Commit Graph

213 Commits

Author SHA1 Message Date
Clint dd9c3b9133
Sync Protobuf dependencies between core and sdk (#9154)
* update go.mod/sum for root and sdk folders to sync protobuf versions

* run 'go mod vendor'

* bump github.com/golang/protobuf to v1.4.2
2020-06-05 14:15:12 -05:00
Michael Golowka b52950f884
Add user configurable password policies available to secret engines (#8637)
* Add random string generator with rules engine

This adds a random string generation library that validates random
strings against a set of rules. The library is designed for use as generating
passwords, but can be used to generate any random strings.
2020-05-27 12:28:00 -06:00
Josh Black 6e92c8cbd2
Add a new "vault monitor" command (#8477)
Add a new "vault monitor" command

Co-authored-by: ncabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>
2020-05-21 13:07:50 -07:00
ncabatoff af3eff4d29
Restore the original code used for setting userDN based on the result of our query. (#9041) 2020-05-20 14:47:59 -04:00
Jeff Mitchell b4f5d38916
Update to latest go-kms-wrapping and fix protos/etcd (#8996) 2020-05-14 18:45:10 -04:00
Andrew N Golovkov 753b2c135a
More helpful errors when import bundled certificates (#8951)
* helpful errors: print not only CN but also exactly what we are comparing
* helpful errors: return different errors for non-existent and unknown keys
* helpful errors: print error about encrypted key instead of "private key not found"
2020-05-11 17:01:10 -06:00
Calvin Leung Huang e7af25b969
raft: use file paths for TLS info in the retry_join block (#8894)
* raft: use file paths for TLS info in the retry_join stanza

* raft: maintain backward compat for existing tls params

* docs: update raft docs with new file-based TLS params

* Update godoc comment, fix docs
2020-05-06 18:26:08 -07:00
Vishal Nayak 84df802f4b
Add TypeFloat to field data (#8923)
* Add TypeFloat to field data

* Handle zero value case

* Address review feedback
2020-05-04 18:22:28 -04:00
Becca Petrin 3b420b0735
Add helper for aliasmetadata and add to AWS auth (#8783)
* add aliasmetadata sdk helper and add to aws auth

* split into ec2_metadata and iam_metadata fields

* fix tests

* strip pointer

* add test of default metadata

* more test <3

* switch from interface to custom marshallers

* add tests for marshalling

* store nil when selected fields are default

* separate loop into pieces

* separate acc test into multiple

* Update builtin/credential/aws/path_login.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* changes from feedback

* update aws test

* refactor to also populate auth metadata

* update how jsonification is tested

* only add populated metadata values

* add auth_type to ec2 logins

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2020-04-27 10:06:07 -07:00
Austin Gebauer 01e701f008
Fix: rotate root credentials for database plugins using WAL (#8782)
* fix: rotate root credentials for database plugins using WAL

* test: adds a test for WAL rollback logic

* fix: progress on wal rollback

* docs: updates some comments

* docs: updates some comments

* test: adds additional test coverage for WAL rollback

* chore: remove unneeded log

* style: error handling, imports, signature line wraps

* fix: always close db plugin connection
2020-04-22 16:21:28 -07:00
Jim Kalafut e7e2f7415b
Update the version prelease value (#8748) 2020-04-16 10:10:35 -07:00
Michel Vocks b216d75938
Fix outdated comment about logical request path (#8653) 2020-04-02 08:53:16 +02:00
Jerry Aldrich 053a57598e
Fix error interpolation in LDAP client (#8426)
Signed-off-by: jerryaldrichiii <jerryaldrichiii@gmail.com>
2020-03-24 13:22:06 -07:00
Daniel Gozalo cdeb22b14c
feat: replace the way AWS sessions are created and added a new WebIdentity provider to the credentials chain (#7738)
* feat: replace the way AWS sessions are created and added a new WebIdentity provider to the credentials chain

