Commit Graph

411 Commits

Author SHA1 Message Date
vishalnayak 5749a6718c Added sys/capabilities endpoint 2016-03-04 10:36:02 -05:00
Jeff Mitchell 0d46fb4696 Create a unified function to sanitize mount paths.
This allows mount paths to start with '/' in addition to ensuring they
end in '/' before leaving the system backend.
2016-03-03 13:13:47 -05:00
Jeff Mitchell 3e7bca82a1 Merge pull request #1146 from hashicorp/step-down
Provide 'sys/step-down' and 'vault step-down'
2016-03-03 12:30:08 -05:00
Jeff Mitchell cd86226845 Add forced revocation.
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.

This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.

Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.

Fixes #1135
2016-03-03 10:13:59 -05:00
Jeff Mitchell 54232eb980 Add other token role unit tests and some minor other changes. 2016-03-01 12:41:41 -05:00
Jeff Mitchell ef990a3681 Initial work on token roles 2016-03-01 12:41:40 -05:00
vishalnayak aee006ba2d moved the test cert keys to appropriate test-fixtures folder 2016-02-29 15:49:08 -05:00
Jeff Mitchell d131d99c34 Merge branch 'master' into step-down 2016-02-29 11:02:09 -05:00
vishalnayak dca18aec2e replaced old certs, with new certs generated from PKI backend, containing IP SANs 2016-02-28 22:15:54 -05:00
Jeff Mitchell 11ddd2290b Provide 'sys/step-down' and 'vault step-down'
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.

Fixes #1093
2016-02-26 19:43:55 -05:00
vishalnayak d02d3124b5 fix api tests 2016-02-26 17:01:40 -05:00
Robert M. Thomson 024407518b Add VAULT_TLS_SERVER_NAME environment variable
If specified, verify a specific server name during TLS negotiation
rather than the server name in the URL.
2016-02-25 17:28:49 +01:00
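The behaviour this commit describes, as an added example that is not Vault's own client code: the name passed in `tls.Config.ServerName` is what Go verifies the server certificate against (and sends as SNI), regardless of the host in the URL. The `newVaultClient`, `probe` and `startFakeVault` names are assumptions made for this illustration; the stand-in server is `httptest`'s TLS server, whose self-signed certificate is valid for `127.0.0.1`, `::1` and `example.com`, so a URL of `https://127.0.0.1:<port>` verifies with the override set to `example.com` and fails with any other name.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// newVaultClient builds an HTTP client whose TLS verification checks
// serverName (the VAULT_TLS_SERVER_NAME value) instead of the host in the URL.
// An empty serverName keeps Go's default of verifying against the URL host.
// rootCAs is the trust store; nil means the system roots.
func newVaultClient(rootCAs *x509.CertPool, serverName string) *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				RootCAs:    rootCAs,
				ServerName: serverName, // verified against the cert and sent as SNI
				MinVersion: tls.VersionTLS12,
			},
		},
	}
}

// serverNameFromEnv reads the override the way a CLI would.
func serverNameFromEnv() string {
	return os.Getenv("VAULT_TLS_SERVER_NAME")
}

// probe performs one request and returns the TLS or HTTP error, if any.
func probe(client *http.Client, url string) error {
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// startFakeVault is a constructed stand-in for a Vault listener: httptest's
// TLS server with a self-signed cert for 127.0.0.1, ::1 and example.com.
func startFakeVault() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(`{"sealed":false}`))
	}))
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return srv, pool
}

func main() {
	srv, pool := startFakeVault()
	defer srv.Close()
	// srv.URL is https://127.0.0.1:<port>; only the name in ServerName is verified.
	for _, name := range []string{"", "example.com", "vault.internal"} {
		err := probe(newVaultClient(pool, name), srv.URL)
		fmt.Printf("VAULT_TLS_SERVER_NAME=%q -> err=%v\n", name, err)
	}
}
```

The override is useful when a Vault cluster is reached through an IP or an internal alias that is not in the certificate; the caveat is that it only relaxes which name is checked, never whether the chain is trusted, so it is not a substitute for `tls_skip_verify` and should not be set to a name the server does not legitimately hold.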
vishalnayak c42ade8982 Use tls_skip_verify in vault-ssh-helper 2016-02-23 17:32:49 -05:00
vishalnayak 00d01043fd ssh-helper api changes 2016-02-23 00:16:00 -05:00
Jeff Mitchell 5f5542cb91 Return status for rekey/root generation at init time. This mitigates a
(very unlikely) potential timing attack between init-ing and fetching
status.

Fixes #1054
2016-02-12 14:24:36 -05:00
Jeff Mitchell 0c427e27e9 Add some documentation to the API revoke functions 2016-02-03 11:42:13 -05:00
Paul Hinze 073965de8c Parse and return MountConfigOutput from API
When working on the Terraform / Vault integration I came across the fact
that `Sys().MountConfig(...)` didn't seem to return a response struct,
even though it's a `GET` method.

Looks like just a simple oversight to me. This fix does break API BC,
but the method had no use without its return value so I feel like that's
probably a mitigating factor.
2016-02-02 17:11:05 -06:00
Jeff Mitchell 88310ca538 Fix up unit tests to expect new values 2016-01-29 19:36:56 -05:00
Jeff Mitchell 5341cb69cc Updates and documentation 2016-01-22 10:07:32 -05:00
Jeff Mitchell d17c3f4407 Fix body closing in List method 2016-01-22 10:07:32 -05:00
Jeff Mitchell 10c307763e Add list capability, which will work with the generic and cubbyhole
backends for the moment. This is pretty simple; it just adds the actual
capability to make a list call into both the CLI and the HTTP handler.
The real meat was already in those backends.
2016-01-22 10:07:32 -05:00
Jeff Mitchell 973c888833 RootGeneration->GenerateRoot 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b994dbc7f Add the ability to generate root tokens via unseal keys. 2016-01-19 18:28:10 -05:00
Jeff Mitchell f6d2271a3c Use an array of keys so that if the same fingerprint is used none are lost when using PGP key backup 2016-01-08 14:29:23 -05:00
Jeff Mitchell 26e1837a82 Some minor rekey backup fixes 2016-01-08 14:09:40 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Nicki Watt 442d538deb Make token-lookup functionality available via Vault CLI 2015-12-29 20:18:59 +00:00
Nicki Watt 939bc5ad9c Corrected HTTP Method for api.TokenAuth.LookupSelf() method 2015-12-28 00:05:15 +00:00
Jeff Mitchell bf2bf06997 Use cleanhttp.DefaultTransport rather than instantiating directly to avoid leaked FDs 2015-12-17 15:23:13 -05:00
Jeff Mitchell e25b3ad344 Update documentation to be consistent with return codes
Fixes #831
2015-12-10 10:26:40 -05:00
Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
2015-11-18 20:26:03 -05:00
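How the lookup described in this commit works in practice, as an added example rather than Vault's own implementation: the audit backend obfuscates sensitive values with HMAC-SHA256 keyed by a per-backend salt, so an operator who knows a plaintext (a token, a secret value) can hash it with that backend's salt and search the log for the result. The `auditHash`, `hashMatches`, `findInAuditLog` and `sampleAuditLog` names, the `hmac-sha256:` prefix, the salts and the log lines are all constructed for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// auditHash reproduces the obfuscation the commit describes: HMAC-SHA256 over
// the input, keyed with the audit backend's salt. The "hmac-sha256:" prefix
// is an assumption made here for readable log lines, not a claim about
// Vault's exact output format.
func auditHash(salt []byte, input string) string {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(input))
	return "hmac-sha256:" + hex.EncodeToString(mac.Sum(nil))
}

// hashMatches compares a hashed log value against a plaintext candidate in
// constant time, which is what a lookup tool should do rather than ==.
func hashMatches(salt []byte, hashed, candidate string) bool {
	return hmac.Equal([]byte(hashed), []byte(auditHash(salt, candidate)))
}

// findInAuditLog returns the indexes of log lines that contain the hashed
// form of plaintext under this backend's salt.
func findInAuditLog(salt []byte, plaintext string, lines []string) []int {
	needle := auditHash(salt, plaintext)
	var hits []int
	for i, line := range lines {
		if strings.Contains(line, needle) {
			hits = append(hits, i)
		}
	}
	return hits
}

// sampleAuditLog builds three constructed audit lines for the given salt;
// line 1 was written by a client using the token "s.example-token".
func sampleAuditLog(salt []byte) []string {
	return []string{
		`{"type":"request","auth":{"client_token":"` + auditHash(salt, "s.other-token") + `"},"request":{"path":"secret/app"}}`,
		`{"type":"request","auth":{"client_token":"` + auditHash(salt, "s.example-token") + `"},"request":{"path":"sys/mounts"}}`,
		`{"type":"response","auth":{"client_token":"` + auditHash(salt, "s.other-token") + `"},"request":{"path":"secret/app"}}`,
	}
}

func main() {
	fileSalt := []byte("constructed-salt-for-file-backend")
	syslogSalt := []byte("constructed-salt-for-syslog-backend")
	log := sampleAuditLog(fileSalt)
	fmt.Println("lines using s.example-token:", findInAuditLog(fileSalt, "s.example-token", log))
	// The same token hashes differently per backend, which is why the
	// endpoint is asked for a specific audit backend's hash.
	fmt.Println("identical under the other backend's salt:",
		auditHash(fileSalt, "s.example-token") == auditHash(syslogSalt, "s.example-token"))
}
```

Because the salt is the HMAC key, anyone who can read the log but not call `/sys/audit-hash` (or obtain the salt) cannot confirm guesses offline; that is the property that makes exposing the hash through a sudo-protected endpoint, rather than publishing the salt, the right design.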
Jeff Mitchell 1a45696208 Add no-default-policy flag and API parameter to allow exclusion of the
default policy from a token create command.
2015-11-09 17:30:50 -05:00
Jeff Mitchell 32e23bea71 Move environment variable reading logic to API.
This allows the same environment variables to be read, parsed, and used
from any API client as was previously handled in the CLI. The CLI now
uses the API environment variable reading capability, then overrides any
values from command line flags, if necessary.

Fixes #618
2015-11-04 10:28:00 -05:00
Jeff Mitchell 195caa6bf6 Implement LookupSelf, RevokeSelf, and RenewSelf in the API client
Fixes #739
2015-10-30 17:27:33 -04:00
Jeff Mitchell c1d8b97342 Add reset support to the unseal command.
Reset clears the provided unseal keys, allowing the process to be begun
again. Includes documentation and unit test changes.

Fixes #695
2015-10-28 15:59:39 -04:00
Jeff Mitchell 22c65c0c07 Use cleanhttp instead of bare http.Client 2015-10-22 14:37:12 -04:00
Jeff Mitchell cba4e82682 Don't use http.DefaultClient
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.

Fixes #700, I believe.
2015-10-15 17:54:00 -04:00
Jeff Mitchell b8455be005 Support and use TTL instead of lease for token creation 2015-10-09 19:52:13 -04:00
Jeff Mitchell b5d674d94e Add 301 redirect checking to the API client.
Vault doesn't generate these, but in some cases Go's internal HTTP
handler does. For instance, during a mount-tune command, finishing the
mount path with / (as in secret/) would cause the final URL path to
contain .../mounts/secret//tune. The double slash would trigger this
behavior in Go's handler and generate a 301. Since Vault generates 307s,
this would cause the client to think that everything was okay when in
fact nothing had happened.
2015-10-09 17:11:31 -04:00
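The failure this commit describes, reproduced as an added example (not Vault's client code): a trailing slash in the mount name produces `.../mounts/secret//tune`, Go's `http.ServeMux` answers the repeated slash with a 301 to the cleaned path, and the default client follows a 301 to a POST by re-issuing it as a body-less GET, so the caller sees 200 while nothing was tuned. A client that stops at the first redirect and treats a 301 as an error surfaces the problem instead. The `tuneMount`, `newStrictClient` and `newFakeVault` names and the stand-in server are assumptions made for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

// ErrUnexpected301 is returned when the server answers with a 301. Vault only
// issues 307s (standby-to-active redirects), so a 301 means something else,
// here the mux's path cleaning, rewrote the request.
var ErrUnexpected301 = errors.New("unexpected 301 redirect: Vault only issues 307s")

// newStrictClient returns a client that stops at the first redirect so the
// caller can inspect the status code instead of silently following it.
func newStrictClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// tuneMount POSTs a tune request for mountPath. With a default client a
// trailing slash in mountPath ("secret/") yields ".../secret//tune", which
// the server's mux answers with a 301; the client follows it as a GET without
// the body and reports success. With the strict client the 301 is an error.
func tuneMount(client *http.Client, addr, mountPath string) (int, error) {
	url := addr + "/v1/sys/mounts/" + mountPath + "/tune"
	resp, err := client.Post(url, "application/json",
		strings.NewReader(`{"default_lease_ttl":"1h"}`))
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	if resp.StatusCode == http.StatusMovedPermanently {
		return resp.StatusCode, ErrUnexpected301
	}
	return resp.StatusCode, nil
}

// fakeVault is a constructed stand-in for a Vault server: an http.ServeMux
// (which is what emits the 301) with a tune handler that counts real POSTs.
type fakeVault struct {
	srv   *httptest.Server
	tuned atomic.Int32
}

func newFakeVault() *fakeVault {
	fv := &fakeVault{}
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/sys/mounts/", func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost && strings.HasSuffix(r.URL.Path, "/tune") {
			fv.tuned.Add(1)
			w.WriteHeader(http.StatusNoContent)
			return
		}
		// A followed 301 arrives as a body-less GET: nothing is tuned, yet 200.
		w.WriteHeader(http.StatusOK)
	})
	fv.srv = httptest.NewServer(mux)
	return fv
}

func main() {
	fv := newFakeVault()
	defer fv.srv.Close()
	clients := []struct {
		name   string
		client *http.Client
	}{{"default", &http.Client{}}, {"strict", newStrictClient()}}
	for _, c := range clients {
		code, err := tuneMount(c.client, fv.srv.URL, "secret/")
		fmt.Printf("%s client: status=%d err=%v tuned=%d\n", c.name, code, err, fv.tuned.Load())
	}
}
```

Stopping at redirects also matters for Vault's own 307s: the original request, body included, has to be replayed against the active node, which Go's automatic redirect handling does not do for a consumed body; handling redirects manually is what makes both cases explicit.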
Dejan Golja 87c84db51b Increase default timeout to 30s which should allow for any operation
to complete.
2015-10-09 00:53:35 +11:00
Dejan Golja ea17b85d94 added a sensible default timeout for the vault client 2015-10-08 18:44:00 +11:00
Jeff Mitchell c7cec2aabc Add unit tests 2015-10-07 20:17:06 -04:00
Jeff Mitchell d740fd4a6a Add the ability for warnings to be added to responses. These are
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.

Fixes #676
2015-10-07 16:18:39 -04:00
Alexey Grachov 2bb6ec1e18 Fix some lint warnings. 2015-09-29 10:35:16 +03:00
Jeff Mitchell 62ac518ae7 Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend. 2015-09-25 10:41:21 -04:00
Jeff Mitchell f489c1c24e Ensure that the response body of logical calls is closed, even if there is an error. 2015-09-14 18:22:33 -04:00
Jeff Mitchell ace611d56d Address items from feedback. Make MountConfig use values rather than
pointers and change how config is read to compensate.
2015-09-10 15:09:54 -04:00
Jeff Mitchell 488d33c70a Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00
Jeff Mitchell 4239f9d243 Add DynamicSystemView. This uses a pointer to a pointer to always have
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.

Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell 696d0c7b1d Plumb per-mount config options through API 2015-09-10 15:09:53 -04:00
Jeff Mitchell 2002406155 Rather than use http.DefaultClient, which is simply &http.Client{},
create our own. This avoids some potential client race conditions when
they are setting values on the Vault API client while the default client
is being used elsewhere in other goroutines, as was seen in
consul-template.
2015-09-03 13:47:20 -04:00
Jeff Mitchell bc2d914905 Change variable name for clarity 2015-09-03 13:38:24 -04:00
Jeff Mitchell c56fd6b3fc Remove redirect handling code that was never being executed (redirects are manually handled within RawRequest). Add a sync.Once to fix a potential data race with setting the CheckRedirect function on the default http.Client 2015-09-03 13:34:45 -04:00
Jeff Mitchell 099deb4392 Merge pull request #587 from hashicorp/sethvargo/auth_token_tests
Add test coverage for auth tokens
2015-09-03 11:26:14 -04:00
Seth Vargo 4b33a1669b Add test coverage for auth tokens 2015-09-03 10:57:17 -04:00
Seth Vargo 6f248425a6 Update documentation around cookies 2015-09-03 10:36:59 -04:00
Mike Sample e847fbd596 corrected two typos 2015-08-27 00:05:19 -07:00
Jeff Mitchell cc232e6f79 Address comments from review. 2015-08-25 15:33:58 -07:00
Jeff Mitchell c887df93cc Add support for pgp-keys argument to rekey, as well as tests, plus
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Jeff Mitchell 2f3e245b0b Add support for "pgp-tokens" parameters to init.
There are thorough unit tests that read the returned
encrypted tokens, seal the vault, and unseal it
again to ensure all works as expected.
2015-08-25 14:52:13 -07:00
Jeff Mitchell a8ef0e8a80 Remove cookie authentication. 2015-08-21 19:46:23 -07:00
vishalnayak 2da717fd8b Vault SSH: Adding the missed out config file 2015-08-20 11:30:21 -07:00
vishalnayak 251cd997ad Vault SSH: TLS client creation test 2015-08-18 19:00:27 -07:00
vishalnayak b91ebbc6e2 Vault SSH: Documentation update and minor refactoring changes. 2015-08-17 18:22:03 -07:00
vishalnayak 330ef396ca Vault SSH: Default lease of 5 min for SSH secrets 2015-08-12 17:10:35 -07:00
vishalnayak 2d23ffe3d2 Vault SSH: Exposed verify request/response messages to agent 2015-08-12 13:22:48 -07:00
vishalnayak 212afb5d9e Vault SSH: Moved agent's client creation code to Vault's source 2015-08-12 13:09:32 -07:00
vishalnayak 9c8f4d0322 Vault SSH: Moved SSH agent config to Vault's source 2015-08-12 12:52:21 -07:00
vishalnayak f84347c542 Vault SSH: Added SSHAgent API 2015-08-12 10:48:58 -07:00
vishalnayak e782717ba8 Vault SSH: Renamed path with mountPoint 2015-08-12 10:30:50 -07:00
vishalnayak 33d7ef71b9 Vault SSH: Fixed constructor of SSH api 2015-08-12 09:56:17 -07:00
vishalnayak 93dfa67039 Merging changes from master 2015-08-12 09:28:16 -07:00
Seth Vargo 4c5a527dad Remove Sys.Login (unused) 2015-08-11 13:04:11 -04:00
vishalnayak 61c9f884a4 Vault SSH: Review Rework 2015-07-29 14:21:36 -04:00
Vishal Nayak b532ee0bf4 Vault SSH: Dynamic Key test case fix 2015-07-24 12:13:26 -04:00
Vishal Nayak 791a250732 Vault SSH: Support OTP key type from CLI 2015-07-23 17:20:28 -04:00
Vishal Nayak 27e66e175f Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-17 17:22:17 -04:00
Armon Dadgar 9e6a0ffe1b api: fixing 404 handling of GetPolicy 2015-07-13 19:20:00 +10:00
Vishal Nayak ad9a0da9c4 Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault 2015-07-10 16:18:08 -06:00
Jeff Mitchell e9730e4491 Fix nil dereference reading policies with a failing connection (for instance, bad cert) 2015-07-10 14:22:33 -04:00
Vishal Nayak 170dae7f91 Vault SSH: Revoking key after SSH session from CLI 2015-07-06 11:05:02 -04:00
Vishal Nayak a1e2705173 Vault SSH: PR review rework 2015-07-02 17:23:09 -04:00
Vishal Nayak d691a95531 Vault SSH: PR review rework - 1 2015-07-01 11:58:49 -04:00
Vishal Nayak 91ed2dcdc2 Refactoring changes 2015-06-29 22:00:08 -04:00
Vishal Nayak 8c15e2313b ssh/lookup implementation and refactoring 2015-06-25 21:47:32 -04:00
Vishal Nayak b237a3bcc2 POC: Rework. Doing away with policy file. 2015-06-24 18:13:12 -04:00
Vishal Nayak 303a7cef9a Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH. 2015-06-17 20:33:03 -04:00
Vishal Nayak 3ed73d98c2 Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect 2015-06-17 12:39:49 -04:00
Jeff Mitchell 2de991ac7a The docs say that if HttpClient is nil, http.DefaultClient will be used. However, the code doesn't do this, resulting in a nil dereference. 2015-06-04 14:01:10 -04:00
boncheff 5f15d1e5cc Update SPEC.md 2015-06-02 14:51:43 +01:00
Armon Dadgar 84618a2fde api: Support the rekey endpoints 2015-05-28 14:37:20 -07:00
Armon Dadgar efcdfd0066 api: Adding Rotate and KeyStatus 2015-05-27 18:05:23 -07:00
Seth Vargo fc2ac74c5f Improve error message when TLS is disabled
Fixes #198
2015-05-14 10:33:38 -04:00
Mitchell Hashimoto d4155ef9d8 api: human friendly error for TLS [GH-123] 2015-05-02 13:08:35 -07:00
Seth Vargo ee6963ee01 Use lowercase JSON keys for client_token 2015-04-24 12:00:00 -04:00
Seth Vargo cc25b8b15c Remove api dependency on http package 2015-04-23 19:58:44 -04:00
Seth Vargo e5fca055f7 Use VAULT_ADDR instead 2015-04-23 11:46:22 -04:00
Seth Vargo 835e14dda0 Add docs 2015-04-23 11:45:37 -04:00
Seth Vargo b421689ab4 Read environment variables for VAULT_HTTP_ADDR and VAULT_TOKEN 2015-04-23 11:43:20 -04:00
Seth Vargo 3fa76e0ea9 Use a pointer config instead 2015-04-23 11:13:52 -04:00
Armon Dadgar 39cb908662 api: Support sys/leader endpoint 2015-04-20 12:04:13 -07:00
Armon Dadgar fbaca87f56 api: Support redirect for HA 2015-04-20 11:30:35 -07:00
Armon Dadgar 57f3ceac14 api: Allow resetting of request body 2015-04-20 10:44:51 -07:00
Mitchell Hashimoto fb3645214c command/token-create: add display name and one time use 2015-04-19 18:08:08 -07:00
Mitchell Hashimoto 58d476edd0 command/token-renew 2015-04-19 18:04:01 -07:00
Mitchell Hashimoto 0ebf2508e0 command/policy-delete 2015-04-19 16:36:11 -07:00
Mitchell Hashimoto 2bd9223247 api: update docs 2015-04-13 20:42:07 -07:00
Mitchell Hashimoto 0cc0fb066b command/renew 2015-04-13 20:42:07 -07:00
Armon Dadgar 466c7575d3 Replace VaultID with LeaseID for terminology simplification 2015-04-08 13:35:32 -07:00
Mitchell Hashimoto 7442bc1ef6 command/delete 2015-04-07 11:15:20 -07:00
Mitchell Hashimoto 3001c245e5 api: Logical delete 2015-04-07 11:04:56 -07:00
Mitchell Hashimoto f2ee82a17f command/remount 2015-04-07 10:46:47 -07:00
Mitchell Hashimoto 62f4d1dd0e credential/github: CLI handler 2015-04-06 09:53:43 -07:00
Mitchell Hashimoto 2744d84e0b api: make API a bit nicer 2015-04-04 17:54:16 -07:00
Mitchell Hashimoto 5d105b0cc8 api: client library methods to get tokens 2015-04-04 17:53:59 -07:00
Mitchell Hashimoto 2c1d334156 http: fix tests 2015-04-04 17:42:19 -07:00
Mitchell Hashimoto aabcaee0c0 api: add auth information to results 2015-04-04 15:40:41 -07:00
Mitchell Hashimoto 2e3d6d6a0e command/help 2015-04-02 22:42:05 -07:00
Mitchell Hashimoto 3caedf19bd api: help 2015-04-02 22:26:45 -07:00
Mitchell Hashimoto 020af2fac2 http: help 2015-04-02 22:26:45 -07:00
Mitchell Hashimoto d4ef9a552f api: audit methods 2015-04-01 18:38:25 -07:00
Mitchell Hashimoto a3d1502c2d api: SPEC 2015-04-01 18:16:31 -07:00
Mitchell Hashimoto db6a7ab7ce api: policy methods 2015-04-01 17:59:50 -07:00
Mitchell Hashimoto c25b7010d9 http: all policy endpoints 2015-04-01 17:59:50 -07:00
Mitchell Hashimoto fce856d19c http: list policies 2015-04-01 17:43:58 -07:00
Mitchell Hashimoto f21da26766 command/auth-enable 2015-04-01 17:09:11 -07:00
Mitchell Hashimoto 36691190cc api: fix compile 2015-03-31 20:29:20 -07:00
Mitchell Hashimoto 6cbe88cf99 api: fix auth API 2015-03-31 20:28:05 -07:00
Mitchell Hashimoto aba7fc1910 http: auth handlers 2015-03-31 20:24:51 -07:00
Mitchell Hashimoto 214218a993 api: RevokePrefix 2015-03-31 19:23:52 -07:00
Mitchell Hashimoto bbaa137f4e command/revoke: revoke 2015-03-31 19:21:02 -07:00
Mitchell Hashimoto 407b32ccd5 command/seal: test should use the token 2015-03-31 11:46:55 -07:00
Mitchell Hashimoto df4dc88176 api: SetToken 2015-03-30 21:20:23 -07:00
Mitchell Hashimoto 6e5345306e api: update the SPEC 2015-03-30 12:22:34 -07:00
Mitchell Hashimoto c2e1371217 api: re-use proper token constant 2015-03-30 11:14:51 -07:00
Mitchell Hashimoto bd471bfffb command/init: show root token 2015-03-29 16:25:53 -07:00
Mitchell Hashimoto 4cacaf62f0 http: support auth 2015-03-29 16:14:54 -07:00
Armon Dadgar e85cd66b30 all: Removing fields from Lease 2015-03-16 13:29:51 -07:00
Mitchell Hashimoto 4161f7a440 http: fix mount endpoints 2015-03-16 10:51:13 -07:00
Mitchell Hashimoto 1d07df9db6 command/write 2015-03-15 20:35:33 -07:00
Mitchell Hashimoto 9b14cf789e api: logical Read/Write 2015-03-15 19:47:32 -07:00
Mitchell Hashimoto 742923452b http: generic read/write endpoint for secrets 2015-03-15 19:35:04 -07:00
Mitchell Hashimoto c0ede206bb api: use /v1 prefix 2015-03-13 12:53:08 -07:00
Mitchell Hashimoto 128c742a65 api: add init 2015-03-12 12:42:40 -07:00
Mitchell Hashimoto d35b8eaa6f http: init endpoints 2015-03-12 12:37:54 -07:00
Mitchell Hashimoto 9a68a68d3c api: update mount API 2015-03-11 22:34:54 -07:00
Mitchell Hashimoto 88ed41abc2 api: lease renew should parse the secret 2015-03-11 19:48:32 -05:00
Mitchell Hashimoto 39884c7bde api: secret parsing and leasing 2015-03-11 19:48:31 -05:00
Mitchell Hashimoto 0a6ad5b143 api: mount API client 2015-03-11 19:48:31 -05:00
Mitchell Hashimoto 02126dd935 api: store token cookie, tests 2015-03-11 17:46:42 -05:00
Mitchell Hashimoto 0f413876f2 api: separate sys out further 2015-03-11 17:46:41 -05:00
Mitchell Hashimoto de159fdac8 api: document jar requirement 2015-03-11 17:46:41 -05:00
Mitchell Hashimoto a4fc46de2a api: auth methods 2015-03-11 17:46:41 -05:00
Mitchell Hashimoto 886812ecce api: automatically get errors in RawRequest 2015-03-11 17:46:41 -05:00
Mitchell Hashimoto 5202e8788d api: Response can decode errors 2015-03-11 17:46:41 -05:00
Mitchell Hashimoto 798689fb8d api: sys methods 2015-03-11 17:46:41 -05:00
Mitchell Hashimoto 8ec69eae81 api: start the groundwork API stuff 2015-03-09 11:38:50 -07:00
Mitchell Hashimoto c995ec1452 api: update spec 2015-03-04 15:41:21 -08:00
Mitchell Hashimoto 859a99c96c api: SPEC 2015-03-04 15:03:06 -08:00
Mitchell Hashimoto 342f4e7e30 api: update SPEC 2015-03-04 13:17:12 -08:00
Mitchell Hashimoto 80f8ba6b88 api: spec 2015-03-04 13:10:10 -08:00