Seth Vargo
7f6aa892a4
Add start of base command, flags, prediction
2017-10-24 09:26:44 -04:00
Jeff Mitchell
e869d65fb7
Make compile
2017-10-23 17:41:44 -04:00
Jeff Mitchell
cd6d67d84b
Final sync
2017-10-23 17:39:21 -04:00
Jeff Mitchell
f6c277cd2d
Sync up server.go a bit
2017-10-10 12:27:51 -04:00
Jeff Mitchell
6faf8365e9
Add option to disable client certificate requesting. ( #3373 )
...
Fixes #3372
2017-09-25 14:41:46 -04:00
Calvin Leung Huang
b7413325dd
Add support for stored shares and skip-init in dev mode ( #3364 )
2017-09-21 15:23:29 -04:00
Vishal Nayak
de7ac83df6
Add 'pid_file' config option ( #3321 )
...
* add pid_file config option
* address review feedback
* address review comments
2017-09-16 17:09:37 -04:00
Chris Hoffman
010575cb60
Rename "generic" secret backend to "kv" ( #3292 )
2017-09-15 09:02:29 -04:00
Chris Hoffman
4a8c33cca3
Disable the sys/raw endpoint by default ( #3329 )
...
* disable raw endpoint by default
* adding docs
* config option raw -> raw_storage_endpoint
* docs updates
* adding listing on raw endpoint
* reworking tests for enabled raw endpoints
* root protecting base raw endpoint
2017-09-15 00:21:35 -04:00
Chris Hoffman
09f272510f
Adding latency injector option to -dev mode for storage operations ( #3289 )
2017-09-11 14:49:08 -04:00
Jeff Mitchell
79b63deaf5
Change auth helper interface to api.Secret. ( #3263 )
...
This allows us to properly handle wrapped responses.
Fixes #3217
2017-08-31 16:57:00 -04:00
Calvin Leung Huang
d10075e0fd
Normalize plugin_name option for mount and enable-auth ( #3202 )
2017-08-31 12:16:59 -04:00
Jeff Mitchell
3f31ed733f
Add option to set cluster TLS cipher suites. ( #3228 )
...
* Add option to set cluster TLS cipher suites.
Fixes #3227
2017-08-30 16:28:23 -04:00
Brian Kassouf
41db07530a
Add basic autocompletion ( #3223 )
...
* Add basic autocompletion
* Add autocomplete to some common commands
* Autocomplete the generate-root flags
* Add information about autocomplete to the docs
2017-08-24 15:23:40 -07:00
Doyoon Kim
f855da7a89
Moved PROXY protocol wrap to execute before the TLS wrap ( #3195 )
2017-08-23 12:00:09 -04:00
Seth Vargo
be57fd0594
Thread stderr through too ( #3211 )
...
* Thread stderr through too
* Small docs typo
2017-08-21 17:23:29 -04:00
Jeff Mitchell
88e9d194fd
Properly lowercase policy names. ( #3210 )
...
Previously we lowercased names on ingress but not on lookup or delete
which could cause unexpected results. Now, just unilaterally lowercase
policy names on write and delete. On get, to avoid the performance hit
of always lowercasing when not necessary since it's in the critical
path, we have a minor optimization -- we check the LRU first before
normalizing. For tokens, because they're already normalized when adding
policies during creation, this should always work; it might just be
slower for API calls.
Fixes #3187
2017-08-18 19:47:23 -04:00
Seth Vargo
dcd2de395d
Do not revoke SSH key ( #3208 )
...
There is no secret to revoke - this produces an error on the CLI
2017-08-18 15:44:20 -04:00
Seth Vargo
edd447461a
Add host key checking for SSH CA
2017-08-18 12:59:09 -04:00
Seth Vargo
b5fd472cc1
Revoke temporary cred after creation, update warning
...
/cc @vishalnayak
2017-08-18 12:59:09 -04:00
Seth Vargo
72f66559eb
Initial pass at SSH CLI CA type authentication
...
1. The current implementation of the SSH command is heavily tied to the
assumptions of OTP/dynamic key types. The SSH CA backend is
fundamentally a different approach to login and authentication. As a
result, there was some restructuring of existing methods to share more
code and state.
2. Each authentication method (ca, otp, dynamic) is now fully contained
in its own handle* function.
3. -mode and -role are going to be required for SSH CA, and I don't
think the magical UX (and overhead) of guessing them is a good UX. It's
confusing as to which role and how Vault guesses. We can reduce 66% of
the API calls and add more declaration to the CLI by making -mode and
-role required. This commit adds warnings for that deprecation, but
these values are both required for CA type authentication.
4. The principal and extensions are currently fixed, and I personally
believe that's good enough for the first pass at this. Until we
understand what configuration options users will want, I think we should
ship with all the local extensions enabled. Users who don't want that
can generate the key themselves directly (current behavior) or submit
PRs to make the map of extensions customizable.
5. Host key checking for the CA backend is not currently implemented.
It's not strictly required at setup, so I need to think about whether it
belongs here.
This is not ready for merge, but it's ready for early review.
2017-08-18 12:59:08 -04:00
Calvin Leung Huang
82c5118500
Improve auth-enable output for plugin backends ( #3189 )
...
* Improve auth-enable output for plugin backends
* Unquote authType on final output
2017-08-16 14:31:16 -04:00
Jeff Mitchell
a7f3f40f9e
* Add ability to specify a plugin dir in dev mode ( #3184 )
...
* Change (with backwards compatibility) sha_256 to sha256 for plugin
registration
2017-08-16 11:17:50 -04:00
Seth Vargo
bf50130335
Update help output (spaces instead of tabs) ( #3178 )
2017-08-15 21:21:30 -04:00
Seth Vargo
d82f59cdba
Use SSHPASS envvar instead of -p for sshpass ( #3177 )
...
From the sshpass manpage:
> The -p option should be considered the least secure of all of sshpass's options. All system users can see the password in the command line with a simple "ps" command. Sshpass makes a minimal attempt to hide the password, but such attempts are doomed to create race conditions without actually solving the problem. Users of sshpass are encouraged to use one of the other password passing techniques, which are all more secure.
This PR changes the sshpass behavior to execute a subprocess with the
SSHPASS envvar (which is generally regarded as more secure) than using
the -p option.
2017-08-15 19:43:39 -04:00
Jeff Mitchell
0ac531d3f4
Migrate physical backends into separate packages ( #3106 )
2017-08-03 13:24:27 -04:00
Gobin Sougrakpam
f166016ae8
tls_client_ca_file option for verifying client ( #3034 )
2017-08-03 07:33:06 -04:00
Calvin Leung Huang
15634f3b6e
Store original request path in WrapInfo ( #3100 )
...
* Store original request path in WrapInfo as CreationPath
* Add wrapping_token_creation_path to CLI output
* Add CreationPath to AuditResponseWrapInfo
* Fix tests
* Add and fix tests, update API docs with new sample responses
2017-08-02 18:28:58 -04:00
Jeff Mitchell
608322b546
Add PROXY protocol support ( #3098 )
2017-08-02 18:24:12 -04:00
Brian Kassouf
dd9cf42ba6
Add Testing Interface to test helpers ( #3091 )
...
* Add testing interface
* Add vendored files
2017-08-01 11:07:08 -07:00
Jeff Mitchell
0c3e14f047
Add some useful variable output to three node dev startup
2017-08-01 11:50:41 -04:00
Jeff Mitchell
4a64062daa
Use 1-based indexing for unseal keys in three node dev cluster
2017-08-01 11:12:45 -04:00
Jeff Mitchell
95ce578842
Add leader cluster address to status/leader output. ( #3061 )
...
* Add leader cluster address to status/leader output. This helps in
identifying a particular node when all share the same redirect address.
Fixes #3042
2017-07-31 18:25:27 -04:00
Jeff Mitchell
c6615e1b51
Add a -dev-three-node option for devs. ( #3081 )
2017-07-31 11:28:06 -04:00
Calvin Leung Huang
2b0f80b981
Backend plugin system ( #2874 )
...
* Add backend plugin changes
* Fix totp backend plugin tests
* Fix logical/plugin InvalidateKey test
* Fix plugin catalog CRUD test, fix NoopBackend
* Clean up commented code block
* Fix system backend mount test
* Set plugin_name to omitempty, fix handleMountTable config parsing
* Clean up comments, keep shim connections alive until cleanup
* Include pluginClient, disallow LookupPlugin call from within a plugin
* Add wrapper around backendPluginClient for proper cleanup
* Add logger shim tests
* Add logger, storage, and system shim tests
* Use pointer receivers for system view shim
* Use plugin name if no path is provided on mount
* Enable plugins for auth backends
* Add backend type attribute, move builtin/plugin/package
* Fix merge conflict
* Fix missing plugin name in mount config
* Add integration tests on enabling auth backend plugins
* Remove dependency cycle on mock-plugin
* Add passthrough backend plugin, use logical.BackendType to determine lease generation
* Remove vault package dependency on passthrough package
* Add basic impl test for passthrough plugin
* Incorporate feedback; set b.backend after shims creation on backendPluginServer
* Fix totp plugin test
* Add plugin backends docs
* Fix tests
* Fix builtin/plugin tests
* Remove flatten from PluginRunner fields
* Move mock plugin to logical/plugin, remove totp and passthrough plugins
* Move pluginMap into newPluginClient
* Do not create storage RPC connection on HandleRequest and HandleExistenceCheck
* Change shim logger's Fatal to no-op
* Change BackendType to uint32, match UX backend types
* Change framework.Backend Setup signature
* Add Setup func to logical.Backend interface
* Move OptionallyEnableMlock call into plugin.Serve, update docs and comments
* Remove commented var in plugin package
* RegisterLicense on logical.Backend interface (#3017 )
* Add RegisterLicense to logical.Backend interface
* Update RegisterLicense to use callback func on framework.Backend
* Refactor framework.Backend.RegisterLicense
* plugin: Prevent plugin.SystemViewClient.ResponseWrapData from getting JWTs
* plugin: Revert BackendType to remove TypePassthrough and related references
* Fix typo in plugin backends docs
2017-07-20 13:28:40 -04:00
Jeff Mitchell
ef0108853e
Add token-only. ( #2971 )
2017-07-12 15:04:34 -04:00
Jeff Mitchell
997da9ae39
Create and persist human-friendly-ish mount accessors ( #2918 )
2017-06-26 18:14:36 +01:00
Jeff Mitchell
22e06c05e8
Convert listener arguments to map[string]interface{} ( #2905 )
...
