Commit graph

10725 commits

Author SHA1 Message Date
Calvin Leung Huang 5428ab50ee audit: log invalid wrapping token request/response (#6541)
* audit: log invalid wrapping token request/response

* Update helper/consts/error.go

Co-Authored-By: calvn <cleung2010@gmail.com>

* update error comments

* Update vault/wrapping.go

Co-Authored-By: calvn <cleung2010@gmail.com>

* update comment

* move validateWrappingToken out of http and into logical

* minor refactor, add test cases

* comment rewording

* refactor validateWrappingToken to perform audit logging

* move ValidateWrappingToken back to wrappingVerificationFunc

* Fix tests

* Review feedback
2019-07-05 14:15:14 -07:00
Becca Petrin 0663a2665c
add a reader that takes stdin (#7074) 2019-07-05 13:36:44 -07:00
Clint f27dc7d5f8 Combined Database backend: Add Static Account support to MongoDB (#7003)
* Implement SetCredentials for MongoDB, adding support for static accounts

* rework SetCredentials to split from CreateUser, and to parse the url for database

* Add integration test for mongodb static account rotation

* check the length of the password results to avoid out-of-bounds

* remove unused method

* use the pre-existing test helper for this. Add parse method to helper

* remove unused command
2019-07-05 14:57:01 -04:00
Clint 28447e00a3 Combined Database backend: Add Static Account support to MySQL (#6970)
* temp support for mysql+static accounts

* remove create/update database user for static accounts

* update tests after create/delete removed

* small cleanups

* update postgresql setcredentials test

* temp support for mysql+static accounts

* Add Static Account support to MySQL

* add note that MySQL supports static roles

* remove code comment

* tidy up tests

* Update plugins/database/mysql/mysql_test.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* Update plugins/database/mysql/mysql.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* update what password we test

* refactor CreateUser and SetCredentials to use a common helper

* add close statements for statements in loops

* remove some redundant checks in the mysql test

* use root rotation statements as default for static accounts

* missed a file save
2019-07-05 14:52:56 -04:00
Clint cd6b0b2de5 Combined Database backend: Add GenerateCredentials to the CredentialsProducer Interface (#7010)
* Add GenerateCredentials to the CredentialsProducer Interface, add default implementation

* Remove GenerateCredentials implementation from database plugins
2019-07-05 14:34:47 -04:00
Matthew Irish d23bef606a
Actually lazy load swagger ui (#7067)
* switch to dynamic imports so that bundling doesn't include swagger-ui-dist in its vendor file

* remove ember-ajax

* delete comment

* update comment about lazy loading in the engine index.js
2019-07-05 10:28:41 -05:00
Jim Kalafut 150d75756a
changelog++ 2019-07-03 15:56:19 -07:00
Brian Kassouf 4d7d0d729a
storage/raft: When restoring a snapshot preseal first (#7011)
* storage/raft: When restoring a snapshot preseal first

* best-effort allow standbys to apply the restoreOp before sealing active node

* Don't cache the raft tls key

* Update physical/raft/raft.go

* Move pending raft peers to core

* Fix race on close bool

* Extend the leaderlease time for tests

* Update raft deps

* Fix audit hashing

* Fix race with auditing
2019-07-03 13:56:30 -07:00
Noelle Daley a045f206f8
Fix barchart bugs (#7063)
* ensure dropdown works in storybook by handling Dates and strings

* camelcase fix

* ensure tooltip doesn't blink
2019-07-03 13:52:56 -07:00
Jim Kalafut ee84319f4f
Fix issuer (#7064) 2019-07-03 13:52:29 -07:00
Noelle Daley 5cd7e924fe
Http request volume/dropdown (#7016)
* init dropdown

* add dropdown to storybook

* move http requests components into container

* add event handler for selecting new time window

* no need for this. in the template

* filter bar chart and table

* add bar chart transitions

* handle Last 12 Months in dropdown

* don't use fake data

* start tests

* add jsdoc and notes for storybook

* add container to storybook

* compute filteredCounters when counters change

* move static dropdown options to template

* add tests

* style the dropdown

* use this.elementId

* fix linting errors

* use ember array extensions

* use fillIn instead of page object and make dom assertions consistent

* calculate the correct percent change between months

* use data-test selector instead of id

* show plus or minus next to percent change
2019-07-03 10:46:40 -07:00
Lexman 19b67fc617
Fixed some typos in an error message in the OIDC backend that can arise when signing a token against a role (#7059)
* fixes a typo in an error message

