Jeff Mitchell
f9bbe0fb04
Use logical operations instead of strings for comparison
2016-01-12 21:16:31 -05:00
Jeff Mitchell
d949043cac
Merge pull request #914 from hashicorp/acl-rework
...
More granular ACL capabilities
2016-01-12 21:11:52 -05:00
Jeff Mitchell
4253299dfe
Store uint32s in radix
2016-01-12 17:24:01 -05:00
Jeff Mitchell
e58705b34c
Cleanup
2016-01-12 17:10:48 -05:00
Jeff Mitchell
87fba5dad0
Convert map to bitmap
2016-01-12 17:08:10 -05:00
Jeff Mitchell
da87d490eb
Add some commenting around create/update
2016-01-12 15:13:54 -05:00
Jeff Mitchell
9db22dcfad
Address some more review feedback
2016-01-12 15:09:16 -05:00
Jeff Mitchell
ce5bd64244
Clean up HelpOperation
2016-01-12 14:34:49 -05:00
Jeff Mitchell
a99787afeb
Don't allow a policy with no name, even though it is a valid slice member
2016-01-08 21:23:40 -05:00
Jeff Mitchell
f6d2271a3c
Use an array of keys so that if the same fingerprint is used none are lost when using PGP key backup
2016-01-08 14:29:23 -05:00
Jeff Mitchell
4f4ddbf017
Create more granular ACL capabilities.
...
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.
Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Jeff Mitchell
2412c078ac
Also convert policy store cache to 2q.
...
Ping #908
2016-01-07 09:26:08 -05:00
Jeff Mitchell
85509e7ba5
Simplify some logic and ensure that if key share backup fails, we fail
...
the operation as well.
Ping #907
2016-01-06 13:14:23 -05:00
Jeff Mitchell
a094eedce2
Add rekey nonce/backup.
2016-01-06 09:54:35 -05:00
Jeff Mitchell
d51d723c1f
Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases)
2016-01-04 17:11:22 -05:00
Jeff Mitchell
e990b77d6e
Address review feedback; move storage of these values to the expiration manager
2016-01-04 16:43:07 -05:00
Jeff Mitchell
5ddd243144
Store a last renewal time in the token entry and return it upon lookup
...
of the token.
Fixes #889
2016-01-04 11:20:49 -05:00
Jeff Mitchell
df68e3bd4c
Filter out duplicate policies during token creation.
2015-12-30 15:18:30 -05:00
Jeff Mitchell
96cb7d0051
Commenting/format update
2015-12-18 10:34:54 -05:00
Jeff Mitchell
4482fdacfd
If we have not yet completed post-unseal when running in single-node
...
mode, don't advertise that we are active.
Ping #872
2015-12-17 13:48:08 -05:00
Jeff Mitchell
f2da5b639f
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
Jeff Mitchell
b2a0b48a2e
Add test to ensure the right backend was used with separate HA
2015-12-14 20:48:22 -05:00
Jeff Mitchell
7ce8aff906
Address review feedback
2015-12-14 17:58:30 -05:00
Jeff Mitchell
ced0835574
Allow separate HA physical backend.
...
With no separate backend specified, HA will be attempted on the normal
physical backend.
Fixes #395 .
2015-12-14 07:59:58 -05:00
Jeff Mitchell
900b3d8882
Return 400 instead of 500 if generic backend is written to without data.
...
Fixes #825
2015-12-09 10:39:22 -05:00
Jeff Mitchell
1c7157e632
Reintroduce the ability to look up obfuscated values in the audit log
...
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).
In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)
Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell
bece637eb7
Address feedback from review
2015-11-15 17:32:57 -05:00
Jeff Mitchell
bc4c18a1cf
Rearchitect MountTable locking and fix rollback.
...
The rollback manager was using a saved MountTable rather than the
current table, causing it to attempt to rollback unmounted mounts, and
never rollback new mounts.
In fixing this, it became clear that bad things could happen to the
mount table...the table itself could be locked, but the table pointer
(which is what the rollback manager needs) could be modified at any time
without locking. This commit therefore also returns locking to a mutex
outside the table instead of inside, and plumbs RLock/RUnlock through to
the various places that are reading the table but not holding a write
lock.
