Seth Vargo
ff0366f6fe
Only show params if there are fields
2016-04-13 22:15:06 +01:00
vishalnayak
daab5d6777
Fix SanitizeTTL check
2016-03-16 14:27:01 -04:00
vishalnayak
5556b35d01
Accept params both as part of URL or as part of http body
2016-03-14 19:14:36 -04:00
Jeff Mitchell
ceeb47c9c9
Make SanitizeTTL treat an empty string the same as a "0" string.
This causes a 0 TTL to be returned for the value, which is a clue to
other parts of Vault to use appropriate defaults. However, this makes
the defaults be used at lease allocation or extension time instead of
when parsing parameters.
2016-02-18 16:51:36 -05:00
Jeff Mitchell
c60a9cd130
Remove grace periods
2016-01-31 19:33:16 -05:00
Jeff Mitchell
c4c170555a
invert logic to prefer client increment
2016-01-29 20:02:15 -05:00
Jeff Mitchell
8a5bf09c49
Update proposed time
2016-01-29 19:31:37 -05:00
Jeff Mitchell
bde65134e6
Adjust framework unit tests for new LeaseExtend
2016-01-29 19:31:37 -05:00
Jeff Mitchell
0e15ac04c6
Update LeaseExtend
2016-01-29 19:31:37 -05:00
Jeff Mitchell
45b96ed140
Address some more review feedback
2016-01-12 15:09:16 -05:00
Jeff Mitchell
f3ef23318d
Create more granular ACL capabilities.
This commit splits ACL policies into more fine-grained capabilities.
This both drastically simplifies the checking code and makes it possible
to support needed workflows that are not possible with the previous
method. It is backwards compatible; policies containing a "policy"
string are simply converted to a set of capabilities matching previous
behavior.
Fixes #724 (and others).
2016-01-08 13:05:14 -05:00
Jeff Mitchell
45e32756ea
WriteOperation -> UpdateOperation
2016-01-08 13:03:03 -05:00
Jeff Mitchell
97820e2d77
Add '.' to GenericNameRegex; it cannot appear as the first or last
character. This allows its usage in a number of extra path-based
variables.
Ping #244
2015-10-13 16:04:10 -04:00
Jeff Mitchell
c2f74828a4
Fix up per-backend timing logic; also fix error in TypeDurationSecond in
GetOkErr.
2015-09-21 09:55:03 -04:00
Jeff Mitchell
a4ca14cfbc
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
vishalnayak
fd6a63550c
Error on violating SysView boundaries
2015-09-17 11:24:46 -04:00
vishalnayak
586c1a6889
Vault userpass: Enable renewals for login tokens
2015-09-16 23:55:35 -04:00
Jeff Mitchell
51e948c8fc
Implement the cubbyhole backend
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.
Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
Lassi Pölönen
750cf5053c
Implement clean up routine to backend as some backends may require
e.g. closing database connections on unmount to avoid connection
stacking.
2015-09-11 11:45:58 +03:00
Jeff Mitchell
dd8ac00daa
Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation
2015-09-10 15:09:54 -04:00
Jeff Mitchell
aadf039368
Add DynamicSystemView. This uses a pointer to a pointer to always have
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.
Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
84be5cff30
Make DefaultSystemView StaticSystemView with statically-configured information. Export this from Framework to make it easy to override for testing.
