Brian Kassouf
ab3b625a3b
Add API methods for creating a DR Operation Token and make generate root accept strategy types ( #3565 )
...
* Add API and Command code for generating a DR Operation Token
* Update generate root to accept different token strategies
2017-11-10 10:19:42 -08:00
Jeff Mitchell
7e80b4b7ad
Minor client refactoring ( #3539 )
2017-11-06 12:06:19 -05:00
Jeff Mitchell
d229d7d5b0
Redo API locking ( #3508 )
...
* Redo the API client quite a bit to make the behavior of NewClient more
predictable and add locking to make it safer to use with Clone() and if
multiple goroutines for some reason decide to change things.
Along the way I discovered that currently, the x/net/http2 package is
broke with the built-in h2 support in released Go. For those using
DefaultConfig (the vast majority of cases) this will be a non-event.
Others can manually call http2.ConfigureTransport as needed. We should
keep an eye on commits on that repo and consider more updates before
release. Alternately we could go back revisions but miss out on bug
fixes; my theory is that this is not a purposeful break and I'll be
following up on this in the Go issue tracker.
In a few tests that don't use NewTestCluster, either for legacy or other
reasons, ensure that http2.ConfigureTransport is called.
* Use tls config cloning
* Don't http2.ConfigureServer anymore as current Go seems to work properly without requiring the http2 package
* Address feedback
2017-11-02 09:30:04 -05:00
Jeff Mitchell
e0669746b6
Add seal type to seal-status output. ( #3516 )
2017-11-01 21:00:41 -05:00
Jeff Mitchell
08d9353c60
Only call ConfigureTransport if "h2" is not already in NextProtos.
...
Fixes #3435
2017-10-27 14:08:30 -04:00
Jeff Mitchell
713d5d5307
Don't swallow errors on token functions.
2017-10-24 09:39:35 -04:00
Seth Vargo
42f3215589
Remove redundant TokenMeta
2017-10-24 09:39:34 -04:00
Seth Vargo
c5665920f6
Standardize on "auth method"
...
This removes all references I could find to:
- credential provider
- authentication backend
- authentication provider
- auth provider
- auth backend
in favor of the unified:
- auth method
2017-10-24 09:32:15 -04:00
Seth Vargo
f66d49b79b
Add more secret helpers for getting secret data
2017-10-24 09:30:47 -04:00
Seth Vargo
8910915c86
Add API functions for token helpers
2017-10-24 09:26:44 -04:00
Jeff Mitchell
8e271dcbdc
More syncing
2017-10-23 16:52:56 -04:00
Billie Cleek
3033a7beb6
do not panic when Client.Transport is not *http.Transport ( #3440 )
2017-10-10 08:46:54 -04:00
Jeff Mitchell
3cf4e3e142
Fix panic when setting a client http client with no transport ( #3437 )
...
Fixes #3436
2017-10-09 08:49:20 -04:00
Marcus Söderberg
3d00731fda
Add http headers to the api client ( #3394 )
2017-10-06 14:27:58 -04:00
Chris Hoffman
1029ad3b33
Rename "generic" secret backend to "kv" ( #3292 )
2017-09-15 09:02:29 -04:00
Calvin Leung Huang
6f417d39da
Normalize plugin_name option for mount and enable-auth ( #3202 )
2017-08-31 12:16:59 -04:00
Seth Vargo
ae5996a737
Add SignKey endpoint for SSH API client
2017-08-18 12:59:08 -04:00
Jeff Mitchell
d2410e3399
gofmt
2017-08-02 19:38:35 -04:00
nrhall-deshaw
888e1e3859
Add SRV record functionality for client side host/port discovery of Vault ( #3035 )
...
* added SRV record functionality for client side port discovery of Vault
* Add a check on returned address length
2017-08-02 19:19:06 -04:00
Calvin Leung Huang
db9d9e6415
Store original request path in WrapInfo ( #3100 )
...
* Store original request path in WrapInfo as CreationPath
* Add wrapping_token_creation_path to CLI output
* Add CreationPath to AuditResponseWrapInfo
* Fix tests
* Add and fix tests, update API docs with new sample responses
2017-08-02 18:28:58 -04:00
Jeff Mitchell
cefa70c8a3
Have sys health api always return even in an error case ( #3087 )
...
* Have sys health api always return even in an error case, which HTTP API docs say it should
* Use specific return codes to bypass automatic error handling
2017-08-02 10:01:40 -04:00
Jeff Mitchell
d0f329e124
Add leader cluster address to status/leader output. ( #3061 )
...
* Add leader cluster address to status/leader output. This helps in
identifying a particular node when all share the same redirect address.
Fixes #3042
2017-07-31 18:25:27 -04:00
Jeff Mitchell
1bfc6d4fe7
Add a -dev-three-node option for devs. ( #3081 )
2017-07-31 11:28:06 -04:00
Chris Hoffman
5cb87e26ef
moving client calls to new endpoint ( #2867 )
2017-07-25 11:58:33 -04:00
Calvin Leung Huang
bb54e9c131
Backend plugin system ( #2874 )
...
