From b3f5b5948fe3b9d6b681d7a2a6010842e7878c6f Mon Sep 17 00:00:00 2001 From: Brian Kassouf Date: Tue, 2 Oct 2018 15:15:46 -0700 Subject: [PATCH 01/24] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ea3ff3cc6..ac9426b54 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -50,6 +50,7 @@ IMPROVEMENTS: * storage/zookeeper: Enable TLS based communication with Zookeeper [GH-4856] * ui: you can now init a cluster with a seal config [GH-5428] * ui: added the option to force promote replication clusters [GH-5438] + * replication: Allow promotion of a secondary when data is syncing with a "force" flag ## 0.11.1.1 (September 17th, 2018) (Enterprise Only) From 0cd93c48c0b8a42b13e5ea462204dbe34ed02500 Mon Sep 17 00:00:00 2001 From: Chris Hoffman Date: Tue, 2 Oct 2018 20:18:59 -0400 Subject: [PATCH 02/24] adding upgrade guide (#5447) --- .../upgrading/upgrade-to-0.11.2.html.md | 24 +++++++++++++++++++ website/source/layouts/guides.erb | 3 +++ 2 files changed, 27 insertions(+) create mode 100644 website/source/guides/upgrading/upgrade-to-0.11.2.html.md diff --git a/website/source/guides/upgrading/upgrade-to-0.11.2.html.md b/website/source/guides/upgrading/upgrade-to-0.11.2.html.md new file mode 100644 index 000000000..cbcb05b39 --- /dev/null +++ b/website/source/guides/upgrading/upgrade-to-0.11.2.html.md @@ -0,0 +1,24 @@ +--- +layout: "guides" +page_title: "Upgrading to Vault 0.11.2 - Guides" +sidebar_current: "guides-upgrading-to-0.11.2" +description: |- + This page contains the list of deprecations and important or breaking changes + for Vault 0.11.2. Please read it carefully. +--- + +# Overview + +This page contains the list of deprecations and important or breaking changes +for Vault 0.11.2 compared to 0.11.1. Please read it carefully. + +### `sys/seal-status` Behavior Change + +The `sys/seal-status` endpoint now includes an initialized boolean in the +output. If Vault is not initialized, it will return a 200 with this value +set false instead of a 400 + +### Mount Config Passthrough Headers + +The mount config option for `passthrough_request_headers` will now deny +certain headers from being provided to backends based on a global denylist. diff --git a/website/source/layouts/guides.erb b/website/source/layouts/guides.erb index 9261a37c3..99ebb937f 100644 --- a/website/source/layouts/guides.erb +++ b/website/source/layouts/guides.erb @@ -197,6 +197,9 @@ > Upgrade to 0.11.0 + > + Upgrade to 0.11.2 + From 7409777888adca8ba3a6ca1d212013864cd1b320 Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Tue, 2 Oct 2018 17:21:26 -0700 Subject: [PATCH 03/24] alicloud auto-unseal docs (#5446) --- .../configuration/seal/alicloudkms.html.md | 90 +++++++++++++++++++ website/source/layouts/docs.erb | 3 + 2 files changed, 93 insertions(+) create mode 100644 website/source/docs/configuration/seal/alicloudkms.html.md diff --git a/website/source/docs/configuration/seal/alicloudkms.html.md b/website/source/docs/configuration/seal/alicloudkms.html.md new file mode 100644 index 000000000..47f40643c --- /dev/null +++ b/website/source/docs/configuration/seal/alicloudkms.html.md @@ -0,0 +1,90 @@ +--- +layout: "docs" +page_title: "AliCloud KMS - Seals - Configuration" +sidebar_current: "docs-configuration-seal-alicloudkms" +description: |- + The AliCloud KMS seal configures Vault to use AliCloud KMS as the seal wrapping + mechanism. +--- + +# `alicloudkms` Seal + +The AliCloud KMS seal configures Vault to use AliCloud KMS as the seal wrapping mechanism. +Vault Enterprise's AliCloud KMS seal is activated by one of the following: + +* The presence of a `seal "alicloudkms"` block in Vault's configuration file. +* The presence of the environment variable `VAULT_SEAL_TYPE` set to `alicloudkms`. If + enabling via environment variable, all other required values specific to AliCloud + KMS (i.e. `VAULT_ALICLOUDKMS_SEAL_KEY_ID`) must be also supplied, as well as all + other AliCloud-related environment variables that lends to successful + authentication. + +## `alicloudkms` Example + +This example shows configuring AliCloud KMS seal through the Vault configuration file +by providing all the required values: + +```hcl +seal "alicloudkms" { + region = "us-east-1" + access_key = "0wNEpMMlzy7szvai" + secret_key = "PupkTg8jdmau1cXxYacgE736PJj4cA" + kms_key_id = "08c33a6f-4e0a-4a1b-a3fa-7ddfa1d4fb73" +} +``` + +## `alicloudkms` Parameters + +These parameters apply to the `seal` stanza in the Vault configuration file: + +- `region` `(string: "us-east-1")`: The AliCloud region where the encryption key + lives. May also be specified by the `ALICLOUD_REGION` + environment variable. + +- `domain` `(string: "kms.us-east-1.aliyuncs.com")`: If set, overrides the endpoint + AliCloud would normally use for KMS for a particular region. May also be specified + by the `ALICLOUD_DOMAIN` environment variable. + +- `access_key` `(string: )`: The AliCloud access key ID to use. May also be + specified by the `ALICLOUD_ACCESS_KEY` environment