Merge branch 'master-oss' into pr-2495

This commit is contained in:
Jeff Mitchell 2017-03-17 13:40:58 -04:00
commit d2e9e0b873
10 changed files with 82 additions and 63 deletions

View file

@ -1,4 +1,12 @@
## 0.7.0 (Unreleased)
## 0.7.0 (Early Access; final release March 21th, 2017)
SECURITY:
* Common name not being validated when `exclude_cn_from_sans` option used in
`pki` backend: When using a role in the `pki` backend that specified the
`exclude_cn_from_sans` option, the common name would not then be properly
validated against the role's constraints. This has been fixed. We recommend
any users of this feature to upgrade to 0.7 as soon as feasible.
DEPRECATIONS/CHANGES:

View file

@ -217,7 +217,7 @@ func fetchCertBySerial(req *logical.Request, prefix, serial string) (*logical.St
// Given a set of requested names for a certificate, verifies that all of them
// match the various toggles set in the role for controlling issuance.
// If one does not pass, it is returned in the string argument.
func validateNames(req *logical.Request, names []string, role *roleEntry) (string, error) {
func validateNames(req *logical.Request, names []string, role *roleEntry) string {
for _, name := range names {
sanitizedName := name
emailDomain := name
@ -233,7 +233,7 @@ func validateNames(req *logical.Request, names []string, role *roleEntry) (strin
if strings.Contains(name, "@") {
splitEmail := strings.Split(name, "@")
if len(splitEmail) != 2 {
return name, nil
return name
}
sanitizedName = splitEmail[1]
emailDomain = splitEmail[1]
@ -250,7 +250,7 @@ func validateNames(req *logical.Request, names []string, role *roleEntry) (strin
// Email addresses using wildcard domain names do not make sense
if isEmail && isWildcard {
return name, nil
return name
}
// AllowAnyName is checked after this because EnforceHostnames still
@ -259,7 +259,7 @@ func validateNames(req *logical.Request, names []string, role *roleEntry) (strin
// wildcard prefix.
if role.EnforceHostnames {
if !hostnameRegex.MatchString(sanitizedName) {
return name, nil
return name
}
}
@ -368,10 +368,10 @@ func validateNames(req *logical.Request, names []string, role *roleEntry) (strin
}
//panic(fmt.Sprintf("\nName is %s\nRole is\n%#v\n", name, role))
return name, nil
return name
}
return "", nil
return ""
}
func generateCert(b *backend,
@ -560,8 +560,10 @@ func generateCreationBundle(b *backend,
var err error
var ok bool
// Get the common name
// Read in names -- CN, DNS and email addresses
var cn string
dnsNames := []string{}
emailAddresses := []string{}
{
if csr != nil && role.UseCSRCommonName {
cn = csr.Subject.CommonName
@ -572,28 +574,7 @@ func generateCreationBundle(b *backend,
return nil, errutil.UserError{Err: `the common_name field is required, or must be provided in a CSR with "use_csr_common_name" set to true`}
}
}
}
// Set OU (organizationalUnit) values if specified in the role
ou := []string{}
{
if role.OU != "" {
ou = strutil.ParseDedupAndSortStrings(role.OU, ",")
}
}
// Set O (organization) values if specified in the role
organization := []string{}
{
if role.Organization != "" {
organization = strutil.ParseDedupAndSortStrings(role.Organization, ",")
}
}
// Read in alternate names -- DNS and email addresses
dnsNames := []string{}
emailAddresses := []string{}
{
if csr != nil && role.UseCSRSANs {
dnsNames = csr.DNSNames
emailAddresses = csr.EmailAddresses
@ -613,11 +594,10 @@ func generateCreationBundle(b *backend,
}
if csr == nil || !role.UseCSRSANs {
cnAltInt, ok := data.GetOk("alt_names")
cnAltRaw, ok := data.GetOk("alt_names")
if ok {
cnAlt := cnAltInt.(string)
if len(cnAlt) != 0 {
for _, v := range strings.Split(cnAlt, ",") {
cnAlt := strutil.ParseDedupAndSortStrings(cnAltRaw.(string), ",")
for _, v := range cnAlt {
if strings.Contains(v, "@") {
emailAddresses = append(emailAddresses, v)
} else {
@ -626,25 +606,26 @@ func generateCreationBundle(b *backend,
}
}
}
// Check the CN. This ensures that the CN is checked even if it's
// excluded from SANs.
badName := validateNames(req, []string{cn}, role)
if len(badName) != 0 {
return nil, errutil.UserError{Err: fmt.Sprintf(
"common name %s not allowed by this role", badName)}
}
// Check for bad email and/or DNS names
badName, err := validateNames(req, dnsNames, role)
badName = validateNames(req, dnsNames, role)
if len(badName) != 0 {
return nil, errutil.UserError{Err: fmt.Sprintf(
"name %s not allowed by this role", badName)}
} else if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf(
"error validating name %s: %s", badName, err)}
"subject alternate name %s not allowed by this role", badName)}
}
badName, err = validateNames(req, emailAddresses, role)
badName = validateNames(req, emailAddresses, role)
if len(badName) != 0 {
return nil, errutil.UserError{Err: fmt.Sprintf(
"email %s not allowed by this role", badName)}
} else if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf(
"error validating name %s: %s", badName, err)}
"email address %s not allowed by this role", badName)}
}
}
@ -680,6 +661,22 @@ func generateCreationBundle(b *backend,
}
}
// Set OU (organizationalUnit) values if specified in the role
ou := []string{}
{
if role.OU != "" {
ou = strutil.ParseDedupAndSortStrings(role.OU, ",")
}
}
// Set O (organization) values if specified in the role
organization := []string{}
{
if role.Organization != "" {
organization = strutil.ParseDedupAndSortStrings(role.Organization, ",")
}
}
// Get the TTL and very it against the max allowed
var ttlField string
var ttl time.Duration

