release prep

This commit is contained in:
Brian Kassouf 2018-11-12 11:10:47 -08:00
parent 3f5117e87d
commit 48dffb9b7c
11 changed files with 118 additions and 69 deletions

View File

@ -1,4 +1,4 @@
## 1.0.0-beta2 (Unreleased)
## 1.0.0-beta2 (November 12th, 2018)
CHANGES:
@ -52,26 +52,33 @@ IMPROVEMENTS:
BUG FIXES:
* auth/userpass: Fix minor timing issue that could leak the presence of a
username [GH-5614]
* cli: Fix panic that could occur if parameters were not provided [GH-5603]
* core: Migration from autounseal to shamir will clean up old keys [GH-5671]
* core: Fix buggy behavior if trying to remount into a namespace
* identity: Fix duplication of entity alias entity during alias transfer
between entities [GH-5733]
* secrets/azure: Fix valid roles being rejected for duplicate ids despite
having distinct scopes
[[GH-16]](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16)
* secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths
for all other operations for backwards compatibility
[[GH-19]](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/19)
* ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
* agent: Fix issue when specifying two file sinks [GH-5610]
* ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show
the revoke button in the UI [GH-5647]
* ui: Fix issue where certain pages wouldn't render in a namespace [GH-5692]
## 0.11.5 (November 12th, 2018)
BUG FIXES:
* auth/userpass: Fix minor timing issue that could leak the presence of a
username [GH-5614]
* cli: Fix panic that could occur if parameters were not provided [GH-5603]
* core: Fix buggy behavior if trying to remount into a namespace
* identity: Fix duplication of entity alias entity during alias transfer
between entities [GH-5733]
* ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
* ui: Fix issue where IE 11 didn't render the UI and also had a broken form
when trying to use tool/hash [GH-5714]
* agent: Fix issue when specifying two file sinks [GH-5610]
* autounseal/alicloud: Fix issue interacting with the API
* autounseal/azure: Fix key version tracking
## 1.0.0-beta1 (October 23rd, 2018)

View File

@ -289,7 +289,7 @@ func (b *GcpAuthBackend) pathRoleRead(ctx context.Context, req *logical.Request,
resp := make(map[string]interface{})
if role.RoleType != "" {
resp["role"] = role.RoleType
resp["type"] = role.RoleType
}
if role.ProjectId != "" {
resp["project_id"] = role.ProjectId

View File

@ -2,8 +2,7 @@
[[projects]]
branch = "master"
digest = "1:e26170d7ec7d444d7b74a5b1dbd6437fd8e552d27efce9327f733311737c4ae9"
digest = "1:a69ab3f1445ffd4815add4bd31ba05b65b3b9fec1ade5057d5d717f30e6efd6d"
name = "github.com/SermoDigital/jose"
packages = [
".",
@ -12,7 +11,8 @@
"jwt",
]
pruneopts = "UT"
revision = "803625baeddc3526d01d321b5066029f53eafc81"
revision = "f6df55f235c24f236d11dbcf665249a59ac2021f"
version = "1.1"
[[projects]]
branch = "master"
@ -23,16 +23,17 @@
revision = "7fddfc383310abc091d79a27f116d30cf0424032"
[[projects]]
digest = "1:b12a893d64eb4c4c1980240c5706026032f505fef4ecd7d4cbfa2ed60ecd40c9"
branch = "master"
digest = "1:fb6bb07f738b9ec248ffa7b737dd983df2028001ebd0dad29dfb0830576cef12"
name = "github.com/briankassouf/jose"
packages = [
".",
"crypto",
"jws",
"jwt",
]
pruneopts = "UT"
revision = "f6df55f235c24f236d11dbcf665249a59ac2021f"
version = "1.1"
revision = "d2569464773f2b9de32e57a79d87318bca5b56c0"
[[projects]]
digest = "1:34e709f36fd4f868fb00dbaf8a6cab4c1ae685832d392874ba9d7c5dec2429d1"
@ -433,7 +434,6 @@
analyzer-name = "dep"
analyzer-version = 1
input-imports = [
"github.com/SermoDigital/jose/jws",
"github.com/briankassouf/jose/crypto",
"github.com/briankassouf/jose/jws",
"github.com/briankassouf/jose/jwt",

