Commit graph

496 commits

Author SHA1 Message Date
Becca Petrin 4a4eab50a1 Merge branch 'opensource-master' into 6234-aws-region 2019-04-03 11:37:33 -07:00
Artem Alexandrov ae422eea9f Fix getCN during group fetching in auth/ldap (#6518)
* Fix getCN during group fetching in auth/ldap

* #6518 Change strings.ToLower to strings.EqualFold
2019-04-02 16:25:03 -07:00
Becca Petrin 339cfcaaf8 merge master 2019-04-01 13:52:44 -07:00
Jeff Mitchell 0a78c00c9f Sync over 2019-03-25 12:43:16 -04:00
Jeff Mitchell eff4896bcf Remove unneeded build flag 2019-03-25 11:26:11 -04:00
Jeff Mitchell 6797e21f54
Migrate from SermoDigital go Square JOSE (#6445) 2019-03-20 14:54:03 -04:00
T.K 453f1ac109 changed misspelled english words (#6432) 2019-03-19 09:32:45 -04:00
Jeff Mitchell 9193792773 Sync over 2019-03-18 09:33:01 -04:00
Michel Vocks f4b0bd484a
Added upstream changes from enterprise to OSS (#6419) 2019-03-15 14:25:05 +01:00
Vishal Nayak f7907c2809 Agent: Listener refactoring and socket file system permissions (#6397)
* Listener refactoring and file system permissions

* added listenerutil and move some common code there

* Added test for verifying socket file permissions

* Change default port of agent to 8200

* address review feedback

* Address review feedback

* Read socket options from listener config
2019-03-14 11:53:14 -07:00
Becca Petrin 1909b20217 merge master 2019-03-05 09:39:53 -08:00
Jeff Mitchell 718ae5a010 Minor syncs 2019-03-04 13:35:22 -05:00
Michel Vocks f2d022ac20
Print warning when 'tls_cipher_suites' includes blacklisted cipher suites (#6300)
* Implemented a warning when tls_cipher_suites includes only cipher suites which are not supprted by the HTTP/2 spec

* Added test for cipher suites

* Added hard fail on startup when all defined cipher suites are blacklisted. Added warning when some ciphers are blacklisted.

* Replaced hard failure with warning. Removed bad cipher util function and replaced it by external library.

* Added missing dependency. Fixed renaming of package name.
2019-03-01 16:48:06 +01:00
Becca Petrin 5829774e91
Support env vars for STS region (#6284) 2019-02-28 09:31:06 -08:00
Calvin Leung Huang fda590f538
agent/caching: use const for cache-clear path (#6271) 2019-02-21 14:53:34 -08:00
Brian Kassouf efe5671f36 make fmt 2019-02-20 12:12:21 -08:00
Brian Kassouf ab1a04f8e6
Port over some test fixes (#6261) 2019-02-19 12:03:02 -08:00
Brian Kassouf f5b5fbb392
Refactor the cluster listener (#6232)
* Port over OSS cluster port refactor components

* Start forwarding

* Cleanup a bit

* Fix copy error

* Return error from perf standby creation

* Add some more comments

* Fix copy/paste error
2019-02-14 18:14:56 -08:00
Martin 9044173d6e Prometheus support on v1/sys/metrics endpoint (#5308)
* initial commit for prometheus and sys/metrics support

* Throw an error if prometheusRetentionTime is 0,add prometheus in devmode

* return when format=prometheus is used and prom is disable

* parse prometheus_retention_time from string instead of int

* Initialize config.Telemetry if nil

* address PR issues

* add sys/metrics framework.Path in a factory

* Apply requiredMountTable entries's MountConfig to existing core table

* address pr comments

* enable prometheus sink by default

* Move Metric-related code in a separate metricsutil helper
2019-02-14 12:46:59 -08:00
madalynrose 625f0c7546
Update OpenAPI responses to include information the UI can use (#6204) 2019-02-14 12:42:44 -05:00
Calvin Leung Huang 77d737c8b2 Merge branch 'master-oss' into 1.1-beta 2019-02-11 14:47:22 -08:00
Jim Kalafut df4139df51
Create alias and command for OIDC (#6206) 2019-02-11 13:37:55 -08:00
Brian Nuszkowski 707c6d1813 Add SHA1 signing/verification support to transit engine (#6037)
* Add SHA1 signing/verification support to transit engine

* Update signing/verification endpoint documentation to include sha1 hash algorithm
2019-02-07 15:31:31 -08:00
Jeff Mitchell 9ef0680e7f
Fix leader info repopulation (#6167)
* Two things:

* Change how we populate and clear leader UUID. This fixes a case where
if a standby disconnects from an active node and reconnects, without the
active node restarting, the UUID doesn't change so triggers on a new
active node don't get run.

