release prep

CHANGELOG.md

@@ -1,4 +1,4 @@
-## 1.0.0-beta2 (Unreleased)
+## 1.0.0-beta2 (November 12th, 2018)
 
 CHANGES:
 
@@ -52,26 +52,33 @@ IMPROVEMENTS:
 
 BUG FIXES:
 
- * auth/userpass: Fix minor timing issue that could leak the presence of a
-   username [GH-5614]
- * cli: Fix panic that could occur if parameters were not provided [GH-5603]
  * core: Migration from autounseal to shamir will clean up old keys [GH-5671]
- * core: Fix buggy behavior if trying to remount into a namespace
- * identity: Fix duplication of entity alias entity during alias transfer
-   between entities [GH-5733]
  * secrets/azure: Fix valid roles being rejected for duplicate ids despite
    having distinct scopes
    [[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16)
  * secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths
    for all other operations for backwards compatibility
    [[GH-19]](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/19)
- * ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
- * agent: Fix issue when specifying two file sinks [GH-5610]
  * ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show
    the revoke button in the UI [GH-5647]
  * ui: Fix issue where certain pages wouldn't render in a namespace [GH-5692]
+
+## 0.11.5 (November 12th, 2018)
+
+BUG FIXES:
+
+ * auth/userpass: Fix minor timing issue that could leak the presence of a
+   username [GH-5614]
+ * cli: Fix panic that could occur if parameters were not provided [GH-5603]
+ * core: Fix buggy behavior if trying to remount into a namespace
+ * identity: Fix duplication of entity alias entity during alias transfer
+   between entities [GH-5733]
+ * ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
  * ui: Fix issue where IE 11 didn't render the UI and also had a broken form
    when trying to use tool/hash [GH-5714]
+ * agent: Fix issue when specifying two file sinks [GH-5610]
+ * autounseal/alicloud: Fix issue interacting with the API
+ * autounseal/azure: Fix key version tracking 
 
 ## 1.0.0-beta1 (October 23rd, 2018)
 

vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_role.go

@@ -289,7 +289,7 @@ func (b *GcpAuthBackend) pathRoleRead(ctx context.Context, req *logical.Request,
 	resp := make(map[string]interface{})
 
 	if role.RoleType != "" {
-		resp["role"] = role.RoleType
+		resp["type"] = role.RoleType
 	}
 	if role.ProjectId != "" {
 		resp["project_id"] = role.ProjectId

vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock

@@ -2,8 +2,7 @@
 
 
 [[projects]]
-  branch = "master"
-  digest = "1:e26170d7ec7d444d7b74a5b1dbd6437fd8e552d27efce9327f733311737c4ae9"
+  digest = "1:a69ab3f1445ffd4815add4bd31ba05b65b3b9fec1ade5057d5d717f30e6efd6d"
   name = "github.com/SermoDigital/jose"
   packages = [
     ".",
@@ -12,7 +11,8 @@
     "jwt",
   ]
   pruneopts = "UT"
-  revision = "803625baeddc3526d01d321b5066029f53eafc81"
+  revision = "f6df55f235c24f236d11dbcf665249a59ac2021f"
+  version = "1.1"
 
 [[projects]]
   branch = "master"
@@ -23,16 +23,17 @@
   revision = "7fddfc383310abc091d79a27f116d30cf0424032"
 
 [[projects]]
-  digest = "1:b12a893d64eb4c4c1980240c5706026032f505fef4ecd7d4cbfa2ed60ecd40c9"
+  branch = "master"
+  digest = "1:fb6bb07f738b9ec248ffa7b737dd983df2028001ebd0dad29dfb0830576cef12"
   name = "github.com/briankassouf/jose"
   packages = [
+    ".",
     "crypto",
     "jws",
     "jwt",
   ]
   pruneopts = "UT"
-  revision = "f6df55f235c24f236d11dbcf665249a59ac2021f"
-  version = "1.1"
+  revision = "d2569464773f2b9de32e57a79d87318bca5b56c0"
 
 [[projects]]
   digest = "1:34e709f36fd4f868fb00dbaf8a6cab4c1ae685832d392874ba9d7c5dec2429d1"
@@ -433,7 +434,6 @@
   analyzer-name = "dep"
   analyzer-version = 1
   input-imports = [
-    "github.com/SermoDigital/jose/jws",
     "github.com/briankassouf/jose/crypto",
     "github.com/briankassouf/jose/jws",
     "github.com/briankassouf/jose/jwt",

vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.toml

@@ -24,14 +24,9 @@
 #   go-tests = true
 #   unused-packages = true
 
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/SermoDigital/jose"
-
 [[constraint]]
   name = "github.com/briankassouf/jose"
-  version = "1.1.0"
+  branch = "master"
 
