5ee0d696d4
Merge remote-tracking branch 'oss/master' into database-refactor
2017-05-04 10:45:18 -07:00
b568ea751b
Move client token check in exp register to top
2017-05-04 12:45:57 -04:00
abd63096f8
Update comments
2017-05-04 12:44:31 -04:00
1a02f9be11
Fix up the tests
2017-05-04 12:41:15 -04:00
5683430cb7
Update Tidy function comment
2017-05-04 12:11:00 -04:00
d74b1b284a
Update commenting
2017-05-04 11:54:57 -04:00
9a91700263
Move tidy-leases to leases/tidy
2017-05-04 09:40:11 -04:00
f8295a301d
Merge branch 'master-oss' into sys-tidy-leases
2017-05-04 09:37:52 -04:00
3d9cf89ad6
Add the ability to view and list of leases metadata ( #2650 )
2017-05-03 22:03:42 -04:00
7250b3d01e
Fix comment typo
2017-05-03 20:25:55 -04:00
b7128f53a8
Add sys/leases/lookup and sys/leases/renew to the default policy
2017-05-03 20:22:16 -04:00
7f3891c734
Fix substitution of index/child in delete call
2017-05-03 15:09:13 -04:00
99884a8f13
Merge remote-tracking branch 'oss/master' into sys-tidy-leases
2017-05-03 15:02:42 -04:00
3b95e751c0
Add more cleanup if a lease fails to register and revoke tokens if registerauth fails
2017-05-03 14:29:57 -04:00
bb6b5f7aa6
Add taint flag for looking up by accessor
2017-05-03 13:08:50 -04:00
a1a0c2950f
logging updates
2017-05-03 12:58:10 -04:00
6aa7f9b7c9
Added logs when deletion fails so we can rely on server logs
2017-05-03 12:47:05 -04:00
bc5d5b7319
consistent logging
2017-05-03 12:45:22 -04:00
596ad2c8f7
Adhere to tainted status in salted accessor lookup
2017-05-03 12:36:10 -04:00
5f18b1605a
Two things:
...
1) Ensure that if we fail to generate a lease for a secret we attempt to revoke it
2) Ensure that any lease that is registered should never have a blank token
In theory, number 2 will let us a) find places where this *is* the case, and b) if errors are encountered when revoking tokens due to a blank client token, it suggests that the client token values are being stripped somewhere along the way, which is also instructive.
2017-05-03 12:17:09 -04:00
0553f7a8d1
change some logging output
2017-05-03 12:14:58 -04:00
c9bd54ad65
Less scary debugging
2017-05-03 11:15:59 -04:00
dd898ed2e1
Added summary logs to help better understand the consequence
2017-05-03 10:54:07 -04:00
9f682eb9cd
Test to check that leases with valid tokens are not being cleaned up
2017-05-02 18:12:03 -04:00
850cda7861
Added test to check the atomicity of the lease tidy operation
2017-05-02 18:06:59 -04:00
875658531b
Do not duplicate log lines for invalid leases
2017-05-02 17:56:15 -04:00
f644c34c5b
Remove unused TestCoreUnsealedWithListener function
2017-05-02 14:52:48 -07:00
5e0c03415b
Don't need to explictly set redirectAddrs
2017-05-02 14:44:14 -07:00
29d9b831d3
Update the api for serving plugins and provide a utility to pass TLS data for commuinicating with the vault process
2017-05-02 14:40:11 -07:00
403fd62c61
Check if multiple leases with same invalid token is getting cleaned up
2017-05-02 17:15:26 -04:00
5f70576715
Added steps to check if invalid token is properly cleaned up
2017-05-02 17:11:35 -04:00
668595b902
Added a test for tidying of empty token
2017-05-02 16:54:03 -04:00
68635e8a1c
Skip checking the validity of an empty client token
2017-05-02 16:53:41 -04:00
537342f038
Fixing printf (and similar) issues ( #2666 )
2017-05-01 23:34:10 -04:00
72d05cd8dd
Refactor locking code in lease tidy; add ending debug statements
2017-04-27 16:22:19 -04:00
d8e91ef616
refactor lock handling in token tidy function
2017-04-27 13:48:29 -04:00
f9c1426ac8
Use an atomic lock for tidy operation in token store
2017-04-27 11:41:33 -04:00
ac8aae36fe
Distinguish valid and invalid tokens using bool value in cache
2017-04-27 11:31:42 -04:00
58967c0bbd
Merge branch 'oss' into sys-tidy-leases
2017-04-27 11:23:48 -04:00
749ec4fab1
Some more logging updates
2017-04-27 11:20:55 -04:00
e64ba93d54
Cache only valid tokens
2017-04-27 11:08:11 -04:00
d256248095
Fix logging suggestions; put the policyStore nil check back in
2017-04-27 10:56:19 -04:00
1a60fede58
Updating revoke/renew to prefer PUT method ( #2646 )
2017-04-27 10:47:43 -04:00
50c0d520e1
Fix revoke tree test
2017-04-26 16:26:48 -07:00
3fd019574d
Fix logging levels
2017-04-26 17:29:04 -04:00
7c3e20e9c5
Fix the log statements
2017-04-26 17:17:19 -04:00
671353810b
Added caching of looked up tokens
2017-04-26 16:54:48 -04:00
9025ef16e4
Added logger to token store and logs to tidy function
2017-04-26 16:11:23 -04:00
27dd95156d
Revoke lease that has empty token; added logs
2017-04-26 15:48:28 -04:00
b939d049e4
Added atomic lock to ensure a single tidy operation is in progress
2017-04-26 15:07:58 -04:00
5909d81b7b
Merge branch 'oss' into clean-stale-leases
2017-04-26 15:07:27 -04:00
4a4c981fb2
Update error message to distinguish tree revocation issue from non-tree
2017-04-26 14:06:45 -04:00
b52b410a47
Update test to reflect the correct read response
2017-04-24 21:24:19 -07:00
e4e61ec18c
return a 404 when no plugin is found
2017-04-24 18:31:27 -07:00
cb1f1d418c
Only run Abs on the plugin directory if it's set
2017-04-24 16:20:20 -07:00
039bc19dd8
Fix test
2017-04-24 13:48:46 -07:00
5ff317eb8d
Update root paths test
2017-04-24 12:47:40 -07:00
ce9688ce8c
Change MlockDisabled to MlockEnabled
2017-04-24 12:21:49 -07:00
e06a78a474
Create unified aws auth backend ( #2441 )
...
* Rename builtin/credential/aws-ec2 to aws
The aws-ec2 authentication backend is being expanded and will become the
generic aws backend. This is a small rename commit to keep the commit
history clean.
