Bump plugins and changelog

CHANGELOG.md

@@ -36,6 +36,7 @@ BUG FIXES:
  * core: Optimizations to remove some speed regressions due to the
    security-related changes in 0.10.2
  * secrets/database: Fix default MySQL root rotation statement [GH-4748]
+ * secrets/gcp: Fix renewal for GCP account keys
  * secrets/kv: Fix writing to the root of a KVv2 mount from `vault kv` commands
    incorrectly operating on a root+mount path instead of being an error
    [GH-4726]

vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_login.go

@@ -120,7 +120,7 @@ func (b *kubeAuthBackend) pathLogin() framework.OperationFunc {
 					"service_account_secret_name": serviceAccount.SecretName,
 					"role": roleName,
 				},
-				DisplayName: serviceAccount.Name,
+				DisplayName: fmt.Sprintf("%s:%s", serviceAccount.Namespace, serviceAccount.Name),
 				LeaseOptions: logical.LeaseOptions{
 					Renewable: true,
 					TTL:       role.TTL,

vendor/github.com/hashicorp/vault-plugin-secrets-ad/plugin/backend.go

@@ -32,6 +32,7 @@ func newBackend(client secretsClient) *backend {
 			adBackend.pathRoles(),
 			adBackend.pathListRoles(),
 			adBackend.pathCreds(),
+			adBackend.pathRotateCredentials(),
 		},
 		PathsSpecial: &logical.Paths{
 			SealWrapStorage: []string{
@@ -65,6 +66,7 @@ type secretsClient interface {
 	Get(conf *ldaputil.ConfigEntry, serviceAccountName string) (*client.Entry, error)
 	GetPasswordLastSet(conf *ldaputil.ConfigEntry, serviceAccountName string) (time.Time, error)
 	UpdatePassword(conf *ldaputil.ConfigEntry, serviceAccountName string, newPassword string) error
+	UpdateRootPassword(conf *ldaputil.ConfigEntry, bindDN string, newPassword string) error
 }
 
 const backendHelp = `

vendor/github.com/hashicorp/vault-plugin-secrets-ad/plugin/path_rotate_root_creds.go

@@ -0,0 +1,60 @@
+package plugin
+
+import (
+	"context"
+	"errors"
+	"github.com/hashicorp/vault-plugin-secrets-ad/plugin/util"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/logical/framework"
+)
+
+func (b *backend) pathRotateCredentials() *framework.Path {
+	return &framework.Path{
+		Pattern: "rotate-root",
+		Callbacks: map[logical.Operation]framework.OperationFunc{
+			logical.ReadOperation: b.pathRotateCredentialsUpdate,
+		},
+
+		HelpSynopsis:    pathRotateCredentialsUpdateHelpSyn,
+		HelpDescription: pathRotateCredentialsUpdateHelpDesc,
+	}
+}
+
+func (b *backend) pathRotateCredentialsUpdate(ctx context.Context, req *logical.Request, _ *framework.FieldData) (*logical.Response, error) {
+	engineConf, err := b.readConfig(ctx, req.Storage)
+	if err != nil {
+		return nil, err
+	}
+	if engineConf == nil {
+		return nil, errors.New("the config is currently unset")
+	}
+
+	newPassword, err := util.GeneratePassword(engineConf.PasswordConf.Formatter, engineConf.PasswordConf.Length)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := b.client.UpdateRootPassword(engineConf.ADConf, engineConf.ADConf.BindDN, newPassword); err != nil {
+		return nil, err
+	}
+
+	engineConf.ADConf.BindPassword = newPassword
+	entry, err := logical.StorageEntryJSON(configStorageKey, engineConf)
+	if err != nil {
+		return nil, err
+	}
+	if err := req.Storage.Put(ctx, entry); err != nil {
+		return nil, err
+	}
+
+	// Respond with a 204.
+	return nil, nil
+}
+
+const pathRotateCredentialsUpdateHelpSyn = `
+Request to rotate the root credentials.
+`
+
+const pathRotateCredentialsUpdateHelpDesc = `
+This path attempts to rotate the root credentials. 
+`

vendor/github.com/hashicorp/vault-plugin-secrets-ad/plugin/util/secrets_client.go

@@ -71,3 +71,10 @@ func (c *SecretsClient) UpdatePassword(conf *ldaputil.ConfigEntry, serviceAccoun
 	}
 	return c.adClient.UpdatePassword(conf, filters, newPassword)
 }
+
+func (c *SecretsClient) UpdateRootPassword(conf *ldaputil.ConfigEntry, bindDN string, newPassword string) error {
+	filters := map[*client.Field][]string{
+		client.FieldRegistry.DistinguishedName: {bindDN},
+	}
+	return c.adClient.UpdatePassword(conf, filters, newPassword)
+}

vendor/github.com/hashicorp/vault-plugin-secrets-gcp/plugin/secrets_service_account_key.go

