Commit graph

2229 commits

Author SHA1 Message Date
Mark Gritter 97d415d024
Token gauge metrics implementation. (#9239)
* Token gauge metrics implementation.
* Enable gauges only when interval is nonzero.
* Added count by TTL
* Yandle "in restore mode" error specifically.
* Refactored initialization code for gauge collection processes.
* Fixed for multiple namespaces.
* Ability to disable individual gauges with environment variable.
* changelog++
2020-06-23 18:36:24 -05:00
Calvin Leung Huang c45bdca0b3
raft: add support for using backend for ha_storage (#9193)
* raft: initial work on raft ha storage support

* add note on join

* add todo note

* raft: add support for bootstrapping and joining existing nodes

* raft: gate bootstrap join by reading leader api address from storage

* raft: properly check for raft-only for certain conditionals

* raft: add bootstrap to api and cli

* raft: fix bootstrap cli command

* raft: add test for setting up new cluster with raft HA

* raft: extend TestRaft_HA_NewCluster to include inmem and consul backends

* raft: add test for updating an existing cluster to use raft HA

* raft: remove debug log lines, clean up verifyRaftPeers

* raft: minor cleanup

* raft: minor cleanup

* Update physical/raft/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/ha.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/ha.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/logical_system_raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* address feedback comments

* address feedback comments

* raft: refactor tls keyring logic

* address feedback comments

* Update vault/raft.go

Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>

* Update vault/raft.go

Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>

* address feedback comments

* testing: fix import ordering

* raft: rename var, cleanup comment line

* docs: remove ha_storage restriction note on raft

* docs: more raft HA interaction updates with migration and recovery mode

* docs: update the raft join command

* raft: update comments

* raft: add missing isRaftHAOnly check for clearing out state set earlier

* raft: update a few ha_storage config checks

* Update command/operator_raft_bootstrap.go

Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>

* raft: address feedback comments

* raft: fix panic when checking for config.HAStorage.Type

* Update vault/raft.go

Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>

* Update website/pages/docs/commands/operator/raft.mdx

Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>

* raft: remove bootstrap cli command

* Update vault/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/raft.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* raft: address review feedback

* raft: revert vendored sdk

* raft: don't send applied index and node ID info if we're HA-only

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
Co-authored-by: Alexander Bezobchuk <alexanderbez@users.noreply.github.com>
Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
2020-06-23 12:04:13 -07:00
Mark Gritter ce88903638
Add counter for creation of new entity. (#9263) 2020-06-19 18:24:05 -05:00
Mark Gritter 3e220f300a
Fix to failing test compilation. (#9272) 2020-06-19 15:19:21 -05:00
Mark Gritter b3c3635f49
Added gauges to count KV secrets. (#9250)
* Added gauges to count KV secrets.
* Use real KV implementation in test.
2020-06-19 14:01:35 -05:00
Mark Gritter 239b2375aa
Counter that increments on every secret engine lease creation. (#9244) 2020-06-18 15:36:21 -05:00
Mark Gritter cc6a64d4d8
Replaced ClusterMetricSink's cluster name with an atomic.Value. (#9252)
* Replaced ClusterMetricSink's cluster name with an atomic.Value.
This should permit go-race tests to pass which seal and unseal
the core.

* Replace metric sink before unseal to avoid data races.
2020-06-18 12:55:50 -05:00
Michael Golowka f77bcc53c4
Move sdk/helper/random -> helper/random (#9226)
* This package is new for 1.5 so this is not a breaking change.
* This is being moved because this code was originally intended to be used
within plugins, however the design of password policies has changed such
that this is no longer needed. Thus, this code doesn't need to be in the
public SDK.
2020-06-17 14:24:38 -06:00
Scott Miller 0b9a40a64e
Add a simple sealed gauge, updated when seal status changes (#9177)
* Add a simple unsealed gauge, updated when seal status changes
2020-06-17 09:50:28 -05:00
Mike Jarmy e608503139
Test Shamir-to-Transit and Transit-to-Shamir Seal Migration for post-1.4 Vault. (#9214)
* move adjustForSealMigration to vault package

* fix adjustForSealMigration

* begin working on new seal migration test

* create shamir seal migration test

* refactor testhelpers

* add VerifyRaftConfiguration to testhelpers

* stub out TestTransit

* Revert "refactor testhelpers"

This reverts commit 39593defd0d4c6fd79aedfd37df6298391abb9db.

* get shamir test working again

* stub out transit join

* work on transit join

* remove debug code

* initTransit now works with raft join

* runTransit works with inmem

* work on runTransit with raft

* runTransit works with raft

* cleanup tests

* TestSealMigration_TransitToShamir_Pre14

* TestSealMigration_ShamirToTransit_Pre14

* split for pre-1.4 testing

* add simple tests for transit and shamir

* fix typo in test suite

* debug wrapper type

* test debug

* test-debug

* refactor core migration

* Revert "refactor core migration"

This reverts commit a776452d32a9dca7a51e3df4a76b9234d8c0c7ce.

* begin refactor of adjustForSealMigration

* fix bug in adjustForSealMigration

* clean up tests

* clean up core refactoring

* fix bug in shamir->transit migration

* stub out test that brings individual nodes up and down

* refactor NewTestCluster

* pass listeners into newCore()

* simplify cluster address setup

* simplify extra test core setup

* refactor TestCluster for readability

* refactor TestCluster for readability

* refactor TestCluster for readability

* add shutdown func to TestCore

* add cleanup func to TestCore

* create RestartCore

* stub out TestSealMigration_ShamirToTransit_Post14

* refactor address handling in NewTestCluster

* fix listener setup in newCore()

* remove unnecessary lock from setSealsForMigration()

* rename sealmigration test package

* use ephemeral ports below 30000

* work on post-1.4 migration testing

* clean up pre-1.4 test

* TestSealMigration_ShamirToTransit_Post14 works for non-raft

* work on raft TestSealMigration_ShamirToTransit_Post14

* clean up test code

* refactor TestClusterCore

* clean up TestClusterCore

* stub out some temporary tests

* use HardcodedServerAddressProvider in seal migration tests

* work on raft for TestSealMigration_ShamirToTransit_Post14

* always use hardcoded raft address provider in seal migration tests

* debug TestSealMigration_ShamirToTransit_Post14

* fix bug in RestartCore

* remove debug code

* TestSealMigration_ShamirToTransit_Post14 works now

* clean up debug code

* clean up tests

* cleanup tests

* refactor test code

* stub out TestSealMigration_TransitToShamir_Post14

* set seals properly for transit->shamir migration

* migrateFromTransitToShamir_Post14 works for inmem

* migrateFromTransitToShamir_Post14 works for raft

* use base ports per-test

* fix seal verification test code

* simplify seal migration test suite

* simplify test suite

* cleanup test suite

* use explicit ports below 30000

* simplify use of numTestCores

* Update vault/external_tests/sealmigration/seal_migration_test.go

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

* Update vault/external_tests/sealmigration/seal_migration_test.go

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

* clean up imports

* rename to StartCore()

* Update vault/testing.go

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>

* simplify test suite

* clean up tests

Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2020-06-16 14:12:22 -04:00
Mark Gritter 50b388a93c
Changes to expiration manager to walk tokens (#9182)
* Changes to expiration manager to walk tokens (including non-expiring ones.)
* Count by namespace in token manager.
* Keep a dictionary of policy lists and deduplicate based on it.
2020-06-15 18:54:36 -05:00
Austin Gebauer a826bd1d23
fix: configutil redeclared as imported package name (#9211) 2020-06-11 18:08:46 -07:00
Michael Golowka a89f09802d
Integrate password policies into RabbitMQ secret engine (#9143)
* Add password policies to RabbitMQ & update docs
* Also updates some parts of the password policies to aid/fix testing
2020-06-11 16:08:20 -06:00
Mike Jarmy 4303790aae
Test pre-1.4 seal migration (#9085)
* enable seal wrap in all seal migration tests

* move adjustForSealMigration to vault package

* fix adjustForSealMigration

* begin working on new seal migration test

* create shamir seal migration test

* refactor testhelpers

* add VerifyRaftConfiguration to testhelpers

* stub out TestTransit

* Revert "refactor testhelpers"

This reverts commit 39593defd0d4c6fd79aedfd37df6298391abb9db.

* get shamir test working again

* stub out transit join

* work on transit join

* Revert "move resuable storage test to avoid creating import cycle"

This reverts commit b3ff2317381a5af12a53117f87d1c6fbb093af6b.

* remove debug code

* initTransit now works with raft join

* runTransit works with inmem

* work on runTransit with raft

* runTransit works with raft

* get rid of dis-used test

* cleanup tests

* TestSealMigration_TransitToShamir_Pre14

* TestSealMigration_ShamirToTransit_Pre14

* split for pre-1.4 testing

* add simple tests for transit and shamir

* fix typo in test suite

* debug wrapper type

* test debug

* test-debug

* refactor core migration

* Revert "refactor core migration"

This reverts commit a776452d32a9dca7a51e3df4a76b9234d8c0c7ce.

* begin refactor of adjustForSealMigration

* fix bug in adjustForSealMigration

* clean up tests

* clean up core refactoring

* fix bug in shamir->transit migration

* remove unnecessary lock from setSealsForMigration()

* rename sealmigration test package

* use ephemeral ports below 30000

* simplify use of numTestCores
2020-06-11 15:07:59 -04:00
ncabatoff 2ec9049ef7
Add ssh signing algorithm as a role option. (#9096) 2020-06-11 08:10:13 -04:00
ncabatoff fdba917b66
Fix feature flag persistence: we shouldn't have excluded dr primaries, they too must write feature flags. DR secondaries might not need depend on feature flags being there, but a DR primary could also be (or become) a perf primary. (#9148) 2020-06-04 13:00:33 -04:00
Mark Gritter 475fe0eede
Token creation counters (#9052)
* Add token creation counters.
* Created a utility to change TTL to bucket name.
* Add counter covering token creation for response wrapping.
* Fix namespace label, with a new utility function.
2020-06-02 13:40:54 -05:00
ncabatoff 8870b2e51c
Add mongodbatlas static roles support (#8987)
* Refactor PG container creation.
* Rework rotation tests to use shorter sleeps.
* Refactor rotation tests.
* Add a static role rotation test for MongoDB Atlas.
2020-05-29 14:21:23 -04:00
Scott Miller 12d704d97f
Provide token ttl and issue time in the audit log. (#9091)
* Populate a token_ttl and token_issue_time field on the Auth struct of audit log entries, and in the Auth portion of a response for login methods

* Revert go fmt, better zero checking

* Update unit tests

* changelog++
2020-05-29 12:30:47 -05:00
Michael Golowka b52950f884
Add user configurable password policies available to secret engines (#8637)
* Add random string generator with rules engine

This adds a random string generation library that validates random
strings against a set of rules. The library is designed for use as generating
passwords, but can be used to generate any random strings.
2020-05-27 12:28:00 -06:00
Josh Black 6e92c8cbd2
Add a new "vault monitor" command (#8477)
Add a new "vault monitor" command

Co-authored-by: ncabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>
2020-05-21 13:07:50 -07:00
Mark Gritter 71b3de0450
Switch expiration manager's pending map to a sync.Map. (#8589) 2020-05-21 12:41:03 -05:00
ncabatoff 5376e87360
Don't audit replication status requests or responses. (#8877) 2020-05-21 09:20:05 -04:00
Brian Kassouf c8dde052f2
storage/raft: Advertise the configured cluster address (#9008)
* storage/raft: Advertise the configured cluster address

