Jeff Mitchell
d1631346ce
replication state -> replication mode in sys/health
2018-01-17 22:38:03 -05:00
Jeff Mitchell
a71c74aa3f
Add replication state to EchoReply ( #3810 )
2018-01-17 22:17:47 -05:00
Jeff Mitchell
d8009bced1
Merge branch 'master-oss' into sethvargo/cli-magic
2018-01-10 11:15:49 -05:00
Calvin Leung Huang
ecb2005dae
Fix sys/health tests ( #3762 )
...
* Fix sys/health tests
* Fix sys/health tests
* Fix sys/health tests
2018-01-08 15:03:36 -05:00
Jeff Mitchell
1fe494e8e1
Port IsDRSecondary over and enable returning it via sys_health ( #3749 )
2018-01-03 15:07:13 -05:00
Jeff Mitchell
d1803098ae
Merge branch 'master-oss' into sethvargo/cli-magic
2018-01-03 14:02:31 -05:00
Calvin Leung Huang
685b4a27e4
Use cleanhttp.PrintablePathCheckHandler to handle non-printable chara… ( #3697 )
2017-12-15 20:19:37 -05:00
Chris Hoffman
9e79e9b397
generate token functions to share common names ( #3576 )
2017-11-13 15:44:26 -05:00
Jeff Mitchell
2b78bc2a9b
Port over bits ( #3575 )
2017-11-13 15:31:32 -05:00
Jeff Mitchell
d55f94f4a3
Plumb more seal wrap stuff through and move to outside layer of mount options ( #3572 )
2017-11-13 11:22:22 -05:00
Brian Kassouf
ab3b625a3b
Add API methods for creating a DR Operation Token and make generate root accept strategy types ( #3565 )
...
* Add API and Command code for generating a DR Operation Token
* Update generate root to accept different token strategies
2017-11-10 10:19:42 -08:00
Calvin Leung Huang
d9eaacf5de
Barrier unseal using recovery keys ( #3541 )
...
* Barrier unseal using recovery keys
* Remove tests
2017-11-07 15:15:39 -05:00
Chris Hoffman
5aac027469
fix unseal reset test ( #3528 )
2017-11-03 09:31:39 -04:00
Jeff Mitchell
710243ab26
Fix some tests
2017-11-02 15:35:06 -04:00
Jeff Mitchell
d229d7d5b0
Redo API locking ( #3508 )
...
* Redo the API client quite a bit to make the behavior of NewClient more
predictable and add locking to make it safer to use with Clone() and if
multiple goroutines for some reason decide to change things.
Along the way I discovered that currently, the x/net/http2 package is
broke with the built-in h2 support in released Go. For those using
DefaultConfig (the vast majority of cases) this will be a non-event.
Others can manually call http2.ConfigureTransport as needed. We should
keep an eye on commits on that repo and consider more updates before
release. Alternately we could go back revisions but miss out on bug
fixes; my theory is that this is not a purposeful break and I'll be
following up on this in the Go issue tracker.
In a few tests that don't use NewTestCluster, either for legacy or other
reasons, ensure that http2.ConfigureTransport is called.
* Use tls config cloning
* Don't http2.ConfigureServer anymore as current Go seems to work properly without requiring the http2 package
* Address feedback
2017-11-02 09:30:04 -05:00
Jeff Mitchell
3be99466d6
Change some instances of adding headers to setting headers, since really ( #3501 )
...
we want to replace anything that might be there (e.g. for request
forwarding and content-type).
Hopefully fixes #3485
2017-11-02 07:31:50 -05:00
Jeff Mitchell
e0669746b6
Add seal type to seal-status output. ( #3516 )
2017-11-01 21:00:41 -05:00
Brian Kassouf
6c35cb9a72
Fix a logic bug in the respondRaw function ( #3491 )
2017-10-26 00:08:10 -07:00
Seth Vargo
5440f994a2
Change http testing to tb interface
2017-10-24 09:28:05 -04:00
Jeff Mitchell
65f664be47
Make compile
2017-10-23 17:41:44 -04:00
Jeff Mitchell
a25dae82dd
Final sync
2017-10-23 17:39:21 -04:00
Vishal Nayak
f7ed6732a5
Porting identity store ( #3419 )
...
