From 900bbf5113d8f6c7b159ef0043fea6abf17a9190 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Fri, 5 Apr 2019 09:24:43 -0400 Subject: [PATCH] Pull JWT auth plugin and update CL --- CHANGELOG.md | 24 +++++++++++-------- .../vault-plugin-auth-jwt/path_login.go | 10 ++++---- vendor/vendor.json | 6 ++--- 3 files changed, 22 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 743d1a915..bd2700ae9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,11 +1,8 @@ -## Next +## 1.1.1 (unreleased) CHANGES: - * auth/jwt: Disallow logins of role_type "oidc" via the `/login` path - [[GH-38]](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/38) - -## 1.1.1 (unreleased) + * auth/jwt: Disallow logins of role_type "oidc" via the `/login` path [JWT-38] IMPROVEMENTS: 
@@ -14,20 +11,27 @@ IMPROVEMENTS: * ui: Navigating away from secret list view will clear any page-specific filter that was applied [GH-6511] - BUG FIXES: * agent: Allow auto-auth to be used with caching without having to define any sinks [GH-6468] + * auth/ldap: Fix CN check not working if CN was not all in uppercase [GH-6518] * auth/jwt: The CLI helper for OIDC logins will now open the browser to the correct - URL when running on Windows. [[GH-37]](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/37) + URL when running on Windows [JWT-37] * auth/jwt: Fix an issue where the `oidc_scopes` parameter was not being included in - the response to a role read request [[GH-35]](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/35) + the response to a role read request [JWT-35] + * core: Fix seal migration case when migrating to Shamir and a seal block + wasn't explicitly specified [GH-6455] + * core: Fix unwrapping when using namespaced wrapping tokens [GH-6536] * core: Fix incorrect representation of required properties in OpenAPI output - [[GH-6490]](https://github.com/hashicorp/vault/pull/6490) + [GH-6490] + * identity: Fix updating groups removing existing members [GH-6527] + * replication: Fix mount filter invalidation on performance standby nodes + * replication: Fix license reloading on performance standby nodes + * replication: Fix handling of control groups on performance standby nodes * secret/pki: Use `uri_sans` param in when not using CSR parameters [GH-6505] * storage/dynamodb: Fix a race condition possible in HA configurations that could - leave the cluster without a leader [[GH-6512]](https://github.com/hashicorp/vault/pull/6512) + leave the cluster without a leader [GH-6512] * ui: Fix an issue where in production builds OpenAPI model generation was failing, causing any form using it to render labels with missing fields [GH-6474] * ui: Fix issue nav-hiding when moving between namespaces [GH-6473] 
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go
index 19db26811..2cbed7786 100644
--- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go
+++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go
@@ -68,6 +68,10 @@ func (b *jwtAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d
 		return logical.ErrorResponse("role %q could not be found", roleName), nil
 	}
 
+	if role.RoleType == "oidc" {
+		return logical.ErrorResponse("role with oidc role_type is not allowed"), nil
+	}
+
 	token := d.Get("jwt").(string)
 	if len(token) == 0 {
 		return logical.ErrorResponse("missing token"), nil
@@ -228,13 +232,9 @@ func (b *jwtAuthBackend) verifyOIDCToken(ctx context.Context, config *jwtConfig,
 	oidcConfig := &oidc.Config{
 		SupportedSigningAlgs: config.JWTSupportedAlgs,
+		SkipClientIDCheck:    true,
 	}
-	if role.RoleType == "oidc" {
-		oidcConfig.ClientID = config.OIDCClientID
-	} else {
-		oidcConfig.SkipClientIDCheck = true
-	}
 
 	verifier := provider.Verifier(oidcConfig)
 	idToken, err := verifier.Verify(ctx, rawToken)
diff --git a/vendor/vendor.json b/vendor/vendor.json
index 260fbedc5..4cd75cdf5 100644
--- a/vendor/vendor.json
+++ b/vendor/vendor.json
@@ -1391,10 +1391,10 @@
 			"revisionTime": "2019-04-02T00:00:36Z"
 		},
 		{
-			"checksumSHA1": "itJt7LtTNuCOBfBVGDcTtUu9HIc=",
+			"checksumSHA1": "7htT8U/t65ixPdTbbzSBrERPvoE=",
 			"path": "github.com/hashicorp/vault-plugin-auth-jwt",
-			"revision": "7b19d4b328acbeaecd0e4781c613bf7401115f63",
-			"revisionTime": "2019-04-01T19:55:01Z"
+			"revision": "7ca4cefd94ef8f290b0a8c93b214ee80defd5618",
+			"revisionTime": "2019-04-04T21:59:00Z"
 		},
 		{
 			"checksumSHA1": "2GD7htZi0dpYxt7kxljXq2qK61s=",
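Review bot: Setting `SkipClientIDCheck: true` unconditionally in verifyOIDCToken drops the only audience check visible in this hunk — go-oidc will no longer require the ID token's `aud` to contain `config.OIDCClientID`, and that now applies to every caller, not just the `/login` path that the new pathLogin guard rejects for oidc roles. If verifyOIDCToken is also reached from the OIDC callback flow (presumably the case, since oidc roles still exist), an ID token minted for a different client at the same provider would pass signature and issuer verification here unless the caller performs its own `aud` check against a bound-audiences list, which this hunk does not show; please confirm that check exists for oidc roles, or restore `ClientID: config.OIDCClientID` for the code-flow caller. Either way the new code should say where audience validation now happens, e.g. `// aud is not checked here; callers must validate the token's audience themselves.` so the next reader does not assume go-oidc still enforces it. verifyOIDCToken's signature and the rest of its body are outside the hunk.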