2015-08-27 11:25:07 -07:00
Jeff Mitchell
003d53106a
Use a SystemView interface and turn SystemConfig into DefaultSystemView
2015-08-27 10:36:44 -07:00
Jeff Mitchell
80ce0ae041
Plumb the system configuration information up into framework
2015-08-27 09:41:03 -07:00
Jeff Mitchell
99041b5b6d
Merge pull request #561 from hashicorp/fix-wild-cards
Allow hyphens in endpoint patterns of most backends
2015-08-21 11:40:42 -07:00
vishalnayak
41678f18ae
Vault: Fix wild card paths for all backends
2015-08-21 00:56:13 -07:00
Jeff Mitchell
e7f2a54720
Rejig Lease terminology internally; also, put a few JSON names back to their original values
2015-08-20 22:27:01 -07:00
Jeff Mitchell
97112665e8
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod
2015-08-20 18:00:51 -07:00
Caleb Tennis
d8d76a5304
Add a validation step in field data to error more quickly vs. allowing panics to happen when we go to get the data and convert it
2015-08-11 12:34:14 -04:00
Armon Dadgar
9515bf32de
logical/framework: handle nil duration value. Fixes #408
2015-07-08 16:55:52 -06:00
Armon Dadgar
6a9dc00e57
Remove SetLogger, and unify on framework.Setup
2015-06-30 17:45:20 -07:00
Armon Dadgar
7b090ae1d6
logical/framework: support Salt in PathMap
2015-06-30 14:28:45 -07:00
Armon Dadgar
dcb45874bf
logical/framework: adding a new duration type to convert to seconds
2015-06-17 15:56:26 -07:00
Armon Dadgar
daf94d6721
logical/framework: allow the lease max to come from existing lease
2015-06-17 14:24:12 -07:00
Armon Dadgar
2a894171ca
logical/framework: simplify calculation of lease renew
2015-06-17 14:16:44 -07:00
Jonathan Sokolowski
3a2ad814bb
logical/framework: Fix help text in PathMap
2015-05-15 07:56:32 +10:00
Jonathan Sokolowski
31d7426863
logical/framework: Add delete to PathMap
2015-05-14 22:28:33 +10:00
Jonathan Sokolowski
8d0ef0db75
logical/framework: Add delete to PathStruct
2015-05-14 22:25:30 +10:00
Mitchell Hashimoto
11a009d5ab
logical/framework: PathMap is case insensitive by default
2015-05-11 10:27:04 -07:00
Mitchell Hashimoto
5d1baaace4
credential/github: case insensitive mappings
2015-05-11 10:24:39 -07:00
Armon Dadgar
68a99a8806
logical/framework: Generate help output even if no synopsis provided
2015-05-07 15:45:43 -07:00
Mitchell Hashimoto
33dfaaf88f
logical/framework: PathMap allows hyphens in keys [GH-119]
2015-05-02 13:17:42 -07:00
Armon Dadgar
13d47848c1
logical/framework: Supporting list of path map
2015-04-23 21:44:04 -07:00
Mitchell Hashimoto
d76814e0f3
logical/framework: more flexible Pathmap and PolicyMap
2015-04-17 09:35:49 -07:00
Mitchell Hashimoto
81436dc871
logical/framework: PathStruct
2015-04-17 09:18:21 -07:00
Mitchell Hashimoto
0c8084c31f
logical/framework: doc for defaultduration on secret
2015-04-13 20:42:06 -07:00
Mitchell Hashimoto
9af81182f0
logical/framework: secret lease tests
2015-04-13 15:18:27 -07:00
Mitchell Hashimoto
40027e22d3
logical/framework: allow max session time
2015-04-11 16:41:08 -07:00
Mitchell Hashimoto
cd8216c726
vault: token store allows unlimited renew
2015-04-11 16:28:16 -07:00
Mitchell Hashimoto
333d60f675
logical/framework: more tests
2015-04-11 14:51:00 -07:00
Mitchell Hashimoto
0822286acb
logical/framework: AuthRenew callback, add LeaseExtend
/cc @armon - Going with this "standard library" of callbacks approach
to make extending leases in a customizable way easy. See the docs/tests
above.
2015-04-11 14:46:09 -07:00
Mitchell Hashimoto
a81e3bbe6a
logical: add LeaseOptions.IncrementedLease()
2015-04-10 21:35:17 -07:00
Mitchell Hashimoto
333bdac62d
vault: the expiration time should be relative to the issue time
2015-04-10 21:21:06 -07:00
Armon Dadgar
e15b8426b1
logical: Adding support for renew of Auth
2015-04-10 13:59:49 -07:00
Armon Dadgar
64ef2a6269
logical: Refactor LeaseOptions to share between Secret and Auth
2015-04-09 12:14:04 -07:00
Mitchell Hashimoto
61b7b71dec
credential/app-id
2015-04-04 18:41:49 -07:00
Mitchell Hashimoto
8fd956391a
credential/github: improve help
2015-04-04 12:18:33 -07:00
Mitchell Hashimoto
0109031e63
vault: pass a logger around to logical backends
2015-04-04 11:39:58 -07:00
Mitchell Hashimoto
d9e38470a8
logical/framework: better string values for types
2015-04-03 21:15:59 -07:00
Mitchell Hashimoto
105e68387a
logical/aws: help
2015-04-03 21:10:54 -07:00
Mitchell Hashimoto
65159bd9c8
logical/framework: make help look nicer
2015-04-03 21:00:23 -07:00
