `kv` and `kv/` would end up creating an
extra copy of the mount path in front, leading to paths like
`kv/data/kv`.

* Output warnings if they come back and fix a panic in metadata_get

* Also add to metadata put/delete
2018-06-08 13:45:47 -04:00
Kevin Hicks ed7992e8ae update docs and help text to include 'operator' (#4712) 2018-06-06 21:11:21 -07:00
Jeff Mitchell 21a9b06983
Show mount accessors in normal secrets/auth list commands (#4676)
This makes them significantly easier to find/consume
2018-06-01 10:20:09 -04:00
Michael Russell 1b555b6d4c Only append the UserKnownHostsFile ssh flag when required (#4674)
Don't set a default value for the UserKnownHostsFile flag.
Only append `-o UserKnownHostsFile` to the ssh command if it
has been specified by the user or vault ssh has set it based on another
flag (such as flagHostKeyMountPoint)

Fixes https://github.com/hashicorp/vault/issues/4672
2018-06-01 09:56:22 -04:00
Michael Russell 4d1669938c Use hostname instead of the IP when running the actual ssh command (#4673)
This is implementing the same fix that was added for the CA mode for vault
ssh in https://github.com/hashicorp/vault/pull/3922
Using the IP address caused `Host` entries in the ssh_config to not
match anymore meaning you would need to hardcode all of your IP
addresses in your ssh config instead of using DNS to connect to hosts
2018-06-01 09:16:12 -04:00
Jeff Mitchell 9e7f381fca Sync over changes to config.go 2018-05-30 08:34:46 -04:00
emily 192c228931 Add GCP auth helper (#4654)
* update auth plugin vendoring

* add GCP auth helper and docs
2018-05-29 20:36:24 -04:00
Jeff Mitchell 7cf283cd2c Make the rekey verification message more complete 2018-05-29 14:59:19 -04:00
Jeff Mitchell 2971813684 Add verification nonce to non-verify status, if it exists, and name it verification nonce in the verify status for clarity 2018-05-29 13:18:52 -04:00
Jeff Mitchell c53717ba1c Fix panic and update some text 2018-05-29 13:13:47 -04:00
Jeff Mitchell 8b065344f8 Update CLI text 2018-05-29 12:42:33 -04:00
Jeff Mitchell bd0ac25eb9
Merge branch 'master' into rekey-verification 2018-05-29 10:19:57 -04:00
Kloppi313 365335f609 Typo in operator_rekey.go (#4646) 2018-05-29 09:28:08 -04:00
Jeff Mitchell 14b65ff4db
Builds on top of #4600 to provide CLI support (#4605) 2018-05-28 00:39:53 -04:00
Becca Petrin 94ae5d2567
Add Active Directory secrets plugin (#4635) 2018-05-25 11:37:41 -07:00
Becca Petrin abc0975d75
fix tests (#4636) 2018-05-24 13:57:25 -07:00
Jeff Mitchell 7749f3cb3f Prevent warnings from showing in individual commands when format is not table, in addition to the existing hiding of higher-level deprecation warnings 2018-05-23 17:13:39 -04:00
Jeff Mitchell 396457ce03
Don't use environment as a mechanism for floating format around. (#4622)
This turns out to not work very well for the demo server. Also,
it's kinda hacky.
2018-05-23 16:45:17 -04:00
Jeff Mitchell f1c3ddc566
Fix panic on deprecated audit-disable and some cleanup (#4619) 2018-05-23 12:34:48 -04:00
Jeff Mitchell 84eaebb774
Add missing flags to KV commands and simplify boilerplate (#4617) 2018-05-23 09:56:47 -04:00
Dan Brown 013e4e4d81 Fix typo (#4607) 2018-05-22 08:30:13 -04:00
Jeff Mitchell c011cefed4
Fix panic when running capabilities CLI command with multiple paths (#4553)
* Fix panic using 'vault token capabilities' with more than one path

Fixes #4552

* Add test
2018-05-11 11:58:12 -04:00
Tyler Marshall 407550bd89 Fix minor spelling mistake (#4548) 2018-05-10 13:42:01 -07:00
Jeff Mitchell af802275bd
Fix response wrapping from K/V version 2 (#4511)
This takes place in two parts, since working on this exposed an issue
with response wrapping when there is a raw body set. The changes are (in
diff order):

* A CurrentWrappingLookupFunc has been added to return the current
value. This is necessary for the lookahead call since we don't want the
lookahead call to be wrapped.

* Support for unwrapping < 0.6.2 tokens via the API/CLI has been
removed, because we now have backends returning 404s with data and can't
rely on the 404 trick. These can still be read manually via
cubbyhole/response.

* KV preflight version request now ensures that its calls is not
wrapped, and restores any given function after.

* When responding with a raw body, instead of always base64-decoding a
string value and erroring on failure, on failure we assume that it
simply wasn't a base64-encoded value and use it as is.

* A test that fails on master and works now that ensures that raw body
responses that are wrapped and then unwrapped return the expected
values.

* A flag for response data that indicates to the wrapping handling that
the data contained therein is already JSON decoded (more later).

* RespondWithStatusCode now defaults to a string so that the value is
HMAC'd during audit. The function always JSON encodes the body, so
before now it was always returning []byte which would skip HMACing. We
don't know what's in the data, so this is a "better safe than sorry"
issue. If different behavior is needed, backends can always manually
populate the data instead of relying on the helper function.

* We now check unwrapped data after unwrapping to see if there were raw
flags. If so, we try to detect whether the value can be unbase64'd. The
reason is that if it can it was probably originally a []byte and
shouldn't be audit HMAC'd; if not, it was probably originally a string
and should be. In either case, we then set the value as the raw body and
hit the flag indicating that it's already been JSON decoded so not to
try again before auditing. Doing it this way ensures the right typing.

* There is now a check to see if the data coming from unwrapping is
already JSON decoded and if so the decoding is skipped before setting
the audit response.
2018-05-10 15:40:03 -04:00
Shelby Moore f8e1f82225 Updated proxy protocol config validation (#4528) 2018-05-09 10:53:44 -04:00
Prem Sichanugrist 0057bdbee6 Fix misspelling in vault auth deprecation message (#4460) 2018-04-26 06:55:36 -04:00
Jeff Mitchell 26e83442fa
Add -no-print to 'vault login' (#4454)
Trivially manually tested

Closes #2758
2018-04-25 15:47:49 -04:00
Jeff Mitchell 5e9308ccad Fix help output in kv_patch 2018-04-25 03:21:13 -04:00
Brian Kassouf 817f816eb2
Fallback to version 1 if the vault server is too old to have the kv preflight endpoint (#4445) 2018-04-24 15:49:06 -07:00
Brian Kassouf 6d447d2671 Rename up path to internal/ui/mounts/<path> (#4435) 2018-04-23 18:16:10 -04:00
Brian Kassouf c7f9d185b0
Kv preflight (#4430)
* Update kv command to use a preflight check

* Make the existing ui endpoint return the allowed mounts

* Add kv subcommand tests

* Enable `-field` in `vault kv get/put` (#4426)

* Enable `-field` in `vault kv get/put`

Fixes #4424

* Unify nil value handling

* Use preflight helper

* Update vkv plugin

* Add all the mount info when authenticated

* Add fix the error message on put

* add metadata test

* No need to sort the capabilities

* Remove the kv client header

* kv patch command (#4432)

* Fix test

* Fix tests

* Use permission denied instead of entity disabled
2018-04-23 15:00:02 -07:00
Malhar Vora 45fe086107 Corrects description for mode option in ssh command (#4420)
Fixes #4375
2018-04-22 13:42:46 -04:00
Kevin Wang f1e46a0d76 Fix panic on kv put command with no arguments (#4389) 2018-04-18 15:45:49 -07:00
Jeff Mitchell 805b5e5160
X-Forwarded-For (#4380) 2018-04-17 18:52:09 -04:00
Krzysztof Nazarewski f325bae6d3 copy-paste fix (#4377) 2018-04-17 08:36:38 -04:00
Brian Kassouf f48c7f4940
cli/generate-root: Port a fix for dr tokens from ent (#4328) 2018-04-10 08:21:38 -07:00
Jeff Mitchell 9395f6c5d7
Add -version support to tuning commands. (#4323)
Although not used for any auth mounts right now, it seemed appropriate
to add it for parity since internally it maps to the same endpoint.
2018-04-09 21:12:09 -04:00
Jeff Mitchell b1136383c9 Only trigger version output if the version flag is the only flag set 2018-04-09 21:03:11 -04:00
Jeff Mitchell 2d5120fe2a Bump KV plugin and allow -version to work 2018-04-09 16:33:01 -04:00
Jeff Mitchell 4372548fd7
Simplify color handling quite a lot (#4289)
This always specifies a color UI, but explicitly marks the output as
noncolorable if we don't want color. This allows getting rid of our
hacky Output function in favor of cli's normal functions.
2018-04-09 16:18:17 -04:00
Jeff Mitchell 5b0885ae49 Add options to detail output to mounts/auth list CLI commands 2018-04-09 15:42:18 -04:00
Jeff Mitchell 0535f46e27 Make standard secret/ mount version 1, but upgrade to v2 in dev mode. 2018-04-09 15:37:36 -04:00
Becca Petrin abb621752f Clean up error string formatting (#4304) 2018-04-09 14:35:21 -04:00
Brian Kassouf a8b8ca136e
KV: Update 'versioned' naming to 'v2' (#4293)
* Update 'versioned' naming to 'v2'

* Make sure options are set

* Fix description of auth flag

* Review feedback
2018-04-09 09:39:32 -07:00
Calvin Leung Huang fb81016252
Fix output-related tests (#4288)
* Fix command tests

* More test fixes

* Use backticks to escape quoted strings

* More test fixes

* Fix mismatched error output failures

* Fix mismatched error output failures
2018-04-05 20:43:29 -04:00
Jeff Mitchell 0776c65e15
Move colorable statements to fix Windows support. (#4287)
This puts it in the main command level.

Fixes #4070
2018-04-05 13:28:02 -04:00
Calvin Leung Huang 63b2698289 Do not fail if api_addr and cluster_addr are empty (#4286) 2018-04-05 12:54:15 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Jeff Mitchell a84e2bcc25
Don't allow api/cluster addresses to be the same. (#4272)
People make this mistake quite often and it causes real issues.
2018-04-04 16:15:07 -04:00
Brian Kassouf 43496861c5
command/kv: Update the 404 parsing logic (#4269) 2018-04-04 09:26:06 -07:00
Jeff Mitchell fe2fa0030f
Rejig 404 handling again. (#4264)
Done this way, existing tests pass, and it makes logical sense, so we're
likely to have the least impact like this.
2018-04-04 04:41:46 -04:00
Jeff Mitchell 599f691141
Allow returning warnings and other data in 404s in the Go API (#4256)
* Allow returning list information and other data in 404s.

On read it'll output data and/or warnings on a 404 if they exist. On
list, the same behavior; the actual 'vault list' command doesn't change
behavior though in terms of output unless there are no actual keys (so
it doesn't just magically show other data).

This corrects some assumptions in response_util and wrapping.go; it also
corrects a few places in the latter where it could leak a (useless)
token in some error cases.