* porting identity to OSS
* changes that glue things together
* add testing bits
* wrapped entity id
* fix mount error
* some more changes to core
* fix storagepacker tests
* fix some more tests
* fix mount tests
* fix http mount tests
* audit changes for identity
* remove upgrade structs on the oss side
* added go-memdb to vendor
2017-10-11 10:21:20 -07:00
Chris Hoffman
fad5544fa0
only inject data into top level for existing sys/ paths ( #3426 )
2017-10-05 11:17:50 -04:00
Chris Hoffman
1029ad3b33
Rename "generic" secret backend to "kv" ( #3292 )
2017-09-15 09:02:29 -04:00
Jeff Mitchell
dae06d9a0e
Simplify a lot of the mount tuning code ( #3285 )
2017-09-05 10:57:25 -04:00
Brian Kassouf
a8d9426d9f
Update locking components from DR replication changes ( #3283 )
...
* Update locking components from DR replication changes
* Fix plugin backend test
* Add a comment about needing the statelock:
2017-09-04 19:38:37 -04:00
Jeff Mitchell
691d00149a
Fix exporting stdAllowedHeaders
2017-08-07 15:02:08 -04:00
Aaron Salvo
ad1d74cae0
Set allowed headers via API instead of defaulting to wildcard. ( #3023 )
2017-08-07 10:03:30 -04:00
Jeff Mitchell
fdaaaadee2
Migrate physical backends into separate packages ( #3106 )
2017-08-03 13:24:27 -04:00
Calvin Leung Huang
db9d9e6415
Store original request path in WrapInfo ( #3100 )
...
* Store original request path in WrapInfo as CreationPath
* Add wrapping_token_creation_path to CLI output
* Add CreationPath to AuditResponseWrapInfo
* Fix tests
* Add and fix tests, update API docs with new sample responses
2017-08-02 18:28:58 -04:00
Jeff Mitchell
d0f329e124
Add leader cluster address to status/leader output. ( #3061 )
...
* Add leader cluster address to status/leader output. This helps in
identifying a particular node when all share the same redirect address.
Fixes #3042
2017-07-31 18:25:27 -04:00
Jeff Mitchell
1bfc6d4fe7
Add a -dev-three-node option for devs. ( #3081 )
2017-07-31 11:28:06 -04:00
Lars Lehtonen
5ee98b9b6e
Fix swallowed errors in http package. ( #2972 )
2017-07-05 09:35:57 -04:00
Jeff Mitchell
753b68fa1b
Port TestCluster changes from proxy branch
2017-07-03 14:54:01 -04:00
Jeff Mitchell
d169918465
Create and persist human-friendly-ish mount accessors ( #2918 )
2017-06-26 18:14:36 +01:00
Jeff Mitchell
4936a83310
Fix lease lookup returning properties at top level ( #2902 )
2017-06-21 16:12:09 +01:00
Jeff Mitchell
069764ea8f
Add option to have dev mode generic backend return leases
2017-06-21 10:42:50 -04:00
Chris Hoffman
7e7d766e21
Exclude /sys/leases/renew from registering with expiration manager ( #2891 )
...
* exclude /sys/leases/renew from registering with expiration manager
* adding sys/leases/renew to return full secret object, adding tests to catch renew errors
2017-06-20 12:34:00 -04:00
Jeff Mitchell
5817a8a5f8
Return error on bad CORS and add Header specification to API request primitive
2017-06-19 18:20:44 -04:00
Aaron Salvo
0303f51b68
Cors headers ( #2021 )
2017-06-17 00:04:55 -04:00
vishalnayak
7550b79ce8
Fix policy tests
2017-06-01 17:22:34 -04:00
Jeff Mitchell
435f1def27
Have step-down request forward.
...
Unlike seal, this command has no meaning other than on the active node,
so when issuing it the expected behavior would be for whichever node is
currently active to step down.
2017-05-25 11:57:59 -04:00
Jeff Mitchell
0d4e7fba69
Remove non-gRPC request forwarding
2017-05-24 09:34:59 -04:00
emily
aa40d2cff6
add gofmt checks to Vault and format existing code ( #2745 )
2017-05-19 08:34:17 -04:00
Jeff Mitchell
f01b413d8d
Make path-help request forward ( #2677 )
2017-05-04 16:58:50 -04:00
Chris Hoffman
3d9cf89ad6
Add the ability to view and list of leases metadata ( #2650 )
2017-05-03 22:03:42 -04:00
Jeff Mitchell
cd73714ff9
Fix error message grammar
2017-03-14 17:10:43 -04:00
Vishal Nayak
5a6193a56e
Audit: Add token's use count to audit response ( #2437 )
...
* audit: Added token_num_uses to audit response
* Fixed jsonx tests
* Revert logical auth to NumUses instead of TokenNumUses
* s/TokenNumUses/NumUses
* Audit: Add num uses to audit requests as well
* Added RemainingUses to distinguish NumUses in audit requests
2017-03-08 17:36:50 -05:00
Jeff Mitchell
f03d500808
Add option to disable caching per-backend. ( #2455 )
2017-03-08 09:20:09 -05:00
Jeff Mitchell
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell
2cc0906b33
Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 ( #2412 )
2017-02-27 12:49:35 -05:00
Jeff Mitchell
4ec5937e2d
Move http-using API tests into http package
2017-02-24 14:23:21 -05:00
Jeff Mitchell
496420a5ab
Make cubbyhole local instead of replicated. ( #2397 )
...
