luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
4040 commits 1 branch 0 tags 214 MiB
Commit graph

202 commits

Author SHA1 Message Date
Vishal Nayak 8a1bb1626a Merge pull request #1583 from hashicorp/ssh-allowed-roles 
Add allowed_roles to ssh-helper-config and return role name from verify call
 2016-07-19 12:04:12 -04:00
vishalnayak c14235b206 Merge branch 'master-oss' into json-use-number 
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
 2016-07-15 19:21:55 -04:00
Jeff Mitchell a6682405a3 Migrate number of retries down by one to have it be max retries, not tries 2016-07-11 21:57:14 +00:00
Jeff Mitchell 57cdb58374 Switch to pester from go-retryablehttp to avoid swallowing 500 error messages 2016-07-11 21:37:46 +00:00
Jeff Mitchell 7023eafc67 Make the API client retry on 5xx errors. 
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.

Fix tests.
 2016-07-06 16:50:23 -04:00
vishalnayak ad7cb2c8f1 Added JSON Decode and Encode helpers. 
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
 2016-07-06 12:25:40 -04:00
vishalnayak 5367a7223d Add allowed_roles to ssh-helper-config and return role name from verify call 2016-07-05 11:14:29 -04:00
vishalnayak 848b479a61 Added 'sys/auth/<path>/tune' endpoints. 
Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods'
 2016-06-15 13:58:24 -04:00
Jeff Mitchell e925987cb6 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
Jeff Mitchell 65d8973864 Add explicit max TTL capability to token creation API 2016-06-08 14:49:48 -04:00
Jeff Mitchell c0155ac02b Add renewable flag and API setting for token creation 2016-06-08 11:14:30 -04:00
Jeff Mitchell 10b218d292 Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this... 2016-06-07 16:01:09 -04:00
Jeff Mitchell 401456ea50 Add creation time to returned wrapped token info 
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.

This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
 2016-06-07 15:00:35 -04:00
Jeff Mitchell 63aba520c6 Make Unwrap a first-party API command and refactor UnwrapCommand to use it 2016-05-27 21:04:30 +00:00
Jeff Mitchell 05b2d4534c Add unwrap test function and some robustness around paths for the wrap lookup function 2016-05-19 11:49:46 -04:00
Jeff Mitchell c4431a7e30 Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 16:11:33 -04:00
Jeff Mitchell c5008bcaac Add more tests 2016-05-07 21:08:13 -04:00
Jeff Mitchell 99a5b4402d Merge branch 'master-oss' into cubbyhole-the-world 2016-05-04 14:42:14 -04:00
Jeff Mitchell 45a120f491 Switch our tri-copy ca loading code to go-rootcerts 2016-05-03 12:23:25 -04:00
Jeff Mitchell 1ffd5653c6 Add wrap support to API/CLI 2016-05-02 02:03:23 -04:00
Jeff Mitchell 4e53f4b1a4 Use UseNumber() on json.Decoder to have numbers be json.Number objects 
instead of float64. This fixes some display bugs.
 2016-04-20 18:38:20 +00:00
Adam Shannon fb07d07ad9 all: Cleanup from running go vet 2016-04-13 14:38:29 -05:00
Jeff Mitchell 348be0e50b Remove RevokePrefix from the API too as we simply do not support it any 
longer.
 2016-04-05 11:00:12 -04:00
Jeff Mitchell afae46feb7 SealInterface 2016-04-04 10:44:22 -04:00
vishalnayak 4e6dcfd6d0 Enable callbacks for handling logical.Request changes before processing requests 2016-03-17 22:29:53 -04:00
vishalnayak f275cd2e9c Fixed capabilities API to receive logical response 2016-03-17 21:03:32 -04:00
vishalnayak a5d79d587a Refactoring the capabilities function 2016-03-17 21:03:32 -04:00
vishalnayak 71fc07833f Rename id to path and path to file_path, print audit backend paths 2016-03-14 17:15:07 -04:00
Vishal Nayak c70b4bbbb2 Merge pull request #1201 from hashicorp/accessor-cli-flags 
Accessor CLI flags
 2016-03-11 09:55:45 -05:00
vishalnayak b8d202f920 Restore RevokeSelf API 2016-03-11 06:30:45 -05:00
vishalnayak 0486fa1a3a Added accessor flag to token-revoke CLI 2016-03-10 21:21:20 -05:00
vishalnayak ed8a096596 Add accessor flag to token-lookup command and add lookup-accessor client API 2016-03-10 21:21:20 -05:00
Seth Vargo 30f24dd5cc Validate HCL for SSHHelper too 2016-03-10 16:47:46 -05:00
Jeff Mitchell fa2ba47a5c Merge branch 'master' into token-roles 2016-03-09 17:23:34 -05:00
Jeff Mitchell 6df72e6efd Merge pull request #1168 from hashicorp/revoke-force 
Add forced revocation.
 2016-03-09 16:59:52 -05:00
vishalnayak 151c932875 AccessorID --> Accessor, accessor_id --> accessor 2016-03-09 06:23:31 -05:00
vishalnayak 301776012f Introduced AccessorID in TokenEntry and returning it along with token 2016-03-08 14:06:10 -05:00
Jeff Mitchell cc1f5207b3 Merge branch 'master' into token-roles 2016-03-07 10:03:54 -05:00
vishalnayak 9946a2d8b5 refactoring changes due to acl.Capabilities 2016-03-04 18:55:48 -05:00
vishalnayak 7fe871e60a Removing the 'Message' field 2016-03-04 10:36:03 -05:00
vishalnayak 286e63a648 Handled root token use case 2016-03-04 10:36:03 -05:00
vishalnayak 5749a6718c Added sys/capabililties endpoint 2016-03-04 10:36:02 -05:00
Jeff Mitchell 0d46fb4696 Create a unified function to sanitize mount paths. 
This allows mount paths to start with '/' in addition to ensuring they
end in '/' before leaving the system backend.
 2016-03-03 13:13:47 -05:00
Jeff Mitchell 3e7bca82a1 Merge pull request #1146 from hashicorp/step-down 
Provide 'sys/step-down' and 'vault step-down'
 2016-03-03 12:30:08 -05:00
Jeff Mitchell cd86226845 Add forced revocation. 
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.

This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.

Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.

Fixes #1135
 2016-03-03 10:13:59 -05:00
Jeff Mitchell 54232eb980 Add other token role unit tests and some minor other changes. 2016-03-01 12:41:41 -05:00
Jeff Mitchell ef990a3681 Initial work on token roles 2016-03-01 12:41:40 -05:00
vishalnayak aee006ba2d moved the test cert keys to appropriate test-fixtures folder 2016-02-29 15:49:08 -05:00
Jeff Mitchell d131d99c34 Merge branch 'master' into step-down 2016-02-29 11:02:09 -05:00
vishalnayak dca18aec2e replaced old certs, with new certs generated from PKI backend, containing IP SANs 2016-02-28 22:15:54 -05:00