open-vault/vault
Christopher Swenson 7a977fd6ea
events: Check token and ACLs on request (#19138)
This checks the request against the `read` permission for
`sys/events/subscribe/{eventType}` on the initial subscribe.

Future work includes moving this to its own verb (`subscribe`)
and periodically rechecking the request.

Tested locally by minting a token with the wrong permissions
and verifying that they are rejected as expected, and that
they work if the policy is adjusted to `sys/event/subscribe/*`
(or the specific topic name) with `read` permissions.

I had to change the `core.checkToken()` to be publicly accessible,
as it seems like the easiest way to check the token on the
`logical.Request` against all relevant policies, but without
going into all of the complex logic further in `handleLogical()`.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-02-10 20:56:00 +00:00
..
activity Allow Token Create Requests To Be Replicated (#18689) 2023-01-24 14:00:27 -05:00
cluster Vault 11798 vault cli issue intermediate (#18467) 2023-01-27 16:41:16 -05:00
diagnose Upgrade `go.opentelemetry.io/otel` from v0.20.0 to v1.11.2 (#18589) 2023-01-04 11:31:30 -08:00
eventbus events: Add websockets and command (#19057) 2023-02-09 13:18:58 -08:00
external_tests test/plugin: test external plugin workflows (#19090) 2023-02-09 10:16:16 -06:00
hcp_link Remove the last vestiges of sdk/version. (#19068) 2023-02-08 12:30:27 -05:00
quotas VAULT-8336 Fix default rate limit paths (#18273) 2022-12-09 08:49:17 -05:00
replication Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
seal OSS portion of wrapper-v2 (#16811) 2022-08-23 15:37:16 -04:00
tokens Allow Token Create Requests To Be Replicated (#18689) 2023-01-24 14:00:27 -05:00
acl.go Fix HelpOperation on sudo-protected paths (#18568) 2023-01-10 12:17:16 -06:00
acl_test.go Fix linter issues in policy.go & acl.go (#16366) 2022-07-22 14:13:14 -04:00
acl_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
activity_log.go VAULT-13061: Fix mount path discrepancy in activity log (#18916) 2023-02-06 10:26:32 +01:00
activity_log_test.go VAULT-13061: Fix mount path discrepancy in activity log (#18916) 2023-02-06 10:26:32 +01:00
activity_log_testing_util.go s/path/mount_path (#14164) 2022-02-18 13:44:43 -05:00
activity_log_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
activity_log_util_common.go VAULT-13061: Fix mount path discrepancy in activity log (#18916) 2023-02-06 10:26:32 +01:00
activity_log_util_common_test.go fix off by one err in current month client count computation (#17457) 2022-10-07 12:37:09 -04:00
audit.go core: push entry table type-checking into for loop (#17220) 2022-10-05 15:56:12 -04:00
audit_broker.go Add stack trace to audit logging panic recovery (#18121) 2022-11-30 17:59:05 +00:00
audit_test.go Vault test cluster helper refactorings, mostly audit related (#18928) 2023-02-01 08:33:16 -05:00
audited_headers.go vault: deprecate errwrap.Wrapf() (#11577) 2021-05-11 13:12:54 -04:00
audited_headers_test.go Fix some more error shadowing issues (#12990) 2021-11-01 11:43:00 -07:00
auth.go Add events sending routed from plugins (#18834) 2023-02-03 13:24:16 -08:00
auth_test.go Vault test cluster helper refactorings, mostly audit related (#18928) 2023-02-01 08:33:16 -05:00
barrier.go Rename master key to root key (#13324) 2021-12-06 17:12:20 -08:00
barrier_access.go Fix compile 2018-01-19 05:31:55 -05:00
barrier_aes_gcm.go Barrier: Fix potential locking issue (#17944) 2022-11-16 09:53:22 -08:00