* Add a bunch of test helpers and minor updates to things.
2019-02-05 21:01:18 -05:00
Jeff Mitchell 5f249d4005
Add allowed_response_headers (#6115) 2019-02-05 16:02:15 -05:00
Jeff Mitchell bbc1d53a5d Revert "Refactor common token fields and operations into a helper (#5953)"
This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a.
2019-02-01 11:23:40 -05:00
Jeff Mitchell 85a560abba
Refactor common token fields and operations into a helper (#5953) 2019-01-30 16:23:28 -05:00
Jeff Mitchell 5e126f6de8
Implement JWS-compatible signature marshaling (#6077)
This currently only applies to ECDSA signatures, and is a toggleable
option.
2019-01-23 12:31:34 -05:00
Jim Kalafut f097b8d934
Update existing alias metadata during authentication (#6068) 2019-01-23 08:26:50 -08:00
Jeff Mitchell 2836dd0d53 Update testhelpers to allow passing in custom handler 2019-01-22 17:16:26 -05:00
Jeff Mitchell 4dfb25927a Make useCache explicit everywhere in lock manager (#6035)
* Make useCache explicit everywhere in lock manager

This also clears up a case where we could insert into the cache when it
wasn't active

* Address feedback
2019-01-14 08:58:03 -08:00
Giacomo Tirabassi 0d3845c537 Influxdb secret engine built-in plugin (#5924)
* intial work for influxdb secret plugin

* fixed typo

* added comment

* added documentation

* added tests

* fixed tests

* added vendoring

* minor testing issue with hardcoded values

* minor fixes
2019-01-08 17:26:16 -08:00
Jim Kalafut d0e2badbae Run goimports across the repository (#6010)
The result will still pass gofmtcheck and won't trigger additional
changes if someone isn't using goimports, but it will avoid the
piecemeal imports changes we've been seeing.
2019-01-08 16:48:57 -08:00
Pierre-Alain TORET f3143d6cc6 Allow to build on DragonFlyBSD (#5950) 2019-01-07 09:06:51 -08:00
Jim Kalafut 2547d7fb6a
Simplify base62.Random (#5982)
Also move existing base62 encode/decode operations to their only points
of use.
2018-12-20 07:40:01 -08:00
Jeff Mitchell cb1a686e3b
Strip empty strings from database revocation stmts (#5955)
* Strip empty strings from database revocation stmts

It's technically valid to give empty strings as statements to run on
most databases. However, in the case of revocation statements, it's not
only generally inadvisable but can lead to lack of revocations when you
expect them. This strips empty strings from the array of revocation
statements.

It also makes two other changes:

* Return statements on read as empty but valid arrays rather than nulls,
so that typing information is inferred (this is more in line with the
rest of Vault these days)

* Changes field data for TypeStringSlice and TypeCommaStringSlice such
that a client-supplied value of `""` doesn't turn into `[]string{""}`
but rather `[]string{}`.

The latter and the explicit revocation statement changes are related,
and defense in depth.
2018-12-14 09:12:26 -05:00
Þórhallur Sverrisson d86acfc94f Remove DEL characters from password input (#5837)
* Remove DEL characters from password input

iTerm password manager sends \x03\0x7f before sending a password
from its password manager to make sure the password is not being
echoed to the screen.  Unfortunately, vault login does not handle
the Space DEL sequence, causing the login to fail when using the
password manager.  This patch uses a simple method to delete the
sequence if present anywhere in the string, although it is strictly
only needed at the start of input.

* Simplify iTerm handling to only remove iTerm prefix

The logic now only removes the two byte prefix sent in by iTerm
instead of trying to remove all deletes in the string.

This has been tested to work with the iTerm password manager.