This allows people to use more natural constructs, e.g. for tls_disable
it can be a bool, int, or string.
2017-06-22 20:29:53 +01:00
Jeff Mitchell
5939c526ac
Fix tests
2017-06-21 11:19:38 -04:00
Jeff Mitchell
5be95b01a1
Add option to have dev mode generic backend return leases
2017-06-21 10:42:50 -04:00
Chris Hoffman
31579fc5d1
Exclude /sys/leases/renew from registering with expiration manager ( #2891 )
...
* exclude /sys/leases/renew from registering with expiration manager
* adding sys/leases/renew to return full secret object, adding tests to catch renew errors
2017-06-20 12:34:00 -04:00
Jeff Mitchell
27e584c2ce
Fix up CORS.
...
Ref #2021
2017-06-17 01:26:25 -04:00
Jeff Mitchell
f5de93f1bf
Add DogStatsD metrics output. ( #2883 )
...
Fixes #2490
2017-06-16 23:51:46 -04:00
Jeff Mitchell
6b0ca941a6
Add a no-store option to vault auth ( #2809 )
...
Fixes #2746
2017-06-05 16:36:28 -04:00
Jeff Mitchell
1fc803ab2c
Fix tests
2017-05-25 09:00:49 -04:00
Jeff Mitchell
6c8c42b990
Revert grpc back a version (they introduced a panic) and clean up a bunch of old request forwarding stuff
2017-05-24 10:38:48 -04:00
emily
38ffde5a9d
add gofmt checks to Vault and format existing code ( #2745 )
2017-05-19 08:34:17 -04:00
Brian Kassouf
55f1f5116a
Merge remote-tracking branch 'oss/master' into database-refactor
2017-05-04 10:45:18 -07:00
Jeff Mitchell
b54ea7b956
Write always needs a path, even with force. ( #2675 )
...
Fixes #2674
2017-05-04 06:40:58 -04:00
Jeff Mitchell
d026b6816a
Further Sethisize loglevel inputz
2017-04-25 11:14:25 -04:00
Jeff Mitchell
00beeeba2f
Sethisize log level
2017-04-25 11:12:38 -04:00
Brian Kassouf
f4ef3df4bd
Update the builtin keys; move catalog to core; protect against unset plugin directory
2017-04-24 10:30:33 -07:00
Brian Kassouf
f1fa617e03
Calls to builtin plugins now go directly to the implementation instead of go-plugin
2017-04-20 18:46:41 -07:00
Brian Kassouf
afc5be1c67
Merge remote-tracking branch 'oss/master' into database-refactor
2017-04-19 15:16:00 -07:00
Christoph Blecker
377640d75c
Add -self flag to token-revoke ( #2596 )
2017-04-17 12:40:51 -04:00
Brian Kassouf
07f3f4fc26
Update the plugin directory logic
2017-04-13 11:22:53 -07:00
Brian Kassouf
4c75326aad
Cleanup path files
2017-04-12 17:35:02 -07:00
Brian Kassouf
f2401c0128
Merge branch 'master' into database-refactor
2017-04-12 14:29:10 -07:00
Brian Kassouf
9ae5a2aede
Add backend test
2017-04-07 15:50:03 -07:00
Brian Kassouf
8a2e29c607
Refactor to use builtin plugins from an external repo
2017-04-05 16:20:31 -07:00
Brian Kassouf
8f88452fc0
move builtin plugins list to the pluginutil
2017-04-05 11:00:13 -07:00
Brian Kassouf
485b331d6a
Add a cli command to run builtin plugins
2017-04-04 17:12:02 -07:00
Brian Kassouf
f6b45bdcfb
Execute builtin plugins
2017-04-04 14:43:39 -07:00
Jeff Mitchell
6699bd4a44
Add some minor tweaks to the PR
2017-04-04 12:22:14 -04:00
Brian Kassouf
ac519abecf
Plugin catalog
2017-04-03 17:52:29 -07:00
Greg Parris
a705e5e783
Typo corrections and tweaks to commands' help info
...
* Normalize "X arguments expected" messages
* Use "Vault" when referring to the product and "vault" when referring to an instance of the product
* Various minor tweaks to improve readability and/or provide clarity
2017-03-25 12:51:12 -05:00
Jeff Mitchell
317c664370
Add option to require valid client certificates ( #2457 )
2017-03-08 10:21:31 -05:00
Jeff Mitchell
8681311b7c
Add option to disable caching per-backend. ( #2455 )
2017-03-08 09:20:09 -05:00
Jeff Mitchell
b1ed578f3d
Rename physical backend to storage and alias old value ( #2456 )
2017-03-08 09:17:00 -05:00
Jeff Mitchell
df575f0b3a
Rename helper 'duration' to 'parseutil'. ( #2449 )
...
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.
Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell
7c4e5a775c
Fix breakage for HTTP2 support due to changes in wrapping introduced in 1.8 ( #2412 )
2017-02-27 12:49:35 -05:00
Sean Chittenden
f075d7a3cd
Change the default DisplayName for a Circonus check to be Vault instead of the InstanceID.
...
Trivial defaults change, committing direct to `master`.
2017-02-26 15:18:46 -08:00
Jeff Mitchell
9533d3d8a6
Don't try synthesizing cluster when not in dev mode
2017-02-24 12:50:26 -05:00
Jeff Mitchell
bfaf9022fa
Do some porting to make diffing easier
2017-02-24 10:45:29 -05:00
Jeff Mitchell
78269445a8
Fix missing newline in status output
2017-02-17 11:23:20 -05:00
Jeff Mitchell
8acbdefdf2
More porting from rep ( #2388 )
...
* More porting from rep
* Address review feedback
2017-02-16 16:29:30 -05:00
Jeff Mitchell
513f8b918d
Add WithOptions methods to audit/auth enabling ( #2383 )
2017-02-16 11:37:27 -05:00
Jeff Mitchell
b505b3b81c
Correct port parsing. ( #2354 )
...
* Correct port parsing.
Fixes #2351
* use strings.Contains instead of strings.HasSuffix
* Make the error message point to the wrong input
2017-02-08 13:50:17 -05:00
Roman Vynar
51bb8bc544
Added tls_cipher_suites, tls_prefer_server_ciphers config options to listener ( #2293 )
2017-01-23 13:48:35 -05:00
Vishal Nayak
0645606f84
Merge pull request #2202 from fcantournet/fix_govet_fatalf
...
all: test: Fix govet warnings
2017-01-17 16:45:35 -05:00
Jeff Mitchell
d51b13fca6
Multi value test seal ( #2281 )
2017-01-17 15:43:10 -05:00
Jeff Mitchell
ac0f45e45c
Add nonce to unseal to allow seeing if the operation has reset ( #2276 )
2017-01-17 11:47:06 -05:00
vishalnayak
089cb4f9c0
init: pgp-keys input validations
2017-01-11 23:32:38 -05:00
Jeff Mitchell
0dd5a2a6ba
JWT wrapping tokens ( #2172 )
2017-01-04 16:44:03 -05:00
Cameron Stokes
eb8343625f
Fix generate-root help and progress output.
2017-01-04 09:01:17 -08:00
Félix Cantournet
0d6d4211b8
all: test: Fix govet warnings
...
Fix calls to t.Fatal() with formatting.
Fixed some calls to Fatalf() with wrong formatting
2016-12-21 19:44:07 +01:00
Jeff Mitchell
192b9f361e
Change an output to an error
2016-12-06 07:56:45 -05:00
Jeff Mitchell
fb9acace54
Minor ports
2016-12-05 12:28:12 -05:00
Vishal Nayak
20fabef08b
Use Vault client's scheme for auto discovery ( #2146 )
2016-12-02 11:24:57 -05:00
Jeff Mitchell
b7c655f45c
Fix panic when unwrapping if the server EOFs
2016-11-29 16:50:07 -05:00
Jeff Mitchell
c88c8c27a1
Add cgo info to vault version output
2016-11-27 19:32:57 -05:00
Jeff Mitchell
c91a7c51a2
Print the revision, if known, separately from the version.
...
Also, indicate whether the build is dynamic or not.
2016-11-27 19:28:35 -05:00
Jeff Mitchell
2b5fb353f3
Only add version sha if known
2016-11-27 19:16:44 -05:00
Jeff Mitchell
2a84f795f7
Add version sha to server startup output
2016-11-22 16:43:05 -05:00
Jeff Mitchell
24d2f39a7f
Don't say mlock is supported on OSX when it isn't. ( #2120 )
...
Fixes #2119
2016-11-22 12:56:36 -05:00
Kyle McCullough
9571df6bc6
cli: fix bug with 'vault read -field=...' when the field value contains a printf formatting verb ( #2109 )
2016-11-22 12:30:23 -05:00
Chris Lundquist
61411f2f4f
prevent binding 0.0.0.0 -> ::0 ( #2094 )
2016-11-15 12:00:57 -05:00
matt maier
2cd3cfd83e
Vendor circonus ( #2082 )
2016-11-10 16:17:55 -05:00
vishalnayak
b408c95e0d
ssh: Use temporary file to store the identity file
2016-10-18 12:50:12 -04:00
Jeff Mitchell
601b1b6958
Make listener shutdown more synchronous ( #1985 )
2016-10-10 13:18:19 -04:00
Jeff Mitchell
80281c16fc
Split HA server command tests from reload tests
2016-10-07 11:06:01 -04:00
Jeff Mitchell
0765d8e938
Switch default case of disable cluster. ( #1959 )
2016-10-02 14:54:01 -04:00
Jeff Mitchell
81cdd76a5c
Adds HUP support for audit log files to close and reopen. ( #1953 )
...
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.