* Expand aws-ec2 backend to more generic aws
This adds the ability to authenticate arbitrary AWS IAM principals using
AWS's sts:GetCallerIdentity method. The AWS-EC2 auth backend is being to
just AWS with the expansion.
* Add missing aws auth handler to CLI
This was omitted from the previous commit
* aws auth backend general variable name cleanup
Also fixed a bug where allowed auth types weren't being checked upon
login, and added tests for it.
* Update docs for the aws auth backend
* Refactor aws bind validation
* Fix env var override in aws backend test
Intent is to override the AWS environment variables with the TEST_*
versions if they are set, but the reverse was happening.
* Update docs on use of IAM authentication profile
AWS now allows you to change the instance profile of a running instance,
so the use case of "a long-lived instance that's not in an instance
profile" no longer means you have to use the the EC2 auth method. You
can now just change the instance profile on the fly.
* Fix typo in aws auth cli help
* Respond to PR feedback
* More PR feedback
* Respond to additional PR feedback
* Address more feedback on aws auth PR
* Make aws auth_type immutable per role
* Address more aws auth PR feedback
* Address more iam auth PR feedback
* Rename aws-ec2.html.md to aws.html.md
Per PR feedback, to go along with new backend name.
* Add MountType to logical.Request
* Make default aws auth_type dependent upon MountType
When MountType is aws-ec2, default to ec2 auth_type for backwards
compatibility with legacy roles. Otherwise, default to iam.
* Pass MountPoint and MountType back up to the core
Previously the request router reset the MountPoint and MountType back to
the empty string before returning to the core. This ensures they get set
back to the correct values.
2017-04-24 15:15:50 -04:00
657d433330
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object
2017-04-24 12:15:01 -07:00
c4e2ad74c5
Update path for the plugin catalog in logical system
2017-04-24 11:35:32 -07:00
6c8239ba03
Update the builtin keys; move catalog to core; protect against unset plugin directory
2017-04-24 10:30:33 -07:00
3ba162fea1
List should use a trailing slash
2017-04-21 15:37:43 -04:00
4d0aac963d
Fix tests
2017-04-21 10:24:34 -07:00
30b06b593c
Fix tests
2017-04-21 09:10:26 -07:00
6f9d178370
Calls to builtin plugins now go directly to the implementation instead of go-plugin
2017-04-20 18:46:41 -07:00
af9ff63e9a
Merge remote-tracking branch 'oss/master' into database-refactor
2017-04-19 15:16:00 -07:00
847c86f788
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
8ccf10641b
Merge branch 'master' into database-refactor
2017-04-12 14:29:10 -07:00
3cd5dd1839
Fix RootPaths test
2017-04-12 14:22:52 -07:00
433004f75e
Add test for logical_system plugin-catalog handling
2017-04-12 10:39:18 -07:00
c3724c6f17
Add path help and comments for plugin-catalog
2017-04-12 10:01:36 -07:00
faaeb09065
Add remaining crud functions to plugin catalog and tests
2017-04-12 09:40:54 -07:00
8071aed758
Mlock the plugin process
2017-04-10 17:12:52 -07:00
db91a80540
Update plugin test
2017-04-10 14:12:28 -07:00
93136ea51e
Add backend test
2017-04-07 15:50:03 -07:00
ca2c3d0c53
Refactor to use builtin plugins from an external repo
2017-04-05 16:20:31 -07:00
b071144c67
move builtin plugins list to the pluginutil
2017-04-05 11:00:13 -07:00
11abcd52e6
Add a cli command to run builtin plugins
2017-04-04 17:12:02 -07:00
0034074691
Execute builtin plugins
2017-04-04 14:43:39 -07:00
709389dd36
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
...
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
e8781b6a2b
Plugin catalog
2017-04-03 17:52:29 -07:00
29ae4602dc
More work on getting tests to pass
2017-03-23 15:54:15 -07:00
eb6117cbb2
Work on TLS communication over plugins
2017-03-15 17:14:48 -07:00
5a6193a56e
Audit: Add token's use count to audit response ( #2437 )
...
* audit: Added token_num_uses to audit response
* Fixed jsonx tests
* Revert logical auth to NumUses instead of TokenNumUses
* s/TokenNumUses/NumUses
* Audit: Add num uses to audit requests as well
* Added RemainingUses to distinguish NumUses in audit requests
2017-03-08 17:36:50 -05:00
f03d500808
Add option to disable caching per-backend. ( #2455 )
2017-03-08 09:20:09 -05:00
f54ff0f842
Add locking where possible while doing auth/token/tidy
2017-03-07 16:06:05 -05:00
3522b67e14
Added sys/tidy-leases endpoint
2017-03-07 15:50:17 -05:00
3d162b63cc
Use locks in a slice rather than a map, which is faster and makes things cleaner ( #2446 )
2017-03-07 11:21:32 -05:00
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
8462d945d3
Add some nil checks to mounting
2017-03-04 16:43:18 -05:00
e7f418c903
Fix poison pill location
2017-03-04 10:21:27 -05:00
e62f5dbc31
Allowed/Denied parameters support for globs ( #2438 )
...
* Add check for globbed strings
* Add tests for the acl globbing
* Fix bad test case
2017-03-03 14:50:55 -08:00
25428971c8
Add poison pill
2017-03-03 15:05:25 -05:00
491a56fe9f
AppRole: Support restricted use tokens ( #2435 )
...
* approle: added token_num_uses to the role
* approle: added RUD tests for token_num_uses on role
* approle: doc: added token_num_uses
2017-03-03 09:31:20 -05:00
a585f709d3
Understand local when persisting mount tables, to avoid invalidations when not necessary ( #2427 )
2017-03-02 14:37:59 -05:00
bb05f2d8f8
Fix double-lock
2017-03-02 10:54:31 -05:00
31cddc43e1
Use own mutex for updating cluster parameters and fix leader UUID bug
2017-03-02 10:50:54 -05:00
beb3067787
Add some trace level information about new cluster status
2017-03-02 10:21:35 -05:00
36c84df326
Large update to request forwarding handling. ( #2426 )
2017-03-02 10:03:49 -05:00
90389323a2
Some more forwarding client cleanup
2017-03-01 20:59:20 -05:00
b1c2a930fe
Clean up request forwarding logic
2017-03-01 18:17:06 -05:00
259e686d4c
Update TestSeal to ignore setting the config to nil
2017-03-01 14:10:06 -08:00
00cfaf7f64
Rejig signature of last remote wal
2017-03-01 12:42:10 -05:00
6ebb2cc958
Add last remote WAL bits
2017-03-01 12:40:36 -05:00
f2282247ef
Add seal cache purging back into postUnseal
2017-02-28 18:36:28 -05:00
09543dceeb
Rejig core standby logic to check validity of barrier during active transition
2017-02-28 18:17:30 -05:00
7f0a99e8eb
Add max/min wrapping TTL ACL statements ( #2411 )
2017-02-27 14:42:00 -05:00
2cc0906b33
Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 ( #2412 )
2017-02-27 12:49:35 -05:00
8091a10c38
Make rollback attempts trace level instead of debug level
2017-02-27 09:41:56 -05:00
b29861f7bb
Do some porting to make diffing easier
2017-02-24 10:45:29 -05:00
4e045d000c
Create upgrade path for cubbyhole's local status
2017-02-24 10:05:44 -05:00
0e1b1e33be
Add comment around not allowing users to create JWT wrapping tokens
2017-02-22 11:13:40 -05:00
9a9b89f16f
Update confusing comment
2017-02-21 16:06:00 -08:00
dd5b541db6
Added test for the empty values array case
2017-02-21 16:02:00 -08:00
a25132cec4
On merge favor values that have additive privileges
2017-02-21 15:53:27 -08:00
9ec8dd3d17
PR feedback
2017-02-21 15:02:39 -08:00
f992103615
Merge branch 'master' into acl-parameters-permission
2017-02-21 14:46:06 -08:00
496420a5ab
Make cubbyhole local instead of replicated. ( #2397 )
...
