Merge remote-tracking branch 'oss/master' into type-string-slice

* oss/master:
  Fix azure test round 2
  Fix test for changed Azure
  changelog++
  Add -self flag to token-revoke (#2596)
  Update revoke.html.md (#2604)
  Update to new Azure code after dep update (#2603)
  changelog++
  Added "Domain" configuration parameter to Swift provider to enable V3 authentication (#2554)
  Fix cassandra dep breakage

CHANGELOG.md

@@ -7,14 +7,17 @@ FEATURES:
 
 IMPROVEMENTS:
 
+ * cli/revoke: Add `-self` option to allow revoking the currently active token
+   [GH-2596]
  * secret/pki: Add `no_store` option that allows certificates to be issued
    without being stored. This removes the ability to look up and/or add to a
    CRL but helps with scaling to very large numbers of certificates. [GH-2565]
+ * storage/etcd3: Add `discovery_srv` option to query for SRV records to find
+   servers [GH-2521]
  * storage/s3: Support `max_parallel` option to limit concurrent outstanding
    requests [GH-2466]
  * storage/s3: Use pooled transport for http client [GH-2481]
- * storage/etcd3: Add `discovery_srv` option to query for SRV records to find
-   servers [GH-2521]
+ * storage/swift: Allow domain values for V3 authentication [GH-2554]
 
 BUG FIXES:
 

builtin/logical/cassandra/util.go

@@ -76,7 +76,7 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
 		}
 
 		clusterConfig.SslOpts = &gocql.SslOptions{
-			Config: *tlsConfig,
+			Config: tlsConfig,
 		}
 	}
 

command/token_revoke.go

@@ -15,24 +15,33 @@ type TokenRevokeCommand struct {
 func (c *TokenRevokeCommand) Run(args []string) int {
 	var mode string
 	var accessor bool
+	var self bool
+	var token string
 	flags := c.Meta.FlagSet("token-revoke", meta.FlagSetDefault)
 	flags.BoolVar(&accessor, "accessor", false, "")
+	flags.BoolVar(&self, "self", false, "")
 	flags.StringVar(&mode, "mode", "", "")
 	flags.Usage = func() { c.Ui.Error(c.Help()) }
 	if err := flags.Parse(args); err != nil {
 		return 1
 	}
 
 	args = flags.Args()
-	if len(args) != 1 {
+	switch {
+	case len(args) == 1 && !self:
+		token = args[0]
+	case len(args) != 0 && self:
+		flags.Usage()
+		c.Ui.Error(fmt.Sprintf(
+			"\ntoken-revoke expects no arguments when revoking self"))
+		return 1
+	case len(args) != 1 && !self:
 		flags.Usage()
 		c.Ui.Error(fmt.Sprintf(
-			"\ntoken-revoke expects one argument"))
+			"\ntoken-revoke expects one argument or the 'self' flag"))
 		return 1
 	}
 
-	token := args[0]
-
 	client, err := c.Client()
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf(
@@ -43,14 +52,22 @@ func (c *TokenRevokeCommand) Run(args []string) int {
 	var fn func(string) error
 	// Handle all 6 possible combinations
 	switch {
-	case !accessor && mode == "":
+	case !accessor && self && mode == "":
+		fn = client.Auth().Token().RevokeSelf
+	case !accessor && !self && mode == "":
 		fn = client.Auth().Token().RevokeTree
-	case !accessor && mode == "orphan":
+	case !accessor && !self && mode == "orphan":
 		fn = client.Auth().Token().RevokeOrphan
-	case !accessor && mode == "path":
+	case !accessor && !self && mode == "path":
 		fn = client.Sys().RevokePrefix
-	case accessor && mode == "":
+	case accessor && !self && mode == "":
 		fn = client.Auth().Token().RevokeAccessor
+	case accessor && self:
+		c.Ui.Error("token-revoke cannot be run on self when 'accessor' flag is set")
+		return 1
+	case self && mode != "":
+		c.Ui.Error("token-revoke cannot be run on self when 'mode' flag is set")
+		return 1
 	case accessor && mode == "orphan":
 		c.Ui.Error("token-revoke cannot be run for 'orphan' mode when 'accessor' flag is set")
 		return 1
@@ -110,6 +127,8 @@ Token Options:
                           via '/auth/token/lookup-accessor/<accessor>' endpoint.
                           Accessor is used when there is no access to token ID.
 
+  -self                   A boolean flag, if set, the operation is performed on the currently
+                          authenticated token i.e. lookup-self.
 
   -mode=value             The type of revocation to do. See the documentation
                           above for more information.

physical/azure.go

@@ -12,7 +12,7 @@ import (
 
 	log "github.com/mgutz/logxi/v1"
 
-	"github.com/Azure/azure-sdk-for-go/storage"
+	"github.com/Azure/azure-storage-go"
 	"github.com/armon/go-metrics"
 	"github.com/hashicorp/errwrap"
 )
@@ -59,12 +59,23 @@ func newAzureBackend(conf map[string]string, logger log.Logger) (Backend, error)
 	}
 
 	client, err := storage.NewBasicClient(accountName, accountKey)
-
 	if err != nil {
-		return nil, fmt.Errorf("Failed to create Azure client: %v", err)
+		return nil, fmt.Errorf("failed to create Azure client: %v", err)
 	}
 