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017 )
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Gobin Sougrakpam
2ddbc4a939
Adding option to set custom vault client timeout using env variable VAULT_CLIENT_TIMEOUT ( #3022 )
2017-07-18 09:48:31 -04:00
Seth Vargo
c77986d03e
Do not double-convert to seconds
2017-07-11 16:06:50 -07:00
Seth Vargo
cfad705ddc
Fix typo
2017-07-10 22:26:42 -07:00
Chris Hoffman
8fee1ec31d
updating for TestCluster changes
2017-07-10 20:47:03 -07:00
Seth Vargo
725e0e5b73
Fix doc
2017-07-07 17:15:43 -04:00
Seth Vargo
8da29a5a23
Use the core client
2017-07-07 17:14:49 -04:00
Seth Vargo
994cf1db5c
Fix failing test
2017-07-07 17:14:49 -04:00
Seth Vargo
462d30fd38
Buffer doneCh
2017-07-07 17:14:49 -04:00
Seth Vargo
d48c51185d
Add configurable buffer size
2017-07-07 17:14:48 -04:00
Seth Vargo
29255fd2eb
Do not block writing to doneCh if stopped
2017-07-07 17:14:48 -04:00
Seth Vargo
e22b3d9ec8
Make lock private
2017-07-07 17:14:48 -04:00
Seth Vargo
7f47f06014
Remove init() seed
2017-07-07 17:14:47 -04:00
Seth Vargo
81a24fda29
Fix vet errors
2017-07-07 17:14:47 -04:00
Seth Vargo
ae7d6da993
Allow a custom randomizer
2017-07-07 17:14:47 -04:00
Seth Vargo
5f658abc12
Use Fatalf
2017-07-07 17:14:47 -04:00
Seth Vargo
207e1d5dd3
Use a more heuristic function for calculating sleep backoff
2017-07-07 17:14:46 -04:00
Seth Vargo
f18b7fd6dc
Seed the random generator
2017-07-07 17:14:46 -04:00
Seth Vargo
10cdc62c62
Move renewer integration tests into separate package
2017-07-07 17:14:46 -04:00
Seth Vargo
a09c84ce75
Use a separate package for API integration tests
...
This removes the cyclic dependency
2017-07-07 17:14:45 -04:00
Seth Vargo
d711dfebd1
Send a more useful struct for renewal
2017-07-07 17:14:45 -04:00
Seth Vargo
951421e613
Reorg
2017-07-07 17:14:45 -04:00
Seth Vargo
1ea998e2f5
Use unbuffered channels
2017-07-07 17:14:45 -04:00
Seth Vargo
dcdbef1dfb
Use a time.Duration instead of an int for grace
2017-07-07 17:14:44 -04:00
Seth Vargo
62e1f5c498
Use RenewTokenAsSelf instead
2017-07-07 17:14:44 -04:00
Seth Vargo
77ee95cb82
Add secret renewer
2017-07-07 17:14:44 -04:00
Seth Vargo
4069eb21b6
Add test stubs for starting a vault server and pg database
2017-07-07 17:14:43 -04:00
Seth Vargo
506a304ecc
Add API helper for renewing a token as another token
2017-07-07 17:14:42 -04:00
Jeff Mitchell
d169918465
Create and persist human-friendly-ish mount accessors ( #2918 )
2017-06-26 18:14:36 +01:00
Seth Vargo
084064389e
Add a convenience function for copying a client ( #2887 )
2017-06-20 04:08:15 +01:00
Jeff Mitchell
5817a8a5f8
Return error on bad CORS and add Header specification to API request primitive
2017-06-19 18:20:44 -04:00
Aaron Salvo
0303f51b68
Cors headers ( #2021 )
2017-06-17 00:04:55 -04:00
Chris Hoffman
a91763b81f
reverting client changes in #2856 ( #2866 )
2017-06-14 16:39:20 -04:00
Chris Hoffman
ec1d943dce
moving client calls to new endpoint ( #2856 )
2017-06-14 10:38:15 -04:00
Vishal Nayak
2d61087b99
api: Don't treat 429 as error ( #2850 )
...
* api: Don't treat 429 as error
* Added parenthesis
2017-06-12 18:31:36 -04:00
Kiss György
0be37ca78b
Add Health() method to Sys client ( #2805 )
2017-06-05 11:00:45 -04:00
emily
aa40d2cff6
add gofmt checks to Vault and format existing code ( #2745 )
2017-05-19 08:34:17 -04:00
Lee Avital
bf34484d9d
Respect the configured address's path in the client ( #2588 )
2017-04-13 14:06:38 -04:00
pkrolikowski
0fb75d9e89
Pass user/pass for HTTP Basic Authentication in URL parameters ( #2469 )
2017-03-10 07:19:23 -05:00
Jeff Mitchell
f03d500808
Add option to disable caching per-backend. ( #2455 )
2017-03-08 09:20:09 -05:00
Jeff Mitchell
5ef2b0145b
Add ability to set max retries to API
2017-03-01 12:24:08 -05:00
Jordan Abderrachid
fa77e7cfa2
api: add `EnvVaultToken` constant. ( #2413 )
2017-02-27 18:36:21 -05:00
Jeff Mitchell
2cc0906b33
Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 ( #2412 )
2017-02-27 12:49:35 -05:00
Jeff Mitchell
4ec5937e2d
Move http-using API tests into http package
2017-02-24 14:23:21 -05:00
Jeff Mitchell
e0c9bfd926
Add WithOptions methods to audit/auth enabling ( #2383 )
2017-02-16 11:37:27 -05:00
Jason Felice
ec10a9171d
ConfigureTLS() sets default HttpClient if nil ( #2329 )
2017-02-06 17:47:56 -05:00
Jeff Mitchell
dd0e44ca10
Add nonce to unseal to allow seeing if the operation has reset ( #2276 )
2017-01-17 11:47:06 -05:00
Vishal Nayak
ad09acb479
Use Vault client's scheme for auto discovery ( #2146 )
2016-12-02 11:24:57 -05:00
Jeff Mitchell
3397d55722
Better handle nil responses in logical unwrap
2016-12-01 16:38:08 -05:00
Jeff Mitchell
0f5b847748
Fix panic when unwrapping if the server EOFs
2016-11-29 16:50:07 -05:00
Jeff Mitchell
97ca3292a4
Set number of pester retries to zero by default and make seal command… ( #2093 )
...
