luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
194 commits 1 branch 0 tags 214 MiB
Commit graph

84 commits

Author SHA1 Message Date
Mitchell Hashimoto 97dab0c285 vault: ignore backends that don't support rollback 2015-03-17 20:39:45 -05:00
Mitchell Hashimoto e078b957d4 vault: start/stop rollback manager post/pre seal 2015-03-17 20:39:45 -05:00
Mitchell Hashimoto c7b9148841 vault: RollbackManager 
There are some major TODO items here, and it isn't hooked into the core
yet, but the basic functionality is there.
 2015-03-17 20:39:45 -05:00
Mitchell Hashimoto abe0859aa5 vault: use RWMutex on MountTable itself 2015-03-17 20:39:45 -05:00
Armon Dadgar 99abc11ec5 vault: Adding ACL representation 2015-03-17 18:31:20 -07:00
Armon Dadgar ddab671bf4 vault: Adding policy parsing 2015-03-17 15:53:29 -07:00
Armon Dadgar 46ccb81db4 vault: Respect grace period for revocation 2015-03-16 17:09:18 -07:00
Armon Dadgar a24192b728 vault: Support sys/revoke-prefix/ 2015-03-16 16:33:48 -07:00
Armon Dadgar f08659aaaa vault: Adding sys/revoke 2015-03-16 16:26:34 -07:00
Armon Dadgar 57b4f970d2 vault: Test renew of bad ID 2015-03-16 16:14:53 -07:00
Armon Dadgar e52f1ee960 vault: Testing sys/renew 2015-03-16 16:11:55 -07:00
Armon Dadgar 15b7dc2d02 vault: integration expiration manager with core 2015-03-16 15:28:50 -07:00
Armon Dadgar 5f1e3e5986 vault: Testing restore 2015-03-16 15:11:47 -07:00
Armon Dadgar 703bcd8190 vault: Testing revoke and renew 2015-03-16 15:11:47 -07:00
Armon Dadgar b203c27326 vault: testing internal expiration manager methods 2015-03-16 15:11:47 -07:00
Armon Dadgar 11552f132b vault: testing expiration manager persistence 2015-03-16 15:11:46 -07:00
Armon Dadgar e85cd66b30 all: Removing fields from Lease 2015-03-16 13:29:51 -07:00
Armon Dadgar 18069d4cf7 vault: Handle a negetive renew increment 2015-03-16 11:52:38 -07:00
Armon Dadgar bdfa320e01 vault: First pass at expiration manager 2015-03-16 11:35:43 -07:00
Armon Dadgar c8d00f6aa2 vault: Adding barrier view scan method 2015-03-16 11:35:43 -07:00
Mitchell Hashimoto de1e28a77c vault: change to /sys/mounts 2015-03-16 10:52:35 -07:00
Mitchell Hashimoto e3a796028e http: /v1/sys/mount endpoint 2015-03-16 10:36:43 -07:00
Mitchell Hashimoto 12b12e578c vault: fix merge conflict + pass tests 2015-03-15 19:38:23 -07:00
Armon Dadgar ca358f64dd vault: Merge conflict 2015-03-15 18:06:19 -07:00
Armon Dadgar b96ac9f95f vault: Assign renew time 2015-03-15 18:05:31 -07:00
Mitchell Hashimoto 9f0d59d03f vault: system using the framework 2015-03-15 17:35:59 -07:00
Mitchell Hashimoto edd13a5d24 vault: passthrough backend uses logical/framework 2015-03-15 17:07:54 -07:00
Mitchell Hashimoto d4f54be927 vault: can pass in the backends 2015-03-15 16:25:38 -07:00
Mitchell Hashimoto ece0be434e vault: rename SystemBackend2 to SystemBackend 2015-03-15 14:54:49 -07:00
Mitchell Hashimoto d1d1929192 vault: convert to logical.Request and friends 2015-03-15 14:53:41 -07:00
Mitchell Hashimoto 5ffcd02b7a vault: convert system to logical.Backend 2015-03-15 14:42:05 -07:00
Mitchell Hashimoto c3ae1b59a1 vault: Passthrough backend uses logical.Backend 2015-03-15 14:27:06 -07:00
Mitchell Hashimoto c7e901ce45 vault: incremental change to get closer to logical structs 2015-03-15 14:27:06 -07:00
Mitchell Hashimoto 63a9eb321a logical: put structs here, vault uses them 2015-03-15 14:27:06 -07:00
Mitchell Hashimoto 92910d18d1 vault: make mount functions private again, going to try something else 2015-03-14 18:31:31 -07:00
Mitchell Hashimoto 9d84e7bacc vault: don't copy the key so it can be zeroed, document, add helper 2015-03-14 18:25:55 -07:00
Mitchell Hashimoto 866b91d858 vault: public TestCoreUnsealed, don't modify key in Unseal 
/cc @armon - I do a key copy within Unseal now. It tripped me up for
quite awhile that that method actually modifies the param in-place and I
can't think of any scenario that is good for the user. Do you see any
issues here?
 2015-03-14 17:47:11 -07:00
Mitchell Hashimoto b2af154fb4 vault: make Mount related core functions public 
/cc @armon - So I know the conversation we had related to this about
auth, but I think we still need to export these and do auth only at the
external API layer. If you're writing to the internal API, then all bets
are off.

The reason is simply that if you have access to the code, you can
already work around it anyways (you can disable auth or w/e), so a
compromised Vault source/binary is already a failure, and that is the
only thing that our previous unexported methods were protecting against.

If you write an external tool to access a Vault, it still needs to be
unsealed so _that_ is the primary security mechanism from an API
perspective. Once it is unsealed then the core API has full access to
the Vault, and identity/auth is only done at the external API layer, not
at the internal API layer.

The benefits of this approach is that it lets us still treat the "sys"
mount specially but at least have sys adopt helper/backend and use that
machinery and it can still be the only backend which actually has a
reference to *vault.Core to do core things (a key difference). So, an
AWS backend still will never be able to muck with things it can't, but
we're explicitly giving Sys (via struct initialization in Go itself)
a reference to *vault.Core.
 2015-03-14 17:26:59 -07:00
Mitchell Hashimoto f43a0290cf vault: public testing methods 2015-03-13 12:53:09 -07:00
Armon Dadgar 9d5db1286d vault: Track the renew time 2015-03-13 11:36:24 -07:00
Armon Dadgar 081358091a vault: improve seal/unseal log messages 2015-03-13 11:34:40 -07:00
Armon Dadgar f0d00e77ec vault: Adding start/stop to expiration manager 2015-03-13 11:31:43 -07:00
Armon Dadgar d744d4ee5e vault: integrate expiration manager with core setup/teardown 2015-03-13 11:20:36 -07:00
Armon Dadgar d0380e553d vault: Support a pre-seal teardown 2015-03-13 11:16:24 -07:00
Armon Dadgar 5ce63ea7cd vault: Adding lease registration 2015-03-13 10:56:03 -07:00
Armon Dadgar affeefa7f8 vault: Validate lease values 2015-03-13 10:56:03 -07:00
Armon Dadgar e77ce26d31 vault: spec out expiration manager API 2015-03-12 18:38:22 -07:00
Armon Dadgar 15de847389 vault: Setup expiration manager on unseal 2015-03-12 12:44:30 -07:00
Armon Dadgar 6c759416d0 vault: special view path for system 2015-03-12 12:44:30 -07:00
Armon Dadgar ef82fe04c6 vault: Support sub-views 2015-03-12 12:44:30 -07:00