Commit graph

94 commits

Author SHA1 Message Date
Jeff Mitchell a3fc497fec
Fix batch token test (#7047)
At the level of role config it doesn't mean anything to use
default-service or default-batch; that's for mount tuning. So disallow
it in tokenutil. This also fixes the fact that the switch statement
wasn't right.
2019-07-02 22:16:43 -04:00
Jeff Mitchell 5f7321dcc7 Fix a case where mounts could be duplicated (#6771)
When unmounting, the router entry would be tainted, preventing routing.
However, we would then unmount the router before clearing storage, so if
an error occurred the router would have forgotten the path. For auth
mounts this isn't a problem since they had a secondary check, but
regular mounts didn't (not sure why, but this is true back to at least
0.2.0). This meant you could then create a duplicate mount using the
same path which would then not conflict in the router until postUnseal.

This adds the extra check to regular mounts, and also moves the location
of the router unmount.

This also ensures that on the next router.Mount, tainted is set to the
mount entry's tainted status.

Fixes #6769
2019-06-04 10:33:36 -07:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Jeff Mitchell 30209cdd35 Update token path with / at end to ensure it's the token store 2019-04-08 14:25:29 -04:00
Jeff Mitchell 1d982c234f
Fix some more test failures and recursive locking (#6549) 2019-04-08 13:40:54 -04:00
Jeff Mitchell 775f547e4e Sync over 2019-03-25 14:18:43 -04:00
Brian Kassouf ad3605e657
Revert "filtered-path endpoint (#6132)" (#6337)
This reverts commit dfdbb0bad975fab447f49766baaa5a6c956f8e3d.
2019-03-04 14:08:21 -08:00
ncabatoff 8814fe1ba5 filtered-path endpoint (#6132)
* First pass at filtered-path endpoint.  It seems to be working, but there are tests missing, and possibly some optimization to handle large key sets.

* Vendor go-cmp.

* Fix incomplete vendoring of go-cmp.

* Improve test coverage.  Fix bug whereby access to a subtree named X would expose existence of a the key named X at the same level.

* Add benchmarks, which showed that hasNonDenyCapability would be "expensive" to call for every member of a large folder.  Made a couple of minor tweaks so that now it can be done without allocations.

* Comment cleanup.

* Review requested changes: rename some funcs, use routeCommon instead of
querying storage directly.

* Keep the same endpoint for now, but move it from a LIST to a POST and allow multiple paths to be queried in one operation.

* Modify test to pass multiple paths in at once.

* Add endpoint to default policy.

* Move endpoint to /sys/access/filtered-path.
2019-03-04 11:04:29 -08:00
Martin 4c9e7f4478 typo in pathsToRadix doc (#6253) 2019-02-18 10:05:04 -08:00
Jeff Mitchell 5f249d4005
Add allowed_response_headers (#6115) 2019-02-05 16:02:15 -05:00
Jeff Mitchell 27c960d8df
Split SubView functionality into logical.StorageView (#6141)
This lets other parts of Vault that can't depend on the vault package
take advantage of the subview functionality.

This also allows getting rid of BarrierStorage and vault.Entry, two
totally redundant abstractions.
2019-01-31 09:25:18 -05:00
Jim Kalafut d0e2badbae Run goimports across the repository (#6010)
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Vishal Nayak 5818977dca
Deprecate SHA1 in token store (#770)
* Deprecate SHA1 in token store

* Fallback to SHA1 for user selected IDs

* Fix existing tests

* Added warning

* Address some review feedback and remove root token prefix

* Tests for service token prefixing

* Salting utility tests

* Adjust OTP length for root token generation

* Fix tests

* Address review feedback
2018-10-17 13:23:04 -07:00
Jeff Mitchell a64fc7d7cb
Batch tokens (#755) 2018-10-15 12:56:24 -04:00
Calvin Leung Huang 37c0b83669
Add denylist check when filtering passthrough headers (#5436)
* Add denylist check when filtering passthrough headers

* Minor comment update
2018-10-01 12:20:31 -07:00
Jeff Mitchell 919b968c27
The big one (#5346) 2018-09-17 23:03:00 -04:00
Jeff Mitchell 75eb0f862e
Revert some of commit 050ab805a7565c5b0cadb0176023031ee5f0d17b. (#4768)
If we have a panic defer functions are run but unlocks aren't. Since we
can't really trust plugins and storage, this backs out the changes for
those parts of the request path.
2018-06-14 13:44:13 -04:00
Jeff Mitchell 0c2d2226c4
Remove a lot of deferred functions in the request path. (#4733)
* Remove a lot of deferred functions in the request path.

There is an interesting benchmark at https://www.reddit.com/r/golang/comments/3h21nk/simple_micro_benchmark_to_measure_the_overhead_of/

It shows that defer actually adds quite a lot of overhead -- maybe 100ns
per call but we defer a *lot* of functions in the request path. So this
removes some of the ones in request handling, ha, barrier, router, and
physical cache.