* Set number of pester retries to zero by default and make seal command return 403 if unauthorized instead of 500
* Fix build
* Use 403 instead and update test
* Change another 500 to 403
2016-11-16 14:08:09 -05:00
Jeff Mitchell
12e986c6ec
Fix unwrap CLI command when there is no client token set. ( #2077 )
2016-11-08 11:36:15 -05:00
Jeff Mitchell
22b5bd54e3
change api so if wrapping token is the same as the client token it doesn't set it in the body
2016-10-27 12:15:30 -04:00
Jeff Mitchell
4072ac0eb9
Fix NOT logical bug.
...
Ping #2014
2016-10-18 09:51:45 -04:00
Jeff Mitchell
b45a481365
Wrapping enhancements ( #1927 )
2016-09-28 21:01:28 -07:00
Jeff Mitchell
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
Jeff Mitchell
722e26f27a
Add support for PGP encrypting the initial root token. ( #1883 )
2016-09-13 18:42:24 -04:00
Jeff Mitchell
ac5ea8ccc2
Reinstate the token parameter to api.RevokeSelf to avoid breaking compatibility
2016-09-13 11:03:05 -04:00
Jeff Mitchell
1c6f2fd82b
Add response wrapping to list operations ( #1814 )
2016-09-02 01:13:14 -04:00
Evan Gilman
d7502e543d
Add golang api method for creating orphan tokens ( #1834 )
2016-09-01 15:39:44 -04:00
Jeff Mitchell
9fee9ce8ff
Don't allow tokens in paths. ( #1783 )
2016-08-24 15:59:43 -04:00
markrzasa
a110cd637c
allow a TLS server name to be configured for SSH agents ( #1720 )
2016-08-23 22:06:56 -04:00
Jeff Mitchell
62c69f8e19
Provide base64 keys in addition to hex encoded. ( #1734 )
...
* Provide base64 keys in addition to hex encoded.
Accept these at unseal/rekey time.
Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell
ba87c6c0d6
Restore compatibility with pre-0.6.1 servers for CLI/Go API calls
2016-08-14 14:52:45 -04:00
Jeff Mitchell
bcb4ab5422
Add periodic support for root/sudo tokens to auth/token/create
2016-08-12 21:14:12 -04:00
Jeff Mitchell
9c33224928
Don't retry on redirections.
2016-08-12 15:13:42 -04:00
vishalnayak
ff22640015
Use default config and read environment by default while creating client object
2016-08-12 11:37:13 -04:00
Jeff Mitchell
5a1ca832af
Merge pull request #1699 from hashicorp/dataonly
...
Return sys values in top level normal api.Secret
2016-08-09 07:17:02 -04:00
Jeff Mitchell
ab71b981ad
Add ability to specify renew lease ID in POST body.
2016-08-08 18:00:44 -04:00
Jeff Mitchell
3c2aae215c
Fix tests and update mapstructure
2016-08-08 16:00:31 -04:00
Alex Dadgar
4d5de08a46
Merge pull request #1682 from hashicorp/f-refactor-tls-config
...
Refactor the TLS configuration between meta.Client and the api.Config
2016-08-02 13:35:37 -07:00
Alex Dadgar
92ede0db17
Address comments
2016-08-02 13:17:45 -07:00
vishalnayak
8b0b0d5922
Add cluster information to 'vault status'
2016-07-29 14:13:53 -04:00
vishalnayak
e5e0431393
Added Vault version information to the 'status' command
2016-07-28 17:37:35 -04:00
Alex Dadgar
f5d56ad8f8
Refactor the TLS configuration between meta.Client and the api.Config
2016-07-27 17:26:26 -07:00
Jeff Mitchell
a76d51d0ee
Plumb request UUID through the API
2016-07-27 09:25:04 -04:00
vishalnayak
23800c5f1d
Add service discovery to init command
2016-07-21 16:17:29 -04:00
Vishal Nayak
8a1bb1626a
Merge pull request #1583 from hashicorp/ssh-allowed-roles
...
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-19 12:04:12 -04:00
vishalnayak
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Jeff Mitchell
a6682405a3
Migrate number of retries down by one to have it be max retries, not tries
2016-07-11 21:57:14 +00:00
Jeff Mitchell
57cdb58374
Switch to pester from go-retryablehttp to avoid swallowing 500 error messages
2016-07-11 21:37:46 +00:00
Jeff Mitchell
7023eafc67
Make the API client retry on 5xx errors.
...
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.
Fix tests.
