updating azure plugin and deps (#4191)

2018-03-23 16:48:05 -04:00 · 2018-03-23 16:48:05 -04:00 · 84ec79a93f
parent 74452d7db7
commit 84ec79a93f
10 changed files with 280 additions and 89 deletions
--- a/vendor/github.com/coreos/go-oidc/code-of-conduct.md
+++ b/vendor/github.com/coreos/go-oidc/code-of-conduct.md
@ -0,0 +1,61 @@
 ## CoreOS Community Code of Conduct
 ### Contributor Code of Conduct
 As contributors and maintainers of this project, and in the interest of
 fostering an open and welcoming community, we pledge to respect all people who
 contribute through reporting issues, posting feature requests, updating
 documentation, submitting pull requests or patches, and other activities.
 We are committed to making participation in this project a harassment-free
 experience for everyone, regardless of level of experience, gender, gender
 identity and expression, sexual orientation, disability, personal appearance,
 body size, race, ethnicity, age, religion, or nationality.
 Examples of unacceptable behavior by participants include:
 * The use of sexualized language or imagery
 * Personal attacks
 * Trolling or insulting/derogatory comments
 * Public or private harassment
 * Publishing others' private information, such as physical or electronic addresses, without explicit permission
 * Other unethical or unprofessional conduct.
 Project maintainers have the right and responsibility to remove, edit, or
 reject comments, commits, code, wiki edits, issues, and other contributions
 that are not aligned to this Code of Conduct. By adopting this Code of Conduct,
 project maintainers commit themselves to fairly and consistently applying these
 principles to every aspect of managing this project. Project maintainers who do
 not follow or enforce the Code of Conduct may be permanently removed from the
 project team.
 This code of conduct applies both within project spaces and in public spaces
 when an individual is representing the project or its community.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported by contacting a project maintainer, Brandon Philips
 <brandon.philips@coreos.com>, and/or Rithu John <rithu.john@coreos.com>.
 This Code of Conduct is adapted from the Contributor Covenant
 (http://contributor-covenant.org), version 1.2.0, available at
 http://contributor-covenant.org/version/1/2/0/
 ### CoreOS Events Code of Conduct
 CoreOS events are working conferences intended for professional networking and
 collaboration in the CoreOS community. Attendees are expected to behave
 according to professional standards and in accordance with their employer’s
 policies on appropriate workplace behavior.
 While at CoreOS events or related social networking opportunities, attendees
 should not engage in discriminatory or offensive speech or actions including
 but not limited to gender, sexuality, race, age, disability, or religion.
 Speakers should be especially aware of these concerns.
 CoreOS does not condone any statements by speakers contrary to these standards.
 CoreOS reserves the right to deny entrance and/or eject from an event (without
 refund) any individual found to be engaging in discriminatory or offensive
 speech or actions.
 Please bring any concerns to the immediate attention of designated on-site
 staff, Brandon Philips <brandon.philips@coreos.com>, and/or Rithu John <rithu.john@coreos.com>.
--- a/vendor/github.com/coreos/go-oidc/jwks.go
+++ b/vendor/github.com/coreos/go-oidc/jwks.go
@ -23,6 +23,20 @@ import (
 // updated.
 const keysExpiryDelta = 30 * time.Second
 // NewRemoteKeySet returns a KeySet that can validate JSON web tokens by using HTTP
 // GETs to fetch JSON web token sets hosted at a remote URL. This is automatically
 // used by NewProvider using the URLs returned by OpenID Connect discovery, but is
 // exposed for providers that don't support discovery or to prevent round trips to the
 // discovery URL.
 //
 // The returned KeySet is a long lived verifier that caches keys based on cache-control
 // headers. Reuse a common remote key set instead of creating new ones as needed.