As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
Jeff Mitchell
ad62b32ff0
Rejig where the reload functions live
2016-09-30 00:07:22 -04:00
Jeff Mitchell
60deff1bad
Wrapping enhancements ( #1927 )
2016-09-28 21:01:28 -07:00
Jeff Mitchell
c748ff322f
Change default TTL from 30 to 32 to accommodate monthly operations ( #1942 )
2016-09-28 18:32:49 -04:00
Jeff Mitchell
721d103f68
Fix parsing env var, needed to be in the helper too
2016-09-23 13:20:26 -04:00
Evan Phoenix
d5038f34b0
Advertise the cluster_(id|name) in the Scada handshake ( #1906 )
2016-09-23 10:55:51 -04:00
Jeff Mitchell
0358a4b161
Use VAULT_LOG_FORMAT as an analogue to LOGXI_FORMAT
2016-09-22 17:22:02 -04:00
Jeff Mitchell
ce7680022b
Force tls_disable on scada connection inside outer TLS connection as it's not currently supported anyways
2016-09-20 14:56:16 -04:00
Jeff Mitchell
01ffc31c88
Follow Vault convention on DELETE being idempotent ( #1903 )
...
* Follow Vault convention on `DELETE` being idempotent with
audit/auth/mounts deletes (a.k.a. disabling/unmounting).
2016-09-19 13:02:25 -04:00
vishalnayak
a7408e4dd5
Add yml alias for yaml
2016-09-16 10:43:23 -04:00
Jeff Mitchell
941b066780
Add support for PGP encrypting the initial root token. ( #1883 )
2016-09-13 18:42:24 -04:00
Jeff Mitchell
54347da422
Update text of init/rekey around recovery values
2016-09-12 16:20:21 -04:00
Jeff Mitchell
3fc14e5662
Don't panic on bad auth path
...
Fixes #1860
2016-09-08 11:14:47 -04:00
Jeff Mitchell
75f792b27e
Add response wrapping to list operations ( #1814 )
2016-09-02 01:13:14 -04:00
Vishal Nayak
30e199cccf
Merge pull request #1836 from hashicorp/truncate-version-string
...
Remove the string 'Vault' from version information
2016-09-01 20:23:26 -04:00
Seth Vargo
41addfe768
Update audit-enable to show more examples ( #1842 )
...
* Update audit-enable to show more examples
* Update audit_enable.go
2016-09-01 20:14:29 -04:00
Seth Vargo
638a8bead9
Add more examples and cleanup docs for auth ( #1841 )
2016-09-01 19:56:30 -04:00
vishalnayak
618949ae0b
Update atlas listener factory to use version with pre-release info.
2016-09-01 17:21:11 -04:00
vishalnayak
111a945fb3
Avoid commas while printing policies
2016-09-01 16:32:27 -04:00
Jeff Mitchell
7f0b68862e
Don't output key/value header if there are no values to display. ( #1838 )
...
Fixes #1835
2016-09-01 15:58:16 -04:00
vishalnayak
ee26c7e7b6
Remove the string 'Vault' from version information
2016-09-01 14:54:04 -04:00
Jeff Mitchell
392565fe01
Remove hex output from keys; standardize on B64 for CLI output. This ( #1831 )
...
aligns with all other interactions which use B64 encoding for bytes.
2016-09-01 12:59:15 -04:00
Jeff Mitchell
65ae080c82
Add a separator to list output
2016-08-30 16:48:55 -04:00
Jeff Mitchell
d40277a18f
Plumb through the ability to set the storage read cache size. ( #1784 )
...
Plumb through the ability to set the storage read cache size.
Fixes #1772
2016-08-26 10:27:06 -04:00
Jeff Mitchell
f8c657a80a
Strip trailing whitespace in token from file.
...
Fixes #1774
2016-08-23 20:22:45 -04:00
Jeff Mitchell
d5fcc1b74f
Don't validate a dev listen address as that makes a proper Docker
...
entrypoint difficult.
Fixes #1762
2016-08-23 08:34:43 -04:00
Jeff Mitchell
68345eb770
Convert to logxi
2016-08-21 18:13:37 -04:00
Jeff Mitchell
edd6379466
Clustering enhancements ( #1747 )
2016-08-19 11:03:53 -04:00
Jeff Mitchell
e20eaea59f
Force dev on when dev-ha is on
2016-08-19 08:29:34 -04:00
Jeff Mitchell
ed48b008ce
Provide base64 keys in addition to hex encoded. ( #1734 )
...
* Provide base64 keys in addition to hex encoded.
Accept these at unseal/rekey time.
Also fix a bug where backup would not be honored when doing a rekey with
no operation currently ongoing.
2016-08-15 16:01:15 -04:00
Jeff Mitchell
645540012f
Request forwarding ( #1721 )
...
Add request forwarding.
2016-08-15 09:42:42 -04:00
Jeff Mitchell
146cdc69eb
Add periodic support for root/sudo tokens to auth/token/create
2016-08-12 21:14:12 -04:00
Jeff Mitchell
5a149c0573
Add some info about -f to the "expects two arguments" error.
...
Ping #1722
2016-08-12 15:47:16 -04:00
Jeff Mitchell
3eba24de39
Change to keybase openpgp fork as it has important fixes
2016-08-11 08:31:43 -04:00
Jeff Mitchell
bf63d3a7c0
Add HTTP test for renew and fix muxing
2016-08-08 20:01:08 -04:00
Jeff Mitchell
78bbc22fec
Rename mounttune.go
2016-08-08 16:22:28 -04:00
Jeff Mitchell
001f02b211
Fix generate-root synopsis
2016-08-05 16:35:03 -04:00
vishalnayak
e4a20c0dcd
Support execution of remote commands using 'vault ssh'
2016-08-01 14:53:00 -04:00
Jeff Mitchell
32b39e808b
Close the shutdown channel instead of sending a value down
2016-08-01 11:58:45 -04:00
vishalnayak
577cd9de35
Address review feedback
2016-08-01 11:15:25 -04:00
vishalnayak
5318130ba2
Make the defer statement of waitgroup to execute last
2016-08-01 10:24:27 -04:00
vishalnayak
461c30969e
Sharing shutdown message with physical consul backend
2016-07-31 10:09:16 -04:00
vishalnayak
13c4bbf9d7
Add waitgroup wait to allow physical consul to deregister checks
2016-07-30 13:17:29 -04:00
vishalnayak
8f1ccc6eff
Add cluster information to 'vault status'
2016-07-29 14:13:53 -04:00
vishalnayak
5c38276598
Added Vault version information to the 'status' command
2016-07-28 17:37:35 -04:00
Vishal Nayak
8d0bce03be
Merge pull request #1655 from hashicorp/cluster-id
...
Vault cluster name and ID
2016-07-26 14:12:48 -04:00
Evan Phoenix
6135e246e3
Report the simple version string
2016-07-26 10:21:24 -07:00
vishalnayak
f76c926b0a
Added cluster_name for existing config tests
2016-07-26 11:38:24 -04:00
vishalnayak
46b94d8612
Update cluster name during config merge
2016-07-26 11:11:12 -04:00
vishalnayak
e5c61509d6
Remove global name/id. Make only cluster name configurable.
2016-07-26 10:01:35 -04:00
vishalnayak
55cf44bc91
Storing local and global cluster name/id to storage and returning them in health status
2016-07-26 02:32:42 -04:00
matt maier
a1b50427f2
Circonus integration for telemetry metrics
2016-07-22 15:49:23 -04:00
vishalnayak
8f8b421c07
Address review feedback
2016-07-22 11:31:55 -04:00
vishalnayak
26ea86a100
Update docs on the init command
2016-07-22 11:22:10 -04:00
Vishal Nayak
2511231c64
Merge pull request #1642 from hashicorp/init-service-discovery
...
Add service discovery to init command
2016-07-21 20:47:32 -04:00
vishalnayak
201ea85fea
Address review feedback by @jefferai
2016-07-21 20:46:31 -04:00
vishalnayak
cd719d9123
Address review feedback from @sean
2016-07-21 19:04:43 -04:00
vishalnayak
08b6740139
Added documentation for init service discovery
2016-07-21 17:27:56 -04:00
vishalnayak
f1ad3595a5
Added a separate flag consul-service to receive Consul service name
2016-07-21 16:51:38 -04:00
vishalnayak
d22204914d
Add service discovery to init command
2016-07-21 16:17:29 -04:00
Jeff Mitchell
fda9473681
Trim leading/trailing space around PEM bundles.
...
Fixes #1634
2016-07-20 13:57:49 -04:00
Jeff Mitchell
4f27886641
Have human-oriented token duration and secret duration output display a more human-friendly format
2016-07-19 12:15:00 -04:00
Jeff Mitchell
a347917044
Turn off DynamoDB HA by default.
...
The semantics are wonky and have caused issues from people not reading
docs. It can be enabled but by default is off.
2016-07-18 13:19:58 -04:00
vishalnayak
5b458db104
Merge branch 'master-oss' into json-use-number
...
Conflicts:
http/handler.go
logical/framework/field_data.go
logical/framework/wal.go
vault/logical_passthrough.go
2016-07-15 19:21:55 -04:00
vishalnayak
ee6ba1e85e
Make 'tls_min_version' configurable
2016-07-12 19:32:47 -04:00
vishalnayak
ef97199360
Added JSON Decode and Encode helpers.
...
Changed all the occurrences of Unmarshal to use the helpers.
Fixed http/ package tests.
2016-07-06 12:25:40 -04:00
Jeff Mitchell
6bdda578ac
Don't panic on an empty configuration during merge
2016-07-05 16:49:15 -04:00
Jeff Mitchell
409b9f9b0f
Add aliases for field flag to allow printing auth results.
...
Also fix the write command to use the shared function with aliases.
Fixes #1566
2016-06-27 23:19:09 -04:00
Jeff Mitchell
6f0f46deb6
Up sleep time during reload test to not fail under certain test conditions
2016-06-27 15:37:25 -04:00
Jeff Mitchell
6a29f77544
Fix up external token helper tests
2016-06-22 10:04:43 -04:00
Tom Maher
ee7850cff3
Correctly check for existence of external token_helper binaries
2016-06-21 19:32:19 -07:00
Vishal Nayak
3558eca73c
Merge pull request #1531 from hashicorp/auth-mount-tune-params
...
Auth tune endpoints and config settings output from CLI
2016-06-20 20:24:47 -04:00
Vishal Nayak
9cfc0106fc
Merge pull request #1532 from hashicorp/vault-auth-path
...
Added -path option to 'vault auth' command
2016-06-20 16:43:26 -04:00
vishalnayak
78665752aa
Added -path option to help output
2016-06-20 16:24:49 -04:00
vishalnayak
e6a91d891a
Concatenating the output instead of printing twice
2016-06-20 15:26:33 -04:00
vishalnayak
56ae3530fb
Fix the output format when warnings are present
2016-06-15 17:13:14 -04:00
vishalnayak
7672d69495
Added '-path' option to 'vault auth' command
2016-06-15 16:54:27 -04:00
vishalnayak
efaffa8f55
Added 'sys/auth/<path>/tune' endpoints.