barrier_aes_gcm_test.go validate cipher length before decrypting (#14098) 2022-02-18 07:37:22 -07:00
barrier_test.go Rename master key to root key (#13324) 2021-12-06 17:12:20 -08:00
barrier_view.go Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
barrier_view_test.go Run a more strict formatter over the code (#11312) 2021-04-08 09:43:39 -07:00
barrier_view_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
capabilities.go Adds ability to define an inline policy and internal metadata on tokens (#12682) 2021-10-07 10:36:22 -07:00
capabilities_test.go Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
cluster.go VAULT-11829: Add cluster status handler (#18351) 2023-01-06 17:06:54 -05:00
cluster_test.go Vault test cluster helper refactorings, mostly audit related (#18928) 2023-02-01 08:33:16 -05:00
core.go events: Add websockets and command (#19057) 2023-02-09 13:18:58 -08:00
core_metrics.go Add more raft metrics, emit more metrics on non-perf standbys (#12166) 2022-10-07 09:09:08 -07:00
core_metrics_test.go oss changes (#15487) 2022-05-18 09:16:13 -07:00
core_test.go Vault test cluster helper refactorings, mostly audit related (#18928) 2023-02-01 08:33:16 -05:00
core_util.go core: Move rollback period init to NewCore (#17547) 2022-10-13 18:39:00 -04:00
core_util_common.go merkle sync undo logs (#17103) 2022-09-13 10:03:19 -07:00
cors.go Migrate to sdk/internalshared libs in go-secure-stdlib (#12090) 2021-07-15 20:17:31 -04:00
counters.go [VAULT-2852] deprecate req counters in oss (#12197) 2021-07-29 10:21:40 -07:00
counters_test.go Use %q for quoted strings where appropriate (#15216) 2022-08-03 12:32:45 -06:00
custom_response_headers.go reformat using 'make fmt' (#13794) 2022-01-27 10:06:34 -08:00
custom_response_headers_test.go vault: fix dropped test errors (#14402) 2022-03-08 12:32:27 -07:00
dynamic_system_view.go Add path based primary write forwarding (PBPWF) - OSS (#18735) 2023-01-20 16:36:18 -05:00
dynamic_system_view_test.go core: set namespace within GeneratePasswordFromPolicy (#12635) 2021-09-27 09:08:07 -07:00
events_test.go events: Add websockets and command (#19057) 2023-02-09 13:18:58 -08:00
expiration.go add core state lock deadlock detection config option v2 (#18604) 2023-01-11 13:32:05 -06:00
expiration_integ_test.go Revert the WithContext changes to vault tests (#14947) 2022-04-07 15:12:58 -04:00
expiration_test.go Fix a panic at cleanup time in an expiration restore lease benchmark. (#16485) 2022-07-28 05:54:03 -07:00
expiration_testing_util_common.go [VAULT-1981] Add OSS changes (#11999) 2021-07-06 17:12:24 -05:00
expiration_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
external_plugin_test.go test/plugin: refactor compilePlugin for reuse (#18952) 2023-02-03 16:27:11 -06:00
forwarded_writer_oss.go Add path based primary write forwarding (PBPWF) - OSS (#18735) 2023-01-20 16:36:18 -05:00
generate_root.go SSCT Tokens Feature [OSS] (#14109) 2022-02-17 11:43:07 -08:00
generate_root_recovery.go SSCT Tokens Feature [OSS] (#14109) 2022-02-17 11:43:07 -08:00
generate_root_test.go SSCT Tokens Feature [OSS] (#14109) 2022-02-17 11:43:07 -08:00
ha.go VAULT-8436 remove <-time.After statements in for loops (#18818) 2023-02-06 17:49:01 +01:00
ha_test.go Run a more strict formatter over the code (#11312) 2021-04-08 09:43:39 -07:00
identity_lookup.go Switch to go modules (#6585) 2019-04-13 03:44:06 -04:00
identity_lookup_test.go Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