* Use same 404 logic in delete/put too

* Add the same secret parsing logic to the KV request functions
2018-04-03 22:35:45 -04:00
Brian Kassouf 829fcb226c
Allow for comma separated strings in the TypeCommaIntSlice field type (#4257)
* Allow for comma separated strings in the TypeCommaIntSlice field type

* Explode versions on client side

* fix deleting versions
2018-04-03 17:58:42 -07:00
Chris Hoffman e293fe84c3 OSS: Adding UI handlers and configurable headers (#390)
* adding UI handlers and UI header configuration

* forcing specific static headers

* properly getting UI config value from config/environment

* fixing formatting in stub UI text

* use http.Header

* case-insensitive X-Vault header check

* fixing var name

* wrap both stubbed and real UI in header handler

* adding test for >1 keys
2018-04-03 09:34:01 -05:00
Becca Petrin 03cf302e9a Move to "github.com/hashicorp/go-hclog" (#4227)
* logbridge with hclog and identical output

* Initial search & replace

This compiles, but there is a fair amount of TODO
and commented out code, especially around the
plugin logclient/logserver code.

* strip logbridge

* fix majority of tests

* update logxi aliases

* WIP fixing tests

* more test fixes

* Update test to hclog

* Fix format

* Rename hclog -> log

* WIP making hclog and logxi love each other

* update logger_test.go

* clean up merged comments

* Replace RawLogger interface with a Logger

* Add some logger names

* Replace Trace with Debug

* update builtin logical logging patterns

* Fix build errors

* More log updates

* update log approach in command and builtin

* More log updates

* update helper, http, and logical directories

* Update loggers

* Log updates

* Update logging

* Update logging

* Update logging

* Update logging

* update logging in physical

* prefixing and lowercase

* Update logging

* Move phyisical logging name to server command

* Fix som tests

* address jims feedback so far

* incorporate brians feedback so far

* strip comments

* move vault.go to logging package

* update Debug to Trace

* Update go-plugin deps

* Update logging based on review comments

* Updates from review

* Unvendor logxi

* Remove null_logger.go
2018-04-02 17:46:59 -07:00
Seth Vargo b48a9878e7 Add HA support to the Google Cloud Storage backend (#4226) 2018-03-30 12:36:37 -04:00
Vishal Nayak 55f13263c3
reintroduce flagMFA (#4223) 2018-03-30 12:11:10 -04:00
Seth Vargo b2d2c9236d Add dev flags for local plugin testing (#4188) 2018-03-28 17:36:55 -04:00
Jeff Mitchell 08f4bcab62 Merge branch '0.10-beta' into master-oss 2018-03-28 14:40:09 -04:00
Seth Vargo f0dd5ae61f Always use a local test server (#4207)
Some commands didn't setup a local test server since they didn't need
it. Other commands didn't setup a local test server because Seth forgot.

Long story short, I kept seeing weird requests to my Vault server when I
ran tests, and that should never happen. This ensures all test requests
will go to a test Vault instance.

Benchmarks show this adds 0.4s to the command test suite.
2018-03-28 10:34:37 -04:00
Jeff Mitchell 2f90e0c2e1 Merge branch 'master-oss' into 0.10-beta 2018-03-27 12:40:30 -04:00
Seth Vargo b665909b09 Add API functions and completions for plugins (#4194) 2018-03-26 13:40:33 -04:00
Jim Kalafut 7842557e62 Fix minor docs and help text issues (#4184) 2018-03-22 09:29:59 -04:00
Jeff Mitchell 22fc62dbd5 Fix some command help output formatting 2018-03-21 23:58:16 -04:00
Jeff Mitchell 85a86acfc9 Fix tests 2018-03-21 23:50:44 -04:00
Jeff Mitchell 2bb4e7535a Add gcp secrets 2018-03-21 23:07:16 -04:00
Brian Kassouf 3324d6dd12 Add kv backend (#4181) 2018-03-21 22:56:52 -04:00
Calvin Leung Huang 25792df5a9
Passthrough request headers (#4172)
* Add passthrough request headers for secret/auth mounts

* Update comments

* Fix SyncCache deletion of passthrough_request_headers

* Remove debug line

* Case-insensitive header comparison

* Remove unnecessary allocation

* Short-circuit filteredPassthroughHeaders if there's nothing to filter

* Add whitelistedHeaders list

* Update router logic after merge

* Add whitelist test

* Add lowercase x-vault-kv-client to whitelist

* Add back const

* Refactor whitelist logic
2018-03-21 19:56:47 -04:00
Brian Kassouf 5c84c36915
command/kv: Add a "kv" subcommand for using the key-value store (#4168)
* Add more cli subcommands

* Add metadata commands

* Add more subcommands

* Update cli

* Move archive commands to delete

* Add helpers for making http calls to the kv backend

* rename cli header

* Format the various maps from kv

* Add list command

* Update help text

* Add a command to enable versioning on a backend

* Rename enable-versions command

* Some review feedback

* Fix listing of top level keys

* Fix issue when metadata is nil

* Add test for lising top level keys

* Fix some typos

* Add a note about deleting all versions
2018-03-21 15:02:41 -07:00
Chris Hoffman 695eae6ede
adding azure auth plugin (#4180) 2018-03-21 17:35:31 -04:00
Brian Kassouf cc625e19ee
Add options to mount tune and mount endpoints in preparation for versioning (#4155)
* Add some requirements for versioned k/v

* Add a warning message when an upgrade is triggered

* Add path help values

* Make the kv header a const

* Add the uid to mount entry instead of options map

* Pass the backend aware uuid to the mounts and plugins

* Fix comment

* Add options to secret/auth enable and tune CLI commands (#4170)

* Switch mount/tune options to use TypeKVPairs (#4171)

* switching options to TypeKVPairs, adding bool parse for versioned flag

* flipping bool check

* Fix leases coming back from non-leased pluin kv store

* add a test for updating mount options

* Fix tests
2018-03-21 12:04:27 -07:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Calvin Leung Huang f86881c295
Unauthenticated endpoint to list secret and auth mounts (#4134)
* Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs

* docs: Add ttl params to auth enable endpoint

* Rewording of go string to simply string

* Add audit hmac keys as CLI flags on auth/secrets enable

* Fix copypasta mistake

* WIP on auth-list endpoint

* Rename variable to be singular, add CLI flag, show value in auth and secrets list

* Add audit hmac keys to auth and secrets list

* Only set config values if they exist

* Fix http sys/auth tests

* More auth plugin_name test fixes

* Rename tag internal_ui_show_mount to _ui_show_mount

* Add tests

* Make endpoint unauthed

* Rename field to listing_visibility

* Add listing-visibility to cli tune commands

* Use ListingVisiblityType

* Fix type conversion

* Do not actually change token's value on testHttpGet

* Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-19 23:16:33 -04:00
Jeff Mitchell 735efccd6e Make the error message that comes from parsing the config file more
useful.

Fixes #2080
2018-03-19 19:40:51 -04:00
Calvin Leung Huang edfe77ff85
Add non-hmac flags for cli secrets/auth tune commands (#4151)
* Add non-hmac params for cli secrets/auth tune

* Fix value assignment mismatch
2018-03-19 09:56:57 -04:00
Jeff Mitchell 61c26fdf57 Fix compile 2018-03-16 13:55:56 -04:00
Jeff Mitchell 1cef14036f Have deprecated commands pass on address and token helper too 2018-03-16 13:52:08 -04:00
Jeff Mitchell cc0b430b77 Use runopts-provided address if given, without overriding 2018-03-16 13:41:32 -04:00
Jeff Mitchell 1b6c62ff53 Allow sending address through RunCustom 2018-03-16 13:14:32 -04:00
Jeff Mitchell e6bc62bfc6 Make help output use any custom stderr 2018-03-16 12:59:52 -04:00
Jeff Mitchell 3504ca61c8 Change base command template to runopts and allow specifying stdout/stderr 2018-03-16 12:31:26 -04:00
Jeff Mitchell 067052f304 Add RunCustom command to allow passing in a TokenHelper 2018-03-16 11:31:00 -04:00
Calvin Leung Huang 3108860d4b
Audit HMAC values on AuthConfig (#4077)
* Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs

* docs: Add ttl params to auth enable endpoint

* Rewording of go string to simply string

* Add audit hmac keys as CLI flags on auth/secrets enable

* Fix copypasta mistake

* Add audit hmac keys to auth and secrets list

* Only set config values if they exist

* Fix http sys/auth tests

* More auth plugin_name test fixes

* Pass API values into MountEntry's config when creating auth/secrets mount

* Update usage wording
2018-03-09 14:32:28 -05:00
Lukasz Jagiello 6530a5e396 Vault status formatting (#4073)
```
:~# vault status
Key                     Value
---                     -----
Seal Type               shamir
Sealed                  false
Total Shares            8
Threshold               2
Version                 0.9.5
Cluster Name            vault-cluster-8c85f1aa
Cluster ID              aaaaaaaa-1111-2222-3333-444444444444
HA Enabled              true
HA Cluster              https://10.0.0.1:8201
HA Mode                 standby
Active Node Address:    https://10.0.0.1:8200
```

`Active Node Address:` - is the only one with a colon at the end.

This PR fix that output style issue.
2018-03-05 07:40:59 -05:00
Jeff Mitchell e073e7fc68 Don't output warning about not storing the token if the user uses
-token-only during `vault login`.
2018-03-01 21:02:54 -05:00
Jeff Mitchell ba459d238e
Fix confusing error messages around help for 'vault auth' (#4058)
Fixes #4056
2018-03-01 10:55:24 -05:00
Paddy 2b2bc2a911 Create a new command/config subpackage. (#4055)
* Create a new command/config subpackage.

This PR extracts the functions associated with loading and parsing
configs, and the DefaultTokenHelper, into a command/config subpackage,
just like TokenHelpers are in the command/token subpackage. The goal is
to allow other clients (in this case, the Vault and Nomad Terraform
providers, but in theory any client that wants to lean on Vault's
default behaviour) to reuse this logic and not drift from Vault, without
vendoring the entirety of Vault.

To retain backwards compatibility, I didn't remove any functions from
the command package; I just copied them into the command/config package,
and update the functions in the command package to call through to the
config package.
2018-02-28 20:09:21 -05:00
Bharath B 699f9246e6 Config parameter "tls_disable_client_certs" is wrongly evaluated. (#4049) 2018-02-28 10:07:23 -05:00
Jeff Mitchell f1bd0cbe74
Use atomic values in seal to avoid some data races (#4040) 2018-02-23 17:18:48 -05:00
Calvin Leung Huang 1bb4d165e7
Add TTL related config options on auth enable (#4019) 2018-02-22 10:26:29 -05:00
Jeff Mitchell 4bff53c771 Force trace mode in three-node 2018-02-22 01:44:19 -05:00
Jeff Mitchell 4669f37c78 Add four cluster flag 2018-02-22 00:23:37 -05:00
Max Walther e58855cdd4 Fix bug with vault cli when reading an individual field containing a Printf formatting verb (#4005) 2018-02-19 09:29:45 -05:00
Jeff Mitchell 8451b195d4
Handle missed error case in seal status output format (#4001)
Fixes #3998
2018-02-17 20:52:42 -05:00
Jeff Mitchell 5a1312ef30 Also exclude init command from race detector 2018-02-16 11:09:36 -05:00
Jeff Mitchell 8c8e006276
Allow formatted data when using -field and -format together. (#3987)
* Allow formatted data when using -field and -format together.