variable or as part of the + AliCloud profile from the AliCloud CLI or instance profile. + +- `secret_key` `(string: )`: The AliCloud secret access key to use. May + also be specified by the `ALICLOUD_SECRET_KEY` environment variable or as + part of the AliCloud profile from the AliCloud CLI or instance profile. + +- `kms_key_id` `(string: )`: The AliCloud KMS key ID to use for encryption + and decryption. May also be specified by the `VAULT_ALICLOUDKMS_SEAL_KEY_ID` + environment variable. + +## Authentication + +Authentication-related values must be provided, either as environment +variables or as configuration parameters. + +~> **Note:** Although the configuration file allows you to pass in +`ALICLOUD_ACCESS_KEY` and `ALICLOUD_SECRET_KEY` as part of the seal's parameters, it +is *strongly* recommended to set these values via environment variables. + +```text +AliCloud authentication values: + +* `ALICLOUD_REGION` +* `ALICLOUD_ACCESS_KEY` +* `ALICLOUD_SECRET_KEY` +``` + +Note: The client uses the official AliCloud SDK and will use environment credentials, +the specified credentials, or RAM role credentials in that order. + +## `alicloudkms` Environment Variables + +Alternatively, the AliCloud KMS seal can be activated by providing the following +environment variables: + +```text +Vault Seal specific values: + +* `VAULT_SEAL_TYPE` +* `VAULT_ALICLOUDKMS_SEAL_KEY_ID` +``` diff --git a/website/source/layouts/docs.erb b/website/source/layouts/docs.erb index 407527f6e..08d1afeaf 100644 --- a/website/source/layouts/docs.erb +++ b/website/source/layouts/docs.erb @@ -97,6 +97,9 @@ > seal
    + > + AliCloud KMS ENT + > AWS KMS ENT From 39a2ba7424adbb61f49f3aa83f7897a92afce8f9 Mon Sep 17 00:00:00 2001 From: Brian Kassouf Date: Tue, 2 Oct 2018 17:41:04 -0700 Subject: [PATCH 04/24] mailto link (#5448) --- website/source/guides/partnerships/index.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/guides/partnerships/index.html.md b/website/source/guides/partnerships/index.html.md index f1d92c6f0..478455553 100644 --- a/website/source/guides/partnerships/index.html.md +++ b/website/source/guides/partnerships/index.html.md @@ -110,7 +110,7 @@ The only knowledge necessary to write a plugin is basic command-line skills and ### 4. Review

    -HashiCorp will review and certify your Vault integration. Please send the Vault logs and other relevant logs for verification at: vault-integration-dev@hashicorp.com. For Auth, Secret and Storage plugins, submit a GitHub pull request (PR) against the Vault project (https://github.com/hashicorp/vault). Where applicable, the vendor will need to provide HashiCorp with a test account. +HashiCorp will review and certify your Vault integration. Please send the Vault logs and other relevant logs for verification at: vault-integration-dev@hashicorp.com. For Auth, Secret and Storage plugins, submit a GitHub pull request (PR) against the Vault project (https://github.com/hashicorp/vault). Where applicable, the vendor will need to provide HashiCorp with a test account.

    ### 5. Release From 316a9ed48f93c239dcfe6828adce0a80a261dc3b Mon Sep 17 00:00:00 2001 From: Brian Kassouf Date: Tue, 2 Oct 2018 17:45:17 -0700 Subject: [PATCH 05/24] Fix identity link (#5449) --- website/source/api/auth/aws/index.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/api/auth/aws/index.html.md b/website/source/api/auth/aws/index.html.md index a44e5b288..770c56638 100644 --- a/website/source/api/auth/aws/index.html.md +++ b/website/source/api/auth/aws/index.html.md @@ -134,7 +134,7 @@ $ curl \ ## Configure Identity Integration This configures the way that Vault interacts with the -[Identity](/docs/secrets/identity/index.html.md) store. This currently only +[Identity](/docs/secrets/identity/index.html) store. This currently only configures how identity aliases are generated when using the `iam` auth method. | Method | Path | Produces | From 59dc6d786fb2bc7ca7bcb95ba197803deb60efe5 Mon Sep 17 00:00:00 2001 From: Martins Sipenko Date: Wed, 3 Oct 2018 16:16:36 +0300 Subject: [PATCH 06/24] Fix missing > (#5452) --- website/source/docs/configuration/storage/mysql.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/configuration/storage/mysql.html.md b/website/source/docs/configuration/storage/mysql.html.md index c64fdab0b..45cc16d1f 100644 --- a/website/source/docs/configuration/storage/mysql.html.md +++ b/website/source/docs/configuration/storage/mysql.html.md @@ -53,7 +53,7 @@ Additionally, Vault requires the following authentication information. - `username` `(string: )` – Specifies the MySQL username to connect to the database. -- `password` `(string: )` – Specifies the MySQL password to connect to the database. ### High Availability Parameters From 695f9ed6824a2748bd00e2d7fd625065a186a072 Mon Sep 17 00:00:00 2001 From: Jeff Date: Wed, 3 Oct 2018 13:25:57 -0500 Subject: [PATCH 07/24] fix doc typo (#5455) --- website/source/api/secret/aws/index.