This doesn't really change behavior, just what it looks like in the UX.
However, it does make tests more complicated. Most were fixed by adding
a sorting function, which is generally useful anyways.
2017-02-18 13:51:05 -05:00
4a966726e5
Make reindex a root path as well
2017-02-16 23:36:06 -05:00
f3bee3550c
Remove now-unnecessary stanza from default policy
2017-02-16 23:30:38 -05:00
674a0a48bf
Fix rep path fetching method into a function
2017-02-16 23:23:21 -05:00
f37b6492d1
More rep porting ( #2391 )
...
* More rep porting
* Add a bit more porting
2017-02-16 23:09:39 -05:00
1c5264c66c
ToLower parameter strings
2017-02-16 17:50:10 -08:00
494b4c844b
More porting from rep ( #2389 )
...
* More porting from rep
* Address feedback
2017-02-16 20:13:19 -05:00
07799f665d
Simplify the merging of two policies
2017-02-16 16:30:08 -08:00
7229bdfd38
Remove debug code
2017-02-16 16:14:30 -08:00
136730cb01
Update logic to fix a few edge cases:
2017-02-16 15:20:11 -08:00
c81582fea0
More porting from rep ( #2388 )
...
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
0c39b613c8
Port some replication bits to OSS ( #2386 )
2017-02-16 15:15:02 -05:00
0a9a6d3343
Move ReplicationState to consts
2017-02-16 13:37:21 -05:00
13ec9c5dbf
Load leases into the expiration manager in parallel ( #2370 )
...
* Add a benchmark for exiration.Restore
* Add benchmarks for consul Restore functions
* Add a parallel version of expiration.Restore
* remove debug code
* Up the MaxIdleConnsPerHost
* Add tests for etcd
* Return errors and ensure go routines are exited
* Refactor inmem benchmark
* Add s3 bench and refactor a bit
* Few tweaks
* Fix race with waitgroup.Add()
* Fix waitgroup race condition
* Move wait above the info log
* Add helper/consts package to store consts that are needed in cyclic packages
* Remove not used benchmarks
2017-02-16 10:16:06 -08:00
8d880f5181
Remove duplicate test case
2017-02-15 22:38:33 -08:00
f1d5b60b97
s/has/has been/
2017-02-15 22:19:35 -08:00
c80593387c
Remove unnecessary else condition
2017-02-15 22:18:20 -08:00
c9ae260cdf
Merge branch 'acl-parameters-permission' of github.com:hashicorp/vault into acl-parameters-permission
2017-02-15 22:13:28 -08:00
24d8710233
Fix the issue of returning on the first paramater check. Added tests for this case.
2017-02-15 22:13:18 -08:00
978772a47a
Merge branch 'master-oss' into acl-parameters-permission
2017-02-16 00:46:40 -05:00
e60b24431a
Fix audit test and make audited headers more robust in map checks
2017-02-16 00:44:20 -05:00
da9e62bc24
Remove "permissions" from ACL
2017-02-15 21:12:26 -05:00
51f7114648
Merge branch 'master-oss' into acl-parameters-permission
2017-02-15 20:37:58 -05:00
acb7391b12
Compare headers case-insensitively for auditing
...
Fixes #2362
2017-02-15 20:35:35 -05:00
2fd59ad308
Merge branch 'master-oss' into acl-parameters-permission
2017-02-08 01:59:52 -05:00
4b2b28e085
Push test functions to a var for overriding
2017-02-07 20:44:31 -05:00
f1cfb060f6
Remove errant unlock of state lock
2017-02-07 11:08:52 -05:00
ddc977ba52
Add debug ( #2341 )
2017-02-06 18:30:13 -05:00
67f96bc64e
Rejig check for HA/Sealed in Leader to check for sealed first. ( #2342 )
...
Fixes #2334
2017-02-06 18:29:56 -05:00
8ef4bc32dd
Update the help text for auditing headers ( #2330 )
...
* Update the help text for auditing headers
* Update help name
2017-02-03 10:08:31 -08:00
6c02e9357a
Update protos
2017-02-02 16:20:32 -05:00
6701ba8a10
Configure the request headers that are output to the audit log ( #2321 )
...
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited
* Remove some debug lines
* Add a persistant layer and refactor a bit
* update the api endpoints to be more restful
* Add comments and clean up a few functions
* Remove unneeded hash structure functionaility
* Fix existing tests
* Add tests
* Add test for Applying the header config
* Add Benchmark for the ApplyConfig method
* ResetTimer on the benchmark:
* Update the headers comment
* Add test for audit broker
* Use hyphens instead of camel case
* Add size paramater to the allocation of the result map
* Fix the tests for the audit broker
* PR feedback
* update the path and permissions on config/* paths
* Add docs file
* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
47274eca88
Add cleanup functions to multiple DB backends. ( #2313 )
...
Ensure it's called on unmount, not just for seal.
2017-02-01 14:05:25 -05:00
67410ab230
Make TLS 1.2 *explicitly* required for cluster communications
2017-01-31 13:30:25 -05:00
3c0de664a4
Fix keyring test
2017-01-24 12:58:14 -08:00
061bd6012d
Fix keyring copypasta test failure
2017-01-24 14:00:13 -05:00
31ce37188b
Fix keyring tests, working around Go nil timezone bug in DeepEqual
...
