Commit graph

314 commits

Author SHA1 Message Date
Chris Hoffman b1b17cc387 Add field type TypeNameString (#3028) 2017-07-17 11:39:58 -07:00
Jeff Mitchell 338ebffb9d Add string slice with single value test function 2017-06-14 14:20:37 -04:00
Jeff Mitchell 39286c0500 Automatically upgrade values to salted on access if salt exists in PathMap (#2831) 2017-06-07 15:22:08 -04:00
Jeff Mitchell f7df60b131 Allow accessing Warnings directly in Response. (#2806)
A change in copystructure has caused some panics due to the custom copy
function. I'm more nervous about production panics than I am about
keeping some bad code wiping out some existing warnings, so remove the
custom copy function and just allow direct setting of Warnings.
2017-06-05 10:52:43 -04:00
Jeff Mitchell d25aa9fc21 Don't write salts in initialization, look up on demand (#2702) 2017-05-09 17:51:09 -04:00
Jeff Mitchell 490b01d6d8 Add salt mutex to app-id (#2690) 2017-05-08 16:15:24 -04:00
Brian Kassouf 5ee0d696d4 Merge remote-tracking branch 'oss/master' into database-refactor 2017-05-04 10:45:18 -07:00
Brian Kassouf 29bfc0a0d4 PR comments 2017-05-04 10:41:59 -07:00
Brian Kassouf ce9688ce8c Change MlockDisabled to MlockEnabled 2017-04-24 12:21:49 -07:00
Joel Thompson e06a78a474 Create unified aws auth backend (#2441)
* Rename builtin/credential/aws-ec2 to aws

The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.

* Expand aws-ec2 backend to more generic aws

This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.

* Add missing aws auth handler to CLI

This was omitted from the previous commit

* aws auth backend general variable name cleanup

Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.

* Update docs for the aws auth backend

* Refactor aws bind validation

* Fix env var override in aws backend test

Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.

* Update docs on use of IAM authentication profile

AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.

* Fix typo in aws auth cli help

* Respond to PR feedback

* More PR feedback

* Respond to additional PR feedback

* Address more feedback on aws auth PR

* Make aws auth_type immutable per role

* Address more aws auth PR feedback

* Address more iam auth PR feedback

* Rename aws-ec2.html.md to aws.html.md

Per PR feedback, to go along with new backend name.

* Add MountType to logical.Request

* Make default aws auth_type dependent upon MountType

When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.

* Pass MountPoint and MountType back up to the core

Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
Brian Kassouf 657d433330 Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 12:15:01 -07:00
Brian Kassouf af9ff63e9a Merge remote-tracking branch 'oss/master' into database-refactor 2017-04-19 15:16:00 -07:00
Chris Hoffman 6afcf2aa7d List Handling in API and CLI (#2584) 2017-04-18 16:02:31 -04:00
Brian Kassouf 8ccf10641b Merge branch 'master' into database-refactor 2017-04-12 14:29:10 -07:00
Brian Kassouf 128f25c13d Update help text and comments 2017-04-11 11:50:34 -07:00
Brian Kassouf 8071aed758 Mlock the plugin process 2017-04-10 17:12:52 -07:00
Brian Kassouf e8781b6a2b Plugin catalog 2017-04-03 17:52:29 -07:00
Brian Kassouf eb6117cbb2 Work on TLS communication over plugins 2017-03-15 17:14:48 -07:00
vishalnayak b066f1ff72 Fix typo 2017-03-08 20:05:23 -05:00
Vishal Nayak 5a6193a56e Audit: Add token's use count to audit response (#2437)
* audit: Added token_num_uses to audit response

* Fixed jsonx tests

* Revert logical auth to NumUses instead of TokenNumUses

* s/TokenNumUses/NumUses

* Audit: Add num uses to audit requests as well

* Added RemainingUses to distinguish NumUses in audit requests
2017-03-08 17:36:50 -05:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Vishal Nayak 491a56fe9f AppRole: Support restricted use tokens (#2435)
* approle: added token_num_uses to the role

* approle: added RUD tests for token_num_uses on role

* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
Jeff Mitchell 6ebb2cc958 Add last remote WAL bits 2017-03-01 12:40:36 -05:00
Jeff Mitchell 1a3edc7515 Fix framework test on int64 with default durationsecond set 2017-02-18 13:53:23 -05:00
Jeff Mitchell 679b0144c9 Fix TypeDurationSecond to not panic at runtime if the given default is a string (#2396)
Fix TypeDurationSecond to not panic at runtime if the given default is a string.

