mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-14 10:37:00 +02:00
Code Issues Projects Releases Wiki Activity
10,305 Commits 2,842 Branches 445 Tags 448 MiB
9be1128201
Commit Graph

437 Commits

Author SHA1 Message Date
Seth Vargo
f052e7fdf3
Add SignKey endpoint for SSH API client 2017-08-18 12:59:08 -04:00
Jeff Mitchell
4c7c181018 gofmt 2017-08-02 19:38:35 -04:00
nrhall-deshaw
52a18a1236 Add SRV record functionality for client side host/port discovery of Vault (#3035) 
* added SRV record functionality for client side port discovery of Vault

* Add a check on returned address length
 2017-08-02 19:19:06 -04:00
Calvin Leung Huang
15634f3b6e Store original request path in WrapInfo (#3100) 
* Store original request path in WrapInfo as CreationPath

* Add wrapping_token_creation_path to CLI output

* Add CreationPath to AuditResponseWrapInfo

* Fix tests

* Add and fix tests, update API docs with new sample responses
 2017-08-02 18:28:58 -04:00
Jeff Mitchell
b84701db02 Have sys health api always return even in an error case (#3087) 
* Have sys health api always return even in an error case, which HTTP API docs say it should

* Use specific return codes to bypass automatic error handling
 2017-08-02 10:01:40 -04:00
Jeff Mitchell
95ce578842 Add leader cluster address to status/leader output. (#3061) 
* Add leader cluster address to status/leader output. This helps in
identifying a particular node when all share the same redirect address.

Fixes #3042
 2017-07-31 18:25:27 -04:00
Jeff Mitchell
c6615e1b51 Add a -dev-three-node option for devs. (#3081) 2017-07-31 11:28:06 -04:00
Chris Hoffman
d4b9c17793 moving client calls to new endpoint (#2867) 2017-07-25 11:58:33 -04:00
Calvin Leung Huang
2b0f80b981 Backend plugin system (#2874) 
* Add backend plugin changes

* Fix totp backend plugin tests

* Fix logical/plugin InvalidateKey test

* Fix plugin catalog CRUD test, fix NoopBackend

* Clean up commented code block

* Fix system backend mount test

* Set plugin_name to omitempty, fix handleMountTable config parsing

* Clean up comments, keep shim connections alive until cleanup

* Include pluginClient, disallow LookupPlugin call from within a plugin

* Add wrapper around backendPluginClient for proper cleanup

* Add logger shim tests

* Add logger, storage, and system shim tests

* Use pointer receivers for system view shim

* Use plugin name if no path is provided on mount

* Enable plugins for auth backends

* Add backend type attribute, move builtin/plugin/package

* Fix merge conflict

* Fix missing plugin name in mount config

* Add integration tests on enabling auth backend plugins

* Remove dependency cycle on mock-plugin

* Add passthrough backend plugin, use logical.BackendType to determine lease generation

* Remove vault package dependency on passthrough package

* Add basic impl test for passthrough plugin

* Incorporate feedback; set b.backend after shims creation on backendPluginServer

* Fix totp plugin test

* Add plugin backends docs

* Fix tests

* Fix builtin/plugin tests

* Remove flatten from PluginRunner fields

* Move mock plugin to logical/plugin, remove totp and passthrough plugins

* Move pluginMap into newPluginClient

* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck

* Change shim logger's Fatal to no-op

* Change BackendType to uint32, match UX backend types

* Change framework.Backend Setup signature

* Add Setup func to logical.Backend interface

* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments

* Remove commented var in plugin package

* RegisterLicense on logical.Backend interface (#3017)