 [[constraint]]
   branch = "master"

vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/README.md

@@ -1,4 +1,4 @@
-# Vault Plugin: Kubernetes Auth Backend
+# Vault Plugin: Kubernetes Auth Backend [![Build Status](https://travis-ci.org/hashicorp/vault-plugin-auth-kubernetes.svg?branch=master)](https://travis-ci.org/hashicorp/vault-plugin-auth-kubernetes)
 
 This is a standalone backend plugin for use with [Hashicorp Vault](https://www.github.com/hashicorp/vault).
 This plugin allows for Kubernetes Service Accounts to authenticate with Vault.

vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go

@@ -8,7 +8,7 @@ import (
 	"encoding/pem"
 	"errors"
 
-	"github.com/SermoDigital/jose/jws"
+	"github.com/briankassouf/jose/jws"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )

vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_login.go

@@ -21,9 +21,9 @@ import (
 
 var (
 	// expectedJWTIssuer is used to verify the iss header on the JWT.
-	expectedJWTIssuer string = "kubernetes/serviceaccount"
+	expectedJWTIssuer = "kubernetes/serviceaccount"
 
-	uidJWTClaimKey string = "kubernetes.io/serviceaccount/service-account.uid"
+	uidJWTClaimKey = "kubernetes.io/serviceaccount/service-account.uid"
 
 	// errMismatchedSigningMethod is used if the certificate doesn't match the
 	// JWT's expected signing method.
@@ -108,20 +108,20 @@ func (b *kubeAuthBackend) pathLogin() framework.OperationFunc {
 				NumUses: role.NumUses,
 				Period:  role.Period,
 				Alias: &logical.Alias{
-					Name: serviceAccount.UID,
+					Name: serviceAccount.uid(),
 				},
 				InternalData: map[string]interface{}{
 					"role": roleName,
 				},
 				Policies: role.Policies,
 				Metadata: map[string]string{
-					"service_account_uid":         serviceAccount.UID,
-					"service_account_name":        serviceAccount.Name,
-					"service_account_namespace":   serviceAccount.Namespace,
+					"service_account_uid":         serviceAccount.uid(),
+					"service_account_name":        serviceAccount.name(),
+					"service_account_namespace":   serviceAccount.namespace(),
 					"service_account_secret_name": serviceAccount.SecretName,
-					"role": roleName,
+					"role":                        roleName,
 				},
-				DisplayName: fmt.Sprintf("%s-%s", serviceAccount.Namespace, serviceAccount.Name),
+				DisplayName: fmt.Sprintf("%s-%s", serviceAccount.namespace(), serviceAccount.name()),
 				LeaseOptions: logical.LeaseOptions{
 					Renewable: true,
 					TTL:       role.TTL,
@@ -187,14 +187,14 @@ func (b *kubeAuthBackend) parseAndValidateJWT(jwtStr string, role *roleStorageEn
 
 			// verify the namespace is allowed
 			if len(role.ServiceAccountNamespaces) > 1 || role.ServiceAccountNamespaces[0] != "*" {
-				if !strutil.StrListContains(role.ServiceAccountNamespaces, sa.Namespace) {
+				if !strutil.StrListContains(role.ServiceAccountNamespaces, sa.namespace()) {
 					return errors.New("namespace not authorized")
 				}
 			}
 
