-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shamir seals now come in two varieties: legacy and new-style. #7694
Conversation
Shamir is automatically converted to new-style when a rekey operation is performed. All new Vault initializations using Shamir are new-style. New-style Shamir writes an encrypted master key to storage, just like AutoUnseal. The stored master key is encrypted using the shared key that is split via Shamir's algorithm. Thus when unsealing, we take the key fragments given, combine them into a Key-Encryption-Key, and use that to decrypt the master key on disk. Then the master key is used to read the keyring that decrypts the barrier.
vault/core.go
Outdated
@@ -1123,7 +1124,7 @@ func (c *Core) unsealPart(ctx context.Context, seal Seal, key []byte, useRecover | |||
// keys setup, nor 2) seals that support recovery keys but not stored keys. | |||
// If insufficient shares are provided, shamir.Combine will error, and if | |||
// no stored keys are found it will return masterKey as nil. | |||
if seal.StoredKeysSupported() == StoredKeysSupportedGeneric { | |||
if seal.StoredKeysSupported() != StoredKeysNotSupported { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No change needed, just curious if it's possible for this to be anything other than StoredKeysSupportedGeneric
since we only get into this block if the seal supports recovery keys?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, you're right, this is unnecessary. It was a first attempt to fix the problem. Will revert.
@@ -1185,21 +1198,20 @@ func (c *Core) unsealPart(ctx context.Context, seal Seal, key []byte, useRecover | |||
|
|||
// We have recovery keys; we're going to use them as the new | |||
// barrier key. | |||
if err := c.barrier.Rekey(ctx, recoveryKey); err != nil { | |||
return nil, errwrap.Wrapf("error rekeying barrier during migration: {{err}}", err) | |||
err = c.seal.GetAccess().(*shamirseal.ShamirSeal).SetKey(recoveryKey) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you update the comment above?
} | ||
|
||
masterKey = recoveryKey | ||
|
||
case c.seal.RecoveryKeySupported(): | ||
// The new seal will have recovery keys; we set it to the existing | ||
// master key, so barrier key shares -> recovery key shares | ||
if err := c.seal.SetRecoveryKey(ctx, masterKey); err != nil { | ||
if err := c.seal.SetRecoveryKey(ctx, newRecoveryKey); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we are moving from a new style shamir seal to an autoseal should we instead be using the old shared keys as the recovery key? (newRecoveryKey == master key here)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should, yes. When we're migrating in unsealPart, seal
is the migration seal.
So we took the else branch above on line 1146, setting masterKey = recoveredKey
, i.e. the barrier unseal key that was passed in by the user. Then we assigned newRecoveryKey := masterKey
. So from what I can tell we're doing what you suggest, as verified by TestSealMigration.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah okay, you're right. For some reason i thought newRecoveryKey
was being set after we update masterKey
to the stored key.
* master: (41 commits) changelog++ cli: fix json output for namespace list command (#7705) Update CHANGELOG.md Vault Agent Template (#7652) hostutil: disable host info collection on openbsd (#7699) Shamir seals now come in two varieties: legacy and new-style. (#7694) Update Title for AWS Marketplace (#7683) Bump go builder version Fix kv mod import and vendoring Fixing a typo with the sample payload (#7688) Update CHANGELOG.md Enable generated items for more auth methods (#7513) Update OIDC provider doc Update OIDC provider doc (#7693) Create .bundle and set group when running container (#7684) updates vendored api/client.go (#7692) Update circle config logical: remove unneeded error check in handleLogicalInternal (#7691) Update Go version Docs: add examples for when a seal rewrap is useful (#7689) ...
Pkgsrc changes: * Added a patch to cope with fromStatT on NetBSD * Added a patch to cope with docker client default settings (build also on NetBSD) Upstream changes: 1.5.3 (August 27th, 2020) NOTE: All security content from 1.5.2, 1.5.1, 1.4.5, 1.4.4, 1.3.9, 1.3.8, 1.2.6, and 1.2.5 has been made fully open source, and the git tags for 1.5.3, 1.4.6, 1.3.10, and 1.2.7 will build correctly for open source users. BUG FIXES: * auth/aws: Made header handling for IAM authentication more robust * secrets/ssh: Fixed a bug with role option for SSH signing algorithm to allow more than RSA signing ## 1.5.1 CHANGES: * pki: The tidy operation will now remove revoked certificates if the parameter `tidy_revoked_certs` is set to `true`. This will result in certificate entries being immediately removed, as opposed to awaiting until its NotAfter time. Note that this only affects certificates that have been already revoked. [[GH-9609](https://github.com/hashicorp/vault/pull/9609)] IMPROVEMENTS: * auth/jwt: Add support for fetching groups and user information from G Suite during authentication. [[GH-9574](https://github.com/hashicorp/vault/pull/9574)] * secrets/openldap: Add "ad" schema that allows the engine to correctly rotate AD passwords. [[GH-9740](https://github.com/hashicorp/vault/pull/9740)] * ui: Wrap TTL option on transit engine export action is updated to a new component. [[GH-9632](https://github.com/hashicorp/vault/pull/9632)] BUG FIXES: * secrets/gcp: Ensure that the IAM policy version is appropriately set after a roleset's bindings have changed. [[GH-9603](https://github.com/hashicorp/vault/pull/9603)] * replication (enterprise): Fix status API output incorrectly stating replication is in `idle` state. * core: Fix panic when printing over-long info fields at startup [[GH-9681](https://github.com/hashicorp/vault/pull/9681)] ## 1.5.0 ### July 21st, 2020 CHANGES: * storage/raft: The storage configuration now accepts a new `max_entry_size` config that will limit the total size in bytes of any entry committed via raft. It defaults to `"1048576"` (1MiB). [[GH-9027](https://github.com/hashicorp/vault/pull/9027)] * token: Token creation with custom token ID via `id` will no longer allow periods (`.`) as part of the input string. The final generated token value may contain periods, such as the `s.