2016-07-06 16:50:23 -04:00
vishalnayak
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurrences of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
vishalnayak
5367a7223d
Add allowed_roles to ssh-helper-config and return role name from verify call
2016-07-05 11:14:29 -04:00
vishalnayak
848b479a61
Added 'sys/auth/<path>/tune' endpoints.
...
Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods'
2016-06-15 13:58:24 -04:00
Jeff Mitchell
e925987cb6
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
Jeff Mitchell
65d8973864
Add explicit max TTL capability to token creation API
2016-06-08 14:49:48 -04:00
Jeff Mitchell
c0155ac02b
Add renewable flag and API setting for token creation
2016-06-08 11:14:30 -04:00
Jeff Mitchell
10b218d292
Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this...
2016-06-07 16:01:09 -04:00
Jeff Mitchell
401456ea50
Add creation time to returned wrapped token info
...
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.
This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Jeff Mitchell
63aba520c6
Make Unwrap a first-party API command and refactor UnwrapCommand to use it
2016-05-27 21:04:30 +00:00
Jeff Mitchell
05b2d4534c
Add unwrap test function and some robustness around paths for the wrap lookup function
2016-05-19 11:49:46 -04:00
Jeff Mitchell
c4431a7e30
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors
2016-05-16 16:11:33 -04:00
Jeff Mitchell
c5008bcaac
Add more tests
2016-05-07 21:08:13 -04:00
Jeff Mitchell
99a5b4402d
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-04 14:42:14 -04:00
Jeff Mitchell
45a120f491
Switch our tri-copy ca loading code to go-rootcerts
2016-05-03 12:23:25 -04:00
Jeff Mitchell
1ffd5653c6
Add wrap support to API/CLI
2016-05-02 02:03:23 -04:00
Jeff Mitchell
4e53f4b1a4
Use UseNumber() on json.Decoder to have numbers be json.Number objects
...
instead of float64. This fixes some display bugs.
2016-04-20 18:38:20 +00:00
Adam Shannon
fb07d07ad9
all: Cleanup from running go vet
2016-04-13 14:38:29 -05:00
Jeff Mitchell
348be0e50b
Remove RevokePrefix from the API too as we simply do not support it any
...
longer.
2016-04-05 11:00:12 -04:00
Jeff Mitchell
afae46feb7
SealInterface
2016-04-04 10:44:22 -04:00
vishalnayak
4e6dcfd6d0
Enable callbacks for handling logical.Request changes before processing requests
2016-03-17 22:29:53 -04:00
vishalnayak
f275cd2e9c
Fixed capabilities API to receive logical response
2016-03-17 21:03:32 -04:00
vishalnayak
a5d79d587a
Refactoring the capabilities function
2016-03-17 21:03:32 -04:00
vishalnayak
71fc07833f
Rename id to path and path to file_path, print audit backend paths
2016-03-14 17:15:07 -04:00
Vishal Nayak
c70b4bbbb2
Merge pull request #1201 from hashicorp/accessor-cli-flags
...
Accessor CLI flags
2016-03-11 09:55:45 -05:00
vishalnayak
b8d202f920
Restore RevokeSelf API
2016-03-11 06:30:45 -05:00
vishalnayak
0486fa1a3a
Added accessor flag to token-revoke CLI
2016-03-10 21:21:20 -05:00
vishalnayak
ed8a096596
Add accessor flag to token-lookup command and add lookup-accessor client API
2016-03-10 21:21:20 -05:00
Seth Vargo
30f24dd5cc
Validate HCL for SSHHelper too
2016-03-10 16:47:46 -05:00
Jeff Mitchell
fa2ba47a5c
Merge branch 'master' into token-roles
2016-03-09 17:23:34 -05:00
Jeff Mitchell
6df72e6efd
Merge pull request #1168 from hashicorp/revoke-force
...
Add forced revocation.
2016-03-09 16:59:52 -05:00
vishalnayak
151c932875
AccessorID --> Accessor, accessor_id --> accessor
2016-03-09 06:23:31 -05:00
vishalnayak
301776012f
Introduced AccessorID in TokenEntry and returning it along with token
2016-03-08 14:06:10 -05:00
Jeff Mitchell
cc1f5207b3
Merge branch 'master' into token-roles
2016-03-07 10:03:54 -05:00
vishalnayak
9946a2d8b5
refactoring changes due to acl.Capabilities
2016-03-04 18:55:48 -05:00
vishalnayak
7fe871e60a
Removing the 'Message' field
2016-03-04 10:36:03 -05:00
vishalnayak
286e63a648
Handled root token use case
2016-03-04 10:36:03 -05:00
vishalnayak
5749a6718c
Added sys/capabilities endpoint
2016-03-04 10:36:02 -05:00
Jeff Mitchell
0d46fb4696
Create a unified function to sanitize mount paths.
...
This allows mount paths to start with '/' in addition to ensuring they
end in '/' before leaving the system backend.
2016-03-03 13:13:47 -05:00
Jeff Mitchell
3e7bca82a1
Merge pull request #1146 from hashicorp/step-down
...
Provide 'sys/step-down' and 'vault step-down'
2016-03-03 12:30:08 -05:00
Jeff Mitchell
cd86226845
Add forced revocation.
...
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.
This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.
Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.
Fixes #1135
2016-03-03 10:13:59 -05:00
Jeff Mitchell
54232eb980
Add other token role unit tests and some minor other changes.
