Commit graph

9832 commits

Author SHA1 Message Date
Matthew Irish 81f52d3c7f changelog++ 2019-01-29 09:45:54 -06:00
Matthew Irish b777906fee add entity lookup to the default policy (#6105)
* add entity lookup to the default policy

* only use id for lookup

* back in with name
2019-01-29 09:43:59 -06:00
Jeff Mitchell 4b3e611fd6 changelog++ 2019-01-29 00:53:01 -05:00
Noelle Daley 0aa0e0fe1d UI/gate wizard (#6094)
* check for capabilities when finding matching paths

* disable wizard items that user does not have access to

* make hasPermissions accept an array of capabilities

* refactor features-selection

* fix tests

* implement feedback
2019-01-28 14:49:25 -08:00
Brian Shumate 2337df4b2b Update documentation for command operator unseal (#6117)
- Add migrate command option
2019-01-28 10:27:51 -05:00
Jeff Mitchell 39e14b9083 Force circonus v2 as directed by them 2019-01-28 10:27:02 -05:00
Jeff Mitchell 928698fce5 Update update deps script 2019-01-26 18:43:35 -05:00
Jeff Mitchell 40ff476664 changelog++ 2019-01-26 16:48:53 -05:00
Gordon Shankman cd2f7bbde8 Adding support for SSE in the S3 storage backend. (#5996) 2019-01-26 16:48:08 -05:00
Jeff Mitchell 3032dfd5c3 changelog++ 2019-01-25 14:11:58 -05:00
Jeff Mitchell e781ea3ac4 First part of perf standby entity race fix (#6106) 2019-01-25 14:08:42 -05:00
Jeff Mitchell 1f57e3674a Move a common block up a level 2019-01-24 18:29:22 -05:00
Calvin Leung Huang 34af3daeb0 docs: update agent sample config (#6096) 2019-01-24 07:25:03 -05:00
Becca Petrin df24d204ba Convert MSSQL tests to Docker (#6095)
* create working mssql docker container

* update tests
2019-01-24 07:24:31 -05:00
Jeff Mitchell 6d22f3fc2e minor linting change 2019-01-23 17:19:06 -05:00
Jeff Mitchell 94e56d964f Fix build 2019-01-23 16:52:51 -05:00
Jeff Mitchell 0874b552cb Fix build 2019-01-23 16:52:06 -05:00
Jeff Mitchell 42253deac3 changelog++ 2019-01-23 16:35:56 -05:00
Seth Vargo 98ad431d6d Continuously attempt to unseal if sealed keys are supported (#6039)
* Add helper for checking if an error is a fatal error

The double-double negative was really confusing, and this pattern is used a few places in Vault. This negates the double negative, making the devx a bit easier to follow.

* Check return value of UnsealWithStoredKeys in sys/init

* Return proper error types when attempting unseal with stored key

Prior to this commit, "nil" could have meant unsupported auto-unseal, a transient error, or success. This updates the function to return the correct error type, signaling to the caller whether they should retry or fail.

* Continuously attempt to unseal if sealed keys are supported

This fixes a bug that occurs on bootstrapping an initial cluster. Given a collection of Vault nodes and an initialized storage backend, they will all go into standby waiting for initialization. After one node is initialized, the other nodes had no mechanism by which they "re-check" to see if unseal keys are present. This adds a goroutine to the server command which continually waits for unseal keys to exist. It exits in the following conditions:

- the node is unsealed
- the node does not support stored keys
- a fatal error occurs (as defined by Vault)
- the server is shutting down

In all other situations, the routine wakes up at the specified interval and attempts to unseal with the stored keys.
2019-01-23 16:34:34 -05:00
Jeff Mitchell c5d8391c38 Prefix path rename (#6089)
* Rename Prefix -> Path in internal struct

* Update test
2019-01-23 15:04:49 -05:00
Jeff Mitchell 4a76aa0f12 changelog++ 2019-01-23 14:35:51 -05:00
Jeff Mitchell 3f1a7d4fdd Update to latest etcd and use the new repository packages (#6087)
This will be necessary for go mod work

Additionally, the srv api has changed. This adapts to it.
2019-01-23 14:35:03 -05:00
Jeff Mitchell a11f2a3ba2 Rename glob -> prefix in ACL internals (#6086)
Really, it's a prefix
2019-01-23 13:55:40 -05:00
Jeff Mitchell 59bc9dd361 Add missing value to policy ShallowClone
Not related to a bug, just happened to notice it.
2019-01-23 13:20:04 -05:00
Jeff Mitchell 155fa5114b changelog++ 2019-01-23 12:33:10 -05:00
Jeff Mitchell 5e126f6de8 Implement JWS-compatible signature marshaling (#6077)
This currently only applies to ECDSA signatures, and is a toggleable
option.
2019-01-23 12:31:34 -05:00
Noel Cower 4f05192be3 Merge all configuration fields (#6028)
This changes (*Config).Merge to merge all fields of a Config.
Previously, when merging Configs, some configuration fields were
ignored and completely lost, including APIAddr, ClusterAddr, and
a couple boolean fields. This only occurs when using multiple config
files and does not affect single config files (even when loading from
a directory -- Merge is only called after a second file is loaded).