@@ -90,10 +90,12 @@ func (b *backend) pathServiceAccountKey(ctx context.Context, req *logical.Reques
 
 func (b *backend) secretKeyRenew(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	resp, err := b.verifySecretServiceKeyExists(ctx, req)
-	if err != nil || resp != nil {
+	if err != nil {
 		return resp, err
 	}
-
+	if resp == nil {
+		resp = &logical.Response{}
+	}
 	cfg, err := getConfig(ctx, req.Storage)
 	if err != nil {
 		return nil, err
@@ -143,7 +145,7 @@ func (b *backend) verifySecretServiceKeyExists(ctx context.Context, req *logical
 	if k, err := iamAdmin.Projects.ServiceAccounts.Keys.Get(keyName.(string)).Do(); err != nil || k == nil {
 		return logical.ErrorResponse(fmt.Sprintf("could not confirm key still exists in GCP: %v", err)), nil
 	}
-	return &logical.Response{}, nil
+	return nil, nil
 }
 
 func secretKeyRevoke(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {

vendor/vendor.json

@@ -1321,46 +1321,46 @@
 			"revisionTime": "2018-04-08T01:06:05Z"
 		},
 		{
-			"checksumSHA1": "p5RZZr9+57AbEn0cJWofpxup66Q=",
+			"checksumSHA1": "WnypXIUMGbOz/oAfrA5E2veXQC8=",
 			"path": "github.com/hashicorp/vault-plugin-auth-kubernetes",
-			"revision": "8b146812410672dcf7c36b45762f4d3d3a6398b0",
-			"revisionTime": "2018-06-06T02:28:44Z"
+			"revision": "2e612c8cb9cce51bf2c4fbdb1c26ae4a9d06d8cb",
+			"revisionTime": "2018-06-18T15:34:39Z"
 		},
 		{
-			"checksumSHA1": "TXlbc4EPXue+Jz/HXl3NU5kEoUs=",
+			"checksumSHA1": "yb6NN3tJ3pfjrP8O4Y76jNa2SyA=",
 			"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin",
-			"revision": "28b22929498292a5fe2cc972d77e931f415e0786",
-			"revisionTime": "2018-06-06T02:34:28Z"
+			"revision": "5d57d386f7bbf8fc12e8e7fbfa2b361236cbe2ff",
+			"revisionTime": "2018-06-18T15:50:42Z"
 		},
 		{
 			"checksumSHA1": "w0TXZUy4HvuTrCxm32cVzkF3sEg=",
 			"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/client",
-			"revision": "28b22929498292a5fe2cc972d77e931f415e0786",
-			"revisionTime": "2018-06-06T02:34:28Z"
+			"revision": "5d57d386f7bbf8fc12e8e7fbfa2b361236cbe2ff",
+			"revisionTime": "2018-06-18T15:50:42Z"
 		},
 		{
-			"checksumSHA1": "f5N0jlhC8c2vq0zez81fezfas/o=",
+			"checksumSHA1": "CRXQJhgMU5iZfRiTLhbwlpRSTLk=",
 			"path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/util",
-			"revision": "28b22929498292a5fe2cc972d77e931f415e0786",
-			"revisionTime": "2018-06-06T02:34:28Z"
+			"revision": "5d57d386f7bbf8fc12e8e7fbfa2b361236cbe2ff",
+			"revisionTime": "2018-06-18T15:50:42Z"
 		},
 		{
-			"checksumSHA1": "X9XW3xqAeOQqDdeJKzeqOYHn4Wo=",
+			"checksumSHA1": "jOsVXVfsxCgGrUCnwmBMid9SM+Q=",
 			"path": "github.com/hashicorp/vault-plugin-secrets-gcp/plugin",
-			"revision": "19ce67943d4ba3d0dcda025d832e3a0c4da47d42",
-			"revisionTime": "2018-06-06T02:42:09Z"
+			"revision": "2a8aff9bbb8b3fafdfd64d3dc0f5bf6e747fe2f4",
+			"revisionTime": "2018-06-06T18:14:30Z"
 		},
 		{
 			"checksumSHA1": "Dmpy+AguiGWfVg43Me5HB3+eDsk=",
 			"path": "github.com/hashicorp/vault-plugin-secrets-gcp/plugin/iamutil",
-			"revision": "19ce67943d4ba3d0dcda025d832e3a0c4da47d42",
-			"revisionTime": "2018-06-06T02:42:09Z"
+			"revision": "2a8aff9bbb8b3fafdfd64d3dc0f5bf6e747fe2f4",
+			"revisionTime": "2018-06-06T18:14:30Z"
 		},
 		{
 			"checksumSHA1": "81kYL49zTBoj1NYczxB2Xbr2d6Y=",
 			"path": "github.com/hashicorp/vault-plugin-secrets-gcp/plugin/util",
-			"revision": "19ce67943d4ba3d0dcda025d832e3a0c4da47d42",
-			"revisionTime": "2018-06-06T02:42:09Z"
+			"revision": "2a8aff9bbb8b3fafdfd64d3dc0f5bf6e747fe2f4",
+			"revisionTime": "2018-06-06T18:14:30Z"
 		},
 		{
 			"checksumSHA1": "grTzIH3YAjsrME6m9IBXpS77W14=",