 //
 // The behavior of the returned KeySet is undefined once the context is canceled.
 func NewRemoteKeySet(ctx context.Context, jwksURL string) KeySet {
 	return newRemoteKeySet(ctx, jwksURL, time.Now)
 }
 func newRemoteKeySet(ctx context.Context, jwksURL string, now func() time.Time) *remoteKeySet {
 	if now == nil {
 		now = time.Now
@ -79,6 +93,14 @@ func (i *inflight) result() ([]jose.JSONWebKey, error) {
 	return i.keys, i.err
 }
 func (r *remoteKeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {
 	jws, err := jose.ParseSigned(jwt)
 	if err != nil {
 		return nil, fmt.Errorf("oidc: malformed jwt: %v", err)
 	}
 	return r.verify(ctx, jws)
 }
 func (r *remoteKeySet) verify(ctx context.Context, jws *jose.JSONWebSignature) ([]byte, error) {
 	// We don't support JWTs signed with multiple signatures.
 	keyID := ""
--- a/vendor/github.com/coreos/go-oidc/oidc.go
+++ b/vendor/github.com/coreos/go-oidc/oidc.go
@ -3,9 +3,13 @@ package oidc
 import (
 	"context"
 	"crypto/sha256"
 	"crypto/sha512"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"hash"
 	"io/ioutil"
 	"mime"
 	"net/http"
@ -31,6 +35,11 @@ const (
 	ScopeOfflineAccess = "offline_access"
 )
 var (
 	errNoAtHash      = errors.New("id token did not have an access token hash")
 	errInvalidAtHash = errors.New("access token hash does not match value in ID token")
 )
 // ClientContext returns a new Context that carries the provided HTTP client.
 //
 // This method sets the same context key used by the golang.org/x/oauth2 package,
@ -64,7 +73,7 @@ type Provider struct {
 	// Raw claims returned by the server.
 	rawClaims []byte
-	remoteKeySet *remoteKeySet
+	remoteKeySet KeySet
 }
 type cachedKeys struct {
@ -120,7 +129,7 @@ func NewProvider(ctx context.Context, issuer string) (*Provider, error) {
 		tokenURL:     p.TokenURL,
 		userInfoURL:  p.UserInfoURL,
 		rawClaims:    body,
-		remoteKeySet: newRemoteKeySet(ctx, p.JWKSURL, time.Now),
+		remoteKeySet: NewRemoteKeySet(ctx, p.JWKSURL),
 	}, nil
 }
@ -242,6 +251,14 @@ type IDToken struct {
 	// and it's the user's responsibility to ensure it contains a valid value.
 	Nonce string
 	// at_hash claim, if set in the ID token. Callers can verify an access token
 	// that corresponds to the ID token using the VerifyAccessToken method.
 	AccessTokenHash string
 	// signature algorithm used for ID token, needed to compute a verification hash of an
 	// access token
 	sigAlgorithm string
 	// Raw payload of the id_token.
 	claims []byte
 }
@ -267,6 +284,34 @@ func (i *IDToken) Claims(v interface{}) error {
 	return json.Unmarshal(i.claims, v)
 }
 // VerifyAccessToken verifies that the hash of the access token that corresponds to the iD token
 // matches the hash in the id token. It returns an error if the hashes  don't match.
 // It is the caller's responsibility to ensure that the optional access token hash is present for the ID token
 // before calling this method. See https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
 func (i *IDToken) VerifyAccessToken(accessToken string) error {
 	if i.AccessTokenHash == "" {
 		return errNoAtHash
 	}
 	var h hash.Hash
 	switch i.sigAlgorithm {
 	case RS256, ES256, PS256:
 		h = sha256.New()
 	case RS384, ES384, PS384:
 		h = sha512.New384()
 	case RS512, ES512, PS512:
 		h = sha512.New()
 	default:
 		return fmt.Errorf("oidc: unsupported signing algorithm %q", i.sigAlgorithm)
 	}
 	h.Write([]byte(accessToken)) // hash documents that Write will never return an error
 	sum := h.Sum(nil)[:h.Size()/2]
 	actual := base64.RawURLEncoding.EncodeToString(sum)
 	if actual != i.AccessTokenHash {
 		return errInvalidAtHash
 	}
 	return nil
 }
 type idToken struct {
 	Issuer   string   `json:"iss"`
 	Subject  string   `json:"sub"`
@ -274,6 +319,7 @@ type idToken struct {
 	Expiry   jsonTime `json:"exp"`
 	IssuedAt jsonTime `json:"iat"`
 	Nonce    string   `json:"nonce"`
 	AtHash   string   `json:"at_hash"`
 }
 type audience []string
--- a/vendor/github.com/coreos/go-oidc/test
+++ b/vendor/github.com/coreos/go-oidc/test
@ -11,6 +11,6 @@ LINTABLE=$( go list -tags=golint -f '
 go test -v -i -race github.com/coreos/go-oidc/...