...
Displaying 'Default TTL' and 'Max TTL' in the output of 'vault auth -methods'
2016-06-15 13:58:24 -04:00
Jeff Mitchell
47dc1ccd25
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
Jeff Mitchell
15a40fdde5
Add explicit max TTL capability to token creation API
2016-06-08 14:49:48 -04:00
Jeff Mitchell
4d53c5f6b6
Remove unneeded else
2016-06-08 13:55:31 -04:00
Jeff Mitchell
517571c04a
Add renewable flag and API setting for token creation
2016-06-08 11:14:30 -04:00
Jeff Mitchell
8b675cbbed
Make token renewable status work properly on lookup
2016-06-08 09:19:39 -04:00
Jeff Mitchell
8dffc64388
Use time.Time which does RFC3339 across the wire to handle time zones. Arguably we should change the API to always do this...
2016-06-07 16:01:09 -04:00
Jeff Mitchell
91053b7471
Add creation time to returned wrapped token info
...
This makes it easier to understand the expected lifetime without a
lookup call that uses the single use left on the token.
This also adds a couple of safety checks and for JSON uses int, rather
than int64, for the TTL for the wrapped token.
2016-06-07 15:00:35 -04:00
Bill Monkman
64d72672ff
#1486: Fixed sealed and leader checks for consul backend
2016-06-03 16:00:31 -07:00
Jeff Mitchell
6f5fa23386
Merge pull request #1470 from hashicorp/unwrap-in-api
...
Make Unwrap a first-party API command and refactor UnwrapCommand to u…
2016-06-03 13:25:10 -04:00
Jeff Mitchell
32b4f48e66
Add a metadata node_id field for Atlas usage and fix tests
2016-06-02 18:19:51 -04:00
Jeff Mitchell
d32283ba49
Initial Atlas listener implementation
2016-06-02 14:05:47 -04:00
vishalnayak
cbf7ccb73d
Prioritize dev flags over its env vars
2016-06-01 12:21:29 -04:00
vishalnayak
ff01f8f437
Address review feedback
2016-06-01 11:39:48 -04:00
vishalnayak
ea65ffd451
Supplying strictHostKeyChecking and userKnownHostsFile from env vars
2016-06-01 11:08:24 -04:00
vishalnayak
ab017967e4
Provide option to disable host key checking
2016-06-01 11:08:24 -04:00
Jeff Mitchell
6a2ad76035
Make Unwrap a first-party API command and refactor UnwrapCommand to use it
2016-05-27 21:04:30 +00:00
vishalnayak
8678c5e779
Add a non-nil check for 'port' field to be present in the response
2016-05-25 21:26:32 +00:00
Jeff Mitchell
86094cce6a
Decode json.Number before handing to mapstructure
2016-05-25 19:02:31 +00:00
Jeff Mitchell
810e914730
Add unwrap test function and some robustness around paths for the wrap lookup function
2016-05-19 11:49:46 -04:00
Jeff Mitchell
0b59a54837
Add unwrap command, and change how the response is embedded (as a string, not an object)
2016-05-19 11:25:15 -04:00
Jeff Mitchell
07b86fe304
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-19 02:43:22 +00:00
Jeff Mitchell
8c3866ea16
Rename lease_duration to refresh_interval when there is no lease ID, and output ---- between header and values
2016-05-17 17:10:12 +00:00
Jeff Mitchell
b626bfa725
Address most review feedback. Change responses to multierror to better return more useful values when there are multiple errors
2016-05-16 16:11:33 -04:00
Jeff Mitchell
53afa06beb
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-16 12:14:40 -04:00
Sean Chittenden
339c0a4127
Speling police
2016-05-15 09:58:36 -07:00
Jeff Mitchell
c104bcf959
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-12 14:59:12 -04:00
Jeff Mitchell
17d02aa46e
Merge branch 'master-oss' into f-vault-service
2016-05-04 17:20:00 -04:00
Jeff Mitchell
a110f6cae6
Merge branch 'master-oss' into cubbyhole-the-world
2016-05-04 14:42:14 -04:00
Jeff Mitchell
806119f5a1
Fix number of recovery shares output during init
2016-05-03 23:07:09 -04:00
Jeff Mitchell
4268158c82
Properly handle sigint/hup
2016-05-03 14:30:58 -04:00
Jeff Mitchell
ff4dc0b853
Add wrap support to API/CLI
2016-05-02 02:03:23 -04:00
Jeff Mitchell
b5b8ac8686
Ensure seal finalizing happens even when using verify-only
2016-04-28 14:06:05 -04:00
Sean Chittenden
eedd7f0c39
Change the interface of ServiceDiscovery
...
Instead of passing state, signal that the state has changed and provide a callback handler that can query Core.
2016-04-28 11:05:18 -07:00
Sean Chittenden
455b76828f
Add a *log.Logger argument to physical.Factory
...
Logging in the backend is a good thing. This is a noisy interface change but should be a functional noop.
2016-04-25 20:10:32 -07:00
Sean Chittenden
9647f2e067
Collapse UpdateAdvertiseAddr() into RunServiceDiscovery()
2016-04-25 18:01:13 -07:00
Sean Chittenden
38a3ea3978
Disable service registration for consul HA tests
2016-04-25 18:01:13 -07:00
Sean Chittenden
3e43da258a
Use spaces in tests to be consistent
...
The rest of the tests here use spaces, not tabs
2016-04-25 18:01:13 -07:00
Sean Chittenden
53dd43650e
Various refactoring to clean up code organization
...
Brought to you by: Dept of 2nd thoughts before pushing enter on `git push`
2016-04-25 18:01:13 -07:00
Sean Chittenden
9a2115181b
Improve error handling re: homedir expansion
...
Useful if the HOME envvar is not set because `vault` was launched in a clean environment (e.g. `env -i vault ...`).
2016-04-25 18:01:13 -07:00
Sean Chittenden
c0bbeba5ad
Teach Vault how to register with Consul
...
Vault will now register itself with Consul. The active node can be found using `active.vault.service.consul`. All standby vaults are available via `standby.vault.service.consul`. All unsealed vaults are considered healthy and available via `vault.service.consul`. Change in status and registration is event driven and should happen at the speed of a write to Consul (~network RTT + ~1x fsync(2)).
Healthy/active:
```
curl -X GET 'http://127.0.0.1:8500/v1/health/service/vault?pretty' && echo;
[
    {
        "Node": {
            "Node": "vm1",
            "Address": "127.0.0.1",
            "TaggedAddresses": {
                "wan": "127.0.0.1"
            },
            "CreateIndex": 3,
            "ModifyIndex": 20
        },
        "Service": {
            "ID": "vault:127.0.0.1:8200",
            "Service": "vault",
            "Tags": [
                "active"
            ],
            "Address": "127.0.0.1",
            "Port": 8200,
            "EnableTagOverride": false,
            "CreateIndex": 17,
            "ModifyIndex": 20
        },
        "Checks": [
            {
                "Node": "vm1",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm1",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "passing",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "",
                "ServiceID": "vault:127.0.0.1:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 19
            }
        ]
    }
]
```
Healthy/standby:
```
[snip]
        "Service": {
            "ID": "vault:127.0.0.2:8200",
            "Service": "vault",
            "Tags": [
                "standby"
            ],
            "Address": "127.0.0.2",
            "Port": 8200,
            "EnableTagOverride": false,
            "CreateIndex": 17,
            "ModifyIndex": 20
        },
        "Checks": [
            {
                "Node": "vm2",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm2",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "passing",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "",
                "ServiceID": "vault:127.0.0.2:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 19
            }
        ]
    }
]
```
Sealed:
```
        "Checks": [
            {
                "Node": "vm2",
                "CheckID": "serfHealth",
                "Name": "Serf Health Status",
                "Status": "passing",
                "Notes": "",
                "Output": "Agent alive and reachable",
                "ServiceID": "",
                "ServiceName": "",
                "CreateIndex": 3,
                "ModifyIndex": 3
            },
            {
                "Node": "vm2",
                "CheckID": "vault-sealed-check",
                "Name": "Vault Sealed Status",
                "Status": "critical",
                "Notes": "Vault service is healthy when Vault is in an unsealed status and can become an active Vault server",
                "Output": "Vault Sealed",
                "ServiceID": "vault:127.0.0.2:8200",
                "ServiceName": "vault",
                "CreateIndex": 19,
                "ModifyIndex": 38
            }
        ]
```
2016-04-25 18:01:13 -07:00
Sean Chittenden
bd5305e470
Stub out service discovery functionality
...
Hook asynchronous notifications into Core to change the status of vault based on its active/standby, and sealed/unsealed status.
2016-04-25 18:00:54 -07:00
Sean Chittenden
f2dc2f636e
Comment nits
2016-04-25 18:00:54 -07:00
Jeff Mitchell
4c509ba162
Change seal test name in command package
2016-04-26 00:12:14 +00:00
Jeff Mitchell
28272ca629
Merge pull request #1326 from hashicorp/sethvargo/hint_noreauth
...
Hint that you don't need to run auth twice
2016-04-25 15:43:55 -04:00
Jeff Mitchell
99772d3cff
Add seal tests and update generate-root and others to handle dualseal.
2016-04-25 19:39:04 +00:00
Jeff Mitchell
b44d2c01c0
Use UseNumber() on json.Decoder to have numbers be json.Number objects
...
instead of float64. This fixes some display bugs.
2016-04-20 18:38:20 +00:00
Jeff Mitchell
28c97b4914
Change recovery options in init to be 'key'-less
2016-04-18 17:02:07 +00:00
Jeff Mitchell
e5b089de0f
Add check against seal type to catch errors before we attempt to use the data
2016-04-15 18:16:48 -04:00
Sean Chittenden
bc570e74f3
Fix SIGINT handling.
...
No signal handler was set up to receive SIGINT. I didn't investigate to
see if signal(2) mask was set up (ala `SIG_IGN`) or if sigprocmask(2) is
being used, but in either case, the correct behavior is to capture and
treat SIGINT the same as SIGTERM. At some point in the future these two
signals may affect the running process differently, but we will clarify
that difference in the future.
