Commit Graph

460 Commits

Author SHA1 Message Date
Vishal Nayak ea1f552d48 set entity id on the token (#3468) 2017-10-18 13:23:05 -04:00
Vishal Nayak f7ed6732a5 Porting identity store (#3419)
* porting identity to OSS

* changes that glue things together

* add testing bits

* wrapped entity id

* fix mount error

* some more changes to core

* fix storagepacker tests

* fix some more tests

* fix mount tests

* fix http mount tests

* audit changes for identity

* remove upgrade structs on the oss side

* added go-memdb to vendor
2017-10-11 10:21:20 -07:00
Chris Hoffman 1029ad3b33 Rename "generic" secret backend to "kv" (#3292) 2017-09-15 09:02:29 -04:00
Chris Hoffman 9d73c81f38 Disable the `sys/raw` endpoint by default (#3329)
* disable raw endpoint by default

* adding docs

* config option raw -> raw_storage_endpoint

* docs updates

* adding listing on raw endpoint

* reworking tests for enabled raw endpoints

* root protecting base raw endpoint
2017-09-15 00:21:35 -04:00
Brian Kassouf a8d9426d9f Update locking components from DR replication changes (#3283)
* Update locking components from DR replication changes

* Fix plugin backend test

* Add a comment about needing the statelock:
2017-09-04 19:38:37 -04:00
Calvin Leung Huang a581e96b78 Lazy-load plugin mounts (#3255)
* Lazy load plugins to avoid setup-unwrap cycle

* Remove commented blocks

* Refactor NewTestCluster, use single core cluster on basic plugin tests

* Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly

* Add special path to mock plugin

* Move ensureCoresSealed to vault/testing.go

* Use same method for EnsureCoresSealed and Cleanup

* Bump ensureCoresSealed timeout to 60s

* Correctly handle nil opts on NewTestCluster

* Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap

* Check metadata flag directly on the plugin process

* Plumb isMetadataMode down to PluginRunner

* Add NOOP shims when running in metadata mode

* Remove unused flag from the APIMetadata object

* Remove setupSecretPlugins and setupCredentialPlugins functions

* Move when we setup rollback manager to after the plugins are initialized

* Fix tests

* Fix merge issue

* start rollback manager after the credential setup

* Add guards against running certain client and server functions while in metadata mode

* Call initialize once a plugin is loaded on the fly

* Add more tests, update basic secret/auth plugin tests to trigger lazy loading

* Skip mount if plugin removed from catalog

* Fixup

* Remove commented line on LookupPlugin

* Fail on mount operation if plugin is re-added to catalog and mount is on existing path

* Check type and special paths on startBackend

* Fix merge conflicts

* Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth
2017-09-01 01:02:03 -04:00
Jeff Mitchell 3edb337a00 Add option to set cluster TLS cipher suites. (#3228)
* Add option to set cluster TLS cipher suites.

Fixes #3227
2017-08-30 16:28:23 -04:00
Calvin Leung Huang 86ea7e945d Add plugin auto-reload capability (#3171)
* Add automatic plugin reload

* Refactor builtin/backend

* Remove plugin reload at the core level

* Refactor plugin tests

* Add auto-reload test case

* Change backend to use sync.RWMutex, fix dangling test plugin processes

* Add a canary to plugin backends to avoid reloading many times (#3174)

* Call setupPluginCatalog before mount-related operations in postUnseal

* Don't create multiple system backends since core only holds a reference (#3176)

to one.
2017-08-15 22:10:32 -04:00
Chris Hoffman 6092538511 splitting cache into transactional and non-transactional cache structs (#3132) 2017-08-08 20:47:14 -04:00
Aaron Salvo ad1d74cae0 Set allowed headers via API instead of defaulting to wildcard. (#3023) 2017-08-07 10:03:30 -04:00
Jeff Mitchell c2c908cdc0 Unlock the statelock on unsuccessful sealInitCommon 2017-08-04 16:49:31 -04:00
Jeff Mitchell 3ef2113be9 Remove a couple unneeded cancels 2017-08-04 16:47:04 -04:00
Jeff Mitchell ae75312185 Make seal/stepdown functions async internally so they can poke the request context 2017-08-04 16:42:51 -04:00
Jeff Mitchell d0f329e124 Add leader cluster address to status/leader output. (#3061)
* Add leader cluster address to status/leader output. This helps in
identifying a particular node when all share the same redirect address.

