Commit graph

498 commits

Author SHA1 Message Date
Daniel Spangenberg 8007845ba4
Fix SRV Lookups (#8520)
* Pin HTTP Host header for all client requests
* Drop port map scheme
* Add SRV Lookup environment var
* Lookup SRV records only when env var is specified
* Add docs

Co-Authored-By: Michel Vocks <michelvocks@gmail.com>
2020-03-11 14:22:58 +01:00
Jeff Mitchell 7779c077e6 Bump API's SDK 2020-02-15 14:57:06 -05:00
Jeff Mitchell 509e25de21 Update api's sdk 2020-02-14 17:27:43 -05:00
Jeff Mitchell b0acc1d036 Update API's sdk 2020-02-13 10:40:35 -05:00
Michel Vocks f695eb737b
Add Consul TLS options to access API endpoint (#8253) 2020-01-29 09:44:35 +01:00
Michel Vocks 90f1d3813d
Fix redoing redirect response raft snapshot cli (#8211)
* Fix redoing redirect response raft snapshot cli

* Removed unnecessary lines of code

* go mod vendor
2020-01-27 11:25:52 +01:00
Jeff Mitchell 79ba7def56 Bump api's sdk 2020-01-10 20:40:44 -05:00
Jeff Mitchell a0694943cc
Migrate built in auto seal to go-kms-wrapping (#8118) 2020-01-10 20:39:52 -05:00
Becca Petrin c2894b8d05
Add Kerberos auth agent (#7999)
* add kerberos auth agent

* strip old comment

* changes from feedback

* strip appengine indirect dependency
2020-01-09 14:56:34 -08:00
Michel Vocks 73ae91fca8
Fix automatic token set for plugin unwrap requests (#8058)
* Fix automatic token set for plugin unwrap requests

* Change to ClearToken helper-method
2020-01-02 10:40:13 +01:00
Jeff Mitchell 33e4ef7654 Update api's sdk 2019-12-18 16:35:58 -05:00
Michel Vocks 0beb645830
Fix SRV lookup if address scheme is known (#8016) 2019-12-16 09:34:40 +01:00
Jeff Mitchell f2f984557e
Add ability to renew by accessor (#7817)
* Add renewing by accessor

* Add accessor renewing test and fix bug

* Update website docs

* Remove extra newline

* Add command-level test
2019-11-08 11:32:01 -05:00
Jeff Mitchell bde1fd9391 Bump API's SDK 2019-11-08 11:20:21 -05:00
Connor Poole 4588c56232 adding a write bytes method (#7611) 2019-11-07 17:54:05 -08:00
Jeff Mitchell 2b2e61db82
Revert change suggested by vet. See the comment for details. (#7815) 2019-11-06 17:03:37 -05:00
Jeff Mitchell 950dff9ad5
Update API to use lease_id in body of sys/leases/revoke call (#7777)
We didn't make this change earlier because not everyone would have had
an updated version of Vault with this API change but it's definitely
time.

Fixes https://github.com/hashicorp/vault-ssh-helper/issues/40
2019-11-05 16:14:28 -05:00
Jeff Mitchell 519d1b3cb8
Fix some vet issues in api package (#7789)
* Dropped cancel func
* Bad struct tag
2019-11-05 12:07:06 -05:00
Jeff Mitchell 5c3649defe Sync up Agent and API's renewers. (#7733)
* Sync up Agent and API's renewers.

This introduces a new type, LifetimeWatcher, which can handle both
renewable and non-renewable secrets, modeled after the version in Agent.
It allows the user to select behavior, with the new style being the
default when calling Start(), and old style if using the legacy Renew()
call.

No tests have been modified (except for reflect issues) and no other
code has been modified to make sure the changes are backwards
compatible.

Once this is accepted I'll pull the Agent version out.

