Commit Graph

96 Commits

Author SHA1 Message Date
Jeff Mitchell 8f27c250d6 Fix problematic logging statements.
Fixes #665.
2015-10-02 18:31:46 -07:00
Jeff Mitchell 62ac518ae7 Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend. 2015-09-25 10:41:21 -04:00
Jeff Mitchell ab7d35b95e Fix up per-backend timing logic; also fix error in TypeDurationSecond in
GetOkErr.
2015-09-21 09:55:03 -04:00
Jeff Mitchell 68c268a6f0 Allow tuning of auth mounts, to set per-mount default/max lease times 2015-09-19 11:50:50 -04:00
Jeff Mitchell 39cfcccdac Remove error returns from sysview TTL calls 2015-09-10 15:09:54 -04:00
Jeff Mitchell ace611d56d Address items from feedback. Make MountConfig use values rather than
pointers and change how config is read to compensate.
2015-09-10 15:09:54 -04:00
Jeff Mitchell c460ff10ca Push a lot of logic into Router to make a bunch of it nicer and enable a
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
Jeff Mitchell 86ccae7bd5 Fix mount config test by proxying mounts/ in addition to mounts 2015-09-10 15:09:54 -04:00
Jeff Mitchell 488d33c70a Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00
Jeff Mitchell 4239f9d243 Add DynamicSystemView. This uses a pointer to a pointer to always have
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.

Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell 696d0c7b1d Plumb per-mount config options through API 2015-09-10 15:09:53 -04:00
Jeff Mitchell 992e357d07 Add some plumbing to allow specified system configuration information to
be retrieved by logical backends. First implemented is default/max TTL.
2015-08-27 08:51:35 -07:00
Jeff Mitchell 15f57082e0 Begin factoring out sys paths into logical routes. Also, standardize on 307 as redirect code. 2015-08-20 13:20:35 -07:00
Caleb Tennis 4da080e769 This adds a new error class which can be used by logical backends to
specify more concrete error cases to make their way back up the stack.

Over time there is probably a cleaner way of doing this, but that's
looking like a more massive rewrite and this solves some issues in
the meantime.

Use a CodedError to return a more concrete HTTP return code for
operations you want to do so.  Returning a regular error leaves
the existing behavior in place.
2015-08-10 13:27:25 -04:00
Nate Brown a0be7af858 Fixing key-status if audit logging is on 2015-06-24 10:57:05 -07:00
Armon Dadgar ffeb6ea76c vault: allow increment to be duration string. Fixes #340 2015-06-17 15:58:20 -07:00
Armon Dadgar 4eb5c63a5d vault: create upgrade path in HA mode 2015-05-28 16:43:15 -07:00
Armon Dadgar 9f399eb9ff vault: prevent raw access to protected paths 2015-05-28 10:24:41 -07:00
Armon Dadgar 1a4256c20c vault: more logging around rotate 2015-05-27 17:56:55 -07:00
Armon Dadgar d0b93a6164 vault: adding sys/key-status and sys/rotate 2015-05-27 17:53:42 -07:00
Armon Dadgar 0b84e86483 vault: Adding more logging 2015-05-15 17:19:32 -07:00
Armon Dadgar 466c7575d3 Replace VaultID with LeaseID for terminology simplification 2015-04-08 13:35:32 -07:00
Mitchell Hashimoto 246c2839b0 logical/framework: make help look nicer 2015-04-03 21:00:23 -07:00
Armon Dadgar d5403d6673 vault: TODO cleanups 2015-04-01 22:13:08 -07:00
Armon Dadgar 114c1e1dea vault: Adding the raw/ endpoints to sys 2015-04-01 17:45:00 -07:00
Armon Dadgar c83f46606b vault: Simpify token checking logic 2015-04-01 14:03:17 -07:00
Armon Dadgar dda8dec5bf vault: Adding sys/ paths to enable/disable audit backends 2015-03-31 16:45:08 -07:00
Mitchell Hashimoto 0666bda865 vault: require root token for seal 2015-03-31 09:59:02 -07:00
Mitchell Hashimoto 04c80a81bc vault: add seal to the sys backend 2015-03-31 09:36:13 -07:00
Mitchell Hashimoto 62ee621ea3 logical: move cred stuff over here 2015-03-30 17:46:18 -07:00
Armon Dadgar f40ed182c4 vault: Support policy CRUD 2015-03-23 14:43:31 -07:00
Armon Dadgar 82e13e3c41 vault: implement the sys/auth* endpoints 2015-03-20 12:48:19 -07:00
Mitchell Hashimoto c349e97168 vault: clean up VaultID duplications, make secret responses clearer
/cc @armon - This is a reasonably major refactor that I think cleans up
a lot of the logic with secrets in responses. The reason for the
refactor is that while implementing Renew/Revoke in logical/framework I
found the existing API to be really awkward to work with.

Primarily, we needed a way to send down internal data for Vault core to
store since not all the data you need to revoke a key is always sent
down to the user (for example the user than AWS key belongs to).

At first, I was doing this manually in logical/framework with
req.Storage, but this is going to be such a common event that I think
its something core should assist with. Additionally, I think the added
context for secrets will be useful in the future when we have a Vault
API for returning orphaned out keys: we can also return the internal
data that might help an operator.

So this leads me to this refactor. I've removed most of the fields in
`logical.Response` and replaced it with a single `*Secret` pointer. If
this is non-nil, then the response represents a secret. The Secret
struct encapsulates all the lease info and such.

It also has some fields on it that are only populated at _request_ time
for Revoke/Renew operations. There is precedent for this sort of
behavior in the Go stdlib where http.Request/http.Response have fields
that differ based on client/server. I copied this style.

All core unit tests pass. The APIs fail for obvious reasons but I'll fix
that up in the next commit.
2015-03-19 23:11:42 +01:00
Mitchell Hashimoto 2a1ae18877 vault: convert to new callback style 2015-03-19 15:05:22 +01:00
Mitchell Hashimoto d9bff7b674 vault: TODOs 2015-03-17 20:54:38 -05:00
Mitchell Hashimoto abe0859aa5 vault: use RWMutex on MountTable itself 2015-03-17 20:39:45 -05:00
Armon Dadgar a24192b728 vault: Support sys/revoke-prefix/ 2015-03-16 16:33:48 -07:00
Armon Dadgar f08659aaaa vault: Adding sys/revoke 2015-03-16 16:26:34 -07:00
Armon Dadgar 57b4f970d2 vault: Test renew of bad ID 2015-03-16 16:14:53 -07:00
Armon Dadgar e52f1ee960 vault: Testing sys/renew 2015-03-16 16:11:55 -07:00
Mitchell Hashimoto de1e28a77c vault: change to /sys/mounts 2015-03-16 10:52:35 -07:00
Mitchell Hashimoto e3a796028e http: /v1/sys/mount endpoint 2015-03-16 10:36:43 -07:00
Mitchell Hashimoto 9f0d59d03f vault: system using the framework 2015-03-15 17:35:59 -07:00
Mitchell Hashimoto ece0be434e vault: rename SystemBackend2 to SystemBackend 2015-03-15 14:54:49 -07:00
Mitchell Hashimoto d1d1929192 vault: convert to logical.Request and friends 2015-03-15 14:53:41 -07:00
Mitchell Hashimoto 5ffcd02b7a vault: convert system to logical.Backend 2015-03-15 14:42:05 -07:00