* error msg shouldn't start with a capital letter
2019-07-03 09:31:31 -07:00
Jim Kalafut d38468aacb
Remove unneeded context parameter (#7057) 2019-07-03 07:12:46 -07:00
Matthew Irish 267d5e7e40
make style overrides more specific because loading order isn't guaranteed (#7049) 2019-07-03 08:17:14 -05:00
Mike Jarmy 9c0d9f6fc0
fix output-curl-string for 'vault kv patch' (#6848)
* fix output-curl-string for 'vault-kv-patch'

* improve comments
2019-07-03 09:03:35 -04:00
Jeff Mitchell d7cabc2174
Change regexes for reading entity/group names (#7055)
We don't restrict the name itself, so we shouldn't restrict lookup.

Fixes #7054
2019-07-03 08:56:01 -04:00
Michel Vocks 71e6be653b Changelog: Added new agent namespace config option 2019-07-03 09:37:13 +02:00
Michel Vocks 524c7517e9
Add namespace config option to agent auto-auth config (#6988)
* Added namespace option to vault agent auto-auth method

* Implemented review feedback
2019-07-03 09:33:20 +02:00
Lexman 439d773683
Refactor periodic func test in the OIDC backend to work with namespaces (#7050)
* adds allowed_roles field to identity token keys and updates tests

* removed a comment that was redundant

* allowed_roles uses role client_id s instead of role names

* renamed allowed_roles to allowed_clients

* renamed allowed_clients to allowed_clientIDs

* WIP

* Kinda working?

* Handle nil during rotation

* Update discovery document

* WIP

* removes some warning messages and checks on keys when creating a role

* Path issuer ns/specific

* Fix nspath handling

* Update issuer handling

* Add locking around key updates

* Cleanup

* Fix nextRun handling

* saving work

* Include namespace in token

* saving work

* saving work

* happy path

* saving work

* sharing debug msgs

* Merge branch 'master' into refactor_periodic_func_test

# Conflicts:
#	vault/identity_store_oidc.go
#	vault/identity_store_oidc_test.go

* use MatchingStorageByAPIPath instead of logical.InmemStorage
2019-07-02 22:23:18 -07:00
Jeff Mitchell b35aa24c7f Bump auth plugins 2019-07-03 00:47:07 -04:00
Jeff Mitchell 76216398da Bump api/sdk 2019-07-03 00:14:05 -04:00
Jeff Mitchell 6be11db56e Update api's sdk 2019-07-03 00:13:12 -04:00
Jeff Mitchell 16479c503d Fix another backwards compat issue 2019-07-03 00:11:51 -04:00
Jeff Mitchell fd856bdd24
Fix some compatibility (#7048) 2019-07-02 23:29:42 -04:00
Jim Kalafut 2721c3a629
Namespace support for identity tokens (#7045) 2019-07-02 20:15:43 -07:00
Jeff Mitchell ab453c0a37 Update api/sdk 2019-07-02 22:18:30 -04:00
Jeff Mitchell 28b5670d49 Bump api's sdk 2019-07-02 22:18:09 -04:00
Jeff Mitchell 94b235452c changelog++ 2019-07-02 22:17:35 -04:00
Jeff Mitchell a3fc497fec
Fix batch token test (#7047)
At the level of role config it doesn't mean anything to use
default-service or default-batch; that's for mount tuning. So disallow
it in tokenutil. This also fixes the fact that the switch statement
wasn't right.
2019-07-02 22:16:43 -04:00
Jeff Mitchell 924ec944b5 Add connection to test request 2019-07-02 21:04:54 -04:00
Jeff Mitchell 70ee688bbf Bump sdk 2019-07-02 21:02:07 -04:00
Jeff Mitchell e36f626e75 Fix import cycle 2019-07-02 21:01:34 -04:00
Jeff Mitchell 9ca8412add Bump sdk 2019-07-02 21:00:25 -04:00
Jeff Mitchell 4b85cb3098 Update sdk's testrequest with connection value 2019-07-02 20:59:48 -04:00
Matthew Irish cc60bc5e56
changelog++ 2019-07-02 17:48:01 -05:00
Matthew Irish 311cc49c61
UI - Vault API explorer engine (#7044)
* open-api-explorer engine with embedded swagger-ui

