Commit graph

1119 commits

Author SHA1 Message Date
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell 8462d945d3 Add some nil checks to mounting 2017-03-04 16:43:18 -05:00
Jeff Mitchell e7f418c903 Fix poison pill location 2017-03-04 10:21:27 -05:00
Brian Kassouf e62f5dbc31 Allowed/Denied parameters support for globs (#2438)
* Add check for globbed strings

* Add tests for the acl globbing

* Fix bad test case
2017-03-03 14:50:55 -08:00
Jeff Mitchell 25428971c8 Add poison pill 2017-03-03 15:05:25 -05:00
Vishal Nayak 491a56fe9f AppRole: Support restricted use tokens (#2435)
* approle: added token_num_uses to the role

* approle: added RUD tests for token_num_uses on role

* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
Jeff Mitchell a585f709d3 Understand local when persisting mount tables, to avoid invalidations when not necessary (#2427) 2017-03-02 14:37:59 -05:00
Jeff Mitchell bb05f2d8f8 Fix double-lock 2017-03-02 10:54:31 -05:00
Jeff Mitchell 31cddc43e1 Use own mutex for updating cluster parameters and fix leader UUID bug 2017-03-02 10:50:54 -05:00
Jeff Mitchell beb3067787 Add some trace level information about new cluster status 2017-03-02 10:21:35 -05:00
Jeff Mitchell 36c84df326 Large update to request forwarding handling. (#2426) 2017-03-02 10:03:49 -05:00
Jeff Mitchell 90389323a2 Some more forwarding client cleanup 2017-03-01 20:59:20 -05:00
Jeff Mitchell b1c2a930fe Clean up request forwarding logic 2017-03-01 18:17:06 -05:00
Brian Kassouf 259e686d4c Update TestSeal to ignore setting the config to nil 2017-03-01 14:10:06 -08:00
Jeff Mitchell 00cfaf7f64 Rejig signature of last remote wal 2017-03-01 12:42:10 -05:00
Jeff Mitchell 6ebb2cc958 Add last remote WAL bits 2017-03-01 12:40:36 -05:00
Jeff Mitchell f2282247ef Add seal cache purging back into postUnseal 2017-02-28 18:36:28 -05:00
Jeff Mitchell 09543dceeb Rejig core standby logic to check validity of barrier during active transition 2017-02-28 18:17:30 -05:00
Jeff Mitchell 7f0a99e8eb Add max/min wrapping TTL ACL statements (#2411) 2017-02-27 14:42:00 -05:00
Jeff Mitchell 2cc0906b33 Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 (#2412) 2017-02-27 12:49:35 -05:00
Jeff Mitchell 8091a10c38 Make rollback attempts trace level instead of debug level 2017-02-27 09:41:56 -05:00
Jeff Mitchell b29861f7bb Do some porting to make diffing easier 2017-02-24 10:45:29 -05:00
Jeff Mitchell 4e045d000c Create upgrade path for cubbyhole's local status 2017-02-24 10:05:44 -05:00
Jeff Mitchell 0e1b1e33be Add comment around not allowing users to create JWT wrapping tokens 2017-02-22 11:13:40 -05:00
Brian Kassouf 9a9b89f16f Update confusing comment 2017-02-21 16:06:00 -08:00
Brian Kassouf dd5b541db6 Added test for the empty values array case 2017-02-21 16:02:00 -08:00
Brian Kassouf a25132cec4 On merge favor values that have additive privileges 2017-02-21 15:53:27 -08:00
Brian Kassouf 9ec8dd3d17 PR feedback 2017-02-21 15:02:39 -08:00
Brian Kassouf f992103615 Merge branch 'master' into acl-parameters-permission 2017-02-21 14:46:06 -08:00
Jeff Mitchell 496420a5ab Make cubbyhole local instead of replicated. (#2397)
This doesn't really change behavior, just what it looks like in the UX.
However, it does make tests more complicated. Most were fixed by adding
a sorting function, which is generally useful anyways.
2017-02-18 13:51:05 -05:00
Jeff Mitchell 4a966726e5 Make reindex a root path as well 2017-02-16 23:36:06 -05:00
Jeff Mitchell f3bee3550c Remove now-unnecessary stanza from default policy 2017-02-16 23:30:38 -05:00
Jeff Mitchell 674a0a48bf Fix rep path fetching method into a function 2017-02-16 23:23:21 -05:00
Jeff Mitchell f37b6492d1 More rep porting (#2391)
* More rep porting

