Chris Hoffman
9d73c81f38
Disable the sys/raw
endpoint by default ( #3329 )
...
* disable raw endpoint by default
* adding docs
* config option raw -> raw_storage_endpoint
* docs updates
* adding listing on raw endpoint
* reworking tests for enabled raw endpoints
* root protecting base raw endpoint
2017-09-15 00:21:35 -04:00
Chris Hoffman
91338d7aa2
Adding latency injector option to -dev mode for storage operations ( #3289 )
2017-09-11 14:49:08 -04:00
Jeff Mitchell
223c4fc325
Change auth helper interface to api.Secret. ( #3263 )
...
This allows us to properly handle wrapped responses.
Fixes #3217
2017-08-31 16:57:00 -04:00
Calvin Leung Huang
6f417d39da
Normalize plugin_name option for mount and enable-auth ( #3202 )
2017-08-31 12:16:59 -04:00
Jeff Mitchell
3edb337a00
Add option to set cluster TLS cipher suites. ( #3228 )
...
* Add option to set cluster TLS cipher suites.
Fixes #3227
2017-08-30 16:28:23 -04:00
Brian Kassouf
23089dafbc
Add basic autocompletion ( #3223 )
...
* Add basic autocompletion
* Add autocomplete to some common commands
* Autocomplete the generate-root flags
* Add information about autocomplete to the docs
2017-08-24 15:23:40 -07:00
Doyoon Kim
3ffebb7780
Moved PROXY protocol wrap to execute before the TLS wrap ( #3195 )
2017-08-23 12:00:09 -04:00
Seth Vargo
ec9e187ce4
Thread stderr through too ( #3211 )
...
* Thread stderr through too
* Small docs typo
2017-08-21 17:23:29 -04:00
Jeff Mitchell
654e7d92ac
Properly lowercase policy names. ( #3210 )
...
Previously we lowercased names on ingress but not on lookup or delete
which could cause unexpected results. Now, just unilaterally lowercase
policy names on write and delete. On get, to avoid the performance hit
of always lowercasing when not necessary since it's in the critical
path, we have a minor optimization -- we check the LRU first before
normalizing. For tokens, because they're already normalized when adding
policies during creation, this should always work; it might just be
slower for API calls.
Fixes #3187
2017-08-18 19:47:23 -04:00
Seth Vargo
51d8e5ff86
Do not revoke SSH key ( #3208 )
...
There is no secret to revoke - this produces an error on the CLI
2017-08-18 15:44:20 -04:00
Seth Vargo
2e3a9ebd06
Add host key checking for SSH CA
2017-08-18 12:59:09 -04:00
Seth Vargo
89cffaf25e
Revoke temporary cred after creation, update warning
...
/cc @vishalnayak
2017-08-18 12:59:09 -04:00
Seth Vargo
430fc22023
Initial pass at SSH CLI CA type authentication
...
1. The current implementation of the SSH command is heavily tied to the
assumptions of OTP/dynamic key types. The SSH CA backend is
fundamentally a different approach to login and authentication. As a
result, there was some restructuring of existing methods to share more
code and state.
2. Each authentication method (ca, otp, dynamic) are now fully-contained
in their own handle* function.
3. -mode and -role are going to be required for SSH CA, and I don't
think the magical UX (and overhead) of guessing them is a good UX. It's
confusing as to which role and how Vault guesses. We can reduce 66% of
the API calls and add more declaration to the CLI by making -mode and
-role required. This commit adds warnings for that deprecation, but
these values are both required for CA type authentication.
4. The principal and extensions are currently fixed, and I personally
believe that's good enough for the first pass at this. Until we
understand what configuration options users will want, I think we should
ship with all the local extensions enabled. Users who don't want that
can generate the key themselves directly (current behavior) or submit
PRs to make the map of extensions customizable.
5. Host key checking for the CA backend is not currently implemented.
It's not strictly required at setup, so I need to think about whether it
belongs here.
This is not ready for merge, but it's ready for early review.
2017-08-18 12:59:08 -04:00
Calvin Leung Huang
ea6a1382ff
Improve auth-enable output for plugin backends ( #3189 )
...
* Improve auth-enable output for plugin backends
* Unquote authType on final output
2017-08-16 14:31:16 -04:00
Jeff Mitchell
c34a5b2e93
* Add ability to specify a plugin dir in dev mode ( #3184 )
...
* Change (with backwards compatibility) sha_256 to sha256 for plugin
registration
2017-08-16 11:17:50 -04:00
Seth Vargo
f8922bf674
Update help output (spaces instead of tabs) ( #3178 )
2017-08-15 21:21:30 -04:00
Seth Vargo
c1e6e0bdf2
Use SSHPASS envvar instead of -p for sshpass ( #3177 )
...
From the sshpass manpage:
> The -p option should be considered the least secure of all of sshpass's options. All system users can see the password in the command line with a simple "ps" command. Sshpass makes a minimal attempt to hide the password, but such attempts are doomed to create race conditions without actually solving the problem. Users of sshpass are encouraged to use one of the other password passing techniques, which are all more secure.
This PR changes the sshpass behavior to execute a subprocess with the
SSHPASS envvar (which is generally regarded as more secure) than using
the -p option.
2017-08-15 19:43:39 -04:00
Jeff Mitchell
fdaaaadee2
Migrate physical backends into separate packages ( #3106 )
2017-08-03 13:24:27 -04:00
Gobin Sougrakpam
8e01c994bf
tls_client_ca_file option for verifying client ( #3034 )
2017-08-03 07:33:06 -04:00
Calvin Leung Huang
db9d9e6415
Store original request path in WrapInfo ( #3100 )
...
* Store original request path in WrapInfo as CreationPath
* Add wrapping_token_creation_path to CLI output
* Add CreationPath to AuditResponseWrapInfo
* Fix tests
* Add and fix tests, update API docs with new sample responses
2017-08-02 18:28:58 -04:00
Jeff Mitchell
7e3ff5e56c
Add PROXY protocol support ( #3098 )
2017-08-02 18:24:12 -04:00
Brian Kassouf
e0713b307d
Add Testing Interface to test helpers ( #3091 )
...
* Add testing interface
* Add vendored files
2017-08-01 11:07:08 -07:00
Jeff Mitchell
d39d1b4003
Add some useful variable output to three node dev startup
2017-08-01 11:50:41 -04:00
Jeff Mitchell
1f36e2a846
Use 1-based indexing for unseal keys in three node dev cluster
2017-08-01 11:12:45 -04:00
Jeff Mitchell
d0f329e124
Add leader cluster address to status/leader output. ( #3061 )
...
* Add leader cluster address to status/leader output. This helps in
identifying a particular node when all share the same redirect address.
Fixes #3042
2017-07-31 18:25:27 -04:00
Jeff Mitchell
1bfc6d4fe7
Add a -dev-three-node option for devs. ( #3081 )
2017-07-31 11:28:06 -04:00
Calvin Leung Huang
bb54e9c131
Backend plugin system ( #2874 )
...
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017 )
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Jeff Mitchell
76d1402a44
Add token-only. ( #2971 )
2017-07-12 15:04:34 -04:00
Jeff Mitchell
d169918465
Create and persist human-friendly-ish mount accessors ( #2918 )
2017-06-26 18:14:36 +01:00
Jeff Mitchell
d55d75a79f
Convert listener arguments to map[string]interface{} ( #2905 )
...
This allows people to use more natural constructs, e.g. for tls_disable
it can be a bool, int, or string.
2017-06-22 20:29:53 +01:00
Jeff Mitchell
286392c2a2
Fix tests
2017-06-21 11:19:38 -04:00
Jeff Mitchell
069764ea8f
Add option to have dev mode generic backend return leases
2017-06-21 10:42:50 -04:00
Chris Hoffman
7e7d766e21
Exclude /sys/leases/renew from registering with expiration manager ( #2891 )
...
* exclude /sys/leases/renew from registering with expiration manager
* adding sys/leases/renew to return full secret object, adding tests to catch renew errors
2017-06-20 12:34:00 -04:00
Jeff Mitchell
cf7d56e8f3
Fix up CORS.
