luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity

Prep for 0.9.2

This commit is contained in:
Jeff Mitchell 2018-01-26 13:46:11 -05:00
parent 063f5a982b
commit f3d1e8170b
5 changed files with 59 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
CHANGELOG.md
View File

@ -1,4 +1,20 @@
## 0.9.2 (Unreleased) ## 0.9.2 (January 26th, 2018)
SECURITY:
* Okta Auth Backend: While the Okta auth backend was successfully verifying
usernames and passwords, it was not checking the returned state of the
account, so accounts that had been marked locked out could still be used to
log in. Only accounts in SUCCESS or PASSWORD_WARN states are now allowed.
* Periodic Tokens: A regression in 0.9.1 meant that periodic tokens created by
the AppRole, AWS, and Cert auth backends would expire when the max TTL for
the backend/mount/system was hit instead of their stated behavior of living
as long as they are renewed. This is now fixed; existing tokens do not have
to be reissued as this was purely a regression in the renewal logic.
* Seal Wrapping: During certain replication states values written marked for
seal wrapping may not be wrapped on the secondaries. This has been fixed,
and existing values will be wrapped on next read or write. This does not
affect the barrier keys.
DEPRECATIONS/CHANGES: DEPRECATIONS/CHANGES:
@ -63,6 +79,7 @@ BUG FIXES:
TTL value [GH-3803] TTL value [GH-3803]
* auth/aws: Fix error returned if `bound_iam_principal_arn` was given to an * auth/aws: Fix error returned if `bound_iam_principal_arn` was given to an
existing role update [GH-3843] existing role update [GH-3843]
* core/sealwrap: Speed improvements and bug fixes (Enterprise)
* identity: Delete group alias when an external group is deleted [GH-3773] * identity: Delete group alias when an external group is deleted [GH-3773]
* legacymfa/duo: Fix intermittent panic when Duo could not be reached * legacymfa/duo: Fix intermittent panic when Duo could not be reached
[GH-2030] [GH-2030]

38
builtin/credential/okta/backend.go
View File

@ -72,6 +72,7 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
type authResult struct { type authResult struct {
Embedded embeddedResult `json:"_embedded"` Embedded embeddedResult `json:"_embedded"`
Status string `json:"status"`
} }
authReq, err := client.NewRequest("POST", "authn", map[string]interface{}{ authReq, err := client.NewRequest("POST", "authn", map[string]interface{}{
@ -95,6 +96,43 @@ func (b *backend) Login(ctx context.Context, req *logical.Request, username stri
Data: map[string]interface{}{}, Data: map[string]interface{}{},
} }
// If lockout failures are not configured to be hidden, the status needs to
// be inspected for LOCKED_OUT status. Otherwise, it is handled above by an
// error returned during the authentication request.
switch result.Status {
case "LOCKED_OUT":
if b.Logger().IsDebug() {
b.Logger().Debug("auth/okta: user is locked out", "user", username)
}
return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
case "PASSWORD_EXPIRED":
if b.Logger().IsDebug() {
b.Logger().Debug("auth/okta: password is expired", "user", username)
}
return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
case "PASSWORD_WARN":
oktaResponse.AddWarning("Your Okta password is in warning state and needs to be changed soon.")
case "SUCCESS":
// Do nothing here
default:
if b.Logger().IsDebug() {
b.Logger().Debug("auth/okta: unhandled result status", "status", result.Status)
}
return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
}
// Verify result status again in case a switch case above modifies result
if result.Status != "SUCCESS" && result.Status != "PASSWORD_WARN" {
if b.Logger().IsDebug() {
b.Logger().Debug("auth/okta: authentication returned a non-success status", "status", result.Status)
}
return nil, logical.ErrorResponse("okta authentication failed"), nil, nil
}
var allGroups []string var allGroups []string
// Only query the Okta API for group membership if we have a token // Only query the Okta API for group membership if we have a token
if cfg.Token != "" { if cfg.Token != "" {

2
terraform/aws/variables.tf
View File

@ -3,7 +3,7 @@
//------------------------------------------------------------------- //-------------------------------------------------------------------
variable "download-url" { variable "download-url" {
default = "https://releases.hashicorp.com/vault/0.9.1/vault_0.9.1_linux_amd64.zip" default = "https://releases.hashicorp.com/vault/0.9.2/vault_0.9.2_linux_amd64.zip"
description = "URL to download Vault" description = "URL to download Vault"
} }

2
version/version_base.go
View File

@ -2,7 +2,7 @@ package version
func init() { func init() {
// The main version number that is being run at the moment. // The main version number that is being run at the moment.
Version = "0.9.1" Version = "0.9.2"
// A pre-release marker for the version. If this is "" (empty string) // A pre-release marker for the version. If this is "" (empty string)
// then it means that it is a final release. Otherwise, this is a pre-release // then it means that it is a final release. Otherwise, this is a pre-release

2
website/config.rb
View File

@ -2,7 +2,7 @@ set :base_url, "https://www.vaultproject.io/"
activate :hashicorp do |h| activate :hashicorp do |h|
h.name = "vault" h.name = "vault"
h.version = "0.9.1" h.version = "0.9.2"
h.github_slug = "hashicorp/vault" h.github_slug = "hashicorp/vault"
h.website_root = "website" h.website_root = "website"
end end