Both unit tests and race detection pass.
Fixes #771
2015-11-11 11:54:52 -05:00
Jeff Mitchell
1a45696208
Add no-default-policy flag and API parameter to allow exclusion of the
...
default policy from a token create command.
2015-11-09 17:30:50 -05:00
Jeff Mitchell
d6693129de
Create a "default" policy with sensible rules.
...
It is forced to be included with each token, but can be changed (but not
deleted).
Fixes #732
2015-11-09 15:44:09 -05:00
Jeff Mitchell
1a621b7000
Minor test fix
2015-11-09 15:37:30 -05:00
Jeff Mitchell
8673f36b34
Don't require root tokens for mount and policy endpoints.
2015-11-09 15:29:21 -05:00
Jeff Mitchell
5783f547ab
Display whether a token is an orphan on lookup.
2015-11-09 13:19:59 -05:00
Jeff Mitchell
7aa3faa626
Rename core's 'policy' to 'policyStore' for clarification
2015-11-06 12:07:42 -05:00
Jeff Mitchell
7d8371c4a3
Remove warning about nonexistent root policy by using GetPolicy instead
...
of the listing function.
2015-11-06 11:36:40 -05:00
Jeff Mitchell
395d6bead4
Fix removing secondary index from exp manager.
...
Due to a typo, revoking ensures that index entries are created rather
than removed. This adds a failing, then fixed test case (and helper
function) to ensure that index entries are properly removed on revoke.
Fixes #749
2015-11-04 10:50:31 -05:00
Jeff Mitchell
6ccded7a2f
Add ability to create orphan tokens from the API
2015-11-03 15:12:21 -05:00
Jeff Mitchell
a9db12670a
errwrap -> go-multierror + errwrap
2015-11-02 13:29:33 -05:00
Jeff Mitchell
7e9918ec8e
Run preSeal if postUnseal fails.
...
This also ensures that every error path out of postUnseal returns an
error.
Fixes #733
2015-11-02 13:29:33 -05:00
Jeff Mitchell
1899bd8ef0
Merge pull request #730 from hashicorp/issue-713
...
Write HMAC-SHA256'd client token to audited requests
2015-10-30 13:36:22 -04:00
Jeff Mitchell
94b7be702b
Return data on a token with one use left if there is no Lease ID
...
Fixes #615
2015-10-30 12:35:42 -04:00
Jeff Mitchell
636d57a026
Make the token store's Create and RootToken functions non-exported.
...
Nothing requires them to be exported, and I don't want anything in the
future to think it's okay to simply create a root token when it likes.
2015-10-30 10:59:26 -04:00
Jeff Mitchell
cf4b88c196
Write HMAC-SHA256'd client token to audited requests
...
Fixes #713
2015-10-29 13:26:18 -04:00
Jeff Mitchell
85d4dd6a1d
Check TTL provided to generic backend on write
...
If existing entries have unparseable TTLs, return the value plus a
warning, rather than an error.
Fixes #718
2015-10-29 11:05:21 -04:00
Jeff Mitchell
c1d8b97342
Add reset support to the unseal command.
...
Reset clears the provided unseal keys, allowing the process to be begun
again. Includes documentation and unit test changes.
Fixes #695
2015-10-28 15:59:39 -04:00
Levi Gross
fffcfc668b
Fixed comment spelling mistake and removed unnecessary variable allocation
2015-10-15 14:51:30 -04:00
Jeff Mitchell
78b5fcdf51
Serialize changing the state of the expiration manager pointer and
...
calling emitMetrics from its own goroutine.
Fixes #694
2015-10-12 16:33:54 -04:00
Jeff Mitchell
ed6ce1c53e
Fix a logic bug around setting both a mount default and max at the same time. Ping #688 .
2015-10-12 14:57:43 -04:00
Jeff Mitchell
a9155ef85e
Use split-out hashicorp/uuid
2015-10-12 14:07:12 -04:00
Jeff Mitchell
5fbaa0e64d
Apply mount-tune properties to the token authentication backend.
...
Fixes #688 .
2015-10-09 20:26:39 -04:00
Jeff Mitchell
e02517ae42
Rename tune functions
2015-10-09 20:00:17 -04:00
Jeff Mitchell
b5d674d94e
Add 301 redirect checking to the API client.