* Add RegisterLicense to logical.Backend interface

* Update RegisterLicense to use callback func on framework.Backend

* Refactor framework.Backend.RegisterLicense

* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs

* plugin: Revert BackendType to remove TypePassthrough and related references

* Fix typo in plugin backends docs
 2017-07-20 13:28:40 -04:00
Gobin Sougrakpam
638ef2c9b8 Adding option to set custom vault client timeout using env variable VAULT_CLIENT_TIMEOUT (#3022) 2017-07-18 09:48:31 -04:00
Seth Vargo
77fccbdd68
Do not double-convert to seconds 2017-07-11 16:06:50 -07:00
Seth Vargo
2fbb19285b Fix typo 2017-07-10 22:26:42 -07:00
Chris Hoffman
6034c9adc8 updating for TestCluster changes 2017-07-10 20:47:03 -07:00
Seth Vargo
c29e85125d
Fix doc 2017-07-07 17:15:43 -04:00
Seth Vargo
21a17b69c3
Use the core client 2017-07-07 17:14:49 -04:00
Seth Vargo
8f97e9b04d
Fix failing test 2017-07-07 17:14:49 -04:00
Seth Vargo
da9d57f5f1
Buffer doneCh 2017-07-07 17:14:49 -04:00
Seth Vargo
dfb6166cd8
Add configurable buffer size 2017-07-07 17:14:48 -04:00
Seth Vargo
54224b06dc
Do not block writing to doneCh if stopped 2017-07-07 17:14:48 -04:00
Seth Vargo
ce43621894
Make lock private 2017-07-07 17:14:48 -04:00
Seth Vargo
b2b9cdfdeb
Remove init() seed 2017-07-07 17:14:47 -04:00
Seth Vargo
8cdc0372b7
Fix vet errors 2017-07-07 17:14:47 -04:00
Seth Vargo
c0b2d41d8f
Allow a custom randomizer 2017-07-07 17:14:47 -04:00
Seth Vargo
437b8e71ab
Use Fatalf 2017-07-07 17:14:47 -04:00
Seth Vargo
3d74752524
Use a more heurstic function for calculating sleep backoff 2017-07-07 17:14:46 -04:00
Seth Vargo
a8fe164694
Seed the random generator 2017-07-07 17:14:46 -04:00
Seth Vargo
47260ed024
Move renewer integration tests into separate package 2017-07-07 17:14:46 -04:00
Seth Vargo
91a255bd2f
Use a separate package for API integration tests 
This removes the cyclic dependency
 2017-07-07 17:14:45 -04:00
Seth Vargo
de0250a66f
Send a more useful struct for renewal 2017-07-07 17:14:45 -04:00
Seth Vargo
f9465a8a5b
Reorg 2017-07-07 17:14:45 -04:00
Seth Vargo
320d76422a
Use unbuffered channels 2017-07-07 17:14:45 -04:00
Seth Vargo
7e08052e14
Use a time.Duration instead of an int for grace 2017-07-07 17:14:44 -04:00
Seth Vargo
42354aed99
Use RenewTokenAsSelf instead 2017-07-07 17:14:44 -04:00
Seth Vargo
dcbd729afa
Add secret renewer 2017-07-07 17:14:44 -04:00
Seth Vargo
46fa7be911
Add test stubs for starting a vault server and pg database 2017-07-07 17:14:43 -04:00
Seth Vargo
bf616909f7
Add API helper for renewing a token as another token 2017-07-07 17:14:42 -04:00
Jeff Mitchell
997da9ae39 Create and persist human-friendly-ish mount accessors (#2918) 2017-06-26 18:14:36 +01:00
Seth Vargo
a95649adf9 Add a convenience function for copying a client (#2887) 2017-06-20 04:08:15 +01:00
Jeff Mitchell
7e16fffd2f Return error on bad CORS and add Header specification to API request primitive 2017-06-19 18:20:44 -04:00
Aaron Salvo
362227c632 Cors headers (#2021) 2017-06-17 00:04:55 -04:00
Chris Hoffman
4dea784fac reverting client changes in #2856 (#2866) 2017-06-14 16:39:20 -04:00
Chris Hoffman
01894d0660 moving client calls to new endpoint (#2856) 2017-06-14 10:38:15 -04:00
Vishal Nayak
13790538b6 api: Don't treat 429 as error (#2850) 
* api: Don't treat 429 as error