As a special case, allows "data" to be passed in to get the entire data
struct output.

* If data exists in the output map use that instead when special casing
2018-02-15 09:11:56 -05:00
Seth Vargo cd930b1173 Add support for Google Cloud Spanner (#3977) 2018-02-14 20:31:20 -05:00
Jeff Mitchell a787f97a9c
Re-add lost stored-shares parameter to operator rekey command. (#3974)
Also change the rekey API to not require explicitly setting values to 1.

Fixes #3969
2018-02-14 16:10:45 -05:00
Seth Vargo d838195241 Remove mlock warning when mlock is explicitly disabled (#3979) 2018-02-14 15:11:33 -05:00
Jeff Mitchell 76972f32ad
Add newline on non-ttl output (#3967)
Output is formatted with newlines in mind, so without this those get
lost and things get funky due to multiple outputs running together.
2018-02-13 14:46:57 -05:00
Jeff Mitchell 084f0abb22 Make fmt 2018-02-12 21:01:14 -05:00
Paul Stack 3c683dba92 Adding Manta Storage Backend (#3720)
This PR adds a new Storage Backend for Triton's Object Storage - Manta

```
make testacc TEST=./physical/manta
==> Checking that code complies with gofmt requirements...
==> Checking that build is using go version >= 1.9.1...
go generate
VAULT_ACC=1 go test -tags='vault' ./physical/manta -v  -timeout 45m
=== RUN   TestMantaBackend
--- PASS: TestMantaBackend (61.18s)
PASS
ok  	github.com/hashicorp/vault/physical/manta	61.210s
```

Manta behaves differently to how S3 works - it has no such concepts of Buckets - it is merely a filesystem style object store

Therefore, we have chosen the approach of when writing a secret `foo` it will actually map (on disk) as foo/.vault_value

The reason for this is because if we write the secret `foo/bar` and then try and Delete a key using the name `foo` then Manta
will complain that the folder is not empty because `foo/bar` exists. Therefore, `foo/bar` is written as `foo/bar/.vault_value`

The value of the key is *always* written to a directory tree of the name and put in a `.vault_value` file.
2018-02-12 18:22:41 -05:00
Calvin Leung Huang 60732577f5
CLI Enhancements (#3897)
* Use Colored UI if stdout is a tty

* Add format options to operator unseal

* Add format test on operator unseal

* Add -no-color output flag, and use BasicUi if no-color flag is provided

* Move seal status formatting logic to OutputSealStatus

* Apply no-color to warnings from DeprecatedCommands as well

* Add OutputWithFormat to support arbitrary data, add format option to auth list

* Add ability to output arbitrary list data on TableFormatter

* Clear up switch logic on format

* Add format option for list-related commands

* Add format option to rest of commands that returns a client API response

* Remove initOutputYAML and initOutputJSON, and use OutputWithFormat instead

* Remove outputAsYAML and outputAsJSON, and use OutputWithFormat instead

* Remove -no-color flag, use env var exclusively to toggle colored output

* Fix compile

* Remove -no-color flag in main.go

* Add missing FlagSetOutputFormat

* Fix generate-root/decode test

* Migrate init functions to main.go

* Add no-color flag back as hidden

* Handle non-supported data types for TableFormatter.OutputList

* Pull formatting much further up to remove the need to use c.flagFormat (#3950)

* Pull formatting much further up to remove the need to use c.flagFormat

Also remove OutputWithFormat as the logic can cause issues.

* Use const for env var

* Minor updates

* Remove unnecessary check

* Fix SSH output and some tests

* Fix tests

* Make race detector not run on generate root since it kills Travis these days

* Update docs

* Update docs

* Address review feedback

* Handle --format as well as -format
2018-02-12 18:12:16 -05:00
rmbrad 393bdd75a0 Fixes for SSH command CA mode (#3922)
* Add `valid-principals` flag to SSH command CA mode options

* Fix SSH command CA mode host certificate validation
2018-02-12 17:53:34 -05:00
Jeff Mitchell 3f62c42fc7 Fix race in approle integ test 2018-02-09 17:01:10 -05:00
Vishal Nayak 81c66efd6d
AppRole/Identity: Fix for race when creating an entity during login (#3932)
* possible fix for race in approle login while creating entity

* Add a test that hits the login request concurrently

* address review comments
2018-02-09 10:40:56 -05:00
Jeff Mitchell a449d07689 Exclude rekey command tests from race detector 2018-02-08 13:34:45 -05:00
Jed da955a8f1b Lil typo fixes (#3925)
Read through the initial docs and noticed a few typos
2018-02-07 09:38:11 -05:00
Vishal Nayak b20b7ef61d
command/ssh: create and reuse the api client (#3909)
* pass around the api client

* reuse the client object in the base command
2018-02-06 13:06:17 -05:00
Jeff Mitchell 642b88c76a go vet fixes 2018-02-05 14:26:31 -05:00
Jeff Mitchell 20465d8040 Add centrify CLI handler support 2018-02-05 10:56:57 -05:00
Chris Hoffman ffa6fdaf1e
Adding tests to ensure all backends are mountable (#3861) 2018-02-01 11:30:04 -05:00
Jeff Mitchell 1b982750f5 (Re...)Add Nomad secrets engine.
Fixes #3858
2018-01-28 14:38:19 -05:00
Vishal Nayak 7be7bc1754
Redirect server output warnings to stdout (#3831) 2018-01-22 20:58:27 -05:00
Chris Hoffman b22b065206 adding back -dr-token flag to generate-root command (#3818) 2018-01-19 19:25:45 -05:00
Jeff Mitchell e5e4307713 Add centrify plugin as builtin 2018-01-19 06:03:33 -05:00
Jeff Mitchell ffe3ae9118 Add gcp and kubernetes back now that they're updated 2018-01-19 05:56:34 -05:00
Jeff Mitchell 33b68ebf3d Remove context from a few extraneous places 2018-01-19 03:44:06 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Vishal Nayak b826c56686
SHA2-256 salting for AppID (#3806)
* Use SHA2-256 hash with prefix to upgrade the paths

* test the SHA1 upgrade to SHA256

* Remove hash identifier and the delimiter; use 's' instead

* Added API test to verify the correctness of the fix

* Fix broken test

* remove unneeded test
2018-01-17 19:48:32 -05:00
Jeff Mitchell 5a6a7900ae Change next major release of Vault to 0.11 or later to make it less scary 2018-01-17 19:31:52 -05:00
Jeff Mitchell cef171e4ea Fix outdated test 2018-01-10 11:33:53 -05:00
Jeff Mitchell d1803098ae Merge branch 'master-oss' into sethvargo/cli-magic 2018-01-03 14:02:31 -05:00
Jeff Mitchell 821d62c1cc
Allow log level to be specified in an env var (#3721) 2017-12-19 17:12:23 -05:00
Chris Hoffman 0bacec0184
adding recovery info to seal status (#3706) 2017-12-18 09:58:14 -05:00
Chris Hoffman 164849f056
Add support for encrypted TLS key files (#3685) 2017-12-15 17:33:55 -05:00
Chris Hoffman 822ce95dc4
adding ability to override temp dir in dev cluster (#3673) 2017-12-11 18:02:35 -05:00
Jeff Mitchell 548629e8ef Port over some changes 2017-11-30 09:43:07 -05:00
Jeff Mitchell 304e1b96b8 Use Seal Type instead of Type in status output for less confusion 2017-11-21 12:14:00 -05:00
Chris Hoffman 9e79e9b397
generate token functions to share common names (#3576) 2017-11-13 15:44:26 -05:00
Jeff Mitchell ccfcac17fe grpclogfaker should use or, not and, to check whether to log 2017-11-13 15:37:00 -05:00
Jeff Mitchell 2b78bc2a9b
Port over bits (#3575) 2017-11-13 15:31:32 -05:00
Calvin Leung Huang 87feab4492
Docs update related to new top-level config values (#3556)
* Add new top level config value docs, add VAULT_API_ADDR, purge old references

* Fix indentation

* Update wording on ha.html

* Add section on split data/HA mode

* Fix grammar
2017-11-10 20:06:07 -05:00
Jeff Mitchell a5c821532c Don't output log level twice in three node mode 2017-11-10 16:33:16 -05:00
Jeff Mitchell e66c4b11d5 Add core numbers to output in dev three node 2017-11-10 16:21:46 -05:00
Brian Kassouf ab3b625a3b
Add API methods for creating a DR Operation Token and make generate root accept strategy types (#3565)
* Add API and Command code for generating a DR Operation Token

* Update generate root to accept different token strategies
2017-11-10 10:19:42 -08:00
Calvin Leung Huang 882f85740b Move HA-related config values to top level (#3550)
* Move HA-related config values to top level

* Add config2.hcl test-fixture
2017-11-08 14:19:41 -05:00
Calvin Leung Huang 0762ac14cf aws_region->region on awskms config 2017-11-02 16:31:16 -04:00
Vishal Nayak 7bae606662
External identity groups (#3447)
* external identity groups

* add local LDAP groups as well to group aliases

* add group aliases for okta credential backend

* Fix panic in tests

* fix build failure

* remove duplicated struct tag

* add test steps to test out removal of group member during renewals

* Add comment for having a prefix check in router

* fix tests

* s/parent_id/canonical_id

* s/parent/canonical in comments and errors
2017-11-02 16:05:48 -04:00
Jeff Mitchell d229d7d5b0
Redo API locking (#3508)
* Redo the API client quite a bit to make the behavior of NewClient more
predictable and add locking to make it safer to use with Clone() and if
multiple goroutines for some reason decide to change things.

Along the way I discovered that currently, the x/net/http2 package is
broke with the built-in h2 support in released Go. For those using
DefaultConfig (the vast majority of cases) this will be a non-event.
Others can manually call http2.ConfigureTransport as needed. We should
keep an eye on commits on that repo and consider more updates before
release. Alternately we could go back revisions but miss out on bug
fixes; my theory is that this is not a purposeful break and I'll be
following up on this in the Go issue tracker.

In a few tests that don't use NewTestCluster, either for legacy or other
reasons, ensure that http2.ConfigureTransport is called.