* Don't allow raft to start with unspecified IP

* Fix concurrent map write panic

* Add test file

* changelog++

* changelog++

* changelog++

* Update tcp_layer.go

* Update tcp_layer.go

* Only set the adverise addr if set
2020-05-18 18:22:25 -07:00
Brian Kassouf 1bb0bd489d
storage/raft: Add committed and applied indexes to the status output (#9011)
* storage/raft: Add committed and applied indexes to the status output

* Update api vendor

* changelog++

* Update http/sys_leader.go

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2020-05-18 16:07:27 -07:00
Calvin Leung Huang 8cefbca1c9
Refactor service registration (#8976)
* serivceregistration: refactor service registration logic to run later

* move state check to the internal func

* sr/kubernetes: update setInitialStateInternal godoc

* sr/kubernetes: remove return in setInitialState

* core/test: fix mockServiceRegistration

* address review feedback
2020-05-15 11:06:58 -07:00
Jeff Mitchell b4f5d38916
Update to latest go-kms-wrapping and fix protos/etcd (#8996) 2020-05-14 18:45:10 -04:00
Jeff Mitchell 1d3d89e2aa
Create configutil and move some common config and setup functions there (#8362) 2020-05-14 09:19:27 -04:00
Mike Jarmy 724af764bb
Test reusable storage (#8983)
* stub out reusable storage test

* implement reusable inmem test

* work on reusable raft test

* stub out simple raft test

* switch to reusable raft storage

* cleanup tests

* cleanup tests

* refactor tests

* verify raft configuration

* cleanup tests

* stub out reuseStorage

* use common base address across clusters

* attempt to reuse raft cluster

* tinker with test

* fix typo

* start debugging

* debug raft configuration

* add BaseClusterListenPort to TestCluster options

* use BaseClusterListenPort in test

* raft join works now

* misc cleanup of raft tests

* use configurable base port for raft test

* clean up raft tests

* add parallelized tests for all backends

* clean up reusable storage tests

* remove debugging code from startClusterListener()

* improve comments in testhelpers

* improve comments in teststorage

* improve comments and test logging

* fix typo in vault/testing

* fix typo in comments

* remove debugging code

* make number of cores parameterizable in test
2020-05-14 08:31:02 -04:00
Mark Gritter bd766d7bae
Metrics wrapper that adds the cluster name as a label. (#8961) 2020-05-12 21:00:59 -05:00
Scott Miller c3b6db2f26
Reject requests read and write requests to cubbyhole with an empty path (#8971)
* Reject requests read and write requests to cubbyhole with an empty path
2020-05-11 14:15:36 -05:00
Calvin Leung Huang cef02f4803
sys: use full mount path for checkAccess on internal/ui/mounts/:path (#8962) 2020-05-08 16:02:40 -07:00
ncabatoff 862beef59d
Factor out test logger creation so that it can be used when the caller wants to specify a logger explicitly, e.g. because they also want to use it when creating storage. (#8916) 2020-05-05 12:11:36 -04:00
ncabatoff a6809fdbaf
Write NewTestCluster logs to files, which get deleted if the test passes (#8911) 2020-05-01 12:26:26 -04:00
Calvin Leung Huang ec8448ab56
token: disallow periods on custom token IDs (#8646)
* token: disallow periods on custom token IDs

* docs: update token API docs
2020-04-27 09:39:33 -07:00
Dustin Decker 08571a0ac3
Add identity num_entities gauge metric (#8816)
Signed-off-by: Dustin Decker <dustindecker@protonmail.com>
2020-04-23 19:29:42 -05:00
Brian Kassouf 21cdba6fb5
identity: Add batch entity deletion endpoint (#8785)
* identity: Add batch entity deletion endpoint

* Update the parameter description

* Update error message

* Update helper/storagepacker/storagepacker.go

Co-Authored-By: Vishal Nayak <vishalnayak@users.noreply.github.com>

* Review feedback

* Update vault/identity_store_entities.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
2020-04-23 15:25:13 -07:00
Brian Kassouf 33b3e6857e
identity: group refresh shouldn't lock unless an update is needed (#8795) 2020-04-23 11:31:22 -07:00
Calvin Leung Huang 2659c34910
raft: check for nil on concrete type in SetupCluster (#8784)
* raft: check for nil on concrete type in SetupCluster

* raft: move check to its own func

* raft: func cleanup

* raft: disallow disable_clustering = true when raft storage is used

* docs: update disable_clustering to mention new behavior
2020-04-21 13:45:07 -07:00
Calvin Leung Huang df23b481a6
core: change rawConfig to be atomic.Value (#8755)
This avoids SetConfig from having to grab a write lock which is called on a SIGHUP, and may block, along with a long-running requests that has a read lock held, any other operation that requires a state lock.
2020-04-16 16:34:46 -07:00
Vishal Nayak b93bd39b97
Support unwrapping tokens that does not contain data (#8714)
* Support unwrapping tokens that does not contain data

* s/token/secret
2020-04-09 14:09:23 -04:00
Calvin Leung Huang c3caac76f1
token/renewal: return full set of token and identity policies in the … (#8535)
* token/renewal: return full set of token and identity policies in the policies field

* extend tests to cover additional token and identity policies on a token

* verify identity_policies returned on login and renewals
2020-03-31 13:36:45 -07:00
ncabatoff 236eb7e19f
Fix a test failure I observed on ent re cluster listener (#8647)
Panics when the cluster listener changes while we're setting up request forwarding.
2020-03-31 13:47:39 -04:00
Brian Kassouf 6b8b02f77a
identity: Fix potential deadlock on error to load groups (#8613) 2020-03-25 09:42:23 -07:00
ncabatoff c6518cc3f0
Make sure if a user gets removed from all groups in the external system, Vault updates itself accordingly. This is CVE-2020-10660. (#8606) 2020-03-23 18:00:26 -04:00
Brian Kassouf 05eea911bd
storage/raft: Refresh TLS keyring on snapshot restore (#8546) 2020-03-13 13:39:14 -07:00
ncabatoff 5fe1ab766b
Add option to detect deadlocks in Core.stateLock using build tag deadlock (#8524) 2020-03-10 16:01:20 -04:00
Jim Kalafut 90e8d9267d
Fix identity token caching (#8412)
The namespace-partitioned cache flushing was not being used correctly,
which could leave standby nodes with stale information.

Fixes #8284
2020-02-26 15:56:19 -05:00
ncabatoff e5721310ac
Add persistent feature flags to be used on enterprise non-primaries. (#8391) 2020-02-19 18:06:53 -05:00
Jeff Mitchell 844b2c3a5d Bump API/SDK and adapt to move from SDK stuff 2020-02-15 14:58:05 -05:00
Vitaly Velikodny 3ae6568512
Add missed description field for GET /sys/auth/:path/tune endpoint (#8193)
* fix #7623: add missed description field for GET /sys/auth/:path/tune endpoint

* fix #7623: allow empty description

* fix #7623: update tests with description field
2020-02-15 10:32:47 -08:00
ncabatoff 9dd18d8487
Unless we've been asked to stop, most failures should not result in (#7732)
waitForLeadership returning.
2020-02-14 18:28:37 -08:00
Joe Dollard 8f74b4d2b6
provide vault server flag to exit on core shutdown (#7561)
* provide vault server flag to exit on core shutdown

* Update command/server.go

Co-Authored-By: Jeff Mitchell <jeffrey.mitchell@gmail.com>

Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2020-02-14 18:07:31 -08:00
Brian Kassouf 3bbd9dc34c
Port some changes back to OSS (#8359) 2020-02-14 16:39:13 -08:00
Security Sauce d74463bbcc
Identity: Allow specifying a custom OIDC client_id field (#8165) 2020-02-13 23:15:35 -08:00
Vishal Nayak c87d34d1a4
Seal migration with Raft (#8103)
* Seal migration after unsealing

* Refactor migration fields migrationInformation in core

* Perform seal migration as part of postUnseal

* Remove the sleep logic

* Use proper seal in the unseal function

* Fix migration from Auto to Shamir

* Fix the recovery config missing issue

* Address the non-ha migration case

* Fix the multi cluster case

* Avoid re-running seal migration

* Run the post migration code in new leaders

* Fix the issue of wrong recovery being set

* Address review feedback

* Add more complete testing coverage for seal migrations.   (#8247)

* Add more complete testing coverage for seal migrations.  Also remove VAULT_ACC gate from some tests that just depend on docker, cleanup dangling recovery config in storage after migration, and fix a call in adjustCoreForSealMigration that seems broken.

* Fix the issue of wrong recovery key being set

* Adapt tests to work with multiple cores.

* Add missing line to disable raft join.

Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>

* Fix all known issues

* Remove warning

* Review feedback.

* Revert my previous change that broke raft tests.  We'll need to come back and at least comment
this once we better understand why it's needed.

* Don't allow migration between same types for now

* Disable auto to auto tests for now since it uses migration between same types which is not allowed

* Update vault/core.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Add migration logs

* Address review comments

* Add the recovery config check back

* Skip a few steps if migration is already done

* Return from waitForLeadership if migration fails

Co-authored-by: ncabatoff <nick.cabatoff@gmail.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2020-02-13 16:27:31 -05:00
Calvin Leung Huang dac3382e15
external_tests: ensure derived cores are stable before proceeding on tests (#8342)
* external_tests: ensure derived cores are stable before proceeding on tests

* testhelpers: add min duration tolerance when checking stability on derived core
2020-02-13 13:18:53 -08:00
Jeff Malnick 27ad920399
Add redshift database plugin (#8299)
* feat: add redshift database plugin

* build: update vendored libraries

* docs: add reference doc for redshift variant of the database secrets engine

* feat: set middlewear type name for better metrics naming (#8346)

Co-authored-by: Becca Petrin <beccapetrin@gmail.com>
2020-02-13 09:42:30 -08:00
Jeff Mitchell 86327b8010 Bump api/sdk and fix imports 2020-02-13 10:41:16 -05:00
Jim Kalafut 2ee7b76469
Bundle MongoDB Atlas (#8309) 2020-02-07 14:09:39 -08:00
ncabatoff a0ac4bdd2a
Audit generate root requests and responses. (#8301) 2020-02-06 11:56:37 -05:00
ncabatoff 2c8b012d14
Changes needed so that benchmark-vault can run with Prometheus monitoring (#8295) 2020-02-05 13:45:16 -05:00
Sebastien Williams-Wynn 9f99ff4912
Fix minor typo in doc string (#8277) 2020-02-02 20:12:59 +01:00
ncabatoff 30d262f149
Fix flaky test of api renewer by moving away from legacy api. (#8265) 2020-01-30 15:12:21 -05:00
Jim Kalafut f17fc4e5c1
Run goimports (#8251) 2020-01-27 21:11:00 -08:00
Becca Petrin 759f9b38f7
Observer pattern for service registration interface (#8123)
* use observer pattern for service discovery

* update perf standby method

* fix test

* revert usersTags to being called serviceTags

* use previous consul code

* vault isnt a performance standby before starting

* log err

* changes from feedback

* add Run method to interface

* changes from feedback

* fix core test

* update example
2020-01-24 09:42:03 -08:00
Vishal Nayak fb93b0bf9c Use Shamir as KeK when migrating from auto-seal to shamir (#8172)
* Use Shamir as KeK when migrating from auto-seal to shamir

* Use the correct number of shares/threshold for the migrated seal.