identity_store.go named Login MFA methods (#18610) 2023-01-23 15:51:22 -05:00
identity_store_aliases.go move custom metadata validation logic to its own package (#16464) 2022-07-28 10:40:38 -04:00
identity_store_aliases_test.go Support clearing an identity alias' custom_metadata (#13395) 2021-12-10 18:07:47 -05:00
identity_store_entities.go VAULT-9451 Fix data race in entity merge (#17631) 2022-10-21 16:47:59 -04:00
identity_store_entities_test.go Check if plugin version matches running version (#17182) 2022-09-21 12:25:04 -07:00
identity_store_group_aliases.go Refactor usages of Core in IdentityStore so they can be decoupled. (#12461) 2021-08-30 15:31:11 -04:00
identity_store_group_aliases_test.go Update group alias handling to better protect against namespace differences 2019-06-18 16:43:30 -04:00
identity_store_groups.go return bad request instead of server error for identity group cycle detection (#15912) 2022-06-10 10:15:31 -04:00
identity_store_groups_test.go update gofumpt to 0.3.1 and reformat the repo (#17055) 2022-09-07 17:31:20 -07:00
identity_store_oidc.go Fix multiple OpenAPI generation issues with new AST-based generator (#18554) 2023-01-31 16:27:39 -05:00
identity_store_oidc_provider.go Fix multiple OpenAPI generation issues with new AST-based generator (#18554) 2023-01-31 16:27:39 -05:00
identity_store_oidc_provider_test.go identity/oidc: adds claims_supported to discovery document (#16992) 2022-09-02 09:19:25 -07:00
identity_store_oidc_provider_util.go identity/oidc: Adds proof key for code exchange (PKCE) support (#13917) 2022-02-15 12:02:22 -08:00
identity_store_oidc_test.go unit test: fix oidc periodicfunc flaky test (#15320) 2022-05-09 13:43:23 -05:00
identity_store_oidc_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
identity_store_oss.go Login MFA (#14025) 2022-02-17 13:08:51 -08:00
identity_store_schema.go Fix startup failures when aliases from a pre-1.9 vault version exist (#13169) 2021-11-16 14:56:34 -05:00
identity_store_structs.go HCP link integration (#16939) 2022-09-06 14:11:04 -04:00
identity_store_test.go identity/entity-alias: fix bug where alias metadata was shared if alias had same name (#16838) 2022-08-23 15:39:45 -04:00
identity_store_upgrade.go Prevent entity alias creation when entity is in different NS than mount (#943) (#6886) 2019-06-14 12:53:00 -04:00
identity_store_util.go VAULT-9451 Fix data race in entity merge (#17631) 2022-10-21 16:47:59 -04:00
init.go Revert #18683 (#18942) 2023-02-01 13:34:53 -06:00
init_test.go OSS portion of wrapper-v2 (#16811) 2022-08-23 15:37:16 -04:00
inspectable.go Introspection API Implementation for Router Struct (#17789) 2022-11-04 09:39:09 -07:00
inspectable_test.go OSS PR for Config Changes PR (#18418) 2022-12-15 12:19:19 -08:00
keyring.go reformat using 'make fmt' (#13794) 2022-01-27 10:06:34 -08:00
keyring_test.go Rename master key to root key (#13324) 2021-12-06 17:12:20 -08:00
logical_cubbyhole.go Add plugin version to GRPC interface (#17088) 2022-09-15 16:37:59 -07:00
logical_cubbyhole_test.go Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
logical_passthrough.go Prevent panics in expiration invalidation, and make some changes for testing (#18401) 2022-12-15 18:09:36 +00:00
logical_passthrough_test.go Prevent panics in expiration invalidation, and make some changes for testing (#18401) 2022-12-15 18:09:36 +00:00
logical_raw.go Use %q for quoted strings where appropriate (#15216) 2022-08-03 12:32:45 -06:00
logical_system.go Make experiments API authenticated (#18966) 2023-02-09 20:18:14 +00:00