View File

@ -24,14 +24,9 @@
# go-tests = true
# unused-packages = true
[[constraint]]
branch = "master"
name = "github.com/SermoDigital/jose"
[[constraint]]
name = "github.com/briankassouf/jose"
version = "1.1.0"
branch = "master"
[[constraint]]
branch = "master"

View File

@ -1,4 +1,4 @@
# Vault Plugin: Kubernetes Auth Backend
# Vault Plugin: Kubernetes Auth Backend [![Build Status](https://travis-ci.org/hashicorp/vault-plugin-auth-kubernetes.svg?branch=master)](https://travis-ci.org/hashicorp/vault-plugin-auth-kubernetes)
This is a standalone backend plugin for use with [Hashicorp Vault](https://www.github.com/hashicorp/vault).
This plugin allows for Kubernetes Service Accounts to authenticate with Vault.

View File

@ -8,7 +8,7 @@ import (
"encoding/pem"
"errors"
"github.com/SermoDigital/jose/jws"
"github.com/briankassouf/jose/jws"
"github.com/hashicorp/vault/logical"
"github.com/hashicorp/vault/logical/framework"
)

View File

@ -21,9 +21,9 @@ import (
var (
// expectedJWTIssuer is used to verify the iss header on the JWT.
expectedJWTIssuer string = "kubernetes/serviceaccount"
expectedJWTIssuer = "kubernetes/serviceaccount"
uidJWTClaimKey string = "kubernetes.io/serviceaccount/service-account.uid"
uidJWTClaimKey = "kubernetes.io/serviceaccount/service-account.uid"
// errMismatchedSigningMethod is used if the certificate doesn't match the
// JWT's expected signing method.
@ -108,20 +108,20 @@ func (b *kubeAuthBackend) pathLogin() framework.OperationFunc {
NumUses: role.NumUses,
Period: role.Period,
Alias: &logical.Alias{
Name: serviceAccount.UID,
Name: serviceAccount.uid(),
},
InternalData: map[string]interface{}{
"role": roleName,
},
Policies: role.Policies,
Metadata: map[string]string{
"service_account_uid": serviceAccount.UID,
"service_account_name": serviceAccount.Name,
"service_account_namespace": serviceAccount.Namespace,
"service_account_uid": serviceAccount.uid(),
"service_account_name": serviceAccount.name(),
"service_account_namespace": serviceAccount.namespace(),
"service_account_secret_name": serviceAccount.SecretName,
"role": roleName,
},
DisplayName: fmt.Sprintf("%s-%s", serviceAccount.Namespace, serviceAccount.Name),
DisplayName: fmt.Sprintf("%s-%s", serviceAccount.namespace(), serviceAccount.name()),
LeaseOptions: logical.LeaseOptions{
Renewable: true,
TTL: role.TTL,
@ -187,14 +187,14 @@ func (b *kubeAuthBackend) parseAndValidateJWT(jwtStr string, role *roleStorageEn
// verify the namespace is allowed
if len(role.ServiceAccountNamespaces) > 1 || role.ServiceAccountNamespaces[0] != "*" {
if !strutil.StrListContains(role.ServiceAccountNamespaces, sa.Namespace) {
if !strutil.StrListContains(role.ServiceAccountNamespaces, sa.namespace()) {
