Commit graph

29 commits

Author SHA1 Message Date
Anton Averchenkov 5370d07b6c
openapi: Add display attributes for approle (#19363) 2023-04-06 11:03:11 -04:00
Hamid Ghaf 27bb03bbc0
adding copyright header (#19555)
* adding copyright header

* fix fmt and a test
2023-03-15 09:00:52 -07:00
Christopher Swenson 2c8e88ab67
Check if plugin version matches running version (#17182)
Check if plugin version matches running version

When registering a plugin, we check if the request version matches the
self-reported version from the plugin. If these do not match, we log a
warning.

This uncovered a few missing pieces for getting the database version
code fully working.

We added an environment variable that helps us unit test the running
version behavior as well, but only for approle, postgresql, and consul
plugins.

Return 400 on plugin not found or version mismatch

Populate the running SHA256 of plugins in the mount and auth tables (#17217)
2022-09-21 12:25:04 -07:00
ncabatoff 4463428a24
Reduce blocking in approle tidy by grabbing only one lock at a time. (#8418)
Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up.  Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap.
2020-03-03 16:43:24 -05:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Jeff Mitchell 2f9a7c6203
Add more perf standby guards (#6149) 2019-02-01 16:56:57 -05:00
Jeff Mitchell 9bfd73bfc6 Modify approle tidy to validate dangling accessors (#4981) 2018-07-24 14:00:53 -07:00
Jeff Mitchell 98bf463a65 Make single-lease revocation behave like expiration (#4883)
This change makes it so that if a lease is revoked through user action,
we set the expiration time to now and update pending, just as we do with
tokens. This allows the normal retry logic to apply in these cases as
well, instead of just erroring out immediately. The idea being that once
you tell Vault to revoke something it should keep doing its darndest to
actually make that happen.
2018-07-11 15:45:35 -04:00
Jeff Mitchell 8916f6b625
Some atomic cleanup (#4732)
Taking inspiration from
https://github.com/golang/go/issues/17604#issuecomment-256384471
suggests that taking the address of a stack variable for use in atomics
works (at least, the race detector doesn't complain) but is doing it
wrong.

The only other change is a change in Leader() detecting if HA is enabled
to fast-path out. This value never changes after NewCore, so we don't
need to grab the read lock to check it.
2018-06-09 15:35:22 -04:00
vishalnayak 644892c53c naming changes 2018-04-23 16:52:09 -04:00
vishalnayak d14cd4a51e segregate local and non-local accessor entries 2018-04-23 16:19:05 -04:00
vishalnayak 7efbee2a12 Fix the tidy operation to consider both local and non-local secretID cleanups 2018-04-23 16:02:55 -04:00
vishalnayak 1680b56d43 add prefix to LocalStorage 2018-04-23 14:08:30 -04:00
vishalnayak 97b821b231 local secret IDs 2018-04-23 14:08:30 -04:00
Brian Kassouf 9dba3590ac
Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
Jeff Mitchell fc6564e4ee
Don't run rollback and upgrade functionality if we are a replication secondary (#3900)
* Don't run rollback and upgrade functionality if we are a replication
secondary, but do if the mount is local.
2018-02-02 20:28:25 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Calvin Leung Huang 3e8aecc7d5 Add BackendType to existing backends (#3078) 2017-07-28 14:04:46 -04:00
Calvin Leung Huang bb54e9c131 Backend plugin system (#2874)
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Jeff Mitchell d25aa9fc21 Don't write salts in initialization, look up on demand (#2702) 2017-05-09 17:51:09 -04:00
Jeff Mitchell 6f6f242061 Add logic to skip initialization in some cases and some invalidation logic 2017-05-05 15:01:52 -04:00
Jeff Mitchell 3d162b63cc Use locks in a slice rather than a map, which is faster and makes things cleaner (#2446) 2017-03-07 11:21:32 -05:00
Jeff Mitchell c81582fea0 More porting from rep (#2388)
* More porting from rep

* Address review feedback
2017-02-16 16:29:30 -05:00
Vishal Nayak 14fcc4b6eb approle: secret-id listing lock sanity check (#2315)
* approle: secret-id listing lock sanity

* Skip processing an empty secretIDHMAC item during the iteration

* approle: use dedicated lock for listing of secret-id-accessors
2017-02-01 18:13:49 -05:00
vishalnayak ba72e7887a Safely manipulate secret id accessors 2016-09-15 18:13:50 -04:00
vishalnayak cdcfa4572f Address review feedback 2016-08-30 16:36:58 -04:00
vishalnayak 29b9295673 approle: fix racy updates problem for roles 2016-08-30 16:11:14 -04:00
vishalnayak a6907769b0 AppRole authentication backend 2016-07-26 09:32:41 -04:00