Commit graph

395 commits

Author SHA1 Message Date
Seth Vargo f66d49b79b
Add more secret helpers for getting secret data 2017-10-24 09:30:47 -04:00
Seth Vargo 8910915c86
Add API functions for token helpers 2017-10-24 09:26:44 -04:00
Jeff Mitchell 8e271dcbdc More syncing 2017-10-23 16:52:56 -04:00
Billie Cleek 3033a7beb6 do not panic when Client.Transport is not *http.Transport (#3440) 2017-10-10 08:46:54 -04:00
Jeff Mitchell 3cf4e3e142 Fix panic when setting a client http client with no transport (#3437)
Fixes #3436
2017-10-09 08:49:20 -04:00
Marcus Söderberg 3d00731fda Add http headers to the api client (#3394) 2017-10-06 14:27:58 -04:00
Chris Hoffman 1029ad3b33 Rename "generic" secret backend to "kv" (#3292) 2017-09-15 09:02:29 -04:00
Calvin Leung Huang 6f417d39da Normalize plugin_name option for mount and enable-auth (#3202) 2017-08-31 12:16:59 -04:00
Seth Vargo ae5996a737
Add SignKey endpoint for SSH API client 2017-08-18 12:59:08 -04:00
Jeff Mitchell d2410e3399 gofmt 2017-08-02 19:38:35 -04:00
nrhall-deshaw 888e1e3859 Add SRV record functionality for client side host/port discovery of Vault (#3035)
* added SRV record functionality for client side port discovery of Vault

* Add a check on returned address length
2017-08-02 19:19:06 -04:00
Calvin Leung Huang db9d9e6415 Store original request path in WrapInfo (#3100)
* Store original request path in WrapInfo as CreationPath

* Add wrapping_token_creation_path to CLI output

* Add CreationPath to AuditResponseWrapInfo

* Fix tests

* Add and fix tests, update API docs with new sample responses
2017-08-02 18:28:58 -04:00
Jeff Mitchell cefa70c8a3 Have sys health api always return even in an error case (#3087)
* Have sys health api always return even in an error case, which HTTP API docs say it should

* Use specific return codes to bypass automatic error handling
2017-08-02 10:01:40 -04:00
Jeff Mitchell d0f329e124 Add leader cluster address to status/leader output. (#3061)
* Add leader cluster address to status/leader output. This helps in
identifying a particular node when all share the same redirect address.

