Laura Bennett
ae8a90be30
adding ids
2016-07-25 16:54:43 -04:00
Laura Bennett
e5737b6789
initial local commit
2016-07-23 21:46:28 -04:00
vishalnayak
c14235b206
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
Vishal Nayak
c55fa03760
Merge pull request #1599 from hashicorp/use-go-uuid
...
Use go-uuid's GenerateUUID in PutWAL and discard logical.UUID()
2016-07-13 11:36:28 -06:00
Vishal Nayak
9f1e6c7b26
Merge pull request #1607 from hashicorp/standardize-time
...
Remove redundant invocations of UTC() call on `time.Time` objects
2016-07-13 10:19:23 -06:00
vishalnayak
8269f323d3
Revert 'risky' changes
2016-07-12 16:38:07 -04:00
Jeff Mitchell
5b210b2a1f
Return a duration instead and port a few other places to use it
2016-07-11 18:19:35 +00:00
Jeff Mitchell
ab6c2bc5e8
Factor out parsing duration second type and use it for parsing tune values too
2016-07-11 17:53:39 +00:00
vishalnayak
e09b40e155
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC
2016-07-08 18:30:18 -04:00
vishalnayak
581b293a26
Use go-uuid's GenerateUUID in PutWAL and discart logical.UUID()
2016-07-07 17:57:36 -04:00
vishalnayak
98fca2a31a
Added json.Number as recognized type for FieldData
2016-07-06 18:54:18 -04:00
Jeff Mitchell
7023eafc67
Make the API client retry on 5xx errors.
...
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.
Fix tests.
2016-07-06 16:50:23 -04:00
vishalnayak
ad7cb2c8f1
Added JSON Decode and Encode helpers.
...
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell
22e83ae7f5
Dockerize Postgres secret backend acceptance tests
...
Additionally enable them on all unit test runs.
2016-06-30 13:46:39 -04:00
Jeff Mitchell
d00374fe3c
Add a logger to testing backend config so it's available to backends during unit tests
2016-06-30 09:17:14 -04:00
Jeff Mitchell
e925987cb6
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
vishalnayak
6c5e1969ac
Added GetDefaultOrZero method to FieldData
2016-06-10 10:42:01 -04:00
Jeff Mitchell
10b218d292
Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this...
2016-06-07 16:01:09 -04:00
Jeff Mitchell
401456ea50
Add creation time to returned wrapped token info
...
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.
This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Jeff Mitchell
8f437d6142
Make logical.InmemStorage a wrapper around physical.InmemBackend.
...
This:
* Allows removing LockingInmemStorage since the physical backend already
locks properly
* Makes listing work properly by adhering to expected semantics of only
listing up to the next prefix separator
* Reduces duplicated code
2016-06-06 12:03:08 -04:00
Jeff Mitchell
72cfd19078
Add some comments to sanitize
2016-05-16 16:12:45 -04:00
Jeff Mitchell
c4431a7e30
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors
2016-05-16 16:11:33 -04:00
Jeff Mitchell
4c67a739b9
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-16 12:14:40 -04:00
Sean Chittenden
7a4b31ce51
Speling police
2016-05-15 09:58:36 -07:00
vishalnayak
6f65d9293a
Fix framework rollback manager tests
2016-05-14 19:35:36 -04:00
vishalnayak
ddcaf26396
Merge branch 'master-oss' into aws-auth-backend
2016-05-10 14:50:00 -04:00
Jeff Mitchell
31e1ed2417
Implement WrapInfo audit logging
2016-05-07 20:03:56 -04:00
Jeff Mitchell
2295cadbf4
Make WrapInfo a pointer to match secret/auth in response
2016-05-07 19:17:51 -04:00
Jeff Mitchell
c52d352332
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-07 16:40:04 -04:00
Jeff Mitchell
d77563994c
Merge pull request #1346 from hashicorp/disable-all-caches
...
