luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
1889 commits 1 branch 0 tags 214 MiB
Commit graph

140 commits

Author SHA1 Message Date
Vishal Nayak d526c8ce1c Merge pull request #629 from hashicorp/token-create-sudo 
TokenStore: Provide access based on sudo permissions and not policy name
 2015-09-21 10:12:29 -04:00
vishalnayak 1a01ab3608 Take ClientToken instead of Policies 2015-09-21 10:04:03 -04:00
Jeff Mitchell ab7d35b95e Fix up per-backend timing logic; also fix error in TypeDurationSecond in 
GetOkErr.
 2015-09-21 09:55:03 -04:00
vishalnayak 02485e7175 Abstraced SudoPrivilege to take list of policies 2015-09-19 18:23:44 -04:00
vishalnayak a2799b235e Using acl.RootPrivilege and rewrote mockTokenStore 2015-09-19 17:53:24 -04:00
vishalnayak b6d47dd784 fix broken tests 2015-09-19 12:33:52 -04:00
vishalnayak fb77ec3623 TokenStore: Provide access based on sudo permissions and not policy name 2015-09-19 11:14:51 -04:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell 801e531364 Enhance transit backend: 
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
 2015-09-18 14:41:05 -04:00
vishalnayak 7f640c4374 Error on violating SysView boundaries 2015-09-17 11:24:46 -04:00
vishalnayak 6a4089b2a8 Vault userpass: Enable renewals for login tokens 2015-09-16 23:55:35 -04:00
Jeff Mitchell 77e7379ab5 Implement the cubbyhole backend 
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
 2015-09-15 13:50:37 -04:00
Jeff Mitchell 104b29ab04 Rename View to StorageView to make it more distinct from SystemView 2015-09-15 13:50:37 -04:00
Lassi Pölönen fb07cf9f53 Implement clean up routine to backend as some backends may require 
e.g closing database connections on unmount to avoud connection
stacking.
 2015-09-11 11:45:58 +03:00
Jeff Mitchell 39cfcccdac Remove error returns from sysview TTL calls 2015-09-10 15:09:54 -04:00
Jeff Mitchell 488d33c70a Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00
Jeff Mitchell 4239f9d243 Add DynamicSystemView. This uses a pointer to a pointer to always have 
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.

Need specific unit tests for this functionality.
 2015-09-10 15:09:54 -04:00
Jeff Mitchell d435048d9e Switch StaticSystemView values to pointers, to support updating 2015-09-10 15:09:54 -04:00
Jeff Mitchell 696d0c7b1d Plumb per-mount config options through API 2015-09-10 15:09:53 -04:00
Jeff Mitchell 9e5e8a8a4d Whitespace fix 2015-08-27 12:14:51 -07:00
Jeff Mitchell cdabe6350e SystemConfig -> SystemView 2015-08-27 11:38:05 -07:00
Jeff Mitchell b74fa8c888 Make DefaultSystemView StaticSystemView with statically-configured information. Export this from Framework to make it easy to override for testing. 2015-08-27 11:25:07 -07:00
Jeff Mitchell 7c2bbe4c7f Use a SystemView interface and turn SystemConfig into DefaultSystemView 2015-08-27 10:36:44 -07:00
Jeff Mitchell e58553e7d5 Plumb the system configuration information up into framework 2015-08-27 09:41:03 -07:00
Jeff Mitchell 2e07106c4b Add some documentation to SystemConfig 2015-08-27 09:14:03 -07:00
Jeff Mitchell 992e357d07 Add some plumbing to allow specified system configuration information to 
be retrieved by logical backends. First implemented is default/max TTL.
 2015-08-27 08:51:35 -07:00
Jeff Mitchell 5695d57ba0 Merge pull request #561 from hashicorp/fix-wild-cards 
Allow hyphens in endpoint patterns of most backends
 2015-08-21 11:40:42 -07:00
vishalnayak 6c2927ede0 Vault: Fix wild card paths for all backends 2015-08-21 00:56:13 -07:00
Jeff Mitchell ea9fbb90bc Rejig Lease terminology internally; also, put a few JSON names back to their original values 2015-08-20 22:27:01 -07:00
Jeff Mitchell 93ef9a54bd Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod 2015-08-20 18:00:51 -07:00
Jeff Mitchell b57ce8e5c2 Change "lease" parameter in the generic backend to be "ttl" to reduce confusion. "lease" is now deprecated but will remain valid until 0.4. 
Fixes #528.
 2015-08-20 16:41:25 -07:00
Armon Dadgar 4abc488cec Merge pull request #510 from ctennis/more_descriptive_errors 
More descriptive errors with specific HTTP return codes
 2015-08-11 10:11:26 -07:00
Caleb Tennis ae990884a6 Add a validation step in field data to error more quickly vs. allowing panics to happen when we go to get the data and convert it 2015-08-11 12:34:14 -04:00
Caleb Tennis 4da080e769 This adds a new error class which can be used by logical backends to 
specify more concrete error cases to make their way back up the stack.

Over time there is probably a cleaner way of doing this, but that's
looking like a more massive rewrite and this solves some issues in
the meantime.

Use a CodedError to return a more concrete HTTP return code for
operations you want to do so.  Returning a regular error leaves
the existing behavior in place.
 2015-08-10 13:27:25 -04:00
Caleb Tennis 7750af7014 Fix a couple of typos 2015-08-09 15:20:06 -04:00
vishalnayak 4409e704b5 Vault Test: Disabling mlock for logical.testing.Test() 2015-07-31 12:23:50 -04:00
Armon Dadgar c40cf7fcdf logical/framework: handle nil duration value. Fixes #408 2015-07-08 16:55:52 -06:00
Armon Dadgar cf82f4d6d6 logical/testing: Allow factory to be provided instead of Backend 2015-06-30 18:08:43 -07:00
Armon Dadgar 4b27e4d8c5 Remove SetLogger, and unify on framework.Setup 2015-06-30 17:45:20 -07:00
Armon Dadgar 541014e315 logical: remove SetLogger method 2015-06-30 17:39:39 -07:00
Armon Dadgar 5d69e7da90 Updating for backend API change 2015-06-30 17:36:12 -07:00
Armon Dadgar 41b72a4d39 vault: provide view to backend initializer for setup 2015-06-30 17:30:43 -07:00
Armon Dadgar e892d728a2 logical/framework: support Salt in PathMap 2015-06-30 14:28:45 -07:00
Armon Dadgar 6b23b14773 logical/framework: adding a new duration type to convert to seconds 2015-06-17 15:56:26 -07:00
Armon Dadgar f39b522681 logical/framework: allow the lease max to come from existing lease 2015-06-17 14:24:12 -07:00
Armon Dadgar cfab07b19f logical/framework: simplify calculation of lease renew 2015-06-17 14:16:44 -07:00
Armon Dadgar ae02203624 logical: remove IncrementedLease, simplify ExpirationTime calculation 2015-06-17 13:59:09 -07:00
Armon Dadgar 784f17a0a8 logical: Adding special fields to do raw HTTP 2015-05-27 14:09:47 -07:00
Armon Dadgar ba7bfed1af vault: Expose MountPoint to secret backend. Fixes #248 2015-05-27 11:46:42 -07:00
Armon Dadgar 7131f12fee logical/testing: Fixing revoke in acceptance tests. Fixes #236 2015-05-27 11:19:15 -07:00