...
Ref #2021
2017-06-17 01:26:25 -04:00
Jeff Mitchell
33ca94773f
Add DogStatsD metrics output. ( #2883 )
...
Fixes #2490
2017-06-16 23:51:46 -04:00
Jeff Mitchell
fcc9f35c77
Add a no-store
option to vault auth
( #2809 )
...
Fixes #2746
2017-06-05 16:36:28 -04:00
Jeff Mitchell
72a5b5e23b
Fix tests
2017-05-25 09:00:49 -04:00
Jeff Mitchell
9d4801b1e8
Revert grpc back a version (they introduced a panic) and clean up a bunch of old request forwarding stuff
2017-05-24 10:38:48 -04:00
emily
aa40d2cff6
add gofmt checks to Vault and format existing code ( #2745 )
2017-05-19 08:34:17 -04:00
Brian Kassouf
5ee0d696d4
Merge remote-tracking branch 'oss/master' into database-refactor
2017-05-04 10:45:18 -07:00
Jeff Mitchell
ed24a1b5a5
Write always needs a path, even with force. ( #2675 )
...
Fixes #2674
2017-05-04 06:40:58 -04:00
Jeff Mitchell
3d939dbe50
Further Sethisize loglevel inputz
2017-04-25 11:14:25 -04:00
Jeff Mitchell
7283894f41
Sethisize log level
2017-04-25 11:12:38 -04:00
Brian Kassouf
6c8239ba03
Update the builtin keys; move catalog to core; protect against unset plugin directory
2017-04-24 10:30:33 -07:00
Brian Kassouf
6f9d178370
Calls to builtin plugins now go directly to the implementation instead of go-plugin
2017-04-20 18:46:41 -07:00
Brian Kassouf
af9ff63e9a
Merge remote-tracking branch 'oss/master' into database-refactor
2017-04-19 15:16:00 -07:00
Christoph Blecker
c82e7a631c
Add -self flag to token-revoke ( #2596 )
2017-04-17 12:40:51 -04:00
Brian Kassouf
8a3ef906d5
Update the plugin directory logic
2017-04-13 11:22:53 -07:00
Brian Kassouf
0cfe1ea81c
Cleanup path files
2017-04-12 17:35:02 -07:00
Brian Kassouf
8ccf10641b
Merge branch 'master' into database-refactor
2017-04-12 14:29:10 -07:00
Brian Kassouf
93136ea51e
Add backend test
2017-04-07 15:50:03 -07:00
Brian Kassouf
ca2c3d0c53
Refactor to use builtin plugins from an external repo
2017-04-05 16:20:31 -07:00
Brian Kassouf
b071144c67
move builtin plugins list to the pluginutil
2017-04-05 11:00:13 -07:00
Brian Kassouf
11abcd52e6
Add a cli command to run builtin plugins
2017-04-04 17:12:02 -07:00
Brian Kassouf
0034074691
Execute builtin plugins
2017-04-04 14:43:39 -07:00
Jeff Mitchell
a8d64c5721
Add some minor tweaks to the PR
2017-04-04 12:22:14 -04:00
Brian Kassouf
e8781b6a2b
Plugin catalog
2017-04-03 17:52:29 -07:00
Greg Parris
ad9546104b
Typo corrections and tweaks to commands' help info
...
* Normalize "X arguments expected" messages
* Use "Vault" when referring to the product and "vault" when referring to an instance of the product
* Various minor tweaks to improve readability and/or provide clarity
2017-03-25 12:51:12 -05:00
Jeff Mitchell
5d760d4090
Add option to require valid client certificates ( #2457 )
2017-03-08 10:21:31 -05:00
Jeff Mitchell
f03d500808
Add option to disable caching per-backend. ( #2455 )
2017-03-08 09:20:09 -05:00
Jeff Mitchell
b11f92ba5a
Rename physical backend to storage and alias old value ( #2456 )
2017-03-08 09:17:00 -05:00
Jeff Mitchell
5119b173c4
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell
2cc0906b33
Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 ( #2412 )
2017-02-27 12:49:35 -05:00
Sean Chittenden
42d1c28bf5
Change the default DisplayName for a Circonus check to be Vault
instead of the InstanceID.
...
Trivial defaults change, committing direct to `master`.
2017-02-26 15:18:46 -08:00
Jeff Mitchell
3ab4a82e03
Don't try synthesizing cluster when not in dev mode
2017-02-24 12:50:26 -05:00
Jeff Mitchell
b29861f7bb
Do some porting to make diffing easier
2017-02-24 10:45:29 -05:00
Jeff Mitchell
37f3b2bafd
Fix missing newline in status output
2017-02-17 11:23:20 -05:00
Jeff Mitchell
c81582fea0
More porting from rep ( #2388 )
...
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell
e0c9bfd926
Add WithOptions methods to audit/auth enabling ( #2383 )
2017-02-16 11:37:27 -05:00
Jeff Mitchell
388d8cd191
Correct port parsing. ( #2354 )
...
* Correct port parsing.
Fixes #2351
* use strings.Contains instead of strings.HasSuffix
* Make the error message point to the wrong input
2017-02-08 13:50:17 -05:00
Roman Vynar
1615280efa
Added tls_cipher_suites, tls_prefer_server_ciphers config options to listener ( #2293 )
2017-01-23 13:48:35 -05:00
Vishal Nayak
fa7d61baa3
Merge pull request #2202 from fcantournet/fix_govet_fatalf
...
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Jeff Mitchell
69eb5066dd
Multi value test seal ( #2281 )
2017-01-17 15:43:10 -05:00
Jeff Mitchell
dd0e44ca10
Add nonce to unseal to allow seeing if the operation has reset ( #2276 )
2017-01-17 11:47:06 -05:00
vishalnayak
adb6ac749f
init: pgp-keys input validations
2017-01-11 23:32:38 -05:00
Jeff Mitchell
3129187dc2
JWT wrapping tokens ( #2172 )
2017-01-04 16:44:03 -05:00
Cameron Stokes
b5f4558b7a
Fix generate-root help and progress output.
2017-01-04 09:01:17 -08:00
Félix Cantournet
103b7ceab2
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Jeff Mitchell
dc0f751994
Change an output to an error
2016-12-06 07:56:45 -05:00
Jeff Mitchell
7865143c1d
Minor ports
2016-12-05 12:28:12 -05:00
Vishal Nayak
ad09acb479
Use Vault client's scheme for auto discovery ( #2146 )
2016-12-02 11:24:57 -05:00
Jeff Mitchell
0f5b847748
Fix panic when unwrapping if the server EOFs
2016-11-29 16:50:07 -05:00
Jeff Mitchell
b87b070987
Add cgo info to vault version output
2016-11-27 19:32:57 -05:00
Jeff Mitchell
fef97d9169
Print the revision, if known, separately from the version.
...
Also, indicate whether the build is dynamic or not.
2016-11-27 19:28:35 -05:00
Jeff Mitchell
f1f38de8d4
Only add version sha if known
2016-11-27 19:16:44 -05:00
Jeff Mitchell
545e338a9e
Add version sha to server startup output
2016-11-22 16:43:05 -05:00
Jeff Mitchell
fc81a301b8
Don't say mlock is supported on OSX when it isn't. ( #2120 )
...
Fixes #2119
2016-11-22 12:56:36 -05:00
Kyle McCullough
aeb23b72d7
cli: fix bug with 'vault read -field=...' when the field value contains a printf formatting verb ( #2109 )
2016-11-22 12:30:23 -05:00
Chris Lundquist
9b5ee87929
prevent binding 0.0.0.0 -> ::0 ( #2094 )
2016-11-15 12:00:57 -05:00
matt maier
57925ee863
Vendor circonus ( #2082 )
2016-11-10 16:17:55 -05:00
vishalnayak
931c96d1ba
ssh: Use temporary file to store the identity file
2016-10-18 12:50:12 -04:00
Jeff Mitchell
53efd18dda
Make listener shutdown more synchronous ( #1985 )
2016-10-10 13:18:19 -04:00
Jeff Mitchell
21e1f38e6a
Split HA server command tests from reload tests
2016-10-07 11:06:01 -04:00
Jeff Mitchell
2c85fdfeb9
Switch default case of disable cluster. ( #1959 )
2016-10-02 14:54:01 -04:00
Jeff Mitchell
6d00f0c483
Adds HUP support for audit log files to close and reopen. ( #1953 )
...