This doesn't really change behavior, just what it looks like in the UX.
However, it does make tests more complicated. Most were fixed by adding
a sorting function, which is generally useful anyways.
2017-02-18 13:51:05 -05:00
Jeff Mitchell
62e8d0b359
Internally append trailing slash for all LIST operations. ( #2390 )
...
Fixes #2385
2017-02-16 23:23:32 -05:00
Jeff Mitchell
0c39b613c8
Port some replication bits to OSS ( #2386 )
2017-02-16 15:15:02 -05:00
Brian Kassouf
6701ba8a10
Configure the request headers that are output to the audit log ( #2321 )
...
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited
* Remove some debug lines
* Add a persistant layer and refactor a bit
* update the api endpoints to be more restful
* Add comments and clean up a few functions
* Remove unneeded hash structure functionaility
* Fix existing tests
* Add tests
* Add test for Applying the header config
* Add Benchmark for the ApplyConfig method
* ResetTimer on the benchmark:
* Update the headers comment
* Add test for audit broker
* Use hyphens instead of camel case
* Add size paramater to the allocation of the result map
* Fix the tests for the audit broker
* PR feedback
* update the path and permissions on config/* paths
* Add docs file
* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
Vishal Nayak
fa7d61baa3
Merge pull request #2202 from fcantournet/fix_govet_fatalf
...
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Jeff Mitchell
69eb5066dd
Multi value test seal ( #2281 )
2017-01-17 15:43:10 -05:00
Jeff Mitchell
dd0e44ca10
Add nonce to unseal to allow seeing if the operation has reset ( #2276 )
2017-01-17 11:47:06 -05:00
vishalnayak
ba180a8e2b
rekey: pgp keys input validation
2017-01-12 00:05:41 -05:00
vishalnayak
adb6ac749f
init: pgp-keys input validations
2017-01-11 23:32:38 -05:00
Jeff Mitchell
3129187dc2
JWT wrapping tokens ( #2172 )
2017-01-04 16:44:03 -05:00
Félix Cantournet
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Vishal Nayak
e3f56f375c
Add 'no-store' response header from all the API outlets ( #2183 )
2016-12-15 17:53:07 -05:00
Jeff Mitchell
f6a84cb84e
Don't unilaterally fail with internal status error when help fails, use the given response. Fixes #2153 .
2016-12-02 11:22:13 -05:00
Thomas Soëte
c29e5c8bad
Use 'http.MaxBytesReader' to limit request size ( #2131 )
...
Fix 'connection reset by peer' error introduced by 300b72e
2016-12-01 10:59:00 -08:00
Armon Dadgar
57ad75071c
http: increase request limit from 8MB to 32MB
2016-11-17 12:15:37 -08:00
Armon Dadgar
c8dadb46ec
http: limit maximum request size
2016-11-17 12:06:43 -08:00
Jeff Mitchell
97ca3292a4
Set number of pester retries to zero by default and make seal command… ( #2093 )
...
* Set number of pester retries to zero by default and make seal command return 403 if unauthorized instead of 500
* Fix build
* Use 403 instead and update test
* Change another 500 to 403
2016-11-16 14:08:09 -05:00
Vishal Nayak
b3c805e662
Audit the client token accessors ( #2037 )
2016-10-29 17:01:49 -04:00
vishalnayak
6d1e1a3ba5
Pulled out transit's lock manager and policy structs into a helper
2016-10-26 19:52:31 -04:00
Jeff Mitchell
5657789627
Audit unwrapped response ( #1950 )
2016-09-29 12:03:47 -07:00
Jeff Mitchell
b45a481365
Wrapping enhancements ( #1927 )
2016-09-28 21:01:28 -07:00
Jeff Mitchell
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
Jeff Mitchell
6bf871995b
Don't use time.Time in responses. ( #1912 )
...
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
Jeff Mitchell
722e26f27a
Add support for PGP encrypting the initial root token. ( #1883 )
2016-09-13 18:42:24 -04:00
Jeff Mitchell
5b79e5c115
Redirect rekey operation from standby to master ( #1868 )
2016-09-13 11:59:12 -04:00
Jeff Mitchell
7ba006acd9
Remove too-verbose log
2016-09-04 07:43:54 -04:00
Jeff Mitchell
1c6f2fd82b
Add response wrapping to list operations ( #1814 )
2016-09-02 01:13:14 -04:00
vishalnayak
9c78c58948
Remove the string 'Vault' from version information
2016-09-01 14:54:04 -04:00
Jeff Mitchell
7e41d5ab45
Pass headers back when request forwarding ( #1795 )
2016-08-26 17:53:47 -04:00
Jeff Mitchell
1dbc06029d
Remove outdated comment.