* Use tls config cloning

* Don't http2.ConfigureServer anymore as current Go seems to work properly without requiring the http2 package

* Address feedback
2017-11-02 09:30:04 -05:00
Jeff Mitchell e0669746b6
Add seal type to seal-status output. (#3516) 2017-11-01 21:00:41 -05:00
Seth Vargo 2bb2ed11d3
Use renamed method 2017-10-24 09:39:51 -04:00
Jeff Mitchell 713d5d5307
Don't swallow errors on token functions. 2017-10-24 09:39:35 -04:00
Seth Vargo 82cc9664f0
Update to use hidden commands 2017-10-24 09:39:34 -04:00
Seth Vargo 0b15e790d4
Fix bad rebase
Apparently I can't git...
2017-10-24 09:39:34 -04:00
Seth Vargo f2110b5a4e
More consistent output 2017-10-24 09:34:30 -04:00
Seth Vargo f5543844f3
Use a unified helper for seal output 2017-10-24 09:34:12 -04:00
Seth Vargo 51a27b758b
Resolve the most painful merge conflict known on earth 2017-10-24 09:34:12 -04:00
Seth Vargo 578f9a4872
Use vault login instead of vault list in example 2017-10-24 09:32:15 -04:00
Seth Vargo c5665920f6
Standardize on "auth method"
This removes all references I could find to:

- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend

in favor of the unified:

- auth method
2017-10-24 09:32:15 -04:00
Seth Vargo acb33eaa3f
Write all the deprecated commands together 2017-10-24 09:30:48 -04:00
Seth Vargo f851309361
Add a custom flag for specifying "system" ttls 2017-10-24 09:30:48 -04:00
Seth Vargo e1b63d4803
Move more formatting into base_helpers 2017-10-24 09:30:48 -04:00
Seth Vargo dbd07addf5
Update write command 2017-10-24 09:30:48 -04:00
Seth Vargo 3ad4f5dcf1
Update unwrap command 2017-10-24 09:30:48 -04:00
Seth Vargo 71ed308e6c
Update version command 2017-10-24 09:30:48 -04:00
Seth Vargo 05b18b8e4f
Update status command 2017-10-24 09:30:48 -04:00
Seth Vargo c4ccbf3ab3
Update ssh command 2017-10-24 09:30:48 -04:00
Seth Vargo 5b78a9905c
Update server command 2017-10-24 09:30:48 -04:00
Seth Vargo b982365fbb
Add "operator" subcommand 2017-10-24 09:30:48 -04:00
Seth Vargo 204006bd56
Rename mounts to secrets engines and add the subcommand 2017-10-24 09:30:48 -04:00
Seth Vargo d71decc112
Update read command 2017-10-24 09:30:48 -04:00
Seth Vargo 2f8bf3c71f
Add "policy" subcommand 2017-10-24 09:30:48 -04:00
Seth Vargo 0800385283
Update path-help command 2017-10-24 09:30:48 -04:00
Seth Vargo 6fc5f05c4b
Update list command 2017-10-24 09:30:47 -04:00
Seth Vargo 76de999b34
Add lease subcommand 2017-10-24 09:30:47 -04:00
Seth Vargo 02341c3b6a
Update delete command 2017-10-24 09:30:47 -04:00
Seth Vargo 810c0afe38
Predict "generic" as a secrets engine 2017-10-24 09:30:47 -04:00
Seth Vargo 1488ba6d72
Add token as a subcommand 2017-10-24 09:30:47 -04:00
Seth Vargo 5aab30091e
Make audit a subcommand 2017-10-24 09:30:47 -04:00
Seth Vargo 939495c7bb
Add login subcommand
This replaces the "auth" part of "vault auth"
2017-10-24 09:30:47 -04:00
Seth Vargo 69784a3bf1
Introduce auth as a subcommand 2017-10-24 09:30:47 -04:00
Seth Vargo d85c6a43c0
Wire all commands together 2017-10-24 09:30:47 -04:00
Seth Vargo f7782df97e
Update write command 2017-10-24 09:30:47 -04:00
Seth Vargo f7c9fe6d20
Update version command 2017-10-24 09:30:47 -04:00
Seth Vargo ca6e002235
Update unwrap command 2017-10-24 09:30:47 -04:00
Seth Vargo 0c0d90913a
update unseal command 2017-10-24 09:30:47 -04:00
Seth Vargo 2f0eb0a216
Update unmount command 2017-10-24 09:30:46 -04:00
Seth Vargo c63e1a7b96
Update token-revoke command 2017-10-24 09:30:46 -04:00
Seth Vargo 5dcd51302e
Update token-renew command 2017-10-24 09:30:46 -04:00
Seth Vargo 5cd62171f9
Update token-lookup command 2017-10-24 09:30:46 -04:00
Seth Vargo ad28d1d82a
Update token-create command 2017-10-24 09:30:46 -04:00
Seth Vargo c14629cb5d
Update step-down command 2017-10-24 09:30:46 -04:00
Seth Vargo 530144f7f7
Update status command 2017-10-24 09:30:46 -04:00
Seth Vargo 1d91e96c8e
Update ssh command 2017-10-24 09:30:46 -04:00
Seth Vargo 3f7f8b20bb
Update seal command 2017-10-24 09:30:46 -04:00
Seth Vargo 48e6460da5
Update rotate command 2017-10-24 09:30:46 -04:00
Seth Vargo 191ec2d750
Update revoke command 2017-10-24 09:30:46 -04:00
Seth Vargo 108f748d18
Update renew command 2017-10-24 09:30:46 -04:00
Seth Vargo 8df3be5656
Update remount command 2017-10-24 09:30:46 -04:00
Seth Vargo a72ab1ecf5
Update rekey command 2017-10-24 09:30:46 -04:00
Seth Vargo 648e0c7913
Update read command 2017-10-24 09:29:37 -04:00
Seth Vargo db4f5bac11
Update policy-write command 2017-10-24 09:29:37 -04:00
Seth Vargo a8b061723c
Update policy-list command 2017-10-24 09:29:37 -04:00
Seth Vargo bd879f2731
Update policy-delete command 2017-10-24 09:29:36 -04:00
Seth Vargo 85e5c33352
Update path-help command 2017-10-24 09:29:36 -04:00
Seth Vargo 19caaafe13
Update mounts command 2017-10-24 09:29:36 -04:00
Seth Vargo 136ef51f49
Update mount-tune command 2017-10-24 09:28:07 -04:00
Seth Vargo 7abb3341a3
Update mount command 2017-10-24 09:28:07 -04:00
Seth Vargo 4d0b10ebd2
Update list command 2017-10-24 09:28:07 -04:00
Seth Vargo 7cd7338f9d
Update key-status command 2017-10-24 09:28:07 -04:00
Seth Vargo 076703ebc1
Update init command 2017-10-24 09:28:07 -04:00
Seth Vargo 9500cb7fc7
Update generate-root command 2017-10-24 09:28:07 -04:00
Seth Vargo 9b949cebd5
Update format to not use colored UI for json/yaml 2017-10-24 09:28:07 -04:00
Seth Vargo 38823efa70
Update delete command 2017-10-24 09:28:07 -04:00
Seth Vargo fd5ba4c5ed
Update capabilities command 2017-10-24 09:28:06 -04:00
Seth Vargo d93c418db3
Add new auth-list command 2017-10-24 09:28:06 -04:00
Seth Vargo 153bfd6a83
Add new auth-help command 2017-10-24 09:28:06 -04:00
Seth Vargo 6178d61d6d
Update auth-enable command 2017-10-24 09:28:06 -04:00
Seth Vargo 43465577d4
Update auth-disable command 2017-10-24 09:28:06 -04:00
Seth Vargo 595456df69
Update auth command 2017-10-24 09:28:06 -04:00
Seth Vargo ac0be24253
Update audit-list command 2017-10-24 09:28:06 -04:00
Seth Vargo 8e343caeda
Update audit-enable command 2017-10-24 09:28:06 -04:00
Seth Vargo 197d7840cc
Update audit-disable command 2017-10-24 09:28:06 -04:00
Seth Vargo d03caa18b5
Add more testing helper functions 2017-10-24 09:28:06 -04:00
Seth Vargo 06580ebd61
Remove wrapping tests
There are no dedicated tests for this, but ttl wrapping is littered throughout other tests
2017-10-24 09:28:06 -04:00
Seth Vargo 9e2a833b19
Detect terminal and use the output writer for raw fields
If the value is being "piped", we don't print colors or the newline character at the end. If it's not, we still give users pretty when selecting a raw field/value.
2017-10-24 09:28:06 -04:00
Seth Vargo 5a6b08caab
Add helper for decrypting via PGP in tests 2017-10-24 09:28:06 -04:00
Seth Vargo e516762328
Remove unused file for tests 2017-10-24 09:28:06 -04:00
Seth Vargo bb4edc30f8
Add more predictors 2017-10-24 09:28:06 -04:00
Seth Vargo d271bdd4e1
Read env config for predictions 2017-10-24 09:28:05 -04:00
Seth Vargo 3331b25895
Expand and centralize helpers 2017-10-24 09:28:05 -04:00
Seth Vargo 971307351b
Cleanup base flags a bit 2017-10-24 09:28:05 -04:00
Seth Vargo 197339e78c
Use a TokenHelper method
It's weird to have two different helper funcs that can return different errors
2017-10-24 09:28:05 -04:00
Seth Vargo 5d31c4cb08
Allow hiding flags 2017-10-24 09:28:05 -04:00
Seth Vargo 502d7a2040
Add an in-mem token helper for testing 2017-10-24 09:27:19 -04:00
Seth Vargo 5b0b8b9db5
Add interface assertions for token helpers
This will ensure they meet the right API
2017-10-24 09:27:19 -04:00
Seth Vargo acd4241740
Drop cli and meta packages
This centralizes all command-related things in the command package
2017-10-24 09:27:19 -04:00
Seth Vargo 50705bcce7
Unwrap cli.Ui to get to the underlying writer
This allows us to write without a newline character, since the Ui
interface doesn't expose a direct Write() method.
2017-10-24 09:26:45 -04:00
Seth Vargo 0f2905fd7c
Only print default values if they are non-zero 2017-10-24 09:26:44 -04:00
Seth Vargo 5093b8dff8
More arbitrary function for wrapping at a length 2017-10-24 09:26:44 -04:00
Seth Vargo 9347c110f2
Delegate usage to the UI 2017-10-24 09:26:44 -04:00
Seth Vargo 6c73d28967
Make predict it's own struct
The previous architecture would create an API client many times, slowing down the CLI exponentially for each new command added.
2017-10-24 09:26:44 -04:00
Seth Vargo bd3064327c
Separate "files" and "folders" in predictor 2017-10-24 09:26:44 -04:00
Seth Vargo 2f3acd9068
Remove coupling between Raw() and UI 2017-10-24 09:26:44 -04:00
Seth Vargo cb31f95e75
Add testing harness for a vault cluster 2017-10-24 09:26:44 -04:00
Seth Vargo 9064d52e66
Output JSON with spaces not tabs 2017-10-24 09:26:44 -04:00
Seth Vargo cc0140be80
Add start of base command, flags, prediction 2017-10-24 09:26:44 -04:00
Jeff Mitchell 65f664be47 Make compile 2017-10-23 17:41:44 -04:00
Jeff Mitchell a25dae82dd Final sync 2017-10-23 17:39:21 -04:00
Jeff Mitchell 6bafb02a5b Sync up server.go a bit 2017-10-10 12:27:51 -04:00
Jeff Mitchell 17a15cd594 Add option to disable client certificate requesting. (#3373)
Fixes #3372
2017-09-25 14:41:46 -04:00
Calvin Leung Huang 29911bfea8 Add support for stored shares and skip-init in dev mode (#3364) 2017-09-21 15:23:29 -04:00
Vishal Nayak e99640f462 Add 'pid_file' config option (#3321)
* add pid_file config option

* address review feedback

* address review comments
2017-09-16 17:09:37 -04:00
Chris Hoffman 1029ad3b33 Rename "generic" secret backend to "kv" (#3292) 2017-09-15 09:02:29 -04:00
Chris Hoffman 9d73c81f38 Disable the sys/raw endpoint by default (#3329)
* disable raw endpoint by default

* adding docs

* config option raw -> raw_storage_endpoint

* docs updates

* adding listing on raw endpoint

* reworking tests for enabled raw endpoints

* root protecting base raw endpoint
2017-09-15 00:21:35 -04:00
Chris Hoffman 91338d7aa2 Adding latency injector option to -dev mode for storage operations (#3289) 2017-09-11 14:49:08 -04:00
Jeff Mitchell 223c4fc325 Change auth helper interface to api.Secret. (#3263)
This allows us to properly handle wrapped responses.

