Commit Graph

1833 Commits

Author SHA1 Message Date
Jim Kalafut 72a15422d5
Fix identity store 'key not found' response (#7267)
The existing custom response results in a 400 instead of the typical
404 which confuses the Terraform provider (and is inconsistent).
2019-08-07 09:46:45 -07:00
ncabatoff e1f8a82d81
Create test cores with an error injector. (#7243)
It's created with a 0% error rate, which means it's a no-op, but tests can opt-in to errors when
needed via core.underlyingPhysical.
2019-08-06 15:21:23 -04:00
Michel Vocks 90f7f89f22 Fix create token sudo non-root namespace check (#7224)
* Fix create token sudo non-root namespace check

* Moved path trimming to SudoPrivilege

* Changed to tokenCtx instead of request ctx

* Use root context for AllowOperation; details in comment
2019-08-05 16:03:47 -04:00
Jeff Mitchell f0a9d9910f
Revert "Generalize and improve testcluster-building code (#7177)" (#7212)
This reverts commit d177fc7dd1aa7beda8b1c5bf5a8a4e85d725cca5.
2019-07-30 01:04:06 -04:00
Brian Kassouf b83aaf7331
storage/raft: Support storage migration to raft storage (#7207)
* Support raft in the migration command

* Add comments
2019-07-29 13:05:43 -07:00
Lexman cf00988a49
also flush nilNamespace when a namespace is flushed in the identity/oidc backend (#7203)
* also flush nilNamespace when a namespace is flushed

* adds test cases with nilNamespace.ID

* adds a test case

* adds a test for oidcCache.Flush

* fixed a typo in an error message
2019-07-26 19:53:40 -07:00
ncabatoff 7512a71a4c
Generalize and improve testcluster-building code (#7177)
There are a few different things happening in this change.  First, some code that previously lived in enterprise has moved here: this includes some helper code for manipulating clusters and for building storage backends.  Second, the existing cluster-building code using inmem storage has been generalized to allow various storage backends. Third, added support for creating two-cluster DR setups. Finally, there are tweaks to handle edge cases that
result in intermittent failures, or to eliminate sleeps in favour of polling to detect state changes.

Also: generalize TestClusterOptions.PhysicalFactory so it can be used either
as a per-core factory (for raft) or a per-cluster factory (for other
storage backends.)
2019-07-26 16:42:51 -04:00
Jeff Mitchell 34fe00c9a8 Sync over 2019-07-25 08:43:59 -04:00
Brian Kassouf a77995cdb1 Ensure raft configuration properly lists the leader (#7188) 2019-07-25 08:41:14 -04:00
Nicolas Corrarello 446b564a2c Add maximum amount of random entropy requested (#7144)
* Add maximum amount of random characters requested at any given time

* Readability changes

* Removing sys/tools/random from the default policy

* Setting the maxBytes value as const

* Declaring maxBytes in the package to use it everywhere

* Using maxBytes in the error message
2019-07-24 18:22:23 -07:00
ncabatoff bea627f410
Close and flush perf standby conns/cache when sealing. (#7183) 2019-07-24 16:32:57 -04:00
ncabatoff f8cefa9b18
When cleaning up a TestCluster, set each core's logger to level Error. (#7124)
This eliminates a bunch of noise at the end of a test's logs, making it
easier to diagnose test failures.

Add TestCluster.Logger.  This is intendend to be used when test helpers
want to log something. If TestClusterOptions.Logger is non-nil, it will
be used as the cluster logger, otherwise we create one based on test
name.  In the absence of CoreConfig.Logger, this logger is also used as
the parent of each core's log.  This makes it easy when running parallel
tests to identify which log message came from which test.
2019-07-23 15:17:37 -04:00
Lexman d59a2daf8b
flush identity/oidc cache by namespace (#7167)
* flush identity/oidc cache by namespace

* separates and unit tests the logic that looks for a namespace id within a namespace key

