luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
3300 commits 1 branch 0 tags 214 MiB
Commit graph

415 commits

Author SHA1 Message Date
vishalnayak 7fe871e60a Removing the 'Message' field 2016-03-04 10:36:03 -05:00
vishalnayak 3730e095ac testcase changes 2016-03-04 10:36:03 -05:00
vishalnayak b67ab8ab7c Test files for capabilities endpoint 2016-03-04 10:36:03 -05:00
vishalnayak 816f1f8631 self review rework 2016-03-04 10:36:03 -05:00
vishalnayak 286e63a648 Handled root token use case 2016-03-04 10:36:03 -05:00
vishalnayak 07f9486ecb Added capabilities and capabilities-self endpoints to http muxer 2016-03-04 10:36:03 -05:00
vishalnayak 5749a6718c Added sys/capabililties endpoint 2016-03-04 10:36:02 -05:00
Jeff Mitchell 0998e1cdf9 Update help text exporting dev mode listen address. 
Ping #1160
 2016-03-03 18:10:14 -05:00
Jeff Mitchell 3e7bca82a1 Merge pull request #1146 from hashicorp/step-down 
Provide 'sys/step-down' and 'vault step-down'
 2016-03-03 12:30:08 -05:00
Jeff Mitchell 69c853fd2f Add the ability to specify dev mode address via CLI flag and envvar. 
Fixes #1160
 2016-03-03 10:48:52 -05:00
Jeff Mitchell 750b33c51b Add ability to control dev root token id with 
VAULT_DEV_ROOT_TOKEN_ID env var, and change the CLI flag to match.

Ping #1160
 2016-03-03 10:24:44 -05:00
Jeff Mitchell cd86226845 Add forced revocation. 
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.

This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.

Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.

Fixes #1135
 2016-03-03 10:13:59 -05:00
Jeff Mitchell 8011148fb5 Allow specifying an initial root token ID in dev mode. 
Ping #1160
 2016-03-02 12:03:26 -05:00
Jeff Mitchell 521a956e4d Address review feedback 2016-03-01 20:25:40 -05:00
Jeff Mitchell addf92e185 Allow token-renew to not be given a token; it will then use the 
renew-self endpoint. Otherwise it will use the renew endpoint, even if
the token matches the client token.

Adds an -increment flag to allow increments even with no token passed
in.

Fixes #1150
 2016-03-01 17:02:48 -05:00
Jeff Mitchell 8a500e0181 Add command and token store documentation for roles 2016-03-01 13:02:40 -05:00
Jeff Mitchell ef990a3681 Initial work on token roles 2016-03-01 12:41:40 -05:00
vishalnayak 6314057b9a fix typo 2016-03-01 11:48:17 -05:00
Jeff Mitchell 11ddd2290b Provide 'sys/step-down' and 'vault step-down' 
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.

Fixes #1093
 2016-02-26 19:43:55 -05:00
Grégoire Paris 6de1a0ecd7 add missing verb 2016-02-26 14:43:56 +01:00
Jeff Mitchell efc48f2473 Fix CLI formatter to show warnings again on CLI list output. 2016-02-24 21:45:58 -05:00
Jeff Mitchell 5a35ee2ddd Merge pull request #1080 from jkanywhere/improve-formatter 
Refactor formatting of output
 2016-02-24 21:36:57 -05:00
vanhalt a387725e96 help sentence improved 2016-02-22 09:38:30 -06:00
vanhalt 31862dc5c2 When writing from a file it must be a JSON file 
Making clear from write help text that when writing secrets
using @file, the file must be a JSON file.
 2016-02-21 19:02:09 -06:00
vanhalt d0489e16c1 Fixing auth-enable help text 
auth-enable command help in the "Auth Enable Options" is suggesting
the usage of a non-existing command called 'auth-list' instead of
the correct one "auth -methods"
 2016-02-21 14:54:50 -06:00
Vishal Nayak 597ba98895 Merge pull request #1099 from hashicorp/fix-ssh-cli 
ssh: use resolved IP address while executing ssh command
 2016-02-19 13:02:34 -05:00
Jeff Mitchell 28857cb419 Fix mixed whitespacing in ssh help text 2016-02-19 12:47:58 -05:00
vishalnayak bccbf2b87e ssh: use resolved IP address while executing ssh command 2016-02-19 12:19:10 -05:00
Ron Kuris c4c6bbf33c Refactor formatting of output 
This change is almost perfectly compatible with the existing code,
except it's a little shorter because it uses a list of a available
formatters that must implement a `command.Formatter` interface.

