Merge branch 'master' into b-website-fix-k8s-config-link

* master: (34 commits) Use Shamir as KeK when migrating from auto-seal to shamir (#8172) changelog++ ssh backend: support at character in role name (#8038) Fix typo in YAML markup (#8194) Fix typo (#8192) Fix k8s injector examples (#8179) update dependencies, patch nextjs config (#8184) Strip unnecessary payload in AD root cred rotation example (#8160) New Website! (#8154) Update CHANGELOG.md changelog++ Fix panic when listener fails to startup (#8174) Create network layer abstraction to allow in-memory cluster traffic (#8173) Update test var name and tidy Factor out mysqlhelper so we can create mysql docker containers in other tests. (#8167) changelog++ changelog++ Pull wrapping creation to a var (#8137) ldap, okta: fix renewal when login policies are empty (#8072) Update CHANGELOG.md ...
hashicorp · Jan 21, 2020 · 78ac661 · 78ac661
2 parents dcbc4fb + eb5fba1
commit 78ac661
Show file tree

Hide file tree

Showing 1,416 changed files with 109,905 additions and 106,124 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.circleci/config/@config.yml b/.circleci/config/@config.yml
@@ -36,6 +36,8 @@ executors:
   node:
     docker:
       - image: *NODE_IMAGE
+        environment:
+            JOBS: 2
     shell: /usr/bin/env bash -euo pipefail -c
     working_directory: /go/src/github.com/hashicorp/vault
   python:

diff --git a/.circleci/config/jobs/website-docker-image.yml b/.circleci/config/jobs/website-docker-image.yml
@@ -0,0 +1,22 @@
+docker:
+  - image: circleci/buildpack-deps
+shell: /usr/bin/env bash -euo pipefail -c
+steps:
+  - checkout
+  - setup_remote_docker
+  - run:
+      name: Diff package-lock.json
+      command: |
+        echo 'export PACKAGE_LOCK_CHANGED=$(git diff --name-only $(git log --pretty=format:'%h' -n1 HEAD~1)...HEAD | grep -c website/package-lock.json)' >> $BASH_ENV
+  - run:
+      name: Build Docker Image if Necessary
+      command: |
+        if [ "$CIRCLE_BRANCH" = "master" ] && [ $PACKAGE_LOCK_CHANGED -gt 0 ]; then
+          cd website/
+          docker build -t hashicorp/vault-website:$CIRCLE_SHA1 .
+          docker tag hashicorp/vault-website:$CIRCLE_SHA1 hashicorp/vault-website:latest
+          docker login -u $DOCKER_USER -p $DOCKER_PASS
+          docker push hashicorp/vault-website
+        else
+          echo "Not building a new website docker image - branch is not master and/or dependencies have not changed."
+        fi
diff --git a/.circleci/config/workflows/ci.yml b/.circleci/config/workflows/ci.yml
@@ -15,12 +15,13 @@ jobs:
         - install-ui-dependencies
         - build-go-dev
       filters:
-          branches:
-            # Forked pull requests have CIRCLE_BRANCH set to pull/XXX
-            ignore: /pull\/[0-9]+/
+        branches:
+          # Forked pull requests have CIRCLE_BRANCH set to pull/XXX
+          ignore: /pull\/[0-9]+/
   - test-go:
       requires:
         - build-go-dev
   - test-go-race:
       requires:
         - build-go-dev
+  - website-docker-image
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,27 +2,47 @@
 
 IMPROVEMENTS:
 
-* auth/azure: Fix Azure compute client to use correct base URL [AZURE-27]
 * auth/jwt: Additional OIDC callback parameters available for CLI logins [JWT-80 & JWT-86]
 * auth/jwt: Bound claims may be optionally configured using globs [JWT-89]
 * core: Separate out service discovery interface from storage interface to allow
   new types of service discovery not coupled to storage [GH-7887]
 * cli: Incorrect TLS configuration will now correctly fail [GH-8025] 
 * secrets/gcp: Allow specifying the TTL for a service key [GCP-54]
 * secrets/gcp: Add support for rotating root keys [GCP-53]
+* secrets/nomad: Add support to specify TLS options per Nomad backend [GH-8083]
+* storage/raft: Nodes in the raft cluster can all be given possible leader
+  addresses for them to continuously try and join one of them, thus automating
+  the process of join to a greater extent [GH-7856]
 
 BUG FIXES:
 
-* plugin: Fix issue where a plugin unwrap request potentially used an expired token [GH-8058]
-* secrets/database: Fix issue where a manual static role rotation could potentially panic [GH-8098]
-* secrets/database/mysql: Fix issue where special characters for a MySQL password were encoded [GH-8040]
 * ui: Update headless Chrome flag to fix `yarn run test:oss` [GH-8035]
-* ui: Change `.box-radio` height to min-height to prevent overflow issues [GH-8065]
 
