Commit graph

890 commits

Author SHA1 Message Date
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Jeff Mitchell ebe3f09f82
Add kv rollback (#4774)
* Add `kv rollback`

Like `kv patch` this is more of a helper than anything else; it provides
a single command to fetch the current version (for CAS), read the
version you want to roll back to, and set it as the new version (using
CAS for safety).
2018-06-15 15:34:17 -04:00
Jeff Mitchell 734b46ea5b
Add a hidden combine-logs flag (#4766)
This can be used when errors are happening early on to avoid them being
swallowed by logGate.

This also does a bit of cleanup of format env var checking --
helper/logging internally looks for this so it was totally unnecessary
since moving to hclog.
2018-06-15 14:47:37 -04:00
Wim 3e1930e7c3 Use %q in error output for better visibility (#4771) 2018-06-14 18:19:22 -04:00
Michael Russell 063221b44a Allow vault ssh to accept ssh commands in any ssh compatible format (#4710)
* Allow vault ssh to accept ssh commands in any ssh compatible format

Previously vault ssh required ssh commands to be in the format
`username@hostname <flags> command`. While this works just fine for human
users this breaks a lot of automation workflows and is not compatible
with the options that the ssh client supports.

Motivation

We currently run ansible which uses vault ssh to connect to hosts.
Ansible generates ssh commands with the format `ssh <flags> -o User=username hostname
command`. While this is a valid ssh command it currently breaks with
vault because vault expects the format to be `username@hostname`. To work
around this we currently use a wrapper script to parse the correct username being set
by ansible and translate this into a vault ssh compatible `username@hostname` format

Changes

* You can now specify arguments in any order that ssh client allows. All
arguments are passed directly to the ssh command and the format isn't
modified in any way.
* The username and port are parsed from the specified ssh command. It
will accept all of the options supported by the ssh command and also
will properly prefer `-p` and `user@` if both options are specified.
* The ssh port is only added from the vault credentials if it hasn't
been specified on the command line
2018-06-14 09:54:48 -04:00
Jeff Mitchell 5d44c54947
Changes the way policies are reported in audit logs (#4747)
* This changes the way policies are reported in audit logs.

Previously, only policies tied to tokens would be reported. This could
make it difficult to perform after-the-fact analysis based on both the
initial response entry and further requests. Now, the full set of
applicable policies from both the token and any derived policies from
Identity are reported.

To keep things consistent, token authentications now also return the
full set of policies in api.Secret.Auth responses, so this both makes it
easier for users to understand their actual full set, and it matches
what the audit logs now report.
2018-06-14 09:49:33 -04:00
Calvin Leung Huang c4abeb9ea5
Move checkHCLKeys into hclutil (#4749) 2018-06-12 12:38:08 -04:00
Jeff Mitchell c1267ab16c
Fix writing to KVv2 root via kv put (#4726)
* Fix writing to KVv2 root via `kv put`

The check that adds the API path wasn't taking into account the root,
e.g. if it's mounted at `kv`, `kv` and `kv/` would end up creating an
extra copy of the mount path in front, leading to paths like
`kv/data/kv`.

* Output warnings if they come back and fix a panic in metadata_get

* Also add to metadata put/delete
2018-06-08 13:45:47 -04:00
Kevin Hicks ed7992e8ae update docs and help text to include 'operator' (#4712) 2018-06-06 21:11:21 -07:00
Jeff Mitchell 21a9b06983
Show mount accessors in normal secrets/auth list commands (#4676)
This makes them significantly easier to find/consume
2018-06-01 10:20:09 -04:00
Michael Russell 1b555b6d4c Only append the UserKnownHostsFile ssh flag when required (#4674)
Don't set a default value for the UserKnownHostsFile flag.
Only append `-o UserKnownHostsFile` to the ssh command if it
has been specified by the user or vault ssh has set it based on another
flag (such as flagHostKeyMountPoint)

