vishalnayak
3fd019574d
Fix logging levels
2017-04-26 17:29:04 -04:00
vishalnayak
7c3e20e9c5
Fix the log statements
2017-04-26 17:17:19 -04:00
vishalnayak
9025ef16e4
Added logger to token store and logs to tidy function
2017-04-26 16:11:23 -04:00
vishalnayak
5909d81b7b
Merge branch 'oss' into clean-stale-leases
2017-04-26 15:07:27 -04:00
Jeff Mitchell
4a4c981fb2
Update error message to distinguish tree revocation issue from non-tree
2017-04-26 14:06:45 -04:00
Jeff Mitchell
3ba162fea1
List should use a trailing slash
2017-04-21 15:37:43 -04:00
Chris Hoffman
847c86f788
Rename ParseDedupAndSortStrings to ParseDedupLowercaseAndSortStrings ( #2614 )
2017-04-19 10:39:07 -04:00
Jeff Mitchell
709389dd36
Use ParseStringSlice on PKI organization/organizational unit. ( #2561 )
...
After, separately dedup and use new flag to not lowercase value.
Fixes #2555
2017-04-04 08:54:18 -07:00
Vishal Nayak
5a6193a56e
Audit: Add token's use count to audit response ( #2437 )
...
* audit: Added token_num_uses to audit response
* Fixed jsonx tests
* Revert logical auth to NumUses instead of TokenNumUses
* s/TokenNumUses/NumUses
* Audit: Add num uses to audit requests as well
* Added RemainingUses to distinguish NumUses in audit requests
2017-03-08 17:36:50 -05:00
vishalnayak
f54ff0f842
Add locking where possible while doing auth/token/tidy
2017-03-07 16:06:05 -05:00
Jeff Mitchell
3d162b63cc
Use locks in a slice rather than a map, which is faster and makes things cleaner ( #2446 )
2017-03-07 11:21:32 -05:00
Jeff Mitchell
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell
f37b6492d1
More rep porting ( #2391 )
...
* More rep porting
* Add a bit more porting
2017-02-16 23:09:39 -05:00
Jeff Mitchell
20c65b8300
Fix regression in 0.6.4 where token store roles could not properly wo… ( #2286 )
2017-01-18 16:11:25 -05:00
vishalnayak
c9bd2a37f8
Don't sanitize disallowed_policies on token role
2017-01-17 21:34:14 -05:00
Vishal Nayak
ba026aeaa1
TokenStore: Added tidy endpoint ( #2192 )
2016-12-16 15:29:27 -05:00
Jeff Mitchell
f6044764c0
Fix revocation of leases when num_uses goes to 0 ( #2190 )
2016-12-16 13:11:55 -05:00
Vishal Nayak
8400b87473
Don't add default policy to child token if parent does not have it ( #2164 )
2016-12-16 00:36:39 -05:00
Jeff Mitchell
b45a481365
Wrapping enhancements ( #1927 )
2016-09-28 21:01:28 -07:00
vishalnayak
57b21acabb
Added unit tests for token entry upgrade
2016-09-26 18:17:50 -04:00
vishalnayak
af888573be
Handle upgrade of deprecated fields in token entry
2016-09-26 15:47:48 -04:00
vishalnayak
328de60338
Description consistency
2016-08-29 15:53:11 -04:00
Jeff Mitchell
ac38863884
Add back token/accessor URL parameters but return a warning.
...
CC @sethvargo
2016-08-29 15:15:57 -04:00
Jeff Mitchell
9fee9ce8ff
Don't allow tokens in paths. ( #1783 )
2016-08-24 15:59:43 -04:00
Jeff Mitchell
01702415c2
Ensure we don't use a token entry period of 0 in role comparisons.
...
When we added support for generating periodic tokens for root/sudo in
auth/token/create we used the token entry's period value to store the
shortest period found to eventually populate the TTL. The problem was
that we then assumed later that this value would be populated for
periodic tokens, when it wouldn't have been in the upgrade case.
Instead, use a temp var to store the proper value to use; populate
te.Period only if actually given; and check that it's not zero before
comparing against role value during renew.