Disable all caches
2016-05-07 16:33:45 -04:00
Jeff Mitchell
75dbbff1a6
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-05 20:45:36 -04:00
Jeff Mitchell
3e71221839
Merge remote-tracking branch 'origin/master' into aws-auth-backend
2016-05-05 10:04:52 -04:00
vishalnayak
92fe94546c
Split SanitizeTTL method to support time.Duration parameters as well
2016-05-05 09:45:48 -04:00
Jeff Mitchell
fe1f56de40
Make a non-caching but still locking variant of transit for when caches are disabled
2016-05-02 22:36:44 -04:00
Jeff Mitchell
8572190b64
Plumb disabling caches through the policy store
2016-05-02 22:36:44 -04:00
Jeff Mitchell
642163f8b0
Remove MountPoint from internal wrap object, for now at least
2016-05-02 10:29:51 -04:00
Jeff Mitchell
aba689a877
Add wrapping through core and change to use TTL instead of Duration.
2016-05-02 00:47:35 -04:00
Jeff Mitchell
d81806b446
Add:
...
* Request/Response field extension
* Parsing of header into request object
* Handling of duration/mount point within router
* Tests of router WrapDuration handling
2016-05-02 00:24:32 -04:00
vishalnayak
21854776af
Added cooldown period for periodic tidying operation
2016-04-26 10:22:29 -04:00
vishalnayak
9aa8fb6cc1
Support periodic tidy callback and config endpoints.
2016-04-26 10:22:29 -04:00
Sean Chittenden
aeea7628d6
Add a *log.Logger argument to physical.Factory
...
Logging in the backend is a good thing. This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
Seth Vargo
86455b4720
Only show params if there are fields
2016-04-13 22:15:06 +01:00
vishalnayak
a861125900
Added a TODO for 'Check' function
2016-04-06 12:51:49 -04:00
vishalnayak
d9dcbe04d8
Fix ErrorOk handling
2016-04-06 12:29:04 -04:00
vishalnayak
1df5c4d0ce
Use AcceptanceTest bool in Test() function
2016-04-05 16:48:11 -04:00
vishalnayak
fd8b023655
s/TF_ACC/VAULT_ACC
2016-04-05 15:24:59 -04:00
vishalnayak
95abdebb06
Added AcceptanceTest boolean to logical.TestCase
2016-04-05 15:10:44 -04:00
Jeff Mitchell
afae46feb7
SealInterface
2016-04-04 10:44:22 -04:00
vishalnayak
ba9b5b8847
Fix SanitizeTTL check
2016-03-16 14:27:01 -04:00
vishalnayak
3861c88211
Accept params both as part of URL or as part of http body
2016-03-14 19:14:36 -04:00
vishalnayak
151c932875
AccessorID --> Accessor, accessor_id --> accessor
2016-03-09 06:23:31 -05:00
vishalnayak
913bbe7693
Error text corrections and minor refactoring
2016-03-08 22:27:24 -05:00
vishalnayak
301776012f
Introduced AccessorID in TokenEntry and returning it along with token
2016-03-08 14:06:10 -05:00
Jeff Mitchell
7d41607b6e
Add "tidy/" which allows removing expired certificates.
...
A buffer is used to ensure that we only remove certificates that are
both expired and for which the buffer has past. Options allow removal
from revoked/ and/or certs/.
2016-02-24 21:24:48 -05:00
Jeff Mitchell
f9fb20bbe4
Make SanitizeTTL treat an empty string the same as a "0" string.
...
This causes a 0 TTL to be returned for the value, which is a clue to
other parts of Vault to use appropriate defaults. However, this makes
the defaults be used at lease allocation or extension time instead of
when parsing parameters.
2016-02-18 16:51:36 -05:00
Jeff Mitchell
eb1deefac1
Introduce a locking inmem storage for unit tests that are doing concurrent things
2016-02-04 09:40:35 -05:00
Jeff Mitchell
627082b838
Remove grace periods
2016-01-31 19:33:16 -05:00
Jeff Mitchell
d5584e12bc
invert logic to prefer client increment
2016-01-29 20:02:15 -05:00
Jeff Mitchell
4619473175
Update proposed time
2016-01-29 19:31:37 -05:00
Jeff Mitchell
7353fa3e56
Adjust framework unit tests for new LeaseExtend
2016-01-29 19:31:37 -05:00
Jeff Mitchell
f53136ab09
Update LeaseExtend
2016-01-29 19:31:37 -05:00
Jeff Mitchell
12c00b97ef
Allow backends to see taint status.
...