* Fix log message

* Add WaitForActiveNode to test

* Make test fail

* Minor updates

* Test with more shares and a threshold

* Add seal/unseal step to the test

* Update the logic that prepares seal migration (#8187)

* Update the logic that preps seal migration

* Add test and update recovery logic

Co-authored-by: ncabatoff <nick.cabatoff@gmail.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2020-01-21 09:24:33 -08:00
Brian Kassouf 1e37eadfa0
Fix panic when listener fails to startup (#8174) 2020-01-17 09:07:53 -08:00
Brian Kassouf f32a86ee7a
Create network layer abstraction to allow in-memory cluster traffic (#8173) 2020-01-16 23:03:02 -08:00
Calvin Leung Huang 67c0773df9
ldap, okta: fix renewal when login policies are empty (#8072)
* ldap, okta: fix renewal when login policies are empty

* test/policy: add test for login renewal without configured policy

* test/policy: remove external dependency on tests, refactor lease duration check
2020-01-16 09:42:35 -08:00
Vishal Nayak 8891f2ba88 Raft retry join (#7856)
* Raft retry join

* update

* Make retry join work with shamir seal

* Return upon context completion

* Update vault/raft.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Address some review comments

* send leader information slice as a parameter

* Make retry join work properly with Shamir case. This commit has a blocking issue

* Fix join goroutine exiting before the job is done

* Polishing changes

* Don't return after a successful join during unseal

* Added config parsing test

* Add test and fix bugs

* minor changes

* Address review comments

* Fix build error

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2020-01-13 17:02:16 -08:00
Jeff Mitchell a0694943cc
Migrate built in auto seal to go-kms-wrapping (#8118) 2020-01-10 20:39:52 -05:00
Brian Kassouf 549faf47f2
Add identity templating helper to sdk/framework (#8088)
* Add identity templating helper to sdk/framework

* Cleanup a bit

* Fix length issue when groups/aliases are filtered due to ns

* review feedback
2020-01-06 10:16:52 -08:00
Jim Kalafut 5821fe48c7 Fix identity token panic during invalidation (#8015)
* Fix identity token crash during invalidation

* Check for nil namespace

* Fix test

* Add nil check test

* Check OIDC cache errors
2019-12-17 10:43:38 -08:00
ncabatoff d3ff2684bb
Fix panic when creating batch tokens for role that doesn't exist. (#8021) 2019-12-16 09:31:32 -05:00
Calvin Leung Huang 7727c8b913
plugin: fix panic on router.MatchingSystemView if backend is nil (#7991)
* plugin: fix panic on router.MatchingSystemView if backend is nil

* correctly determine the plugin binary file in the directory

* docs: simplify plugin file removal
2019-12-10 10:48:30 -08:00
Mike Jarmy e42bc0ffc0
Introduce optional service_registration stanza (#7887)
* move ServiceDiscovery into methods

* add ServiceDiscoveryFactory

* add serviceDiscovery field to vault.Core

* refactor ConsulServiceDiscovery into separate struct

* cleanup

* revert accidental change to go.mod

* cleanup

* get rid of un-needed struct tags in vault.CoreConfig

* add service_discovery parser

* add ServiceDiscovery to config

* cleanup

* cleanup

* add test for ConfigServiceDiscovery to Core

* unit testing for config service_discovery stanza

* cleanup

* get rid of un-needed redirect_addr stuff in service_discovery stanza

* improve test suite

* cleanup

* clean up test a bit

* create docs for service_discovery

* check if service_discovery is configured, but storage does not support HA

* tinker with test

* tinker with test

* tweak docs

* move ServiceDiscovery into its own package

* tweak a variable name

* fix comment

* rename service_discovery to service_registration

* tweak service_registration config

* Revert "tweak service_registration config"

This reverts commit 5509920a8ab4c5a216468f262fc07c98121dce35.

* simplify naming

* refactor into ./serviceregistration/consul
2019-12-06 09:46:39 -05:00
Steve Gore f991b92dc3 Fix "does not exists" grammar (#7950)
* Fix "does not exists" grammar

* Fix "does not exists" grammar

* Revert vendor and go.mod
2019-12-03 16:25:09 -06:00
Lars Lehtonen 019fbe4b9c vault: fix dropped error in TestTokenStore_HandleRequest_CreateToken_NotAllowedEntityAlias(). (#7934) 2019-12-02 10:03:24 -08:00
Brian Kassouf 5cb6600e83
Remove unnecessary locking during heartbeating (#7877) 2019-11-20 17:24:49 -08:00
Calvin Leung Huang afa9510835 tests: eliminate flakiness on TestRecovery (#7897) 2019-11-20 20:21:34 -05:00
Jeff Mitchell ec17f373e4 Fix test for Go 1.13 2019-11-18 23:10:37 -05:00
Jeff Mitchell 9b5392bc8f
Fix cluster cipher test (#7900)
Go 1.13 flipped TLS 1.3 to opt-out instead of opt-in, and its TLS 1.3
support does not allow configuring cipher suites. Simply remove the
affected test; it's not relevant going forward and there's ample
evidence it works properly prior to Go 1.13.
2019-11-18 23:04:49 -05:00
Brian Kassouf 5e8901b5db Fix token counters test (#7867) 2019-11-12 13:33:28 -05:00
Michel Vocks 83d38480fc Backport OSS changes from enterprise (#7864) 2019-11-12 09:17:37 -08:00
Brian Kassouf a003abd6e2
Update recovery_test.go 2019-11-11 16:29:04 -08:00
Calvin Leung Huang bbaa7f8ea9
core: revoke the proper token on partial failures from token-related requests (#7835)
* core: revoke the proper token on partial failures from token-related requests

* move test to vault package, move test trigger to expiration manager

* update logging messages for clarity

* docstring fix
2019-11-08 13:14:03 -08:00
Vishal Nayak 9d3d53b4f4
Ensure only primary stores the case sensitivity state (#7820)
* Ensure only primary stores the case sensitivity state

* Update the check
2019-11-08 12:13:53 -05:00
Jeff Mitchell f2f984557e
Add ability to renew by accessor (#7817)
* Add renewing by accessor

* Add accessor renewing test and fix bug

* Update website docs

* Remove extra newline

* Add command-level test
2019-11-08 11:32:01 -05:00
Jeff Mitchell a8aa5f0dd3 go-ldap update; bump dep, api, secrets-ad plugin, and vendor 2019-11-08 11:24:46 -05:00
Calvin Leung Huang dac03d44e6
port namespace lease revocation fix (#7836) 2019-11-07 14:10:47 -08:00
Jim Kalafut 59e526614d
Run go fmt (#7823) 2019-11-07 08:54:34 -08:00
Brian Kassouf be883161be
Port OSS changes from perf standby fix (#7818)
* Port OSS changes from perf standby fix

* Fix build
2019-11-06 14:36:47 -08:00
Jeff Mitchell 44e899afd1
Don't allow registering a non-root zero TTL token lease (#7524)
* Don't allow registering a non-root zero TTL token lease

This is defense-in-depth in that such a token was not allowed to be
used; however it's also a bug fix in that this would then cause no lease
to be generated but the token entry to be written, meaning the token
entry would stick around until it was attempted to be used or tidied (in
both cases the internal lookup would see that this was invalid and do a
revoke on the spot).

* Fix tests

* tidy
2019-11-05 16:11:13 -05:00
Lars Lehtonen bda6a6da78 core/policy & core/token: Remove Dead Test Code (#7774)
* vault: remove dead test helper function testMakeBatchTokenViaCore()

* vault: remove dead test helper function testMakeBatchTokenViaBackend()

* vault: remove dead test helper function mockPolicyStoreNoCache()

* vault: remove dead test helper function mockPolicyStore()

* vault: remove unused test imports
2019-11-04 10:36:07 +01:00
Calvin Leung Huang 8c31e45860
hostutil: query stats with context, update gopsutil, refactor tests (#7769)
* hostutil: query stats with context, update gopsutil, refactor tests

* go mod vendor

* minor comment wording
2019-11-01 10:12:22 -07:00
Mike Jarmy d3bb5d60b2
Fix the token counter test so it doesn't miscount the number of tokens. (#7760) 2019-10-30 08:03:03 -04:00
Michel Vocks e5a921d277
Harden mount/auth filter evaluation error handling (#7754) 2019-10-29 17:42:13 +01:00
Jeff Mitchell 4e1470f483
Handpick cluster cipher suites when they're not user-set (#7487)
* Handpick cluster cipher suites when they're not user-set

There is an undocumented way for users to choose cluster cipher suites
but for the most part this is to paper over the fact that there are
undesirable suites in TLS 1.2.

If not explicitly set, have the set of cipher suites for the cluster
port come from a hand-picked list; either the allowed TLS 1.3 set (for
forwards compatibility) or the three identical ones for TLS 1.2.

The 1.2 suites have been supported in Go until at least as far back as
Go 1.9 from two years ago. As a result in cases where no specific suites
have been chosen this _ought_ to have no compatibility issues.

Also includes a useful test script.
2019-10-28 12:51:45 -04:00
Brian Kassouf d05b401cd8
Update token_store.go 2019-10-28 09:31:58 -07:00
Jack Kleeman 65c67dd6f3 Add a counter for root token creation (#7172)
It would be useful to be able to page on root token creation. This PR
adds a counter which increments on this event.
2019-10-28 09:30:11 -07:00
Jeff Mitchell 0c88218dd4 Port some changes that got out of sync 2019-10-28 11:38:14 -04:00
Brian Kassouf a20e73c2da
Port filtered paths changes back to OSS (#7741)
* Port filtered paths changes back to OSS

* Fix build
2019-10-27 13:30:38 -07:00
Matt Morrison 1e7acd0800 path-help missing or incorrect for raft paths (#7326) 2019-10-25 12:37:48 -04:00
Mike Jarmy 56725e694f
fix token counter test so the token won't time out (#7737) 2019-10-25 10:55:38 -04:00
ncabatoff 7c6cc95a24
Fix a regression introduced in #7698 that breaks root token generation. (#7727) 2019-10-24 10:23:31 -04:00
Vishal Nayak 23b0fb62de Abstract generate-root authentication into the strategy interface (#7698)
* Abstract generate-root authentication into the strategy interface

* Generate root strategy ncabatoff (#7700)

* Adapt to new shamir-as-kek reality.

* Don't try to verify the master key when we might still be sealed (in
recovery mode).  Instead, verify it in the authenticate methods.
2019-10-23 09:52:28 -07:00
ncabatoff 13c00dfa38
Use docker instead of an external LDAP server that sometimes goes down (#7522) 2019-10-22 13:37:41 -04:00
ncabatoff 68656a86cb
Fix a nil map pointer in mergeEntity. (#7711) 2019-10-22 09:57:24 -04:00
ncabatoff 8543da27bd
TestSysRekey_Verification would fail sometimes when recovery=true (#7710)
because when unsealing it wouldn't wait for core 0 to come up and become
the active node. Much of our testing code assumes that core0 is the
active node.
2019-10-22 09:35:48 -04:00
ncabatoff 1c98152fa0
Shamir seals now come in two varieties: legacy and new-style. (#7694)
Shamir seals now come in two varieties: legacy and new-style. Legacy
Shamir is automatically converted to new-style when a rekey operation
is performed. All new Vault initializations using Shamir are new-style.