As a small correction, the byte sequence is \x20\x7f.  The
earlier commit message incorrectly stated it was \x03\x7f.
2018-12-12 15:06:10 -05:00
Calvin Leung Huang e99957aed9
Support registering plugin with name only (#5787)
* Support registering plugin with name only

* Make RegisterPlugin backwards compatible

* Add CLI backwards compat command to plugin info and deregister

* Add server-side deprecation warnings if old read/dereg API endpoints are called

* Address feedback
2018-11-15 14:33:11 -08:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
teresy 0f5c546c05 simplify a case of strings.Index with strings.Contains (#5698)
Simplifes a case of strings.Index with strings.Contains. Inspired by https://staticcheck.io/docs/gosimple#S1003
2018-11-05 18:40:29 -08:00
Vishal Nayak 332e32294a
Remove namespace.TestContext and namespace.TestNamespace (#5682) 2018-11-05 11:11:32 -05:00
Matthew Irish 8073ebcd1e Merge branch 'oss-master' into 1.0-beta-oss 2018-10-19 20:40:36 -05:00
Brian Kassouf e943a60041
Plugin version negotiation (#5434)
* Plugin version updates

* Update datatbase plugins

* Revert netRPC deletions

* Revert netRPC deletions

* Update plugins to serve both versions

* Update database plugins

* Add Initialize back in

* revert pointer changes

* Add deprecation warning

* Update tests

* Update go-plugin

* Review Feedback
2018-10-19 15:56:17 -07:00
Jeff Mitchell d843e0b52c Merge branch 'master-oss' into 1.0-beta-oss 2018-10-18 10:28:14 -04:00
Vishal Nayak ec7343b1c6
Transit: Key Trim (#5388)
* Support key trimming

* Add doc

* Move trimming to its own endpoint

* Remove trimmed_min_version field from config endpoint

* Fix description

* Doc updates

* Fix response json in docs

* Address review feedback

* s/min_version/min_available_version

* Commenting and error statement updates
2018-10-17 09:05:05 -07:00
Jeff Mitchell d929d83e15 Remove r. from namespace helper 2018-10-16 15:15:36 -04:00
Jeff Mitchell 6a3bf12b10 Support in ns split function 2018-10-15 14:22:45 -04:00
Jeff Mitchell a64fc7d7cb
Batch tokens (#755) 2018-10-15 12:56:24 -04:00
Becca Petrin f276ca2d11 add a check to prevent panics (#5471) 2018-10-05 09:23:06 -07:00
Brian Kassouf 0ae790f9de
Fix issue with revoking leases that have periods in them (#5461) 2018-10-04 09:55:48 -07:00
Calvin Leung Huang 37c0b83669
Add denylist check when filtering passthrough headers (#5436)
* Add denylist check when filtering passthrough headers

* Minor comment update
2018-10-01 12:20:31 -07:00
Jim Kalafut e8c06e6a74
Tablify compression tests (#5405) 2018-09-26 11:08:04 -07:00
Jeff Mitchell 56aaaac944
Add lz4 to compressutil (#5403) 2018-09-26 09:20:33 -05:00
Clint fec3b70374
Allow force restore for Transit Key Restores (#5382)
* Add test file for testing path_restore in Transit backend. Fails because 'force' is not implemented yet

* initial implementation of 'force', to force restore of existing transit key atomically
2018-09-25 15:20:59 -05:00
Jeff Mitchell 33065a60db Fix compilation/protobuf 2018-09-22 17:58:39 -04:00
Calvin Leung Huang 189b893b35
Add ability to provide env vars to plugins (#5359)
* Add ability to provide env vars to plugins

* Update docs

* Update docs with examples

* Refactor TestAddTestPlugin, remove TestAddTestPluginTempDir
2018-09-20 10:50:29 -07:00
Clint 5882156f53
Translate AWS Rate limiting errors to 502 errors (#5270)
* Initial implemntation of returning 529 for rate limits

- bump aws iam and sts packages to v1.14.31 to get mocking interface
- promote the iam and sts clients to the aws backend struct, for mocking in tests
- this also promotes some functions to methods on the Backend struct, so
  that we can use the injected client

Generating creds requires reading config/root for credentials to contact
IAM. Here we make pathConfigRoot a method on aws/backend so we can clear
the clients on successful update of config/root path. Adds a mutex to
safely clear the clients

* refactor locking and unlocking into methods on *backend

* refactor/simply the locking

* check client after grabbing lock
2018-09-18 15:26:06 -05:00
Jeff Mitchell 919b968c27
The big one (#5346) 2018-09-17 23:03:00 -04:00
Jeff Mitchell c28ed23972
Allow most parts of Vault's logging to have its level changed on-the-fly (#5280)
* Allow most parts of Vault's logging to have its level changed on-the-fly

