Commit graph

97 commits

Author SHA1 Message Date
Jeff Mitchell d775445efe Store token creation time and TTL. This can be used to properly populate
fields in 'lookup-self'. Importantly, this also makes credential
backends use the SystemView per-backend TTL values and fixes unit tests
to expect this.

Fully fixes #527
2015-09-18 16:39:35 -04:00
Jeff Mitchell 77e7379ab5 Implement the cubbyhole backend
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell ace611d56d Address items from feedback. Make MountConfig use values rather than
pointers and change how config is read to compensate.
2015-09-10 15:09:54 -04:00
Jeff Mitchell eff1c331ad Add more unit tests against backend TTLs, and fix two bugs found by them
(yay unit tests!)
2015-09-10 15:09:54 -04:00
Jeff Mitchell 86ccae7bd5 Fix mount config test by proxying mounts/ in addition to mounts 2015-09-10 15:09:54 -04:00
Jeff Mitchell 775dfe38a2 A couple bug fixes + most unit tests 2015-09-10 15:09:54 -04:00
Jeff Mitchell 6efcbe3a9f Allow POST as well as PUT for seal/unseal command, fits in more with how logical handles things 2015-09-10 15:09:53 -04:00
Jeff Mitchell 696d0c7b1d Plumb per-mount config options through API 2015-09-10 15:09:53 -04:00
Jeff Mitchell 4596ed6484 Remove custom http/sys_auth handler in favor of logical. Unit tests
pass.
2015-08-28 13:42:01 -07:00
Jeff Mitchell 6bc86cfee1 Use logical passthrough for renew API calls 2015-08-26 13:22:16 -07:00
Jeff Mitchell 17cbd9e1ca If JSON decoding fails, make it clear that the problem is failing to
parse the JSON, rather than returning the possibly confusing error from
the JSON decoder.

Fixes #553.
2015-08-26 07:03:33 -07:00
Jeff Mitchell cc232e6f79 Address comments from review. 2015-08-25 15:33:58 -07:00
Jeff Mitchell c887df93cc Add support for pgp-keys argument to rekey, as well as tests, plus
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Jeff Mitchell 2f3e245b0b Add support for "pgp-tokens" parameters to init.
There are thorough unit tests that read the returned
encrypted tokens, seal the vault, and unseal it
again to ensure all works as expected.
2015-08-25 14:52:13 -07:00
Jeff Mitchell a8ef0e8a80 Remove cookie authentication. 2015-08-21 19:46:23 -07:00
Jeff Mitchell 93ef9a54bd Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod 2015-08-20 18:00:51 -07:00
Jeff Mitchell c84ccc08d4 sys_mount.go is now unnecessary 2015-08-20 14:09:15 -07:00
Jeff Mitchell 271255b008 Send sys mounting logic directly to logical backend. Unit tests run. 2015-08-20 13:59:57 -07:00
Jeff Mitchell 15f57082e0 Begin factoring out sys paths into logical routes. Also, standardize on 307 as redirect code. 2015-08-20 13:20:35 -07:00
Caleb Tennis 4da080e769 This adds a new error class which can be used by logical backends to
specify more concrete error cases to make their way back up the stack.

Over time there is probably a cleaner way of doing this, but that's
looking like a more massive rewrite and this solves some issues in
the meantime.

Use a CodedError to return a more concrete HTTP return code for
operations you want to do so.  Returning a regular error leaves
the existing behavior in place.
2015-08-10 13:27:25 -04:00
Armon Dadgar 0521c6df6c http: support ?standbyok for 200 status on standby. Fixes #389 2015-07-02 17:49:35 -07:00
Armon Dadgar 3bc388f30d Merge pull request #366 from nbrownus/http_responses
Better http responses
2015-06-29 15:31:45 -07:00
Armon Dadgar 496ebe561c vault: cleanups for the audit log changes 2015-06-29 15:27:28 -07:00
Nate Brown 31ab086063 Doing a little better with http response codes 2015-06-19 14:00:48 -07:00
Nate Brown c55f103c58 Adding error and remote_address to audit log lines 2015-06-18 17:17:18 -07:00
Seth Vargo 79388d2446 Accept PUT as well as post to sys/mounts 2015-06-16 13:02:21 -04:00
Armon Dadgar 7964fa4d86 http: adding rekey handlers 2015-05-28 14:28:50 -07:00
Armon Dadgar af47c72639 http: adding key-status and rotate handlers 2015-05-27 18:02:50 -07:00
Armon Dadgar 8ee5aebb3c vault: testing raw responses 2015-05-27 14:19:12 -07:00
Armon Dadgar 11c625fea2 http: support raw HTTP output 2015-05-27 14:10:00 -07:00
Jonathan Sokolowski be2538aca3 http: Extract IP from RemoteAddr correctly 2015-05-20 15:23:41 +10:00
Ian Unruh 63199e5af4 HTTP should return 503 when sealed 2015-05-19 00:59:19 -07:00
Armon Dadgar 42b28ca03d http: PUT to sys/auth should be the same as POST 2015-05-12 17:57:39 -07:00
Mitchell Hashimoto 42d6b2a916 http: allow header for auth token [GH-124] 2015-05-11 10:56:58 -07:00
Seth Vargo 95c8001388 Disable mlock in tests 2015-04-28 22:18:00 -04:00
Armon Dadgar d258be6093 http: avoid authenticating as new token for auth/token/create 2015-04-27 15:17:59 -07:00
Seth Vargo ee6963ee01 Use lowercase JSON keys for client_token 2015-04-24 12:00:00 -04:00
Armon Dadgar cca4580db8 Merge pull request #29 from hashicorp/f-health
Adding sys/health for Consul HTTP health monitoring
2015-04-23 11:58:58 -07:00
Armon Dadgar 667a1bf2d8 http: adding sys/health endpoint 2015-04-23 11:53:31 -07:00
Mitchell Hashimoto 978d324c43 http: allow trailing slash on GET /sys/auth 2015-04-22 07:55:51 +02:00
Mitchell Hashimoto bfaf52c34e http: fix redirect issues with trailing slashes 2015-04-22 07:55:40 +02:00
Armon Dadgar f9501c4981 http: Adding sys/leader endpoint 2015-04-20 11:59:24 -07:00
Mitchell Hashimoto 86ea943537 http: fix some error returns to use the common helper 2015-04-19 22:40:50 -07:00
Mitchell Hashimoto 0ebf2508e0 command/policy-delete 2015-04-19 16:36:11 -07:00
Armon Dadgar c7d521b2be http: pass raw request through 2015-04-19 14:36:50 -07:00
Armon Dadgar 6f5b4637fb http: support standby redirects 2015-04-19 13:47:57 -07:00
Armon Dadgar 76c6c18826 http: split testing methods 2015-04-19 13:47:56 -07:00
Mitchell Hashimoto a44eb0dcd0 http: renew endpoints 2015-04-13 20:42:07 -07:00
Armon Dadgar 466c7575d3 Replace VaultID with LeaseID for terminology simplification 2015-04-08 13:35:32 -07:00
Mitchell Hashimoto 6015a8d7c2 http: handle errors better 2015-04-08 11:19:03 -07:00