return errors.New("namespace not authorized")
}
}
// verify the service account name is allowed
if len(role.ServiceAccountNames) > 1 || role.ServiceAccountNames[0] != "*" {
if !strutil.StrListContains(role.ServiceAccountNames, sa.Name) {
if !strutil.StrListContains(role.ServiceAccountNames, sa.name()) {
return errors.New("service account name not authorized")
}
}
@ -284,6 +284,53 @@ type serviceAccount struct {
UID string `mapstructure:"kubernetes.io/serviceaccount/service-account.uid"`
SecretName string `mapstructure:"kubernetes.io/serviceaccount/secret.name"`
Namespace string `mapstructure:"kubernetes.io/serviceaccount/namespace"`
Aud []string `mapstructure:"aud"`
// the JSON returned from reviewing a Projected Service account has a
// different structure, where the information is in a sub-structure instead of
// at the top level
Kubernetes *projectedServiceToken `mapstructure:"kubernetes.io"`
Expiration int64 `mapstructure:"exp"`
IssuedAt int64 `mapstructure:"iat"`
}
// uid returns the UID for the service account, preferring the projected service
// account value if found
func (s *serviceAccount) uid() string {
if s.Kubernetes != nil && s.Kubernetes.ServiceAccount != nil {
return s.Kubernetes.ServiceAccount.UID
}
return s.UID
}
// name returns the name for the service account, preferring the projected
// service account value if found. This is "default" for projected service
// accounts
func (s *serviceAccount) name() string {
if s.Kubernetes != nil && s.Kubernetes.ServiceAccount != nil {
return s.Kubernetes.ServiceAccount.Name
}
return s.Name
}
// namespace returns the namespace for the service account, preferring the
// projected service account value if found
func (s *serviceAccount) namespace() string {
if s.Kubernetes != nil {
return s.Kubernetes.Namespace
}
return s.Namespace
}
type projectedServiceToken struct {
Namespace string `mapstructure:"namespace"`
Pod *projectedServiceAccountPod `mapstructure:"pod"`
ServiceAccount *projectedServiceAccountPod `mapstructure:"serviceaccount"`
}
type projectedServiceAccountPod struct {
Name string `mapstructure:"name"`
UID string `mapstructure:"uid"`
}
// lookup calls the TokenReview API in kubernetes to verify the token and secret
@ -296,13 +343,13 @@ func (s *serviceAccount) lookup(jwtStr string, tr tokenReviewer) error {
// Verify the returned metadata matches the expected data from the service
// account.
if s.Name != r.Name {
if s.name() != r.Name {
return errors.New("JWT names did not match")
}
if s.UID != r.UID {
if s.uid() != r.UID {
return errors.New("JWT UIDs did not match")
}
if s.Namespace != r.Namespace {
if s.namespace() != r.Namespace {
return errors.New("JWT namepaces did not match")
}