2016-08-24 14:16:02 -04:00
Jeff Mitchell
b89073f7e6
Error when an invalid (as opposed to incorrect) unseal key is given. ( #1782 )
...
Fixes #1777
2016-08-24 14:15:25 -04:00
Jeff Mitchell
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
Jeff Mitchell
bdcfe05517
Clustering enhancements ( #1747 )
2016-08-19 11:03:53 -04:00
Jeff Mitchell
c349e697f5
Change uninit/sealed status codes from health endpoint
2016-08-18 12:10:23 -04:00
Jeff Mitchell
5c33356d14
Protobuf for forwarding ( #1743 )
2016-08-17 16:15:15 -04:00
Jeff Mitchell
62c69f8e19
Provide base64 keys in addition to hex encoded. ( #1734 )
...
* Provide base64 keys in addition to hex encoded.
Accept these at unseal/rekey time.
Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell
37320f8798
Request forwarding ( #1721 )
...
Add request forwarding.
2016-08-15 09:42:42 -04:00
Jeff Mitchell
bcb4ab5422
Add periodic support for root/sudo tokens to auth/token/create
2016-08-12 21:14:12 -04:00
vishalnayak
3895ea4c2b
Address review feedback from @jefferai
2016-08-10 15:22:12 -04:00
vishalnayak
95f9c62523
Fix Cluster object being returned as nil when unsealed
2016-08-10 15:09:16 -04:00
Jeff Mitchell
5a1ca832af
Merge pull request #1699 from hashicorp/dataonly
...
Return sys values in top level normal api.Secret
2016-08-09 07:17:02 -04:00
Jeff Mitchell
5771a539a5
Add HTTP test for renew and fix muxing
2016-08-08 20:01:08 -04:00
Jeff Mitchell
ab71b981ad
Add ability to specify renew lease ID in POST body.
2016-08-08 18:00:44 -04:00
Jeff Mitchell
3c2aae215c
Fix tests and update mapstructure
2016-08-08 16:00:31 -04:00
Jeff Mitchell
3e6b48cca3
Initial `dataonly` work.
2016-08-08 11:55:24 -04:00
Jeff Mitchell
82b3d136e6
Don't mark never-expiring root tokens as renewable
2016-08-05 11:15:25 -04:00
Jeff Mitchell
1fc837c22a
Fix nil panic in certain error conditions
2016-08-02 14:57:11 -04:00
vishalnayak
4e25e729ee
Removed duplicated check in tests
2016-07-29 14:18:53 -04:00
vishalnayak
8b0b0d5922
Add cluster information to 'vault status'
2016-07-29 14:13:53 -04:00
vishalnayak
e5e0431393
Added Vault version informationto the 'status' command
2016-07-28 17:37:35 -04:00
Laura Bennett
4d9c909ae4
Merge pull request #1650 from hashicorp/request-uuid
...
Added unique identifier to each request. Closes hashicorp/vault#1617
2016-07-27 09:40:48 -04:00
vishalnayak
c17534d527
Fix request_id test failures
2016-07-26 18:30:13 -04:00
vishalnayak
9d4a1b03bc
Fix broken tests
2016-07-26 16:53:59 -04:00
Laura Bennett
67801bcf64
uncomment
2016-07-26 16:44:50 -04:00
Laura Bennett
fb1b032040
fixing id in buildLogicalRequest
2016-07-26 15:50:37 -04:00
vishalnayak
86446ff67e
Error out if cluster information is nil when Vault is unsealed
2016-07-26 15:30:38 -04:00
vishalnayak
6145bed088
Added omitempty to ClusterName and ClusterID
2016-07-26 14:11:32 -04:00
vishalnayak
669bbdfa48
Address review feedback from @jefferai
2016-07-26 14:05:27 -04:00
Laura Bennett
ad66bd7502
fixes based proper interpretation of comments
2016-07-26 12:20:27 -04:00
vishalnayak
a3e6400697
Remove global name/id. Make only cluster name configurable.