* feat: use the correct sdk version

* feat: update go.mod

* feat: remove unnecessary new line

* feat: move AWS_ROLE_SESSION_NAME check up
2020-03-06 13:19:50 -08:00
Jorge Heleno a9e864f5e3
Add LDAP anonymous group search and client certs (#8365) 2020-03-06 10:27:09 -08:00
Brian Kassouf 5aa4b8d54c set version to 1.4.0-beta1 2020-02-20 10:13:28 -08:00
Sam Salisbury 84ca2ef0af sdk: set version to 1.4.0-beta 2020-02-20 09:11:25 +00:00
ncabatoff e5721310ac
Add persistent feature flags to be used on enterprise non-primaries. (#8391) 2020-02-19 18:06:53 -05:00
Noelle Daley ced8a3f6b3
clarify that EditType is optional (#8386) 2020-02-19 11:44:22 -06:00
JulesRenz c54c8c92bd
RSA3072 implementation in transit secrets engine (#8151)
* RSA3072 implementation in transit secrets engine

* moved new KeyType at the end of the list
So already stored keys still work properly

Co-authored-by: Jim Kalafut <jim@kalafut.net>
2020-02-15 14:40:50 -08:00
Jeff Mitchell f09f21e512 Move reload/listenerutil/gatedwriter back out of sdk 2020-02-15 14:56:00 -05:00
Gerardo Di Giacomo 8573eefe90
enabling TLS 1.3 support for TCP listeners (#8305)
* adding support for TLS 1.3 for TCP listeners

* removed test as CI uses go 1.12

* removed Cassandra support, added deprecation notice

* re-added TestTCPListener_tls13
2020-02-15 11:40:18 -08:00
Brian Kassouf 3bbd9dc34c
Port some changes back to OSS (#8359) 2020-02-14 16:39:13 -08:00
Jeff Mitchell e90d9f3946 Update to go-kms-wrapping entropy module 2020-02-14 17:27:19 -05:00
Jeff Mitchell 31b6345c31 Remove EncryptedBlobInfo in Entry 2020-02-14 17:03:40 -05:00
Jeff Mitchell aeac23d59e Revert "Move encrypted blob info (#8357)"
This reverts commit 5a3c55b6dfe89d0348d78acafcb83b60cf614d38.
2020-02-14 17:02:33 -05:00
Jeff Mitchell e12351f263
Move encrypted blob info (#8357) 2020-02-14 16:45:37 -05:00
Jeff Mitchell 01402febb8 Update proto 2020-02-14 16:00:33 -05:00
Michel Vocks 985acc4ce5
Fix ldap client upndomain (#8333) 2020-02-14 10:26:30 -08:00
Becca Petrin 5a01a5af0f
Add Kubernetes service registration (#8249) 2020-02-13 09:56:29 -08:00
Jeff Malnick 27ad920399
Add redshift database plugin (#8299)
* feat: add redshift database plugin

* build: update vendored libraries

* docs: add reference doc for redshift variant of the database secrets engine

* feat: set middlewear type name for better metrics naming (#8346)

Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
2020-02-13 09:42:30 -08:00
Jeff Mitchell fedb451a12 Move reload and listenerutil into sdk 2020-02-13 10:40:02 -05:00
Becca Petrin 759f9b38f7
Observer pattern for service registration interface (#8123)
* use observer pattern for service discovery

* update perf standby method

* fix test

* revert usersTags to being called serviceTags

* use previous consul code

* vault isnt a performance standby before starting

* log err

* changes from feedback

* add Run method to interface

* changes from feedback

* fix core test

* update example
2020-01-24 09:42:03 -08:00
Jeff Mitchell 997a74cf18 Fix Flush interface in gatedwriter 2020-01-23 14:24:13 -05:00
Jeff Mitchell 3be3cd6d42 Update sdk's go-hclog 2020-01-23 14:11:38 -05:00
Jeff Mitchell d3adf1286d Migrate gated-writer to sdk 2020-01-23 14:00:15 -05:00
Becca Petrin 02c9a45c40
Fix AWS region tests (#8145)
* fix aws region tests

* strip logger

* return an error, restore tests to master

* fix extra line at import

* revert changes in spacing and comments

* Update sdk/helper/awsutil/region.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* strip explicit nil value

