Commit graph

2016 commits

Author SHA1 Message Date
Jeff Mitchell 61398f1b01 Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-18 14:41:05 -04:00
Jeff Mitchell 801e531364 Enhance transit backend:
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
2015-09-18 14:41:05 -04:00
Jeff Mitchell 9c5dcac90c Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527 2015-09-18 14:01:28 -04:00
Vishal Nayak e27b824dcb Merge pull request #623 from hashicorp/userpass-renewal
Vault userpass: Enable renewals for login tokens
2015-09-17 16:41:09 -04:00
vishalnayak 1f53376ae6 Userpass Bk: Added tests for TTL duration verifications 2015-09-17 16:33:26 -04:00
vishalnayak a2e88414f5 Throw error if system view boundaries are violated 2015-09-17 15:47:36 -04:00
vishalnayak 4332eb9d05 Vault userpass: Enable renewals for login tokens 2015-09-17 14:35:50 -04:00
Jeff Mitchell 8f79e8be82 Add revoke-self endpoint.
Fixes #620.
2015-09-17 13:22:30 -04:00
Vishal Nayak 5b6d6bf79a Merge pull request #624 from hashicorp/vault-i583
CLI: Avoiding CR when printing specific fields
2015-09-17 11:47:51 -04:00
vishalnayak fdf05e8ead Adding type checking to ensure only BasicUi is affected 2015-09-17 11:37:21 -04:00
vishalnayak 7f640c4374 Error on violating SysView boundaries 2015-09-17 11:24:46 -04:00
vishalnayak e885dff580 CLI: Avoiding CR when printing specific fields 2015-09-17 10:05:56 -04:00
Jeff Mitchell 91bcf83e5f Merge pull request #606 from tsilen/renew-etcd-semaphore-key
Renew the semaphore key periodically
2015-09-17 10:00:06 -04:00
vishalnayak 6a4089b2a8 Vault userpass: Enable renewals for login tokens 2015-09-16 23:55:35 -04:00
Jeff Mitchell b08f6e5540 Merge pull request #622 from Poohblah/log-level-help
improve documentation for available log levels
2015-09-16 15:15:36 -04:00
hendrenj 0532682816 improve documentation for available log levels 2015-09-16 11:01:33 -06:00
Jeff Mitchell 047ba90a44 Restrict orphan revocation to root tokens 2015-09-16 09:22:15 -04:00
Seth Vargo 5c363a1bd3 Merge pull request #621 from jklein/patch-1
Grammar fix
2015-09-15 20:54:24 +01:00
Jonathan Klein dff6e468f9 Grammar fix 2015-09-15 15:53:27 -04:00
Jeff Mitchell 461609b754 Merge pull request #612 from hashicorp/f-cubby
Implement the cubbyhole backend
2015-09-15 14:04:07 -04:00
Jeff Mitchell e7d5a18e94 Directly pass the cubbyhole backend to the token store and bypass logic in router 2015-09-15 13:50:37 -04:00
Jeff Mitchell 849b78daee Move more cubby logic outside of router into auth setup 2015-09-15 13:50:37 -04:00
Jeff Mitchell bdb8cf128d Cleanup; remove everything but double-salting from the router and give
the token store cubby backend information for direct calling.
2015-09-15 13:50:37 -04:00
Jeff Mitchell 538852d6d6 Add documentation for cubbyhole 2015-09-15 13:50:37 -04:00
Jeff Mitchell b50f7ec1b5 Remove noop checks in unmount/remount and restore previous behavior 2015-09-15 13:50:37 -04:00
Jeff Mitchell 77e7379ab5 Implement the cubbyhole backend
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell 104b29ab04 Rename View to StorageView to make it more distinct from SystemView 2015-09-15 13:50:37 -04:00
Tuomas Silen 5e8b3a28e4 Rename error return var 2015-09-15 11:18:43 +03:00
Jeff Mitchell f489c1c24e Ensure that the response body of logical calls is closed, even if there is an error. 2015-09-14 18:22:33 -04:00
Jeff Mitchell 38a75503ad Merge pull request #607 from lassizci/postgresql-timezone
Explicitly set timezone with PostgreSQL timestamps.
2015-09-14 11:55:02 -04:00
Jeff Mitchell 699e12a1c6 When there is one use left and a Secret is being returned, instead
return a descriptive error indicating that the Secret cannot be returned
because when the token was revoked the secret was too. This prevents
confusion where credentials come back but cannot be used.

Fixes #615
2015-09-14 11:07:27 -04:00
Lassi Pölönen 83d0ab73f5 Define time zone explicitly in postgresql connection string. 2015-09-14 13:43:06 +03:00
Lassi Pölönen a9aaee6f5a Explicitly set timezone with PostgreSQL timestamps. 2015-09-14 13:43:06 +03:00
Tuomas Silen 42d3f90e37 Further cleanup, use named return vals 2015-09-14 13:30:15 +03:00
Vishal Nayak 2fa1916521 Merge pull request #613 from hashicorp/doc-token-renewal
Improve documentation of token renewal
2015-09-11 21:38:34 -04:00
vishalnayak c5a3b0c681 Typo fix 2015-09-11 21:36:20 -04:00
vishalnayak 142cb563a6 Improve documentation of token renewal 2015-09-11 21:08:32 -04:00
Jeff Mitchell 99f372e3a6 Merge pull request #608 from lassizci/backend-cleanup
Provide a cleanup method for backends; if defined, will be run just before unloading.
2015-09-11 10:52:04 -04:00
Tuomas Silen 7f384b2312 Cleanup defer func 2015-09-11 16:30:12 +03:00
Tuomas Silen 2652db825a Use defer to close the channel in case of error 2015-09-11 16:17:23 +03:00
Lassi Pölönen d3aec0ba31 Cleanup routines should now use routeEntry instead of mountEntry. 2015-09-11 13:40:31 +03:00
Lassi Pölönen 79f68c934a Call ResetDB as Cleanup routine to close existing database connections
on backend unmount.
2015-09-11 11:45:58 +03:00
Lassi Pölönen fb07cf9f53 Implement clean up routine to backend as some backends may require
e.g closing database connections on unmount to avoud connection
stacking.
2015-09-11 11:45:58 +03:00
Vishal Nayak 08f7fb9c8d Merge pull request #580 from hashicorp/zeroaddress-path
Add root authenticated path to allow default CIDR to select roles
2015-09-10 15:28:49 -04:00
Jeff Mitchell 65414dc07e Merge pull request #585 from hashicorp/per-backend-ttls
Per backend configuration
2015-09-10 15:27:07 -04:00
Jeff Mitchell 39cfcccdac Remove error returns from sysview TTL calls 2015-09-10 15:09:54 -04:00
Jeff Mitchell 65ceb3439d Be consistent as both are the same pointer here 2015-09-10 15:09:54 -04:00
Jeff Mitchell 5de736e69c Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 15:09:54 -04:00
Jeff Mitchell ace611d56d Address items from feedback. Make MountConfig use values rather than
pointers and change how config is read to compensate.
2015-09-10 15:09:54 -04:00
Jeff Mitchell c460ff10ca Push a lot of logic into Router to make a bunch of it nicer and enable a
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00