Jeff Mitchell
6c1d2ffea9
Allow wrapping to be specified by backends, and take the lesser of the request/response times ( #2088 )
2016-11-11 15:12:11 -05:00
Jeff Mitchell
b45a481365
Wrapping enhancements ( #1927 )
2016-09-28 21:01:28 -07:00
Laura Bennett
e5737b6789
initial local commit
2016-07-23 21:46:28 -04:00
Sean Chittenden
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
Jeff Mitchell
b5a8e5d724
Fix commenting
2016-02-29 20:29:04 -05:00
vishalnayak
bc4710eb06
Cert: renewal enhancements
2016-02-24 14:31:38 -05:00
Jeff Mitchell
9db22dcfad
Address some more review feedback
2016-01-12 15:09:16 -05:00
Jeff Mitchell
4f4ddbf017
Create more granular ACL capabilities.
...
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.
Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell
849b78daee
Move more cubby logic outside of router into auth setup
2015-09-15 13:50:37 -04:00
Jeff Mitchell
bdb8cf128d
Cleanup; remove everything but double-salting from the router and give
...
the token store cubby backend information for direct calling.
2015-09-15 13:50:37 -04:00
Jeff Mitchell
77e7379ab5
Implement the cubbyhole backend
...
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Lassi Pölönen
d3aec0ba31
Cleanup routines should now use routeEntry instead of mountEntry.
2015-09-11 13:40:31 +03:00
Lassi Pölönen
fb07cf9f53
Implement clean up routine to backend as some backends may require
...
e.g closing database connections on unmount to avoud connection
stacking.
2015-09-11 11:45:58 +03:00
Jeff Mitchell
5de736e69c
Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views
2015-09-10 15:09:54 -04:00
Jeff Mitchell
c460ff10ca
Push a lot of logic into Router to make a bunch of it nicer and enable a
...
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
488d33c70a
Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation
2015-09-10 15:09:54 -04:00
Armon Dadgar
579c1433a2
vault: use helper/salt library to share code
2015-06-30 14:08:21 -07:00
Nate Brown
31ab086063
Doing a little better with http response codes
2015-06-19 14:00:48 -07:00
Armon Dadgar
ba7bfed1af
vault: Expose MountPoint to secret backend. Fixes #248
2015-05-27 11:46:42 -07:00
Armon Dadgar
3500535db3
vault: fix detection of missing trailing slash. Fixes #157
2015-05-07 12:18:50 -07:00
Armon Dadgar
e25886859e
vault: router generates metrics per operation
2015-04-08 17:09:10 -07:00
Armon Dadgar
512b3d7afd
vault: Adding metrics profiling
2015-04-08 16:43:17 -07:00
Mitchell Hashimoto
8ff435ba1a
vault: fix issue with wrong path getting passed through
2015-04-03 20:48:04 -07:00
Mitchell Hashimoto
df8dbe9677
vault: allow mount point queries without trailing /
2015-04-03 20:45:00 -07:00
Armon Dadgar
002b2ad589
vault: Provide salted client token to logical backends
2015-04-03 14:42:39 -07:00
Armon Dadgar
3a8dc4dff9
vault: Adding Untaint to router
2015-04-02 12:01:53 -07:00
Armon Dadgar
3e427910fb
vault: Support tainting router paths
2015-04-02 11:18:06 -07:00
Armon Dadgar
c718408055
vault: Added MatchingView method
2015-04-02 11:18:06 -07:00
Mitchell Hashimoto
d4509b0ee3
vault: keep the connection info around for auth
2015-03-30 20:55:01 -07:00
Mitchell Hashimoto
c9acfa17cb
vault: get rid of HangleLogin
2015-03-30 20:26:39 -07:00
Mitchell Hashimoto
69593cde56
remove credential/ lots of tests faililng
2015-03-30 18:07:05 -07:00
Mitchell Hashimoto
62ee621ea3
logical: move cred stuff over here
2015-03-30 17:46:18 -07:00
Armon Dadgar
26f05f7a20
vault: Passthrough of client token to token store
2015-03-24 15:12:52 -07:00
Armon Dadgar
4598e43140
vault: Adding ClientToken
2015-03-24 11:09:25 -07:00
Armon Dadgar
10e64d1e90
vault: extend router to handle login routing
2015-03-23 11:47:55 -07:00
Armon Dadgar
421f73d332
vault: Removing mtype from router
2015-03-18 15:48:14 -07:00
Mitchell Hashimoto
d1d1929192
vault: convert to logical.Request and friends
2015-03-15 14:53:41 -07:00
Mitchell Hashimoto
c7e901ce45
vault: incremental change to get closer to logical structs
2015-03-15 14:27:06 -07:00
Armon Dadgar
59052069bc
vault: Router can check for matching mounts
2015-03-11 18:19:45 -07:00
Armon Dadgar
ff5834ddb4
vault: Adding mount type
2015-03-09 16:12:07 -07:00
Armon Dadgar
a453d8fbf8
vault: Adding router
2015-03-05 17:23:56 -08:00