59e83e2e6d
* move the ttls on enable for db to default and not as options * refactor form field to angle brackets * add database to supported backend * initial setup of components and models * setup selectable cards, need to make own component * styling setup * subtext and links * number styling * search select put in place and button, all pretty things * search label text * messy but closer to data configuration. making models and fetching those models on routes * connection adapter and serializer that is pulled in by the overview route * clean up and add new model params connections and roles to overview route hbs * setting up overview as route with SecretHeader component. TODO, show Overview tab, but have link to route. It's going be on the secret header list component * setup overview tab on secret-list-header to go to overview page * setup id in overview route * Correct link on secrets engine list for database and others * Roles tab on database fetches correct model * Update options for backend with hasOverview param so overview tab is rendered conditionally on secret list header * create new getCrendentialsComponent * Rename database connection parent component and start working on display * setup routing to credentials route for database from overview page * setup network request for the credentials of role * setup serializer for credentials * redirect previous route * fix border color on button disable * add margin to back button * change to glimmer component * glimmerize and clean up the get-credentials-card * Begin database connection show and create form * add component test for the get-credentials-card * Database connection model and field groups * add static roles to searhSelect * add staticRoles on overview page * Toolbar and tabs on database connection show view looks correct * combine static and dynamic role models for pagination * Update database-list-item with real link to connection * Add support for optionalText edit type on form-field * handle situation when no static and/or dynamic roles * turn partial into component so can handle computed and eventually click actions, similar to transform * glimmerize database-list-item * use lazy capabilities on list role and static-role actions * Create connection works and redirects to show page * creds request based on dynamic or static and unload the store by record creds when they transition away. * dynamcially add in backend for queries * fixes on overview page for get credentials with hardcoded backend and layout for static creds * Rotate and Reset connection actions working on connection * get credentials set the query params * setup async for handling permission errors on overivew * Move query logic to store for getting both types of role * Filtering works on combined role models * cleanup * Fix no meta on connections list * better handle the situation where you don't have access to list roles but do to generate * implment updated empty state component and add to credentials page when roleType is noRoleType * glimmerize the input search component * move logic for generate credentials urlto the generate creds component * remove query param for role type * handle permissions on the overview page * permissions for role list * New roles route for backends * handle different permissions for empty return on 404 vs 403 on overview page * fix links on overview page * Connetions WIP * setup lazy caps for the connections model and list * add computed to role and static role models to clean up permissions * setup actions for connections list * Update form-field to show password type and update json input to angle bracket syntax with optional theme option * setup capabilities on overview for empty state * fix hardcoded on the backend * toggle inner label has width 100% * Add custom update password togglable input on database connection edit form, and only submit defined attrs * Add updateRecord to connection adapter * glimmerize secret list header and make new component which either shows or does not show the tab based on permissions * Remove tabs on show connection * add peek record * Update database role to get both models on a single model, remove static-role model and adapter, remove roles route * fix creds permissions on database-list-item * add component info and rename for secret-list-header-tab * fix issues on overview page * Add path to individual role on serializer * add accetpance test for testing the engine * fix transform test * test fix * Update connection before role created, disable button with tooltip if user cannot update path * Add add-to-array and remove-from-array helpers with tests * Clean up connection update on delete or create role, cleanup logs, role create link works * Database role create and edit forms with readonly fields and validation. Add readonly-form-field * Add field div around ttl picker for correct spacing on form-field * fix the breadcrumbs * PLaceholder test for readonly form field * create new helper to format time duration * tooltip and formatting on static role * more on static roles time stuff * clean up * clean up * fixes on the test and addition of another helper test * fix secrets machine test * Add modal to connection creation flow * fix issue with readonly form field test * Add is-empty-object helper and tests * Role error handling * Remove Atlas option from connection list, add defaults to db role form * clean up stuff though might have made it uglier * clean up * Add capabilities checks on connection actions * Fix jsdocs on readonly-form-field * Fix json editor height on form field * Readonly form has notallowed cursor, readonly form field updates * Add blank field rendering to info-table-row * Start writing readonly form field tests * Address some PR comments * fix fallback action on search select * cleanup per comments * fix readonly form field test and lint * Cleanup string helpers * Replace renderBlank with alwaysRender logic * re-humanize label on readonly form field * Show defaultShown value on info-table-row if no value and always render * Show default on role and connection show table * Add changelog Co-authored-by: Chelsea Shaw <chelshaw.dev@gmail.com> |
||
|---|---|---|
| .circleci | ||
| .github | ||
| .hooks | ||
| api | ||
| audit | ||
| builtin | ||
| changelog | ||
| command | ||
| helper | ||
| http | ||
| internalshared | ||
| packages-oss.lock | ||
| physical | ||
| plugins/database | ||
| scripts | ||
| sdk | ||
| serviceregistration | ||
| shamir | ||
| terraform | ||
| tools | ||
| ui | ||
| vault | ||
| vendor | ||
| website | ||
| .gitattributes | ||
| .gitignore | ||
| .yamllint | ||
| CHANGELOG.md | ||
| CONTRIBUTING.md | ||
| LICENSE | ||
| Makefile | ||
| README.md | ||
| go.mod | ||
| go.sum | ||
| main.go | ||
| main_test.go | ||
| make.bat | ||
| packages-oss.yml | ||
| packagespec.mk | ||
README.md
Vault 
Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at security@hashicorp.com.