` prefix for service token indication. [[GH-8646](https://github.com/hashicorp/vault/pull/8646/files)] * token: Token renewals will now return token policies within the `token_policies` , identity policies within `identity_policies`, and the full policy set within `policies`. [[GH-8535](https://github.com/hashicorp/vault/pull/8535)] * cubbyhole: Reject reads and writes to an empty ("") path. [[GH-8971](https://github.com/hashicorp/vault/pull/8971)] * core: Remove the addition of newlines to parsed configuration when using integer/boolean values [[GH-8928](https://github.com/hashicorp/vault/pull/8928)] * audit: Token TTL and issue time are now provided in the auth portion of audit logs. [[GH-9091](https://github.com/hashicorp/vault/pull/9091)] IMPROVEMENTS: * audit: Replication status requests are no longer audited. [[GH-8877](https://github.com/hashicorp/vault/pull/8877)] * audit: Added mount_type field to requests and responses. [[GH-9167](https://github.com/hashicorp/vault/pull/9167)] * auth/aws: Add support for Web Identity credentials [[GH-7738](https://github.com/hashicorp/vault/pull/7738)] * auth/jwt: Support users that are members of more than 200 groups on Azure [[GH-120](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/120)] * auth/kubernetes: Allow disabling `iss` validation [[GH-91](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/91)] * core: Add the Go version used to build a Vault binary to the server message output. [[GH-9078](https://github.com/hashicorp/vault/pull/9078)] * core: Added Password Policies for user-configurable password generation [[GH-8637](https://github.com/hashicorp/vault/pull/8637)] * core: New telemetry metrics covering token counts, token creation, KV secret counts, lease creation. [[GH-9239](https://github.com/hashicorp/vault/pull/9239)] [[GH-9250](https://github.com/hashicorp/vault/pull/9250)] [[GH-9244](https://github.com/hashicorp/vault/pull/9244)] [[GH-9052](https://github.com/hashicorp/vault/pull/9052)] * cli: Support reading TLS parameters from file for the `vault operator raft join` command. [[GH-9060](https://github.com/hashicorp/vault/pull/9060)] * plugin: Add SDK method, `Sys.ReloadPlugin`, and CLI command, `vault plugin reload`, for reloading plugins. [[GH-8777](https://github.com/hashicorp/vault/pull/8777)] * plugin (enterprise): Add a scope field to plugin reload, which when global, reloads the plugin anywhere in a cluster. [[GH-9347](https://github.com/hashicorp/vault/pull/9347)] * sdk/framework: Support accepting TypeFloat parameters over the API [[GH-8923](https://github.com/hashicorp/vault/pull/8923)] * secrets/aws: Add iam_groups parameter to role create/update [[GH-8811](https://github.com/hashicorp/vault/pull/8811)] * secrets/database: Add static role rotation for MongoDB Atlas database plugin [[GH-11](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/pull/11)] * secrets/database: Add static role rotation for MSSQL database plugin [[GH-9062](https://github.com/hashicorp/vault/pull/9062)] * secrets/database: Allow InfluxDB to use insecure TLS without cert bundle [[GH-8778](https://github.com/hashicorp/vault/pull/8778)] * secrets/gcp: Support BigQuery dataset ACLs in absence of IAM endpoints [[GH-78](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/78)] * secrets/pki: Allow 3072-bit RSA keys [[GH-8343](https://github.com/hashicorp/vault/pull/8343)] * secrets/ssh: Add a CA-mode role option to specify signing algorithm [[GH-9096](https://github.com/hashicorp/vault/pull/9096)] * secrets/transit: Transit requests that make use of keys now include a new field `key_version` in their responses [[GH-8775](https://github.com/hashicorp/vault/pull/8775)] * secrets/transit: Improving transit batch encrypt and decrypt latencies [[GH-9100](https://github.com/hashicorp/vault/pull/9100)] * sentinel: Add a sentinel config section, and "additional_enabled_modules", a list of Sentinel modules that may be imported in addition to the defaults. * ui: Update TTL picker styling on SSH secret engine [[GH-8891](https://github.com/hashicorp/vault/pull/8891)] * ui: Only render the JWT input field of the Vault login form on mounts configured for JWT auth [[GH-8952](https://github.com/hashicorp/vault/pull/8952)] * cli: Add a new subcommand, `vault monitor`, for tailing server logs in the console. [[GH-8477](https://github.com/hashicorp/vault/pull/8477)] * ui: Add replication dashboards. Improve replication management workflows. [[GH-8705]](https://github.com/hashicorp/vault/pull/8705). BUG FIXES: * agent: Restart template server when it shuts down [[GH-9200](https://github.com/hashicorp/vault/pull/9200)] * auth/oci: Fix issue where users of the Oracle Cloud Infrastructure (OCI) auth method could not authenticate when the plugin backend was mounted at a non-default path. [[GH-7](https://github.com/hashicorp/vault-plugin-auth-oci/pull/7)] * core: Extend replicated cubbyhole fix in 1.4.0 to cover case where a performance primary is also a DR primary [[GH-9148](https://github.com/hashicorp/vault/pull/9148)] * secrets/aws: Fix issue where performance standbys weren't able to generate STS credentials after an IAM access key rotation in AWS and root IAM credential update in Vault [[GH-9186](https://github.com/hashicorp/vault/pull/9186)] * secrets/database: Fix issue where rotating root database credentials while Vault's storage backend is unavailable causes Vault to lose access to the database [[GH-8782](https://github.com/hashicorp/vault/pull/8782)] * secrets/database: Fix issue that prevents performance standbys from connecting to databases after a root credential rotation [[GH-9129](https://github.com/hashicorp/vault/pull/9129)] * secrets/gcp: Fix issue were updates were not being applied to the `token_scopes` of a roleset. [[GH-90](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/90)] * secrets/kv: Return the value of delete_version_after when reading kv/config, even if it is set to the default. [[GH-42](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/42)] * ui: Add Toggle component into core addon so it is available in KMIP and other Ember Engines. [[GH-8913]](https://github.com/hashicorp/vault/pull/8913) * ui: Disallow max versions value of large than 9999999999999999 on kv2 secrets engine. [[GH-9242](https://github.com/hashicorp/vault/pull/9242)] ## 1.4.3 (TBD) IMPROVEMENTS: * auth/aws: Add support for Web Identity credentials [[GH-9251](https://github.com/hashicorp/vault/pull/9251)] * core: Add the Go version used to build a Vault binary to the server message output. [[GH-9078](https://github.com/hashicorp/vault/pull/9078)] * secrets/database: Add static role rotation for MongoDB Atlas database plugin [[GH-9311](https://github.com/hashicorp/vault/pull/9311)] * ui: Link to the Vault Changelog in the UI footer [[GH-9216](https://github.com/hashicorp/vault/pull/9216)] BUG FIXES: * auth/oci: Fix issue where users of the Oracle Cloud Infrastructure (OCI) auth method could not authenticate when the plugin backend was mounted at a non-default path. [[GH-9278](https://github.com/hashicorp/vault/pull/9278)] * replication: The issue causing cubbyholes in namespaces on performance secondaries to not work, which was fixed in 1.4.0, was still an issue when the primary was both a performance primary and DR primary. * secrets/aws: Fix issue where performance standbys weren't able to generate STS credentials after an IAM access key rotation in AWS and root IAM credential update in Vault [[GH-9207](https://github.com/hashicorp/vault/pull/9207)] * secrets/database: Fix issue that prevents performance standbys from connecting to databases after a root credential rotation [[GH-9208](https://github.com/hashicorp/vault/pull/9208)] * secrets/gcp: Fix issue were updates were not being applied to the `token_scopes` of a roleset. [[GH-9277](https://github.com/hashicorp/vault/pull/9277)] ## 1.4.2 (May 21st, 2020) SECURITY: * core: Proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4.0 and 1.4.1, as well as older versions of Vault [[GH-9022](https://github.com/hashicorp/vault/pull/9022)] * secrets/gcp: Fix a regression