New-style Shamir writes an encrypted master key to storage, just like
AutoUnseal. The stored master key is encrypted using the shared key that
is split via Shamir's algorithm. Thus when unsealing, we take the key
fragments given, combine them into a Key-Encryption-Key, and use that
to decrypt the master key on disk. Then the master key is used to read
the keyring that decrypts the barrier.
2019-10-18 14:46:00 -04:00
Lexman c86fe212c0
oss changes for entropy augmentation feature (#7670)
* oss changes for entropy augmentation feature

* fix oss command/server/config tests

* update go.sum

* fix logical_system and http/ tests

* adds vendored files

* removes unused variable
2019-10-17 10:33:00 -07:00
Michael Gaffney 4f7bd872ed
core: Log if an error is returned from postSealMigration (#7675) 2019-10-16 14:00:00 -04:00
Michael Gaffney 24f663403e
core: add postSealMigration method (#7579)
* core: add postSealMigration method

The postSealMigration method is called at the end of the postUnseal
method if a seal migration has occurred. This starts a seal rewrap
process in the enterprise version of. It is a no-op in the OSS version.
2019-10-16 12:52:37 -04:00
Michael Gaffney 6ae92ede11
core: add hook for initializing seals for migration (#7666)
* core: add hook for initializing seals for migration

Needed in enterprise version.
2019-10-15 15:48:23 -04:00
Vishal Nayak 0d077d7945
Recovery Mode (#7559)
* Initial work

* rework

* s/dr/recovery

* Add sys/raw support to recovery mode (#7577)

* Factor the raw paths out so they can be run with a SystemBackend.

# Conflicts:
#	vault/logical_system.go

* Add handleLogicalRecovery which is like handleLogical but is only
sufficient for use with the sys-raw endpoint in recovery mode.  No
authentication is done yet.

* Integrate with recovery-mode.  We now handle unauthenticated sys/raw
requests, albeit on path v1/raw instead v1/sys/raw.

* Use sys/raw instead raw during recovery.

* Don't bother persisting the recovery token.  Authenticate sys/raw
requests with it.

* RecoveryMode: Support generate-root for autounseals (#7591)

* Recovery: Abstract config creation and log settings

* Recovery mode integration test. (#7600)

* Recovery: Touch up (#7607)

* Recovery: Touch up

* revert the raw backend creation changes

* Added recovery operation token prefix

* Move RawBackend to its own file

* Update API path and hit it using CLI flag on generate-root

* Fix a panic triggered when handling a request that yields a nil response. (#7618)

* Improve integ test to actually make changes while in recovery mode and
verify they're still there after coming back in regular mode.

* Refuse to allow a second recovery token to be generated.

* Resize raft cluster to size 1 and start as leader (#7626)

* RecoveryMode: Setup raft cluster post unseal (#7635)

* Setup raft cluster post unseal in recovery mode

* Remove marking as unsealed as its not needed

* Address review comments

* Accept only one seal config in recovery mode as there is no scope for migration
2019-10-15 00:55:31 -04:00
Matthew Irish 87d4e6e068
UI - raft config and snapshotting (#7410)
* add storage route

* template out the routes and new raft storage overview

* fetch raft config and add new server model

* pngcrush the favicon

* add view components and binary-file component

* add form-save-buttons component

* adjust rawRequest so that it can send a request body and returns the response on errors

* hook up restore

* rename binary-file to file-to-array-buffer

* add ember-service-worker

* use forked version of ember-service-worker for now

* scope the service worker to a single endpoint

* show both download buttons for now

* add service worker download with a fallback to JS in-mem download

* add remove peer functionality

* lint go file

* add storage-type to the cluster and node models

* update edit for to take a cancel action

* separate out a css table styles to be used by http-requests-table and on the raft-overview component

* add raft-join adapter, model, component and use on the init page

* fix styling and gate the menu item on the cluster using raft storage

* style tweaks to the raft-join component

* fix linting

* add form-save-buttons component to storybook

* add cancel functionality for backup uploads, and add a success message for successful uploads

* add component tests

* add filesize.js

* add filesize and modified date to file-to-array-buffer

* fix linting

* fix server section showing in the cluster nav

* don't use babel transforms in service worker lib because we don't want 2 copies of babel polyfill

* add file-to-array-buffer to storybook

* add comments and use removeObjectURL to raft-storage-overview

* update alert-banner markdown

* messaging change for upload alert banner

* Update ui/app/templates/components/raft-storage-restore.hbs

Co-Authored-By: Joshua Ogle <joshua@joshuaogle.com>

* more comments

* actually render the label if passed and update stories with knobs
2019-10-14 13:23:29 -05:00
Brian Kassouf 1167fad704
Improve raft write performance by utilizing FSM Batching (#7527)
* Start benchmark work

* Add batching FSM function

* dedupe some code

* Update dependency on chunking FSM

* fix raft external tests

* fix go.mod

* Add batching test

* uncomment test

* update raft deps

* update vendor

* Update physical/raft/fsm.go

Co-Authored-By: Michel Vocks <michelvocks@gmail.com>

* Update physical/raft/fsm.go
2019-10-14 09:25:07 -06:00
Brian Kassouf 024c29c36a
OSS portions of raft non-voters (#7634)
* OSS portions of raft non-voters

* add file

* Update vault/raft.go

Co-Authored-By: Vishal Nayak <vishalnayak@users.noreply.github.com>
2019-10-11 11:56:59 -07:00
isbric e6e20e9eb3 Correct spelling of error message (#7630) 2019-10-11 11:14:41 -04:00
ncabatoff c16e3bbceb
Cache whether we've been initialized to reduce load on storage (#7549) 2019-10-08 17:52:38 -04:00
Mike Jarmy 5986ce922d
add counters for active service tokens, and identity entities (#7541) 2019-10-08 13:58:19 -04:00
Calvin Leung Huang d8875b1991
sys/config: config state endpoint (#7424)
* sys/config: initial work on adding config state endpoint

* server/config: add tests, fix Sanitized method

* thread config through NewTestCluster's config to avoid panic on dev modes

* properly guard endpoint against request forwarding

* add http tests, guard against panics on nil RawConfig

* ensure non-nil rawConfig on NewTestCluster cores

* update non-forwarding logic

* fix imports; use no-forward handler

* add missing config test fixture; update gitignore

* return sanitized config as a map

* fix test, use deep.Equal to check for equality

* fix http test

* minor comment fix

* config: change Sanitized to return snake-cased keys, update tests

* core: hold rlock when reading config; add docstring

* update docstring
2019-10-08 10:57:15 -07:00
Michel Vocks a0c122926a
Unauth metrics: Fix missing parse form and error response (#7569)
* Unauth metrics: Fix missing parse form and error response

* Change metrics error response to text/plain content type always
2019-10-08 14:55:25 +02:00
Brian Shumate 66a3218331 Typo (#7586) 2019-10-07 08:08:18 -07:00
Michel Vocks a7a6dd55a5
Add config parameter to allow unauthenticated metrics access (#7550)
* Implement config parameter to allow unathenticated metricss access

* Add unit test for unauthenticated metrics access parameter

* go mod tidy
2019-10-04 09:29:51 +02:00
Calvin Leung Huang 8239612352
sys/pprof: fix pprof index description (#7564) 2019-10-03 17:02:41 -07:00
Calvin Leung Huang 920fa1452b
sys/host-info: fix host-info description typo (#7565) 2019-10-03 17:02:19 -07:00
Michael Gaffney 6b1e1909e9
core: re-encrypt barrier and recovery keys if the unseal key is updated (#7493)
Seal keys can be rotated. When this happens, the barrier and recovery
keys should be re-encrypted with the new seal key. This change
automatically re-encrypts the barrier and recovery keys with the latest
seal key on the active node during the 'postUnseal' phase.
2019-10-03 16:40:18 -04:00
Calvin Leung Huang 3f1c7c86a0
sys: add host-info endpoint (#7330)
* sys: add host-info endpoint, add client API method

* remove old commented handler

* add http tests, fix bugs

* query all partitions for disk usage

* fix Timestamp decoding

* add comments for clarification

* dont append a nil entry on disk usage query error

* remove HostInfo from the sdk api

We can use Logical().Read(...) to query this endpoint since the payload is contained with the data object. All warnings are preserved under Secret.Warnings.

* ensure that we're testing failure case against a standby node

* add and use TestWaitStandby to ensure core is on standby

* remove TestWaitStandby

* respond with local-only error

* move HostInfo into its own helper package

* fix imports; use new no-forward handler

* add cpu times to collection

* emit clearer multierrors/warnings by collection type

* add comments on HostInfo fields
2019-10-03 09:43:52 -07:00
David Adams 98a6a428c0 Add response_types_supported to OIDC configuration (#7533)
The OIDC Discovery standard requires the response_types_supported field
to be returned in the .well-known/openid-configuration response.

Also, the AWS IAM OIDC consumer won't accept Vault as an identity
provider without this field.

Based on examples in the OIDC Core documentation, it appears Vault
supports only the `id_token` flow, and thus that is the only value that
makes sense to be set in this field. See:

https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationExamples
2019-10-02 08:59:57 -07:00
ncabatoff e7fe4b6d92
Return a useful error on attempts to renew a token via sys/leases/renew (#7298) 2019-10-02 10:55:20 -04:00
Vishal Nayak c84f804f48
Fix identity case sensitivity loading in secondary cluster (#7327)
* Fix identity case sensitivity loading in secondary cluster

* Add nil check
2019-09-30 10:27:25 -04:00
Connor Zapfel f09b88b71e Added sys/health path-help content (#7360) 2019-09-26 13:16:21 -07:00
Calvin Leung Huang f4fd84d52b
sys: add pprof endpoint (#7473)
* sys/pprof: add pprof routes to the system backend

* sys/pprof: add pprof paths to handler with local-only check

* fix trailing slash on pprof index endpoint

* use new no-forward handler on pprof

* go mod tidy

* add pprof external tests

* disallow streaming requests to exceed DefaultMaxRequestDuration

* add max request duration test
2019-09-19 13:44:37 -07:00
Lars Lehtonen 404cb5f6dd Fix token_store_test.go (#7490)
* vault: fix dropped error in test goroutine

* vault: fix dropped test errors
2019-09-18 14:18:08 -07:00
Matthew Irish 6e4cc02f4d
expose 'storage_type' on the sys/seal-status endpoint (#7486)
* expose 'storage_type' on the sys/seal-status endpoint

* add comments

* Update vault/core.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>
2019-09-18 14:07:18 -05:00
Calvin Leung Huang 0caff07201
testing: set MetricsHelper if it not provided through base config (#7480) 2019-09-16 17:50:51 -07:00
Calvin Leung Huang 801e15ffe3
http: add handleLogicalNoForward handler for local-only requests (#7482)
* http: add handleLogicalNoForward handler for local-only requests

* fix missing no-forward case; add docstring

* add docstring for handleLogicalInternal

* fix docstring reference

* fix comment on not-ok case
2019-09-16 17:50:28 -07:00
Jeff Mitchell a965378b17
Support batch tokens in renewer and caching proxy for transit auto-unseal (#7441)
Currently this uses a fork of the api.Renewer code, which we should consolidate in 1.3.
2019-09-09 12:58:28 -07:00
Calvin Leung Huang ec64b7c672
logical/request: store the entire http.Request object instead (#7412)
This allows logical operations (along with a non-nil response writer) to
process http handler funcs within the operation function while keeping
auth and audit checks that the logical request flow provides.
2019-09-06 12:40:15 -07:00
Vu Pham 3e06f71ea8 OCI KMS auto-unseal plugin (#6950) 2019-09-04 12:40:54 -07:00
ncabatoff ed147b7ae7
Make clusterListener an atomic.Value to avoid races with getGRPCDialer. (#7408) 2019-09-03 11:59:56 -04:00
Jeff Mitchell 9816963355
Move SudoPrivilege out of SystemView (#7266)
* Move SudoPrivilege out of SystemView

We only use this in token store and it literally doesn't work anything
that isn't the token store or system mount, so we should stop exposing
something that doesn't work.

