
starkandwayne-bot released this Feb 6, 2019 · 2 commits to master since this release

Bug Fixes

  • safe target no longer cares if your current target is valid
    before overwriting it.

Breaking Changes

These are things that should have been done in 1.0.0 to maintain
backward compatibility with older versions of safe's export calls.

  • safe export will now make a v1-style export if it is able to.
    These can be imported by older versions of safe.
  • safe export's --shallow and --only-alive flags are now the
    default behaviors. They can be flipped with the new --all and --deleted
    flags, respectively.

starkandwayne-bot released this Jan 25, 2019 · 8 commits to master since this release

Bug Fixes

  • safe commands no longer 403 when the auth token's policies do not have
    access to sys endpoints.
  • paths and tree operations work correctly when the Vault has a secret at the
    root of a mount.

starkandwayne-bot released this Jan 23, 2019 · 15 commits to master since this release

Bug Fixes

  • safe paths without the --keys flag has output again.

starkandwayne-bot released this Jan 18, 2019 · 17 commits to master since this release

New Features

  • safe now supports the versioned KV v2 backend! (Fixes #138)
  • Commands that write will append new versions to versioned backends.
  • Commands that read will read the newest version (if undeleted) by default.
    Older versions can be read with the PATH^VERSION syntax
    (e.g. mysecret:mykey^2).
  • Commands that delete will operate on the newest version by default. You can
    target specific versions with the PATH^VERSION syntax. By default, versions
    will be marked as deleted. They can be destroyed with the -D flag on safe delete.
    All versions of a secret can be targeted with the -a flag on safe delete.
  • safe paths and safe tree now have a -q flag. Because scripts using paths have
    thus far assumed that only paths with accessible secrets will be returned, we needed to
    make sure that this behavior was preserved by default. However, Vault returns deleted
    or destroyed secrets from list requests. Therefore, we have to make extra calls to make
    sure that the latest version of the secret is alive. -q (quick) skips those checks to
    get you a result faster, even though any secret with remaining metadata will be returned.
  • safe versions is now a command. It shows all the existing version numbers for a
    secret with their respective states. v1 backends are abstracted as versioned backends
    that only ever have one living version.
  • safe undelete is now a command. It undeletes a version that was marked as deleted.
    It errs if you try it on a v1 backend because I can't get your cert back and I'm sorry.
  • safe revert reads in an older version and writes it as the newest version of a secret.
    It's a no-op if the newest version is specified. You can revert to versions marked as
    deleted with the -d flag. This will cause the version to be undeleted, read, and then
    redeleted. The resulting newest version will be left alive.
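
The liveness check that -q skips, as an added example (not safe's own code). It assumes the Vault KV v2 metadata response shape (current_version, plus deletion_time and destroyed per version); the sample document is constructed, and versionStates, sampleMetadata and the state labels are names chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)
// Constructed sample of a KV v2 metadata read; not captured from a real Vault.
const sampleMetadata = `{"data": {"current_version": 3, "versions": {
  "1": {"deletion_time": "", "destroyed": true},
  "2": {"deletion_time": "", "destroyed": false},
  "3": {"deletion_time": "2019-01-18T12:00:00.5Z", "destroyed": false}}}}`

type kvMetadata struct {
	Data struct {
		CurrentVersion int `json:"current_version"`
		Versions       map[string]struct {
			DeletionTime string `json:"deletion_time"`
			Destroyed    bool   `json:"destroyed"`
		} `json:"versions"`
	} `json:"data"`
}

// versionStates labels each version "alive", "deleted" or "destroyed" (labels
// chosen for this example) and reports whether the current version is alive.
func versionStates(raw []byte, now time.Time) (map[string]string, bool, error) {
	var md kvMetadata
	if err := json.Unmarshal(raw, &md); err != nil {
		return nil, false, err
	}
	states := make(map[string]string, len(md.Data.Versions))
	for num, v := range md.Data.Versions {
		// A future deletion time is not in effect yet; a bad one fails closed.
		t, err := time.Parse(time.RFC3339, v.DeletionTime)
		switch {
		case v.Destroyed:
			states[num] = "destroyed"
		case v.DeletionTime != "" && (err != nil || !t.After(now)):
			states[num] = "deleted"
		default:
			states[num] = "alive"
		}
	}
	return states, states[strconv.Itoa(md.Data.CurrentVersion)] == "alive", nil
}

func main() { fmt.Println(versionStates([]byte(sampleMetadata), time.Now())) }
```

A list request would still return this path because metadata remains, which is why a script relying on -q output must be prepared for reads that fail.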

Improvements

  • Operations which walk the tree recursively now operate concurrently. This can lead
    to a significant speed increase in environments where there is noticeable latency when
    communicating with the Vault server. See: tree, paths, delete -R, etc
  • x509 reissue and x509 renew now show up in safe help x509
  • safe curl's --data-only flag is now in the help (thanks, @lvets)
  • We can safe local all the way up to Vault 1.0.1 (and possibly even beyond) (Fixes #171)
  • safe tree / and safe paths / will now show all secrets across all KV mounts.

Bug Fixes

  • We can read non-strings out of the Vault again (Fixes #178).
  • safe rekey's key prompt is fixed and now won't just ask you for the first key n times

Breaking Changes

  • Exports are now in a new format. While this version of safe can import versions of the old
    format, this version of safe will produce exports that older versions of safe will not be able
    to import.

starkandwayne-bot released this Oct 26, 2018 · 71 commits to master since this release

Improvements

  • safe local's internals have been updated to work with Vault 0.11.2+

starkandwayne-bot released this Oct 11, 2018 · 76 commits to master since this release

New Features

  • Safe honours the new $SAFE_TARGET environment variable to override the safe target without using -T or calling safe target. This can be used for scripts that want to target a specific vault without modifying the user's current target in ~/.saferc.

starkandwayne-bot released this Oct 2, 2018 · 81 commits to master since this release

Bug Fixes

  • safe auth -T <target> now correctly indicates the target being
    authenticated. It used to specify the current target instead of the
    specified target, even though it auth'ed to the specified target. Now it no
    longer lies.

  • safe targets --json reported the opposite state of the skip-ssh-verify
    condition -- this has been corrected.

Improvements

  • safe rekey now cancels an existing rekey operation.

  • safe x509 issue, safe x509 renew, and safe x509 reissue now have a
    --sig-algorithm flag that allows the user to specify which signature
    algorithm to sign the certificate with. Previously, this was hardcoded
    to be SHA512 with RSA - now that is simply the default value.

  • safe x509 show now shows the algorithm that the certificate was signed with.

Backend Changes

  • The code that actually talks to Vault was switched to a library for smoother
    development moving forward. This shouldn't cause any behavioral changes,
    but some error messaging may have changed. If some error messaging is unclear,
    (or if something broke, of course) drop us an issue.

jhunt released this Sep 12, 2018 · 89 commits to master since this release

Improvements

  • safe x509 renew can now recover from missing CRLs and missing
    serial numbers, in case you've imported the certificate and
    private key from somewhere else.

  • safe x509 validate now complains if a certificate is listed as
    a CA but does not have its serial number or CRL.


jhunt released this Aug 24, 2018 · 91 commits to master since this release

Improvements

  • safe x509 issue no longer propagates duplicate --name values
    into the resulting X.509 certificate's subject alt names list.

  • The help for safe set now documents all the fun little tricks
    that safe has up its sleeve, like safe set key@some/file.

Bug Fixes

  • If you somehow manage to create an empty path via safe set or
    some other out-of-band access to the Vault, safe paths will no
    longer panic when it encounters it.

  • For weirdos who populate ~/.saferc with empty tokens and then
    target their vaults via URL (you know who you are), target
    lookup has been fixed to work as expected.


jhunt released this Aug 2, 2018 · 96 commits to master since this release

Bug Fixes

  • Line endings on Windows are now properly trimmed when using prompt() functionality.

  • Windows LDAP auth should now be functional on more environments due to the above fix.