Fixes #3042
2017-07-31 18:25:27 -04:00
Jeff Mitchell 1bfc6d4fe7 Add a -dev-three-node option for devs. (#3081) 2017-07-31 11:28:06 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Jeff Mitchell 753b68fa1b Port TestCluster changes from proxy branch 2017-07-03 14:54:01 -04:00
Jeff Mitchell d55d75a79f Convert listener arguments to map[string]interface{} (#2905)
This allows people to use more natural constructs, e.g. for tls_disable
it can be a bool, int, or string.
2017-06-22 20:29:53 +01:00
Jeff Mitchell cf7d56e8f3 Fix up CORS.
Ref #2021
2017-06-17 01:26:25 -04:00
Aaron Salvo 0303f51b68 Cors headers (#2021) 2017-06-17 00:04:55 -04:00
Brian Rodgers e9b52ed928 Log auth info on permission denied due to ACL (#2754) 2017-06-05 18:04:31 -04:00
Jeff Mitchell 605d74d889 Don't try to clean up upgrades if we're sealed 2017-06-05 16:00:56 -04:00
Jeff Mitchell 72a5b5e23b Fix tests 2017-05-25 09:00:49 -04:00
Jeff Mitchell 3d7db4248f Rename peer cluster cache 2017-05-24 21:10:32 -04:00
Jeff Mitchell 5c230c796b Add peer cluster address cache 2017-05-24 20:51:53 -04:00
Jeff Mitchell bbe27aaedf Add heartbeating and cluster address sharing to request forwarding (#2762) 2017-05-24 15:06:56 -04:00
Jeff Mitchell 9d4801b1e8 Revert grpc back a version (they introduced a panic) and clean up a bunch of old request forwarding stuff 2017-05-24 10:38:48 -04:00
Jeff Mitchell 0d4e7fba69 Remove non-gRPC request forwarding 2017-05-24 09:34:59 -04:00
Brian Kassouf cb1f1d418c Only run Abs on the plugin directory if it's set 2017-04-24 16:20:20 -07:00
Brian Kassouf ce9688ce8c Change MlockDisabled to MlockEnabled 2017-04-24 12:21:49 -07:00
Brian Kassouf 6f9d178370 Calls to builtin plugins now go directly to the implementation instead of go-plugin 2017-04-20 18:46:41 -07:00
Brian Kassouf 8ccf10641b Merge branch 'master' into database-refactor 2017-04-12 14:29:10 -07:00
Brian Kassouf 8071aed758 Mlock the plugin process 2017-04-10 17:12:52 -07:00
Brian Kassouf 0034074691 Execute builtin plugins 2017-04-04 14:43:39 -07:00
Brian Kassouf e8781b6a2b Plugin catalog 2017-04-03 17:52:29 -07:00
Jeff Mitchell e7f418c903 Fix poison pill location 2017-03-04 10:21:27 -05:00
Jeff Mitchell 25428971c8 Add poison pill 2017-03-03 15:05:25 -05:00
Jeff Mitchell 31cddc43e1 Use own mutex for updating cluster parameters and fix leader UUID bug 2017-03-02 10:50:54 -05:00
Jeff Mitchell beb3067787 Add some trace level information about new cluster status 2017-03-02 10:21:35 -05:00
Jeff Mitchell 36c84df326 Large update to request forwarding handling. (#2426) 2017-03-02 10:03:49 -05:00
Jeff Mitchell 90389323a2 Some more forwarding client cleanup 2017-03-01 20:59:20 -05:00
Jeff Mitchell b1c2a930fe Clean up request forwarding logic 2017-03-01 18:17:06 -05:00
Jeff Mitchell 00cfaf7f64 Rejig signature of last remote wal 2017-03-01 12:42:10 -05:00
Jeff Mitchell 6ebb2cc958 Add last remote WAL bits 2017-03-01 12:40:36 -05:00
Jeff Mitchell f2282247ef Add seal cache purging back into postUnseal 2017-02-28 18:36:28 -05:00
Jeff Mitchell 09543dceeb Rejig core standby logic to check validity of barrier during active transition 2017-02-28 18:17:30 -05:00
Jeff Mitchell b29861f7bb Do some porting to make diffing easier 2017-02-24 10:45:29 -05:00
Brian Kassouf f992103615 Merge branch 'master' into acl-parameters-permission 2017-02-21 14:46:06 -08:00
Jeff Mitchell 494b4c844b More porting from rep (#2389)
* More porting from rep

* Address feedback
2017-02-16 20:13:19 -05:00
Jeff Mitchell 0c39b613c8 Port some replication bits to OSS (#2386) 2017-02-16 15:15:02 -05:00
Jeff Mitchell 0a9a6d3343 Move ReplicationState to consts 2017-02-16 13:37:21 -05:00
Jeff Mitchell 2fd59ad308 Merge branch 'master-oss' into acl-parameters-permission 2017-02-08 01:59:52 -05:00
Jeff Mitchell 67f96bc64e Rejig check for HA/Sealed in Leader to check for sealed first. (#2342)
Fixes #2334
2017-02-06 18:29:56 -05:00
Brian Kassouf 6701ba8a10 Configure the request headers that are output to the audit log (#2321)
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited

* Remove some debug lines

* Add a persistant layer and refactor a bit

* update the api endpoints to be more restful

* Add comments and clean up a few functions

* Remove unneeded hash structure functionaility

* Fix existing tests

* Add tests

* Add test for Applying the header config

* Add Benchmark for the ApplyConfig method

* ResetTimer on the benchmark:

* Update the headers comment

* Add test for audit broker

* Use hyphens instead of camel case

* Add size paramater to the allocation of the result map

* Fix the tests for the audit broker

* PR feedback

* update the path and permissions on config/* paths

* Add docs file

* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
Jeff Mitchell 69eb5066dd Multi value test seal (#2281) 2017-01-17 15:43:10 -05:00
Jeff Mitchell dd0e44ca10 Add nonce to unseal to allow seeing if the operation has reset (#2276) 2017-01-17 11:47:06 -05:00
Brian Kassouf ae116ada25 Merge branch 'master' into acl-parameters-permission 2017-01-13 16:44:10 -08:00
Jeff Mitchell 252e1f1e84 Port over some work to make the system views a bit nicer 2017-01-13 14:51:27 -05:00
Jeff Mitchell 9923c753d0 Set c.standby true in non-HA context. (#2259)
This value is the key for some checks in core logic. In a non-HA
environment, if the core was sealed it would never be set back to true.
2017-01-11 11:13:09 -05:00
Jeff Mitchell 681e36c4af Split Unseal into Unseal and unsealInternal 2017-01-06 16:30:43 -05:00
Jeff Mitchell 9e5d1eaac9 Port some updates 2017-01-06 15:42:18 -05:00
Jeff Mitchell 0391475c70 Add read locks to LookupToken/ValidateWrappingToken (#2232) 2017-01-04 16:52:03 -05:00
Jeff Mitchell 3129187dc2 JWT wrapping tokens (#2172) 2017-01-04 16:44:03 -05:00
mwoolsey 3e72e50fa5 Merge remote-tracking branch 'upstream/master' 2016-11-20 18:31:55 -08:00
Jeff Mitchell e84a015487 Add extra logic around listener handling. (#2089) 2016-11-11 16:43:33 -05:00
Vishal Nayak b3c805e662 Audit the client token accessors (#2037) 2016-10-29 17:01:49 -04:00
ChaseLEngel c2b512cf46 Changed AllowOperation to take logical.Request 2016-10-16 16:29:52 -07:00
Jeff Mitchell 85315ff188 Rejig where the reload functions live 2016-09-30 00:07:22 -04:00
Jeff Mitchell b45a481365 Wrapping enhancements (#1927) 2016-09-28 21:01:28 -07:00
Jeff Mitchell 2ce4397deb Plumb through the ability to set the storage read cache size. (#1784)
Plumb through the ability to set the storage read cache size.

Fixes #1772
2016-08-26 10:27:06 -04:00
Jeff Mitchell b89073f7e6 Error when an invalid (as opposed to incorrect) unseal key is given. (#1782)
Fixes #1777
2016-08-24 14:15:25 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell 2bb8adcbde Cleanup and avoid unnecessary advertisement parsing in leader check 2016-08-19 14:49:11 -04:00
Jeff Mitchell b7acf5b5ab Rename proto service stuff and change log levels for some messages 2016-08-19 11:49:25 -04:00
Jeff Mitchell bdcfe05517 Clustering enhancements (#1747) 2016-08-19 11:03:53 -04:00
vishalnayak 87c42a796b s/advertisement/redirect 2016-08-19 10:52:14 -04:00
Jeff Mitchell 62c69f8e19 Provide base64 keys in addition to hex encoded. (#1734)
* Provide base64 keys in addition to hex encoded.

Accept these at unseal/rekey time.

Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell 37320f8798 Request forwarding (#1721)
Add request forwarding.
2016-08-15 09:42:42 -04:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
vishalnayak a3e6400697 Remove global name/id. Make only cluster name configurable. 2016-07-26 10:01:35 -04:00
vishalnayak c7dabe4def Storing local and global cluster name/id to storage and returning them in health status 2016-07-26 02:32:42 -04:00
Jeff Mitchell df621911d7 Merge pull request #1624 from hashicorp/dynamodb-ha-off-default
Turn off DynamoDB HA by default.
2016-07-18 13:54:26 -04:00
Jeff Mitchell 028d024345 Add metrics around leadership
This can be helpful for detecting flapping.

