mirror of
https://github.com/hashicorp/vault.git
synced 2026-05-28 04:10:44 -04:00
* wip
* Work on the tuneable allowance and some bugs
* Call handleCancellableRequest instead, which gets the audit order more correct and includes the preauth response
* Get rid of no longer needed operation
* Phew, this wasn't necessary
* Add auth error handling by the backend, and fix a bug with handleInvalidCredentials
* Cleanup req/resp naming
* Use the new form, and data
* Discovered that tokens weren't really being checked because isLoginRequest returns true for the re-request into the backend, when it shouldn't
* Add a few more checks in the delegated request handler for bad inputs
  - Protect the delegated handler from bad inputs from the backend such as an empty accessor, a path that isn't registered as a login request
  - Add similar protections for bad auth results as we do in the normal login request paths. Technically not 100% needed but if somehow the handleCancelableRequest doesn't use the handleLoginRequest code path we could get into trouble in the future
  - Add delegated-auth-accessors flag to the secrets tune command and api-docs
* Unit tests and some small fixes
* Remove transit preauth test, rely on unit tests
* Cleanup and add a little more commentary in tests
* Fix typos, add another failure use-case in which we reference a disabled auth mount
* PR Feedback
  - Use router to lookup mount instead of defining a new lookup method
  - Enforce auth table types and namespace when mount is found
  - Define a type alias for the handleInvalidCreds
  - Fix typos/grammar
  - Clean up globals in test
* Additional PR feedback
  - Add test for delegated auth handler
  - Force batch token usage
  - Add a test to validate failures if a non-batch token is used
  - Check for Data member being nil in test cases
* Update failure error message around requiring batch tokens
* Trap MFA requests
* Reword some error messages
* Add test and fixes for delegated response wrapping
* Move MFA test to dedicated mount
  - If the delegated auth tests were running in parallel, the MFA test case might influence the other tests, so move the MFA to a dedicated mount
* PR feedback: use textproto.CanonicalMIMEHeaderKey
  - Change the X-Vault-Wrap-Ttl constant to X-Vault-Wrap-TTL and use textproto.CanonicalMIMEHeaderKey to format it within the delete call.
  - This protects the code around changes of the constant typing
* PR feedback
  - Append Error to RequestDelegatedAuth
  - Force error interface impl through explicit nil var assignment on RequestDelegatedAuthError
  - Clean up test factory and leverage NewTestSoloCluster
  - Leverage newer maps.Clone as this is 1.16 only

---------

Co-authored-by: Scott G. Miller <smiller@hashicorp.com>

| | | |
|---|---|---|
| .. | ||
| inspect | ||
| mfa | ||
| replication | ||
| storage | ||
| audit-hash.mdx | ||
| audit.mdx | ||
| auth.mdx | ||
| capabilities-accessor.mdx | ||
| capabilities-self.mdx | ||
| capabilities.mdx | ||
| config-auditing.mdx | ||
| config-control-group.mdx | ||
| config-cors.mdx | ||
| config-group-policy-application.mdx | ||
| config-reload.mdx | ||
| config-state.mdx | ||
| config-ui.mdx | ||
| control-group.mdx | ||
| decode-token.mdx | ||
| experiments.mdx | ||
| generate-recovery-token.mdx | ||
| generate-root.mdx | ||
| ha-status.mdx | ||
| health.mdx | ||
| host-info.mdx | ||
| in-flight-req.mdx | ||
| index.mdx | ||
| init.mdx | ||
| internal-counters.mdx | ||
| internal-specs-openapi.mdx | ||
| internal-ui-feature.mdx | ||
| internal-ui-mounts.mdx | ||
| internal-ui-namespaces.mdx | ||
| internal-ui-resultant-acl.mdx | ||
| internal-ui-version.mdx | ||
| key-status.mdx | ||
| leader.mdx | ||
| lease-count-quotas.mdx | ||
| leases.mdx | ||
| license.mdx | ||
| loggers.mdx | ||
| managed-keys.mdx | ||
| metrics.mdx | ||
| monitor.mdx | ||
| mounts.mdx | ||
| namespaces.mdx | ||
| plugins-catalog.mdx | ||
| plugins-reload-backend.mdx | ||
| plugins-runtimes-catalog.mdx | ||
| policies-password.mdx | ||
| policies.mdx | ||
| policy.mdx | ||
| pprof.mdx | ||
| quotas-config.mdx | ||
| rate-limit-quotas.mdx | ||
| raw.mdx | ||
| rekey-recovery-key.mdx | ||
| rekey.mdx | ||
| remount.mdx | ||
| rotate-config.mdx | ||
| rotate.mdx | ||
| seal-backend-status.mdx | ||
| seal-status.mdx | ||
| seal.mdx | ||
| sealwrap-rewrap.mdx | ||
| secrets-sync.mdx | ||
| step-down.mdx | ||
| tools.mdx | ||
| unseal.mdx | ||
| user-lockout.mdx | ||
| version-history.mdx | ||
| wrapping-lookup.mdx | ||
| wrapping-rewrap.mdx | ||
| wrapping-unwrap.mdx | ||
| wrapping-wrap.mdx | ||