This can be seen via System(). In the PKI backend, if the CA is
reconfigured but not fully (e.g. an intermediate CSR is generated but no
corresponding cert set) and there are already leases (issued certs), the
CRL is unable to be built. As a result revocation fails. But in this
case we don't actually need revocation to be successful since the CRL is
useless after unmounting. By checking taint status we know if we can
simply fast-path out of revocation with a success in this case.
Fixes #946
2016-01-22 17:01:22 -05:00
Jeff Mitchell
8069fa7972
Address some listing review feedback
2016-01-22 10:07:32 -05:00
Jeff Mitchell
5341cb69cc
Updates and documentation
2016-01-22 10:07:32 -05:00
Jeff Mitchell
f9bbe0fb04
Use logical operations instead of strings for comparison
2016-01-12 21:16:31 -05:00
Jeff Mitchell
9db22dcfad
Address some more review feedback
2016-01-12 15:09:16 -05:00
Jeff Mitchell
4f4ddbf017
Create more granular ACL capabilities.
...
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.
Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell
f3ce90164f
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Jeff Mitchell
2d8e3b35f2
Revoke permissions before dropping user in postgresql.
...
Currently permissions are not revoked, which can lead revocation to not
actually work properly. This attempts to revoke all permissions and only
then drop the role.
Fixes issue #699
2015-10-30 11:58:52 -04:00
Jeff Mitchell
35a7f0de22
Add '.' to GenericNameRegex; it cannot appear as the first or last
...
character. This allows its usage in a number of extra path-based
variables.
Ping #244
2015-10-13 16:04:10 -04:00
Jeff Mitchell
c7cec2aabc
Add unit tests
2015-10-07 20:17:06 -04:00
Jeff Mitchell
10d24779c0
Rename GetWarnings->Warnings for responses
2015-10-07 16:18:39 -04:00
Jeff Mitchell
d740fd4a6a
Add the ability for warnings to be added to responses. These are
...
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.
Fixes #676
2015-10-07 16:18:39 -04:00
Jeff Mitchell
2091842dca
Sort policies when checking for equality
2015-10-06 15:48:25 -04:00
Jeff Mitchell
62ac518ae7
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 10:41:21 -04:00
Vishal Nayak
d526c8ce1c
Merge pull request #629 from hashicorp/token-create-sudo
...
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-21 10:12:29 -04:00
vishalnayak
1a01ab3608
Take ClientToken instead of Policies
2015-09-21 10:04:03 -04:00
Jeff Mitchell
ab7d35b95e
Fix up per-backend timing logic; also fix error in TypeDurationSecond in
...
GetOkErr.
2015-09-21 09:55:03 -04:00
vishalnayak
02485e7175
Abstraced SudoPrivilege to take list of policies
2015-09-19 18:23:44 -04:00
vishalnayak
a2799b235e
Using acl.RootPrivilege and rewrote mockTokenStore
2015-09-19 17:53:24 -04:00
vishalnayak
b6d47dd784
fix broken tests
2015-09-19 12:33:52 -04:00
vishalnayak
fb77ec3623
TokenStore: Provide access based on sudo permissions and not policy name
2015-09-19 11:14:51 -04:00
Jeff Mitchell
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
Jeff Mitchell
801e531364
Enhance transit backend:
...
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
2015-09-18 14:41:05 -04:00
vishalnayak
7f640c4374
Error on violating SysView boundaries
2015-09-17 11:24:46 -04:00
vishalnayak
6a4089b2a8
Vault userpass: Enable renewals for login tokens
2015-09-16 23:55:35 -04:00
Jeff Mitchell
77e7379ab5
Implement the cubbyhole backend
...
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Jeff Mitchell
104b29ab04
Rename View to StorageView to make it more distinct from SystemView
2015-09-15 13:50:37 -04:00
Lassi Pölönen
fb07cf9f53
Implement clean up routine to backend as some backends may require
...
e.g closing database connections on unmount to avoud connection
stacking.
2015-09-11 11:45:58 +03:00
Jeff Mitchell
39cfcccdac
Remove error returns from sysview TTL calls
2015-09-10 15:09:54 -04:00
Jeff Mitchell
488d33c70a
Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation
2015-09-10 15:09:54 -04:00
Jeff Mitchell
4239f9d243
Add DynamicSystemView. This uses a pointer to a pointer to always have
...
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.
Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
d435048d9e
Switch StaticSystemView values to pointers, to support updating
2015-09-10 15:09:54 -04:00
Jeff Mitchell
696d0c7b1d
Plumb per-mount config options through API
2015-09-10 15:09:53 -04:00
Jeff Mitchell
9e5e8a8a4d
Whitespace fix
2015-08-27 12:14:51 -07:00
Jeff Mitchell
cdabe6350e
SystemConfig -> SystemView
2015-08-27 11:38:05 -07:00
Jeff Mitchell
b74fa8c888
Make DefaultSystemView StaticSystemView with statically-configured information. Export this from Framework to make it easy to override for testing.
2015-08-27 11:25:07 -07:00
Jeff Mitchell
7c2bbe4c7f
Use a SystemView interface and turn SystemConfig into DefaultSystemView
2015-08-27 10:36:44 -07:00
Jeff Mitchell
e58553e7d5
Plumb the system configuration information up into framework
2015-08-27 09:41:03 -07:00
Jeff Mitchell
2e07106c4b
Add some documentation to SystemConfig
2015-08-27 09:14:03 -07:00
Jeff Mitchell
992e357d07
Add some plumbing to allow specified system configuration information to
...
be retrieved by logical backends. First implemented is default/max TTL.
2015-08-27 08:51:35 -07:00
Jeff Mitchell
5695d57ba0
Merge pull request #561 from hashicorp/fix-wild-cards
...
Allow hyphens in endpoint patterns of most backends
2015-08-21 11:40:42 -07:00
vishalnayak
6c2927ede0
Vault: Fix wild card paths for all backends
2015-08-21 00:56:13 -07:00
Jeff Mitchell
ea9fbb90bc
Rejig Lease terminology internally; also, put a few JSON names back to their original values
2015-08-20 22:27:01 -07:00
Jeff Mitchell
93ef9a54bd
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
Jeff Mitchell
b57ce8e5c2
Change "lease" parameter in the generic backend to be "ttl" to reduce confusion. "lease" is now deprecated but will remain valid until 0.4.
...
Fixes #528 .
2015-08-20 16:41:25 -07:00
Armon Dadgar
4abc488cec
Merge pull request #510 from ctennis/more_descriptive_errors
...
More descriptive errors with specific HTTP return codes
2015-08-11 10:11:26 -07:00
Caleb Tennis
ae990884a6
Add a validation step in field data to error more quickly vs. allowing panics to happen when we go to get the data and convert it
2015-08-11 12:34:14 -04:00
Caleb Tennis
4da080e769
This adds a new error class which can be used by logical backends to
...
specify more concrete error cases to make their way back up the stack.
Over time there is probably a cleaner way of doing this, but that's
looking like a more massive rewrite and this solves some issues in
the meantime.
Use a CodedError to return a more concrete HTTP return code for
operations you want to do so. Returning a regular error leaves
the existing behavior in place.
2015-08-10 13:27:25 -04:00
Caleb Tennis
7750af7014
Fix a couple of typos
2015-08-09 15:20:06 -04:00
vishalnayak
4409e704b5
Vault Test: Disabling mlock for logical.testing.Test()
2015-07-31 12:23:50 -04:00
Armon Dadgar
c40cf7fcdf
logical/framework: handle nil duration value. Fixes #408
2015-07-08 16:55:52 -06:00
Armon Dadgar
cf82f4d6d6
logical/testing: Allow factory to be provided instead of Backend
2015-06-30 18:08:43 -07:00
Armon Dadgar
4b27e4d8c5
Remove SetLogger, and unify on framework.Setup
2015-06-30 17:45:20 -07:00
Armon Dadgar
541014e315
logical: remove SetLogger method
2015-06-30 17:39:39 -07:00
Armon Dadgar
5d69e7da90
Updating for backend API change
2015-06-30 17:36:12 -07:00
Armon Dadgar
41b72a4d39
vault: provide view to backend initializer for setup
2015-06-30 17:30:43 -07:00
Armon Dadgar
e892d728a2
logical/framework: support Salt in PathMap