Fixes https://github.com/hashicorp/vault/issues/4672
2018-06-01 09:56:22 -04:00
Michael Russell 4d1669938c Use hostname instead of the IP when running the actual ssh command (#4673)
This is implementing the same fix that was added for the CA mode for vault
ssh in https://github.com/hashicorp/vault/pull/3922
Using the IP address caused `Host` entries in the ssh_config to not
match anymore meaning you would need to hardcode all of your IP
addresses in your ssh config instead of using DNS to connect to hosts
2018-06-01 09:16:12 -04:00
Jeff Mitchell 9e7f381fca Sync over changes to config.go 2018-05-30 08:34:46 -04:00
emily 192c228931 Add GCP auth helper (#4654)
* update auth plugin vendoring

* add GCP auth helper and docs
2018-05-29 20:36:24 -04:00
Jeff Mitchell 7cf283cd2c Make the rekey verification message more complete 2018-05-29 14:59:19 -04:00
Jeff Mitchell 2971813684 Add verification nonce to non-verify status, if it exists, and name it verification nonce in the verify status for clarity 2018-05-29 13:18:52 -04:00
Jeff Mitchell c53717ba1c Fix panic and update some text 2018-05-29 13:13:47 -04:00
Jeff Mitchell 8b065344f8 Update CLI text 2018-05-29 12:42:33 -04:00
Jeff Mitchell bd0ac25eb9
Merge branch 'master' into rekey-verification 2018-05-29 10:19:57 -04:00
Kloppi313 365335f609 Typo in operator_rekey.go (#4646) 2018-05-29 09:28:08 -04:00
Jeff Mitchell 14b65ff4db
Builds on top of #4600 to provide CLI support (#4605) 2018-05-28 00:39:53 -04:00
Becca Petrin 94ae5d2567
Add Active Directory secrets plugin (#4635) 2018-05-25 11:37:41 -07:00
Becca Petrin abc0975d75
fix tests (#4636) 2018-05-24 13:57:25 -07:00
Jeff Mitchell 7749f3cb3f Prevent warnings from showing in individual commands when format is not table, in addition to the existing hiding of higher-level deprecation warnings 2018-05-23 17:13:39 -04:00
Jeff Mitchell 396457ce03
Don't use environment as a mechanism for floating format around. (#4622)
This turns out to not work very well for the demo server. Also,
it's kinda hacky.
2018-05-23 16:45:17 -04:00
Jeff Mitchell f1c3ddc566
Fix panic on deprecated audit-disable and some cleanup (#4619) 2018-05-23 12:34:48 -04:00
Jeff Mitchell 84eaebb774
Add missing flags to KV commands and simplify boilerplate (#4617) 2018-05-23 09:56:47 -04:00
Dan Brown 013e4e4d81 Fix typo (#4607) 2018-05-22 08:30:13 -04:00
Jeff Mitchell c011cefed4
Fix panic when running capabilities CLI command with multiple paths (#4553)
* Fix panic using 'vault token capabilities' with more than one path

Fixes #4552

* Add test
2018-05-11 11:58:12 -04:00
Tyler Marshall 407550bd89 Fix minor spelling mistake (#4548) 2018-05-10 13:42:01 -07:00
Jeff Mitchell af802275bd
Fix response wrapping from K/V version 2 (#4511)
This takes place in two parts, since working on this exposed an issue
with response wrapping when there is a raw body set. The changes are (in
diff order):

* A CurrentWrappingLookupFunc has been added to return the current
value. This is necessary for the lookahead call since we don't want the
lookahead call to be wrapped.

* Support for unwrapping < 0.6.2 tokens via the API/CLI has been
removed, because we now have backends returning 404s with data and can't
rely on the 404 trick. These can still be read manually via
cubbyhole/response.

* KV preflight version request now ensures that its calls is not
wrapped, and restores any given function after.

* When responding with a raw body, instead of always base64-decoding a
string value and erroring on failure, on failure we assume that it
simply wasn't a base64-encoded value and use it as is.

* A test that fails on master and works now that ensures that raw body
responses that are wrapped and then unwrapped return the expected
values.

* A flag for response data that indicates to the wrapping handling that
the data contained therein is already JSON decoded (more later).

* RespondWithStatusCode now defaults to a string so that the value is
HMAC'd during audit. The function always JSON encodes the body, so
before now it was always returning []byte which would skip HMACing. We
don't know what's in the data, so this is a "better safe than sorry"
issue. If different behavior is needed, backends can always manually
populate the data instead of relying on the helper function.