in 1.4.0 where the system TTLs were being used instead of the configured backend TTLs for dynamic service accounts. This vulnerability is CVE-2020-12757. [[GH-85](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/85)] IMPROVEMENTS: * storage/raft: The storage stanza now accepts `leader_ca_cert_file`, `leader_client_cert_file`, and `leader_client_key_file` parameters to read and parse TLS certificate information from paths on disk. Existing non-path based parameters will continue to work, but their values will need to be provided as a single-line string with newlines delimited by `\n`. [[GH-8894](https://github.com/hashicorp/vault/pull/8894)] * storage/raft: The `vault status` CLI command and the `sys/leader` API now contain the committed and applied raft indexes. [[GH-9011](https://github.com/hashicorp/vault/pull/9011)] BUG FIXES: * auth/aws: Fix token renewal issues caused by the metadata changes in 1.4.1 [[GH-8991](https://github.com/hashicorp/vault/pull/8991)] * auth/ldap: Fix 1.4.0 regression that could result in auth failures when LDAP auth config includes upndomain. [[GH-9041](https://github.com/hashicorp/vault/pull/9041)] * secrets/ad: Forward rotation requests from standbys to active clusters [[GH-66](https://github.com/hashicorp/vault-plugin-secrets-ad/pull/66)] * secrets/database: Prevent generation of usernames that are not allowed by the MongoDB Atlas API [[GH-9](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/pull/9)] * secrets/database: Return an error if a manual rotation of static account credentials fails [[GH-9035](https://github.com/hashicorp/vault/pull/9035)] * secrets/openldap: Forward all rotation requests from standbys to active clusters [[GH-9028](https://github.com/hashicorp/vault/pull/9028)] * secrets/transform (enterprise): Fix panic that could occur when accessing cached template entries, such as a requests that accessed templates directly or indirectly from a performance standby node. * serviceregistration: Fix a regression for Consul service registration that ignored using the listener address as the redirect address unless api_addr was provided. It now properly uses the same redirect address as the one used by Vault's Core object. [[GH-8976](https://github.com/hashicorp/vault/pull/8976)] * storage/raft: Advertise the configured cluster address to the rest of the nodes in the raft cluster. This fixes an issue where a node advertising 0.0.0.0 is not using a unique hostname. [[GH-9008](https://github.com/hashicorp/vault/pull/9008)] * storage/raft: Fix panic when multiple nodes attempt to join the cluster at once. [[GH-9008](https://github.com/hashicorp/vault/pull/9008)] * sys: The path provided in `sys/internal/ui/mounts/:path` is now namespace-aware. This fixes an issue with `vault kv` subcommands that had namespaces provided in the path returning permission denied all the time. [[GH-8962](https://github.com/hashicorp/vault/pull/8962)] * ui: Fix snowman that appears when namespaces have more than one period [[GH-8910](https://github.com/hashicorp/vault/pull/8910)] ## 1.4.1 (April 30th, 2020) CHANGES: * auth/aws: The default set of metadata fields added in 1.4.1 has been changed to `account_id` and `auth_type` [[GH-8783](https://github.com/hashicorp/vault/pull/8783)] * storage/raft: Disallow `ha_storage` to be specified if `raft` is set as the `storage` type. [[GH-8707](https://github.com/hashicorp/vault/pull/8707)] IMPROVEMENTS: * auth/aws: The set of metadata stored during login is now configurable [[GH-8783](https://github.com/hashicorp/vault/pull/8783)] * auth/aws: Improve region selection to avoid errors seen if the account hasn't enabled some newer AWS regions [[GH-8679](https://github.com/hashicorp/vault/pull/8679)] * auth/azure: Enable login from Azure VMs with user-assigned identities [[GH-33](https://github.com/hashicorp/vault-plugin-auth-azure/pull/33)] * auth/gcp: The set of metadata stored during login is now configurable [[GH-92](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/92)] * auth/gcp: The type of alias name used during login is now configurable [[GH-95](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/95)] * auth/ldap: Improve error messages during LDAP operation failures [[GH-8740](https://github.com/hashicorp/vault/pull/8740)] * identity: Add a batch delete API for identity entities [[GH-8785]](https://github.com/hashicorp/vault/pull/8785) * identity: Improve performance of logins when no group updates are needed [[GH-8795]](https://github.com/hashicorp/vault/pull/8795) * metrics: Add `vault.identity.num_entities` metric [[GH-8816]](https://github.com/hashicorp/vault/pull/8816) * secrets/kv: Allow `delete-version-after` to be reset to 0 via the CLI [[GH-8635](https://github.com/hashicorp/vault/pull/8635)] * secrets/rabbitmq: Improve error handling and reporting [[GH-8619](https://github.com/hashicorp/vault/pull/8619)] * ui: Provide One Time Password during Operation Token generation process [[GH-8630]](https://github.com/hashicorp/vault/pull/8630) BUG FIXES: * auth/okta: Fix MFA regression (introduced in [GH-8143](https://github.com/hashicorp/vault/pull/8143)) from 1.4.0 [[GH-8807](https://github.com/hashicorp/vault/pull/8807)] * auth/userpass: Fix upgrade value for `token_bound_cidrs` being ignored due to incorrect key provided [[GH-8826](https://github.com/hashicorp/vault/pull/8826/files)] * config/seal: Fix segfault when seal block is removed [[GH-8517](https://github.com/hashicorp/vault/pull/8517)] * core: Fix an issue where users attempting to build Vault could receive Go module checksum errors [[GH-8770](https://github.com/hashicorp/vault/pull/8770)] * core: Fix blocked requests if a SIGHUP is issued during a long-running request has the state lock held. Also fixes deadlock that can happen if `vault debug` with the config target is ran during this time. [[GH-8755](https://github.com/hashicorp/vault/pull/8755)] * core: Always rewrite the .vault-token file as part of a `vault login` to ensure permissions and ownership are set correctly [[GH-8867](https://github.com/hashicorp/vault/pull/8867)] * database/mongodb: Fix context deadline error that may result due to retry attempts on failed commands [[GH-8863](https://github.com/hashicorp/vault/pull/8863)] * http: Fix superflous call messages from the http package on logs caused by missing returns after `respondError` calls [[GH-8796](https://github.com/hashicorp/vault/pull/8796)] * namespace (enterprise): Fix namespace listing to return `key_info` when a scoping namespace is also provided. * seal/gcpkms: Fix panic that could occur if all seal parameters were provided via environment variables [[GH-8840](https://github.com/hashicorp/vault/pull/8840)] * storage/raft: Fix memory allocation and incorrect metadata tracking issues with snapshots [[GH-8793](https://github.com/hashicorp/vault/pull/8793)] * storage/raft: Fix panic that could occur if `disable_clustering` was set to true on Raft storage cluster [[GH-8784](https://github.com/hashicorp/vault/pull/8784)] * storage/raft: Handle errors returned from the API during snapshot operations [[GH-8861](https://github.com/hashicorp/vault/pull/8861)] * sys/wrapping: Allow unwrapping of wrapping tokens which