* Add a bit more porting
2017-02-16 23:09:39 -05:00
Brian Kassouf 1c5264c66c ToLower parameter strings 2017-02-16 17:50:10 -08:00
Jeff Mitchell 494b4c844b More porting from rep (#2389)
* More porting from rep

* Address feedback
2017-02-16 20:13:19 -05:00
Brian Kassouf 07799f665d Simplify the merging of two policies 2017-02-16 16:30:08 -08:00
Brian Kassouf 7229bdfd38 Remove debug code 2017-02-16 16:14:30 -08:00
Brian Kassouf 136730cb01 Update logic to fix a few edge cases: 2017-02-16 15:20:11 -08:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell 0c39b613c8 Port some replication bits to OSS (#2386) 2017-02-16 15:15:02 -05:00
Jeff Mitchell 0a9a6d3343 Move ReplicationState to consts 2017-02-16 13:37:21 -05:00
Brian Kassouf 13ec9c5dbf Load leases into the expiration manager in parallel (#2370)
* Add a benchmark for exiration.Restore

* Add benchmarks for consul Restore functions

* Add a parallel version of expiration.Restore

* remove debug code

* Up the MaxIdleConnsPerHost

* Add tests for etcd

* Return errors and ensure go routines are exited

* Refactor inmem benchmark

* Add s3 bench and refactor a bit

* Few tweaks

* Fix race with waitgroup.Add()

* Fix waitgroup race condition

* Move wait above the info log

* Add helper/consts package to store consts that are needed in cyclic packages

* Remove not used benchmarks
2017-02-16 10:16:06 -08:00
Brian Kassouf 8d880f5181 Remove duplicate test case 2017-02-15 22:38:33 -08:00
Brian Kassouf f1d5b60b97 s/has/has been/ 2017-02-15 22:19:35 -08:00
Brian Kassouf c80593387c Remove unnecessary else condition 2017-02-15 22:18:20 -08:00
Brian Kassouf c9ae260cdf Merge branch 'acl-parameters-permission' of github.com:hashicorp/vault into acl-parameters-permission 2017-02-15 22:13:28 -08:00
Brian Kassouf 24d8710233 Fix the issue of returning on the first paramater check. Added tests for this case. 2017-02-15 22:13:18 -08:00
Jeff Mitchell 978772a47a Merge branch 'master-oss' into acl-parameters-permission 2017-02-16 00:46:40 -05:00
Jeff Mitchell e60b24431a Fix audit test and make audited headers more robust in map checks 2017-02-16 00:44:20 -05:00
Jeff Mitchell da9e62bc24 Remove "permissions" from ACL 2017-02-15 21:12:26 -05:00
Jeff Mitchell 51f7114648 Merge branch 'master-oss' into acl-parameters-permission 2017-02-15 20:37:58 -05:00
Jeff Mitchell acb7391b12 Compare headers case-insensitively for auditing
Fixes #2362
2017-02-15 20:35:35 -05:00
Jeff Mitchell 2fd59ad308 Merge branch 'master-oss' into acl-parameters-permission 2017-02-08 01:59:52 -05:00
Jeff Mitchell 4b2b28e085 Push test functions to a var for overriding 2017-02-07 20:44:31 -05:00
Jeff Mitchell f1cfb060f6 Remove errant unlock of state lock 2017-02-07 11:08:52 -05:00
Jeff Mitchell ddc977ba52 Add debug (#2341) 2017-02-06 18:30:13 -05:00
Jeff Mitchell 67f96bc64e Rejig check for HA/Sealed in Leader to check for sealed first. (#2342)
Fixes #2334
2017-02-06 18:29:56 -05:00
Brian Kassouf 8ef4bc32dd Update the help text for auditing headers (#2330)
* Update the help text for auditing headers

* Update help name
2017-02-03 10:08:31 -08:00
Jeff Mitchell 6c02e9357a Update protos 2017-02-02 16:20:32 -05:00
Brian Kassouf 6701ba8a10 Configure the request headers that are output to the audit log (#2321)
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited

* Remove some debug lines

* Add a persistant layer and refactor a bit

* update the api endpoints to be more restful

* Add comments and clean up a few functions

* Remove unneeded hash structure functionaility

* Fix existing tests

* Add tests

* Add test for Applying the header config

* Add Benchmark for the ApplyConfig method

* ResetTimer on the benchmark:

* Update the headers comment

* Add test for audit broker

* Use hyphens instead of camel case

* Add size paramater to the allocation of the result map

* Fix the tests for the audit broker

* PR feedback

* update the path and permissions on config/* paths

* Add docs file

* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
Jeff Mitchell 47274eca88 Add cleanup functions to multiple DB backends. (#2313)
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
Jeff Mitchell 67410ab230 Make TLS 1.2 *explicitly* required for cluster communications 2017-01-31 13:30:25 -05:00
Brian Kassouf 3c0de664a4 Fix keyring test 2017-01-24 12:58:14 -08:00
Jeff Mitchell 061bd6012d Fix keyring copypasta test failure 2017-01-24 14:00:13 -05:00
Jeff Mitchell 31ce37188b Fix keyring tests, working around Go nil timezone bug in DeepEqual
See https://github.com/golang/go/issues/10089
2017-01-24 12:33:28 -05:00
Jeff Mitchell 2c8d18ad8d Attempt to fix expiration test again 2017-01-24 11:17:48 -05:00
Jeff Mitchell b0f741d4a1 Add some extra lease debugging to try to figure out Travis timezone issue 2017-01-24 10:48:11 -05:00
Jeff Mitchell d75b5f01ec Use the same time object in the serialization test 2017-01-24 10:32:40 -05:00
Jeff Mitchell 77bc6fa481 Use time.Now rather than using time as a struct 2017-01-24 10:21:41 -05:00
Jeff Mitchell 43acbea6a9 Add some newlines to a failing test to make it easier to spot differences 2017-01-23 14:08:29 -05:00
Brian Kassouf 7ec19459a7 Remove extra comments 2017-01-20 11:38:40 -08:00
Brian Kassouf df800198e0 Remove some extra comments 2017-01-20 11:32:58 -08:00
Brian Kassouf e1424c631e Add logic to merge the two arrays and refactor the test around merging 2017-01-20 11:16:46 -08:00
Brian Kassouf 090736d4df Clean up logic a bit and add some comments 2017-01-19 18:41:15 -08:00
Brian Kassouf 37f393ff94 Remove unneeded comment block 2017-01-19 18:18:06 -08:00
Brian Kassouf 1580296ae5 Update tests to check parsing of types 2017-01-19 18:13:39 -08:00
Brian Kassouf 5ccb3e052b Add tests for boolean values 2017-01-19 17:41:02 -08:00
Brian Kassouf 68a1780052 Format dynamic_system_view.go 2017-01-19 16:54:08 -08:00
Brian Kassouf f3870061ee fix some of the tests and rename allowed/dissallowed paramaters 2017-01-19 16:40:19 -08:00
Brian Kassouf 25b49b8bae Add test cases for map and integer types 2017-01-18 17:11:25 -08:00
Jeff Mitchell 20c65b8300 Fix regression in 0.6.4 where token store roles could not properly wo… (#2286) 2017-01-18 16:11:25 -05:00
vishalnayak c9bd2a37f8 Don't sanitize disallowed_policies on token role 2017-01-17 21:34:14 -05:00
Brian Kassouf be10ef9d42 Use deepequals and write tests for the allow/disallow values 2017-01-17 16:40:21 -08:00
Vishal Nayak fa7d61baa3 Merge pull request #2202 from fcantournet/fix_govet_fatalf
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Jeff Mitchell 69eb5066dd Multi value test seal (#2281) 2017-01-17 15:43:10 -05:00
Jeff Mitchell 2052e406d2 Move router mount back below table persistence 2017-01-17 15:15:28 -05:00
Jeff Mitchell 8e62acbd59 Sync the locking behavior between logical/auth backend (#2280) 2017-01-17 13:02:29 -05:00
Jeff Mitchell dd0e44ca10 Add nonce to unseal to allow seeing if the operation has reset (#2276) 2017-01-17 11:47:06 -05:00
Brian Kassouf 1d3cae860b Start to check the values with allowed/dissallowed lists in policy. 2017-01-16 17:48:22 -08:00
Brian Kassouf ae116ada25 Merge branch 'master' into acl-parameters-permission 2017-01-13 16:44:10 -08:00
