Jeff Mitchell
c1aa89363a
Make time logic a bit clearer
2016-08-16 16:29:07 -04:00
Jeff Mitchell
02d9702fbd
Add local into handler path for forwarded requests
2016-08-16 11:46:37 -04:00
Jeff Mitchell
62c69f8e19
Provide base64 keys in addition to hex encoded. ( #1734 )
...
* Provide base64 keys in addition to hex encoded.
Accept these at unseal/rekey time.
Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell
37320f8798
Request forwarding ( #1721 )
...
Add request forwarding.
2016-08-15 09:42:42 -04:00
Jeff Mitchell
40ece8fd7c
Add another test and fix some output
2016-08-14 07:17:14 -04:00
Jeff Mitchell
b6ef112382
Minor wording change
2016-08-13 15:45:13 -04:00
Jeff Mitchell
cdea4b3445
Add some tests and fix some bugs
2016-08-13 14:03:22 -04:00
Jeff Mitchell
de60702d76
Don't check the role period again as we've checked it earlier and it may be greater than the te Period
2016-08-13 13:21:56 -04:00
Jeff Mitchell
bcb4ab5422
Add periodic support for root/sudo tokens to auth/token/create
2016-08-12 21:14:12 -04:00
Jeff Mitchell
c1a46349fa
Change to keybase openpgp fork as it has important fixes
2016-08-11 08:31:43 -04:00
vishalnayak
3895ea4c2b
Address review feedback from @jefferai
2016-08-10 15:22:12 -04:00
vishalnayak
95f9c62523
Fix Cluster object being returned as nil when unsealed
2016-08-10 15:09:16 -04:00
Jeff Mitchell
0f40fba40d
Don't allow a root token that expires to create one that doesn't
2016-08-09 20:32:40 -04:00
vishalnayak
b5d55a9f47
Fix broken mount_test
2016-08-09 12:06:59 -04:00
Jeff Mitchell
4246ab1220
Change local cluster info path
2016-08-09 11:28:42 -04:00
Vishal Nayak
c27a52069c
Merge pull request #1693 from hashicorp/mount-table-compress
...
Added utilities to compress the JSON encoded string.
2016-08-09 11:23:14 -04:00
Jeff Mitchell
cc10fd7a7e
Use config file cluster name after automatic gen
2016-08-09 11:03:50 -04:00
vishalnayak
b43cc03f0e
Address review feedback from @jefferai
2016-08-09 10:47:55 -04:00
Jeff Mitchell
94c9fc3b49
Minor test fix
2016-08-09 07:13:29 -04:00
vishalnayak
78d57520fb
Refactoring and test fixes
2016-08-09 03:43:03 -04:00
vishalnayak
5866cee5b4
Added utilities to compress the data
2016-08-09 00:50:19 -04:00
Jeff Mitchell
d2124486ef
Merge pull request #1702 from hashicorp/renew-post-body
...
Add ability to specify renew lease ID in POST body.
2016-08-08 20:01:25 -04:00
Jeff Mitchell
c86fd0353c
urllease_id -> url_lease_id
2016-08-08 18:34:00 -04:00
Jeff Mitchell
065da5fd69
Migrate default policy to a const
2016-08-08 18:33:31 -04:00
Jeff Mitchell
5a48611a62
Add test for both paths in backend
2016-08-08 18:32:18 -04:00
Jeff Mitchell
56b7f595aa
Fix parsing optional URL param
2016-08-08 18:08:25 -04:00
Jeff Mitchell
ab71b981ad
Add ability to specify renew lease ID in POST body.
2016-08-08 18:00:44 -04:00
Jeff Mitchell
13b7d37a0b
Remove change to naming return values
2016-08-08 17:56:14 -04:00
Jeff Mitchell
a583f8a3f8
Use policyutil sanitizing
2016-08-08 17:42:25 -04:00
Jeff Mitchell
4f0310ed96
Don't allow root from authentication backends either.
...
We've disabled this in the token store, but it makes no sense to have
that disabled but have it enabled elsewhere. It's the same issue across
all, so simply remove the ability altogether.