2016-03-01 12:41:41 -05:00
Jeff Mitchell
ef990a3681
Initial work on token roles
2016-03-01 12:41:40 -05:00
vishalnayak
aee006ba2d
moved the test cert keys to appropriate test-fixtures folder
2016-02-29 15:49:08 -05:00
Jeff Mitchell
d131d99c34
Merge branch 'master' into step-down
2016-02-29 11:02:09 -05:00
vishalnayak
dca18aec2e
replaced old certs, with new certs generated from PKI backend, containing IP SANs
2016-02-28 22:15:54 -05:00
Jeff Mitchell
11ddd2290b
Provide 'sys/step-down' and 'vault step-down'
...
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.
Fixes #1093
2016-02-26 19:43:55 -05:00
vishalnayak
d02d3124b5
fix api tests
2016-02-26 17:01:40 -05:00
Robert M. Thomson
024407518b
Add VAULT_TLS_SERVER_NAME environment variable
...
If specified, verify a specific server name during TLS negotiation
rather than the server name in the URL.
2016-02-25 17:28:49 +01:00
vishalnayak
c42ade8982
Use tls_skip_verify in vault-ssh-helper
2016-02-23 17:32:49 -05:00
vishalnayak
00d01043fd
ssh-helper api changes
2016-02-23 00:16:00 -05:00
Jeff Mitchell
5f5542cb91
Return status for rekey/root generation at init time. This mitigates a
...
(very unlikely) potential timing attack between init-ing and fetching
status.
Fixes #1054
2016-02-12 14:24:36 -05:00
Jeff Mitchell
0c427e27e9
Add some documentation to the API revoke functions
2016-02-03 11:42:13 -05:00
Paul Hinze
073965de8c
Parse and return MountConfigOutput from API
...
When working on the Terraform / Vault integration I came across the fact
that `Sys().MountConfig(...)` didn't seem to return a response struct,
even though it's a `GET` method.
Looks like just a simple oversight to me. This fix does break API BC,
but the method had no use without its return value so I feel like that's
probably a mitigating factor.
2016-02-02 17:11:05 -06:00
Jeff Mitchell
88310ca538
Fix up unit tests to expect new values
2016-01-29 19:36:56 -05:00
Jeff Mitchell
5341cb69cc
Updates and documentation
2016-01-22 10:07:32 -05:00
Jeff Mitchell
d17c3f4407
Fix body closing in List method
2016-01-22 10:07:32 -05:00
Jeff Mitchell
10c307763e
Add list capability, which will work with the generic and cubbyhole
...
backends for the moment. This is pretty simple; it just adds the actual
capability to make a list call into both the CLI and the HTTP handler.
The real meat was already in those backends.
2016-01-22 10:07:32 -05:00
Jeff Mitchell
973c888833
RootGeneration->GenerateRoot
2016-01-19 18:28:10 -05:00
Jeff Mitchell
3b994dbc7f
Add the ability to generate root tokens via unseal keys.
2016-01-19 18:28:10 -05:00
Jeff Mitchell
f6d2271a3c
Use an array of keys so that if the same fingerprint is used none are lost when using PGP key backup
2016-01-08 14:29:23 -05:00
Jeff Mitchell
26e1837a82
Some minor rekey backup fixes
2016-01-08 14:09:40 -05:00
Jeff Mitchell
a094eedce2
Add rekey nonce/backup.
2016-01-06 09:54:35 -05:00
Nicki Watt
442d538deb
Make token-lookup functionality available via Vault CLI
2015-12-29 20:18:59 +00:00
Nicki Watt
939bc5ad9c
Corrected HTTP Method for api.TokenAuth.LookupSelf() method
2015-12-28 00:05:15 +00:00
Jeff Mitchell
bf2bf06997
Use cleanhttp.DefaultTransport rather than instantiating directly to avoid leaked FDs
2015-12-17 15:23:13 -05:00
Jeff Mitchell
e25b3ad344
Update documentation to be consistent with return codes
...
Fixes #831
2015-12-10 10:26:40 -05:00
Jeff Mitchell
1c7157e632
Reintroduce the ability to look up obfuscated values in the audit log
...
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).
In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)
Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell
1a45696208
Add no-default-policy flag and API parameter to allow exclusion of the
...
default policy from a token create command.
2015-11-09 17:30:50 -05:00
Jeff Mitchell
32e23bea71
Move environment variable reading logic to API.
...
This allows the same environment variables to be read, parsed, and used
from any API client as was previously handled in the CLI. The CLI now
uses the API environment variable reading capability, then overrides any
values from command line flags, if necessary.
Fixes #618
2015-11-04 10:28:00 -05:00
Jeff Mitchell
195caa6bf6
Implement LookupSelf, RevokeSelf, and RenewSelf in the API client
...
Fixes #739
2015-10-30 17:27:33 -04:00
Jeff Mitchell
c1d8b97342
Add reset support to the unseal command.
...
Reset clears the provided unseal keys, allowing the process to be begun
again. Includes documentation and unit test changes.
Fixes #695
2015-10-28 15:59:39 -04:00
Jeff Mitchell
22c65c0c07
Use cleanhttp instead of bare http.Client
2015-10-22 14:37:12 -04:00
Jeff Mitchell
cba4e82682
Don't use http.DefaultClient
...