Fixes #3042
2017-07-31 18:25:27 -04:00
Jeff Mitchell 1bfc6d4fe7 Add a -dev-three-node option for devs. (#3081) 2017-07-31 11:28:06 -04:00
Chris Hoffman 5cb87e26ef moving client calls to new endpoint (#2867) 2017-07-25 11:58:33 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Gobin Sougrakpam 2ddbc4a939 Adding option to set custom vault client timeout using env variable VAULT_CLIENT_TIMEOUT (#3022) 2017-07-18 09:48:31 -04:00
Seth Vargo c77986d03e
Do not double-convert to seconds 2017-07-11 16:06:50 -07:00
Seth Vargo cfad705ddc Fix typo 2017-07-10 22:26:42 -07:00
Chris Hoffman 8fee1ec31d updating for TestCluster changes 2017-07-10 20:47:03 -07:00
Seth Vargo 725e0e5b73
Fix doc 2017-07-07 17:15:43 -04:00
Seth Vargo 8da29a5a23
Use the core client 2017-07-07 17:14:49 -04:00
Seth Vargo 994cf1db5c
Fix failing test 2017-07-07 17:14:49 -04:00
Seth Vargo 462d30fd38
Buffer doneCh 2017-07-07 17:14:49 -04:00
Seth Vargo d48c51185d
Add configurable buffer size 2017-07-07 17:14:48 -04:00
Seth Vargo 29255fd2eb
Do not block writing to doneCh if stopped 2017-07-07 17:14:48 -04:00
Seth Vargo e22b3d9ec8
Make lock private 2017-07-07 17:14:48 -04:00
Seth Vargo 7f47f06014
Remove init() seed 2017-07-07 17:14:47 -04:00
Seth Vargo 81a24fda29
Fix vet errors 2017-07-07 17:14:47 -04:00
Seth Vargo ae7d6da993
Allow a custom randomizer 2017-07-07 17:14:47 -04:00
Seth Vargo 5f658abc12
Use Fatalf 2017-07-07 17:14:47 -04:00
Seth Vargo 207e1d5dd3
Use a more heurstic function for calculating sleep backoff 2017-07-07 17:14:46 -04:00
Seth Vargo f18b7fd6dc
Seed the random generator 2017-07-07 17:14:46 -04:00
Seth Vargo 10cdc62c62
Move renewer integration tests into separate package 2017-07-07 17:14:46 -04:00
Seth Vargo a09c84ce75
Use a separate package for API integration tests
This removes the cyclic dependency
2017-07-07 17:14:45 -04:00
Seth Vargo d711dfebd1
Send a more useful struct for renewal 2017-07-07 17:14:45 -04:00
Seth Vargo 951421e613
Reorg 2017-07-07 17:14:45 -04:00
Seth Vargo 1ea998e2f5
Use unbuffered channels 2017-07-07 17:14:45 -04:00
Seth Vargo dcdbef1dfb
Use a time.Duration instead of an int for grace 2017-07-07 17:14:44 -04:00
Seth Vargo 62e1f5c498
Use RenewTokenAsSelf instead 2017-07-07 17:14:44 -04:00
Seth Vargo 77ee95cb82
Add secret renewer 2017-07-07 17:14:44 -04:00
Seth Vargo 4069eb21b6
Add test stubs for starting a vault server and pg database 2017-07-07 17:14:43 -04:00
Seth Vargo 506a304ecc
Add API helper for renewing a token as another token 2017-07-07 17:14:42 -04:00
Jeff Mitchell d169918465 Create and persist human-friendly-ish mount accessors (#2918) 2017-06-26 18:14:36 +01:00
Seth Vargo 084064389e Add a convenience function for copying a client (#2887) 2017-06-20 04:08:15 +01:00
Jeff Mitchell 5817a8a5f8 Return error on bad CORS and add Header specification to API request primitive 2017-06-19 18:20:44 -04:00
Aaron Salvo 0303f51b68 Cors headers (#2021) 2017-06-17 00:04:55 -04:00
Chris Hoffman a91763b81f reverting client changes in #2856 (#2866) 2017-06-14 16:39:20 -04:00
Chris Hoffman ec1d943dce moving client calls to new endpoint (#2856) 2017-06-14 10:38:15 -04:00
Vishal Nayak 2d61087b99 api: Don't treat 429 as error (#2850)
* api: Don't treat 429 as error

* Added parenthesis
2017-06-12 18:31:36 -04:00
Kiss György 0be37ca78b Add Health() method to Sys client (#2805) 2017-06-05 11:00:45 -04:00
emily aa40d2cff6 add gofmt checks to Vault and format existing code (#2745) 2017-05-19 08:34:17 -04:00
Lee Avital bf34484d9d Respect the configured address's path in the client (#2588) 2017-04-13 14:06:38 -04:00
pkrolikowski 0fb75d9e89 Pass user/pass for HTTP Basic Authentication in URL parameters (#2469) 2017-03-10 07:19:23 -05:00
Jeff Mitchell f03d500808 Add option to disable caching per-backend. (#2455) 2017-03-08 09:20:09 -05:00
Jeff Mitchell 5ef2b0145b Add ability to set max retries to API 2017-03-01 12:24:08 -05:00
Jordan Abderrachid fa77e7cfa2 api: add EnvVaultToken constant. (#2413) 2017-02-27 18:36:21 -05:00
Jeff Mitchell 2cc0906b33 Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 (#2412) 2017-02-27 12:49:35 -05:00
Jeff Mitchell 4ec5937e2d Move http-using API tests into http package 2017-02-24 14:23:21 -05:00
Jeff Mitchell e0c9bfd926 Add WithOptions methods to audit/auth enabling (#2383) 2017-02-16 11:37:27 -05:00
Jason Felice ec10a9171d ConfigureTLS() sets default HttpClient if nil (#2329) 2017-02-06 17:47:56 -05:00
Jeff Mitchell dd0e44ca10 Add nonce to unseal to allow seeing if the operation has reset (#2276) 2017-01-17 11:47:06 -05:00
Vishal Nayak ad09acb479 Use Vault client's scheme for auto discovery (#2146) 2016-12-02 11:24:57 -05:00
Jeff Mitchell 3397d55722 Better handle nil responses in logical unwrap 2016-12-01 16:38:08 -05:00
Jeff Mitchell 0f5b847748 Fix panic when unwrapping if the server EOFs 2016-11-29 16:50:07 -05:00
Jeff Mitchell 97ca3292a4 Set number of pester retries to zero by default and make seal command… (#2093)
* Set number of pester retries to zero by default and make seal command return 403 if unauthorized instead of 500