See https://github.com/golang/go/issues/10089
2017-01-24 12:33:28 -05:00
2c8d18ad8d
Attempt to fix expiration test again
2017-01-24 11:17:48 -05:00
b0f741d4a1
Add some extra lease debugging to try to figure out Travis timezone issue
2017-01-24 10:48:11 -05:00
d75b5f01ec
Use the same time object in the serialization test
2017-01-24 10:32:40 -05:00
77bc6fa481
Use time.Now rather than using time as a struct
2017-01-24 10:21:41 -05:00
43acbea6a9
Add some newlines to a failing test to make it easier to spot differences
2017-01-23 14:08:29 -05:00
7ec19459a7
Remove extra comments
2017-01-20 11:38:40 -08:00
df800198e0
Remove some extra comments
2017-01-20 11:32:58 -08:00
e1424c631e
Add logic to merge the two arrays and refactor the test around merging
2017-01-20 11:16:46 -08:00
090736d4df
Clean up logic a bit and add some comments
2017-01-19 18:41:15 -08:00
37f393ff94
Remove unneeded comment block
2017-01-19 18:18:06 -08:00
1580296ae5
Update tests to check parsing of types
2017-01-19 18:13:39 -08:00
5ccb3e052b
Add tests for boolean values
2017-01-19 17:41:02 -08:00
68a1780052
Format dynamic_system_view.go
2017-01-19 16:54:08 -08:00
f3870061ee
fix some of the tests and rename allowed/dissallowed paramaters
2017-01-19 16:40:19 -08:00
25b49b8bae
Add test cases for map and integer types
2017-01-18 17:11:25 -08:00
20c65b8300
Fix regression in 0.6.4 where token store roles could not properly wo… ( #2286 )
2017-01-18 16:11:25 -05:00
c9bd2a37f8
Don't sanitize disallowed_policies on token role
2017-01-17 21:34:14 -05:00
be10ef9d42
Use deepequals and write tests for the allow/disallow values
2017-01-17 16:40:21 -08:00
fa7d61baa3
Merge pull request #2202 from fcantournet/fix_govet_fatalf
...
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
69eb5066dd
Multi value test seal ( #2281 )
2017-01-17 15:43:10 -05:00
2052e406d2
Move router mount back below table persistence
2017-01-17 15:15:28 -05:00
8e62acbd59
Sync the locking behavior between logical/auth backend ( #2280 )
2017-01-17 13:02:29 -05:00
dd0e44ca10
Add nonce to unseal to allow seeing if the operation has reset ( #2276 )
2017-01-17 11:47:06 -05:00
1d3cae860b
Start to check the values with allowed/dissallowed lists in policy.
2017-01-16 17:48:22 -08:00
ae116ada25
Merge branch 'master' into acl-parameters-permission
2017-01-13 16:44:10 -08:00
3d47e5ebc7
add initialize method to noopbackend
2017-01-13 13:12:27 -08:00
252e1f1e84
Port over some work to make the system views a bit nicer
2017-01-13 14:51:27 -05:00
d869c0d6a6
Rejig IsPrimary again
2017-01-12 15:59:00 -05:00
ec4f069da4
Fix building some test code without build tags
2017-01-12 15:21:47 -05:00
32f9ccb6c8
Rejig dynamic system view to build without tags
2017-01-12 15:13:47 -05:00
00ffd80fcd
Merge pull request #2236 from hashicorp/pgp-keys-check
...
rekey: added check to ensure that length of PGP keys and the shares are matching
2017-01-12 11:19:08 -05:00
daacf23c38
rekey: remove the check from vault/rekey.go in favor of check in http layer
2017-01-12 00:07:49 -05:00
adb6ac749f
init: pgp-keys input validations
2017-01-11 23:32:38 -05:00
0778a2eba7
core: adding error server logs for failure to update mount table
2017-01-11 20:21:34 -05:00
bf6aa296b3
rekey: added check to ensure that length of PGP keys and the shares are matching
2017-01-11 13:29:10 -05:00
9923c753d0
Set c.standby true in non-HA context. ( #2259 )
...
This value is the key for some checks in core logic. In a non-HA
environment, if the core was sealed it would never be set back to true.
2017-01-11 11:13:09 -05:00
7367158a2a
Merge pull request #2252 from hashicorp/mountentry-clone
...
Adding Tainted to MountEntry.Clone
2017-01-10 10:28:13 -05:00
28c3f4a192
Adding Tainted to MountEntry.Clone
2017-01-10 08:32:33 -05:00
bb32853fcd
Fix up exclusion rules for dynamic system view IsPrimary
2017-01-07 18:31:43 -05:00
9d89aae00c
Fix up invalidations in noopbackend
2017-01-07 18:22:34 -05:00
c37d17ed47
Adding interface methods to logical.Backend for parity ( #2242 )
2017-01-07 18:18:22 -05:00
336dfed5c3
Rename gRPC request forwarding method
2017-01-06 17:08:43 -05:00
681e36c4af
Split Unseal into Unseal and unsealInternal
2017-01-06 16:30:43 -05:00
9e5d1eaac9
Port some updates
2017-01-06 15:42:18 -05:00
64fc18e523
When a JWT wrapping token is returned, audit the inner token both for
...
request and response. This makes it far easier to properly check
validity elsewhere in Vault because we simply replace the request client
token with the inner value.
2017-01-04 23:50:24 -05:00
066038bebd
Fixed return types
2017-01-04 16:58:25 -05:00
0391475c70
Add read locks to LookupToken/ValidateWrappingToken ( #2232 )
2017-01-04 16:52:03 -05:00
3129187dc2
JWT wrapping tokens ( #2172 )
2017-01-04 16:44:03 -05:00
d70fb45fbb
Removed unused methods
2017-01-03 12:51:35 -05:00
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
9f60e9f88d
Add tidy expiration test
2016-12-16 17:04:28 -05:00
bae84e3864
TokenStore: Make the testcase dangle 100 accessors and let it tidy up
2016-12-16 15:41:41 -05:00
ba026aeaa1
TokenStore: Added tidy endpoint ( #2192 )
2016-12-16 15:29:27 -05:00
f6044764c0
Fix revocation of leases when num_uses goes to 0 ( #2190 )
2016-12-16 13:11:55 -05:00
8400b87473
Don't add default policy to child token if parent does not have it ( #2164 )
2016-12-16 00:36:39 -05:00
e3f56f375c
Add 'no-store' response header from all the API outlets ( #2183 )
2016-12-15 17:53:07 -05:00
907e735541
Permissions were changed from a structure to and array of interfaces. Code optimization for acl.go. Fixed bug where multiple parameters would allow if second or following parameters were denied and there was a wildcard in allow.
2016-12-06 18:14:15 -08:00
c27817aba3
Merge branch 'master' of https://github.com/hashicorp/vault
2016-12-06 16:09:32 -08:00
7865143c1d
Minor ports
2016-12-05 12:28:12 -05:00
710e8f2d4c
Change Vault audit broker logic to successfully start when at least one ( #2155 )
...
backend is successfully loaded.
