Commit Graph

8060 Commits

Author SHA1 Message Date
Calvin Leung Huang dd7520459e
Token revocation refactor (#4512)
* Hand off lease expiration to expiration manager via timers

* Use sync.Map as the cache to track token deletion state

* Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager

* Update revoke and revoke-self handlers

* Fix tests

* revokeSalted: Move token entry deletion into the deferred func

* Fix test race

* Add blocking lease revocation test

* Remove test log

* Add HandlerFunc on NoopBackend, adjust locks, and add test

* Add sleep to allow for revocations to settle

* Various updates

* Rename some functions and variables to be more clear
* Change step-down and seal to use expmgr for revoke functionality like
during request handling
* Attempt to WAL the token as being invalid as soon as possible so that
further usage will fail even if revocation does not fully complete

* Address feedback

* Return invalid lease on negative TTL

* Revert "Return invalid lease on negative TTL"

This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8.

* Extend sleep on tests
2018-05-10 15:50:02 -04:00
Jeff Mitchell ae3fed38fe changelog++ 2018-05-10 15:40:45 -04:00
Jeff Mitchell af802275bd
Fix response wrapping from K/V version 2 (#4511)
This takes place in two parts, since working on this exposed an issue
with response wrapping when there is a raw body set. The changes are (in
diff order):

* A CurrentWrappingLookupFunc has been added to return the current
value. This is necessary for the lookahead call since we don't want the
lookahead call to be wrapped.

* Support for unwrapping < 0.6.2 tokens via the API/CLI has been
removed, because we now have backends returning 404s with data and can't
rely on the 404 trick. These can still be read manually via
cubbyhole/response.

* KV preflight version request now ensures that its calls is not
wrapped, and restores any given function after.

* When responding with a raw body, instead of always base64-decoding a
string value and erroring on failure, on failure we assume that it
simply wasn't a base64-encoded value and use it as is.

* A test that fails on master and works now that ensures that raw body
responses that are wrapped and then unwrapped return the expected
values.

* A flag for response data that indicates to the wrapping handling that
the data contained therein is already JSON decoded (more later).

* RespondWithStatusCode now defaults to a string so that the value is
HMAC'd during audit. The function always JSON encodes the body, so
before now it was always returning []byte which would skip HMACing. We
don't know what's in the data, so this is a "better safe than sorry"
issue. If different behavior is needed, backends can always manually
populate the data instead of relying on the helper function.

* We now check unwrapped data after unwrapping to see if there were raw
flags. If so, we try to detect whether the value can be unbase64'd. The
reason is that if it can it was probably originally a []byte and
shouldn't be audit HMAC'd; if not, it was probably originally a string
and should be. In either case, we then set the value as the raw body and
hit the flag indicating that it's already been JSON decoded so not to
try again before auditing. Doing it this way ensures the right typing.

* There is now a check to see if the data coming from unwrapping is
already JSON decoded and if so the decoding is skipped before setting
the audit response.
2018-05-10 15:40:03 -04:00
Brian Kassouf 55997b6bf0
physical/cache: Add a list of prefixes to not cache (#4515)
* physical/cache: Add a list of prefixes to not cache

* Rename the pathmanager

* Move cache back to the beggining of postUnseal

* Fix comment
2018-05-10 10:29:26 -07:00
Becca Petrin 2eea3fb660
dont reuse err on multiple goroutines (#4545) 2018-05-10 10:10:08 -07:00
Matthew Surabian 01d63b8148 DynamoDB Deprecation Fixes (#4534)
* Use the AWS SDK's UnmarshalMap method for dynamodb backend, not the deprecated ConvertFromMap method

* Use the AWS SDK's MarshalMap method for dynamodb backend, not the deprecated ConvertToMap method

* Use the AWS SDK's session.NewSession method for dynamodb backend, not the deprecated session.New method

* Fix variable name awserr that colides with imported package in dynamodb backend
2018-05-10 08:25:51 -04:00
emily 1eb2765318 update gcputil deps (#4537) 2018-05-10 08:24:53 -04:00
Jeff Mitchell f4b98ace65 Fix retryable dep 2018-05-09 20:52:44 -04:00
Jeff Mitchell 2cc9b7fc72 Update retryable dep 2018-05-09 20:49:32 -04:00
Jeff Mitchell a287830985 Update comment around legacy bool in API 2018-05-09 20:35:51 -04:00
Becca Petrin 76c717b081
Restrict cert auth by CIDR (#4478) 2018-05-09 15:39:55 -07:00
Jeff Mitchell bbaf923a27 Update retryable vendor 2018-05-09 18:34:05 -04:00
Jeff Mitchell aa80a7e502 Change retry timing to be a little less long 2018-05-09 18:33:51 -04:00
Jeff Mitchell 6d9fce63c6 Adjust MaxRetries for retryablehttp 2018-05-09 18:24:41 -04:00
Jeff Mitchell 2dc9276e4c Update go-retryablehttp and use PassthroughErrorHandler 2018-05-09 18:11:08 -04:00
Jeff Mitchell a59661a87a Remove unneeeded dep 2018-05-09 17:50:49 -04:00
Jeff Mitchell 7f886b5675 Update go-retryablehttp vendor 2018-05-09 17:44:53 -04:00
Jeff Kohrman ec4b839741 Add link to updated privacy policy in layout.erb (#4533)
Added link to updated privacy policy in footer of `layout.erb` for the OSS website.
2018-05-09 16:11:57 -04:00
Yoko fc97fc09ce
[Guide] DB Root Credential Rotation (#4508)
* DB root credential rotation guide

