vishalnayak
5909d81b7b
Merge branch 'oss' into clean-stale-leases
2017-04-26 15:07:27 -04:00
Jeff Mitchell
4a4c981fb2
Update error message to distinguish tree revocation issue from non-tree
2017-04-26 14:06:45 -04:00
Brian Kassouf
b52b410a47
Update test to reflect the correct read response
2017-04-24 21:24:19 -07:00
Brian Kassouf
e4e61ec18c
return a 404 when no plugin is found
2017-04-24 18:31:27 -07:00
Brian Kassouf
cb1f1d418c
Only run Abs on the plugin directory if it's set
2017-04-24 16:20:20 -07:00
Brian Kassouf
039bc19dd8
Fix test
2017-04-24 13:48:46 -07:00
Brian Kassouf
5ff317eb8d
Update root paths test
2017-04-24 12:47:40 -07:00
Brian Kassouf
ce9688ce8c
Change MlockDisabled to MlockEnabled
2017-04-24 12:21:49 -07:00
Joel Thompson
e06a78a474
Create unified aws auth backend ( #2441 )
...
* Rename builtin/credential/aws-ec2 to aws
The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.
* Expand aws-ec2 backend to more generic aws
This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.
* Add missing aws auth handler to CLI
This was omitted from the previous commit
* aws auth backend general variable name cleanup
Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.
* Update docs for the aws auth backend
* Refactor aws bind validation
* Fix env var override in aws backend test
Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.
* Update docs on use of IAM authentication profile
AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.
* Fix typo in aws auth cli help
* Respond to PR feedback
* More PR feedback
* Respond to additional PR feedback
* Address more feedback on aws auth PR
* Make aws auth_type immutable per role
* Address more aws auth PR feedback
* Address more iam auth PR feedback
* Rename aws-ec2.html.md to aws.html.md
Per PR feedback, to go along with new backend name.
* Add MountType to logical.Request
* Make default aws auth_type dependent upon MountType
When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.
* Pass MountPoint and MountType back up to the core
Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
Brian Kassouf
657d433330
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object
2017-04-24 12:15:01 -07:00
Brian Kassouf
c4e2ad74c5
Update path for the plugin catalog in logical system
2017-04-24 11:35:32 -07:00
Brian Kassouf
6c8239ba03
Update the builtin keys; move catalog to core; protect against unset plugin directory
2017-04-24 10:30:33 -07:00
Jeff Mitchell
3ba162fea1
List should use a trailing slash
2017-04-21 15:37:43 -04:00
Brian Kassouf
4d0aac963d
Fix tests
2017-04-21 10:24:34 -07:00
Brian Kassouf
30b06b593c
Fix tests
2017-04-21 09:10:26 -07:00
Brian Kassouf
6f9d178370
Calls to builtin plugins now go directly to the implementation instead of go-plugin
2017-04-20 18:46:41 -07:00
Brian Kassouf
af9ff63e9a
Merge remote-tracking branch 'oss/master' into database-refactor
2017-04-19 15:16:00 -07:00
Chris Hoffman
847c86f788
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
Brian Kassouf
8ccf10641b
Merge branch 'master' into database-refactor
2017-04-12 14:29:10 -07:00
Brian Kassouf
3cd5dd1839
Fix RootPaths test
2017-04-12 14:22:52 -07:00
Brian Kassouf
433004f75e
Add test for logical_system plugin-catalog handling
2017-04-12 10:39:18 -07:00
Brian Kassouf
c3724c6f17
Add path help and comments for plugin-catalog
2017-04-12 10:01:36 -07:00
Brian Kassouf
faaeb09065
Add remaining crud functions to plugin catalog and tests
2017-04-12 09:40:54 -07:00
Brian Kassouf
8071aed758
Mlock the plugin process
2017-04-10 17:12:52 -07:00
Brian Kassouf
db91a80540
Update plugin test
2017-04-10 14:12:28 -07:00
Brian Kassouf
93136ea51e
Add backend test
2017-04-07 15:50:03 -07:00
Brian Kassouf
ca2c3d0c53
Refactor to use builtin plugins from an external repo
2017-04-05 16:20:31 -07:00
Brian Kassouf
b071144c67
move builtin plugins list to the pluginutil
2017-04-05 11:00:13 -07:00
Brian Kassouf
11abcd52e6
Add a cli command to run builtin plugins
2017-04-04 17:12:02 -07:00
Brian Kassouf
0034074691
Execute builtin plugins
2017-04-04 14:43:39 -07:00
Jeff Mitchell
709389dd36
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
...
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
Brian Kassouf
e8781b6a2b
Plugin catalog
2017-04-03 17:52:29 -07:00
Brian Kassouf
29ae4602dc
More work on getting tests to pass
2017-03-23 15:54:15 -07:00
Brian Kassouf
eb6117cbb2
Work on TLS communication over plugins
2017-03-15 17:14:48 -07:00
Vishal Nayak
5a6193a56e
Audit: Add token's use count to audit response ( #2437 )
...
* audit: Added token_num_uses to audit response
* Fixed jsonx tests
* Revert logical auth to NumUses instead of TokenNumUses
* s/TokenNumUses/NumUses
* Audit: Add num uses to audit requests as well
* Added RemainingUses to distinguish NumUses in audit requests
2017-03-08 17:36:50 -05:00
Jeff Mitchell
f03d500808
Add option to disable caching per-backend. ( #2455 )
2017-03-08 09:20:09 -05:00
vishalnayak
f54ff0f842
Add locking where possible while doing auth/token/tidy
2017-03-07 16:06:05 -05:00
vishalnayak
3522b67e14
Added sys/tidy-leases endpoint
2017-03-07 15:50:17 -05:00
Jeff Mitchell
3d162b63cc
Use locks in a slice rather than a map, which is faster and makes things cleaner ( #2446 )
2017-03-07 11:21:32 -05:00
Jeff Mitchell
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell
8462d945d3
Add some nil checks to mounting
2017-03-04 16:43:18 -05:00
Jeff Mitchell
e7f418c903
Fix poison pill location
2017-03-04 10:21:27 -05:00
Brian Kassouf
e62f5dbc31
Allowed/Denied parameters support for globs ( #2438 )
...
* Add check for globbed strings
* Add tests for the acl globbing
* Fix bad test case
2017-03-03 14:50:55 -08:00
Jeff Mitchell
25428971c8
Add poison pill
2017-03-03 15:05:25 -05:00
Vishal Nayak
491a56fe9f
AppRole: Support restricted use tokens ( #2435 )
...
* approle: added token_num_uses to the role
* approle: added RUD tests for token_num_uses on role
* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
Jeff Mitchell
a585f709d3
Understand local when persisting mount tables, to avoid invalidations when not necessary ( #2427 )
2017-03-02 14:37:59 -05:00
Jeff Mitchell
bb05f2d8f8
Fix double-lock
2017-03-02 10:54:31 -05:00
Jeff Mitchell
31cddc43e1
Use own mutex for updating cluster parameters and fix leader UUID bug
2017-03-02 10:50:54 -05:00
Jeff Mitchell
beb3067787
Add some trace level information about new cluster status
2017-03-02 10:21:35 -05:00
Jeff Mitchell
36c84df326
Large update to request forwarding handling. ( #2426 )
2017-03-02 10:03:49 -05:00
Jeff Mitchell
90389323a2
Some more forwarding client cleanup
2017-03-01 20:59:20 -05:00
Jeff Mitchell
b1c2a930fe
Clean up request forwarding logic
2017-03-01 18:17:06 -05:00
Brian Kassouf
259e686d4c
Update TestSeal to ignore setting the config to nil
2017-03-01 14:10:06 -08:00
Jeff Mitchell
00cfaf7f64
Rejig signature of last remote wal
2017-03-01 12:42:10 -05:00
Jeff Mitchell
6ebb2cc958
Add last remote WAL bits
2017-03-01 12:40:36 -05:00
Jeff Mitchell
f2282247ef
Add seal cache purging back into postUnseal
2017-02-28 18:36:28 -05:00
Jeff Mitchell
09543dceeb
Rejig core standby logic to check validity of barrier during active transition
2017-02-28 18:17:30 -05:00
Jeff Mitchell
7f0a99e8eb
Add max/min wrapping TTL ACL statements ( #2411 )
2017-02-27 14:42:00 -05:00
Jeff Mitchell
2cc0906b33
Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 ( #2412 )
2017-02-27 12:49:35 -05:00
Jeff Mitchell
8091a10c38
Make rollback attempts trace level instead of debug level
2017-02-27 09:41:56 -05:00
Jeff Mitchell
b29861f7bb
Do some porting to make diffing easier
2017-02-24 10:45:29 -05:00
Jeff Mitchell
4e045d000c
Create upgrade path for cubbyhole's local status
2017-02-24 10:05:44 -05:00
Jeff Mitchell
0e1b1e33be
Add comment around not allowing users to create JWT wrapping tokens
2017-02-22 11:13:40 -05:00
Brian Kassouf
9a9b89f16f
Update confusing comment
2017-02-21 16:06:00 -08:00
Brian Kassouf
dd5b541db6
Added test for the empty values array case
2017-02-21 16:02:00 -08:00
Brian Kassouf
a25132cec4
On merge favor values that have additive privileges
2017-02-21 15:53:27 -08:00
Brian Kassouf
9ec8dd3d17
PR feedback
2017-02-21 15:02:39 -08:00
Brian Kassouf
f992103615
Merge branch 'master' into acl-parameters-permission
2017-02-21 14:46:06 -08:00
Jeff Mitchell
496420a5ab
Make cubbyhole local instead of replicated. ( #2397 )
...