Mitchell Hashimoto
e56b16b6d7
logical/framework: support root help
2015-04-03 20:36:47 -07:00
Mitchell Hashimoto
8e39a1e7d8
command/help
2015-04-02 22:42:05 -07:00
Armon Dadgar
553107a667
logical/framework: Panic if routing pattern is blank
2015-04-01 22:12:03 -07:00
Armon Dadgar
67bffd5f14
logical/framework: automatically anchor
2015-04-01 17:53:02 -07:00
Mitchell Hashimoto
fa9445fe1d
logical/framework: add PolicyMap
2015-04-01 15:46:37 -07:00
Mitchell Hashimoto
10425cdb8a
logical/framework: PathMap can get missing things
2015-04-01 15:46:37 -07:00
Mitchell Hashimoto
4cbe26b726
misc typos
2015-03-31 17:27:04 -07:00
Armon Dadgar
fef98675f1
logical/framework: Added missing case for TypeMap
2015-03-31 16:45:08 -07:00
Armon Dadgar
2ab45f5787
logical/framework: Adding TypeMap
2015-03-31 16:45:08 -07:00
Mitchell Hashimoto
77e35fd5f4
logical: move cred stuff over here
2015-03-30 17:46:18 -07:00
Mitchell Hashimoto
26583fb05f
logical/framework: auto-extend leases if requested
2015-03-21 16:20:30 +01:00
Mitchell Hashimoto
a04df95177
logical/testing: immediate rollback, ignore RollbackMinAge
2015-03-21 11:18:33 +01:00
Mitchell Hashimoto
c872e0f788
logical/framework: rollback should return error, easier API
2015-03-21 11:08:13 +01:00
Mitchell Hashimoto
c9e64725d7
logical/framework: rollback needs to have access to request for storage
2015-03-21 11:03:59 +01:00
Mitchell Hashimoto
3456d9276c
logical/aws
2015-03-20 19:03:20 +01:00
Mitchell Hashimoto
2ce92edd0f
logical/framework: can specify InternalData for secret
2015-03-20 17:59:48 +01:00
Mitchell Hashimoto
e6ab3a3771
vault: clean up VaultID duplications, make secret responses clearer
/cc @armon - This is a reasonably major refactor that I think cleans up
a lot of the logic with secrets in responses. The reason for the
refactor is that while implementing Renew/Revoke in logical/framework I
found the existing API to be really awkward to work with.
Primarily, we needed a way to send down internal data for Vault core to
store since not all the data you need to revoke a key is always sent
down to the user (for example the user that AWS key belongs to).
At first, I was doing this manually in logical/framework with
req.Storage, but this is going to be such a common event that I think
it's something core should assist with. Additionally, I think the added
context for secrets will be useful in the future when we have a Vault
API for returning orphaned out keys: we can also return the internal
data that might help an operator.
So this leads me to this refactor. I've removed most of the fields in
`logical.Response` and replaced it with a single `*Secret` pointer. If
this is non-nil, then the response represents a secret. The Secret
struct encapsulates all the lease info and such.
It also has some fields on it that are only populated at _request_ time
for Revoke/Renew operations. There is precedent for this sort of
behavior in the Go stdlib where http.Request/http.Response have fields
that differ based on client/server. I copied this style.
All core unit tests pass. The APIs fail for obvious reasons but I'll fix
that up in the next commit.
2015-03-19 23:11:42 +01:00
Mitchell Hashimoto
163bfa62a6
logical/framework: support renew
2015-03-19 20:20:57 +01:00
Mitchell Hashimoto
b54dc20aff
logical/framework: revoke support
2015-03-19 19:41:41 +01:00
Mitchell Hashimoto
6c1ecc8a15
logical/framework: can specify renew/revoke functions for secret
2015-03-19 15:07:45 +01:00
Mitchell Hashimoto
b5757ae49a
logical/framework: add methods to look up secret and gen response
2015-03-19 14:59:01 +01:00
Mitchell Hashimoto
ef56daa3bc
logical/framework: use custom request wrapper
2015-03-19 14:39:25 +01:00
Mitchell Hashimoto
f4cc32e126
logical/framework: test for minimum age
2015-03-17 20:42:35 -05:00
Mitchell Hashimoto
56fb620b2d
logical/framework: only rollback old enough WAL entries
2015-03-17 20:39:46 -05:00
Mitchell Hashimoto
93f828ec0d
logical/framework: WAL entry supports "kind"
2015-03-17 20:39:46 -05:00
Mitchell Hashimoto
e77f79b317
logical/framework: rollback support
2015-03-17 20:39:46 -05:00
Mitchell Hashimoto
79af0e5d9e
logical/framework: WAL should live here
2015-03-17 20:39:45 -05:00
Mitchell Hashimoto
1be431df51
vault: system using the framework
2015-03-15 17:35:59 -07:00
Mitchell Hashimoto
12566c645c
logical/framework, logical/testing
2015-03-15 16:39:49 -07:00