mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-29 02:21:08 +02:00
Code Issues Projects Releases Wiki Activity
7,782 Commits 2,838 Branches 446 Tags
Commit Graph

7782 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
vishalnayak
a0a05438cc Using core's logger 2015-09-19 19:01:36 -04:00
vishalnayak
7060670515 Abstraced SudoPrivilege to take list of policies 2015-09-19 18:23:44 -04:00
vishalnayak
b3647b3323 Using acl.RootPrivilege and rewrote mockTokenStore 2015-09-19 17:53:24 -04:00
Jeff Mitchell
b03d89d974 Bump AESGCM version; include path in the GCM tags. 2015-09-19 17:04:37 -04:00
vishalnayak
6bb58f9e69 fix broken tests 2015-09-19 12:33:52 -04:00
Jeff Mitchell
f966c61e27 Allow tuning of auth mounts, to set per-mount default/max lease times 2015-09-19 11:50:50 -04:00
Jeff Mitchell
aaf06a2c9e Merge pull request #627 from hashicorp/enhance-audit-security 
Enhance audit security with hmac-sha256 on secrets
 2015-09-19 11:30:30 -04:00
Jeff Mitchell
743e7f99b6 Use hmac-sha256 for protecting secrets in audit entries 2015-09-19 11:29:31 -04:00
vishalnayak
4474e04ed1 TokenStore: Provide access based on sudo permissions and not policy name 2015-09-19 11:14:51 -04:00
Jeff Mitchell
49ec196016 Changes to salt to clean up HMAC stuff. 2015-09-18 18:13:10 -04:00
Jeff Mitchell
1a22cb0b12 Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass. 2015-09-18 17:38:30 -04:00
Jeff Mitchell
a4ca14cfbc Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell
d62f533a6f Store token creation time and TTL. This can be used to properly populate 
fields in 'lookup-self'. Importantly, this also makes credential
backends use the SystemView per-backend TTL values and fixes unit tests
to expect this.

Fully fixes #527
 2015-09-18 16:39:35 -04:00
Jeff Mitchell
f454e8d1ba Merge pull request #626 from hashicorp/f-transit-enhancements 
Enhancements to the transit backend
 2015-09-18 14:48:24 -04:00
Jeff Mitchell
fa6cbba286 Move no_plaintext to two separate paths for datakey. 2015-09-18 14:41:05 -04:00
Jeff Mitchell
b8fe460170 Add datakey generation to transit. 
Can specify 128 bits (defaults to 256) and control whether or not
plaintext is returned (default true).