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.
Fixes #700 , I believe.
2015-10-15 17:54:00 -04:00
Jeff Mitchell
b8455be005
Support and use TTL instead of lease for token creation
2015-10-09 19:52:13 -04:00
Jeff Mitchell
b5d674d94e
Add 301 redirect checking to the API client.
...
Vault doesn't generate these, but in some cases Go's internal HTTP
handler does. For instance, during a mount-tune command, finishing the
mount path with / (as in secret/) would cause the final URL path to
contain .../mounts/secret//tune. The double slash would trigger this
behavior in Go's handler and generate a 301. Since Vault generates 307s,
this would cause the client to think that everything was okay when in
fact nothing had happened.
2015-10-09 17:11:31 -04:00
Dejan Golja
87c84db51b
Increase default timeout to 30s which should allow for any operation
...
to complete.
2015-10-09 00:53:35 +11:00
Dejan Golja
ea17b85d94
added a sensible default timeout for the vault client
2015-10-08 18:44:00 +11:00
Jeff Mitchell
c7cec2aabc
Add unit tests
2015-10-07 20:17:06 -04:00
Jeff Mitchell
d740fd4a6a
Add the ability for warnings to be added to responses. These are
...
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.
Fixes #676
2015-10-07 16:18:39 -04:00
Alexey Grachov
2bb6ec1e18
Fix some lint warnings.
2015-09-29 10:35:16 +03:00
Jeff Mitchell
62ac518ae7
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 10:41:21 -04:00
Jeff Mitchell
f489c1c24e
Ensure that the response body of logical calls is closed, even if there is an error.
2015-09-14 18:22:33 -04:00
Jeff Mitchell
ace611d56d
Address items from feedback. Make MountConfig use values rather than
...
pointers and change how config is read to compensate.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
488d33c70a
Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation
2015-09-10 15:09:54 -04:00
Jeff Mitchell
4239f9d243
Add DynamicSystemView. This uses a pointer to a pointer to always have
...
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.
Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
696d0c7b1d
Plumb per-mount config options through API
2015-09-10 15:09:53 -04:00
Jeff Mitchell
2002406155
Rather than use http.DefaultClient, which is simply &http.Client{},
...
create our own. This avoids some potential client race conditions when
they are setting values on the Vault API client while the default client
is being used elsewhere in other goroutines, as was seen in
consul-template.
2015-09-03 13:47:20 -04:00
Jeff Mitchell
bc2d914905
Change variable name for clarity
2015-09-03 13:38:24 -04:00
Jeff Mitchell
c56fd6b3fc
Remove redirect handling code that was never being executed (redirects are manually handled within RawRequest). Add a sync.Once to fix a potential data race with setting the CheckRedirect function on the default http.Client
2015-09-03 13:34:45 -04:00
Jeff Mitchell
099deb4392
Merge pull request #587 from hashicorp/sethvargo/auth_token_tests
...
Add test coverage for auth tokens
2015-09-03 11:26:14 -04:00
Seth Vargo
4b33a1669b
Add test coverage for auth tokens
2015-09-03 10:57:17 -04:00
Seth Vargo
6f248425a6
Update documentation around cookies
2015-09-03 10:36:59 -04:00
Mike Sample
e847fbd596
corrected two typos
2015-08-27 00:05:19 -07:00
Jeff Mitchell
cc232e6f79
Address comments from review.
2015-08-25 15:33:58 -07:00
Jeff Mitchell
c887df93cc
Add support for pgp-keys argument to rekey, as well as tests, plus
...
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Jeff Mitchell
2f3e245b0b
Add support for "pgp-tokens" parameters to init.
...
There are thorough unit tests that read the returned
encrypted tokens, seal the vault, and unseal it
again to ensure all works as expected.
2015-08-25 14:52:13 -07:00
Jeff Mitchell
a8ef0e8a80
Remove cookie authentication.
2015-08-21 19:46:23 -07:00
vishalnayak
2da717fd8b
Vault SSH: Adding the missed out config file
2015-08-20 11:30:21 -07:00
vishalnayak
251cd997ad
Vault SSH: TLS client creation test
2015-08-18 19:00:27 -07:00
vishalnayak
b91ebbc6e2
Vault SSH: Documentation update and minor refactoring changes.