Fixes #myownannoyance
2017-02-17 17:25:53 -05:00
Jeff Mitchell 0c39b613c8 Port some replication bits to OSS (#2386) 2017-02-16 15:15:02 -05:00
Jeff Mitchell 0a9a6d3343 Move ReplicationState to consts 2017-02-16 13:37:21 -05:00
Jeff Mitchell d7a6ec8d43 Add some repcluster handling to audit and add some tests (#2384)
* Add some repcluster handling to audit and add some tests

* Fix incorrect assumption about nil auth
2017-02-16 13:09:53 -05:00
Brian Kassouf 6701ba8a10 Configure the request headers that are output to the audit log (#2321)
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited

* Remove some debug lines

* Add a persistant layer and refactor a bit

* update the api endpoints to be more restful

* Add comments and clean up a few functions

* Remove unneeded hash structure functionaility

* Fix existing tests

* Add tests

* Add test for Applying the header config

* Add Benchmark for the ApplyConfig method

* ResetTimer on the benchmark:

* Update the headers comment

* Add test for audit broker

* Use hyphens instead of camel case

* Add size paramater to the allocation of the result map

* Fix the tests for the audit broker

* PR feedback

* update the path and permissions on config/* paths

* Add docs file

* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
Jeff Mitchell 7304311648 That's what you get for not building first. 2017-01-30 11:46:45 -05:00
Jeff Mitchell 46fed7a089 Fix relying on old copystructure behavior 2017-01-30 11:31:20 -05:00
Jeff Mitchell 252e1f1e84 Port over some work to make the system views a bit nicer 2017-01-13 14:51:27 -05:00
Brian Rodgers cf990b41a9 Support LIST on auth/github/map/teams and /users 2017-01-11 15:09:01 -06:00
Armon Dadgar c37d17ed47 Adding interface methods to logical.Backend for parity (#2242) 2017-01-07 18:18:22 -05:00
Jeff Mitchell 9e5d1eaac9 Port some updates 2017-01-06 15:42:18 -05:00
Jeff Mitchell 3129187dc2 JWT wrapping tokens (#2172) 2017-01-04 16:44:03 -05:00
Vishal Nayak b3c805e662 Audit the client token accessors (#2037) 2016-10-29 17:01:49 -04:00
Jeff Mitchell 5657789627 Audit unwrapped response (#1950) 2016-09-29 12:03:47 -07:00
Jeff Mitchell 6bf871995b Don't use time.Time in responses. (#1912)
This fixes #1911 but not directly; it doesn't address the cause of the
panic. However, it turns out that this is the correct fix anyways,
because it ensures that the value being logged is RFC3339 format, which
is what the time turns into in JSON but not the normal time string
value, so what we audit log (and HMAC) matches what we are returning.
2016-09-23 12:32:07 -04:00
Jeff Mitchell 722e26f27a Add support for PGP encrypting the initial root token. (#1883) 2016-09-13 18:42:24 -04:00
Justin Carter c39145c40e Support for 1 and 2 char names in GenericNameRegex 2016-08-30 19:37:52 +02:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell 2860dcc60f gofmt 2016-08-19 16:48:32 -04:00
Jeff Mitchell 9828f28091 Use a better value for capacity 2016-08-09 07:16:40 -04:00
Jeff Mitchell 3e6b48cca3 Initial dataonly work. 2016-08-08 11:55:24 -04:00
Jeff Mitchell 6389a3cc31 Ensure response data not nil in IsError 2016-08-02 14:54:34 -04:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
Laura Bennett 4d9c909ae4 Merge pull request #1650 from hashicorp/request-uuid
Added unique identifier to each request. Closes hashicorp/vault#1617
2016-07-27 09:40:48 -04:00
vishalnayak a6907769b0 AppRole authentication backend 2016-07-26 09:32:41 -04:00
Laura Bennett ae8a90be30 adding ids 2016-07-25 16:54:43 -04:00
Laura Bennett e5737b6789 initial local commit 2016-07-23 21:46:28 -04:00
vishalnayak c14235b206 Merge branch 'master-oss' into json-use-number
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Vishal Nayak c55fa03760 Merge pull request #1599 from hashicorp/use-go-uuid
Use go-uuid's GenerateUUID in PutWAL and discard logical.UUID()
2016-07-13 11:36:28 -06:00
Vishal Nayak 9f1e6c7b26 Merge pull request #1607 from hashicorp/standardize-time
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
vishalnayak 8269f323d3 Revert 'risky' changes 2016-07-12 16:38:07 -04:00
Jeff Mitchell 5b210b2a1f Return a duration instead and port a few other places to use it 2016-07-11 18:19:35 +00:00
Jeff Mitchell ab6c2bc5e8 Factor out parsing duration second type and use it for parsing tune values too 2016-07-11 17:53:39 +00:00
vishalnayak e09b40e155 Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC 2016-07-08 18:30:18 -04:00
vishalnayak 581b293a26 Use go-uuid's GenerateUUID in PutWAL and discart logical.UUID() 2016-07-07 17:57:36 -04:00
vishalnayak 98fca2a31a Added json.Number as recognized type for FieldData 2016-07-06 18:54:18 -04:00
Jeff Mitchell 7023eafc67 Make the API client retry on 5xx errors.
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.