* Added parenthesis
 2017-06-12 18:31:36 -04:00
Kiss György
57ba312941 Add Health() method to Sys client (#2805) 2017-06-05 11:00:45 -04:00
emily
38ffde5a9d add gofmt checks to Vault and format existing code (#2745) 2017-05-19 08:34:17 -04:00
Lee Avital
24299b8fd9 Respect the configured address's path in the client (#2588) 2017-04-13 14:06:38 -04:00
pkrolikowski
ee177d85f8 Pass user/pass for HTTP Basic Authentication in URL parameters (#2469) 2017-03-10 07:19:23 -05:00
Jeff Mitchell
8681311b7c Add option to disable caching per-backend. (#2455) 2017-03-08 09:20:09 -05:00
Jeff Mitchell
2ac644d983 Add ability to set max retries to API 2017-03-01 12:24:08 -05:00
Jordan Abderrachid
aae23b1ea1 api: add EnvVaultToken constant. (#2413) 2017-02-27 18:36:21 -05:00
Jeff Mitchell
7c4e5a775c Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 (#2412) 2017-02-27 12:49:35 -05:00
Jeff Mitchell
615945a6b0 Move http-using API tests into http package 2017-02-24 14:23:21 -05:00
Jeff Mitchell
513f8b918d Add WithOptions methods to audit/auth enabling (#2383) 2017-02-16 11:37:27 -05:00
Jason Felice
0a1e7a7be4 ConfigureTLS() sets default HttpClient if nil (#2329) 2017-02-06 17:47:56 -05:00
Jeff Mitchell
ac0f45e45c Add nonce to unseal to allow seeing if the operation has reset (#2276) 2017-01-17 11:47:06 -05:00
Vishal Nayak
20fabef08b Use Vault client's scheme for auto discovery (#2146) 2016-12-02 11:24:57 -05:00
Jeff Mitchell
77d804e483 Better handle nil responses in logical unwrap 2016-12-01 16:38:08 -05:00
Jeff Mitchell
b7c655f45c Fix panic when unwrapping if the server EOFs 2016-11-29 16:50:07 -05:00
Jeff Mitchell
d9f97198bd Set number of pester retries to zero by default and make seal command… (#2093) 
* Set number of pester retries to zero by default and make seal command return 403 if unauthorized instead of 500

* Fix build

* Use 403 instead and update test

* Change another 500 to 403
 2016-11-16 14:08:09 -05:00
Jeff Mitchell
c7ca7aef0a Fix unwrap CLI command when there is no client token set. (#2077) 2016-11-08 11:36:15 -05:00
Jeff Mitchell
57870f7f05 change api so if wrapping token is the same as the client token it doesn't set it in the body 2016-10-27 12:15:30 -04:00
Jeff Mitchell
94ca45b121 Fix NOT logical bug. 
Ping #2014
 2016-10-18 09:51:45 -04:00
Jeff Mitchell
60deff1bad Wrapping enhancements (#1927) 2016-09-28 21:01:28 -07:00
Jeff Mitchell
c748ff322f Change default TTL from 30 to 32 to accommodate monthly operations (#1942) 2016-09-28 18:32:49 -04:00
Jeff Mitchell
941b066780 Add support for PGP encrypting the initial root token. (#1883) 2016-09-13 18:42:24 -04:00
Jeff Mitchell
47aafa6ee1 Reinstate the token parameter to api.RevokeSelf to avoid breaking compatibility 2016-09-13 11:03:05 -04:00
Jeff Mitchell
75f792b27e Add response wrapping to list operations (#1814) 2016-09-02 01:13:14 -04:00
Evan Gilman
d7a139ce4f Add golang api method for creating orphan tokens (#1834) 2016-09-01 15:39:44 -04:00
Jeff Mitchell
f447d21a72 Don't allow tokens in paths. (#1783) 2016-08-24 15:59:43 -04:00
markrzasa
6089d7f2d6 allow a TLS server name to be configured for SSH agents (#1720) 2016-08-23 22:06:56 -04:00
Jeff Mitchell
ed48b008ce Provide base64 keys in addition to hex encoded. (#1734) 
* Provide base64 keys in addition to hex encoded.

