Commit graph

138 commits

Author SHA1 Message Date
Vishal Nayak ac2b499fc9
Support reading Vault's address from Agent's config file (#6306)
* Support reading Vault's address from Agent's config file

* use consts and switch

* Add tls options to agent config vault block

* Update command/agent/config/config.go

Co-Authored-By: vishalnayak <vishalnayak@users.noreply.github.com>

* remove fmt.Printfs
2019-02-28 17:29:28 -05:00
Vishal Nayak 5037185d5d
Agent Cache: Some review feedback (#6257)
* Revamp agent cache client

* Update command/agent.go

Co-Authored-By: vishalnayak <vishalnayak@users.noreply.github.com>

* Agent cache auto auth token lookup case (#6258)

* agent cache auto auth token lookup case

* Use Blake2b256Hash instead of SHA256

* agent/cache: update cache-clear endpoint; use bytes.NewReader instead (#6259)

* agent/cache: update cache-clear endpoint; use bytes.NewReader instead

* agent/cache: Fix TestCache_ComputeIndexID after switching to blake2b

* agent/cache: Only parse response body if it's non-nil (#6260)

* Differently disable agent address in the API client

* Remove DisableAgent
2019-02-19 16:53:29 -05:00
Vishal Nayak 614ec67b05
address some review back (#6237) 2019-02-15 13:40:03 -05:00
Vishal Nayak feb235d5f8
Vault Agent Cache (#6220)
* vault-agent-cache: squashed 250+ commits

* Add proper token revocation validations to the tests

* Add more test cases

* Avoid leaking by not closing request/response bodies; add comments

* Fix revoke orphan use case; update tests

* Add CLI test for making request over unix socket

* agent/cache: remove namespace-related tests

* Strip-off the auto-auth token from the lookup response

* Output listener details along with configuration

* Add scheme to API address output

* leasecache: use IndexNameLease for prefix lease revocations

* Make CLI accept the fully qualified unix address

* export VAULT_AGENT_ADDR=unix://path/to/socket

* unix:/ to unix://
2019-02-14 20:10:36 -05:00
Jeff Mitchell 82ee4176e6
Add the ability to print curl commands from CLI (#6113) 2019-02-01 17:13:51 -05:00
Jim Kalafut d0e2badbae Run goimports across the repository (#6010)
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Sander van Harmelen d4328a6684 Use a pooled HTTP client for the Vault CLI (#5734)
As the CLI client is initialized with a specific Vault address, is makes
sense to use the pooled HTTP client here. This will prevent setting up
new TCP sessions for each API call that the client needs to make.
2018-11-09 10:46:57 -05:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
Jeff Mitchell 3b8d0ed72c Update comment on API client's clone method 2018-11-01 12:26:18 -04:00
Jeff Mitchell 66a0029195 Sync some ns stuff to api/command 2018-08-22 14:37:40 -04:00
Jeff Mitchell 3403c7ad9c Add headers accessor and ns function 2018-08-09 18:29:03 -04:00
Brian Kassouf beda7845f6
API: Add context to each raw request call (#4987) 2018-07-24 15:49:55 -07:00
Jeff Mitchell c7981e6417
Clean up request logic and use retryable's more efficient handling (#4670) 2018-06-01 09:12:43 -04:00
Jeff Mitchell 35cb9bc517
Redo API client locking (#4551)
* Redo API client locking

This assigns local values when in critical paths, allowing a single API
client to much more quickly and safely pipeline requests.

Additionally, in order to take that paradigm all the way it changes how
timeouts are set. It now uses a context value set on the request instead
of configuring the timeout in the http client per request, which was
also potentially quite racy.

Trivially tested with
VAULT_CLIENT_TIMEOUT=2 vault write pki/root/generate/internal key_type=rsa key_bits=8192
2018-05-25 14:38:06 -04:00
Jeff Mitchell 03b3914151 Fix fmt 2018-05-11 11:50:10 -04:00
Robbie McKinstry 9765779622 Client side rate limiting (#4421) 2018-05-11 10:42:06 -04:00
Jeff Mitchell af802275bd
Fix response wrapping from K/V version 2 (#4511)
This takes place in two parts, since working on this exposed an issue
with response wrapping when there is a raw body set. The changes are (in
diff order):

* A CurrentWrappingLookupFunc has been added to return the current
value. This is necessary for the lookahead call since we don't want the
lookahead call to be wrapped.