Fixes #3217
2017-08-31 16:57:00 -04:00
Calvin Leung Huang 6f417d39da Normalize plugin_name option for mount and enable-auth (#3202) 2017-08-31 12:16:59 -04:00
Jeff Mitchell 3edb337a00 Add option to set cluster TLS cipher suites. (#3228)
* Add option to set cluster TLS cipher suites.

Fixes #3227
2017-08-30 16:28:23 -04:00
Brian Kassouf 23089dafbc Add basic autocompletion (#3223)
* Add basic autocompletion

* Add autocomplete to some common commands

* Autocomplete the generate-root flags

* Add information about autocomplete to the docs
2017-08-24 15:23:40 -07:00
Doyoon Kim 3ffebb7780 Moved PROXY protocol wrap to execute before the TLS wrap (#3195) 2017-08-23 12:00:09 -04:00
Seth Vargo ec9e187ce4 Thread stderr through too (#3211)
* Thread stderr through too

* Small docs typo
2017-08-21 17:23:29 -04:00
Jeff Mitchell 654e7d92ac Properly lowercase policy names. (#3210)
Previously we lowercased names on ingress but not on lookup or delete
which could cause unexpected results. Now, just unilaterally lowercase
policy names on write and delete. On get, to avoid the performance hit
of always lowercasing when not necessary since it's in the critical
path, we have a minor optimization -- we check the LRU first before
normalizing. For tokens, because they're already normalized when adding
policies during creation, this should always work; it might just be
slower for API calls.

Fixes #3187
2017-08-18 19:47:23 -04:00
Seth Vargo 51d8e5ff86 Do not revoke SSH key (#3208)
There is no secret to revoke - this produces an error on the CLI
2017-08-18 15:44:20 -04:00
Seth Vargo 2e3a9ebd06
Add host key checking for SSH CA 2017-08-18 12:59:09 -04:00
Seth Vargo 89cffaf25e
Revoke temporary cred after creation, update warning
/cc @vishalnayak
2017-08-18 12:59:09 -04:00
Seth Vargo 430fc22023
Initial pass at SSH CLI CA type authentication
1. The current implementation of the SSH command is heavily tied to the
assumptions of OTP/dynamic key types. The SSH CA backend is
fundamentally a different approach to login and authentication. As a
result, there was some restructuring of existing methods to share more
code and state.

2. Each authentication method (ca, otp, dynamic) are now fully-contained
in their own handle* function.

3. -mode and -role are going to be required for SSH CA, and I don't
think the magical UX (and overhead) of guessing them is a good UX. It's
confusing as to which role and how Vault guesses. We can reduce 66% of
the API calls and add more declaration to the CLI by making -mode and
-role required. This commit adds warnings for that deprecation, but
these values are both required for CA type authentication.

4. The principal and extensions are currently fixed, and I personally
believe that's good enough for the first pass at this. Until we
understand what configuration options users will want, I think we should
ship with all the local extensions enabled. Users who don't want that
can generate the key themselves directly (current behavior) or submit
PRs to make the map of extensions customizable.

5. Host key checking for the CA backend is not currently implemented.
It's not strictly required at setup, so I need to think about whether it
belongs here.

This is not ready for merge, but it's ready for early review.
2017-08-18 12:59:08 -04:00
Calvin Leung Huang ea6a1382ff Improve auth-enable output for plugin backends (#3189)
* Improve auth-enable output for plugin backends

* Unquote authType on final output
2017-08-16 14:31:16 -04:00
Jeff Mitchell c34a5b2e93 * Add ability to specify a plugin dir in dev mode (#3184)
* Change (with backwards compatibility) sha_256 to sha256 for plugin
registration
2017-08-16 11:17:50 -04:00
Seth Vargo f8922bf674 Update help output (spaces instead of tabs) (#3178) 2017-08-15 21:21:30 -04:00
Seth Vargo c1e6e0bdf2 Use SSHPASS envvar instead of -p for sshpass (#3177)
From the sshpass manpage:

> The -p option should be considered the least secure of all of sshpass's options. All system users can see the password in the command line with a simple "ps" command. Sshpass makes a minimal attempt to hide the password, but such attempts are doomed to create race conditions without actually solving the problem. Users of sshpass are encouraged to use one of the other password passing techniques, which are all more secure.

This PR changes the sshpass behavior to execute a subprocess with the
SSHPASS envvar (which is generally regarded as more secure) than using
the -p option.
2017-08-15 19:43:39 -04:00
Jeff Mitchell fdaaaadee2 Migrate physical backends into separate packages (#3106) 2017-08-03 13:24:27 -04:00
Gobin Sougrakpam 8e01c994bf tls_client_ca_file option for verifying client (#3034) 2017-08-03 07:33:06 -04:00
Calvin Leung Huang db9d9e6415 Store original request path in WrapInfo (#3100)
* Store original request path in WrapInfo as CreationPath

* Add wrapping_token_creation_path to CLI output

* Add CreationPath to AuditResponseWrapInfo

* Fix tests

* Add and fix tests, update API docs with new sample responses
2017-08-02 18:28:58 -04:00
Jeff Mitchell 7e3ff5e56c Add PROXY protocol support (#3098) 2017-08-02 18:24:12 -04:00
Brian Kassouf e0713b307d Add Testing Interface to test helpers (#3091)
* Add testing interface

* Add vendored files
2017-08-01 11:07:08 -07:00
Jeff Mitchell d39d1b4003 Add some useful variable output to three node dev startup 2017-08-01 11:50:41 -04:00
Jeff Mitchell 1f36e2a846 Use 1-based indexing for unseal keys in three node dev cluster 2017-08-01 11:12:45 -04:00
Jeff Mitchell d0f329e124 Add leader cluster address to status/leader output. (#3061)
* Add leader cluster address to status/leader output. This helps in
identifying a particular node when all share the same redirect address.

Fixes #3042
2017-07-31 18:25:27 -04:00
Jeff Mitchell 1bfc6d4fe7 Add a -dev-three-node option for devs. (#3081) 2017-07-31 11:28:06 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Jeff Mitchell 76d1402a44 Add token-only. (#2971) 2017-07-12 15:04:34 -04:00
Jeff Mitchell d169918465 Create and persist human-friendly-ish mount accessors (#2918) 2017-06-26 18:14:36 +01:00
Jeff Mitchell d55d75a79f Convert listener arguments to map[string]interface{} (#2905)
This allows people to use more natural constructs, e.g. for tls_disable
it can be a bool, int, or string.
2017-06-22 20:29:53 +01:00
Jeff Mitchell 286392c2a2 Fix tests 2017-06-21 11:19:38 -04:00
Jeff Mitchell 069764ea8f Add option to have dev mode generic backend return leases 2017-06-21 10:42:50 -04:00
Chris Hoffman 7e7d766e21 Exclude /sys/leases/renew from registering with expiration manager (#2891)
* exclude /sys/leases/renew from registering with expiration manager

* adding sys/leases/renew to return full secret object, adding tests to catch renew errors
2017-06-20 12:34:00 -04:00
Jeff Mitchell cf7d56e8f3 Fix up CORS.
Ref #2021
2017-06-17 01:26:25 -04:00
Jeff Mitchell 33ca94773f Add DogStatsD metrics output. (#2883)
Fixes #2490
2017-06-16 23:51:46 -04:00
Jeff Mitchell fcc9f35c77 Add a no-store option to vault auth (#2809)
Fixes #2746
2017-06-05 16:36:28 -04:00
Jeff Mitchell 72a5b5e23b Fix tests 2017-05-25 09:00:49 -04:00
Jeff Mitchell 9d4801b1e8 Revert grpc back a version (they introduced a panic) and clean up a bunch of old request forwarding stuff 2017-05-24 10:38:48 -04:00
emily aa40d2cff6 add gofmt checks to Vault and format existing code (#2745) 2017-05-19 08:34:17 -04:00
Brian Kassouf 5ee0d696d4 Merge remote-tracking branch 'oss/master' into database-refactor 2017-05-04 10:45:18 -07:00
Jeff Mitchell ed24a1b5a5 Write always needs a path, even with force. (#2675)
Fixes #2674
2017-05-04 06:40:58 -04:00
Jeff Mitchell 3d939dbe50 Further Sethisize loglevel inputz 2017-04-25 11:14:25 -04:00
Jeff Mitchell 7283894f41 Sethisize log level 2017-04-25 11:12:38 -04:00
Brian Kassouf 6c8239ba03 Update the builtin keys; move catalog to core; protect against unset plugin directory 2017-04-24 10:30:33 -07:00
Brian Kassouf 6f9d178370 Calls to builtin plugins now go directly to the implementation instead of go-plugin 2017-04-20 18:46:41 -07:00
Brian Kassouf af9ff63e9a Merge remote-tracking branch 'oss/master' into database-refactor 2017-04-19 15:16:00 -07:00
Christoph Blecker c82e7a631c Add -self flag to token-revoke (#2596) 2017-04-17 12:40:51 -04:00
Brian Kassouf 8a3ef906d5 Update the plugin directory logic 2017-04-13 11:22:53 -07:00
Brian Kassouf 0cfe1ea81c Cleanup path files 2017-04-12 17:35:02 -07:00
Brian Kassouf 8ccf10641b Merge branch 'master' into database-refactor 2017-04-12 14:29:10 -07:00
Brian Kassouf 93136ea51e Add backend test 2017-04-07 15:50:03 -07:00
Brian Kassouf ca2c3d0c53 Refactor to use builtin plugins from an external repo 2017-04-05 16:20:31 -07:00
Brian Kassouf b071144c67 move builtin plugins list to the pluginutil 2017-04-05 11:00:13 -07:00
Brian Kassouf 11abcd52e6 Add a cli command to run builtin plugins 2017-04-04 17:12:02 -07:00
Brian Kassouf 0034074691 Execute builtin plugins 2017-04-04 14:43:39 -07:00
Jeff Mitchell a8d64c5721 Add some minor tweaks to the PR 2017-04-04 12:22:14 -04:00
Brian Kassouf e8781b6a2b Plugin catalog 2017-04-03 17:52:29 -07:00
Greg Parris ad9546104b Typo corrections and tweaks to commands' help info
* Normalize "X arguments expected" messages
* Use "Vault" when referring to the product and "vault" when referring to an instance of the product
* Various minor tweaks to improve readability and/or provide clarity
2017-03-25 12:51:12 -05:00
Jeff Mitchell 5d760d4090 Add option to require valid client certificates (#2457) 2017-03-08 10:21:31 -05:00
Jeff Mitchell f03d500808 Add option to disable caching per-backend. (#2455) 2017-03-08 09:20:09 -05:00
Jeff Mitchell b11f92ba5a Rename physical backend to storage and alias old value (#2456) 2017-03-08 09:17:00 -05:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell 2cc0906b33 Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 (#2412) 2017-02-27 12:49:35 -05:00
Sean Chittenden 42d1c28bf5
Change the default DisplayName for a Circonus check to be Vault instead of the InstanceID.
Trivial defaults change, committing direct to `master`.
2017-02-26 15:18:46 -08:00
Jeff Mitchell 3ab4a82e03 Don't try synthesizing cluster when not in dev mode 2017-02-24 12:50:26 -05:00
Jeff Mitchell b29861f7bb Do some porting to make diffing easier 2017-02-24 10:45:29 -05:00
Jeff Mitchell 37f3b2bafd Fix missing newline in status output 2017-02-17 11:23:20 -05:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell e0c9bfd926 Add WithOptions methods to audit/auth enabling (#2383) 2017-02-16 11:37:27 -05:00
Jeff Mitchell 388d8cd191 Correct port parsing. (#2354)
* Correct port parsing.