Fixes #1544
2016-07-18 13:38:44 -04:00
Jeff Mitchell a3ce0dcb0c Turn off DynamoDB HA by default.
The semantics are wonky and have caused issues from people not reading
docs. It can be enabled but by default is off.
2016-07-18 13:19:58 -04:00
Jeff Mitchell 05b0e0a866 Enable audit-logging of seal and step-down commands.
This pulls the logical request building code into its own function so
that it's accessible from other HTTP handlers, then uses that with some
added logic to the Seal() and StepDown() commands to have meaningful
audit log entries.
2016-05-20 17:03:54 +00:00
Jeff Mitchell c4431a7e30 Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 16:11:33 -04:00
Jeff Mitchell 560e9c30a3 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-12 14:59:12 -04:00
Sean Chittenden 99a5213f0b Merge pull request #1355 from hashicorp/f-vault-service
Vault/Consul Service refinement
2016-05-12 11:48:29 -07:00
Jeff Mitchell c52d352332 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-07 16:40:04 -04:00
Jeff Mitchell fe1f56de40 Make a non-caching but still locking variant of transit for when caches are disabled 2016-05-02 22:36:44 -04:00
Jeff Mitchell 8572190b64 Plumb disabling caches through the policy store 2016-05-02 22:36:44 -04:00
Jeff Mitchell 2ebe49d3a1 Change UseToken mechanics.
Add locking around UseToken and Lookup. Have UseToken flag an entry that
needs to be revoked so that it can be done at the appropriate time, but
so that Lookup in the interm doesn't return a value.

The locking is a map of 4096 locks keyed off of the first three
characters of the token ID which should provide good distribution.
2016-05-02 03:44:24 -04:00
Jeff Mitchell aba689a877 Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 00:47:35 -04:00
Sean Chittenden 5068d68a13 Name the output parameters for Leader 2016-04-28 11:05:18 -07:00
Sean Chittenden 0b72906fc3 Change the interface of ServiceDiscovery
Instead of passing state, signal that the state has changed and provide a callback handler that can query Core.
2016-04-28 11:05:18 -07:00
Sean Chittenden 7fe0b2c6a1 Persistently retry to update service registration
If the local Consul agent is not available while attempting to step down from active or up to active, retry once a second.  Allow for concurrent changes to the state with a single registration updater.  Fix standby initialization.
2016-04-25 18:01:13 -07:00
Sean Chittenden 230b59f34c Stub out service discovery functionality
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
2016-04-25 18:00:54 -07:00
Jeff Mitchell 53773f12e3 Register the token entry's path instead of the request path, to handle role suffixes correctly 2016-04-14 08:08:28 -04:00
Jeff Mitchell a4ff72841e Check for seal status when initing and change logic order to avoid defer 2016-04-14 01:13:59 +00:00
vishalnayak e3a1ee92b5 Utility Enhancements 2016-04-05 20:32:59 -04:00
Jeff Mitchell afae46feb7 SealInterface 2016-04-04 10:44:22 -04:00
Jeff Mitchell ddce1efd0d Two items:
1: Fix path check in core to handle renew paths from the token store
that aren't simply renew/
2: Use token policy logic if token store role policies are empty
2016-03-31 14:52:49 -04:00
Jeff Mitchell 8a5fc6b017 Sort and filter policies going into the create token entry, then use
that as the definitive source for the response Auth object.
2016-03-15 14:05:25 -04:00
Jeff Mitchell 90dd55b1e6 Sort policies before returning/storing, like we do in handleCreateCommon 2016-03-10 22:31:26 -05:00
vishalnayak 378db2bc3c Add default policy to response auth object 2016-03-10 19:55:38 -05:00
Jeff Mitchell fa2ba47a5c Merge branch 'master' into token-roles 2016-03-09 17:23:34 -05:00
Jeff Mitchell d4371d1393 Add accessor to returned auth 2016-03-09 17:15:42 -05:00
Jeff Mitchell cc1f5207b3 Merge branch 'master' into token-roles 2016-03-07 10:03:54 -05:00
Jeff Mitchell 9bf6c40974 Add default case for if the step down channel is blocked 2016-03-03 12:29:30 -05:00
Jeff Mitchell ef990a3681 Initial work on token roles 2016-03-01 12:41:40 -05:00
Jeff Mitchell 6a980b88fd Address review feedback 2016-02-28 21:51:50 -05:00
Jeff Mitchell 11ddd2290b Provide 'sys/step-down' and 'vault step-down'
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.

Fixes #1093
2016-02-26 19:43:55 -05:00
vishalnayak a10888f1f1 Added comments to changes the error message 2016-02-03 11:35:47 -05:00
vishalnayak f1facb0f9f Throw error on sealing vault in standby mode 2016-02-03 10:58:33 -05:00
Jeff Mitchell 8b9fa042fe If the path is not correct, don't fail due to existence check, fail due to unsupported path 2016-01-23 14:05:09 -05:00
Jeff Mitchell 9cac7ccd0f Add some commenting 2016-01-22 10:13:49 -05:00
Jeff Mitchell 3955604d3e Address more list feedback 2016-01-22 10:07:32 -05:00
Jeff Mitchell b2bde47b01 Pull out setting the root token ID; use the new ParseUUID method in
go-uuid instead, and revoke if there is an error.
2016-01-19 19:44:33 -05:00
Jeff Mitchell 973c888833 RootGeneration->GenerateRoot 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b994dbc7f Add the ability to generate root tokens via unseal keys. 2016-01-19 18:28:10 -05:00
Jeff Mitchell 9857da207c Move rekey to its own files for cleanliness 2016-01-14 17:01:04 -05:00
Jeff Mitchell 9c5ad28632 Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell d949043cac Merge pull request #914 from hashicorp/acl-rework
More granular ACL capabilities
2016-01-12 21:11:52 -05:00
Jeff Mitchell da87d490eb Add some commenting around create/update 2016-01-12 15:13:54 -05:00
Jeff Mitchell 9db22dcfad Address some more review feedback 2016-01-12 15:09:16 -05:00
Jeff Mitchell f6d2271a3c Use an array of keys so that if the same fingerprint is used none are lost when using PGP key backup 2016-01-08 14:29:23 -05:00
Jeff Mitchell 4f4ddbf017 Create more granular ACL capabilities.
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.

Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell f3ce90164f WriteOperation -> UpdateOperation 2016-01-08 13:03:03 -05:00
Jeff Mitchell 85509e7ba5 Simplify some logic and ensure that if key share backup fails, we fail
the operation as well.

Ping #907
2016-01-06 13:14:23 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Jeff Mitchell 96cb7d0051 Commenting/format update 2015-12-18 10:34:54 -05:00
Jeff Mitchell 4482fdacfd If we have not yet completed post-unseal when running in single-node
mode, don't advertise that we are active.

Ping #872
2015-12-17 13:48:08 -05:00
Jeff Mitchell f2da5b639f Migrate 'uuid' to 'go-uuid' to better fit HC naming convention 2015-12-16 12:56:20 -05:00
Jeff Mitchell 7ce8aff906 Address review feedback 2015-12-14 17:58:30 -05:00
Jeff Mitchell ced0835574 Allow separate HA physical backend.
With no separate backend specified, HA will be attempted on the normal
physical backend.

Fixes #395.
2015-12-14 07:59:58 -05:00
Jeff Mitchell bc4c18a1cf Rearchitect MountTable locking and fix rollback.
The rollback manager was using a saved MountTable rather than the
current table, causing it to attempt to rollback unmounted mounts, and
never rollback new mounts.

In fixing this, it became clear that bad things could happen to the
mount table...the table itself could be locked, but the table pointer
(which is what the rollback manager needs) could be modified at any time
without locking. This commit therefore also returns locking to a mutex
outside the table instead of inside, and plumbs RLock/RUnlock through to
the various places that are reading the table but not holding a write
lock.

Both unit tests and race detection pass.

Fixes #771
2015-11-11 11:54:52 -05:00
Jeff Mitchell d6693129de Create a "default" policy with sensible rules.
It is forced to be included with each token, but can be changed (but not
deleted).

Fixes #732
2015-11-09 15:44:09 -05:00
Jeff Mitchell 7aa3faa626 Rename core's 'policy' to 'policyStore' for clarification 2015-11-06 12:07:42 -05:00
Jeff Mitchell a9db12670a errwrap -> go-multierror + errwrap 2015-11-02 13:29:33 -05:00
Jeff Mitchell 7e9918ec8e Run preSeal if postUnseal fails.
This also ensures that every error path out of postUnseal returns an
error.

Fixes #733
2015-11-02 13:29:33 -05:00
Jeff Mitchell 94b7be702b Return data on a token with one use left if there is no Lease ID
Fixes #615
2015-10-30 12:35:42 -04:00
Jeff Mitchell 636d57a026 Make the token store's Create and RootToken functions non-exported.
Nothing requires them to be exported, and I don't want anything in the
future to think it's okay to simply create a root token when it likes.
2015-10-30 10:59:26 -04:00
Jeff Mitchell c1d8b97342 Add reset support to the unseal command.
Reset clears the provided unseal keys, allowing the process to be begun
again. Includes documentation and unit test changes.

Fixes #695
2015-10-28 15:59:39 -04:00
Jeff Mitchell 78b5fcdf51 Serialize changing the state of the expiration manager pointer and
calling emitMetrics from its own goroutine.

Fixes #694
2015-10-12 16:33:54 -04:00
Jeff Mitchell a9155ef85e Use split-out hashicorp/uuid 2015-10-12 14:07:12 -04:00
Jeff Mitchell 5fbaa0e64d Apply mount-tune properties to the token authentication backend.
Fixes #688.
2015-10-09 20:26:39 -04:00
Jeff Mitchell bd1dce7f95 Address review feedback for #684 2015-10-08 14:34:10 -04:00
Jeff Mitchell d58a3b601c Add a cleanLeaderPrefix function to clean up stale leader entries in core/leader
Fixes #679.
2015-10-08 14:04:58 -04:00
Jeff Mitchell 21644751ed Fix the key rotation upgrade check error message 2015-10-05 18:23:32 -04:00
Jeff Mitchell 8f27c250d6 Fix problematic logging statements.
Fixes #665.
2015-10-02 18:31:46 -07:00
Jeff Mitchell 81e535dc2d Minor updates to passthrough and additional tests 2015-09-21 16:57:41 -04:00
Jeff Mitchell 47e8c0070a Don't use leases on the generic backend...with a caveat.
You can now turn on and off the lease behavior in the generic backend by
using one of two factories. Core uses the normal one if it's not already
set, so unit tests can use the custom one and all stay working.