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.
As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
Jeff Mitchell
85315ff188
Rejig where the reload functions live
2016-09-30 00:07:22 -04:00
Jeff Mitchell
b45a481365
Wrapping enhancements ( #1927 )
2016-09-28 21:01:28 -07:00
Jeff Mitchell
f0203741ff
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
Jeff Mitchell
72b9c4c649
Fix parsing env var, needed to be in the helper too
2016-09-23 13:20:26 -04:00
Evan Phoenix
4214a0199d
Advertise the cluster_(id|name) in the Scada handshake ( #1906 )
2016-09-23 10:55:51 -04:00
Jeff Mitchell
57f3904d74
Use VAULT_LOG_FORMAT as an analogue to LOGXI_FORMAT
2016-09-22 17:22:02 -04:00
Jeff Mitchell
bbe87db913
Force tls_disable on scada connection inside outer TLS connection as it's not currently supported anyways
2016-09-20 14:56:16 -04:00
Jeff Mitchell
f3ab4971a6
Follow Vault convention on DELETE
being idempotent ( #1903 )
...
* Follow Vault convention on `DELETE` being idempotent with
audit/auth/mounts deletes (a.k.a. disabling/unmounting).
2016-09-19 13:02:25 -04:00
vishalnayak
e123f33a91
Add yml alias for yaml
2016-09-16 10:43:23 -04:00
Jeff Mitchell
722e26f27a
Add support for PGP encrypting the initial root token. ( #1883 )
2016-09-13 18:42:24 -04:00
Jeff Mitchell
640351b7d1
Update text of init/rekey around recovery values
2016-09-12 16:20:21 -04:00
Jeff Mitchell
7e5aef279c
Don't panic on bad auth path
...
Fixes #1860
2016-09-08 11:14:47 -04:00
Jeff Mitchell
1c6f2fd82b
Add response wrapping to list operations ( #1814 )
2016-09-02 01:13:14 -04:00
Vishal Nayak
90737d3b44
Merge pull request #1836 from hashicorp/truncate-version-string
...
Remove the string 'Vault' from version information
2016-09-01 20:23:26 -04:00
Seth Vargo
fc4a5bae3c
Update audit-enable to show more examples ( #1842 )
...
* Update audit-enable to show more examples
* Update audit_enable.go
2016-09-01 20:14:29 -04:00
Seth Vargo
a438f5e950
Add more examples and cleanup docs for auth ( #1841 )
2016-09-01 19:56:30 -04:00
vishalnayak
5bd665a842
Update atlas listener factory to use version with pre-release info.
2016-09-01 17:21:11 -04:00
vishalnayak
f5447d8fa9
Avoid commas while printing policies
2016-09-01 16:32:27 -04:00
Jeff Mitchell
35800b0782
Don't output key/value header if there are no values to display. ( #1838 )
...
Fixes #1835
2016-09-01 15:58:16 -04:00
vishalnayak
9c78c58948
Remove the string 'Vault' from version information
2016-09-01 14:54:04 -04:00
Jeff Mitchell
61f1eee72c
Remove hex output from keys; standardize on B64 for CLI output. This ( #1831 )
...
aligns with all other interactions which use B64 encoding for bytes.
2016-09-01 12:59:15 -04:00
Jeff Mitchell
ecf61e9ba4
Add a separator to list output
2016-08-30 16:48:55 -04:00
Jeff Mitchell
2ce4397deb
Plumb through the ability to set the storage read cache size. ( #1784 )
...
Plumb through the ability to set the storage read cache size.
Fixes #1772
2016-08-26 10:27:06 -04:00
Jeff Mitchell
1ee4cb4725
Strip trailing whitespace in token from file.
...
Fixes #1774
2016-08-23 20:22:45 -04:00
Jeff Mitchell
dd53c4b1d8
Don't validate a dev listen address as that makes a proper Docker
...
entrypoint difficult.
Fixes #1762
2016-08-23 08:34:43 -04:00
Jeff Mitchell
58b32e5432
Convert to logxi
2016-08-21 18:13:37 -04:00
Jeff Mitchell
bdcfe05517
Clustering enhancements ( #1747 )
2016-08-19 11:03:53 -04:00
Jeff Mitchell
56940c282b
Force dev on when dev-ha is on
2016-08-19 08:29:34 -04:00
Jeff Mitchell
62c69f8e19
Provide base64 keys in addition to hex encoded. ( #1734 )
...
* Provide base64 keys in addition to hex encoded.
Accept these at unseal/rekey time.
Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell
37320f8798
Request forwarding ( #1721 )
...
Add request forwarding.
2016-08-15 09:42:42 -04:00
Jeff Mitchell
bcb4ab5422
Add periodic support for root/sudo tokens to auth/token/create
2016-08-12 21:14:12 -04:00
Jeff Mitchell
92f4fdf892
Add some info about -f to the "expects two arguments" error.
...
Ping #1722
2016-08-12 15:47:16 -04:00
Jeff Mitchell
c1a46349fa
Change to keybase openpgp fork as it has important fixes
2016-08-11 08:31:43 -04:00
Jeff Mitchell
5771a539a5
Add HTTP test for renew and fix muxing
2016-08-08 20:01:08 -04:00
Jeff Mitchell
529e36636c
Rename mounttune.go
2016-08-08 16:22:28 -04:00
Jeff Mitchell
69c1121d29
Fix generate-root synopsis
2016-08-05 16:35:03 -04:00
vishalnayak
e029d3c87a
Support execution of remote commands using 'vault ssh'
2016-08-01 14:53:00 -04:00
Jeff Mitchell
6ffefb649d
Close the shutdown channel instead of sending a value down
2016-08-01 11:58:45 -04:00
vishalnayak
05b8ce8348
Address review feedback
2016-08-01 11:15:25 -04:00
vishalnayak
5ed10f4074
Make the defer statement of waitgroup to execute last
2016-08-01 10:24:27 -04:00
vishalnayak
ea2e677f02
Sharing shutdown message with physical consul backend
2016-07-31 10:09:16 -04:00
vishalnayak
a8b4fc0d3c
Add waitgroup wait to allow physical consul to deregister checks
2016-07-30 13:17:29 -04:00
vishalnayak
8b0b0d5922
Add cluster information to 'vault status'
2016-07-29 14:13:53 -04:00
vishalnayak
e5e0431393
Added Vault version informationto the 'status' command
2016-07-28 17:37:35 -04:00
Vishal Nayak
c7bcaa5bb6
Merge pull request #1655 from hashicorp/cluster-id
...
Vault cluster name and ID
2016-07-26 14:12:48 -04:00
Evan Phoenix
41ed3de3b1
Report the simple version string
2016-07-26 10:21:24 -07:00
vishalnayak
6e1d020c3a
Added cluster_name for existing config tests
2016-07-26 11:38:24 -04:00
vishalnayak
7daa92f42c
Update cluster name during config merge
2016-07-26 11:11:12 -04:00
vishalnayak
a3e6400697
Remove global name/id. Make only cluster name configurable.
2016-07-26 10:01:35 -04:00
vishalnayak
c7dabe4def
Storing local and global cluster name/id to storage and returning them in health status
2016-07-26 02:32:42 -04:00
matt maier
6519c224ac
Circonus integration for telemetry metrics
2016-07-22 15:49:23 -04:00
vishalnayak
a7665723e3
Address review feedback
2016-07-22 11:31:55 -04:00
vishalnayak
f53792efc7
Update docs on the init command
2016-07-22 11:22:10 -04:00
Vishal Nayak
caab9d40f2
Merge pull request #1642 from hashicorp/init-service-discovery
...