2016-07-26 10:01:35 -04:00
vishalnayak
c7dabe4def
Storing local and global cluster name/id to storage and returning them in health status
2016-07-26 02:32:42 -04:00
Jeff Mitchell
6c393cf17a
Fix tests
2016-07-25 17:05:54 -04:00
Laura Bennett
8d52a96df5
moving id to http/logical
2016-07-25 15:24:10 -04:00
vishalnayak
43d352a942
Add version information to health status
2016-07-22 18:28:16 -04:00
vishalnayak
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Vishal Nayak
9f1e6c7b26
Merge pull request #1607 from hashicorp/standardize-time
...
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
vishalnayak
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
Jeff Mitchell
5b210b2a1f
Return a duration instead and port a few other places to use it
2016-07-11 18:19:35 +00:00
vishalnayak
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
vishalnayak
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell
889ff24ccf
Fix up error detection regression to return correct status codes
2016-06-22 17:47:05 -04:00
vishalnayak
0bdeea3a33
Fix the test cases
2016-06-20 18:56:19 -04:00
Jeff Mitchell
e925987cb6
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
Jeff Mitchell
1de6140d5c
Fix mah broken tests
2016-06-10 14:03:56 -04:00
Jeff Mitchell
9f6c5bc02a
cubbyhole-response-wrapping -> response-wrapping
2016-06-10 13:48:46 -04:00
Daniel Stelter-Gliese
8b1da1a105
Support HEAD requests to /v1/sys/health
...
Some load balancers send HTTP HEAD requests to extract the status code.
2016-06-09 18:16:28 +02:00
Jeff Mitchell
401456ea50
Add creation time to returned wrapped token info
...
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.
This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Jeff Mitchell
05b0e0a866
Enable audit-logging of seal and step-down commands.
...
This pulls the logical request building code into its own function so
that it's accessible from other HTTP handlers, then uses that with some
added logic to the Seal() and StepDown() commands to have meaningful
audit log entries.
2016-05-20 17:03:54 +00:00
Jeff Mitchell
c9aaabe235
Fix missing return after respondError in handleLogical
2016-05-20 15:49:48 +00:00
Jeff Mitchell
caf77109ba
Add cubbyhole wrapping documentation
2016-05-19 13:33:51 -04:00
Jeff Mitchell
c4431a7e30
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors
2016-05-16 16:11:33 -04:00
Jeff Mitchell
ce5614bf9b
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-11 19:29:52 -04:00
Jeff Mitchell
aecc3ad824
Add explicit maximum TTLs to token store roles.
2016-05-11 16:51:18 -04:00
Jeff Mitchell
c5008bcaac
Add more tests
2016-05-07 21:08:13 -04:00
Jeff Mitchell
2295cadbf4
Make WrapInfo a pointer to match secret/auth in response
2016-05-07 19:17:51 -04:00
Jeff Mitchell
09f06554cb
Address some review feedback
2016-05-04 16:03:53 -04:00
Jeff Mitchell
99a5b4402d
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-04 14:42:14 -04:00
Jeff Mitchell
7e462e566b
Check nil keys and respond internal error if it can't be cast to a []string
2016-05-02 20:00:46 -04:00
Jeff Mitchell
16b717022b
In a list response, if there are no keys, 404 to be consistent with GET
...
and with different backend conditions
Fixes #1365
2016-05-02 19:38:06 -04:00
Jeff Mitchell
aba689a877
Add wrapping through core and change to use TTL instead of Duration.
2016-05-02 00:47:35 -04:00
Jeff Mitchell
d81806b446
Add:
...
* Request/Response field extension
* Parsing of header into request object
* Handling of duration/mount point within router
* Tests of router WrapDuration handling
2016-05-02 00:24:32 -04:00
Sean Chittenden
aeea7628d6
Add a *log.Logger argument to physical.Factory
...
Logging in the backend is a good thing. This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
Jeff Mitchell
98d09b0dc6
Add seal tests and update generate-root and others to handle dualseal.