This doesn't really change behavior, just what it looks like in the UX.
However, it does make tests more complicated. Most were fixed by adding
a sorting function, which is generally useful anyways.
2017-02-18 13:51:05 -05:00
Jeff Mitchell
4a966726e5
Make reindex a root path as well
2017-02-16 23:36:06 -05:00
Jeff Mitchell
f3bee3550c
Remove now-unnecessary stanza from default policy
2017-02-16 23:30:38 -05:00
Jeff Mitchell
674a0a48bf
Fix rep path fetching method into a function
2017-02-16 23:23:21 -05:00
Jeff Mitchell
f37b6492d1
More rep porting ( #2391 )
...
* More rep porting
* Add a bit more porting
2017-02-16 23:09:39 -05:00
Brian Kassouf
1c5264c66c
ToLower parameter strings
2017-02-16 17:50:10 -08:00
Jeff Mitchell
494b4c844b
More porting from rep ( #2389 )
...
* More porting from rep
* Address feedback
2017-02-16 20:13:19 -05:00
Brian Kassouf
07799f665d
Simplify the merging of two policies
2017-02-16 16:30:08 -08:00
Brian Kassouf
7229bdfd38
Remove debug code
2017-02-16 16:14:30 -08:00
Brian Kassouf
136730cb01
Update logic to fix a few edge cases:
2017-02-16 15:20:11 -08:00
Jeff Mitchell
c81582fea0
More porting from rep ( #2388 )
...
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell
0c39b613c8
Port some replication bits to OSS ( #2386 )
2017-02-16 15:15:02 -05:00
Jeff Mitchell
0a9a6d3343
Move ReplicationState to consts
2017-02-16 13:37:21 -05:00
Brian Kassouf
13ec9c5dbf
Load leases into the expiration manager in parallel ( #2370 )
...
* Add a benchmark for exiration.Restore
* Add benchmarks for consul Restore functions
* Add a parallel version of expiration.Restore
* remove debug code
* Up the MaxIdleConnsPerHost
* Add tests for etcd
* Return errors and ensure go routines are exited
* Refactor inmem benchmark
* Add s3 bench and refactor a bit
* Few tweaks
* Fix race with waitgroup.Add()
* Fix waitgroup race condition
* Move wait above the info log
* Add helper/consts package to store consts that are needed in cyclic packages
* Remove not used benchmarks
2017-02-16 10:16:06 -08:00
Brian Kassouf
8d880f5181
Remove duplicate test case
2017-02-15 22:38:33 -08:00
Brian Kassouf
f1d5b60b97
s/has/has been/
2017-02-15 22:19:35 -08:00
Brian Kassouf
c80593387c
Remove unnecessary else condition
2017-02-15 22:18:20 -08:00
Brian Kassouf
c9ae260cdf
Merge branch 'acl-parameters-permission' of github.com:hashicorp/vault into acl-parameters-permission
2017-02-15 22:13:28 -08:00
Brian Kassouf
24d8710233
Fix the issue of returning on the first paramater check. Added tests for this case.
2017-02-15 22:13:18 -08:00
Jeff Mitchell
978772a47a
Merge branch 'master-oss' into acl-parameters-permission
2017-02-16 00:46:40 -05:00
Jeff Mitchell
e60b24431a
Fix audit test and make audited headers more robust in map checks
2017-02-16 00:44:20 -05:00
Jeff Mitchell
da9e62bc24
Remove "permissions" from ACL
2017-02-15 21:12:26 -05:00
Jeff Mitchell
51f7114648
Merge branch 'master-oss' into acl-parameters-permission
2017-02-15 20:37:58 -05:00
Jeff Mitchell
acb7391b12
Compare headers case-insensitively for auditing
...
Fixes #2362
2017-02-15 20:35:35 -05:00
Jeff Mitchell
2fd59ad308
Merge branch 'master-oss' into acl-parameters-permission
2017-02-08 01:59:52 -05:00
Jeff Mitchell
4b2b28e085
Push test functions to a var for overriding
2017-02-07 20:44:31 -05:00
Jeff Mitchell
f1cfb060f6
Remove errant unlock of state lock
2017-02-07 11:08:52 -05:00
Jeff Mitchell
ddc977ba52
Add debug ( #2341 )
2017-02-06 18:30:13 -05:00
Jeff Mitchell
67f96bc64e
Rejig check for HA/Sealed in Leader to check for sealed first. ( #2342 )
...
Fixes #2334
2017-02-06 18:29:56 -05:00
Brian Kassouf
8ef4bc32dd
Update the help text for auditing headers ( #2330 )
...
* Update the help text for auditing headers
* Update help name
2017-02-03 10:08:31 -08:00
Jeff Mitchell
6c02e9357a
Update protos
2017-02-02 16:20:32 -05:00
Brian Kassouf
6701ba8a10
Configure the request headers that are output to the audit log ( #2321 )
...
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited
* Remove some debug lines
* Add a persistant layer and refactor a bit
* update the api endpoints to be more restful
* Add comments and clean up a few functions
* Remove unneeded hash structure functionaility
* Fix existing tests
* Add tests
* Add test for Applying the header config
* Add Benchmark for the ApplyConfig method
* ResetTimer on the benchmark:
* Update the headers comment
* Add test for audit broker
* Use hyphens instead of camel case
* Add size paramater to the allocation of the result map
* Fix the tests for the audit broker
* PR feedback
* update the path and permissions on config/* paths
* Add docs file
* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
Jeff Mitchell
47274eca88
Add cleanup functions to multiple DB backends. ( #2313 )
...
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
Jeff Mitchell
67410ab230
Make TLS 1.2 *explicitly* required for cluster communications
2017-01-31 13:30:25 -05:00
Brian Kassouf
3c0de664a4
Fix keyring test
2017-01-24 12:58:14 -08:00
Jeff Mitchell
061bd6012d
Fix keyring copypasta test failure
2017-01-24 14:00:13 -05:00
Jeff Mitchell
31ce37188b
Fix keyring tests, working around Go nil timezone bug in DeepEqual
...
See https://github.com/golang/go/issues/10089
2017-01-24 12:33:28 -05:00
Jeff Mitchell
2c8d18ad8d
Attempt to fix expiration test again
2017-01-24 11:17:48 -05:00
Jeff Mitchell
b0f741d4a1
Add some extra lease debugging to try to figure out Travis timezone issue
2017-01-24 10:48:11 -05:00
Jeff Mitchell
d75b5f01ec
Use the same time object in the serialization test
2017-01-24 10:32:40 -05:00
Jeff Mitchell
77bc6fa481
Use time.Now rather than using time as a struct
2017-01-24 10:21:41 -05:00
Jeff Mitchell
43acbea6a9
Add some newlines to a failing test to make it easier to spot differences
2017-01-23 14:08:29 -05:00
Brian Kassouf
7ec19459a7
Remove extra comments
2017-01-20 11:38:40 -08:00
Brian Kassouf
df800198e0
Remove some extra comments
2017-01-20 11:32:58 -08:00
Brian Kassouf
e1424c631e
Add logic to merge the two arrays and refactor the test around merging
2017-01-20 11:16:46 -08:00
Brian Kassouf
090736d4df
Clean up logic a bit and add some comments
2017-01-19 18:41:15 -08:00
Brian Kassouf
37f393ff94
Remove unneeded comment block
2017-01-19 18:18:06 -08:00
Brian Kassouf
1580296ae5
Update tests to check parsing of types
2017-01-19 18:13:39 -08:00
Brian Kassouf
5ccb3e052b
Add tests for boolean values
2017-01-19 17:41:02 -08:00
Brian Kassouf
68a1780052
Format dynamic_system_view.go
2017-01-19 16:54:08 -08:00
Brian Kassouf
f3870061ee
fix some of the tests and rename allowed/dissallowed paramaters
2017-01-19 16:40:19 -08:00
Brian Kassouf
25b49b8bae
Add test cases for map and integer types
2017-01-18 17:11:25 -08:00
Jeff Mitchell
20c65b8300
Fix regression in 0.6.4 where token store roles could not properly wo… ( #2286 )
2017-01-18 16:11:25 -05:00
vishalnayak
c9bd2a37f8
Don't sanitize disallowed_policies on token role
2017-01-17 21:34:14 -05:00
Brian Kassouf
be10ef9d42
Use deepequals and write tests for the allow/disallow values
2017-01-17 16:40:21 -08:00
Vishal Nayak
fa7d61baa3
Merge pull request #2202 from fcantournet/fix_govet_fatalf
...
