Merge branch '1.1.2' into master-oss

CHANGELOG.md

@@ -16,6 +16,17 @@ BUG FIXES:
  * ui: fix an issue where sensitive input values weren't being saved to the
    server [GH-6586]
 
+## 1.1.2 (April 18th, 2019)
+
+This is a bug fix release containing the two items below. It is otherwise
+unchanged from 1.1.1.
+
+BUG FIXES:
+
+ * auth/okta: Fix a potential dropped error [GH-6592]
+ * secrets/kv: Fix a regression on upgrade where a KVv2 mount could fail to be
+   mounted on unseal if it had previously been mounted but not written to
+   [KV-31]
 
 ## 1.1.1 (April 11th, 2019)
 

go.mod

@@ -85,7 +85,7 @@ require (
 	github.com/hashicorp/vault-plugin-secrets-azure v0.5.1
 	github.com/hashicorp/vault-plugin-secrets-gcp v0.5.2
 	github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.1
-	github.com/hashicorp/vault-plugin-secrets-kv v0.5.1
+	github.com/hashicorp/vault-plugin-secrets-kv v0.5.2-0.20190416155133-fd495225dea0
 	github.com/hashicorp/vault/api v1.0.1
 	github.com/hashicorp/vault/sdk v0.1.8
 	github.com/influxdata/influxdb v0.0.0-20190411212539-d24b7ba8c4c4

go.sum

@@ -296,8 +296,8 @@ github.com/hashicorp/vault-plugin-secrets-gcp v0.5.2 h1:oH5EVMJCOHb81Ib9E7/ps1Wr
 github.com/hashicorp/vault-plugin-secrets-gcp v0.5.2/go.mod h1:2VjVlKHTwqvcVCkZBhYks+HASDzQ4/bIsJoOpO2YJFY=
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.1 h1:v25YWb7eMPe9DjGsUexRRuWwPlFNh+lbEGOeNrZalf8=
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.1/go.mod h1:seBkt6x33ZT20koMcUwV/viMomnXDipsLgK5KUKz2ik=
-github.com/hashicorp/vault-plugin-secrets-kv v0.5.1 h1:awaZ/UoeiDD0j3xF1E0kmXWJvAZw8ULayQu46mB6Un4=
-github.com/hashicorp/vault-plugin-secrets-kv v0.5.1/go.mod h1:PIjaafaRr2QlkGl2SNhIywxlejeW0iMUtmx8u9u/a6c=
+github.com/hashicorp/vault-plugin-secrets-kv v0.5.2-0.20190416155133-fd495225dea0 h1:pb5DaAqWgGsKWFMsGotmQJREcv/B1EZGHO1hqWOxDAI=
+github.com/hashicorp/vault-plugin-secrets-kv v0.5.2-0.20190416155133-fd495225dea0/go.mod h1:PIjaafaRr2QlkGl2SNhIywxlejeW0iMUtmx8u9u/a6c=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ=

sdk/version/version_base.go

@@ -8,7 +8,7 @@ var (
 	// Whether cgo is enabled or not; set at build time
 	CgoEnabled bool
 
-	Version           = "1.1.1"
+	Version           = "1.1.2"
 	VersionPrerelease = ""
 	VersionMetadata   = ""
 )

terraform/aws/variables.tf

@@ -3,7 +3,7 @@
 //-------------------------------------------------------------------
 
 variable "download-url" {
-    default = "https://releases.hashicorp.com/vault/1.1.1/vault_1.1.1_linux_amd64.zip"
+    default = "https://releases.hashicorp.com/vault/1.1.2/vault_1.1.2_linux_amd64.zip"
     description = "URL to download Vault"
 }
 

vault/external_tests/misc/kvv2_upgrade_test.go

@@ -0,0 +1,99 @@
+package token
+
+import (
+	"bytes"
+	"context"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/go-hclog"
+	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/helper/testhelpers"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/physical"
+	"github.com/hashicorp/vault/vault"
+	"github.com/kr/pretty"
+)
+
+// Tests the regression in
+// https://github.com/hashicorp/vault-plugin-secrets-kv/pull/31
+func TestKVv2_UpgradePaths(t *testing.T) {
+	logOut := new(bytes.Buffer)
+	logger := hclog.New(&hclog.LoggerOptions{
+		Output: logOut,
+	})
+
+	coreConfig := &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"kv": logicalKv.Factory,
+		},
+		EnableRaw: true,
+		Logger:    logger,
+	}
+	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
+		HandlerFunc: vaulthttp.Handler,
+	})
+	cluster.Start()
+	defer cluster.Cleanup()
+
+	core := cluster.Cores[0]
+	vault.TestWaitActive(t, core.Core)
+	client := core.Client
+
+	// Enable KVv2
+	err := client.Sys().Mount("kv", &api.MountInput{
+		Type: "kv-v2",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cluster.EnsureCoresSealed(t)
+
+	ctx := context.Background()
+
+	// Delete the policy from storage, to trigger the clean slate necessary for
+	// the error
+	mounts, err := core.UnderlyingStorage.List(ctx, "logical/")
+	if err != nil {
+		t.Fatal(err)
+	}
+	kvMount := mounts[0]
+	basePaths, err := core.UnderlyingStorage.List(ctx, "logical/"+kvMount)
+	if err != nil {
+		t.Fatal(err)
+	}
+	basePath := basePaths[0]
+
+	beforeList, err := core.UnderlyingStorage.List(ctx, "logical/"+kvMount+basePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log(pretty.Sprint(beforeList))
+
+	// Delete policy/archive
+	if err = logical.ClearView(ctx, physical.NewView(core.UnderlyingStorage, "logical/"+kvMount+basePath+"policy/")); err != nil {
+		t.Fatal(err)
+	}
+	if err = logical.ClearView(ctx, physical.NewView(core.UnderlyingStorage, "logical/"+kvMount+basePath+"archive/")); err != nil {
+		t.Fatal(err)
+	}
+
+	afterList, err := core.UnderlyingStorage.List(ctx, "logical/"+kvMount+basePath)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Log(pretty.Sprint(afterList))
+
+	testhelpers.EnsureCoresUnsealed(t, cluster)
+
+	// Need to give it time to actually set up
+	time.Sleep(10 * time.Second)
+
+	if strings.Contains(logOut.String(), "cannot write to storage during setup") {
+		t.Fatal("got a cannot write to storage during setup error")
+	}
+}