Co-authored-by: Jim Kalafut <jim@kalafut.net>
2020-01-13 14:56:41 -08:00
Jeff Mitchell a0694943cc
Migrate built in auto seal to go-kms-wrapping (#8118) 2020-01-10 20:39:52 -05:00
Jeff Mitchell 156e31c740 Bump go-uuid 2020-01-10 10:43:37 -05:00
Jim Kalafut aa1761fb03
Update framework forwarding logic to handle nil system views (#8114) 2020-01-08 05:59:44 -08:00
Jim Kalafut fb4edc129e
Add path attributes to indicate when operations should forward (#7175) 2020-01-07 14:04:08 -08:00
Michel Vocks d4d82cdd4a
Fix MySQL Plugin password special character escape bug (#8040)
* Fix MySQL password escape bug

* Add test

* Add debug output

* Add debug line

* Added debug output

* Debug

* Debug

* Update vendor

* Remove debug comments
2020-01-07 16:51:49 +01:00
Brian Kassouf 549faf47f2
Add identity templating helper to sdk/framework (#8088)
* Add identity templating helper to sdk/framework

* Cleanup a bit

* Fix length issue when groups/aliases are filtered due to ns

* review feedback
2020-01-06 10:16:52 -08:00
Jeff Mitchell f437b80370
Update go-hclog to version that removes some possible panics and incorrect mutex locking (#8054) 2019-12-18 16:32:02 -05:00
Becca Petrin 3d7cdea66f
Avoid potential panic in LDAP client (#8047)
* fix potential panic

* add comment

* vendor the ldap update

* use localhost in test
2019-12-17 16:33:59 -08:00
ncabatoff fde5e55ce9
Handle otherName SANs in CSRs (#6163)
If a CSR contains a SAN of type otherName, encoded in UTF-8, and the signing role specifies use_csr_sans, the otherName SAN will be included in the signed cert's SAN extension.

Allow single star in allowed_other_sans to match any OtherName.  Update documentation to clarify globbing behaviour.
2019-12-11 10:16:44 -05:00
Mike Jarmy e42bc0ffc0
Introduce optional service_registration stanza (#7887)
* move ServiceDiscovery into methods

* add ServiceDiscoveryFactory

* add serviceDiscovery field to vault.Core

* refactor ConsulServiceDiscovery into separate struct

* cleanup

* revert accidental change to go.mod

* cleanup

* get rid of un-needed struct tags in vault.CoreConfig

* add service_discovery parser

* add ServiceDiscovery to config

* cleanup

* cleanup

* add test for ConfigServiceDiscovery to Core

* unit testing for config service_discovery stanza

* cleanup

* get rid of un-needed redirect_addr stuff in service_discovery stanza

* improve test suite

* cleanup

* clean up test a bit

* create docs for service_discovery

* check if service_discovery is configured, but storage does not support HA

* tinker with test

* tinker with test

* tweak docs

* move ServiceDiscovery into its own package

* tweak a variable name

* fix comment

* rename service_discovery to service_registration

* tweak service_registration config

* Revert "tweak service_registration config"

This reverts commit 5509920a8ab4c5a216468f262fc07c98121dce35.

* simplify naming

* refactor into ./serviceregistration/consul
2019-12-06 09:46:39 -05:00
Jason O'Donnell 854d00c609 Add int64 pointerutil (#7973) 2019-12-05 14:02:36 -08:00
Seth Vargo 4ac5764c4d Output human duration in TTL warnings (#7901) 2019-11-22 09:38:46 -08:00
Calvin Leung Huang 7009dcc432
sdk/ldaputil: add request_timeout configuration option (#7909)
* sdk/ldaputil: add request_timeout configuration option

* go mod vendor
2019-11-20 11:26:13 -08:00
Jeff Mitchell 9b5392bc8f
Fix cluster cipher test (#7900)
Go 1.13 flipped TLS 1.3 to opt-out instead of opt-in, and its TLS 1.3
support does not allow configuring cipher suites. Simply remove the
affected test; it's not relevant going forward and there's ample
evidence it works properly prior to Go 1.13.
2019-11-18 23:04:49 -05:00
Brian Kassouf 7b833aaec8 bump variables to 1.3 2019-11-11 19:33:14 -08:00
Jeff Mitchell a47758865c Bump go-ldap
Closes https://github.com/hashicorp/vault/pull/7780