 go test -v -race github.com/coreos/go-oidc/...
-golint $LINTABLE
+golint -set_exit_status $LINTABLE
 go vet github.com/coreos/go-oidc/...
 go build -v ./example/...
--- a/vendor/github.com/coreos/go-oidc/verify.go
+++ b/vendor/github.com/coreos/go-oidc/verify.go
@ -19,19 +19,54 @@ const (
 	issuerGoogleAccountsNoScheme = "accounts.google.com"
 )
-// keySet is an interface that lets us stub out verification policies for
+// KeySet is a set of publc JSON Web Keys that can be used to validate the signature
-// testing. Outside of testing, it's always backed by a remoteKeySet.
+// of JSON web tokens. This is expected to be backed by a remote key set through
-type keySet interface {
+// provider metadata discovery or an in-memory set of keys delivered out-of-band.
-	verify(ctx context.Context, jws *jose.JSONWebSignature) ([]byte, error)
+type KeySet interface {
 	// VerifySignature parses the JSON web token, verifies the signature, and returns
 	// the raw payload. Header and claim fields are validated by other parts of the
 	// package. For example, the KeySet does not need to check values such as signature
 	// algorithm, issuer, and audience since the IDTokenVerifier validates these values
 	// independently.
 	//
 	// If VerifySignature makes HTTP requests to verify the token, it's expected to
 	// use any HTTP client associated with the context through ClientContext.
 	VerifySignature(ctx context.Context, jwt string) (payload []byte, err error)
 }
 // IDTokenVerifier provides verification for ID Tokens.
 type IDTokenVerifier struct {
-	keySet keySet
+	keySet KeySet
 	config *Config
 	issuer string
 }
 // NewVerifier returns a verifier manually constructed from a key set and issuer URL.
 //
 // It's easier to use provider discovery to construct an IDTokenVerifier than creating
 // one directly. This method is intended to be used with provider that don't support
 // metadata discovery, or avoiding round trips when the key set URL is already known.
 //
 // This constructor can be used to create a verifier directly using the issuer URL and
 // JSON Web Key Set URL without using discovery:
 //
 //		keySet := oidc.NewRemoteKeySet(ctx, "https://www.googleapis.com/oauth2/v3/certs")
 //		verifier := oidc.NewVerifier("https://accounts.google.com", keySet, config)
 //
 // Since KeySet is an interface, this constructor can also be used to supply custom
 // public key sources. For example, if a user wanted to supply public keys out-of-band
 // and hold them statically in-memory:
 //
 //		// Custom KeySet implementation.
 //		keySet := newStatisKeySet(publicKeys...)
 //
 //		// Verifier uses the custom KeySet implementation.
 //		verifier := oidc.NewVerifier("https://auth.example.com", keySet, config)
 //
 func NewVerifier(issuerURL string, keySet KeySet, config *Config) *IDTokenVerifier {
 	return &IDTokenVerifier{keySet: keySet, config: config, issuer: issuerURL}
 }
 // Config is the configuration for an IDTokenVerifier.
 type Config struct {
 	// Expected audience of the token. For a majority of the cases this is expected to be
@ -59,21 +94,7 @@ type Config struct {
 // The returned IDTokenVerifier is tied to the Provider's context and its behavior is
 // undefined once the Provider's context is canceled.