* Move compat flags to NewRenewer

* Port agent to shared lifetime watcher lib
2019-10-28 17:28:59 -07:00
Joe Dollard 7f843c4c9b support setting the API client retry policy (#7331) 2019-10-28 15:54:59 -04:00
Lexman c86fe212c0
oss changes for entropy augmentation feature (#7670)
* oss changes for entropy augmentation feature

* fix oss command/server/config tests

* update go.sum

* fix logical_system and http/ tests

* adds vendored files

* removes unused variable
2019-10-17 10:33:00 -07:00
ncabatoff db43d22325
Do not allow the same header map to be shared across requests. (#7690) 2019-10-17 11:48:15 -04:00
Vishal Nayak 0d077d7945
Recovery Mode (#7559)
* Initial work

* rework

* s/dr/recovery

* Add sys/raw support to recovery mode (#7577)

* Factor the raw paths out so they can be run with a SystemBackend.

# Conflicts:
#	vault/logical_system.go

* Add handleLogicalRecovery which is like handleLogical but is only
sufficient for use with the sys-raw endpoint in recovery mode.  No
authentication is done yet.

* Integrate with recovery-mode.  We now handle unauthenticated sys/raw
requests, albeit on path v1/raw instead v1/sys/raw.

* Use sys/raw instead raw during recovery.

* Don't bother persisting the recovery token.  Authenticate sys/raw
requests with it.

* RecoveryMode: Support generate-root for autounseals (#7591)

* Recovery: Abstract config creation and log settings

* Recovery mode integration test. (#7600)

* Recovery: Touch up (#7607)

* Recovery: Touch up

* revert the raw backend creation changes

* Added recovery operation token prefix

* Move RawBackend to its own file

* Update API path and hit it using CLI flag on generate-root

* Fix a panic triggered when handling a request that yields a nil response. (#7618)

* Improve integ test to actually make changes while in recovery mode and
verify they're still there after coming back in regular mode.

* Refuse to allow a second recovery token to be generated.

* Resize raft cluster to size 1 and start as leader (#7626)

* RecoveryMode: Setup raft cluster post unseal (#7635)

* Setup raft cluster post unseal in recovery mode

* Remove marking as unsealed as its not needed

* Address review comments

* Accept only one seal config in recovery mode as there is no scope for migration
2019-10-15 00:55:31 -04:00
Mike Jarmy 510d82551a
Vault Agent Cache Auto-Auth SSRF Protection (#7627)
* implement SSRF protection header

* add test for SSRF protection header

* cleanup

* refactor

* implement SSRF header on a per-listener basis

* cleanup

* cleanup

* creat unit test for agent SSRF

* improve unit test for agent SSRF

* add VaultRequest SSRF header to CLI

* fix unit test

* cleanup

* improve test suite

* simplify check for Vault-Request header

* add constant for Vault-Request header

* improve test suite

* change 'config' to 'agentConfig'

* Revert "change 'config' to 'agentConfig'"

This reverts commit 14ee72d21fff8027966ee3c89dd3ac41d849206f.

* do not remove header from request

* change header name to X-Vault-Request

* simplify http.Handler logic

* cleanup

* simplify http.Handler logic

* use stdlib errors package
2019-10-11 18:56:07 -04:00
Brian Kassouf 024c29c36a
OSS portions of raft non-voters (#7634)
* OSS portions of raft non-voters

* add file

* Update vault/raft.go

Co-Authored-By: Vishal Nayak <vishalnayak@users.noreply.github.com>
2019-10-11 11:56:59 -07:00
Nick Cabatoff 85e387439e go mod vendor and go mod tidy 2019-10-04 09:14:37 -04:00
Calvin Leung Huang 3f1c7c86a0
sys: add host-info endpoint (#7330)
* sys: add host-info endpoint, add client API method

* remove old commented handler

* add http tests, fix bugs

* query all partitions for disk usage

* fix Timestamp decoding

* add comments for clarification

* dont append a nil entry on disk usage query error

* remove HostInfo from the sdk api

We can use Logical().Read(...) to query this endpoint since the payload is contained with the data object. All warnings are preserved under Secret.Warnings.

