Commit graph

102 commits

Author SHA1 Message Date
Brian Kassouf a8d9426d9f Update locking components from DR replication changes (#3283)
* Update locking components from DR replication changes

* Fix plugin backend test

* Add a comment about needing the statelock:
2017-09-04 19:38:37 -04:00
Calvin Leung Huang 48263622cb Add comment to the reason behind mounting a nil backend for plugin mounts during setup 2017-09-01 12:26:31 -04:00
Calvin Leung Huang a581e96b78 Lazy-load plugin mounts (#3255)
* Lazy load plugins to avoid setup-unwrap cycle

* Remove commented blocks

* Refactor NewTestCluster, use single core cluster on basic plugin tests

* Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly

* Add special path to mock plugin

* Move ensureCoresSealed to vault/testing.go

* Use same method for EnsureCoresSealed and Cleanup

* Bump ensureCoresSealed timeout to 60s

* Correctly handle nil opts on NewTestCluster

* Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap

* Check metadata flag directly on the plugin process

* Plumb isMetadataMode down to PluginRunner

* Add NOOP shims when running in metadata mode

* Remove unused flag from the APIMetadata object

* Remove setupSecretPlugins and setupCredentialPlugins functions

* Move when we setup rollback manager to after the plugins are initialized

* Fix tests

* Fix merge issue

* start rollback manager after the credential setup

* Add guards against running certain client and server functions while in metadata mode

* Call initialize once a plugin is loaded on the fly

* Add more tests, update basic secret/auth plugin tests to trigger lazy loading

* Skip mount if plugin removed from catalog

* Fixup

* Remove commented line on LookupPlugin

* Fail on mount operation if plugin is re-added to catalog and mount is on existing path

* Check type and special paths on startBackend

* Fix merge conflicts

* Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth
2017-09-01 01:02:03 -04:00
Calvin Leung Huang 6853d80212 Add plugin backend reload capability (#3112)
* Add plugin reload capability on all mounts for a specific plugin type

* Comments cleanup

* Add per-mount plugin backend reload, add tests

* Fix typos

* Remove old comment

* Reuse existing storage view in reloadPluginCommon

* Correctly handle reloading auth plugin backends

* Update path to plugin/backend/reload

* Use multierrors on reloadMatchingPluginMounts, attempt to reload all mounts provided

* Use internal value as check to ensure plugin backend reload

* Remove connection state from request for plugins at the moment

* Minor cleanup

* Refactor tests
2017-08-08 00:18:59 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Chris Hoffman d481e65c5a Cleaning up logical and auth unmount functions (#2994) 2017-07-13 10:57:14 -07:00
Jeff Mitchell d169918465 Create and persist human-friendly-ish mount accessors (#2918) 2017-06-26 18:14:36 +01:00
Jeff Mitchell d25aa9fc21 Don't write salts in initialization, look up on demand (#2702) 2017-05-09 17:51:09 -04:00
Jeff Mitchell e3c8be72cc Fix local check on singleton required mounts 2017-05-09 08:36:10 -04:00
Jeff Mitchell e0c2b37c2a Add commenting to singletonMountTables 2017-05-08 13:39:18 -04:00
Jeff Mitchell f50d345fa3 Fix imports.
Closes #2688
2017-05-08 10:23:29 -04:00
Jeff Mitchell 726bd6f379 Don't load a required mount if in secondary mode, let sync invalidate do that 2017-05-05 19:40:26 -04:00
Jeff Mitchell 3aafb3270c Move singleton mount fetching function to mount.go and fix tests 2017-05-05 17:20:30 -04:00
Jeff Mitchell b53331d345 Add token to singleton mounts 2017-05-05 16:45:48 -04:00
Jeff Mitchell 6f6f242061 Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 15:01:52 -04:00
Jeff Mitchell f03d500808 Add option to disable caching per-backend. (#2455) 2017-03-08 09:20:09 -05:00
Jeff Mitchell 8462d945d3 Add some nil checks to mounting 2017-03-04 16:43:18 -05:00
Jeff Mitchell a585f709d3 Understand local when persisting mount tables, to avoid invalidations when not necessary (#2427) 2017-03-02 14:37:59 -05:00
Jeff Mitchell 4e045d000c Create upgrade path for cubbyhole's local status 2017-02-24 10:05:44 -05:00
Jeff Mitchell 496420a5ab Make cubbyhole local instead of replicated. (#2397)
This doesn't really change behavior, just what it looks like in the UX.
However, it does make tests more complicated. Most were fixed by adding
a sorting function, which is generally useful anyways.
2017-02-18 13:51:05 -05:00
Jeff Mitchell 494b4c844b More porting from rep (#2389)
* More porting from rep

