luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
1,902 Commits 1 Branch 0 Tags 214 MiB
Commit Graph

1902 Commits

Author SHA1 Message Date
Jeff Mitchell b08f6e5540 Merge pull request #622 from Poohblah/log-level-help 
improve documentation for available log levels
 2015-09-16 15:15:36 -04:00
hendrenj 0532682816 improve documentation for available log levels 2015-09-16 11:01:33 -06:00
Jeff Mitchell 047ba90a44 Restrict orphan revocation to root tokens 2015-09-16 09:22:15 -04:00
Seth Vargo 5c363a1bd3 Merge pull request #621 from jklein/patch-1 
Grammar fix
 2015-09-15 20:54:24 +01:00
Jonathan Klein dff6e468f9 Grammar fix 2015-09-15 15:53:27 -04:00
Jeff Mitchell 461609b754 Merge pull request #612 from hashicorp/f-cubby 
Implement the cubbyhole backend
 2015-09-15 14:04:07 -04:00
Jeff Mitchell e7d5a18e94 Directly pass the cubbyhole backend to the token store and bypass logic in router 2015-09-15 13:50:37 -04:00
Jeff Mitchell 849b78daee Move more cubby logic outside of router into auth setup 2015-09-15 13:50:37 -04:00
Jeff Mitchell bdb8cf128d Cleanup; remove everything but double-salting from the router and give 
the token store cubby backend information for direct calling.
 2015-09-15 13:50:37 -04:00
Jeff Mitchell 538852d6d6 Add documentation for cubbyhole 2015-09-15 13:50:37 -04:00
Jeff Mitchell b50f7ec1b5 Remove noop checks in unmount/remount and restore previous behavior 2015-09-15 13:50:37 -04:00
Jeff Mitchell 77e7379ab5 Implement the cubbyhole backend 
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
 2015-09-15 13:50:37 -04:00
Jeff Mitchell 104b29ab04 Rename View to StorageView to make it more distinct from SystemView 2015-09-15 13:50:37 -04:00
Tuomas Silen 5e8b3a28e4 Rename error return var 2015-09-15 11:18:43 +03:00
Jeff Mitchell f489c1c24e Ensure that the response body of logical calls is closed, even if there is an error. 2015-09-14 18:22:33 -04:00
Jeff Mitchell 38a75503ad Merge pull request #607 from lassizci/postgresql-timezone 
Explicitly set timezone with PostgreSQL timestamps.
 2015-09-14 11:55:02 -04:00
Jeff Mitchell 699e12a1c6 When there is one use left and a Secret is being returned, instead 
return a descriptive error indicating that the Secret cannot be returned
because when the token was revoked the secret was too. This prevents
confusion where credentials come back but cannot be used.

Fixes #615
 2015-09-14 11:07:27 -04:00
Lassi Pölönen 83d0ab73f5 Define time zone explicitly in postgresql connection string. 2015-09-14 13:43:06 +03:00
Lassi Pölönen a9aaee6f5a Explicitly set timezone with PostgreSQL timestamps. 2015-09-14 13:43:06 +03:00
Tuomas Silen 42d3f90e37 Further cleanup, use named return vals 2015-09-14 13:30:15 +03:00
Vishal Nayak 2fa1916521 Merge pull request #613 from hashicorp/doc-token-renewal 
Improve documentation of token renewal
 2015-09-11 21:38:34 -04:00
vishalnayak c5a3b0c681 Typo fix 2015-09-11 21:36:20 -04:00
vishalnayak 142cb563a6 Improve documentation of token renewal 2015-09-11 21:08:32 -04:00
Jeff Mitchell 99f372e3a6 Merge pull request #608 from lassizci/backend-cleanup 
Provide a cleanup method for backends; if defined, will be run just before unloading.
 2015-09-11 10:52:04 -04:00
Tuomas Silen 7f384b2312 Cleanup defer func 2015-09-11 16:30:12 +03:00
Tuomas Silen 2652db825a Use defer to close the channel in case of error 2015-09-11 16:17:23 +03:00
Lassi Pölönen d3aec0ba31 Cleanup routines should now use routeEntry instead of mountEntry. 2015-09-11 13:40:31 +03:00
Lassi Pölönen 79f68c934a Call ResetDB as Cleanup routine to close existing database connections 
on backend unmount.
 2015-09-11 11:45:58 +03:00
Lassi Pölönen fb07cf9f53 Implement clean up routine to backend as some backends may require 
e.g closing database connections on unmount to avoud connection
stacking.
 2015-09-11 11:45:58 +03:00
Vishal Nayak 08f7fb9c8d Merge pull request #580 from hashicorp/zeroaddress-path 
Add root authenticated path to allow default CIDR to select roles
 2015-09-10 15:28:49 -04:00
Jeff Mitchell 65414dc07e Merge pull request #585 from hashicorp/per-backend-ttls 
Per backend configuration
 2015-09-10 15:27:07 -04:00
Jeff Mitchell 39cfcccdac Remove error returns from sysview TTL calls 2015-09-10 15:09:54 -04:00
Jeff Mitchell 65ceb3439d Be consistent as both are the same pointer here 2015-09-10 15:09:54 -04:00
Jeff Mitchell 5de736e69c Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 15:09:54 -04:00
Jeff Mitchell ace611d56d Address items from feedback. Make MountConfig use values rather than 
pointers and change how config is read to compensate.
 2015-09-10 15:09:54 -04:00
Jeff Mitchell c460ff10ca Push a lot of logic into Router to make a bunch of it nicer and enable a 
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
 2015-09-10 15:09:54 -04:00
Jeff Mitchell eff1c331ad Add more unit tests against backend TTLs, and fix two bugs found by them 
(yay unit tests!)
 2015-09-10 15:09:54 -04:00
Jeff Mitchell 86ccae7bd5 Fix mount config test by proxying mounts/ in addition to mounts 2015-09-10 15:09:54 -04:00
Jeff Mitchell 971e4144ec Fix typo 2015-09-10 15:09:54 -04:00
Jeff Mitchell 775dfe38a2 A couple bug fixes + most unit tests 2015-09-10 15:09:54 -04:00
Jeff Mitchell 488d33c70a Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00
Jeff Mitchell 4239f9d243 Add DynamicSystemView. This uses a pointer to a pointer to always have 
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.

Need specific unit tests for this functionality.
 2015-09-10 15:09:54 -04:00
Jeff Mitchell d435048d9e Switch StaticSystemView values to pointers, to support updating 2015-09-10 15:09:54 -04:00
Jeff Mitchell 6efcbe3a9f Allow POST as well as PUT for seal/unseal command, fits in more with how logical handles things 2015-09-10 15:09:53 -04:00
Jeff Mitchell 696d0c7b1d Plumb per-mount config options through API 2015-09-10 15:09:53 -04:00
Jeff Mitchell 893d2d9b00 Minor cleanup of MountConfig 2015-09-10 15:09:53 -04:00
Jeff Mitchell 17c60d3e78 Add logic to core to fetch a SystemView for a given mount entry and use those values for default/max TTL. The SystemView will reflect system defaults if not set for that mount. 2015-09-10 15:09:53 -04:00
vishalnayak 473c1d759d Vault SSH: Testing credential creation on zero address roles 2015-09-10 11:55:07 -04:00
vishalnayak d26497267c Vault SSH: Expected data for testRoleRead 2015-09-10 10:44:26 -04:00
vishalnayak 475df43c59 Merge branch 'master' of https://github.com/hashicorp/vault 2015-09-10 10:03:17 -04:00