Jeff Mitchell
2ebe49d3a1
Change UseToken mechanics.
...
Add locking around UseToken and Lookup. Have UseToken flag an entry that
needs to be revoked so that it can be done at the appropriate time, but
so that Lookup in the interm doesn't return a value.
The locking is a map of 4096 locks keyed off of the first three
characters of the token ID which should provide good distribution.
2016-05-02 03:44:24 -04:00
Jeff Mitchell
81da06de05
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 15:15:37 -04:00
Jeff Mitchell
53773f12e3
Register the token entry's path instead of the request path, to handle role suffixes correctly
2016-04-14 08:08:28 -04:00
Jeff Mitchell
1db6808912
Construct token path from request to fix displaying TTLs when using
...
create-orphan.
2016-04-07 15:45:38 +00:00
Jeff Mitchell
2fd02b8dca
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 18:04:05 -04:00
Jeff Mitchell
7442867d53
Check for auth/ in the path of the prefix for revoke-prefix in the token
...
store.
2016-03-31 16:21:56 -04:00
Jeff Mitchell
fa2ba47a5c
Merge branch 'master' into token-roles
2016-03-09 17:23:34 -05:00
vishalnayak
0c4d5960a9
In-URL accessor for auth/token/lookup-accessor endpoint
2016-03-09 14:54:52 -05:00
vishalnayak
f478cc57e0
fix all the broken tests
2016-03-09 13:45:36 -05:00
vishalnayak
007142262f
Provide accessor to revove-accessor in the URL itself
2016-03-09 13:08:37 -05:00
vishalnayak
3b302817e5
Added tests for lookup-accessor and revoke-accessor endpoints
2016-03-09 12:50:26 -05:00
Jeff Mitchell
2ecdde1781
Address final feedback
2016-03-09 11:59:54 -05:00
Jeff Mitchell
7c5f810bc0
Address first round of feedback
2016-03-01 15:30:37 -05:00
Jeff Mitchell
54232eb980
Add other token role unit tests and some minor other changes.
2016-03-01 12:41:41 -05:00
Jeff Mitchell
df2e337e4c
Update tests to add expected role parameters
2016-03-01 12:41:40 -05:00
Jeff Mitchell
b8b59560dc
Add token role CRUD tests
2016-03-01 12:41:40 -05:00
Jeff Mitchell
ff3adce39e
Make "ttl" reflect the actual TTL of the token in lookup calls.
...
Add a new value "creation_ttl" which holds the value at creation time.
Fixes #986
2016-02-01 11:16:32 -05:00
Jeff Mitchell
b2bde47b01
Pull out setting the root token ID; use the new ParseUUID method in
...
go-uuid instead, and revoke if there is an error.
2016-01-19 19:44:33 -05:00
Jeff Mitchell
3b994dbc7f
Add the ability to generate root tokens via unseal keys.
2016-01-19 18:28:10 -05:00
Jeff Mitchell
9c5ad28632
Update deps, and adjust usage of go-uuid to match new return values
2016-01-13 13:40:08 -05:00
Jeff Mitchell
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Jeff Mitchell
d51d723c1f
Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases)
2016-01-04 17:11:22 -05:00
Jeff Mitchell
e990b77d6e
Address review feedback; move storage of these values to the expiration manager
2016-01-04 16:43:07 -05:00
Jeff Mitchell
5ddd243144
Store a last renewal time in the token entry and return it upon lookup
...
of the token.
Fixes #889
2016-01-04 11:20:49 -05:00
Jeff Mitchell
df68e3bd4c
Filter out duplicate policies during token creation.
2015-12-30 15:18:30 -05:00
Jeff Mitchell
f2da5b639f
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
Jeff Mitchell
1a45696208
Add no-default-policy flag and API parameter to allow exclusion of the
...
default policy from a token create command.
2015-11-09 17:30:50 -05:00
Jeff Mitchell
5783f547ab
Display whether a token is an orphan on lookup.
2015-11-09 13:19:59 -05:00
Jeff Mitchell
6ccded7a2f
Add ability to create orphan tokens from the API
2015-11-03 15:12:21 -05:00
Jeff Mitchell
636d57a026
Make the token store's Create and RootToken functions non-exported.
...
Nothing requires them to be exported, and I don't want anything in the
future to think it's okay to simply create a root token when it likes.
2015-10-30 10:59:26 -04:00
Jeff Mitchell
a9155ef85e
Use split-out hashicorp/uuid
2015-10-12 14:07:12 -04:00
Jeff Mitchell
4a52de13e3
Add renew-self endpoint.
...
Fixes #455 .
2015-10-07 12:49:13 -04:00
Jeff Mitchell
ca50012017
Format token lease/TTL as int in JSON API when looking up
2015-09-27 22:36:36 -04:00
Jeff Mitchell
62ac518ae7
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 10:41:21 -04:00
Vishal Nayak
d526c8ce1c
Merge pull request #629 from hashicorp/token-create-sudo
...