contain nil data [[GH-8714](https://github.com/hashicorp/vault/pull/8714)] ## 1.4.0 (April 7th, 2020) CHANGES: * cli: The raft configuration command has been renamed to list-peers to avoid confusion. FEATURES: * **Kerberos Authentication**: Vault now supports Kerberos authentication using a SPNEGO token. Login can be performed using the Vault CLI, API, or agent. * **Kubernetes Service Discovery**: A new Kubernetes service discovery feature where, if configured, Vault will tag Vault pods with their current health status. For more, see [#8249](https://github.com/hashicorp/vault/pull/8249). * **MongoDB Atlas Secrets**: Vault can now generate dynamic credentials for both MongoDB Atlas databases as well as the [Atlas programmatic interface] (https://docs.atlas.mongodb.com/tutorial/manage-programmatic-access/). * **OpenLDAP Secrets Engine**: We now support password management of existing OpenLDAP user entries. For more, see [#8360] (https://github.com/hashicorp/vault/pull/8360/). * **Redshift Database Secrets Engine**: The database secrets engine now supports static and dynamic secrets for the Amazon Web Services (AWS) Redshift service. * **Service Registration Config**: A newly introduced `service_registration` configuration stanza, that allows for service registration to be configured separately from the storage backend. For more, see [#7887] (https://github.com/hashicorp/vault/pull/7887/). * **Transform Secrets Engine (Enterprise)**: A new secrets engine that handles secure data transformation and tokenization against provided input value. * **Integrated Storage**: Promoted out of beta and into general availability for both open-source and enterprise workloads. IMPROVEMENTS: * agent: add option to force the use of the auth-auth token, and ignore the Vault token in the request [[GH-8101](https://github.com/hashicorp/vault/pull/8101)] * api: Restore and fix DNS SRV Lookup [[GH-8520](https://github.com/hashicorp/vault/pull/8520)] * audit: HMAC http_raw_body in audit log; this ensures that large authenticated Prometheus metrics responses get replaced with short HMAC values [[GH-8130](https://github.com/hashicorp/vault/pull/8130)] * audit: Generate-root, generate-recovery-token, and generate-dr-operation-token requests and responses are now audited. [[GH-8301](https://github.com/hashicorp/vault/pull/8301)] * auth/aws: Reduce the number of simultaneous STS client credentials needed [[GH-8161](https://github.com/hashicorp/vault/pull/8161)] * auth/azure: subscription ID, resource group, vm and vmss names are now stored in alias metadata [[GH-30](https://github.com/hashicorp/vault-plugin-auth-azure/pull/30)] * auth/jwt: Additional OIDC callback parameters available for CLI logins [[GH-80](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/80) & [GH-86](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/86)] * auth/jwt: Bound claims may be optionally configured using globs [[GH-89](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/89)] * auth/jwt: Timeout during OIDC CLI login if process doesn't complete within 2 minutes [[GH-97](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/97)] * auth/jwt: Add support for the `form_post` response mode [[GH-98](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/98)] * auth/jwt: add optional client_nonce to authorization flow [[GH-104](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/104)] * auth/okta: Upgrade okta sdk lib, which should improve handling of groups [[GH-8143](https://github.com/hashicorp/vault/pull/8143)] * aws: Add support for v2 of the instance metadata service (see [issue 7924](https://github.com/hashicorp/vault/issues/7924) for all linked PRs) * core: Separate out service discovery interface from storage interface to allow new types of service discovery not coupled to storage [[GH-7887](https://github.com/hashicorp/vault/pull/7887)] * core: Add support for telemetry option `metrics_prefix` [[GH-8340](https://github.com/hashicorp/vault/pull/8340)] * core: Entropy Augmentation can now be used with AWS KMS and Vault Transit seals * core: Allow tls_min_version to be set to TLS 1.3 [[GH-8305](https://github.com/hashicorp/vault/pull/8305)] * cli: Incorrect TLS configuration will now correctly fail [[GH-8025](https://github.com/hashicorp/vault/pull/8025)] * identity: Allow specifying a custom `client_id` for identity tokens [[GH-8165](https://github.com/hashicorp/vault/pull/8165)] * metrics/prometheus: improve performance with high volume of metrics updates [[GH-8507](https://github.com/hashicorp/vault/pull/8507)] * replication (enterprise): Fix race condition causing clusters with high throughput writes to sometimes fail to enter streaming-wal mode * replication (enterprise): Secondary clusters can now perform an extra gRPC call to all nodes in a primary cluster in an attempt to resolve the active node's address * replication (enterprise): The replication status API now outputs `last_performance_wal`, `last_dr_wal`, and `connection_state` values * replication (enterprise): DR secondary clusters can now be recovered by the `replication/dr/secondary/recover` API * replication (enterprise): We now allow for an alternate means to create a Disaster Recovery token, by using a batch token that is created with an ACL that allows for access to one or more of the DR endpoints. * secrets/database/mongodb: Switched internal MongoDB driver to mongo-driver [[GH-8140](https://github.com/hashicorp/vault/pull/8140)] * secrets/database/mongodb: Add support for x509 client authorization to MongoDB [[GH-8329](https://github.com/hashicorp/vault/pull/8329)] * secrets/database/oracle: Add support for static credential rotation [[GH-26](https://github.com/hashicorp/vault-plugin-database-oracle/pull/26)] * secrets/consul: Add support to specify TLS options per Consul backend [[GH-4800](https://github.com/hashicorp/vault/pull/4800)] * secrets/gcp: Allow specifying the TTL for a service key [[GH-54](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/54)] * secrets/gcp: Add support for rotating root keys [[GH-53](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/53)] * secrets/gcp: Handle version 3 policies for Resource Manager IAM requests [[GH-77](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/77) * secrets/nomad: Add support to specify TLS options per Nomad backend [[GH-8083](https://github.com/hashicorp/vault/pull/8083)] * secrets/ssh: Allowed users can now be templated with identity information [[GH-7548](https://github.com/hashicorp/vault/pull/7548)] * secrets/transit: Adding RSA3072 key support [[GH-8151](https://github.com/hashicorp/vault/pull/8151)] * storage/consul: Vault returns now a more descriptive error message when only a client cert or a client key has been provided [[GH-4930]](https://github.com/hashicorp/vault/pull/8084) * storage/raft: Nodes in the raft cluster can all be given possible leader addresses for them to continuously try and join one of them, thus automating the process of join to a greater extent [[GH-7856](https://github.com/hashicorp/vault/pull/7856)] * storage/raft: Fix a potential deadlock that could occur on leadership transition [[GH-8547](https://github.com/hashicorp/vault/pull/8547)] * storage/raft: Refresh TLS keyring on snapshot restore [[GH-8546](https://github.com/hashicorp/vault/pull/8546)] * storage/etcd: Bumped etcd client API SDK [[GH-7931](https://github.com/hashicorp/vault/pull/7931) & [GH-4961](https://github.com/hashicorp/vault/pull/4961) & [GH-4349](https://github.com/hashicorp/vault/pull/4349) & [GH-7582](https://github.com/hashicorp/vault/pull/7582)] * ui: Make Transit Key actions more prominent [[GH-8304](https://github.com/hashicorp/vault/pull/8304)] * ui: Add Core Usage Metrics [[GH-8347](https://github.com/hashicorp/vault/pull/8347)] * ui: Add refresh Namespace list on the Namespace dropdown, and redesign of Namespace dropdown menu [[GH-8442](https://github.com/hashicorp/vault/pull/8442)] * ui: Update transit actions to codeblocks & automatically encode plaintext unless indicated [[GH-8462](https://github.com/hashicorp/vault/pull/8462)] * ui: Display the results of transit key actions in a modal window [[GH-8462](https://github.com/hashicorp/vault/pull/8575)] * ui: Transit key version styling updates & ability to copy key from dropdown [[GH-8480](https://github.com/hashicorp/vault/pull/8480)] BUG FIXES: * agent: Fix issue where TLS options are ignored for agent template feature [[GH-7889](https://github.com/hashicorp/vault/pull/7889)] * auth/jwt: Use lower case role names for `default_role` to match the `role` case convention [[GH-100](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/100)] * auth/ldap: Fix a bug where the UPNDOMAIN parameter was wrongly used to lookup the group membership of the given user [[GH-6325]](https://github.com/hashicorp/vault/pull/8333) * cli: Support autocompletion for nested mounts [[GH-8303](https://github.com/hashicorp/vault/pull/8303)] * cli: Fix CLI namespace autocompletion [[GH-8315](https://github.com/hashicorp/vault/pull/8315)] * identity: Fix incorrect caching of identity token JWKS responses [[GH-8412](https://github.com/hashicorp/vault/pull/8412)] * metrics/stackdriver: Fix issue that prevents the stackdriver metrics library to create unnecessary stackdriver descriptors [[GH-8073](https://github.com/hashicorp/vault/pull/8073)] * replication: Fix issue causing cubbyholes in namespaces on performance secondaries to not work. * replication (enterprise): Unmounting a dynamic secrets backend could sometimes lead to replication errors. Change the order of operations to prevent that. * seal (enterprise): Fix seal migration when transactional seal wrap backend is in use. * secrets/database/influxdb: Fix potential panic if connection to the InfluxDB database cannot be established [[GH-8282](https://github.com/hashicorp/vault/pull/8282)] * secrets/database/mysql: Ensures default static credential rotation statements are used [[GH-8240](https://github.com/hashicorp/vault/pull/8240)] * secrets/database/mysql: Fix inconsistent query parameter names: {{name}} or {{username}} for different queries. Now it allows for either for backwards compatibility [[GH-8240](https://github.com/hashicorp/vault/pull/8240)] * secrets/database/postgres: Fix inconsistent query parameter names: {{name}} or {{username}} for different queries. Now it allows for either for backwards compatibility [[GH-8240](https://github.com/hashicorp/vault/pull/8240)] * secrets/pki: Support FQDNs in DNS Name [[GH-8288](https://github.com/hashicorp/vault/pull/8288)] * storage/raft: Allow seal migration to be performed on Vault clusters using raft storage [[GH-8103](https://github.com/hashicorp/vault/pull/8103)] * telemetry: Prometheus requests on standby nodes will now return an error instead of forwarding the request to the active node [[GH-8280](https://github.com/hashicorp/vault/pull/8280)] * ui: Fix broken popup menu on the transit secrets list page [[GH-8348](https://github.com/hashicorp/vault/pull/8348)] * ui: Update headless Chrome flag to fix `yarn run test:oss` [[GH-8035](https://github.com/hashicorp/vault/pull/8035)] * ui: Update CLI to accept empty strings as param value to reset previously-set values * ui: Fix bug where error states don't clear when moving between action tabs on Transit [[GH-8354](https://github.com/hashicorp/vault/pull/8354)] ## 1.3.6 (May 21st, 2020) SECURITY: * core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.1, as well as older versions of Vault [[GH-9022](https://github.com/hashicorp/vault/pull/9022) BUG FIXES: * auth/aws: Fix token renewal issues caused by the metadata changes in 1.3.5 [[GH-8991](https://github.com/hashicorp/vault/pull/8991)] * replication: Fix mount filter bug that allowed replication filters to hide local mounts on a performance secondary ## 1.3.5 (April 28th, 2020) CHANGES: * auth/aws: The default set of metadata fields added in 1.3.2 has been changed to `account_id` and `auth_type` [[GH-8783](https://github.com/hashicorp/vault/pull/8783)] IMPROVEMENTS: * auth/aws: The set of metadata stored during login is now configurable [[GH-8783](https://github.com/hashicorp/vault/pull/8783)] ## 1.3.4 (March 19th, 2020) SECURITY: * A vulnerability was identified in Vault and Vault Enterprise such that, under certain circumstances, an Entity's Group membership may inadvertently include Groups the Entity no longer has permissions to. This vulnerability, CVE-2020-10660, affects Vault and Vault Enterprise versions 0.9.0 and newer, and is fixed in 1.3.4. [[GH-8606](https://github.com/hashicorp/vault/pull/8606)] * A vulnerability was identified in Vault Enterprise such that, under certain circumstances, existing nested-path policies may give access to Namespaces created after-the-fact. This vulnerability, CVE-2020-10661, affects Vault Enterprise versions 0.11 and newer, and is fixed in 1.3.4. ## 1.3.3 (March 5th, 2020) BUG FIXES: * approle: Fix excessive locking during tidy, which could potentially block new approle logins for long enough to cause an outage [[GH-8418](https://github.com/hashicorp/vault/pull/8418)] * cli: Fix issue where Raft snapshots from standby nodes created an empty backup file [[GH-8097](https://github.com/hashicorp/vault/pull/8097)] * identity: Fix incorrect caching of identity token JWKS responses [[GH-8412](https://github.com/hashicorp/vault/pull/8412)] * kmip: role read now returns tls_client_ttl * kmip: fix panic when templateattr not provided in rekey request * secrets/database/influxdb: Fix potential panic if connection to the InfluxDB database cannot be established [[GH-8282](https://github.com/hashicorp/vault/pull/8282)] * storage/mysql: Fix potential crash when using MySQL as coordination for high availability [[GH-8300](https://github.com/hashicorp/vault/pull/8300)] * storage/raft: Fix potential crash when using Raft as coordination for high availability [[GH-8356](https://github.com/hashicorp/vault/pull/8356)] * ui: Fix missing License menu item [[GH-8230](https://github.com/hashicorp/vault/pull/8230)] * ui: Fix bug where default auth method on login is defaulted to auth method that is listing-visibility=unauth instead of "other" [[GH-8218](https://github.com/hashicorp/vault/pull/8218)] * ui: Fix bug where KMIP details were not shown in the UI Wizard [[GH-8255](https://github.com/hashicorp/vault/pull/8255)] * ui: Show Error messages on Auth Configuration page when you hit permission