logical_system_activity.go De-duplicate namespaces when historical and current month data are mixed (#18452) 2022-12-16 16:02:42 -08:00
logical_system_helpers.go Login MFA (#14025) 2022-02-17 13:08:51 -08:00
logical_system_integ_test.go Vault test cluster helper refactorings, mostly audit related (#18928) 2023-02-01 08:33:16 -05:00
logical_system_paths.go VAULT-12112: openapi response definitions: sys/audit (#18456) 2023-01-20 11:09:33 -05:00
logical_system_pprof.go Add support for unauthenticated pprof access on a per-listener basis,… (#11324) 2021-04-19 14:30:59 -04:00
logical_system_quotas.go VAULT-6614 Enable role based quotas for lease-count quotas (OSS) (#16157) 2022-07-05 13:02:00 -04:00
logical_system_raft.go Prevent autopilot from demoting voters when they join a 2nd time (#18263) 2022-12-07 14:17:45 -05:00
logical_system_test.go Vault test cluster helper refactorings, mostly audit related (#18928) 2023-02-01 08:33:16 -05:00
logical_system_user_lockout.go Prevent Brute Forcing: Create an api endpoint to list locked users OSS changes (#18675) 2023-01-17 14:25:56 -08:00
logical_system_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
login_mfa.go VAULT-8436 remove <-time.After statements in for loops (#18818) 2023-02-06 17:49:01 +01:00
login_mfa_test.go named Login MFA methods (#18610) 2023-01-23 15:51:22 -05:00
managed_key_registry.go Invalidate the ManagedKeyRegistry cache when Vault config is updated. (#14179) 2022-02-21 09:55:44 -05:00
mfa_auth_resp_priority_queue.go Login MFA (#14025) 2022-02-17 13:08:51 -08:00
mfa_auth_resp_priority_queue_test.go Login MFA (#14025) 2022-02-17 13:08:51 -08:00
mount.go Add events sending routed from plugins (#18834) 2023-02-03 13:24:16 -08:00
mount_test.go Vault test cluster helper refactorings, mostly audit related (#18928) 2023-02-01 08:33:16 -05:00
mount_util.go Add path based primary write forwarding (PBPWF) - OSS (#18735) 2023-01-20 16:36:18 -05:00
mount_util_shared.go Add path based primary write forwarding (PBPWF) - OSS (#18735) 2023-01-20 16:36:18 -05:00
namespaces.go Refactor usages of Core in IdentityStore so they can be decoupled. (#12461) 2021-08-30 15:31:11 -04:00
namespaces_oss.go HCP link integration (#16939) 2022-09-06 14:11:04 -04:00
password_policy_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
plugin_catalog.go Move version out of SDK. (#14229) 2022-12-07 13:29:51 -05:00
plugin_catalog_test.go Remove pinned builtin plugin versions from storage (#18051) 2022-11-23 18:36:25 +00:00
plugin_reload.go Plugins: Add version info to CLI and server log output (#17430) 2022-10-06 12:54:27 +01:00
policy.go prevent memory leak when using control group factors in a policy (#17532) 2022-10-14 19:15:15 -04:00
policy_store.go Make experiments API authenticated (#18966) 2023-02-09 20:18:14 +00:00
policy_store_test.go Make experiments API authenticated (#18966) 2023-02-09 20:18:14 +00:00
policy_store_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
policy_test.go Add HTTP PATCH support to KV (#12687) 2021-10-13 15:24:31 -04:00
policy_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
raft.go VAULT-8436 remove <-time.After statements in for loops (#18818) 2023-02-06 17:49:01 +01:00
rekey.go Revert #18683 (#18942) 2023-02-01 13:34:53 -06:00
rekey_test.go OSS portion of wrapper-v2 (#16811) 2022-08-23 15:37:16 -04:00
request_forwarding.go Add autopilot automated upgrades and redundancy zones (#15521) 2022-05-20 16:49:11 -04:00