Accept these at unseal/rekey time.

Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
 2016-08-15 16:01:15 -04:00
Jeff Mitchell
92cb23fc85 Restore compatibility with pre-0.6.1 servers for CLI/Go API calls 2016-08-14 14:52:45 -04:00
Jeff Mitchell
146cdc69eb Add periodic support for root/sudo tokens to auth/token/create 2016-08-12 21:14:12 -04:00
Jeff Mitchell
2a0f946f6b Don't retry on redirections. 2016-08-12 15:13:42 -04:00
vishalnayak
b01a4ff1cb Use default config and read environment by default while creating client object 2016-08-12 11:37:13 -04:00
Jeff Mitchell
558ba440d4 Merge pull request #1699 from hashicorp/dataonly 
Return sys values in top level normal api.Secret
 2016-08-09 07:17:02 -04:00
Jeff Mitchell
7f13c4bcff Add ability to specify renew lease ID in POST body. 2016-08-08 18:00:44 -04:00
Jeff Mitchell
593954d40c Fix tests and update mapstructure 2016-08-08 16:00:31 -04:00
Alex Dadgar
bcf98fa8d6 Merge pull request #1682 from hashicorp/f-refactor-tls-config 
Refactor the TLS configuration between meta.Client and the api.Config
 2016-08-02 13:35:37 -07:00
Alex Dadgar
881d67e2fd Address comments 2016-08-02 13:17:45 -07:00
vishalnayak
8f1ccc6eff Add cluster information to 'vault status' 2016-07-29 14:13:53 -04:00
vishalnayak
5c38276598 Added Vault version informationto the 'status' command 2016-07-28 17:37:35 -04:00
Alex Dadgar
5fccb9a83e Refactor the TLS configuration between meta.Client and the api.Config 2016-07-27 17:26:26 -07:00
Jeff Mitchell
1109936700 Plumb request UUID through the API 2016-07-27 09:25:04 -04:00
vishalnayak
d22204914d Add service discovery to init command 2016-07-21 16:17:29 -04:00
Vishal Nayak
4e5c3631f4 Merge pull request #1583 from hashicorp/ssh-allowed-roles 
Add allowed_roles to ssh-helper-config and return role name from verify call
 2016-07-19 12:04:12 -04:00
vishalnayak
5b458db104 Merge branch 'master-oss' into json-use-number 
Conflicts:
	http/handler.go
	logical/framework/field_data.go
	logical/framework/wal.go
	vault/logical_passthrough.go
 2016-07-15 19:21:55 -04:00
Jeff Mitchell
478f420912 Migrate number of retries down by one to have it be max retries, not tries 2016-07-11 21:57:14 +00:00
Jeff Mitchell
7129fd5785 Switch to pester from go-retryablehttp to avoid swallowing 500 error messages 2016-07-11 21:37:46 +00:00
Jeff Mitchell
60df9d3461 Make the API client retry on 5xx errors. 
This should help with transient issues. Full control over min/max delays
and number of retries (and ability to turn off) is provided in the API
and via env vars.

Fix tests.
 2016-07-06 16:50:23 -04:00
vishalnayak
ef97199360 Added JSON Decode and Encode helpers. 
Changed all the occurances of Unmarshal to use the helpers.
Fixed http/ package tests.
 2016-07-06 12:25:40 -04:00
vishalnayak
b632ef58e4 Add allowed_roles to ssh-helper-config and return role name from verify call 2016-07-05 11:14:29 -04:00
vishalnayak
efaffa8f55 Added 'sys/auth/<path>/tune' endpoints. 
Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods'
 2016-06-15 13:58:24 -04:00
Jeff Mitchell
47dc1ccd25 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
Jeff Mitchell
15a40fdde5 Add explicit max TTL capability to token creation API 2016-06-08 14:49:48 -04:00
Jeff Mitchell
517571c04a Add renewable flag and API setting for token creation 2016-06-08 11:14:30 -04:00
Jeff Mitchell
8dffc64388 Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this... 2016-06-07 16:01:09 -04:00
Jeff Mitchell
91053b7471 Add creation time to returned wrapped token info 
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.