Fixes #2083
2016-12-02 15:09:01 -05:00
90b392c7fc
Fix panic() in test suite ( #2149 )
...
As `base` could be nil, move check in `if base != nil`
2016-12-02 06:31:06 -05:00
49284031c6
Respect logger in TestCluster
2016-12-01 15:25:10 -05:00
3e72e50fa5
Merge remote-tracking branch 'upstream/master'
2016-11-20 18:31:55 -08:00
ee29b329fb
Bump proto files after update
2016-11-17 10:06:26 -05:00
e84a015487
Add extra logic around listener handling. ( #2089 )
2016-11-11 16:43:33 -05:00
6c1d2ffea9
Allow wrapping to be specified by backends, and take the lesser of the request/response times ( #2088 )
2016-11-11 15:12:11 -05:00
168d6e1a3d
Fix other clustering tests on OSX
2016-11-08 10:55:41 -05:00
e381c189e4
Fix cluster testing on OSX; see the inline comment for details
2016-11-08 10:31:35 -05:00
86edada67c
Show the listener address when it's created for the cluster in the log
2016-11-08 10:31:15 -05:00
6f86e664a8
use a const for cluster test pause period
2016-11-08 10:30:44 -05:00
c63d9e9f24
added AllowOperation tests
2016-11-07 12:28:41 -08:00
a847caa4ae
Moved Operations out of test cases variable.
2016-11-07 12:08:17 -08:00
e349d64dbc
Finished merge testing.
2016-11-06 15:16:08 -08:00
42e0ecb0b8
narrowed the problem to: the Permissions struct in the TestPolicyMerge method is not being initialized
2016-11-06 13:38:25 -08:00
2add5dbf3a
Started the testing on merged pathCapabilites
2016-11-01 21:27:33 -07:00
482ed0a659
Add merge testcases
2016-11-01 19:48:00 -07:00
975ac72822
started acl_test updates
2016-10-30 15:09:45 -07:00
b3c805e662
Audit the client token accessors ( #2037 )
2016-10-29 17:01:49 -04:00
b5669d73db
Had to change what a wildcard value in a parameter mapped to, from a nil value to an empty struct
2016-10-28 12:54:37 -07:00
3a0e01a5d7
Added the merging of wildcards to allowed and denied parameters.
2016-10-28 12:33:50 -07:00
0ed2dece6d
Don't panic if postUnseal calls preSeal due to audit table never being set up. Also call cleanup funcs on auth backends. ( #2043 )
2016-10-28 15:32:32 -04:00
bcd0618623
updated testing on a policy to cover parameters in the policy
2016-10-28 10:18:31 -07:00
2ea4caeffb
Update acl and policy tests to use Permissions.
2016-10-21 23:45:39 -07:00
353241e328
Fixing type assertions.
2016-10-21 21:12:02 -07:00
ed982675a1
permissions structure now holds a map of strings to empty structs. Modified acl.go to acommidate these changes
2016-10-21 19:35:55 -07:00
c6b63b5312
Implemented AllowOperation parameter permission checking for request data.
2016-10-21 18:38:05 -07:00
e06aaf20e1
Remove unused WrapListenersForClustering ( #2007 )
2016-10-18 10:20:09 -04:00
c2b512cf46
Changed AllowOperation to take logical.Request
2016-10-16 16:29:52 -07:00
bd7711bebf
Merge allowed and disallowed parameters maps.
2016-10-16 15:24:32 -07:00
93bb52b733
policy now includes whether a certain parameter can be updated
2016-10-15 16:44:57 -07:00
231d3e7758
policy now includes whether a certain parameter can be updated
2016-10-15 16:43:55 -07:00
119dd9653e
Adding permissions to hcl config and decoding it.
2016-10-14 14:24:45 -07:00
bd5235960c
Fixed permission conflicts
2016-10-14 10:33:12 -07:00
d480df7141
Fixed Policy Permissions intergration and spelling.
2016-10-14 10:22:00 -07:00
eb8b8a1def
created structure for permissions and modified parsePaths in policy.go and newAcl/AllowOperation in acl.go
2016-10-14 10:17:25 -07:00
4582f2268c
working on modifying AllowOperation in acl.go
2016-10-10 11:21:25 -07:00
6aa9a1d165
updated policy.go to include an expanded structure to add the ability to track allowed and disallowed params in the PathCapabilities structure. Updating Acl.go to interface with the updated PathCapabilites structure
2016-10-09 15:39:58 -07:00
b5225fd000
Add KeyNotFoundError to seal file
2016-10-05 17:17:33 -04:00
6d00f0c483
Adds HUP support for audit log files to close and reopen. ( #1953 )
...
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.
As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
85315ff188
Rejig where the reload functions live
2016-09-30 00:07:22 -04:00
4a505bfa3e
Update text around cubbyhole/response
2016-09-29 17:44:15 -04:00
5657789627
Audit unwrapped response ( #1950 )
2016-09-29 12:03:47 -07:00
b45a481365
Wrapping enhancements ( #1927 )
2016-09-28 21:01:28 -07:00
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
57b21acabb
Added unit tests for token entry upgrade
2016-09-26 18:17:50 -04:00
af888573be
Handle upgrade of deprecated fields in token entry
2016-09-26 15:47:48 -04:00
f3ab4971a6
Follow Vault convention on `DELETE` being idempotent ( #1903 )
...
* Follow Vault convention on `DELETE` being idempotent with
audit/auth/mounts deletes (a.k.a. disabling/unmounting).
2016-09-19 13:02:25 -04:00
722e26f27a
Add support for PGP encrypting the initial root token. ( #1883 )
2016-09-13 18:42:24 -04:00
fffee5611a
Rejig locks during unmount/remount. ( #1855 )
2016-09-13 11:50:14 -04:00
1c6f2fd82b
Add response wrapping to list operations ( #1814 )
2016-09-02 01:13:14 -04:00
19d64a476a
Apply fix from #1827 to rekey
2016-09-01 17:42:28 -04:00
5bd93b62d4
Return bad request error on providing same key for root generation ( #1833 )
...
Fixes #1827
2016-09-01 17:40:01 -04:00
328de60338
Description consistency
2016-08-29 15:53:11 -04:00
ac38863884
Add back token/accessor URL parameters but return a warning.
...
CC @sethvargo
2016-08-29 15:15:57 -04:00
aec05fdf02
Remove the upgrade code to update the mount table from 'aws' to 'aws-ec2'
2016-08-29 11:53:52 -04:00
7e41d5ab45
Pass headers back when request forwarding ( #1795 )
2016-08-26 17:53:47 -04:00
2ce4397deb
Plumb through the ability to set the storage read cache size. ( #1784 )
...