* Support for unwrapping < 0.6.2 tokens via the API/CLI has been
removed, because we now have backends returning 404s with data and can't
rely on the 404 trick. These can still be read manually via
cubbyhole/response.

* KV preflight version request now ensures that its calls is not
wrapped, and restores any given function after.

* When responding with a raw body, instead of always base64-decoding a
string value and erroring on failure, on failure we assume that it
simply wasn't a base64-encoded value and use it as is.

* A test that fails on master and works now that ensures that raw body
responses that are wrapped and then unwrapped return the expected
values.

* A flag for response data that indicates to the wrapping handling that
the data contained therein is already JSON decoded (more later).

* RespondWithStatusCode now defaults to a string so that the value is
HMAC'd during audit. The function always JSON encodes the body, so
before now it was always returning []byte which would skip HMACing. We
don't know what's in the data, so this is a "better safe than sorry"
issue. If different behavior is needed, backends can always manually
populate the data instead of relying on the helper function.

* We now check unwrapped data after unwrapping to see if there were raw
flags. If so, we try to detect whether the value can be unbase64'd. The
reason is that if it can it was probably originally a []byte and
shouldn't be audit HMAC'd; if not, it was probably originally a string
and should be. In either case, we then set the value as the raw body and
hit the flag indicating that it's already been JSON decoded so not to
try again before auditing. Doing it this way ensures the right typing.

* There is now a check to see if the data coming from unwrapping is
already JSON decoded and if so the decoding is skipped before setting
the audit response.
2018-05-10 15:40:03 -04:00
Jeff Mitchell aa80a7e502 Change retry timing to be a little less long 2018-05-09 18:33:51 -04:00
Jeff Mitchell 6d9fce63c6 Adjust MaxRetries for retryablehttp 2018-05-09 18:24:41 -04:00
Jeff Mitchell 2dc9276e4c Update go-retryablehttp and use PassthroughErrorHandler 2018-05-09 18:11:08 -04:00
Jeff Mitchell 7f886b5675 Update go-retryablehttp vendor 2018-05-09 17:44:53 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Jeff Mitchell bab8db3328
Don't allow non-printable characters in the API client's token (#3841) 2018-01-24 19:57:49 -05:00
Jeff Mitchell 8efa6756c3
Make -client-cert and -client-key work when the server doesn't know (#3568)
about the CA used to sign the cert.

Stop swallowing an error in meta.

Fixes #2946
2017-11-10 18:16:50 -05:00
Jeff Mitchell 0798ccdd7c Populate config error in three node test function 2017-11-10 17:44:25 -05:00
Jeff Mitchell 7e80b4b7ad
Minor client refactoring (#3539) 2017-11-06 12:06:19 -05:00
Jeff Mitchell d229d7d5b0
Redo API locking (#3508)
* Redo the API client quite a bit to make the behavior of NewClient more
predictable and add locking to make it safer to use with Clone() and if
multiple goroutines for some reason decide to change things.

Along the way I discovered that currently, the x/net/http2 package is
broke with the built-in h2 support in released Go. For those using
DefaultConfig (the vast majority of cases) this will be a non-event.
Others can manually call http2.ConfigureTransport as needed. We should
keep an eye on commits on that repo and consider more updates before
release. Alternately we could go back revisions but miss out on bug
fixes; my theory is that this is not a purposeful break and I'll be
following up on this in the Go issue tracker.

In a few tests that don't use NewTestCluster, either for legacy or other
reasons, ensure that http2.ConfigureTransport is called.

* Use tls config cloning

* Don't http2.ConfigureServer anymore as current Go seems to work properly without requiring the http2 package

* Address feedback
2017-11-02 09:30:04 -05:00
Jeff Mitchell 08d9353c60 Only call ConfigureTransport if "h2" is not already in NextProtos.
Fixes #3435
2017-10-27 14:08:30 -04:00
Jeff Mitchell 8e271dcbdc More syncing 2017-10-23 16:52:56 -04:00
Billie Cleek 3033a7beb6 do not panic when Client.Transport is not *http.Transport (#3440) 2017-10-10 08:46:54 -04:00
Jeff Mitchell 3cf4e3e142 Fix panic when setting a client http client with no transport (#3437)
Fixes #3436
2017-10-09 08:49:20 -04:00
Marcus Söderberg 3d00731fda Add http headers to the api client (#3394) 2017-10-06 14:27:58 -04:00
Jeff Mitchell d2410e3399 gofmt 2017-08-02 19:38:35 -04:00
nrhall-deshaw 888e1e3859 Add SRV record functionality for client side host/port discovery of Vault (#3035)
* added SRV record functionality for client side port discovery of Vault