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/api/secret/aws/index.html.md b/website/source/api/secret/aws/index.html.md index e7adcad75..c14aec6fc 100644 --- a/website/source/api/secret/aws/index.html.md +++ b/website/source/api/secret/aws/index.html.md @@ -209,7 +209,7 @@ updated with the new attributes. prohibited otherwise. This is a comma-separated string or JSON array. - `policy_arns` `(list: [])` – Specifies the ARNs of the AWS managed policies to - be attached to IAM users when they are requsted. Valid only when + be attached to IAM users when they are requested. Valid only when `credential_type` is `iam_user`. When `credential_type` is `iam_user`, at least one of `policy_arns` or `policy_document` must be specified. This is a comma-separated string or JSON array. From 4c9301a91f96b309cd4e49704cd3a4dd8ee385d7 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Thu, 4 Oct 2018 09:09:41 -0400 Subject: [PATCH 08/24] Remove incorrect api docs text around metadata being supported for identity aliases --- .../api/secret/identity/entity-alias.html.md | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/website/source/api/secret/identity/entity-alias.html.md b/website/source/api/secret/identity/entity-alias.html.md index e6f33c7d4..d47df2384 100644 --- a/website/source/api/secret/identity/entity-alias.html.md +++ b/website/source/api/secret/identity/entity-alias.html.md @@ -29,18 +29,11 @@ This endpoint creates a new alias for an entity. - `mount_accessor` `(string: )` - Accessor of the mount to which the alias should belong to. -- `metadata` `(key-value-map: {})` – Metadata to be associated with the - alias. - ### Sample Payload ```json { "name": "testuser", - "metadata": { - "group": "san_francisco", - "region": "west" - }, "canonical_id": "404e57bc-a0b1-a80f-0a73-b6e92e8a52d3", "mount_accessor": "auth_userpass_e50b1a44" } @@ -130,18 +123,11 @@ This endpoint is used to update an existing entity alias. - `mount_accessor` `(string: )` - Accessor of the mount to which the alias should belong to. -- `metadata` `(key-value-map: {})` – Metadata to be associated with the - alias. Format should be a list of `key=value` pairs. - ### Sample Payload ```json { "name": "testuser", - "metadata": { - "group": "philadelphia", - "region": "east" - }, "canonical_id": "404e57bc-a0b1-a80f-0a73-b6e92e8a52d3", "mount_accessor": "auth_userpass_e50b1a44" } From 247d09a1fc86a21cb56cf4392692e40ca0fea6b3 Mon Sep 17 00:00:00 2001 From: Konstantinos Tsanaktsidis Date: Thu, 4 Oct 2018 23:51:08 +1000 Subject: [PATCH 09/24] Fix a panic in MongoDB backend with concurrent create/revoke (#5463) When Vault is concurrently creating and revoking leases for MongoDB users as part of the database secrets engine, and then loses connection to MongoDB, it can panic. This occurrs because the RevokeUser path does _not_ lock the mutex, but the CreateUser path does. Both threads of execution can concurently decide to call c.session.Close() in mongodb/connection_producer.go:119, and then mgo panics when the second close attempt occurs. --- plugins/database/mongodb/mongodb.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/plugins/database/mongodb/mongodb.go b/plugins/database/mongodb/mongodb.go index 61ca9c51b..9f338a152 100644 --- a/plugins/database/mongodb/mongodb.go +++ b/plugins/database/mongodb/mongodb.go @@ -165,6 +165,9 @@ func (m *MongoDB) RenewUser(ctx context.Context, statements dbplugin.Statements, // RevokeUser drops the specified user from the authentication database. If none is provided // in the revocation statement, the default "admin" authentication database will be assumed. func (m *MongoDB) RevokeUser(ctx context.Context, statements dbplugin.Statements, username string) error { + m.Lock() + defer m.Unlock() + statements = dbutil.StatementCompatibilityHelper(statements) session, err := m.getConnection(ctx) From 6b9b189475248212e3c315dbec24da9e8ca2f320 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Thu, 4 Oct 2018 09:51:41 -0400 Subject: [PATCH 10/24] changelog++ --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index ac9426b54..70987ec80 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,9 @@ +## 0.11.3 (Unreleased) + +BUG FIXES: + + * database/mongodb: Fix panic that could occur at high load [GH-5463] + ## 0.11.2 (October 2nd, 2018) CHANGES: From f9ffdbb1b2959e6bd549aa596e0a5bf91a14c500 Mon Sep 17 00:00:00 2001 From: Sebastian Plattner Date: Thu, 4 Oct 2018 18:27:29 +0200 Subject: [PATCH 11/24] Fix remove Group Member in Identity Group not working (#5466) --- vault/identity_store_util.go | 39 ++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go index 94ae1eef4..94c04481e 100644 --- a/vault/identity_store_util.go +++ b/vault/identity_store_util.go @@ -931,6 +931,45 @@ func (i *IdentityStore) sanitizeAndUpsertGroup(ctx context.Context, group *ident defer txn.Abort() memberGroupIDs = strutil.RemoveDuplicates(memberGroupIDs, false) + + // Remove ParentGroupID from removed GroupMembers + // Get the current