Plumb through the ability to set the storage read cache size.
Fixes #1772
2016-08-26 10:27:06 -04:00
9fee9ce8ff
Don't allow tokens in paths. ( #1783 )
2016-08-24 15:59:43 -04:00
b89073f7e6
Error when an invalid (as opposed to incorrect) unseal key is given. ( #1782 )
...
Fixes #1777
2016-08-24 14:15:25 -04:00
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
2bb8adcbde
Cleanup and avoid unnecessary advertisement parsing in leader check
2016-08-19 14:49:11 -04:00
b7acf5b5ab
Rename proto service stuff and change log levels for some messages
2016-08-19 11:49:25 -04:00
bdcfe05517
Clustering enhancements ( #1747 )
2016-08-19 11:03:53 -04:00
87c42a796b
s/advertisement/redirect
2016-08-19 10:52:14 -04:00
01702415c2
Ensure we don't use a token entry period of 0 in role comparisons.
...
When we added support for generating periodic tokens for root/sudo in
auth/token/create we used the token entry's period value to store the
shortest period found to eventually populate the TTL. The problem was
that we then assumed later that this value would be populated for
periodic tokens, when it wouldn't have been in the upgrade case.
Instead, use a temp var to store the proper value to use; populate
te.Period only if actually given; and check that it's not zero before
comparing against role value during renew.
2016-08-16 16:47:46 -04:00
c1aa89363a
Make time logic a bit clearer
2016-08-16 16:29:07 -04:00
02d9702fbd
Add local into handler path for forwarded requests
2016-08-16 11:46:37 -04:00
62c69f8e19
Provide base64 keys in addition to hex encoded. ( #1734 )
...
* Provide base64 keys in addition to hex encoded.
Accept these at unseal/rekey time.
Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
37320f8798
Request forwarding ( #1721 )
...
Add request forwarding.
2016-08-15 09:42:42 -04:00
40ece8fd7c
Add another test and fix some output
2016-08-14 07:17:14 -04:00
b6ef112382
Minor wording change
2016-08-13 15:45:13 -04:00
cdea4b3445
Add some tests and fix some bugs
2016-08-13 14:03:22 -04:00
de60702d76
Don't check the role period again as we've checked it earlier and it may be greater than the te Period
2016-08-13 13:21:56 -04:00
bcb4ab5422
Add periodic support for root/sudo tokens to auth/token/create
2016-08-12 21:14:12 -04:00
c1a46349fa
Change to keybase openpgp fork as it has important fixes
2016-08-11 08:31:43 -04:00
3895ea4c2b
Address review feedback from @jefferai
2016-08-10 15:22:12 -04:00
95f9c62523
Fix Cluster object being returned as nil when unsealed
2016-08-10 15:09:16 -04:00
0f40fba40d
Don't allow a root token that expires to create one that doesn't
2016-08-09 20:32:40 -04:00
b5d55a9f47
Fix broken mount_test
2016-08-09 12:06:59 -04:00
4246ab1220
Change local cluster info path
2016-08-09 11:28:42 -04:00
c27a52069c
Merge pull request #1693 from hashicorp/mount-table-compress
...
Added utilities to compress the JSON encoded string.
2016-08-09 11:23:14 -04:00
cc10fd7a7e
Use config file cluster name after automatic gen
2016-08-09 11:03:50 -04:00
b43cc03f0e
Address review feedback from @jefferai
2016-08-09 10:47:55 -04:00
94c9fc3b49
Minor test fix
2016-08-09 07:13:29 -04:00
78d57520fb
Refactoring and test fixes
2016-08-09 03:43:03 -04:00
5866cee5b4
Added utilities to compress the data
2016-08-09 00:50:19 -04:00
d2124486ef
Merge pull request #1702 from hashicorp/renew-post-body
...
Add ability to specify renew lease ID in POST body.
2016-08-08 20:01:25 -04:00
c86fd0353c
urllease_id -> url_lease_id
2016-08-08 18:34:00 -04:00
065da5fd69
Migrate default policy to a const
2016-08-08 18:33:31 -04:00
5a48611a62
Add test for both paths in backend
2016-08-08 18:32:18 -04:00
56b7f595aa
Fix parsing optional URL param
2016-08-08 18:08:25 -04:00
ab71b981ad
Add ability to specify renew lease ID in POST body.
2016-08-08 18:00:44 -04:00
13b7d37a0b
Remove change to naming return values
2016-08-08 17:56:14 -04:00
a583f8a3f8
Use policyutil sanitizing
2016-08-08 17:42:25 -04:00
4f0310ed96
Don't allow root from authentication backends either.
...
We've disabled this in the token store, but it makes no sense to have
that disabled but have it enabled elsewhere. It's the same issue across
all, so simply remove the ability altogether.
2016-08-08 17:32:37 -04:00
796c93a8b0
Add sys/renew to default policy
2016-08-08 17:32:30 -04:00
d7f6218869
Move checking non-assignable policies above the actual token creation
2016-08-08 16:44:29 -04:00
da615642f5
Merge pull request #1687 from hashicorp/token-store-update
...
Minor update to token-store
2016-08-08 10:25:05 -04:00
ac62b18d56
Make `capabilities-self` part of the default policy.
...
Fixes #1695
2016-08-08 10:00:01 -04:00
e783bfe7e1
Minor changes to test cases
2016-08-05 20:22:07 -04:00
5ddd1c7223
Fix broken test case
2016-08-05 20:07:18 -04:00
02911c0e01
full updates based on feedback
2016-08-05 18:57:35 -04:00
52623a2395
test updates based on feedback
2016-08-05 18:56:22 -04:00
405eb0075a
fix an error, tests still broken
2016-08-05 17:58:48 -04:00
82b3d136e6
Don't mark never-expiring root tokens as renewable
2016-08-05 11:15:25 -04:00
68d351c70c
addresses feedback, but tests broken
2016-08-05 10:04:02 -04:00
4b2b5363d4
Switch some errors that ought to be 500 to 500
2016-08-04 09:11:24 -04:00
c626277632
initial commit for minor update to token-store
2016-08-03 14:32:17 -04:00
a7ed50dbc8
coreClusterPath -> coreLocalClusterPath
2016-08-03 09:50:21 -04:00
0b2098de2f
Merge pull request #1681 from hashicorp/disallowed-policies
...
