Commit Graph

259 Commits

Author SHA1 Message Date
Calvin Leung Huang 90d305a322
Optimize revokeSalted by not calling view.List twice (#4465)
* Optimize revokeSalted by not calling view.List twice

* Minor comment update

* Do not go through the orphaning dance if we are revoking the entire tree

* Update comment
2018-05-18 12:14:42 -07:00
Calvin Leung Huang d7017c7924
Return as internal error on failed token lookup (#4589) 2018-05-18 10:14:31 -07:00
Calvin Leung Huang 08720c93ec
Return ts.Lookup error on handleCreateCommon (#4587)
* Return ts.Lookup error on handleCreateCommon

* Fix test
2018-05-18 09:30:03 -07:00
Calvin Leung Huang dd7520459e
Token revocation refactor (#4512)
* Hand off lease expiration to expiration manager via timers

* Use sync.Map as the cache to track token deletion state

* Add CreateOrFetchRevocationLeaseByToken to hand off token revocation to exp manager

* Update revoke and revoke-self handlers

* Fix tests

* revokeSalted: Move token entry deletion into the deferred func

* Fix test race

* Add blocking lease revocation test

* Remove test log

* Add HandlerFunc on NoopBackend, adjust locks, and add test

* Add sleep to allow for revocations to settle

* Various updates

* Rename some functions and variables to be more clear
* Change step-down and seal to use expmgr for revoke functionality like
during request handling
* Attempt to WAL the token as being invalid as soon as possible so that
further usage will fail even if revocation does not fully complete

* Address feedback

* Return invalid lease on negative TTL

* Revert "Return invalid lease on negative TTL"

This reverts commit a39597ecdc23cf7fc69fe003eef9f10d533551d8.

* Extend sleep on tests
2018-05-10 15:50:02 -04:00
Jeff Mitchell 6d95b4d266
Add the ability to restrict token usage by IP. Add to token roles. (#4412)
Fixes #815
2018-04-21 10:49:16 -04:00
Vishal Nayak 62ba3f381f
Identity policies in token lookup (#4366)
* Add identity_policies to token lookup

* add tests

* naming change

* add commenting in tests
2018-04-17 11:16:26 -04:00
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Chris Hoffman a7ada08b3b
Core handling of TTLs (#4230)
* govet cleanup in token store

* adding general ttl handling to login requests

* consolidating TTL calculation to system view

* deprecate LeaseExtend

* deprecate LeaseExtend

* set the increment to the correct value

* move calculateTTL out of SystemView

* remove unused value

* add back clearing of lease id

* implement core ttl in some backends

* removing increment and issue time from lease options

* adding ttl tests, fixing some compile issue

* adding ttl tests

* fixing some explicit max TTL logic

* fixing up some tests

* removing unneeded test

* off by one errors...

* adding back some logic for bc

* adding period to return on renewal

* tweaking max ttl capping slightly

* use the appropriate precision for ttl calculation

* deprecate proto fields instead of delete

* addressing feedback

* moving TTL handling for backends to core

* mongo is a secret backend not auth

* adding estimated ttl for backends that also manage the expiration time

* set the estimate values before calling the renew request

* moving calculate TTL to framework, revert removal of increment and issue time from logical

* minor edits

* addressing feedback

* address more feedback
2018-04-03 12:20:20 -04:00
Becca Petrin 03cf302e9a Move to "github.com/hashicorp/go-hclog" (#4227)
* logbridge with hclog and identical output

* Initial search & replace

This compiles, but there is a fair amount of TODO
and commented out code, especially around the
plugin logclient/logserver code.

* strip logbridge

* fix majority of tests

* update logxi aliases

* WIP fixing tests

* more test fixes

* Update test to hclog

* Fix format

* Rename hclog -> log

* WIP making hclog and logxi love each other

* update logger_test.go

* clean up merged comments

* Replace RawLogger interface with a Logger

* Add some logger names

* Replace Trace with Debug

* update builtin logical logging patterns

* Fix build errors

* More log updates

* update log approach in command and builtin

* More log updates

* update helper, http, and logical directories

* Update loggers

* Log updates

* Update logging

* Update logging

* Update logging

* Update logging

* update logging in physical

* prefixing and lowercase

* Update logging

* Move phyisical logging name to server command

* Fix som tests

* address jims feedback so far

* incorporate brians feedback so far

* strip comments

* move vault.go to logging package

* update Debug to Trace

* Update go-plugin deps

* Update logging based on review comments

* Updates from review

* Unvendor logxi

* Remove null_logger.go
2018-04-02 17:46:59 -07:00
Calvin Leung Huang 8d9295c539
Token store deleted parent (#4193)
* Handle removal of parent index on revoke-orphan and tidy operations

* Refactor handleTidy to use same for loop children deletion of invalid parent entry

* Update comments

* Add logic for revoke-orphan and tidy to turn no-parent tokens into orphans

* Add orphan check to test

* Update test comments

* Fix TestTokenStore_Revoke_Orphan test

* Address feedback, add explicit delete when parent prefix is empty

* Revert explicit delete, add comment on why it's not done

* Update comment to indicate ok on marking token as orphan

* Fix test
2018-03-27 11:12:06 -04:00
Jeff Mitchell 65d8eb0914 Add more docs around list paths in policies.
CC #4199
2018-03-26 11:30:58 -04:00
Josh Soref 73b1fde82f Spelling (#4119) 2018-03-20 14:54:10 -04:00
Jeff Mitchell 3a5e1792c0 Update path-help to make clear you shouldn't put things in the URL.
Remove from website docs as those have been long deprecated.
2018-03-19 11:50:16 -04:00
Jeff Mitchell 55187255bd
Truncate token store issued token periods when greater than tuned max at (#4112)
issue time, not just renew time.
2018-03-09 10:53:04 -05:00
Brian Kassouf 9dba3590ac
Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
Calvin Leung Huang 848ce6427b
Handle period's zero value in token store's token creation (#3880)
* Handle period's zero value on handleCreateCommon

