Jeff Mitchell
65d8eb0914
Add more docs around list paths in policies.
CC #4199
2018-03-26 11:30:58 -04:00
Josh Soref
73b1fde82f
Spelling (#4119)
2018-03-20 14:54:10 -04:00
Jeff Mitchell
e49c230f7b
Log revocations in revokeCommon rather than expireID (#4164)
Revocations that happen not as a result of direct expirations will
therefore be logged
Fixes #4156
2018-03-20 11:46:27 -04:00
Jeff Mitchell
933f1e4b87
Sync
2018-03-20 10:42:57 -04:00
Calvin Leung Huang
f86881c295
Unauthenticated endpoint to list secret and auth mounts (#4134)
* Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs
* docs: Add ttl params to auth enable endpoint
* Rewording of go string to simply string
* Add audit hmac keys as CLI flags on auth/secrets enable
* Fix copypasta mistake
* WIP on auth-list endpoint
* Rename variable to be singular, add CLI flag, show value in auth and secrets list
* Add audit hmac keys to auth and secrets list
* Only set config values if they exist
* Fix http sys/auth tests
* More auth plugin_name test fixes
* Rename tag internal_ui_show_mount to _ui_show_mount
* Add tests
* Make endpoint unauthed
* Rename field to listing_visibility
* Add listing-visibility to cli tune commands
* Use ListingVisiblityType
* Fix type conversion
* Do not actually change token's value on testHttpGet
* Remove unused ListingVisibilityAuth, use const in pathInternalUIMountsRead
2018-03-19 23:16:33 -04:00
Jeff Mitchell
3a5e1792c0
Update path-help to make clear you shouldn't put things in the URL.
Remove from website docs as those have been long deprecated.
2018-03-19 11:50:16 -04:00
Jeff Mitchell
60adb4297f
Update SealWrapStorage in passthrough to use newer style glob for matching all
2018-03-18 14:25:15 -04:00
Jeff Mitchell
6e93a6c4fb
Properly forward (or specifically don't) sys calls that result in read only errors (#4129)
Prior to this policy writes against a performance secondary would not
succeed because the read-only error was swallowed by handleError. In
addition to fixing this, it adds a similar function that explicitly
doesn't trigger forwarding. This is useful for things that are local to
the secondary such as raw operations and lease management.
2018-03-17 21:29:17 -04:00
Jin-wook Jeong
92ea5f9d66
Make credential plugin to work that is modified before vault startup and reloaded after vault startup. (#4121)
Set routeEntry.rootPaths, loginPaths after plugin reload using atomic values.
2018-03-16 10:35:19 -07:00
Calvin Leung Huang
3108860d4b
Audit HMAC values on AuthConfig (#4077)
* Add audit hmac values to AuthConfigInput and AuthConfigOutput, fix docs
* docs: Add ttl params to auth enable endpoint
* Rewording of go string to simply string
* Add audit hmac keys as CLI flags on auth/secrets enable
* Fix copypasta mistake
* Add audit hmac keys to auth and secrets list
* Only set config values if they exist
* Fix http sys/auth tests
* More auth plugin_name test fixes
* Pass API values into MountEntry's config when creating auth/secrets mount
* Update usage wording
2018-03-09 14:32:28 -05:00
Jeff Mitchell
55187255bd
Truncate token store issued token periods when greater than tuned max at (#4112)
issue time, not just renew time.
2018-03-09 10:53:04 -05:00
Jeff Mitchell
a82b43081c
Fix output in warning displaying nanoseconds instead of seconds
2018-03-08 16:14:20 -05:00
Brian Kassouf
9dba3590ac
Add context to the NewSalt function (#4102)
2018-03-08 11:21:11 -08:00
Brian Kassouf
34d958968d
Revert stopoptions (#4088)
* Use an atomic value instead to communicate whether to give up HA lock
* Remove now-unneeded StopOptions struct
* Add a channel based mutex acquisition function to avoid a deadlock
* Make periodic leader refresh only spawn a single waiting goroutine and
extend logic to the key upgrade check
2018-03-06 21:35:58 -05:00
Jeff Mitchell
6b777dc63e
Rearrange shutdown logic to remove some lock switching (#4083)
* Rearrange shutdown logic to remove some lock switching and to allow
giving up the HA lock to be skipped.
2018-03-06 18:06:09 -05:00
Calvin Leung Huang
e2fb199ce5
Non-HMAC audit values (#4033)
* Add non-hmac request keys
* Update comment
* Initial audit request keys implementation
* Add audit_non_hmac_response_keys
* Move where req.NonHMACKeys gets set
* Minor refactor
* Add params to auth tune endpoints
* Sync cache on loadCredentials
* Explicitly unset req.NonHMACKeys
* Do not error if entry is nil
* Add tests
* docs: Add params to api sections
* Refactor audit.Backend and Formatter interfaces, update audit broker methods
* Add audit_broker.go
* Fix method call params in audit backends
* Remove fields from logical.Request and logical.Response, pass keys via LogInput
* Use data.GetOk to allow unsetting existing values
* Remove debug lines
* Add test for unsetting values
* Address review feedback
* Initialize values in FormatRequest and FormatResponse using input values
* Update docs
* Use strutil.StrListContains
* Use strutil.StrListContains
2018-03-02 12:18:39 -05:00
Jeff Mitchell
5034ae2dcb
Add the ability to use multiple paths for capability checking (#3663)
* Add the ability to use multiple paths for capability checking. WIP
(tests, docs).