View File

@ -161,7 +161,7 @@ func (b *azureSecretBackend) pathRoleUpdate(ctx context.Context, req *logical.Re
err := jsonutil.DecodeJSON([]byte(roles.(string)), &parsedRoles)
if err != nil {
return logical.ErrorResponse("invalid Azure role definitions"), nil
return logical.ErrorResponse(fmt.Sprintf("error parsing Azure roles '%s': %s", roles.(string), err.Error())), nil
}
role.AzureRoles = parsedRoles
}

48
vendor/vendor.json vendored
View File

@ -1403,14 +1403,14 @@
{
"checksumSHA1": "NRGHY73VI2kEgy+FSDOuSsixS4k=",
"path": "github.com/hashicorp/vault-plugin-auth-alicloud",
"revision": "1c2bb0abe14ed980276707b1d572dd280da69d86",
"revisionTime": "2018-10-03T22:48:59Z"
"revision": "f278a59ca3e8aeafeda7cb9a14e8815359d25fcd",
"revisionTime": "2018-11-09T18:06:36Z"
},
{
"checksumSHA1": "xdrSQoX7B7Hr4iWm9T2+5wHVpHQ=",
"path": "github.com/hashicorp/vault-plugin-auth-alicloud/tools",
"revision": "1c2bb0abe14ed980276707b1d572dd280da69d86",
"revisionTime": "2018-10-03T22:48:59Z"
"revision": "f278a59ca3e8aeafeda7cb9a14e8815359d25fcd",
"revisionTime": "2018-11-09T18:06:36Z"
},
{
"checksumSHA1": "ojr0r/jmutGEhftDXiHthCCwpIA=",
@ -1425,10 +1425,10 @@
"revisionTime": "2018-08-16T20:11:31Z"
},
{
"checksumSHA1": "/Jn1UXwpf4RVqNhxyUT275WMQzQ=",
"checksumSHA1": "pJC3V+AR+Khd/TpvekLf1ZRU7rA=",
"path": "github.com/hashicorp/vault-plugin-auth-gcp/plugin",
"revision": "d57adfb30a2e65659bdb83e632a6d4e6690e2e86",
"revisionTime": "2018-10-12T20:41:23Z"
"revision": "86f7837fd8102347f7a10e3f0ad275e5a256863c",
"revisionTime": "2018-10-25T21:28:40Z"
},
{
"checksumSHA1": "tt3FtyjXgdBI9Mb43UL4LtOZmAk=",
@ -1437,46 +1437,46 @@
"revisionTime": "2018-10-31T19:59:42Z"
},
{
"checksumSHA1": "hrJZzU9iG2ixRu2hOdPgN7wa48c=",
"checksumSHA1": "8J4z30a2oTqSPQYOaT4j/jiZuNE=",
"path": "github.com/hashicorp/vault-plugin-auth-kubernetes",
"revision": "8bfe988b36157168563f726887da232af94ee87f",
"revisionTime": "2018-08-16T20:15:54Z"
"revision": "5328b889a921243d6e19cda38fb2c31a48cba2b2",
"revisionTime": "2018-11-01T19:05:09Z"
},
{
"checksumSHA1": "pNERL2s72vwnApekzTLxGsvkyNU=",
"checksumSHA1": "PmhyvCKVlEMEP6JO31ozW+CBIiE=",
"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin",
"revision": "d8a0991deac4006068826a99b82d8274aa119161",
"revisionTime": "2018-08-20T22:27:10Z"
"revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a",
"revisionTime": "2018-11-09T18:28:34Z"
},
{
"checksumSHA1": "GOxdFElG31lXWgKFG9aqpDcG47M=",
"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/client",
"revision": "d8a0991deac4006068826a99b82d8274aa119161",
"revisionTime": "2018-08-20T22:27:10Z"
"revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a",
"revisionTime": "2018-11-09T18:28:34Z"
},
{
"checksumSHA1": "RaH2xTkjaToCk+RoPhap7I66ibo=",
"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/util",
"revision": "d8a0991deac4006068826a99b82d8274aa119161",
"revisionTime": "2018-08-20T22:27:10Z"
"revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a",
"revisionTime": "2018-11-09T18:28:34Z"
},
{
"checksumSHA1": "VLXyxS5dEoiWTSFmpMJIz+Pwtmw=",
"path": "github.com/hashicorp/vault-plugin-secrets-alicloud",
"revision": "4272d944e495635b30fcabf70dd71a9355b798a9",
"revisionTime": "2018-10-03T22:47:18Z"
"revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d",
"revisionTime": "2018-11-09T18:14:53Z"
},
{
"checksumSHA1": "dqduixICi6NeyLNRCDdw62t1LFU=",
"path": "github.com/hashicorp/vault-plugin-secrets-alicloud/clients",
"revision": "4272d944e495635b30fcabf70dd71a9355b798a9",
"revisionTime": "2018-10-03T22:47:18Z"
"revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d",
"revisionTime": "2018-11-09T18:14:53Z"
},
{
"checksumSHA1": "f7Ul8JZy98iiDLRN5j9/6jbq9jc=",
"checksumSHA1": "Zr5xVeEJxmlBLWgaUq5rRRIuryE=",
"path": "github.com/hashicorp/vault-plugin-secrets-azure",
"revision": "824f07d5c72f72bb6d983c07d8fba2ab72bd45b8",
"revisionTime": "2018-10-24T21:21:15Z"
"revision": "26e517ba4190bab20ebb28336921434f96093250",
"revisionTime": "2018-11-08T17:16:20Z"
},
{
"checksumSHA1": "tFP1EEyVlomSSx46NHDZWGPzUz0=",

View File

@ -7,5 +7,5 @@ func init() {
// A pre-release marker for the version. If this is "" (empty string)
// then it means that it is a final release. Otherwise, this is a pre-release
// such as "dev" (in development), "beta", "rc1", etc.
VersionPrerelease = "beta1"
VersionPrerelease = "beta2"
}