This also adds logic into core to check, when the response is coming
from a generic backend, whether that backend has leases enabled. This
adds some slight overhead.
2015-09-21 16:37:37 -04:00
Jeff Mitchell d775445efe Store token creation time and TTL. This can be used to properly populate
fields in 'lookup-self'. Importantly, this also makes credential
backends use the SystemView per-backend TTL values and fixes unit tests
to expect this.

Fully fixes #527
2015-09-18 16:39:35 -04:00
Jeff Mitchell 77e7379ab5 Implement the cubbyhole backend
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell 699e12a1c6 When there is one use left and a Secret is being returned, instead
return a descriptive error indicating that the Secret cannot be returned
because when the token was revoked the secret was too. This prevents
confusion where credentials come back but cannot be used.

Fixes #615
2015-09-14 11:07:27 -04:00
Jeff Mitchell 39cfcccdac Remove error returns from sysview TTL calls 2015-09-10 15:09:54 -04:00
Jeff Mitchell 65ceb3439d Be consistent as both are the same pointer here 2015-09-10 15:09:54 -04:00
Jeff Mitchell c460ff10ca Push a lot of logic into Router to make a bunch of it nicer and enable a
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
Jeff Mitchell 488d33c70a Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00
Jeff Mitchell 17c60d3e78 Add logic to core to fetch a SystemView for a given mount entry and use those values for default/max TTL. The SystemView will reflect system defaults if not set for that mount. 2015-09-10 15:09:53 -04:00
Jeff Mitchell 98d0d23d70 Ensure token store is available when looking up token 2015-09-01 08:21:47 -04:00
Jeff Mitchell 3f45f3f41b Rename config lease_duration parameters to lease_ttl in line with current standardization efforts 2015-08-27 07:50:24 -07:00
Jeff Mitchell cc232e6f79 Address comments from review. 2015-08-25 15:33:58 -07:00
Jeff Mitchell c887df93cc Add support for pgp-keys argument to rekey, as well as tests, plus
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Jeff Mitchell f57e7892e7 Don't store the given public keys in the seal config 2015-08-25 14:52:13 -07:00
Jeff Mitchell 2f3e245b0b Add support for "pgp-tokens" parameters to init.
There are thorough unit tests that read the returned
encrypted tokens, seal the vault, and unseal it
again to ensure all works as expected.
2015-08-25 14:52:13 -07:00
Jeff Mitchell 93ef9a54bd Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod 2015-08-20 18:00:51 -07:00
Jeff Mitchell db79dd8c22 Don't defer revocation when sealing, and clear out response/auth if there is a token use error 2015-08-20 10:37:42 -07:00
Jeff Mitchell 0e8e3660ff Fix #461 properly by defering potential revocation of a token until after the request is fully handled. 2015-08-20 10:14:13 -07:00
Karl Gutwin 151ec72d00 Add configuration options for default lease duration and max lease duration. 2015-07-30 09:42:49 -04:00
Armon Dadgar 41b72a4d39 vault: provide view to backend initializer for setup 2015-06-30 17:30:43 -07:00
Armon Dadgar 8bc99f8c23 helper/uuid: single generateUUID definition 2015-06-30 12:38:32 -07:00
Armon Dadgar 496ebe561c vault: cleanups for the audit log changes 2015-06-29 15:27:28 -07:00
Nate Brown b667ef4c71 Collapsing audit response logging to a single point 2015-06-18 19:48:26 -07:00
Nate Brown 4ec685dc1a Logging authentication errors and bad token usage 2015-06-18 18:30:18 -07:00
Armon Dadgar dbf6cf6e6d vault: support core shutdown 2015-06-17 18:23:59 -07:00
Armon Dadgar 5c75a6c5c7 vault: ensure token renew does not double register 2015-06-17 15:22:50 -07:00
Armon Dadgar daffef08db vault: reload master key before keyring 2015-05-29 14:30:03 -07:00
Armon Dadgar 4f5fde039f vault: all rekey commands should fail as standby 2015-05-29 11:52:37 -07:00
Armon Dadgar 5aaad32af8 vault: ensure upgrades are cleaned up 2015-05-28 16:52:06 -07:00
Armon Dadgar db0afc9ebe vault: move upgrade logic out of core 2015-05-28 16:43:44 -07:00
Armon Dadgar 82ef0b1ac7 vault: handle read of key upgrades 2015-05-28 16:11:31 -07:00
Armon Dadgar c60970e743 vault: prevent rekey on standby 2015-05-28 15:26:35 -07:00
Armon Dadgar 01e890653c vault: more logging 2015-05-28 14:15:06 -07:00
Armon Dadgar 0877160754 vault: minor rekey cleanups 2015-05-28 12:07:52 -07:00
Armon Dadgar 361c722c5c vault: first pass at rekey 2015-05-28 11:40:01 -07:00
Armon Dadgar 3bcd32228d vault: lease renewal should not create new lease entry 2015-05-15 17:47:39 -07:00