Fixes #2351

* use strings.Contains instead of strings.HasSuffix

* Make the error message point to the wrong input
2017-02-08 13:50:17 -05:00
Roman Vynar 1615280efa Added tls_cipher_suites, tls_prefer_server_ciphers config options to listener (#2293) 2017-01-23 13:48:35 -05:00
Vishal Nayak fa7d61baa3 Merge pull request #2202 from fcantournet/fix_govet_fatalf
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Jeff Mitchell 69eb5066dd Multi value test seal (#2281) 2017-01-17 15:43:10 -05:00
Jeff Mitchell dd0e44ca10 Add nonce to unseal to allow seeing if the operation has reset (#2276) 2017-01-17 11:47:06 -05:00
vishalnayak adb6ac749f init: pgp-keys input validations 2017-01-11 23:32:38 -05:00
Jeff Mitchell 3129187dc2 JWT wrapping tokens (#2172) 2017-01-04 16:44:03 -05:00
Cameron Stokes b5f4558b7a Fix generate-root help and progress output. 2017-01-04 09:01:17 -08:00
Félix Cantournet 103b7ceab2 all: test: Fix govet warnings
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Jeff Mitchell dc0f751994 Change an output to an error 2016-12-06 07:56:45 -05:00
Jeff Mitchell 7865143c1d Minor ports 2016-12-05 12:28:12 -05:00
Vishal Nayak ad09acb479 Use Vault client's scheme for auto discovery (#2146) 2016-12-02 11:24:57 -05:00
Jeff Mitchell 0f5b847748 Fix panic when unwrapping if the server EOFs 2016-11-29 16:50:07 -05:00
Jeff Mitchell b87b070987 Add cgo info to vault version output 2016-11-27 19:32:57 -05:00
Jeff Mitchell fef97d9169 Print the revision, if known, separately from the version.
Also, indicate whether the build is dynamic or not.
2016-11-27 19:28:35 -05:00
Jeff Mitchell f1f38de8d4 Only add version sha if known 2016-11-27 19:16:44 -05:00
Jeff Mitchell 545e338a9e Add version sha to server startup output 2016-11-22 16:43:05 -05:00
Jeff Mitchell fc81a301b8 Don't say mlock is supported on OSX when it isn't. (#2120)
Fixes #2119
2016-11-22 12:56:36 -05:00
Kyle McCullough aeb23b72d7 cli: fix bug with 'vault read -field=...' when the field value contains a printf formatting verb (#2109) 2016-11-22 12:30:23 -05:00
Chris Lundquist 9b5ee87929 prevent binding 0.0.0.0 -> ::0 (#2094) 2016-11-15 12:00:57 -05:00
matt maier 57925ee863 Vendor circonus (#2082) 2016-11-10 16:17:55 -05:00
vishalnayak 931c96d1ba ssh: Use temporary file to store the identity file 2016-10-18 12:50:12 -04:00
Jeff Mitchell 53efd18dda Make listener shutdown more synchronous (#1985) 2016-10-10 13:18:19 -04:00
Jeff Mitchell 21e1f38e6a Split HA server command tests from reload tests 2016-10-07 11:06:01 -04:00
Jeff Mitchell 2c85fdfeb9 Switch default case of disable cluster. (#1959) 2016-10-02 14:54:01 -04:00
Jeff Mitchell 6d00f0c483 Adds HUP support for audit log files to close and reopen. (#1953)
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.

As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
Jeff Mitchell 85315ff188 Rejig where the reload functions live 2016-09-30 00:07:22 -04:00
Jeff Mitchell b45a481365 Wrapping enhancements (#1927) 2016-09-28 21:01:28 -07:00
Jeff Mitchell f0203741ff Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Jeff Mitchell 72b9c4c649 Fix parsing env var, needed to be in the helper too 2016-09-23 13:20:26 -04:00
Evan Phoenix 4214a0199d Advertise the cluster_(id|name) in the Scada handshake (#1906) 2016-09-23 10:55:51 -04:00
Jeff Mitchell 57f3904d74 Use VAULT_LOG_FORMAT as an analogue to LOGXI_FORMAT 2016-09-22 17:22:02 -04:00
Jeff Mitchell bbe87db913 Force tls_disable on scada connection inside outer TLS connection as it's not currently supported anyways 2016-09-20 14:56:16 -04:00
Jeff Mitchell f3ab4971a6 Follow Vault convention on DELETE being idempotent (#1903)
* Follow Vault convention on `DELETE` being idempotent with
audit/auth/mounts deletes (a.k.a. disabling/unmounting).
2016-09-19 13:02:25 -04:00
vishalnayak e123f33a91 Add yml alias for yaml 2016-09-16 10:43:23 -04:00
Jeff Mitchell 722e26f27a Add support for PGP encrypting the initial root token. (#1883) 2016-09-13 18:42:24 -04:00
Jeff Mitchell 640351b7d1 Update text of init/rekey around recovery values 2016-09-12 16:20:21 -04:00
Jeff Mitchell 7e5aef279c Don't panic on bad auth path
Fixes #1860
2016-09-08 11:14:47 -04:00
Jeff Mitchell 1c6f2fd82b Add response wrapping to list operations (#1814) 2016-09-02 01:13:14 -04:00
Vishal Nayak 90737d3b44 Merge pull request #1836 from hashicorp/truncate-version-string
Remove the string 'Vault' from version information
2016-09-01 20:23:26 -04:00
Seth Vargo fc4a5bae3c Update audit-enable to show more examples (#1842)
* Update audit-enable to show more examples

* Update audit_enable.go
2016-09-01 20:14:29 -04:00
Seth Vargo a438f5e950 Add more examples and cleanup docs for auth (#1841) 2016-09-01 19:56:30 -04:00
vishalnayak 5bd665a842 Update atlas listener factory to use version with pre-release info. 2016-09-01 17:21:11 -04:00
vishalnayak f5447d8fa9 Avoid commas while printing policies 2016-09-01 16:32:27 -04:00
Jeff Mitchell 35800b0782 Don't output key/value header if there are no values to display. (#1838)
Fixes #1835
2016-09-01 15:58:16 -04:00
vishalnayak 9c78c58948 Remove the string 'Vault' from version information 2016-09-01 14:54:04 -04:00
Jeff Mitchell 61f1eee72c Remove hex output from keys; standardize on B64 for CLI output. This (#1831)
aligns with all other interactions which use B64 encoding for bytes.
2016-09-01 12:59:15 -04:00
Jeff Mitchell ecf61e9ba4 Add a separator to list output 2016-08-30 16:48:55 -04:00
Jeff Mitchell 2ce4397deb Plumb through the ability to set the storage read cache size. (#1784)
Plumb through the ability to set the storage read cache size.

Fixes #1772
2016-08-26 10:27:06 -04:00
Jeff Mitchell 1ee4cb4725 Strip trailing whitespace in token from file.
Fixes #1774
2016-08-23 20:22:45 -04:00
Jeff Mitchell dd53c4b1d8 Don't validate a dev listen address as that makes a proper Docker
entrypoint difficult.

Fixes #1762
2016-08-23 08:34:43 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell bdcfe05517 Clustering enhancements (#1747) 2016-08-19 11:03:53 -04:00
Jeff Mitchell 56940c282b Force dev on when dev-ha is on 2016-08-19 08:29:34 -04:00
Jeff Mitchell 62c69f8e19 Provide base64 keys in addition to hex encoded. (#1734)
* Provide base64 keys in addition to hex encoded.

Accept these at unseal/rekey time.

Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell 37320f8798 Request forwarding (#1721)
Add request forwarding.
2016-08-15 09:42:42 -04:00
Jeff Mitchell bcb4ab5422 Add periodic support for root/sudo tokens to auth/token/create 2016-08-12 21:14:12 -04:00
Jeff Mitchell 92f4fdf892 Add some info about -f to the "expects two arguments" error.
Ping #1722
2016-08-12 15:47:16 -04:00
Jeff Mitchell c1a46349fa Change to keybase openpgp fork as it has important fixes 2016-08-11 08:31:43 -04:00
Jeff Mitchell 5771a539a5 Add HTTP test for renew and fix muxing 2016-08-08 20:01:08 -04:00
Jeff Mitchell 529e36636c Rename mounttune.go 2016-08-08 16:22:28 -04:00
Jeff Mitchell 69c1121d29 Fix generate-root synopsis 2016-08-05 16:35:03 -04:00
vishalnayak e029d3c87a Support execution of remote commands using 'vault ssh' 2016-08-01 14:53:00 -04:00
Jeff Mitchell 6ffefb649d Close the shutdown channel instead of sending a value down 2016-08-01 11:58:45 -04:00
vishalnayak 05b8ce8348 Address review feedback 2016-08-01 11:15:25 -04:00
vishalnayak 5ed10f4074 Make the defer statement of waitgroup to execute last 2016-08-01 10:24:27 -04:00
vishalnayak ea2e677f02 Sharing shutdown message with physical consul backend 2016-07-31 10:09:16 -04:00
vishalnayak a8b4fc0d3c Add waitgroup wait to allow physical consul to deregister checks 2016-07-30 13:17:29 -04:00
vishalnayak 8b0b0d5922 Add cluster information to 'vault status' 2016-07-29 14:13:53 -04:00
vishalnayak e5e0431393 Added Vault version informationto the 'status' command 2016-07-28 17:37:35 -04:00
Vishal Nayak c7bcaa5bb6 Merge pull request #1655 from hashicorp/cluster-id
Vault cluster name and ID
2016-07-26 14:12:48 -04:00
Evan Phoenix 41ed3de3b1 Report the simple version string 2016-07-26 10:21:24 -07:00
vishalnayak 6e1d020c3a Added cluster_name for existing config tests 2016-07-26 11:38:24 -04:00
vishalnayak 7daa92f42c Update cluster name during config merge 2016-07-26 11:11:12 -04:00
vishalnayak a3e6400697 Remove global name/id. Make only cluster name configurable. 2016-07-26 10:01:35 -04:00
vishalnayak c7dabe4def Storing local and global cluster name/id to storage and returning them in health status 2016-07-26 02:32:42 -04:00
matt maier 6519c224ac Circonus integration for telemetry metrics 2016-07-22 15:49:23 -04:00
vishalnayak a7665723e3 Address review feedback 2016-07-22 11:31:55 -04:00
vishalnayak f53792efc7 Update docs on the init command 2016-07-22 11:22:10 -04:00
Vishal Nayak caab9d40f2 Merge pull request #1642 from hashicorp/init-service-discovery
Add service discovery to init command
2016-07-21 20:47:32 -04:00
vishalnayak b243ee256e Address review feedback by @jefferai 2016-07-21 20:46:31 -04:00
vishalnayak bd8ff10462 Address review feedback from @sean 2016-07-21 19:04:43 -04:00
vishalnayak 5316082675 Added documentation for init service discovery 2016-07-21 17:27:56 -04:00
vishalnayak f557457909 Added a separate flag consul-service to receive Consul service name 2016-07-21 16:51:38 -04:00
vishalnayak 23800c5f1d Add service discovery to init command 2016-07-21 16:17:29 -04:00
Jeff Mitchell 3ec81debe7 Trim leading/trailing space around PEM bundles.
Fixes #1634
2016-07-20 13:57:49 -04:00
Jeff Mitchell 9d68297ffa Have human-oriented token duration and secret duration output display a more human-friendly format 2016-07-19 12:15:00 -04:00
Jeff Mitchell a3ce0dcb0c Turn off DynamoDB HA by default.
The semantics are wonky and have caused issues from people not reading
docs. It can be enabled but by default is off.
2016-07-18 13:19:58 -04:00
vishalnayak c14235b206 Merge branch 'master-oss' into json-use-number
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
vishalnayak f34f0ef503 Make 'tls_min_version' configurable 2016-07-12 19:32:47 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers.
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell 61250157d7 Don't panic on an empty configuration during merge 2016-07-05 16:49:15 -04:00
Jeff Mitchell 2c1b9499fc Add aliases for field flag to allow printing auth results.
Also fix the write command to use the shared function with aliases.

