114 Commits

Author SHA1 Message Date
Jeff Mitchell 3129187dc2 JWT wrapping tokens (#2172) 2017-01-04 16:44:03 -05:00
Vishal Nayak e3f56f375c Add 'no-store' response header from all the API outlets (#2183) 2016-12-15 17:53:07 -05:00
Thomas Soëte c29e5c8bad Use 'http.MaxBytesReader' to limit request size (#2131)
Fix 'connection reset by peer' error introduced by 300b72e
2016-12-01 10:59:00 -08:00
Armon Dadgar c8dadb46ec http: limit maximum request size 2016-11-17 12:06:43 -08:00
Vishal Nayak b3c805e662 Audit the client token accessors (#2037) 2016-10-29 17:01:49 -04:00
Jeff Mitchell 5657789627 Audit unwrapped response (#1950) 2016-09-29 12:03:47 -07:00
Jeff Mitchell b45a481365 Wrapping enhancements (#1927) 2016-09-28 21:01:28 -07:00
Jeff Mitchell 6bf871995b Don't use time.Time in responses. (#1912)
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
Jeff Mitchell 1c6f2fd82b Add response wrapping to list operations (#1814) 2016-09-02 01:13:14 -04:00
Jeff Mitchell 3e6b48cca3 Initial `dataonly` work. 2016-08-08 11:55:24 -04:00
Laura Bennett 67801bcf64 uncomment 2016-07-26 16:44:50 -04:00
Laura Bennett fb1b032040 fixing id in buildLogicalRequest 2016-07-26 15:50:37 -04:00
Laura Bennett ad66bd7502 fixes based on proper interpretation of comments 2016-07-26 12:20:27 -04:00
Laura Bennett 8d52a96df5 moving id to http/logical 2016-07-25 15:24:10 -04:00
Jeff Mitchell e925987cb6 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
Jeff Mitchell 401456ea50 Add creation time to returned wrapped token info
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.

This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Jeff Mitchell 05b0e0a866 Enable audit-logging of seal and step-down commands.
This pulls the logical request building code into its own function so
that it's accessible from other HTTP handlers, then uses that with some
added logic to the Seal() and StepDown() commands to have meaningful
audit log entries.
2016-05-20 17:03:54 +00:00
Jeff Mitchell c9aaabe235 Fix missing return after respondError in handleLogical 2016-05-20 15:49:48 +00:00
Jeff Mitchell caf77109ba Add cubbyhole wrapping documentation 2016-05-19 13:33:51 -04:00
Jeff Mitchell 2295cadbf4 Make WrapInfo a pointer to match secret/auth in response 2016-05-07 19:17:51 -04:00
Jeff Mitchell 99a5b4402d Merge branch 'master-oss' into cubbyhole-the-world 2016-05-04 14:42:14 -04:00
Jeff Mitchell 7e462e566b Check nil keys and respond internal error if it can't be cast to a []string 2016-05-02 20:00:46 -04:00
Jeff Mitchell 16b717022b In a list response, if there are no keys, 404 to be consistent with GET
and with different backend conditions

Fixes #1365
2016-05-02 19:38:06 -04:00
Jeff Mitchell aba689a877 Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 00:47:35 -04:00
Jeff Mitchell d81806b446 Add:
* Request/Response field extension
* Parsing of header into request object
* Handling of duration/mount point within router
* Tests of router WrapDuration handling
2016-05-02 00:24:32 -04:00
vishalnayak d959ffc301 Rename PrepareRequest to PrepareRequestFunc 2016-03-18 10:37:49 -04:00
vishalnayak 4e6dcfd6d0 Enable callbacks for handling logical.Request changes before processing requests 2016-03-17 22:29:53 -04:00
vishalnayak 151c932875 AccessorID --> Accessor, accessor_id --> accessor 2016-03-09 06:23:31 -05:00
vishalnayak 301776012f Introduced AccessorID in TokenEntry and returning it along with token 2016-03-08 14:06:10 -05:00
Jeff Mitchell 7d1d003ba0 Update documentation and use ParseBool for list query param checking 2016-01-22 10:07:32 -05:00
Jeff Mitchell 455931873a Address some review feedback 2016-01-22 10:07:32 -05:00
Jeff Mitchell 5341cb69cc Updates and documentation 2016-01-22 10:07:32 -05:00
Jeff Mitchell 9042315973 Add handling of LIST verb to logical router 2016-01-22 10:07:32 -05:00
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities.
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell 10d24779c0 Rename GetWarnings->Warnings for responses 2015-10-07 16:18:39 -04:00
Jeff Mitchell d740fd4a6a Add the ability for warnings to be added to responses. These are
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.