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Jeff Mitchell
69eb5066dd
Multi value test seal ( #2281 )
2017-01-17 15:43:10 -05:00
Jeff Mitchell
2052e406d2
Move router mount back below table persistence
2017-01-17 15:15:28 -05:00
Jeff Mitchell
8e62acbd59
Sync the locking behavior between logical/auth backend ( #2280 )
2017-01-17 13:02:29 -05:00
Jeff Mitchell
dd0e44ca10
Add nonce to unseal to allow seeing if the operation has reset ( #2276 )
2017-01-17 11:47:06 -05:00
Brian Kassouf
1d3cae860b
Start to check the values with allowed/dissallowed lists in policy.
2017-01-16 17:48:22 -08:00
Brian Kassouf
ae116ada25
Merge branch 'master' into acl-parameters-permission
2017-01-13 16:44:10 -08:00
Brian Kassouf
3d47e5ebc7
add initialize method to noopbackend
2017-01-13 13:12:27 -08:00
Jeff Mitchell
252e1f1e84
Port over some work to make the system views a bit nicer
2017-01-13 14:51:27 -05:00
Jeff Mitchell
d869c0d6a6
Rejig IsPrimary again
2017-01-12 15:59:00 -05:00
Jeff Mitchell
ec4f069da4
Fix building some test code without build tags
2017-01-12 15:21:47 -05:00
Jeff Mitchell
32f9ccb6c8
Rejig dynamic system view to build without tags
2017-01-12 15:13:47 -05:00
Vishal Nayak
00ffd80fcd
Merge pull request #2236 from hashicorp/pgp-keys-check
...
rekey: added check to ensure that length of PGP keys and the shares are matching
2017-01-12 11:19:08 -05:00
vishalnayak
daacf23c38
rekey: remove the check from vault/rekey.go in favor of check in http layer
2017-01-12 00:07:49 -05:00
vishalnayak
adb6ac749f
init: pgp-keys input validations
2017-01-11 23:32:38 -05:00
vishalnayak
0778a2eba7
core: adding error server logs for failure to update mount table
2017-01-11 20:21:34 -05:00
vishalnayak
bf6aa296b3
rekey: added check to ensure that length of PGP keys and the shares are matching
2017-01-11 13:29:10 -05:00
Jeff Mitchell
9923c753d0
Set c.standby true in non-HA context. ( #2259 )
...
This value is the key for some checks in core logic. In a non-HA
environment, if the core was sealed it would never be set back to true.
2017-01-11 11:13:09 -05:00
Vishal Nayak
7367158a2a
Merge pull request #2252 from hashicorp/mountentry-clone
...
Adding Tainted to MountEntry.Clone
2017-01-10 10:28:13 -05:00
vishalnayak
28c3f4a192
Adding Tainted to MountEntry.Clone
2017-01-10 08:32:33 -05:00
Jeff Mitchell
bb32853fcd
Fix up exclusion rules for dynamic system view IsPrimary
2017-01-07 18:31:43 -05:00
Jeff Mitchell
9d89aae00c
Fix up invalidations in noopbackend
2017-01-07 18:22:34 -05:00
Armon Dadgar
c37d17ed47
Adding interface methods to logical.Backend for parity ( #2242 )
2017-01-07 18:18:22 -05:00
Jeff Mitchell
336dfed5c3
Rename gRPC request forwarding method
2017-01-06 17:08:43 -05:00
Jeff Mitchell
681e36c4af
Split Unseal into Unseal and unsealInternal
2017-01-06 16:30:43 -05:00
Jeff Mitchell
9e5d1eaac9
Port some updates
2017-01-06 15:42:18 -05:00
Jeff Mitchell
64fc18e523
When a JWT wrapping token is returned, audit the inner token both for
...
request and response. This makes it far easier to properly check
validity elsewhere in Vault because we simply replace the request client
token with the inner value.
2017-01-04 23:50:24 -05:00
vishalnayak
066038bebd
Fixed return types
2017-01-04 16:58:25 -05:00
Jeff Mitchell
0391475c70
Add read locks to LookupToken/ValidateWrappingToken ( #2232 )
2017-01-04 16:52:03 -05:00
Jeff Mitchell
3129187dc2
JWT wrapping tokens ( #2172 )
2017-01-04 16:44:03 -05:00
vishalnayak
d70fb45fbb
Removed unused methods
2017-01-03 12:51:35 -05:00
Félix Cantournet
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Jeff Mitchell
9f60e9f88d
Add tidy expiration test
2016-12-16 17:04:28 -05:00
vishalnayak
bae84e3864
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 15:41:41 -05:00
Vishal Nayak
ba026aeaa1
TokenStore: Added tidy endpoint ( #2192 )
2016-12-16 15:29:27 -05:00
Jeff Mitchell
f6044764c0
Fix revocation of leases when num_uses goes to 0 ( #2190 )
2016-12-16 13:11:55 -05:00
Vishal Nayak
8400b87473
Don't add default policy to child token if parent does not have it ( #2164 )
2016-12-16 00:36:39 -05:00
Vishal Nayak
e3f56f375c
Add 'no-store' response header from all the API outlets ( #2183 )
2016-12-15 17:53:07 -05:00
mwoolsey
907e735541
Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow.
2016-12-06 18:14:15 -08:00
mwoolsey
c27817aba3
Merge branch 'master' of https://github.com/hashicorp/vault
2016-12-06 16:09:32 -08:00
Jeff Mitchell
7865143c1d
Minor ports
2016-12-05 12:28:12 -05:00
Jeff Mitchell
710e8f2d4c
Change Vault audit broker logic to successfully start when at least one ( #2155 )
...
backend is successfully loaded.
Fixes #2083
2016-12-02 15:09:01 -05:00
Thomas Soëte
90b392c7fc
Fix panic() in test suite ( #2149 )
...
As `base` could be nil, move check in `if base != nil`
2016-12-02 06:31:06 -05:00
Jeff Mitchell
49284031c6
Respect logger in TestCluster
2016-12-01 15:25:10 -05:00
mwoolsey
3e72e50fa5
Merge remote-tracking branch 'upstream/master'
2016-11-20 18:31:55 -08:00
Jeff Mitchell
ee29b329fb
Bump proto files after update
2016-11-17 10:06:26 -05:00
Jeff Mitchell
e84a015487
Add extra logic around listener handling. ( #2089 )
2016-11-11 16:43:33 -05:00
Jeff Mitchell
6c1d2ffea9
Allow wrapping to be specified by backends, and take the lesser of the request/response times ( #2088 )
2016-11-11 15:12:11 -05:00
Jeff Mitchell
168d6e1a3d
Fix other clustering tests on OSX
2016-11-08 10:55:41 -05:00
Jeff Mitchell
e381c189e4
Fix cluster testing on OSX; see the inline comment for details
2016-11-08 10:31:35 -05:00
Jeff Mitchell
86edada67c
Show the listener address when it's created for the cluster in the log
2016-11-08 10:31:15 -05:00
Jeff Mitchell
6f86e664a8
use a const for cluster test pause period
2016-11-08 10:30:44 -05:00
lemondrank
c63d9e9f24
added AllowOperation tests
2016-11-07 12:28:41 -08:00
ChaseLEngel
a847caa4ae
Moved Operations out of test cases variable.
2016-11-07 12:08:17 -08:00
ChaseLEngel
e349d64dbc
Finished merge testing.
2016-11-06 15:16:08 -08:00
mwoolsey
42e0ecb0b8
narrowed the problem to: the Permissions struct in the TestPolicyMerge method is not being initialized
2016-11-06 13:38:25 -08:00
mwoolsey
2add5dbf3a
Started the testing on merged pathCapabilites
2016-11-01 21:27:33 -07:00
ChaseLEngel
482ed0a659
Add merge testcases
2016-11-01 19:48:00 -07:00
lemondrank
975ac72822
started acl_test updates
2016-10-30 15:09:45 -07:00
Vishal Nayak
b3c805e662
Audit the client token accessors ( #2037 )
2016-10-29 17:01:49 -04:00
mwoolsey
b5669d73db
Had to change what a wildcard value in a parameter mapped to, from a nil value to an empty struct
2016-10-28 12:54:37 -07:00
mwoolsey
3a0e01a5d7
Added the merging of wildcards to allowed and denied parameters.