 			// verify the service account name is allowed
 			if len(role.ServiceAccountNames) > 1 || role.ServiceAccountNames[0] != "*" {
-				if !strutil.StrListContains(role.ServiceAccountNames, sa.Name) {
+				if !strutil.StrListContains(role.ServiceAccountNames, sa.name()) {
 					return errors.New("service account name not authorized")
 				}
 			}
@@ -280,10 +280,57 @@ func (b *kubeAuthBackend) parseAndValidateJWT(jwtStr string, role *roleStorageEn
 // serviceAccount holds the metadata from the JWT token and is used to lookup
 // the JWT in the kubernetes API and compare the results.
 type serviceAccount struct {
-	Name       string `mapstructure:"kubernetes.io/serviceaccount/service-account.name"`
-	UID        string `mapstructure:"kubernetes.io/serviceaccount/service-account.uid"`
-	SecretName string `mapstructure:"kubernetes.io/serviceaccount/secret.name"`
-	Namespace  string `mapstructure:"kubernetes.io/serviceaccount/namespace"`
+	Name       string   `mapstructure:"kubernetes.io/serviceaccount/service-account.name"`
+	UID        string   `mapstructure:"kubernetes.io/serviceaccount/service-account.uid"`
+	SecretName string   `mapstructure:"kubernetes.io/serviceaccount/secret.name"`
+	Namespace  string   `mapstructure:"kubernetes.io/serviceaccount/namespace"`
+	Aud        []string `mapstructure:"aud"`
+
+	// the JSON returned from reviewing a Projected Service account has a
+	// different structure, where the information is in a sub-structure instead of
+	// at the top level
+	Kubernetes *projectedServiceToken `mapstructure:"kubernetes.io"`
+	Expiration int64                  `mapstructure:"exp"`
+	IssuedAt   int64                  `mapstructure:"iat"`
+}
+
+// uid returns the UID for the service account, preferring the projected service
+// account value if found
+func (s *serviceAccount) uid() string {
+	if s.Kubernetes != nil && s.Kubernetes.ServiceAccount != nil {
+		return s.Kubernetes.ServiceAccount.UID
+	}
+	return s.UID
+}
+
+// name returns the name for the service account, preferring the projected
+// service account value if found. This is "default" for projected service
+// accounts
+func (s *serviceAccount) name() string {
+	if s.Kubernetes != nil && s.Kubernetes.ServiceAccount != nil {
+		return s.Kubernetes.ServiceAccount.Name
+	}
+	return s.Name
+}
+
+// namespace returns the namespace for the service account, preferring the
+// projected service account value if found
+func (s *serviceAccount) namespace() string {
+	if s.Kubernetes != nil {
+		return s.Kubernetes.Namespace
+	}
+	return s.Namespace
+}
+
+type projectedServiceToken struct {
+	Namespace      string                      `mapstructure:"namespace"`
+	Pod            *projectedServiceAccountPod `mapstructure:"pod"`
+	ServiceAccount *projectedServiceAccountPod `mapstructure:"serviceaccount"`
+}
+
+type projectedServiceAccountPod struct {
+	Name string `mapstructure:"name"`
+	UID  string `mapstructure:"uid"`
 }
 
 // lookup calls the TokenReview API in kubernetes to verify the token and secret
@@ -296,13 +343,13 @@ func (s *serviceAccount) lookup(jwtStr string, tr tokenReviewer) error {
 
 	// Verify the returned metadata matches the expected data from the service
 	// account.
-	if s.Name != r.Name {
+	if s.name() != r.Name {
 		return errors.New("JWT names did not match")
 	}
-	if s.UID != r.UID {
+	if s.uid() != r.UID {
 		return errors.New("JWT UIDs did not match")
 	}
-	if s.Namespace != r.Namespace {
+	if s.namespace() != r.Namespace {
 		return errors.New("JWT namepaces did not match")
 	}
 

vendor/github.com/hashicorp/vault-plugin-secrets-ad/plugin/role.go

@@ -14,7 +14,7 @@ type backendRole struct {
 func (r *backendRole) Map() map[string]interface{} {
 	m := map[string]interface{}{
 		"service_account_name": r.ServiceAccountName,
-		"ttl": r.TTL,
+		"ttl":                  r.TTL,
 	}
 
 	var unset time.Time

vendor/github.com/hashicorp/vault-plugin-secrets-azure/path_roles.go

@@ -161,7 +161,7 @@ func (b *azureSecretBackend) pathRoleUpdate(ctx context.Context, req *logical.Re
 
 		err := jsonutil.DecodeJSON([]byte(roles.(string)), &parsedRoles)
 		if err != nil {
-			return logical.ErrorResponse("invalid Azure role definitions"), nil
+			return logical.ErrorResponse(fmt.Sprintf("error parsing Azure roles '%s': %s", roles.(string), err.Error())), nil
 		}
 		role.AzureRoles = parsedRoles
 	}