* Add a check on returned address length
2017-08-02 19:19:06 -04:00
Gobin Sougrakpam 2ddbc4a939 Adding option to set custom vault client timeout using env variable VAULT_CLIENT_TIMEOUT (#3022) 2017-07-18 09:48:31 -04:00
Seth Vargo 084064389e Add a convenience function for copying a client (#2887) 2017-06-20 04:08:15 +01:00
emily aa40d2cff6 add gofmt checks to Vault and format existing code (#2745) 2017-05-19 08:34:17 -04:00
Lee Avital bf34484d9d Respect the configured address's path in the client (#2588) 2017-04-13 14:06:38 -04:00
pkrolikowski 0fb75d9e89 Pass user/pass for HTTP Basic Authentication in URL parameters (#2469) 2017-03-10 07:19:23 -05:00
Jeff Mitchell 5ef2b0145b Add ability to set max retries to API 2017-03-01 12:24:08 -05:00
Jordan Abderrachid fa77e7cfa2 api: add EnvVaultToken constant. (#2413) 2017-02-27 18:36:21 -05:00
Jeff Mitchell 2cc0906b33 Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 (#2412) 2017-02-27 12:49:35 -05:00
Jason Felice ec10a9171d ConfigureTLS() sets default HttpClient if nil (#2329) 2017-02-06 17:47:56 -05:00
Vishal Nayak ad09acb479 Use Vault client's scheme for auto discovery (#2146) 2016-12-02 11:24:57 -05:00
Jeff Mitchell 97ca3292a4 Set number of pester retries to zero by default and make seal command… (#2093)
* Set number of pester retries to zero by default and make seal command return 403 if unauthorized instead of 500

* Fix build

* Use 403 instead and update test

* Change another 500 to 403
2016-11-16 14:08:09 -05:00
Jeff Mitchell b45a481365 Wrapping enhancements (#1927) 2016-09-28 21:01:28 -07:00
Jeff Mitchell 9c33224928 Don't retry on redirections. 2016-08-12 15:13:42 -04:00
vishalnayak ff22640015 Use default config and read environment by default while creating client object 2016-08-12 11:37:13 -04:00
Alex Dadgar 92ede0db17 Address comments 2016-08-02 13:17:45 -07:00
Alex Dadgar f5d56ad8f8 Refactor the TLS configuration between meta.Client and the api.Config 2016-07-27 17:26:26 -07:00
Jeff Mitchell a6682405a3 Migrate number of retries down by one to have it be max retries, not tries 2016-07-11 21:57:14 +00:00
Jeff Mitchell 57cdb58374 Switch to pester from go-retryablehttp to avoid swallowing 500 error messages 2016-07-11 21:37:46 +00:00
Jeff Mitchell 7023eafc67 Make the API client retry on 5xx errors.
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.

Fix tests.
2016-07-06 16:50:23 -04:00
Jeff Mitchell 05b2d4534c Add unwrap test function and some robustness around paths for the wrap lookup function 2016-05-19 11:49:46 -04:00
Jeff Mitchell c4431a7e30 Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 16:11:33 -04:00
Jeff Mitchell 99a5b4402d Merge branch 'master-oss' into cubbyhole-the-world 2016-05-04 14:42:14 -04:00
Jeff Mitchell 45a120f491 Switch our tri-copy ca loading code to go-rootcerts 2016-05-03 12:23:25 -04:00
Jeff Mitchell 1ffd5653c6 Add wrap support to API/CLI 2016-05-02 02:03:23 -04:00
Robert M. Thomson 024407518b Add VAULT_TLS_SERVER_NAME environment variable
If specified, verify a specific server name during TLS negotiation
rather than the server name in the URL.
2016-02-25 17:28:49 +01:00
Jeff Mitchell 32e23bea71 Move environment variable reading logic to API.
This allows the same environment variables to be read, parsed, and used
from any API client as was previously handled in the CLI. The CLI now
uses the API environment variable reading capability, then overrides any
values from command line flags, if necessary.

