Merge remote-tracking branch 'oss/master' into 1.1-beta

.travis.yml

@@ -27,8 +27,8 @@ cache:
   - ui/node_modules
 
 before_install:
-  - nvm install 8
-  - nvm use 8
+  - nvm install 10
+  - nvm use 10
   - curl -o- -L https://yarnpkg.com/install.sh | bash -s -- --version 1.12.1
   - export PATH="$HOME/.yarn/bin:$PATH"
 

CHANGELOG.md

@@ -1,10 +1,36 @@
 ## 1.0.3 (February 12th, 2019)
 
+CHANGES:
+
+ * auth/jwt: The `groups_claim_delimiter_pattern` has been removed. If the groups
+   claim is not at the top level, it can now be specified as a
+   [JSONPointer](https://tools.ietf.org/html/rfc6901).
+ * auth/jwt: Roles now have a "role type" parameter with a default type of "oidc". To
+   configure new JWT roles, a role type of "jwt" must be explicitly specified.
+
+IMPROVEMENTS:
+
+ * auth/jwt: A default role can be set. It will be used during JWT/OIDC logins if
+   a role is not specified.
+ * auth/jwt: Arbitrary claims data can now be copied into token & alias metadata.
+ * auth/jwt: An arbitrary set of bound claims can now be configured for a role.
+ * auth/jwt: The name "oidc" has been added as an alias for the jwt backend. Either
+   name may be specified in the `auth enable` command.
+
+FEATURES:
+
+ * **OIDC Support**: The JWT auth backend now supports OIDC roles. These allow
+   authentication via an OIDC-compliant provider via the user's browser. The
+   login may be initiatated from the Vault UI or through the `vault login` command.
+
+## 1.0.3 (February 12th, 2019)
+
 CHANGES:
 
  * New AWS authentication plugin mounts will default to using the generated
-   role ID as the Identity alias name.  This applies to both EC2 and IAM auth.
-   Existing mounts will not be affected.
+   role ID as the Identity alias name. This applies to both EC2 and IAM auth.
+   Existing mounts that explicitly set this value will not be affected but
+   mounts that specified no preference will switch over on upgrade.
  * The default policy now allows a token to look up its associated identity
    entity either by name or by id [GH-6105]
  * The Vault UI's navigation and onboarding wizard now only displays items that