...
Vault doesn't generate these, but in some cases Go's internal HTTP
handler does. For instance, during a mount-tune command, finishing the
mount path with / (as in secret/) would cause the final URL path to
contain .../mounts/secret//tune. The double slash would trigger this
behavior in Go's handler and generate a 301. Since Vault generates 307s,
this would cause the client to think that everything was okay when in
fact nothing had happened.
2015-10-09 17:11:31 -04:00
Jeff Mitchell
bd1dce7f95
Address review feedback for #684
2015-10-08 14:34:10 -04:00
Jeff Mitchell
d58a3b601c
Add a cleanLeaderPrefix function to clean up stale leader entries in core/leader
...
Fixes #679 .
2015-10-08 14:04:58 -04:00
Jeff Mitchell
d740fd4a6a
Add the ability for warnings to be added to responses. These are
...
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.
Fixes #676
2015-10-07 16:18:39 -04:00
Jeff Mitchell
50b9129e65
Normalize policy names to lowercase on write. They are not currently
...
normalized when reading or deleting, for backwards compatibility.
Ping #676 .
2015-10-07 13:52:21 -04:00
Jeff Mitchell
4a52de13e3
Add renew-self endpoint.
...
Fixes #455 .
2015-10-07 12:49:13 -04:00
Jeff Mitchell
3c914f7fa8
Add revocation/renewal functions in all cases in the generic backend.
...
Fixes #673 .
2015-10-07 11:42:23 -04:00
Jeff Mitchell
21644751ed
Fix the key rotation upgrade check error message
2015-10-05 18:23:32 -04:00
vishalnayak
145aee229e
Merge branch 'master' of https://github.com/hashicorp/vault
2015-10-03 00:07:34 -04:00
Jeff Mitchell
8f27c250d6
Fix problematic logging statements.
...
Fixes #665 .
2015-10-02 18:31:46 -07:00
vishalnayak
3dd84446ab
Github backend: enable auth renewals
2015-10-02 13:33:19 -04:00
Jeff Mitchell
ca50012017
Format token lease/TTL as int in JSON API when looking up
2015-09-27 22:36:36 -04:00
Jesse Szwedko
6ef455af89
Fix warnings returned by make vet
...
$GOPATH/src/github.com/hashicorp/vault/vault/policy.go:69: unreachable code
$GOPATH/src/github.com/hashicorp/vault/vault/policy_store_test.go:139: github.com/hashicorp/vault/logical.StorageEntry composite literal uses unkeyed fields
2015-09-26 21:17:39 -07:00
Jeff Mitchell
62ac518ae7
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 10:41:21 -04:00
Jeff Mitchell
c694c7d31d
Fix situation where a new required singleton backend would not be activated upon upgrade.
2015-09-21 17:54:36 -04:00
Jeff Mitchell
81e535dc2d
Minor updates to passthrough and additional tests
2015-09-21 16:57:41 -04:00
Jeff Mitchell
47e8c0070a
Don't use leases on the generic backend...with a caveat.
...
You can now turn on and off the lease behavior in the generic backend by
using one of two factories. Core uses the normal one if it's not already
set, so unit tests can use the custom one and all stay working.
This also adds logic into core to check, when the response is coming
from a generic backend, whether that backend has leases enabled. This
adds some slight overhead.
2015-09-21 16:37:37 -04:00
Vishal Nayak
d526c8ce1c
Merge pull request #629 from hashicorp/token-create-sudo
...
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-21 10:12:29 -04:00
vishalnayak
1a01ab3608
Take ClientToken instead of Policies
2015-09-21 10:04:03 -04:00
Jeff Mitchell
ab7d35b95e
Fix up per-backend timing logic; also fix error in TypeDurationSecond in
...
GetOkErr.
2015-09-21 09:55:03 -04:00
vishalnayak
3b51ee1c48
Using core's logger
2015-09-19 19:01:36 -04:00
vishalnayak
02485e7175
Abstraced SudoPrivilege to take list of policies
2015-09-19 18:23:44 -04:00
vishalnayak
a2799b235e
Using acl.RootPrivilege and rewrote mockTokenStore
2015-09-19 17:53:24 -04:00
Jeff Mitchell
c5ddfbc391
Bump AESGCM version; include path in the GCM tags.