* We now check unwrapped data after unwrapping to see if there were raw
flags. If so, we try to detect whether the value can be unbase64'd. The
reason is that if it can it was probably originally a []byte and
shouldn't be audit HMAC'd; if not, it was probably originally a string
and should be. In either case, we then set the value as the raw body and
hit the flag indicating that it's already been JSON decoded so not to
try again before auditing. Doing it this way ensures the right typing.

* There is now a check to see if the data coming from unwrapping is
already JSON decoded and if so the decoding is skipped before setting
the audit response.
2018-05-10 15:40:03 -04:00
Shelby Moore f8e1f82225 Updated proxy protocol config validation (#4528) 2018-05-09 10:53:44 -04:00
Prem Sichanugrist 0057bdbee6 Fix misspelling in vault auth deprecation message (#4460) 2018-04-26 06:55:36 -04:00
Jeff Mitchell 26e83442fa
Add -no-print to 'vault login' (#4454)
Trivially manually tested

Closes #2758
2018-04-25 15:47:49 -04:00
Jeff Mitchell 5e9308ccad Fix help output in kv_patch 2018-04-25 03:21:13 -04:00
Brian Kassouf 817f816eb2
Fallback to version 1 if the vault server is too old to have the kv preflight endpoint (#4445) 2018-04-24 15:49:06 -07:00
Brian Kassouf 6d447d2671 Rename up path to internal/ui/mounts/<path> (#4435) 2018-04-23 18:16:10 -04:00
Brian Kassouf c7f9d185b0
Kv preflight (#4430)
* Update kv command to use a preflight check

* Make the existing ui endpoint return the allowed mounts

* Add kv subcommand tests

* Enable `-field` in `vault kv get/put` (#4426)

* Enable `-field` in `vault kv get/put`

Fixes #4424

* Unify nil value handling

* Use preflight helper

* Update vkv plugin

* Add all the mount info when authenticated

* Add fix the error message on put

* add metadata test

* No need to sort the capabilities

* Remove the kv client header

* kv patch command (#4432)

* Fix test

* Fix tests

* Use permission denied instead of entity disabled
2018-04-23 15:00:02 -07:00
Malhar Vora 45fe086107 Corrects description for mode option in ssh command (#4420)
Fixes #4375
2018-04-22 13:42:46 -04:00
Kevin Wang f1e46a0d76 Fix panic on kv put command with no arguments (#4389) 2018-04-18 15:45:49 -07:00
Jeff Mitchell 805b5e5160
X-Forwarded-For (#4380) 2018-04-17 18:52:09 -04:00
Krzysztof Nazarewski f325bae6d3 copy-paste fix (#4377) 2018-04-17 08:36:38 -04:00
Brian Kassouf f48c7f4940
cli/generate-root: Port a fix for dr tokens from ent (#4328) 2018-04-10 08:21:38 -07:00
Jeff Mitchell 9395f6c5d7
Add -version support to tuning commands. (#4323)
Although not used for any auth mounts right now, it seemed appropriate
to add it for parity since internally it maps to the same endpoint.
2018-04-09 21:12:09 -04:00
Jeff Mitchell b1136383c9 Only trigger version output if the version flag is the only flag set 2018-04-09 21:03:11 -04:00
Jeff Mitchell 2d5120fe2a Bump KV plugin and allow -version to work 2018-04-09 16:33:01 -04:00
Jeff Mitchell 4372548fd7
Simplify color handling quite a lot (#4289)
This always specifies a color UI, but explicitly marks the output as
noncolorable if we don't want color. This allows getting rid of our
hacky Output function in favor of cli's normal functions.
2018-04-09 16:18:17 -04:00
Jeff Mitchell 5b0885ae49 Add options to detail output to mounts/auth list CLI commands 2018-04-09 15:42:18 -04:00
Jeff Mitchell 0535f46e27 Make standard secret/ mount version 1, but upgrade to v2 in dev mode. 2018-04-09 15:37:36 -04:00
Becca Petrin abb621752f Clean up error string formatting (#4304) 2018-04-09 14:35:21 -04:00