 func (p *Provider) Verifier(config *Config) *IDTokenVerifier {
-
+	return NewVerifier(p.issuer, p.remoteKeySet, config)
 	return newVerifier(p.remoteKeySet, config, p.issuer)
 }
 func newVerifier(keySet keySet, config *Config, issuer string) *IDTokenVerifier {
 	// If SupportedSigningAlgs is empty defaults to only support RS256.
 	if len(config.SupportedSigningAlgs) == 0 {
 		config.SupportedSigningAlgs = []string{RS256}
 	}
 	return &IDTokenVerifier{
 		keySet: keySet,
 		config: config,
 		issuer: issuer,
 	}
 }
 func parseJWT(p string) ([]byte, error) {
@ -135,13 +156,14 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 	}
 	t := &IDToken{
-		Issuer:   token.Issuer,
+		Issuer:          token.Issuer,
-		Subject:  token.Subject,
+		Subject:         token.Subject,
-		Audience: []string(token.Audience),
+		Audience:        []string(token.Audience),
-		Expiry:   time.Time(token.Expiry),
+		Expiry:          time.Time(token.Expiry),
-		IssuedAt: time.Time(token.IssuedAt),
+		IssuedAt:        time.Time(token.IssuedAt),
-		Nonce:    token.Nonce,
+		Nonce:           token.Nonce,
-		claims:   payload,
+		AccessTokenHash: token.AtHash,
 		claims:          payload,
 	}
 	// Check issuer.
@ -165,7 +187,7 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 				return nil, fmt.Errorf("oidc: expected audience %q got %q", v.config.ClientID, t.Audience)
 			}
 		} else {
-			return nil, fmt.Errorf("oidc: Invalid configuration. ClientID must be provided or SkipClientIDCheck must be set.")
+			return nil, fmt.Errorf("oidc: invalid configuration, clientID must be provided or SkipClientIDCheck must be set")
 		}
 	}
@ -190,11 +212,18 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 	}
 	sig := jws.Signatures[0]
-	if len(v.config.SupportedSigningAlgs) != 0 && !contains(v.config.SupportedSigningAlgs, sig.Header.Algorithm) {
+	supportedSigAlgs := v.config.SupportedSigningAlgs
-		return nil, fmt.Errorf("oidc: id token signed with unsupported algorithm, expected %q got %q", v.config.SupportedSigningAlgs, sig.Header.Algorithm)
+	if len(supportedSigAlgs) == 0 {
 		supportedSigAlgs = []string{RS256}
 	}
-	gotPayload, err := v.keySet.verify(ctx, jws)
+	if !contains(supportedSigAlgs, sig.Header.Algorithm) {
 		return nil, fmt.Errorf("oidc: id token signed with unsupported algorithm, expected %q got %q", supportedSigAlgs, sig.Header.Algorithm)
 	}
 	t.sigAlgorithm = sig.Header.Algorithm
 	gotPayload, err := v.keySet.VerifySignature(ctx, rawIDToken)
 	if err != nil {
 		return nil, fmt.Errorf("failed to verify signature: %v", err)
 	}
--- a/vendor/github.com/hashicorp/vault-plugin-auth-azure/plugin/azure.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-azure/plugin/azure.go
@ -2,8 +2,11 @@ package plugin
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"os"
 	"github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2017-12-01/compute"
@ -11,10 +14,9 @@ import (
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/azure/auth"
 	oidc "github.com/coreos/go-oidc"
-)
+	"github.com/hashicorp/errwrap"
-
+	cleanhttp "github.com/hashicorp/go-cleanhttp"
-const (
+	"golang.org/x/oauth2"
 	issuerBaseURI = "https://sts.windows.net"
 )
 type computeClient interface {
@ -30,39 +32,66 @@ type provider interface {
 	ComputeClient(subscriptionID string) computeClient
 }
 var _ provider = &azureProvider{}
 type azureProvider struct {
-	settings     *azureSettings