Brian Kassouf 3d47e5ebc7 add initialize method to noopbackend 2017-01-13 13:12:27 -08:00
Jeff Mitchell 252e1f1e84 Port over some work to make the system views a bit nicer 2017-01-13 14:51:27 -05:00
Jeff Mitchell d869c0d6a6 Rejig IsPrimary again 2017-01-12 15:59:00 -05:00
Jeff Mitchell ec4f069da4 Fix building some test code without build tags 2017-01-12 15:21:47 -05:00
Jeff Mitchell 32f9ccb6c8 Rejig dynamic system view to build without tags 2017-01-12 15:13:47 -05:00
Vishal Nayak 00ffd80fcd Merge pull request #2236 from hashicorp/pgp-keys-check
rekey: added check to ensure that length of PGP keys and the shares are matching
2017-01-12 11:19:08 -05:00
vishalnayak daacf23c38 rekey: remove the check from vault/rekey.go in favor of check in http layer 2017-01-12 00:07:49 -05:00
vishalnayak adb6ac749f init: pgp-keys input validations 2017-01-11 23:32:38 -05:00
vishalnayak 0778a2eba7 core: adding error server logs for failure to update mount table 2017-01-11 20:21:34 -05:00
vishalnayak bf6aa296b3 rekey: added check to ensure that length of PGP keys and the shares are matching 2017-01-11 13:29:10 -05:00
Jeff Mitchell 9923c753d0 Set c.standby true in non-HA context. (#2259)
This value is the key for some checks in core logic. In a non-HA
environment, if the core was sealed it would never be set back to true.
2017-01-11 11:13:09 -05:00
Vishal Nayak 7367158a2a Merge pull request #2252 from hashicorp/mountentry-clone
Adding Tainted to MountEntry.Clone
2017-01-10 10:28:13 -05:00
vishalnayak 28c3f4a192 Adding Tainted to MountEntry.Clone 2017-01-10 08:32:33 -05:00
Jeff Mitchell bb32853fcd Fix up exclusion rules for dynamic system view IsPrimary 2017-01-07 18:31:43 -05:00
Jeff Mitchell 9d89aae00c Fix up invalidations in noopbackend 2017-01-07 18:22:34 -05:00
Armon Dadgar c37d17ed47 Adding interface methods to logical.Backend for parity (#2242) 2017-01-07 18:18:22 -05:00
Jeff Mitchell 336dfed5c3 Rename gRPC request forwarding method 2017-01-06 17:08:43 -05:00
Jeff Mitchell 681e36c4af Split Unseal into Unseal and unsealInternal 2017-01-06 16:30:43 -05:00
Jeff Mitchell 9e5d1eaac9 Port some updates 2017-01-06 15:42:18 -05:00
Jeff Mitchell 64fc18e523 When a JWT wrapping token is returned, audit the inner token both for
request and response. This makes it far easier to properly check
validity elsewhere in Vault because we simply replace the request client
token with the inner value.
2017-01-04 23:50:24 -05:00
vishalnayak 066038bebd Fixed return types 2017-01-04 16:58:25 -05:00
Jeff Mitchell 0391475c70 Add read locks to LookupToken/ValidateWrappingToken (#2232) 2017-01-04 16:52:03 -05:00
Jeff Mitchell 3129187dc2 JWT wrapping tokens (#2172) 2017-01-04 16:44:03 -05:00
vishalnayak d70fb45fbb Removed unused methods 2017-01-03 12:51:35 -05:00
Félix Cantournet 103b7ceab2 all: test: Fix govet warnings
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Jeff Mitchell 9f60e9f88d Add tidy expiration test 2016-12-16 17:04:28 -05:00
vishalnayak bae84e3864 TokenStore: Make the testcase dangle 100 accessors and let it tidy up 2016-12-16 15:41:41 -05:00
Vishal Nayak ba026aeaa1 TokenStore: Added tidy endpoint (#2192) 2016-12-16 15:29:27 -05:00
Jeff Mitchell f6044764c0 Fix revocation of leases when num_uses goes to 0 (#2190) 2016-12-16 13:11:55 -05:00
Vishal Nayak 8400b87473 Don't add default policy to child token if parent does not have it (#2164) 2016-12-16 00:36:39 -05:00
Vishal Nayak e3f56f375c Add 'no-store' response header from all the API outlets (#2183) 2016-12-15 17:53:07 -05:00
mwoolsey 907e735541 Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow. 2016-12-06 18:14:15 -08:00
mwoolsey c27817aba3 Merge branch 'master' of https://github.com/hashicorp/vault 2016-12-06 16:09:32 -08:00
Jeff Mitchell 7865143c1d Minor ports 2016-12-05 12:28:12 -05:00
Jeff Mitchell 710e8f2d4c Change Vault audit broker logic to successfully start when at least one (#2155)
backend is successfully loaded.

