diff --git a/.travis.yml b/.travis.yml index d05c73505e6e..13bcc38a8a21 100644 --- a/.travis.yml +++ b/.travis.yml @@ -27,8 +27,8 @@ cache: - ui/node_modules before_install: - - nvm install 8 - - nvm use 8 + - nvm install 10 + - nvm use 10 - curl -o- -L https://yarnpkg.com/install.sh | bash -s -- --version 1.12.1 - export PATH="$HOME/.yarn/bin:$PATH" diff --git a/CHANGELOG.md b/CHANGELOG.md index 4dcb052e45e7..67cf8cf0e040 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,10 +1,36 @@ ## 1.0.3 (February 12th, 2019) +CHANGES: + + * auth/jwt: The `groups_claim_delimiter_pattern` has been removed. If the groups + claim is not at the top level, it can now be specified as a + [JSONPointer](https://tools.ietf.org/html/rfc6901). + * auth/jwt: Roles now have a "role type" parameter with a default type of "oidc". To + configure new JWT roles, a role type of "jwt" must be explicitly specified. + +IMPROVEMENTS: + + * auth/jwt: A default role can be set. It will be used during JWT/OIDC logins if + a role is not specified. + * auth/jwt: Arbitrary claims data can now be copied into token & alias metadata. + * auth/jwt: An arbitrary set of bound claims can now be configured for a role. + * auth/jwt: The name "oidc" has been added as an alias for the jwt backend. Either + name may be specified in the `auth enable` command. + +FEATURES: + + * **OIDC Support**: The JWT auth backend now supports OIDC roles. These allow + authentication via an OIDC-compliant provider via the user's browser. The + login may be initiatated from the Vault UI or through the `vault login` command. + +## 1.0.3 (February 12th, 2019) + CHANGES: * New AWS authentication plugin mounts will default to using the generated - role ID as the Identity alias name. This applies to both EC2 and IAM auth. - Existing mounts will not be affected. + role ID as the Identity alias name. This applies to both EC2 and IAM auth. + Existing mounts that explicitly set this value will not be affected but + mounts that specified no preference will switch over on upgrade. * The default policy now allows a token to look up its associated identity entity either by name or by id [GH-6105] * The Vault UI's navigation and onboarding wizard now only displays items that diff --git a/README.md b/README.md index 1ab507bfedf0..ccfa8a165baf 100644 --- a/README.md +++ b/README.md 
@@ -82,6 +82,16 @@ $ bin/vault ... ``` +To compile a development version of Vault with the UI, run `make static-dist dev-ui`. This will +put the Vault binary in the `bin` and `$GOPATH/bin` folders: + +```sh +$ make static-dist dev-ui +... +$ bin/vault +... +``` + To run tests, type `make test`. Note: this requires Docker to be installed. If this exits with exit status 0, then everything is working! diff --git a/plugins/database/mssql/README.md b/plugins/database/mssql/README.md new file mode 100644 index 000000000000..a6d60dd2a38f --- /dev/null +++ b/plugins/database/mssql/README.md @@ -0,0 +1,24 @@ +# Testing + +To run these tests, first start MSSQL in Docker. Please do make sure to view the EULA before +accepting it as it includes limits on the number of users per company who can be using the +image, and how it can be used in testing. + +``` +sudo docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=' \ + -p 1433:1433 --name sql1 \ + -d mcr.microsoft.com/mssql/server:2017-latest +``` + +Then use the following env variables for testing: + +``` +export VAULT_ACC=1 +export MSSQL_URL="sqlserver://SA:%3CYourStrong%21Passw0rd%3E@localhost:1433" +``` + +Note that the SA password passed into the Docker container differs from the one passed into the tests. +It's the same password, but Go's libraries require it to be percent encoded. + +Running all the tests at once against one Docker container will likely fail because they interact with +each other. Consider running one test at a time. diff --git a/plugins/database/mssql/mssql_test.go b/plugins/database/mssql/mssql_test.go index 1c96c53e2b38..e48f903a973b 100644 --- a/plugins/database/mssql/mssql_test.go +++ b/plugins/database/mssql/mssql_test.go @@ -14,7 +14,7 @@ import ( func TestMSSQL_Initialize(t *testing.T) { if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" { - return + t.SkipNow() } connURL := os.Getenv("MSSQL_URL") 
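Review bot: The new `t.SkipNow()` in TestMSSQL_Initialize records no reason, so `go test -v` shows the test as skipped without saying that it is an acceptance test gated on environment variables; `t.Skip("MSSQL_URL and VAULT_ACC=1 must be set")` keeps the same control flow and makes the gate visible. The same change applies to the identical guards in TestMSSQL_CreateUser, TestMSSQL_RotateRootCredentials and TestMSSQL_RevokeUser in the following hunks. Since the four guards are byte-identical, a small helper such as `skipUnlessAcceptance(t *testing.T)` would keep the condition in one place. The enclosing test functions continue outside the hunk.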
@@ -51,7 +51,7 @@ func TestMSSQL_Initialize(t *testing.T) { func TestMSSQL_CreateUser(t *testing.T) { if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" { - return + t.SkipNow() } connURL := os.Getenv("MSSQL_URL") @@ -92,7 +92,7 @@ func TestMSSQL_CreateUser(t *testing.T) { func TestMSSQL_RotateRootCredentials(t *testing.T) { if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" { - return + t.SkipNow() } connURL := os.Getenv("MSSQL_URL") @@ -131,7 +131,7 @@ func TestMSSQL_RotateRootCredentials(t *testing.T) { func TestMSSQL_RevokeUser(t *testing.T) { if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" { - return + t.SkipNow() } connURL := os.Getenv("MSSQL_URL") diff --git a/scripts/cross/Dockerfile b/scripts/cross/Dockerfile index 968c0f01a1a2..997343b04845 100644 --- a/scripts/cross/Dockerfile +++ b/scripts/cross/Dockerfile @@ -12,12 +12,14 @@ RUN apt-get update -y && apt-get install --no-install-recommends -y -q \ libltdl-dev \ libltdl7 -RUN curl -sL https://deb.nodesource.com/setup_8.x | bash - -RUN apt-get install -y nodejs npm +RUN curl -sL https://deb.nodesource.com/setup_10.x | bash - +RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - +RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list + +RUN apt-get update -y && apt-get install nodejs yarn=1.12.1-1 RUN rm -rf /var/lib/apt/lists/* -RUN npm install -g yarn@1.12.1 ENV GOVERSION 1.11.5 RUN mkdir /goroot && mkdir /gopath diff --git a/ui/.nvmrc b/ui/.nvmrc index 368fe859d733..e338b86593fa 100644 --- a/ui/.nvmrc +++ b/ui/.nvmrc @@ -1 +1 @@ -v8.12.0 +v10 diff --git a/ui/scripts/start-vault.js b/ui/scripts/start-vault.js index 25479512bb0a..74b5bdbd839c 100755 --- a/ui/scripts/start-vault.js +++ b/ui/scripts/start-vault.js 
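Review bot: The added `RUN apt-get update -y && apt-get install nodejs yarn=1.12.1-1` has no `-y`, so a non-interactive image build stops at the confirmation prompt and aborts; it also drops the `--no-install-recommends` the earlier install line in this hunk uses, so the line should read `RUN apt-get update -y && apt-get install --no-install-recommends -y nodejs yarn=1.12.1-1`. Separately, the new side still executes `curl -sL https://deb.nodesource.com/setup_10.x | bash -` and trusts `apt-key add -` with whatever the yarn pubkey URL returns, so the build's trust in both repositories rests entirely on TLS to those hosts at build time. Where the publisher documents a key fingerprint, checking it against the downloaded key (a placeholder such as `<EXPECTED_FINGERPRINT>` until the value is confirmed) before `apt-key add` would make a substituted key fail the build instead of being accepted silently.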
@@ -42,7 +42,10 @@ readline if (root && unseal) { fs.writeFile( path.join(process.cwd(), 'tests/helpers/vault-keys.js'), - `export default ${JSON.stringify({ unseal, root }, null, 2)}` + `export default ${JSON.stringify({ unseal, root }, null, 2)}`, + err => { + if (err) throw err; + } ); console.log('VAULT SERVER READY'); @@ -71,4 +74,7 @@ process.on('exit', function() { vault.kill('SIGINT'); }); -fs.writeFile(pidFile, process.pid); +fs.writeFile(pidFile, process.pid, err => { + if (err) throw err; + console.log('The file has been saved!'); +}); diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go index 56956a482d46..ecac90ba56e4 100644 --- a/vault/identity_store_util.go +++ b/vault/identity_store_util.go @@ -1868,7 +1868,7 @@ func (i *IdentityStore) refreshExternalGroupMembershipsByEntityID(entityID strin // If the external group is from a different mount, don't remove the // entity ID from it. - if mountAccessor != "" && group.Alias.MountAccessor != mountAccessor { + if mountAccessor != "" && group.Alias != nil && group.Alias.MountAccessor != mountAccessor { continue } diff --git a/vault/router.go b/vault/router.go index 423b824bc709..e0b4bec06e81 100644 --- a/vault/router.go +++ b/vault/router.go @@ -784,8 +784,7 @@ func (r *Router) LoginPath(ctx context.Context, path string) bool { return match == remain } -// pathsToRadix converts a the mapping of special paths to a mapping -// of special paths to radix trees. +// pathsToRadix converts a list of special paths to a radix tree. func pathsToRadix(paths []string) *radix.Tree { tree := radix.New() for _, path := range paths { diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go index eede23d39e07..eac859d3405f 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go 
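Review bot: `console.log('VAULT SERVER READY')` still runs synchronously right after the asynchronous `fs.writeFile` of `tests/helpers/vault-keys.js` is started, so anything waiting on that message may read the keys file before the write has completed (or been reported failed by the new `err => { if (err) throw err; }` callback). Moving the readiness log into the callback, after the `if (err) throw err;` line, ties the message to the file actually existing. The surrounding readline handler starts outside the hunk, so I cannot see whether anything else depends on the ordering.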
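Review bot: The completion message `console.log('The file has been saved!')` in the new `fs.writeFile(pidFile, process.pid, ...)` callback does not say which file was written; something like `console.log(\`pid written to ${pidFile}\`)` would make the log useful. The data argument is also the number `process.pid`, which `fs.writeFile` only accepts by implicitly stringifying it and which newer Node releases flag as deprecated; passing `String(process.pid)` makes the intent explicit and avoids relying on that coercion.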
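Review bot: With the added `group.Alias != nil` guard, a group whose Alias is nil no longer hits `continue` and so falls through to having the entity removed from it, even though the mount it belongs to cannot be determined in that case. If a nil Alias is not expected for an external group this is fine, but the branch deserves a comment stating that choice, for example `// A group without an alias cannot be attributed to a mount; fall through and remove the membership.` The enclosing refreshExternalGroupMembershipsByEntityID starts and ends outside the hunk, so whether the nil case can actually occur here is inferred, not visible.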
@@ -173,6 +173,15 @@ func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Reque } } + case len(config.JWTSupportedAlgs) != 0: + for _, a := range config.JWTSupportedAlgs { + switch a { + case oidc.RS256, oidc.RS384, oidc.RS512, oidc.ES256, oidc.ES384, oidc.ES512, oidc.PS256, oidc.PS384, oidc.PS512: + default: + return logical.ErrorResponse(fmt.Sprintf("Invalid supported algorithm: %s", a)), nil + } + } + default: return nil, errors.New("unknown condition") } diff --git a/website/source/docs/configuration/listener/tcp.html.md b/website/source/docs/configuration/listener/tcp.html.md index b75efb76337c..e301ece6a99a 100644 --- a/website/source/docs/configuration/listener/tcp.html.md +++ b/website/source/docs/configuration/listener/tcp.html.md @@ -43,8 +43,8 @@ advertise the correct address to other nodes. request duration allowed before Vault cancels the request. This overrides `default_max_request_duration` for this listener. -- `proxy_protocol_behavior` `(string: "") – When specified, turns on the PROXY - protocol for the listener. +- `proxy_protocol_behavior` `(string: "")` – When specified, enables a PROXY + protocol version 1 behavior for the listener. Accepted Values: - *use_always* - The client's IP address will always be used. - *allow_authorized* - If the source IP address is in the diff --git a/website/source/docs/configuration/storage/consul.html.md b/website/source/docs/configuration/storage/consul.html.md index 213182267e4d..c2d275070b1b 100644 --- a/website/source/docs/configuration/storage/consul.html.md +++ b/website/source/docs/configuration/storage/consul.html.md @@ -25,7 +25,7 @@ check. ```hcl storage "consul" { address = "127.0.0.1:8500" - path = "vault" + path = "vault/" } ``` diff --git a/website/source/guides/operations/deployment-guide.html.md b/website/source/guides/operations/deployment-guide.html.md index 781536411af7..95108798aa3b 100644 --- a/website/source/guides/operations/deployment-guide.html.md 
+++ b/website/source/guides/operations/deployment-guide.html.md @@ -5,8 +5,8 @@ sidebar_current: "guides-operations-deployment-guide" description: |- This deployment guide covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the - Vault Reference Architecture -product_version: 1.0 + Vault Reference Architecture. +ea_version: 1.0 --- # Vault Deployment Guide diff --git a/website/source/guides/operations/reference-architecture.html.md b/website/source/guides/operations/reference-architecture.html.md index ff47b4758384..b914a0408cb8 100644 --- a/website/source/guides/operations/reference-architecture.html.md +++ b/website/source/guides/operations/reference-architecture.html.md @@ -6,7 +6,7 @@ sidebar_current: "guides-operations-reference-architecture" description: |- This guide provides guidance in the best practices of Vault implementations through use of a reference architecture. -product_version: 0.11 +ea_version: 1.0 --- # Vault Reference Architecture