* Use a const for not set
2018-09-05 15:52:54 -04:00
Becca Petrin 7a8c116fb1
undo make fmt (#5265) 2018-09-04 09:29:18 -07:00
Becca Petrin ed7639b0ec
run make fmt (#5261) 2018-09-04 09:12:59 -07:00
Calvin Leung Huang 9988ace85e gofmt files (#5233) 2018-08-31 09:15:40 -07:00
Brian Kassouf 191fec2be1
Remove the nsContext cache (#5200) 2018-08-27 16:38:38 -07:00
Jeff Mitchell aec9a689a0 Sync over some stuff 2018-08-24 12:09:03 -04:00
Jeff Mitchell ba0d029247
Restricts ACL templating to paths but allows failures (#5167)
When a templating failure happens, we now simply ignore that path,
rather than fail all access to all policies
2018-08-23 12:15:02 -04:00
Jeff Mitchell 66a0029195 Sync some ns stuff to api/command 2018-08-22 14:37:40 -04:00
Jeff Mitchell 051bb9fc13
Two PKI improvements: (#5134)
* Disallow adding CA's serial to revocation list
* Allow disabling revocation list generation. This returns an empty (but
signed) list, but does not affect tracking of revocations so turning it
back on will populate the list properly.
2018-08-21 11:20:57 -04:00
Jim Kalafut 3be8a737c1
Request less random data in truncate mode (#5118) 2018-08-17 10:17:40 -07:00
Clint 96d8bd4bf7 [WIP] Support custom max Nomad token name length [supersedes https://github.com/hashicorp/vault/pull/4361] (#5117)
* Nomad: updating max token length to 256

* Initial support for supporting custom max token name length for Nomad

* simplify/correct tests

* document nomad max_token_name_length

* removed support for max token length env var. Rename field for clarity

* cleanups after removing env var support

* move RandomWithPrefix to testhelpers

* fix spelling

* Remove default 256 value. Use zero as a sentinel value and ignore it

* update docs
2018-08-16 15:48:23 -04:00
Jim Kalafut f8a0daafa0
Add check of truncated length (#5109) 2018-08-15 13:16:17 -07:00
Jeff Mitchell 71d92ef093 ACL Templating (#4994)
* Initial work on templating

* Add check for unbalanced closing in front

* Add missing templated assignment

* Add first cut of end-to-end test on templating.

* Make template errors be 403s and finish up testing

* Review feedback
2018-08-15 11:42:56 -07:00
Jim Kalafut 09e9a7a203 Make base62.Random truncation optional (#5100) 2018-08-14 12:38:25 -04:00
Jim Kalafut 5f86155e6a
Consolidate base62 functions (#5099) 2018-08-14 08:44:30 -07:00
Stephen J. Butler 672668dea5 Add tokenGroups and tokenGroupsGlobalAndUniversal (#4936) 2018-08-13 14:57:10 -07:00
Jeff Mitchell 24cb96a9c6 Port over ns identity proto info 2018-08-10 12:45:34 -04:00
Jeff Mitchell fb3c7eb449 Port some ns stuff over 2018-08-10 12:13:11 -04:00
Jeff Mitchell 2ed2e696a7
Merge Identity Entities if two claim the same alias (#5075)
* Merge Identity Entities if two claim the same alias

Past bugs/race conditions meant two entities could be created each
claiming the same alias. There are planned longer term fixes for this
(outside of the race condition being fixed in 0.10.4) that involve
changing the data model, but this is an immediate workaround that has
the same net effect: if two entities claim the same alias, assume they
were created due to this race condition and merge them.

In this situation, also automatically merge policies so we don't lose
e.g. RGPs.
2018-08-09 15:37:36 -05:00
Jim Kalafut 70d516b34d
Update ParseStringSlice and address lint/vet warnings (#5069) 2018-08-09 11:13:37 -07:00
Jim Kalafut 41df651499
Add plugin user-agent helper (#5039) 2018-08-06 09:02:04 -07:00
Jeff Mitchell e72890e83f
VSI (#4985) 2018-07-24 22:02:27 -04:00
Jeff Mitchell 4261618d10 Add request timeouts in normal request path and to expirations (#4971)
* Add request timeouts in normal request path and to expirations

* Add ability to adjust default max request duration

* Some test fixes

* Ensure tests have defaults set for max request duration

* Add context cancel checking to inmem/file

* Fix tests

* Fix tests

* Set default max request duration to basically infinity for this release for BC

* Address feedback
2018-07-24 14:50:49 -07:00
Jeff Mitchell 8b0561aad8
Two small items: (#4934)
1) Disable MaxRetries in test cluster clients. We generally want to fail
as fast as possible in tests so adding unpredictable timing in doesn't
help things, especially if we're timing sensitive in the test.