2016-10-28 12:33:50 -07:00
Jeff Mitchell
0ed2dece6d
Don't panic if postUnseal calls preSeal due to audit table never being set up. Also call cleanup funcs on auth backends. ( #2043 )
2016-10-28 15:32:32 -04:00
mwoolsey
bcd0618623
updated testing on a policy to cover parameters in the policy
2016-10-28 10:18:31 -07:00
ChaseLEngel
2ea4caeffb
Update acl and policy tests to use Permissions.
2016-10-21 23:45:39 -07:00
ChaseLEngel
353241e328
Fixing type assertions.
2016-10-21 21:12:02 -07:00
mwoolsey
ed982675a1
permissions structure now holds a map of strings to empty structs. Modified acl.go to acommidate these changes
2016-10-21 19:35:55 -07:00
ChaseLEngel
c6b63b5312
Implemented AllowOperation parameter permission checking for request data.
2016-10-21 18:38:05 -07:00
Vishal Nayak
e06aaf20e1
Remove unused WrapListenersForClustering ( #2007 )
2016-10-18 10:20:09 -04:00
ChaseLEngel
c2b512cf46
Changed AllowOperation to take logical.Request
2016-10-16 16:29:52 -07:00
ChaseLEngel
bd7711bebf
Merge allowed and disallowed parameters maps.
2016-10-16 15:24:32 -07:00
mwoolsey
93bb52b733
policy now includes whether a certain parameter can be updated
2016-10-15 16:44:57 -07:00
mwoolsey
231d3e7758
policy now includes whether a certain parameter can be updated
2016-10-15 16:43:55 -07:00
ChaseLEngel
119dd9653e
Adding permissions to hcl config and decoding it.
2016-10-14 14:24:45 -07:00
ChaseLEngel
bd5235960c
Fixed permission conflicts
2016-10-14 10:33:12 -07:00
ChaseLEngel
d480df7141
Fixed Policy Permissions intergration and spelling.
2016-10-14 10:22:00 -07:00
mwoolsey
eb8b8a1def
created structure for permissions and modified parsePaths in policy.go and newAcl/AllowOperation in acl.go
2016-10-14 10:17:25 -07:00
mwoolsey
4582f2268c
working on modifying AllowOperation in acl.go
2016-10-10 11:21:25 -07:00
mwoolsey
6aa9a1d165
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure
2016-10-09 15:39:58 -07:00
Jeff Mitchell
b5225fd000
Add KeyNotFoundError to seal file
2016-10-05 17:17:33 -04:00
Jeff Mitchell
6d00f0c483
Adds HUP support for audit log files to close and reopen. ( #1953 )
...
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.
As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
Jeff Mitchell
85315ff188
Rejig where the reload functions live
2016-09-30 00:07:22 -04:00
Jeff Mitchell
4a505bfa3e
Update text around cubbyhole/response
2016-09-29 17:44:15 -04:00
Jeff Mitchell
5657789627
Audit unwrapped response ( #1950 )
2016-09-29 12:03:47 -07:00
Jeff Mitchell
b45a481365
Wrapping enhancements ( #1927 )
2016-09-28 21:01:28 -07:00
Jeff Mitchell
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
vishalnayak
57b21acabb
Added unit tests for token entry upgrade
2016-09-26 18:17:50 -04:00
vishalnayak
af888573be
Handle upgrade of deprecated fields in token entry
2016-09-26 15:47:48 -04:00
Jeff Mitchell
f3ab4971a6
Follow Vault convention on DELETE
being idempotent ( #1903 )
...
* Follow Vault convention on `DELETE` being idempotent with
audit/auth/mounts deletes (a.k.a. disabling/unmounting).
2016-09-19 13:02:25 -04:00
Jeff Mitchell
722e26f27a
Add support for PGP encrypting the initial root token. ( #1883 )
2016-09-13 18:42:24 -04:00
Jeff Mitchell
fffee5611a
Rejig locks during unmount/remount. ( #1855 )
2016-09-13 11:50:14 -04:00
Jeff Mitchell
1c6f2fd82b
Add response wrapping to list operations ( #1814 )
2016-09-02 01:13:14 -04:00
Jeff Mitchell
19d64a476a
Apply fix from #1827 to rekey
2016-09-01 17:42:28 -04:00
Jeff Mitchell
5bd93b62d4
Return bad request error on providing same key for root generation ( #1833 )
...
Fixes #1827
2016-09-01 17:40:01 -04:00
vishalnayak
328de60338
Description consistency
2016-08-29 15:53:11 -04:00
Jeff Mitchell
ac38863884
Add back token/accessor URL parameters but return a warning.
...
CC @sethvargo
2016-08-29 15:15:57 -04:00
vishalnayak
aec05fdf02
Remove the upgrade code to update the mount table from 'aws' to 'aws-ec2'
2016-08-29 11:53:52 -04:00
Jeff Mitchell
7e41d5ab45
Pass headers back when request forwarding ( #1795 )
2016-08-26 17:53:47 -04:00
Jeff Mitchell
2ce4397deb
Plumb through the ability to set the storage read cache size. ( #1784 )
...
Plumb through the ability to set the storage read cache size.
Fixes #1772
2016-08-26 10:27:06 -04:00
Jeff Mitchell
9fee9ce8ff
Don't allow tokens in paths. ( #1783 )
2016-08-24 15:59:43 -04:00
Jeff Mitchell
b89073f7e6
Error when an invalid (as opposed to incorrect) unseal key is given. ( #1782 )
...
Fixes #1777
2016-08-24 14:15:25 -04:00
Jeff Mitchell
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
Jeff Mitchell
2bb8adcbde
Cleanup and avoid unnecessary advertisement parsing in leader check
2016-08-19 14:49:11 -04:00
Jeff Mitchell
b7acf5b5ab
Rename proto service stuff and change log levels for some messages
2016-08-19 11:49:25 -04:00
Jeff Mitchell
bdcfe05517
Clustering enhancements ( #1747 )
2016-08-19 11:03:53 -04:00
vishalnayak
87c42a796b
s/advertisement/redirect
2016-08-19 10:52:14 -04:00
Jeff Mitchell
01702415c2
Ensure we don't use a token entry period of 0 in role comparisons.
...
When we added support for generating periodic tokens for root/sudo in
auth/token/create we used the token entry's period value to store the
shortest period found to eventually populate the TTL. The problem was
that we then assumed later that this value would be populated for
periodic tokens, when it wouldn't have been in the upgrade case.
Instead, use a temp var to store the proper value to use; populate
te.Period only if actually given; and check that it's not zero before
comparing against role value during renew.
2016-08-16 16:47:46 -04:00
Jeff Mitchell
c1aa89363a
Make time logic a bit clearer
2016-08-16 16:29:07 -04:00
Jeff Mitchell
02d9702fbd
Add local into handler path for forwarded requests
2016-08-16 11:46:37 -04:00
Jeff Mitchell
62c69f8e19
Provide base64 keys in addition to hex encoded. ( #1734 )
...
* Provide base64 keys in addition to hex encoded.
Accept these at unseal/rekey time.
Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell
37320f8798
Request forwarding ( #1721 )
...
Add request forwarding.
2016-08-15 09:42:42 -04:00
Jeff Mitchell
40ece8fd7c
Add another test and fix some output
2016-08-14 07:17:14 -04:00
Jeff Mitchell
b6ef112382
Minor wording change
2016-08-13 15:45:13 -04:00
Jeff Mitchell
cdea4b3445
Add some tests and fix some bugs
2016-08-13 14:03:22 -04:00
Jeff Mitchell
de60702d76
Don't check the role period again as we've checked it earlier and it may be greater than the te Period
2016-08-13 13:21:56 -04:00
Jeff Mitchell
bcb4ab5422
Add periodic support for root/sudo tokens to auth/token/create
2016-08-12 21:14:12 -04:00
Jeff Mitchell
c1a46349fa
Change to keybase openpgp fork as it has important fixes
2016-08-11 08:31:43 -04:00
vishalnayak
3895ea4c2b
Address review feedback from @jefferai
2016-08-10 15:22:12 -04:00
vishalnayak
95f9c62523
Fix Cluster object being returned as nil when unsealed
2016-08-10 15:09:16 -04:00
Jeff Mitchell
0f40fba40d
Don't allow a root token that expires to create one that doesn't
2016-08-09 20:32:40 -04:00
vishalnayak
b5d55a9f47
Fix broken mount_test
2016-08-09 12:06:59 -04:00
Jeff Mitchell
4246ab1220
Change local cluster info path
2016-08-09 11:28:42 -04:00
Vishal Nayak
c27a52069c
Merge pull request #1693 from hashicorp/mount-table-compress
...