MemberGroups IDs for this group + var currentMemberGroupIDs []string + currentMemberGroups, err := i.MemDBGroupsByParentGroupID(group.ID, false) + if err != nil { + return err + } + for _, currentMemberGroup := range currentMemberGroups { + currentMemberGroupIDs = append(currentMemberGroupIDs, currentMemberGroup.ID) + } + + // Check if current MemberGroups should be removed + for _, currentMemberGroupID := range currentMemberGroupIDs { + currentMemberGroup, err := i.MemDBGroupByID(currentMemberGroupID, true) + if err != nil { + return err + } + if currentMemberGroup == nil { + return fmt.Errorf("invalid member group ID %q", currentMemberGroupID) + } + + // Remove ParentGroup Entry for this group from removed Group + if !strutil.StrListContains(memberGroupIDs, currentMemberGroupID) { + currentMemberGroup.ParentGroupIDs = strutil.StrListDelete(currentMemberGroup.ParentGroupIDs, group.ID) + } + + // This technically is not upsert. It is only update, only the method + // name is upsert here. + err = i.UpsertGroupInTxn(txn, currentMemberGroup, true) + if err != nil { + // Ideally we would want to revert the whole operation in case of + // errors while persisting in member groups. But there is no + // storage transaction support yet. When we do have it, this will need + // an update. + return err + } + } + // After the group lock is held, make membership updates to all the // relevant groups for _, memberGroupID := range memberGroupIDs { From 5976b32855a531429d9d0d8d4fa1ca603e882510 Mon Sep 17 00:00:00 2001 From: Jim Kalafut Date: Thu, 4 Oct 2018 09:51:54 -0700 Subject: [PATCH 12/24] Update examples to use sha256 (#5468) sha_256 is supported but not referenced in our API docs. --- website/source/api/system/plugins-catalog.html.md | 2 +- website/source/docs/auth/azure.html.md | 2 +- website/source/docs/internals/plugins.html.md | 2 +- website/source/docs/secrets/databases/custom.html.md | 2 +- website/source/docs/secrets/databases/oracle.html.md | 2 +- website/source/guides/operations/plugin-backends.html.md | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/website/source/api/system/plugins-catalog.html.md b/website/source/api/system/plugins-catalog.html.md index 6f24ec5e6..781a1a2ba 100644 --- a/website/source/api/system/plugins-catalog.html.md +++ b/website/source/api/system/plugins-catalog.html.md @@ -81,7 +81,7 @@ supplied name. ```json { - "sha_256": "d130b9a0fbfddef9709d8ff92e5e6053ccd246b78632fc03b8548457026961e9", + "sha256": "d130b9a0fbfddef9709d8ff92e5e6053ccd246b78632fc03b8548457026961e9", "command": "mysql-database-plugin" } ``` diff --git a/website/source/docs/auth/azure.html.md b/website/source/docs/auth/azure.html.md index 6d3f38cfd..a1369c47a 100644 --- a/website/source/docs/auth/azure.html.md +++ b/website/source/docs/auth/azure.html.md @@ -178,7 +178,7 @@ for your server at `path/to/plugins`: ```text $ vault write sys/plugins/catalog/azure-auth \ command="vault-plugin-auth-azure" \ - sha_256="..." + sha256="..." ``` 1. Enable the azure auth method as a plugin: diff --git a/website/source/docs/internals/plugins.html.md b/website/source/docs/internals/plugins.html.md index 1ab0a6ffb..752725df8 100644 --- a/website/source/docs/internals/plugins.html.md +++ b/website/source/docs/internals/plugins.html.md @@ -73,7 +73,7 @@ An example plugin submission looks like: ``` $ vault write sys/plugins/catalog/myplugin-database-plugin \ - sha_256= \ + sha256= \ command="myplugin" Success! Data written to: sys/plugins/catalog/myplugin-database-plugin ``` diff --git a/website/source/docs/secrets/databases/custom.html.md b/website/source/docs/secrets/databases/custom.html.md index 9f22eaa0a..0b3218955 100644 --- a/website/source/docs/secrets/databases/custom.html.md +++ b/website/source/docs/secrets/databases/custom.html.md @@ -102,7 +102,7 @@ this your token will need sudo permissions. ```text $ vault write sys/plugins/catalog/myplugin-database-plugin \ - sha_256="..." \ + sha256="..." \ command="myplugin" Success! Data written to: sys/plugins/catalog/myplugin-database-plugin ``` diff --git a/website/source/docs/secrets/databases/oracle.html.md b/website/source/docs/secrets/databases/oracle.html.md index 325b2e43f..9df6320c0 100644 --- a/website/source/docs/secrets/databases/oracle.html.md +++ b/website/source/docs/secrets/databases/oracle.html.md @@ -49,7 +49,7 @@ you will need to enable ipc_lock capabilities for the plugin binary. ```text $ vault write sys/plugins/catalog/oracle-database-plugin \ - sha_256="..." \ + sha256="..." \ command=vault-plugin-database-oracle ``` diff --git a/website/source/guides/operations/plugin-backends.html.md b/website/source/guides/operations/plugin-backends.html.md index af53049e6..aadb91eed 100644 --- a/website/source/guides/operations/plugin-backends.html.md +++ b/website/source/guides/operations/plugin-backends.html.md @@ -70,7 +70,7 @@ $ shasum -a 256 /etc/vault/vault_plugins/my-mock-plugin 2c071aafa1b30897e60b79643e77592cb9d1e8f803025d44a7f9bbfa4779d615 /etc/vault/vault_plugins/my-mock-plugin $ vault write sys/plugins/catalog/my-mock-plugin \ - sha_256=2c071aafa1b30897e60b79643e77592cb9d1e8f803025d44a7f9bbfa4779d615 \ + sha256=2c071aafa1b30897e60b79643e77592cb9d1e8f803025d44a7f9bbfa4779d615 \ command=my-mock-plugin Success! Data written to: sys/plugins/catalog/my-mock-plugin ``` From 761635b27c1e46363fea000626f5654057b681f8 Mon Sep 17 00:00:00 2001 From: Brian Kassouf Date: Thu, 4 Oct 2018 09:55:48 -0700 Subject: [PATCH 13/24] Fix issue with revoking leases that have periods in them (#5461) --- helper/namespace/namespace.go | 24 ++++++++---- helper/namespace/namespace_test.go | 59 ++++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+), 7 deletions(-) create mode 100644 helper/namespace/namespace_test.go diff --git a/helper/namespace/namespace.go b/helper/namespace/namespace.go index d8327dc6e..18ccc61c7 100644 --- a/helper/namespace/namespace.go +++ b/helper/namespace/namespace.go @@ -102,13 +102,23 @@ func Canonicalize(nsPath string) string { } func SplitIDFromString(input string) (string, string) { - idx := strings.LastIndex(input, ".") - if idx == -1 { - return input, "" - } - if idx == len(input)-1 { - return input, "" + prefix := "" + slashIdx := strings.LastIndex(input, "/") + if slashIdx > 0 { + if slashIdx == len(input)-1 { + return input, "" + } + prefix = input[:slashIdx+1] + input = input[slashIdx+1:] } - return input[:idx], input[idx+1:] + idx := strings.LastIndex(input, ".") + if idx == -1 { + return prefix + input, "" + } + if idx == len(input)-1 { + return prefix + input, "" + } + + return prefix + input[:idx], input[idx+1:] } diff --git a/helper/namespace/namespace_test.go b/helper/namespace/namespace_test.go new file mode 100644 index 000000000..022e6d1eb --- /dev/null +++ b/helper/namespace/namespace_test.go @@ -0,0 +1,59 @@ +package namespace + +import "testing" + +func TestSplitIDFromString(t *testing.T) { + tcases := []struct { + input string + id string + prefix string + }{ + { + "foo", + "", + "foo", + }, + { + "foo.id", + "id", + "foo", + }, + { + "foo.foo.id", + "id", + "foo.foo", + }, + { + "foo.foo/foo.id", + "id", + "foo.foo/foo", + }, + { + "foo.foo/.id", + "id", + "foo.foo/", + }, + { + "foo.foo/foo", + "", + "foo.foo/foo", + }, + { + "foo.foo/f", + "", + "foo.foo/f", + }, + { + "foo.foo/", + "", + "foo.foo/", + }, + } + + for _, c := range tcases { + pre, id := SplitIDFromString(c.input) + if pre != c.prefix || id != c.id { + t.Fatalf("bad test case: %s != %s, %s != %s", pre, c.prefix, id, c.id) + } + } +} From 989be25309cdb3a8e32606d1bc86ea6c8d002a58 Mon Sep 17 00:00:00 2001 From: Vishal Nayak Date: Thu, 4 Oct 2018 10:38:41 -0700 Subject: [PATCH 14/24] Added test for verifying member group id deletion (#5469) --- vault/identity_store_groups_test.go | 69 +++++++++++++++++++++++++++++ vault/identity_store_util.go | 22 +++++---- 2 files changed, 79 insertions(+), 12 deletions(-) diff --git a/vault/identity_store_groups_test.go b/vault/identity_store_groups_test.go index 780424f77..d7b0f9730 100644 --- a/vault/identity_store_groups_test.go +++ b/vault/identity_store_groups_test.go @@ -11,6 +11,75 @@ import ( "github.com/hashicorp/vault/logical" ) +func TestIdentityStore_MemberGroupIDDelete(t *testing.T) { + ctx := namespace.RootContext(nil) + i, _, _ := testIdentityStoreWithGithubAuth(ctx, t) + + // Create a child group + resp, err := i.HandleRequest(ctx, &logical.Request{ + Path: "group", + Operation: logical.UpdateOperation, + Data: map[string]interface{}{ + "name": "child", + }, + }) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) + } + childGroupID := resp.Data["id"].(string) + + // Create a parent group with the above group ID as its child + resp, err = i.HandleRequest(ctx, &logical.Request{ + Path: "group", + Operation: logical.UpdateOperation, + Data: map[string]interface{}{ + "name": "parent", + "member_group_ids": []string{childGroupID}, + }, + }) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) + } + + // Ensure that member group ID is properly updated + resp, err = i.HandleRequest(ctx, &logical.Request{ + Path: "group/name/parent", + Operation: logical.ReadOperation, + }) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) + } + memberGroupIDs := resp.Data["member_group_ids"].([]string) + if len(memberGroupIDs) != 1 && memberGroupIDs[0] != childGroupID { + t.Fatalf("bad: member group ids; expected: %#v, actual: %#v", []string{childGroupID}, memberGroupIDs) + } + + // Clear the member group IDs from the parent group + resp, err = i.HandleRequest(ctx, &logical.Request{ + Path: "group/name/parent", + Operation: logical.UpdateOperation, + Data: map[string]interface{}{ + "member_group_ids": []string{}, + }, + }) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) + } + + // Ensure that member group ID is properly deleted + resp, err = i.HandleRequest(ctx, &logical.Request{ + Path: "group/name/parent", + Operation: logical.ReadOperation, + }) + if err != nil || (resp != nil && resp.IsError()) { + t.Fatalf("bad: resp: %#v\nerr: %v", resp, err) + } + memberGroupIDs = resp.Data["member_group_ids"].