merge from master
mjarmy committed Oct 8, 2019
2 parents 8ef0806 + 3415760 commit 61fa0fe
Showing 282 changed files with 33,192 additions and 433 deletions.
29 changes: 24 additions & 5 deletions CHANGELOG.md
Expand Up @@ -6,8 +6,13 @@ FEATURES:
[Stackdriver](https://cloud.google.com/stackdriver/). See the [configuration
documentation](https://www.vaultproject.io/docs/config/index.html) for
details. [GH-6957]
* Transit: Signing and verification is now supported with the P-384
(secp384r1) and P-521 (secp521r1) ECDSA curves [GH-7551]
* Transit: Encryption and decryption is now supported via AES128-GCM96
[GH-7555]

CHANGES:

* sys/seal-status now has a `storage_type` field denoting what type of storage
the cluster is configured to use

Expand All @@ -16,21 +21,35 @@ IMPROVEMENTS:
* auth/jwt: The redirect callback host may now be specified for CLI logins
[JWT-71]
* core: Exit ScanView if context has been cancelled [GH-7419]
* secrets/aws: The root config can now be read [GH-7245]
* storage/cassandra: Improve storage efficiency by eliminating unnecessary
copies of value data [GH-7199]
* replication (enterprise): Write-Ahead-Log entries will not duplicate the
data belonging to the encompassing physical entries of the transaction,
thereby improving the performance and storage capacity.
* secrets/aws: The root config can now be read [GH-7245]
* storage/azure: Add config parameter to Azure storage backend to allow
specifying the ARM endpoint [GH-7567]
* storage/cassandra: Improve storage efficiency by eliminating unnecessary
copies of value data [GH-7199]
* sys: Add a new `sys/host-info` endpoint for querying information about
the host [GH-7330]
* sys: Add a new set of endpoints under `sys/pprof/` that allows profiling
information to be extracted [GH-7473]

BUG FIXES:

* agent: Fix handling of gzipped responses [GH-7470]
* auth/gcp: Fix a bug where region information in instance groups names could
cause an authorization attempt to fail [GCP-74]
* cli: Fix a bug where a token of an unknown format (e.g. in ~/.vault-token)
could cause confusing error messages during `vault login` [GH-7508]
* identity: Add required field `response_types_supported` to identity token
`.well-known/openid-configuration` response [GH-7533]
* identity (enterprise): Fixed identity case sensitive loading in secondary
cluster [GH-7327]
* secrets/database: Fix bug in combined DB secrets engine that can result in
writes to static-roles endpoints timing out [GH-7518]
* ui: using the `wrapped_token` query param will work with `redirect_to` and
will automatically log in as intended [GH-7398]
* ui: Allow kv v2 secrets that are gated by Control Groups to be viewed in the UI [GH-7504]

## 1.2.3 (September 12, 2019)

Expand Down Expand Up @@ -269,13 +288,13 @@ BUG FIXES:
* namespaces: Fix a behavior (currently only known to be benign) where we
wouldn't delete policies through the official functions before wiping the
namespaces on deletion
* secrets/database: Escape username/password before using in connection URL
[GH-7089]
* secrets/pki: Forward revocation requests to active node when on a
performance standby [GH-7173]
* ui: Fix timestamp on some transit keys [GH-6827]
* ui: Show Entities and Groups in Side Navigation [GH-7138]
* ui: Ensure dropdown updates selected item on HTTP Request Metrics page
* secret/database: Escape username/password before using in connection URL
[GH-7089]

## 1.1.4/1.1.5 (July 25th/30th, 2019)

1 change: 1 addition & 0 deletions api/go.sum
Expand Up @@ -94,6 +94,7 @@ golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5h
golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e h1:nFYrTHrdrAOpShe27kaFHjsqYSEQ0KWqdWLu3xuZJts=
golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db h1:6/JqlYfC1CCaLnGceQTI+sDGhC9UBSPAsBqI0Gun6kU=
171 changes: 87 additions & 84 deletions builtin/logical/database/rotation.go
Expand Up @@ -127,112 +127,115 @@ type setCredentialsWAL struct {
// This method loops through the priority queue, popping the highest priority
// item until it encounters the first item that does not yet need rotation,
// based on the current time.
func (b *databaseBackend) rotateCredentials(ctx context.Context, s logical.Storage) error {
for {
// Quit rotating credentials if shutdown has started
select {
case <-ctx.Done():
return nil
default:
}
item, err := b.popFromRotationQueue()
if err != nil {
if err == queue.ErrEmpty {
return nil
}
return err
}
func (b *databaseBackend) rotateCredentials(ctx context.Context, s logical.Storage) {
for b.rotateCredential(ctx, s) {
}
}

// Guard against possible nil item
if item == nil {
return nil
func (b *databaseBackend) rotateCredential(ctx context.Context, s logical.Storage) bool {
// Quit rotating credentials if shutdown has started
select {
case <-ctx.Done():
return false
default:
}
item, err := b.popFromRotationQueue()
if err != nil {
if err != queue.ErrEmpty {
b.logger.Error("error popping item from queue", "err", err)
}
return false
}

// Grab the exclusive lock for this Role, to make sure we don't incur and
// writes during the rotation process
lock := locksutil.LockForKey(b.roleLocks, item.Key)
lock.Lock()
defer lock.Unlock()
// Guard against possible nil item
if item == nil {
return false
}

// Validate the role still exists
role, err := b.StaticRole(ctx, s, item.Key)
if err != nil {
b.logger.Error("unable to load role", "role", item.Key, "error", err)
item.Priority = time.Now().Add(10 * time.Second).Unix()
if err := b.pushItem(item); err != nil {
b.logger.Error("unable to push item on to queue", "error", err)
}
continue
}
if role == nil {
b.logger.Warn("role not found", "role", item.Key, "error", err)
continue
}
// Grab the exclusive lock for this Role, to make sure we don't incur and
// writes during the rotation process
lock := locksutil.LockForKey(b.roleLocks, item.Key)
lock.Lock()
defer lock.Unlock()

// If "now" is less than the Item priority, then this item does not need to
// be rotated
if time.Now().Unix() < item.Priority {
if err := b.pushItem(item); err != nil {
b.logger.Error("unable to push item on to queue", "error", err)
}
// Break out of the for loop
break
// Validate the role still exists
role, err := b.StaticRole(ctx, s, item.Key)
if err != nil {
b.logger.Error("unable to load role", "role", item.Key, "error", err)
item.Priority = time.Now().Add(10 * time.Second).Unix()
if err := b.pushItem(item); err != nil {
b.logger.Error("unable to push item on to queue", "error", err)
}
return true
}
if role == nil {
b.logger.Warn("role not found", "role", item.Key, "error", err)
return true
}

input := &setStaticAccountInput{
RoleName: item.Key,
Role: role,
// If "now" is less than the Item priority, then this item does not need to
// be rotated
if time.Now().Unix() < item.Priority {
if err := b.pushItem(item); err != nil {
b.logger.Error("unable to push item on to queue", "error", err)
}
// Break out of the for loop
return false
}

// If there is a WAL entry related to this Role, the corresponding WAL ID
// should be stored in the Item's Value field.
if walID, ok := item.Value.(string); ok {
walEntry, err := b.findStaticWAL(ctx, s, walID)
if err != nil {
b.logger.Error("error finding static WAL", "error", err)
item.Priority = time.Now().Add(10 * time.Second).Unix()
if err := b.pushItem(item); err != nil {
b.logger.Error("unable to push item on to queue", "error", err)
}
}
if walEntry != nil && walEntry.NewPassword != "" {
input.Password = walEntry.NewPassword
input.WALID = walID
}
}
input := &setStaticAccountInput{
RoleName: item.Key,
Role: role,
}

resp, err := b.setStaticAccount(ctx, s, input)
// If there is a WAL entry related to this Role, the corresponding WAL ID
// should be stored in the Item's Value field.
if walID, ok := item.Value.(string); ok {
walEntry, err := b.findStaticWAL(ctx, s, walID)
if err != nil {
b.logger.Error("unable to rotate credentials in periodic function", "error", err)
// Increment the priority enough so that the next call to this method
// likely will not attempt to rotate it, as a back-off of sorts
b.logger.Error("error finding static WAL", "error", err)
item.Priority = time.Now().Add(10 * time.Second).Unix()

// Preserve the WALID if it was returned
if resp != nil && resp.WALID != "" {
item.Value = resp.WALID
}

if err := b.pushItem(item); err != nil {
b.logger.Error("unable to push item on to queue", "error", err)
}
// Go to next item
continue
}
if walEntry != nil && walEntry.NewPassword != "" {
input.Password = walEntry.NewPassword
input.WALID = walID
}
}

lvr := resp.RotationTime
if lvr.IsZero() {
lvr = time.Now()
resp, err := b.setStaticAccount(ctx, s, input)
if err != nil {
b.logger.Error("unable to rotate credentials in periodic function", "error", err)
// Increment the priority enough so that the next call to this method
// likely will not attempt to rotate it, as a back-off of sorts
item.Priority = time.Now().Add(10 * time.Second).Unix()

// Preserve the WALID if it was returned
if resp != nil && resp.WALID != "" {
item.Value = resp.WALID
}

// Update priority and push updated Item to the queue
nextRotation := lvr.Add(role.StaticAccount.RotationPeriod)
item.Priority = nextRotation.Unix()
if err := b.pushItem(item); err != nil {
b.logger.Warn("unable to push item on to queue", "error", err)
b.logger.Error("unable to push item on to queue", "error", err)
}
// Go to next item
return true
}
return nil

lvr := resp.RotationTime
if lvr.IsZero() {
lvr = time.Now()
}

// Update priority and push updated Item to the queue
nextRotation := lvr.Add(role.StaticAccount.RotationPeriod)
item.Priority = nextRotation.Unix()
if err := b.pushItem(item); err != nil {
b.logger.Warn("unable to push item on to queue", "error", err)
}
return true
}

// findStaticWAL loads a WAL entry by ID. If found, only return the WAL if it
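Review bot: In the new `rotateCredential`, the `findStaticWAL` error branch logs, sets a 10-second back-off priority and pushes the item back onto the queue, but it does not return, so execution falls through into `setStaticAccount` and the same item is pushed a second time at the end of the function — the role is rotated even though its WAL could not be read, and the queue now holds (or rejects, depending on how `pushItem` treats an existing key, which is outside this hunk) a duplicate entry for that role. Add `return true` after the push in that branch, mirroring the `StaticRole` error path just above it, so the item is retried on the back-off schedule rather than rotated blindly. The `role == nil` branch also logs `"error", err` where `err` is necessarily nil at that point; the pair should be dropped: `b.logger.Warn("role not found", "role", item.Key)`. Both points predate this commit but the refactor carries them into the new per-item function unchanged.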