2015-09-19 17:04:37 -04:00
vishalnayak
b6d47dd784
fix broken tests
2015-09-19 12:33:52 -04:00
Jeff Mitchell
68c268a6f0
Allow tuning of auth mounts, to set per-mount default/max lease times
2015-09-19 11:50:50 -04:00
Jeff Mitchell
c8a0eda224
Use hmac-sha256 for protecting secrets in audit entries
2015-09-19 11:29:31 -04:00
vishalnayak
fb77ec3623
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-19 11:14:51 -04:00
Jeff Mitchell
5dde76fa1c
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 17:38:30 -04:00
Jeff Mitchell
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
Jeff Mitchell
d775445efe
Store token creation time and TTL. This can be used to properly populate
...
fields in 'lookup-self'. Importantly, this also makes credential
backends use the SystemView per-backend TTL values and fixes unit tests
to expect this.
Fully fixes #527
2015-09-18 16:39:35 -04:00
Jeff Mitchell
8f79e8be82
Add revoke-self endpoint.
...
Fixes #620 .
2015-09-17 13:22:30 -04:00
Jeff Mitchell
047ba90a44
Restrict orphan revocation to root tokens
2015-09-16 09:22:15 -04:00
Jeff Mitchell
e7d5a18e94
Directly pass the cubbyhole backend to the token store and bypass logic in router
2015-09-15 13:50:37 -04:00
Jeff Mitchell
849b78daee
Move more cubby logic outside of router into auth setup
2015-09-15 13:50:37 -04:00
Jeff Mitchell
bdb8cf128d
Cleanup; remove everything but double-salting from the router and give
...
the token store cubby backend information for direct calling.
2015-09-15 13:50:37 -04:00
Jeff Mitchell
b50f7ec1b5
Remove noop checks in unmount/remount and restore previous behavior
2015-09-15 13:50:37 -04:00
Jeff Mitchell
77e7379ab5
Implement the cubbyhole backend
...
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell
104b29ab04
Rename View to StorageView to make it more distinct from SystemView
2015-09-15 13:50:37 -04:00
Jeff Mitchell
699e12a1c6
When there is one use left and a Secret is being returned, instead
...
return a descriptive error indicating that the Secret cannot be returned
because when the token was revoked the secret was too. This prevents
confusion where credentials come back but cannot be used.
Fixes #615
2015-09-14 11:07:27 -04:00
vishalnayak
142cb563a6
Improve documentation of token renewal
2015-09-11 21:08:32 -04:00
Lassi Pölönen
d3aec0ba31
Cleanup routines should now use routeEntry instead of mountEntry.
2015-09-11 13:40:31 +03:00
Lassi Pölönen
fb07cf9f53
Implement clean up routine to backend as some backends may require
...
e.g closing database connections on unmount to avoud connection
stacking.
2015-09-11 11:45:58 +03:00
Jeff Mitchell
39cfcccdac
Remove error returns from sysview TTL calls
2015-09-10 15:09:54 -04:00
Jeff Mitchell
65ceb3439d
Be consistent as both are the same pointer here
2015-09-10 15:09:54 -04:00
Jeff Mitchell
5de736e69c
Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views
2015-09-10 15:09:54 -04:00
Jeff Mitchell
ace611d56d
Address items from feedback. Make MountConfig use values rather than
...
pointers and change how config is read to compensate.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
c460ff10ca
Push a lot of logic into Router to make a bunch of it nicer and enable a
...
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
eff1c331ad
Add more unit tests against backend TTLs, and fix two bugs found by them
...
(yay unit tests!)
2015-09-10 15:09:54 -04:00
Jeff Mitchell
86ccae7bd5
Fix mount config test by proxying mounts/ in addition to mounts
2015-09-10 15:09:54 -04:00
Jeff Mitchell
775dfe38a2
A couple bug fixes + most unit tests
2015-09-10 15:09:54 -04:00
Jeff Mitchell
488d33c70a
Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation
2015-09-10 15:09:54 -04:00
Jeff Mitchell
4239f9d243
Add DynamicSystemView. This uses a pointer to a pointer to always have
...
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.
Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
d435048d9e
Switch StaticSystemView values to pointers, to support updating
2015-09-10 15:09:54 -04:00
Jeff Mitchell
696d0c7b1d
Plumb per-mount config options through API
2015-09-10 15:09:53 -04:00
Jeff Mitchell
893d2d9b00
Minor cleanup of MountConfig
2015-09-10 15:09:53 -04:00
Jeff Mitchell
17c60d3e78
Add logic to core to fetch a SystemView for a given mount entry and use those values for default/max TTL. The SystemView will reflect system defaults if not set for that mount.
2015-09-10 15:09:53 -04:00
Jeff Mitchell
98d0d23d70
Ensure token store is available when looking up token
2015-09-01 08:21:47 -04:00
Jeff Mitchell
b74fa8c888
Make DefaultSystemView StaticSystemView with statically-configured information. Export this from Framework to make it easy to override for testing.
2015-08-27 11:25:07 -07:00
Jeff Mitchell
7c2bbe4c7f
Use a SystemView interface and turn SystemConfig into DefaultSystemView
2015-08-27 10:36:44 -07:00
Jeff Mitchell
e58553e7d5
Plumb the system configuration information up into framework
2015-08-27 09:41:03 -07:00
Jeff Mitchell
992e357d07
Add some plumbing to allow specified system configuration information to
...
be retrieved by logical backends. First implemented is default/max TTL.
2015-08-27 08:51:35 -07:00
Jeff Mitchell
3f45f3f41b
Rename config lease_duration parameters to lease_ttl in line with current standardization efforts
2015-08-27 07:50:24 -07:00
Jeff Mitchell
cc232e6f79
Address comments from review.
2015-08-25 15:33:58 -07:00
Jeff Mitchell
c887df93cc
Add support for pgp-keys argument to rekey, as well as tests, plus
...
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Jeff Mitchell
f57e7892e7
Don't store the given public keys in the seal config
2015-08-25 14:52:13 -07:00
Jeff Mitchell
2f3e245b0b
Add support for "pgp-tokens" parameters to init.
...
There are thorough unit tests that read the returned
encrypted tokens, seal the vault, and unseal it
again to ensure all works as expected.
2015-08-25 14:52:13 -07:00
Jeff Mitchell
ea9fbb90bc
Rejig Lease terminology internally; also, put a few JSON names back to their original values
2015-08-20 22:27:01 -07:00
Jeff Mitchell
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
Jeff Mitchell
0fa783f850
Update help text for TTL values in generic backend
2015-08-20 17:59:30 -07:00
Jeff Mitchell
b57ce8e5c2
Change "lease" parameter in the generic backend to be "ttl" to reduce confusion. "lease" is now deprecated but will remain valid until 0.4.
...
Fixes #528 .
2015-08-20 16:41:25 -07:00
Jeff Mitchell
15f57082e0
Begin factoring out sys paths into logical routes. Also, standardize on 307 as redirect code.
2015-08-20 13:20:35 -07:00
Jeff Mitchell
46d06144a8
Merge pull request #552 from hashicorp/fix-uselimit-decrement
...
Fix #461 properly by defering potential revocation of a token until a…
2015-08-20 10:39:24 -07:00
Jeff Mitchell
db79dd8c22
Don't defer revocation when sealing, and clear out response/auth if there is a token use error
2015-08-20 10:37:42 -07:00
Jeff Mitchell
0e8e3660ff
Fix #461 properly by defering potential revocation of a token until after the request is fully handled.
2015-08-20 10:14:13 -07:00
vishalnayak
1f5062a6e1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-08-19 12:16:37 -07:00
Jeff Mitchell
fe8c1c514d
Add -no-verify option to CLI auth command, to avoid decrementing the token use count during auth.
2015-08-18 19:22:17 -07:00
vishalnayak
9324db7979
Vault SSH: verify echo test
2015-08-18 16:48:50 -07:00
Caleb Tennis
688df0be6d
See if this clears build error
2015-08-13 13:17:09 -04:00
vishalnayak
93dfa67039
Merging changes from master
2015-08-12 09:28:16 -07:00
Caleb Tennis
323b49f03d
Fix #392 by giving a more specific error
2015-08-11 20:18:52 -04:00
Caleb Tennis
4da080e769
This adds a new error class which can be used by logical backends to
...
specify more concrete error cases to make their way back up the stack.