Fix tests.
2016-07-06 16:50:23 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers.
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell 22e83ae7f5 Dockerize Postgres secret backend acceptance tests
Additionally enable them on all unit test runs.
2016-06-30 13:46:39 -04:00
Jeff Mitchell d00374fe3c Add a logger to testing backend config so it's available to backends during unit tests 2016-06-30 09:17:14 -04:00
Jeff Mitchell e925987cb6 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
vishalnayak 6c5e1969ac Added GetDefaultOrZero method to FieldData 2016-06-10 10:42:01 -04:00
Jeff Mitchell 10b218d292 Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this... 2016-06-07 16:01:09 -04:00
Jeff Mitchell 401456ea50 Add creation time to returned wrapped token info
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.

This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Jeff Mitchell 8f437d6142 Make logical.InmemStorage a wrapper around physical.InmemBackend.
This:

* Allows removing LockingInmemStorage since the physical backend already
  locks properly
* Makes listing work properly by adhering to expected semantics of only
  listing up to the next prefix separator
* Reduces duplicated code
2016-06-06 12:03:08 -04:00
Jeff Mitchell 72cfd19078 Add some comments to sanitize 2016-05-16 16:12:45 -04:00
Jeff Mitchell c4431a7e30 Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 16:11:33 -04:00
Jeff Mitchell 4c67a739b9 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-16 12:14:40 -04:00
Sean Chittenden 7a4b31ce51
Speling police 2016-05-15 09:58:36 -07:00
vishalnayak 6f65d9293a Fix framework rollback manager tests 2016-05-14 19:35:36 -04:00
vishalnayak ddcaf26396 Merge branch 'master-oss' into aws-auth-backend 2016-05-10 14:50:00 -04:00
Jeff Mitchell 31e1ed2417 Implement WrapInfo audit logging 2016-05-07 20:03:56 -04:00
Jeff Mitchell 2295cadbf4 Make WrapInfo a pointer to match secret/auth in response 2016-05-07 19:17:51 -04:00
Jeff Mitchell c52d352332 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-07 16:40:04 -04:00
Jeff Mitchell d77563994c Merge pull request #1346 from hashicorp/disable-all-caches
Disable all caches
2016-05-07 16:33:45 -04:00
Jeff Mitchell 75dbbff1a6 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-05 20:45:36 -04:00
Jeff Mitchell 3e71221839 Merge remote-tracking branch 'origin/master' into aws-auth-backend 2016-05-05 10:04:52 -04:00
vishalnayak 92fe94546c Split SanitizeTTL method to support time.Duration parameters as well 2016-05-05 09:45:48 -04:00
Jeff Mitchell fe1f56de40 Make a non-caching but still locking variant of transit for when caches are disabled 2016-05-02 22:36:44 -04:00
Jeff Mitchell 8572190b64 Plumb disabling caches through the policy store 2016-05-02 22:36:44 -04:00
Jeff Mitchell 642163f8b0 Remove MountPoint from internal wrap object, for now at least 2016-05-02 10:29:51 -04:00
Jeff Mitchell aba689a877 Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 00:47:35 -04:00
Jeff Mitchell d81806b446 Add:
* Request/Response field extension
* Parsing of header into request object
* Handling of duration/mount point within router
* Tests of router WrapDuration handling
2016-05-02 00:24:32 -04:00
vishalnayak 21854776af Added cooldown period for periodic tidying operation 2016-04-26 10:22:29 -04:00
vishalnayak 9aa8fb6cc1 Support periodic tidy callback and config endpoints. 2016-04-26 10:22:29 -04:00
Sean Chittenden aeea7628d6 Add a *log.Logger argument to physical.Factory
Logging in the backend is a good thing.  This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
Seth Vargo 86455b4720 Only show params if there are fields 2016-04-13 22:15:06 +01:00
vishalnayak a861125900 Added a TODO for 'Check' function 2016-04-06 12:51:49 -04:00
vishalnayak d9dcbe04d8 Fix ErrorOk handling 2016-04-06 12:29:04 -04:00
vishalnayak 1df5c4d0ce Use AcceptanceTest bool in Test() function 2016-04-05 16:48:11 -04:00
vishalnayak fd8b023655 s/TF_ACC/VAULT_ACC 2016-04-05 15:24:59 -04:00
vishalnayak 95abdebb06 Added AcceptanceTest boolean to logical.TestCase 2016-04-05 15:10:44 -04:00
Jeff Mitchell afae46feb7 SealInterface 2016-04-04 10:44:22 -04:00
vishalnayak ba9b5b8847 Fix SanitizeTTL check 2016-03-16 14:27:01 -04:00
vishalnayak 3861c88211 Accept params both as part of URL or as part of http body 2016-03-14 19:14:36 -04:00
vishalnayak 151c932875 AccessorID --> Accessor, accessor_id --> accessor 2016-03-09 06:23:31 -05:00