2016-08-08 17:32:37 -04:00
Jeff Mitchell
796c93a8b0
Add sys/renew to default policy
2016-08-08 17:32:30 -04:00
Jeff Mitchell
d7f6218869
Move checking non-assignable policies above the actual token creation
2016-08-08 16:44:29 -04:00
Laura Bennett
da615642f5
Merge pull request #1687 from hashicorp/token-store-update
...
Minor update to token-store
2016-08-08 10:25:05 -04:00
Jeff Mitchell
ac62b18d56
Make capabilities-self
part of the default policy.
...
Fixes #1695
2016-08-08 10:00:01 -04:00
vishalnayak
e783bfe7e1
Minor changes to test cases
2016-08-05 20:22:07 -04:00
vishalnayak
5ddd1c7223
Fix broken test case
2016-08-05 20:07:18 -04:00
Laura Bennett
02911c0e01
full updates based on feedback
2016-08-05 18:57:35 -04:00
Laura Bennett
52623a2395
test updates based on feedback
2016-08-05 18:56:22 -04:00
Laura Bennett
405eb0075a
fix an error, tests still broken
2016-08-05 17:58:48 -04:00
Jeff Mitchell
82b3d136e6
Don't mark never-expiring root tokens as renewable
2016-08-05 11:15:25 -04:00
Laura Bennett
68d351c70c
addresses feedback, but tests broken
2016-08-05 10:04:02 -04:00
Jeff Mitchell
4b2b5363d4
Switch some errors that ought to be 500 to 500
2016-08-04 09:11:24 -04:00
Laura Bennett
c626277632
initial commit for minor update to token-store
2016-08-03 14:32:17 -04:00
Jeff Mitchell
a7ed50dbc8
coreClusterPath -> coreLocalClusterPath
2016-08-03 09:50:21 -04:00
Vishal Nayak
0b2098de2f
Merge pull request #1681 from hashicorp/disallowed-policies
...
Support disallowed_policies in token roles
2016-08-02 17:32:53 -04:00
vishalnayak
e7cb3fd990
Addressed review feedback
2016-08-02 16:53:06 -04:00
vishalnayak
4f45910dfc
disallowed_policies doc update
2016-08-02 16:33:22 -04:00
vishalnayak
9947b33498
Added tests for disallowed_policies
2016-08-02 15:21:15 -04:00
Jeff Mitchell
31b36fe2c2
Use duration helper to allow not specifying duration units
2016-08-02 15:12:45 -04:00
vishalnayak
a936914101
Address review feedback and fix existing tests
2016-08-02 14:10:20 -04:00
vishalnayak
a0c711d0cf
Added disallowed_policies to token roles
2016-08-02 10:33:50 -04:00
Jeff Mitchell
357f2d972f
Add some extra safety checking in accessor listing and update website
...
docs.
2016-08-01 13:12:06 -04:00
Jeff Mitchell
6546005487
Fix typo
2016-07-29 23:24:04 -04:00
Jeff Mitchell
e606aab6e0
oops, fix createAccessor
2016-07-29 18:23:55 -04:00
Jeff Mitchell
23ab63c78e
Add accessor list function to token store
2016-07-29 18:20:38 -04:00
vishalnayak
cff7aada7a
Fix invalid input getting marked as internal error
2016-07-28 16:23:11 -04:00
Laura Bennett
4d9c909ae4
Merge pull request #1650 from hashicorp/request-uuid
...
Added unique identifier to each request. Closes hashicorp/vault#1617
2016-07-27 09:40:48 -04:00
vishalnayak
c17534d527
Fix request_id test failures
2016-07-26 18:30:13 -04:00
Laura Bennett
fb1b032040
fixing id in buildLogicalRequest
2016-07-26 15:50:37 -04:00
Vishal Nayak
c7bcaa5bb6
Merge pull request #1655 from hashicorp/cluster-id
...