 ## 1.3.2 (Unreleased)
 
+IMPROVEMENTS:
+ * auth/aws: Add aws metadata to identity alias [GH-7975]
+
 BUG FIXES:
+
+* auth/azure: Fix Azure compute client to use correct base URL [AZURE-27]
+* auth/ldap: Fix renewal of tokens without cofigured policies that are 
+  generated by an LDAP login [GH-8072]
+* auth/okta: Fix renewal of tokens without configured policies that are 
+  generated by an Okta login [GH-8072]
+* plugin: Fix issue where a plugin unwrap request potentially used an expired token [GH-8058]
+* replication: Fix issue where a forwarded request from a performance/standby node could run in 
+  a timeout 
+* secrets/database: Fix issue where a manual static role rotation could potentially panic [GH-8098]
+* secrets/database: Fix issue where a manual root credential rotation request is not forwarded
+  to the primary node [GH-8125]
+* secrets/database: Fix issue where a manual static role rotation request is not forwarded
+  to the primary node [GH-8126]
+* secrets/database/mysql: Fix issue where special characters for a MySQL password were encoded [GH-8040]
 * ui: Fix deleting namespaces [GH-8132]
+* ui: Fix Error handler on kv-secret edit and kv-secret view pages [GH-8133]
+* ui: Fix OIDC callback to check storage [GH-7929].
+* ui: Change `.box-radio` height to min-height to prevent overflow issues [GH-8065]
 
 ## 1.3.1 (December 18th, 2019)
 

diff --git a/builtin/credential/aws/cli.go b/builtin/credential/aws/cli.go
@@ -13,6 +13,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/sdk/helper/awsutil"
 )
@@ -40,7 +41,8 @@ func GenerateLoginData(creds *credentials.Credentials, headerValue, configuredRe
 	// Use the credentials we've found to construct an STS session
 	region, err := awsutil.GetRegion(configuredRegion)
 	if err != nil {
-		return nil, err
+		hclog.Default().Warn(fmt.Sprintf("defaulting region to %q due to %s", awsutil.DefaultRegion, err.Error()))
+		region = awsutil.DefaultRegion
 	}
 	stsSession, err := session.NewSessionWithOptions(session.Options{
 		Config: aws.Config{

diff --git a/builtin/credential/ldap/path_login.go b/builtin/credential/ldap/path_login.go
@@ -133,9 +133,10 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
 	password := req.Auth.InternalData["password"].(string)
 
 	loginPolicies, resp, groupNames, err := b.Login(ctx, req, username, password)
-	if len(loginPolicies) == 0 {
+	if err != nil || (resp != nil && resp.IsError()) {
 		return resp, err
 	}
+
 	finalPolicies := cfg.TokenPolicies
 	if len(loginPolicies) > 0 {
 		finalPolicies = append(finalPolicies, loginPolicies...)

diff --git a/builtin/credential/okta/path_login.go b/builtin/credential/okta/path_login.go
@@ -118,7 +118,7 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
 	}
 
 	loginPolicies, resp, groupNames, err := b.Login(ctx, req, username, password)
-	if len(loginPolicies) == 0 {
+	if err != nil || (resp != nil && resp.IsError()) {
 		return resp, err
 	}
 

diff --git a/builtin/logical/nomad/backend.go b/builtin/logical/nomad/backend.go
@@ -62,6 +62,15 @@ func (b *backend) client(ctx context.Context, s logical.Storage) (*api.Client, e
 		if conf.Token != "" {
 			nomadConf.SecretID = conf.Token
 		}
+		if conf.CACert != "" {
+			nomadConf.TLSConfig.CACertPEM = []byte(conf.CACert)
+		}
+		if conf.ClientCert != "" {
+			nomadConf.TLSConfig.ClientCertPEM = []byte(conf.ClientCert)
+		}
+		if conf.ClientKey != "" {
+			nomadConf.TLSConfig.ClientKeyPEM = []byte(conf.ClientKey)
+		}
 	}
 
 	client, err := api.NewClient(nomadConf)

diff --git a/builtin/logical/nomad/path_config_access.go b/builtin/logical/nomad/path_config_access.go
@@ -28,6 +28,21 @@ func pathConfigAccess(b *backend) *framework.Path {
 				Type:        framework.TypeInt,
 				Description: "Max length for name of generated Nomad tokens",
 			},
+			"ca_cert": &framework.FieldSchema{
+				Type: framework.TypeString,
+				Description: `CA certificate to use when verifying Nomad server certificate,
+must be x509 PEM encoded.`,
+			},
+			"client_cert": &framework.FieldSchema{
+				Type: framework.TypeString,
+				Description: `Client certificate used for Nomad's TLS communication,
+must be x509 PEM encoded and if this is set you need to also set client_key.`,
+			},
+			"client_key": &framework.FieldSchema{
+				Type: framework.TypeString,
+				Description: `Client key used for Nomad's TLS communication,
+must be x509 PEM encoded and if this is set you need to also set client_cert.`,
+			},
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -101,6 +116,18 @@ func (b *backend) pathConfigAccessWrite(ctx context.Context, req *logical.Reques
 	if ok {
 		conf.Token = token.(string)
 	}
+	caCert, ok := data.GetOk("ca_cert")
+	if ok {
+		conf.CACert = caCert.(string)
+	}
+	clientCert, ok := data.GetOk("client_cert")
+	if ok {
+		conf.ClientCert = clientCert.(string)
+	}
+	clientKey, ok := data.GetOk("client_key")
+	if ok {
+		conf.ClientKey = clientKey.(string)
+	}
 
 	conf.MaxTokenNameLength = data.Get("max_token_name_length").(int)
 
@@ -126,4 +153,7 @@ type accessConfig struct {
 	Address            string `json:"address"`
 	Token              string `json:"token"`
 	MaxTokenNameLength int    `json:"max_token_name_length"`
+	CACert             string `json:"ca_cert"`
+	ClientCert         string `json:"client_cert"`
+	ClientKey          string `json:"client_key"`
 }