2016-08-16 16:47:46 -04:00
Jeff Mitchell
c1aa89363a
Make time logic a bit clearer
2016-08-16 16:29:07 -04:00
Jeff Mitchell
cdea4b3445
Add some tests and fix some bugs
2016-08-13 14:03:22 -04:00
Jeff Mitchell
de60702d76
Don't check the role period again as we've checked it earlier and it may be greater than the te Period
2016-08-13 13:21:56 -04:00
Jeff Mitchell
bcb4ab5422
Add periodic support for root/sudo tokens to auth/token/create
2016-08-12 21:14:12 -04:00
Jeff Mitchell
0f40fba40d
Don't allow a root token that expires to create one that doesn't
2016-08-09 20:32:40 -04:00
Jeff Mitchell
d7f6218869
Move checking non-assignable policies above the actual token creation
2016-08-08 16:44:29 -04:00
Laura Bennett
da615642f5
Merge pull request #1687 from hashicorp/token-store-update
...
Minor update to token-store
2016-08-08 10:25:05 -04:00
vishalnayak
e783bfe7e1
Minor changes to test cases
2016-08-05 20:22:07 -04:00
Laura Bennett
405eb0075a
fix an error, tests still broken
2016-08-05 17:58:48 -04:00
Jeff Mitchell
82b3d136e6
Don't mark never-expiring root tokens as renewable
2016-08-05 11:15:25 -04:00
Laura Bennett
68d351c70c
addresses feedback, but tests broken
2016-08-05 10:04:02 -04:00
Laura Bennett
c626277632
initial commit for minor update to token-store
2016-08-03 14:32:17 -04:00
Vishal Nayak
0b2098de2f
Merge pull request #1681 from hashicorp/disallowed-policies
...
Support disallowed_policies in token roles
2016-08-02 17:32:53 -04:00
vishalnayak
e7cb3fd990
Addressed review feedback
2016-08-02 16:53:06 -04:00
vishalnayak
4f45910dfc
disallowed_policies doc update
2016-08-02 16:33:22 -04:00
Jeff Mitchell
31b36fe2c2
Use duration helper to allow not specifying duration units
2016-08-02 15:12:45 -04:00
vishalnayak
a936914101
Address review feedback and fix existing tests
2016-08-02 14:10:20 -04:00
vishalnayak
a0c711d0cf
Added disallowed_policies to token roles
2016-08-02 10:33:50 -04:00
Jeff Mitchell
357f2d972f
Add some extra safety checking in accessor listing and update website
...
docs.
2016-08-01 13:12:06 -04:00
Jeff Mitchell
6546005487
Fix typo
2016-07-29 23:24:04 -04:00
Jeff Mitchell
e606aab6e0
oops, fix createAccessor
2016-07-29 18:23:55 -04:00
Jeff Mitchell
23ab63c78e
Add accessor list function to token store
2016-07-29 18:20:38 -04:00
Laura Bennett
7e29cf1cae
edits based on comments in PR
2016-07-25 09:46:10 -04:00
Laura Bennett
9ea1c8b801
initial commit for nonAssignablePolicies
2016-07-24 22:27:41 -04:00
vishalnayak
331f229858
Added a cap of 256 for CreateLocks utility
2016-07-20 04:48:35 -04:00
vishalnayak
50e8a189e9
Added helper to create locks
2016-07-19 21:37:28 -04:00
vishalnayak
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
vishalnayak
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
vishalnayak
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
vishalnayak
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell
09720bbd8e
Fix picking wrong token lock
2016-06-27 11:17:08 -04:00
Jeff Mitchell
2b4b6559e3
Merge pull request #1504 from hashicorp/token-store-roles-renewability
...
Add renewable flag to token store roles
2016-06-08 15:56:54 -04:00
Jeff Mitchell
8a1bff7c11
Make out-of-bounds explicit max a cap+warning instead of an error
2016-06-08 15:25:17 -04:00
Jeff Mitchell
cf8f38bd4c
Add renewable flag to token store roles
2016-06-08 15:17:22 -04:00
Jeff Mitchell
65d8973864
Add explicit max TTL capability to token creation API
2016-06-08 14:49:48 -04:00
Jeff Mitchell
c0155ac02b
Add renewable flag and API setting for token creation
2016-06-08 11:14:30 -04:00
Jeff Mitchell
f8d70b64a0
Show renewable status for tokens in output
2016-06-01 17:30:31 -04:00
vishalnayak
1e4834bd20
Remove addDefault param from ParsePolicies
2016-05-31 13:39:58 -04:00
vishalnayak
49b4c83580
Adding default policies while creating tokens
2016-05-31 13:39:58 -04:00
vishalnayak
c0e745dbfa
s/logical.ErrorResponse/fmt.Errorf in renewal functions of credential backends
2016-05-26 10:21:03 -04:00
Jeff Mitchell
c4431a7e30
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors
2016-05-16 16:11:33 -04:00
Jeff Mitchell
4c67a739b9
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-16 12:14:40 -04:00
Sean Chittenden
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
Jeff Mitchell
ce5614bf9b
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-11 19:29:52 -04:00
Jeff Mitchell
6ec1ca05c8
Fix bug around disallowing explicit max greater than sysview max
2016-05-11 18:46:55 -04:00
Jeff Mitchell
aecc3ad824
Add explicit maximum TTLs to token store roles.