Fixes #676
2015-10-07 16:18:39 -04:00
Jeff Mitchell a8ef0e8a80 Remove cookie authentication. 2015-08-21 19:46:23 -07:00
Jeff Mitchell 93ef9a54bd Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod 2015-08-20 18:00:51 -07:00
Jeff Mitchell 15f57082e0 Begin factoring out sys paths into logical routes. Also, standardize on 307 as redirect code. 2015-08-20 13:20:35 -07:00
Armon Dadgar 496ebe561c vault: cleanups for the audit log changes 2015-06-29 15:27:28 -07:00
Nate Brown c55f103c58 Adding error and remote_address to audit log lines 2015-06-18 17:17:18 -07:00
Armon Dadgar 11c625fea2 http: support raw HTTP output 2015-05-27 14:10:00 -07:00
Jonathan Sokolowski be2538aca3 http: Extract IP from RemoteAddr correctly 2015-05-20 15:23:41 +10:00
Armon Dadgar d258be6093 http: avoid authenticating as new token for auth/token/create 2015-04-27 15:17:59 -07:00
Seth Vargo ee6963ee01 Use lowercase JSON keys for client_token 2015-04-24 12:00:00 -04:00
Armon Dadgar c7d521b2be http: pass raw request through 2015-04-19 14:36:50 -07:00
Armon Dadgar 6f5b4637fb http: support standby redirects 2015-04-19 13:47:57 -07:00
Mitchell Hashimoto a44eb0dcd0 http: renew endpoints 2015-04-13 20:42:07 -07:00
Armon Dadgar 466c7575d3 Replace VaultID with LeaseID for terminology simplification 2015-04-08 13:35:32 -07:00
Mitchell Hashimoto 6015a8d7c2 http: handle errors better 2015-04-08 11:19:03 -07:00
Mitchell Hashimoto d97d9b928a command/token-revoke 2015-04-07 14:36:17 -07:00
Mitchell Hashimoto ee690ee3b3 command/token-create 2015-04-07 14:20:18 -07:00
Mitchell Hashimoto 065650b88d http: make POST to WriteOperation 2015-04-07 14:00:09 -07:00
Mitchell Hashimoto 37f58dec59 http: logical delete support 2015-04-07 11:04:06 -07:00
Mitchell Hashimoto aabcaee0c0 api: add auth information to results 2015-04-04 15:40:41 -07:00
Mitchell Hashimoto 4e8efbbd48 http: respondCommon to do common responses 2015-03-31 21:29:53 -07:00
Mitchell Hashimoto 795e117867 http: detect errors in logical and return them properly 2015-03-31 21:24:20 -07:00
Mitchell Hashimoto e9b20c7ae3 http: handle redirects and set auth cookies 2015-03-30 21:06:15 -07:00
Mitchell Hashimoto 4cacaf62f0 http: support auth 2015-03-29 16:14:54 -07:00
Mitchell Hashimoto 1ff229ca68 http: passing tests 2015-03-19 23:28:49 +01:00
Armon Dadgar e85cd66b30 all: Removing fields from Lease 2015-03-16 13:29:51 -07:00
Mitchell Hashimoto 341d71c91d http: 404 if reading secret that doesn't exist 2015-03-15 19:42:24 -07:00
Mitchell Hashimoto 742923452b http: generic read/write endpoint for secrets 2015-03-15 19:35:04 -07:00