* Fix build

* Use 403 instead and update test

* Change another 500 to 403
2016-11-16 14:08:09 -05:00
Jeff Mitchell 12e986c6ec Fix unwrap CLI command when there is no client token set. (#2077) 2016-11-08 11:36:15 -05:00
Jeff Mitchell 22b5bd54e3 change api so if wrapping token is the same as the client token it doesn't set it in the body 2016-10-27 12:15:30 -04:00
Jeff Mitchell 4072ac0eb9 Fix NOT logical bug.
Ping #2014
2016-10-18 09:51:45 -04:00
Jeff Mitchell b45a481365 Wrapping enhancements (#1927) 2016-09-28 21:01:28 -07:00
Jeff Mitchell f0203741ff Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Jeff Mitchell 722e26f27a Add support for PGP encrypting the initial root token. (#1883) 2016-09-13 18:42:24 -04:00
Jeff Mitchell ac5ea8ccc2 Reinstate the token parameter to api.RevokeSelf to avoid breaking compatibility 2016-09-13 11:03:05 -04:00
Jeff Mitchell 1c6f2fd82b Add response wrapping to list operations (#1814) 2016-09-02 01:13:14 -04:00
Evan Gilman d7502e543d Add golang api method for creating orphan tokens (#1834) 2016-09-01 15:39:44 -04:00
Jeff Mitchell 9fee9ce8ff Don't allow tokens in paths. (#1783) 2016-08-24 15:59:43 -04:00
markrzasa a110cd637c allow a TLS server name to be configured for SSH agents (#1720) 2016-08-23 22:06:56 -04:00
Jeff Mitchell 62c69f8e19 Provide base64 keys in addition to hex encoded. (#1734)
* Provide base64 keys in addition to hex encoded.

Accept these at unseal/rekey time.

Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell ba87c6c0d6 Restore compatibility with pre-0.6.1 servers for CLI/Go API calls 2016-08-14 14:52:45 -04:00
Jeff Mitchell bcb4ab5422 Add periodic support for root/sudo tokens to auth/token/create 2016-08-12 21:14:12 -04:00
Jeff Mitchell 9c33224928 Don't retry on redirections. 2016-08-12 15:13:42 -04:00
vishalnayak ff22640015 Use default config and read environment by default while creating client object 2016-08-12 11:37:13 -04:00
Jeff Mitchell 5a1ca832af Merge pull request #1699 from hashicorp/dataonly
Return sys values in top level normal api.Secret
2016-08-09 07:17:02 -04:00
Jeff Mitchell ab71b981ad Add ability to specify renew lease ID in POST body. 2016-08-08 18:00:44 -04:00
Jeff Mitchell 3c2aae215c Fix tests and update mapstructure 2016-08-08 16:00:31 -04:00
Alex Dadgar 4d5de08a46 Merge pull request #1682 from hashicorp/f-refactor-tls-config
Refactor the TLS configuration between meta.Client and the api.Config
2016-08-02 13:35:37 -07:00
Alex Dadgar 92ede0db17 Address comments 2016-08-02 13:17:45 -07:00
vishalnayak 8b0b0d5922 Add cluster information to 'vault status' 2016-07-29 14:13:53 -04:00
vishalnayak e5e0431393 Added Vault version informationto the 'status' command 2016-07-28 17:37:35 -04:00
Alex Dadgar f5d56ad8f8 Refactor the TLS configuration between meta.Client and the api.Config 2016-07-27 17:26:26 -07:00
Jeff Mitchell a76d51d0ee Plumb request UUID through the API 2016-07-27 09:25:04 -04:00
vishalnayak 23800c5f1d Add service discovery to init command 2016-07-21 16:17:29 -04:00
Vishal Nayak 8a1bb1626a Merge pull request #1583 from hashicorp/ssh-allowed-roles
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-19 12:04:12 -04:00
vishalnayak c14235b206 Merge branch 'master-oss' into json-use-number
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Jeff Mitchell a6682405a3 Migrate number of retries down by one to have it be max retries, not tries 2016-07-11 21:57:14 +00:00
Jeff Mitchell 57cdb58374 Switch to pester from go-retryablehttp to avoid swallowing 500 error messages 2016-07-11 21:37:46 +00:00
Jeff Mitchell 7023eafc67 Make the API client retry on 5xx errors.
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.