- Website: https://www.vaultproject.io
- IRC:
#vault-toolon Freenode - Announcement list: Google Groups
- Discussion forum: Discuss
- Documentation: https://www.vaultproject.io/docs/
- Tutorials: HashiCorp's Learn Platform
- Certification Exam: Vault Associate
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.
A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Understanding who is accessing what secrets is already very difficult and platform-specific. Adding on key rolling, secure storage, and detailed audit logs is almost impossible without a custom solution. This is where Vault steps in.
The key features of Vault are:
-
Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.
-
Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.
-
Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.
-
Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.
-
Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.
Documentation, Getting Started, and Certification Exams
Documentation is available on the Vault website.
If you're new to Vault and want to get started with security automation, please check out our Getting Started guides on HashiCorp's learning platform. There are also additional guides to continue your learning.
Show off your Vault knowledge by passing a certification exam. Visit the certification page for information about exams and find study materials on HashiCorp's learning platform.
Developing Vault
If you wish to work on Vault itself or any of its built-in systems, you'll first need Go installed on your machine. Go version 1.15.3+ is required.
For local dev first make sure Go is properly installed, including setting up a
GOPATH. Ensure that $GOPATH/bin is in
your path as some distributions bundle old version of build tools. Next, clone this
repository. Vault uses Go Modules,
so it is recommended that you clone the repository outside of the GOPATH.
You can then download any required build tools by bootstrapping your environment:
$ make bootstrap
...
To compile a development version of Vault, run make or make dev. This will
put the Vault binary in the bin and $GOPATH/bin folders:
$ make dev
...
$ bin/vault
...
To compile a development version of Vault with the UI, run make static-dist dev-ui. This will
put the Vault binary in the bin and $GOPATH/bin folders:
$ make static-dist dev-ui
...
$ bin/vault
...
To run tests, type make test. Note: this requires Docker to be installed. If
this exits with exit status 0, then everything is working!
$ make test
...
If you're developing a specific package, you can run tests for just that
package by specifying the TEST variable. For example below, only
vault package tests will be run.
$ make test TEST=./vault
...
Acceptance Tests
Vault has comprehensive acceptance tests covering most of the features of the secret and auth methods.
If you're working on a feature of a secret or auth method and want to verify it is functioning (and also hasn't broken anything else), we recommend running the acceptance tests.
Warning: The acceptance tests create/destroy/modify real resources, which may incur real costs in some cases. In the presence of a bug, it is technically possible that broken backends could leave dangling data behind. Therefore, please run the acceptance tests at your own risk. At the very least, we recommend running them in their own private account for whatever backend you're testing.
To run the acceptance tests, invoke make testacc:
$ make testacc TEST=./builtin/logical/consul
...
The TEST variable is required, and you should specify the folder where the
backend is. The TESTARGS variable is recommended to filter down to a specific
resource to test, since testing all of them at once can sometimes take a very
long time.
Acceptance tests typically require other environment variables to be set for things such as access keys. The test itself should error early and tell you what to set, so it is not documented here.
For more information on Vault Enterprise features, visit the Vault Enterprise site.