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-21 10:12:29 -04:00
vishalnayak
a2799b235e
Using acl.RootPrivilege and rewrote mockTokenStore
2015-09-19 17:53:24 -04:00
vishalnayak
b6d47dd784
fix broken tests
2015-09-19 12:33:52 -04:00
Jeff Mitchell
d775445efe
Store token creation time and TTL. This can be used to properly populate
...
fields in 'lookup-self'. Importantly, this also makes credential
backends use the SystemView per-backend TTL values and fixes unit tests
to expect this.
Fully fixes #527
2015-09-18 16:39:35 -04:00
Jeff Mitchell
8f79e8be82
Add revoke-self endpoint.
...
Fixes #620 .
2015-09-17 13:22:30 -04:00
Jeff Mitchell
047ba90a44
Restrict orphan revocation to root tokens
2015-09-16 09:22:15 -04:00
Jeff Mitchell
c460ff10ca
Push a lot of logic into Router to make a bunch of it nicer and enable a
...
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
Armon Dadgar
ffeb6ea76c
vault: allow increment to be duration string. Fixes #340
2015-06-17 15:58:20 -07:00
Armon Dadgar
ae421f75b7
vault: fixing issues with token renewal
2015-06-17 14:28:13 -07:00
Armon Dadgar
538c795f9b
vault: Adding method to consume a limited use token
2015-04-17 11:51:04 -07:00
Armon Dadgar
fd3948d476
vault: Tokens can have a use count specified
2015-04-17 11:34:25 -07:00
Armon Dadgar
818ce0a045
vault: token store allows specifying display_name
2015-04-15 14:24:07 -07:00
Mitchell Hashimoto
5eff7f1b57
vault: upper bound on test
2015-04-10 21:22:17 -07:00
Mitchell Hashimoto
992028e23e
vault: the expiration time should be relative to the issue time
2015-04-10 21:21:06 -07:00
Armon Dadgar
a6d974c74e
vault: revoking a token should revoke all secrets it has generated
2015-04-10 15:12:04 -07:00
Armon Dadgar
1e2863e2b8
vault: remove unused RevokeAll method
2015-04-10 14:59:49 -07:00
Armon Dadgar
13836e8612
vault: groundwork to allow auth renew
2015-04-10 13:59:49 -07:00
Armon Dadgar
4679febdf3
logical: Refactor LeaseOptions to share between Secret and Auth
2015-04-09 12:14:04 -07:00
Armon Dadgar
82c5d9c478
vault: Enforce non-renewability
2015-04-08 17:03:46 -07:00
Mitchell Hashimoto
9378d0388a
vault: token store inehrits policies by default
2015-04-07 14:19:52 -07:00
Armon Dadgar
493ee49e4d
vault: unify the token renew response
2015-04-06 16:35:39 -07:00
Armon Dadgar
b8d69a357c
vault: Use Auth for lease and renewable
2015-04-03 14:04:50 -07:00
Armon Dadgar
2feba52f40
vault: Adding auth/token/renew endpoint
2015-04-03 12:11:49 -07:00
Armon Dadgar
c82fbbb8c3
vault: Support prefix based token revocation
2015-04-03 11:40:08 -07:00
Mitchell Hashimoto
1dcb37c6b6
vault: lookup-self for TokenStore to look up your own store
2015-03-31 12:51:00 -07:00
Mitchell Hashimoto
63f259cc8d
vault: lookup without a token looks up self
2015-03-31 12:50:07 -07:00
Mitchell Hashimoto
6a72ea61d5
vault: convert TokenStore to logical/framework
2015-03-31 12:48:19 -07:00
Mitchell Hashimoto
c9acfa17cb
vault: get rid of HangleLogin
2015-03-30 20:26:39 -07:00
Mitchell Hashimoto
e9a3a34c27
vault: tests passing
2015-03-29 16:18:08 -07:00
Armon Dadgar
23864839bb
vault: testing root privilege restrictions
2015-03-24 15:52:07 -07:00
Armon Dadgar
b354f03cb2
vault: adding auth/token/lookup/ support
2015-03-24 15:39:33 -07:00
Armon Dadgar
4a4d1d3e45
vault: adding auth/token/revoke/ and auth/token/revoke-orphan/
2015-03-24 15:30:09 -07:00
Armon Dadgar
26f05f7a20
vault: Passthrough of client token to token store
2015-03-24 15:12:52 -07:00
Armon Dadgar
6fd3cae2c2
vault: Adding auth/token/create endpoint
2015-03-24 15:10:46 -07:00
Armon Dadgar
b5332404d1
vault: Allow providing token ID during creation
2015-03-24 14:22:50 -07:00
Armon Dadgar
cd3ee5cc03
vault: Remove core reference
2015-03-23 17:29:36 -07:00
Armon Dadgar
3607eae208
vault: Adding method to generate root token
2015-03-23 17:16:37 -07:00
Armon Dadgar
56d99fe580
vault: token tracks generation path and meta data
2015-03-23 13:39:43 -07:00
Armon Dadgar
8cc88981d6
vault: token store is a credential implementation
2015-03-18 19:11:52 -07:00
Armon Dadgar
481a3a2a91
vault: testing token revocation
2015-03-18 13:50:36 -07:00
Armon Dadgar
ded5dc71e9
vault: First pass token store
2015-03-18 13:19:19 -07:00