* applies pr feedback

* renames nskeyContainsID to isNamespacedKey
2019-07-23 12:47:33 -04:00
Jeff Mitchell 19f669a52f Sync some changes that weren't properly pulled over 2019-07-22 13:11:00 -04:00
Christian Muehlhaeuser e6febc5839 Fixed a bunch of typos (#7146) 2019-07-18 21:10:15 -04:00
Jeff Mitchell 66aef1f996
Make rollback less spammy (#7136)
We already have a separate log line if rollback fails. It really fills
up logs to always note when rollback is occurring and it usually isn't
useful for incidents.
2019-07-18 21:05:21 -04:00
Lexman 119854a865
adds Cache-Control header to oidc .well-known endpoints (#7108) 2019-07-15 11:04:45 -07:00
Becca Petrin 974c381c7a
Fix "internal/specs/openapi" endpoint (#7097)
* fix panic generating openapi docs

* fmt
2019-07-09 15:10:39 -07:00
Jeff Mitchell ff40dd30e0 Add a missing lock to cluster handler 2019-07-09 03:46:08 -04:00
Jeff Mitchell d810758ca2
Rerun proto gen as some got gen'd with old proto version (#7090) 2019-07-09 01:02:20 +02:00
Jeff Mitchell 2cb16e3a9c
Fix nil pointer panic in wrapping validation (#7077)
Wrapping validation was deferring the function to audit log before
actually checking if we were sealed or standby, and without having the
read lock grabbed.
2019-07-05 22:31:03 -04:00
Brian Kassouf b0cfcc003d Bind entry to initalize locally 2019-07-05 18:37:10 -07:00
Mike Jarmy e0ce2195cc AWS upgrade role entries (#7025)
* upgrade aws roles

* test upgrade aws roles

* Initialize aws credential backend at mount time

* add a TODO

* create end-to-end test for builtin/credential/aws

* fix bug in initializer

* improve comments

* add Initialize() to logical.Backend

* use Initialize() in Core.enableCredentialInternal()

* use InitializeRequest to call Initialize()

* improve unit testing for framework.Backend

* call logical.Backend.Initialize() from all of the places that it needs to be called.

* implement backend.proto changes for logical.Backend.Initialize()

* persist current role storage version when upgrading aws roles

* format comments correctly

* improve comments

* use postUnseal funcs to initialize backends

* simplify test suite

* improve test suite

* simplify logic in aws role upgrade

* simplify aws credential initialization logic

* simplify logic in aws role upgrade

* use the core's activeContext for initialization

* refactor builtin/plugin/Backend

* use a goroutine to upgrade the aws roles

* misc improvements and cleanup

* do not run AWS role upgrade on DR Secondary

* always call logical.Backend.Initialize() when loading a plugin.

* improve comments

* on standbys and DR secondaries we do not want to run any kind of upgrade logic

* fix awsVersion struct

* clarify aws version upgrade

* make the upgrade logic for aws auth more explicit

* aws upgrade is now called from a switch

* fix fallthrough bug

* simplify logic

* simplify logic

* rename things

* introduce currentAwsVersion const to track aws version

* improve comments

* rearrange things once more

* conglomerate things into one function

* stub out aws auth initialize e2e test

* improve aws auth initialize e2e test

* finish aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* tinker with aws auth initialize e2e test

* fix typo in test suite

* simplify logic a tad

* rearrange assignment

* Fix a few lifecycle related issues in #7025 (#7075)

* Fix panic when plugin fails to load
2019-07-05 16:55:40 -07:00
Jeff Mitchell ffce5ca702 Fix various read only storage errors
* Fix various read only storage errors

A mistake we've seen multiple times in our own plugins and that we've
seen in the GCP plugin now is that control flow (how the code is
structured, helper functions, etc.) can obfuscate whether an error came
from storage or some other Vault-core location (in which case likely it
needs to be a 5XX message) or because of user input (thus 4XX). Error
handling for functions therefore often ends up always treating errors as
either user related or internal.

When the error is logical.ErrReadOnly this means that treating errors as
user errors skips the check that triggers forwarding, instead returning
a read only view error to the user.

