luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/vault
History
Joel Thompson 73112c49fb logical/aws: Harden WAL entry creation (#5202) 
* logical/aws: Harden WAL entry creation

If AWS IAM user creation failed in any way, the WAL corresponding to the
IAM user would get left around and Vault would try to roll it back.
However, because the user never existed, the rollback failed. Thus, the
WAL would essentially get "stuck" and Vault would continually attempt to
roll it back, failing every time. A similar situation could arise if the
IAM user that Vault created got deleted out of band, or if Vault deleted
it but was unable to write the lease revocation back to storage (e.g., a
storage failure).

This attempts to harden it in two ways. One is by deleting the WAL log
entry if the IAM user creation fails. However, the WAL deletion could
still fail, and this wouldn't help where the user is deleted out of
band, so second, consider the user rolled back if the user just doesn't
exist, under certain circumstances.

Fixes #5190

* Fix segfault in expiration unit tests

TestExpiration_Tidy was passing in a leaseEntry that had a nil Secret,
which then caused a segfault as the changes to revokeEntry didn't check
whether Secret was nil; this is probably unlikely to occur in real life,
but good to be extra cautious.

* Fix potential segfault

Missed the else...

* Respond to PR feedback
2018-09-27 09:54:59 -05:00
..
external_tests Restricts ACL templating to paths but allows failures (#5167) 2018-08-23 12:15:02 -04:00
seal The big one (#5346) 2018-09-17 23:03:00 -04:00
acl.go The big one (#5346) 2018-09-17 23:03:00 -04:00
acl_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
acl_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
audit.go The big one (#5346) 2018-09-17 23:03:00 -04:00
audit_broker.go The big one (#5346) 2018-09-17 23:03:00 -04:00
audit_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
audited_headers.go Errwrap everywhere (#4252) 2018-04-05 11:49:21 -04:00
audited_headers_test.go Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
auth.go The big one (#5346) 2018-09-17 23:03:00 -04:00
auth_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
barrier.go Spelling (#4119) 2018-03-20 14:54:10 -04:00
barrier_access.go Fix compile 2018-01-19 05:31:55 -05:00
barrier_aes_gcm.go Move logic around a bit to avoid holding locks when not necessary (#5277) 2018-09-05 11:49:32 -04:00
barrier_aes_gcm_test.go Move logic around a bit to avoid holding locks when not necessary (#5277) 2018-09-05 11:49:32 -04:00
barrier_test.go Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
barrier_view.go The big one (#5346) 2018-09-17 23:03:00 -04:00
barrier_view_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
barrier_view_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
capabilities.go Fix Capabilities check when in a child namespace (#5406) 2018-09-26 15:10:36 -07:00
capabilities_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
cluster.go The big one (#5346) 2018-09-17 23:03:00 -04:00
cluster_test.go use constant where x-vault-token was still hardcoded (#5392) 2018-09-25 09:34:40 -07:00
cluster_tls.go The big one (#5346) 2018-09-17 23:03:00 -04:00
core.go The big one (#5346) 2018-09-17 23:03:00 -04:00
core_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
core_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
cors.go use constant where x-vault-token was still hardcoded (#5392) 2018-09-25 09:34:40 -07:00
dynamic_system_view.go The big one (#5346) 2018-09-17 23:03:00 -04:00
expiration.go logical/aws: Harden WAL entry creation (#5202) 2018-09-27 09:54:59 -05:00
expiration_integ_test.go Don't call LeaseExtend on login renewal paths when period is provided (#3803) 2018-01-18 12:19:18 -05:00
expiration_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
expiration_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
generate_root.go The big one (#5346) 2018-09-17 23:03:00 -04:00
generate_root_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
ha.go The big one (#5346) 2018-09-17 23:03:00 -04:00
identity_lookup.go The big one (#5346) 2018-09-17 23:03:00 -04:00
identity_lookup_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
identity_store.go The big one (#5346) 2018-09-17 23:03:00 -04:00
identity_store_aliases.go The big one (#5346) 2018-09-17 23:03:00 -04:00
identity_store_aliases_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
identity_store_entities.go Support operating on entities and groups by their names (#5355) 2018-09-25 12:28:28 -07:00
identity_store_entities_test.go Support operating on entities and groups by their names (#5355) 2018-09-25 12:28:28 -07:00
identity_store_group_aliases.go The big one (#5346) 2018-09-17 23:03:00 -04:00
identity_store_group_aliases_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
identity_store_groups.go Support operating on entities and groups by their names (#5355) 2018-09-25 12:28:28 -07:00