([]string) + if len(memberGroupIDs) != 0 { + t.Fatalf("bad: length of member group ids; expected: %d, actual: %d", 0, len(memberGroupIDs)) + } +} + func TestIdentityStore_GroupByName(t *testing.T) { ctx := namespace.RootContext(nil) i, _, _ := testIdentityStoreWithGithubAuth(ctx, t) diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go index 94c04481e..2df22e9ea 100644 --- a/vault/identity_store_util.go +++ b/vault/identity_store_util.go @@ -932,7 +932,9 @@ func (i *IdentityStore) sanitizeAndUpsertGroup(ctx context.Context, group *ident memberGroupIDs = strutil.RemoveDuplicates(memberGroupIDs, false) - // Remove ParentGroupID from removed GroupMembers + // For those group member IDs that are removed from the list, remove current + // group ID as their respective ParentGroupID. + // Get the current MemberGroups IDs for this group var currentMemberGroupIDs []string currentMemberGroups, err := i.MemDBGroupsByParentGroupID(group.ID, false) @@ -943,8 +945,12 @@ func (i *IdentityStore) sanitizeAndUpsertGroup(ctx context.Context, group *ident currentMemberGroupIDs = append(currentMemberGroupIDs, currentMemberGroup.ID) } - // Check if current MemberGroups should be removed + // Update parent group IDs in the removed members for _, currentMemberGroupID := range currentMemberGroupIDs { + if strutil.StrListContains(memberGroupIDs, currentMemberGroupID) { + continue + } + currentMemberGroup, err := i.MemDBGroupByID(currentMemberGroupID, true) if err != nil { return err @@ -953,19 +959,11 @@ func (i *IdentityStore) sanitizeAndUpsertGroup(ctx context.Context, group *ident return fmt.Errorf("invalid member group ID %q", currentMemberGroupID) } - // Remove ParentGroup Entry for this group from removed Group - if !strutil.StrListContains(memberGroupIDs, currentMemberGroupID) { - currentMemberGroup.ParentGroupIDs = strutil.StrListDelete(currentMemberGroup.ParentGroupIDs, group.ID) - } + // Remove group ID from the parent group IDs + currentMemberGroup.ParentGroupIDs = strutil.StrListDelete(currentMemberGroup.ParentGroupIDs, group.ID) - // This technically is not upsert. It is only update, only the method - // name is upsert here. err = i.UpsertGroupInTxn(txn, currentMemberGroup, true) if err != nil { - // Ideally we would want to revert the whole operation in case of - // errors while persisting in member groups. But there is no - // storage transaction support yet. When we do have it, this will need - // an update. return err } } From 380796f4fe3d85a3678bcae1be7c77074153734f Mon Sep 17 00:00:00 2001 From: vishalnayak Date: Fri, 5 Oct 2018 05:46:09 -0400 Subject: [PATCH 15/24] Fix TestIdentityStore_GroupHierarchyCases --- vault/identity_store_groups_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/vault/identity_store_groups_test.go b/vault/identity_store_groups_test.go index d7b0f9730..20efae7f1 100644 --- a/vault/identity_store_groups_test.go +++ b/vault/identity_store_groups_test.go @@ -963,6 +963,7 @@ func TestIdentityStore_GroupHierarchyCases(t *testing.T) { entityIDReq.Path = "group/id/" + engGroupID entityIDReq.Data = map[string]interface{}{ "member_entity_ids": []string{entityID3}, + "member_group_ids": engMemberGroupIDs, } resp, err = is.HandleRequest(ctx, entityIDReq) if err != nil || (resp != nil && resp.IsError()) { From 3e3c19577327e0071af5d224b91808c435893934 Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Fri, 5 Oct 2018 09:23:06 -0700 Subject: [PATCH 16/24] add a check to prevent panics (#5471) --- helper/ldaputil/client.go | 4 ++++ helper/ldaputil/client_test.go | 1 + 2 files changed, 5 insertions(+) diff --git a/helper/ldaputil/client.go b/helper/ldaputil/client.go index 86804c146..130b17e92 100644 --- a/helper/ldaputil/client.go +++ b/helper/ldaputil/client.go @@ -377,6 +377,10 @@ func (c *Client) GetLdapGroups(cfg *ConfigEntry, conn Connection, userDN string, // EscapeLDAPValue is exported because a plugin uses it outside this package. func EscapeLDAPValue(input string) string { + if input == "" { + return "" + } + // RFC4514 forbids un-escaped: // - leading space or hash // - trailing space diff --git a/helper/ldaputil/client_test.go b/helper/ldaputil/client_test.go index 629cc58e9..fa06c2c40 100644 --- a/helper/ldaputil/client_test.go +++ b/helper/ldaputil/client_test.go @@ -11,6 +11,7 @@ func TestLDAPEscape(t *testing.T) { "test,hel+lo": "test\\,hel\\+lo", "test\\hello": "test\\\\hello", " test ": "\\ test \\ ", + "": "", } for test, answer := range testcases { From 4ada68ba34435571b2f117334ca04babbd7c3005 Mon Sep 17 00:00:00 2001 From: Jim Kalafut Date: Fri, 5 Oct 2018 16:05:26 -0700 Subject: [PATCH 17/24] Fix 'vault auth' panic (#5473) Running 'vault auth' with no parameters was panicking: panic: assignment to entry in nil map github.com/hashicorp/vault/command/login.go:255 +0xdee Now it will show help. --- command/auth.