2016-04-25 19:39:04 +00:00
Jeff Mitchell
a4ff72841e
Check for seal status when initing and change logic order to avoid defer
2016-04-14 01:13:59 +00:00
Jeff Mitchell
afae46feb7
SealInterface
2016-04-04 10:44:22 -04:00
vishalnayak
d959ffc301
Rename PrepareRequest to PrepareRequestFunc
2016-03-18 10:37:49 -04:00
vishalnayak
fbfe72f286
Removed http/sys_capabilties_test.go
2016-03-18 09:48:45 -04:00
vishalnayak
55f03b5d25
Add separate path for capabilities-self to enable ACL
2016-03-17 22:52:03 -04:00
vishalnayak
a70d4d5c9f
Deleted http/sys_capabilities.go since the requests are directly going to system backend
2016-03-17 22:44:48 -04:00
vishalnayak
4e6dcfd6d0
Enable callbacks for handling logical.Request changes before processing requests
2016-03-17 22:29:53 -04:00
vishalnayak
f1feee9b53
Fix http capabilities tests
2016-03-17 21:03:32 -04:00
vishalnayak
68367f60c8
Fix broken testcases
2016-03-17 21:03:32 -04:00
vishalnayak
d348735322
Fix help descriptions
2016-03-17 21:03:32 -04:00
vishalnayak
f275cd2e9c
Fixed capabilities API to receive logical response
2016-03-17 21:03:32 -04:00
vishalnayak
a5d79d587a
Refactoring the capabilities function
2016-03-17 21:03:32 -04:00
vishalnayak
dcb7f00bcc
Move sys/capabilities to logical_system along with business logic from core
2016-03-17 21:03:32 -04:00
vishalnayak
2b712bc778
Move capabilities accessor logic to logical_system
2016-03-17 21:03:32 -04:00
vishalnayak
dd94e8e689
Fix broken test case
2016-03-14 18:44:13 -04:00
vishalnayak
ba50a14736
Refactor fetching sys/health parameters
2016-03-11 09:52:31 -05:00
Jeff Mitchell
77b90c6745
Add query parameters to `/sys/health` to specify return codes.
...
Fixes #1199
2016-03-11 00:41:25 -05:00
Jeff Mitchell
fa2ba47a5c
Merge branch 'master' into token-roles
2016-03-09 17:23:34 -05:00
vishalnayak
f478cc57e0
fix all the broken tests
2016-03-09 13:45:36 -05:00
vishalnayak
c4a2c5b56e
Added tests for 'sys/capabilities-accessor' endpoint
2016-03-09 11:29:09 -05:00
vishalnayak
151c932875
AccessorID --> Accessor, accessor_id --> accessor
2016-03-09 06:23:31 -05:00
vishalnayak
62777c9f7e
ErrUserInput --> StatusBadRequest
2016-03-08 21:47:24 -05:00
vishalnayak
8117996378
Implemented /sys/capabilities-accessor and a way for setting HTTP error code in all the responses
2016-03-08 19:14:29 -05:00
vishalnayak
2737c81b39
Lay the foundation for returning proper HTTP status codes
2016-03-08 18:27:03 -05:00
vishalnayak
301776012f
Introduced AccessorID in TokenEntry and returning it along with token
2016-03-08 14:06:10 -05:00
vishalnayak
08c40c9bba
Introduced ErrUserInput to distinguish user error from server error
2016-03-07 22:16:09 -05:00
vishalnayak
3b463c2d4e
use errwrap to check the type of error message, fix typos
2016-03-07 18:36:26 -05:00
Jeff Mitchell
cc1f5207b3
Merge branch 'master' into token-roles
2016-03-07 10:03:54 -05:00
vishalnayak
aab24113b0
test cases for capabilities endpoint
2016-03-05 00:03:55 -05:00
vishalnayak
9946a2d8b5
refactoring changes due to acl.Capabilities
2016-03-04 18:55:48 -05:00
vishalnayak
7fe871e60a
Removing the 'Message' field
2016-03-04 10:36:03 -05:00
vishalnayak
b67ab8ab7c
Test files for capabilities endpoint
2016-03-04 10:36:03 -05:00
vishalnayak
816f1f8631
self review rework
2016-03-04 10:36:03 -05:00
vishalnayak
286e63a648
Handled root token use case
2016-03-04 10:36:03 -05:00
vishalnayak
07f9486ecb
Added capabilities and capabilities-self endpoints to http muxer
2016-03-04 10:36:03 -05:00
vishalnayak
a885f9e8d2
Refactor http/sys_capabilities.go
2016-03-04 10:36:03 -05:00
vishalnayak
5749a6718c
Added sys/capabililties endpoint
2016-03-04 10:36:02 -05:00
Jeff Mitchell
3e7bca82a1
Merge pull request #1146 from hashicorp/step-down
...
Provide 'sys/step-down' and 'vault step-down'
2016-03-03 12:30:08 -05:00
Jeff Mitchell
6ed5d10580
Remove proxy function as it's unneeded now
2016-03-02 14:55:51 -05:00
Jeff Mitchell
9c47b8c0a7
Remove sys_policy from special handling as it's implemented in
...
logical_system too. Clean up the mux handlers.
2016-03-02 14:16:54 -05:00
Jeff Mitchell
7b4478faba
Add a sleep in the RedirectStandby test to try to fix raciness
2016-03-02 12:06:16 -05:00
Jeff Mitchell
df2e337e4c
Update tests to add expected role parameters
2016-03-01 12:41:40 -05:00
Jeff Mitchell
11ddd2290b
Provide 'sys/step-down' and 'vault step-down'
...
