Merge branch 'master' into f-nomad

CHANGELOG.md

@@ -40,14 +40,20 @@ IMPROVEMENTS:
 
  * audit/file: Setting a file mode of `0000` will now disable Vault from
    automatically `chmod`ing the log file [GH-3649]
+ * auth/github: The legacy MFA system can now be used with the GitHub auth
+   backend [GH-3696]
  * auth/okta: The legacy MFA system can now be used with the Okta auth backend
    [GH-3653]
  * auth/token: `allowed_policies` and `disallowed_policies` can now be specified
    as a comma-separated string or an array of strings [GH-3641]
+ * core: Period values from auth backends will now be checked and applied to the
+   TTL value directly by core on login and renewal requests [GH-3677]
  * database/mongodb: Add optional `write_concern` parameter, which can be set
    during database configuration. This establishes a session-wide [write
    concern](https://docs.mongodb.com/manual/reference/write-concern/) for the
    lifecycle of the mount [GH-3646]
+ * http: Request path containing non-printable characters will return 400 - Bad
+   Request [GH-3697]
  * mfa/okta: Filter a given email address as a login filter, allowing operation
    when login email and account email are different
  * plugins: Make Vault more resilient when unsealing when plugins are
@@ -60,6 +66,7 @@ IMPROVEMENTS:
 
 BUG FIXES:
 
+ * api/status (enterprise): Fix status reporting when using an auto seal
  * auth/approle: Fix case-sensitive/insensitive comparison issue [GH-3665]
  * auth/cert: Return `allowed_names` on role read [GH-3654]
  * auth/ldap: Fix incorrect control information being sent [GH-3402] [GH-3496]
@@ -72,6 +79,8 @@ BUG FIXES:
    port and then go away -- redux! [GH-3680]
  * core: Replace recursive token revocation logic with depth-first logic, which
    can avoid hitting stack depth limits in extreme cases [GH-2348]
+ * core: When doing a read on configured audited-headers, properly handle case
+   insensitivity [GH-3701]
  * core/pkcs11 (enterprise): Fix panic when PKCS#11 library is not readable
  * database/mysql: Allow the creation statement to use commands that are not yet
    supported by the prepare statement protocol [GH-3619]

api/renewer.go

@@ -50,12 +50,13 @@ var (
 type Renewer struct {
 	l sync.Mutex
 
-	client  *Client
-	secret  *Secret
-	grace   time.Duration
-	random  *rand.Rand
-	doneCh  chan error
-	renewCh chan *RenewOutput
+	client    *Client
+	secret    *Secret
+	grace     time.Duration
+	random    *rand.Rand
+	increment int
+	doneCh    chan error
+	renewCh   chan *RenewOutput
 
 	stopped bool
 	stopCh  chan struct{}
@@ -79,6 +80,11 @@ type RenewerInput struct {
 	// RenewBuffer is the size of the buffered channel where renew messages are
 	// dispatched.
 	RenewBuffer int
+
+	// The new TTL, in seconds, that should be set on the lease. The TTL set
+	// here may or may not be honored by the vault server, based on Vault
+	// configuration or any associated max TTL values.
+	Increment int
 }
 
 // RenewOutput is the metadata returned to the client (if it's listening) to
@@ -120,12 +126,13 @@ func (c *Client) NewRenewer(i *RenewerInput) (*Renewer, error) {
 	}
 
 	return &Renewer{
-		client:  c,
-		secret:  secret,
-		grace:   grace,
-		random:  random,
-		doneCh:  make(chan error, 1),
-		renewCh: make(chan *RenewOutput, renewBuffer),
+		client:    c,
+		secret:    secret,
+		grace:     grace,
+		increment: i.Increment,
+		random:    random,
+		doneCh:    make(chan error, 1),
+		renewCh:   make(chan *RenewOutput, renewBuffer),
 
 		stopped: false,
 		stopCh:  make(chan struct{}),
@@ -245,7 +252,7 @@ func (r *Renewer) renewLease() error {
 		}
 