Changes to other parts of Vault have to come piece by piece, that's
next.
2019-11-08 11:18:36 -05:00
Jim Kalafut 59e526614d
Run go fmt (#7823) 2019-11-07 08:54:34 -08:00
Jeff Mitchell b998849b73
Update go-metrics in sdk (#7795) 2019-11-05 15:27:07 -05:00
Clint 245935447b
Vault Agent Template (#7652)
* Vault Agent Template: parse templates  (#7540)

* add template config parsing, but it's wrong b/c it's not using mapstructure

* parsing consul templates in agent config

* add additional test to configuration parsing, to cover basics

* another test fixture, rework simple test into table

* refactor into table test

* rename test

* remove flattenKeys and add other test fixture

* Update command/agent/config/config.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* return the decode error instead of swallowing it

* Update command/agent/config/config_test.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* go mod tidy

* change error checking style

* Add agent template doc

* TemplateServer: render secrets with Consul Template (#7621)

* add template config parsing, but it's wrong b/c it's not using mapstructure

* parsing consul templates in agent config

* add additional test to configuration parsing, to cover basics

* another test fixture, rework simple test into table

* refactor into table test

* rename test

* remove flattenKeys and add other test fixture

* add template package

* WIP: add runner

* fix panic, actually copy templates, etc

* rework how the config.Vault is created and enable reading from the environment

* this was supposed to be a part of the prior commit

* move/add methods to testhelpers for converting some values to pointers

* use new methods in testhelpers

* add an unblock channel to block agent until a template has been rendered

* add note

* unblock if there are no templates

* cleanups

* go mod tidy

* remove dead code

* simple test to starT

* add simple, empty templates test

* Update package doc, error logs, and add missing close() on channel

* update code comment to be clear what I'm referring to

* have template.NewServer return a (<- chan) type, even though it's a normal chan, as a better practice to enforce reading only

* Update command/agent.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* update with test

* Add README and doc.go to the command/agent directory (#7503)

* Add README and doc.go to the command/agent directory

* Add link to website

* address feedback for agent.go

* updated with feedback from Calvin

* Rework template.Server to export the unblock channel, and remove it from the NewServer function

* apply feedback from Nick

* fix/restructure rendering test

* Add pointerutil package for converting types to their pointers

* Remove pointer helper methods; use sdk/helper/pointerutil instead

* update newRunnerConfig to use pointerutil and empty strings

* only wait for unblock if template server is initialized

* drain the token channel in this test

* conditionally send on channel
2019-10-18 16:21:46 -05:00
Madalyn 977af116c8 Enable generated items for more auth methods (#7513)
* enable auth method item configuration in go code

* properly parse and list generated items

* make sure we only set name on attrs if a label comes from openAPI

* correctly construct paths object for method index route

* set sensitive property on password for userpass

* remove debugger statements

* pass method model to list route template to use paths on model for tabs

* update tab generation in generated item list, undo enabling userpass users

* enable openapi generated itams for certs and userpass, update ldap to no longer have action on list endpoint

* add editType to DisplayAttributes, pull tokenutil fields into field group

* show sensitive message for sensitive fields displayed in fieldGroupShow component

* grab sensitive and editType fields from displayAttrs in openapi-to-attrs util

* make sure we don't ask for paths for secret backends since that isn't setup yet

* fix styling of sensitive text for fieldGroupShow component

* update openapi-to-attrs util test to no longer include label by default, change debugger to console.err in path-help, remove dynamic ui auth methods from tab count test

* properly log errors to the console

* capitalize This value is sensitive...

