Commit Graph

204 Commits

Author SHA1 Message Date
Brian Kassouf 6701ba8a10 Configure the request headers that are output to the audit log (#2321)
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited

* Remove some debug lines

* Add a persistant layer and refactor a bit

* update the api endpoints to be more restful

* Add comments and clean up a few functions

* Remove unneeded hash structure functionaility

* Fix existing tests

* Add tests

* Add test for Applying the header config

* Add Benchmark for the ApplyConfig method

* ResetTimer on the benchmark:

* Update the headers comment

* Add test for audit broker

* Use hyphens instead of camel case

* Add size paramater to the allocation of the result map

* Fix the tests for the audit broker

* PR feedback

* update the path and permissions on config/* paths

* Add docs file

* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
Jeff Mitchell 69eb5066dd Multi value test seal (#2281) 2017-01-17 15:43:10 -05:00
Jeff Mitchell dd0e44ca10 Add nonce to unseal to allow seeing if the operation has reset (#2276) 2017-01-17 11:47:06 -05:00
Jeff Mitchell 252e1f1e84 Port over some work to make the system views a bit nicer 2017-01-13 14:51:27 -05:00
Jeff Mitchell 9923c753d0 Set c.standby true in non-HA context. (#2259)
This value is the key for some checks in core logic. In a non-HA
environment, if the core was sealed it would never be set back to true.
2017-01-11 11:13:09 -05:00
Jeff Mitchell 681e36c4af Split Unseal into Unseal and unsealInternal 2017-01-06 16:30:43 -05:00
Jeff Mitchell 9e5d1eaac9 Port some updates 2017-01-06 15:42:18 -05:00
Jeff Mitchell 0391475c70 Add read locks to LookupToken/ValidateWrappingToken (#2232) 2017-01-04 16:52:03 -05:00
Jeff Mitchell 3129187dc2 JWT wrapping tokens (#2172) 2017-01-04 16:44:03 -05:00
Jeff Mitchell e84a015487 Add extra logic around listener handling. (#2089) 2016-11-11 16:43:33 -05:00
Vishal Nayak b3c805e662 Audit the client token accessors (#2037) 2016-10-29 17:01:49 -04:00
Jeff Mitchell 85315ff188 Rejig where the reload functions live 2016-09-30 00:07:22 -04:00
Jeff Mitchell b45a481365 Wrapping enhancements (#1927) 2016-09-28 21:01:28 -07:00
Jeff Mitchell 2ce4397deb Plumb through the ability to set the storage read cache size. (#1784)
Plumb through the ability to set the storage read cache size.

Fixes #1772
2016-08-26 10:27:06 -04:00
Jeff Mitchell b89073f7e6 Error when an invalid (as opposed to incorrect) unseal key is given. (#1782)
Fixes #1777
2016-08-24 14:15:25 -04:00
Jeff Mitchell 58b32e5432 Convert to logxi 2016-08-21 18:13:37 -04:00
Jeff Mitchell 2bb8adcbde Cleanup and avoid unnecessary advertisement parsing in leader check 2016-08-19 14:49:11 -04:00
Jeff Mitchell b7acf5b5ab Rename proto service stuff and change log levels for some messages 2016-08-19 11:49:25 -04:00
Jeff Mitchell bdcfe05517 Clustering enhancements (#1747) 2016-08-19 11:03:53 -04:00
vishalnayak 87c42a796b s/advertisement/redirect 2016-08-19 10:52:14 -04:00
Jeff Mitchell 62c69f8e19 Provide base64 keys in addition to hex encoded. (#1734)
* Provide base64 keys in addition to hex encoded.

Accept these at unseal/rekey time.

Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell 37320f8798 Request forwarding (#1721)
Add request forwarding.
2016-08-15 09:42:42 -04:00
vishalnayak cff7aada7a Fix invalid input getting marked as internal error 2016-07-28 16:23:11 -04:00
vishalnayak a3e6400697 Remove global name/id. Make only cluster name configurable. 2016-07-26 10:01:35 -04:00
vishalnayak c7dabe4def Storing local and global cluster name/id to storage and returning them in health status 2016-07-26 02:32:42 -04:00
Jeff Mitchell df621911d7 Merge pull request #1624 from hashicorp/dynamodb-ha-off-default
Turn off DynamoDB HA by default.
2016-07-18 13:54:26 -04:00
Jeff Mitchell 028d024345 Add metrics around leadership
This can be helpful for detecting flapping.