* ensure that we're testing failure case against a standby node

* add and use TestWaitStandby to ensure core is on standby

* remove TestWaitStandby

* respond with local-only error

* move HostInfo into its own helper package

* fix imports; use new no-forward handler

* add cpu times to collection

* emit clearer multierrors/warnings by collection type

* add comments on HostInfo fields
2019-10-03 09:43:52 -07:00
Jeff Mitchell 1fd71ed774 Bump API's SDK 2019-09-19 09:42:45 -04:00
Matthew Irish 6e4cc02f4d
expose 'storage_type' on the sys/seal-status endpoint (#7486)
* expose 'storage_type' on the sys/seal-status endpoint

* add comments

* Update vault/core.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
2019-09-18 14:07:18 -05:00
Jeff Mitchell fbfeda9576 Bump API's sdk 2019-09-18 09:10:23 -04:00
Mike Jarmy ecfcdc329e
use api.Config.Timeout instead of http.Client.Timeout for 60s request timeout default (#7469) 2019-09-13 08:28:58 -04:00
Jeff Mitchell 3190d37915 Update api's SDK 2019-09-04 12:45:30 -04:00
Jeff Mitchell faa4f6bb77 Bump retryablehttp again 2019-08-26 15:39:27 -04:00
Jeff Mitchell be5a2bde22 Bump go-retryablehttp version 2019-08-26 14:44:03 -04:00
Jeff Mitchell a8e9bdaaf4 Bump api's sdk 2019-08-05 18:02:15 -04:00
Jeff Mitchell 356faff9ab Update api's sdk 2019-07-30 00:23:57 -04:00
Jeff Mitchell 522c11e654 Update api's sdk version 2019-07-25 12:57:51 -04:00
Jeff Mitchell 5c898b8674 Pull in sdk 0.1.12 to api 2019-07-25 12:16:06 -04:00
Nick Cabatoff 3f1d1765ec Update sdk to grpc 1.22 for https://github.com/grpc/grpc-go/pull/2818 which caused intermittent ent test failures. 2019-07-24 11:45:58 -04:00
Jeff Mitchell 58dcca680a Bump API's SDK 2019-07-19 10:39:32 -04:00
Calvin Leung Huang e869893df3
logical: add support for passing data to delete (#7139)
* logical: add support for passing data to delete

* add back raft bit

* add back raft bit

* update error message

* fix command delete tests
2019-07-18 10:42:36 -07:00
Jeff Mitchell f522dd8f35
Add backwards compat support for API env vars (#7135)
Several env vars got renamed in
https://github.com/hashicorp/vault/pull/6306. This re-adds support for
those.

Indirectly addresses
https://github.com/hashicorp/consul-template/pull/1233 although they
should still update to the new values.
2019-07-17 06:29:25 -04:00
Jeff Mitchell b12a49f19f Bump api's sdk 2019-07-09 04:01:32 -04:00
Jeff Mitchell b86c920b6c Bump sdk in api 2019-07-08 19:04:47 -04:00
Jeff Mitchell 6be11db56e Update api's sdk 2019-07-03 00:13:12 -04:00
Jeff Mitchell 28b5670d49 Bump api's sdk 2019-07-02 22:18:09 -04:00
Jeff Mitchell 3168ae809b Bump sdk 2019-07-02 10:24:43 -04:00
Jeff Mitchell 5217bb882f Bump API's sdk 2019-07-02 09:52:36 -04:00
Jeff Mitchell fc4491890b Bump api's sdk import 2019-07-01 18:29:23 -04:00
Michel Vocks 2b5aca4300
Token identity support (#6267)
* Implemented token backend support for identity

* Fixed tests

* Refactored a few checks for the token entity overwrite. Fixed tests.

* Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list

* go mod vendor

* Added glob pattern

* Optimized allowed entity alias check

* Added test for asterisk only

* Changed to glob pattern anywhere

* Changed response code in case of failure. Changed globbing pattern check. Added docs.

* Added missing token role get parameter. Added more samples

* Fixed failing tests

* Corrected some cosmetical review points

* Changed response code for invalid provided entity alias

* Fixed minor things

* Fixed failing test
2019-07-01 11:39:54 +02:00