2016-05-11 16:51:18 -04:00
Jeff Mitchell
1b190c9c62
Don't check if numuses is -1 with a read lock, it shouldn't come in with that from lookup anyways
2016-05-02 15:31:28 -04:00
Jeff Mitchell
324bb9cfac
Use a 256-level mutex map instead of 4096, and optimize the case for tokens that are not limited use
2016-05-02 14:57:17 -04:00
Jeff Mitchell
2ebe49d3a1
Change UseToken mechanics.
...
Add locking around UseToken and Lookup. Have UseToken flag an entry that
needs to be revoked so that it can be done at the appropriate time, but
so that Lookup in the interm doesn't return a value.
The locking is a map of 4096 locks keyed off of the first three
characters of the token ID which should provide good distribution.
2016-05-02 03:44:24 -04:00
Jeff Mitchell
81da06de05
Fix fetching parameters in token store when it's optionally in the URL
2016-04-28 15:15:37 -04:00
Jeff Mitchell
98d09b0dc6
Add seal tests and update generate-root and others to handle dualseal.
2016-04-25 19:39:04 +00:00
Jeff Mitchell
ae2d000de4
Make period output nicer -- seconds rather than duration
2016-04-14 06:10:22 -04:00
Jeff Mitchell
1db6808912
Construct token path from request to fix displaying TTLs when using
...
create-orphan.
2016-04-07 15:45:38 +00:00
Jeff Mitchell
f2880561d1
Ensure we only use sysview's max if it's not zero. It never should be, but safety.
2016-04-07 15:27:14 +00:00
vishalnayak
e3a1ee92b5
Utility Enhancements
2016-04-05 20:32:59 -04:00
Jeff Mitchell
7d20380c42
Merge pull request #1280 from hashicorp/remove-ts-revoke-prefix
...
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-04-01 09:48:52 -04:00
Jeff Mitchell
2b2541e13f
Merge pull request #1277 from hashicorp/suprious-revoke-timer-logs
...
Keep the expiration manager from keeping old token entries.
2016-03-31 20:16:31 -04:00
Jeff Mitchell
2fd02b8dca
Remove auth/token/revoke-prefix in favor of sys/revoke-prefix.
2016-03-31 18:04:05 -04:00
Jeff Mitchell
7442867d53
Check for auth/ in the path of the prefix for revoke-prefix in the token
...
store.
2016-03-31 16:21:56 -04:00
Jeff Mitchell
75650ec1ad
Keep the expiration manager from keeping old token entries.
...
The expiration manager would never be poked to remove token entries upon
token revocation, if that revocation was initiated in the token store
itself. It might have been to avoid deadlock, since during revocation of
tokens the expiration manager is called, which then calls back into the
token store, and so on.
This adds a way to skip that last call back into the token store if we
know that we're on the revocation path because we're in the middle of
revoking a token. That way the lease is cleaned up. This both prevents
log entries appearing for already-revoked tokens, and it also releases
timer/memory resources since we're not keeping the leases around.
2016-03-31 15:10:25 -04:00
Jeff Mitchell
ddce1efd0d
Two items:
...