Fixes #1544
2016-07-18 13:38:44 -04:00
Jeff Mitchell a3ce0dcb0c Turn off DynamoDB HA by default.
The semantics are wonky and have caused issues from people not reading
docs. It can be enabled but by default is off.
2016-07-18 13:19:58 -04:00
Jeff Mitchell 05b0e0a866 Enable audit-logging of seal and step-down commands.
This pulls the logical request building code into its own function so
that it's accessible from other HTTP handlers, then uses that with some
added logic to the Seal() and StepDown() commands to have meaningful
audit log entries.
2016-05-20 17:03:54 +00:00
Jeff Mitchell c4431a7e30 Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 16:11:33 -04:00
Jeff Mitchell 560e9c30a3 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-12 14:59:12 -04:00
Sean Chittenden 99a5213f0b Merge pull request #1355 from hashicorp/f-vault-service
Vault/Consul Service refinement
2016-05-12 11:48:29 -07:00
Jeff Mitchell c52d352332 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-07 16:40:04 -04:00
Jeff Mitchell fe1f56de40 Make a non-caching but still locking variant of transit for when caches are disabled 2016-05-02 22:36:44 -04:00
Jeff Mitchell 8572190b64 Plumb disabling caches through the policy store 2016-05-02 22:36:44 -04:00
Jeff Mitchell 2ebe49d3a1 Change UseToken mechanics.
Add locking around UseToken and Lookup. Have UseToken flag an entry that
needs to be revoked so that it can be done at the appropriate time, but
so that Lookup in the interm doesn't return a value.

The locking is a map of 4096 locks keyed off of the first three
characters of the token ID which should provide good distribution.
2016-05-02 03:44:24 -04:00
Jeff Mitchell aba689a877 Add wrapping through core and change to use TTL instead of Duration. 2016-05-02 00:47:35 -04:00
Sean Chittenden 5068d68a13 Name the output parameters for Leader 2016-04-28 11:05:18 -07:00
Sean Chittenden 0b72906fc3 Change the interface of ServiceDiscovery
Instead of passing state, signal that the state has changed and provide a callback handler that can query Core.
2016-04-28 11:05:18 -07:00
Sean Chittenden 7fe0b2c6a1 Persistently retry to update service registration
If the local Consul agent is not available while attempting to step down from active or up to active, retry once a second.  Allow for concurrent changes to the state with a single registration updater.  Fix standby initialization.
2016-04-25 18:01:13 -07:00
Sean Chittenden 230b59f34c Stub out service discovery functionality
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
2016-04-25 18:00:54 -07:00
Jeff Mitchell 53773f12e3 Register the token entry's path instead of the request path, to handle role suffixes correctly 2016-04-14 08:08:28 -04:00
Jeff Mitchell a4ff72841e Check for seal status when initing and change logic order to avoid defer 2016-04-14 01:13:59 +00:00
vishalnayak e3a1ee92b5 Utility Enhancements 2016-04-05 20:32:59 -04:00
Jeff Mitchell afae46feb7 SealInterface 2016-04-04 10:44:22 -04:00
Jeff Mitchell ddce1efd0d Two items:
1: Fix path check in core to handle renew paths from the token store
that aren't simply renew/
2: Use token policy logic if token store role policies are empty
2016-03-31 14:52:49 -04:00
Jeff Mitchell 8a5fc6b017 Sort and filter policies going into the create token entry, then use
that as the definitive source for the response Auth object.
2016-03-15 14:05:25 -04:00
Jeff Mitchell 90dd55b1e6 Sort policies before returning/storing, like we do in handleCreateCommon 2016-03-10 22:31:26 -05:00
vishalnayak 378db2bc3c Add default policy to response auth object 2016-03-10 19:55:38 -05:00
Jeff Mitchell fa2ba47a5c Merge branch 'master' into token-roles 2016-03-09 17:23:34 -05:00