Commit graph

180 commits

Author SHA1 Message Date
Jeff Mitchell 348be0e50b Remove RevokePrefix from the API too as we simply do not support it any
longer.
2016-04-05 11:00:12 -04:00
Jeff Mitchell afae46feb7 SealInterface 2016-04-04 10:44:22 -04:00
vishalnayak 4e6dcfd6d0 Enable callbacks for handling logical.Request changes before processing requests 2016-03-17 22:29:53 -04:00
vishalnayak f275cd2e9c Fixed capabilities API to receive logical response 2016-03-17 21:03:32 -04:00
vishalnayak a5d79d587a Refactoring the capabilities function 2016-03-17 21:03:32 -04:00
vishalnayak 71fc07833f Rename id to path and path to file_path, print audit backend paths 2016-03-14 17:15:07 -04:00
Vishal Nayak c70b4bbbb2 Merge pull request #1201 from hashicorp/accessor-cli-flags
Accessor CLI flags
2016-03-11 09:55:45 -05:00
vishalnayak b8d202f920 Restore RevokeSelf API 2016-03-11 06:30:45 -05:00
vishalnayak 0486fa1a3a Added accessor flag to token-revoke CLI 2016-03-10 21:21:20 -05:00
vishalnayak ed8a096596 Add accessor flag to token-lookup command and add lookup-accessor client API 2016-03-10 21:21:20 -05:00
Seth Vargo 30f24dd5cc Validate HCL for SSHHelper too 2016-03-10 16:47:46 -05:00
Jeff Mitchell fa2ba47a5c Merge branch 'master' into token-roles 2016-03-09 17:23:34 -05:00
Jeff Mitchell 6df72e6efd Merge pull request #1168 from hashicorp/revoke-force
Add forced revocation.
2016-03-09 16:59:52 -05:00
vishalnayak 151c932875 AccessorID --> Accessor, accessor_id --> accessor 2016-03-09 06:23:31 -05:00
vishalnayak 301776012f Introduced AccessorID in TokenEntry and returning it along with token 2016-03-08 14:06:10 -05:00
Jeff Mitchell cc1f5207b3 Merge branch 'master' into token-roles 2016-03-07 10:03:54 -05:00
vishalnayak 9946a2d8b5 refactoring changes due to acl.Capabilities 2016-03-04 18:55:48 -05:00
vishalnayak 7fe871e60a Removing the 'Message' field 2016-03-04 10:36:03 -05:00
vishalnayak 286e63a648 Handled root token use case 2016-03-04 10:36:03 -05:00
vishalnayak 5749a6718c Added sys/capabililties endpoint 2016-03-04 10:36:02 -05:00
Jeff Mitchell 0d46fb4696 Create a unified function to sanitize mount paths.
This allows mount paths to start with '/' in addition to ensuring they
end in '/' before leaving the system backend.
2016-03-03 13:13:47 -05:00
Jeff Mitchell 3e7bca82a1 Merge pull request #1146 from hashicorp/step-down
Provide 'sys/step-down' and 'vault step-down'
2016-03-03 12:30:08 -05:00
Jeff Mitchell cd86226845 Add forced revocation.
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.

This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.

Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.

Fixes #1135
2016-03-03 10:13:59 -05:00
Jeff Mitchell 54232eb980 Add other token role unit tests and some minor other changes. 2016-03-01 12:41:41 -05:00
Jeff Mitchell ef990a3681 Initial work on token roles 2016-03-01 12:41:40 -05:00
vishalnayak aee006ba2d moved the test cert keys to appropriate test-fixtures folder 2016-02-29 15:49:08 -05:00
Jeff Mitchell d131d99c34 Merge branch 'master' into step-down 2016-02-29 11:02:09 -05:00
vishalnayak dca18aec2e replaced old certs, with new certs generated from PKI backend, containing IP SANs 2016-02-28 22:15:54 -05:00
Jeff Mitchell 11ddd2290b Provide 'sys/step-down' and 'vault step-down'
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.

Fixes #1093
2016-02-26 19:43:55 -05:00
vishalnayak d02d3124b5 fix api tests 2016-02-26 17:01:40 -05:00
Robert M. Thomson 024407518b Add VAULT_TLS_SERVER_NAME environment variable
If specified, verify a specific server name during TLS negotiation
rather than the server name in the URL.
2016-02-25 17:28:49 +01:00
vishalnayak c42ade8982 Use tls_skip_verify in vault-ssh-helper 2016-02-23 17:32:49 -05:00
vishalnayak 00d01043fd ssh-helper api changes 2016-02-23 00:16:00 -05:00
Jeff Mitchell 5f5542cb91 Return status for rekey/root generation at init time. This mitigates a
(very unlikely) potential timing attack between init-ing and fetching
status.

Fixes #1054
2016-02-12 14:24:36 -05:00
Jeff Mitchell 0c427e27e9 Add some documentation to the API revoke functions 2016-02-03 11:42:13 -05:00
Paul Hinze 073965de8c Parse and return MountConfigOutput from API
When working on the Terraform / Vault integration I came across the fact
that `Sys().MountConfig(...)` didn't seem to return a response struct,
even though it's a `GET` method.

Looks like just a simple oversight to me. This fix does break API BC,
but the method had no use without its return value so I feel like that's
probably a mitigating factor.
2016-02-02 17:11:05 -06:00
Jeff Mitchell 88310ca538 Fix up unit tests to expect new values 2016-01-29 19:36:56 -05:00
Jeff Mitchell 5341cb69cc Updates and documentation 2016-01-22 10:07:32 -05:00
Jeff Mitchell d17c3f4407 Fix body closing in List method 2016-01-22 10:07:32 -05:00
Jeff Mitchell 10c307763e Add list capability, which will work with the generic and cubbyhole
backends for the moment. This is pretty simple; it just adds the actual
capability to make a list call into both the CLI and the HTTP handler.
The real meat was already in those backends.
2016-01-22 10:07:32 -05:00
Jeff Mitchell 973c888833 RootGeneration->GenerateRoot 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b994dbc7f Add the ability to generate root tokens via unseal keys. 2016-01-19 18:28:10 -05:00
Jeff Mitchell f6d2271a3c Use an array of keys so that if the same fingerprint is used none are lost when using PGP key backup 2016-01-08 14:29:23 -05:00
Jeff Mitchell 26e1837a82 Some minor rekey backup fixes 2016-01-08 14:09:40 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Nicki Watt 442d538deb Make token-lookup functionality available via Vault CLI 2015-12-29 20:18:59 +00:00
Nicki Watt 939bc5ad9c Corrected HTTP Method for api.TokenAuth.LookupSelf() method 2015-12-28 00:05:15 +00:00
Jeff Mitchell bf2bf06997 Use cleanhttp.DefaultTransport rather than instantiating directly to avoid leaked FDs 2015-12-17 15:23:13 -05:00
Jeff Mitchell e25b3ad344 Update documentation to be consistent with return codes
Fixes #831
2015-12-10 10:26:40 -05:00
Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
2015-11-18 20:26:03 -05:00