From 5ed871014fbda34484438e33cedf17d8b062405d Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Tue, 12 Feb 2019 08:53:40 -0500 Subject: [PATCH 01/21] Pull in updated plugins --- .../vault-plugin-auth-azure/Gopkg.lock | 16 ++++- .../vault-plugin-auth-azure/path_config.go | 5 ++ .../plugin/path_config.go | 3 + .../vault-plugin-auth-jwt/path_config.go | 17 ++++++ .../vault-plugin-auth-jwt/path_login.go | 3 +- .../vault-plugin-auth-kubernetes/Gopkg.lock | 16 ++++- .../path_config.go | 5 ++ .../clients/sts.go | 4 +- .../path_creds.go | 21 +++++-- .../vault-plugin-secrets-gcpkms/README.md | 6 ++ vendor/vendor.json | 58 +++++++++---------- 11 files changed, 112 insertions(+), 42 deletions(-) diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-azure/Gopkg.lock b/vendor/github.com/hashicorp/vault-plugin-auth-azure/Gopkg.lock index a8eb992af37c..b73a81c63b35 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-azure/Gopkg.lock +++ b/vendor/github.com/hashicorp/vault-plugin-auth-azure/Gopkg.lock @@ -216,7 +216,7 @@ [[projects]] branch = "master" - digest = "1:450803219e484669ba680c777ecac629dac92abde2bc83009beaa630f5368e71" + digest = "1:606c7307ae83d1adc0901aa8909b700489d7f1294533344453436a8dbff0091b" name = "github.com/hashicorp/vault" packages = [ "api", @@ -226,6 +226,7 @@ "helper/errutil", "helper/hclutil", "helper/jsonutil", + "helper/license", "helper/locksutil", "helper/logging", "helper/mlock", @@ -245,7 +246,7 @@ "version", ] pruneopts = "UT" - revision = "8655d167084028d627f687ddc25d0c71307eb5be" + revision = "c0739a0f2367d5fdd20cef502b628e01bdb90470" [[projects]] branch = "master" 
@@ -287,6 +288,17 @@ revision = "4dadeb3030eda0273a12382bb2348ffc7c9d1a39" version = "v1.0.0" +[[projects]] + digest = "1:c7a5e79396b6eb570159df7a1d487ce5775bf43b7907976fbef6de544ea160ad" + name = "github.com/pierrec/lz4" + packages = [ + ".", + "internal/xxh32", + ] + pruneopts = "UT" + revision = "473cd7ce01a1113208073166464b98819526150e" + version = "v2.0.8" + [[projects]] branch = "master" digest = "1:bd9efe4e0b0f768302a1e2f0c22458149278de533e521206e5ddc71848c269a0" diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-azure/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-azure/path_config.go index 8b18cc90650a..4e5fad3890df 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-azure/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-azure/path_config.go 
@@ -16,26 +16,31 @@ func pathConfig(b *azureAuthBackend) *framework.Path { Description: `The tenant id for the Azure Active Directory. This is sometimes referred to as Directory ID in AD. This value can also be provided with the AZURE_TENANT_ID environment variable.`, + DisplayName: "Tenant ID", }, "resource": &framework.FieldSchema{ Type: framework.TypeString, Description: `The resource URL for the vault application in Azure Active Directory. This value can also be provided with the AZURE_AD_RESOURCE environment variable.`, + DisplayName: "Resource", }, "environment": &framework.FieldSchema{ Type: framework.TypeString, Description: `The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable.`, + DisplayName: "Environment", }, "client_id": &framework.FieldSchema{ Type: framework.TypeString, Description: `The OAuth2 client id to connection to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable.`, + DisplayName: "Client ID", }, "client_secret": &framework.FieldSchema{ Type: framework.TypeString, Description: `The OAuth2 client secret to connection to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable.`, + DisplayName: "Client Secret", }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_config.go index 3476a64134e3..da4d32f310ba 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_config.go @@ -6,6 +6,7 @@ import ( "fmt" "encoding/json" + "github.com/hashicorp/go-gcp-common/gcputil" "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" 
@@ -20,11 +21,13 @@ func pathConfig(b *GcpAuthBackend) *framework.Path { Description: ` Google credentials JSON that Vault will use to verify users against GCP APIs. If not specified, will use application default credentials`, + DisplayName: "Credentials", }, "google_certs_endpoint": { Type: framework.TypeString, Description: ` Deprecated. This field does nothing and be removed in a future release`, + Deprecated: true, }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go index 5019cbd603de..2f13db15f936 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go @@ -4,6 +4,7 @@ import ( "crypto/tls" "crypto/x509" "errors" + "fmt" "net/http" "context" @@ -33,6 +34,10 @@ func pathConfig(b *jwtAuthBackend) *framework.Path { Type: framework.TypeCommaStringSlice, Description: `A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with "oidc_discovery_url".`, }, + "jwt_supported_algs": { + Type: framework.TypeCommaStringSlice, + Description: `A list of supported signing algorithms. Defaults to RS256.`, + }, "bound_issuer": { Type: framework.TypeString, Description: "The value against which to match the 'iss' claim in a JWT. Optional.", @@ -99,6 +104,7 @@ func (b *jwtAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reques "oidc_discovery_url": config.OIDCDiscoveryURL, "oidc_discovery_ca_pem": config.OIDCDiscoveryCAPEM, "jwt_validation_pubkeys": config.JWTValidationPubKeys, + "jwt_supported_algs": config.JWTSupportedAlgs, "bound_issuer": config.BoundIssuer, }, } 
@@ -111,6 +117,7 @@ func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Reque OIDCDiscoveryURL: d.Get("oidc_discovery_url").(string), OIDCDiscoveryCAPEM: d.Get("oidc_discovery_ca_pem").(string), JWTValidationPubKeys: d.Get("jwt_validation_pubkeys").([]string), + JWTSupportedAlgs: d.Get("jwt_supported_algs").([]string), BoundIssuer: d.Get("bound_issuer").(string), } @@ -133,6 +140,15 @@ func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Reque } } + case len(config.JWTSupportedAlgs) != 0: + for _, a := range config.JWTSupportedAlgs { + switch a { + case oidc.RS256, oidc.RS384, oidc.RS512, oidc.ES256, oidc.ES384, oidc.ES512, oidc.PS256, oidc.PS384, oidc.PS512: + default: + return logical.ErrorResponse(fmt.Sprintf("Invalid supported algorithm: %s", a)), nil + } + } + default: return nil, errors.New("unknown condition") } @@ -182,6 +198,7 @@ type jwtConfig struct { OIDCDiscoveryURL string `json:"oidc_discovery_url"` OIDCDiscoveryCAPEM string `json:"oidc_discovery_ca_pem"` JWTValidationPubKeys []string `json:"jwt_validation_pubkeys"` + JWTSupportedAlgs []string `json:"jwt_supported_algs"` BoundIssuer string `json:"bound_issuer"` ParsedJWTPubKeys []interface{} `json:"-"` diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go index 868fe9d094e4..0b515ab5f376 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go @@ -136,7 +136,8 @@ func (b *jwtAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d } verifier := provider.Verifier(&oidc.Config{ - SkipClientIDCheck: true, + SkipClientIDCheck: true, + SupportedSigningAlgs: config.JWTSupportedAlgs, }) idToken, err := verifier.Verify(ctx, token) 
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock index 1d1007232e85..f6ee0566a5d4 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock +++ b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock @@ -203,7 +203,7 @@ [[projects]] branch = "master" - digest = "1:d00de8725219a569ffbb5dd1042e4ced1f3b5ccee2b07218371f71026cc7609a" + digest = "1:7be65468c591c5e836ec7ff70b6e7665452a6e700d5f0d5bb9edec8aa57b58e2" name = "github.com/hashicorp/vault" packages = [ "api", @@ -214,6 +214,7 @@ "helper/errutil", "helper/hclutil", "helper/jsonutil", + "helper/license", "helper/locksutil", "helper/logging", "helper/mlock", @@ -233,7 +234,7 @@ "version", ] pruneopts = "UT" - revision = "add60e6dc7ff7b94487f3b5b680d00d7c05fe621" + revision = "c0739a0f2367d5fdd20cef502b628e01bdb90470" [[projects]] branch = "master" @@ -275,6 +276,17 @@ revision = "4dadeb3030eda0273a12382bb2348ffc7c9d1a39" version = "v1.0.0" +[[projects]] + digest = "1:c7a5e79396b6eb570159df7a1d487ce5775bf43b7907976fbef6de544ea160ad" + name = "github.com/pierrec/lz4" + packages = [ + ".", + "internal/xxh32", + ] + pruneopts = "UT" + revision = "473cd7ce01a1113208073166464b98819526150e" + version = "v2.0.8" + [[projects]] digest = "1:0e792eea6c96ec55ff302ef33886acbaa5006e900fefe82689e88d96439dcd84" name = "github.com/ryanuber/go-glob" diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go index f10d4b4c7fb3..01f6de36c806 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go 
@@ -22,16 +22,20 @@ func pathConfig(b *kubeAuthBackend) *framework.Path { "kubernetes_host": { Type: framework.TypeString, Description: "Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.", + DisplayName: "Kubernetes Host", }, + "kubernetes_ca_cert": { Type: framework.TypeString, Description: "PEM encoded CA cert for use by the TLS client used to talk with the API.", + DisplayName: "Kubernetes CA Certificate", }, "token_reviewer_jwt": { Type: framework.TypeString, Description: `A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.`, + DisplayName: "Token Reviewer JWT", }, "pem_keys": { Type: framework.TypeCommaStringSlice, @@ -39,6 +43,7 @@ the JWT used for login will be used to access the API.`, used to verify the signatures of kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kuberentes exposes these keys.`, + DisplayName: "Service account verification keys", }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/clients/sts.go b/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/clients/sts.go index 5771417ac93b..210e2566e7ec 100644 --- a/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/clients/sts.go +++ b/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/clients/sts.go @@ -23,9 +23,9 @@ type STSClient struct { client *sts.Client } -func (c *STSClient) AssumeRole(userName, roleARN string) (*sts.AssumeRoleResponse, error) { +func (c *STSClient) AssumeRole(roleSessionName, roleARN string) (*sts.AssumeRoleResponse, error) { assumeRoleReq := sts.CreateAssumeRoleRequest() assumeRoleReq.RoleArn = roleARN - assumeRoleReq.RoleSessionName = userName + assumeRoleReq.RoleSessionName = roleSessionName return c.client.AssumeRole(assumeRoleReq) } 
diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/path_creds.go b/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/path_creds.go index e901a8c8cca1..a2d7330948a7 100644 --- a/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/path_creds.go +++ b/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/path_creds.go @@ -60,7 +60,7 @@ func (b *backend) operationCredsRead(ctx context.Context, req *logical.Request, if err != nil { return nil, err } - assumeRoleResp, err := client.AssumeRole(generateUsername(req.DisplayName, roleName), role.RoleARN) + assumeRoleResp, err := client.AssumeRole(generateRoleSessionName(req.DisplayName, roleName), role.RoleARN) if err != nil { return nil, err } @@ -243,15 +243,24 @@ func (b *backend) operationCredsRead(ctx context.Context, req *logical.Request, // The max length of a username per AliCloud is 64. func generateUsername(displayName, roleName string) string { - username := fmt.Sprintf("%s-%s-", displayName, roleName) + return generateName(displayName, roleName, 64) +} + +// The max length of a role session name per AliCloud is 32. +func generateRoleSessionName(displayName, roleName string) string { + return generateName(displayName, roleName, 32) +} + +func generateName(displayName, roleName string, maxLength int) string { + name := fmt.Sprintf("%s-%s-", displayName, roleName) - // The time and random number take up to 15 more in length, so if the username + // The time and random number take up to 15 more in length, so if the name // is too long we need to trim it. - if len(username) > 49 { - username = username[:49] + if len(name) > maxLength-15 { + name = name[:maxLength-15] } r := rand.New(rand.NewSource(time.Now().UnixNano())) - return fmt.Sprintf("%s%d-%d", username, time.Now().Unix(), r.Intn(10000)) + return fmt.Sprintf("%s%d-%d", name, time.Now().Unix(), r.Intn(10000)) } const pathCredsHelpSyn = ` 
diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-gcpkms/README.md b/vendor/github.com/hashicorp/vault-plugin-secrets-gcpkms/README.md index f32c2cddb0bb..1924eb99156d 100644 --- a/vendor/github.com/hashicorp/vault-plugin-secrets-gcpkms/README.md +++ b/vendor/github.com/hashicorp/vault-plugin-secrets-gcpkms/README.md @@ -84,6 +84,12 @@ instructions are only useful if you want to develop against the plugin.** $ vault secrets enable -path=gcpkms -plugin=vault-plugin-secrets-gcpkms plugin ``` +### Documentation + +The documentation for the plugin lives in the [main Vault +repository](/hashicorp/vault) in the `website/` folder. Please make any +documentation updates as separate Pull Requests against that repo. + ### Tests This plugin has both unit tests and acceptance tests. To run the acceptance diff --git a/vendor/vendor.json b/vendor/vendor.json index f6ddcf764d2d..4b43ec9b71cd 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json @@ -1391,10 +1391,10 @@ "revisionTime": "2018-11-09T18:06:36Z" }, { - "checksumSHA1": "Jj3mz58lSv0dsuXd6bVxGV4759w=", + "checksumSHA1": "UgLfwpXoRLpMOF0rzaj+cRcTtdo=", "path": "github.com/hashicorp/vault-plugin-auth-azure", - "revision": "4c0b46069a2293d5a6ca7506c8d3e0c4a92f3dbc", - "revisionTime": "2018-12-07T23:25:28Z" + "revision": "0af1d040b5b329f41904cadcd96be55179468880", + "revisionTime": "2019-02-01T22:26:32Z" }, { "checksumSHA1": "4Z/niOo76EcP8KpLdSL5GdDcy78=", 
@@ -1403,52 +1403,52 @@ "revisionTime": "2018-08-16T20:11:31Z" }, { - "checksumSHA1": "llLHR3FVdqtuFgjIoL9GNN8zKKI=", + "checksumSHA1": "Nd9aBfL80t7N8B9VVsNBgihA5f4=", "path": "github.com/hashicorp/vault-plugin-auth-gcp/plugin", - "revision": "4d63bbfe6fcf0363a2ea2c273846e88b95d85089", - "revisionTime": "2018-12-10T20:01:33Z" + "revision": "7d4c2101e7d0b61ec9fb0dc3c75d79920c6369c5", + "revisionTime": "2019-02-01T21:54:14Z" }, { - "checksumSHA1": "tt3FtyjXgdBI9Mb43UL4LtOZmAk=", + "checksumSHA1": "6B+p22t7wBR52hepGYd3t1JnDME=", "path": "github.com/hashicorp/vault-plugin-auth-jwt", - "revision": "f428c77917331c1b87dae2dd37016bd1dd4c55da", - "revisionTime": "2018-10-31T19:59:42Z" + "revision": "a608a5ad1c249797e266cb8fcb4eac336aa72bef", + "revisionTime": "2019-01-28T23:42:21Z" }, { - "checksumSHA1": "Ldg2jQeyPrpAupyQq4lRVN+jfFY=", + "checksumSHA1": "NfVgV3CmKXGRsXk1sYVgMMRZ5Zc=", "path": "github.com/hashicorp/vault-plugin-auth-kubernetes", - "revision": "091d9e5d5fabce920533eff31ad778778992a671", - "revisionTime": "2018-11-30T16:25:33Z" + "revision": "db96aa4ab438cbc1cf544cec758d0d16ca4e9681", + "revisionTime": "2019-02-01T22:22:09Z" }, { "checksumSHA1": "PmhyvCKVlEMEP6JO31ozW+CBIiE=", "path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin", - "revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a", - "revisionTime": "2018-11-09T18:28:34Z" + "revision": "4796d99801253c6f10d7d96b968a3204a9a1ead8", + "revisionTime": "2019-01-31T22:24:16Z" }, { "checksumSHA1": "GOxdFElG31lXWgKFG9aqpDcG47M=", "path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/client", - "revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a", - "revisionTime": "2018-11-09T18:28:34Z" + "revision": "4796d99801253c6f10d7d96b968a3204a9a1ead8", + "revisionTime": "2019-01-31T22:24:16Z" }, { "checksumSHA1": "RaH2xTkjaToCk+RoPhap7I66ibo=", "path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/util", - "revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a", - "revisionTime": 
"2018-11-09T18:28:34Z" + "revision": "4796d99801253c6f10d7d96b968a3204a9a1ead8", + "revisionTime": "2019-01-31T22:24:16Z" }, { - "checksumSHA1": "VLXyxS5dEoiWTSFmpMJIz+Pwtmw=", + "checksumSHA1": "l0xVOHA0/SIjNfrmBRbrFvMVOaw=", "path": "github.com/hashicorp/vault-plugin-secrets-alicloud", - "revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d", - "revisionTime": "2018-11-09T18:14:53Z" + "revision": "b0abe36195cb171e673a9f6425df977eff1ef825", + "revisionTime": "2019-01-31T21:18:12Z" }, { - "checksumSHA1": "dqduixICi6NeyLNRCDdw62t1LFU=", + "checksumSHA1": "e96mN6plz/ApctpjvU2kiCumOl0=", "path": "github.com/hashicorp/vault-plugin-secrets-alicloud/clients", - "revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d", - "revisionTime": "2018-11-09T18:14:53Z" + "revision": "b0abe36195cb171e673a9f6425df977eff1ef825", + "revisionTime": "2019-01-31T21:18:12Z" }, { "checksumSHA1": "rgeBhrdLyF2orH3QA/H66ZSSbuo=", @@ -1475,16 +1475,16 @@ "revisionTime": "2018-09-21T17:32:00Z" }, { - "checksumSHA1": "TbPoZQkYZ7Bukdw6U+/GejbaZAs=", + "checksumSHA1": "StwRTX92gyH7iHkyZk4df+dLISM=", "path": "github.com/hashicorp/vault-plugin-secrets-gcpkms", - "revision": "6cd991800a6d7af69b1950ec4cbf402d021a099d", - "revisionTime": "2018-12-12T18:25:53Z" + "revision": "d6b25b0b4a39132ec3c02f19631b6a9bdadef042", + "revisionTime": "2019-01-16T16:49:38Z" }, { "checksumSHA1": "yhUUqN5rbEXnfI8WfGUofXToD+o=", "path": "github.com/hashicorp/vault-plugin-secrets-kv", - "revision": "9dbe04db0e34c9c3c75bedcdb16d8ff78f0c54bd", - "revisionTime": "2018-12-19T17:59:33Z" + "revision": "edbfe287c5d9277cecf2c91c79ffcc34f19d2049", + "revisionTime": "2019-01-15T20:37:47Z" }, { "checksumSHA1": "ldkAQ1CpiAaQ9sti0qIch+UyRsI=", From f25424679bfad0d7deac09a82ef05bea32dbc288 Mon Sep 17 00:00:00 2001 
From: Jeff Mitchell Date: Tue, 12 Feb 2019 08:55:58 -0500 Subject: [PATCH 02/21] Bump versions for release --- CHANGELOG.md | 2 +- terraform/aws/variables.tf | 2 +- version/version_base.go | 2 +- website/config.rb | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index de92860cc1de..7e77715ad9ec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -## Next +## 1.0.3 (February 12th, 2019) CHANGES: diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf index 64ffc78b6215..ece9cc78df3d 100644 --- a/terraform/aws/variables.tf +++ b/terraform/aws/variables.tf @@ -3,7 +3,7 @@ //------------------------------------------------------------------- variable "download-url" { - default = "https://releases.hashicorp.com/vault/1.0.2/vault_1.0.2_linux_amd64.zip" + default = "https://releases.hashicorp.com/vault/1.0.3/vault_1.0.3_linux_amd64.zip" description = "URL to download Vault" } diff --git a/version/version_base.go b/version/version_base.go index 9fe8ab27fc54..1b566a634337 100644 --- a/version/version_base.go +++ b/version/version_base.go @@ -2,7 +2,7 @@ package version func init() { // The main version number that is being run at the moment. - Version = "1.0.2" + Version = "1.0.3" // A pre-release marker for the version. If this is "" (empty string) // then it means that it is a final release. Otherwise, this is a pre-release diff --git a/website/config.rb b/website/config.rb index 697dbc206fde..bdc8a4a9a7c3 100644 --- a/website/config.rb +++ b/website/config.rb @@ -6,7 +6,7 @@ activate :hashicorp do |h| h.name = "vault" - h.version = "1.0.2" + h.version = "1.0.3" h.github_slug = "hashicorp/vault" h.website_root = "website" h.releases_enabled = true From 85909e3373aa743c34a6a0ab59131f61fd9e8e43 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Tue, 12 Feb 2019 09:05:52 -0500 Subject: [PATCH 03/21] Cut version 1.0.3 From 04d05896c026a66507ad9bd18f2d7eb20ebf58da Mon Sep 17 00:00:00 2001 
From: Brian Kassouf Date: Tue, 12 Feb 2019 10:52:23 -0800 Subject: [PATCH 04/21] changelog++ --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7e77715ad9ec..decf7d06f56f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,11 @@ CHANGES: entity either by name or by id [GH-6105] * The Vault UI's navigation and onboarding wizard now only displays items that are permitted in a users' policy [GH-5980, GH-6094] + * An issue was fixed that caused recovery keys to not work on secondary + clusters when using a different unseal mechanism/key than the primary. This + would be hit if the cluster was rekeyed or initalized after 1.0. We recomend + rekeying the recovery keys on the primary cluster if you meet the above + requirements. FEATURES: @@ -47,6 +52,8 @@ BUG FIXES: a performance standby very quickly, before an associated entity has been replicated. If the entity is not found in this scenario, the request will forward to the active node. + * replication: Fix issue where recovery keys would not work on secondary + clusters if using a different unseal mechanism than the primary. * replication: Fix a "failed to register lease" error when using performance standbys * storage/postgresql: The `Get` method will now return an Entry object with From 144e2001112f16bba3546d55abd20e8e534ba4ab Mon Sep 17 00:00:00 2001 From: Brian Kassouf Date: Tue, 12 Feb 2019 11:15:21 -0800 Subject: [PATCH 05/21] changelog++ --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index decf7d06f56f..4dcb052e45e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -11,7 +11,7 @@ CHANGES: are permitted in a users' policy [GH-5980, GH-6094] * An issue was fixed that caused recovery keys to not work on secondary clusters when using a different unseal mechanism/key than the primary. This - would be hit if the cluster was rekeyed or initalized after 1.0. We recomend + would be hit if the cluster was rekeyed or initialized after 1.0. We recommend rekeying the recovery keys on the primary cluster if you meet the above requirements. From 2cc38dd25e34420f498e0f7ab53a95a084372db0 Mon Sep 17 00:00:00 2001 From: vishalnayak Date: Tue, 12 Feb 2019 14:27:17 -0500 Subject: [PATCH 06/21] Update transit docs --- website/source/docs/secrets/transit/index.html.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/website/source/docs/secrets/transit/index.html.md b/website/source/docs/secrets/transit/index.html.md index 7bf6998fe7f5..881bac6253f2 100644 --- a/website/source/docs/secrets/transit/index.html.md +++ b/website/source/docs/secrets/transit/index.html.md 
@@ -32,13 +32,14 @@ disabled to accommodate auditing requirements. ## Working Set Management -This secrets engine does not currently delete keys. Keys that are out of the -working set (earlier than a key's specified `min_decryption_version` are -instead archived. This is a performance consideration to keep key loading fast, -as well as a security consideration: by disallowing decryption of old versions -of keys, found ciphertext corresponding to obsolete (but sensitive) data can -not be decrypted by most users, but in an emergency the -`min_decryption_version` can be moved back to allow for legitimate decryption. +The Transit engine supports versioning of keys. Key versions that are earlier +than a key's specified `min_decryption_version` gets archived, and the rest of +the key versions belong to the working set. This is a performance consideration +to keep key loading fast, as well as a security consideration: by disallowing +decryption of old versions of keys, found ciphertext corresponding to obsolete +(but sensitive) data can not be decrypted by most users, but in an emergency +the `min_decryption_version` can be moved back to allow for legitimate +decryption. Currently this archive is stored in a single storage entry. With some storage backends, notably those using Raft or Paxos for HA capabilities, frequent From b275f2a1e6d74400bb3cf702d1e03c90d31624cb Mon Sep 17 00:00:00 2001 From: dominic Date: Tue, 12 Feb 2019 16:47:17 -0700 Subject: [PATCH 07/21] Add trailing slash for example in Vault Consul Storage Backend documentation. Fixes [issue 6171] --- website/source/docs/configuration/storage/consul.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/configuration/storage/consul.html.md b/website/source/docs/configuration/storage/consul.html.md index 213182267e4d..c2d275070b1b 100644 --- a/website/source/docs/configuration/storage/consul.html.md +++ b/website/source/docs/configuration/storage/consul.html.md 
@@ -25,7 +25,7 @@ check. ```hcl storage "consul" { address = "127.0.0.1:8500" - path = "vault" + path = "vault/" } ``` From 7a380c71e30eeda3d71c7c82c9ca1d09f3b55434 Mon Sep 17 00:00:00 2001 From: dominic Date: Tue, 12 Feb 2019 16:49:34 -0700 Subject: [PATCH 08/21] Revert "Add trailing slash for example in Vault Consul Storage Backend documentation. Fixes [issue 6171]" This reverts commit b275f2a1e6d74400bb3cf702d1e03c90d31624cb. Pushed to master, my apologies. Will do proper PR for this. --- website/source/docs/configuration/storage/consul.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/configuration/storage/consul.html.md b/website/source/docs/configuration/storage/consul.html.md index c2d275070b1b..213182267e4d 100644 --- a/website/source/docs/configuration/storage/consul.html.md +++ b/website/source/docs/configuration/storage/consul.html.md @@ -25,7 +25,7 @@ check. ```hcl storage "consul" { address = "127.0.0.1:8500" - path = "vault/" + path = "vault" } ``` From 7726fdd1aaf7848dc5af9d4867e76bd1588f7bac Mon Sep 17 00:00:00 2001 From: dp-h Date: Tue, 12 Feb 2019 17:05:31 -0700 Subject: [PATCH 09/21] Add trailing slash for example in Vault Consul Storage Backend documentation. Fixes [issue 6171] --- website/source/docs/configuration/storage/consul.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/configuration/storage/consul.html.md b/website/source/docs/configuration/storage/consul.html.md index 213182267e4d..c2d275070b1b 100644 --- a/website/source/docs/configuration/storage/consul.html.md +++ b/website/source/docs/configuration/storage/consul.html.md @@ -25,7 +25,7 @@ check. ```hcl storage "consul" { address = "127.0.0.1:8500" - path = "vault" + path = "vault/" } ``` From a4b63b5187c10f23958f88c8fa78ffe64ee4ae65 Mon Sep 17 00:00:00 2001 
From: Brian Shumate Date: Wed, 13 Feb 2019 09:27:05 -0500 Subject: [PATCH 10/21] Update configuration/listener documentation (#6228) - Clarify that PROXY protocol version 1 is currently supported - Add missing backtick to fix formatting issue --- website/source/docs/configuration/listener/tcp.html.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/source/docs/configuration/listener/tcp.html.md b/website/source/docs/configuration/listener/tcp.html.md index b75efb76337c..e301ece6a99a 100644 --- a/website/source/docs/configuration/listener/tcp.html.md +++ b/website/source/docs/configuration/listener/tcp.html.md @@ -43,8 +43,8 @@ advertise the correct address to other nodes. request duration allowed before Vault cancels the request. This overrides `default_max_request_duration` for this listener. -- `proxy_protocol_behavior` `(string: "") – When specified, turns on the PROXY - protocol for the listener. +- `proxy_protocol_behavior` `(string: "")` – When specified, enables a PROXY + protocol version 1 behavior for the listener. Accepted Values: - *use_always* - The client's IP address will always be used. - *allow_authorized* - If the source IP address is in the From b62e3078761a86a7d65fe0c0343878d8e0ea075c Mon Sep 17 00:00:00 2001 From: Becca Petrin Date: Wed, 13 Feb 2019 06:28:28 -0800 Subject: [PATCH 11/21] add readme on mssql testing (#6199) --- plugins/database/mssql/README.md | 24 ++++++++++++++++++++++++ plugins/database/mssql/mssql_test.go | 8 ++++---- 2 files changed, 28 insertions(+), 4 deletions(-) create mode 100644 plugins/database/mssql/README.md diff --git a/plugins/database/mssql/README.md b/plugins/database/mssql/README.md new file mode 100644 index 000000000000..a6d60dd2a38f --- /dev/null +++ b/plugins/database/mssql/README.md 
@@ -0,0 +1,24 @@ +# Testing + +To run these tests, first start MSSQL in Docker. Please do make sure to view the EULA before +accepting it as it includes limits on the number of users per company who can be using the +image, and how it can be used in testing. + +``` +sudo docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=' \ + -p 1433:1433 --name sql1 \ + -d mcr.microsoft.com/mssql/server:2017-latest +``` + +Then use the following env variables for testing: + +``` +export VAULT_ACC=1 +export MSSQL_URL="sqlserver://SA:%3CYourStrong%21Passw0rd%3E@localhost:1433" +``` + +Note that the SA password passed into the Docker container differs from the one passed into the tests. +It's the same password, but Go's libraries require it to be percent encoded. + +Running all the tests at once against one Docker container will likely fail because they interact with +each other. Consider running one test at a time. diff --git a/plugins/database/mssql/mssql_test.go b/plugins/database/mssql/mssql_test.go index 1c96c53e2b38..e48f903a973b 100644 --- a/plugins/database/mssql/mssql_test.go +++ b/plugins/database/mssql/mssql_test.go @@ -14,7 +14,7 @@ import ( func TestMSSQL_Initialize(t *testing.T) { if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" { - return + t.SkipNow() } connURL := os.Getenv("MSSQL_URL") @@ -51,7 +51,7 @@ func TestMSSQL_Initialize(t *testing.T) { func TestMSSQL_CreateUser(t *testing.T) { if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" { - return + t.SkipNow() } connURL := os.Getenv("MSSQL_URL") @@ -92,7 +92,7 @@ func TestMSSQL_CreateUser(t *testing.T) { func TestMSSQL_RotateRootCredentials(t *testing.T) { if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" { - return + t.SkipNow() } connURL := os.Getenv("MSSQL_URL") 
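Review bot: `t.SkipNow()` records no reason, so a run without `MSSQL_URL` or `VAULT_ACC=1` reports skipped tests with nothing to say why; `t.Skip("MSSQL_URL not set or VAULT_ACC != 1; skipping acceptance test")` would make the output self-explanatory. The same guard is repeated in TestMSSQL_Initialize, TestMSSQL_CreateUser, TestMSSQL_RotateRootCredentials and, in the next hunk, TestMSSQL_RevokeUser, so a small helper taking `t` would keep the four copies in sync. Each test body continues outside its hunk. Since `MSSQL_URL` embeds the SA password, it is worth confirming that failure messages in the unseen parts of these tests never print `connURL`.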
@@ -131,7 +131,7 @@ func TestMSSQL_RotateRootCredentials(t *testing.T) { func TestMSSQL_RevokeUser(t *testing.T) { if os.Getenv("MSSQL_URL") == "" || os.Getenv("VAULT_ACC") != "1" { - return + t.SkipNow() } connURL := os.Getenv("MSSQL_URL") From fa13c45e7cafe108884f2eee77658ab52c3d30b3 Mon Sep 17 00:00:00 2001 From: Matthew Irish Date: Wed, 13 Feb 2019 08:34:38 -0600 Subject: [PATCH 12/21] update to node v10 for all of the things (#6218) * update to node v10 for all of the things * combine apt-get commands --- scripts/cross/Dockerfile | 8 +++++--- ui/.nvmrc | 2 +- ui/scripts/start-vault.js | 5 ++++- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/scripts/cross/Dockerfile b/scripts/cross/Dockerfile index 968c0f01a1a2..997343b04845 100644 --- a/scripts/cross/Dockerfile +++ b/scripts/cross/Dockerfile @@ -12,12 +12,14 @@ RUN apt-get update -y && apt-get install --no-install-recommends -y -q \ libltdl-dev \ libltdl7 -RUN curl -sL https://deb.nodesource.com/setup_8.x | bash - -RUN apt-get install -y nodejs npm +RUN curl -sL https://deb.nodesource.com/setup_10.x | bash - +RUN curl -sL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - +RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list + +RUN apt-get update -y && apt-get install nodejs yarn=1.12.1-1 RUN rm -rf /var/lib/apt/lists/* -RUN npm install -g yarn@1.12.1 ENV GOVERSION 1.11.5 RUN mkdir /goroot && mkdir /gopath diff --git a/ui/.nvmrc b/ui/.nvmrc index 368fe859d733..e338b86593fa 100644 --- a/ui/.nvmrc +++ b/ui/.nvmrc @@ -1 +1 @@ -v8.12.0 +v10 diff --git a/ui/scripts/start-vault.js b/ui/scripts/start-vault.js index 25479512bb0a..de2c2f8d61fa 100755 --- a/ui/scripts/start-vault.js +++ b/ui/scripts/start-vault.js @@ -71,4 +71,7 @@ process.on('exit', function() { vault.kill('SIGINT'); }); -fs.writeFile(pidFile, process.pid); +fs.writeFile(pidFile, process.pid, (err) => { + if (err) throw err; + console.log('The file has been saved!'); +}); 
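Review bot: The added `apt-get install nodejs yarn=1.12.1-1` has no `-y`, so in a non-interactive `docker build` apt may stop at its confirmation prompt and abort when extra packages have to be pulled in. The earlier install in this file passes `--no-install-recommends -y -q`, and this line should match: `RUN apt-get update -y && apt-get install --no-install-recommends -y -q nodejs yarn=1.12.1-1`. The `curl -sL … | bash -` and `curl -sL … | apt-key add -` lines execute or trust whatever the remote host returns at build time, and without `-f` an HTTP error body is piped onward. Using `curl -fsSL` and comparing the downloaded key's fingerprint with a value pinned in the repository would make the build fail closed. The first `RUN` instruction begins outside the hunk.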
From 57c9a9de428dcdf0e1078bcd1928b182feacc720 Mon Sep 17 00:00:00 2001 From: Varsha Varadarajan Date: Wed, 13 Feb 2019 06:39:09 -0800 Subject: [PATCH 13/21] Update the readme with information on how to compile the dev version of vault with UI. (#6045) --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index 1ab507bfedf0..ccfa8a165baf 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,16 @@ $ bin/vault ... ``` +To compile a development version of Vault with the UI, run `make static-dist dev-ui`. This will +put the Vault binary in the `bin` and `$GOPATH/bin` folders: + +```sh +$ make static-dist dev-ui +... +$ bin/vault +... +``` + To run tests, type `make test`. Note: this requires Docker to be installed. If this exits with exit status 0, then everything is working! From 2f60669541a64a8884a471edf0fbef38156ec92d Mon Sep 17 00:00:00 2001 From: Dan Brown Date: Wed, 13 Feb 2019 15:06:54 +0000 Subject: [PATCH 14/21] Docs EA update 1.0 (#6219) * Confirm RA against Vault 1.0 Change product_version frontmatter to ea_version and increase to 1.0 * Update frontmatter key Change product_version frontmatter to ea_version --- website/source/guides/operations/deployment-guide.html.md | 4 ++-- .../source/guides/operations/reference-architecture.html.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/website/source/guides/operations/deployment-guide.html.md b/website/source/guides/operations/deployment-guide.html.md index 781536411af7..95108798aa3b 100644 --- a/website/source/guides/operations/deployment-guide.html.md +++ b/website/source/guides/operations/deployment-guide.html.md @@ -5,8 +5,8 @@ sidebar_current: "guides-operations-deployment-guide" description: |- This deployment guide covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the - Vault Reference Architecture -product_version: 1.0 + Vault Reference Architecture. +ea_version: 1.0 --- # Vault Deployment Guide 
diff --git a/website/source/guides/operations/reference-architecture.html.md b/website/source/guides/operations/reference-architecture.html.md index ff47b4758384..b914a0408cb8 100644 --- a/website/source/guides/operations/reference-architecture.html.md +++ b/website/source/guides/operations/reference-architecture.html.md @@ -6,7 +6,7 @@ sidebar_current: "guides-operations-reference-architecture" description: |- This guide provides guidance in the best practices of Vault implementations through use of a reference architecture. -product_version: 0.11 +ea_version: 1.0 --- # Vault Reference Architecture From 5d444354923ab54c8207f8c8820cfe78c1572656 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Wed, 13 Feb 2019 13:06:11 -0500 Subject: [PATCH 15/21] changelog++ --- CHANGELOG.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4dcb052e45e7..97fc5d9f588b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,8 +3,9 @@ CHANGES: * New AWS authentication plugin mounts will default to using the generated - role ID as the Identity alias name. This applies to both EC2 and IAM auth. - Existing mounts will not be affected. + role ID as the Identity alias name. This applies to both EC2 and IAM auth. + Existing mounts that explicitly set this value will not be affected but + mounts that specified no preference will switch over on upgrade. * The default policy now allows a token to look up its associated identity entity either by name or by id [GH-6105] * The Vault UI's navigation and onboarding wizard now only displays items that From b9373b07d70b1cfefab831f10ad8952f2d0e66b4 Mon Sep 17 00:00:00 2001 From: Martin Date: Thu, 14 Feb 2019 21:57:20 +0100 Subject: [PATCH 16/21] Avoid panic at login when external group has a nil alias (#6230) --- vault/identity_store_util.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/vault/identity_store_util.go b/vault/identity_store_util.go index 56956a482d46..ecac90ba56e4 100644 --- a/vault/identity_store_util.go +++ b/vault/identity_store_util.go @@ -1868,7 +1868,7 @@ func (i *IdentityStore) refreshExternalGroupMembershipsByEntityID(entityID strin // If the external group is from a different mount, don't remove the // entity ID from it. - if mountAccessor != "" && group.Alias.MountAccessor != mountAccessor { + if mountAccessor != "" && group.Alias != nil && group.Alias.MountAccessor != mountAccessor { continue } From a15bbee8f9ad814d12998fa2076d5113ba5f26ab Mon Sep 17 00:00:00 2001 From: Noelle Daley Date: Thu, 14 Feb 2019 15:11:43 -0800 Subject: [PATCH 17/21] throw an error when starting vault if one occurs (#6235) * throw an error when starting vault if one occurs * use node 10 * do not use shorthand --- .travis.yml | 4 ++-- ui/scripts/start-vault.js | 7 +++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index d05c73505e6e..13bcc38a8a21 100644 --- a/.travis.yml +++ b/.travis.yml @@ -27,8 +27,8 @@ cache: - ui/node_modules before_install: - - nvm install 8 - - nvm use 8 + - nvm install 10 + - nvm use 10 - curl -o- -L https://yarnpkg.com/install.sh | bash -s -- --version 1.12.1 - export PATH="$HOME/.yarn/bin:$PATH" diff --git a/ui/scripts/start-vault.js b/ui/scripts/start-vault.js index de2c2f8d61fa..74b5bdbd839c 100755 --- a/ui/scripts/start-vault.js +++ b/ui/scripts/start-vault.js @@ -42,7 +42,10 @@ readline if (root && unseal) { fs.writeFile( path.join(process.cwd(), 'tests/helpers/vault-keys.js'), - `export default ${JSON.stringify({ unseal, root }, null, 2)}` + `export default ${JSON.stringify({ unseal, root }, null, 2)}`, + err => { + if (err) throw err; + } ); console.log('VAULT SERVER READY'); 
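Review bot: With the added `group.Alias != nil` term, an external group whose alias is nil no longer reaches `continue` when `mountAccessor` is set, so it falls through to whatever follows the `if`. Going by the comment above it, that is presumably the step that removes the entity ID from the group, which would drop membership in a group whose mount cannot be determined. If such groups should be left untouched, the guard would read `if mountAccessor != "" && (group.Alias == nil || group.Alias.MountAccessor != mountAccessor) {`. If removal is intended, a comment saying so and a test that logs in with a nil-alias external group would pin the behaviour. The rest of the loop body and of refreshExternalGroupMembershipsByEntityID lies outside the hunk.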
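Review bot: `console.log('VAULT SERVER READY')` still runs immediately after `fs.writeFile` is started, so if anything waits on that line it can read `tests/helpers/vault-keys.js` before the write has finished, or before the new callback has thrown. Moving the log into the callback (`if (err) throw err; console.log('VAULT SERVER READY');`) or switching to `fs.writeFileSync` would tie the signal to a completed write. The file holds the root token and unseal key, so passing `{ mode: 0o600 }` as the options argument would keep a newly created file readable by the owning user only. The enclosing `if (root && unseal)` block closes outside the hunk.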
@@ -71,7 +74,7 @@ process.on('exit', function() { vault.kill('SIGINT'); }); -fs.writeFile(pidFile, process.pid, (err) => { +fs.writeFile(pidFile, process.pid, err => { if (err) throw err; console.log('The file has been saved!'); }); From e7e901ed278e65ccb10fa5523454b57271f2f73b Mon Sep 17 00:00:00 2001 From: Jim Kalafut Date: Thu, 14 Feb 2019 22:39:02 -0800 Subject: [PATCH 18/21] changelog++ --- CHANGELOG.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 97fc5d9f588b..d04c1af8095b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,25 @@ +## Next + +CHANGES: + + * auth/jwt: The `groups_claim_delimiter_pattern` has been removed. If the groups + claim is not at the top level, it can now be specified as a + [JSONPointer](https://tools.ietf.org/html/rfc6901). + * auth/jwt: Roles now have a "role type" parameter with a default type of "oidc". To + configure new JWT roles, a role type of "jwt" must be explicitly specified. + +IMPROVEMENTS: + + * auth/jwt: A default role may be set. It will be used during JWT/OIDC logins if + a role is not specified. + * auth/jwt: Arbitrary claims data may now be copied into token & alias metadata. + +FEATURES: + + * **OIDC Support**: The JWT auth backend now supports OIDC roles. These allow + authentication via an OIDC-compliant provider via the user's browser. The + login may be initiatated from the Vault UI or through the `vault login` command. + ## 1.0.3 (February 12th, 2019) CHANGES: From 740ea0ff38bccf8438bcafce103aef4e0f4bd4e8 Mon Sep 17 00:00:00 2001 From: Jim Kalafut Date: Fri, 15 Feb 2019 07:15:56 -0800 Subject: [PATCH 19/21] changelog++ --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d04c1af8095b..ff42773bb218 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -13,7 +13,8 @@ IMPROVEMENTS: * auth/jwt: A default role may be set. It will be used during JWT/OIDC logins if a role is not specified. * auth/jwt: Arbitrary claims data may now be copied into token & alias metadata. - + * auth/jwt: An arbitrary set of bound claims may now be configured for a role. + FEATURES: * **OIDC Support**: The JWT auth backend now supports OIDC roles. These allow From 2629b6bc11451ea3f0822b09d601b8793a3497d7 Mon Sep 17 00:00:00 2001 From: Jim Kalafut Date: Fri, 15 Feb 2019 08:28:42 -0800 Subject: [PATCH 20/21] changelog++ --- CHANGELOG.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ff42773bb218..e73a8d2567bb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,10 +10,12 @@ CHANGES: IMPROVEMENTS: - * auth/jwt: A default role may be set. It will be used during JWT/OIDC logins if + * auth/jwt: A default role can be set. It will be used during JWT/OIDC logins if a role is not specified. - * auth/jwt: Arbitrary claims data may now be copied into token & alias metadata. - * auth/jwt: An arbitrary set of bound claims may now be configured for a role. + * auth/jwt: Arbitrary claims data can now be copied into token & alias metadata. + * auth/jwt: An arbitrary set of bound claims can now be configured for a role. + * auth/jwt: The name "oidc" has been added as an alias for the jwt backend. Either + name may be specified in the `auth enable` command. FEATURES: From 724f5a2268307ee74caf8fea1b8e21b00e7bcad5 Mon Sep 17 00:00:00 2001 From: Martin Date: Mon, 18 Feb 2019 19:05:04 +0100 Subject: [PATCH 21/21] typo in pathsToRadix doc (#6253) --- vault/router.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/vault/router.go b/vault/router.go index 423b824bc709..e0b4bec06e81 100644 --- a/vault/router.go +++ b/vault/router.go 
@@ -784,8 +784,7 @@ func (r *Router) LoginPath(ctx context.Context, path string) bool { return match == remain } -// pathsToRadix converts a the mapping of special paths to a mapping -// of special paths to radix trees. +// pathsToRadix converts a list of special paths to a radix tree. func pathsToRadix(paths []string) *radix.Tree { tree := radix.New() for _, path := range paths {