One meta-note: nearly every metrics function is in a defer which means
every metrics call we add could add a non-trivial amount of time, e.g.
for every 10 extra metrics statements we add 1ms to a request. I don't
know how to solve this right now without doing what I did in some of
these cases and putting that call into a simple function call that then
goes before each return.

* Simplify barrier defer cleanup
2018-06-14 09:49:10 -04:00
Jeff Mitchell 743e31202d Don't pass te to backends 2018-06-08 17:53:28 -04:00
Vishal Nayak 9aca33487e
Passthrough EntityID to backends (#4663)
* passthrough entity id

* address review feedback
2018-05-31 10:18:34 -04:00
Brian Kassouf c7f9d185b0
Kv preflight (#4430)
* Update kv command to use a preflight check

* Make the existing ui endpoint return the allowed mounts

* Add kv subcommand tests

* Enable `-field` in `vault kv get/put` (#4426)

* Enable `-field` in `vault kv get/put`

Fixes #4424

* Unify nil value handling

* Use preflight helper

* Update vkv plugin

* Add all the mount info when authenticated

* Add fix the error message on put

* add metadata test

* No need to sort the capabilities

* Remove the kv client header

* kv patch command (#4432)

* Fix test

* Fix tests

* Use permission denied instead of entity disabled
2018-04-23 15:00:02 -07:00
Vishal Nayak 10419845b7
disable identity for local mounts (#4407) 2018-04-23 13:46:14 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Calvin Leung Huang 25792df5a9
Passthrough request headers (#4172)
* Add passthrough request headers for secret/auth mounts

* Update comments

* Fix SyncCache deletion of passthrough_request_headers

* Remove debug line

* Case-insensitive header comparison

* Remove unnecessary allocation

* Short-circuit filteredPassthroughHeaders if there's nothing to filter

* Add whitelistedHeaders list

* Update router logic after merge

* Add whitelist test

* Add lowercase x-vault-kv-client to whitelist

* Add back const

* Refactor whitelist logic
2018-03-21 19:56:47 -04:00
Brian Kassouf cc625e19ee
Add options to mount tune and mount endpoints in preparation for versioning (#4155)
* Add some requirements for versioned k/v

* Add a warning message when an upgrade is triggered

* Add path help values

* Make the kv header a const

* Add the uid to mount entry instead of options map

* Pass the backend aware uuid to the mounts and plugins

* Fix comment

* Add options to secret/auth enable and tune CLI commands (#4170)

* Switch mount/tune options to use TypeKVPairs (#4171)

* switching options to TypeKVPairs, adding bool parse for versioned flag

* flipping bool check

* Fix leases coming back from non-leased pluin kv store

* add a test for updating mount options

* Fix tests
2018-03-21 12:04:27 -07:00
Jeff Mitchell 933f1e4b87 Sync 2018-03-20 10:42:57 -04:00
Jin-wook Jeong 92ea5f9d66 Make credential plugin to work that is modified before vault startup and reloaded after vault startup. (#4121)
Set routeEntry.rootPaths, loginPaths after plugin reload using atomic values.
2018-03-16 10:35:19 -07:00
Brian Kassouf 9dba3590ac
Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Brian Kassouf 1c190d4bda
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
Jeff Mitchell eef6afec3e
Fix mount path for credential values in aliases (#3580) 2017-11-14 01:31:10 -05:00
Jeff Mitchell fdaed84e82
Add ability to send seal wrap response info into cubbyhole request. (#3562)
Ref 84f80db4bf499ce7345615cc2def77e7d48bc690
2017-11-09 12:47:42 -05:00
Jonathan Freedman 4109473134 More Mount Conflict Detection (#2919) 2017-11-06 15:29:09 -05:00
Vishal Nayak 7bae606662
External identity groups (#3447)
* external identity groups

* add local LDAP groups as well to group aliases

* add group aliases for okta credential backend

* Fix panic in tests

* fix build failure

* remove duplicated struct tag

* add test steps to test out removal of group member during renewals

* Add comment for having a prefix check in router

* fix tests

* s/parent_id/canonical_id

* s/parent/canonical in comments and errors
2017-11-02 16:05:48 -04:00
Jeff Mitchell 47dae8ffc7 Sync 2017-10-23 14:59:37 -04:00
Vishal Nayak f7ed6732a5 Porting identity store (#3419)
* porting identity to OSS

* changes that glue things together

* add testing bits

* wrapped entity id

* fix mount error

* some more changes to core

* fix storagepacker tests

* fix some more tests

* fix mount tests

* fix http mount tests

* audit changes for identity

* remove upgrade structs on the oss side

* added go-memdb to vendor
2017-10-11 10:21:20 -07:00
Chris Hoffman 1029ad3b33 Rename "generic" secret backend to "kv" (#3292) 2017-09-15 09:02:29 -04:00
Calvin Leung Huang a581e96b78 Lazy-load plugin mounts (#3255)
* Lazy load plugins to avoid setup-unwrap cycle