Over time there is probably a cleaner way of doing this, but that's
looking like a more massive rewrite and this solves some issues in
the meantime.
Use a CodedError to return a more concrete HTTP return code for
operations you want to do so. Returning a regular error leaves
the existing behavior in place.
2015-08-10 13:27:25 -04:00
vishalnayak
e5080a7f32
Merging with master
2015-08-06 18:44:40 -04:00
Karl Gutwin
151ec72d00
Add configuration options for default lease duration and max lease duration.
2015-07-30 09:42:49 -04:00
Vishal Nayak
27e66e175f
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-17 17:22:17 -04:00
Armon Dadgar
ef770e371a
vault: guard against potentially missing keyring
2015-07-13 18:18:22 +10:00
Vishal Nayak
ed258f80c6
Vault SSH: Refactoring and fixes
2015-07-10 18:44:31 -06:00
Vishal Nayak
89a0e37a89
Vault SSH: Backend and CLI testing
2015-07-10 16:18:02 -06:00
Vishal Nayak
2901890df2
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-10 09:56:21 -06:00
Vishal Nayak
3c7dd8611c
Vault SSH: Test case skeleton
2015-07-10 09:56:14 -06:00
Armon Dadgar
7ecd8f05d1
nomad: fixing issue with keyring upgrade
2015-07-07 16:02:49 -06:00
Armon Dadgar
03be7a5999
vault: upgrade old policies with implicit glob
2015-07-05 19:14:15 -06:00
Armon Dadgar
3d2fa8818e
vault: adding another ACL test
2015-07-05 17:34:34 -06:00
Armon Dadgar
dc8cc308af
vault: fixing test with glob change
2015-07-05 17:31:41 -06:00
Armon Dadgar
05b3fa836e
vault: Handle exact vs glob match, deny has highest precedence
2015-07-05 17:31:30 -06:00
Armon Dadgar
eda88c18ff
vault: Adding precedence logic for conflicting policy
2015-07-05 17:30:19 -06:00
Armon Dadgar
27d01270c8
vault: look for glob character in policy
2015-07-05 14:58:38 -07:00
Armon Dadgar
541014e315
logical: remove SetLogger method
2015-06-30 17:39:39 -07:00
Armon Dadgar
41b72a4d39
vault: provide view to backend initializer for setup
2015-06-30 17:30:43 -07:00
Armon Dadgar
579c1433a2
vault: use helper/salt library to share code
2015-06-30 14:08:21 -07:00
Armon Dadgar
8bc99f8c23
helper/uuid: single generateUUID definition
2015-06-30 12:38:32 -07:00
Armon Dadgar
3bc388f30d
Merge pull request #366 from nbrownus/http_responses
...
Better http responses
2015-06-29 15:31:45 -07:00
Armon Dadgar
496ebe561c
vault: cleanups for the audit log changes
2015-06-29 15:27:28 -07:00
Armon Dadgar
add8e1a3fd
Fixing merge conflict
2015-06-29 15:19:04 -07:00
Armon Dadgar
deeb611ab2
vault: handle a panic while generating audit output
2015-06-29 15:11:35 -07:00
Nate Brown
a0be7af858
Fixing key-status if audit logging is on
2015-06-24 10:57:05 -07:00
Nate Brown
94e89537a1
Fixing tests
2015-06-19 14:04:32 -07:00
Nate Brown
31ab086063
Doing a little better with http response codes
2015-06-19 14:00:48 -07:00
Nate Brown
91611a32c9
Fixing tests
2015-06-18 20:14:20 -07:00
Nate Brown
b667ef4c71
Collapsing audit response logging to a single point
2015-06-18 19:48:26 -07:00
Nate Brown
4ec685dc1a
Logging authentication errors and bad token usage
2015-06-18 18:30:18 -07:00
Nate Brown
c55f103c58
Adding error and remote_address to audit log lines
2015-06-18 17:17:18 -07:00