Add service discovery to init command
2016-07-21 20:47:32 -04:00
vishalnayak
b243ee256e
Address review feedback by @jefferai
2016-07-21 20:46:31 -04:00
vishalnayak
bd8ff10462
Address review feedback from @sean
2016-07-21 19:04:43 -04:00
vishalnayak
5316082675
Added documentation for init service discovery
2016-07-21 17:27:56 -04:00
vishalnayak
f557457909
Added a separate flag consul-service to receive Consul service name
2016-07-21 16:51:38 -04:00
vishalnayak
23800c5f1d
Add service discovery to init command
2016-07-21 16:17:29 -04:00
Jeff Mitchell
3ec81debe7
Trim leading/trailing space around PEM bundles.
...
Fixes #1634
2016-07-20 13:57:49 -04:00
Jeff Mitchell
9d68297ffa
Have human-oriented token duration and secret duration output display a more human-friendly format
2016-07-19 12:15:00 -04:00
Jeff Mitchell
a3ce0dcb0c
Turn off DynamoDB HA by default.
...
The semantics are wonky and have caused issues from people not reading
docs. It can be enabled but by default is off.
2016-07-18 13:19:58 -04:00
vishalnayak
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
vishalnayak
f34f0ef503
Make 'tls_min_version' configurable
2016-07-12 19:32:47 -04:00
vishalnayak
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell
61250157d7
Don't panic on an empty configuration during merge
2016-07-05 16:49:15 -04:00
Jeff Mitchell
2c1b9499fc
Add aliases for field flag to allow printing auth results.
...
Also fix the write command to use the shared function with aliases.
Fixes #1566
2016-06-27 23:19:09 -04:00
Jeff Mitchell
07ebfce1a4
Up sleep time during reload test to not fail under certain test conditions
2016-06-27 15:37:25 -04:00
Jeff Mitchell
a7e15a8c0e
Fix up external token helper tests
2016-06-22 10:04:43 -04:00
Tom Maher
3f40d8cbc7
Correctly check for existence of external token_helper binaries
2016-06-21 19:32:19 -07:00
Vishal Nayak
d4d47ce5e3
Merge pull request #1531 from hashicorp/auth-mount-tune-params
...
Auth tune endpoints and config settings output from CLI
2016-06-20 20:24:47 -04:00
Vishal Nayak
949bb97ebc
Merge pull request #1532 from hashicorp/vault-auth-path
...
Added -path option to 'vault auth' command
2016-06-20 16:43:26 -04:00
vishalnayak
3b308713ad
Added -path option to help output
2016-06-20 16:24:49 -04:00
vishalnayak
9be9f73806
Concatenating the output instead of printing twice
2016-06-20 15:26:33 -04:00
vishalnayak
91668dd21d
Fix the output format when warnings are present
2016-06-15 17:13:14 -04:00
vishalnayak
53fede4b70
Added '-path' option to 'vault auth' command
2016-06-15 16:54:27 -04:00
vishalnayak
848b479a61
Added 'sys/auth/<path>/tune' endpoints.
...
Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods'
2016-06-15 13:58:24 -04:00
Jeff Mitchell
e925987cb6
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
Jeff Mitchell
65d8973864
Add explicit max TTL capability to token creation API
2016-06-08 14:49:48 -04:00
Jeff Mitchell
6ff0742aa6
Remove unneeded else
2016-06-08 13:55:31 -04:00
Jeff Mitchell
c0155ac02b
Add renewable flag and API setting for token creation
2016-06-08 11:14:30 -04:00
Jeff Mitchell
bb1e8ddaa2
Make token renewable status work properly on lookup
2016-06-08 09:19:39 -04:00
Jeff Mitchell
10b218d292
Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this...
2016-06-07 16:01:09 -04:00
Jeff Mitchell
401456ea50
Add creation time to returned wrapped token info
...
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.
This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Bill Monkman
de8477244e
#1486 : Fixed sealed and leader checks for consul backend
2016-06-03 16:00:31 -07:00
Jeff Mitchell
5cefd6bd3a
Merge pull request #1470 from hashicorp/unwrap-in-api
...
Make Unwrap a first-party API command and refactor UnwrapCommand to u…
2016-06-03 13:25:10 -04:00
Jeff Mitchell
64c180510e
Add a metadata node_id field for Atlas usage and fix tests
2016-06-02 18:19:51 -04:00
Jeff Mitchell
0d9ea2a1a1
Initial Atlas listener implementation
2016-06-02 14:05:47 -04:00
vishalnayak
c197414b3b
Prioritize dev flags over its env vars
2016-06-01 12:21:29 -04:00
vishalnayak
4c08d43950
Address review feedback
2016-06-01 11:39:48 -04:00
vishalnayak
8d50543a88
Supplying strictHostKeyChecking and userKnownHostsFile from env vars
2016-06-01 11:08:24 -04:00
vishalnayak
315f9c868c
Provide option to disable host key checking
2016-06-01 11:08:24 -04:00
Jeff Mitchell
63aba520c6
Make Unwrap a first-party API command and refactor UnwrapCommand to use it
2016-05-27 21:04:30 +00:00
vishalnayak
ff6f5ae75b
Add a non-nil check for 'port' field to be present in the response
2016-05-25 21:26:32 +00:00
Jeff Mitchell
199f99d031
Decode json.Number before handing to mapstructure
2016-05-25 19:02:31 +00:00
Jeff Mitchell
05b2d4534c
Add unwrap test function and some robustness around paths for the wrap lookup function
2016-05-19 11:49:46 -04:00
Jeff Mitchell
0da8762bd5
Add unwrap command, and change how the response is embedded (as a string, not an object)
2016-05-19 11:25:15 -04:00
Jeff Mitchell
dce8a8da42
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-19 02:43:22 +00:00
Jeff Mitchell
0168b74e03
Rename lease_duration to refresh_interval when there is no lease ID, and output ---- between header and values
2016-05-17 17:10:12 +00:00
Jeff Mitchell
c4431a7e30
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors
2016-05-16 16:11:33 -04:00
Jeff Mitchell
4c67a739b9
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-16 12:14:40 -04:00
Sean Chittenden
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
Jeff Mitchell
560e9c30a3
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-12 14:59:12 -04:00
Jeff Mitchell
885cc73b2e
Merge branch 'master-oss' into f-vault-service
2016-05-04 17:20:00 -04:00
Jeff Mitchell
99a5b4402d
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-04 14:42:14 -04:00
Jeff Mitchell
47a7ada7e8
Fix number of recovery shares output during init
2016-05-03 23:07:09 -04:00
Jeff Mitchell
2bbb39f4af
Properly handle sigint/hup
2016-05-03 14:30:58 -04:00
Jeff Mitchell
1ffd5653c6
Add wrap support to API/CLI
2016-05-02 02:03:23 -04:00
Jeff Mitchell
749b60d57d
Ensure seal finalizing happens even when using verify-only
2016-04-28 14:06:05 -04:00
Sean Chittenden
0b72906fc3
Change the interface of ServiceDiscovery
...
Instead of passing state, signal that the state has changed and provide a callback handler that can query Core.
2016-04-28 11:05:18 -07:00
Sean Chittenden
aeea7628d6
Add a *log.Logger argument to physical.Factory
...
Logging in the backend is a good thing. This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
Sean Chittenden
f5183fa506
Collapse UpdateAdvertiseAddr() into RunServiceDiscovery()
2016-04-25 18:01:13 -07:00
Sean Chittenden
3977057cc9
Disable service registration for consul HA tests
2016-04-25 18:01:13 -07:00
Sean Chittenden
1f8397f0a3
Use spaces in tests to be consistent
...
The rest of the tests here use spaces, not tabs
2016-04-25 18:01:13 -07:00
Sean Chittenden
60006f550f
Various refactoring to clean up code organization
...
Brought to you by: Dept of 2nd thoughts before pushing enter on `git push`
2016-04-25 18:01:13 -07:00
Sean Chittenden
e7f600b4e6
Improve error handling re: homedir expansion
...
Useful if the HOME envvar is not set because `vault` was launched in a clean environment (e.g. `env -i vault ...`).
2016-04-25 18:01:13 -07:00
Sean Chittenden
6b2c83564e
Teach Vault how to register with Consul
...