2016-04-15 10:03:22 -07:00
Jeff Mitchell
94d6b3ce94
Add Finalize method to seal.
2016-04-14 20:37:34 +00:00
vishalnayak
e53b9dbadb
Provide clarity for output statements of idempotent calls.
2016-04-14 15:46:45 +00:00
vishalnayak
691052c3f4
Clarify token-revoke operation
2016-04-14 15:34:01 +00:00
Seth Vargo
f170066c19
Clarify delete operation
...
One thing that has been a point of confusion for users is Vault's
response when deleting a key that does not actually exist in the system.
For example, consider:
    $ vault delete secret/foo
    Success! Deleted 'secret/foo'
This message is misleading if the secret does not exist, especially if
the same command is run twice in a row.
Obviously the reason for this is clear - returning an error if a secret
does not exist would reveal the existence of a secret (the same reason
everything on S3 is a 403 or why GitHub repos 404 instead of 403 if you
do not have permission to view them).
I think we can make the UX a little bit better by adding just a few
words to the output:
    $ vault delete secret/foo
    Success! Deleted 'secret/foo' if it existed
This makes it clear that the operation was only performed if the secret
existed, but it does not reveal any more information.
2016-04-14 10:38:10 +01:00
Jeff Mitchell
d273a051c7
Check for seal status when initing and change logic order to avoid defer
2016-04-14 01:13:59 +00:00
Seth Vargo
716f780cf1
Hint that you don't need to run auth twice
...
This came up twice, in two different training courses. The UX is a
little confusing here on the CLI. Users are used to running:
    $ vault auth abcd-1234...
So when they auth using a method, the output leads them to believe they
need to "re-auth" as the generated token:
    $ vault auth -method=userpass username=foo password=bar
    Successfully authenticated!
    token: defg-5678...
A number of users then run:
    $ vault auth defg-5678
I've added some helpful text to hint this is not required if the method
is not "token".
2016-04-13 19:45:48 +01:00
Jeff Mitchell
74826c25ca
Fix panic when using -field with read or write with a non-string value.
...
Fixes #1308
2016-04-07 22:16:33 +00:00
Sean Chittenden
ffe34bf375
Reinstall the mlockall(2) command
...
Requested by: jefferai
2016-04-05 13:58:26 -07:00
Sean Chittenden
a199547ffc
Unconditionally warn on systems w/o mlock support
...
If someone begins using Vault on Windows in dev mode, always hint so that this isn't a surprise when they get to production.
2016-04-05 12:32:53 -07:00
Jeff Mitchell
254023f55c
Remove RevokePrefix from the API too as we simply do not support it any
...
longer.
2016-04-05 11:00:12 -04:00
Jeff Mitchell
f59cb0c501
Sync some seal stuff
2016-04-04 13:46:33 -04:00
Jeff Mitchell
ab93e3aa63
SealInterface
2016-04-04 10:44:22 -04:00
Jeff Mitchell
02be26e4ae
Fix up the meta common options text function to not strip leading space and fix up commands
2016-04-01 16:50:12 -04:00
Jeff Mitchell
16c8f0b5ad
Remove config from Meta; it's only used right now with the token helper.
2016-04-01 16:02:18 -04:00
Jeff Mitchell
48da40964c
Move token helper out of meta
2016-04-01 14:23:15 -04:00
Jeff Mitchell
33326b30c3
Move meta into its own package
2016-04-01 13:16:05 -04:00
Jeff Mitchell
61a4f4a6a2
Sort infokeys on startup and add more padding
2016-03-30 12:31:47 -04:00
Jeff Mitchell
c22fc374b6
Merge HA Backend objects
2016-03-21 16:56:13 -04:00
vishalnayak
dfbf2da1e2
Restore the previous valid token if token authentication fails
2016-03-18 14:43:16 -04:00
Pradeep Chhetri
f86c98bca8
Fix Typo
2016-03-18 14:06:49 +00:00
Jeff Mitchell
367add864d
Add `-field` and `-format` to write command.
...
Fixes #1186
2016-03-17 14:57:30 -04:00
Vishal Nayak
1e432efb20
Merge pull request #1210 from hashicorp/audit-id-path
...
Rename id to path and path to file_path, print audit backend paths
2016-03-15 20:13:21 -04:00
vishalnayak
bac4fe0799
Rename id to path and path to file_path, print audit backend paths
2016-03-14 17:15:07 -04:00
Jeff Mitchell
3a878c3dc4
Add test for listener reloading, and update website docs.
2016-03-14 14:05:47 -04:00
Jeff Mitchell
0c56385d59
Properly scope config objects for reloading
2016-03-14 11:18:02 -04:00
Jeff Mitchell
14f538556e
Don't generate an ID; use address for the ID. Generally speaking we'll need to sane against what's in the config
2016-03-11 17:28:03 -05:00
Jeff Mitchell
ca40e06f5d
Don't inline factory
2016-03-11 17:02:44 -05:00
Jeff Mitchell
92088f06e4
For not shutdown triggered...
2016-03-11 17:01:26 -05:00
Jeff Mitchell
9f2f5b1c61
Retool to have reloading logic run in command/server
2016-03-11 16:47:03 -05:00
Jeff Mitchell
6430cd97ba
Add tests. This actually adds the initial tests for the TLS listener,
...
then layers reloading tests on top.
2016-03-11 14:05:52 -05:00
Jeff Mitchell
7e52796aae
Add reload capability for Vault listener certs. No tests (other than
...
manual) yet, and no documentation yet.
2016-03-11 14:05:52 -05:00
Vishal Nayak
640b3b25c5
Merge pull request #1201 from hashicorp/accessor-cli-flags
...
Accessor CLI flags
2016-03-11 09:55:45 -05:00
vishalnayak
a090c9dc54
Added test for token-revoke accessor flag
2016-03-10 21:38:27 -05:00
vishalnayak
1612dfaa1f
Added accessor flag to token-revoke CLI
2016-03-10 21:21:20 -05:00
vishalnayak
084cbb2fc9
Added test for token-lookup accessor flag
2016-03-10 21:21:20 -05:00
vishalnayak
82a9fa86ad
Add accessor flag to token-lookup command and add lookup-accessor client API
2016-03-10 21:21:20 -05:00
Seth Vargo
f801e30844
Remove log statement
2016-03-10 17:48:34 -05:00
Seth Vargo
80a28004f0
Add missing fixture
2016-03-10 17:40:40 -05:00
Seth Vargo
b381a9d7e0
Fix failing config test
2016-03-10 17:36:10 -05:00
Seth Vargo
e5e66535c8
Fix test fixtures
2016-03-10 16:51:08 -05:00
Seth Vargo
bbb45c4370
Fix failing policy-write integration test
...
This was a flawed test. Previously the test passed in a fixture that
corresponded to a CLI config file, not an actual policy. The test
_should_ have been failing, but it wasn't. This commit adds a new
fixture.
2016-03-10 15:45:49 -05:00
Seth Vargo
80d627fc0a
Parse HCL keys in command config
2016-03-10 15:25:25 -05:00
Seth Vargo
ffbe97c7ca
Print errors on extra keys in server config
...
This does NOT apply to the backend config, since each backend config
could have a variation of options that differ based off of the
configured backend itself. This may be an optimization that can be made
in the future, but I think each backend should be responsible for
performing its own configuration validation instead of overloading the
config itself with this functionality.
2016-03-10 15:25:25 -05:00
Jeff Mitchell
8b6df2a1a4
Merge branch 'master' into token-roles
2016-03-09 17:23:34 -05:00
Jeff Mitchell
2a698c7786
Merge pull request #1168 from hashicorp/revoke-force
...
Add forced revocation.
2016-03-09 16:59:52 -05:00
vishalnayak
2a35de81dc
AccessorID --> Accessor, accessor_id --> accessor
2016-03-09 06:23:31 -05:00
vishalnayak
38a5d75caa
Introduced AccessorID in TokenEntry and returning it along with token
2016-03-08 14:06:10 -05:00
vishalnayak
1b9e486bfd
use errwrap to check the type of error message, fix typos
2016-03-07 18:36:26 -05:00
Jeff Mitchell
c4124bc40a
Merge branch 'master' into token-roles
2016-03-07 10:03:54 -05:00
vishalnayak
b5ca8ba5bc
Documentation for capabilities and capabilities-self APIs
2016-03-07 06:13:56 -05:00
vishalnayak
0f82724f1f
test cases for capabilities endpoint
2016-03-05 00:03:55 -05:00
vishalnayak
7f832f22aa
refactoring changes due to acl.Capabilities
2016-03-04 18:55:48 -05:00
vishalnayak
a7cfc9cc7a
Removing the 'Message' field
2016-03-04 10:36:03 -05:00
vishalnayak
5b9ef4ec2e
testcase changes
2016-03-04 10:36:03 -05:00
vishalnayak
42a7bab69e
Test files for capabilities endpoint
2016-03-04 10:36:03 -05:00
vishalnayak
894f2ccef1
self review rework
2016-03-04 10:36:03 -05:00
vishalnayak
f00261785a
Handled root token use case
2016-03-04 10:36:03 -05:00
vishalnayak
b2f394d779
Added capabilities and capabilities-self endpoints to http muxer
2016-03-04 10:36:03 -05:00
vishalnayak
ed3e2c6c05
Added sys/capabilities endpoint
2016-03-04 10:36:02 -05:00
Jeff Mitchell
67b8eab204
Update help text exporting dev mode listen address.
...
Ping #1160
2016-03-03 18:10:14 -05:00
Jeff Mitchell
a520728263
Merge pull request #1146 from hashicorp/step-down
...
Provide 'sys/step-down' and 'vault step-down'
2016-03-03 12:30:08 -05:00
Jeff Mitchell
00721af2c1
Add the ability to specify dev mode address via CLI flag and envvar.
...
Fixes #1160
2016-03-03 10:48:52 -05:00
Jeff Mitchell
a05ea4720c
Add ability to control dev root token id with
...
VAULT_DEV_ROOT_TOKEN_ID env var, and change the CLI flag to match.
Ping #1160
2016-03-03 10:24:44 -05:00
Jeff Mitchell
f3f30022d0
Add forced revocation.
...