+	oidcVerifier *oidc.IDTokenVerifier
 	oidcProvider *oidc.Provider
 	authorizer   autorest.Authorizer
 	httpClient   *http.Client
 }
-func NewAzureProvider(config *azureConfig) (*azureProvider, error) {
+type oidcDiscoveryInfo struct {
 	Issuer  string `json:"issuer"`
 	JWKSURL string `json:"jwks_uri"`
 }
 func newAzureProvider(config *azureConfig) (*azureProvider, error) {
 	httpClient := cleanhttp.DefaultClient()
 	settings, err := getAzureSettings(config)
 	if err != nil {
 		return nil, err
 	}
-	issuer := fmt.Sprintf("%s/%s/", issuerBaseURI, settings.TenantID)
+	// In many OIDC providers, the discovery endpoint matches the issuer. For Azure AD, the discovery
-	oidcProvider, err := oidc.NewProvider(context.Background(), issuer)
+	// endpoint is the AD endpoint which does not match the issuer defined in the discovery payload. This
 	// makes a request to the discovery URL to determine the issuer and key set information to configure
 	// the OIDC verifier
 	discoveryURL := fmt.Sprintf("%s%s/.well-known/openid-configuration", settings.Environment.ActiveDirectoryEndpoint, settings.TenantID)
 	resp, err := httpClient.Get(discoveryURL)
 	if err != nil {
 		return nil, err
 	}
 	defer resp.Body.Close()
-	provider := &azureProvider{
+	body, err := ioutil.ReadAll(resp.Body)
-		settings:     settings,
+	if err != nil {
-		oidcProvider: oidcProvider,
+		return nil, errwrap.Wrapf("unable to read response body: {{err}}", err)
 	}
 	if resp.StatusCode != http.StatusOK {
 		return nil, fmt.Errorf("%s: %s", resp.Status, body)
 	}
 	var discoveryInfo oidcDiscoveryInfo
 	if err := json.Unmarshal(body, &discoveryInfo); err != nil {
 		return nil, errwrap.Wrapf("unable to unmarshal discovery url: {{err}}", err)
 	}
-	// OAuth2 client for querying VM data
+	// Create a remote key set from the discovery endpoint
 	ctx := context.WithValue(context.Background(), oauth2.HTTPClient, httpClient)
 	remoteKeySet := oidc.NewRemoteKeySet(ctx, discoveryInfo.JWKSURL)
 	verifierConfig := &oidc.Config{
 		ClientID:             settings.Resource,
 		SupportedSigningAlgs: []string{oidc.RS256},
 	}
 	oidcVerifier := oidc.NewVerifier(discoveryInfo.Issuer, remoteKeySet, verifierConfig)
 	// Create an OAuth2 client for retrieving VM data
 	var authorizer autorest.Authorizer
 	switch {
 	// Use environment/config first
 	case settings.ClientSecret != "":
 		config := auth.NewClientCredentialsConfig(settings.ClientID, settings.ClientSecret, settings.TenantID)
 		config.AADEndpoint = settings.Environment.ActiveDirectoryEndpoint
 		config.Resource = settings.Environment.ResourceManagerEndpoint
-		provider.authorizer, err = config.Authorizer()
+		authorizer, err = config.Authorizer()
 		if err != nil {
 			return nil, err
 		}
@ -70,25 +99,27 @@ func NewAzureProvider(config *azureConfig) (*azureProvider, error) {
 	default:
 		config := auth.NewMSIConfig()
 		config.Resource = settings.Environment.ResourceManagerEndpoint
-		provider.authorizer, err = config.Authorizer()
+		authorizer, err = config.Authorizer()
 		if err != nil {
 			return nil, err
 		}
 	}
-	return provider, nil
+
 	return &azureProvider{
 		authorizer:   authorizer,
 		oidcVerifier: oidcVerifier,
 		httpClient:   httpClient,
 	}, nil
 }
 func (p *azureProvider) Verifier() tokenVerifier {
-	verifierConfig := &oidc.Config{
+	return p.oidcVerifier
 		ClientID:             p.settings.Resource,
 		SupportedSigningAlgs: []string{oidc.RS256},
 	}