README.md

@@ -82,6 +82,16 @@ $ bin/vault
 ...
 ```
 
+To compile a development version of Vault with the UI, run `make static-dist dev-ui`. This will
+put the Vault binary in the `bin` and `$GOPATH/bin` folders:
+
+```sh
+$ make static-dist dev-ui
+...
+$ bin/vault
+...
+```
+
 To run tests, type `make test`. Note: this requires Docker to be installed. If
 this exits with exit status 0, then everything is working!
 

plugins/database/mssql/README.md

@@ -0,0 +1,24 @@
+# Testing
+
+To run these tests, first start MSSQL in Docker. Please do make sure to view the EULA before 
+accepting it as it includes limits on the number of users per company who can be using the 
+image, and how it can be used in testing.
+
+```
+sudo docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=<YourStrong!Passw0rd>' \
+   -p 1433:1433 --name sql1 \
+   -d mcr.microsoft.com/mssql/server:2017-latest
+```
+
+Then use the following env variables for testing:
+
+```
+export VAULT_ACC=1
+export MSSQL_URL="sqlserver://SA:%3CYourStrong%21Passw0rd%3E@localhost:1433"
+```
+
+Note that the SA password passed into the Docker container differs from the one passed into the tests.
+It's the same password, but Go's libraries require it to be percent encoded.
+
+Running all the tests at once against one Docker container will likely fail because they interact with
+each other. Consider running one test at a time.

plugins/database/mssql/mssql_test.go

@@ -14,7 +14,7 @@ import (
 
 func TestMSSQL_Initialize(t *testing.T) {
 	if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" {
-		return
+		t.SkipNow()
 	}
 	connURL := os.Getenv("MSSQL_URL")
 
@@ -51,7 +51,7 @@ func TestMSSQL_Initialize(t *testing.T) {
 
 func TestMSSQL_CreateUser(t *testing.T) {
 	if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" {
-		return
+		t.SkipNow()
 	}
 	connURL := os.Getenv("MSSQL_URL")
 
@@ -92,7 +92,7 @@ func TestMSSQL_CreateUser(t *testing.T) {
 
 func TestMSSQL_RotateRootCredentials(t *testing.T) {
 	if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" {
-		return
+		t.SkipNow()
 	}
 	connURL := os.Getenv("MSSQL_URL")
 
@@ -131,7 +131,7 @@ func TestMSSQL_RotateRootCredentials(t *testing.T) {
 
 func TestMSSQL_RevokeUser(t *testing.T) {
 	if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" {
-		return
+		t.SkipNow()
 	}
 	connURL := os.Getenv("MSSQL_URL")
 

scripts/cross/Dockerfile

@@ -12,12 +12,14 @@ RUN apt-get update -y && apt-get install --no-install-recommends -y -q \
                          libltdl-dev \
                          libltdl7
 
-RUN curl -sL https://deb.nodesource.com/setup_8.x | bash -
-RUN apt-get install -y nodejs npm
+RUN curl -sL https://deb.nodesource.com/setup_10.x | bash -
+RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
+RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
+
+RUN apt-get update -y && apt-get install nodejs yarn=1.12.1-1
 
 RUN rm -rf /var/lib/apt/lists/*
 
-RUN npm install -g [email protected]
 
 ENV GOVERSION 1.11.5
 RUN mkdir /goroot && mkdir /gopath

ui/.nvmrc

@@ -1 +1 @@
-v8.12.0
+v10

ui/scripts/start-vault.js

@@ -42,7 +42,10 @@ readline
     if (root && unseal) {
       fs.writeFile(
         path.join(process.cwd(), 'tests/helpers/vault-keys.js'),
-        `export default ${JSON.stringify({ unseal, root }, null, 2)}`
+        `export default ${JSON.stringify({ unseal, root }, null, 2)}`,
+        err => {
+          if (err) throw err;
+        }
       );
 
       console.log('VAULT SERVER READY');
@@ -71,4 +74,7 @@ process.on('exit', function() {
   vault.kill('SIGINT');
 });
 
-fs.writeFile(pidFile, process.pid);
+fs.writeFile(pidFile, process.pid, err => {
+  if (err) throw err;
+  console.log('The file has been saved!');
+});

vault/identity_store_util.go

@@ -1868,7 +1868,7 @@ func (i *IdentityStore) refreshExternalGroupMembershipsByEntityID(entityID strin
 
 		// If the external group is from a different mount, don't remove the
 		// entity ID from it.
-		if mountAccessor != "" && group.Alias.MountAccessor != mountAccessor {
+		if mountAccessor != "" && group.Alias != nil && group.Alias.MountAccessor != mountAccessor {
 			continue
 		}
 

vault/router.go

@@ -784,8 +784,7 @@ func (r *Router) LoginPath(ctx context.Context, path string) bool {
 	return match == remain
 }
 
-// pathsToRadix converts a the mapping of special paths to a mapping
-// of special paths to radix trees.
+// pathsToRadix converts a list of special paths to a radix tree.
 func pathsToRadix(paths []string) *radix.Tree {
 	tree := radix.New()
 	for _, path := range paths {

website/source/docs/configuration/listener/tcp.html.md

@@ -43,8 +43,8 @@ advertise the correct address to other nodes.
   request duration allowed before Vault cancels the request. This overrides
   `default_max_request_duration` for this listener.
 
-- `proxy_protocol_behavior` `(string: "") – When specified, turns on the PROXY
-  protocol for the listener.
+- `proxy_protocol_behavior` `(string: "")` – When specified, enables a PROXY
+  protocol version 1 behavior for the listener.
   Accepted Values:
   - *use_always* - The client's IP address will always be used.
   - *allow_authorized* - If the source IP address is in the

website/source/docs/configuration/storage/consul.html.md

@@ -25,7 +25,7 @@ check.
 ```hcl
 storage "consul" {
   address = "127.0.0.1:8500"
-  path    = "vault"
+  path    = "vault/"
 }
 ```
 

website/source/guides/operations/deployment-guide.html.md

@@ -5,8 +5,8 @@ sidebar_current: "guides-operations-deployment-guide"
 description: |-
   This deployment guide covers the steps required to install and
   configure a single HashiCorp Vault cluster as defined in the
-  Vault Reference Architecture
-product_version: 1.0
+  Vault Reference Architecture.
+ea_version: 1.0
 ---
 
 # Vault Deployment Guide

website/source/guides/operations/reference-architecture.html.md

@@ -6,7 +6,7 @@ sidebar_current: "guides-operations-reference-architecture"
 description: |-
   This guide provides guidance in the best practices of Vault
   implementations through use of a reference architecture.
-product_version: 0.11
+ea_version: 1.0
 ---
 
 # Vault Reference Architecture