This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
 2016-06-07 15:00:35 -04:00
Jeff Mitchell
6a2ad76035 Make Unwrap a first-party API command and refactor UnwrapCommand to use it 2016-05-27 21:04:30 +00:00
Jeff Mitchell
810e914730 Add unwrap test function and some robustness around paths for the wrap lookup function 2016-05-19 11:49:46 -04:00
Jeff Mitchell
b626bfa725 Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors 2016-05-16 16:11:33 -04:00
Jeff Mitchell
fd67b15bb0 Add more tests 2016-05-07 21:08:13 -04:00
Jeff Mitchell
a110f6cae6 Merge branch 'master-oss' into cubbyhole-the-world 2016-05-04 14:42:14 -04:00
Jeff Mitchell
d3f1176e03 Switch our tri-copy ca loading code to go-rootcerts 2016-05-03 12:23:25 -04:00
Jeff Mitchell
ff4dc0b853 Add wrap support to API/CLI 2016-05-02 02:03:23 -04:00
Jeff Mitchell
b44d2c01c0 Use UseNumber() on json.Decoder to have numbers be json.Number objects 
instead of float64. This fixes some display bugs.
 2016-04-20 18:38:20 +00:00
Adam Shannon
e0df8e9e88 all: Cleanup from running go vet 2016-04-13 14:38:29 -05:00
Jeff Mitchell
254023f55c Remove RevokePrefix from the API too as we simply do not support it any 
longer.
 2016-04-05 11:00:12 -04:00
Jeff Mitchell
ab93e3aa63 SealInterface 2016-04-04 10:44:22 -04:00
vishalnayak
f97b2e5648 Enable callbacks for handling logical.Request changes before processing requests 2016-03-17 22:29:53 -04:00
vishalnayak
aa0cef3564 Fixed capabilities API to receive logical response 2016-03-17 21:03:32 -04:00
vishalnayak
b812ea1203 Refactoring the capabilities function 2016-03-17 21:03:32 -04:00
vishalnayak
bac4fe0799 Rename id to path and path to file_path, print audit backend paths 2016-03-14 17:15:07 -04:00
Vishal Nayak
640b3b25c5 Merge pull request #1201 from hashicorp/accessor-cli-flags 
Accessor CLI flags
 2016-03-11 09:55:45 -05:00
vishalnayak
f8749bcbdd Restore RevokeSelf API 2016-03-11 06:30:45 -05:00
vishalnayak
1612dfaa1f Added accessor flag to token-revoke CLI 2016-03-10 21:21:20 -05:00
vishalnayak
82a9fa86ad Add accessor flag to token-lookup command and add lookup-accessor client API 2016-03-10 21:21:20 -05:00
Seth Vargo
d88b83d212 Validate HCL for SSHHelper too 2016-03-10 16:47:46 -05:00
Jeff Mitchell
8b6df2a1a4 Merge branch 'master' into token-roles 2016-03-09 17:23:34 -05:00
Jeff Mitchell
2a698c7786 Merge pull request #1168 from hashicorp/revoke-force 
Add forced revocation.
 2016-03-09 16:59:52 -05:00
vishalnayak
2a35de81dc AccessorID --> Accessor, accessor_id --> accessor 2016-03-09 06:23:31 -05:00
vishalnayak
38a5d75caa Introduced AccessorID in TokenEntry and returning it along with token 2016-03-08 14:06:10 -05:00
Jeff Mitchell
c4124bc40a Merge branch 'master' into token-roles 2016-03-07 10:03:54 -05:00
vishalnayak
7f832f22aa refactoring changes due to acl.Capabilities 2016-03-04 18:55:48 -05:00
vishalnayak
a7cfc9cc7a Removing the 'Message' field 2016-03-04 10:36:03 -05:00
vishalnayak
f00261785a Handled root token use case 2016-03-04 10:36:03 -05:00
vishalnayak
ed3e2c6c05 Added sys/capabililties endpoint 2016-03-04 10:36:02 -05:00
Jeff Mitchell
5f0beb7330 Create a unified function to sanitize mount paths. 
This allows mount paths to start with '/' in addition to ensuring they
end in '/' before leaving the system backend.
 2016-03-03 13:13:47 -05:00
Jeff Mitchell
a520728263 Merge pull request #1146 from hashicorp/step-down 
Provide 'sys/step-down' and 'vault step-down'
 2016-03-03 12:30:08 -05:00
Jeff Mitchell
f3f30022d0 Add forced revocation. 
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.