Vault cluster name and ID
2016-07-26 14:12:48 -04:00
vishalnayak
669bbdfa48
Address review feedback from @jefferai
2016-07-26 14:05:27 -04:00
Laura Bennett
ad66bd7502
fixes based proper interpretation of comments
2016-07-26 12:20:27 -04:00
vishalnayak
a3e6400697
Remove global name/id. Make only cluster name configurable.
2016-07-26 10:01:35 -04:00
vishalnayak
a6907769b0
AppRole authentication backend
2016-07-26 09:32:41 -04:00
vishalnayak
09d362d973
As it is
2016-07-26 09:18:38 -04:00
vishalnayak
c7dabe4def
Storing local and global cluster name/id to storage and returning them in health status
2016-07-26 02:32:42 -04:00
Laura Bennett
06b1835469
Merge pull request #1649 from hashicorp/internal-policy-block
...
Closes hashicorp/vault#1618
2016-07-25 17:41:48 -04:00
Laura Bennett
ae8a90be30
adding ids
2016-07-25 16:54:43 -04:00
Jeff Mitchell
e26487ced5
Add test for non-assignable policies
2016-07-25 16:00:18 -04:00
Laura Bennett
8d52a96df5
moving id to http/logical
2016-07-25 15:24:10 -04:00
Jeff Mitchell
d2cbe48aaf
Use RFC3339Nano for better precision
2016-07-25 14:11:57 -04:00
Laura Bennett
eb75afe54d
minor edit for error statement
2016-07-25 13:29:57 -04:00
Laura Bennett
9ef3d90349
still fixing git mistake
2016-07-25 10:11:51 -04:00
Laura Bennett
cc668b5c48
Fixing git mistake
2016-07-25 09:57:47 -04:00
Laura Bennett
7e29cf1cae
edits based on comments in PR
2016-07-25 09:46:10 -04:00
Laura Bennett
395f052870
minor error correction
2016-07-24 22:35:54 -04:00
Laura Bennett
9ea1c8b801
initial commit for nonAssignablePolicies
2016-07-24 22:27:41 -04:00
Laura Bennett
4945198334
reverting branch mistake
2016-07-24 21:56:52 -04:00
Laura Bennett
483e796177
website update for request uuuid
2016-07-24 21:23:12 -04:00
Laura Bennett
c63cdc23a1
Merge branch 'master' of https://github.com/hashicorp/vault into request-uuid
2016-07-23 21:47:08 -04:00
Laura Bennett
e5737b6789
initial local commit
2016-07-23 21:46:28 -04:00
Jeff Mitchell
4ab60f36a3
Rename err var to be more clear
2016-07-22 16:57:47 -04:00
vishalnayak
331f229858
Added a cap of 256 for CreateLocks utility
2016-07-20 04:48:35 -04:00
vishalnayak
50e8a189e9
Added helper to create locks
2016-07-19 21:37:28 -04:00
Jeff Mitchell
80a688c059
Ensure mount/auth tables are not nil when triggering rollback
...
During setup or teardown there could be a race condition so check for it
to avoid a potential panic.
2016-07-18 22:02:39 -04:00
Jeff Mitchell
df621911d7
Merge pull request #1624 from hashicorp/dynamodb-ha-off-default
...
Turn off DynamoDB HA by default.
2016-07-18 13:54:26 -04:00
Jeff Mitchell
028d024345
Add metrics around leadership
...
This can be helpful for detecting flapping.
Fixes #1544
2016-07-18 13:38:44 -04:00
Jeff Mitchell
a3ce0dcb0c
Turn off DynamoDB HA by default.
...
The semantics are wonky and have caused issues from people not reading
docs. It can be enabled but by default is off.
2016-07-18 13:19:58 -04:00
vishalnayak
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Vishal Nayak
9f1e6c7b26
Merge pull request #1607 from hashicorp/standardize-time
...