* get rid of extra padding on bottom of fieldgroupshow

* make auth methods clickable and use new confirm ux

* Update sdk/framework/path.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* Update sdk/framework/path.go

Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>

* add whitespace

* return intErr instead of err

* uncomment out helpUrl because we need it

* remove extra box class

* use const instead of let

* remove extra conditional since we already split the pathName later on

* ensure we request the correct url when listing generated items

* use const

* link to list and show pages

* remove dead code

* show nested item name instead of id

* add comments

* show tooltip for text-file inputs

* fix storybook

* remove extra filter

* add TODOs

* add comments

* comment out unused variables but leave them in function signature

* only link to auth methods that can be fully managed in the ui

* clean up comments

* only render tooltip if there is helpText

* rename id authMethodPath

* remove optionsForQuery since we don't need it

* add indentation

* standardize ConfirmMessage and show model name instead of id when editing

* standardize ConfirmMessage and show model name instead of id when editing

* add comments

* post to the correct updateUrl so we can edit users and groups

* use pop instead of slice

* add TODO for finding a better way to store ids

* ensure ids are handled the same way on list and show pages; fix editing and deleting

* add comment about difference between list and show urls

* use model.id instead of name since we do not need it

* remove dead code

* ensure list pages have page headers

* standardize using authMethodPath instead of method and remove dead code

* i love indentation

* remove more dead code

* use new Confirm

* show correct flash message when deleting an item

* update flash message for creating and updating

* use plus icon for creating group/user instead of an arrow
2019-10-17 16:19:14 -07:00
Lexman c86fe212c0
oss changes for entropy augmentation feature (#7670)
* oss changes for entropy augmentation feature

* fix oss command/server/config tests

* update go.sum

* fix logical_system and http/ tests

* adds vendored files

* removes unused variable
2019-10-17 10:33:00 -07:00
Mike Jarmy 510d82551a
Vault Agent Cache Auto-Auth SSRF Protection (#7627)
* implement SSRF protection header

* add test for SSRF protection header

* cleanup

* refactor

* implement SSRF header on a per-listener basis

* cleanup

* cleanup

* creat unit test for agent SSRF

* improve unit test for agent SSRF

* add VaultRequest SSRF header to CLI

* fix unit test

* cleanup

* improve test suite

* simplify check for Vault-Request header

* add constant for Vault-Request header

* improve test suite

* change 'config' to 'agentConfig'

* Revert "change 'config' to 'agentConfig'"

This reverts commit 14ee72d21fff8027966ee3c89dd3ac41d849206f.

* do not remove header from request

* change header name to X-Vault-Request

* simplify http.Handler logic

* cleanup

* simplify http.Handler logic

* use stdlib errors package
2019-10-11 18:56:07 -04:00
Brian Kassouf f43f84a354
Port over cache refresh changes (#7599) 2019-10-08 13:23:43 -07:00
Calvin Leung Huang 7a385a7854 update go.mod and sdk/go.mod 2019-10-04 09:40:23 -07:00
Jeff Mitchell 4252f5c9e4
Add AES128-GCM96 support to transit (#7555) 2019-10-03 16:11:43 -04:00
Jeff Mitchell 6d1e804a22
Add P384 and P521 support to Transit (#7551) 2019-10-03 12:32:43 -04:00
Jeff Mitchell 63f377c6b6 Tidy sdk 2019-09-18 09:09:44 -04:00
Jeff Mitchell f72bc5acb2 Update version for 1.3 dev target on master 2019-09-17 11:36:55 -04:00
Calvin Leung Huang ec64b7c672
logical/request: store the entire http.Request object instead (#7412)
This allows logical operations (along with a non-nil response writer) to
process http handler funcs within the operation function while keeping
auth and audit checks that the logical request flow provides.
2019-09-06 12:40:15 -07:00
Brian Kassouf c2905773e4
Add download headers to snapshot take API (#7369)
* Add download headers to snapshot take API

* Add content type
2019-09-06 10:34:36 -07:00
Jim Kalafut 051bc15da3
Bundle OCI Auth method (#7422) 2019-09-04 16:46:00 -07:00
Vu Pham a47b2faf34 Added OCI Object Storage Plugin (#6985) 2019-09-04 11:33:16 -07:00
Jeff Mitchell 5f7ed385aa Run go mod tidy 2019-09-04 12:44:50 -04:00
Michael Gaffney aac9f87a73
Exit ScanView if context has been cancelled (#7419) 2019-09-04 09:18:19 -04:00
Calvin Leung Huang 3a81e41983
salt: fix DidGenerate docstring (#7372) 2019-08-27 14:41:23 -07:00
Jeff Mitchell 9816963355
Move SudoPrivilege out of SystemView (#7266)
* Move SudoPrivilege out of SystemView

We only use this in token store and it literally doesn't work anything
that isn't the token store or system mount, so we should stop exposing
something that doesn't work.

* Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 10:23:46 -04:00
Jeff Mitchell 87f649bf99 Prep for 1.2.2 2019-08-14 16:54:16 -04:00
Calvin Leung Huang 522fa83568 sdk/logical: handle empty token type string values as TokenTypeDefault (#7273)
* sdk/logical: handle empty token type string values as TokenTypeDefault

* add test case for missing token_type value
2019-08-14 09:45:40 -04:00
Jeff Mitchell c9d4e83350 Bump some versions to prep 2019-08-05 17:43:12 -04:00
ncabatoff f7690d1f6a
Handle TokenType serialized as string or as uint8. (#7233) 2019-08-05 16:51:14 -04:00
Jeff Mitchell 1d75ace163 Update files for release 2019-07-30 00:23:20 -04:00
Jeff Mitchell 022eaf1f5d
Port LDAP getCN changes to 1.2 branch (#7209) 2019-07-29 15:43:34 -04:00
Jeff Mitchell 1b977aba8d Update version in sdk 2019-07-25 12:57:05 -04:00
Sam Salisbury e211a081ce
ci: remove travis config + all refs (#7122) 2019-07-25 11:10:31 +01:00
Nick Cabatoff 3f1d1765ec Update sdk to grpc 1.22 for https://github.com/grpc/grpc-go/pull/2818 which caused intermittent ent test failures. 2019-07-24 11:45:58 -04:00
Christian Muehlhaeuser e6febc5839 Fixed a bunch of typos (#7146) 2019-07-18 21:10:15 -04:00
Mike Jarmy a44356ed6a
change the default for max_open_connections for DB plugins to 4 (#7093) 2019-07-18 16:16:22 -04:00
Mike Jarmy 0d4ae949a8
Add 'log-format' CLI flag, along with associated config flag, for 'vault server' command. (#6840)
* Read config before creating logger when booting vault server

* Allow for specifying log output in JSON format in a config file, via a 'log_level' flag

* Create parser for log format flag

* Allow for specifying log format in a config file, via a 'log_format' flag. Also, get rid of 'log_json' flag.

* Add 'log-format' command line flag

* Update documentation to include description of log_format setting

* Tweak comment for VAULT_LOG_FORMAT environment variable

* add test for ParseEnvLogFormat()

* clarify how log format is set

* fix typos in documentation
2019-07-18 15:59:27 -04:00
Lexman 119854a865
adds Cache-Control header to oidc .well-known endpoints (#7108) 2019-07-15 11:04:45 -07:00
Jeff Mitchell 7f1a9d8dd3 Bump version in sdk 2019-07-09 03:54:28 -04:00
Mark Gritter 6ac5ba8945 Escape SQL username and password parameters before substituting them in to a URL. (#7089) 2019-07-09 01:02:54 +02:00
Jeff Mitchell d810758ca2
Rerun proto gen as some got gen'd with old proto version (#7090) 2019-07-09 01:02:20 +02:00
Mike Jarmy e0ce2195cc AWS upgrade role entries (#7025)
* upgrade aws roles

* test upgrade aws roles

* Initialize aws credential backend at mount time

* add a TODO

* create end-to-end test for builtin/credential/aws

* fix bug in initializer

* improve comments

* add Initialize() to logical.Backend

* use Initialize() in Core.enableCredentialInternal()

* use InitializeRequest to call Initialize()

* improve unit testing for framework.Backend

* call logical.Backend.Initialize() from all of the places that it needs to be called.

