From d8e9adc9d36c190aa8eea104495a216fb4dc4306 Mon Sep 17 00:00:00 2001 From: madalynrose Date: Thu, 14 Feb 2019 12:42:44 -0500 Subject: [PATCH] Update OpenAPI responses to include information the UI can use (#6204) --- CHANGELOG.md | 9 +++- builtin/credential/github/path_config.go | 3 ++ builtin/credential/okta/path_config.go | 7 +++ builtin/credential/radius/path_config.go | 4 ++ builtin/logical/aws/path_roles.go | 7 +++ builtin/logical/pki/fields.go | 18 ++++++- builtin/logical/pki/path_roles.go | 25 +++++++++ builtin/logical/ssh/path_roles.go | 17 ++++-- helper/ldaputil/config.go | 31 ++++++++--- terraform/aws/variables.tf | 2 +- .../vault-plugin-auth-azure/Gopkg.lock | 16 +++++- .../vault-plugin-auth-azure/path_config.go | 5 ++ .../plugin/path_config.go | 3 ++ .../vault-plugin-auth-jwt/path_config.go | 9 ++++ .../vault-plugin-auth-kubernetes/Gopkg.lock | 16 +++++- .../path_config.go | 5 ++ .../clients/sts.go | 4 +- .../path_creds.go | 21 +++++--- .../vault-plugin-secrets-gcpkms/README.md | 6 +++ vendor/vendor.json | 52 +++++++++---------- version/version_base.go | 2 +- website/config.rb | 2 +- .../source/docs/secrets/transit/index.html.md | 15 +++--- 23 files changed, 218 insertions(+), 61 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index de92860cc1..4dcb052e45 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,4 @@ -## Next +## 1.0.3 (February 12th, 2019) CHANGES: @@ -9,6 +9,11 @@ CHANGES: entity either by name or by id [GH-6105] * The Vault UI's navigation and onboarding wizard now only displays items that are permitted in a users' policy [GH-5980, GH-6094] + * An issue was fixed that caused recovery keys to not work on secondary + clusters when using a different unseal mechanism/key than the primary. This + would be hit if the cluster was rekeyed or initialized after 1.0. We recommend + rekeying the recovery keys on the primary cluster if you meet the above + requirements. FEATURES: 
@@ -47,6 +52,8 @@ BUG FIXES: a performance standby very quickly, before an associated entity has been replicated. If the entity is not found in this scenario, the request will forward to the active node. + * replication: Fix issue where recovery keys would not work on secondary + clusters if using a different unseal mechanism than the primary. * replication: Fix a "failed to register lease" error when using performance standbys * storage/postgresql: The `Get` method will now return an Entry object with diff --git a/builtin/credential/github/path_config.go b/builtin/credential/github/path_config.go index f42b156db7..b590746863 100644 --- a/builtin/credential/github/path_config.go +++ b/builtin/credential/github/path_config.go @@ -25,14 +25,17 @@ func pathConfig(b *backend) *framework.Path { Description: `The API endpoint to use. Useful if you are running GitHub Enterprise or an API-compatible authentication server.`, + DisplayName: "Base URL", }, "ttl": &framework.FieldSchema{ Type: framework.TypeString, Description: `Duration after which authentication will be expired`, + DisplayName: "TTL", }, "max_ttl": &framework.FieldSchema{ Type: framework.TypeString, Description: `Maximum duration after which authentication will be expired`, + DisplayName: "Max TTL", }, }, diff --git a/builtin/credential/okta/path_config.go b/builtin/credential/okta/path_config.go index 284a8dcc55..02785812e5 100644 --- a/builtin/credential/okta/path_config.go +++ b/builtin/credential/okta/path_config.go 
@@ -25,26 +25,32 @@ func pathConfig(b *backend) *framework.Path { "organization": &framework.FieldSchema{ Type: framework.TypeString, Description: "(DEPRECATED) Okta organization to authenticate against. Use org_name instead.", + Deprecated: true, }, "org_name": &framework.FieldSchema{ Type: framework.TypeString, Description: "Name of the organization to be used in the Okta API.", + DisplayName: "Organization Name", }, "token": &framework.FieldSchema{ Type: framework.TypeString, Description: "(DEPRECATED) Okta admin API token. Use api_token instead.", + Deprecated: true, }, "api_token": &framework.FieldSchema{ Type: framework.TypeString, Description: "Okta API key.", + DisplayName: "API Token", }, "base_url": &framework.FieldSchema{ Type: framework.TypeString, Description: `The base domain to use for the Okta API. When not specified in the configuration, "okta.com" is used.`, + DisplayName: "Base URL", }, "production": &framework.FieldSchema{ Type: framework.TypeBool, Description: `(DEPRECATED) Use base_url.`, + Deprecated: true, }, "ttl": &framework.FieldSchema{ Type: framework.TypeDurationSecond, @@ -57,6 +63,7 @@ func pathConfig(b *backend) *framework.Path { "bypass_okta_mfa": &framework.FieldSchema{ Type: framework.TypeBool, Description: `When set true, requests by Okta for a MFA check will be bypassed. This also disallows certain status checks on the account, such as whether the password is expired.`, + DisplayName: "Bypass Okta MFA", }, }, diff --git a/builtin/credential/radius/path_config.go b/builtin/credential/radius/path_config.go index 85d60a3d68..6dde36c1d7 100644 --- a/builtin/credential/radius/path_config.go +++ b/builtin/credential/radius/path_config.go @@ -15,6 +15,7 @@ func pathConfig(b *backend) *framework.Path { "host": &framework.FieldSchema{ Type: framework.TypeString, Description: "RADIUS server host", + DisplayName: "Host", }, "port": &framework.FieldSchema{ 
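Review bot: `api_token` is an Okta admin API credential, but the hunk gives it only `DisplayName: "API Token"` and not the `DisplaySensitive: true` marker this same commit adds to `bindpass` in helper/ldaputil/config.go; a UI that renders from this metadata would presumably show the value in clear text. Suggest `DisplayName: "API Token", DisplaySensitive: true,` here, and `DisplaySensitive: true` on the deprecated `token` field as well. The vendored hunks for `client_secret` (vault-plugin-auth-azure), `credentials` (vault-plugin-auth-gcp) and `token_reviewer_jwt` (vault-plugin-auth-kubernetes) have the same gap.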
@@ -30,6 +31,7 @@ func pathConfig(b *backend) *framework.Path { Type: framework.TypeString, Default: "", Description: "Comma-separated list of policies to grant upon successful RADIUS authentication of an unregisted user (default: emtpy)", + DisplayName: "Policies for unregistered users", }, "dial_timeout": &framework.FieldSchema{ Type: framework.TypeDurationSecond, @@ -45,11 +47,13 @@ func pathConfig(b *backend) *framework.Path { Type: framework.TypeInt, Default: 10, Description: "RADIUS NAS port field (default: 10)", + DisplayName: "NAS Port", }, "nas_identifier": &framework.FieldSchema{ Type: framework.TypeString, Default: "", Description: "RADIUS NAS Identifier field (optional)", + DisplayName: "NAS Identifier", }, }, diff --git a/builtin/logical/aws/path_roles.go b/builtin/logical/aws/path_roles.go index 8e40e36dbc..0745172253 100644 --- a/builtin/logical/aws/path_roles.go +++ b/builtin/logical/aws/path_roles.go @@ -36,6 +36,7 @@ func pathRoles(b *backend) *framework.Path { "name": &framework.FieldSchema{ Type: framework.TypeString, Description: "Name of the policy", + DisplayName: "Policy Name", }, "credential_type": &framework.FieldSchema{ @@ -46,11 +47,13 @@ func pathRoles(b *backend) *framework.Path { "role_arns": &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: "ARNs of AWS roles allowed to be assumed. Only valid when credential_type is " + assumedRoleCred, + DisplayName: "Role ARNs", }, "policy_arns": &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: "ARNs of AWS policies to attach to IAM users. Only valid when credential_type is " + iamUserCred, + DisplayName: "Policy ARNs", }, "policy_document": &framework.FieldSchema{ 
@@ -65,22 +68,26 @@ GetFederationToken API call, acting as a filter on permissions available.`, "default_sts_ttl": &framework.FieldSchema{ Type: framework.TypeDurationSecond, Description: fmt.Sprintf("Default TTL for %s and %s credential types when no TTL is explicitly requested with the credentials", assumedRoleCred, federationTokenCred), + DisplayName: "Default TTL", }, "max_sts_ttl": &framework.FieldSchema{ Type: framework.TypeDurationSecond, Description: fmt.Sprintf("Max allowed TTL for %s and %s credential types", assumedRoleCred, federationTokenCred), + DisplayName: "Max TTL", }, "arn": &framework.FieldSchema{ Type: framework.TypeString, Description: `Deprecated; use role_arns or policy_arns instead. ARN Reference to a managed policy or IAM role to assume`, + Deprecated: true, }, "policy": &framework.FieldSchema{ Type: framework.TypeString, Description: "Deprecated; use policy_document instead. IAM policy document", + Deprecated: true, }, }, diff --git a/builtin/logical/pki/fields.go b/builtin/logical/pki/fields.go index dee7779be2..1a0be88a61 100644 --- a/builtin/logical/pki/fields.go +++ b/builtin/logical/pki/fields.go @@ -11,6 +11,7 @@ func addIssueAndSignCommonFields(fields map[string]*framework.FieldSchema) map[s Description: `If true, the Common Name will not be included in DNS or Email Subject Alternate Names. Defaults to false (CN is included).`, + DisplayName: "Exclude Common Name from Subject Alternative Names (SANs)", } fields["format"] = &framework.FieldSchema{ @@ -20,6 +21,7 @@ Defaults to false (CN is included).`, or "pem_bundle". If "pem_bundle" any private key and issuing cert will be appended to the certificate pem. Defaults to "pem".`, + AllowedValues: []interface{}{"pem", "der", "pem_bundle"}, } fields["private_key_format"] = &framework.FieldSchema{ 
@@ -31,24 +33,28 @@ parameter as either base64-encoded DER or PEM-encoded DER. However, this can be set to "pkcs8" to have the returned private key contain base64-encoded pkcs8 or PEM-encoded pkcs8 instead. Defaults to "der".`, + AllowedValues: []interface{}{"", "der", "pem", "pkcs8"}, } fields["ip_sans"] = &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `The requested IP SANs, if any, in a comma-delimited list`, + DisplayName: "IP Subject Alternative Names (SANs)", } fields["uri_sans"] = &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `The requested URI SANs, if any, in a comma-delimited list.`, + DisplayName: "URI Subject Alternative Names (SANs)", } fields["other_sans"] = &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `Requested other SANs, in an array with the format ;UTF8: for each entry.`, + DisplayName: "Other SANs", } return fields @@ -79,6 +85,7 @@ in the role, this may be an email address.`, in a comma-delimited list. If email protection is enabled for the role, this may contain email addresses.`, + DisplayName: "DNS/Email Subject Alternative Names (SANs)", } fields["serial_number"] = &framework.FieldSchema{ @@ -95,6 +102,7 @@ sets the expiration date. If not specified the role default, backend default, or system default TTL is used, in that order. Cannot be larger than the role max TTL.`, + DisplayName: "TTL", } return fields @@ -110,6 +118,7 @@ func addCACommonFields(fields map[string]*framework.FieldSchema) map[string]*fra Description: `The requested Subject Alternative Names, if any, in a comma-delimited list. May contain both DNS names and email addresses.`, + DisplayName: "DNS/Email Subject Alternative Names (SANs)", } fields["common_name"] = &framework.FieldSchema{ 
@@ -131,12 +140,14 @@ be larger than the mount max TTL. Note: this only has an effect when generating a CA cert or signing a CA cert, not when generating a CSR for an intermediate CA.`, + DisplayName: "TTL", } fields["ou"] = &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `If set, OU (OrganizationalUnit) will be set to this value.`, + DisplayName: "OU (Organizational Unit)", } fields["organization"] = &framework.FieldSchema{ @@ -155,24 +166,28 @@ this value.`, Type: framework.TypeCommaStringSlice, Description: `If set, Locality will be set to this value.`, + DisplayName: "Locality/City", } fields["province"] = &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `If set, Province will be set to this value.`, + DisplayName: "Province/State", } fields["street_address"] = &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `If set, Street Address will be set to this value.`, + DisplayName: "Street Address", } fields["postal_code"] = &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `If set, Postal Code will be set to this value.`, + DisplayName: "Postal Code", } fields["serial_number"] = &framework.FieldSchema{ @@ -209,8 +224,8 @@ the key_type.`, Default: "rsa", Description: `The type of key to use; defaults to RSA. "rsa" and "ec" are the only valid values.`, + AllowedValues: []interface{}{"rsa", "ec"}, } - return fields } @@ -226,6 +241,7 @@ func addCAIssueFields(fields map[string]*framework.FieldSchema) map[string]*fram fields["permitted_dns_domains"] = &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `Domains for which this certificate is allowed to sign or issue child certificates. If set, all DNS names (subject and alt) on child certs must be exact matches or subsets of the given domains (see https://tools.ietf.org/html/rfc5280#section-4.2.1.10).`, + DisplayName: "Permitted DNS Domains", } return fields 
diff --git a/builtin/logical/pki/path_roles.go b/builtin/logical/pki/path_roles.go index e796df0122..a39fe97cb9 100644 --- a/builtin/logical/pki/path_roles.go +++ b/builtin/logical/pki/path_roles.go @@ -31,6 +31,11 @@ func pathRoles(b *backend) *framework.Path { return &framework.Path{ Pattern: "roles/" + framework.GenericNameRegex("name"), Fields: map[string]*framework.FieldSchema{ + "backend": &framework.FieldSchema{ + Type: framework.TypeString, + Description: "Backend Type", + }, + "name": &framework.FieldSchema{ Type: framework.TypeString, Description: "Name of the role", @@ -42,11 +47,13 @@ func pathRoles(b *backend) *framework.Path { requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.`, + DisplayName: "TTL", }, "max_ttl": &framework.FieldSchema{ Type: framework.TypeDurationSecond, Description: "The maximum allowed lease duration", + DisplayName: "Max TTL", }, "allow_localhost": &framework.FieldSchema{ 
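Review bot: The new `backend` field in the pki roles schema is declared with only `Type` and `Description: "Backend Type"`, and nothing in this hunk reads it, so as written it is an accepted-but-ignored request parameter. If it exists only so the generated OpenAPI/UI metadata can carry the mount type, a comment should say so, e.g. `// "backend" is not a role parameter; declared only so generated API metadata can surface the mount type`; otherwise it should be dropped. pathRoles continues outside the hunk, so whether a handler consumes it cannot be confirmed here.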
@@ -107,17 +114,20 @@ CN and SANs. Defaults to true.`, Default: true, Description: `If set, IP Subject Alternative Names are allowed. Any valid IP is accepted.`, + DisplayName: "Allow IP Subject Alternative Names", }, "allowed_uri_sans": &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `If set, an array of allowed URIs to put in the URI Subject Alternative Names. Any valid URI is accepted, these values support globbing.`, + DisplayName: "Allowed URI Subject Alternative Names", }, "allowed_other_sans": &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `If set, an array of allowed other names to put in SANs. These values support globbing and must be in the format ;:. Currently only "utf8" is a valid type. All values, including globbing values, must use this syntax, with the exception being a single "*" which allows any OID and any value (but type must still be utf8).`, + DisplayName: "Allowed Other Subject Alternative Names", }, "allowed_serial_numbers": &framework.FieldSchema{ @@ -156,6 +166,7 @@ protection use. Defaults to false.`, Default: "rsa", Description: `The type of key to use; defaults to RSA. "rsa" and "ec" are the only valid values.`, + AllowedValues: []interface{}{"rsa", "ec"}, }, "key_bits": &framework.FieldSchema{ @@ -175,6 +186,7 @@ https://golang.org/pkg/crypto/x509/#KeyUsage -- simply drop the "KeyUsage" part of the name. To remove all key usages from being set, set this value to an empty list.`, + DisplayValue: "DigitalSignature,KeyAgreement,KeyEncipherment", }, "ext_key_usage": &framework.FieldSchema{ 
@@ -185,11 +197,13 @@ https://golang.org/pkg/crypto/x509/#ExtKeyUsage -- simply drop the "ExtKeyUsage" part of the name. To remove all key usages from being set, set this value to an empty list.`, + DisplayName: "Extended Key Usage", }, "ext_key_usage_oids": &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `A comma-separated string or list of extended key usage oids.`, + DisplayName: "Extended Key Usage OIDs", }, "use_csr_common_name": &framework.FieldSchema{ @@ -199,6 +213,7 @@ this value to an empty list.`, the common name in the CSR will be used. This does *not* include any requested Subject Alternative Names. Defaults to true.`, + DisplayName: "Use CSR Common Name", }, "use_csr_sans": &framework.FieldSchema{ @@ -207,12 +222,14 @@ Names. Defaults to true.`, Description: `If set, when used with a signing profile, the SANs in the CSR will be used. This does *not* include the Common Name (cn). Defaults to true.`, + DisplayName: "Use CSR Subject Alternative Names", }, "ou": &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `If set, OU (OrganizationalUnit) will be set to this value in certificates issued by this role.`, + DisplayName: "Organizational Unit", }, "organization": &framework.FieldSchema{ @@ -231,12 +248,14 @@ this value in certificates issued by this role.`, Type: framework.TypeCommaStringSlice, Description: `If set, Locality will be set to this value in certificates issued by this role.`, + DisplayName: "Locality/City", }, "province": &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `If set, Province will be set to this value in certificates issued by this role.`, + DisplayName: "Province/State", }, "street_address": &framework.FieldSchema{ 
@@ -263,6 +282,7 @@ to the CRL. When large number of certificates are generated with long lifetimes, it is recommended that lease generation be disabled, as large amount of leases adversely affect the startup time of Vault.`, }, + "no_store": &framework.FieldSchema{ Type: framework.TypeBool, Description: ` @@ -273,18 +293,23 @@ or revoked, so this option is recommended only for certificates that are non-sensitive, or extremely short-lived. This option implies a value of "false" for "generate_lease".`, }, + "require_cn": &framework.FieldSchema{ Type: framework.TypeBool, Default: true, Description: `If set to false, makes the 'common_name' field optional while generating a certificate.`, + DisplayName: "Use CSR Common Name", }, + "policy_identifiers": &framework.FieldSchema{ Type: framework.TypeCommaStringSlice, Description: `A comma-separated string or list of policy oids.`, }, + "basic_constraints_valid_for_non_ca": &framework.FieldSchema{ Type: framework.TypeBool, Description: `Mark Basic Constraints valid when issuing non-CA certificates.`, + DisplayName: "Basic Constraints Valid for Non-CA", }, "not_before_duration": &framework.FieldSchema{ Type: framework.TypeDurationSecond, diff --git a/builtin/logical/ssh/path_roles.go b/builtin/logical/ssh/path_roles.go index 932d6edf65..3d535f2b89 100644 --- a/builtin/logical/ssh/path_roles.go +++ b/builtin/logical/ssh/path_roles.go @@ -93,6 +93,7 @@ func pathRoles(b *backend) *framework.Path { credential is being generated for other users, Vault uses this admin username to login to remote host and install the generated credential for the other user.`, + DisplayName: "Admin Username", }, "default_user": &framework.FieldSchema{ Type: framework.TypeString, 
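Review bot: `require_cn` gets `DisplayName: "Use CSR Common Name"`, which is the label this commit already gives to `use_csr_common_name` earlier in the file and does not describe this field, whose description says it makes `common_name` optional when false. Two fields with the same label would be indistinguishable in a UI built from this metadata, and for a certificate-issuing role that is a misleading place to be wrong. Suggest `DisplayName: "Require Common Name",`.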
@@ -101,6 +102,7 @@ func pathRoles(b *backend) *framework.Path { Default username for which a credential will be generated. When the endpoint 'creds/' is used without a username, this value will be used as default username.`, + DisplayName: "Default Username", }, "cidr_list": &framework.FieldSchema{ Type: framework.TypeString, @@ -108,6 +110,7 @@ func pathRoles(b *backend) *framework.Path { [Optional for Dynamic type] [Optional for OTP type] [Not applicable for CA type] Comma separated list of CIDR blocks for which the role is applicable for. CIDR blocks can belong to more than one role.`, + DisplayName: "CIDR List", }, "exclude_cidr_list": &framework.FieldSchema{ Type: framework.TypeString, @@ -116,6 +119,7 @@ func pathRoles(b *backend) *framework.Path { Comma separated list of CIDR blocks. IP addresses belonging to these blocks are not accepted by the role. This is particularly useful when big CIDR blocks are being used by the role and certain parts of it needs to be kept out.`, + DisplayName: "Exclude CIDR List", }, "port": &framework.FieldSchema{ Type: framework.TypeInt, @@ -125,6 +129,7 @@ func pathRoles(b *backend) *framework.Path { play any role in creation of OTP. For 'otp' type, this is just a way to inform client about the port number to use. Port number will be returned to client by Vault server along with OTP.`, + DisplayValue: 22, }, "key_type": &framework.FieldSchema{ Type: framework.TypeString, @@ -132,6 +137,8 @@ func pathRoles(b *backend) *framework.Path { [Required for all types] Type of key used to login to hosts. It can be either 'otp', 'dynamic' or 'ca'. 'otp' type requires agent to be installed in remote hosts.`, + AllowedValues: []interface{}{"otp", "dynamic","ca"}, + DisplayValue: "ca", }, "key_bits": &framework.FieldSchema{ Type: framework.TypeInt, 
@@ -188,6 +195,7 @@ func pathRoles(b *backend) *framework.Path { requested. The lease duration controls the expiration of certificates issued by this backend. Defaults to the value of max_ttl.`, + DisplayName: "TTL", }, "max_ttl": &framework.FieldSchema{ Type: framework.TypeDurationSecond, @@ -195,6 +203,7 @@ func pathRoles(b *backend) *framework.Path { [Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] The maximum allowed lease duration `, + DisplayName: "Max TTL", }, "allowed_critical_options": &framework.FieldSchema{ Type: framework.TypeString, @@ -202,7 +211,7 @@ func pathRoles(b *backend) *framework.Path { [Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] A comma-separated list of critical options that certificates can have when signed. To allow any critical options, set this to an empty string. - `, + `, }, "allowed_extensions": &framework.FieldSchema{ Type: framework.TypeString, @@ -238,7 +247,7 @@ func pathRoles(b *backend) *framework.Path { [Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'user'. `, - Default: false, + Default: false, }, "allow_host_certificates": &framework.FieldSchema{ Type: framework.TypeBool, @@ -246,7 +255,7 @@ func pathRoles(b *backend) *framework.Path { [Not applicable for Dynamic type] [Not applicable for OTP type] [Optional for CA type] If set, certificates are allowed to be signed for use as a 'host'. `, - Default: false, + Default: false, }, "allow_bare_domains": &framework.FieldSchema{ Type: framework.TypeBool, @@ -272,6 +281,7 @@ func pathRoles(b *backend) *framework.Path { When false, the key ID will always be the token display name. The key ID is logged by the SSH server and can be useful for auditing. `, + DisplayName: "Allow User Key IDs", }, "key_id_format": &framework.FieldSchema{ Type: framework.TypeString, 
@@ -282,6 +292,7 @@ func pathRoles(b *backend) *framework.Path { the token used to make the request. '{{role_name}}' - The name of the role signing the request. '{{public_key_hash}}' - A SHA256 checksum of the public key that is being signed. `, + DisplayName: "Key ID Format", }, "allowed_user_key_lengths": &framework.FieldSchema{ Type: framework.TypeMap, diff --git a/helper/ldaputil/config.go b/helper/ldaputil/config.go index 9da1ffd71a..7169a8c82b 100644 --- a/helper/ldaputil/config.go +++ b/helper/ldaputil/config.go @@ -22,26 +22,31 @@ func ConfigFields() map[string]*framework.FieldSchema { Type: framework.TypeString, Default: "ldap://127.0.0.1", Description: "LDAP URL to connect to (default: ldap://127.0.0.1). Multiple URLs can be specified by concatenating them with commas; they will be tried in-order.", + DisplayName: "URL", }, "userdn": { Type: framework.TypeString, Description: "LDAP domain to use for users (eg: ou=People,dc=example,dc=org)", + DisplayName: "User DN", }, "binddn": { Type: framework.TypeString, Description: "LDAP DN for searching for the user DN (optional)", + DisplayName: "Name of Object to bind (binddn)", }, "bindpass": { - Type: framework.TypeString, - Description: "LDAP password for searching for the user DN (optional)", + Type: framework.TypeString, + Description: "LDAP password for searching for the user DN (optional)", + DisplaySensitive: true, }, "groupdn": { Type: framework.TypeString, Description: "LDAP search base to use for group membership search (eg: ou=Groups,dc=example,dc=org)", + DisplayName: "Group DN", }, "groupfilter": { 
@@ -60,17 +65,20 @@ Default: (|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN} in order to enumerate user group membership. Examples: "cn" or "memberOf", etc. Default: cn`, + DisplayName: "Group Attribute", }, "upndomain": { Type: framework.TypeString, Description: "Enables userPrincipalDomain login with [username]@UPNDomain (optional)", + DisplayName: "User Principal (UPN) Domain", }, "userattr": { Type: framework.TypeString, Default: "cn", Description: "Attribute used for users (default: cn)", + DisplayName: "User Attribute", }, "certificate": { 
@@ -81,28 +89,35 @@ Default: cn`, "discoverdn": { Type: framework.TypeBool, Description: "Use anonymous bind to discover the bind DN of a user (optional)", + DisplayName: "Discover DN", }, "insecure_tls": { Type: framework.TypeBool, Description: "Skip LDAP server SSL Certificate verification - VERY insecure (optional)", + DisplayName: "Insecure TLS", }, "starttls": { Type: framework.TypeBool, Description: "Issue a StartTLS command after establishing unencrypted connection (optional)", + DisplayName: "Issue StartTLS command after establishing an unencrypted connection", }, "tls_min_version": { - Type: framework.TypeString, - Default: "tls12", - Description: "Minimum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'", + Type: framework.TypeString, + Default: "tls12", + Description: "Minimum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'", + DisplayName: "Minimum TLS Version", + AllowedValues: []interface{}{"tls10", "tls11", "tls12"}, }, "tls_max_version": { - Type: framework.TypeString, - Default: "tls12", - Description: "Maximum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'", + Type: framework.TypeString, + Default: "tls12", + Description: "Maximum TLS version to use. Accepted values are 'tls10', 'tls11' or 'tls12'. Defaults to 'tls12'", + DisplayName: "Maxumum TLS Version", + AllowedValues: []interface{}{"tls10", "tls11", "tls12"}, }, "deny_null_bind": { diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf index 64ffc78b62..ece9cc78df 100644 --- a/terraform/aws/variables.tf +++ b/terraform/aws/variables.tf @@ -3,7 +3,7 @@ //------------------------------------------------------------------- variable "download-url" { - default = "https://releases.hashicorp.com/vault/1.0.2/vault_1.0.2_linux_amd64.zip" + default = "https://releases.hashicorp.com/vault/1.0.3/vault_1.0.3_linux_amd64.zip" description = "URL to download Vault" } 
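Review bot: `DisplayName: "Maxumum TLS Version"` on `tls_max_version` has a typo and should read `DisplayName: "Maximum TLS Version",`. Separately, `insecure_tls` is labelled just `"Insecure TLS"` while its description carries the "VERY insecure" warning; a label-only rendering would lose that, so something like `DisplayName: "Insecure TLS (skip certificate verification)",` keeps the risk visible where the toggle is. ConfigFields continues outside the hunk.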
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-azure/Gopkg.lock b/vendor/github.com/hashicorp/vault-plugin-auth-azure/Gopkg.lock index a8eb992af3..b73a81c63b 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-azure/Gopkg.lock +++ b/vendor/github.com/hashicorp/vault-plugin-auth-azure/Gopkg.lock @@ -216,7 +216,7 @@ [[projects]] branch = "master" - digest = "1:450803219e484669ba680c777ecac629dac92abde2bc83009beaa630f5368e71" + digest = "1:606c7307ae83d1adc0901aa8909b700489d7f1294533344453436a8dbff0091b" name = "github.com/hashicorp/vault" packages = [ "api", @@ -226,6 +226,7 @@ "helper/errutil", "helper/hclutil", "helper/jsonutil", + "helper/license", "helper/locksutil", "helper/logging", "helper/mlock", @@ -245,7 +246,7 @@ "version", ] pruneopts = "UT" - revision = "8655d167084028d627f687ddc25d0c71307eb5be" + revision = "c0739a0f2367d5fdd20cef502b628e01bdb90470" [[projects]] branch = "master" @@ -287,6 +288,17 @@ revision = "4dadeb3030eda0273a12382bb2348ffc7c9d1a39" version = "v1.0.0" +[[projects]] + digest = "1:c7a5e79396b6eb570159df7a1d487ce5775bf43b7907976fbef6de544ea160ad" + name = "github.com/pierrec/lz4" + packages = [ + ".", + "internal/xxh32", + ] + pruneopts = "UT" + revision = "473cd7ce01a1113208073166464b98819526150e" + version = "v2.0.8" + [[projects]] branch = "master" digest = "1:bd9efe4e0b0f768302a1e2f0c22458149278de533e521206e5ddc71848c269a0" diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-azure/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-azure/path_config.go index 8b18cc9065..4e5fad3890 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-azure/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-azure/path_config.go 
@@ -16,26 +16,31 @@ func pathConfig(b *azureAuthBackend) *framework.Path { Description: `The tenant id for the Azure Active Directory. This is sometimes referred to as Directory ID in AD. This value can also be provided with the AZURE_TENANT_ID environment variable.`, + DisplayName: "Tenant ID", }, "resource": &framework.FieldSchema{ Type: framework.TypeString, Description: `The resource URL for the vault application in Azure Active Directory. This value can also be provided with the AZURE_AD_RESOURCE environment variable.`, + DisplayName: "Resource", }, "environment": &framework.FieldSchema{ Type: framework.TypeString, Description: `The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable.`, + DisplayName: "Environment", }, "client_id": &framework.FieldSchema{ Type: framework.TypeString, Description: `The OAuth2 client id to connection to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable.`, + DisplayName: "Client ID", }, "client_secret": &framework.FieldSchema{ Type: framework.TypeString, Description: `The OAuth2 client secret to connection to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable.`, + DisplayName: "Client Secret", }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_config.go index 3476a64134..da4d32f310 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_config.go @@ -6,6 +6,7 @@ import ( "fmt" "encoding/json" + "github.com/hashicorp/go-gcp-common/gcputil" "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" 
@@ -20,11 +21,13 @@ func pathConfig(b *GcpAuthBackend) *framework.Path { Description: ` Google credentials JSON that Vault will use to verify users against GCP APIs. If not specified, will use application default credentials`, + DisplayName: "Credentials", }, "google_certs_endpoint": { Type: framework.TypeString, Description: ` Deprecated. This field does nothing and be removed in a future release`, + Deprecated: true, }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go index 3fc200df4c..8c44519ab0 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go @@ -174,6 +174,15 @@ func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Reque } } + case len(config.JWTSupportedAlgs) != 0: + for _, a := range config.JWTSupportedAlgs { + switch a { + case oidc.RS256, oidc.RS384, oidc.RS512, oidc.ES256, oidc.ES384, oidc.ES512, oidc.PS256, oidc.PS384, oidc.PS512: + default: + return logical.ErrorResponse(fmt.Sprintf("Invalid supported algorithm: %s", a)), nil + } + } + default: return nil, errors.New("unknown condition") } diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock index 1d1007232e..f6ee0566a5 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock +++ b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock @@ -203,7 +203,7 @@ [[projects]] branch = "master" - digest = "1:d00de8725219a569ffbb5dd1042e4ced1f3b5ccee2b07218371f71026cc7609a" + digest = "1:7be65468c591c5e836ec7ff70b6e7665452a6e700d5f0d5bb9edec8aa57b58e2" name = "github.com/hashicorp/vault" packages = [ "api", 
@@ -214,6 +214,7 @@ "helper/errutil", "helper/hclutil", "helper/jsonutil", + "helper/license", "helper/locksutil", "helper/logging", "helper/mlock", @@ -233,7 +234,7 @@ "version", ] pruneopts = "UT" - revision = "add60e6dc7ff7b94487f3b5b680d00d7c05fe621" + revision = "c0739a0f2367d5fdd20cef502b628e01bdb90470" [[projects]] branch = "master" @@ -275,6 +276,17 @@ revision = "4dadeb3030eda0273a12382bb2348ffc7c9d1a39" version = "v1.0.0" +[[projects]] + digest = "1:c7a5e79396b6eb570159df7a1d487ce5775bf43b7907976fbef6de544ea160ad" + name = "github.com/pierrec/lz4" + packages = [ + ".", + "internal/xxh32", + ] + pruneopts = "UT" + revision = "473cd7ce01a1113208073166464b98819526150e" + version = "v2.0.8" + [[projects]] digest = "1:0e792eea6c96ec55ff302ef33886acbaa5006e900fefe82689e88d96439dcd84" name = "github.com/ryanuber/go-glob" diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go index f10d4b4c7f..01f6de36c8 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go @@ -22,16 +22,20 @@ func pathConfig(b *kubeAuthBackend) *framework.Path { "kubernetes_host": { Type: framework.TypeString, Description: "Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.", + DisplayName: "Kubernetes Host", }, + "kubernetes_ca_cert": { Type: framework.TypeString, Description: "PEM encoded CA cert for use by the TLS client used to talk with the API.", + DisplayName: "Kubernetes CA Certificate", }, "token_reviewer_jwt": { Type: framework.TypeString, Description: `A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.`, + DisplayName: "Token Reviewer JWT", }, "pem_keys": { Type: framework.TypeCommaStringSlice, 
@@ -39,6 +43,7 @@ the JWT used for login will be used to access the API.`,
 used to verify the signatures of kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kuberentes exposes these keys.`,
+ DisplayName: "Service account verification keys",
 },
 },
 Callbacks: map[logical.Operation]framework.OperationFunc{
diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/clients/sts.go b/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/clients/sts.go
index 5771417ac9..210e2566e7 100644
--- a/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/clients/sts.go
+++ b/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/clients/sts.go
@@ -23,9 +23,9 @@ type STSClient struct {
 client *sts.Client
 }
-func (c *STSClient) AssumeRole(userName, roleARN string) (*sts.AssumeRoleResponse, error) {
+func (c *STSClient) AssumeRole(roleSessionName, roleARN string) (*sts.AssumeRoleResponse, error) {
 assumeRoleReq := sts.CreateAssumeRoleRequest()
 assumeRoleReq.RoleArn = roleARN
- assumeRoleReq.RoleSessionName = userName
+ assumeRoleReq.RoleSessionName = roleSessionName
 return c.client.AssumeRole(assumeRoleReq)
 }
diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/path_creds.go b/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/path_creds.go
index e901a8c8cc..a2d7330948 100644
--- a/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/path_creds.go
+++ b/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/path_creds.go
@@ -60,7 +60,7 @@ func (b *backend) operationCredsRead(ctx context.Context, req *logical.Request,
 if err != nil {
 return nil, err
 }
- assumeRoleResp, err := client.AssumeRole(generateUsername(req.DisplayName, roleName), role.RoleARN)
+ assumeRoleResp, err := client.AssumeRole(generateRoleSessionName(req.DisplayName, roleName), role.RoleARN)
 if err != nil {
 return nil, err
 }
@@ -243,15 +243,24 @@ func (b *backend) operationCredsRead(ctx context.Context, req *logical.Request,
 // The max length of a username per AliCloud is 64.
 func generateUsername(displayName, roleName string) string {
- username := fmt.Sprintf("%s-%s-", displayName, roleName)
+ return generateName(displayName, roleName, 64)
+}
- // The time and random number take up to 15 more in length, so if the username
+// The max length of a role session name per AliCloud is 32.
+func generateRoleSessionName(displayName, roleName string) string {
+ return generateName(displayName, roleName, 32)
+}
+
+func generateName(displayName, roleName string, maxLength int) string {
+ name := fmt.Sprintf("%s-%s-", displayName, roleName)
+
+ // The time and random number take up to 15 more in length, so if the name
 // is too long we need to trim it.
- if len(username) > 49 {
- username = username[:49]
+ if len(name) > maxLength-15 {
+ name = name[:maxLength-15]
 }
 r := rand.New(rand.NewSource(time.Now().UnixNano()))
- return fmt.Sprintf("%s%d-%d", username, time.Now().Unix(), r.Intn(10000))
+ return fmt.Sprintf("%s%d-%d", name, time.Now().Unix(), r.Intn(10000))
 }
 const pathCredsHelpSyn = `
diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-gcpkms/README.md b/vendor/github.com/hashicorp/vault-plugin-secrets-gcpkms/README.md
index f32c2cddb0..1924eb9915 100644
--- a/vendor/github.com/hashicorp/vault-plugin-secrets-gcpkms/README.md
+++ b/vendor/github.com/hashicorp/vault-plugin-secrets-gcpkms/README.md
@@ -84,6 +84,12 @@ instructions are only useful if you want to develop against the plugin.**
 $ vault secrets enable -path=gcpkms -plugin=vault-plugin-secrets-gcpkms plugin
 ```
+### Documentation
+
+The documentation for the plugin lives in the [main Vault
+repository](/hashicorp/vault) in the `website/` folder. Please make any
+documentation updates as separate Pull Requests against that repo.
+
 ### Tests
 This plugin has both unit tests and acceptance tests. To run the acceptance
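Review bot: `name = name[:maxLength-15]` in generateName truncates by byte, so when `displayName` (taken from `req.DisplayName` at the call site) contains multi-byte UTF-8 the cut can land inside a rune and hand the AliCloud request an invalid string; backing the cut index up to a rune boundary with `utf8.RuneStart` keeps the same length bound without that risk. The `-15` budget also presumes every caller passes a maxLength of at least 15 (a 10-digit unix time, `-`, and up to 4 random digits); a smaller value would panic on the slice, which deserves a comment such as `// maxLength must be >= 15 to leave room for the time/random suffix`. Go doc comments should start with the function name, e.g. `// generateUsername returns a unique username; the max length per AliCloud is 64.` and `// generateRoleSessionName returns a unique role session name; the max length per AliCloud is 32.`, and generateName itself has no doc comment at all.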
diff --git a/vendor/vendor.json b/vendor/vendor.json index 72a0c22377..85025862f4 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json @@ -1391,10 +1391,10 @@ "revisionTime": "2018-11-09T18:06:36Z" }, { - "checksumSHA1": "Jj3mz58lSv0dsuXd6bVxGV4759w=", + "checksumSHA1": "UgLfwpXoRLpMOF0rzaj+cRcTtdo=", "path": "github.com/hashicorp/vault-plugin-auth-azure", - "revision": "4c0b46069a2293d5a6ca7506c8d3e0c4a92f3dbc", - "revisionTime": "2018-12-07T23:25:28Z" + "revision": "0af1d040b5b329f41904cadcd96be55179468880", + "revisionTime": "2019-02-01T22:26:32Z" }, { "checksumSHA1": "4Z/niOo76EcP8KpLdSL5GdDcy78=", @@ -1403,10 +1403,10 @@ "revisionTime": "2018-08-16T20:11:31Z" }, { - "checksumSHA1": "llLHR3FVdqtuFgjIoL9GNN8zKKI=", + "checksumSHA1": "Nd9aBfL80t7N8B9VVsNBgihA5f4=", "path": "github.com/hashicorp/vault-plugin-auth-gcp/plugin", - "revision": "4d63bbfe6fcf0363a2ea2c273846e88b95d85089", - "revisionTime": "2018-12-10T20:01:33Z" + "revision": "7d4c2101e7d0b61ec9fb0dc3c75d79920c6369c5", + "revisionTime": "2019-02-01T21:54:14Z" }, { "checksumSHA1": "jCtLHj3YAONxCcV6v6kifTrRJwM=", 
@@ -1417,40 +1417,40 @@ "versionExact": "oidc-dev" }, { - "checksumSHA1": "Ldg2jQeyPrpAupyQq4lRVN+jfFY=", + "checksumSHA1": "NfVgV3CmKXGRsXk1sYVgMMRZ5Zc=", "path": "github.com/hashicorp/vault-plugin-auth-kubernetes", - "revision": "091d9e5d5fabce920533eff31ad778778992a671", - "revisionTime": "2018-11-30T16:25:33Z" + "revision": "db96aa4ab438cbc1cf544cec758d0d16ca4e9681", + "revisionTime": "2019-02-01T22:22:09Z" }, { "checksumSHA1": "PmhyvCKVlEMEP6JO31ozW+CBIiE=", "path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin", - "revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a", - "revisionTime": "2018-11-09T18:28:34Z" + "revision": "4796d99801253c6f10d7d96b968a3204a9a1ead8", + "revisionTime": "2019-01-31T22:24:16Z" }, { "checksumSHA1": "GOxdFElG31lXWgKFG9aqpDcG47M=", "path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/client", - "revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a", - "revisionTime": "2018-11-09T18:28:34Z" + "revision": "4796d99801253c6f10d7d96b968a3204a9a1ead8", + "revisionTime": "2019-01-31T22:24:16Z" }, { "checksumSHA1": "RaH2xTkjaToCk+RoPhap7I66ibo=", "path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/util", - "revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a", - "revisionTime": "2018-11-09T18:28:34Z" + "revision": "4796d99801253c6f10d7d96b968a3204a9a1ead8", + "revisionTime": "2019-01-31T22:24:16Z" }, { - "checksumSHA1": "VLXyxS5dEoiWTSFmpMJIz+Pwtmw=", + "checksumSHA1": "l0xVOHA0/SIjNfrmBRbrFvMVOaw=", "path": "github.com/hashicorp/vault-plugin-secrets-alicloud", - "revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d", - "revisionTime": "2018-11-09T18:14:53Z" + "revision": "b0abe36195cb171e673a9f6425df977eff1ef825", + "revisionTime": "2019-01-31T21:18:12Z" }, { - "checksumSHA1": "dqduixICi6NeyLNRCDdw62t1LFU=", + "checksumSHA1": "e96mN6plz/ApctpjvU2kiCumOl0=", "path": "github.com/hashicorp/vault-plugin-secrets-alicloud/clients", - "revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d", - "revisionTime": 
"2018-11-09T18:14:53Z" + "revision": "b0abe36195cb171e673a9f6425df977eff1ef825", + "revisionTime": "2019-01-31T21:18:12Z" }, { "checksumSHA1": "rgeBhrdLyF2orH3QA/H66ZSSbuo=", @@ -1477,16 +1477,16 @@ "revisionTime": "2018-09-21T17:32:00Z" }, { - "checksumSHA1": "TbPoZQkYZ7Bukdw6U+/GejbaZAs=", + "checksumSHA1": "StwRTX92gyH7iHkyZk4df+dLISM=", "path": "github.com/hashicorp/vault-plugin-secrets-gcpkms", - "revision": "6cd991800a6d7af69b1950ec4cbf402d021a099d", - "revisionTime": "2018-12-12T18:25:53Z" + "revision": "d6b25b0b4a39132ec3c02f19631b6a9bdadef042", + "revisionTime": "2019-01-16T16:49:38Z" }, { "checksumSHA1": "yhUUqN5rbEXnfI8WfGUofXToD+o=", "path": "github.com/hashicorp/vault-plugin-secrets-kv", - "revision": "9dbe04db0e34c9c3c75bedcdb16d8ff78f0c54bd", - "revisionTime": "2018-12-19T17:59:33Z" + "revision": "edbfe287c5d9277cecf2c91c79ffcc34f19d2049", + "revisionTime": "2019-01-15T20:37:47Z" }, { "checksumSHA1": "ldkAQ1CpiAaQ9sti0qIch+UyRsI=", diff --git a/version/version_base.go b/version/version_base.go index 9fe8ab27fc..1b566a6343 100644 --- a/version/version_base.go +++ b/version/version_base.go @@ -2,7 +2,7 @@ package version func init() { // The main version number that is being run at the moment. - Version = "1.0.2" + Version = "1.0.3" // A pre-release marker for the version. If this is "" (empty string) // then it means that it is a final release. Otherwise, this is a pre-release diff --git a/website/config.rb b/website/config.rb index 697dbc206f..bdc8a4a9a7 100644 --- a/website/config.rb +++ b/website/config.rb @@ -6,7 +6,7 @@ use ReshapeMiddleware, component_file: "assets/reshape.js" activate :hashicorp do |h| h.name = "vault" - h.version = "1.0.2" + h.version = "1.0.3" h.github_slug = "hashicorp/vault" h.website_root = "website" h.releases_enabled = true diff --git a/website/source/docs/secrets/transit/index.html.md b/website/source/docs/secrets/transit/index.html.md index 7bf6998fe7..881bac6253 100644 
--- a/website/source/docs/secrets/transit/index.html.md
+++ b/website/source/docs/secrets/transit/index.html.md
@@ -32,13 +32,14 @@ disabled to accommodate auditing requirements.
 ## Working Set Management
-This secrets engine does not currently delete keys. Keys that are out of the
-working set (earlier than a key's specified `min_decryption_version` are
-instead archived. This is a performance consideration to keep key loading fast,
-as well as a security consideration: by disallowing decryption of old versions
-of keys, found ciphertext corresponding to obsolete (but sensitive) data can
-not be decrypted by most users, but in an emergency the
-`min_decryption_version` can be moved back to allow for legitimate decryption.
+The Transit engine supports versioning of keys. Key versions that are earlier
+than a key's specified `min_decryption_version` gets archived, and the rest of
+the key versions belong to the working set. This is a performance consideration
+to keep key loading fast, as well as a security consideration: by disallowing
+decryption of old versions of keys, found ciphertext corresponding to obsolete
+(but sensitive) data can not be decrypted by most users, but in an emergency
+the `min_decryption_version` can be moved back to allow for legitimate
+decryption.
 Currently this archive is stored in a single storage entry. With some storage backends, notably those using Raft or Paxos for HA capabilities, frequent