request_forwarding_rpc.go Add stack trace to audit logging panic recovery (#18121) 2022-11-30 17:59:05 +00:00
request_forwarding_rpc_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
request_forwarding_service.pb.go Allow Token Create Requests To Be Replicated (#18689) 2023-01-24 14:00:27 -05:00
request_forwarding_service.proto Add autopilot automated upgrades and redundancy zones (#15521) 2022-05-20 16:49:11 -04:00
request_forwarding_service_grpc.pb.go Update protobuf & grpc libraries and protoc plugins (#12679) 2021-09-29 18:25:15 -07:00
request_handling.go events: Check token and ACLs on request (#19138) 2023-02-10 20:56:00 +00:00
request_handling_test.go SSCT Optimizations (OSS) (#14323) 2022-03-01 12:24:45 -08:00
request_handling_util.go Allow Token Create Requests To Be Replicated (#18689) 2023-01-24 14:00:27 -05:00
rollback.go Fix a data race with rollbackPeriod. (#17387) 2022-10-13 09:59:07 -04:00
rollback_test.go When tainting a route during setup, pre-calculate the namespace specific path (#15067) 2022-04-26 09:13:45 -07:00
router.go Introspection API Implementation for Router Struct (#17789) 2022-11-04 09:39:09 -07:00
router_access.go The big one (#5346) 2018-09-17 23:03:00 -04:00
router_test.go When tainting a route during setup, pre-calculate the namespace specific path (#15067) 2022-04-26 09:13:45 -07:00
router_testing.go AWS upgrade role entries (#7025) 2019-07-05 16:55:40 -07:00
seal.go Revert #18683 (#18942) 2023-02-01 13:34:53 -06:00
seal_access.go OSS portion of wrapper-v2 (#16811) 2022-08-23 15:37:16 -04:00
seal_autoseal.go Revert #18683 (#18942) 2023-02-01 13:34:53 -06:00
seal_autoseal_test.go OSS portion of wrapper-v2 (#16811) 2022-08-23 15:37:16 -04:00
seal_test.go Shamir seals now come in two varieties: legacy and new-style. (#7694) 2019-10-18 14:46:00 -04:00
seal_testing.go Rename master key to root key (#13324) 2021-12-06 17:12:20 -08:00
seal_testing_util.go OSS portion of wrapper-v2 (#16811) 2022-08-23 15:37:16 -04:00
sealunwrapper.go OSS portion of wrapper-v2 (#16811) 2022-08-23 15:37:16 -04:00
sealunwrapper_test.go OSS portion of wrapper-v2 (#16811) 2022-08-23 15:37:16 -04:00
test_cluster_detect_deadlock.go add core state lock deadlock detection config option v2 (#18604) 2023-01-11 13:32:05 -06:00
test_cluster_do_not_detect_deadlock.go add core state lock deadlock detection config option v2 (#18604) 2023-01-11 13:32:05 -06:00
testing.go test/plugin: refactor compilePlugin for reuse (#18952) 2023-02-03 16:27:11 -06:00
testing_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
token_store.go Allow Token Create Requests To Be Replicated (#18689) 2023-01-24 14:00:27 -05:00
token_store_test.go Use %q for quoted strings where appropriate (#15216) 2022-08-03 12:32:45 -06:00
token_store_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
token_store_util_common.go Load SSCT Generation Counter Upon DR Promotion [OSS] (#16956) 2022-08-31 11:05:21 -07:00
ui.go Add Semgrep Rules to OSS (#14513) 2022-03-18 11:14:03 -07:00
ui_test.go Fix UI custom header values (#10511) 2020-12-15 15:58:03 +01:00
util.go
util_test.go
vault_version_time.go Add build date (#14957) 2022-04-19 14:28:08 -04:00
version_store.go plugins: Handle mount/enable for shadowed builtins (#17879) 2022-12-14 13:06:33 -05:00
version_store_test.go Move version out of SDK. (#14229) 2022-12-07 13:29:51 -05:00
wrapping.go feature: secrets/auth plugin multiplexing (#14946) 2022-08-29 21:42:26 -05:00
wrapping_util.go Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00