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/command/auth.go b/command/auth.go index d51c067b1..78daf6d53 100644 --- a/command/auth.go +++ b/command/auth.go @@ -62,6 +62,10 @@ func (c *AuthCommand) Run(args []string) int { // Deprecation // TODO: remove in 0.9.0 + if len(args) == 0 { + return cli.RunResultHelp + } + // Parse the args for our deprecations and defer to the proper areas. for _, arg := range args { switch { From 0f3dd22e59559fe33e8f3b778a874f3a4a16e473 Mon Sep 17 00:00:00 2001 From: Jim Kalafut Date: Fri, 5 Oct 2018 22:53:09 -0700 Subject: [PATCH 18/24] Fix docs typos --- .../source/docs/enterprise/performance-standby/index.html.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/source/docs/enterprise/performance-standby/index.html.md b/website/source/docs/enterprise/performance-standby/index.html.md index 844d78810..f07bd2424 100644 --- a/website/source/docs/enterprise/performance-standby/index.html.md +++ b/website/source/docs/enterprise/performance-standby/index.html.md @@ -36,7 +36,7 @@ storage write is detected the standby will forward the request over the cluster port connection to the active node. If the request is read-only the Performance Standby will handle the requests locally. -Sending requests to Performance Stanbys that result in forwarded writes will be +Sending requests to Performance Standbys that result in forwarded writes will be slightly slower than going directly to the active node. A client that has advanced knowledge of the behavior of the call can choose to point the request to the appropriate node. @@ -45,7 +45,7 @@ to the appropriate node. A Performance Standby will tag itself as such in consul if service registration is enabled. To access the set of Performance Standbys the `performance-standby` -tag can be used. For example to send requets to only the performance standbys +tag can be used. For example to send requests to only the performance standbys `https://performance-standby.vault.dc1.consul` could be used (host name may vary based on consul configuration). From e10cfd6ab914ca28dd34267c3de7657556403315 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Mon, 8 Oct 2018 09:51:43 -0400 Subject: [PATCH 19/24] Set allowed OIDs to any value when generaing a CA. (#5462) * Set allowed OIDs to any value when generaing a CA. Also, allow utf-8 in addition to utf8 as the OID type specifier, and allow `*` to specify any OID of a supported type. * Update PKI docs --- builtin/logical/pki/ca_util.go | 1 + builtin/logical/pki/cert_util.go | 11 ++++++++++- builtin/logical/pki/path_roles.go | 2 +- website/source/api/secret/pki/index.html.md | 7 +++++-- 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/builtin/logical/pki/ca_util.go b/builtin/logical/pki/ca_util.go index 143fd574e..b8632a9b4 100644 --- a/builtin/logical/pki/ca_util.go +++ b/builtin/logical/pki/ca_util.go @@ -37,6 +37,7 @@ func (b *backend) getGenerationParams( AllowIPSANs: true, EnforceHostnames: false, AllowedURISANs: []string{"*"}, + AllowedOtherSANs: []string{"*"}, AllowedSerialNumbers: []string{"*"}, OU: data.Get("ou").([]string), Organization: data.Get("organization").([]string), diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index cec3c0e56..7426a40db 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -465,6 +465,12 @@ func validateNames(data *dataBundle, names []string) string { // allowed, it will be returned as the second string. Empty strings + error // means everything is okay. func validateOtherSANs(data *dataBundle, requested map[string][]string) (string, string, error) { + for _, val := range data.role.AllowedOtherSANs { + if val == "*" { + // Anything is allowed + return "", "", nil + } + } allowed, err := parseOtherSANs(data.role.AllowedOtherSANs) if err != nil { return "", "", errwrap.Wrapf("error parsing role's allowed SANs: {{err}}", err) @@ -504,7 +510,10 @@ func parseOtherSANs(others []string) (map[string][]string, error) { if len(splitType) != 2 { return nil, fmt.Errorf("expected a colon in other SAN %q", other) } - if !strings.EqualFold(splitType[0], "utf8") { + switch { + case strings.EqualFold(splitType[0], "utf8"): + case strings.EqualFold(splitType[0], "utf-8"): + default: return nil, fmt.Errorf("only utf8 other SANs are supported; found non-supported type in other SAN %q", other) } result[splitOther[0]] = append(result[splitOther[0]], splitType[1]) diff --git a/builtin/logical/pki/path_roles.go b/builtin/logical/pki/path_roles.go index c68d13fa4..e796df012 100644 --- a/builtin/logical/pki/path_roles.go +++ b/builtin/logical/pki/path_roles.go @@ -117,7 +117,7 @@ Any valid URI is accepted, these values support globbing.`, "allowed_other_sans": &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, - Description: `If set, an array of allowed other names to put in SANs. These values support globbing.`, + Description: `If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format ;:. Currently only "utf8" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single "*" which allows any OID and any value (but type must still be utf8).