* Reconcile extended system view with sdk/logical a bit and put an explanation for why SudoPrivilege isn't moved over
2019-08-26 10:23:46 -04:00
ncabatoff 366add2979
Generalization of the PhysicalFactory notion introduced by Raft (#7217)
Generalization of the PhysicalFactory notion introduced by Raft, so it can be used by other storage backends in tests.  These are the OSS changes needed for my rework of the ent integ tests and cluster helpers.
2019-08-23 15:51:25 -04:00
Najib Ben 64936d5038 Remove 512 entity limit for groups (#7317)
* Consul 1.5.3 has configurable value limit for KV storage
* Integrated Raft
2019-08-14 13:47:11 -04:00
Jim Kalafut 72a15422d5
Fix identity store 'key not found' response (#7267)
The existing custom response results in a 400 instead of the typical
404 which confuses the Terraform provider (and is inconsistent).
2019-08-07 09:46:45 -07:00
ncabatoff e1f8a82d81
Create test cores with an error injector. (#7243)
It's created with a 0% error rate, which means it's a no-op, but tests can opt-in to errors when
needed via core.underlyingPhysical.
2019-08-06 15:21:23 -04:00
Michel Vocks 90f7f89f22 Fix create token sudo non-root namespace check (#7224)
* Fix create token sudo non-root namespace check

* Moved path trimming to SudoPrivilege

* Changed to tokenCtx instead of request ctx

* Use root context for AllowOperation; details in comment
2019-08-05 16:03:47 -04:00
Jeff Mitchell f0a9d9910f
Revert "Generalize and improve testcluster-building code (#7177)" (#7212)
This reverts commit d177fc7dd1aa7beda8b1c5bf5a8a4e85d725cca5.
2019-07-30 01:04:06 -04:00
Brian Kassouf b83aaf7331
storage/raft: Support storage migration to raft storage (#7207)
* Support raft in the migration command

* Add comments
2019-07-29 13:05:43 -07:00
Lexman cf00988a49
also flush nilNamespace when a namespace is flushed in the identity/oidc backend (#7203)
* also flush nilNamespace when a namespace is flushed

* adds test cases with nilNamespace.ID

* adds a test case

* adds a test for oidcCache.Flush

* fixed a typo in an error message
2019-07-26 19:53:40 -07:00
ncabatoff 7512a71a4c
Generalize and improve testcluster-building code (#7177)
There are a few different things happening in this change.  First, some code that previously lived in enterprise has moved here: this includes some helper code for manipulating clusters and for building storage backends.  Second, the existing cluster-building code using inmem storage has been generalized to allow various storage backends. Third, added support for creating two-cluster DR setups. Finally, there are tweaks to handle edge cases that
result in intermittent failures, or to eliminate sleeps in favour of polling to detect state changes.

Also: generalize TestClusterOptions.PhysicalFactory so it can be used either
as a per-core factory (for raft) or a per-cluster factory (for other
storage backends.)
2019-07-26 16:42:51 -04:00
Jeff Mitchell 34fe00c9a8 Sync over 2019-07-25 08:43:59 -04:00
Brian Kassouf a77995cdb1 Ensure raft configuration properly lists the leader (#7188) 2019-07-25 08:41:14 -04:00
Nicolas Corrarello 446b564a2c Add maximum amount of random entropy requested (#7144)
* Add maximum amount of random characters requested at any given time

* Readability changes

* Removing sys/tools/random from the default policy

* Setting the maxBytes value as const

* Declaring maxBytes in the package to use it everywhere

* Using maxBytes in the error message
2019-07-24 18:22:23 -07:00
ncabatoff bea627f410
Close and flush perf standby conns/cache when sealing. (#7183) 2019-07-24 16:32:57 -04:00
ncabatoff f8cefa9b18
When cleaning up a TestCluster, set each core's logger to level Error. (#7124)
This eliminates a bunch of noise at the end of a test's logs, making it
easier to diagnose test failures.

Add TestCluster.Logger.  This is intendend to be used when test helpers
want to log something. If TestClusterOptions.Logger is non-nil, it will
be used as the cluster logger, otherwise we create one based on test
name.  In the absence of CoreConfig.Logger, this logger is also used as
the parent of each core's log.  This makes it easy when running parallel
tests to identify which log message came from which test.
2019-07-23 15:17:37 -04:00
Lexman d59a2daf8b
flush identity/oidc cache by namespace (#7167)
* flush identity/oidc cache by namespace

* separates and unit tests the logic that looks for a namespace id within a namespace key

* applies pr feedback

* renames nskeyContainsID to isNamespacedKey
2019-07-23 12:47:33 -04:00
Jeff Mitchell 19f669a52f Sync some changes that weren't properly pulled over 2019-07-22 13:11:00 -04:00
Christian Muehlhaeuser e6febc5839 Fixed a bunch of typos (#7146) 2019-07-18 21:10:15 -04:00
Jeff Mitchell 66aef1f996
Make rollback less spammy (#7136)
We already have a separate log line if rollback fails. It really fills
up logs to always note when rollback is occurring and it usually isn't
useful for incidents.
2019-07-18 21:05:21 -04:00
Lexman 119854a865
adds Cache-Control header to oidc .well-known endpoints (#7108) 2019-07-15 11:04:45 -07:00
Becca Petrin 974c381c7a
Fix "internal/specs/openapi" endpoint (#7097)
* fix panic generating openapi docs

* fmt
2019-07-09 15:10:39 -07:00
Jeff Mitchell ff40dd30e0 Add a missing lock to cluster handler 2019-07-09 03:46:08 -04:00
Jeff Mitchell d810758ca2
Rerun proto gen as some got gen'd with old proto version (#7090) 2019-07-09 01:02:20 +02:00
Jeff Mitchell 2cb16e3a9c
Fix nil pointer panic in wrapping validation (#7077)
Wrapping validation was deferring the function to audit log before
actually checking if we were sealed or standby, and without having the
read lock grabbed.
2019-07-05 22:31:03 -04:00
Brian Kassouf b0cfcc003d Bind entry to initalize locally 2019-07-05 18:37:10 -07:00
Mike Jarmy e0ce2195cc AWS upgrade role entries (#7025)
* upgrade aws roles

* test upgrade aws roles

* Initialize aws credential backend at mount time

* add a TODO

* create end-to-end test for builtin/credential/aws

* fix bug in initializer

* improve comments

* add Initialize() to logical.Backend

* use Initialize() in Core.enableCredentialInternal()

* use InitializeRequest to call Initialize()

* improve unit testing for framework.Backend

* call logical.Backend.Initialize() from all of the places that it needs to be called.

* implement backend.proto changes for logical.Backend.Initialize()

* persist current role storage version when upgrading aws roles

* format comments correctly

* improve comments

* use postUnseal funcs to initialize backends

* simplify test suite

* improve test suite

* simplify logic in aws role upgrade

* simplify aws credential initialization logic

* simplify logic in aws role upgrade

* use the core's activeContext for initialization

* refactor builtin/plugin/Backend

* use a goroutine to upgrade the aws roles

* misc improvements and cleanup

* do not run AWS role upgrade on DR Secondary

* always call logical.Backend.Initialize() when loading a plugin.

* improve comments

* on standbys and DR secondaries we do not want to run any kind of upgrade logic

* fix awsVersion struct

* clarify aws version upgrade

* make the upgrade logic for aws auth more explicit

* aws upgrade is now called from a switch

* fix fallthrough bug

* simplify logic

* simplify logic

* rename things

* introduce currentAwsVersion const to track aws version

* improve comments

* rearrange things once more

* conglomerate things into one function

* stub out aws auth initialize e2e test

* improve aws auth initialize e2e test

* finish aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* fix typo in test suite

* simplify logic a tad

* rearrange assignment

* Fix a few lifecycle related issues in #7025 (#7075)

* Fix panic when plugin fails to load
2019-07-05 16:55:40 -07:00
Jeff Mitchell ffce5ca702 Fix various read only storage errors
* Fix various read only storage errors

A mistake we've seen multiple times in our own plugins and that we've
seen in the GCP plugin now is that control flow (how the code is
structured, helper functions, etc.) can obfuscate whether an error came
from storage or some other Vault-core location (in which case likely it
needs to be a 5XX message) or because of user input (thus 4XX). Error
handling for functions therefore often ends up always treating errors as
either user related or internal.

When the error is logical.ErrReadOnly this means that treating errors as
user errors skips the check that triggers forwarding, instead returning
a read only view error to the user.

While it's obviously more correct to fix that code, it's not always
immediately apparent to reviewers or fixers what the issue is and fixing
it when it's found both requires someone to hit the problem and report
it (thus exposing bugs to users) and selective targeted refactoring that
only helps that one specific case.

If instead we check whether the logical.Response is an error and, if so,
whether it contains the error value, we work around this in all of these
cases automatically. It feels hacky since it's a coding mistake, but
it's one we've made too multiple times, and avoiding bugs altogether is
better for our users.
2019-07-05 18:13:49 -04:00
Brian Kassouf 19910f6c77
core: Don't shutdown if key upgrades fail due to canceled context (#7070)
* core: Don't shutdown if key upgrades fail due to canceled context

* Continue if we are not shutting down
2019-07-05 14:19:15 -07:00
Calvin Leung Huang 5428ab50ee audit: log invalid wrapping token request/response (#6541)
* audit: log invalid wrapping token request/response

* Update helper/consts/error.go

Co-Authored-By: calvn <cleung2010@gmail.com>

* update error comments

* Update vault/wrapping.go

Co-Authored-By: calvn <cleung2010@gmail.com>

* update comment

* move validateWrappingToken out of http and into logical

* minor refactor, add test cases

* comment rewording

* refactor validateWrappingToken to perform audit logging

* move ValidateWrappingToken back to wrappingVerificationFunc

* Fix tests

* Review feedback
2019-07-05 14:15:14 -07:00
Brian Kassouf 4d7d0d729a
storage/raft: When restoring a snapshot preseal first (#7011)
* storage/raft: When restoring a snapshot preseal first

* best-effort allow standbys to apply the restoreOp before sealing active node

* Don't cache the raft tls key

* Update physical/raft/raft.go

* Move pending raft peers to core

* Fix race on close bool

* Extend the leaderlease time for tests

* Update raft deps

* Fix audit hashing

* Fix race with auditing
2019-07-03 13:56:30 -07:00
Jim Kalafut ee84319f4f
Fix issuer (#7064) 2019-07-03 13:52:29 -07:00
Lexman 19b67fc617
Fixed some typos in an error message in the OIDC backend that can arise when signing a token against a role (#7059)
* fixes a typo in an error message

* error msg shouldn't start with a capital letter
2019-07-03 09:31:31 -07:00
Jim Kalafut d38468aacb
Remove unneeded context parameter (#7057) 2019-07-03 07:12:46 -07:00
Jeff Mitchell d7cabc2174
Change regexes for reading entity/group names (#7055)
We don't restrict the name itself, so we shouldn't restrict lookup.

