Prep for 0.9.2

2018-01-26 13:46:11 -05:00 · 2018-01-26 13:46:11 -05:00 · f3d1e8170b
parent 063f5a982b
commit f3d1e8170b
5 changed files with 59 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,4 +1,20 @@
-## 0.9.2 (Unreleased)
+## 0.9.2 (January 26th, 2018)
+
+SECURITY:
+
+ * Okta Auth Backend: While the Okta auth backend was successfully verifying
+   usernames and passwords, it was not checking the returned state of the
+   account, so accounts that had been marked locked out could still be used to
+   log in. Only accounts in SUCCESS or PASSWORD_WARN states are now allowed.
+ * Periodic Tokens: A regression in 0.9.1 meant that periodic tokens created by
+   the AppRole, AWS, and Cert auth backends would expire when the max TTL for
+   the backend/mount/system was hit instead of their stated behavior of living
+   as long as they are renewed. This is now fixed; existing tokens do not have
+   to be reissued as this was purely a regression in the renewal logic.
+ * Seal Wrapping: During certain replication states values written marked for
+   seal wrapping may not be wrapped on the secondaries. This has been fixed,
+   and existing values will be wrapped on next read or write. This does not
+   affect the barrier keys.

 DEPRECATIONS/CHANGES:

@ -63,6 +79,7 @@ BUG FIXES:
   TTL value [GH-3803]
 * auth/aws: Fix error returned if `bound_iam_principal_arn` was given to an
   existing role update [GH-3843]
+ * core/sealwrap: Speed improvements and bug fixes (Enterprise)
 * identity: Delete group alias when an external group is deleted [GH-3773]
 * legacymfa/duo: Fix intermittent panic when Duo could not be reached
   [GH-2030]
--- a/builtin/credential/okta/backend.go
+++ b/builtin/credential/okta/backend.go
@ -72,6 +72,7 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri

 	type authResult struct {
 		Embedded embeddedResult `json:"_embedded"`
+		Status   string         `json:"status"`
 	}

 	authReq, err := client.NewRequest("POST", "authn", map[string]interface{}{
@ -95,6 +96,43 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
 		Data: map[string]interface{}{},
 	}

+	// If lockout failures are not configured to be hidden, the status needs to
+	// be inspected for LOCKED_OUT status. Otherwise, it is handled above by an
+	// error returned during the authentication request.
+	switch result.Status {
+	case "LOCKED_OUT":
+		if b.Logger().IsDebug() {
+			b.Logger().Debug("auth/okta: user is locked out", "user", username)
+		}
+		return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
+
+	case "PASSWORD_EXPIRED":
+		if b.Logger().IsDebug() {
+			b.Logger().Debug("auth/okta: password is expired", "user", username)
+		}
+		return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
+
+	case "PASSWORD_WARN":
+		oktaResponse.AddWarning("Your Okta password is in warning state and needs to be changed soon.")
+
+	case "SUCCESS":
+		// Do nothing here
+
+	default:
+		if b.Logger().IsDebug() {
+			b.Logger().Debug("auth/okta: unhandled result status", "status", result.Status)
+		}
+		return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
+	}
+
+	// Verify result status again in case a switch case above modifies result
+	if result.Status != "SUCCESS" && result.Status != "PASSWORD_WARN" {
+		if b.Logger().IsDebug() {
+			b.Logger().Debug("auth/okta: authentication returned a non-success status", "status", result.Status)
+		}
+		return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
+	}
+
 	var allGroups []string
 	// Only query the Okta API for group membership if we have a token
 	if cfg.Token != "" {
--- a/terraform/aws/variables.tf
+++ b/terraform/aws/variables.tf
@ -3,7 +3,7 @@
 //-------------------------------------------------------------------

 variable "download-url" {
-    default = "https://releases.hashicorp.com/vault/0.9.1/vault_0.9.1_linux_amd64.zip"
+    default = "https://releases.hashicorp.com/vault/0.9.2/vault_0.9.2_linux_amd64.zip"
    description = "URL to download Vault"
 }

--- a/version/version_base.go
+++ b/version/version_base.go
@ -2,7 +2,7 @@ package version

 func init() {
 	// The main version number that is being run at the moment.
-	Version = "0.9.1"
+	Version = "0.9.2"

 	// A pre-release marker for the version. If this is "" (empty string)
 	// then it means that it is a final release. Otherwise, this is a pre-release
--- a/website/config.rb
+++ b/website/config.rb
@ -2,7 +2,7 @@ set :base_url, "https://www.vaultproject.io/"

 activate :hashicorp do |h|
  h.name         = "vault"
-  h.version      = "0.9.1"
+  h.version      = "0.9.2"
  h.github_slug  = "hashicorp/vault"
  h.website_root = "website"
 end