* implement backend.proto changes for logical.Backend.Initialize()

* persist current role storage version when upgrading aws roles

* format comments correctly

* improve comments

* use postUnseal funcs to initialize backends

* simplify test suite

* improve test suite

* simplify logic in aws role upgrade

* simplify aws credential initialization logic

* simplify logic in aws role upgrade

* use the core's activeContext for initialization

* refactor builtin/plugin/Backend

* use a goroutine to upgrade the aws roles

* misc improvements and cleanup

* do not run AWS role upgrade on DR Secondary

* always call logical.Backend.Initialize() when loading a plugin.

* improve comments

* on standbys and DR secondaries we do not want to run any kind of upgrade logic

* fix awsVersion struct

* clarify aws version upgrade

* make the upgrade logic for aws auth more explicit

* aws upgrade is now called from a switch

* fix fallthrough bug

* simplify logic

* simplify logic

* rename things

* introduce currentAwsVersion const to track aws version

* improve comments

* rearrange things once more

* conglomerate things into one function

* stub out aws auth initialize e2e test

* improve aws auth initialize e2e test

* finish aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* fix typo in test suite

* simplify logic a tad

* rearrange assignment

* Fix a few lifecycle related issues in #7025 (#7075)

* Fix panic when plugin fails to load
2019-07-05 16:55:40 -07:00
Calvin Leung Huang 5428ab50ee audit: log invalid wrapping token request/response (#6541)
* audit: log invalid wrapping token request/response

* Update helper/consts/error.go

Co-Authored-By: calvn <cleung2010@gmail.com>

* update error comments

* Update vault/wrapping.go

Co-Authored-By: calvn <cleung2010@gmail.com>

* update comment

* move validateWrappingToken out of http and into logical

* minor refactor, add test cases

* comment rewording

* refactor validateWrappingToken to perform audit logging

* move ValidateWrappingToken back to wrappingVerificationFunc

* Fix tests

* Review feedback
2019-07-05 14:15:14 -07:00
Clint cd6b0b2de5 Combined Database backend: Add GenerateCredentials to the CredentialsProducer Interface (#7010)
* Add GenerateCredentials to the CredentialsProducer Interface, add default implementation

* Remove GenerateCredentials implementation from database plugins
2019-07-05 14:34:47 -04:00
Brian Kassouf 4d7d0d729a
storage/raft: When restoring a snapshot preseal first (#7011)
* storage/raft: When restoring a snapshot preseal first

* best-effort allow standbys to apply the restoreOp before sealing active node

* Don't cache the raft tls key

* Update physical/raft/raft.go

* Move pending raft peers to core

* Fix race on close bool

* Extend the leaderlease time for tests

* Update raft deps

* Fix audit hashing

* Fix race with auditing
2019-07-03 13:56:30 -07:00
Jeff Mitchell a3fc497fec
Fix batch token test (#7047)
At the level of role config it doesn't mean anything to use
default-service or default-batch; that's for mount tuning. So disallow
it in tokenutil. This also fixes the fact that the switch statement
wasn't right.
2019-07-02 22:16:43 -04:00
Jeff Mitchell e36f626e75 Fix import cycle 2019-07-02 21:01:34 -04:00
Jeff Mitchell 4b85cb3098 Update sdk's testrequest with connection value 2019-07-02 20:59:48 -04:00
Jeff Mitchell d7243f910a
Re-enable toggling renewable off for tokens (#7043)
Earlier in tokenutil's dev it seemed like there was no reason to allow
auth plugins to toggle renewability off. However, it turns out Centrify
makes use of this for sensible reasons. As a result, move the forcing-on
of renewability into tokenutil, but then allow overriding after
PopulateTokenAuth is called.
2019-07-02 10:23:46 -04:00
Jeff Mitchell 126bdf2d02
Add UpgradeValue path to tokenutil (#7041)
This drastically reduces boilerplate for upgrading existing values
2019-07-02 09:52:05 -04:00
Jeff Mitchell 26f371633c
Update ldaputil to allow for modifying an existing config (#7038) 2019-07-01 16:12:32 -04:00
Jeff Mitchell 69d2a5cb4e
Add DisplayAttributes to tokenutil fields (#7029) 2019-07-01 08:57:57 -04:00