- Fix APIAddr not being merged.
- Fix ClusterAddr not being merged.
- Fix DisablePrintableCheck not being merged.
- Fix DisableClustering not being merged. The DisableClusteringRaw
  value is also preserved so that it can be used in overrides for
  storage fields.
- Use merged top-level config as storage field overrides.
- Update config dir test fixtures to set some fields missed by
  (*Config).Merge previously.
2019-01-23 11:27:21 -05:00
Jim Kalafut f097b8d934 Update existing alias metadata during authentication (#6068) 2019-01-23 08:26:50 -08:00
Becca Petrin aac271ed7f swap the forked aliyun sdk for the original (#6024) 2019-01-23 11:24:51 -05:00
Stuart Moore 1e836c1f67 Typo fix in gcpckms.go (#6081) 2019-01-23 07:52:31 -05:00
Jeff Mitchell c7ac2e449a Sync up code 2019-01-22 17:44:13 -05:00
Jeff Mitchell 797c622567 Sync seal testing 2019-01-22 17:23:20 -05:00
Jeff Mitchell 9653f9e379 Sync logical_system 2019-01-22 17:21:53 -05:00
Jeff Mitchell 2836dd0d53 Update testhelpers to allow passing in custom handler 2019-01-22 17:16:26 -05:00
Clint c940f5fcc7 Merge pull request #6070 from gitirabassi/master
Small fixes to docs and indexes for InfluxDB plugin
2019-01-22 12:20:10 -06:00
Thomas L. Kula 319324f731 Incredibly tiny comment fix on secret.go (#6078) 2019-01-21 16:57:39 -05:00
Jim Kalafut 0374a1ed6d Add Sprintf capability to logical.ErrorResponse (#6076)
Roughly 25% of calls to logical.ErrorResponse() include an inner fmt.Sprintf() call.
This PR would simplify these cases:

`return logical.ErrorResponse(fmt.Sprintf("unable to read role '%s'", role))`

  could become

`return logical.ErrorResponse("unable to read role '%s'", role)`

With only a single parameter passed in, behavior is unchanged.
2019-01-18 15:12:38 -08:00
Becca Petrin 83e0c5e5e6 Check ec2 instance metadata for region (#6025) 2019-01-18 14:49:24 -08:00
Noelle Daley 58dfd8aa68 Add Policy-based Navigation (#5967)
* add permissions service

* start template helper

* match prefixed paths

* gate sidebar links

* land on first page user has access to

* show nav when user first logs in

* clear paths when user logs out

* add tests

* implement feedback

* show all nav items if no policy is found

* update onboarding wizard

* fix some unrelated tests

* add support for namespaces

* gate wizard

* unstage package and lockfile
2019-01-18 14:04:40 -08:00
Riley Lahd 1a010320e3 Consider whole response in UI console when missing auth, data and wrap_info for non writes/deletes (#6073) 2019-01-18 14:02:11 -06:00
Riley Lahd 6e26c18d05 Format array, number and boolean outputs in ui console (Fixes #6054) (#6062)
* format array, number and boolean outputs in ui console

* Remove extra description from console output tests
2019-01-18 10:15:37 -06:00
gitirabassi 1aaacda3ec small fixes to docs and indexes 2019-01-18 02:14:57 +01:00
Jim Kalafut 0f2fcfb6f1 Update JWT docs with new jwt_supported_algs parameter (#6069) 2019-01-17 15:27:20 -08:00
Zac Medico 49eaa3d4ff Makefile: do not execute static-assets in parallel with deps (#6057)
The static-assets target has a dependency on *either* ember-dist or
ember-dist-dev, so these targets must not execute in parallel. Since
this is an either/or dependency, it cannot be expressed as a regular
dependency unless the targets are refactored somehow.

Fixes: 7a312d7c37bb ("Add Makefile/Dockerfile UI bits")
2019-01-17 18:19:54 -05:00
Jeff Mitchell f7a35d4f49 Add missing performance_standby field to API 2019-01-17 18:15:00 -05:00
Jim Kalafut aff9bbe49f changelog++ 2019-01-17 14:49:16 -08:00
Noelle Daley 9c99a8cc49 always show copy token button (#6064) 2019-01-17 14:36:54 -08:00
Seth Vargo 018ec9cdb8 Upgrade to new Cloud KMS client libraries (#6051)
* Upgrade to new Cloud KMS client libraries

We recently released the new Cloud KMS client libraries which use GRPC
instead of HTTP. They are faster and look nicer (</opinion>), but more
importantly they drastically simplify a lot of the logic around client
creation, encryption, and decryption. In particular, we can drop all the
logic around looking up credentials and base64-encoding/decoding.

Tested on a brand new cluster (no pre-existing unseal keys) and against
a cluster with stored keys from a previous version of Vault to ensure no
regressions.

* Use the default scopes the client requests

The client already does the right thing here, so we don't need to
surface it, especially since we aren't allowing users to configure it.
2019-01-17 17:27:15 -05:00
Noelle Daley 3bacca85b1 add link to copy current token from user status bar (#6063) 2019-01-17 11:24:49 -08:00
Jeff Mitchell 159f0c1b0a Fix typo in comment 2019-01-17 13:28:27 -05:00