
Merge branch 'master' into auto-to-shamir
vishalnayak authored Jan 17, 2020
2 parents edc946c + 981a856 commit 6561f46
Showing 63 changed files with 1,310 additions and 9,167 deletions.
6 changes: 5 additions & 1 deletion CHANGELOG.md
@@ -26,11 +26,14 @@ BUG FIXES:
* secrets/database/mysql: Fix issue where special characters for a MySQL password were encoded [GH-8040]
* ui: Update headless Chrome flag to fix `yarn run test:oss` [GH-8035]
* ui: Change `.box-radio` height to min-height to prevent overflow issues [GH-8065]
* ui: Fix OIDC callback to check storage [GH-7929].

## 1.3.2 (Unreleased)

BUG FIXES:
* auth/ldap: Fix renewal of tokens without cofigured policies that are
generated by an LDAP login [GH-8072]
* auth/okta: Fix renewal of tokens without configured policies that are
generated by an Okta login [GH-8072]
* replication: Fix issue where a forwarded request from a performance/standby node could run in
a timeout
* secrets/database: Fix issue where a manual static role rotation could potentially panic [GH-8098]
@@ -41,6 +44,7 @@ BUG FIXES:
* secrets/database/mysql: Fix issue where special characters for a MySQL password were encoded [GH-8040]
* ui: Fix deleting namespaces [GH-8132]
* ui: Fix Error handler on kv-secret edit and kv-secret view pages [GH-8133]
* ui: Fix OIDC callback to check storage [GH-7929].

## 1.3.1 (December 18th, 2019)

3 changes: 2 additions & 1 deletion builtin/credential/ldap/path_login.go
@@ -133,9 +133,10 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
password := req.Auth.InternalData["password"].(string)

loginPolicies, resp, groupNames, err := b.Login(ctx, req, username, password)
if len(loginPolicies) == 0 {
if err != nil || (resp != nil && resp.IsError()) {
return resp, err
}

finalPolicies := cfg.TokenPolicies
if len(loginPolicies) > 0 {
finalPolicies = append(finalPolicies, loginPolicies...)
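Review bot: The new guard treats a Login result with `err == nil` and `resp == nil` as a successful re-authentication, so whether a user who has since been removed from every LDAP group (or from the directory) can still renew now rests entirely on `b.Login` signalling denial through `err` or an error `resp` — worth confirming, because the old `len(loginPolicies) == 0` check caught that case as a side effect. If Login does guarantee that, a one-line comment on the new condition would spare the next reader the same trip: `// Login reports denial via err or an error resp; an empty policy list is valid for users who carry only cfg.TokenPolicies.` Two lines above the change, `req.Auth.InternalData["password"].(string)` is an unchecked assertion that panics on a token whose InternalData lacks the key; it predates this commit, but `password, ok := ...` with an error return on `!ok` is the safer shape for a renewal path. pathLoginRenew's body continues past the hunk, so the later comparison of finalPolicies against the existing token is not visible here.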
2 changes: 1 addition & 1 deletion builtin/credential/okta/path_login.go
Original file line number Diff line number Diff line change
@@ -118,7 +118,7 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
}

loginPolicies, resp, groupNames, err := b.Login(ctx, req, username, password)
if len(loginPolicies) == 0 {
if err != nil || (resp != nil && resp.IsError()) {
return resp, err
}
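Review bot: The replaced condition no longer treats an empty `loginPolicies` as a renewal failure, so a renewal for a user whose Okta groups were all removed proceeds as long as `b.Login` returned neither an error nor an error response; whether that is the intended outcome depends on the policy comparison later in pathLoginRenew, which lies outside the hunk. A short comment stating the contract on the new line would help: `// An empty loginPolicies is valid here (the token may carry only cfg.TokenPolicies); Login signals denial via err or an error resp.` This guard is now duplicated verbatim in builtin/credential/ldap/path_login.go; if the two renew paths keep moving together, a shared helper would keep them from drifting apart again.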

8 changes: 4 additions & 4 deletions command/seal_migration_test.go
@@ -106,13 +106,13 @@ func TestSealMigration(t *testing.T) {
if err != nil {
t.Fatal(err)
}
shamirwrapper := vault.NewDefaultSeal(&seal.Access{
wrapper := vault.NewDefaultSeal(&seal.Access{
Wrapper: aeadwrapper.NewWrapper(&wrapping.WrapperOptions{
Logger: logger.Named("shamir"),
}),
})
coreConfig := &vault.CoreConfig{
Seal: shamirwrapper,
Seal: wrapper,
Physical: phys,
HAPhysical: haPhys.(physical.HABackend),
DisableSealWrap: true,
@@ -333,7 +333,7 @@ func TestSealMigration(t *testing.T) {

core := cluster.Cores[0].Core

if err := adjustCoreForSealMigration(logger, core, shamirwrapper, altSeal); err != nil {
if err := adjustCoreForSealMigration(logger, core, wrapper, altSeal); err != nil {
t.Fatal(err)
}

@@ -369,7 +369,7 @@ func TestSealMigration(t *testing.T) {
{
logger.SetLevel(hclog.Trace)
logger.Info("integ: verify autoseal is off and the expected key shares work")
coreConfig.Seal = shamirwrapper
coreConfig.Seal = wrapper
cluster := vault.NewTestCluster(t, coreConfig, clusterConfig)
cluster.Start()
defer cluster.Cleanup()
10 changes: 8 additions & 2 deletions command/server/seal/server_seal_awskms.go
@@ -3,16 +3,22 @@ package seal
import (
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping"
"github.com/hashicorp/go-kms-wrapping/wrappers/awskms"
"github.com/hashicorp/vault/command/server"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/vault"
"github.com/hashicorp/vault/vault/seal"
)

func configureAWSKMSSeal(configSeal *server.Seal, infoKeys *[]string, info *map[string]string, logger hclog.Logger, inseal vault.Seal) (vault.Seal, error) {
var getAWSKMSFunc = func(opts *wrapping.WrapperOptions, config map[string]string) (wrapping.Wrapper, map[string]string, error) {
kms := awskms.NewWrapper(nil)
kmsInfo, err := kms.SetConfig(configSeal.Config)
kmsInfo, err := kms.SetConfig(config)
return kms, kmsInfo, err
}

func configureAWSKMSSeal(configSeal *server.Seal, infoKeys *[]string, info *map[string]string, logger hclog.Logger, inseal vault.Seal) (vault.Seal, error) {
kms, kmsInfo, err := getAWSKMSFunc(nil, configSeal.Config)
if err != nil {
// If the error is any other than logical.KeyNotFoundError, return the error
if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
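Review bot: `getAWSKMSFunc` ignores its `opts` parameter — the body still calls `awskms.NewWrapper(nil)` — so any `wrapping.WrapperOptions` a caller passes (notably a logger, which the transit counterpart in server_seal_transit.go does thread through) never reach the wrapper; change that line to `kms := awskms.NewWrapper(opts)` and, assuming awskms honours the logger the way transit does, call it from configureAWSKMSSeal as `getAWSKMSFunc(&wrapping.WrapperOptions{Logger: logger.ResetNamed("seal-awskms")}, configSeal.Config)` instead of passing `nil`. The seam is unexported here while the transit one is exported as `GetTransitKMSFunc`; the two files should agree on one convention. A doc comment such as `// getAWSKMSFunc builds and configures the AWS KMS wrapper; it is a variable so tests can substitute it.` would name the purpose of the indirection. The body of configureAWSKMSSeal continues past the hunk.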
14 changes: 10 additions & 4 deletions command/server/seal/server_seal_transit.go
@@ -11,11 +11,17 @@ import (
"github.com/hashicorp/vault/vault/seal"
)

var GetTransitKMSFunc = func(opts *wrapping.WrapperOptions, config map[string]string) (wrapping.Wrapper, map[string]string, error) {
transitSeal := transit.NewWrapper(opts)
sealInfo, err := transitSeal.SetConfig(config)
return transitSeal, sealInfo, err
}

func configureTransitSeal(configSeal *server.Seal, infoKeys *[]string, info *map[string]string, logger log.Logger, inseal vault.Seal) (vault.Seal, error) {
transitSeal := transit.NewWrapper(&wrapping.WrapperOptions{
Logger: logger.ResetNamed("seal-transit"),
})
sealInfo, err := transitSeal.SetConfig(configSeal.Config)
transitSeal, sealInfo, err := GetTransitKMSFunc(
&wrapping.WrapperOptions{
Logger: logger.ResetNamed("seal-transit"),
}, configSeal.Config)
if err != nil {
// If the error is any other than logical.KeyNotFoundError, return the error
if !errwrap.ContainsType(err, new(logical.KeyNotFoundError)) {
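Review bot: `GetTransitKMSFunc` is an exported, mutable package-level `var` holding the constructor of the seal wrapper — the component that unwraps Vault's root key — so any code linked into the binary can replace it at runtime; the only consumer visible in this commit is the acceptance test, which imports the package externally and therefore needs the export, but an `export_test.go` shim (or an unexported var plus a test-only setter) would keep that hook off the public API. If it stays exported it needs a doc comment: `// GetTransitKMSFunc creates and configures the transit seal wrapper; it is a variable so tests can substitute it.` Note that `transitSeal` in configureTransitSeal is now a `wrapping.Wrapper` rather than the concrete `*transit.Wrapper`; since the rest of the function is outside the hunk, this presumably compiles because nothing below relies on transit-specific methods, but that is worth confirming.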
9 changes: 4 additions & 5 deletions command/server/seal/server_seal_transit_acc_test.go
@@ -10,9 +10,9 @@ import (
"testing"
"time"

"github.com/hashicorp/go-kms-wrapping/wrappers/transit"
"github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/command/server/seal"
"github.com/ory/dockertest"
)

@@ -29,8 +29,8 @@ func TestTransitWrapper_Lifecycle(t *testing.T) {
"mount_path": mountPath,
"key_name": keyName,
}
s := transit.NewWrapper(nil)
_, err := s.SetConfig(wrapperConfig)

s, _, err := seal.GetTransitKMSFunc(nil, wrapperConfig)
if err != nil {
t.Fatalf("error setting wrapper config: %v", err)
}
@@ -86,8 +86,7 @@ func TestTransitSeal_TokenRenewal(t *testing.T) {
"mount_path": mountPath,
"key_name": keyName,
}
s := transit.NewWrapper(nil)
_, err = s.SetConfig(wrapperConfig)
s, _, err := seal.GetTransitKMSFunc(nil, wrapperConfig)
if err != nil {
t.Fatalf("error setting wrapper config: %v", err)
}
3 changes: 0 additions & 3 deletions go.mod
@@ -28,7 +28,6 @@ require (
github.com/cockroachdb/apd v1.1.0 // indirect
github.com/cockroachdb/cockroach-go v0.0.0-20181001143604-e0a95dfd547c
github.com/coreos/go-semver v0.2.0
github.com/coreos/go-systemd v0.0.0-20181012123002-c6f51f82210d // indirect
github.com/denisenkom/go-mssqldb v0.0.0-20190412130859-3b1d194e553a
github.com/dnaeon/go-vcr v1.0.1 // indirect
github.com/dsnet/compress v0.0.1 // indirect
@@ -48,7 +47,6 @@ require (
github.com/golang/protobuf v1.3.2
github.com/google/go-github v17.0.0+incompatible
github.com/google/go-metrics-stackdriver v0.0.0-20190816035513-b52628e82e2a
github.com/google/go-querystring v1.0.0 // indirect
github.com/grpc-ecosystem/grpc-gateway v1.8.5 // indirect
github.com/hashicorp/consul-template v0.22.0
github.com/hashicorp/consul/api v1.1.0
@@ -97,7 +95,6 @@ require (
github.com/joyent/triton-go v0.0.0-20190112182421-51ffac552869
github.com/keybase/go-crypto v0.0.0-20190403132359-d65b6b94177f
github.com/kr/pretty v0.1.0
github.com/kr/pty v1.1.3 // indirect
github.com/kr/text v0.1.0
github.com/lib/pq v1.2.0
github.com/mattn/go-colorable v0.1.4
2 changes: 0 additions & 2 deletions go.sum
@@ -359,8 +359,6 @@ github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0m
github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
github.com/hashicorp/memberlist v0.1.4 h1:gkyML/r71w3FL8gUi74Vk76avkj/9lYAY9lvg0OcoGs=
github.com/hashicorp/memberlist v0.1.4/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
github.com/hashicorp/nomad/api v0.0.0-20190412184103-1c38ced33adf h1:U/40PQvWkaXCDdK9QHKf1pVDVcA+NIDVbzzonFGkgIA=
github.com/hashicorp/nomad/api v0.0.0-20190412184103-1c38ced33adf/go.mod h1:BDngVi1f4UA6aJq9WYTgxhfWSE1+42xshvstLU2fRGk=
github.com/hashicorp/nomad/api v0.0.0-20191220223628-edc62acd919d h1:BXqsASWhyiAiEVm6FcltF0dg8XvoookQwmpHn8lstu8=
github.com/hashicorp/nomad/api v0.0.0-20191220223628-edc62acd919d/go.mod h1:WKCL+tLVhN1D+APwH3JiTRZoxcdwRk86bWu1LVCUPaE=
github.com/hashicorp/raft v1.0.1/go.mod h1:DVSAWItjLjTOkVbSpWQ0j0kUADIvDaCtBxIcbNAQLkI=
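--- /dev/null
+++ b/helper/testhelpers/mysql/mysqlhelper.go
@@ -0,0 +1,67 @@
+package mysqlhelper
+
+import (
+"database/sql"
+"fmt"
+"os"
+"strings"
+"testing"
+
+"github.com/hashicorp/vault/helper/testhelpers/docker"
+"github.com/ory/dockertest"
+)
+
+func PrepareMySQLTestContainer(t *testing.T, legacy bool, pw string) (cleanup func(), retURL string) {
+if os.Getenv("MYSQL_URL") != "" {
+return func() {}, os.Getenv("MYSQL_URL")
+}
+
+pool, err := dockertest.NewPool("")
+if err != nil {
+t.Fatalf("Failed to connect to docker: %s", err)
+}
+
+imageVersion := "5.7"
+if legacy {
+imageVersion = "5.6"
+}
+
+resource, err := pool.Run("mysql", imageVersion, []string{"MYSQL_ROOT_PASSWORD=" + pw})
+if err != nil {
+t.Fatalf("Could not start local MySQL docker container: %s", err)
+}
+
+cleanup = func() {
+docker.CleanupResource(t, pool, resource)
+}
+
+retURL = fmt.Sprintf("root:%s@(localhost:%s)/mysql?parseTime=true", pw, resource.GetPort("3306/tcp"))
+
+// exponential backoff-retry
+if err = pool.Retry(func() error {
+var err error
+var db *sql.DB
+db, err = sql.Open("mysql", retURL)
+if err != nil {
+return err
+}
+defer db.Close()
+return db.Ping()
+}); err != nil {
+cleanup()
+t.Fatalf("Could not connect to MySQL docker container: %s", err)
+}
+
+return
+}
+
+func TestCredsExist(t testing.TB, connURL, username, password string) error {
+// Log in with the new creds
+connURL = strings.Replace(connURL, "root:secret", fmt.Sprintf("%s:%s", username, password), 1)
+db, err := sql.Open("mysql", connURL)
+if err != nil {
+return err
+}
+defer db.Close()
+return db.Ping()
+}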
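Review bot: `TestCredsExist` only swaps the credentials when the DSN literally contains `root:secret`, but `PrepareMySQLTestContainer` builds the DSN from the caller-supplied `pw` (and returns `MYSQL_URL` verbatim when that variable is set), so for any other root password the `strings.Replace` is a no-op and the ping runs as root — a check meant to prove that freshly issued credentials work then passes even when they do not. Replace the userinfo by position rather than by value, as below; `t` is also unused in this function and could be dropped. The root password is handed to the container through `MYSQL_ROOT_PASSWORD` in the process environment and embedded in the returned DSN, which is fine for a throwaway test container but deserves a comment so nobody reuses the helper with a real secret.
```go
// TestCredsExist pings the database as username/password. It replaces the
// userinfo of connURL (everything before the last '@') rather than assuming
// the root password is the literal "secret".
func TestCredsExist(t testing.TB, connURL, username, password string) error {
	at := strings.LastIndex(connURL, "@")
	if at < 0 {
		return fmt.Errorf("connURL has no userinfo to replace")
	}
	connURL = username + ":" + password + connURL[at:]
	// … unchanged: sql.Open, defer db.Close(), db.Ping() …
}
```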
8 changes: 1 addition & 7 deletions physical/raft/raft.go
@@ -503,14 +503,8 @@ func (b *RaftBackend) SetupCluster(ctx context.Context, opts SetupOpts) error {
case opts.ClusterListener == nil:
return errors.New("no cluster listener provided")
default:
// Load the base TLS config from the cluster listener.
baseTLSConfig, err := opts.ClusterListener.TLSConfig(ctx)
if err != nil {
return err
}

// Set the local address and localID in the streaming layer and the raft config.
streamLayer, err := NewRaftLayer(b.logger.Named("stream"), opts.TLSKeyring, opts.ClusterListener.Addr(), baseTLSConfig)
streamLayer, err := NewRaftLayer(b.logger.Named("stream"), opts.TLSKeyring, opts.ClusterListener)
if err != nil {
return err
}
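Review bot: The removed `opts.ClusterListener.TLSConfig(ctx)` call was the only point at which SetupCluster verified that usable TLS material exists before the raft layer is built; NewRaftLayer in streamlayer.go now checks only that the cluster address is non-nil, so a listener with no TLS config is presumably discovered at the first Dial or Accept rather than at setup, and the error path has moved from a clean startup failure to a runtime one. Unless the dialer obtained from GetDialerFunc is known to validate this itself, keeping a fail-fast probe here costs one line: `if _, err := opts.ClusterListener.TLSConfig(ctx); err != nil { return err }` ahead of the NewRaftLayer call. SetupCluster continues past the hunk.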
61 changes: 30 additions & 31 deletions physical/raft/streamlayer.go
@@ -110,7 +110,7 @@ func GenerateTLSKey(reader io.Reader) (*TLSKey, error) {
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageKeyAgreement | x509.KeyUsageCertSign,
SerialNumber: big.NewInt(mathrand.Int63()),
NotBefore: time.Now().Add(-30 * time.Second),
// 30 years of single-active uptime ought to be enough for anybody
// 30 years ought to be enough for anybody
NotAfter: time.Now().Add(262980 * time.Hour),
BasicConstraintsValid: true,
IsCA: true,
@@ -162,25 +162,26 @@ type raftLayer struct {
dialerFunc func(string, time.Duration) (net.Conn, error)

// TLS config
keyring *TLSKeyring
baseTLSConfig *tls.Config
keyring *TLSKeyring
clusterListener cluster.ClusterHook
}

// NewRaftLayer creates a new raftLayer object. It parses the TLS information
// from the network config.
func NewRaftLayer(logger log.Logger, raftTLSKeyring *TLSKeyring, clusterAddr net.Addr, baseTLSConfig *tls.Config) (*raftLayer, error) {
func NewRaftLayer(logger log.Logger, raftTLSKeyring *TLSKeyring, clusterListener cluster.ClusterHook) (*raftLayer, error) {
clusterAddr := clusterListener.Addr()
switch {
case clusterAddr == nil:
// Clustering disabled on the server, don't try to look for params
return nil, errors.New("no raft addr found")
}

layer := &raftLayer{
addr: clusterAddr,
connCh: make(chan net.Conn),
closeCh: make(chan struct{}),
logger: logger,
baseTLSConfig: baseTLSConfig,
addr: clusterAddr,
connCh: make(chan net.Conn),
closeCh: make(chan struct{}),
logger: logger,
clusterListener: clusterListener,
}

if err := layer.setTLSKeyring(raftTLSKeyring); err != nil {
@@ -236,6 +237,24 @@ func (l *raftLayer) setTLSKeyring(keyring *TLSKeyring) error {
return nil
}

func (l *raftLayer) ServerName() string {
key := l.keyring.GetActive()
if key == nil {
return ""
}

return key.parsedCert.Subject.CommonName
}

func (l *raftLayer) CACert(ctx context.Context) *x509.Certificate {
key := l.keyring.GetActive()
if key == nil {
return nil
}

return key.parsedCert
}

func (l *raftLayer) ClientLookup(ctx context.Context, requestInfo *tls.CertificateRequestInfo) (*tls.Certificate, error) {
for _, subj := range requestInfo.AcceptableCAs {
for _, key := range l.keyring.Keys {
@@ -346,26 +365,6 @@ func (l *raftLayer) Addr() net.Addr {

// Dial is used to create a new outgoing connection
func (l *raftLayer) Dial(address raft.ServerAddress, timeout time.Duration) (net.Conn, error) {

tlsConfig := l.baseTLSConfig.Clone()

key := l.keyring.GetActive()
if key == nil {
return nil, errors.New("no active key")
}

tlsConfig.NextProtos = []string{consts.RaftStorageALPN}
tlsConfig.ServerName = key.parsedCert.Subject.CommonName

l.logger.Debug("creating rpc dialer", "host", tlsConfig.ServerName)

pool := x509.NewCertPool()
pool.AddCert(key.parsedCert)
tlsConfig.RootCAs = pool
tlsConfig.ClientCAs = pool

dialer := &net.Dialer{
Timeout: timeout,
}
return tls.DialWithDialer(dialer, "tcp", string(address), tlsConfig)
dialFunc := l.clusterListener.GetDialerFunc(context.Background(), consts.RaftStorageALPN)
return dialFunc(string(address), timeout)
}
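Review bot: Dial has lost its explicit `no active key` error: with no active keyring entry, `ServerName()` now returns `""` and `CACert()` returns `nil`, and what the dialer returned by `GetDialerFunc` does with an empty server name and a nil CA is not visible here — if it falls back to a permissive config instead of failing, a node whose keyring is unset could reach a peer without verifying it. Having Dial guard this itself restores the old behaviour in one line: `if l.keyring.GetActive() == nil { return nil, errors.New("no active key") }` before the `GetDialerFunc` call. The old code also pinned `NextProtos` to `consts.RaftStorageALPN` and used only the active key as the root pool; the new path hands the ALPN to GetDialerFunc and exposes the same single cert through `CACert`, so that part is preserved assuming the hook applies them, which is worth a sentence in a doc comment on `CACert` (e.g. `// CACert returns the certificate of the active keyring entry; peers on a not-yet-active key are not trusted by this side.`).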