Armon Dadgar
e2b0f5dae8
vault: improve lease error message. Fixes #338
2015-06-18 15:37:08 -07:00
Armon Dadgar
dbf6cf6e6d
vault: support core shutdown
2015-06-17 18:23:59 -07:00
Armon Dadgar
ffeb6ea76c
vault: allow increment to be duration string. Fixes #340
2015-06-17 15:58:20 -07:00
Armon Dadgar
5c75a6c5c7
vault: ensure token renew does not double register
2015-06-17 15:22:50 -07:00
Armon Dadgar
ae421f75b7
vault: fixing issues with token renewal
2015-06-17 14:28:13 -07:00
Armon Dadgar
a0cf8f1793
vault: attempt to resolve #303
2015-06-02 22:55:18 +02:00
Armon Dadgar
0f933df76e
vault: fixing a typo
2015-06-02 16:04:05 +02:00
Armon Dadgar
daffef08db
vault: reload master key before keyring
2015-05-29 14:30:03 -07:00
Armon Dadgar
f6729b29f8
vault: adding ability to reload master key
2015-05-29 14:29:55 -07:00
Armon Dadgar
716f8d9979
core: adding tests for HA rekey and rotate
2015-05-29 12:16:34 -07:00
Armon Dadgar
4f5fde039f
vault: all rekey commands should fail as standby
2015-05-29 11:52:37 -07:00
Armon Dadgar
5aaad32af8
vault: ensure upgrades are cleaned up
2015-05-28 16:52:06 -07:00
Armon Dadgar
db0afc9ebe
vault: move upgrade logic out of core
2015-05-28 16:43:44 -07:00
Armon Dadgar
4eb5c63a5d
vault: create upgrade path in HA mode
2015-05-28 16:43:15 -07:00
Armon Dadgar
67ed0a3c16
vault: moving upgrade path into barrier
2015-05-28 16:42:32 -07:00
Armon Dadgar
82ef0b1ac7
vault: handle read of key upgrades
2015-05-28 16:11:31 -07:00
Armon Dadgar
796ae59a89
vault: support keyring reload
2015-05-28 16:09:15 -07:00
Armon Dadgar
2e86fa62d5
vault: adding barrier AddKey
2015-05-28 15:52:26 -07:00
Armon Dadgar
c095861a02
keyring: Add key serialization
2015-05-28 15:49:52 -07:00
Armon Dadgar
c60970e743
vault: prevent rekey on standby
2015-05-28 15:26:35 -07:00
Armon Dadgar
01e890653c
vault: more logging
2015-05-28 14:15:06 -07:00
Armon Dadgar
0877160754
vault: minor rekey cleanups
2015-05-28 12:07:52 -07:00
Armon Dadgar
c5352d14a4
vault: testing rekey
2015-05-28 12:02:30 -07:00
Armon Dadgar
361c722c5c
vault: first pass at rekey
2015-05-28 11:40:01 -07:00
Armon Dadgar
5aed043ea5
vault: ensure master key is copied to avoid memzero issues
2015-05-28 11:38:59 -07:00
Armon Dadgar
4e3f0cddcf
vault: Adding VerifyMaster to Barrier
2015-05-28 11:28:33 -07:00
Armon Dadgar
9f399eb9ff
vault: prevent raw access to protected paths
2015-05-28 10:24:41 -07:00
Armon Dadgar
1a4256c20c
vault: more logging around rotate
2015-05-27 17:56:55 -07:00
Armon Dadgar
d0b93a6164
vault: adding sys/key-status and sys/rotate
2015-05-27 17:53:42 -07:00
Armon Dadgar
26cff2f42f
vault: expose information about keys
2015-05-27 17:25:36 -07:00
Armon Dadgar
3e717907cd
vault: testing barrier rekey
2015-05-27 17:17:03 -07:00
Armon Dadgar
b93feb8a6b
vault: first pass at rekey
2015-05-27 17:13:40 -07:00
Armon Dadgar
9e39fec4a5
vault: testing key rotation
2015-05-27 17:10:08 -07:00
Armon Dadgar
ead96e8c99
vault: first pass at key rotation
2015-05-27 17:05:02 -07:00
Armon Dadgar
3d800fe7be
vault: keyring api changes
2015-05-27 17:04:46 -07:00
Armon Dadgar
490bece0a0
vault: make keyring immutable
2015-05-27 16:58:55 -07:00