2015-06-30 14:28:45 -07:00
Armon Dadgar
6b23b14773
logical/framework: adding a new duration type to convert to seconds
2015-06-17 15:56:26 -07:00
Armon Dadgar
f39b522681
logical/framework: allow the lease max to come from existing lease
2015-06-17 14:24:12 -07:00
Armon Dadgar
cfab07b19f
logical/framework: simplify calculation of lease renew
2015-06-17 14:16:44 -07:00
Armon Dadgar
ae02203624
logical: remove IncrementedLease, simplify ExpirationTime calculation
2015-06-17 13:59:09 -07:00
Armon Dadgar
784f17a0a8
logical: Adding special fields to do raw HTTP
2015-05-27 14:09:47 -07:00
Armon Dadgar
ba7bfed1af
vault: Expose MountPoint to secret backend. Fixes #248
2015-05-27 11:46:42 -07:00
Armon Dadgar
7131f12fee
logical/testing: Fixing revoke in acceptance tests. Fixes #236
2015-05-27 11:19:15 -07:00
Jonathan Sokolowski
d58512b3f8
logical/framework: Fix help text in PathMap
2015-05-15 07:56:32 +10:00
Jonathan Sokolowski
283e8ccacb
logical/framework: Add delete to PathMap
2015-05-14 22:28:33 +10:00
Jonathan Sokolowski
896f9cd4d3
logical/framework: Add delete to PathStruct
2015-05-14 22:25:30 +10:00
Mitchell Hashimoto
5c63b70eea
logical/framework: PathMap is case insensitive by default
2015-05-11 10:27:04 -07:00
Mitchell Hashimoto
4e861f29bc
credential/github: case insensitive mappings
2015-05-11 10:24:39 -07:00
Armon Dadgar
c849aba53a
vault: Adding InternalData to Auth
2015-05-09 11:39:54 -07:00
Armon Dadgar
8ed48191fb
logical/framework: Generate help output even if no synopsis provided
2015-05-07 15:45:43 -07:00
Mitchell Hashimoto
81b12660c5
logical/framework: PathMap allows hyphens in keys [GH-119]
2015-05-02 13:17:42 -07:00
Mitchell Hashimoto
6287513c30
logical/testing: add return after fatal?
2015-04-28 18:46:56 -07:00
Armon Dadgar
c4a92a276d
logical/framework: Supporting list of path map
2015-04-23 21:44:04 -07:00
Armon Dadgar
af4f9196b8
logical: allow specifying ConnState
2015-04-23 16:36:31 -07:00
Mitchell Hashimoto
f7a1b2ced9
credential/app-id: allow restriction by CIDR block [GH-10]
2015-04-17 10:14:39 -07:00
Mitchell Hashimoto
e643b48235
credential/app-id: support associating a name with app ID [GH-9]
2015-04-17 10:01:03 -07:00
Mitchell Hashimoto
cd3fa3be92
logical/framework: more flexible Pathmap and PolicyMap
2015-04-17 09:35:49 -07:00
Mitchell Hashimoto
910bf9c76d
logical/framework: PathStruct
2015-04-17 09:18:21 -07:00
Armon Dadgar
9d2bd2bf29
logical: Adding a DisplayName for operators
2015-04-15 13:56:42 -07:00
Mitchell Hashimoto
463a32ba56
logical/framework: doc for defaultduration on secret
2015-04-13 20:42:06 -07:00
Mitchell Hashimoto
6272ad75dc
logical/framework: secret lease tests
2015-04-13 15:18:27 -07:00
Mitchell Hashimoto
209b275bfd
logical/framework: allow max session time
2015-04-11 16:41:08 -07:00
Mitchell Hashimoto
33d66f0130
vault: token store allows unlimited renew
2015-04-11 16:28:16 -07:00
Mitchell Hashimoto
d81707a222
logical/framework: more tests
2015-04-11 14:51:00 -07:00
Mitchell Hashimoto
a360ca4928
logical/framework: AuthRenew callback, add LeaseExtend
...
/cc @armon - Going with this "standard library" of callbacks approach
to make extending leases in a customizable way easy. See the docs/tests
above.
2015-04-11 14:46:09 -07:00
Mitchell Hashimoto
f996dcf964
logical: add LeaseOptions.IncrementedLease()
2015-04-10 21:35:17 -07:00
Mitchell Hashimoto
7139ad427e
logical: lease tests
2015-04-10 21:29:03 -07:00
Mitchell Hashimoto
992028e23e
vault: the expiration time should be relative to the issue time
2015-04-10 21:21:06 -07:00