Fixes #618
2015-11-04 10:28:00 -05:00
Jeff Mitchell 22c65c0c07 Use cleanhttp instead of bare http.Client 2015-10-22 14:37:12 -04:00
Jeff Mitchell cba4e82682 Don't use http.DefaultClient
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.

Fixes #700, I believe.
2015-10-15 17:54:00 -04:00
Jeff Mitchell b5d674d94e Add 301 redirect checking to the API client.
Vault doesn't generate these, but in some cases Go's internal HTTP
handler does. For instance, during a mount-tune command, finishing the
mount path with / (as in secret/) would cause the final URL path to
contain .../mounts/secret//tune. The double slash would trigger this
behavior in Go's handler and generate a 301. Since Vault generates 307s,
this would cause the client to think that everything was okay when in
fact nothing had happened.
2015-10-09 17:11:31 -04:00
Dejan Golja 87c84db51b Increase default timeout to 30s which should allow for any operation
to complete.
2015-10-09 00:53:35 +11:00
Dejan Golja ea17b85d94 added a sensible default timeout for the vault client 2015-10-08 18:44:00 +11:00
Jeff Mitchell 2002406155 Rather than use http.DefaultClient, which is simply &http.Client{},
create our own. This avoids some potential client race conditions when
they are setting values on the Vault API client while the default client
is being used elsewhere in other goroutines, as was seen in
consul-template.
2015-09-03 13:47:20 -04:00
Jeff Mitchell bc2d914905 Change variable name for clarity 2015-09-03 13:38:24 -04:00
Jeff Mitchell c56fd6b3fc Remove redirect handling code that was never being executed (redirects are manually handled within RawRequest). Add a sync.Once to fix a potential data race with setting the CheckRedirect function on the default http.Client 2015-09-03 13:34:45 -04:00
Seth Vargo 6f248425a6 Update documentation around cookies 2015-09-03 10:36:59 -04:00
Jeff Mitchell a8ef0e8a80 Remove cookie authentication. 2015-08-21 19:46:23 -07:00
Jeff Mitchell 2de991ac7a The docs say that if HttpClient is nil, http.DefaultClient will be used. However, the code doesn't do this, resulting in a nil dereference. 2015-06-04 14:01:10 -04:00
Seth Vargo fc2ac74c5f Improve error message when TLS is disabled
Fixes #198
2015-05-14 10:33:38 -04:00
Mitchell Hashimoto d4155ef9d8 api: human friendly error for TLS [GH-123] 2015-05-02 13:08:35 -07:00
Seth Vargo cc25b8b15c Remove api dependency on http package 2015-04-23 19:58:44 -04:00
Seth Vargo e5fca055f7 Use VAULT_ADDR instead 2015-04-23 11:46:22 -04:00
Seth Vargo 835e14dda0 Add docs 2015-04-23 11:45:37 -04:00
Seth Vargo b421689ab4 Read environment variables for VAULT_HTTP_ADDR and VAULT_TOKEN 2015-04-23 11:43:20 -04:00
Seth Vargo 3fa76e0ea9 Use a pointer config instead 2015-04-23 11:13:52 -04:00
Armon Dadgar fbaca87f56 api: Support redirect for HA 2015-04-20 11:30:35 -07:00
Mitchell Hashimoto 7442bc1ef6 command/delete 2015-04-07 11:15:20 -07:00
Mitchell Hashimoto df4dc88176 api: SetToken 2015-03-30 21:20:23 -07:00
Mitchell Hashimoto c2e1371217 api: re-use proper token constant 2015-03-30 11:14:51 -07:00
Mitchell Hashimoto 02126dd935 api: store token cookie, tests 2015-03-11 17:46:42 -05:00
Mitchell Hashimoto de159fdac8 api: document jar requirement 2015-03-11 17:46:41 -05:00
Mitchell Hashimoto 886812ecce api: automatically get errors in RawRequest 2015-03-11 17:46:41 -05:00
Mitchell Hashimoto 798689fb8d api: sys methods 2015-03-11 17:46:41 -05:00
Mitchell Hashimoto 8ec69eae81 api: start the groundwork API stuff 2015-03-09 11:38:50 -07:00
Mitchell Hashimoto 80f8ba6b88 api: spec 2015-03-04 13:10:10 -08:00