Support disallowed_policies in token roles
2016-08-02 17:32:53 -04:00
e7cb3fd990
Addressed review feedback
2016-08-02 16:53:06 -04:00
4f45910dfc
disallowed_policies doc update
2016-08-02 16:33:22 -04:00
9947b33498
Added tests for disallowed_policies
2016-08-02 15:21:15 -04:00
31b36fe2c2
Use duration helper to allow not specifying duration units
2016-08-02 15:12:45 -04:00
a936914101
Address review feedback and fix existing tests
2016-08-02 14:10:20 -04:00
a0c711d0cf
Added disallowed_policies to token roles
2016-08-02 10:33:50 -04:00
357f2d972f
Add some extra safety checking in accessor listing and update website
...
docs.
2016-08-01 13:12:06 -04:00
6546005487
Fix typo
2016-07-29 23:24:04 -04:00
e606aab6e0
oops, fix createAccessor
2016-07-29 18:23:55 -04:00
23ab63c78e
Add accessor list function to token store
2016-07-29 18:20:38 -04:00
cff7aada7a
Fix invalid input getting marked as internal error
2016-07-28 16:23:11 -04:00
4d9c909ae4
Merge pull request #1650 from hashicorp/request-uuid
...
Added unique identifier to each request. Closes hashicorp/vault#1617
2016-07-27 09:40:48 -04:00
c17534d527
Fix request_id test failures
2016-07-26 18:30:13 -04:00
fb1b032040
fixing id in buildLogicalRequest
2016-07-26 15:50:37 -04:00
c7bcaa5bb6
Merge pull request #1655 from hashicorp/cluster-id
...
Vault cluster name and ID
2016-07-26 14:12:48 -04:00
669bbdfa48
Address review feedback from @jefferai
2016-07-26 14:05:27 -04:00
ad66bd7502
fixes based proper interpretation of comments
2016-07-26 12:20:27 -04:00
a3e6400697
Remove global name/id. Make only cluster name configurable.
2016-07-26 10:01:35 -04:00
a6907769b0
AppRole authentication backend
2016-07-26 09:32:41 -04:00
09d362d973
As it is
2016-07-26 09:18:38 -04:00
c7dabe4def
Storing local and global cluster name/id to storage and returning them in health status
2016-07-26 02:32:42 -04:00
06b1835469
Merge pull request #1649 from hashicorp/internal-policy-block
...
Closes hashicorp/vault#1618
2016-07-25 17:41:48 -04:00
ae8a90be30
adding ids
2016-07-25 16:54:43 -04:00
e26487ced5
Add test for non-assignable policies
2016-07-25 16:00:18 -04:00
8d52a96df5
moving id to http/logical
2016-07-25 15:24:10 -04:00
d2cbe48aaf
Use RFC3339Nano for better precision
2016-07-25 14:11:57 -04:00
eb75afe54d
minor edit for error statement
2016-07-25 13:29:57 -04:00
9ef3d90349
still fixing git mistake
2016-07-25 10:11:51 -04:00
cc668b5c48
Fixing git mistake
2016-07-25 09:57:47 -04:00
7e29cf1cae
edits based on comments in PR
2016-07-25 09:46:10 -04:00
395f052870
minor error correction
2016-07-24 22:35:54 -04:00
9ea1c8b801
initial commit for nonAssignablePolicies
2016-07-24 22:27:41 -04:00
4945198334
reverting branch mistake
2016-07-24 21:56:52 -04:00
483e796177
website update for request uuuid
2016-07-24 21:23:12 -04:00
c63cdc23a1
Merge branch 'master' of https://github.com/hashicorp/vault into request-uuid
2016-07-23 21:47:08 -04:00
e5737b6789
initial local commit
2016-07-23 21:46:28 -04:00
4ab60f36a3
Rename err var to be more clear
2016-07-22 16:57:47 -04:00
331f229858
Added a cap of 256 for CreateLocks utility
2016-07-20 04:48:35 -04:00
50e8a189e9
Added helper to create locks
2016-07-19 21:37:28 -04:00
80a688c059
Ensure mount/auth tables are not nil when triggering rollback
...
During setup or teardown there could be a race condition so check for it
to avoid a potential panic.
2016-07-18 22:02:39 -04:00
df621911d7
Merge pull request #1624 from hashicorp/dynamodb-ha-off-default
...
Turn off DynamoDB HA by default.
2016-07-18 13:54:26 -04:00
028d024345
Add metrics around leadership
...
This can be helpful for detecting flapping.
Fixes #1544
2016-07-18 13:38:44 -04:00
a3ce0dcb0c
Turn off DynamoDB HA by default.
...
The semantics are wonky and have caused issues from people not reading
docs. It can be enabled but by default is off.
2016-07-18 13:19:58 -04:00
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
9f1e6c7b26
Merge pull request #1607 from hashicorp/standardize-time
...
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
5b210b2a1f
Return a duration instead and port a few other places to use it
2016-07-11 18:19:35 +00:00
ab6c2bc5e8
Factor out parsing duration second type and use it for parsing tune values too
2016-07-11 17:53:39 +00:00
fcb0b580ab
Fix broken build
2016-07-08 23:16:58 -04:00
55a667b8cd
Fix broken build
2016-07-08 20:30:27 -04:00
dc690d6233
Place error check before the response check in expiration test
2016-07-08 19:01:36 -04:00
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
c7d72fea90
Do some extra checking in the modified renewal check
2016-07-08 10:34:49 -04:00
7023eafc67
Make the API client retry on 5xx errors.
...
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.
Fix tests.
2016-07-06 16:50:23 -04:00
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
88c7292023
Fix broken test
2016-07-05 12:54:27 -04:00
8ce13b3f68
Add non-wrapped step
2016-07-05 12:11:40 -04:00
b6ca7e9423
Add response wrapping support to login endpoints.
...
Fixes #1587
2016-07-05 11:46:21 -04:00
90c2f5bb55
Fix some more too-tight timing in the token store tests
2016-07-01 11:59:39 -04:00
f3e6e4ee28
Fix timing in explicit max ttl test
2016-07-01 11:37:27 -04:00
09720bbd8e
Fix picking wrong token lock
2016-06-27 11:17:08 -04:00
2933c5ce08
Made default_lease_ttl and max_lease_ttl as int64 and fixed tests
2016-06-20 20:23:49 -04:00
0bdeea3a33
Fix the test cases
2016-06-20 18:56:19 -04:00
848b479a61
Added 'sys/auth/<path>/tune' endpoints.
...
Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods'
2016-06-15 13:58:24 -04:00
368a17e978
Add some commenting
2016-06-14 05:54:09 +00:00
e925987cb6
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
1de6140d5c
Fix mah broken tests
2016-06-10 14:03:56 -04:00
9f6c5bc02a
cubbyhole-response-wrapping -> response-wrapping
2016-06-10 13:48:46 -04:00
e4ce81afa1
Remove unneeded Fields in passthrough
2016-06-09 10:33:24 -04:00
351f536913
Don't check parsability of a `ttl` key on write.
...