While it's obviously more correct to fix that code, it's not always
immediately apparent to reviewers or fixers what the issue is and fixing
it when it's found both requires someone to hit the problem and report
it (thus exposing bugs to users) and selective targeted refactoring that
only helps that one specific case.

If instead we check whether the logical.Response is an error and, if so,
whether it contains the error value, we work around this in all of these
cases automatically. It feels hacky since it's a coding mistake, but
it's one we've made too multiple times, and avoiding bugs altogether is
better for our users.
2019-07-05 18:13:49 -04:00
Brian Kassouf 19910f6c77
core: Don't shutdown if key upgrades fail due to canceled context (#7070)
* core: Don't shutdown if key upgrades fail due to canceled context

* Continue if we are not shutting down
2019-07-05 14:19:15 -07:00
Calvin Leung Huang 5428ab50ee audit: log invalid wrapping token request/response (#6541)
* audit: log invalid wrapping token request/response

* Update helper/consts/error.go

Co-Authored-By: calvn <cleung2010@gmail.com>

* update error comments

* Update vault/wrapping.go

Co-Authored-By: calvn <cleung2010@gmail.com>

* update comment

* move validateWrappingToken out of http and into logical

* minor refactor, add test cases

* comment rewording

* refactor validateWrappingToken to perform audit logging

* move ValidateWrappingToken back to wrappingVerificationFunc

* Fix tests

* Review feedback
2019-07-05 14:15:14 -07:00
Brian Kassouf 4d7d0d729a
storage/raft: When restoring a snapshot preseal first (#7011)
* storage/raft: When restoring a snapshot preseal first

* best-effort allow standbys to apply the restoreOp before sealing active node

* Don't cache the raft tls key

* Update physical/raft/raft.go

* Move pending raft peers to core

* Fix race on close bool

* Extend the leaderlease time for tests

* Update raft deps

* Fix audit hashing

* Fix race with auditing
2019-07-03 13:56:30 -07:00
Jim Kalafut ee84319f4f
Fix issuer (#7064) 2019-07-03 13:52:29 -07:00
Lexman 19b67fc617
Fixed some typos in an error message in the OIDC backend that can arise when signing a token against a role (#7059)
* fixes a typo in an error message

* error msg shouldn't start with a capital letter
2019-07-03 09:31:31 -07:00
Jim Kalafut d38468aacb
Remove unneeded context parameter (#7057) 2019-07-03 07:12:46 -07:00
Jeff Mitchell d7cabc2174
Change regexes for reading entity/group names (#7055)
We don't restrict the name itself, so we shouldn't restrict lookup.

Fixes #7054
2019-07-03 08:56:01 -04:00
Lexman 439d773683
Refactor periodic func test in the OIDC backend to work with namespaces (#7050)
* adds allowed_roles field to identity token keys and updates tests

* removed a comment that was redundant

* allowed_roles uses role client_id s instead of role names

* renamed allowed_roles to allowed_clients

* renamed allowed_clients to allowed_clientIDs

* WIP

* Kinda working?

* Handle nil during rotation

* Update discovery document

* WIP

* removes some warning messages and checks on keys when creating a role

* Path issuer ns/specific

* Fix nspath handling

* Update issuer handling

* Add locking around key updates

* Cleanup

* Fix nextRun handling

* saving work

* Include namespace in token

* saving work

* saving work

* happy path

* saving work

* sharing debug msgs

* Merge branch 'master' into refactor_periodic_func_test

# Conflicts:
#	vault/identity_store_oidc.go
#	vault/identity_store_oidc_test.go

* use MatchingStorageByAPIPath instead of logical.InmemStorage
2019-07-02 22:23:18 -07:00
Jeff Mitchell 16479c503d Fix another backwards compat issue 2019-07-03 00:11:51 -04:00
Jeff Mitchell fd856bdd24
Fix some compatibility (#7048) 2019-07-02 23:29:42 -04:00
Jim Kalafut 2721c3a629
Namespace support for identity tokens (#7045) 2019-07-02 20:15:43 -07:00
Jeff Mitchell a3fc497fec
Fix batch token test (#7047)
At the level of role config it doesn't mean anything to use
default-service or default-batch; that's for mount tuning. So disallow
it in tokenutil. This also fixes the fact that the switch statement
wasn't right.
2019-07-02 22:16:43 -04:00
ncabatoff d2beeefe79
Add support for hashing time.Time within slices (#6767)
Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters.  

Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs.  HashStructure now modifies in place instead of copying.

Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed.

Enable auditing on test clusters by default if the caller didn't specify any audit backends.  If they do, they're responsible for setting it up.
2019-07-02 18:18:40 -04:00
Lexman b74591f934
adds allowed_client_ids field to identity token named keys (#6993)
* adds allowed_roles field to identity token keys and updates tests

* removed a comment that was redundant

* allowed_roles uses role client_id s instead of role names

* renamed allowed_roles to allowed_clients

* renamed allowed_clients to allowed_clientIDs

* removes some warning messages and checks on keys when creating a role

* removes name field being set unneededly
2019-07-02 14:46:22 -07:00
Jeff Mitchell d7243f910a
Re-enable toggling renewable off for tokens (#7043)
Earlier in tokenutil's dev it seemed like there was no reason to allow
auth plugins to toggle renewability off. However, it turns out Centrify
makes use of this for sensible reasons. As a result, move the forcing-on
of renewability into tokenutil, but then allow overriding after
PopulateTokenAuth is called.
2019-07-02 10:23:46 -04:00
Jeff Mitchell edf0f3cbbd Use metrics helper from base in test cluster cores 2019-07-01 12:08:55 -04:00
Michel Vocks 2b5aca4300
Token identity support (#6267)
* Implemented token backend support for identity

* Fixed tests

* Refactored a few checks for the token entity overwrite. Fixed tests.

* Moved entity alias check up so that the entity and entity alias is only created when it has been specified in allowed_entity_aliases list

* go mod vendor

* Added glob pattern

* Optimized allowed entity alias check

* Added test for asterisk only

* Changed to glob pattern anywhere

* Changed response code in case of failure. Changed globbing pattern check. Added docs.

* Added missing token role get parameter. Added more samples

* Fixed failing tests

* Corrected some cosmetical review points

* Changed response code for invalid provided entity alias

* Fixed minor things

* Fixed failing test
2019-07-01 11:39:54 +02:00
Jeff Mitchell e18866498d Fix tests 2019-06-30 21:03:36 -04:00
Jeff Mitchell 5435645bb6
Fix upgrade logic with tokenutil (#7026)
If only a non-_token field is provided we don't want to clear out the
Token version of the params, we want to set both. Otherwise we can't
rely on using the Token version of the parameter when creating the Auth
struct.
2019-06-30 14:24:41 -04:00
Vishal Nayak 6dbd8c228f
Raft tests (#7008)
* Add join test

* Add configuration test

* Add remove peer test

* Test join with and without client certs
2019-06-28 14:08:53 -04:00
Jeff Mitchell 14303c475b Check ctx again after getting state lock when forwarding 2019-06-27 20:36:16 -04:00
Jeff Mitchell fe7bb0b630
Standardize how we format deprecated values in traditional path-help (#7007) 2019-06-27 14:52:52 -04:00
Brian Kassouf 62e14c280d
storage/raft: fix races in tests (#6996)
* storage/raft: fix races in tests

* Fix another test race
2019-06-27 10:00:03 -07:00
Jim Kalafut 15b68c35c3
Support EC and EdDSA in identity tokens (#6992) 2019-06-27 08:34:48 -07:00
dr-db 720db0ffbc Fix the doc string for IsFatalError (#7000) 2019-06-27 12:50:47 +02:00
Lexman 4b01a6b95c
adds tests for the identity/oidc backend (#6964)
* adds several tests

* use deep.Equal to validate responses

* use deep.Equal in a few other places
2019-06-25 12:55:20 -07:00