Update plugins

go.mod

@@ -74,15 +74,15 @@ require (
 	github.com/hashicorp/vault-plugin-auth-azure v0.5.2-0.20190814210035-08e00d801115
 	github.com/hashicorp/vault-plugin-auth-centrify v0.5.2-0.20190814210042-090ec2ed93ce
 	github.com/hashicorp/vault-plugin-auth-cf v0.0.0-20190821162840-1c2205826fee
-	github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190814210049-1ccb3dc10102
+	github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190930204802-acfd134850c2
 	github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20191010173058-65cf93bad3f2
-	github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190826163451-8461c66275a9
+	github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190925162726-2e5b0b8184e6
 	github.com/hashicorp/vault-plugin-auth-oci v0.0.0-20190904175623-97c0c0187c5c
 	github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190814210117-e079e01fbb93
 	github.com/hashicorp/vault-plugin-secrets-ad v0.6.1-0.20191108162300-8f4121d78b9c
 	github.com/hashicorp/vault-plugin-secrets-alicloud v0.5.2-0.20190814210129-4d18bec92f56
 	github.com/hashicorp/vault-plugin-secrets-azure v0.5.2
-	github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190814210141-d2086ff79b04
+	github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190926185807-2bf1d3b105ac
 	github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.2-0.20190814210149-315cdbf5de6e
 	github.com/hashicorp/vault-plugin-secrets-kv v0.5.2-0.20191017213228-e8cf7060a4d0
 	github.com/hashicorp/vault/api v1.0.5-0.20191108163347-bdd38fca2cff
@@ -95,6 +95,7 @@ require (
 	github.com/joyent/triton-go v0.0.0-20190112182421-51ffac552869
 	github.com/keybase/go-crypto v0.0.0-20190403132359-d65b6b94177f
 	github.com/kr/pretty v0.1.0
+	github.com/kr/pty v1.1.3 // indirect
 	github.com/kr/text v0.1.0
 	github.com/lib/pq v1.2.0
 	github.com/mattn/go-colorable v0.1.2

go.sum

@@ -369,10 +369,14 @@ github.com/hashicorp/vault-plugin-auth-gcp v0.5.1 h1:8DR00s+Wmc21i3sfzvsqW88VMdf
 github.com/hashicorp/vault-plugin-auth-gcp v0.5.1/go.mod h1:eLj92eX8MPI4vY1jaazVLF2sVbSAJ3LRHLRhF/pUmlI=
 github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190814210049-1ccb3dc10102 h1:RTHVdxCDwxTq/4zZFkV+b8zexkSU5EOXkY2D/kAvyFU=
 github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190814210049-1ccb3dc10102/go.mod h1:j0hMnnTD44zXGQhLM1jarYDaTmSp6OPiOzgFQ6mNgzc=
+github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190930204802-acfd134850c2 h1:gtpqHauSoJCxZStLVWKMQcsdW61EewJSoegMrZLQ/GU=
+github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190930204802-acfd134850c2/go.mod h1:j0hMnnTD44zXGQhLM1jarYDaTmSp6OPiOzgFQ6mNgzc=
 github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20191010173058-65cf93bad3f2 h1:Oi9HO9/JItId2XYLEoTIW9Wcfg5sblxxO5Nr7ln1jnk=
 github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20191010173058-65cf93bad3f2/go.mod h1:Ti2NPndKhSGpSL6gWg11n7TkmuI7318BIPeojayIVRU=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190826163451-8461c66275a9 h1:PjbIf3mlPBJopQSJstQAhVbdGTVZ/W35RZtm/GCOTUs=
 github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190826163451-8461c66275a9/go.mod h1:qkrONCr71ckSCTItJQ1j9uet/faieZJ5c7+GZugTm7s=
+github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190925162726-2e5b0b8184e6 h1:WgxwYXCuZJtU/oIDah4A99+MuqzzL/oGQu9421IYZ6M=
+github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190925162726-2e5b0b8184e6/go.mod h1:qkrONCr71ckSCTItJQ1j9uet/faieZJ5c7+GZugTm7s=
 github.com/hashicorp/vault-plugin-auth-oci v0.0.0-20190904175623-97c0c0187c5c h1:z6LQZvs1OtoVy2XgbgNhiDgp0U62Xbstn7/cgNZvh6g=
 github.com/hashicorp/vault-plugin-auth-oci v0.0.0-20190904175623-97c0c0187c5c/go.mod h1:YAl51RsYRihPbSdnug1NsvutzbRVfrZ12FjEIvSiOTs=
 github.com/hashicorp/vault-plugin-database-elasticsearch v0.0.0-20190814210117-e079e01fbb93 h1:kXTV1ImOPgDGZxAlbEQfiXgnZY/34vfgnZVhI/tscmg=
@@ -385,6 +389,8 @@ github.com/hashicorp/vault-plugin-secrets-azure v0.5.2 h1:8Jz4kl0D4+DPpP13jbIrys
 github.com/hashicorp/vault-plugin-secrets-azure v0.5.2/go.mod h1:SBc53adxMmf+o8zqRbqYvq+nuSrz8OHYmgmPfxVMJEo=
 github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190814210141-d2086ff79b04 h1:2FLjwVqpWueSoxaNdcC2Za7RX8FNp8Xt8pF/03dinV4=
 github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190814210141-d2086ff79b04/go.mod h1:Sc+ba3kscakE5a/pi8JJhWvXWok3cpt1P77DApmUuDc=
+github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190926185807-2bf1d3b105ac h1:ULcFIOOFykOSrJvY3yWqDLsgcj/SuUqhY7aZ5yQ7rkM=
+github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190926185807-2bf1d3b105ac/go.mod h1:Sc+ba3kscakE5a/pi8JJhWvXWok3cpt1P77DApmUuDc=
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.2-0.20190814210149-315cdbf5de6e h1:RjQBOFneGwxhHsymNtbEUJXAjMO74GlZcmUrGqJnYxY=
 github.com/hashicorp/vault-plugin-secrets-gcpkms v0.5.2-0.20190814210149-315cdbf5de6e/go.mod h1:5prAHuCcBiyv+xfGBviTVYeDQUhmQYN7WrxC2gMRWeQ=
 github.com/hashicorp/vault-plugin-secrets-kv v0.5.2-0.20191017213228-e8cf7060a4d0 h1:w4qR/yfqWOYmncR1HK1CVU7iHkqgcf0USWtbp/fTHM4=

vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/authorizer_client_gcp.go

@@ -3,7 +3,9 @@ package gcpauth
 import (
 	"context"
 	"fmt"
+	"strings"
 
+	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"google.golang.org/api/compute/v1"
 	"google.golang.org/api/iam/v1"
@@ -15,6 +17,7 @@ var _ client = (*gcpClient)(nil)
 // abstracted as an interface for stubbing during testing. See stubbedClient for
 // more details.
 type gcpClient struct {
+	logger     log.Logger
 	computeSvc *compute.Service
 	iamSvc     *iam.Service
 }
@@ -28,6 +31,13 @@ func (c *gcpClient) InstanceGroups(ctx context.Context, project string, boundIns
 		Fields("items/*/instanceGroups/name").
 		Pages(ctx, func(l *compute.InstanceGroupAggregatedList) error {
 			for k, v := range l.Items {
+				// Some groups returned are regional
+				// TODO(emilymye, #73): Support regions?
+				if strings.Contains(k, "/regions/") {
+					c.logger.Debug("ignoring instance groups under region in instance group aggregated list", "key", k)
+					continue
+				}
+
 				zone, err := zoneFromSelfLink(k)
 				if err != nil {
 					return err

vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_login.go

@@ -663,6 +663,7 @@ func (b *GcpAuthBackend) authorizeGCEInstance(ctx context.Context, project strin
 
 	return AuthorizeGCE(ctx, &AuthorizeGCEInput{
 		client: &gcpClient{
+			logger:     b.Logger(),
 			computeSvc: computeClient,
 			iamSvc:     iamClient,
 		},

vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/token_review.go

@@ -73,7 +73,7 @@ func (t *tokenReviewAPI) Review(jwt string) (*tokenReviewResult, error) {
 	}
 
 	// Build the request to the token review API
-	url := fmt.Sprintf("%s/apis/authentication.k8s.io/v1/tokenreviews", t.config.Host)
+	url := fmt.Sprintf("%s/apis/authentication.k8s.io/v1/tokenreviews", strings.TrimSuffix(t.config.Host, "/"))
 	req, err := http.NewRequest("POST", url, bytes.NewBuffer(trJSON))
 	if err != nil {
 		return nil, err
@@ -152,7 +152,7 @@ func parseResponse(resp *http.Response) (*authv1.TokenReview, error) {
 		return nil, kubeerrors.NewGenericServerResponse(resp.StatusCode, "POST", schema.GroupResource{}, "", strings.TrimSpace(string(body)), 0, true)
 	}
 