Added utilities to compress the JSON encoded string.
2016-08-09 11:23:14 -04:00
Jeff Mitchell
cc10fd7a7e
Use config file cluster name after automatic gen
2016-08-09 11:03:50 -04:00
vishalnayak
b43cc03f0e
Address review feedback from @jefferai
2016-08-09 10:47:55 -04:00
Jeff Mitchell
94c9fc3b49
Minor test fix
2016-08-09 07:13:29 -04:00
vishalnayak
78d57520fb
Refactoring and test fixes
2016-08-09 03:43:03 -04:00
vishalnayak
5866cee5b4
Added utilities to compress the data
2016-08-09 00:50:19 -04:00
Jeff Mitchell
d2124486ef
Merge pull request #1702 from hashicorp/renew-post-body
...
Add ability to specify renew lease ID in POST body.
2016-08-08 20:01:25 -04:00
Jeff Mitchell
c86fd0353c
urllease_id -> url_lease_id
2016-08-08 18:34:00 -04:00
Jeff Mitchell
065da5fd69
Migrate default policy to a const
2016-08-08 18:33:31 -04:00
Jeff Mitchell
5a48611a62
Add test for both paths in backend
2016-08-08 18:32:18 -04:00
Jeff Mitchell
56b7f595aa
Fix parsing optional URL param
2016-08-08 18:08:25 -04:00
Jeff Mitchell
ab71b981ad
Add ability to specify renew lease ID in POST body.
2016-08-08 18:00:44 -04:00
Jeff Mitchell
13b7d37a0b
Remove change to naming return values
2016-08-08 17:56:14 -04:00
Jeff Mitchell
a583f8a3f8
Use policyutil sanitizing
2016-08-08 17:42:25 -04:00
Jeff Mitchell
4f0310ed96
Don't allow root from authentication backends either.
...
We've disabled this in the token store, but it makes no sense to have
that disabled but have it enabled elsewhere. It's the same issue across
all, so simply remove the ability altogether.
2016-08-08 17:32:37 -04:00
Jeff Mitchell
796c93a8b0
Add sys/renew to default policy
2016-08-08 17:32:30 -04:00
Jeff Mitchell
d7f6218869
Move checking non-assignable policies above the actual token creation
2016-08-08 16:44:29 -04:00
Laura Bennett
da615642f5
Merge pull request #1687 from hashicorp/token-store-update
...
Minor update to token-store
2016-08-08 10:25:05 -04:00
Jeff Mitchell
ac62b18d56
Make capabilities-self
part of the default policy.
...
Fixes #1695
2016-08-08 10:00:01 -04:00
vishalnayak
e783bfe7e1
Minor changes to test cases
2016-08-05 20:22:07 -04:00
vishalnayak
5ddd1c7223
Fix broken test case
2016-08-05 20:07:18 -04:00
Laura Bennett
02911c0e01
full updates based on feedback
2016-08-05 18:57:35 -04:00
Laura Bennett
52623a2395
test updates based on feedback
2016-08-05 18:56:22 -04:00
Laura Bennett
405eb0075a
fix an error, tests still broken
2016-08-05 17:58:48 -04:00
Jeff Mitchell
82b3d136e6
Don't mark never-expiring root tokens as renewable
2016-08-05 11:15:25 -04:00
Laura Bennett
68d351c70c
addresses feedback, but tests broken
2016-08-05 10:04:02 -04:00
Jeff Mitchell
4b2b5363d4
Switch some errors that ought to be 500 to 500
2016-08-04 09:11:24 -04:00
Laura Bennett
c626277632
initial commit for minor update to token-store
2016-08-03 14:32:17 -04:00
Jeff Mitchell
a7ed50dbc8
coreClusterPath -> coreLocalClusterPath
2016-08-03 09:50:21 -04:00
Vishal Nayak
0b2098de2f
Merge pull request #1681 from hashicorp/disallowed-policies
...
Support disallowed_policies in token roles
2016-08-02 17:32:53 -04:00
vishalnayak
e7cb3fd990
Addressed review feedback
2016-08-02 16:53:06 -04:00
vishalnayak
4f45910dfc
disallowed_policies doc update
2016-08-02 16:33:22 -04:00
vishalnayak
9947b33498
Added tests for disallowed_policies
2016-08-02 15:21:15 -04:00
Jeff Mitchell
31b36fe2c2
Use duration helper to allow not specifying duration units
2016-08-02 15:12:45 -04:00
vishalnayak
a936914101
Address review feedback and fix existing tests
2016-08-02 14:10:20 -04:00
vishalnayak
a0c711d0cf
Added disallowed_policies to token roles
2016-08-02 10:33:50 -04:00
Jeff Mitchell
357f2d972f
Add some extra safety checking in accessor listing and update website
...
docs.
2016-08-01 13:12:06 -04:00
Jeff Mitchell
6546005487
Fix typo
2016-07-29 23:24:04 -04:00
Jeff Mitchell
e606aab6e0
oops, fix createAccessor
2016-07-29 18:23:55 -04:00
Jeff Mitchell
23ab63c78e
Add accessor list function to token store
2016-07-29 18:20:38 -04:00
vishalnayak
cff7aada7a
Fix invalid input getting marked as internal error
2016-07-28 16:23:11 -04:00
Laura Bennett
4d9c909ae4
Merge pull request #1650 from hashicorp/request-uuid
...
Added unique identifier to each request. Closes hashicorp/vault#1617
2016-07-27 09:40:48 -04:00
vishalnayak
c17534d527
Fix request_id test failures
2016-07-26 18:30:13 -04:00
Laura Bennett
fb1b032040
fixing id in buildLogicalRequest
2016-07-26 15:50:37 -04:00
Vishal Nayak
c7bcaa5bb6
Merge pull request #1655 from hashicorp/cluster-id
...
Vault cluster name and ID
2016-07-26 14:12:48 -04:00
vishalnayak
669bbdfa48
Address review feedback from @jefferai
2016-07-26 14:05:27 -04:00
Laura Bennett
ad66bd7502
fixes based proper interpretation of comments
2016-07-26 12:20:27 -04:00
vishalnayak
a3e6400697
Remove global name/id. Make only cluster name configurable.
2016-07-26 10:01:35 -04:00
vishalnayak
a6907769b0
AppRole authentication backend
2016-07-26 09:32:41 -04:00
vishalnayak
09d362d973
As it is
2016-07-26 09:18:38 -04:00
vishalnayak
c7dabe4def
Storing local and global cluster name/id to storage and returning them in health status
2016-07-26 02:32:42 -04:00
Laura Bennett
06b1835469
Merge pull request #1649 from hashicorp/internal-policy-block
...
Closes hashicorp/vault#1618
2016-07-25 17:41:48 -04:00
Laura Bennett
ae8a90be30
adding ids
2016-07-25 16:54:43 -04:00
Jeff Mitchell
e26487ced5
Add test for non-assignable policies
2016-07-25 16:00:18 -04:00
Laura Bennett
8d52a96df5
moving id to http/logical
2016-07-25 15:24:10 -04:00
Jeff Mitchell
d2cbe48aaf
Use RFC3339Nano for better precision
2016-07-25 14:11:57 -04:00
Laura Bennett
eb75afe54d
minor edit for error statement
2016-07-25 13:29:57 -04:00
Laura Bennett
9ef3d90349
still fixing git mistake
2016-07-25 10:11:51 -04:00
Laura Bennett
cc668b5c48
Fixing git mistake
2016-07-25 09:57:47 -04:00
Laura Bennett
7e29cf1cae
edits based on comments in PR
2016-07-25 09:46:10 -04:00
Laura Bennett
395f052870
minor error correction
2016-07-24 22:35:54 -04:00
Laura Bennett
9ea1c8b801
initial commit for nonAssignablePolicies
2016-07-24 22:27:41 -04:00
Laura Bennett
4945198334
reverting branch mistake
2016-07-24 21:56:52 -04:00
Laura Bennett
483e796177
website update for request uuuid
2016-07-24 21:23:12 -04:00
Laura Bennett
c63cdc23a1
Merge branch 'master' of https://github.com/hashicorp/vault into request-uuid
2016-07-23 21:47:08 -04:00
Laura Bennett
e5737b6789
initial local commit
2016-07-23 21:46:28 -04:00
Jeff Mitchell
4ab60f36a3
Rename err var to be more clear
2016-07-22 16:57:47 -04:00
vishalnayak
331f229858
Added a cap of 256 for CreateLocks utility
2016-07-20 04:48:35 -04:00
vishalnayak
50e8a189e9
Added helper to create locks
2016-07-19 21:37:28 -04:00
Jeff Mitchell
80a688c059
Ensure mount/auth tables are not nil when triggering rollback
...