errors [[GH-8500](https://github.com/hashicorp/vault/pull/8500)] * ui: Remove duplicate form inputs for the GitHub config [[GH-8519](https://github.com/hashicorp/vault/pull/8519)] * ui: Correct HMAC capitalization [[GH-8528](https://github.com/hashicorp/vault/pull/8528)] * ui: Fix danger message in DR [[GH-8555](https://github.com/hashicorp/vault/pull/8555)] * ui: Fix certificate field for LDAP config [[GH-8573](https://github.com/hashicorp/vault/pull/8573)] ## 1.3.2 (January 22nd, 2020) SECURITY: * When deleting a namespace on Vault Enterprise, in certain circumstances, the deletion process will fail to revoke dynamic secrets for a mount in that namespace. This will leave any dynamic secrets in remote systems alive and will fail to clean them up. This vulnerability, CVE-2020-7220, affects Vault Enterprise 0.11.0 and newer. IMPROVEMENTS: * auth/aws: Add aws metadata to identity alias [[GH-7985](https://github.com/hashicorp/vault/pull/7985)] * auth/kubernetes: Allow both names and namespaces to be set to "*" [[GH-78](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/78)] BUG FIXES: * auth/azure: Fix Azure compute client to use correct base URL [[GH-8072](https://github.com/hashicorp/vault/pull/8072)] * auth/ldap: Fix renewal of tokens without configured policies that are generated by an LDAP login [[GH-8072](https://github.com/hashicorp/vault/pull/8072)] * auth/okta: Fix renewal of tokens without configured policies that are generated by an Okta login [[GH-8072](https://github.com/hashicorp/vault/pull/8072)] * core: Fix seal migration error when attempting to migrate from auto unseal to shamir [[GH-8172](https://github.com/hashicorp/vault/pull/8172)] * core: Fix seal migration config issue when migrating from auto unseal to auto unseal [[GH-8172](https://github.com/hashicorp/vault/pull/8172)] * plugin: Fix issue where a plugin unwrap request potentially used an expired token [[GH-8058](https://github.com/hashicorp/vault/pull/8058)] * replication: Fix issue where a forwarded request from a performance/standby node could run into a timeout * secrets/database: Fix issue where a manual static role rotation could potentially panic [[GH-8098](https://github.com/hashicorp/vault/pull/8098)] * secrets/database: Fix issue where a manual root credential rotation request is not forwarded to the primary node [[GH-8125](https://github.com/hashicorp/vault/pull/8125)] * secrets/database: Fix issue where a manual static role rotation request is not forwarded to the primary node [[GH-8126](https://github.com/hashicorp/vault/pull/8126)] * secrets/database/mysql: Fix issue where special characters for a MySQL password were encoded [[GH-8040](https://github.com/hashicorp/vault/pull/8040)] * ui: Fix deleting namespaces [[GH-8132](https://github.com/hashicorp/vault/pull/8132)] * ui: Fix Error handler on kv-secret edit and kv-secret view pages [[GH-8133](https://github.com/hashicorp/vault/pull/8133)] * ui: Fix OIDC callback to check storage [[GH-7929](https://github.com/hashicorp/vault/pull/7929)]. * ui: Change `.box-radio` height to min-height to prevent overflow issues [[GH-8065](https://github.com/hashicorp/vault/pull/8065)] ## 1.3.1 (December 18th, 2019) IMPROVEMENTS: * agent: Add ability to set `exit-after-auth` via the CLI [[GH-7920](https://github.com/hashicorp/vault/pull/7920)] * auth/ldap: Add a `request_timeout` configuration option to prevent connection requests from hanging [[GH-7909](https://github.com/hashicorp/vault/pull/7909)] * auth/kubernetes: Add audience to tokenreview API request for Kube deployments where issuer is not Kube. [[GH-74](https://github.com/hashicorp/vault/pull/74)] * secrets/ad: Add a `request_timeout` configuration option to prevent connection requests from hanging [[GH-59](https://github.com/hashicorp/vault-plugin-secrets-ad/pull/59)] * storage/postgresql: Add support for setting `connection_url` from enviornment variable `VAULT_PG_CONNECTION_URL` [[GH-7937](https://github.com/hashicorp/vault/pull/7937)] * telemetry: Add `enable_hostname_label` option to telemetry stanza [[GH-7902](https://github.com/hashicorp/vault/pull/7902)] * telemetry: Add accept header check for prometheus mime type [[GH-7958](https://github.com/hashicorp/vault/pull/7958)] BUG FIXES: * agent: Fix issue where Agent exits before all templates are rendered when using and `exit_after_auth` [[GH-7899](https://github.com/hashicorp/vault/pull/7899)] * auth/aws: Fixes region-related issues when using a custom `sts_endpoint` by adding a `sts_region` parameter [[GH-7922](https://github.com/hashicorp/vault/pull/7922)] * auth/token: Fix panic when getting batch tokens on a performance standby from a role that does not exist [[GH-8027](https://github.com/hashicorp/vault/pull/8027)] * core: Improve warning message for lease TTLs [[GH-7901](https://github.com/hashicorp/vault/pull/7901)] * identity: Fix identity token panic during invalidation [[GH-8043](https://github.com/hashicorp/vault/pull/8043)] * plugin: Fix a panic that could occur if a mount/auth entry was unable to mount the plugin backend and a request that required the system view to be retrieved was made [[GH-7991](https://github.com/hashicorp/vault/pull/7991)] * replication: Add `generate-public-key` endpoint to list of allowed endpoints for existing DR secondaries * secrets/gcp: Fix panic if bindings aren't provided in roleset create/update. [[GH-56](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/56)] * secrets/pki: Prevent generating certificate on performance standby when storing [[GH-7904](https://github.com/hashicorp/vault/pull/7904)] * secrets/transit: Prevent restoring keys to new names that are sub paths [[GH-7998](https://github.com/hashicorp/vault/pull/7998)] * storage/s3: Fix a bug in configurable S3 paths that was preventing use of S3 as a source during `operator migrate` operations [[GH-7966](https://github.com/hashicorp/vault/pull/7966)] * ui: Ensure secrets with a period in their key can be viewed and copied [[GH-7926](https://github.com/hashicorp/vault/pull/7926)] * ui: Fix status menu after demotion [[GH-7997](https://github.com/hashicorp/vault/pull/7997)] * ui: Fix select dropdowns in Safari when running Mojave [[GH-8023](https://github.com/hashicorp/vault/pull/8023)] ## 1.3 (November 14th, 2019) CHANGES: * Secondary cluster activation: There has been a change to the way that activating performance and DR secondary clusters works when using public keys for encryption of the parameters rather than a wrapping token. This flow was experimental and never documented. It is now officially supported and documented but is not backwards compatible with older Vault releases. * Cluster cipher suites: On its cluster port, Vault will no longer advertise the full TLS 1.2 cipher suite list by default. Although this port is only used for Vault-to-Vault communication and would always pick a strong cipher, it could cause false flags on port scanners and other security utilities that assumed insecure ciphers were being used. The previous behavior can be achieved by setting the value of the (undocumented) `cluster_cipher_suites` config flag to `tls12`. * API/Agent Renewal behavior: The API now allows multiple options for how it