* Remove commented blocks

* Refactor NewTestCluster, use single core cluster on basic plugin tests

* Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly

* Add special path to mock plugin

* Move ensureCoresSealed to vault/testing.go

* Use same method for EnsureCoresSealed and Cleanup

* Bump ensureCoresSealed timeout to 60s

* Correctly handle nil opts on NewTestCluster

* Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap

* Check metadata flag directly on the plugin process

* Plumb isMetadataMode down to PluginRunner

* Add NOOP shims when running in metadata mode

* Remove unused flag from the APIMetadata object

* Remove setupSecretPlugins and setupCredentialPlugins functions

* Move when we setup rollback manager to after the plugins are initialized

* Fix tests

* Fix merge issue

* start rollback manager after the credential setup

* Add guards against running certain client and server functions while in metadata mode

* Call initialize once a plugin is loaded on the fly

* Add more tests, update basic secret/auth plugin tests to trigger lazy loading

* Skip mount if plugin removed from catalog

* Fixup

* Remove commented line on LookupPlugin

* Fail on mount operation if plugin is re-added to catalog and mount is on existing path

* Check type and special paths on startBackend

* Fix merge conflicts

* Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth
2017-09-01 01:02:03 -04:00
Jeff Mitchell 4ec737b013 Don't append a trailing slash to the request path if it doesn't actually help find something (#3271) 2017-08-31 16:50:03 -04:00
Calvin Leung Huang 6853d80212 Add plugin backend reload capability (#3112)
* Add plugin reload capability on all mounts for a specific plugin type

* Comments cleanup

* Add per-mount plugin backend reload, add tests

* Fix typos

* Remove old comment

* Reuse existing storage view in reloadPluginCommon

* Correctly handle reloading auth plugin backends

* Update path to plugin/backend/reload

* Use multierrors on reloadMatchingPluginMounts, attempt to reload all mounts provided

* Use internal value as check to ensure plugin backend reload

* Remove connection state from request for plugins at the moment

* Minor cleanup

* Refactor tests
2017-08-08 00:18:59 -04:00
Brian Kassouf b04e0a7a2a Dynamically load and invalidate the token store salt (#3021)
* Dynaically load and invalidate the token store salt

* Pass salt function into the router
2017-07-18 09:02:03 -07:00
Chris Hoffman 8c179c246f Fixing reverse storage prefix lookup for auth entries (#2967)
* fixing reverse storage prefix for auth entries

* adding test
2017-07-04 14:00:36 -04:00
Vishal Nayak 4b26425609 Input validation for router mount (#2942)
* Added input validation for router mount

* Add path and type in returned errors
2017-06-29 17:00:13 -04:00
Jeff Mitchell d169918465 Create and persist human-friendly-ish mount accessors (#2918) 2017-06-26 18:14:36 +01:00
Jeff Mitchell 43d7547235 Address review feedback 2017-06-16 23:54:49 -04:00
vishalnayak 4fe7fc4ef9 Added utility on router to fetch mount entry using its ID 2017-06-16 23:54:49 -04:00
Joel Thompson e06a78a474 Create unified aws auth backend (#2441)
* Rename builtin/credential/aws-ec2 to aws

The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.

* Expand aws-ec2 backend to more generic aws

This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.

* Add missing aws auth handler to CLI

This was omitted from the previous commit

* aws auth backend general variable name cleanup

Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.

* Update docs for the aws auth backend

* Refactor aws bind validation

* Fix env var override in aws backend test

Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.

* Update docs on use of IAM authentication profile

AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.

* Fix typo in aws auth cli help

* Respond to PR feedback

* More PR feedback

* Respond to additional PR feedback

* Address more feedback on aws auth PR

* Make aws auth_type immutable per role

* Address more aws auth PR feedback

* Address more iam auth PR feedback

* Rename aws-ec2.html.md to aws.html.md

Per PR feedback, to go along with new backend name.

* Add MountType to logical.Request

* Make default aws auth_type dependent upon MountType

When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.

* Pass MountPoint and MountType back up to the core

Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
Vishal Nayak 5a6193a56e Audit: Add token's use count to audit response (#2437)
* audit: Added token_num_uses to audit response

* Fixed jsonx tests

* Revert logical auth to NumUses instead of TokenNumUses

* s/TokenNumUses/NumUses

* Audit: Add num uses to audit requests as well

* Added RemainingUses to distinguish NumUses in audit requests
2017-03-08 17:36:50 -05:00
Jeff Mitchell 6ebb2cc958 Add last remote WAL bits 2017-03-01 12:40:36 -05:00