Armon Dadgar 843d9e6484 vault: verify login endpoint never returns a secret 2015-05-09 11:51:58 -07:00
Armon Dadgar 13ab31f4b5 vault: ensure InternalData is never returned from the core 2015-05-09 11:47:46 -07:00
Armon Dadgar c7496772d4 vault: defer barrier initialization until as late as possible 2015-05-08 11:06:39 -07:00
Armon Dadgar a6eef6bba3 vault: Guard against an invalid seal config 2015-05-08 11:05:31 -07:00
Mitchell Hashimoto 727e0e90cd vault: validate advertise addr is valid URL [GH-106] 2015-05-02 13:28:33 -07:00
Mitchell Hashimoto e80111502b vault: way more verbose error if mlock fails [GH-59] 2015-04-28 18:56:16 -07:00
Mitchell Hashimoto b5f8f3b05a vault: add helper/mlock for doing mlock 2015-04-28 14:59:43 -07:00
Mitchell Hashimoto 2e55c3de68 vault: ability to toggle mlock on core 2015-04-27 16:40:14 -07:00
Armon Dadgar 2f0995d650 vault: Swap the HAEnabled check with the sealed check 2015-04-20 12:19:09 -07:00
Armon Dadgar c5f914cb34 vault: Lock memory when possible 2015-04-19 13:42:47 -07:00
Armon Dadgar 4473abd6ce vault: core enforcement of limited use tokens 2015-04-17 11:57:56 -07:00
Armon Dadgar b65e1b3e22 vault: using a constant to make @mitchellh feel better 2015-04-15 17:19:59 -07:00
Armon Dadgar 76b69b2514 vault: thread the display name through 2015-04-15 14:12:34 -07:00
Armon Dadgar 9f7143cf44 vault: expose the current leader 2015-04-14 16:53:40 -07:00
Armon Dadgar 445f64eb39 vault: leader should advertise address 2015-04-14 16:44:48 -07:00
Armon Dadgar ec8a41d2d2 vault: rename internal variable 2015-04-14 16:11:39 -07:00
Armon Dadgar 2820bec479 vault: testing standby mode 2015-04-14 16:06:58 -07:00
Armon Dadgar a0e1b90b81 vault: reject operation if standby 2015-04-14 14:09:11 -07:00
Armon Dadgar d7102e2661 vault: first pass at HA standby mode 2015-04-14 14:06:15 -07:00
Armon Dadgar 255e0fbda4 vault: enable physical cache in core 2015-04-14 11:08:04 -07:00
Armon Dadgar 512b3d7afd vault: Adding metrics profiling 2015-04-08 16:43:17 -07:00
Armon Dadgar 466c7575d3 Replace VaultID with LeaseID for terminology simplification 2015-04-08 13:35:32 -07:00
Armon Dadgar eaa483ff87 vault: Enforce default and max length leasing 2015-04-03 15:42:34 -07:00
Armon Dadgar eec6c27fae vault: Special case auth/token/create 2015-04-02 18:05:23 -07:00
Armon Dadgar c6479642e9 vault: integrate login with expiration manager 2015-04-02 17:52:11 -07:00
Armon Dadgar 4138e43f00 vault: Adding audit trail for login 2015-04-01 14:48:37 -07:00
Armon Dadgar 3d3e18793b vault: Integrate audit logging with core 2015-04-01 14:33:48 -07:00
Armon Dadgar b657b74a97 vault: Minor rework for clarity 2015-04-01 14:11:26 -07:00
Armon Dadgar c83f46606b vault: Simpify token checking logic 2015-04-01 14:03:17 -07:00
Mitchell Hashimoto 2c9ebecda7 vault: register zero lease entries with the expiration manager
/cc @armon - would appreciate a review on this one
2015-03-31 21:01:12 -07:00
Armon Dadgar a6bc60c7d6 vault: Adding AuditBroker and basic tests 2015-03-31 13:22:40 -07:00
Mitchell Hashimoto 0666bda865 vault: require root token for seal 2015-03-31 09:59:02 -07:00
Mitchell Hashimoto c9acfa17cb vault: get rid of HangleLogin 2015-03-30 20:26:39 -07:00
Mitchell Hashimoto 69593cde56 remove credential/ lots of tests faililng 2015-03-30 18:07:05 -07:00
Armon Dadgar 042db7798e vault: Adding basic audit table load/unload 2015-03-27 14:00:38 -07:00
Armon Dadgar 609ac4c562 vault: Allow passing in audit factory methods 2015-03-27 13:45:13 -07:00
Armon Dadgar 20c2375352 vault: Adding ACL enforcement 2015-03-24 11:37:07 -07:00
Armon Dadgar 65ef4f1032 vault: wire tokens into expiration manager 2015-03-23 18:11:15 -07:00
Armon Dadgar 86c9bd9083 vault: Give expiration manager a token store reference 2015-03-23 18:00:14 -07:00
Armon Dadgar 6481ff9e34 vault: Generate a root token when initializing 2015-03-23 17:31:30 -07:00
Armon Dadgar 192dcf7d39 vault: first pass at HandleLogin 2015-03-23 13:56:43 -07:00
Armon Dadgar 879a0501f8 vault: Track the token store in core 2015-03-23 13:41:05 -07:00
Mitchell Hashimoto c349e97168 vault: clean up VaultID duplications, make secret responses clearer
/cc @armon - This is a reasonably major refactor that I think cleans up
a lot of the logic with secrets in responses. The reason for the
refactor is that while implementing Renew/Revoke in logical/framework I
found the existing API to be really awkward to work with.