On read we already ignore bad values, so we shouldn't be restricting
this on write; doing so alters expected data-in-data-out behavior. In
addition, don't issue a warning if a given `ttl` value can't be parsed,
as this can quickly get annoying if it's on purpose.
The documentation has been updated/clarified to make it clear that this
is optional behavior that doesn't affect the status of the key as POD
and the `lease_duration` returned will otherwise default to the
system/mount defaults.
Fixes #1505
2016-06-08 20:14:36 -04:00
2b4b6559e3
Merge pull request #1504 from hashicorp/token-store-roles-renewability
...
Add renewable flag to token store roles
2016-06-08 15:56:54 -04:00
8a1bff7c11
Make out-of-bounds explicit max a cap+warning instead of an error
2016-06-08 15:25:17 -04:00
cf8f38bd4c
Add renewable flag to token store roles
2016-06-08 15:17:22 -04:00
65d8973864
Add explicit max TTL capability to token creation API
2016-06-08 14:49:48 -04:00
c0155ac02b
Add renewable flag and API setting for token creation
2016-06-08 11:14:30 -04:00
bb1e8ddaa2
Make token renewable status work properly on lookup
2016-06-08 09:19:39 -04:00
10b218d292
Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this...
2016-06-07 16:01:09 -04:00
401456ea50
Add creation time to returned wrapped token info
...
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.
This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
f8d70b64a0
Show renewable status for tokens in output
2016-06-01 17:30:31 -04:00
9dd4e5ec5b
Merge pull request #1235 from hashicorp/policies-validation
...
Strip out other policies if root is present
2016-06-01 12:08:22 -04:00
4fea41f7e5
Use entry.Type as a criteria for upgrade
2016-06-01 10:30:11 -04:00
875778a2d9
Modify just the type and not the path
2016-05-31 23:19:13 -04:00
1e4834bd20
Remove addDefault param from ParsePolicies
2016-05-31 13:39:58 -04:00
49b4c83580
Adding default policies while creating tokens
2016-05-31 13:39:58 -04:00
55fbfab4fe
Upgrade 'aws' auth table entry to 'aws-ec2'
2016-05-30 18:58:58 -04:00
8d19b4fb53
Add keyring zeroize function and add some more memzero calls in
...
appropriate places. Known to be best-effort, but may help in some cases.
Fixes #1446
2016-05-27 20:47:40 +00:00
1d94828e45
Re-enable rollback triggers for auth backends
2016-05-26 14:29:41 -04:00
644ac5f5e8
Merge pull request #1456 from hashicorp/consul-lease-renewal
...
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
a57996ac08
Add to auth/audit too
2016-05-26 13:38:51 -04:00
475b0e2d33
Add table/type checking to mounts table.
2016-05-26 12:55:00 -04:00
c0e745dbfa
s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends
2016-05-26 10:21:03 -04:00
70b8530962
Fix the consul secret backends renewal revocation problem
2016-05-25 23:24:16 -04:00
417a56c42b
Disable rollback on auth for now and add workaround for its auth/ adding to entry paths
2016-05-25 17:53:45 -04:00
05b0e0a866
Enable audit-logging of seal and step-down commands.
...
This pulls the logical request building code into its own function so
that it's accessible from other HTTP handlers, then uses that with some
added logic to the Seal() and StepDown() commands to have meaningful
audit log entries.
2016-05-20 17:03:54 +00:00
0da8762bd5
Add unwrap command, and change how the response is embedded (as a string, not an object)
2016-05-19 11:25:15 -04:00
2e6ac4c37a
Remove wrap specs from backend response
2016-05-19 03:06:09 +00:00
c4431a7e30
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors
2016-05-16 16:11:33 -04:00
4c67a739b9
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-16 12:14:40 -04:00
60975bf76e
Revert "Remove a few assumptions regarding bash(1) being located in /bin."
2016-05-15 15:22:21 -04:00
f91114fef5
Remove a few assumptions regarding bash(1) being located in /bin.
...
Use sh(1) where appropriate.
2016-05-15 11:41:14 -07:00
792950e16c
Merge pull request #1417 from hashicorp/b-pki-expire-ttl-unset
...
Set entry's TTL before writing out the storage entry's config
2016-05-15 10:02:03 -07:00
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
af4e2feda7
When testing, increase the time we wait for the stepdown to occur.
...
2s -> 5s, no functional change.
2016-05-15 07:30:40 -07:00
53fc941761
Merge pull request #1300 from hashicorp/aws-auth-backend
...
AWS EC2 instances authentication backend
2016-05-14 19:42:03 -04:00
560e9c30a3
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-12 14:59:12 -04:00
99a5213f0b
Merge pull request #1355 from hashicorp/f-vault-service
...
Vault/Consul Service refinement
2016-05-12 11:48:29 -07:00
af222a945a
Fix mount tune bounds checking
2016-05-12 07:22:00 -04:00
ce5614bf9b
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-11 19:29:52 -04:00
6ec1ca05c8
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 18:46:55 -04:00
aecc3ad824
Add explicit maximum TTLs to token store roles.
2016-05-11 16:51:18 -04:00
ddcaf26396
Merge branch 'master-oss' into aws-auth-backend
2016-05-10 14:50:00 -04:00
2295cadbf4
Make WrapInfo a pointer to match secret/auth in response
2016-05-07 19:17:51 -04:00
c5085bc79f
Merge response fix over from mfatw
2016-05-07 16:41:24 -04:00
c52d352332
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-07 16:40:04 -04:00
d77563994c
Merge pull request #1346 from hashicorp/disable-all-caches
...
Disable all caches
2016-05-07 16:33:45 -04:00
3e71221839
Merge remote-tracking branch 'origin/master' into aws-auth-backend
2016-05-05 10:04:52 -04:00
885cc73b2e
Merge branch 'master-oss' into f-vault-service
2016-05-04 17:20:00 -04:00
09f06554cb
Address some review feedback
2016-05-04 16:03:53 -04:00
99a5b4402d
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-04 14:42:14 -04:00
1bc2abecd5
Properly persist auth mount tuning
2016-05-03 14:24:04 -04:00
6f7409bb49
Slightly nicer check for LRU in policy store
2016-05-02 22:36:44 -04:00
fe1f56de40
Make a non-caching but still locking variant of transit for when caches are disabled
2016-05-02 22:36:44 -04:00
8572190b64
Plumb disabling caches through the policy store
2016-05-02 22:36:44 -04:00
1b190c9c62
Don't check if numuses is -1 with a read lock, it shouldn't come in with that from lookup anyways
2016-05-02 15:31:28 -04:00
324bb9cfac
Use a 256-level mutex map instead of 4096, and optimize the case for tokens that are not limited use
2016-05-02 14:57:17 -04:00
Brian Kassouf