Also added some basic formatting tests.
 2016-02-16 12:27:29 -08:00
Ryan Hileman 1e65c4a01f don't panic when config directory is empty 2016-02-12 16:40:19 -08:00
Jeff Mitchell 5f5542cb91 Return status for rekey/root generation at init time. This mitigates a 
(very unlikely) potential timing attack between init-ing and fetching
status.

Fixes #1054
 2016-02-12 14:24:36 -05:00
Jeff Mitchell ba71ff7b0c Update documentation for status command to reflect new return codes 2016-02-08 11:36:08 -05:00
Jeff Mitchell da2360c7f4 On the CLI, ensure listing ends with /. 2016-02-03 21:08:46 -05:00
Jeff Mitchell 38c51f9412 Fix build tag 2016-02-03 08:41:31 -05:00
Jeff Mitchell 7e0d4bef3e Add test for HA availability to command/server 2016-02-02 17:47:02 -05:00
Jeff Mitchell a2bb51e7de remove unneeded assignment 2016-02-02 15:11:35 -05:00
Jeff Mitchell a5bf677bb3 Ensure that we fall back to Backend if HABackend is not specified. 2016-02-02 15:09:58 -05:00
Jeff Mitchell cb046c4ce2 Fix command status test with new return value 2016-01-29 19:31:01 -05:00
Jeff Mitchell 2712a10750 Return 2 for sealed instead of 1 to match the new init -check behavior 2016-01-29 10:55:31 -05:00
Jeff Mitchell 7cf93c0e37 Don't return 1 when flags don't parse for status command, as all other errors return 2; 1 is for when the vault is sealed 2016-01-29 10:53:56 -05:00
James Tancock 5d7537ff85 Docs typo in server command 2016-01-28 08:26:49 +00:00
Jeff Mitchell 3b7a533b5a Fix test on 1.6 by comparing to nil instead of a nil-defined map 2016-01-22 21:26:06 -05:00
Jeff Mitchell d95adc731a Add -check flag to init. 
Fixes #949
 2016-01-22 13:06:40 -05:00
Jeff Mitchell be1b4c8a46 Only allow listing on folders and enforce this. Also remove string sorting from Consul backend as it's not a requirement and other backends don't do it. 2016-01-22 10:07:32 -05:00
Jeff Mitchell e412ac8461 Remove bare option, prevent writes ending in slash, and return an exact file match as "." 2016-01-22 10:07:32 -05:00
Jeff Mitchell 455931873a Address some review feedback 2016-01-22 10:07:32 -05:00
Jeff Mitchell 5341cb69cc Updates and documentation 2016-01-22 10:07:32 -05:00
Jeff Mitchell 10c307763e Add list capability, which will work with the generic and cubbyhole 
backends for the moment. This is pretty simple; it just adds the actual
capability to make a list call into both the CLI and the HTTP handler.
The real meat was already in those backends.
 2016-01-22 10:07:32 -05:00
Jeff Mitchell 9adfdfd6e7 Add -decode flag verification 2016-01-21 12:18:57 -05:00
Jeff Mitchell 973c888833 RootGeneration->GenerateRoot 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b100c5965 Address most of the review feedback 2016-01-19 18:28:10 -05:00
Jeff Mitchell 3b994dbc7f Add the ability to generate root tokens via unseal keys. 2016-01-19 18:28:10 -05:00
Jeff Mitchell 630b2d83a7 Allow ASCII-armored PGP pub keys to be passed into -pgp-keys. 
Fixes #940
 2016-01-18 17:01:52 -05:00
Jeff Mitchell 8cb23835d7 Fix read panic when an empty argument is given. 
Fixes #923
 2016-01-12 08:46:49 -05:00