This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.

Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.

Fixes #1135
 2016-03-03 10:13:59 -05:00
Jeff Mitchell
5883848f60 Add other token role unit tests and some minor other changes. 2016-03-01 12:41:41 -05:00
Jeff Mitchell
c1677c0b55 Initial work on token roles 2016-03-01 12:41:40 -05:00
vishalnayak
9fbfd1aff2 moved the test cert keys to appropriate test-fixtures folder 2016-02-29 15:49:08 -05:00
Jeff Mitchell
2a347d2eb4 Merge branch 'master' into step-down 2016-02-29 11:02:09 -05:00
vishalnayak
48f3f4b5d0 replaced old certs, with new certs generated from PKI backend, containing IP SANs 2016-02-28 22:15:54 -05:00
Jeff Mitchell
6b0c692385 Provide 'sys/step-down' and 'vault step-down' 
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.

Fixes #1093
 2016-02-26 19:43:55 -05:00
vishalnayak
9394e5f212 fix api tests 2016-02-26 17:01:40 -05:00
Robert M. Thomson
b906f22fe9 Add VAULT_TLS_SERVER_NAME environment variable 
If specified, verify a specific server name during TLS negotiation
rather than the server name in the URL.
 2016-02-25 17:28:49 +01:00
vishalnayak
26cdd93088 Use tls_skip_verify in vault-ssh-helper 2016-02-23 17:32:49 -05:00
vishalnayak
1e4ee603a7 ssh-helper api changes 2016-02-23 00:16:00 -05:00
Jeff Mitchell
58a2c4d9a0 Return status for rekey/root generation at init time. This mitigates a 
(very unlikely) potential timing attack between init-ing and fetching
status.

Fixes #1054
 2016-02-12 14:24:36 -05:00
Jeff Mitchell
37a63e6e40 Add some documentation to the API revoke functions 2016-02-03 11:42:13 -05:00
Paul Hinze
1f78f07d7b Parse and return MountConfigOutput from API 
When working on the Terraform / Vault integration I came across the fact
that `Sys().MountConfig(...)` didn't seem to return a response struct,
even though it's a `GET` method.