 	return p.oidcProvider.Verifier(verifierConfig)
 }
 func (p *azureProvider) ComputeClient(subscriptionID string) computeClient {
 	client := compute.NewVirtualMachinesClient(subscriptionID)
 	client.Authorizer = p.authorizer
 	client.Sender = p.httpClient
 	return client
 }
--- a/vendor/github.com/hashicorp/vault-plugin-auth-azure/plugin/backend.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-azure/plugin/backend.go
@ -2,10 +2,8 @@ package plugin
 import (
 	"context"
 	"net/http"
 	"sync"
 	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@ -23,8 +21,7 @@ type azureAuthBackend struct {
 	l sync.RWMutex
-	provider   provider
+	provider provider
 	httpClient *http.Client
 }
 func Backend(c *logical.BackendConfig) *azureAuthBackend {
@ -51,7 +48,6 @@ func Backend(c *logical.BackendConfig) *azureAuthBackend {
 			pathsRole(b),
 		),
 	}
 	b.httpClient = cleanhttp.DefaultClient()
 	return b
 }
@ -81,7 +77,7 @@ func (b *azureAuthBackend) getProvider(config *azureConfig) (provider, error) {
 		return b.provider, nil
 	}
-	provider, err := NewAzureProvider(config)
+	provider, err := newAzureProvider(config)
 	if err != nil {
 		return nil, err
 	}
--- a/vendor/github.com/hashicorp/vault-plugin-auth-azure/plugin/path_login.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-azure/plugin/path_login.go
@ -199,32 +199,32 @@ func (b *azureAuthBackend) verifyResource(ctx context.Context, subscriptionID, r
 	// Ensure the principal id for the VM matches the verified token OID
 	if vm.Identity == nil {
-		return fmt.Errorf("vm client did not return identity information")
+		return errors.New("vm client did not return identity information")
 	}
 	if vm.Identity.PrincipalID == nil {
-		return fmt.Errorf("vm principal id is empty")
+		return errors.New("vm principal id is empty")
 	}
 	if to.String(vm.Identity.PrincipalID) != claims.ObjectID {
-		return fmt.Errorf("token object id does not match virtual machine principal id")
+		return errors.New("token object id does not match virtual machine principal id")
 	}
 	// Check bound subsriptions
 	if len(role.BoundSubscriptionsIDs) > 0 && !strutil.StrListContains(role.BoundSubscriptionsIDs, subscriptionID) {
-		return fmt.Errorf("subscription not authoirzed")
+		return errors.New("subscription not authorized")
 	}
 	// Check bound resource groups
 	if len(role.BoundResourceGroups) > 0 && !strutil.StrListContains(role.BoundResourceGroups, resourceGroupName) {
-		return fmt.Errorf("resource group not authoirzed")
+		return errors.New("resource group not authorized")
 	}
 	// Check bound locations
 	if len(role.BoundLocations) > 0 {
 		if vm.Location == nil {
-			return fmt.Errorf("vm location is empty")
+			return errors.New("vm location is empty")
 		}
 		if !strutil.StrListContains(role.BoundLocations, to.String(vm.Location)) {
-			return fmt.Errorf("token object id does not match virtual machine principal id")
+			return errors.New("location not authorized")
 		}
 	}
@ -234,13 +234,13 @@ func (b *azureAuthBackend) verifyResource(ctx context.Context, subscriptionID, r
 func (b *azureAuthBackend) pathLoginRenew(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	roleName := req.Auth.InternalData["role"].(string)
 	if roleName == "" {
-		return nil, fmt.Errorf("failed to fetch role_name during renewal")
+		return nil, errors.New("failed to fetch role_name during renewal")
 	}
 	// Ensure that the Role still exists.