1: Fix path check in core to handle renew paths from the token store
that aren't simply renew/
2: Use token policy logic if token store role policies are empty
2016-03-31 14:52:49 -04:00
vishalnayak
3861c88211
Accept params both as part of URL or as part of http body
2016-03-14 19:14:36 -04:00
vishalnayak
85a888d588
Enable token to be supplied in the body for lookup call
2016-03-14 18:56:00 -04:00
Jeff Mitchell
fa2ba47a5c
Merge branch 'master' into token-roles
2016-03-09 17:23:34 -05:00
vishalnayak
0c4d5960a9
In-URL accessor for auth/token/lookup-accessor endpoint
2016-03-09 14:54:52 -05:00
vishalnayak
2528ffbc18
Restore old regex expressions for token endpoints
2016-03-09 14:08:52 -05:00
vishalnayak
f478cc57e0
fix all the broken tests
2016-03-09 13:45:36 -05:00
vishalnayak
007142262f
Provide accessor to revove-accessor in the URL itself
2016-03-09 13:08:37 -05:00
Jeff Mitchell
2ecdde1781
Address final feedback
2016-03-09 11:59:54 -05:00
vishalnayak
c4a2c5b56e
Added tests for 'sys/capabilities-accessor' endpoint
2016-03-09 11:29:09 -05:00
Jeff Mitchell
4785bec59d
Address review feedback
2016-03-09 11:07:13 -05:00
Jeff Mitchell
2e07f45bfa
Use role's allowed policies if none are given
2016-03-09 10:42:04 -05:00
vishalnayak
926e7513d7
Added docs for /sys/capabilities-accessor
2016-03-09 09:48:32 -05:00
vishalnayak
7407c27778
Add docs for new token endpoints
2016-03-09 09:31:09 -05:00
vishalnayak
6a992272cd
New prefix for accessor indexes
2016-03-09 09:09:09 -05:00
vishalnayak
151c932875
AccessorID --> Accessor, accessor_id --> accessor
2016-03-09 06:23:31 -05:00
vishalnayak
913bbe7693
Error text corrections and minor refactoring
2016-03-08 22:27:24 -05:00
vishalnayak
62777c9f7e
ErrUserInput --> StatusBadRequest
2016-03-08 21:47:24 -05:00
vishalnayak
2737c81b39
Lay the foundation for returning proper HTTP status codes
2016-03-08 18:27:03 -05:00
vishalnayak
8c6afea1d0
Implemented /auth/token/revoke-accessor in token_store
2016-03-08 18:07:27 -05:00
vishalnayak
a7adab25bc
Implemented lookup-accessor as a token_store endpoint
2016-03-08 17:38:19 -05:00
vishalnayak
f19ee68fdb
placeholders for revoke-accessor and lookup-accessor
2016-03-08 15:13:29 -05:00
vishalnayak
a7c97fcd18
Clear the accessor index during revocation
2016-03-08 14:06:10 -05:00
vishalnayak
c0fb69a8b1
Create indexing from Accessor ID to Token ID
2016-03-08 14:06:10 -05:00
vishalnayak
301776012f
Introduced AccessorID in TokenEntry and returning it along with token
2016-03-08 14:06:10 -05:00
Jeff Mitchell
6b0f79f499
Address review feedback
2016-03-07 10:07:04 -05:00
Jeff Mitchell
cc1f5207b3
Merge branch 'master' into token-roles
2016-03-07 10:03:54 -05:00
vishalnayak
da9152169b
changed response of expiration manager's renewtoken to logical.response
2016-03-04 14:56:51 -05:00
Jeff Mitchell
41dba5dd5d
Move descriptions into const block
2016-03-03 11:04:05 -05:00
Jeff Mitchell
7c5f810bc0
Address first round of feedback
2016-03-01 15:30:37 -05:00
Jeff Mitchell
8a500e0181
Add command and token store documentation for roles
2016-03-01 13:02:40 -05:00
Jeff Mitchell
54232eb980
Add other token role unit tests and some minor other changes.
2016-03-01 12:41:41 -05:00
Jeff Mitchell
df2e337e4c
Update tests to add expected role parameters
2016-03-01 12:41:40 -05:00
Jeff Mitchell
b8b59560dc
Add token role CRUD tests
2016-03-01 12:41:40 -05:00
Jeff Mitchell
ef990a3681
Initial work on token roles
2016-03-01 12:41:40 -05:00
vishalnayak
bc4710eb06
Cert: renewal enhancements
2016-02-24 14:31:38 -05:00
Jeff Mitchell
ff3adce39e
Make "ttl" reflect the actual TTL of the token in lookup calls.
...
Add a new value "creation_ttl" which holds the value at creation time.
Fixes #986
2016-02-01 11:16:32 -05:00
Jeff Mitchell
d3a705f17b
Make backends much more consistent:
...