During setup or teardown there could be a race condition so check for it
to avoid a potential panic.
2016-07-18 22:02:39 -04:00
Jeff Mitchell
df621911d7
Merge pull request #1624 from hashicorp/dynamodb-ha-off-default
...
Turn off DynamoDB HA by default.
2016-07-18 13:54:26 -04:00
Jeff Mitchell
028d024345
Add metrics around leadership
...
This can be helpful for detecting flapping.
Fixes #1544
2016-07-18 13:38:44 -04:00
Jeff Mitchell
a3ce0dcb0c
Turn off DynamoDB HA by default.
...
The semantics are wonky and have caused issues from people not reading
docs. It can be enabled but by default is off.
2016-07-18 13:19:58 -04:00
vishalnayak
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Vishal Nayak
9f1e6c7b26
Merge pull request #1607 from hashicorp/standardize-time
...
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
vishalnayak
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
Jeff Mitchell
5b210b2a1f
Return a duration instead and port a few other places to use it
2016-07-11 18:19:35 +00:00
Jeff Mitchell
ab6c2bc5e8
Factor out parsing duration second type and use it for parsing tune values too
2016-07-11 17:53:39 +00:00
vishalnayak
fcb0b580ab
Fix broken build
2016-07-08 23:16:58 -04:00
vishalnayak
55a667b8cd
Fix broken build
2016-07-08 20:30:27 -04:00
vishalnayak
dc690d6233
Place error check before the response check in expiration test
2016-07-08 19:01:36 -04:00
vishalnayak
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
Jeff Mitchell
c7d72fea90
Do some extra checking in the modified renewal check
2016-07-08 10:34:49 -04:00
Jeff Mitchell
7023eafc67
Make the API client retry on 5xx errors.
...
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.
Fix tests.
2016-07-06 16:50:23 -04:00
vishalnayak
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell
88c7292023
Fix broken test
2016-07-05 12:54:27 -04:00
Jeff Mitchell
8ce13b3f68
Add non-wrapped step
2016-07-05 12:11:40 -04:00
Jeff Mitchell
b6ca7e9423
Add response wrapping support to login endpoints.
...
Fixes #1587
2016-07-05 11:46:21 -04:00
Jeff Mitchell
90c2f5bb55
Fix some more too-tight timing in the token store tests
2016-07-01 11:59:39 -04:00
Jeff Mitchell
f3e6e4ee28
Fix timing in explicit max ttl test
2016-07-01 11:37:27 -04:00
Jeff Mitchell
09720bbd8e
Fix picking wrong token lock
2016-06-27 11:17:08 -04:00
vishalnayak
2933c5ce08
Made default_lease_ttl and max_lease_ttl as int64 and fixed tests
2016-06-20 20:23:49 -04:00
vishalnayak
0bdeea3a33
Fix the test cases
2016-06-20 18:56:19 -04:00
vishalnayak
848b479a61
Added 'sys/auth/<path>/tune' endpoints.
...
Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods'
2016-06-15 13:58:24 -04:00
Jeff Mitchell
368a17e978
Add some commenting
2016-06-14 05:54:09 +00:00
Jeff Mitchell
e925987cb6
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
Jeff Mitchell
1de6140d5c
Fix mah broken tests
2016-06-10 14:03:56 -04:00
Jeff Mitchell
9f6c5bc02a
cubbyhole-response-wrapping -> response-wrapping
2016-06-10 13:48:46 -04:00
Jeff Mitchell
e4ce81afa1
Remove unneeded Fields in passthrough
2016-06-09 10:33:24 -04:00
Jeff Mitchell
351f536913
Don't check parsability of a ttl
key on write.
...
On read we already ignore bad values, so we shouldn't be restricting
this on write; doing so alters expected data-in-data-out behavior. In
addition, don't issue a warning if a given `ttl` value can't be parsed,
as this can quickly get annoying if it's on purpose.
The documentation has been updated/clarified to make it clear that this
is optional behavior that doesn't affect the status of the key as POD
and the `lease_duration` returned will otherwise default to the
system/mount defaults.
Fixes #1505
2016-06-08 20:14:36 -04:00
Jeff Mitchell
2b4b6559e3
Merge pull request #1504 from hashicorp/token-store-roles-renewability
...
Add renewable flag to token store roles
2016-06-08 15:56:54 -04:00
Jeff Mitchell
8a1bff7c11
Make out-of-bounds explicit max a cap+warning instead of an error
2016-06-08 15:25:17 -04:00
Jeff Mitchell
cf8f38bd4c
Add renewable flag to token store roles
2016-06-08 15:17:22 -04:00
Jeff Mitchell
65d8973864
Add explicit max TTL capability to token creation API
2016-06-08 14:49:48 -04:00
Jeff Mitchell
c0155ac02b
Add renewable flag and API setting for token creation
2016-06-08 11:14:30 -04:00
Jeff Mitchell
bb1e8ddaa2
Make token renewable status work properly on lookup
2016-06-08 09:19:39 -04:00
Jeff Mitchell
10b218d292
Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this...
2016-06-07 16:01:09 -04:00
Jeff Mitchell
401456ea50
Add creation time to returned wrapped token info
...
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.
This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Jeff Mitchell
f8d70b64a0
Show renewable status for tokens in output
2016-06-01 17:30:31 -04:00
Vishal Nayak
9dd4e5ec5b
Merge pull request #1235 from hashicorp/policies-validation
...
Strip out other policies if root is present
2016-06-01 12:08:22 -04:00
vishalnayak
4fea41f7e5
Use entry.Type as a criteria for upgrade
2016-06-01 10:30:11 -04:00
vishalnayak
875778a2d9
Modify just the type and not the path
2016-05-31 23:19:13 -04:00
vishalnayak
1e4834bd20
Remove addDefault param from ParsePolicies
2016-05-31 13:39:58 -04:00
vishalnayak
49b4c83580
Adding default policies while creating tokens
2016-05-31 13:39:58 -04:00
vishalnayak
55fbfab4fe
Upgrade 'aws' auth table entry to 'aws-ec2'
2016-05-30 18:58:58 -04:00
Jeff Mitchell
8d19b4fb53
Add keyring zeroize function and add some more memzero calls in
...
appropriate places. Known to be best-effort, but may help in some cases.
Fixes #1446
2016-05-27 20:47:40 +00:00
vishalnayak
1d94828e45
Re-enable rollback triggers for auth backends
2016-05-26 14:29:41 -04:00
Vishal Nayak
644ac5f5e8
Merge pull request #1456 from hashicorp/consul-lease-renewal
...
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
Jeff Mitchell
a57996ac08
Add to auth/audit too
2016-05-26 13:38:51 -04:00
Jeff Mitchell
475b0e2d33
Add table/type checking to mounts table.
2016-05-26 12:55:00 -04:00
vishalnayak
c0e745dbfa
s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends
2016-05-26 10:21:03 -04:00
vishalnayak
70b8530962
Fix the consul secret backends renewal revocation problem
2016-05-25 23:24:16 -04:00
Jeff Mitchell
417a56c42b
Disable rollback on auth for now and add workaround for its auth/ adding to entry paths
2016-05-25 17:53:45 -04:00
Jeff Mitchell
05b0e0a866
Enable audit-logging of seal and step-down commands.
...
This pulls the logical request building code into its own function so
that it's accessible from other HTTP handlers, then uses that with some
added logic to the Seal() and StepDown() commands to have meaningful
audit log entries.
2016-05-20 17:03:54 +00:00
Jeff Mitchell
0da8762bd5
Add unwrap command, and change how the response is embedded (as a string, not an object)
2016-05-19 11:25:15 -04:00
Jeff Mitchell
2e6ac4c37a
Remove wrap specs from backend response
2016-05-19 03:06:09 +00:00
Jeff Mitchell
c4431a7e30
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors
2016-05-16 16:11:33 -04:00
Jeff Mitchell
4c67a739b9
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-16 12:14:40 -04:00
Jeff Mitchell
60975bf76e
Revert "Remove a few assumptions regarding bash(1) being located in /bin."
2016-05-15 15:22:21 -04:00
Sean Chittenden
f91114fef5
Remove a few assumptions regarding bash(1) being located in /bin.
...
Use sh(1) where appropriate.
2016-05-15 11:41:14 -07:00
Sean Chittenden
792950e16c
Merge pull request #1417 from hashicorp/b-pki-expire-ttl-unset
...