Fixes #7054
2019-07-03 08:56:01 -04:00
Lexman 439d773683
Refactor periodic func test in the OIDC backend to work with namespaces (#7050)
* adds allowed_roles field to identity token keys and updates tests

* removed a comment that was redundant

* allowed_roles uses role client_id s instead of role names

* renamed allowed_roles to allowed_clients

* renamed allowed_clients to allowed_clientIDs

* WIP

* Kinda working?

* Handle nil during rotation

* Update discovery document

* WIP

* removes some warning messages and checks on keys when creating a role

* Path issuer ns/specific

* Fix nspath handling

* Update issuer handling

* Add locking around key updates

* Cleanup

* Fix nextRun handling

* saving work

* Include namespace in token

* saving work

* saving work

* happy path

* saving work

* sharing debug msgs

* Merge branch 'master' into refactor_periodic_func_test

# Conflicts:
#	vault/identity_store_oidc.go
#	vault/identity_store_oidc_test.go

* use MatchingStorageByAPIPath instead of logical.InmemStorage
2019-07-02 22:23:18 -07:00
Jeff Mitchell 16479c503d Fix another backwards compat issue 2019-07-03 00:11:51 -04:00
Jeff Mitchell fd856bdd24
Fix some compatibility (#7048) 2019-07-02 23:29:42 -04:00
Jim Kalafut 2721c3a629
Namespace support for identity tokens (#7045) 2019-07-02 20:15:43 -07:00
Jeff Mitchell a3fc497fec
Fix batch token test (#7047)
At the level of role config it doesn't mean anything to use
default-service or default-batch; that's for mount tuning. So disallow
it in tokenutil. This also fixes the fact that the switch statement
wasn't right.
2019-07-02 22:16:43 -04:00
ncabatoff d2beeefe79
Add support for hashing time.Time within slices (#6767)
Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters.  

Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs.  HashStructure now modifies in place instead of copying.

Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed.

Enable auditing on test clusters by default if the caller didn't specify any audit backends.  If they do, they're responsible for setting it up.
2019-07-02 18:18:40 -04:00
Lexman b74591f934
adds allowed_client_ids field to identity token named keys (#6993)
* adds allowed_roles field to identity token keys and updates tests

* removed a comment that was redundant

* allowed_roles uses role client_id s instead of role names

* renamed allowed_roles to allowed_clients

* renamed allowed_clients to allowed_clientIDs

* removes some warning messages and checks on keys when creating a role

* removes name field being set unneededly
2019-07-02 14:46:22 -07:00
Jeff Mitchell d7243f910a
Re-enable toggling renewable off for tokens (#7043)
Earlier in tokenutil's dev it seemed like there was no reason to allow
auth plugins to toggle renewability off. However, it turns out Centrify
makes use of this for sensible reasons. As a result, move the forcing-on
of renewability into tokenutil, but then allow overriding after
PopulateTokenAuth is called.
2019-07-02 10:23:46 -04:00
Jeff Mitchell edf0f3cbbd Use metrics helper from base in test cluster cores 2019-07-01 12:08:55 -04:00
Michel Vocks 2b5aca4300
Token identity support (#6267)
* Implemented token backend support for identity

* Fixed tests

* Refactored a few checks for the token entity overwrite. Fixed tests.

* Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list

* go mod vendor

* Added glob pattern

* Optimized allowed entity alias check

* Added test for asterisk only

* Changed to glob pattern anywhere

* Changed response code in case of failure. Changed globbing pattern check. Added docs.

* Added missing token role get parameter. Added more samples

* Fixed failing tests

* Corrected some cosmetical review points

* Changed response code for invalid provided entity alias

* Fixed minor things

* Fixed failing test
2019-07-01 11:39:54 +02:00
Jeff Mitchell e18866498d Fix tests 2019-06-30 21:03:36 -04:00
Jeff Mitchell 5435645bb6
Fix upgrade logic with tokenutil (#7026)
If only a non-_token field is provided we don't want to clear out the
Token version of the params, we want to set both. Otherwise we can't
rely on using the Token version of the parameter when creating the Auth
struct.
2019-06-30 14:24:41 -04:00
Vishal Nayak 6dbd8c228f
Raft tests (#7008)
* Add join test

* Add configuration test

* Add remove peer test

* Test join with and without client certs
2019-06-28 14:08:53 -04:00
Jeff Mitchell 14303c475b Check ctx again after getting state lock when forwarding 2019-06-27 20:36:16 -04:00
Jeff Mitchell fe7bb0b630
Standardize how we format deprecated values in traditional path-help (#7007) 2019-06-27 14:52:52 -04:00
Brian Kassouf 62e14c280d
storage/raft: fix races in tests (#6996)
* storage/raft: fix races in tests

* Fix another test race
2019-06-27 10:00:03 -07:00
Jim Kalafut 15b68c35c3
Support EC and EdDSA in identity tokens (#6992) 2019-06-27 08:34:48 -07:00
dr-db 720db0ffbc Fix the doc string for IsFatalError (#7000) 2019-06-27 12:50:47 +02:00
Lexman 4b01a6b95c
adds tests for the identity/oidc backend (#6964)
* adds several tests

* use deep.Equal to validate responses

* use deep.Equal in a few other places
2019-06-25 12:55:20 -07:00
Jeff Mitchell b700389cdd Fix test 2019-06-23 23:05:51 -04:00
Jeff Mitchell cf93f60bb1
Allow turning on client auth in test clusters (#6958) 2019-06-23 21:50:27 -04:00
Brian Kassouf 17b46e2979
Fix key upgrade and raft tests (#6949) 2019-06-21 11:38:21 -06:00
Jim Kalafut 2bf5db4fe8 Add OIDC token generation to Identity (#6900)
* Add OIDC token generation to Identity

There are a few open TODOs and some remaining cleanup, but this is
functionally complete and ready for review.

(Tests will being added soon.)

* Simplified key update endpoint

* Cache the config

* Fix Issuer handling

* Suppose base64-encoded templates (#6919)

* Cache JWKS and switch to go-cache (#6918)

* Address review comments

* Add warning if neither Issue nor api_addr are set

* adds tests (#6937)

* adds help synopsis and descriptions to the framework path for the oid… (#6930)

* adds help synopsis and descriptions to the framework path for the oidc backend

* Update vault/identity_store_oidc.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* Add Now parameter to PopulateStringInput

* Addressing review comments

* Refactor template processing to improve mode-specific handling

* adds a test for the periodic func (#6943)

* adds a test for the periodic func

* removes commented out code

* adds a comment

* Add comments
2019-06-21 10:23:39 -07:00
Vishal Nayak 53035ce390
Raft CLI (#6893)
* raft cli

* Reuse the command's client

* Better response handling

* minor touchups
2019-06-20 21:32:00 -04:00
Jeff Mitchell 07dcdc8b79 Sync 2019-06-20 20:55:10 -04:00
Jeff Mitchell 7966231d88
Port some stuff (#6939)
* Port some fixes

* Sync some updates
2019-06-20 16:02:11 -04:00
Brian Kassouf ed14061578
Raft Storage Backend (#6888)
* Work on raft backend

* Add logstore locally

* Add encryptor and unsealable interfaces

* Add clustering support to raft

* Remove client and handler

* Bootstrap raft on init

* Cleanup raft logic a bit

* More raft work

* Work on TLS config

* More work on bootstrapping

* Fix build

* More work on bootstrapping

* More bootstrapping work

* fix build

* Remove consul dep

* Fix build

* merged oss/master into raft-storage

* Work on bootstrapping

* Get bootstrapping to work

* Clean up FMS and node-id

* Update local node ID logic

* Cleanup node-id change

* Work on snapshotting

* Raft: Add remove peer API (#906)

* Add remove peer API

* Add some comments

* Fix existing snapshotting (#909)

* Raft get peers API (#912)

* Read raft configuration

* address review feedback

* Use the Leadership Transfer API to step-down the active node (#918)

* Raft join and unseal using Shamir keys (#917)

* Raft join using shamir

* Store AEAD instead of master key

* Split the raft join process to answer the challenge after a successful unseal

* get the follower to standby state

* Make unseal work

* minor changes

* Some input checks

* reuse the shamir seal access instead of new default seal access

* refactor joinRaftSendAnswer function

* Synchronously send answer in auto-unseal case

* Address review feedback

* Raft snapshots (#910)

* Fix existing snapshotting

* implement the noop snapshotting

* Add comments and switch log libraries

* add some snapshot tests

* add snapshot test file

* add TODO

* More work on raft snapshotting

* progress on the ConfigStore strategy

* Don't use two buckets

* Update the snapshot store logic to hide the file logic

* Add more backend tests

* Cleanup code a bit

* [WIP] Raft recovery (#938)

* Add recovery functionality

* remove fmt.Printfs

* Fix a few fsm bugs

* Add max size value for raft backend (#942)

* Add max size value for raft backend

* Include physical.ErrValueTooLarge in the message

* Raft snapshot Take/Restore API  (#926)

* Inital work on raft snapshot APIs

* Always redirect snapshot install/download requests

* More work on the snapshot APIs

* Cleanup code a bit

* On restore handle special cases

* Use the seal to encrypt the sha sum file

* Add sealer mechanism and fix some bugs

* Call restore while state lock is held

* Send restore cb trigger through raft log

* Make error messages nicer

* Add test helpers

* Add snapshot test

* Add shamir unseal test

* Add more raft snapshot API tests

* Fix locking

* Change working to initalize

* Add underlying raw object to test cluster core

* Move leaderUUID to core

* Add raft TLS rotation logic (#950)

* Add TLS rotation logic

* Cleanup logic a bit

* Add/Remove from follower state on add/remove peer

* add comments

* Update more comments

* Update request_forwarding_service.proto

* Make sure we populate all nodes in the followerstate obj

* Update times

* Apply review feedback

* Add more raft config setting (#947)

* Add performance config setting

* Add more config options and fix tests

* Test Raft Recovery (#944)

* Test raft recovery

* Leave out a node during recovery

* remove unused struct

* Update physical/raft/snapshot_test.go

* Update physical/raft/snapshot_test.go

* fix vendoring

* Switch to new raft interface

* Remove unused files

* Switch a gogo -> proto instance

* Remove unneeded vault dep in go.sum

* Update helper/testhelpers/testhelpers.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* Update vault/cluster/cluster.go

* track active key within the keyring itself (#6915)

* track active key within the keyring itself

* lookup and store using the active key ID

* update docstring

* minor refactor

* Small text fixes (#6912)