-	// If we can succesfully Unmarshal into a status object that means there is
+	// If we can successfully Unmarshal into a status object that means there is
 	// an error to return
 	errStatus := &metav1.Status{}
 	err = json.Unmarshal(body, errStatus)

vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/backend.go

@@ -17,6 +17,7 @@ import (
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/iam/v1"
+	"google.golang.org/api/option"
 )
 
 const (
@@ -85,15 +86,15 @@ func Backend() *backend {
 	return b
 }
 
-// IAMClient returns a new IAM client. The client is cached.
+// IAMAdminClient returns a new IAM client. The client is cached.
-func (b *backend) IAMClient(s logical.Storage) (*iam.Service, error) {
+func (b *backend) IAMAdminClient(s logical.Storage) (*iam.Service, error) {
 	httpClient, err := b.HTTPClient(s)
 	if err != nil {
 		return nil, errwrap.Wrapf("failed to create IAM HTTP client: {{err}}", err)
 	}
 
 	client, err := b.cache.Fetch("iam", cacheTime, func() (interface{}, error) {
-		client, err := iam.New(httpClient)
+		client, err := iam.NewService(context.Background(), option.WithHTTPClient(httpClient))
 		if err != nil {
 			return nil, errwrap.Wrapf("failed to create IAM client: {{err}}", err)
 		}

vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/path_config.go

@@ -28,9 +28,13 @@ func pathConfig(b *backend) *framework.Path {
 			},
 		},
 
-		Callbacks: map[logical.Operation]framework.OperationFunc{
+		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.ReadOperation:   b.pathConfigRead,
+			logical.ReadOperation: &framework.PathOperation{
-			logical.UpdateOperation: b.pathConfigWrite,
+				Callback: b.pathConfigRead,
+			},
+			logical.UpdateOperation: &framework.PathOperation{
+				Callback: b.pathConfigWrite,
+			},
 		},
 
 		HelpSynopsis:    pathConfigHelpSyn,

vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/path_role_set.go

@@ -12,6 +12,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/useragent"
 	"github.com/hashicorp/vault/sdk/logical"
 	"google.golang.org/api/iam/v1"
+	"google.golang.org/api/option"
 )
 
 const (
@@ -46,11 +47,19 @@ func pathsRoleSet(b *backend) []*framework.Path {
 				},
 			},
 			ExistenceCheck: b.pathRoleSetExistenceCheck,
-			Callbacks: map[logical.Operation]framework.OperationFunc{
+			Operations: map[logical.Operation]framework.OperationHandler{
-				logical.DeleteOperation: b.pathRoleSetDelete,
+				logical.DeleteOperation: &framework.PathOperation{
-				logical.ReadOperation:   b.pathRoleSetRead,
+					Callback: b.pathRoleSetDelete,
-				logical.CreateOperation: b.pathRoleSetCreateUpdate,
+				},
-				logical.UpdateOperation: b.pathRoleSetCreateUpdate,
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.pathRoleSetRead,
+				},
+				logical.CreateOperation: &framework.PathOperation{
+					Callback: b.pathRoleSetCreateUpdate,
+				},
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.pathRoleSetCreateUpdate,
+				},
 			},
 			HelpSynopsis:    pathRoleSetHelpSyn,
 			HelpDescription: pathRoleSetHelpDesc,
@@ -65,8 +74,10 @@ func pathsRoleSet(b *backend) []*framework.Path {
 				},
 			},
 			ExistenceCheck: b.pathRoleSetExistenceCheck,
-			Callbacks: map[logical.Operation]framework.OperationFunc{
+			Operations: map[logical.Operation]framework.OperationHandler{
-				logical.UpdateOperation: b.pathRoleSetRotateAccount,
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.pathRoleSetRotateAccount,
+				},
 			},
 			HelpSynopsis:    pathRoleSetRotateHelpSyn,
 			HelpDescription: pathRoleSetRotateHelpDesc,
@@ -81,8 +92,10 @@ func pathsRoleSet(b *backend) []*framework.Path {
 				},
 			},
 			ExistenceCheck: b.pathRoleSetExistenceCheck,
-			Callbacks: map[logical.Operation]framework.OperationFunc{
+			Operations: map[logical.Operation]framework.OperationHandler{
-				logical.UpdateOperation: b.pathRoleSetRotateKey,
+				logical.UpdateOperation: &framework.PathOperation{
+					Callback: b.pathRoleSetRotateKey,
+				},
 			},
 			HelpSynopsis:    pathRoleSetRotateKeyHelpSyn,
 			HelpDescription: pathRoleSetRotateKeyHelpDesc,
@@ -90,8 +103,10 @@ func pathsRoleSet(b *backend) []*framework.Path {
 		// Paths for listing role sets
 		{
 			Pattern: "rolesets/?",
-			Callbacks: map[logical.Operation]framework.OperationFunc{
+			Operations: map[logical.Operation]framework.OperationHandler{
-				logical.ListOperation: b.pathRoleSetList,
+				logical.ListOperation: &framework.PathOperation{
+					Callback: b.pathRoleSetList,
+				},
 			},
 