In some situations, it can be impossible to revoke leases (for instance,
if someone has gone and manually removed users created by Vault). This
can not only cause Vault to cycle trying to revoke them, but it also
prevents mounts from being unmounted, leaving them in a tainted state
where the only operations allowed are to revoke (or rollback), which
will never successfully complete.
This adds a new endpoint that works similarly to `revoke-prefix` but
ignores errors coming from a backend upon revocation (it does not ignore
errors coming from within the expiration manager, such as errors
accessing the data store). This can be used to force Vault to abandon
leases.
Like `revoke-prefix`, this is a very sensitive operation and requires
`sudo`. It is implemented as a separate endpoint, rather than an
argument to `revoke-prefix`, to ensure that control can be delegated
appropriately, as even most administrators should not normally have
this privilege.
Fixes #1135
2016-03-03 10:13:59 -05:00
Jeff Mitchell
c19641887d
Allow specifying an initial root token ID in dev mode.
...
Ping #1160
2016-03-02 12:03:26 -05:00
Jeff Mitchell
143d876c99
Address review feedback
2016-03-01 20:25:40 -05:00
Jeff Mitchell
c3a70bc1bf
Allow `token-renew` to not be given a token; it will then use the
...
renew-self endpoint. Otherwise it will use the renew endpoint, even if
the token matches the client token.
Adds an -increment flag to allow increments even with no token passed
in.
Fixes #1150
2016-03-01 17:02:48 -05:00
Jeff Mitchell
42501e388b
Add command and token store documentation for roles
2016-03-01 13:02:40 -05:00
Jeff Mitchell
c1677c0b55
Initial work on token roles
2016-03-01 12:41:40 -05:00
vishalnayak
01d61f6f0c
fix typo
2016-03-01 11:48:17 -05:00
Jeff Mitchell
6b0c692385
Provide 'sys/step-down' and 'vault step-down'
...
This endpoint causes the node it's hit to step down from active duty.
It's a noop if the node isn't active or not running in HA mode. The node
will wait one second before attempting to reacquire the lock, to give
other nodes a chance to grab it.
Fixes #1093
2016-02-26 19:43:55 -05:00
Grégoire Paris
b42567acfc
add missing verb
2016-02-26 14:43:56 +01:00
Jeff Mitchell
949e707006
Fix CLI formatter to show warnings again on CLI list output.
2016-02-24 21:45:58 -05:00
Jeff Mitchell
c24cf2eb50
Merge pull request #1080 from jkanywhere/improve-formatter
...
Refactor formatting of output
2016-02-24 21:36:57 -05:00
vanhalt
5b916974c5
help sentence improved
2016-02-22 09:38:30 -06:00
vanhalt
805cf6d302
When writing from a file it must be a JSON file
...
Making clear from write help text that when writing secrets
using @file, the file must be a JSON file.
2016-02-21 19:02:09 -06:00
vanhalt
4a4550eb04
Fixing auth-enable help text
...
auth-enable command help in the "Auth Enable Options" is suggesting
the usage of a non-existing command called 'auth-list' instead of
the correct one "auth -methods"
2016-02-21 14:54:50 -06:00
Vishal Nayak
685b1f3f9c
Merge pull request #1099 from hashicorp/fix-ssh-cli
...
ssh: use resolved IP address while executing ssh command
2016-02-19 13:02:34 -05:00
Jeff Mitchell
99917c5f4e
Fix mixed whitespacing in ssh help text
2016-02-19 12:47:58 -05:00
vishalnayak
7e1694d387
ssh: use resolved IP address while executing ssh command
2016-02-19 12:19:10 -05:00
Ron Kuris
32bf42519c
Refactor formatting of output
...
This change is almost perfectly compatible with the existing code,
except it's a little shorter because it uses a list of available
formatters that must implement a `command.Formatter` interface.
Also added some basic formatting tests.
2016-02-16 12:27:29 -08:00
Ryan Hileman
a2565836ac
don't panic when config directory is empty
2016-02-12 16:40:19 -08:00
Jeff Mitchell
58a2c4d9a0
Return status for rekey/root generation at init time. This mitigates a
...
(very unlikely) potential timing attack between init-ing and fetching
status.
Fixes #1054
2016-02-12 14:24:36 -05:00
Jeff Mitchell
ef8086b17f
Update documentation for status command to reflect new return codes
2016-02-08 11:36:08 -05:00
Jeff Mitchell
c6cfa99284
On the CLI, ensure listing ends with /.
2016-02-03 21:08:46 -05:00
Jeff Mitchell
6c8961af28
Fix build tag
2016-02-03 08:41:31 -05:00
Jeff Mitchell
2cf9afe5d6
Add test for HA availability to command/server
2016-02-02 17:47:02 -05:00
Jeff Mitchell
dcb6901593
remove unneeded assignment
2016-02-02 15:11:35 -05:00
Jeff Mitchell
92c276369d
Ensure that we fall back to Backend if HABackend is not specified.
2016-02-02 15:09:58 -05:00
Jeff Mitchell
855985230f
Fix command status test with new return value
2016-01-29 19:31:01 -05:00
Jeff Mitchell
09586dd941
Return 2 for sealed instead of 1 to match the new init -check behavior
2016-01-29 10:55:31 -05:00
Jeff Mitchell
afd0bca03a
Don't return 1 when flags don't parse for status command, as all other errors return 2; 1 is for when the vault is sealed
2016-01-29 10:53:56 -05:00
James Tancock
6ab184596f
Docs typo in server command
2016-01-28 08:26:49 +00:00
Jeff Mitchell
98fada78e4
Fix test on 1.6 by comparing to nil instead of a nil-defined map
2016-01-22 21:26:06 -05:00
Jeff Mitchell
479775806e
Add -check flag to init.
...
Fixes #949
2016-01-22 13:06:40 -05:00
Jeff Mitchell
2667f08f97
Only allow listing on folders and enforce this. Also remove string sorting from Consul backend as it's not a requirement and other backends don't do it.
2016-01-22 10:07:32 -05:00
Jeff Mitchell
f1b843d773
Remove bare option, prevent writes ending in slash, and return an exact file match as "."
2016-01-22 10:07:32 -05:00
Jeff Mitchell
f8e569ae0a
Address some review feedback
2016-01-22 10:07:32 -05:00
Jeff Mitchell
2613343c3d
Updates and documentation
2016-01-22 10:07:32 -05:00
Jeff Mitchell
4b67fd139f
Add list capability, which will work with the generic and cubbyhole
...
backends for the moment. This is pretty simple; it just adds the actual
capability to make a list call into both the CLI and the HTTP handler.
The real meat was already in those backends.
2016-01-22 10:07:32 -05:00
Jeff Mitchell
2c4da115ff
Add -decode flag verification
2016-01-21 12:18:57 -05:00
Jeff Mitchell
e9538f1441
RootGeneration->GenerateRoot
2016-01-19 18:28:10 -05:00
Jeff Mitchell
a25514d4f7
Address most of the review feedback
2016-01-19 18:28:10 -05:00
Jeff Mitchell
4cc7694a3a
Add the ability to generate root tokens via unseal keys.
2016-01-19 18:28:10 -05:00
Jeff Mitchell
3ecd88bd5c
Allow ASCII-armored PGP pub keys to be passed into -pgp-keys.
...
Fixes #940
2016-01-18 17:01:52 -05:00
Jeff Mitchell
0478a4f7c2
Fix read panic when an empty argument is given.
...
Fixes #923
2016-01-12 08:46:49 -05:00
Jeff Mitchell
996cb54b99
Fix up PGP tests from earlier code fixes
2016-01-08 22:21:41 -05:00
Jeff Mitchell
71e320eae8
Lotsa warnings if you choose not to be safe
2016-01-08 17:35:07 -05:00
Jeff Mitchell
839b804e43
Some minor rekey backup fixes
2016-01-08 14:09:40 -05:00
Jeff Mitchell
027c84c62a
Add rekey nonce/backup.
2016-01-06 09:54:35 -05:00
Jeff Mitchell
139ab81f58
update init/rekey documentation around keybase entries
2016-01-04 14:17:51 -05:00
Jeff Mitchell
b0f075cc1f
Disable cmd/server tests for now so we can get Travis back on track
2015-12-31 08:48:53 -05:00
Jeff Mitchell
5f49615fc1
Remove some outdated comments
2015-12-30 21:00:27 -05:00
Jeff Mitchell
70561c0fe2
Use RenewSelf instead of Renew if the token we're renewing is the same as the client
2015-12-30 14:41:50 -05:00
Nicki Watt
05c9e5b5ad
Make token-lookup functionality available via Vault CLI
2015-12-29 20:18:59 +00:00
Jeff Mitchell
f8682021c5
Merge pull request #886 from ooesili/ssh-error-fetching-username
...
Stop panic when vault ssh username fetching fails
2015-12-29 12:17:51 -06:00
Jeff Mitchell
3dec78a4d5
Merge pull request #853 from hashicorp/issue-850
...
Make TokenHelper an interface and split existing functionality
2015-12-29 12:01:49 -06:00
Jeff Mitchell
eabfb472ca
Merge branch 'master' into f-disable-tls
2015-12-29 12:59:02 -05:00
Nicki Watt
658b99c115
Using LookupSelf() API method instead of raw HTTP call for auth command
2015-12-28 01:38:00 +00:00
Wesley Merkel
59c5ccb36f
Stop panic when vault ssh username fetching fails
2015-12-26 15:09:07 -07:00
Wim
fb92a7a802
Fix ipv6 address advertisement
2015-12-22 21:40:36 +01:00
Jeff Mitchell
c15974cbdd
Make TokenHelper an interface and split existing functionality
...
Functionality is split into ExternalTokenHelper, which is used if a path
is given in a configuration file, and InternalTokenHelper which is used
otherwise. The internal helper no longer shells out to the same Vault
binary, instead performing the same actions with internal code. This
avoids problems using dev mode when there are spaces in paths or when
the binary is built in a container without a shell.
Fixes #850 among others
2015-12-22 10:23:30 -05:00
Jeff Mitchell
88f05bec4d
Move telemetry metrics up to fix one possible race, but deeper problems in go-metrics can't be solved with this
2015-12-17 16:38:17 -05:00
Jeff Mitchell
d7cb3c9f94
Allow setting the advertise address via an environment variable.
...
Fixes #581
2015-12-14 21:22:55 -05:00
Jeff Mitchell
6e46e56b21
Ensure advertise address detection runs without a specified HA backend
...