* Update physical/raft/raft.go

Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>

* review feedback

* Move raft logical system into separate file

* Update help text a bit

* Enforce cluster addr is set and use it for raft bootstrapping

* Fix tests

* fix http test panic

* Pull in latest raft-snapshot library

* Add comment
2019-06-20 12:14:58 -07:00
Clint b55303eddb
Combined Database Backend: Static Accounts (#6834)
* Add priority queue to sdk

* fix issue of storing pointers and now copy

* update to use copy structure

* Remove file, put Item struct def. into other file

* add link

* clean up docs

* refactor internal data structure to hide heap method implementations. Other cleanup after feedback

* rename PushItem and PopItem to just Push/Pop, after encapsulating the heap methods

* updates after feedback

* refactoring/renaming

* guard against pushing a nil item

* minor updates after feedback

* Add SetCredentials, GenerateCredentials gRPC methods to combined database backend gPRC

* Initial Combined database backend implementation of static accounts and automatic rotation

* vendor updates

* initial implementation of static accounts with Combined database backend, starting with PostgreSQL implementation

* add lock and setup of rotation queue

* vendor the queue

* rebase on new method signature of queue

* remove mongo tests for now

* update default role sql

* gofmt after rebase

* cleanup after rebasing to remove checks for ErrNotFound error

* rebase cdcr-priority-queue

* vendor dependencies with 'go mod vendor'

* website database docs for Static Role support

* document the rotate-role API endpoint

* postgres specific static role docs

* use constants for paths

* updates from review

* remove dead code

* combine and clarify error message for older plugins

* Update builtin/logical/database/backend.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* cleanups from feedback

* code and comment cleanups

* move db.RLock higher to protect db.GenerateCredentials call

* Return output with WALID if we failed to delete the WAL

* Update builtin/logical/database/path_creds_create.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* updates after running 'make fmt'

* update after running 'make proto'

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* update comment and remove and rearrange some dead code

* Update website/source/api/secret/databases/index.html.md

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* cleanups after review

* Update sdk/database/dbplugin/grpc_transport.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* code cleanup after feedback

* remove PasswordLastSet; it's not used

* document GenerateCredentials and SetCredentials

* Update builtin/logical/database/path_rotate_credentials.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* wrap pop and popbykey in backend methods to protect against nil cred rotation queue

* use strings.HasPrefix instead of direct equality check for path

* Forgot to commit this

* updates after feedback

* re-purpose an outdated test to now check that static and dynamic roles cannot share a name

* check for unique name across dynamic and static roles

* refactor loadStaticWALs to return a map of name/setCredentialsWAL struct to consolidate where we're calling set credentials

* remove commented out code

* refactor to have loadstaticwals filter out wals for roles that no longer exist

* return error if nil input given

* add nil check for input into setStaticAccount

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* add constant for queue tick time in seconds, used for comparrison in updates

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Jim Kalafut <jim@kalafut.net>

* code cleanup after review

* remove misplaced code comment

* remove commented out code

* create a queue in the Factory method, even if it's never used

* update path_roles to use a common set of fields, with specific overrides for dynamic/static roles by type

* document new method

* move rotation things into a specific file

* rename test file and consolidate some static account tests

* Update builtin/logical/database/path_roles.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update builtin/logical/database/rotation.go

Co-Authored-By: Brian Kassouf <briankassouf@users.noreply.github.com>

* update code comments, method names, and move more methods into rotation.go

* update comments to be capitalized

* remove the item from the queue before we try to destroy it

* findStaticWAL returns an error

* use lowercase keys when encoding WAL entries

* small cleanups

* remove vestigial static account check

* remove redundant DeleteWAL call in populate queue

* if we error on loading role, push back to queue with 10 second backoff

* poll in initqueue to make sure the backend is setup and can write/delete data

* add revoke_user_on_delete flag to allow users to opt-in to revoking the static database user on delete of the Vault role. Default false

* add code comments on read-only loop

* code comment updates

* re-push if error returned from find static wal

* add locksutil and acquire locks when pop'ing from the queue

* grab exclusive locks for updating static roles

* Add SetCredentials and GenerateCredentials stubs to mockPlugin

* add a switch in initQueue to listen for cancelation

* remove guard on zero time, it should have no affect

* create a new context in Factory to pass on and use for closing the backend queue

* restore master copy of vendor dir
2019-06-19 14:45:39 -05:00
Jeff Mitchell 3f1c510bc9
Fix a deadlock if a panic happens during request handling (#6920)
* Fix a deadlock if a panic happens during request handling

During request handling, if a panic is created, deferred functions are
run but otherwise execution stops. #5889 changed some locks to
non-defers but had the side effect of causing the read lock to not be
released if the request panicked. This fixes that and addresses a few
other potential places where things could go wrong:

1) In sealInitCommon we always now defer a function that unlocks the
read lock if it hasn't been unlocked already
2) In StepDown we defer the RUnlock but we also had two error cases that
were calling it manually. These are unlikely to be hit but if they were
I believe would cause a panic.

* Add panic recovery test
2019-06-19 09:40:57 -04:00
Becca Petrin f6703c3630 fix test 2019-06-18 14:04:08 -07:00
Jeff Mitchell 8603573611 Update group alias handling to better protect against namespace differences
Also, allow canonical ID to be switched
2019-06-18 16:43:30 -04:00
Jeff Mitchell 8ae4149703 Update description field for some token store role values to be accurate 2019-06-18 11:33:56 -04:00
Jeff Mitchell d65a716b63 Add a force capability to delete in the policy store
This allows us to truly delete policies when we've either invalidated it
(which since they're singletons/default should only happen when we're
doing a namespace delete) or are doing a namespace delete on the local
node.
2019-06-18 10:25:57 -04:00
Jeff Mitchell 1e1e7c9321 Fix some tests 2019-06-17 17:02:34 -04:00
ncabatoff 006bab1e49
Add new license callback init step for logical backends. (#6887) 2019-06-17 14:11:35 -04:00
Jeff Mitchell 1ea0c0314a
Prevent entity alias creation when entity is in different NS than mount (#943) (#6886) 2019-06-14 12:53:00 -04:00
Jeff Mitchell 402ba1b0f0
Tokenhelper v2 (#6662)
This provides an sdk util for common token fields and parsing and plumbs it into token store roles.
2019-06-14 10:17:04 -04:00
Brian Kassouf 934b497101
Clear the Barrier AEAD cache on keyring reload (#6870)
* Clear the barrier's AEAD cache on keyring reload

* Update barrier_aes_gcm_test.go
2019-06-12 08:56:16 -07:00
Calvin Leung Huang 08e17cc111
core: add generic request forwarding bits to oss (#6866) 2019-06-11 13:13:03 -07:00
ncabatoff cc41e608dc
Add core.coreNumber field, used to differentiate multiple cores/clusters when running tests (#6855)
This is not used or exposed in prod.

Remove some test-specific code from the cluster-building helpers. The corresponding additions go on the ent side.
2019-06-10 14:07:16 -04:00
Jeff Mitchell c02abb969c
Attempt to grab read statelock in emit metrics to remove some raciness (#6829) 2019-06-05 12:26:29 -04:00
Michael Gaffney 055c5ff311
Fix data race in kvv2_upgrade_test (#6825) 2019-06-04 18:48:31 -04:00
Jeff Mitchell 5f7321dcc7 Fix a case where mounts could be duplicated (#6771)
When unmounting, the router entry would be tainted, preventing routing.
However, we would then unmount the router before clearing storage, so if
an error occurred the router would have forgotten the path. For auth
mounts this isn't a problem since they had a secondary check, but
regular mounts didn't (not sure why, but this is true back to at least
0.2.0). This meant you could then create a duplicate mount using the
same path which would then not conflict in the router until postUnseal.

This adds the extra check to regular mounts, and also moves the location
of the router unmount.

This also ensures that on the next router.Mount, tainted is set to the
mount entry's tainted status.

Fixes #6769
2019-06-04 10:33:36 -07:00
tonyd 0570966cb9 Allow logical backends access to the disabled state of an entity (#6791)
* Allow logical backends access to the disabled state of an entity via SystemView.EntityInfo().

* Add generated file in vendor directory.
2019-05-28 16:31:50 -05:00
ncabatoff ad28263b69
Allow plugins to submit audit requests/responses via extended SystemView (#6777)
Move audit.LogInput to sdk/logical.  Allow the Data values in audited
logical.Request and Response to implement OptMarshaler, in which case
we delegate hashing/serializing responsibility to them.  Add new
ClientCertificateSerialNumber audit request field.

SystemView can now be cast to ExtendedSystemView to expose the Auditor
interface, which allows submitting requests and responses to the audit
broker.
2019-05-22 18:52:53 -04:00
Jeff Mitchell ec3ea45858
Update grpc and protos (#6725)
gRPC updated to 1.20.1 which fixes a couple of important bugs.

Updates protos as well.
2019-05-13 12:09:30 -04:00
Vishal Nayak 550f2a52bd
Storage packer V1 updates (#6531)
* spv1 updates

* fix tests
2019-05-07 15:29:51 -04:00
Jeff Mitchell e8a9d47aca
Port over some SP v2 bits (#6516)
* Port over some SP v2 bits

Specifically:

* Add too-large handling to Physical (Consul only for now)
* Contextify some identity funcs
* Update SP protos

* Add size limiting to inmem storage
2019-05-01 13:47:41 -04:00
EdwinRobbins de885660e8 DynamoDB: Make Unlock key delete conditional on being old leader's (#6637) 2019-04-30 17:44:47 -07:00
Jim Kalafut eb8ea30ca6
List additional sys paths as unauthenticated (#6654)
These paths are handled directly in handler.go, but the list of special
paths here impacts the x-vault-unauthenticated field in generated
OpenAPI.

Fixes: #6651
2019-04-29 16:42:23 -07:00
Calvin Leung Huang 262608c2c0
core: honor non-HMAC keys in audit requests (#6653) 2019-04-29 13:14:26 -07:00
Mark Gritter ed722d8013
Merge branch 'master' into fix-6579 2019-04-29 11:52:24 -05:00
mgritter be2f69bc4a Check nil parameter value when processing an ACL. 2019-04-26 15:57:00 -07:00
Michel Vocks 23d50af9bb Fixed wrong imports in test after refactoring (#6639) 2019-04-25 09:08:03 -07:00
Brian Kassouf 04d0ddfdae
Add mount UUID to the secret and auth list API responses (#6633) 2019-04-24 12:27:43 -07:00
Chris Hoffman 25cd6da6a4
refactoring to unit test transit seal (#6605) 2019-04-23 15:13:56 -04:00
Jeff Mitchell a4285a487d Sync plugin reload file 2019-04-23 10:22:56 -04:00
ncabatoff 06574da57a
Merge multiple functions for creating consul containers into one. (#6612)
Merge both functions for creating mongodb containers into one.
Add retries to docker container cleanups.
Require $VAULT_ACC be set to enable AWS tests.
2019-04-22 12:26:10 -04:00
Jeff Mitchell 9a7eb54a68 Merge branch '1.1.2' into master-oss 2019-04-18 18:49:49 -04:00
Brian Kassouf 8afbb0ba46
Add a get handler function (#6603) 2019-04-17 14:21:56 -07:00
Brian Kassouf 43783a5dca
Move cluster logic out of vault package (#6601)
* Move cluster logic out of vault package

* Dedup heartbeat and fix tests

* Fix test
2019-04-17 13:50:31 -07:00
Jeff Mitchell c22075fa81 Add unit test for KV issue 31 (#6591) 2019-04-16 09:53:24 -07:00
Jeff Mitchell 213b9fd1cf Update to api 1.0.1 and sdk 0.1.8 2019-04-15 14:10:07 -04:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 1b5155080b Update protobufs, sdk changes 2019-04-12 23:13:14 -04:00
Becca Petrin 6ded269700
Merge pull request #6268 from hashicorp/6234-aws-region
Add region to CLI for generating AWS login data
2019-04-12 16:15:38 -07:00
Jeff Mitchell 80c303ac83 Move ldaputil and tlsutil over to sdk 2019-04-12 18:26:54 -04:00
Jeff Mitchell 371db36ede Move useragent to sdk 2019-04-12 18:17:49 -04:00
Jeff Mitchell 8d6ce1ffb5 Move policyutil to sdk 2019-04-12 18:08:46 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Becca Petrin f20772310b Merge branch 'opensource-master' into 6234-aws-region 2019-04-12 11:13:17 -07:00
Jeff Mitchell 3ec1e79b6a Fix test code breakage 2019-04-12 11:37:34 -04:00
ncabatoff 521e93c32b Save metrics to barrier without going through c.systemBarrierView (#884)
* Don't bother trying to save metrics when we don't have a barrier.  Use stateLock.