vendor/vendor.json

@@ -1403,14 +1403,14 @@
 		{
 			"checksumSHA1": "NRGHY73VI2kEgy+FSDOuSsixS4k=",
 			"path": "github.com/hashicorp/vault-plugin-auth-alicloud",
-			"revision": "1c2bb0abe14ed980276707b1d572dd280da69d86",
-			"revisionTime": "2018-10-03T22:48:59Z"
+			"revision": "f278a59ca3e8aeafeda7cb9a14e8815359d25fcd",
+			"revisionTime": "2018-11-09T18:06:36Z"
 		},
 		{
 			"checksumSHA1": "xdrSQoX7B7Hr4iWm9T2+5wHVpHQ=",
 			"path": "github.com/hashicorp/vault-plugin-auth-alicloud/tools",
-			"revision": "1c2bb0abe14ed980276707b1d572dd280da69d86",
-			"revisionTime": "2018-10-03T22:48:59Z"
+			"revision": "f278a59ca3e8aeafeda7cb9a14e8815359d25fcd",
+			"revisionTime": "2018-11-09T18:06:36Z"
 		},
 		{
 			"checksumSHA1": "ojr0r/jmutGEhftDXiHthCCwpIA=",
@@ -1425,10 +1425,10 @@
 			"revisionTime": "2018-08-16T20:11:31Z"
 		},
 		{
-			"checksumSHA1": "/Jn1UXwpf4RVqNhxyUT275WMQzQ=",
+			"checksumSHA1": "pJC3V+AR+Khd/TpvekLf1ZRU7rA=",
 			"path": "github.com/hashicorp/vault-plugin-auth-gcp/plugin",
-			"revision": "d57adfb30a2e65659bdb83e632a6d4e6690e2e86",
-			"revisionTime": "2018-10-12T20:41:23Z"
+			"revision": "86f7837fd8102347f7a10e3f0ad275e5a256863c",
+			"revisionTime": "2018-10-25T21:28:40Z"
 		},
 		{
 			"checksumSHA1": "tt3FtyjXgdBI9Mb43UL4LtOZmAk=",
@@ -1437,46 +1437,46 @@
 			"revisionTime": "2018-10-31T19:59:42Z"
 		},
 		{
-			"checksumSHA1": "hrJZzU9iG2ixRu2hOdPgN7wa48c=",
+			"checksumSHA1": "8J4z30a2oTqSPQYOaT4j/jiZuNE=",
 			"path": "github.com/hashicorp/vault-plugin-auth-kubernetes",
-			"revision": "8bfe988b36157168563f726887da232af94ee87f",
-			"revisionTime": "2018-08-16T20:15:54Z"
+			"revision": "5328b889a921243d6e19cda38fb2c31a48cba2b2",
+			"revisionTime": "2018-11-01T19:05:09Z"
 		},
 		{
-			"checksumSHA1": "pNERL2s72vwnApekzTLxGsvkyNU=",
+			"checksumSHA1": "PmhyvCKVlEMEP6JO31ozW+CBIiE=",
 			"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin",
-			"revision": "d8a0991deac4006068826a99b82d8274aa119161",
-			"revisionTime": "2018-08-20T22:27:10Z"
+			"revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a",
+			"revisionTime": "2018-11-09T18:28:34Z"
 		},
 		{
 			"checksumSHA1": "GOxdFElG31lXWgKFG9aqpDcG47M=",
 			"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/client",
-			"revision": "d8a0991deac4006068826a99b82d8274aa119161",
-			"revisionTime": "2018-08-20T22:27:10Z"
+			"revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a",
+			"revisionTime": "2018-11-09T18:28:34Z"
 		},
 		{
 			"checksumSHA1": "RaH2xTkjaToCk+RoPhap7I66ibo=",
 			"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/util",
-			"revision": "d8a0991deac4006068826a99b82d8274aa119161",
-			"revisionTime": "2018-08-20T22:27:10Z"
+			"revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a",
+			"revisionTime": "2018-11-09T18:28:34Z"
 		},
 		{
 			"checksumSHA1": "VLXyxS5dEoiWTSFmpMJIz+Pwtmw=",
 			"path": "github.com/hashicorp/vault-plugin-secrets-alicloud",
-			"revision": "4272d944e495635b30fcabf70dd71a9355b798a9",
-			"revisionTime": "2018-10-03T22:47:18Z"
+			"revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d",
+			"revisionTime": "2018-11-09T18:14:53Z"
 		},
 		{
 			"checksumSHA1": "dqduixICi6NeyLNRCDdw62t1LFU=",
 			"path": "github.com/hashicorp/vault-plugin-secrets-alicloud/clients",
-			"revision": "4272d944e495635b30fcabf70dd71a9355b798a9",
-			"revisionTime": "2018-10-03T22:47:18Z"
+			"revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d",
+			"revisionTime": "2018-11-09T18:14:53Z"
 		},
 		{
-			"checksumSHA1": "f7Ul8JZy98iiDLRN5j9/6jbq9jc=",
+			"checksumSHA1": "Zr5xVeEJxmlBLWgaUq5rRRIuryE=",
 			"path": "github.com/hashicorp/vault-plugin-secrets-azure",
-			"revision": "824f07d5c72f72bb6d983c07d8fba2ab72bd45b8",
-			"revisionTime": "2018-10-24T21:21:15Z"
+			"revision": "26e517ba4190bab20ebb28336921434f96093250",
+			"revisionTime": "2018-11-08T17:16:20Z"
 		},
 		{
 			"checksumSHA1": "tFP1EEyVlomSSx46NHDZWGPzUz0=",

version/version_base.go

@@ -7,5 +7,5 @@ func init() {
 	// A pre-release marker for the version. If this is "" (empty string)
 	// then it means that it is a final release. Otherwise, this is a pre-release
 	// such as "dev" (in development), "beta", "rc1", etc.
-	VersionPrerelease = "beta1"
+	VersionPrerelease = "beta2"
 }