Vault will now register itself with Consul. The active node can be found using `active.vault.service.consul`. All standby vaults are available via `standby.vault.service.consul`. All unsealed vaults are considered healthy and available via `vault.service.consul`. Change in status and registration is event driven and should happen at the speed of a write to Consul (~network RTT + ~1x fsync(2)).
Healthy/active:
```
curl -X GET 'http://127.0.0.1:8500/v1/health/service/vault?pretty ' && echo;
[
{
"Node": {
"Node": "vm1",
"Address": "127.0.0.1",
"TaggedAddresses": {
"wan": "127.0.0.1"
},
"CreateIndex": 3,
"ModifyIndex": 20
},
"Service": {
"ID": "vault:127.0.0.1:8200",
"Service": "vault",
"Tags": [
"active"
],
"Address": "127.0.0.1",
"Port": 8200,
"EnableTagOverride": false,
"CreateIndex": 17,
"ModifyIndex": 20
},
"Checks": [
{
"Node": "vm1",
"CheckID": "serfHealth",
"Name": "Serf Health Status",
"Status": "passing",
"Notes": "",
"Output": "Agent alive and reachable",
"ServiceID": "",
"ServiceName": "",
"CreateIndex": 3,
"ModifyIndex": 3
},
{
"Node": "vm1",
"CheckID": "vault-sealed-check",
"Name": "Vault Sealed Status",
"Status": "passing",
"Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
"Output": "",
"ServiceID": "vault:127.0.0.1:8200",
"ServiceName": "vault",
"CreateIndex": 19,
"ModifyIndex": 19
}
]
}
]
```
Healthy/standby:
```
[snip]
"Service": {
"ID": "vault:127.0.0.2:8200",
"Service": "vault",
"Tags": [
"standby"
],
"Address": "127.0.0.2",
"Port": 8200,
"EnableTagOverride": false,
"CreateIndex": 17,
"ModifyIndex": 20
},
"Checks": [
{
"Node": "vm2",
"CheckID": "serfHealth",
"Name": "Serf Health Status",
"Status": "passing",
"Notes": "",
"Output": "Agent alive and reachable",
"ServiceID": "",
"ServiceName": "",
"CreateIndex": 3,
"ModifyIndex": 3
},
{
"Node": "vm2",
"CheckID": "vault-sealed-check",
"Name": "Vault Sealed Status",
"Status": "passing",
"Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
"Output": "",
"ServiceID": "vault:127.0.0.2:8200",
"ServiceName": "vault",
"CreateIndex": 19,
"ModifyIndex": 19
}
]
}
]
```
Sealed:
```
"Checks": [
{
"Node": "vm2",
"CheckID": "serfHealth",
"Name": "Serf Health Status",
"Status": "passing",
"Notes": "",
"Output": "Agent alive and reachable",
"ServiceID": "",
"ServiceName": "",
"CreateIndex": 3,
"ModifyIndex": 3
},
{
"Node": "vm2",
"CheckID": "vault-sealed-check",
"Name": "Vault Sealed Status",
"Status": "critical",
"Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
"Output": "Vault Sealed",
"ServiceID": "vault:127.0.0.2:8200",
"ServiceName": "vault",
"CreateIndex": 19,
"ModifyIndex": 38
}
]
```
2016-04-25 18:01:13 -07:00
Sean Chittenden
230b59f34c
Stub out service discovery functionality
...
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
2016-04-25 18:00:54 -07:00
Sean Chittenden
0c23acb818
Comment nits
2016-04-25 18:00:54 -07:00
Jeff Mitchell
8d4e5aacae
Change seal test name in command package
2016-04-26 00:12:14 +00:00
Jeff Mitchell
267b13c1ba
Merge pull request #1326 from hashicorp/sethvargo/hint_noreauth
...
Hint that you don't need to run auth twice
2016-04-25 15:43:55 -04:00
Jeff Mitchell
98d09b0dc6
Add seal tests and update generate-root and others to handle dualseal.
2016-04-25 19:39:04 +00:00
Jeff Mitchell
4e53f4b1a4
Use UseNumber() on json.Decoder to have numbers be json.Number objects
...
instead of float64. This fixes some display bugs.
2016-04-20 18:38:20 +00:00
Jeff Mitchell
055a8e04e4
Change recovery options in init to be 'key'-less
2016-04-18 17:02:07 +00:00
Jeff Mitchell
b4620d5d04
Add check against seal type to catch errors before we attempt to use the data
2016-04-15 18:16:48 -04:00
Sean Chittenden
069d9cf021
Fix SIGINT handling.
...
No signal handler was setup to receive SIGINT. I didn't investigate to
see if signal(2) mask was setup (ala `SIG_IGN`) or if sigprocmask(2) is
being used, but in either case, the correct behavior is to capture and
treat SIGINT the same as SIGTERM. At some point in the future these two
signals may affect the running process differently, but we will clarify
that difference in the future.
2016-04-15 10:03:22 -07:00
Jeff Mitchell
119238149b
Add Finalize method to seal.
2016-04-14 20:37:34 +00:00
vishalnayak
5c336297ad
Provide clarity for output statements of idempotent calls.
2016-04-14 15:46:45 +00:00
vishalnayak
b7178846c1
Clarify token-revoke operation
2016-04-14 15:34:01 +00:00
Seth Vargo
54c414abb2
Clarify delete operation
...
One thing that has been a point of confusion for users is Vault's
response when deleting a key that does not actually exist in the system.
For example, consider:
$ vault delete secret/foo
Success! Deleted 'secret/foo'
This message is misleading if the secret does not exist, especially if
the same command is run twice in a row.
Obviously the reason for this is clear - returning an error if a secret
does not exist would reveal the existence of a secret (the same reason
everything on S3 is a 403 or why GitHub repos 404 instead of 403 if you
do not have permission to view them).
I think we can make the UX a little bit better by adding just a few
words to the output:
$ vault delete secret/foo
Success! Deleted 'secret/foo' if it existed
This makes it clear that the operation was only performed if the secret
existed, but it does not reveal any more information.
2016-04-14 10:38:10 +01:00
Jeff Mitchell
a4ff72841e
Check for seal status when initing and change logic order to avoid defer
2016-04-14 01:13:59 +00:00
Seth Vargo
217035d081
Hint that you don't need to run auth twice
...
This came up twice, in two different training courses. The UX is a
little confusing here on the CLI. Users are used to running:
$ vault auth abcd-1234...
So when they auth using a method, the output leads them to believe the
need to "re-auth" as the generated token:
$ vault auth -method=userpass username=foo password=bar
Successfully authenticated!
token: defg-5678...
A number of users then run:
$ vault auth defg-5678
I've added some helpful text to hint this is not required if the method
is not "token".
2016-04-13 19:45:48 +01:00
Jeff Mitchell
759915bb55
Fix panic when using -field with read or write with a non-string value.
...
Fixes #1308
2016-04-07 22:16:33 +00:00
Sean Chittenden
58846f8eac
Reinstall the mlockall(2) command
...
Requested by: jefferai
2016-04-05 13:58:26 -07:00
Sean Chittenden
47c3202811
Unconditionally warn on systems w/o mlock support
...
If someone begins using Vault on Windows in dev mode, always hint so that this isn't a surprise when they get to production.
2016-04-05 12:32:53 -07:00
Jeff Mitchell
348be0e50b
Remove RevokePrefix from the API too as we simply do not support it any
...
longer.
2016-04-05 11:00:12 -04:00
Jeff Mitchell
9102b994aa
Sync some seal stuff
2016-04-04 13:46:33 -04:00
Jeff Mitchell
afae46feb7
SealInterface
2016-04-04 10:44:22 -04:00
Jeff Mitchell
1b7335cf4e
Fix up the meta common options text function to not strip leading space and fix up commands
2016-04-01 16:50:12 -04:00
Jeff Mitchell
b0888e8af1
Remove config from Meta; it's only used right now with the token helper.