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
vishalnayak
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
Jeff Mitchell
5b210b2a1f
Return a duration instead and port a few other places to use it
2016-07-11 18:19:35 +00:00
Jeff Mitchell
ab6c2bc5e8
Factor out parsing duration second type and use it for parsing tune values too
2016-07-11 17:53:39 +00:00
vishalnayak
fcb0b580ab
Fix broken build
2016-07-08 23:16:58 -04:00
vishalnayak
55a667b8cd
Fix broken build
2016-07-08 20:30:27 -04:00
vishalnayak
dc690d6233
Place error check before the response check in expiration test
2016-07-08 19:01:36 -04:00
vishalnayak
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
Jeff Mitchell
c7d72fea90
Do some extra checking in the modified renewal check
2016-07-08 10:34:49 -04:00
Jeff Mitchell
7023eafc67
Make the API client retry on 5xx errors.
...
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.
Fix tests.
2016-07-06 16:50:23 -04:00
vishalnayak
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell
88c7292023
Fix broken test
2016-07-05 12:54:27 -04:00
Jeff Mitchell
8ce13b3f68
Add non-wrapped step
2016-07-05 12:11:40 -04:00
Jeff Mitchell
b6ca7e9423
Add response wrapping support to login endpoints.
...
Fixes #1587
2016-07-05 11:46:21 -04:00
Jeff Mitchell
90c2f5bb55
Fix some more too-tight timing in the token store tests
2016-07-01 11:59:39 -04:00
Jeff Mitchell
f3e6e4ee28
Fix timing in explicit max ttl test
2016-07-01 11:37:27 -04:00
Jeff Mitchell
09720bbd8e
Fix picking wrong token lock
2016-06-27 11:17:08 -04:00
vishalnayak
2933c5ce08
Made default_lease_ttl and max_lease_ttl as int64 and fixed tests
2016-06-20 20:23:49 -04:00
vishalnayak
0bdeea3a33
Fix the test cases
2016-06-20 18:56:19 -04:00
vishalnayak
848b479a61
Added 'sys/auth/<path>/tune' endpoints.
...
Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods'
2016-06-15 13:58:24 -04:00
Jeff Mitchell
368a17e978
Add some commenting
2016-06-14 05:54:09 +00:00
Jeff Mitchell
e925987cb6
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
Jeff Mitchell
1de6140d5c
Fix mah broken tests
2016-06-10 14:03:56 -04:00
Jeff Mitchell
9f6c5bc02a
cubbyhole-response-wrapping -> response-wrapping
2016-06-10 13:48:46 -04:00
Jeff Mitchell
e4ce81afa1
Remove unneeded Fields in passthrough
2016-06-09 10:33:24 -04:00
Jeff Mitchell
351f536913
Don't check parsability of a ttl
key on write.
...
On read we already ignore bad values, so we shouldn't be restricting
this on write; doing so alters expected data-in-data-out behavior. In
addition, don't issue a warning if a given `ttl` value can't be parsed,
as this can quickly get annoying if it's on purpose.
The documentation has been updated/clarified to make it clear that this
is optional behavior that doesn't affect the status of the key as POD
and the `lease_duration` returned will otherwise default to the
system/mount defaults.
Fixes #1505
2016-06-08 20:14:36 -04:00
Jeff Mitchell
2b4b6559e3
Merge pull request #1504 from hashicorp/token-store-roles-renewability
...
Add renewable flag to token store roles
2016-06-08 15:56:54 -04:00
Jeff Mitchell
8a1bff7c11
Make out-of-bounds explicit max a cap+warning instead of an error
2016-06-08 15:25:17 -04:00
Jeff Mitchell
cf8f38bd4c
Add renewable flag to token store roles
2016-06-08 15:17:22 -04:00
Jeff Mitchell
65d8973864
Add explicit max TTL capability to token creation API
2016-06-08 14:49:48 -04:00
Jeff Mitchell
c0155ac02b
Add renewable flag and API setting for token creation
2016-06-08 11:14:30 -04:00
Jeff Mitchell
bb1e8ddaa2
Make token renewable status work properly on lookup
2016-06-08 09:19:39 -04:00
Jeff Mitchell
10b218d292
Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this...
2016-06-07 16:01:09 -04:00
Jeff Mitchell
401456ea50
Add creation time to returned wrapped token info
...