Ping #840
2015-12-14 21:13:27 -05:00
Jeff Mitchell
32bfc884c7
Merge pull request #840 from hashicorp/issue-395
...
Allow separate HA physical backend.
2015-12-14 20:56:47 -05:00
Jeff Mitchell
b1f815d7f8
Address review feedback
2015-12-14 17:58:30 -05:00
Mathias Lafeldt
05f0cde643
Show error if output format is invalid
...
Rather than silently using table as a fallback.
2015-12-14 17:14:22 +01:00
Jeff Mitchell
4f51b6e3c9
Allow separate HA physical backend.
...
With no separate backend specified, HA will be attempted on the normal
physical backend.
Fixes #395.
2015-12-14 07:59:58 -05:00
Jeff Mitchell
55e2417b11
Merge pull request #832 from mlafeldt/yaml-ouput
...
Allow to output secrets in YAML format
2015-12-11 12:04:41 -05:00
Mathias Lafeldt
073e4c872e
Allow to output secrets in YAML format
...
This can be done with https://github.com/ghodss/yaml, which reuses
existing JSON struct tags for YAML.
2015-12-10 11:32:31 +01:00
Mathias Lafeldt
459be44363
Output secrets sorted by key
...
Instead of printing them in random order each time `vault read` is invoked.
2015-12-10 10:08:23 +01:00
Armon Dadgar
5c085d3718
server: sanity check value for 'tls_disable'
2015-11-25 11:37:57 -08:00
Jeff Mitchell
f600e3ac29
Add no-default-policy flag and API parameter to allow exclusion of the
...
default policy from a token create command.
2015-11-09 17:30:50 -05:00
Jeff Mitchell
60697f3c70
Fix unmount help output
2015-11-09 15:23:49 -05:00
Jeff Mitchell
904e1ee600
Print version on startup.
...
Fixes #765
2015-11-09 13:52:55 -05:00
Jeff Mitchell
673c6d726a
Move environment variable reading logic to API.
...
This allows the same environment variables to be read, parsed, and used
from any API client as was previously handled in the CLI. The CLI now
uses the API environment variable reading capability, then overrides any
values from command line flags, if necessary.
Fixes #618
2015-11-04 10:28:00 -05:00
Jeff Mitchell
d7f528a768
Add reset support to the unseal command.
...
Reset clears the provided unseal keys, allowing the process to be begun
again. Includes documentation and unit test changes.
Fixes #695
2015-10-28 15:59:39 -04:00
Jeff Mitchell
40486da446
Fix cache disabling
2015-10-28 13:05:56 -04:00
voutasaurus
fbf21b5f2d
Modifies documentation in output of vault server -dev
...
Environment variable setting is different in windows
2015-10-22 00:48:46 -07:00
Jeff Mitchell
0dbbef1ac0
Don't use http.DefaultClient
...
This strips out http.DefaultClient everywhere I could immediately find
it. Too many things use it and then modify it in incompatible ways.
Fixes #700, I believe.
2015-10-15 17:54:00 -04:00
Jeff Mitchell
676970574b
Allow disabling the physical storage cache with 'disable_cache'.
...
Fixes #674.
2015-10-12 13:00:32 -04:00
Jeff Mitchell
27029d9744
Support and use TTL instead of lease for token creation
2015-10-09 19:52:13 -04:00
Jeff Mitchell
a087e943c7
Fix output of token-create help to use ttl instead of lease
2015-10-09 19:40:30 -04:00
Jeff Mitchell
46a14f6b65
Fix mount-tune CLI output
2015-10-09 16:03:31 -04:00
Jeff Mitchell
843c5353c3
Update CLI help text for init/rekey regarding base64-encoded keys
2015-10-08 11:09:30 -04:00
Jeff Mitchell
41f7cc9406
Adjust warnings message to make it clear they are from the server
2015-10-07 16:18:39 -04:00
Jeff Mitchell
fd2c0f033e
Add the ability for warnings to be added to responses. These are
...
marshalled into JSON or displayed from the CLI depending on the output
mode. This allows conferring information such as "no such policy exists"
when creating a token -- not an error, but something the user should be
aware of.
Fixes #676
2015-10-07 16:18:39 -04:00
vishalnayak
02f11cb2da
Merge branch 'master' of https://github.com/hashicorp/vault
2015-10-03 00:07:34 -04:00
Jeff Mitchell
5088eb322c
Remove use of os/user as it cannot be run with CGO disabled
2015-10-02 18:43:38 -07:00
vishalnayak
25f604f429
Remove format parameter
2015-10-02 14:10:24 -04:00
vishalnayak
bf017d28d1
Github backend: enable auth renewals
2015-10-02 13:33:19 -04:00
Jeff Mitchell
70ce824267
Switch per-mount values to strings going in and seconds coming out, like other commands. Indicate deprecation of 'lease' in the token backend.
2015-09-25 10:41:21 -04:00
Jeff Mitchell
4801922b43
Minor updates to passthrough and additional tests
2015-09-21 16:57:41 -04:00
Jeff Mitchell
7e1c2c62c4
Use 'ttl_seconds' in CLI output so as not to shadow actual 'ttl' parameter
2015-09-21 16:37:37 -04:00
Jeff Mitchell
a782efa308
If there's no lease, output ttl instead of lease_duration
2015-09-21 16:37:37 -04:00
Jeff Mitchell
b0c97f8b8d
If lease_duration is not zero, output it even if there is no lease.
2015-09-21 16:37:37 -04:00
Jeff Mitchell
4836e7ca4d
Make TLS backend honor SystemView default values. Expose lease TTLs on read. Make auth command show lease TTL if one exists. Addresses most of #527
2015-09-18 14:01:28 -04:00
vishalnayak
fee64e16c2
Adding type checking to ensure only BasicUi is affected
2015-09-17 11:37:21 -04:00
vishalnayak
fceaea733e
CLI: Avoiding CR when printing specific fields
2015-09-17 10:05:56 -04:00
hendrenj
2925912b6b
improve documentation for available log levels
2015-09-16 11:01:33 -06:00
vishalnayak
cd5da08a62
Typo fix
2015-09-11 21:36:20 -04:00
vishalnayak
ec4f6e59b3
Improve documentation of token renewal
2015-09-11 21:08:32 -04:00
Jeff Mitchell
b9a5a137c0
Address items from feedback. Make MountConfig use values rather than
...
pointers and change how config is read to compensate.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
3e713c61ac
Push a lot of logic into Router to make a bunch of it nicer and enable a
...
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
0df0df2fcb
Fix typo
2015-09-10 15:09:54 -04:00
Jeff Mitchell
dd8ac00daa
Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation
2015-09-10 15:09:54 -04:00
Jeff Mitchell
aadf039368
Add DynamicSystemView. This uses a pointer to a pointer to always have
...
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.
Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
dffcf0548e
Plumb per-mount config options through API
2015-09-10 15:09:53 -04:00
vishalnayak
140013aebd
Vault SSH: Default CIDR for roles
2015-08-27 13:04:15 -04:00
Jeff Mitchell
4c5c82e6f7
Rename config lease_duration parameters to lease_ttl in line with current standardization efforts
2015-08-27 07:50:24 -07:00
Jeff Mitchell
5584a11997
When using PGP encryption on unseal keys, encrypt the hexencoded string rather than the raw bytes.
2015-08-26 07:59:50 -07:00
Jeff Mitchell
4d877dc4eb
Address comments from review.
2015-08-25 15:33:58 -07:00
Jeff Mitchell
e133536b79
Add support for pgp-keys argument to rekey, as well as tests, plus
...
refactor common bits out of init.
2015-08-25 14:52:13 -07:00
Jeff Mitchell
efccbcd23e
Don't store the given public keys in the seal config
2015-08-25 14:52:13 -07:00
Jeff Mitchell
ee10f1a565
Handle people specifying PGP key files with @ in front
2015-08-25 14:52:13 -07:00
Jeff Mitchell
d2023234b9
Add support for "pgp-tokens" parameters to init.
...
There are thorough unit tests that read the returned
encrypted tokens, seal the vault, and unseal it
again to ensure all works as expected.
2015-08-25 14:52:13 -07:00
Jeff Mitchell
f1a301922d
Remove cookie authentication.
2015-08-21 19:46:23 -07:00
vishalnayak
47464abd08
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-08-19 12:16:37 -07:00
Jeff Mitchell
1f0458ffd5
Add -no-verify option to CLI auth command, to avoid decrementing the token use count during auth.
2015-08-18 19:22:17 -07:00
vishalnayak
d6c5031169
Vault SSH: TLS client creation test
2015-08-18 19:00:27 -07:00
vishalnayak
99736663e2
Vault SSH: verify echo test
2015-08-18 16:48:50 -07:00
vishalnayak
71c039d7cd
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-08-17 18:22:13 -07:00
vishalnayak
d63726b41b
Vault SSH: Documentation update and minor refactoring changes.
2015-08-17 18:22:03 -07:00
Armon Dadgar
e659d93163
command: Fixing setup of client certificates
2015-08-17 12:18:14 -07:00
vishalnayak
a98b3befd9
Vault SSH: Website page for SSH backend
2015-08-14 12:41:26 -07:00
vishalnayak
ffaf80167d
Vault SSH: CLI embellishments
2015-08-13 16:55:47 -07:00
vishalnayak
f21c64e874
Vault SSH: Renamed path with mountPoint
2015-08-12 10:30:50 -07:00
vishalnayak
6b86811503
Vault SSH: Fixed constructor of SSH api
2015-08-12 09:56:17 -07:00
vishalnayak
2ac3cabf87
Merging changes from master
2015-08-12 09:28:16 -07:00
Michael S. Fischer
3a05fb70a7
command/meta.go: document environment variables
...
Document the environment variables which, if set, can provide default
values for configuration options.
Fixes #476
2015-08-07 15:13:30 -07:00
Matt Button
907011f8d7
Allow the `vault token-create` command to specify the token's id
2015-08-07 08:45:34 +00:00
vishalnayak
b5c3624f2e
Merging with master
2015-08-06 18:44:40 -04:00
vishalnayak
044a2257e7
Vault SSH: Automate OTP typing if sshpass is installed
2015-08-06 17:00:50 -04:00
vishalnayak
0542fd8389
Vault SSH: uninstall dynamic keys using script
2015-08-06 15:50:12 -04:00
vishalnayak
8dbbb8b8e6
Vault SSH: CRUD test case for OTP Role
2015-07-31 13:24:23 -04:00
Karl Gutwin
1a673ddc0a
PR review updates
2015-07-30 13:21:41 -04:00
Karl Gutwin
a87af4e863
Add configuration options for default lease duration and max lease duration.