* Fixed typos

* Added a note about creating a dedicated superuser

* Incorporated Chris's feedback

* Added a reference to DB root credential rotation

* Rephrase some of the languages

* Minor re-wording of a sentence
2018-05-09 11:01:58 -07:00
Jeff Mitchell 072cd783b5 Fix another PKI test 2018-05-09 12:51:34 -04:00
Jeff Mitchell 573b403b5e Fix PKI test 2018-05-09 12:47:00 -04:00
Jeff Mitchell 2eb463aa8c Remove outdated renewer test 2018-05-09 12:33:20 -04:00
Jeff VanSickle a69e8d81b0 Update jq path for "excited" in JSON output example (#4531) 2018-05-09 08:41:41 -07:00
Jeff Mitchell eecdbb0ee8 changelog++ 2018-05-09 10:55:44 -04:00
Shelby Moore f8e1f82225 Updated proxy protocol config validation (#4528) 2018-05-09 10:53:44 -04:00
Jeff Mitchell e5f4ca83a0
Update PKI to natively use time.Duration (#4493)
* Update PKI to natively use time.Duration

Among other things this now means PKI will output durations in seconds
like other backends, instead of as Go strings.

* Add a warning when refusing to blow away an existing root instead of just returning success

* Fix another issue found while debugging this...

The reason it wasn't caught on tests in the first place is that the ttl
and max ttl were only being compared if in addition to a provided csr, a
role was also provided. This was because the check was in the role !=
nil block instead of outside of it. This has been fixed, which made the
problem occur in all sign-verbatim cases and the changes in this PR have
now verified the fix.
2018-05-09 10:29:54 -04:00
Jeff Mitchell 274732733e Clarify that rotate requires sudo 2018-05-09 10:19:35 -04:00
Jeff Mitchell 2ecc42ed22 Grace is deprecated so mark as such 2018-05-09 10:02:06 -04:00
tdsacilowski c19e8d0dbc Clarify HA params, fixed typos (#4527)
* Clarify HA params, fixed typos

* Additional clarifications to listener parameters

* Updated cluster_address values
2018-05-08 13:36:42 -07:00
Jacob Friedman 64bb0bd58a Updated link for k8s-tokenreview (#4523)
Link for k8s-tokenreview was broken when they released a new version so I went ahead and fixed it.
2018-05-08 13:36:12 -07:00
Jacob Friedman 67b8d3dc40 Changed DR docs page to fix generating secondary DR token (#4521)
The docs for how to create secondary DR tokens were incorrect, which caused issues at a customer. I fixed the documentation with the proper syntax and formatting, which I copied from the perf replication docs (after changing endpoints). Can someone take a quick look for me?
2018-05-08 13:35:48 -07:00
vishalnayak f95a913bd5 docs: s/entity/group-alias 2018-05-08 16:32:35 -04:00
Matthew Irish 5fb2be2e2b
Ember cli update to 2.15 (#4526)
* update ember-cli to 2.15

* remove bower

* update ivy-codemirror

* update build and ci to not use bower or phantomjs
2018-05-08 10:43:20 -05:00
Calvin Leung Huang 8708fe8d6c Move timeout declaration outside of for loop, break out early if renewed cleanly (#4522) 2018-05-07 13:47:55 -07:00
Chris Hoffman 7c0e590f54
docs update 2018-05-07 16:34:39 -04:00
Chris Hoffman e7bbe6fbed
docs updates 2018-05-07 16:33:38 -04:00
Jeff Mitchell 58bc941b71 Fix #4472 a better way
Unlike switch, select will randomly choose from among multiple cases if
more than one are satisfiable.
2018-05-07 16:13:04 -04:00
Jeff Mitchell e2bb955673 Revert "Close the doneCh in the renewer when we return from Renew. (#4513)"
This reverts commit 79c708f8b6df13766830d4690e3688ccb49dc335.
2018-05-07 16:11:39 -04:00
Jeff Mitchell 2cc4f20f18 Revert "changelog++"
This reverts commit cd603e299cbe7377ed27cf702ba23dc8cdcc4a33.
2018-05-07 16:11:18 -04:00
Jeff Mitchell 767d241fda changelog++ 2018-05-07 14:02:47 -04:00
Chris Hoffman d4265b59ab
changelog++ 2018-05-07 13:54:29 -04:00
Chris Hoffman 049df3da3e
updating pkcs11 docs (#4520) 2018-05-07 13:50:45 -04:00
Chris Hoffman caa48d3e60
changelog++ 2018-05-07 13:27:54 -04:00
Jim Kalafut 103de6b5e1
Simplify password generator using base62 encoder (#4514) 2018-05-04 14:22:53 -07:00
Jeff Mitchell b894050c21 changelog++ 2018-05-04 13:26:39 -04:00
Jeff Mitchell 714ecf86fc
Close the doneCh in the renewer when we return from Renew. (#4513)
Closes #4472
2018-05-04 13:25:08 -04:00
vishalnayak 9fcda0c1f0 changelog++ 2018-05-04 10:17:18 -04:00
Vishal Nayak df8484f7af
approle: Make invalid role_id a 400 error instead of 500 (#4470)
* make invalid role_id a 400 error

* remove single-use validateCredentials function

* remove single-use validateBindSecretID function

* adjust the error message for CIDR check failure

* locking updates as review feedback
2018-05-04 10:15:16 -04:00
Anthony Dong 9b06c0fb56 Fix typo in AppRole guide (#4509) 2018-05-04 10:10:21 -04:00
Jeff Mitchell ef8f23a0b2 changelog++ 2018-05-04 10:09:43 -04:00