Primarily, we needed a way to send down internal data for Vault core to
store since not all the data you need to revoke a key is always sent
down to the user (for example the user than AWS key belongs to).

At first, I was doing this manually in logical/framework with
req.Storage, but this is going to be such a common event that I think
its something core should assist with. Additionally, I think the added
context for secrets will be useful in the future when we have a Vault
API for returning orphaned out keys: we can also return the internal
data that might help an operator.

So this leads me to this refactor. I've removed most of the fields in
`logical.Response` and replaced it with a single `*Secret` pointer. If
this is non-nil, then the response represents a secret. The Secret
struct encapsulates all the lease info and such.

It also has some fields on it that are only populated at _request_ time
for Revoke/Renew operations. There is precedent for this sort of
behavior in the Go stdlib where http.Request/http.Response have fields
that differ based on client/server. I copied this style.

All core unit tests pass. The APIs fail for obvious reasons but I'll fix
that up in the next commit.
2015-03-19 23:11:42 +01:00
Armon Dadgar d88a41944e vault: Switch AuthTable to using MountTable 2015-03-19 09:54:57 -07:00
Armon Dadgar 8cc88981d6 vault: token store is a credential implementation 2015-03-18 19:11:52 -07:00
Armon Dadgar b8da9c2ee2 vault: first pass at initializing credential backends 2015-03-18 15:46:07 -07:00
Armon Dadgar d2d1822931 vault: Adding hooks for auth loading 2015-03-18 15:30:31 -07:00
Armon Dadgar 21b9bdaf37 vault: Allow passing in credential backends 2015-03-18 15:21:41 -07:00
Armon Dadgar 6e22ca50eb vault: integrate policy and token store into core 2015-03-18 14:00:42 -07:00
Mitchell Hashimoto e078b957d4 vault: start/stop rollback manager post/pre seal 2015-03-17 20:39:45 -05:00
Mitchell Hashimoto abe0859aa5 vault: use RWMutex on MountTable itself 2015-03-17 20:39:45 -05:00
Armon Dadgar 15b7dc2d02 vault: integration expiration manager with core 2015-03-16 15:28:50 -07:00
Mitchell Hashimoto 9f0d59d03f vault: system using the framework 2015-03-15 17:35:59 -07:00
Mitchell Hashimoto d4f54be927 vault: can pass in the backends 2015-03-15 16:25:38 -07:00
Mitchell Hashimoto d1d1929192 vault: convert to logical.Request and friends 2015-03-15 14:53:41 -07:00
Mitchell Hashimoto 9d84e7bacc vault: don't copy the key so it can be zeroed, document, add helper 2015-03-14 18:25:55 -07:00
Mitchell Hashimoto 866b91d858 vault: public TestCoreUnsealed, don't modify key in Unseal
/cc @armon - I do a key copy within Unseal now. It tripped me up for
quite awhile that that method actually modifies the param in-place and I
can't think of any scenario that is good for the user. Do you see any
issues here?
2015-03-14 17:47:11 -07:00
Armon Dadgar 081358091a vault: improve seal/unseal log messages 2015-03-13 11:34:40 -07:00
Armon Dadgar d744d4ee5e vault: integrate expiration manager with core setup/teardown 2015-03-13 11:20:36 -07:00
Armon Dadgar d0380e553d vault: Support a pre-seal teardown 2015-03-13 11:16:24 -07:00
Armon Dadgar 15de847389 vault: Setup expiration manager on unseal 2015-03-12 12:44:30 -07:00
Armon Dadgar 6c759416d0 vault: special view path for system 2015-03-12 12:44:30 -07:00
Armon Dadgar aa0ca02b8c vault: sanity check key length 2015-03-12 11:20:38 -07:00