* Use c.barrier instead of c.systemBarrierView, thus we don't need locking
and don't need to worry about race with mount setup.

* Remove unneccessary lock.
2019-04-11 12:37:38 -04:00
Jeff Mitchell 9f148c499e Fix test break 2019-04-11 11:18:32 -04:00
Jeff Mitchell 4aa4a0665f Sync over 2019-04-11 11:12:37 -04:00
Jeff Mitchell aa6fafced9 Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532)
* Add prioritization when multiple segment/glob rules can match.

* Disallow ambiguous "+*" in policy paths.
2019-04-10 17:46:17 -04:00
Vishal Nayak 0df2d14961
Properly invalidate group alias in a secondary (#6564) 2019-04-10 16:14:31 -04:00
Vishal Nayak 7ab753b569
Use NS context when loading entities and groups (#6563)
* Use NS context when loading entities and groups

* update context while group loading as well

* Address review feedback
2019-04-10 15:05:57 -04:00
Brian Kassouf f5be7c8cea
Fix perf standby elections when the new active node was also the previous active node (#6561) 2019-04-10 10:09:36 -07:00
Brian Kassouf 76969aa801
Fix deadlock on the mounts & auth locks (#6560)
* Fix deadlock on the mountsLock

* Fix deadlock on authLock too
2019-04-09 19:20:06 -07:00
Jeff Mitchell 12285f5ed0 Sync over 2019-04-08 14:57:14 -04:00
Jeff Mitchell 30209cdd35 Update token path with / at end to ensure it's the token store 2019-04-08 14:25:29 -04:00
Jeff Mitchell 1d982c234f
Fix some more test failures and recursive locking (#6549) 2019-04-08 13:40:54 -04:00
Jeff Mitchell 9f0a6edfcb
Remove some instances of potential recursive locking (#6548) 2019-04-08 12:45:28 -04:00
Vishal Nayak f4876b744c Fix handling member group IDs (#6527)
* Process member_group_ids only if supplied
2019-04-05 09:12:39 -04:00
Jeff Mitchell eec3f9afb2
Handle JWT checks with namespaced service tokens (#6536)
Some checks would fail because we considered a token with two dots a
JWT, but service tokens in namespaces also fit this bill.
2019-04-04 17:13:09 -04:00
ncabatoff b08963779c Apply the bits from ent pr 852 that are relevant to OSS. (#6528) 2019-04-04 13:02:44 -04:00
Calvin Leung Huang ee46fd4362
core: port over CG and perf standby handling bits (#6530) 2019-04-03 14:16:49 -07:00
Becca Petrin d6f489cca7 strip import whitespace 2019-04-03 13:43:54 -07:00
Becca Petrin ed03e8f04d add comment on region parsing 2019-04-03 11:58:20 -07:00
Becca Petrin 339cfcaaf8 merge master 2019-04-01 13:52:44 -07:00
Jim Kalafut 265e61b993
Add OpenAPI support for query parameters (#6490)
Also, fix handling of required properties in request body.
2019-03-28 14:40:56 -07:00
Brian Kassouf f50ff52a8b
Add metrics to seal methods (#6478) 2019-03-26 10:32:19 -07:00
Jeff Mitchell 775f547e4e Sync over 2019-03-25 14:18:43 -04:00
Jeff Mitchell 6797e21f54
Migrate from SermoDigital go Square JOSE (#6445) 2019-03-20 14:54:03 -04:00
T.K 453f1ac109 changed misspelled english words (#6432) 2019-03-19 09:32:45 -04:00
Brian Kassouf 2af9d9de98
Fix a locking issue in the Rollback manager (#6426)
* Fix a locking issue in the Rollback manager

* Update rollback.go

* Update rollback.go

* move state creation

* Update vault/rollback.go

Co-Authored-By: briankassouf <briankassouf@users.noreply.github.com>

* Simplify logic by canceling the lock grab

* Use context instead of a chan

* Update vault/rollback.go
2019-03-18 11:12:48 -07:00
Jeff Mitchell 9193792773 Sync over 2019-03-18 09:33:01 -04:00
Calvin Leung Huang 7a80fd0a81 add short sleep between revocation and lookup (#6425) 2019-03-15 18:24:53 -04:00
Michel Vocks f4b0bd484a
Added upstream changes from enterprise to OSS (#6419) 2019-03-15 14:25:05 +01:00
Calvin Leung Huang a71adbc2ce sys: do not show filtered mounts on internal/ui/mounts (#6412) 2019-03-14 11:43:44 -07:00
Calvin Leung Huang 70108668a9
testing: allow logger and audit backends to be set in TestCoreWithSealAndUI (#6388) 2019-03-08 13:46:24 -08:00
Chris Hoffman d9c54877ba Fixing transit seal tests (#6342)
* fixing dockertest to run on travis

* try a repo local directory

* precreate the directory

* strip extraneous comment

* check directory was created

* try to print container logs

* try writing out client logs

* one last try

* Attempt to fix test

* convert to insecure tls

* strip test-temp
2019-03-07 11:23:30 -08:00
Jeff Mitchell c4001cc40d This moves api_test package tests into vault/external_tests
This prevents projects importing Vault's API from then also importing
the rest of Vault.
2019-03-06 11:20:42 -05:00
ncabatoff cd747c9318
Add code for writing and reading request counters to storage. (#5918)
Increment a counter whenever a request is received. 
The in-memory counter is persisted to counters/requests/YYYY/MM.
When the month wraps around, we reset the in-memory counter to
zero.
Add an endpoint for querying the request counters across all time.
2019-03-05 14:55:07 -05:00
Becca Petrin 1909b20217 merge master 2019-03-05 09:39:53 -08:00
Jim Kalafut 69dbd2464d Fix failing TokenStore test 2019-03-04 17:44:00 -08:00
Becca Petrin a8ebfef8ef
fix typo 2019-03-04 16:42:48 -08:00
Calvin Leung Huang 1ae110e59a
core: handleLoginRequest should set resp.Auth.Orphan = true (#6335)
* core: handleLoginRequest should set resp.Auth.Orphan = true

* set auth.Orphan in RegisterAuth dynamically

* update related tests
2019-03-04 14:32:09 -08:00
Jeff Mitchell a83ed04730 Add ability to migrate autoseal to autoseal (#5930)
* Add ability to migrate autoseal to autoseal

This adds the ability to migrate from shamir to autoseal, autoseal to
shamir, or autoseal to autoseal, by allowing multiple seal stanzas. A
disabled stanza will be used as the config being migrated from; this can
also be used to provide an unwrap seal on ent over multiple unseals.

A new test is added to ensure that autoseal to autoseal works as
expected.

* Fix test

* Provide default shamir info if not given in config

* Linting feedback

* Remove context var that isn't used

* Don't run auto unseal watcher when in migration, and move SetCores to SetSealsForMigration func

* Slight logic cleanup

* Fix test build and fix bug

* Updates

* remove GetRecoveryKey function
2019-03-04 14:11:56 -08:00
Brian Kassouf ad3605e657
Revert "filtered-path endpoint (#6132)" (#6337)
This reverts commit dfdbb0bad975fab447f49766baaa5a6c956f8e3d.
2019-03-04 14:08:21 -08:00
ncabatoff 8814fe1ba5 filtered-path endpoint (#6132)
* First pass at filtered-path endpoint.  It seems to be working, but there are tests missing, and possibly some optimization to handle large key sets.

* Vendor go-cmp.

* Fix incomplete vendoring of go-cmp.

* Improve test coverage.  Fix bug whereby access to a subtree named X would expose existence of a the key named X at the same level.

* Add benchmarks, which showed that hasNonDenyCapability would be "expensive" to call for every member of a large folder.  Made a couple of minor tweaks so that now it can be done without allocations.

* Comment cleanup.

* Review requested changes: rename some funcs, use routeCommon instead of
querying storage directly.

* Keep the same endpoint for now, but move it from a LIST to a POST and allow multiple paths to be queried in one operation.

* Modify test to pass multiple paths in at once.

* Add endpoint to default policy.

* Move endpoint to /sys/access/filtered-path.
2019-03-04 11:04:29 -08:00
Jeff Mitchell a3a2a3cd04 A few more syncs 2019-03-04 13:53:15 -05:00
Michel Vocks ce832e402a Fixed ignored empty value set on token role update call (#6314)
* Fixed ignored empty value set on token role update call

* Made a pre-check a bit more elegant. Updated tests
2019-03-04 09:39:29 -08:00
Vishal Nayak d514ff573a
Set orphan status in the token creation response (#6320) 2019-03-01 18:55:58 -05:00
Brian Kassouf 7b910a093b
Handle ns lease and token renew/revoke via relative paths (#6236) (#6312)
* Handle ns lease and token renew/revoke via relative paths

* s/usin/using/

* add token and lease lookup paths; set ctx only on non-nil ns

Addtionally, use client token's ns for auth/token/lookup if no token is provided
2019-02-28 16:02:25 -08:00
Chris Hoffman 4f35c548fe Transit Autounseal (#5995)
* Adding Transit Autoseal

* adding tests

* adding more tests

* updating seal info

* send a value to test and set current key id

* updating message

* cleanup

* Adding tls config, addressing some feedback

* adding tls testing

* renaming config fields for tls
2019-02-28 13:13:56 -08:00
Becca Petrin 5829774e91
Support env vars for STS region (#6284) 2019-02-28 09:31:06 -08:00
vishalnayak 3f92836771 Port identity store cleanup code 2019-02-26 16:11:16 -05:00
Brian Kassouf efe5671f36 make fmt 2019-02-20 12:12:21 -08:00
Brian Kassouf 26d8d318d7 Merge remote-tracking branch 'oss/master' into 1.1-beta 2019-02-19 12:17:15 -08:00
Brian Kassouf ab1a04f8e6
Port over some test fixes (#6261) 2019-02-19 12:03:02 -08:00
Martin 4c9e7f4478 typo in pathsToRadix doc (#6253) 2019-02-18 10:05:04 -08:00