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.
Fixes #1093
2016-02-26 19:43:55 -05:00
Jeff Mitchell
434962c632
We treat put/post the same, so allow init to use POST
2016-02-22 20:22:31 -05:00
Jeff Mitchell
76923aa28a
Add the server's time in UTC to the health response.
2016-02-22 19:51:18 -05:00
Jeff Mitchell
8510dbad05
Verify that nonces are non-empty in tests
2016-02-12 15:35:26 -05:00
Jeff Mitchell
5f5542cb91
Return status for rekey/root generation at init time. This mitigates a
...
(very unlikely) potential timing attack between init-ing and fetching
status.
Fixes #1054
2016-02-12 14:24:36 -05:00
Jeff Mitchell
ff3adce39e
Make "ttl" reflect the actual TTL of the token in lookup calls.
...
Add a new value "creation_ttl" which holds the value at creation time.
Fixes #986
2016-02-01 11:16:32 -05:00
Jeff Mitchell
88310ca538
Fix up unit tests to expect new values
2016-01-29 19:36:56 -05:00
Jeff Mitchell
7d1d003ba0
Update documentation and use ParseBool for list query param checking
2016-01-22 10:07:32 -05:00
Jeff Mitchell
455931873a
Address some review feedback
2016-01-22 10:07:32 -05:00
Jeff Mitchell
5341cb69cc
Updates and documentation
2016-01-22 10:07:32 -05:00
Jeff Mitchell
9042315973
Add handling of LIST verb to logical router
2016-01-22 10:07:32 -05:00
Jeff Mitchell
973c888833
RootGeneration->GenerateRoot
2016-01-19 18:28:10 -05:00
Jeff Mitchell
3b994dbc7f
Add the ability to generate root tokens via unseal keys.
2016-01-19 18:28:10 -05:00
Jeff Mitchell
386aa408b7
Remove need for PUT in rekey. We've decided that POST and PUT are to
...
stay as synonyms for writes, so there's no reason to limit it for this
operation.
2016-01-14 16:52:34 -05:00
Jeff Mitchell
4f4ddbf017
Create more granular ACL capabilities.
...
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.
Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Jeff Mitchell
455acc255b
Have 'sys/renew' return the value provided in Secret.
...
Fixes a regression introduced in 0.3.
2016-01-07 11:35:09 -05:00
Jeff Mitchell
a094eedce2
Add rekey nonce/backup.
2016-01-06 09:54:35 -05:00
Jeff Mitchell
f6ff39ffb0
Fix StandbyRedirect test
2015-12-17 13:58:16 -05:00
Jeff Mitchell
7ce8aff906
Address review feedback
2015-12-14 17:58:30 -05:00
Jeff Mitchell
ced0835574
Allow separate HA physical backend.
...
With no separate backend specified, HA will be attempted on the normal
physical backend.
Fixes #395 .
2015-12-14 07:59:58 -05:00
Jeff Mitchell
1c7157e632
Reintroduce the ability to look up obfuscated values in the audit log
...
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).
In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)
Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell
d6693129de
Create a "default" policy with sensible rules.
...
It is forced to be included with each token, but can be changed (but not
deleted).
Fixes #732
2015-11-09 15:44:09 -05:00
Jeff Mitchell
5783f547ab
Display whether a token is an orphan on lookup.
2015-11-09 13:19:59 -05:00
Jeff Mitchell
7aa3faa626
Rename core's 'policy' to 'policyStore' for clarification
2015-11-06 12:07:42 -05:00
Jeff Mitchell
c1d8b97342
Add reset support to the unseal command.
...
Reset clears the provided unseal keys, allowing the process to be begun
again. Includes documentation and unit test changes.
Fixes #695
2015-10-28 15:59:39 -04:00
Jeff Mitchell
22c65c0c07
Use cleanhttp instead of bare http.Client
2015-10-22 14:37:12 -04:00
Jeff Mitchell
cba4e82682
Don't use http.DefaultClient
...
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.
Fixes #700 , I believe.
2015-10-15 17:54:00 -04:00
Jeff Mitchell
c7cec2aabc
Add unit tests
2015-10-07 20:17:06 -04:00
Jeff Mitchell
10d24779c0
Rename GetWarnings->Warnings for responses
2015-10-07 16:18:39 -04:00
Jeff Mitchell
d740fd4a6a
Add the ability for warnings to be added to responses. These are
...
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.
Fixes #676
2015-10-07 16:18:39 -04:00
Jeff Mitchell
62ac518ae7
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 10:41:21 -04:00
Jeff Mitchell
d775445efe
Store token creation time and TTL. This can be used to properly populate
...
fields in 'lookup-self'. Importantly, this also makes credential
backends use the SystemView per-backend TTL values and fixes unit tests
to expect this.