 		// Renew the lease.
-		renewal, err := client.Sys().Renew(leaseID, 0)
+		renewal, err := client.Sys().Renew(leaseID, r.increment)
 		if err != nil {
 			return err
 		}

api/sys_seal.go

@@ -49,13 +49,14 @@ func sealStatusRequest(c *Sys, r *Request) (*SealStatusResponse, error) {
 }
 
 type SealStatusResponse struct {
-	Type        string `json:"type"`
-	Sealed      bool   `json:"sealed"`
-	T           int    `json:"t"`
-	N           int    `json:"n"`
-	Progress    int    `json:"progress"`
-	Nonce       string `json:"nonce"`
-	Version     string `json:"version"`
-	ClusterName string `json:"cluster_name,omitempty"`
-	ClusterID   string `json:"cluster_id,omitempty"`
+	Type         string `json:"type"`
+	Sealed       bool   `json:"sealed"`
+	T            int    `json:"t"`
+	N            int    `json:"n"`
+	Progress     int    `json:"progress"`
+	Nonce        string `json:"nonce"`
+	Version      string `json:"version"`
+	ClusterName  string `json:"cluster_name,omitempty"`
+	ClusterID    string `json:"cluster_id,omitempty"`
+	RecoverySeal bool   `json:"recovery_seal"`
 }

builtin/credential/github/backend.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/google/go-github/github"
 	"github.com/hashicorp/go-cleanhttp"
+	"github.com/hashicorp/vault/helper/mfa"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 	"golang.org/x/oauth2"
@@ -35,11 +36,11 @@ func Backend() *backend {
 	}
 
 	allPaths := append(b.TeamMap.Paths(), b.UserMap.Paths()...)
-
 	b.Backend = &framework.Backend{
 		Help: backendHelp,
 
 		PathsSpecial: &logical.Paths{
+			Root: mfa.MFARootPaths(),
 			Unauthenticated: []string{
 				"login",
 			},
@@ -47,9 +48,7 @@ func Backend() *backend {
 
 		Paths: append([]*framework.Path{
 			pathConfig(&b),
-			pathLogin(&b),
-		}, allPaths...),
-
+		}, append(allPaths, mfa.MFAPaths(b.Backend, pathLogin(&b))...)...),
 		AuthRenew:   b.pathLoginRenew,
 		BackendType: logical.TypeCredential,
 	}

command/status.go

@@ -35,17 +35,24 @@ func (c *StatusCommand) Run(args []string) int {
 		return 1
 	}
 
+	var sealPrefix string
+	if sealStatus.RecoverySeal {
+		sealPrefix = "Recovery "
+	}
 	outStr := fmt.Sprintf(
-		"Seal Type: %s\n"+
+		"%sSeal Type: %s\n"+
 			"Sealed: %v\n"+
-			"Key Shares: %d\n"+
-			"Key Threshold: %d\n"+
+			"%sKey Shares: %d\n"+
+			"%sKey Threshold: %d\n"+
 			"Unseal Progress: %d\n"+
 			"Unseal Nonce: %v\n"+
 			"Version: %s",
+		sealPrefix,
 		sealStatus.Type,
 		sealStatus.Sealed,
+		sealPrefix,
 		sealStatus.N,
+		sealPrefix,
 		sealStatus.T,
 		sealStatus.Progress,
 		sealStatus.Nonce,

http/handler.go

@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/errwrap"
+	cleanhttp "github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/vault/helper/consts"
 	"github.com/hashicorp/vault/helper/jsonutil"
 	"github.com/hashicorp/vault/helper/parseutil"
@@ -90,7 +91,11 @@ func Handler(core *vault.Core) http.Handler {
 	// handler
 	genericWrappedHandler := wrapGenericHandler(corsWrappedHandler)
 