Fixes #1566
2016-06-27 23:19:09 -04:00
Jeff Mitchell 07ebfce1a4 Up sleep time during reload test to not fail under certain test conditions 2016-06-27 15:37:25 -04:00
Jeff Mitchell a7e15a8c0e Fix up external token helper tests 2016-06-22 10:04:43 -04:00
Tom Maher 3f40d8cbc7 Correctly check for existence of external token_helper binaries 2016-06-21 19:32:19 -07:00
Vishal Nayak d4d47ce5e3 Merge pull request #1531 from hashicorp/auth-mount-tune-params
Auth tune endpoints and config settings output from CLI
2016-06-20 20:24:47 -04:00
Vishal Nayak 949bb97ebc Merge pull request #1532 from hashicorp/vault-auth-path
Added -path option to 'vault auth' command
2016-06-20 16:43:26 -04:00
vishalnayak 3b308713ad Added -path option to help output 2016-06-20 16:24:49 -04:00
vishalnayak 9be9f73806 Concatenating the output instead of printing twice 2016-06-20 15:26:33 -04:00
vishalnayak 91668dd21d Fix the output format when warnings are present 2016-06-15 17:13:14 -04:00
vishalnayak 53fede4b70 Added '-path' option to 'vault auth' command 2016-06-15 16:54:27 -04:00
vishalnayak 848b479a61 Added 'sys/auth/<path>/tune' endpoints.
Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods'
2016-06-15 13:58:24 -04:00
Jeff Mitchell e925987cb6 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
Jeff Mitchell 65d8973864 Add explicit max TTL capability to token creation API 2016-06-08 14:49:48 -04:00
Jeff Mitchell 6ff0742aa6 Remove unneeded else 2016-06-08 13:55:31 -04:00
Jeff Mitchell c0155ac02b Add renewable flag and API setting for token creation 2016-06-08 11:14:30 -04:00
Jeff Mitchell bb1e8ddaa2 Make token renewable status work properly on lookup 2016-06-08 09:19:39 -04:00
Jeff Mitchell 10b218d292 Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this... 2016-06-07 16:01:09 -04:00
Jeff Mitchell 401456ea50 Add creation time to returned wrapped token info
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.

This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Bill Monkman de8477244e #1486 : Fixed sealed and leader checks for consul backend 2016-06-03 16:00:31 -07:00
Jeff Mitchell 5cefd6bd3a Merge pull request #1470 from hashicorp/unwrap-in-api
Make Unwrap a first-party API command and refactor UnwrapCommand to u…
2016-06-03 13:25:10 -04:00
Jeff Mitchell 64c180510e Add a metadata node_id field for Atlas usage and fix tests 2016-06-02 18:19:51 -04:00
Jeff Mitchell 0d9ea2a1a1 Initial Atlas listener implementation 2016-06-02 14:05:47 -04:00
vishalnayak c197414b3b Prioritize dev flags over its env vars 2016-06-01 12:21:29 -04:00
vishalnayak 4c08d43950 Address review feedback 2016-06-01 11:39:48 -04:00
vishalnayak 8d50543a88 Supplying strictHostKeyChecking and userKnownHostsFile from env vars 2016-06-01 11:08:24 -04:00
vishalnayak 315f9c868c Provide option to disable host key checking 2016-06-01 11:08:24 -04:00
Jeff Mitchell 63aba520c6 Make Unwrap a first-party API command and refactor UnwrapCommand to use it 2016-05-27 21:04:30 +00:00
vishalnayak ff6f5ae75b Add a non-nil check for 'port' field to be present in the response 2016-05-25 21:26:32 +00:00
Jeff Mitchell 199f99d031 Decode json.Number before handing to mapstructure 2016-05-25 19:02:31 +00:00
Jeff Mitchell 05b2d4534c Add unwrap test function and some robustness around paths for the wrap lookup function 2016-05-19 11:49:46 -04:00
Jeff Mitchell 0da8762bd5 Add unwrap command, and change how the response is embedded (as a string, not an object) 2016-05-19 11:25:15 -04:00
Jeff Mitchell dce8a8da42 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-19 02:43:22 +00:00
Jeff Mitchell 0168b74e03 Rename lease_duration to refresh_interval when there is no lease ID, and output ---- between header and values 2016-05-17 17:10:12 +00:00
Jeff Mitchell c4431a7e30 Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 16:11:33 -04:00
Jeff Mitchell 4c67a739b9 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-16 12:14:40 -04:00
Sean Chittenden 7a4b31ce51
Speling police 2016-05-15 09:58:36 -07:00
Jeff Mitchell 560e9c30a3 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-12 14:59:12 -04:00
Jeff Mitchell 885cc73b2e Merge branch 'master-oss' into f-vault-service 2016-05-04 17:20:00 -04:00
Jeff Mitchell 99a5b4402d Merge branch 'master-oss' into cubbyhole-the-world 2016-05-04 14:42:14 -04:00
Jeff Mitchell 47a7ada7e8 Fix number of recovery shares output during init 2016-05-03 23:07:09 -04:00
Jeff Mitchell 2bbb39f4af Properly handle sigint/hup 2016-05-03 14:30:58 -04:00
Jeff Mitchell 1ffd5653c6 Add wrap support to API/CLI 2016-05-02 02:03:23 -04:00
Jeff Mitchell 749b60d57d Ensure seal finalizing happens even when using verify-only 2016-04-28 14:06:05 -04:00
Sean Chittenden 0b72906fc3 Change the interface of ServiceDiscovery
Instead of passing state, signal that the state has changed and provide a callback handler that can query Core.
2016-04-28 11:05:18 -07:00
Sean Chittenden aeea7628d6 Add a *log.Logger argument to physical.Factory
Logging in the backend is a good thing.  This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
Sean Chittenden f5183fa506 Collapse UpdateAdvertiseAddr() into RunServiceDiscovery() 2016-04-25 18:01:13 -07:00
Sean Chittenden 3977057cc9 Disable service registration for consul HA tests 2016-04-25 18:01:13 -07:00
Sean Chittenden 1f8397f0a3 Use spaces in tests to be consistent
The rest of the tests here use spaces, not tabs
2016-04-25 18:01:13 -07:00
Sean Chittenden 60006f550f Various refactoring to clean up code organization
Brought to you by: Dept of 2nd thoughts before pushing enter on `git push`
2016-04-25 18:01:13 -07:00
Sean Chittenden e7f600b4e6 Improve error handling re: homedir expansion
Useful if the HOME envvar is not set because `vault` was launched in a clean environment (e.g. `env -i vault ...`).
2016-04-25 18:01:13 -07:00
Sean Chittenden 6b2c83564e Teach Vault how to register with Consul
Vault will now register itself with Consul.  The active node can be found using `active.vault.service.consul`.  All standby vaults are available via `standby.vault.service.consul`.  All unsealed vaults are considered healthy and available via `vault.service.consul`.  Change in status and registration is event driven and should happen at the speed of a write to Consul (~network RTT + ~1x fsync(2)).

Healthy/active:

```
curl -X GET 'http://127.0.0.1:8500/v1/health/service/vault?pretty' && echo;
[
    {
        "Node": {
            "Node": "vm1",
            "Address": "127.0.0.1",
            "TaggedAddresses": {
                "wan": "127.0.0.1"
            },
            "CreateIndex": 3,
            "ModifyIndex": 20
        },
        "Service": {
            "ID": "vault:127.0.0.1:8200",
            "Service": "vault",
            "Tags": [
                "active"
            ],
            "Address": "127.0.0.1",
            "Port": 8200,
            "EnableTagOverride": false,
            "CreateIndex": 17,
            "ModifyIndex": 20
        },
        "Checks": [
            {
                "Node": "vm1",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm1",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "passing",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "",
                "ServiceID": "vault:127.0.0.1:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 19
            }
        ]
    }
]
```

Healthy/standby:

```
[snip]
        "Service": {
            "ID": "vault:127.0.0.2:8200",
            "Service": "vault",
            "Tags": [
                "standby"
            ],
            "Address": "127.0.0.2",
            "Port": 8200,
            "EnableTagOverride": false,
            "CreateIndex": 17,
            "ModifyIndex": 20
        },
        "Checks": [
            {
                "Node": "vm2",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm2",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "passing",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "",
                "ServiceID": "vault:127.0.0.2:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 19
            }
        ]
    }
]
```

Sealed:

```
        "Checks": [
            {
                "Node": "vm2",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm2",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "critical",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "Vault Sealed",
                "ServiceID": "vault:127.0.0.2:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 38
            }
        ]
```
2016-04-25 18:01:13 -07:00
Sean Chittenden 230b59f34c Stub out service discovery functionality
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
2016-04-25 18:00:54 -07:00
Sean Chittenden 0c23acb818 Comment nits 2016-04-25 18:00:54 -07:00
Jeff Mitchell 8d4e5aacae Change seal test name in command package 2016-04-26 00:12:14 +00:00
Jeff Mitchell 267b13c1ba Merge pull request #1326 from hashicorp/sethvargo/hint_noreauth
Hint that you don't need to run auth twice
2016-04-25 15:43:55 -04:00
Jeff Mitchell 98d09b0dc6 Add seal tests and update generate-root and others to handle dualseal. 2016-04-25 19:39:04 +00:00
Jeff Mitchell 4e53f4b1a4 Use UseNumber() on json.Decoder to have numbers be json.Number objects
instead of float64. This fixes some display bugs.
2016-04-20 18:38:20 +00:00
Jeff Mitchell 055a8e04e4 Change recovery options in init to be 'key'-less 2016-04-18 17:02:07 +00:00
Jeff Mitchell b4620d5d04 Add check against seal type to catch errors before we attempt to use the data 2016-04-15 18:16:48 -04:00
Sean Chittenden 069d9cf021 Fix SIGINT handling.
No signal handler was setup to receive SIGINT.  I didn't investigate to
see if signal(2) mask was setup (ala `SIG_IGN`) or if sigprocmask(2) is
being used, but in either case, the correct behavior is to capture and
treat SIGINT the same as SIGTERM.  At some point in the future these two
signals may affect the running process differently, but we will clarify
that difference in the future.
2016-04-15 10:03:22 -07:00
Jeff Mitchell 119238149b Add Finalize method to seal. 2016-04-14 20:37:34 +00:00
vishalnayak 5c336297ad Provide clarity for output statements of idempotent calls. 2016-04-14 15:46:45 +00:00
vishalnayak b7178846c1 Clarify token-revoke operation 2016-04-14 15:34:01 +00:00
Seth Vargo 54c414abb2
Clarify delete operation
One thing that has been a point of confusion for users is Vault's
response when deleting a key that does not actually exist in the system.
For example, consider:

    $ vault delete secret/foo
    Success! Deleted 'secret/foo'

This message is misleading if the secret does not exist, especially if
the same command is run twice in a row.

