merge from master

hashicorp · Oct 8, 2019 · 61fa0fe · 61fa0fe
2 parents 8ef0806 + 3415760
commit 61fa0fe
Show file tree

Hide file tree

Showing 282 changed files with 33,192 additions and 433 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,8 +6,13 @@ FEATURES:
    [Stackdriver](https://cloud.google.com/stackdriver/). See the [configuration
    documentation](https://www.vaultproject.io/docs/config/index.html) for
    details. [GH-6957]
+ * Transit: Signing and verification is now supported with the P-384
+   (secp384r1) and P-521 (secp521r1) ECDSA curves [GH-7551]
+ * Transit: Encryption and decryption is now supported via AES128-GCM96
+   [GH-7555]
 
 CHANGES: 
+
  * sys/seal-status now has a `storage_type` field denoting what type of storage
    the cluster is configured to use
 
@@ -16,21 +21,35 @@ IMPROVEMENTS:
  * auth/jwt: The redirect callback host may now be specified for CLI logins
    [JWT-71]
  * core: Exit ScanView if context has been cancelled [GH-7419]
- * secrets/aws: The root config can now be read [GH-7245]
- * storage/cassandra: Improve storage efficiency by eliminating unnecessary
-   copies of value data [GH-7199]
  * replication (enterprise): Write-Ahead-Log entries will not duplicate the
    data belonging to the encompassing physical entries of the transaction,
    thereby improving the performance and storage capacity.
+ * secrets/aws: The root config can now be read [GH-7245]
+ * storage/azure: Add config parameter to Azure storage backend to allow
+   specifying the ARM endpoint [GH-7567]
+ * storage/cassandra: Improve storage efficiency by eliminating unnecessary
+   copies of value data [GH-7199]
+ * sys: Add a new `sys/host-info` endpoint for querying information about 
+   the host [GH-7330]
+ * sys: Add a new set of endpoints under `sys/pprof/` that allows profiling
+   information to be extracted [GH-7473]
 
 BUG FIXES:
+
  * agent: Fix handling of gzipped responses [GH-7470]
  * auth/gcp: Fix a bug where region information in instance groups names could
    cause an authorization attempt to fail [GCP-74]
  * cli: Fix a bug where a token of an unknown format (e.g. in ~/.vault-token)
    could cause confusing error messages during `vault login` [GH-7508]
+ * identity: Add required field `response_types_supported` to identity token
+   `.well-known/openid-configuration` response [GH-7533]
  * identity (enterprise): Fixed identity case sensitive loading in secondary
    cluster [GH-7327]
+ * secrets/database: Fix bug in combined DB secrets engine that can result in
+   writes to static-roles endpoints timing out [GH-7518]
+ * ui: using the `wrapped_token` query param will work with `redirect_to` and
+   will automatically log in as intended [GH-7398]
+ * ui: Allow kv v2 secrets that are gated by Control Groups to be viewed in the UI [GH-7504]
 
 ## 1.2.3 (September 12, 2019)
 
@@ -269,13 +288,13 @@ BUG FIXES:
  * namespaces: Fix a behavior (currently only known to be benign) where we
    wouldn't delete policies through the official functions before wiping the
    namespaces on deletion
+ * secrets/database: Escape username/password before using in connection URL
+   [GH-7089]
  * secrets/pki: Forward revocation requests to active node when on a
    performance standby [GH-7173]
  * ui: Fix timestamp on some transit keys [GH-6827]
  * ui: Show Entities and Groups in Side Navigation [GH-7138]
  * ui: Ensure dropdown updates selected item on HTTP Request Metrics page
- * secret/database: Escape username/password before using in connection URL
-   [GH-7089]
 
 ## 1.1.4/1.1.5 (July 25th/30th, 2019)
 

diff --git a/api/go.sum b/api/go.sum
@@ -94,6 +94,7 @@ golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e h1:nFYrTHrdrAOpShe27kaFHjsqYSEQ0KWqdWLu3xuZJts=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db h1:6/JqlYfC1CCaLnGceQTI+sDGhC9UBSPAsBqI0Gun6kU=

diff --git a/builtin/logical/database/rotation.go b/builtin/logical/database/rotation.go
@@ -127,112 +127,115 @@ type setCredentialsWAL struct {
 // This method loops through the priority queue, popping the highest priority
 // item until it encounters the first item that does not yet need rotation,
 // based on the current time.
-func (b *databaseBackend) rotateCredentials(ctx context.Context, s logical.Storage) error {
-	for {
-		// Quit rotating credentials if shutdown has started
-		select {
-		case <-ctx.Done():
-			return nil
-		default:
-		}
-		item, err := b.popFromRotationQueue()
-		if err != nil {
-			if err == queue.ErrEmpty {
-				return nil
-			}
-			return err
-		}
+func (b *databaseBackend) rotateCredentials(ctx context.Context, s logical.Storage) {
+	for b.rotateCredential(ctx, s) {
+	}
+}
 
-		// Guard against possible nil item
-		if item == nil {
-			return nil
+func (b *databaseBackend) rotateCredential(ctx context.Context, s logical.Storage) bool {
+	// Quit rotating credentials if shutdown has started
+	select {
+	case <-ctx.Done():
+		return false
+	default:
+	}
+	item, err := b.popFromRotationQueue()
+	if err != nil {
+		if err != queue.ErrEmpty {
+			b.logger.Error("error popping item from queue", "err", err)
 		}
+		return false
+	}
 
-		// Grab the exclusive lock for this Role, to make sure we don't incur and
-		// writes during the rotation process
-		lock := locksutil.LockForKey(b.roleLocks, item.Key)
-		lock.Lock()
-		defer lock.Unlock()
+	// Guard against possible nil item
+	if item == nil {
+		return false
+	}
 