* Add test for period zero value
2018-02-01 12:01:46 -05:00
Vishal Nayak 150ad8405b
Remove logical.Initialize() method (#3848)
* Remove logical.Initialize() method

* More cleanup

* Fix test
2018-01-25 20:19:27 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Brian Kassouf 1c190d4bda
Pass context to backends (#3750)
* Start work on passing context to backends

* More work on passing context

* Unindent logical system

* Unindent token store

* Unindent passthrough

* Unindent cubbyhole

* Fix tests

* use requestContext in rollback and expiration managers
2018-01-08 10:31:38 -08:00
lemondrank 255212af23 Non-recursive DFS token tree revoke (#2478) 2017-12-11 16:51:37 -05:00
Jeff Mitchell 8f159b12b1
allowed/disallowed_policies as TypeCommaStringSlice (#3641)
Our docs apparently claim that this is a list, but the code is
string-only. This fixes that discrepancy.
2017-12-04 12:47:05 -05:00
Jeff Mitchell 2b78bc2a9b
Port over bits (#3575) 2017-11-13 15:31:32 -05:00
Jeff Mitchell 119607dcb7
Seal wrap all root tokens and their leases (#3540) 2017-11-06 13:10:36 -05:00
Jeff Mitchell 47dae8ffc7 Sync 2017-10-23 14:59:37 -04:00
Vishal Nayak f7ed6732a5 Porting identity store (#3419)
* porting identity to OSS

* changes that glue things together

* add testing bits

* wrapped entity id

* fix mount error

* some more changes to core

* fix storagepacker tests

* fix some more tests

* fix mount tests

* fix http mount tests

* audit changes for identity

* remove upgrade structs on the oss side

* added go-memdb to vendor
2017-10-11 10:21:20 -07:00
Jeff Mitchell 675cbe1bcd Handle expiration manager being nil 2017-09-05 12:01:02 -04:00
Chris Hoffman 71952b7738 ExpirationManager restoration to load in the background (#3260) 2017-09-05 11:09:00 -04:00
Lars Lehtonen b851d88d68 fix swallowed error in vault package. (#2993) 2017-07-26 12:15:54 -04:00
Brian Kassouf b04e0a7a2a Dynamically load and invalidate the token store salt (#3021)
* Dynaically load and invalidate the token store salt

* Pass salt function into the router
2017-07-18 09:02:03 -07:00
Jeff Mitchell a71cb52f1b Don't allow overriding token ID with the same token ID (#2917)
Fixes #2916
2017-06-24 01:52:48 +01:00
Jeff Mitchell 858deb9ca4 Don't allow parent references in file paths 2017-05-12 13:52:33 -04:00
Jeff Mitchell d25aa9fc21 Don't write salts in initialization, look up on demand (#2702) 2017-05-09 17:51:09 -04:00
vishalnayak fa201f2505 auth/token/tidy log level update 2017-05-05 11:16:13 -04:00
Jeff Mitchell b482043de1 Update debugging around tidy 2017-05-05 10:48:12 -04:00
Jeff Mitchell f8295a301d Merge branch 'master-oss' into sys-tidy-leases 2017-05-04 09:37:52 -04:00
Chris Hoffman 3d9cf89ad6 Add the ability to view and list of leases metadata (#2650) 2017-05-03 22:03:42 -04:00
Jeff Mitchell 7f3891c734 Fix substitution of index/child in delete call 2017-05-03 15:09:13 -04:00
Jeff Mitchell 99884a8f13 Merge remote-tracking branch 'oss/master' into sys-tidy-leases 2017-05-03 15:02:42 -04:00
Jeff Mitchell bb6b5f7aa6 Add taint flag for looking up by accessor 2017-05-03 13:08:50 -04:00
vishalnayak a1a0c2950f logging updates 2017-05-03 12:58:10 -04:00
vishalnayak 6aa7f9b7c9 Added logs when deletion fails so we can rely on server logs 2017-05-03 12:47:05 -04:00
vishalnayak bc5d5b7319 consistent logging 2017-05-03 12:45:22 -04:00
Jeff Mitchell 596ad2c8f7 Adhere to tainted status in salted accessor lookup 2017-05-03 12:36:10 -04:00
Jeff Mitchell 0553f7a8d1 change some logging output 2017-05-03 12:14:58 -04:00
Jeff Mitchell c9bd54ad65 Less scary debugging 2017-05-03 11:15:59 -04:00
vishalnayak dd898ed2e1 Added summary logs to help better understand the consequence 2017-05-03 10:54:07 -04:00
Ben Gadbois 537342f038 Fixing printf (and similar) issues (#2666) 2017-05-01 23:34:10 -04:00
vishalnayak 72d05cd8dd Refactor locking code in lease tidy; add ending debug statements 2017-04-27 16:22:19 -04:00
vishalnayak d8e91ef616 refactor lock handling in token tidy function 2017-04-27 13:48:29 -04:00
vishalnayak f9c1426ac8 Use an atomic lock for tidy operation in token store 2017-04-27 11:41:33 -04:00