2016-04-01 16:02:18 -04:00
Jeff Mitchell
a137081241
Move token helper out of meta
2016-04-01 14:23:15 -04:00
Jeff Mitchell
133d9c1008
Move meta into its own package
2016-04-01 13:16:05 -04:00
Jeff Mitchell
1be69ae235
Sort infokeys on startup and add more padding
2016-03-30 12:31:47 -04:00
Jeff Mitchell
528b25c5f4
Merge HA Backend objects
2016-03-21 16:56:13 -04:00
vishalnayak
119fa1653b
Restore the previous valid token if token authentication fails
2016-03-18 14:43:16 -04:00
Pradeep Chhetri
6d7cbc890d
Fix Typo
2016-03-18 14:06:49 +00:00
Jeff Mitchell
3dbac2e2cb
Add -field
and -format
to write command.
...
Fixes #1186
2016-03-17 14:57:30 -04:00
Vishal Nayak
7db7b47fdd
Merge pull request #1210 from hashicorp/audit-id-path
...
Rename id to path and path to file_path, print audit backend paths
2016-03-15 20:13:21 -04:00
vishalnayak
71fc07833f
Rename id to path and path to file_path, print audit backend paths
2016-03-14 17:15:07 -04:00
Jeff Mitchell
0e3764832a
Add test for listener reloading, and update website docs.
2016-03-14 14:05:47 -04:00
Jeff Mitchell
b3218d26d6
Properly scope config objects for reloading
2016-03-14 11:18:02 -04:00
Jeff Mitchell
84af6ec8ac
Don't generate an ID; use address for the ID. Generally speaking we'll need to sane against what's in the config
2016-03-11 17:28:03 -05:00
Jeff Mitchell
996c584192
Don't inline factory
2016-03-11 17:02:44 -05:00
Jeff Mitchell
9ce1be3b00
For not shutdown triggered...
2016-03-11 17:01:26 -05:00
Jeff Mitchell
d75ce9de9b
Retool to have reloading logic run in command/server
2016-03-11 16:47:03 -05:00
Jeff Mitchell
c6066af4c1
Add tests. This actually adds the initial tests for the TLS listener,
...
then layers reloading tests on top.
2016-03-11 14:05:52 -05:00
Jeff Mitchell
baf0763b3c
Add reload capability for Vault listener certs. No tests (other than
...
manual) yet, and no documentation yet.
2016-03-11 14:05:52 -05:00
Vishal Nayak
c70b4bbbb2
Merge pull request #1201 from hashicorp/accessor-cli-flags
...
Accessor CLI flags
2016-03-11 09:55:45 -05:00
vishalnayak
9659e3d148
Added test for token-revoke accessor flag
2016-03-10 21:38:27 -05:00
vishalnayak
0486fa1a3a
Added accessor flag to token-revoke CLI
2016-03-10 21:21:20 -05:00
vishalnayak
266af2a5e2
Added test for token-lookup accessor flag
2016-03-10 21:21:20 -05:00
vishalnayak
ed8a096596
Add accessor flag to token-lookup command and add lookup-accessor client API
2016-03-10 21:21:20 -05:00
Seth Vargo
30c8204da6
Remove log statement
2016-03-10 17:48:34 -05:00
Seth Vargo
68170d770a
Add missing fixture
2016-03-10 17:40:40 -05:00
Seth Vargo
b207fc403c
Fix failing config test
2016-03-10 17:36:10 -05:00
Seth Vargo
0adab4182f
Fix test fixtures
2016-03-10 16:51:08 -05:00
Seth Vargo
6739804118
Fix failing policy-write integration test
...
This was a flawed test. Previously the test passed in a fixture that
corresponded to a CLI config file, not an actual policy. The test
_should_ have been failing, but it wasn't. This commit adds a new
fixture.
2016-03-10 15:45:49 -05:00
Seth Vargo
b817b60183
Parse HCL keys in command config
2016-03-10 15:25:25 -05:00
Seth Vargo
f916ed349d
Print errors on extra keys in server config
...
This does NOT apply to the backend config, since each backend config
could have a variation of options that differ based off of the
configured backend itself. This may be an optimization that can be made
in the future, but I think each backend should be responsible for
performing its own configuration validation instead of overloading the
config itself with this functionality.
2016-03-10 15:25:25 -05:00
Jeff Mitchell
fa2ba47a5c
Merge branch 'master' into token-roles
2016-03-09 17:23:34 -05:00
Jeff Mitchell
6df72e6efd
Merge pull request #1168 from hashicorp/revoke-force
...
Add forced revocation.
2016-03-09 16:59:52 -05:00
vishalnayak
151c932875
AccessorID --> Accessor, accessor_id --> accessor
2016-03-09 06:23:31 -05:00
vishalnayak
301776012f
Introduced AccessorID in TokenEntry and returning it along with token
2016-03-08 14:06:10 -05:00
vishalnayak
3b463c2d4e
use errwrap to check the type of error message, fix typos
2016-03-07 18:36:26 -05:00
Jeff Mitchell
cc1f5207b3
Merge branch 'master' into token-roles
2016-03-07 10:03:54 -05:00
vishalnayak
73943546c3
Documentation for capabilities and capabilities-self APIs
2016-03-07 06:13:56 -05:00
vishalnayak
aab24113b0
test cases for capabilities endpoint
2016-03-05 00:03:55 -05:00
vishalnayak
9946a2d8b5
refactoring changes due to acl.Capabilities
2016-03-04 18:55:48 -05:00
vishalnayak
7fe871e60a
Removing the 'Message' field
2016-03-04 10:36:03 -05:00
vishalnayak
3730e095ac
testcase changes
2016-03-04 10:36:03 -05:00
vishalnayak
b67ab8ab7c
Test files for capabilities endpoint
2016-03-04 10:36:03 -05:00
vishalnayak
816f1f8631
self review rework
2016-03-04 10:36:03 -05:00
vishalnayak
286e63a648
Handled root token use case
2016-03-04 10:36:03 -05:00
vishalnayak
07f9486ecb
Added capabilities and capabilities-self endpoints to http muxer
2016-03-04 10:36:03 -05:00
vishalnayak
5749a6718c
Added sys/capabililties endpoint
2016-03-04 10:36:02 -05:00
Jeff Mitchell
0998e1cdf9
Update help text exporting dev mode listen address.
...
Ping #1160
2016-03-03 18:10:14 -05:00
Jeff Mitchell
3e7bca82a1
Merge pull request #1146 from hashicorp/step-down
...
Provide 'sys/step-down' and 'vault step-down'
2016-03-03 12:30:08 -05:00
Jeff Mitchell
69c853fd2f
Add the ability to specify dev mode address via CLI flag and envvar.
...
Fixes #1160
2016-03-03 10:48:52 -05:00
Jeff Mitchell
750b33c51b
Add ability to control dev root token id with
...
VAULT_DEV_ROOT_TOKEN_ID env var, and change the CLI flag to match.
Ping #1160
2016-03-03 10:24:44 -05:00
Jeff Mitchell
cd86226845
Add forced revocation.
...
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.
This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.
Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.
Fixes #1135
2016-03-03 10:13:59 -05:00
Jeff Mitchell
8011148fb5
Allow specifying an initial root token ID in dev mode.
...
Ping #1160
2016-03-02 12:03:26 -05:00
Jeff Mitchell
521a956e4d
Address review feedback
2016-03-01 20:25:40 -05:00
Jeff Mitchell
addf92e185
Allow token-renew
to not be given a token; it will then use the
...
renew-self endpoint. Otherwise it will use the renew endpoint, even if
the token matches the client token.
Adds an -increment flag to allow increments even with no token passed
in.
Fixes #1150
2016-03-01 17:02:48 -05:00
Jeff Mitchell
8a500e0181
Add command and token store documentation for roles
2016-03-01 13:02:40 -05:00
Jeff Mitchell
ef990a3681
Initial work on token roles
2016-03-01 12:41:40 -05:00
vishalnayak
6314057b9a
fix typo
2016-03-01 11:48:17 -05:00
Jeff Mitchell
11ddd2290b
Provide 'sys/step-down' and 'vault step-down'
...
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.