2015-08-17 18:22:03 -07:00
vishalnayak
330ef396ca
Vault SSH: Default lease of 5 min for SSH secrets
2015-08-12 17:10:35 -07:00
vishalnayak
2d23ffe3d2
Vault SSH: Exposed verify request/response messages to agent
2015-08-12 13:22:48 -07:00
vishalnayak
212afb5d9e
Vault SSH: Moved agent's client creation code to Vault's source
2015-08-12 13:09:32 -07:00
vishalnayak
9c8f4d0322
Vault SSH: Moved SSH agent config to Vault's source
2015-08-12 12:52:21 -07:00
vishalnayak
f84347c542
Vault SSH: Added SSHAgent API
2015-08-12 10:48:58 -07:00
vishalnayak
e782717ba8
Vault SSH: Renamed path with mountPoint
2015-08-12 10:30:50 -07:00
vishalnayak
33d7ef71b9
Vault SSH: Fixed constructor of SSH api
2015-08-12 09:56:17 -07:00
vishalnayak
93dfa67039
Merging changes from master
2015-08-12 09:28:16 -07:00
Seth Vargo
4c5a527dad
Remove Sys.Login (unused)
2015-08-11 13:04:11 -04:00
vishalnayak
61c9f884a4
Vault SSH: Review Rework
2015-07-29 14:21:36 -04:00
Vishal Nayak
b532ee0bf4
Vault SSH: Dynamic Key test case fix
2015-07-24 12:13:26 -04:00
Vishal Nayak
791a250732
Vault SSH: Support OTP key type from CLI
2015-07-23 17:20:28 -04:00
Vishal Nayak
27e66e175f
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-17 17:22:17 -04:00
Armon Dadgar
9e6a0ffe1b
api: fixing 404 handling of GetPolicy
2015-07-13 19:20:00 +10:00
Vishal Nayak
ad9a0da9c4
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-10 16:18:08 -06:00
Jeff Mitchell
e9730e4491
Fix nil dereference reading policies with a failing connection (for instance, bad cert)
2015-07-10 14:22:33 -04:00
Vishal Nayak
170dae7f91
Vault SSH: Revoking key after SSH session from CLI
2015-07-06 11:05:02 -04:00
Vishal Nayak
a1e2705173
Vault SSH: PR review rework
2015-07-02 17:23:09 -04:00
Vishal Nayak
d691a95531
Vault SSH: PR review rework - 1
2015-07-01 11:58:49 -04:00
Vishal Nayak
91ed2dcdc2
Refactoring changes
2015-06-29 22:00:08 -04:00
Vishal Nayak
8c15e2313b
ssh/lookup implementation and refactoring
2015-06-25 21:47:32 -04:00
Vishal Nayak
b237a3bcc2
POC: Rework. Doing away with policy file.
2015-06-24 18:13:12 -04:00
Vishal Nayak
303a7cef9a
Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH.
2015-06-17 20:33:03 -04:00
Vishal Nayak
3ed73d98c2
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect
2015-06-17 12:39:49 -04:00
Jeff Mitchell
2de991ac7a
The docs say that if HttpClient is nil, http.DefaultClient will be used. However, the code doesn't do this, resulting in a nil dereference.
2015-06-04 14:01:10 -04:00
boncheff
5f15d1e5cc
Update SPEC.md
2015-06-02 14:51:43 +01:00
Armon Dadgar
84618a2fde
api: Support the rekey endpoints
2015-05-28 14:37:20 -07:00
Armon Dadgar
efcdfd0066
api: Adding Rotate and KeyStatus
2015-05-27 18:05:23 -07:00
Seth Vargo
fc2ac74c5f
Improve error message when TLS is disabled
...
Fixes #198
2015-05-14 10:33:38 -04:00
Mitchell Hashimoto
d4155ef9d8
api: human friendly error for TLS [GH-123]
2015-05-02 13:08:35 -07:00
Seth Vargo
ee6963ee01
Use lowercase JSON keys for client_token
2015-04-24 12:00:00 -04:00
Seth Vargo
cc25b8b15c
Remove api dependency on http package
2015-04-23 19:58:44 -04:00
Seth Vargo
e5fca055f7
Use VAULT_ADDR instead
2015-04-23 11:46:22 -04:00
Seth Vargo
835e14dda0
Add docs
2015-04-23 11:45:37 -04:00
Seth Vargo
b421689ab4
Read environment variables for VAULT_HTTP_ADDR and VAULT_TOKEN
2015-04-23 11:43:20 -04:00
Seth Vargo
3fa76e0ea9
Use a pointer config instead
2015-04-23 11:13:52 -04:00
Armon Dadgar
39cb908662
api: Support sys/leader endpoint
2015-04-20 12:04:13 -07:00
Armon Dadgar
fbaca87f56
api: Support redirect for HA
2015-04-20 11:30:35 -07:00
Armon Dadgar
57f3ceac14
api: Allow resetting of request body
2015-04-20 10:44:51 -07:00
Mitchell Hashimoto
fb3645214c
command/token-create: add display name and one time use
2015-04-19 18:08:08 -07:00
Mitchell Hashimoto
58d476edd0
command/token-renew
2015-04-19 18:04:01 -07:00
Mitchell Hashimoto
0ebf2508e0
command/policy-delete
2015-04-19 16:36:11 -07:00
Mitchell Hashimoto
2bd9223247
api: update docs
2015-04-13 20:42:07 -07:00
Mitchell Hashimoto
0cc0fb066b
command/renew
2015-04-13 20:42:07 -07:00
Armon Dadgar
466c7575d3
Replace VaultID with LeaseID for terminology simplification
2015-04-08 13:35:32 -07:00