Fixes #2083
2016-12-02 15:09:01 -05:00
Thomas Soëte 90b392c7fc Fix panic() in test suite (#2149)
As `base` could be nil, move check in `if base != nil`
2016-12-02 06:31:06 -05:00
Jeff Mitchell 49284031c6 Respect logger in TestCluster 2016-12-01 15:25:10 -05:00
mwoolsey 3e72e50fa5 Merge remote-tracking branch 'upstream/master' 2016-11-20 18:31:55 -08:00
Jeff Mitchell ee29b329fb Bump proto files after update 2016-11-17 10:06:26 -05:00
Jeff Mitchell e84a015487 Add extra logic around listener handling. (#2089) 2016-11-11 16:43:33 -05:00
Jeff Mitchell 6c1d2ffea9 Allow wrapping to be specified by backends, and take the lesser of the request/response times (#2088) 2016-11-11 15:12:11 -05:00
Jeff Mitchell 168d6e1a3d Fix other clustering tests on OSX 2016-11-08 10:55:41 -05:00
Jeff Mitchell e381c189e4 Fix cluster testing on OSX; see the inline comment for details 2016-11-08 10:31:35 -05:00
Jeff Mitchell 86edada67c Show the listener address when it's created for the cluster in the log 2016-11-08 10:31:15 -05:00
Jeff Mitchell 6f86e664a8 use a const for cluster test pause period 2016-11-08 10:30:44 -05:00
lemondrank c63d9e9f24 added AllowOperation tests 2016-11-07 12:28:41 -08:00
ChaseLEngel a847caa4ae Moved Operations out of test cases variable. 2016-11-07 12:08:17 -08:00
ChaseLEngel e349d64dbc Finished merge testing. 2016-11-06 15:16:08 -08:00
mwoolsey 42e0ecb0b8 narrowed the problem to: the Permissions struct in the TestPolicyMerge method is not being initialized 2016-11-06 13:38:25 -08:00
mwoolsey 2add5dbf3a Started the testing on merged pathCapabilites 2016-11-01 21:27:33 -07:00
ChaseLEngel 482ed0a659 Add merge testcases 2016-11-01 19:48:00 -07:00
lemondrank 975ac72822 started acl_test updates 2016-10-30 15:09:45 -07:00
Vishal Nayak b3c805e662 Audit the client token accessors (#2037) 2016-10-29 17:01:49 -04:00
mwoolsey b5669d73db Had to change what a wildcard value in a parameter mapped to, from a nil value to an empty struct 2016-10-28 12:54:37 -07:00
mwoolsey 3a0e01a5d7 Added the merging of wildcards to allowed and denied parameters. 2016-10-28 12:33:50 -07:00
Jeff Mitchell 0ed2dece6d Don't panic if postUnseal calls preSeal due to audit table never being set up. Also call cleanup funcs on auth backends. (#2043) 2016-10-28 15:32:32 -04:00
mwoolsey bcd0618623 updated testing on a policy to cover parameters in the policy 2016-10-28 10:18:31 -07:00
ChaseLEngel 2ea4caeffb Update acl and policy tests to use Permissions. 2016-10-21 23:45:39 -07:00
ChaseLEngel 353241e328 Fixing type assertions. 2016-10-21 21:12:02 -07:00