-	client.GetBlobService().CreateContainerIfNotExists(container, storage.ContainerAccessTypePrivate)
+	contObj := client.GetBlobService().GetContainerReference(container)
+	created, err := contObj.CreateIfNotExists()
+	if err != nil {
+		return nil, fmt.Errorf("failed to upsert container: %v", err)
+	}
+	if created {
+		err = contObj.SetPermissions(storage.ContainerPermissions{
+			AccessType: storage.ContainerAccessTypePrivate,
+		}, 0, "")
+		if err != nil {
+			return nil, fmt.Errorf("failed to set permissions on newly-created container: %v", err)
+		}
+	}
 
 	maxParStr, ok := conf["max_parallel"]
 	var maxParInt int
@@ -156,7 +167,8 @@ func (a *AzureBackend) List(prefix string) ([]string, error) {
 	a.permitPool.Acquire()
 	defer a.permitPool.Release()
 
-	list, err := a.client.ListBlobs(a.container, storage.ListBlobsParameters{Prefix: prefix})
+	contObj := a.client.GetContainerReference(a.container)
+	list, err := contObj.ListBlobs(storage.ListBlobsParameters{Prefix: prefix})
 
 	if err != nil {
 		// Break early.

physical/azure_test.go

@@ -9,7 +9,7 @@ import (
 	"github.com/hashicorp/vault/helper/logformat"
 	log "github.com/mgutz/logxi/v1"
 
-	"github.com/Azure/azure-sdk-for-go/storage"
+	"github.com/Azure/azure-storage-go"
 )
 
 func TestAzureBackend(t *testing.T) {
@@ -35,7 +35,8 @@ func TestAzureBackend(t *testing.T) {
 	})
 
 	defer func() {
-		cleanupClient.GetBlobService().DeleteContainerIfExists(container)
+		contObj := cleanupClient.GetBlobService().GetContainerReference(container)
+		contObj.DeleteIfExists()
 	}()
 
 	if err != nil {

physical/swift.go

@@ -58,17 +58,36 @@ func newSwiftBackend(conf map[string]string, logger log.Logger) (Backend, error)
 			return nil, fmt.Errorf("missing container")
 		}
 	}
-	tenant := os.Getenv("OS_TENANT_NAME")
-	if tenant == "" {
-		tenant = conf["tenant"]
+	project := os.Getenv("OS_PROJECT_NAME")
+	if project == "" {
+		project = conf["project"]
+
+		if project == "" {
+			// Check for KeyStone naming prior to V3
+			project := os.Getenv("OS_TENANT_NAME")
+			if project == "" {
+				project = conf["tenant"]
+			}
+		}
+	}
+
+	domain := os.Getenv("OS_USER_DOMAIN_NAME")
+	if domain == "" {
+		domain = conf["domain"]
+	}
+	projectDomain := os.Getenv("OS_PROJECT_DOMAIN_NAME")
+	if projectDomain == "" {
+		projectDomain = conf["project-domain"]
 	}
 
 	c := swift.Connection{
-		UserName:  username,
-		ApiKey:    password,
-		AuthUrl:   authUrl,
-		Tenant:    tenant,
-		Transport: cleanhttp.DefaultPooledTransport(),
+		Domain:       domain,
+		UserName:     username,
+		ApiKey:       password,
+		AuthUrl:      authUrl,
+		Tenant:       project,
+		TenantDomain: projectDomain,
+		Transport:    cleanhttp.DefaultPooledTransport(),
 	}
 
 	err := c.Authenticate()

physical/swift_test.go

@@ -21,17 +21,21 @@ func TestSwiftBackend(t *testing.T) {
 	username := os.Getenv("OS_USERNAME")
 	password := os.Getenv("OS_PASSWORD")
 	authUrl := os.Getenv("OS_AUTH_URL")
-	tenant := os.Getenv("OS_TENANT_NAME")
+	project := os.Getenv("OS_PROJECT_NAME")
+	domain := os.Getenv("OS_USER_DOMAIN_NAME")
+	projectDomain := os.Getenv("OS_PROJECT_DOMAIN_NAME")
 
 	ts := time.Now().UnixNano()
 	container := fmt.Sprintf("vault-test-%d", ts)
 
 	cleaner := swift.Connection{
-		UserName:  username,
-		ApiKey:    password,
-		AuthUrl:   authUrl,
-		Tenant:    tenant,
-		Transport: cleanhttp.DefaultPooledTransport(),
+		Domain:       domain,
+		UserName:     username,
+		ApiKey:       password,
+		AuthUrl:      authUrl,
+		Tenant:       project,
+		TenantDomain: projectDomain,
+		Transport:    cleanhttp.DefaultPooledTransport(),
 	}
 
 	err := cleaner.Authenticate()
@@ -63,11 +67,13 @@ func TestSwiftBackend(t *testing.T) {
 	logger := logformat.NewVaultLogger(log.LevelTrace)
 
 	b, err := NewBackend("swift", logger, map[string]string{
-		"username":  username,
-		"password":  password,
-		"container": container,
-		"auth_url":  authUrl,
-		"tenant":    tenant,
+		"username":       username,
+		"password":       password,
+		"container":      container,
+		"auth_url":       authUrl,
+		"project":        project,
+		"domain":         domain,
+		"project-domain": projectDomain,
 	})
 	if err != nil {
 		t.Fatalf("err: %s", err)