Fix tests.
2016-07-06 16:50:23 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers.
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
vishalnayak 5367a7223d Add allowed_roles to ssh-helper-config and return role name from verify call 2016-07-05 11:14:29 -04:00
vishalnayak 848b479a61 Added 'sys/auth/<path>/tune' endpoints.
Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods'
2016-06-15 13:58:24 -04:00
Jeff Mitchell e925987cb6 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
Jeff Mitchell 65d8973864 Add explicit max TTL capability to token creation API 2016-06-08 14:49:48 -04:00
Jeff Mitchell c0155ac02b Add renewable flag and API setting for token creation 2016-06-08 11:14:30 -04:00
Jeff Mitchell 10b218d292 Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this... 2016-06-07 16:01:09 -04:00
Jeff Mitchell 401456ea50 Add creation time to returned wrapped token info
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.

This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Jeff Mitchell 63aba520c6 Make Unwrap a first-party API command and refactor UnwrapCommand to use it 2016-05-27 21:04:30 +00:00
Jeff Mitchell 05b2d4534c Add unwrap test function and some robustness around paths for the wrap lookup function 2016-05-19 11:49:46 -04:00
Jeff Mitchell c4431a7e30 Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 16:11:33 -04:00
Jeff Mitchell c5008bcaac Add more tests 2016-05-07 21:08:13 -04:00
Jeff Mitchell 99a5b4402d Merge branch 'master-oss' into cubbyhole-the-world 2016-05-04 14:42:14 -04:00
Jeff Mitchell 45a120f491 Switch our tri-copy ca loading code to go-rootcerts 2016-05-03 12:23:25 -04:00
Jeff Mitchell 1ffd5653c6 Add wrap support to API/CLI 2016-05-02 02:03:23 -04:00
Jeff Mitchell 4e53f4b1a4 Use UseNumber() on json.Decoder to have numbers be json.Number objects
instead of float64. This fixes some display bugs.
2016-04-20 18:38:20 +00:00
Adam Shannon fb07d07ad9 all: Cleanup from running go vet 2016-04-13 14:38:29 -05:00
Jeff Mitchell 348be0e50b Remove RevokePrefix from the API too as we simply do not support it any
longer.
2016-04-05 11:00:12 -04:00
Jeff Mitchell afae46feb7 SealInterface 2016-04-04 10:44:22 -04:00
vishalnayak 4e6dcfd6d0 Enable callbacks for handling logical.Request changes before processing requests 2016-03-17 22:29:53 -04:00
vishalnayak f275cd2e9c Fixed capabilities API to receive logical response 2016-03-17 21:03:32 -04:00
vishalnayak a5d79d587a Refactoring the capabilities function 2016-03-17 21:03:32 -04:00
vishalnayak 71fc07833f Rename id to path and path to file_path, print audit backend paths 2016-03-14 17:15:07 -04:00
Vishal Nayak c70b4bbbb2 Merge pull request #1201 from hashicorp/accessor-cli-flags
Accessor CLI flags
2016-03-11 09:55:45 -05:00
vishalnayak b8d202f920 Restore RevokeSelf API 2016-03-11 06:30:45 -05:00
vishalnayak 0486fa1a3a Added accessor flag to token-revoke CLI 2016-03-10 21:21:20 -05:00
vishalnayak ed8a096596 Add accessor flag to token-lookup command and add lookup-accessor client API 2016-03-10 21:21:20 -05:00