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.
This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Jeff Mitchell
f8d70b64a0
Show renewable status for tokens in output
2016-06-01 17:30:31 -04:00
Vishal Nayak
9dd4e5ec5b
Merge pull request #1235 from hashicorp/policies-validation
...
Strip out other policies if root is present
2016-06-01 12:08:22 -04:00
vishalnayak
4fea41f7e5
Use entry.Type as a criteria for upgrade
2016-06-01 10:30:11 -04:00
vishalnayak
875778a2d9
Modify just the type and not the path
2016-05-31 23:19:13 -04:00
vishalnayak
1e4834bd20
Remove addDefault param from ParsePolicies
2016-05-31 13:39:58 -04:00
vishalnayak
49b4c83580
Adding default policies while creating tokens
2016-05-31 13:39:58 -04:00
vishalnayak
55fbfab4fe
Upgrade 'aws' auth table entry to 'aws-ec2'
2016-05-30 18:58:58 -04:00
Jeff Mitchell
8d19b4fb53
Add keyring zeroize function and add some more memzero calls in
...
appropriate places. Known to be best-effort, but may help in some cases.
Fixes #1446
2016-05-27 20:47:40 +00:00
vishalnayak
1d94828e45
Re-enable rollback triggers for auth backends
2016-05-26 14:29:41 -04:00
Vishal Nayak
644ac5f5e8
Merge pull request #1456 from hashicorp/consul-lease-renewal
...
Fix the consul secret backends renewal revocation problem
2016-05-26 13:59:45 -04:00
Jeff Mitchell
a57996ac08
Add to auth/audit too
2016-05-26 13:38:51 -04:00
Jeff Mitchell
475b0e2d33
Add table/type checking to mounts table.
2016-05-26 12:55:00 -04:00
vishalnayak
c0e745dbfa
s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends
2016-05-26 10:21:03 -04:00
vishalnayak
70b8530962
Fix the consul secret backends renewal revocation problem
2016-05-25 23:24:16 -04:00
Jeff Mitchell
417a56c42b
Disable rollback on auth for now and add workaround for its auth/ adding to entry paths
2016-05-25 17:53:45 -04:00
Jeff Mitchell
05b0e0a866
Enable audit-logging of seal and step-down commands.
...
This pulls the logical request building code into its own function so
that it's accessible from other HTTP handlers, then uses that with some
added logic to the Seal() and StepDown() commands to have meaningful
audit log entries.
2016-05-20 17:03:54 +00:00
Jeff Mitchell
0da8762bd5
Add unwrap command, and change how the response is embedded (as a string, not an object)
2016-05-19 11:25:15 -04:00
Jeff Mitchell
2e6ac4c37a
Remove wrap specs from backend response
2016-05-19 03:06:09 +00:00
Jeff Mitchell
c4431a7e30
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors
2016-05-16 16:11:33 -04:00
Jeff Mitchell
4c67a739b9
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-16 12:14:40 -04:00
Jeff Mitchell
60975bf76e
Revert "Remove a few assumptions regarding bash(1) being located in /bin."
2016-05-15 15:22:21 -04:00
Sean Chittenden
f91114fef5
Remove a few assumptions regarding bash(1) being located in /bin.
...
Use sh(1) where appropriate.
2016-05-15 11:41:14 -07:00
Sean Chittenden
792950e16c
Merge pull request #1417 from hashicorp/b-pki-expire-ttl-unset
...
Set entry's TTL before writing out the storage entry's config
2016-05-15 10:02:03 -07:00
Sean Chittenden
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
Sean Chittenden
af4e2feda7
When testing, increase the time we wait for the stepdown to occur.
...
2s -> 5s, no functional change.
2016-05-15 07:30:40 -07:00
Vishal Nayak
53fc941761
Merge pull request #1300 from hashicorp/aws-auth-backend
...
AWS EC2 instances authentication backend
2016-05-14 19:42:03 -04:00
Jeff Mitchell
560e9c30a3
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-12 14:59:12 -04:00