Looks like just a simple oversight to me. This fix does break API BC,
but the method had no use without its return value so I feel like that's
probably a mitigating factor.
 2016-02-02 17:11:05 -06:00
Jeff Mitchell
a80481792e Fix up unit tests to expect new values 2016-01-29 19:36:56 -05:00
Jeff Mitchell
2613343c3d Updates and documentation 2016-01-22 10:07:32 -05:00
Jeff Mitchell
41332a692b Fix body closing in List method 2016-01-22 10:07:32 -05:00
Jeff Mitchell
4b67fd139f Add list capability, which will work with the generic and cubbyhole 
backends for the moment. This is pretty simple; it just adds the actual
capability to make a list call into both the CLI and the HTTP handler.
The real meat was already in those backends.
 2016-01-22 10:07:32 -05:00
Jeff Mitchell
e9538f1441 RootGeneration->GenerateRoot 2016-01-19 18:28:10 -05:00
Jeff Mitchell
4cc7694a3a Add the ability to generate root tokens via unseal keys. 2016-01-19 18:28:10 -05:00
Jeff Mitchell
1c9b00524f Use an array of keys so that if the same fingerprint is used none are lost when using PGP key backup 2016-01-08 14:29:23 -05:00
Jeff Mitchell
839b804e43 Some minor rekey backup fixes 2016-01-08 14:09:40 -05:00
Jeff Mitchell
027c84c62a Add rekey nonce/backup. 2016-01-06 09:54:35 -05:00
Nicki Watt
05c9e5b5ad Make token-lookup functionality available via Vault CLI 2015-12-29 20:18:59 +00:00
Nicki Watt
9db5180803 Corrected HTTP Method for api.TokenAuth.LookupSelf() method 2015-12-28 00:05:15 +00:00
Jeff Mitchell
b38394e456 Use cleanhttp.DefaultTransport rather than instantiating directly to avoid leaked FDs 2015-12-17 15:23:13 -05:00
Jeff Mitchell
583882efdc Update documentation to be consistent with return codes 
Fixes #831
 2015-12-10 10:26:40 -05:00
Jeff Mitchell
49d525ebf3 Reintroduce the ability to look up obfuscated values in the audit log 
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
 2015-11-18 20:26:03 -05:00
Jeff Mitchell
f600e3ac29 Add no-default-policy flag and API parameter to allow exclusion of the 
default policy from a token create command.
 2015-11-09 17:30:50 -05:00
Jeff Mitchell
673c6d726a Move environment variable reading logic to API. 
This allows the same environment variables to be read, parsed, and used
from any API client as was previously handled in the CLI. The CLI now
uses the API environment variable reading capability, then overrides any
values from command line flags, if necessary.

Fixes #618
 2015-11-04 10:28:00 -05:00
Jeff Mitchell
b11cb5d964 Implement LookupSelf, RevokeSelf, and RenewSelf in the API client 
Fixes #739
 2015-10-30 17:27:33 -04:00
Jeff Mitchell
d7f528a768 Add reset support to the unseal command. 
Reset clears the provided unseal keys, allowing the process to be begun
again. Includes documentation and unit test changes.

Fixes #695
 2015-10-28 15:59:39 -04:00
Jeff Mitchell
5c0a16b16a Use cleanhttp instead of bare http.Client 2015-10-22 14:37:12 -04:00
Jeff Mitchell
0dbbef1ac0 Don't use http.DefaultClient 
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.

Fixes #700, I believe.
 2015-10-15 17:54:00 -04:00
Jeff Mitchell
27029d9744 Support and use TTL instead of lease for token creation 2015-10-09 19:52:13 -04:00
Jeff Mitchell
c9c8398352 Add 301 redirect checking to the API client. 
Vault doesn't generate these, but in some cases Go's internal HTTP
handler does. For instance, during a mount-tune command, finishing the
mount path with / (as in secret/) would cause the final URL path to
contain .../mounts/secret//tune. The double slash would trigger this
behavior in Go's handler and generate a 301. Since Vault generates 307s,
this would cause the client to think that everything was okay when in
fact nothing had happened.
 2015-10-09 17:11:31 -04:00
Dejan Golja
71615a172c Increase default timeout to 30s which should allow for any operation 
to complete.
 2015-10-09 00:53:35 +11:00
Dejan Golja
4ee297408f added a sensible default timeout for the vault client 2015-10-08 18:44:00 +11:00
Jeff Mitchell
c8af19e9dc Add unit tests 2015-10-07 20:17:06 -04:00
Jeff Mitchell
fd2c0f033e Add the ability for warnings to be added to responses. These are 
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.

Fixes #676
 2015-10-07 16:18:39 -04:00
Alexey Grachov
923d07b6bf Fix some lint warnings. 2015-09-29 10:35:16 +03:00
Jeff Mitchell
70ce824267 Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend. 2015-09-25 10:41:21 -04:00
Jeff Mitchell
1247459ae1 Ensure that the response body of logical calls is closed, even if there is an error. 2015-09-14 18:22:33 -04:00
Jeff Mitchell
b9a5a137c0 Address items from feedback. Make MountConfig use values rather than 
pointers and change how config is read to compensate.
 2015-09-10 15:09:54 -04:00
Jeff Mitchell
dd8ac00daa Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00
Jeff Mitchell
aadf039368 Add DynamicSystemView. This uses a pointer to a pointer to always have 
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.