Seth Vargo 30f24dd5cc Validate HCL for SSHHelper too 2016-03-10 16:47:46 -05:00
Jeff Mitchell fa2ba47a5c Merge branch 'master' into token-roles 2016-03-09 17:23:34 -05:00
Jeff Mitchell 6df72e6efd Merge pull request #1168 from hashicorp/revoke-force
Add forced revocation.
2016-03-09 16:59:52 -05:00
vishalnayak 151c932875 AccessorID --> Accessor, accessor_id --> accessor 2016-03-09 06:23:31 -05:00
vishalnayak 301776012f Introduced AccessorID in TokenEntry and returning it along with token 2016-03-08 14:06:10 -05:00
Jeff Mitchell cc1f5207b3 Merge branch 'master' into token-roles 2016-03-07 10:03:54 -05:00
vishalnayak 9946a2d8b5 refactoring changes due to acl.Capabilities 2016-03-04 18:55:48 -05:00
vishalnayak 7fe871e60a Removing the 'Message' field 2016-03-04 10:36:03 -05:00
vishalnayak 286e63a648 Handled root token use case 2016-03-04 10:36:03 -05:00
vishalnayak 5749a6718c Added sys/capabililties endpoint 2016-03-04 10:36:02 -05:00
Jeff Mitchell 0d46fb4696 Create a unified function to sanitize mount paths.
This allows mount paths to start with '/' in addition to ensuring they
end in '/' before leaving the system backend.
2016-03-03 13:13:47 -05:00
Jeff Mitchell 3e7bca82a1 Merge pull request #1146 from hashicorp/step-down
Provide 'sys/step-down' and 'vault step-down'
2016-03-03 12:30:08 -05:00
Jeff Mitchell cd86226845 Add forced revocation.
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.

This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.

Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.

Fixes #1135
2016-03-03 10:13:59 -05:00
Jeff Mitchell 54232eb980 Add other token role unit tests and some minor other changes. 2016-03-01 12:41:41 -05:00
Jeff Mitchell ef990a3681 Initial work on token roles 2016-03-01 12:41:40 -05:00
vishalnayak aee006ba2d moved the test cert keys to appropriate test-fixtures folder 2016-02-29 15:49:08 -05:00
Jeff Mitchell d131d99c34 Merge branch 'master' into step-down 2016-02-29 11:02:09 -05:00
vishalnayak dca18aec2e replaced old certs, with new certs generated from PKI backend, containing IP SANs 2016-02-28 22:15:54 -05:00
Jeff Mitchell 11ddd2290b Provide 'sys/step-down' and 'vault step-down'
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.

Fixes #1093
2016-02-26 19:43:55 -05:00
vishalnayak d02d3124b5 fix api tests 2016-02-26 17:01:40 -05:00
Robert M. Thomson 024407518b Add VAULT_TLS_SERVER_NAME environment variable
If specified, verify a specific server name during TLS negotiation
rather than the server name in the URL.
2016-02-25 17:28:49 +01:00
vishalnayak c42ade8982 Use tls_skip_verify in vault-ssh-helper 2016-02-23 17:32:49 -05:00
vishalnayak 00d01043fd ssh-helper api changes 2016-02-23 00:16:00 -05:00
Jeff Mitchell 5f5542cb91 Return status for rekey/root generation at init time. This mitigates a
(very unlikely) potential timing attack between init-ing and fetching
status.

Fixes #1054
2016-02-12 14:24:36 -05:00
Jeff Mitchell 0c427e27e9 Add some documentation to the API revoke functions 2016-02-03 11:42:13 -05:00