Mitchell Hashimoto
7442bc1ef6
command/delete
2015-04-07 11:15:20 -07:00
Mitchell Hashimoto
3001c245e5
api: Logical delete
2015-04-07 11:04:56 -07:00
Mitchell Hashimoto
f2ee82a17f
command/remount
2015-04-07 10:46:47 -07:00
Mitchell Hashimoto
62f4d1dd0e
credential/github: CLI handler
2015-04-06 09:53:43 -07:00
Mitchell Hashimoto
2744d84e0b
api: make API a bit nicer
2015-04-04 17:54:16 -07:00
Mitchell Hashimoto
5d105b0cc8
api: client library methods to get tokens
2015-04-04 17:53:59 -07:00
Mitchell Hashimoto
2c1d334156
http: fix tests
2015-04-04 17:42:19 -07:00
Mitchell Hashimoto
aabcaee0c0
api: add auth information to results
2015-04-04 15:40:41 -07:00
Mitchell Hashimoto
2e3d6d6a0e
command/help
2015-04-02 22:42:05 -07:00
Mitchell Hashimoto
3caedf19bd
api: help
2015-04-02 22:26:45 -07:00
Mitchell Hashimoto
020af2fac2
http: help
2015-04-02 22:26:45 -07:00
Mitchell Hashimoto
d4ef9a552f
api: audit methods
2015-04-01 18:38:25 -07:00
Mitchell Hashimoto
a3d1502c2d
api: SPEC
2015-04-01 18:16:31 -07:00
Mitchell Hashimoto
db6a7ab7ce
api: policy methods
2015-04-01 17:59:50 -07:00
Mitchell Hashimoto
c25b7010d9
http: all policy endpoints
2015-04-01 17:59:50 -07:00
Mitchell Hashimoto
fce856d19c
http: list policies
2015-04-01 17:43:58 -07:00
Mitchell Hashimoto
f21da26766
command/auth-enable
2015-04-01 17:09:11 -07:00
Mitchell Hashimoto
36691190cc
api: fix compile
2015-03-31 20:29:20 -07:00
Mitchell Hashimoto
6cbe88cf99
api: fix auth API
2015-03-31 20:28:05 -07:00
Mitchell Hashimoto
aba7fc1910
http: auth handlers
2015-03-31 20:24:51 -07:00
Mitchell Hashimoto
214218a993
api: RevokePrefix
2015-03-31 19:23:52 -07:00
Mitchell Hashimoto
bbaa137f4e
command/revoke: revoke
2015-03-31 19:21:02 -07:00
Mitchell Hashimoto
407b32ccd5
command/seal: test should use the token
2015-03-31 11:46:55 -07:00
Mitchell Hashimoto
df4dc88176
api: SetToken
2015-03-30 21:20:23 -07:00
Mitchell Hashimoto
6e5345306e
api: update the SPEC
2015-03-30 12:22:34 -07:00
Mitchell Hashimoto
c2e1371217
api: re-use proper token constant
2015-03-30 11:14:51 -07:00
Mitchell Hashimoto
bd471bfffb
command/init: show root token
2015-03-29 16:25:53 -07:00
Mitchell Hashimoto
4cacaf62f0
http: support auth
2015-03-29 16:14:54 -07:00
Armon Dadgar
e85cd66b30
all: Removing fields from Lease
2015-03-16 13:29:51 -07:00
Mitchell Hashimoto
4161f7a440
http: fix mount endpoints
2015-03-16 10:51:13 -07:00
Mitchell Hashimoto
1d07df9db6
command/write
2015-03-15 20:35:33 -07:00
Mitchell Hashimoto
9b14cf789e
api: logical Read/Write
2015-03-15 19:47:32 -07:00
Mitchell Hashimoto
742923452b
http: generic read/write endpoint for secrets
2015-03-15 19:35:04 -07:00
Mitchell Hashimoto
c0ede206bb
api: use /v1 prefix
2015-03-13 12:53:08 -07:00
Mitchell Hashimoto
128c742a65
api: add init
2015-03-12 12:42:40 -07:00
Mitchell Hashimoto
d35b8eaa6f
http: init endpoints
2015-03-12 12:37:54 -07:00
Mitchell Hashimoto
9a68a68d3c
api: update mount API
2015-03-11 22:34:54 -07:00
Mitchell Hashimoto
88ed41abc2
api: lease renew should parse the secret
2015-03-11 19:48:32 -05:00
Mitchell Hashimoto
39884c7bde
api: secret parsing and leasing
2015-03-11 19:48:31 -05:00
Mitchell Hashimoto
0a6ad5b143
api: mount API client
2015-03-11 19:48:31 -05:00
Mitchell Hashimoto
02126dd935
api: store token cookie, tests
2015-03-11 17:46:42 -05:00
Mitchell Hashimoto
0f413876f2
api: separate sys out further
2015-03-11 17:46:41 -05:00
Mitchell Hashimoto
de159fdac8
api: document jar requirement
2015-03-11 17:46:41 -05:00
Mitchell Hashimoto
a4fc46de2a
api: auth methods
2015-03-11 17:46:41 -05:00
Mitchell Hashimoto
886812ecce
api: automatically get errors in RawRequest
2015-03-11 17:46:41 -05:00
Mitchell Hashimoto
5202e8788d
api: Response can decode errors
2015-03-11 17:46:41 -05:00
Mitchell Hashimoto
798689fb8d
api: sys methods
2015-03-11 17:46:41 -05:00
Mitchell Hashimoto
8ec69eae81
api: start the groundwork API stuff
2015-03-09 11:38:50 -07:00
Mitchell Hashimoto
c995ec1452
api: update spec
2015-03-04 15:41:21 -08:00
Mitchell Hashimoto
859a99c96c
api: SPEC
2015-03-04 15:03:06 -08:00
Mitchell Hashimoto
342f4e7e30
api: update SPEC
2015-03-04 13:17:12 -08:00
Mitchell Hashimoto
80f8ba6b88
api: spec
2015-03-04 13:10:10 -08:00