deals with renewals. The legacy behavior in the Agent/API is for the renewer (now called the lifetime watcher) to exit on a renew error, leading to a reauthentication. The new default behavior is for the lifetime watcher to ignore 5XX errors and simply retry as scheduled, using the existing lease duration. It is also possible, within custom code, to disable renewals entirely, which allows the lifetime watcher to simply return when it believes it is time for your code to renew or reauthenticate. FEATURES: * **Vault Debug**: A new top-level subcommand, `debug`, is added that allows operators to retrieve debugging information related to a particular Vault node. Operators can use this simple workflow to capture triaging information, which can then be consumed programmatically or by support and engineering teams. It has the abilitity to probe for config, host, metrics, pprof, server status, and replication status. * **Recovery Mode**: Vault server can be brought up in recovery mode to resolve outages caused due to data store being in bad state. This is a privileged mode that allows `sys/raw` API calls to perform surgical corrections to the data tore. Bad storage state can be caused by bugs. However, this is usually observed when known (and fixed) bugs are hit by older versions of Vault. * **Entropy Augmentation (Enterprise)**: Vault now supports sourcing entropy from external source for critical security parameters. Currently an HSM that supports PKCS#11 is the only supported source. * **Active Directory Secret Check-In/Check-Out**: In the Active Directory secrets engine, users or applications can check out a service account for use, and its password will be rotated when it's checked back in. * **Vault Agent Template**: Vault Agent now supports rendering templates containing Vault secrets to disk, similar to Consul Template [[GH-7652](https://github.com/hashicorp/vault/pull/7652)] * **Transit Key Type Support**: Signing and verification is now supported with the P-384 (secp384r1) and P-521 (secp521r1) ECDSA curves [[GH-7551](https://github.com/hashicorp/vault/pull/7551)] and encryption and decryption is now supported via AES128-GCM96 [[GH-7555](https://github.com/hashicorp/vault/pull/7555)] * **SSRF Protection for Vault Agent**: Vault Agent has a configuration option to require a specific header before allowing requests [[GH-7627](https://github.com/hashicorp/vault/pull/7627)] * **AWS Auth Method Root Rotation**: The credential used by the AWS auth method can now be rotated, to ensure that only Vault knows the credentials it is using [[GH-7131](https://github.com/hashicorp/vault/pull/7131)] * **New UI Features**: The UI now supports managing users and groups for the Userpass, Cert, Okta, and Radius auth methods. * **Shamir with Stored Master Key**: The on disk format for Shamir seals has changed, allowing for a secondary cluster using Shamir downstream from a primary cluster using Auto Unseal. [[GH-7694](https://github.com/hashicorp/vault/pull/7694)] * **Stackdriver Metrics Sink**: Vault can now send metrics to [Stackdriver](https://cloud.google.com/stackdriver/). See the [configuration documentation](https://www.vaultproject.io/docs/config/index.html) for details. [[GH-6957](https://github.com/hashicorp/vault/pull/6957)] * **Filtered Paths Replication (Enterprise)**: Based on the predecessor Filtered Mount Replication, Filtered Paths Replication allows now filtering of namespaces in addition to mounts. * **Token Renewal via Accessor**: Tokens can now be renewed via the accessor value through the new `auth/token/renew-accessor` endpoint if the caller's token has permission to access that endpoint. * **Improved Integrated Storage (Beta)**: Improved raft write performance, added support for non-voter nodes, along with UI support for: using raft storage, joining a raft cluster, and downloading and restoring a snapshot. IMPROVEMENTS: * agent: Add ability to set the TLS SNI name used by Agent [[GH-7519](https://github.com/hashicorp/vault/pull/7519)] * agent & api: Change default renewer behavior to ignore 5XX errors [[GH-7733](https://github.com/hashicorp/vault/pull/7733)] * auth/jwt: The redirect callback host may now be specified for CLI logins [[GH-71](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/71)] * auth/jwt: Bound claims may now contain boolean values [[GH-73](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/73)] * auth/jwt: CLI logins can now open the browser when running in WSL [[GH-77](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/77)] * core: Exit ScanView if context has been cancelled [[GH-7419](https://github.com/hashicorp/vault/pull/7419)] * core: re-encrypt barrier and recovery keys if the unseal key is updated [[GH-7493](https://github.com/hashicorp/vault/pull/7493)] * core: Don't advertise the full set of TLS 1.2 cipher suites on the cluster port, even though only strong ciphers were used [[GH-7487](https://github.com/hashicorp/vault/pull/7487)] * core (enterprise): Add background seal re-wrap * core/metrics: Add config parameter to allow unauthenticated sys/metrics access. [[GH-7550](https://github.com/hashicorp/vault/pull/7550)] * metrics: Upgrade DataDog library to improve performance [[GH-7794](https://github.com/hashicorp/vault/pull/7794)] * replication (enterprise): Write-Ahead-Log entries will not duplicate the data belonging to the encompassing physical entries of the transaction, thereby improving the performance and storage capacity. * replication (enterprise): Added more replication metrics * replication (enterprise): Reindex process now compares subpages for a more accurate indexing process. * replication (enterprise): Reindex API now accepts a new `skip_flush` parameter indicating all the changes should not be flushed while the tree is locked. * secrets/aws: The root config can now be read [[GH-7245](https://github.com/hashicorp/vault/pull/7245)] * secrets/database/cassandra: Add ability to skip verfication of connection [[GH-7614](https://github.com/hashicorp/vault/pull/7614)] * secrets/gcp: Fix panic during rollback if the roleset has been deleted [[GH-52](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/52)] * storage/azure: Add config parameter to Azure storage backend to allow specifying the ARM endpoint [[GH-7567](https://github.com/hashicorp/vault/pull/7567)] * storage/cassandra: Improve storage efficiency by eliminating unnecessary copies of value data [[GH-7199](https://github.com/hashicorp/vault/pull/7199)] * storage/raft: Improve raft write performance by utilizing FSM Batching [[GH-7527](https://github.com/hashicorp/vault/pull/7527)] * storage/raft: Add support for non-voter nodes [[GH-7634](https://github.com/hashicorp/vault/pull/7634)] * sys: Add a new `sys/host-info` endpoint for querying information about the host [[GH-7330](https://github.com/hashicorp/vault/pull/7330)] * sys: Add a new set of endpoints under `sys/pprof/` that allows profiling information to be extracted [[GH-7473](https://github.com/hashicorp/vault/pull/7473)] * sys: Add endpoint that counts the total number of active identity entities [[GH-7541](https://github.com/hashicorp/vault/pull/7541)] * sys: `sys/seal-status` now has a `storage_type` field