1) Use the new LeaseExtend
2) Use default values controlled by mount tuning/system defaults instead
of a random hard coded value
3) Remove grace periods
2016-01-29 20:03:37 -05:00
Jeff Mitchell
9c5ad28632
Update deps, and adjust usage of go-uuid to match new return values
2016-01-13 13:40:08 -05:00
Jeff Mitchell
a99787afeb
Don't allow a policy with no name, even though it is a valid slice member
2016-01-08 21:23:40 -05:00
Jeff Mitchell
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Jeff Mitchell
d51d723c1f
Use int64 for converting time values, not int (will be float64 in JSON anyways, so no need to lose precision, plus could hit a 32-bit max in some edge cases)
2016-01-04 17:11:22 -05:00
Jeff Mitchell
e990b77d6e
Address review feedback; move storage of these values to the expiration manager
2016-01-04 16:43:07 -05:00
Jeff Mitchell
5ddd243144
Store a last renewal time in the token entry and return it upon lookup
...
of the token.
Fixes #889
2016-01-04 11:20:49 -05:00
Jeff Mitchell
df68e3bd4c
Filter out duplicate policies during token creation.
2015-12-30 15:18:30 -05:00
Jeff Mitchell
f2da5b639f
Migrate 'uuid' to 'go-uuid' to better fit HC naming convention
2015-12-16 12:56:20 -05:00
Jeff Mitchell
1a45696208
Add no-default-policy flag and API parameter to allow exclusion of the
...
default policy from a token create command.
2015-11-09 17:30:50 -05:00
Jeff Mitchell
d6693129de
Create a "default" policy with sensible rules.
...
It is forced to be included with each token, but can be changed (but not
deleted).
Fixes #732
2015-11-09 15:44:09 -05:00
Jeff Mitchell
5783f547ab
Display whether a token is an orphan on lookup.
2015-11-09 13:19:59 -05:00
Jeff Mitchell
7aa3faa626
Rename core's 'policy' to 'policyStore' for clarification
2015-11-06 12:07:42 -05:00
Jeff Mitchell
7d8371c4a3
Remove warning about nonexistent root policy by using GetPolicy instead
...
of the listing function.
2015-11-06 11:36:40 -05:00
Jeff Mitchell
6ccded7a2f
Add ability to create orphan tokens from the API
2015-11-03 15:12:21 -05:00
Jeff Mitchell
636d57a026
Make the token store's Create and RootToken functions non-exported.
...
Nothing requires them to be exported, and I don't want anything in the
future to think it's okay to simply create a root token when it likes.
2015-10-30 10:59:26 -04:00
Jeff Mitchell
a9155ef85e
Use split-out hashicorp/uuid
2015-10-12 14:07:12 -04:00
Jeff Mitchell
b5d674d94e
Add 301 redirect checking to the API client.
...
Vault doesn't generate these, but in some cases Go's internal HTTP
handler does. For instance, during a mount-tune command, finishing the
mount path with / (as in secret/) would cause the final URL path to
contain .../mounts/secret//tune. The double slash would trigger this
behavior in Go's handler and generate a 301. Since Vault generates 307s,
this would cause the client to think that everything was okay when in
fact nothing had happened.
2015-10-09 17:11:31 -04:00
Jeff Mitchell
d740fd4a6a
Add the ability for warnings to be added to responses. These are
...
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.
Fixes #676
2015-10-07 16:18:39 -04:00
Jeff Mitchell
4a52de13e3
Add renew-self endpoint.
...
Fixes #455 .
2015-10-07 12:49:13 -04:00
vishalnayak
3dd84446ab
Github backend: enable auth renewals
2015-10-02 13:33:19 -04:00
Jeff Mitchell
ca50012017
Format token lease/TTL as int in JSON API when looking up
2015-09-27 22:36:36 -04:00
Jeff Mitchell
62ac518ae7
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 10:41:21 -04:00
Vishal Nayak
d526c8ce1c
Merge pull request #629 from hashicorp/token-create-sudo
...
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-21 10:12:29 -04:00
vishalnayak
1a01ab3608
Take ClientToken instead of Policies
2015-09-21 10:04:03 -04:00
vishalnayak
02485e7175
Abstraced SudoPrivilege to take list of policies
2015-09-19 18:23:44 -04:00
vishalnayak
a2799b235e
Using acl.RootPrivilege and rewrote mockTokenStore
2015-09-19 17:53:24 -04:00
vishalnayak
fb77ec3623
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-19 11:14:51 -04:00