 			HelpSynopsis:    pathListRoleSetHelpSyn,
@@ -99,8 +114,10 @@ func pathsRoleSet(b *backend) []*framework.Path {
 		},
 		{
 			Pattern: "roleset/?",
-			Callbacks: map[logical.Operation]framework.OperationFunc{
+			Operations: map[logical.Operation]framework.OperationHandler{
-				logical.ListOperation: b.pathRoleSetList,
+				logical.ListOperation: &framework.PathOperation{
+					Callback: b.pathRoleSetList,
+				},
 			},
 
 			HelpSynopsis:    pathListRoleSetHelpSyn,
@@ -217,7 +234,7 @@ func (b *backend) pathRoleSetDelete(ctx context.Context, req *logical.Request, d
 		return nil, err
 	}
 
-	iamAdmin, err := iam.New(httpC)
+	iamAdmin, err := iam.NewService(ctx, option.WithHTTPClient(httpC))
 	if err != nil {
 		return nil, err
 	}

vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/role_set.go

@@ -132,7 +132,7 @@ func (b *backend) saveRoleSetWithNewAccount(ctx context.Context, s logical.Stora
 		return nil, err
 	}
 
-	iamAdmin, err := b.IAMClient(s)
+	iamAdmin, err := b.IAMAdminClient(s)
 	if err != nil {
 		return nil, err
 	}
@@ -217,7 +217,7 @@ func (b *backend) saveRoleSetWithNewTokenKey(ctx context.Context, s logical.Stor
 		return "", fmt.Errorf("a key is not saved or used for non-access-token role set '%s'", rs.Name)
 	}
 
-	iamAdmin, err := b.IAMClient(s)
+	iamAdmin, err := b.IAMAdminClient(s)
 	if err != nil {
 		return "", err
 	}

vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/rollback.go

@@ -76,7 +76,7 @@ func (b *backend) serviceAccountRollback(ctx context.Context, req *logical.Reque
 	}
 
 	// Delete service account.
-	iamC, err := b.IAMClient(req.Storage)
+	iamC, err := b.IAMAdminClient(req.Storage)
 	if err != nil {
 		return err
 	}
@@ -104,7 +104,7 @@ func (b *backend) serviceAccountKeyRollback(ctx context.Context, req *logical.Re
 		return nil
 	}
 
-	iamC, err := b.IAMClient(req.Storage)
+	iamC, err := b.IAMAdminClient(req.Storage)
 	if err != nil {
 		return err
 	}
@@ -273,7 +273,7 @@ func isGoogleAccountKeyNotFoundErr(err error) bool {
 	return isGoogleApiErrorWithCodes(err, 403, 404)
 }
 
-func isGoogleApiErrorWithCodes(err error, validErrCodes... int) bool {
+func isGoogleApiErrorWithCodes(err error, validErrCodes ...int) bool {
 	if err == nil {
 		return false
 	}

vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/secrets_access_token.go

@@ -23,9 +23,9 @@ func pathSecretAccessToken(b *backend) *framework.Path {
 			},
 		},
 		ExistenceCheck: b.pathRoleSetExistenceCheck,
-		Callbacks: map[logical.Operation]framework.OperationFunc{
+		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.ReadOperation:   b.pathAccessToken,
+			logical.ReadOperation:   &framework.PathOperation{Callback: b.pathAccessToken},
-			logical.UpdateOperation: b.pathAccessToken,
+			logical.UpdateOperation: &framework.PathOperation{Callback: b.pathAccessToken},
 		},
 		HelpSynopsis:    pathTokenHelpSyn,
 		HelpDescription: pathTokenHelpDesc,

vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/secrets_service_account_key.go