Unit tests for all of the new functionality.
 2015-09-18 14:41:05 -04:00
Jeff Mitchell
82d1f28fb6 Remove enable/disable and make deletion_allowed a configurable property. On read, return the version and creation time of each key 2015-09-18 14:41:05 -04:00
Jeff Mitchell
46073e4470 Enhance transit backend: 
* Remove raw endpoint from transit
* Add multi-key structure
* Add enable, disable, rewrap, and rotate functionality
* Upgrade functionality, and record creation time of keys in metadata. Add flag in config function to control the minimum decryption version, and enforce that in the decrypt function
* Unit tests for everything
 2015-09-18 14:41:05 -04:00
Jeff Mitchell
4836e7ca4d Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527 2015-09-18 14:01:28 -04:00
Vishal Nayak
0f3a28f7df Merge pull request #623 from hashicorp/userpass-renewal 
Vault userpass: Enable renewals for login tokens
 2015-09-17 16:41:09 -04:00
vishalnayak
16f531da3d Userpass Bk: Added tests for TTL duration verifications 2015-09-17 16:33:26 -04:00
vishalnayak
f731c672cf Throw error if system view boundaries are violated 2015-09-17 15:47:36 -04:00
vishalnayak
714aff570b Vault userpass: Enable renewals for login tokens 2015-09-17 14:35:50 -04:00
Jeff Mitchell
913989e4b0 Add revoke-self endpoint. 
Fixes #620.
 2015-09-17 13:22:30 -04:00
Vishal Nayak
91b9acf34b Merge pull request #624 from hashicorp/vault-i583 
CLI: Avoiding CR when printing specific fields
 2015-09-17 11:47:51 -04:00
vishalnayak
fee64e16c2 Adding type checking to ensure only BasicUi is affected 2015-09-17 11:37:21 -04:00
vishalnayak
fd6a63550c Error on violating SysView boundaries 2015-09-17 11:24:46 -04:00
vishalnayak
fceaea733e CLI: Avoiding CR when printing specific fields 2015-09-17 10:05:56 -04:00
Jeff Mitchell
bb1ac0b759 Merge pull request #606 from tsilen/renew-etcd-semaphore-key 
Renew the semaphore key periodically
 2015-09-17 10:00:06 -04:00
vishalnayak
586c1a6889 Vault userpass: Enable renewals for login tokens 2015-09-16 23:55:35 -04:00
Jeff Mitchell
46de06aed7 Merge pull request #622 from Poohblah/log-level-help 
improve documentation for available log levels
 2015-09-16 15:15:36 -04:00
hendrenj
2925912b6b improve documentation for available log levels 2015-09-16 11:01:33 -06:00
Jeff Mitchell
7857419c0a Restrict orphan revocation to root tokens 2015-09-16 09:22:15 -04:00
Seth Vargo
a87798c724 Merge pull request #621 from jklein/patch-1 
Grammar fix
 2015-09-15 20:54:24 +01:00
Jonathan Klein
5af8601128 Grammar fix 2015-09-15 15:53:27 -04:00
Jeff Mitchell
3e12ce4f36 Merge pull request #612 from hashicorp/f-cubby 
Implement the cubbyhole backend
 2015-09-15 14:04:07 -04:00
Jeff Mitchell
f639383d45 Directly pass the cubbyhole backend to the token store and bypass logic in router 2015-09-15 13:50:37 -04:00
Jeff Mitchell
6b00838e27 Move more cubby logic outside of router into auth setup 2015-09-15 13:50:37 -04:00
Jeff Mitchell
19eb1cf5be Cleanup; remove everything but double-salting from the router and give 
the token store cubby backend information for direct calling.
 2015-09-15 13:50:37 -04:00
Jeff Mitchell
c80fdb4bdc Add documentation for cubbyhole 2015-09-15 13:50:37 -04:00
Jeff Mitchell
84c67e3f91 Remove noop checks in unmount/remount and restore previous behavior 2015-09-15 13:50:37 -04:00
Jeff Mitchell
51e948c8fc Implement the cubbyhole backend 
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
 2015-09-15 13:50:37 -04:00
Jeff Mitchell
11cea42ec7 Rename View to StorageView to make it more distinct from SystemView 2015-09-15 13:50:37 -04:00
Tuomas Silen
82a04398a3 Rename error return var 2015-09-15 11:18:43 +03:00
Jeff Mitchell
1247459ae1 Ensure that the response body of logical calls is closed, even if there is an error. 2015-09-14 18:22:33 -04:00
Jeff Mitchell
ab4d01e4a3 Merge pull request #607 from lassizci/postgresql-timezone 
Explicitly set timezone with PostgreSQL timestamps.
 2015-09-14 11:55:02 -04:00
Jeff Mitchell
f0f20cb84f When there is one use left and a Secret is being returned, instead 
return a descriptive error indicating that the Secret cannot be returned
because when the token was revoked the secret was too. This prevents
confusion where credentials come back but cannot be used.

Fixes #615
 2015-09-14 11:07:27 -04:00
Lassi Pölönen
1a6f778623 Define time zone explicitly in postgresql connection string. 2015-09-14 13:43:06 +03:00
Lassi Pölönen
ea2a6361eb Explicitly set timezone with PostgreSQL timestamps. 2015-09-14 13:43:06 +03:00
Tuomas Silen
e92001ca69 Further cleanup, use named return vals 2015-09-14 13:30:15 +03:00