9692 Commits

Author SHA1 Message Date
Jeff Mitchell
84c67e3f91 Remove noop checks in unmount/remount and restore previous behavior 2015-09-15 13:50:37 -04:00
Jeff Mitchell
51e948c8fc Implement the cubbyhole backend
In order to implement this efficiently, I have introduced the concept of
"singleton" backends -- currently, 'sys' and 'cubbyhole'. There isn't
much reason to allow sys to be mounted at multiple places, and there
isn't much reason you'd need multiple per-token storage areas. By
restricting it to just one, I can store that particular mount instead of
iterating through them in order to call the appropriate revoke function.

Additionally, because revocation on the backend needs to be triggered by
the token store, the token store's salt is kept in the router and
client tokens going to the cubbyhole backend are double-salted by the
router. This allows the token store to drive when revocation happens
using its salted tokens.
2015-09-15 13:50:37 -04:00
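The double-salting described in the commit message above, as an added illustration that is not Vault's own code: a router that holds the token store's salt applies it to the client token before the cubbyhole mount applies its own salt, so a later revoke driven by the token store (which only ever knows the once-salted ID) lands on the same storage key. The salt function (SHA-1 over salt||id, hex encoded), the mount-salt value and all names here are assumptions for the example; a second function shows the failure the scheme prevents, where a router that forgets the token store's salt leaves per-token data alive after revocation.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// saltID derives an opaque storage key from a secret salt and an ID.
// Assumption for this example: SHA-1 over salt||id, hex encoded. This is a
// stand-in for a salted lookup key, not Vault's implementation.
func saltID(salt, id string) string {
	sum := sha1.Sum([]byte(salt + id))
	return hex.EncodeToString(sum[:])
}

// cubbyhole is a per-token scratch store keyed by a salted token ID.
type cubbyhole struct {
	mountSalt string // the mount's own salt (assumed here to be the mount UUID)
	data      map[string]map[string]string
}

// storeKey is the key the backend actually sees: the router has already
// applied the mount salt to whatever ClientToken it was handed.
func (c *cubbyhole) storeKey(clientToken string) string {
	return saltID(c.mountSalt, clientToken)
}

func (c *cubbyhole) write(clientToken, path, value string) {
	k := c.storeKey(clientToken)
	if c.data[k] == nil {
		c.data[k] = map[string]string{}
	}
	c.data[k][path] = value
}

func (c *cubbyhole) read(clientToken, path string) (string, bool) {
	v, ok := c.data[c.storeKey(clientToken)][path]
	return v, ok
}

// revoke is called by the token store with an already once-salted ID; the
// mount salt is applied on top, giving the second of the two salts.
func (c *cubbyhole) revoke(saltedToken string) {
	delete(c.data, saltID(c.mountSalt, saltedToken))
}

// router holds the one piece of shared knowledge, the token store's salt, so
// client requests to cubbyhole are salted with it first and the mount salt
// second: the same key the token store will later pass to revoke.
type router struct {
	tokenStoreSalt string
	cb             *cubbyhole
}

func (r *router) handleWrite(rawToken, path, value string) {
	r.cb.write(saltID(r.tokenStoreSalt, rawToken), path, value)
}

func (r *router) handleRead(rawToken, path string) (string, bool) {
	return r.cb.read(saltID(r.tokenStoreSalt, rawToken), path)
}

// tokenStore keeps only salted token IDs and hands one to cubbyhole on revoke.
type tokenStore struct {
	salt string
	cb   *cubbyhole
}

func (ts *tokenStore) revoke(rawToken string) {
	ts.cb.revoke(saltID(ts.salt, rawToken))
}

func newSystem() (*cubbyhole, *tokenStore, *router) {
	cb := &cubbyhole{mountSalt: "cubbyhole-mount-uuid", data: map[string]map[string]string{}}
	ts := &tokenStore{salt: "token-store-salt", cb: cb}
	return cb, ts, &router{tokenStoreSalt: ts.salt, cb: cb}
}

// doubleSaltDemo writes through the router, revokes through the token store,
// and reports whether the data was readable before and after revocation.
func doubleSaltDemo() (beforeOK, afterOK bool) {
	_, ts, rt := newSystem()
	rt.handleWrite("client-token-123", "scratch", "hello")
	_, beforeOK = rt.handleRead("client-token-123", "scratch")
	ts.revoke("client-token-123")
	_, afterOK = rt.handleRead("client-token-123", "scratch")
	return beforeOK, afterOK
}

// singleSaltDemo shows the failure mode: a router that skips the token store's
// salt stores under a key the token store's salted ID can never reach, so the
// data survives revocation. Returns true if the data is still present.
func singleSaltDemo() bool {
	cb, ts, _ := newSystem()
	cb.write("client-token-123", "scratch", "hello") // raw token, no token-store salt
	ts.revoke("client-token-123")
	_, stillThere := cb.read("client-token-123", "scratch")
	return stillThere
}

func main() {
	before, after := doubleSaltDemo()
	fmt.Printf("double salt: readable before=%v after=%v\n", before, after)
	fmt.Printf("single salt: survives revoke=%v\n", singleSaltDemo())
}
```

The backend never learns the raw client token or the token store's salt; it only sees keys that have already been salted twice, which is what lets the token store drive revocation from its own salted IDs.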
Jeff Mitchell
11cea42ec7 Rename View to StorageView to make it more distinct from SystemView 2015-09-15 13:50:37 -04:00
Tuomas Silen
82a04398a3 Rename error return var 2015-09-15 11:18:43 +03:00
Jeff Mitchell
1247459ae1 Ensure that the response body of logical calls is closed, even if there is an error. 2015-09-14 18:22:33 -04:00
Jeff Mitchell
ab4d01e4a3 Merge pull request #607 from lassizci/postgresql-timezone
Explicitly set timezone with PostgreSQL timestamps.
2015-09-14 11:55:02 -04:00
Jeff Mitchell
f0f20cb84f When there is one use left and a Secret is being returned, instead
return a descriptive error indicating that the Secret cannot be returned
because when the token was revoked the secret was too. This prevents
confusion where credentials come back but cannot be used.

Fixes #615
2015-09-14 11:07:27 -04:00
Lassi Pölönen
1a6f778623 Define time zone explicitly in postgresql connection string. 2015-09-14 13:43:06 +03:00
Lassi Pölönen
ea2a6361eb Explicitly set timezone with PostgreSQL timestamps. 2015-09-14 13:43:06 +03:00
Tuomas Silen
e92001ca69 Further cleanup, use named return vals 2015-09-14 13:30:15 +03:00
Vishal Nayak
3a6d9861ca Merge pull request #613 from hashicorp/doc-token-renewal
Improve documentation of token renewal
2015-09-11 21:38:34 -04:00
vishalnayak
cd5da08a62 Typo fix 2015-09-11 21:36:20 -04:00
vishalnayak
ec4f6e59b3 Improve documentation of token renewal 2015-09-11 21:08:32 -04:00
Jeff Mitchell
2c4b346c81 Merge pull request #608 from lassizci/backend-cleanup
Provide a cleanup method for backends; if defined, will be run just before unloading.
2015-09-11 10:52:04 -04:00
Tuomas Silen
154aada606 Cleanup defer func 2015-09-11 16:30:12 +03:00
Tuomas Silen
0f8bbb753a Use defer to close the channel in case of error 2015-09-11 16:17:23 +03:00
Lassi Pölönen
be1b9e5a36 Cleanup routines should now use routeEntry instead of mountEntry. 2015-09-11 13:40:31 +03:00
Lassi Pölönen
a769c1231b Call ResetDB as Cleanup routine to close existing database connections
on backend unmount.
2015-09-11 11:45:58 +03:00
Lassi Pölönen
750cf5053c Implement clean up routine to backend as some backends may require
e.g. closing database connections on unmount to avoid connection
stacking.
2015-09-11 11:45:58 +03:00
Vishal Nayak
73416e1a0d Merge pull request #580 from hashicorp/zeroaddress-path
Add root authenticated path to allow default CIDR to select roles
2015-09-10 15:28:49 -04:00
Jeff Mitchell
a1e5777104 Merge pull request #585 from hashicorp/per-backend-ttls
Per backend configuration
2015-09-10 15:27:07 -04:00
Jeff Mitchell
4eb9cd4c28 Remove error returns from sysview TTL calls 2015-09-10 15:09:54 -04:00
Jeff Mitchell
58cac79665 Be consistent as both are the same pointer here 2015-09-10 15:09:54 -04:00
Jeff Mitchell
915b8680ac Implement shallow cloning to allow MountEntry pointers to stay consistent when spread across router/core/system views 2015-09-10 15:09:54 -04:00
Jeff Mitchell
b9a5a137c0 Address items from feedback. Make MountConfig use values rather than
pointers and change how config is read to compensate.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
3e713c61ac Push a lot of logic into Router to make a bunch of it nicer and enable a
lot of cleanup. Plumb config and calls to framework.Backend.Setup() into
logical_system and elsewhere, including tests.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
76c18762aa Add more unit tests against backend TTLs, and fix two bugs found by them
(yay unit tests!)
2015-09-10 15:09:54 -04:00
Jeff Mitchell
205ef29a59 Fix mount config test by proxying mounts/ in addition to mounts 2015-09-10 15:09:54 -04:00
Jeff Mitchell
0df0df2fcb Fix typo 2015-09-10 15:09:54 -04:00
Jeff Mitchell
b3422bec2f A couple bug fixes + most unit tests 2015-09-10 15:09:54 -04:00
Jeff Mitchell
dd8ac00daa Rejig how dynamic values are represented in system view and location of some functions in various packages; create mount-tune command and API analogues; update documentation 2015-09-10 15:09:54 -04:00
Jeff Mitchell
aadf039368 Add DynamicSystemView. This uses a pointer to a pointer to always have
up-to-date information. This allows remount to be implemented with the
same source and dest, allowing mount options to be changed on the fly.
If/when Vault gains the ability to HUP its configuration, this should
just work for the global values as well.

Need specific unit tests for this functionality.
2015-09-10 15:09:54 -04:00
Jeff Mitchell
6e0cee3ef4 Switch StaticSystemView values to pointers, to support updating 2015-09-10 15:09:54 -04:00
Jeff Mitchell
b86f252c77 Allow POST as well as PUT for seal/unseal command, fits in more with how logical handles things 2015-09-10 15:09:53 -04:00
Jeff Mitchell
dffcf0548e Plumb per-mount config options through API 2015-09-10 15:09:53 -04:00
Jeff Mitchell
bb2a7b4343 Minor cleanup of MountConfig 2015-09-10 15:09:53 -04:00
Jeff Mitchell
0b8c781126 Add logic to core to fetch a SystemView for a given mount entry and use those values for default/max TTL. The SystemView will reflect system defaults if not set for that mount. 2015-09-10 15:09:53 -04:00
vishalnayak
484d854de0 Vault SSH: Testing credential creation on zero address roles 2015-09-10 11:55:07 -04:00
vishalnayak
32fc41cbac Vault SSH: Expected data for testRoleRead 2015-09-10 10:44:26 -04:00
vishalnayak
cb007ced48 Merge branch 'master' of https://github.com/hashicorp/vault 2015-09-10 10:03:17 -04:00
Tuomas Silen
8d9eaca39a Renew the semaphore key periodically
The semaphore key is used to determine whether we are the leader or not and is set to expire after a TTL of 15 seconds. There was no logic implemented to renew the key before it expired, which caused the leader to step down and change every 15 seconds. A periodic timer is now added to update the key every 5 seconds to renew the TTL of the key.
2015-09-09 19:33:07 +03:00
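The leadership bug described in the commit message above, as an added example that is not Vault's own code: a constructed in-memory key with a 15 second TTL stands in for the HA backend's semaphore key, driven by an explicit clock so the run is deterministic offline. Without renewal the holder is no longer seen as leader once the TTL lapses and a contender can take the key; renewing every 5 seconds (well inside the TTL) keeps the holder in place. The store, the `runLeader` loop and all names are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

const (
	keyTTL        = 15 * time.Second // semaphore key expiry (from the commit message)
	renewInterval = 5 * time.Second  // renewal period (from the commit message)
)

// kv is a constructed stand-in for an HA backend key with a TTL. Time is
// advanced explicitly through the now field instead of a wall clock.
type kv struct {
	now    time.Time
	owner  string
	expiry time.Time
}

func (s *kv) expired() bool { return s.owner != "" && !s.now.Before(s.expiry) }

// acquire takes the semaphore key if it is free, expired, or already ours.
func (s *kv) acquire(id string, ttl time.Duration) bool {
	if s.owner != "" && !s.expired() && s.owner != id {
		return false
	}
	s.owner, s.expiry = id, s.now.Add(ttl)
	return true
}

// renew refreshes the TTL, but only for the current, unexpired holder: a
// renewal that arrives after expiry must not silently re-take the key.
func (s *kv) renew(id string, ttl time.Duration) error {
	if s.owner != id || s.expired() {
		return errors.New("not the holder, or key already expired")
	}
	s.expiry = s.now.Add(ttl)
	return nil
}

// leader reports who currently holds an unexpired key ("" if nobody).
func (s *kv) leader() string {
	if s.expired() {
		return ""
	}
	return s.owner
}

// runLeader has node id take the key and then step the clock one second at a
// time for hold, renewing every renewInterval when renew is true. It returns
// how many of those seconds the node was still observed as leader and whether
// leadership was lost at any point.
func runLeader(store *kv, id string, hold time.Duration, renew bool) (leaderSeconds int, lost bool) {
	start := store.now
	if !store.acquire(id, keyTTL) {
		return 0, true
	}
	for store.now.Sub(start) < hold {
		store.now = store.now.Add(time.Second)
		if renew && store.now.Sub(start)%renewInterval == 0 {
			if err := store.renew(id, keyTTL); err != nil {
				return leaderSeconds, true
			}
		}
		if store.leader() == id {
			leaderSeconds++
		} else {
			lost = true
		}
	}
	return leaderSeconds, lost
}

// contenderTakesOver runs node-a for 20 seconds, then lets node-b try to
// acquire the key, and returns who is leader afterwards.
func contenderTakesOver(renew bool) string {
	store := &kv{now: time.Unix(0, 0)}
	runLeader(store, "node-a", 20*time.Second, renew)
	store.acquire("node-b", keyTTL)
	return store.leader()
}

func main() {
	for _, renew := range []bool{false, true} {
		store := &kv{now: time.Unix(0, 0)}
		secs, lost := runLeader(store, "node-a", 60*time.Second, renew)
		fmt.Printf("renew=%v: leader for %ds of 60s, lost=%v, after contender: %s\n",
			renew, secs, lost, contenderTakesOver(renew))
	}
}
```

Picking a renewal period of a third of the TTL gives two missed renewals of slack before the key lapses; the renewal path also refuses to refresh an expired key, so a node that was genuinely partitioned has to go back through acquire rather than quietly resuming leadership.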
Jeff Mitchell
12521eb87f Merge pull request #508 from mfischer-zd/webdoc_environment
docs: Document environment variables
2015-09-09 11:29:10 -04:00
Jeff Mitchell
a046662842 Merge pull request #592 from blalor/patch-1
Remove unused param to 'vault write aws/roles/deploy'
2015-09-09 11:28:15 -04:00
Michael S. Fischer
eb494455ed docs: Document environment variables 2015-09-08 11:59:58 -07:00
Seth Vargo
2880fac54a Merge pull request #595 from jeteon/patch-1
Typo fix
2015-09-08 14:06:19 -04:00
Neo
315047dca6 Typo fix 2015-09-08 02:43:01 +02:00
Brian Lalor
ade8c31469 Remove unused param to 'vault write aws/roles/deploy'
The name is taken from the path, not the request body.  Having the duplicate key is confusing.
2015-09-06 06:57:39 -04:00
Armon Dadgar
c3ba4fc147 Merge pull request #590 from MarkVLK/patch-1
Update mysql docs markdown to fix grammar error
2015-09-04 19:13:50 -07:00
Armon Dadgar
4e77fd1e04 Merge pull request #591 from MarkVLK/patch-2
Update transit docs markdown to add missing word
2015-09-04 19:13:35 -07:00
MarkVLK
ac44229d18 Update transit docs markdown to add missing word
Added the presumably missing *decrypt* from "encrypt/data" in the first sentence.
2015-09-04 17:11:34 -07:00