Fixes #1093
2016-02-26 19:43:55 -05:00
Grégoire Paris
6de1a0ecd7
add missing verb
2016-02-26 14:43:56 +01:00
Jeff Mitchell
efc48f2473
Fix CLI formatter to show warnings again on CLI list output.
2016-02-24 21:45:58 -05:00
Jeff Mitchell
5a35ee2ddd
Merge pull request #1080 from jkanywhere/improve-formatter
...
Refactor formatting of output
2016-02-24 21:36:57 -05:00
vanhalt
a387725e96
help sentence improved
2016-02-22 09:38:30 -06:00
vanhalt
31862dc5c2
When writing from a file it must be a JSON file
...
Making clear from write help text that when writing secrets
using @file, the file must be a JSON file.
2016-02-21 19:02:09 -06:00
vanhalt
d0489e16c1
Fixing auth-enable help text
...
auth-enable command help in the "Auth Enable Options" is suggesting
the usage of a non-existing command called 'auth-list' instead of
the correct one "auth -methods"
2016-02-21 14:54:50 -06:00
Vishal Nayak
597ba98895
Merge pull request #1099 from hashicorp/fix-ssh-cli
...
ssh: use resolved IP address while executing ssh command
2016-02-19 13:02:34 -05:00
Jeff Mitchell
28857cb419
Fix mixed whitespacing in ssh help text
2016-02-19 12:47:58 -05:00
vishalnayak
bccbf2b87e
ssh: use resolved IP address while executing ssh command
2016-02-19 12:19:10 -05:00
Ron Kuris
c4c6bbf33c
Refactor formatting of output
...
This change is almost perfectly compatible with the existing code,
except it's a little shorter because it uses a list of a available
formatters that must implement a `command.Formatter` interface.
Also added some basic formatting tests.
2016-02-16 12:27:29 -08:00
Ryan Hileman
1e65c4a01f
don't panic when config directory is empty
2016-02-12 16:40:19 -08:00
Jeff Mitchell
5f5542cb91
Return status for rekey/root generation at init time. This mitigates a
...
(very unlikely) potential timing attack between init-ing and fetching
status.
Fixes #1054
2016-02-12 14:24:36 -05:00
Jeff Mitchell
ba71ff7b0c
Update documentation for status command to reflect new return codes
2016-02-08 11:36:08 -05:00
Jeff Mitchell
da2360c7f4
On the CLI, ensure listing ends with /.
2016-02-03 21:08:46 -05:00
Jeff Mitchell
38c51f9412
Fix build tag
2016-02-03 08:41:31 -05:00
Jeff Mitchell
7e0d4bef3e
Add test for HA availability to command/server
2016-02-02 17:47:02 -05:00
Jeff Mitchell
a2bb51e7de
remove unneeded assignment
2016-02-02 15:11:35 -05:00
Jeff Mitchell
a5bf677bb3
Ensure that we fall back to Backend if HABackend is not specified.
2016-02-02 15:09:58 -05:00
Jeff Mitchell
cb046c4ce2
Fix command status test with new return value
2016-01-29 19:31:01 -05:00
Jeff Mitchell
2712a10750
Return 2 for sealed instead of 1 to match the new init -check behavior
2016-01-29 10:55:31 -05:00
Jeff Mitchell
7cf93c0e37
Don't return 1 when flags don't parse for status command, as all other errors return 2; 1 is for when the vault is sealed
2016-01-29 10:53:56 -05:00
James Tancock
5d7537ff85
Docs typo in server command
2016-01-28 08:26:49 +00:00
Jeff Mitchell
3b7a533b5a
Fix test on 1.6 by comparing to nil instead of a nil-defined map
2016-01-22 21:26:06 -05:00
Jeff Mitchell
d95adc731a
Add -check flag to init.
...
Fixes #949
2016-01-22 13:06:40 -05:00
Jeff Mitchell
be1b4c8a46
Only allow listing on folders and enforce this. Also remove string sorting from Consul backend as it's not a requirement and other backends don't do it.
2016-01-22 10:07:32 -05:00
Jeff Mitchell
e412ac8461
Remove bare option, prevent writes ending in slash, and return an exact file match as "."
2016-01-22 10:07:32 -05:00
Jeff Mitchell
455931873a
Address some review feedback
2016-01-22 10:07:32 -05:00
Jeff Mitchell
5341cb69cc
Updates and documentation
2016-01-22 10:07:32 -05:00
Jeff Mitchell
10c307763e
Add list capability, which will work with the generic and cubbyhole
...
backends for the moment. This is pretty simple; it just adds the actual
capability to make a list call into both the CLI and the HTTP handler.
The real meat was already in those backends.
2016-01-22 10:07:32 -05:00
Jeff Mitchell
9adfdfd6e7
Add -decode flag verification
2016-01-21 12:18:57 -05:00
Jeff Mitchell
973c888833
RootGeneration->GenerateRoot
2016-01-19 18:28:10 -05:00
Jeff Mitchell
3b100c5965
Address most of the review feedback
2016-01-19 18:28:10 -05:00
Jeff Mitchell
3b994dbc7f
Add the ability to generate root tokens via unseal keys.
2016-01-19 18:28:10 -05:00
Jeff Mitchell
630b2d83a7
Allow ASCII-armored PGP pub keys to be passed into -pgp-keys.
...
Fixes #940
2016-01-18 17:01:52 -05:00
Jeff Mitchell
8cb23835d7
Fix read panic when an empty argument is given.
...
Fixes #923
2016-01-12 08:46:49 -05:00
Jeff Mitchell
a2bd31d493
Fix up PGP tests from earlier code fixes
2016-01-08 22:21:41 -05:00
Jeff Mitchell
676008b2c5
Lotsa warnings if you choose not to be safe
2016-01-08 17:35:07 -05:00
Jeff Mitchell
26e1837a82
Some minor rekey backup fixes
2016-01-08 14:09:40 -05:00
Jeff Mitchell
a094eedce2
Add rekey nonce/backup.
2016-01-06 09:54:35 -05:00
Jeff Mitchell
80866d036d
update init/rekey documentation around keybase entries
2016-01-04 14:17:51 -05:00
Jeff Mitchell
5ef7efffe3
Disable cmd/server tests for now so we can get Travis back on track
2015-12-31 08:48:53 -05:00
Jeff Mitchell
c642feebe2
Remove some outdated comments
2015-12-30 21:00:27 -05:00
Jeff Mitchell
0509ad9c29
Use RenewSelf instead of Renew if the token we're renewing is the same as the client
2015-12-30 14:41:50 -05:00
Nicki Watt
442d538deb
Make token-lookup functionality available via Vault CLI
2015-12-29 20:18:59 +00:00
Jeff Mitchell
fefa696a33
Merge pull request #886 from ooesili/ssh-error-fetching-username
...
Stop panic when vault ssh username fetching fails
2015-12-29 12:17:51 -06:00
Jeff Mitchell
fa1676882f
Merge pull request #853 from hashicorp/issue-850
...
Make TokenHelper an interface and split exisiting functionality
2015-12-29 12:01:49 -06:00
Jeff Mitchell
6cdb8aeb4f
Merge branch 'master' into f-disable-tls
2015-12-29 12:59:02 -05:00
Nicki Watt
eb4aaad082
Using LookupSelf() API method instead of raw HTTP call for auth command
2015-12-28 01:38:00 +00:00
Wesley Merkel
5a368fa9de
Stop panic when vault ssh username fetching fails
2015-12-26 15:09:07 -07:00
Wim
e8e492f574
Fix ipv6 address advertisement
2015-12-22 21:40:36 +01:00
Jeff Mitchell
1a324cf347
Make TokenHelper an interface and split exisiting functionality
...
Functionality is split into ExternalTokenHelper, which is used if a path
is given in a configuration file, and InternalTokenHelper which is used
otherwise. The internal helper no longer shells out to the same Vault
binary, instead performing the same actions with internal code. This
avoids problems using dev mode when there are spaces in paths or when
the binary is built in a container without a shell.
Fixes #850 among others
2015-12-22 10:23:30 -05:00
Jeff Mitchell
5017907785
Move telemetry metrics up to fix one possible race, but deeper problems in go-metrics can't be solved with this
2015-12-17 16:38:17 -05:00
Jeff Mitchell
db7a2083bf
Allow setting the advertise address via an environment variable.