Fixes #3336
* Added tests
* added 'paths' field
* Update docs
* return error if paths is not supplied
2018-03-01 11:14:56 -05:00
Jeff Mitchell
f1bd0cbe74
Use atomic values in seal to avoid some data races (#4040)
2018-02-23 17:18:48 -05:00
Jeff Mitchell
d4a431b298
Move local cluster parameters to atomic values to fix some potential data races (#4036)
2018-02-23 14:47:07 -05:00
Brian Kassouf
cb08fb92d2
Port some replicated cluster changes from ent (#4037)
2018-02-23 14:01:15 -05:00
Jeff Mitchell
1a814803d7
Add core object to policy store for some ent uses
2018-02-23 14:00:46 -05:00
Calvin Leung Huang
1bb4d165e7
Add TTL related config options on auth enable (#4019)
2018-02-22 10:26:29 -05:00
Jeff Mitchell
4669f37c78
Add four cluster flag
2018-02-22 00:23:37 -05:00
Gobin Sougrakpam
33e22c41ca
Log warnings when too many leases are active (#3957)
2018-02-14 09:22:46 -05:00
Kevin Paulisse
2282fcef8a
Decompress data before sending via sys/raw (#3954)
2018-02-09 18:43:48 -05:00
Jeff Mitchell
96ea0620fd
Add sealunwrapper to ease OSS downgrades (#3936)
2018-02-09 16:37:40 -05:00
Jeff Mitchell
847e499261
Simplify readonly view logic
2018-02-09 15:39:27 -05:00
Vishal Nayak
bf66dc2841
Make mount view read only until after mount persist (#3910)
2018-02-09 14:04:25 -05:00
Vishal Nayak
81c66efd6d
AppRole/Identity: Fix for race when creating an entity during login (#3932)
* possible fix for race in approle login while creating entity
* Add a test that hits the login request concurrently
* address review comments
2018-02-09 10:40:56 -05:00
seanjfellows
4739342fdb
Create audit failure metrics unconditionally (#3937)
2018-02-07 15:57:00 -05:00
Jeff Mitchell
1a8a843588
Change grpc's max sent/recv size to a very large value. (#3912)
2018-02-06 13:52:35 -05:00
Jeff Mitchell
642b88c76a
go vet fixes
2018-02-05 14:26:31 -05:00
Jeff Mitchell
05723e1229
Revert cluster.go change
2018-02-04 20:42:45 -05:00
Jeff Mitchell
f33563f667
Some vet fixes
2018-02-04 20:37:57 -05:00
Jeff Mitchell
fc6564e4ee
Don't run rollback and upgrade functionality if we are a replication secondary (#3900)
* Don't run rollback and upgrade functionality if we are a replication
secondary, but do if the mount is local.
2018-02-02 20:28:25 -05:00
Jeff Mitchell
676b302dbf
Add a sysview call to determine if a mount is local. (#3899)
This is useful for deciding when to run upgrade logic, e.g. if on a
performance secondary but local it's fine to run.
2018-02-02 18:17:12 -05:00
Calvin Leung Huang
848ce6427b
Handle period's zero value in token store's token creation (#3880)
* Handle period's zero value on handleCreateCommon
* Add test for period zero value
2018-02-01 12:01:46 -05:00
Jeff Mitchell
60e2209532
Remove core restriction in cache and turn it into an active/standby restriction instead (#3849)
2018-01-25 22:21:51 -05:00
Vishal Nayak
150ad8405b
Remove logical.Initialize() method (#3848)
* Remove logical.Initialize() method
* More cleanup
* Fix test
2018-01-25 20:19:27 -05:00
Jeff Mitchell
ad9da2e0b8
Fix intermittent panic by storing a reference to the grpc server (#3842)
* Fix intermittent panic by storing a reference to the grpc server and
using that to ensure it will never be nil.
* Just get rid of c.rpcServer
2018-01-24 20:23:08 -05:00
Jeff Mitchell
cf87cc54fc
Fix build
2018-01-22 21:45:22 -05:00
Jeff Mitchell
8e8675053b
Sync some bits over
2018-01-22 21:44:49 -05:00
Jeff Mitchell
7d6fed2e86
Use a separate var for active node replication state (#3819)
2018-01-19 19:24:04 -05:00
Jeff Mitchell
43617619ad
Embed derived contexts into replication clients
2018-01-19 07:22:31 -05:00
Jeff Mitchell
123e22cd7e
Fix compile
2018-01-19 05:31:55 -05:00
Jeff Mitchell
b4be030d07
Add context to barrier encryptor interface
2018-01-19 05:28:47 -05:00
Jeff Mitchell
31a7eb1168
Add context to barrier encryptor access
2018-01-19 05:24:40 -05:00
Jeff Mitchell
69aead14f0
A bit more context plumbing
2018-01-19 04:11:59 -05:00
Jeff Mitchell
33b68ebf3d
Remove context from a few extraneous places
2018-01-19 03:44:06 -05:00
Jeff Mitchell
6be5b8e8a1
Don't use context in barrier type/recovery type
2018-01-19 03:17:36 -05:00