`, }, "allowed_serial_numbers": &framework.FieldSchema{ diff --git a/website/source/api/secret/pki/index.html.md b/website/source/api/secret/pki/index.html.md index 7c608b619..c038c110f 100644 --- a/website/source/api/secret/pki/index.html.md +++ b/website/source/api/secret/pki/index.html.md @@ -786,8 +786,11 @@ request is denied. - `allowed_other_sans` `(string: "")` – Defines allowed custom OID/UTF8-string SANs. This field supports globbing. The format is the same as OpenSSL: - `;:` where the only current valid type is `UTF8`. This can - be a comma-delimited list or a JSON string slice. + `;:` where the only current valid type is `UTF8` (or + `UTF-8`). This can be a comma-delimited list or a JSON string slice. All + values, including globbing values, must use the correct syntax, with the + exception being a single `*` which allows any OID and any value (but type + must still be UTF8). - `server_flag` `(bool: true)` – Specifies if certificates are flagged for server use. From 8fc5c52f6c0ec932e1330cddf1339e7d2f731707 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Mon, 8 Oct 2018 09:53:12 -0400 Subject: [PATCH 20/24] changelog++ --- CHANGELOG.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 70987ec80..7b493c699 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,13 @@ ## 0.11.3 (Unreleased) +IMPROVEMENTS: + + * secret/pki: OID SANs can now specify `*` to allow any value [GH-5459] + BUG FIXES: * database/mongodb: Fix panic that could occur at high load [GH-5463] + * secret/pki: Fix CA generation not allowing OID SANs [GH-5459] ## 0.11.2 (October 2nd, 2018) From 00f6ad01469979578c6696a7131b6a2cee7a06b1 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Mon, 8 Oct 2018 09:54:21 -0400 Subject: [PATCH 21/24] changelog++ --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7b493c699..b2a214b70 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,7 +6,8 @@ IMPROVEMENTS: BUG FIXES: - * database/mongodb: Fix panic that could occur at high load [GH-5463] + * auth/ldap: Fix panic if specific values were given to be escaped [GH-5471] + * secret/database/mongodb: Fix panic that could occur at high load [GH-5463] * secret/pki: Fix CA generation not allowing OID SANs [GH-5459] ## 0.11.2 (October 2nd, 2018) From ec7904fd89f07e078ce112b88dda88dec9011b37 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Mon, 8 Oct 2018 10:01:45 -0400 Subject: [PATCH 22/24] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b2a214b70..a315e5ee3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ IMPROVEMENTS: BUG FIXES: * auth/ldap: Fix panic if specific values were given to be escaped [GH-5471] + * cli/auth: Fix panic if `vault auth` was given no parameters [GH-5473] * secret/database/mongodb: Fix panic that could occur at high load [GH-5463] * secret/pki: Fix CA generation not allowing OID SANs [GH-5459] From e7a0d8a1589504ffb32d175f7be7b6b90b95723e Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Mon, 8 Oct 2018 11:23:50 -0400 Subject: [PATCH 23/24] Prep for release --- CHANGELOG.md | 8 +++++++- terraform/aws/variables.tf | 2 +- version/version_base.go | 2 +- website/config.rb | 2 +- 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a315e5ee3..7464524fa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,10 @@ -## 0.11.3 (Unreleased) +## 0.11.3 (October 8th, 2018) + +SECURITY: + + * Revocation: A regression in 0.11.2 (OSS) and 0.11.0 (Enterprise) caused + lease IDs containing periods (`.`) to not be revoked properly. Upon startup + when revocation is tried again these should now revoke successfully. IMPROVEMENTS: diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf index 21c55d6e7..cee50dfe3 100644 --- a/terraform/aws/variables.tf +++ b/terraform/aws/variables.tf @@ -3,7 +3,7 @@ //------------------------------------------------------------------- variable "download-url" { - default = "https://releases.hashicorp.com/vault/0.11.1/vault_0.11.2_linux_amd64.zip" + default = "https://releases.hashicorp.com/vault/0.11.3/vault_0.11.3_linux_amd64.zip" description = "URL to download Vault" } diff --git a/version/version_base.go b/version/version_base.go index 0b3e30401..8df2bf6b4 100644 --- a/version/version_base.go +++ b/version/version_base.go @@ -2,7 +2,7 @@ package version func init() { // The main version number that is being run at the moment. - Version = "0.11.2" + Version = "0.11.3" // A pre-release marker for the version. If this is "" (empty string) // then it means that it is a final release. Otherwise, this is a pre-release diff --git a/website/config.rb b/website/config.rb index 9a1abe3c7..4d436c500 100644 --- a/website/config.rb +++ b/website/config.rb @@ -2,7 +2,7 @@ set :base_url, "https://www.vaultproject.io/" activate :hashicorp do |h| h.name = "vault" - h.version = "0.11.2" + h.version = "0.11.3" h.github_slug = "hashicorp/vault" h.website_root = "website" end