Set entry's TTL before writing out the storage entry's config
2016-05-15 10:02:03 -07:00
Sean Chittenden
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
Sean Chittenden
af4e2feda7
When testing, increase the time we wait for the stepdown to occur.
...
2s -> 5s, no functional change.
2016-05-15 07:30:40 -07:00
Vishal Nayak
53fc941761
Merge pull request #1300 from hashicorp/aws-auth-backend
...
AWS EC2 instances authentication backend
2016-05-14 19:42:03 -04:00
Jeff Mitchell
560e9c30a3
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-12 14:59:12 -04:00
Sean Chittenden
99a5213f0b
Merge pull request #1355 from hashicorp/f-vault-service
...
Vault/Consul Service refinement
2016-05-12 11:48:29 -07:00
vishalnayak
af222a945a
Fix mount tune bounds checking
2016-05-12 07:22:00 -04:00
Jeff Mitchell
ce5614bf9b
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-11 19:29:52 -04:00
Jeff Mitchell
6ec1ca05c8
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 18:46:55 -04:00
Jeff Mitchell
aecc3ad824
Add explicit maximum TTLs to token store roles.
2016-05-11 16:51:18 -04:00
vishalnayak
ddcaf26396
Merge branch 'master-oss' into aws-auth-backend
2016-05-10 14:50:00 -04:00
Jeff Mitchell
2295cadbf4
Make WrapInfo a pointer to match secret/auth in response
2016-05-07 19:17:51 -04:00
Jeff Mitchell
c5085bc79f
Merge response fix over from mfatw
2016-05-07 16:41:24 -04:00
Jeff Mitchell
c52d352332
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-07 16:40:04 -04:00
Jeff Mitchell
d77563994c
Merge pull request #1346 from hashicorp/disable-all-caches
...
Disable all caches
2016-05-07 16:33:45 -04:00
Jeff Mitchell
3e71221839
Merge remote-tracking branch 'origin/master' into aws-auth-backend
2016-05-05 10:04:52 -04:00
Jeff Mitchell
885cc73b2e
Merge branch 'master-oss' into f-vault-service
2016-05-04 17:20:00 -04:00
Jeff Mitchell
09f06554cb
Address some review feedback
2016-05-04 16:03:53 -04:00
Jeff Mitchell
99a5b4402d
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-04 14:42:14 -04:00
Jeff Mitchell
1bc2abecd5
Properly persist auth mount tuning
2016-05-03 14:24:04 -04:00
Jeff Mitchell
6f7409bb49
Slightly nicer check for LRU in policy store
2016-05-02 22:36:44 -04:00
Jeff Mitchell
fe1f56de40
Make a non-caching but still locking variant of transit for when caches are disabled
2016-05-02 22:36:44 -04:00
Jeff Mitchell
8572190b64
Plumb disabling caches through the policy store
2016-05-02 22:36:44 -04:00
Jeff Mitchell
1b190c9c62
Don't check if numuses is -1 with a read lock, it shouldn't come in with that from lookup anyways
2016-05-02 15:31:28 -04:00
Jeff Mitchell
324bb9cfac
Use a 256-level mutex map instead of 4096, and optimize the case for tokens that are not limited use
2016-05-02 14:57:17 -04:00
Jeff Mitchell
642163f8b0
Remove MountPoint from internal wrap object, for now at least
2016-05-02 10:29:51 -04:00
Jeff Mitchell
2ebe49d3a1
Change UseToken mechanics.
...
Add locking around UseToken and Lookup. Have UseToken flag an entry that
needs to be revoked so that it can be done at the appropriate time, but
so that Lookup in the interm doesn't return a value.
The locking is a map of 4096 locks keyed off of the first three
characters of the token ID which should provide good distribution.
2016-05-02 03:44:24 -04:00
Jeff Mitchell
1ffd5653c6
Add wrap support to API/CLI
2016-05-02 02:03:23 -04:00
Jeff Mitchell
aba689a877
Add wrapping through core and change to use TTL instead of Duration.
2016-05-02 00:47:35 -04:00
Jeff Mitchell
d81806b446
Add:
...
* Request/Response field extension
* Parsing of header into request object
* Handling of duration/mount point within router
* Tests of router WrapDuration handling
2016-05-02 00:24:32 -04:00
Jeff Mitchell
4182d711c3
Merge branch 'master-oss' into aws-auth-backend
2016-04-29 14:23:16 +00:00
Jeff Mitchell
81da06de05
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 15:15:37 -04:00
Sean Chittenden
5068d68a13
Name the output parameters for Leader
2016-04-28 11:05:18 -07:00
Sean Chittenden
0b72906fc3
Change the interface of ServiceDiscovery
...
Instead of passing state, signal that the state has changed and provide a callback handler that can query Core.
2016-04-28 11:05:18 -07:00
Jeff Mitchell
4a409ebb81
Fix some rekey testing expected seal type logic
2016-04-28 17:13:03 +00:00
Jeff Mitchell
91c41f12d4
minor fix for expected barrier type in rekey test
2016-04-28 16:52:32 +00:00
Jeff Mitchell
1027b51d17
Built tag-ify sealtesting
2016-04-28 00:47:44 +00:00
Jeff Mitchell
0b8e3457d3
Move TestSeal funcs to sealtesting
2016-04-27 20:59:06 +00:00
vishalnayak
9aa8fb6cc1
Support periodic tidy callback and config endpoints.
2016-04-26 10:22:29 -04:00
Sean Chittenden
aeea7628d6
Add a *log.Logger argument to physical.Factory
...
Logging in the backend is a good thing. This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
Sean Chittenden
7fe0b2c6a1
Persistently retry to update service registration
...
If the local Consul agent is not available while attempting to step down from active or up to active, retry once a second. Allow for concurrent changes to the state with a single registration updater. Fix standby initialization.
2016-04-25 18:01:13 -07:00
Sean Chittenden
230b59f34c
Stub out service discovery functionality
...
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
2016-04-25 18:00:54 -07:00
Jeff Mitchell
398ed86d04
Split out TestSeal
2016-04-26 00:14:16 +00:00
Jeff Mitchell
98d09b0dc6
Add seal tests and update generate-root and others to handle dualseal.
2016-04-25 19:39:04 +00:00
Jeff Mitchell
f293b1bb98
Merge pull request #1328 from hashicorp/sethvargo/path-help
...
Add missing path-helps and clarify subpaths in tables
2016-04-25 13:53:06 -04:00
Jeff Mitchell
62058a0ff8
Update tests for change in raw blacklisting
2016-04-19 20:26:26 +00:00
Jeff Mitchell
556039344a
There's no good story around accessing any of core via /sys/raw, so blacklist it all
2016-04-19 16:01:15 +00:00
Jeff Mitchell
b4620d5d04
Add check against seal type to catch errors before we attempt to use the data
2016-04-15 18:16:48 -04:00
Jeff Mitchell
9bc24be343
Move recovery info behind the barrier
2016-04-15 17:04:29 +00:00
Jeff Mitchell
119238149b
Add Finalize method to seal.
2016-04-14 20:37:34 +00:00
Jeff Mitchell
53773f12e3
Register the token entry's path instead of the request path, to handle role suffixes correctly
2016-04-14 08:08:28 -04:00
Jeff Mitchell
ae2d000de4
Make period output nicer -- seconds rather than duration
2016-04-14 06:10:22 -04:00
Jeff Mitchell
a4ff72841e
Check for seal status when initing and change logic order to avoid defer
2016-04-14 01:13:59 +00:00
Seth Vargo
03c09341a4
Add missing path-helps and clarify subpaths in tables
2016-04-13 22:15:54 +01:00
Adam Shannon
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
Jeff Mitchell
1db6808912
Construct token path from request to fix displaying TTLs when using
...
create-orphan.
2016-04-07 15:45:38 +00:00
Jeff Mitchell
f2880561d1
Ensure we only use sysview's max if it's not zero. It never should be, but safety.
2016-04-07 15:27:14 +00:00
Sean Chittenden
09ad6317ea
Merge pull request #1297 from hashicorp/f-bsd-mlock
...
F bsd mlock
2016-04-06 13:57:34 -07:00
vishalnayak
e3a1ee92b5
Utility Enhancements
2016-04-05 20:32:59 -04:00
Sean Chittenden
087e7c94d3
Add Vault support for the *BSDs, including Darwin
...
The `syscall` package has been frozen in favor of `x/sys`. As a result, all of the BSDs are supported and do have `mlockall(2)` support in current versions of Go.
2016-04-05 12:18:19 -07:00
Jeff Mitchell
afae46feb7
SealInterface
2016-04-04 10:44:22 -04:00
Jeff Mitchell
7d20380c42
Merge pull request #1280 from hashicorp/remove-ts-revoke-prefix
...