* move swagger config to a component, rely directly on swagger-ui

* filter operations by endpoint, hook up filter to query param, add namespace handling

* fix namespace handling

* update ember-engines so that we can app.import in a lazy engine

* use engine's included hook to move swagger-ui to engine-vendor.* files

* show flash message about this being a live vault server

* show a namespace reminder and override some styles from swagger-ui

* switch filter to use includes instead of startsWith

* move flash-message to alert-banner and fix namespace reminder with a block

* adds explore web-cli command to navigate to the api-explorer engine

* allow passing a preformatted string to flash messages

* add multi-line flash-message to api explorer

* invert control and trigger events on react app so we can control the layout more and use our components

* tweak styling some more and adjust message on the flash

* change web cli command from 'explore' to 'api'

* shorten namespace warning

* fix console

* fix comments
2019-07-02 17:41:23 -05:00
Jeff Mitchell 9baf59dcdc Update auth plugins 2019-07-02 18:40:41 -04:00
ncabatoff d2beeefe79
Add support for hashing time.Time within slices (#6767)
Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters.  

Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs.  HashStructure now modifies in place instead of copying.

Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed.

Enable auditing on test clusters by default if the caller didn't specify any audit backends.  If they do, they're responsible for setting it up.
2019-07-02 18:18:40 -04:00
Garrett T 8fc4a63796 Set MaxIdleConns to reduce connection churn (postgresql physical) (#6967)
* Set MaxIdleConns to reduce connection churn (postgresql physical)

* Make new  "max_idle_connection" config option for physical postgresql

* Add docs for "max_idle_connections" for postgresql storage

* Add minimum version to docs for max_idle_connections
2019-07-02 15:03:56 -07:00
Lexman b74591f934
adds allowed_client_ids field to identity token named keys (#6993)
* adds allowed_roles field to identity token keys and updates tests

* removed a comment that was redundant

* allowed_roles uses role client_id s instead of role names

* renamed allowed_roles to allowed_clients

* renamed allowed_clients to allowed_clientIDs

* removes some warning messages and checks on keys when creating a role

* removes name field being set unneededly
2019-07-02 14:46:22 -07:00
Jeff Mitchell 7b672fee99
Add bound cidr checking at login time for remaining auths (#7046) 2019-07-02 17:44:38 -04:00
Michael Gaffney 4044cff8f2
Merge branch 'master' into mgaffney/kv-delete-version-after 2019-07-02 17:27:36 -04:00
Matthew Irish ddf8c20219
UI - add delete for the various kmip models (#7015)
* add menu-loader component to show menu loading button when the model relationship isPending

* list what keys we've got in api-path error

* fix spacing issue on error flash

* add an action on list-controller that bubbles to the list-route mixin to refresh the route

* empty store when creating scopes

* don't delete _requestQuery in the loop, do it after

* add scope deletion from the scope list

* add deleteRecord to kmip adapters

* add model-wrap component

* delete role from detail page and list

* add revoke credentials functionality

* fix comment

* treat all operations fields specially on kmip roles

* adjust kmip role edit form for new fields

* fix api-path test

* update document blocks for menu-loader and model-wrap components
2019-07-02 16:23:07 -05:00
Jeff Mitchell ba29917e25 Fix github config path returning 500 instead of 404 2019-07-02 12:57:48 -04:00
Michael Gaffney 395e10957d
changelog++ 2019-07-02 10:59:14 -04:00
Jeff Mitchell 02120cfe5e Bump api/sdk 2019-07-02 10:25:04 -04:00
Jeff Mitchell 3168ae809b Bump sdk 2019-07-02 10:24:43 -04:00
Jeff Mitchell d7243f910a
Re-enable toggling renewable off for tokens (#7043)
Earlier in tokenutil's dev it seemed like there was no reason to allow
auth plugins to toggle renewability off. However, it turns out Centrify
makes use of this for sensible reasons. As a result, move the forcing-on
of renewability into tokenutil, but then allow overriding after
PopulateTokenAuth is called.
2019-07-02 10:23:46 -04:00
Jeff Mitchell 66431f37b0 Bump api/sdk 2019-07-02 09:53:02 -04:00
Jeff Mitchell 5217bb882f Bump API's sdk 2019-07-02 09:52:36 -04:00