2) EquivalentPolicies is supposed to return true if only one set
contains `default` and the other is empty, but if one set was nil
instead of simply a zero length slice it would always return false. This
means that renewing against, say, `userpass` when not actually
specifying any user policies would always fail.
2018-07-17 01:23:26 -04:00
Jeff Mitchell 28890ee198 Make proto
It appears the only thing that actually change is that the tag got
`proto3` values added.
2018-07-10 20:49:48 -04:00
Jeff Mitchell 4a3fe87a39
Allow max request size to be user-specified (#4824)
* Allow max request size to be user-specified

This turned out to be way more impactful than I'd expected because I
felt like the right granularity was per-listener, since an org may want
to treat external clients differently from internal clients. It's pretty
straightforward though.

This also introduces actually using request contexts for values, which
so far we have not done (using our own logical.Request struct instead),
but this allows non-logical methods to still get this benefit.

* Switch to ioutil.ReadAll()
2018-07-06 15:44:56 -04:00
Jeff Mitchell a8826b28e0 Port pubkey parsing from kube-auth to helper/certutil 2018-07-06 10:25:32 -04:00
Brian Kassouf 8b344acaac
secret/kv: Sort keys during list operation (#4845) 2018-06-27 11:48:59 -07:00
Jeff Mitchell e52b554c0b
Add an idle timeout for the server (#4760)
* Add an idle timeout for the server

Because tidy operations can be long-running, this also changes all tidy
operations to behave the same operationally (kick off the process, get a
warning back, log errors to server log) and makes them all run in a
goroutine.

This could mean a sort of hard stop if Vault gets sealed because the
function won't have the read lock. This should generally be okay
(running tidy again should pick back up where it left off), but future
work could use cleanup funcs to trigger the functions to stop.

* Fix up tidy test

* Add deadline to cluster connections and an idle timeout to the cluster server, plus add readheader/read timeout to api server
2018-06-16 18:21:33 -04:00
Calvin Leung Huang c4abeb9ea5
Move checkHCLKeys into hclutil (#4749) 2018-06-12 12:38:08 -04:00
Jeff Mitchell 76b0d11793
Redo transit locking (#4720)
This massively simplifies transit locking behavior by pushing some
locking down to the Policy level, and embedding either a local or global
lock in the Policy depending on whether caching is enabled or not.
2018-06-12 12:24:12 -04:00
Jeff Mitchell e5a43d3431 Remove final usage of gogo in our code 2018-06-07 10:48:36 -04:00
Jeff Mitchell 4b7d2bed01 Transit convergent v3 2018-06-05 18:53:39 -04:00
Chris Hoffman 5344b7c5ae
adding option go_package to protos (#4687)
* adding option go_package to protos

* switching proto output dir to relative paths
2018-06-04 10:19:26 -04:00
Jeff Mitchell bd0ac25eb9
Merge branch 'master' into rekey-verification 2018-05-29 10:19:57 -04:00
Becca Petrin 44678e9ada
Fix possible nil pointer on mapping method (#4609) 2018-05-22 12:10:36 -07:00
Becca Petrin 4c1d8013f3
move fields and field parsing to helper (#4603) 2018-05-21 17:04:26 -07:00
Jeff Mitchell c55a2ec486 Finish api tests for verification 2018-05-20 19:01:24 -04:00
Becca Petrin 4693f4ee6c
export EscapeLDAPValue (#4556) 2018-05-11 15:51:20 -07:00
Becca Petrin 910925457f
Move LDAP client and config code to helper (#4532) 2018-05-10 14:12:42 -07:00
Brian Kassouf 55997b6bf0
physical/cache: Add a list of prefixes to not cache (#4515)
* physical/cache: Add a list of prefixes to not cache

* Rename the pathmanager

* Move cache back to the beggining of postUnseal

* Fix comment
2018-05-10 10:29:26 -07:00
Becca Petrin 76c717b081
Restrict cert auth by CIDR (#4478) 2018-05-09 15:39:55 -07:00