Jeff Mitchell a2bd31d493 Fix up PGP tests from earlier code fixes 2016-01-08 22:21:41 -05:00
Jeff Mitchell 676008b2c5 Lotsa warnings if you choose not to be safe 2016-01-08 17:35:07 -05:00
Jeff Mitchell 26e1837a82 Some minor rekey backup fixes 2016-01-08 14:09:40 -05:00
Jeff Mitchell a094eedce2 Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Jeff Mitchell 80866d036d update init/rekey documentation around keybase entries 2016-01-04 14:17:51 -05:00
Jeff Mitchell 5ef7efffe3 Disable cmd/server tests for now so we can get Travis back on track 2015-12-31 08:48:53 -05:00
Jeff Mitchell c642feebe2 Remove some outdated comments 2015-12-30 21:00:27 -05:00
Jeff Mitchell 0509ad9c29 Use RenewSelf instead of Renew if the token we're renewing is the same as the client 2015-12-30 14:41:50 -05:00
Nicki Watt 442d538deb Make token-lookup functionality available via Vault CLI 2015-12-29 20:18:59 +00:00
Jeff Mitchell fefa696a33 Merge pull request #886 from ooesili/ssh-error-fetching-username 
Stop panic when vault ssh username fetching fails
 2015-12-29 12:17:51 -06:00
Jeff Mitchell fa1676882f Merge pull request #853 from hashicorp/issue-850 
Make TokenHelper an interface and split exisiting functionality
 2015-12-29 12:01:49 -06:00
Jeff Mitchell 6cdb8aeb4f Merge branch 'master' into f-disable-tls 2015-12-29 12:59:02 -05:00
Nicki Watt eb4aaad082 Using LookupSelf() API method instead of raw HTTP call for auth command 2015-12-28 01:38:00 +00:00
Wesley Merkel 5a368fa9de Stop panic when vault ssh username fetching fails 2015-12-26 15:09:07 -07:00
Wim e8e492f574 Fix ipv6 address advertisement 2015-12-22 21:40:36 +01:00
Jeff Mitchell 1a324cf347 Make TokenHelper an interface and split exisiting functionality 
Functionality is split into ExternalTokenHelper, which is used if a path
is given in a configuration file, and InternalTokenHelper which is used
otherwise. The internal helper no longer shells out to the same Vault
binary, instead performing the same actions with internal code. This
avoids problems using dev mode when there are spaces in paths or when
the binary is built in a container without a shell.

Fixes #850 among others
 2015-12-22 10:23:30 -05:00
Jeff Mitchell 5017907785 Move telemetry metrics up to fix one possible race, but deeper problems in go-metrics can't be solved with this 2015-12-17 16:38:17 -05:00
Jeff Mitchell db7a2083bf Allow setting the advertise address via an environment variable. 
Fixes #581
 2015-12-14 21:22:55 -05:00
Jeff Mitchell 1e653442cd Ensure advertise address detection runs without a specified HA backend 
Ping #840
 2015-12-14 21:13:27 -05:00
Jeff Mitchell 521ea42f6b Merge pull request #840 from hashicorp/issue-395 
Allow separate HA physical backend.
 2015-12-14 20:56:47 -05:00
Jeff Mitchell 7ce8aff906 Address review feedback 2015-12-14 17:58:30 -05:00
Mathias Lafeldt b00b476c7a Show error if output format is invalid 
Rather than silently using table as a fallback.
 2015-12-14 17:14:22 +01:00
Jeff Mitchell ced0835574 Allow separate HA physical backend. 
With no separate backend specified, HA will be attempted on the normal
physical backend.