Fully fixes #527
2015-09-18 16:39:35 -04:00
Jeff Mitchell
77e7379ab5
Implement the cubbyhole backend
...
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell
ace611d56d
Address items from feedback. Make MountConfig use values rather than
...
pointers and change how config is read to compensate.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
eff1c331ad
Add more unit tests against backend TTLs, and fix two bugs found by them
...
(yay unit tests!)
2015-09-10 15:09:54 -04:00
Jeff Mitchell
86ccae7bd5
Fix mount config test by proxying mounts/ in addition to mounts
2015-09-10 15:09:54 -04:00
Jeff Mitchell
775dfe38a2
A couple bug fixes + most unit tests
2015-09-10 15:09:54 -04:00
Jeff Mitchell
6efcbe3a9f
Allow POST as well as PUT for seal/unseal command, fits in more with how logical handles things
2015-09-10 15:09:53 -04:00
Jeff Mitchell
696d0c7b1d
Plumb per-mount config options through API
2015-09-10 15:09:53 -04:00
Jeff Mitchell
4596ed6484
Remove custom http/sys_auth handler in favor of logical. Unit tests
...
pass.
2015-08-28 13:42:01 -07:00
Jeff Mitchell
6bc86cfee1
Use logical passthrough for renew API calls
2015-08-26 13:22:16 -07:00
Jeff Mitchell
17cbd9e1ca
If JSON decoding fails, make it clear that the problem is failing to
...
parse the JSON, rather than returning the possibly confusing error from
the JSON decoder.
Fixes #553 .
2015-08-26 07:03:33 -07:00
Jeff Mitchell
cc232e6f79
Address comments from review.
2015-08-25 15:33:58 -07:00
Jeff Mitchell
c887df93cc
Add support for pgp-keys argument to rekey, as well as tests, plus
...
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Jeff Mitchell
2f3e245b0b
Add support for "pgp-tokens" parameters to init.
...
There are thorough unit tests that read the returned
encrypted tokens, seal the vault, and unseal it
again to ensure all works as expected.
2015-08-25 14:52:13 -07:00
Jeff Mitchell
a8ef0e8a80
Remove cookie authentication.
2015-08-21 19:46:23 -07:00
Jeff Mitchell
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
Jeff Mitchell
c84ccc08d4
sys_mount.go is now unnecessary
2015-08-20 14:09:15 -07:00
Jeff Mitchell
271255b008
Send sys mounting logic directly to logical backend. Unit tests run.
2015-08-20 13:59:57 -07:00
Jeff Mitchell
15f57082e0
Begin factoring out sys paths into logical routes. Also, standardize on 307 as redirect code.
2015-08-20 13:20:35 -07:00
Caleb Tennis
4da080e769
This adds a new error class which can be used by logical backends to
...
specify more concrete error cases to make their way back up the stack.
Over time there is probably a cleaner way of doing this, but that's
looking like a more massive rewrite and this solves some issues in
the meantime.
Use a CodedError to return a more concrete HTTP return code for
operations you want to do so. Returning a regular error leaves
the existing behavior in place.
2015-08-10 13:27:25 -04:00
Armon Dadgar
0521c6df6c
http: support ?standbyok for 200 status on standby. Fixes #389
2015-07-02 17:49:35 -07:00
Armon Dadgar
3bc388f30d
Merge pull request #366 from nbrownus/http_responses
...
Better http responses
2015-06-29 15:31:45 -07:00
Armon Dadgar
496ebe561c
vault: cleanups for the audit log changes
2015-06-29 15:27:28 -07:00
Nate Brown
31ab086063
Doing a little better with http response codes
2015-06-19 14:00:48 -07:00
Nate Brown
c55f103c58
Adding error and remote_address to audit log lines
2015-06-18 17:17:18 -07:00
Seth Vargo
79388d2446
Accept PUT as well as post to sys/mounts
2015-06-16 13:02:21 -04:00
Armon Dadgar
7964fa4d86
http: adding rekey handlers
2015-05-28 14:28:50 -07:00
Armon Dadgar
af47c72639
http: adding key-status and rotate handlers
2015-05-27 18:02:50 -07:00
Armon Dadgar
8ee5aebb3c
vault: testing raw responses
2015-05-27 14:19:12 -07:00
Armon Dadgar
11c625fea2
http: support raw HTTP output
2015-05-27 14:10:00 -07:00
Jonathan Sokolowski
be2538aca3
http: Extract IP from RemoteAddr correctly
2015-05-20 15:23:41 +10:00