-		// Validate the role still exists
-		role, err := b.StaticRole(ctx, s, item.Key)
-		if err != nil {
-			b.logger.Error("unable to load role", "role", item.Key, "error", err)
-			item.Priority = time.Now().Add(10 * time.Second).Unix()
-			if err := b.pushItem(item); err != nil {
-				b.logger.Error("unable to push item on to queue", "error", err)
-			}
-			continue
-		}
-		if role == nil {
-			b.logger.Warn("role not found", "role", item.Key, "error", err)
-			continue
-		}
+	// Grab the exclusive lock for this Role, to make sure we don't incur and
+	// writes during the rotation process
+	lock := locksutil.LockForKey(b.roleLocks, item.Key)
+	lock.Lock()
+	defer lock.Unlock()
 
-		// If "now" is less than the Item priority, then this item does not need to
-		// be rotated
-		if time.Now().Unix() < item.Priority {
-			if err := b.pushItem(item); err != nil {
-				b.logger.Error("unable to push item on to queue", "error", err)
-			}
-			// Break out of the for loop
-			break
+	// Validate the role still exists
+	role, err := b.StaticRole(ctx, s, item.Key)
+	if err != nil {
+		b.logger.Error("unable to load role", "role", item.Key, "error", err)
+		item.Priority = time.Now().Add(10 * time.Second).Unix()
+		if err := b.pushItem(item); err != nil {
+			b.logger.Error("unable to push item on to queue", "error", err)
 		}
+		return true
+	}
+	if role == nil {
+		b.logger.Warn("role not found", "role", item.Key, "error", err)
+		return true
+	}
 
-		input := &setStaticAccountInput{
-			RoleName: item.Key,
-			Role:     role,
+	// If "now" is less than the Item priority, then this item does not need to
+	// be rotated
+	if time.Now().Unix() < item.Priority {
+		if err := b.pushItem(item); err != nil {
+			b.logger.Error("unable to push item on to queue", "error", err)
 		}
+		// Break out of the for loop
+		return false
+	}
 
-		// If there is a WAL entry related to this Role, the corresponding WAL ID
-		// should be stored in the Item's Value field.
-		if walID, ok := item.Value.(string); ok {
-			walEntry, err := b.findStaticWAL(ctx, s, walID)
-			if err != nil {
-				b.logger.Error("error finding static WAL", "error", err)
-				item.Priority = time.Now().Add(10 * time.Second).Unix()
-				if err := b.pushItem(item); err != nil {
-					b.logger.Error("unable to push item on to queue", "error", err)
-				}
-			}
-			if walEntry != nil && walEntry.NewPassword != "" {
-				input.Password = walEntry.NewPassword
-				input.WALID = walID
-			}
-		}
+	input := &setStaticAccountInput{
+		RoleName: item.Key,
+		Role:     role,
+	}
 
-		resp, err := b.setStaticAccount(ctx, s, input)
+	// If there is a WAL entry related to this Role, the corresponding WAL ID
+	// should be stored in the Item's Value field.
+	if walID, ok := item.Value.(string); ok {
+		walEntry, err := b.findStaticWAL(ctx, s, walID)
 		if err != nil {
-			b.logger.Error("unable to rotate credentials in periodic function", "error", err)
-			// Increment the priority enough so that the next call to this method
-			// likely will not attempt to rotate it, as a back-off of sorts
+			b.logger.Error("error finding static WAL", "error", err)
 			item.Priority = time.Now().Add(10 * time.Second).Unix()
-
-			// Preserve the WALID if it was returned
-			if resp != nil && resp.WALID != "" {
-				item.Value = resp.WALID
-			}
-
 			if err := b.pushItem(item); err != nil {
 				b.logger.Error("unable to push item on to queue", "error", err)
 			}
-			// Go to next item
-			continue
 		}
+		if walEntry != nil && walEntry.NewPassword != "" {
+			input.Password = walEntry.NewPassword
+			input.WALID = walID
+		}
+	}
 
-		lvr := resp.RotationTime
-		if lvr.IsZero() {
-			lvr = time.Now()
+	resp, err := b.setStaticAccount(ctx, s, input)
+	if err != nil {
+		b.logger.Error("unable to rotate credentials in periodic function", "error", err)
+		// Increment the priority enough so that the next call to this method
+		// likely will not attempt to rotate it, as a back-off of sorts
+		item.Priority = time.Now().Add(10 * time.Second).Unix()
+
+		// Preserve the WALID if it was returned
+		if resp != nil && resp.WALID != "" {
+			item.Value = resp.WALID
 		}
 
-		// Update priority and push updated Item to the queue
-		nextRotation := lvr.Add(role.StaticAccount.RotationPeriod)
-		item.Priority = nextRotation.Unix()
 		if err := b.pushItem(item); err != nil {
-			b.logger.Warn("unable to push item on to queue", "error", err)
+			b.logger.Error("unable to push item on to queue", "error", err)
 		}
+		// Go to next item
+		return true
 	}
-	return nil
+
+	lvr := resp.RotationTime
+	if lvr.IsZero() {
+		lvr = time.Now()
+	}
+
+	// Update priority and push updated Item to the queue
+	nextRotation := lvr.Add(role.StaticAccount.RotationPeriod)
+	item.Priority = nextRotation.Unix()
+	if err := b.pushItem(item); err != nil {
+		b.logger.Warn("unable to push item on to queue", "error", err)
+	}
+	return true
 }
 
 // findStaticWAL loads a WAL entry by ID. If found, only return the WAL if it