Fixes #395.
 2015-12-14 07:59:58 -05:00
Jeff Mitchell e941f699d3 Merge pull request #832 from mlafeldt/yaml-ouput 
Allow to output secrets in YAML format
 2015-12-11 12:04:41 -05:00
Mathias Lafeldt 61d4ef70f4 Allow to output secrets in YAML format 
This can be done with https://github.com/ghodss/yaml, which reuses
existing JSON struct tags for YAML.
 2015-12-10 11:32:31 +01:00
Mathias Lafeldt 607d12174d Output secrets sorted by key 
Instead of printing them in random order each time `vault read` is invoked.
 2015-12-10 10:08:23 +01:00
Armon Dadgar 985717b428 server: sanity check value for 'tls_disable' 2015-11-25 11:37:57 -08:00
Jeff Mitchell 1a45696208 Add no-default-policy flag and API parameter to allow exclusion of the 
default policy from a token create command.
 2015-11-09 17:30:50 -05:00
Jeff Mitchell 5d5d58ffe4 Fix unmount help output 2015-11-09 15:23:49 -05:00
Jeff Mitchell 75f1c1e40c Print version on startup. 
Fixes #765
 2015-11-09 13:52:55 -05:00
Jeff Mitchell 32e23bea71 Move environment variable reading logic to API. 
This allows the same environment variables to be read, parsed, and used
from any API client as was previously handled in the CLI. The CLI now
uses the API environment variable reading capability, then overrides any
values from command line flags, if necessary.

Fixes #618
 2015-11-04 10:28:00 -05:00
Jeff Mitchell c1d8b97342 Add reset support to the unseal command. 
Reset clears the provided unseal keys, allowing the process to be begun
again. Includes documentation and unit test changes.

Fixes #695
 2015-10-28 15:59:39 -04:00
Jeff Mitchell 7b25204a19 Fix cache disabling 2015-10-28 13:05:56 -04:00
voutasaurus 1da78942e8 Modifies documentation in output of vault server -dev 
Environment variable setting is different in windows
 2015-10-22 00:48:46 -07:00
Jeff Mitchell cba4e82682 Don't use http.DefaultClient 
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.

Fixes #700, I believe.
 2015-10-15 17:54:00 -04:00
Jeff Mitchell 9f0b1547bb Allow disabling the physical storage cache with 'disable_cache'. 
Fixes #674.
 2015-10-12 13:00:32 -04:00
Jeff Mitchell b8455be005 Support and use TTL instead of lease for token creation 2015-10-09 19:52:13 -04:00
Jeff Mitchell ee92124357 Fix output of token-create help to use ttl instead of lease 2015-10-09 19:40:30 -04:00
Jeff Mitchell aa3055f816 Fix mount-tune CLI output 2015-10-09 16:03:31 -04:00
Jeff Mitchell d39580b38c Update CLI help text for init/rekey regarding base64-encoded keys 2015-10-08 11:09:30 -04:00
Jeff Mitchell 4e0a6c5e5f Adjust warnings message to make it clear they are from the server 2015-10-07 16:18:39 -04:00
Jeff Mitchell d740fd4a6a Add the ability for warnings to be added to responses. These are 
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.

Fixes #676
 2015-10-07 16:18:39 -04:00
vishalnayak 145aee229e Merge branch 'master' of https://github.com/hashicorp/vault 2015-10-03 00:07:34 -04:00
Jeff Mitchell 645932a0df Remove use of os/user as it cannot be run with CGO disabled 2015-10-02 18:43:38 -07:00
vishalnayak c7fd639b2e Remove format parameter 2015-10-02 14:10:24 -04:00
vishalnayak 3dd84446ab Github backend: enable auth renewals 2015-10-02 13:33:19 -04:00