@@ -59,9 +59,9 @@ func pathSecretServiceAccountKey(b *backend) *framework.Path {
 			},
 		},
 		ExistenceCheck: b.pathRoleSetExistenceCheck,
-		Callbacks: map[logical.Operation]framework.OperationFunc{
+		Operations: map[logical.Operation]framework.OperationHandler{
-			logical.ReadOperation:   b.pathServiceAccountKey,
+			logical.ReadOperation:   &framework.PathOperation{Callback: b.pathServiceAccountKey},
-			logical.UpdateOperation: b.pathServiceAccountKey,
+			logical.UpdateOperation: &framework.PathOperation{Callback: b.pathServiceAccountKey},
 		},
 		HelpSynopsis:    pathServiceAccountKeySyn,
 		HelpDescription: pathServiceAccountKeyDesc,
@@ -138,7 +138,7 @@ func (b *backend) verifySecretServiceKeyExists(ctx context.Context, req *logical
 	}
 
 	// Verify service account key still exists.
-	iamAdmin, err := b.IAMClient(req.Storage)
+	iamAdmin, err := b.IAMAdminClient(req.Storage)
 	if err != nil {
 		return logical.ErrorResponse("could not confirm key still exists in GCP"), nil
 	}
@@ -154,7 +154,7 @@ func (b *backend) secretKeyRevoke(ctx context.Context, req *logical.Request, d *
 		return nil, fmt.Errorf("secret is missing key_name internal data")
 	}
 
-	iamAdmin, err := b.IAMClient(req.Storage)
+	iamAdmin, err := b.IAMAdminClient(req.Storage)
 	if err != nil {
 		return logical.ErrorResponse(err.Error()), nil
 	}
@@ -176,7 +176,7 @@ func (b *backend) getSecretKey(ctx context.Context, s logical.Storage, rs *RoleS
 		cfg = &config{}
 	}
 
-	iamC, err := b.IAMClient(s)
+	iamC, err := b.IAMAdminClient(s)
 	if err != nil {
 		return nil, errwrap.Wrapf("could not create IAM Admin client: {{err}}", err)
 	}

vendor/modules.txt

@@ -372,12 +372,12 @@ github.com/hashicorp/vault-plugin-auth-cf/models
 github.com/hashicorp/vault-plugin-auth-cf/util
 github.com/hashicorp/vault-plugin-auth-cf/testing/certificates
 github.com/hashicorp/vault-plugin-auth-cf/testing/cf
-# github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190814210049-1ccb3dc10102
+# github.com/hashicorp/vault-plugin-auth-gcp v0.5.2-0.20190930204802-acfd134850c2
 github.com/hashicorp/vault-plugin-auth-gcp/plugin
 github.com/hashicorp/vault-plugin-auth-gcp/plugin/cache
 # github.com/hashicorp/vault-plugin-auth-jwt v0.5.2-0.20191010173058-65cf93bad3f2
 github.com/hashicorp/vault-plugin-auth-jwt
-# github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190826163451-8461c66275a9
+# github.com/hashicorp/vault-plugin-auth-kubernetes v0.5.2-0.20190925162726-2e5b0b8184e6
 github.com/hashicorp/vault-plugin-auth-kubernetes
 # github.com/hashicorp/vault-plugin-auth-oci v0.0.0-20190904175623-97c0c0187c5c
 github.com/hashicorp/vault-plugin-auth-oci
@@ -392,7 +392,7 @@ github.com/hashicorp/vault-plugin-secrets-alicloud
 github.com/hashicorp/vault-plugin-secrets-alicloud/clients
 # github.com/hashicorp/vault-plugin-secrets-azure v0.5.2
 github.com/hashicorp/vault-plugin-secrets-azure
-# github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190814210141-d2086ff79b04
+# github.com/hashicorp/vault-plugin-secrets-gcp v0.5.3-0.20190926185807-2bf1d3b105ac
 github.com/hashicorp/vault-plugin-secrets-gcp/plugin
 github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil
 github.com/hashicorp/vault-plugin-secrets-gcp/plugin/util