Obviously the reason for this is clear - returning an error if a secret
does not exist would reveal the existence of a secret (the same reason
everything on S3 is a 403 or why GitHub repos 404 instead of 403 if you
do not have permission to view them).

I think we can make the UX a little bit better by adding just a few
words to the output:

    $ vault delete secret/foo
    Success! Deleted 'secret/foo' if it existed

This makes it clear that the operation was only performed if the secret
existed, but it does not reveal any more information.
2016-04-14 10:38:10 +01:00
Jeff Mitchell a4ff72841e Check for seal status when initing and change logic order to avoid defer 2016-04-14 01:13:59 +00:00
Seth Vargo 217035d081 Hint that you don't need to run auth twice
This came up twice, in two different training courses. The UX is a
little confusing here on the CLI. Users are used to running:

    $ vault auth abcd-1234...

So when they auth using a method, the output leads them to believe the
need to "re-auth" as the generated token:

    $ vault auth -method=userpass username=foo password=bar
    Successfully authenticated!
    token: defg-5678...

A number of users then run:

    $ vault auth defg-5678

I've added some helpful text to hint this is not required if the method
is not "token".
2016-04-13 19:45:48 +01:00
Jeff Mitchell 759915bb55 Fix panic when using -field with read or write with a non-string value.
Fixes #1308
2016-04-07 22:16:33 +00:00
Sean Chittenden 58846f8eac Reinstall the mlockall(2) command
Requested by: jefferai
2016-04-05 13:58:26 -07:00
Sean Chittenden 47c3202811 Unconditionally warn on systems w/o mlock support
If someone begins using Vault on Windows in dev mode, always hint so that this isn't a surprise when they get to production.
2016-04-05 12:32:53 -07:00
Jeff Mitchell 348be0e50b Remove RevokePrefix from the API too as we simply do not support it any
longer.
2016-04-05 11:00:12 -04:00
Jeff Mitchell 9102b994aa Sync some seal stuff 2016-04-04 13:46:33 -04:00
Jeff Mitchell afae46feb7 SealInterface 2016-04-04 10:44:22 -04:00
Jeff Mitchell 1b7335cf4e Fix up the meta common options text function to not strip leading space and fix up commands 2016-04-01 16:50:12 -04:00
Jeff Mitchell b0888e8af1 Remove config from Meta; it's only used right now with the token helper. 2016-04-01 16:02:18 -04:00
Jeff Mitchell a137081241 Move token helper out of meta 2016-04-01 14:23:15 -04:00
Jeff Mitchell 133d9c1008 Move meta into its own package 2016-04-01 13:16:05 -04:00
Jeff Mitchell 1be69ae235 Sort infokeys on startup and add more padding 2016-03-30 12:31:47 -04:00
Jeff Mitchell 528b25c5f4 Merge HA Backend objects 2016-03-21 16:56:13 -04:00
vishalnayak 119fa1653b Restore the previous valid token if token authentication fails 2016-03-18 14:43:16 -04:00
Pradeep Chhetri 6d7cbc890d Fix Typo 2016-03-18 14:06:49 +00:00
Jeff Mitchell 3dbac2e2cb Add -field and -format to write command.
Fixes #1186
2016-03-17 14:57:30 -04:00
Vishal Nayak 7db7b47fdd Merge pull request #1210 from hashicorp/audit-id-path
Rename id to path and path to file_path, print audit backend paths
2016-03-15 20:13:21 -04:00
vishalnayak 71fc07833f Rename id to path and path to file_path, print audit backend paths 2016-03-14 17:15:07 -04:00
Jeff Mitchell 0e3764832a Add test for listener reloading, and update website docs. 2016-03-14 14:05:47 -04:00
Jeff Mitchell b3218d26d6 Properly scope config objects for reloading 2016-03-14 11:18:02 -04:00
Jeff Mitchell 84af6ec8ac Don't generate an ID; use address for the ID. Generally speaking we'll need to sane against what's in the config 2016-03-11 17:28:03 -05:00
Jeff Mitchell 996c584192 Don't inline factory 2016-03-11 17:02:44 -05:00
Jeff Mitchell 9ce1be3b00 For not shutdown triggered... 2016-03-11 17:01:26 -05:00
Jeff Mitchell d75ce9de9b Retool to have reloading logic run in command/server 2016-03-11 16:47:03 -05:00
Jeff Mitchell c6066af4c1 Add tests. This actually adds the initial tests for the TLS listener,
then layers reloading tests on top.
2016-03-11 14:05:52 -05:00
Jeff Mitchell baf0763b3c Add reload capability for Vault listener certs. No tests (other than
manual) yet, and no documentation yet.
2016-03-11 14:05:52 -05:00
Vishal Nayak c70b4bbbb2 Merge pull request #1201 from hashicorp/accessor-cli-flags
Accessor CLI flags
2016-03-11 09:55:45 -05:00
vishalnayak 9659e3d148 Added test for token-revoke accessor flag 2016-03-10 21:38:27 -05:00
vishalnayak 0486fa1a3a Added accessor flag to token-revoke CLI 2016-03-10 21:21:20 -05:00
vishalnayak 266af2a5e2 Added test for token-lookup accessor flag 2016-03-10 21:21:20 -05:00
vishalnayak ed8a096596 Add accessor flag to token-lookup command and add lookup-accessor client API 2016-03-10 21:21:20 -05:00
Seth Vargo 30c8204da6 Remove log statement 2016-03-10 17:48:34 -05:00
Seth Vargo 68170d770a Add missing fixture 2016-03-10 17:40:40 -05:00
Seth Vargo b207fc403c Fix failing config test 2016-03-10 17:36:10 -05:00
Seth Vargo 0adab4182f Fix test fixtures 2016-03-10 16:51:08 -05:00
Seth Vargo 6739804118 Fix failing policy-write integration test
This was a flawed test. Previously the test passed in a fixture that
corresponded to a CLI config file, not an actual policy. The test
_should_ have been failing, but it wasn't. This commit adds a new
fixture.
2016-03-10 15:45:49 -05:00
Seth Vargo b817b60183 Parse HCL keys in command config 2016-03-10 15:25:25 -05:00
Seth Vargo f916ed349d Print errors on extra keys in server config
This does NOT apply to the backend config, since each backend config
could have a variation of options that differ based off of the
configured backend itself. This may be an optimization that can be made
in the future, but I think each backend should be responsible for
performing its own configuration validation instead of overloading the
config itself with this functionality.
2016-03-10 15:25:25 -05:00
Jeff Mitchell fa2ba47a5c Merge branch 'master' into token-roles 2016-03-09 17:23:34 -05:00
Jeff Mitchell 6df72e6efd Merge pull request #1168 from hashicorp/revoke-force
Add forced revocation.
2016-03-09 16:59:52 -05:00
vishalnayak 151c932875 AccessorID --> Accessor, accessor_id --> accessor 2016-03-09 06:23:31 -05:00
vishalnayak 301776012f Introduced AccessorID in TokenEntry and returning it along with token 2016-03-08 14:06:10 -05:00
vishalnayak 3b463c2d4e use errwrap to check the type of error message, fix typos 2016-03-07 18:36:26 -05:00
Jeff Mitchell cc1f5207b3 Merge branch 'master' into token-roles 2016-03-07 10:03:54 -05:00
vishalnayak 73943546c3 Documentation for capabilities and capabilities-self APIs 2016-03-07 06:13:56 -05:00
vishalnayak aab24113b0 test cases for capabilities endpoint 2016-03-05 00:03:55 -05:00
vishalnayak 9946a2d8b5 refactoring changes due to acl.Capabilities 2016-03-04 18:55:48 -05:00
vishalnayak 7fe871e60a Removing the 'Message' field 2016-03-04 10:36:03 -05:00
vishalnayak 3730e095ac testcase changes 2016-03-04 10:36:03 -05:00
vishalnayak b67ab8ab7c Test files for capabilities endpoint 2016-03-04 10:36:03 -05:00
vishalnayak 816f1f8631 self review rework 2016-03-04 10:36:03 -05:00
vishalnayak 286e63a648 Handled root token use case 2016-03-04 10:36:03 -05:00
vishalnayak 07f9486ecb Added capabilities and capabilities-self endpoints to http muxer 2016-03-04 10:36:03 -05:00
vishalnayak 5749a6718c Added sys/capabililties endpoint 2016-03-04 10:36:02 -05:00
Jeff Mitchell 0998e1cdf9 Update help text exporting dev mode listen address.
Ping #1160
2016-03-03 18:10:14 -05:00
Jeff Mitchell 3e7bca82a1 Merge pull request #1146 from hashicorp/step-down
Provide 'sys/step-down' and 'vault step-down'
2016-03-03 12:30:08 -05:00
Jeff Mitchell 69c853fd2f Add the ability to specify dev mode address via CLI flag and envvar.
Fixes #1160
2016-03-03 10:48:52 -05:00
Jeff Mitchell 750b33c51b Add ability to control dev root token id with
VAULT_DEV_ROOT_TOKEN_ID env var, and change the CLI flag to match.

Ping #1160
2016-03-03 10:24:44 -05:00
Jeff Mitchell cd86226845 Add forced revocation.
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.

This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.

Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.

Fixes #1135
2016-03-03 10:13:59 -05:00
Jeff Mitchell 8011148fb5 Allow specifying an initial root token ID in dev mode.
Ping #1160
2016-03-02 12:03:26 -05:00
Jeff Mitchell 521a956e4d Address review feedback 2016-03-01 20:25:40 -05:00
Jeff Mitchell addf92e185 Allow token-renew to not be given a token; it will then use the
renew-self endpoint. Otherwise it will use the renew endpoint, even if
the token matches the client token.

Adds an -increment flag to allow increments even with no token passed
in.

Fixes #1150
2016-03-01 17:02:48 -05:00