...
Fixes #581
2015-12-14 21:22:55 -05:00
Jeff Mitchell
1e653442cd
Ensure advertise address detection runs without a specified HA backend
...
Ping #840
2015-12-14 21:13:27 -05:00
Jeff Mitchell
521ea42f6b
Merge pull request #840 from hashicorp/issue-395
...
Allow separate HA physical backend.
2015-12-14 20:56:47 -05:00
Jeff Mitchell
7ce8aff906
Address review feedback
2015-12-14 17:58:30 -05:00
Mathias Lafeldt
b00b476c7a
Show error if output format is invalid
...
Rather than silently using table as a fallback.
2015-12-14 17:14:22 +01:00
Jeff Mitchell
ced0835574
Allow separate HA physical backend.
...
With no separate backend specified, HA will be attempted on the normal
physical backend.
Fixes #395 .
2015-12-14 07:59:58 -05:00
Jeff Mitchell
e941f699d3
Merge pull request #832 from mlafeldt/yaml-ouput
...
Allow to output secrets in YAML format
2015-12-11 12:04:41 -05:00
Mathias Lafeldt
61d4ef70f4
Allow to output secrets in YAML format
...
This can be done with https://github.com/ghodss/yaml , which reuses
existing JSON struct tags for YAML.
2015-12-10 11:32:31 +01:00
Mathias Lafeldt
607d12174d
Output secrets sorted by key
...
Instead of printing them in random order each time `vault read` is invoked.
2015-12-10 10:08:23 +01:00
Armon Dadgar
985717b428
server: sanity check value for 'tls_disable'
2015-11-25 11:37:57 -08:00
Jeff Mitchell
1a45696208
Add no-default-policy flag and API parameter to allow exclusion of the
...
default policy from a token create command.
2015-11-09 17:30:50 -05:00
Jeff Mitchell
5d5d58ffe4
Fix unmount help output
2015-11-09 15:23:49 -05:00
Jeff Mitchell
75f1c1e40c
Print version on startup.
...
Fixes #765
2015-11-09 13:52:55 -05:00
Jeff Mitchell
32e23bea71
Move environment variable reading logic to API.
...
This allows the same environment variables to be read, parsed, and used
from any API client as was previously handled in the CLI. The CLI now
uses the API environment variable reading capability, then overrides any
values from command line flags, if necessary.
Fixes #618
2015-11-04 10:28:00 -05:00
Jeff Mitchell
c1d8b97342
Add reset support to the unseal command.
...
Reset clears the provided unseal keys, allowing the process to be begun
again. Includes documentation and unit test changes.
Fixes #695
2015-10-28 15:59:39 -04:00
Jeff Mitchell
7b25204a19
Fix cache disabling
2015-10-28 13:05:56 -04:00
voutasaurus
1da78942e8
Modifies documentation in output of vault server -dev
...
Environment variable setting is different in windows
2015-10-22 00:48:46 -07:00
Jeff Mitchell
cba4e82682
Don't use http.DefaultClient
...
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.
Fixes #700 , I believe.
2015-10-15 17:54:00 -04:00
Jeff Mitchell
9f0b1547bb
Allow disabling the physical storage cache with 'disable_cache'.
...
Fixes #674 .
2015-10-12 13:00:32 -04:00
Jeff Mitchell
b8455be005
Support and use TTL instead of lease for token creation
2015-10-09 19:52:13 -04:00
Jeff Mitchell
ee92124357
Fix output of token-create help to use ttl instead of lease
2015-10-09 19:40:30 -04:00
Jeff Mitchell
aa3055f816
Fix mount-tune CLI output
2015-10-09 16:03:31 -04:00
Jeff Mitchell
d39580b38c
Update CLI help text for init/rekey regarding base64-encoded keys
2015-10-08 11:09:30 -04:00
Jeff Mitchell
4e0a6c5e5f
Adjust warnings message to make it clear they are from the server
2015-10-07 16:18:39 -04:00
Jeff Mitchell
d740fd4a6a
Add the ability for warnings to be added to responses. These are
...
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.
Fixes #676
2015-10-07 16:18:39 -04:00
vishalnayak
145aee229e
Merge branch 'master' of https://github.com/hashicorp/vault
2015-10-03 00:07:34 -04:00
Jeff Mitchell
645932a0df
Remove use of os/user as it cannot be run with CGO disabled
2015-10-02 18:43:38 -07:00
vishalnayak
c7fd639b2e
Remove format parameter
2015-10-02 14:10:24 -04:00
vishalnayak
3dd84446ab
Github backend: enable auth renewals
2015-10-02 13:33:19 -04:00
Jeff Mitchell
62ac518ae7
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 10:41:21 -04:00
Jeff Mitchell
81e535dc2d
Minor updates to passthrough and additional tests
2015-09-21 16:57:41 -04:00
Jeff Mitchell
e7dfb4f943
Use 'ttl_seconds' in CLI output so as not to shadow actual 'ttl' parameter
2015-09-21 16:37:37 -04:00
Jeff Mitchell
425e286f90
If there's no lease, output ttl instead of lease_duration
2015-09-21 16:37:37 -04:00
Jeff Mitchell
15e1a2281d
If lease_duration is not zero, output it even if there is no lease.
2015-09-21 16:37:37 -04:00
Jeff Mitchell
9c5dcac90c
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 14:01:28 -04:00
vishalnayak
fdf05e8ead
Adding type checking to ensure only BasicUi is affected
2015-09-17 11:37:21 -04:00
vishalnayak
e885dff580
CLI: Avoiding CR when printing specific fields
2015-09-17 10:05:56 -04:00
hendrenj
0532682816
improve documentation for available log levels
2015-09-16 11:01:33 -06:00
vishalnayak
c5a3b0c681
Typo fix
2015-09-11 21:36:20 -04:00
vishalnayak
142cb563a6
Improve documentation of token renewal
2015-09-11 21:08:32 -04:00
Jeff Mitchell
ace611d56d
Address items from feedback. Make MountConfig use values rather than
...
pointers and change how config is read to compensate.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
c460ff10ca
Push a lot of logic into Router to make a bunch of it nicer and enable a
...
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
971e4144ec
Fix typo
2015-09-10 15:09:54 -04:00
Jeff Mitchell
488d33c70a
Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation
2015-09-10 15:09:54 -04:00
Jeff Mitchell
4239f9d243
Add DynamicSystemView. This uses a pointer to a pointer to always have
...
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.
Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
696d0c7b1d
Plumb per-mount config options through API
2015-09-10 15:09:53 -04:00
vishalnayak
5063a0608b
Vault SSH: Default CIDR for roles
2015-08-27 13:04:15 -04:00
Jeff Mitchell
3f45f3f41b
Rename config lease_duration parameters to lease_ttl in line with current standardization efforts
2015-08-27 07:50:24 -07:00
Jeff Mitchell
8669a87fdd
When using PGP encryption on unseal keys, encrypt the hexencoded string rather than the raw bytes.
2015-08-26 07:59:50 -07:00
Jeff Mitchell
cc232e6f79
Address comments from review.
2015-08-25 15:33:58 -07:00
Jeff Mitchell
c887df93cc
Add support for pgp-keys argument to rekey, as well as tests, plus
...
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Jeff Mitchell
f57e7892e7
Don't store the given public keys in the seal config
2015-08-25 14:52:13 -07:00
Jeff Mitchell
a7316f2e24
Handle people specifying PGP key files with @ in front
2015-08-25 14:52:13 -07:00
Jeff Mitchell
2f3e245b0b
Add support for "pgp-tokens" parameters to init.
...
There are thorough unit tests that read the returned
encrypted tokens, seal the vault, and unseal it
again to ensure all works as expected.
2015-08-25 14:52:13 -07:00
Jeff Mitchell
a8ef0e8a80
Remove cookie authentication.
2015-08-21 19:46:23 -07:00
vishalnayak
1f5062a6e1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-08-19 12:16:37 -07:00