-	return genericWrappedHandler
+	// Wrap the handler with PrintablePathCheckHandler to check for non-printable
+	// characters in the request path.
+	printablePathCheckHandler := cleanhttp.PrintablePathCheckHandler(genericWrappedHandler, nil)
+
+	return printablePathCheckHandler
 }
 
 // wrapGenericHandler wraps the handler with an extra layer of handler where

http/handler_test.go

@@ -378,5 +378,24 @@ func TestHandler_error(t *testing.T) {
 	if w3.Code != 503 {
 		t.Fatalf("expected 503, got %d", w3.Code)
 	}
-
+}
+
+func TestHandler_nonPrintableChars(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	req, err := http.NewRequest("GET", addr+"/v1/sys/mounts\n", nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	req.Header.Set(AuthHeaderName, token)
+
+	client := cleanhttp.DefaultClient()
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	testResponseStatus(t, resp, 400)
 }

vault/logical_system.go

@@ -1211,7 +1211,7 @@ func (b *SystemBackend) handleAuditedHeaderRead(req *logical.Request, d *framewo
 	}
 
 	headerConfig := b.Core.AuditedHeadersConfig()
-	settings, ok := headerConfig.Headers[header]
+	settings, ok := headerConfig.Headers[strings.ToLower(header)]
 	if !ok {
 		return logical.ErrorResponse("Could not find header in config"), nil
 	}

vendor/github.com/hashicorp/go-cleanhttp/cleanhttp.go

@@ -26,6 +26,7 @@ func DefaultPooledTransport() *http.Transport {
 		DialContext: (&net.Dialer{
 			Timeout:   30 * time.Second,
 			KeepAlive: 30 * time.Second,
+			DualStack: true,
 		}).DialContext,
 		MaxIdleConns:          100,
 		IdleConnTimeout:       90 * time.Second,

vendor/github.com/hashicorp/go-cleanhttp/handlers.go

@@ -0,0 +1,43 @@
+package cleanhttp
+
+import (
+	"net/http"
+	"strings"
+	"unicode"
+)
+
+// HandlerInput provides input options to cleanhttp's handlers
+type HandlerInput struct {
+	ErrStatus int
+}
+
+// PrintablePathCheckHandler is a middleware that ensures the request path
+// contains only printable runes.
+func PrintablePathCheckHandler(next http.Handler, input *HandlerInput) http.Handler {
+	if input == nil {
+		input = &HandlerInput{
+			ErrStatus: http.StatusBadRequest,
+		}
+	}
+
+	// Default to http.StatusBadRequest on error
+	if input.ErrStatus == 0 {
+		input.ErrStatus = http.StatusBadRequest
+	}
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Nil-check on input to make it optional
+		// Check URL path for non-printable characters
+		idx := strings.IndexFunc(r.URL.Path, func(c rune) bool {
+			return !unicode.IsPrint(c)
+		})
+
+		if idx != -1 {
+			w.WriteHeader(input.ErrStatus)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+		return
+	})
+}

vendor/vendor.json

@@ -991,10 +991,10 @@
 			"revisionTime": "2014-10-28T05:47:10Z"
 		},
 		{
-			"checksumSHA1": "b8F628srIitj5p7Y130xc9k0QWs=",
+			"checksumSHA1": "R0vdmL1vTvFNRqXIR6drJThQE+s=",
 			"path": "github.com/hashicorp/go-cleanhttp",
-			"revision": "3573b8b52aa7b37b9358d966a898feb387f62437",
-			"revisionTime": "2017-02-11T01:34:15Z"
+			"revision": "ddbb4a28f25f22bfbad9ca9f3e10c7b81c07d270",
+			"revisionTime": "2017-12-18T14:39:43Z"
 		},
 		{
 			"checksumSHA1": "AA0aYmdg4pb5gPCUSXg8iPzxLag=",

website/source/api/auth/kubernetes/index.html.md

@@ -191,8 +191,8 @@ Lists all the roles that are registered with the backend.
 