 	role, err := b.role(ctx, req.Storage, roleName)
 	if err != nil {
-		return nil, fmt.Errorf("failed to validate role %s during renewal:%s", roleName, err)
+		return nil, errwrap.Wrapf(fmt.Sprintf("failed to validate role %s during renewal: {{err}}", roleName), err)
 	}
 	if role == nil {
 		return nil, fmt.Errorf("role %s does not exist during renewal", roleName)
--- a/vendor/github.com/hashicorp/vault-plugin-auth-azure/plugin/path_role.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-azure/plugin/path_role.go
@ -3,6 +3,7 @@ package plugin
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"strings"
 	"time"
@ -57,24 +58,29 @@ duration specified by this value. At each renewal, the token's
 TTL will be set to the value of this parameter.`,
 				},
 				"bound_subscription_ids": &framework.FieldSchema{
-					Type:        framework.TypeCommaStringSlice,
+					Type: framework.TypeCommaStringSlice,
-					Description: ``,
+					Description: `Comma-separated list of subscription ids that login 
 is restricted to.`,
 				},
 				"bound_resource_groups": &framework.FieldSchema{
-					Type:        framework.TypeCommaStringSlice,
+					Type: framework.TypeCommaStringSlice,
-					Description: ``,
+					Description: `Comma-separated list of resource groups that login 
 is restricted to.`,
 				},
 				"bound_group_ids": &framework.FieldSchema{
-					Type:        framework.TypeCommaStringSlice,
+					Type: framework.TypeCommaStringSlice,
-					Description: ``,
+					Description: `Comma-separated list of group ids that login 
 is restricted to.`,
 				},
 				"bound_service_principal_ids": &framework.FieldSchema{
-					Type:        framework.TypeCommaStringSlice,
+					Type: framework.TypeCommaStringSlice,
-					Description: ``,
+					Description: `Comma-separated list of service principal ids that login 
 is restricted to.`,
 				},
 				"bound_locations": &framework.FieldSchema{
-					Type:        framework.TypeCommaStringSlice,
+					Type: framework.TypeCommaStringSlice,
-					Description: ``,
+					Description: `Comma-separated list of locations that login 
 is restricted to.`,
 				},
 			},
 			ExistenceCheck: b.pathRoleExistenceCheck,
@ -226,7 +232,7 @@ func (b *azureAuthBackend) pathRoleCreateUpdate(ctx context.Context, req *logica
 	// Create a new entry object if this is a CreateOperation
 	if role == nil {
 		if req.Operation == logical.UpdateOperation {
-			return nil, fmt.Errorf("role entry not found during update operation")
+			return nil, errors.New("role entry not found during update operation")
 		}
 		role = new(azureRole)
 	}
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@ -643,10 +643,10 @@
 			"revisionTime": "2018-02-10T00:12:50Z"
 		},
 		{
-			"checksumSHA1": "8o2JlMI+LchFOAR1uGZ3u6cROkY=",
+			"checksumSHA1": "b6LGjzkSCWdrqH6dnS/Bf+BfdPU=",
 			"path": "github.com/coreos/go-oidc",
-			"revision": "a93f71fdfe73d2c0f5413c0565eea0af6523a6df",
+			"revision": "065b426bd41667456c1a924468f507673629c46b",
-			"revisionTime": "2017-10-02T15:50:02Z"
+			"revisionTime": "2018-01-17T17:01:38Z"
 		},
 		{
 			"checksumSHA1": "97BsbXOiZ8+Kr+LIuZkQFtSj7H4=",
@ -1279,10 +1279,10 @@
 			"revisionTime": "2018-02-03T00:31:27Z"
 		},
 		{
-			"checksumSHA1": "LmozvTcHq18DkRN7aloRXug7Yqg=",
+			"checksumSHA1": "C6sgT2K7ZAv4y/MFMWppVs7oqTM=",
 			"path": "github.com/hashicorp/vault-plugin-auth-azure/plugin",
-			"revision": "ba506e5d0aae1d115c2b5ad4ea8d3f06be77b45a",
+			"revision": "29767bb64e3fd21c7661a5008aa62a2eda1aebb8",
-			"revisionTime": "2018-03-21T20:06:11Z"
+			"revisionTime": "2018-03-23T20:42:11Z"
 		},
 		{
 			"checksumSHA1": "xApm6AbAzE3wMLMaozaZ53pb7AU=",