identity_store_groups_test.go Support operating on entities and groups by their names (#5355) 2018-09-25 12:28:28 -07:00
identity_store_schema.go The big one (#5346) 2018-09-17 23:03:00 -04:00
identity_store_structs.go Add locking when adding aliases to existing entities (#4965) 2018-07-24 22:01:58 -04:00
identity_store_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
identity_store_upgrade.go Add locking when adding aliases to existing entities (#4965) 2018-07-24 22:01:58 -04:00
identity_store_util.go Support operating on entities and groups by their names (#5355) 2018-09-25 12:28:28 -07:00
init.go The big one (#5346) 2018-09-17 23:03:00 -04:00
init_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
keyring.go Errwrap everywhere (#4252) 2018-04-05 11:49:21 -04:00
keyring_test.go Spelling (#4119) 2018-03-20 14:54:10 -04:00
logical_cubbyhole.go The big one (#5346) 2018-09-17 23:03:00 -04:00
logical_cubbyhole_test.go Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
logical_passthrough.go The big one (#5346) 2018-09-17 23:03:00 -04:00
logical_passthrough_test.go Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
logical_system.go Add ability to provide env vars to plugins (#5359) 2018-09-20 10:50:29 -07:00
logical_system_helpers.go The big one (#5346) 2018-09-17 23:03:00 -04:00
logical_system_integ_test.go Short-circuit TestBackend_PluginMainEnv on plain test run (#5393) 2018-09-25 09:22:34 -07:00
logical_system_paths.go Add ability to provide env vars to plugins (#5359) 2018-09-20 10:50:29 -07:00
logical_system_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
mount.go The big one (#5346) 2018-09-17 23:03:00 -04:00
mount_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
mount_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
namespaces.go The big one (#5346) 2018-09-17 23:03:00 -04:00
plugin_catalog.go Add ability to provide env vars to plugins (#5359) 2018-09-20 10:50:29 -07:00
plugin_catalog_test.go Add ability to provide env vars to plugins (#5359) 2018-09-20 10:50:29 -07:00
plugin_reload.go The big one (#5346) 2018-09-17 23:03:00 -04:00
policy.go The big one (#5346) 2018-09-17 23:03:00 -04:00
policy_store.go The big one (#5346) 2018-09-17 23:03:00 -04:00
policy_store_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
policy_store_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
policy_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
policy_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
rekey.go Tackle #4929 a different way (#4932) 2018-07-24 13:57:25 -07:00
rekey_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
replication_cluster_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
request_forwarding.go The big one (#5346) 2018-09-17 23:03:00 -04:00
request_forwarding_rpc.go The big one (#5346) 2018-09-17 23:03:00 -04:00
request_forwarding_rpc_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
request_forwarding_service.pb.go Fix compilation/protobuf 2018-09-22 17:58:39 -04:00
request_forwarding_service.proto The big one (#5346) 2018-09-17 23:03:00 -04:00
request_forwarding_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
request_handling.go Fix for using ExplicitMaxTTL in auth method plugins. (#5379) 2018-09-21 14:31:29 -07:00
request_handling_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
request_handling_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
rollback.go The big one (#5346) 2018-09-17 23:03:00 -04:00
rollback_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
router.go The big one (#5346) 2018-09-17 23:03:00 -04:00
router_access.go The big one (#5346) 2018-09-17 23:03:00 -04:00
router_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
seal.go The big one (#5346) 2018-09-17 23:03:00 -04:00
seal_access.go More work on recovery test 2018-05-20 18:42:14 -04:00
seal_test.go Use atomic values in seal to avoid some data races (#4040) 2018-02-23 17:18:48 -05:00
seal_testing.go The big one (#5346) 2018-09-17 23:03:00 -04:00
seal_testing_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
sealunwrapper.go The big one (#5346) 2018-09-17 23:03:00 -04:00
sealunwrapper_test.go The big one (#5346) 2018-09-17 23:03:00 -04:00
testing.go Add ability to provide env vars to plugins (#5359) 2018-09-20 10:50:29 -07:00
testing_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
token_store.go replication: Fix DR API checks when using a token (#5398) 2018-09-25 13:27:57 -07:00
token_store_test.go Detect and bypass cycles during token revocation (#5364) 2018-09-20 14:56:38 -07:00
token_store_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00
ui.go adds ability to override default CSP with warning (#395) 2018-04-03 09:34:14 -05:00
ui_test.go Fix compilation and tests failures (#4254) 2018-04-03 14:07:43 -04:00
util.go Removed unused methods 2017-01-03 12:51:35 -05:00
util_test.go Utility Enhancements 2016-04-05 20:32:59 -04:00
wrapping.go The big one (#5346) 2018-09-17 23:03:00 -04:00
wrapping_util.go The big one (#5346) 2018-09-17 23:03:00 -04:00