Need specific unit tests for this functionality.
 2015-09-10 15:09:54 -04:00
Jeff Mitchell
dffcf0548e Plumb per-mount config options through API 2015-09-10 15:09:53 -04:00
Jeff Mitchell
81505f5f97 Rather than use http.DefaultClient, which is simply &http.Client{}, 
create our own. This avoids some potential client race conditions when
they are setting values on the Vault API client while the default client
is being used elsewhere in other goroutines, as was seen in
consul-template.
 2015-09-03 13:47:20 -04:00
Jeff Mitchell
4d6ebab007 Change variable name for clarity 2015-09-03 13:38:24 -04:00
Jeff Mitchell
1a2c44d805 Remove redirect handling code that was never being executed (redirects are manually handled within RawRequest). Add a sync.Once to fix a potential data race with setting the CheckRedirect function on the default http.Client 2015-09-03 13:34:45 -04:00
Jeff Mitchell
566aba71b7 Merge pull request #587 from hashicorp/sethvargo/auth_token_tests 
Add test coverage for auth tokens
 2015-09-03 11:26:14 -04:00
Seth Vargo
8df186fd37 Add test coverage for auth tokens 2015-09-03 10:57:17 -04:00
Seth Vargo
f0b3ad6a2a Update documentation around cookies 2015-09-03 10:36:59 -04:00
Mike Sample
02ac5e1ec6 corrected two typos 2015-08-27 00:05:19 -07:00
Jeff Mitchell
4d877dc4eb Address comments from review. 2015-08-25 15:33:58 -07:00
Jeff Mitchell
e133536b79 Add support for pgp-keys argument to rekey, as well as tests, plus 
refactor common bits out of init.
 2015-08-25 14:52:13 -07:00
Jeff Mitchell
d2023234b9 Add support for "pgp-tokens" parameters to init. 
There are thorough unit tests that read the returned
encrypted tokens, seal the vault, and unseal it
again to ensure all works as expected.
 2015-08-25 14:52:13 -07:00
Jeff Mitchell
f1a301922d Remove cookie authentication. 2015-08-21 19:46:23 -07:00
vishalnayak
440b11c279 Vault SSH: Adding the missed out config file 2015-08-20 11:30:21 -07:00
vishalnayak
d6c5031169 Vault SSH: TLS client creation test 2015-08-18 19:00:27 -07:00
vishalnayak
d63726b41b Vault SSH: Documentation update and minor refactoring changes. 2015-08-17 18:22:03 -07:00
vishalnayak
d1b75e9d28 Vault SSH: Default lease of 5 min for SSH secrets 2015-08-12 17:10:35 -07:00
vishalnayak
f74a0c9bfa Vault SSH: Exposed verify request/response messges to agent 2015-08-12 13:22:48 -07:00
vishalnayak
c008a8d796 Vault SSH: Moved agent's client creation code to Vault's source 2015-08-12 13:09:32 -07:00
vishalnayak
f2e4867555 Vault SSH: Moved SSH agent config to Vault's source 2015-08-12 12:52:21 -07:00
vishalnayak
67b705565e Vault SSH: Added SSHAgent API 2015-08-12 10:48:58 -07:00
vishalnayak
f21c64e874 Vault SSH: Renamed path with mountPoint 2015-08-12 10:30:50 -07:00
vishalnayak
6b86811503 Vault SSH: Fixed constructor of SSH api 2015-08-12 09:56:17 -07:00
vishalnayak
2ac3cabf87 Merging changes from master 2015-08-12 09:28:16 -07:00
Seth Vargo
83bc2692f9 Remove Sys.Login (unused) 2015-08-11 13:04:11 -04:00
vishalnayak
9aa02ad560 Vault SSH: Review Rework 2015-07-29 14:21:36 -04:00