denoting what type of storage the cluster is configured to use * sys: Add a new `sys/internal/counters/tokens` endpoint, that counts the total number of active service token accessors in the shared token storage. [[GH-7541](https://github.com/hashicorp/vault/pull/7541)] * sys/config: Add a new endpoint under `sys/config/state/sanitized` that returns the configuration state of the server. It excludes config values from `storage`, `ha_storage`, and `seal` stanzas and some values from `telemetry` due to potential sensitive entries in those fields. * ui: when using raft storage, you can now join a raft cluster, download a snapshot, and restore a snapshot from the UI [[GH-7410](https://github.com/hashicorp/vault/pull/7410)] * ui: clarify when secret version is deleted in the secret version history dropdown [[GH-7714](https://github.com/hashicorp/vault/pull/7714)] BUG FIXES: * agent: Fix a data race on the token value for inmemsink [[GH-7707](https://github.com/hashicorp/vault/pull/7707)] * api: Fix Go API using lease revocation via URL instead of body [[GH-7777](https://github.com/hashicorp/vault/pull/7777)] * api: Allow setting a function to control retry behavior [[GH-7331](https://github.com/hashicorp/vault/pull/7331)] * auth/gcp: Fix a bug where region information in instance groups names could cause an authorization attempt to fail [[GH-74](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/74)] * cli: Fix a bug where a token of an unknown format (e.g. in ~/.vault-token) could cause confusing error messages during `vault login` [[GH-7508](https://github.com/hashicorp/vault/pull/7508)] * cli: Fix a bug where the `namespace list` command with JSON formatting always returned an empty object [[GH-7705](https://github.com/hashicorp/vault/pull/7705)] * cli: Command timeouts are now always specified solely by the `VAULT_CLIENT_TIMEOUT` value. [[GH-7469](https://github.com/hashicorp/vault/pull/7469)] * core: Don't allow registering a non-root zero TTL token lease. This is purely defense in depth as the lease would be revoked immediately anyways, but there's no real reason to allow registration. [[GH-7524](https://github.com/hashicorp/vault/pull/7524)] * identity (enterprise): Fixed identity case sensitive loading in secondary cluster [[GH-7327](https://github.com/hashicorp/vault/pull/7327)] * identity: Ensure only replication primary stores the identity case sensitivity state [[GH-7820](https://github.com/hashicorp/vault/pull/7820)] * raft: Fixed VAULT_CLUSTER_ADDR env being ignored at startup [[GH-7619](https://github.com/hashicorp/vault/pull/7619)] * secrets/pki: Don't allow duplicate SAN names in issued certs [[GH-7605](https://github.com/hashicorp/vault/pull/7605)] * sys/health: Pay attention to the values provided for `standbyok` and `perfstandbyok` rather than simply using their presence as a key to flip on that behavior [[GH-7323](https://github.com/hashicorp/vault/pull/7323)] * ui: using the `wrapped_token` query param will work with `redirect_to` and will automatically log in as intended [[GH-7398](https://github.com/hashicorp/vault/pull/7398)] * ui: fix an error when initializing from the UI using PGP keys [[GH-7542](https://github.com/hashicorp/vault/pull/7542)] * ui: show all active kv v2 secret versions even when `delete_version_after` is configured [[GH-7685](https://github.com/hashicorp/vault/pull/7685)] * ui: Ensure that items in the top navigation link to pages that users have access to [[GH-7590](https://github.com/hashicorp/vault/pull/7590)] ## 1.2.4 (November 7th, 2019) SECURITY: * In a non-root namespace, revocation of a token scoped to a non-root namespace did not trigger the expected revocation of dynamic secret leases associated with that token. As a result, dynamic secret leases in non-root namespaces may outlive the token that created them. This vulnerability, CVE-2019-18616, affects Vault Enterprise 0.11.0 and newer. * Disaster Recovery secondary clusters did not delete already-replicated data after a mount filter has been created on an upstream Performance secondary cluster. As a result, encrypted secrets may remain replicated on a Disaster Recovery secondary cluster after application of a mount filter excluding those secrets from replication. This vulnerability, CVE-2019-18617, affects Vault Enterprise 0.8 and newer. * Update version of Go to 1.12.12 to fix Go bug golang.org/issue/34960 which corresponds to CVE-2019-17596. CHANGES: * auth/aws: If a custom `sts_endpoint` is configured, Vault Agent and the CLI should provide the corresponding region via the `region` parameter (which already existed as a CLI parameter, and has now been added to Agent). The automatic region detection added to the CLI and Agent in 1.2 has been removed. IMPROVEMENTS: * cli: Ignore existing token during CLI login [[GH-7508](https://github.com/hashicorp/vault/pull/7508)] * core: Log proxy settings from environment on startup [[GH-7528](https://github.com/hashicorp/vault/pull/7528)] * core: Cache whether we've been initialized to reduce load on storage [[GH-7549](https://github.com/hashicorp/vault/pull/7549)] BUG FIXES: * agent: Fix handling of gzipped responses [[GH-7470](https://github.com/hashicorp/vault/pull/7470)] * cli: Fix panic when pgp keys list is empty [[GH-7546](https://github.com/hashicorp/vault/pull/7546)] * cli: Command timeouts are now always specified solely by the `VAULT_CLIENT_TIMEOUT` value. [[GH-7469](https://github.com/hashicorp/vault/pull/7469)] * core: add hook for initializing seals for migration [[GH-7666](https://github.com/hashicorp/vault/pull/7666)] * core (enterprise): Migrating from one auto unseal method to another never worked on enterprise, now it does. * identity: Add required field `response_types_supported` to identity token `.well-known/openid-configuration` response [[GH-7533](https://github.com/hashicorp/vault/pull/7533)] * identity: Fixed nil pointer panic when merging entities [[GH-7712](https://github.com/hashicorp/vault/pull/7712)] * replication (Enterprise): Fix issue causing performance standbys nodes disconnecting when under high loads. * secrets/azure: Fix panic that could occur if client retries timeout [[GH-7793](https://github.com/hashicorp/vault/pull/7793)] * secrets/database: Fix bug in combined DB secrets engine that can result in writes to static-roles endpoints timing out [[GH-7518](https://github.com/hashicorp/vault/pull/7518)] * secrets/pki: Improve tidy to continue when value is nil [[GH-7589](https://github.com/hashicorp/vault/pull/7589)] * ui (Enterprise): Allow kv v2 secrets that are gated by Control Groups to be viewed in the UI [[GH-7504](https://github.com/hashicorp/vault/pull/7504)]
Legacy Shamir is automatically converted to new-style when a rekey operation
is performed. All new Vault initializations using Shamir are new-style.
New-style Shamir writes an encrypted master key to storage, just like
AutoUnseal. The stored master key is encrypted using the shared key that
is split via Shamir's algorithm. Thus when unsealing, we take the key
fragments given, combine them into a Key-Encryption-Key, and use that
to decrypt the master key on disk. Then the master key is used to read
the keyring that decrypts the barrier.