* Address feedback
2017-02-16 20:13:19 -05:00
Jeff Mitchell 47274eca88 Add cleanup functions to multiple DB backends. (#2313)
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
Jeff Mitchell 2052e406d2 Move router mount back below table persistence 2017-01-17 15:15:28 -05:00
Jeff Mitchell 8e62acbd59 Sync the locking behavior between logical/auth backend (#2280) 2017-01-17 13:02:29 -05:00
vishalnayak 0778a2eba7 core: adding error server logs for failure to update mount table 2017-01-11 20:21:34 -05:00
Vishal Nayak 7367158a2a Merge pull request #2252 from hashicorp/mountentry-clone
Adding Tainted to MountEntry.Clone
2017-01-10 10:28:13 -05:00
vishalnayak 28c3f4a192 Adding Tainted to MountEntry.Clone 2017-01-10 08:32:33 -05:00
Jeff Mitchell 9e5d1eaac9 Port some updates 2017-01-06 15:42:18 -05:00
Jeff Mitchell 6d00f0c483 Adds HUP support for audit log files to close and reopen. (#1953)
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.

As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
Jeff Mitchell f3ab4971a6 Follow Vault convention on DELETE being idempotent (#1903)
* Follow Vault convention on `DELETE` being idempotent with
audit/auth/mounts deletes (a.k.a. disabling/unmounting).
2016-09-19 13:02:25 -04:00
Jeff Mitchell fffee5611a Rejig locks during unmount/remount. (#1855) 2016-09-13 11:50:14 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
vishalnayak b43cc03f0e Address review feedback from @jefferai 2016-08-09 10:47:55 -04:00
vishalnayak 5866cee5b4 Added utilities to compress the data 2016-08-09 00:50:19 -04:00
Jeff Mitchell 4b2b5363d4 Switch some errors that ought to be 500 to 500 2016-08-04 09:11:24 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers.
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell a57996ac08 Add to auth/audit too 2016-05-26 13:38:51 -04:00
Jeff Mitchell 475b0e2d33 Add table/type checking to mounts table. 2016-05-26 12:55:00 -04:00
Jeff Mitchell dcf844027b Show entry path in log, not internal view path 2016-01-28 12:34:49 -05:00
Jeff Mitchell 9c5ad28632 Update deps, and adjust usage of go-uuid to match new return values 2016-01-13 13:40:08 -05:00
Jeff Mitchell f2da5b639f Migrate 'uuid' to 'go-uuid' to better fit HC naming convention 2015-12-16 12:56:20 -05:00
Jeff Mitchell bc4c18a1cf Rearchitect MountTable locking and fix rollback.
The rollback manager was using a saved MountTable rather than the
current table, causing it to attempt to rollback unmounted mounts, and
never rollback new mounts.

In fixing this, it became clear that bad things could happen to the
mount table...the table itself could be locked, but the table pointer
(which is what the rollback manager needs) could be modified at any time
without locking. This commit therefore also returns locking to a mutex
outside the table instead of inside, and plumbs RLock/RUnlock through to
the various places that are reading the table but not holding a write
lock.

Both unit tests and race detection pass.

Fixes #771
2015-11-11 11:54:52 -05:00
Jeff Mitchell a9155ef85e Use split-out hashicorp/uuid 2015-10-12 14:07:12 -04:00
Jeff Mitchell 8f27c250d6 Fix problematic logging statements.
Fixes #665.
2015-10-02 18:31:46 -07:00
Jeff Mitchell c694c7d31d Fix situation where a new required singleton backend would not be activated upon upgrade. 2015-09-21 17:54:36 -04:00
Jeff Mitchell 68c268a6f0 Allow tuning of auth mounts, to set per-mount default/max lease times 2015-09-19 11:50:50 -04:00
Jeff Mitchell e7d5a18e94 Directly pass the cubbyhole backend to the token store and bypass logic in router 2015-09-15 13:50:37 -04:00
Jeff Mitchell 849b78daee Move more cubby logic outside of router into auth setup 2015-09-15 13:50:37 -04:00
Jeff Mitchell b50f7ec1b5 Remove noop checks in unmount/remount and restore previous behavior 2015-09-15 13:50:37 -04:00
Jeff Mitchell 77e7379ab5 Implement the cubbyhole backend
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00