View file

@ -3,7 +3,7 @@
//-------------------------------------------------------------------
variable "download-url" {
default = "https://releases.hashicorp.com/vault/0.6.5/vault_0.6.5_linux_amd64.zip"
default = "https://releases.hashicorp.com/vault/0.7.0/vault_0.7.0_linux_amd64.zip"
description = "URL to download Vault"
}

View file

@ -9,5 +9,5 @@ func init() {
// A pre-release marker for the version. If this is "" (empty string)
// then it means that it is a final release. Otherwise, this is a pre-release
// such as "dev" (in development), "beta", "rc1", etc.
VersionPrerelease = "beta1"
VersionPrerelease = ""
}

View file

@ -2,7 +2,7 @@ set :base_url, "https://www.vaultproject.io/"
activate :hashicorp do |h|
h.name = "vault"
h.version = "0.6.5"
h.version = "0.7.0"
h.github_slug = "hashicorp/vault"
h.website_root = "website"
end

View file

@ -12,4 +12,4 @@ description: |-
The `listener` stanza configures the addresses and ports on which Vault will
respond to requests. At this time, there is only one listener - [TCP][tcp].
[tcp]: /docs/configuration/listenger/tcp.html
[tcp]: /docs/configuration/listener/tcp.html

View file

@ -56,5 +56,5 @@ storage "gcs" {
```
[gcs]: https://cloud.google.com/storage/
[gcs-service-account]: (https://cloud.google.com/compute/docs/access/service-accounts
[gcs-service-account]: https://cloud.google.com/compute/docs/access/service-accounts
[gcs-private-key]: https://cloud.google.com/storage/docs/authentication#generating-a-private-key

View file

@ -14,5 +14,9 @@ guidance to do them safely.
The following guides are available:
* [Generate Root](/docs/guides/generate-root.html) - This guide covers how to
generate new root tokens using unseal keys.
* [Generate a Root Token](/docs/guides/generate-root.html) - This guide covers
how to generate new root tokens using unseal keys.
* [Setting Up and Managing Replication](/docs/guides/replication.html) - This
guide covers how to set up and manage Vault Replication, a part of Vault
Enterprise.

View file

@ -19,7 +19,11 @@ the [Vault Replication API documentation](/docs/http/system/replication.html)
### Activating the Primary
To activate the primary, run `vault write -f sys/replication/primary/enable`.
To activate the primary, run:
$ vault write -f sys/replication/primary/enable
There is currently one optional argument: `primary_cluster_addr`. This can be
used to override the cluster address that the primary advertises to the
@ -28,18 +32,24 @@ members of a single cluster and primary/secondary clusters.
### Fetching a Secondary Token
To fetch a secondary bootstrap token, run `vault write
sys/replication/primary/secondary-token id=<id>`.
To fetch a secondary bootstrap token, run:
The value for ID is opaque to Vault and can be any identifying value you want;
$ vault write sys/replication/primary/secondary-token id=<id>
The value for `id` is opaque to Vault and can be any identifying value you want;
this can be used later to revoke the secondary and will be listed when you read
replication status on the primary. You will get back a normal wrapped response,
except that the token will be a JWT instead of UUID-formatted random bytes.
### Activating a Secondary
To activate a secondary, run `vault write sys/replication/secondary/enable
token=<token>`.
To activate a secondary using the fetched token, run:
$ vault write sys/replication/secondary/enable token=<token>
You must provide the full token value. Be very careful when running this
command, as it will destroy all data currently stored in the secondary.

View file

@ -118,7 +118,7 @@
<a href="/docs/http/system/renew.html"><tt>/sys/renew</tt></a>
</li>
<li<%= sidebar_current("docs-http-system-replication") %>>
<a href="/docs/http/system/replication.html"><tt>/sys/replication</tt></a>
<a href="/docs/http/system/replication.html">/sys/replication</a>
</li>
<li<%= sidebar_current("docs-http-system-revoke/") %>>
<a href="/docs/http/system/revoke.html"><tt>/sys/revoke</tt></a>