vendor/github.com/hashicorp/vault-plugin-secrets-kv/path_data.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/golang/protobuf/proto"
@@ -65,6 +66,13 @@ func (b *versionedKVBackend) dataExistenceCheck() framework.ExistenceFunc {
 
 		meta, err := b.getKeyMetadata(ctx, req.Storage, key)
 		if err != nil {
+			// If we are returning a readonly error it means we are attempting
+			// to write the policy for the first time. This means no data exists
+			// yet and we can safely return false here.
+			if strings.Contains(err.Error(), logical.ErrReadOnly.Error()) {
+				return false, nil
+			}
+
 			return false, err
 		}
 

vendor/github.com/hashicorp/vault-plugin-secrets-kv/path_metadata.go

@@ -3,6 +3,7 @@ package kv
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"github.com/golang/protobuf/ptypes"
 	"github.com/hashicorp/vault/sdk/framework"
@@ -54,6 +55,13 @@ func (b *versionedKVBackend) metadataExistenceCheck() framework.ExistenceFunc {
 
 		meta, err := b.getKeyMetadata(ctx, req.Storage, key)
 		if err != nil {
+			// If we are returning a readonly error it means we are attempting
+			// to write the policy for the first time. This means no data exists
+			// yet and we can safely return false here.
+			if strings.Contains(err.Error(), logical.ErrReadOnly.Error()) {
+				return false, nil
+			}
+
 			return false, err
 		}
 

vendor/github.com/hashicorp/vault-plugin-secrets-kv/upgrade.go

@@ -11,10 +11,8 @@ import (
 
 	"github.com/golang/protobuf/proto"
 	"github.com/golang/protobuf/ptypes"
-	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/consts"
-	"github.com/hashicorp/vault/sdk/helper/keysutil"
 	"github.com/hashicorp/vault/sdk/helper/locksutil"
 	"github.com/hashicorp/vault/sdk/helper/pluginutil"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -65,22 +63,7 @@ func (b *versionedKVBackend) upgradeDone(ctx context.Context, s logical.Storage)
 		}
 	}
 
-	if !upgradeInfo.Done {
-		return false, nil
-	}
-
-	// Also make sure the policy is found. This is created on first call to
-	// policy() but if that happens to be a secondary you get a readonly
-	// storage error -- not nice UX.
-	policy, err := keysutil.LoadPolicy(ctx, s, path.Join(b.storagePrefix, "policy/metadata"))
-	if err != nil {
-		return false, err
-	}
-	if policy == nil {
-		return false, nil
-	}
-
-	return true, nil
+	return upgradeInfo.Done, nil
 }
 
 func (b *versionedKVBackend) Upgrade(ctx context.Context, s logical.Storage) error {
@@ -135,30 +118,7 @@ func (b *versionedKVBackend) Upgrade(ctx context.Context, s logical.Storage) err
 		return nil
 	}
 
-	// See if we're already done, in which case we just need to ensure the
-	// policy was created
-	upgradeEntry, err := s.Get(ctx, path.Join(b.storagePrefix, "upgrading"))
-	if err != nil {
-		return err
-	}
-
-	upgradeInfo := new(UpgradeInfo)
-	if upgradeEntry != nil {
-		err := proto.Unmarshal(upgradeEntry.Value, upgradeInfo)
-		if err != nil {
-			return err
-		}
-	}
-
-	if upgradeInfo.Done {
-		// Just synchronously call policy
-		if _, err = b.policy(ctx, s); err != nil {
-			return errwrap.Wrapf("upgrade done but error checking/creating policy: {{err}}", err)
-		}
-		return nil
-	}
-
-	upgradeInfo = &UpgradeInfo{
+	upgradeInfo := &UpgradeInfo{
 		StartedTime: ptypes.TimestampNow(),
 	}
 

vendor/github.com/hashicorp/vault/sdk/version/version_base.go

@@ -8,7 +8,7 @@ var (
 	// Whether cgo is enabled or not; set at build time
 	CgoEnabled bool
 
-	Version           = "1.1.1"
+	Version           = "1.1.2"
 	VersionPrerelease = ""
 	VersionMetadata   = ""
 )

vendor/modules.txt

@@ -344,7 +344,7 @@ github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil
 github.com/hashicorp/vault-plugin-secrets-gcp/plugin/util
 # github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.1
 github.com/hashicorp/vault-plugin-secrets-gcpkms
-# github.com/hashicorp/vault-plugin-secrets-kv v0.5.1
+# github.com/hashicorp/vault-plugin-secrets-kv v0.5.2-0.20190416155133-fd495225dea0
 github.com/hashicorp/vault-plugin-secrets-kv
 # github.com/hashicorp/vault/api v1.0.1 => ./api
 github.com/hashicorp/vault/api

website/config.rb

@@ -6,7 +6,7 @@ use ReshapeMiddleware, component_file: "assets/reshape.js"
 
 activate :hashicorp do |h|
   h.name         = "vault"
-  h.version      = "1.1.1"
+  h.version      = "1.1.2"
   h.github_slug  = "hashicorp/vault"
   h.website_root = "website"
   h.releases_enabled = true