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-04-01 09:48:52 -04:00
Jeff Mitchell
2b2541e13f
Merge pull request #1277 from hashicorp/suprious-revoke-timer-logs
...
Keep the expiration manager from keeping old token entries.
2016-03-31 20:16:31 -04:00
Jeff Mitchell
2fd02b8dca
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 18:04:05 -04:00
Jeff Mitchell
7442867d53
Check for auth/ in the path of the prefix for revoke-prefix in the token
...
store.
2016-03-31 16:21:56 -04:00
Jeff Mitchell
75650ec1ad
Keep the expiration manager from keeping old token entries.
...
The expiration manager would never be poked to remove token entries upon
token revocation, if that revocation was initiated in the token store
itself. It might have been to avoid deadlock, since during revocation of
tokens the expiration manager is called, which then calls back into the
token store, and so on.
This adds a way to skip that last call back into the token store if we
know that we're on the revocation path because we're in the middle of
revoking a token. That way the lease is cleaned up. This both prevents
log entries appearing for already-revoked tokens, and it also releases
timer/memory resources since we're not keeping the leases around.
2016-03-31 15:10:25 -04:00
Jeff Mitchell
ddce1efd0d
Two items:
...
1: Fix path check in core to handle renew paths from the token store
that aren't simply renew/
2: Use token policy logic if token store role policies are empty
2016-03-31 14:52:49 -04:00
vishalnayak
034ffd8af3
Fix capabilities test case
2016-03-18 12:55:18 -04:00
vishalnayak
6831e2a8fd
Sort the capabilities before returning
2016-03-18 12:40:17 -04:00
vishalnayak
a6f6cbd95a
Tests for capabilites in system backend
2016-03-18 11:58:06 -04:00
vishalnayak
d959ffc301
Rename PrepareRequest to PrepareRequestFunc
2016-03-18 10:37:49 -04:00
vishalnayak
fbfe72f286
Removed http/sys_capabilties_test.go
2016-03-18 09:48:45 -04:00
vishalnayak
55f03b5d25
Add separate path for capabilities-self to enable ACL
2016-03-17 22:52:03 -04:00
vishalnayak
68367f60c8
Fix broken testcases
2016-03-17 21:03:32 -04:00
vishalnayak
d348735322
Fix help descriptions
2016-03-17 21:03:32 -04:00
vishalnayak
f275cd2e9c
Fixed capabilities API to receive logical response
2016-03-17 21:03:32 -04:00
vishalnayak
a5d79d587a
Refactoring the capabilities function
2016-03-17 21:03:32 -04:00
vishalnayak
dcb7f00bcc
Move sys/capabilities to logical_system along with business logic from core
2016-03-17 21:03:32 -04:00
vishalnayak
2b712bc778
Move capabilities accessor logic to logical_system
2016-03-17 21:03:32 -04:00
Vishal Nayak
7db7b47fdd
Merge pull request #1210 from hashicorp/audit-id-path
...
Rename id to path and path to file_path, print audit backend paths
2016-03-15 20:13:21 -04:00
Jeff Mitchell
8a5fc6b017
Sort and filter policies going into the create token entry, then use
...
that as the definitive source for the response Auth object.
2016-03-15 14:05:25 -04:00
vishalnayak
3861c88211
Accept params both as part of URL or as part of http body
2016-03-14 19:14:36 -04:00
vishalnayak
85a888d588
Enable token to be supplied in the body for lookup call
2016-03-14 18:56:00 -04:00
vishalnayak
dd94e8e689
Fix broken test case
2016-03-14 18:44:13 -04:00
vishalnayak
71fc07833f
Rename id to path and path to file_path, print audit backend paths
2016-03-14 17:15:07 -04:00
Jeff Mitchell
04eb6e79f0
Merge pull request #1200 from hashicorp/sethvargo/hcl_errors
...
Show HCL parsing errors and typos
2016-03-10 22:31:55 -05:00
Jeff Mitchell
90dd55b1e6
Sort policies before returning/storing, like we do in handleCreateCommon
2016-03-10 22:31:26 -05:00
vishalnayak
8094077cd3
Fix broken test case
2016-03-10 20:06:22 -05:00
vishalnayak
378db2bc3c
Add default policy to response auth object
2016-03-10 19:55:38 -05:00
Seth Vargo
f6adea85ce
Preserve pointer
2016-03-10 15:55:47 -05:00
Seth Vargo
ad7049eed1
Parse policy HCL syntax and keys
2016-03-10 15:25:25 -05:00
Jeff Mitchell
cba947b049
Fix path help description for rekey_backup
2016-03-09 21:04:54 -05:00
Jeff Mitchell
fa2ba47a5c
Merge branch 'master' into token-roles
2016-03-09 17:23:34 -05:00
Jeff Mitchell
d4371d1393
Add accessor to returned auth
2016-03-09 17:15:42 -05:00
Jeff Mitchell
6df72e6efd
Merge pull request #1168 from hashicorp/revoke-force
...
Add forced revocation.
2016-03-09 16:59:52 -05:00
Jeff Mitchell
d171931e59
Add unit test for forced revocation
2016-03-09 16:47:58 -05:00
vishalnayak
0c4d5960a9
In-URL accessor for auth/token/lookup-accessor endpoint
2016-03-09 14:54:52 -05:00
vishalnayak
2528ffbc18
Restore old regex expressions for token endpoints
2016-03-09 14:08:52 -05:00
vishalnayak
f478cc57e0
fix all the broken tests
2016-03-09 13:45:36 -05:00
vishalnayak
007142262f
Provide accessor to revove-accessor in the URL itself
2016-03-09 13:08:37 -05:00
vishalnayak
3b302817e5
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 12:50:26 -05:00
Jeff Mitchell
2ecdde1781
Address final feedback
2016-03-09 11:59:54 -05:00
vishalnayak
c4a2c5b56e
Added tests for 'sys/capabilities-accessor' endpoint
2016-03-09 11:29:09 -05:00
Jeff Mitchell
4785bec59d
Address review feedback
2016-03-09 11:07:13 -05:00
Jeff Mitchell
2e07f45bfa
Use role's allowed policies if none are given
2016-03-09 10:42:04 -05:00
vishalnayak
926e7513d7
Added docs for /sys/capabilities-accessor
2016-03-09 09:48:32 -05:00
vishalnayak
7407c27778
Add docs for new token endpoints
2016-03-09 09:31:09 -05:00
vishalnayak
6a992272cd
New prefix for accessor indexes
2016-03-09 09:09:09 -05:00
vishalnayak
151c932875
AccessorID --> Accessor, accessor_id --> accessor
2016-03-09 06:23:31 -05:00
vishalnayak
913bbe7693
Error text corrections and minor refactoring
2016-03-08 22:27:24 -05:00
vishalnayak
62777c9f7e
ErrUserInput --> StatusBadRequest
2016-03-08 21:47:24 -05:00
vishalnayak
8117996378
Implemented /sys/capabilities-accessor and a way for setting HTTP error code in all the responses
2016-03-08 19:14:29 -05:00
vishalnayak
2737c81b39
Lay the foundation for returning proper HTTP status codes
2016-03-08 18:27:03 -05:00
vishalnayak
8c6afea1d0
Implemented /auth/token/revoke-accessor in token_store
2016-03-08 18:07:27 -05:00
vishalnayak
a7adab25bc
Implemented lookup-accessor as a token_store endpoint
2016-03-08 17:38:19 -05:00
vishalnayak
f19ee68fdb
placeholders for revoke-accessor and lookup-accessor
2016-03-08 15:13:29 -05:00
vishalnayak
a7c97fcd18
Clear the accessor index during revocation
2016-03-08 14:06:10 -05:00
vishalnayak
c0fb69a8b1
Create indexing from Accessor ID to Token ID
2016-03-08 14:06:10 -05:00
vishalnayak
301776012f
Introduced AccessorID in TokenEntry and returning it along with token
2016-03-08 14:06:10 -05:00
Vishal Nayak
be1163c64a
Merge pull request #1171 from hashicorp/capabilities-endpoint
...
Capabilities endpoint
2016-03-08 13:12:09 -05:00
Jeff Mitchell
419598ede2
Warn on error when in force revoke mode
2016-03-08 11:05:46 -05:00
vishalnayak
08c40c9bba
Introduced ErrUserInput to distinguish user error from server error
2016-03-07 22:16:09 -05:00
vishalnayak
3b463c2d4e
use errwrap to check the type of error message, fix typos
2016-03-07 18:36:26 -05:00
Jeff Mitchell
6b0f79f499
Address review feedback
2016-03-07 10:07:04 -05:00
Jeff Mitchell
cc1f5207b3
Merge branch 'master' into token-roles
2016-03-07 10:03:54 -05:00