 | Method   | Path                         | Produces               |
 | :------- | :--------------------------- | :--------------------- |
-| `LIST`   | `/auth/kubernetes/roles`            | `200 application/json` |
-| `GET`   | `/auth/kubernetes/roles?list=true`   | `200 application/json` |
+| `LIST`   | `/auth/kubernetes/role`            | `200 application/json` |
+| `GET`   | `/auth/kubernetes/role?list=true`   | `200 application/json` |
 
 ### Sample Request
 
@@ -200,7 +200,7 @@ Lists all the roles that are registered with the backend.
 $ curl \
     --header "X-Vault-Token: ..." \
     --request LIST \
-    https://vault.rocks/v1/auth/kubernetes/roles
+    https://vault.rocks/v1/auth/kubernetes/role
 ```
 
 ### Sample Response

website/source/api/system/seal-status.html.md

@@ -32,11 +32,13 @@ The "t" parameter is the threshold, and "n" is the number of shares.
 
 ```json
 {
+  "type": "shamir",
   "sealed": true,
   "t": 3,
   "n": 5,
   "progress": 2,
-  "version": "0.6.2"
+  "nonce": "",
+  "version": "0.9.0"
 }
 ```
 
@@ -44,12 +46,14 @@ Sample response when Vault is unsealed.
 
 ```json
 {
+  "type": "shamir",
   "sealed": false,
   "t": 3,
   "n": 5,
   "progress": 0,
-  "version": "0.6.2",
+  "version": "0.9.0",
   "cluster_name": "vault-cluster-d6ec3c7f",
-  "cluster_id": "3e8b3fec-3749-e056-ba41-b62a63b997e8"
+  "cluster_id": "3e8b3fec-3749-e056-ba41-b62a63b997e8",
+  "nonce": "ef05d55d-4d2c-c594-a5e8-55bc88604c24"
 }
 ```

website/source/docs/configuration/index.html.md

@@ -88,7 +88,12 @@ to specify where the configuration is.
     sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))
     ```
 
-    If you use a Linux distribution with systemd, you can also add the above `setcap` command as an [ExecStartPre](https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStartPre=) additional command in your Vault unit file to ensure that `mlock()` capability is added to the `vault` binary before executing.
+    If you use a Linux distribution with a modern version of systemd, you can add
+    the following directive to the "[Service]" configuration section:
+
+    ```ini
+    LimitMEMLOCK=infinity
+    ```
 
 - `plugin_directory` `(string: "")` – A directory from which plugins are
   allowed to be loaded. Vault must have permission to read files in this
@@ -105,9 +110,9 @@ to specify where the configuration is.
   duration for tokens and secrets. This is specified using a label
   suffix like `"30s"` or `"1h"`.
 
-- `raw_storage_endpoint` `(bool: false)` – Enables the `sys/raw` endpoint which 
-  allows the decryption/encryption of raw data into and out of the security 
-  barrier. This is a highly privileged endpoint. 
+- `raw_storage_endpoint` `(bool: false)` – Enables the `sys/raw` endpoint which
+  allows the decryption/encryption of raw data into and out of the security
+  barrier. This is a highly privileged endpoint.
 
 - `ui` `(bool: false, Enterprise-only)` – Enables the built-in web UI, which is
   available on all listeners (address + port) at the `/ui` path. Browsers accessing

website/source/docs/configuration/storage/dynamodb.html.md

@@ -39,9 +39,9 @@ see the [official AWS DynamoDB documentation][dynamodb-rw-capacity].
   endpoint. This can also be provided via the environment variable
   `AWS_DYNAMODB_ENDPOINT`.
 
-- `ha_enabled` `(bool: false)` – Specifies whether this backend should be used
-  to run Vault in high availability mode. This can also be provided via the
-  environment variable `DYNAMODB_HA_ENABLED`.
+- `ha_enabled` `(string: "false")` – Specifies whether this backend should be used
+  to run Vault in high availability mode. Valid values are "true" or "false". This
+  can also be provided via the environment variable `DYNAMODB_HA_ENABLED`.
 
 - `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
   requests.