2015-07-30 09:42:49 -04:00
vishalnayak
9aa02ad560
Vault SSH: Review Rework
2015-07-29 14:21:36 -04:00
Vishal Nayak
11a6c6de12
Vault SSH: Refactoring
2015-07-27 16:42:03 -04:00
Vishal Nayak
6c5548ca7b
Vault SSH: Refactoring
2015-07-27 13:02:31 -04:00
Vishal Nayak
0a4854e542
Vault SSH: Dynamic Key test case fix
2015-07-24 12:13:26 -04:00
Vishal Nayak
699862b07a
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-07-23 17:20:34 -04:00
Vishal Nayak
3a1eaf1869
Vault SSH: Support OTP key type from CLI
2015-07-23 17:20:28 -04:00
Armon Dadgar
676f6d4233
server: import sha512. Fixes #448
2015-07-23 13:51:45 -07:00
Karl Gutwin
04c5596822
Avoid unnecessary abbreviation
2015-07-22 23:28:46 -04:00
Karl Gutwin
3ed4f2f9e1
Allow specifying a TLS minimum version
2015-07-22 23:19:41 -04:00
Nate Brown
ba38ab3a58
Git ignore getting in the way
2015-07-14 15:57:06 -07:00
Nate Brown
e83432adb3
Fix travis build
2015-07-14 15:50:29 -07:00
Nate Brown
8f666b8e60
Telemetry object in config
2015-07-14 15:36:28 -07:00
Nate Brown
693f529ae7
Disable hostname prefix for runtime telemetry
2015-07-13 13:17:57 -07:00
Vishal Nayak
47a9f548fe
Vault SSH: Refactoring and fixes
2015-07-10 18:44:31 -06:00
Vishal Nayak
dae996c994
Vault SSH: Added comments to ssh_test
2015-07-10 16:59:32 -06:00
Vishal Nayak
eb0f119491
Vault SSH: Backend and CLI testing
2015-07-10 16:18:02 -06:00
Vishal Nayak
c25525a22a
Vault SSH: Test case skeleton
2015-07-10 09:56:14 -06:00
Vishal Nayak
6f86d32089
Vault SSH: Made port number configurable
2015-07-06 16:56:45 -04:00
Vishal Nayak
0a59e84cef
Vault SSH: Revoking key after SSH session from CLI
2015-07-06 11:05:02 -04:00
Vishal Nayak
280efd28f6
Vault SSH: PR review rework: Formatting/Refactoring
2015-07-02 19:52:47 -04:00
Vishal Nayak
fbaea45101
Vault SSH: PR review rework
2015-07-02 17:23:09 -04:00
Vishal Nayak
57174693ce
Vault SSH: replaced concatenated strings by fmt.Sprintf
2015-07-01 20:35:11 -04:00
Vishal Nayak
13ab7fc40b
Vault SSH: PR review rework - 1
2015-07-01 11:58:49 -04:00
Vishal Nayak
b821a8e872
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-30 18:33:37 -04:00
Vishal Nayak
2163818bd6
Input validations, help strings, default_user support
2015-06-30 18:33:17 -04:00
Armon Dadgar
18a23c9bef
command: source general options docs from common source
2015-06-30 12:01:23 -07:00
Karl Gutwin
3a5b8789b8
CLI docs
2015-06-30 09:04:57 -04:00
Karl Gutwin
67993efeb0
Better error messages.
2015-06-30 08:59:38 -04:00
Vishal Nayak
756be6976d
Refactoring changes
2015-06-29 22:00:08 -04:00
Karl Gutwin
75861c7c3b
Initial sketch for client TLS auth
2015-06-29 15:33:16 -04:00
Vishal Nayak
5da639feff
Creating SSH keys and removal of files in pure 'go'
2015-06-26 15:43:27 -04:00
Vishal Nayak
7dbad8386c
ssh/lookup implementation and refactoring
2015-06-25 21:47:32 -04:00
Vishal Nayak
4b07eba487
POC: Rework. Doing away with policy file.
2015-06-24 18:13:12 -04:00
Vishal Nayak
9d709bd5a9
SSHs to multiple users by registering the respective host keys
2015-06-19 12:59:36 -04:00
Vishal Nayak
5cd9b7a7d8
merging with master
2015-06-18 20:51:11 -04:00
Vishal Nayak
fe5bb20e92
Roles, key renewal handled. End-to-end basic flow working.
2015-06-18 20:48:41 -04:00
Armon Dadgar
f91b91289c
command/read: Ensure only a single argument. Fixes #304
2015-06-18 16:00:41 -07:00
Armon Dadgar
48e7531f79
command/path-help: rename command, better error if sealed. Fixes #234
2015-06-18 15:56:42 -07:00
Armon Dadgar
2772807547
command/write: adding force flag for when no data fields are necessary. Fixes #357
2015-06-18 13:51:06 -07:00
Armon Dadgar
57d1230e6c
command/server: fixing output weirdness
2015-06-18 13:48:18 -07:00
Armon Dadgar
0696bc47e0
command/auth: warn earlier about VAULT_TOKEN
2015-06-18 13:48:04 -07:00
Armon Dadgar
ee176b2f5d
command/auth: warn about the VAULT_TOKEN env var. Fixes #195
2015-06-17 19:19:02 -07:00
Vishal Nayak
f2ace92e98
Implementation for storing and deleting the host information in Vault
2015-06-17 22:10:47 -04:00
Armon Dadgar
0277cedc8a
command/read: strip path prefix if necessary. Fixes #343
2015-06-17 18:33:15 -07:00
Armon Dadgar
70ee1866ca
server: graceful shutdown for fast failover. Fixes #308
2015-06-17 18:24:56 -07:00
Vishal Nayak
c1880de3d1
Merge branch 'master' of https://github.com/hashicorp/vault into vishalvault
2015-06-17 20:34:56 -04:00
Vishal Nayak
fa83fe89f0
Received OTK in SSH client. Forked SSH process from CLI. Added utility file for SSH.
2015-06-17 20:33:03 -04:00
Armon Dadgar
d19b74f78f
command/token-create: provide more useful output. Fixes #337
2015-06-17 16:59:50 -07:00
Vishal Nayak
fb866f9059
Added: Ssh CLI command and API, config lease impl, sshConnect path to backend, http handler for Ssh connect
2015-06-17 12:39:49 -04:00
Mitchell Hashimoto
dcc84749d1
command/auth, github: improve cli docs
...
/cc @sethvargo
2015-06-16 10:05:11 -07:00
Seth Vargo
669686f654
Merge pull request #270 from sheldonh/no_export_vault_token
...
Don't recommend exporting VAULT_TOKEN
2015-06-01 11:52:40 -04:00
Armon Dadgar
3f9a3a5811
Merge pull request #278 from Zhann/feature/add_dev_to_server_options_help
...
Add help info for -dev flag
2015-06-01 13:08:50 +02:00
Armon Dadgar
7abe375a9c
command/rekey: use same language in rekey as init
2015-06-01 13:08:20 +02:00
Armon Dadgar
b1f64cb521
Merge pull request #273 from hashicorp/unseal-keys-notice
...
Change phrasing for unseal key notification
2015-06-01 13:06:52 +02:00
Steven De Coeyer
fc2400698a
Add help info for -dev flag
2015-05-31 18:05:15 +02:00
Chris Bednarski
99325f2a31
Updated phrasing to note restarts, stop, and other sealing scenarios
2015-05-28 17:07:38 -07:00
Chris Bednarski
1e94e05c60
Changed phrasing for unseal key notification
2015-05-28 17:02:09 -07:00
Armon Dadgar
33bc096f43
command/rekey: adding tests
2015-05-28 15:22:42 -07:00
Armon Dadgar
da566a41fd
command/rekey: first pass at rekey
2015-05-28 15:08:09 -07:00
Armon Dadgar
4a11980dc1
command/rotate: Adding new rotate command
2015-05-28 10:16:33 -07:00
Sheldon Hearn
c2390f2a29
Don't recommend exporting VAULT_TOKEN
...
It's not needed by the dev server (which writes ~/.vault-token),
and breaks the Getting Started guide (e.g. #267).
2015-05-28 14:39:35 +02:00
Armon Dadgar
db55ac7d74
command/key-status: Adding new key-status command
2015-05-27 18:17:02 -07:00
Armon Dadgar
aa867120b3
Merge pull request #251 from DavidWittman/auth-prompt-without-args
...
Prompt for auth token when no args provided
2015-05-27 11:24:33 -07:00
David Wittman
deccef209c
Add test for stdin input
...
Shamelessly borrowed this pattern from write_test.go
2015-05-23 13:23:38 -05:00
David Wittman
d86fe916cb
Read from stdin with auth command
2015-05-23 13:23:37 -05:00
Ian Unruh
c6b5d957de
Add ability to read raw field from secret
2015-05-22 11:28:23 -07:00
Armon Dadgar
bb6addc58f
command/renew: typo fix. Fixes #240
2015-05-21 11:03:25 -07:00
David Wittman
9797143038
Prompt for auth token when no args provided
...
This makes `vault auth` work as documented:
> If no -method is specified, then the token is expected. If it is not
> given on the command-line, it will be asked via user input. If the
> token is "-", it will be read from stdin.
2015-05-20 22:10:02 -05:00
Armon Dadgar
b474fa6dc5
server: Minor copy change
2015-05-20 17:49:16 -07:00
Armon Dadgar
628e102419
Merge pull request #222 from DavidWittman/config-backend-check
...
Fail gracefully if a physical backend is not supplied
2015-05-20 17:47:45 -07:00
Armon Dadgar
61f2e86f4e
command/listener: Request TLS client cert. Fixes #214
2015-05-20 16:01:40 -07:00
Ian Unruh
045b5a9c84
Improve unseal CLI message
2015-05-19 00:34:18 -07:00
David Wittman
792e3a26f4
Fail gracefully if a phys backend is not supplied
2015-05-18 22:55:12 -05:00