Merge remote-tracking branch 'origin/master' into auth_aws_no_prefix_…

…matching

CHANGELOG.md

@@ -2,14 +2,18 @@
 
 DEPRECATIONS/CHANGES:
 
- * The AWS authentication backend now allows binds for inputs, as either a
+ * The AWS authentication backend now allows binds for inputs as either a
    comma-delimited string or a string array. However, to keep consistency with
    input and output, when reading a role the binds will now be returned as
    string arrays rather than strings.
 
 IMPROVEMENTS:
 
+ * auth/approle: Allow array input for bound_cidr_list [4078]
  * auth/aws: Allow using lists in role bind parameters [GH-3907]
+ * auth/aws: Allow binding by EC2 instance IDs [GH-3816]
+ * secret/transit: Allow selecting signature algorithm as well as hash
+   algorithm when signing/verifying [GH-4018]
  * server: Make sure `tls_disable_client_cert` is actually a true value rather
    than just set [GH-4049]
  * storage/gcs: Allow specifying chunk size for transfers, which can reduce
@@ -19,8 +23,18 @@ IMPROVEMENTS:
 
 BUG FIXES:
 
+ * auth/aws: Fix honoring `max_ttl` when a corresponding role `ttl` is not also
+   set [GH-4107]
+ * auth/okta: Fix honoring configured `max_ttl` value [GH-4110]
+ * auth/token: If a periodic token being issued has a period greater than the
+   max_lease_ttl configured on the token store mount, truncate it. This matches
+   renewal behavior; before it was inconsistent between issuance and renewal.
+   [GH-4112]
  * cli: Improve error messages around `vault auth help` when there is no CLI
    helper for a particular method [GH-4056]
+ * cli: Fix autocomplete installation when using Fish as the shell [GH-4094]
+ * secret/database: Properly honor mount-tuned max TTL [GH-4051]
+ * secret/ssh: Return `key_bits` value when reading a role [GH-4098]
 
 ## 0.9.5 (February 26th, 2018)
 

api/renewer.go

@@ -162,8 +162,8 @@ func (r *Renewer) Stop() {
 }
 
 // Renew starts a background process for renewing this secret. When the secret
-// is has auth data, this attempts to renew the auth (token). When the secret
-// has a lease, this attempts to renew the lease.
+// has auth data, this attempts to renew the auth (token). When the secret has
+// a lease, this attempts to renew the lease.
 func (r *Renewer) Renew() {
 	var result error
 	if r.secret.Auth != nil {

api/sys_auth.go

@@ -91,9 +91,11 @@ type EnableAuthOptions struct {
 }
 
 type AuthConfigInput struct {
-	DefaultLeaseTTL string `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"`
-	MaxLeaseTTL     string `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`
-	PluginName      string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
+	DefaultLeaseTTL          string   `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"`
+	MaxLeaseTTL              string   `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`
+	PluginName               string   `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
+	AuditNonHMACRequestKeys  []string `json:"audit_non_hmac_request_keys,omitempty" structs:"audit_non_hmac_request_keys" mapstructure:"audit_non_hmac_request_keys"`
+	AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" structs:"audit_non_hmac_response_keys" mapstructure:"audit_non_hmac_response_keys"`
 }
 
 type AuthMount struct {
@@ -106,7 +108,9 @@ type AuthMount struct {
 }
 
 type AuthConfigOutput struct {
-	DefaultLeaseTTL int    `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"`
-	MaxLeaseTTL     int    `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`
-	PluginName      string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
+	DefaultLeaseTTL          int      `json:"default_lease_ttl" structs:"default_lease_ttl" mapstructure:"default_lease_ttl"`
+	MaxLeaseTTL              int      `json:"max_lease_ttl" structs:"max_lease_ttl" mapstructure:"max_lease_ttl"`
+	PluginName               string   `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
+	AuditNonHMACRequestKeys  []string `json:"audit_non_hmac_request_keys,omitempty" structs:"audit_non_hmac_request_keys" mapstructure:"audit_non_hmac_request_keys"`
+	AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" structs:"audit_non_hmac_response_keys" mapstructure:"audit_non_hmac_response_keys"`
 }

audit/audit.go

@@ -27,7 +27,7 @@ type Backend interface {
 	// GetHash is used to return the given data with the backend's hash,
 	// so that a caller can determine if a value in the audit log matches
 	// an expected plaintext value
-	GetHash(string) (string, error)
+	GetHash(context.Context, string) (string, error)
 
 	// Reload is called on SIGHUP for supporting backends.
 	Reload(context.Context) error

audit/format.go

@@ -1,6 +1,7 @@
 package audit
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"strings"
@@ -16,7 +17,7 @@ import (
 type AuditFormatWriter interface {
 	WriteRequest(io.Writer, *AuditRequestEntry) error
 	WriteResponse(io.Writer, *AuditResponseEntry) error
-	Salt() (*salt.Salt, error)
+	Salt(context.Context) (*salt.Salt, error)
 }
 
 // AuditFormatter implements the Formatter interface, and allows the underlying
@@ -27,7 +28,7 @@ type AuditFormatter struct {
 
 var _ Formatter = (*AuditFormatter)(nil)
 
-func (f *AuditFormatter) FormatRequest(w io.Writer, config FormatterConfig, in *LogInput) error {
+func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config FormatterConfig, in *LogInput) error {
 	if in == nil || in.Request == nil {
 		return fmt.Errorf("request to request-audit a nil request")
 	}
@@ -40,7 +41,7 @@ func (f *AuditFormatter) FormatRequest(w io.Writer, config FormatterConfig, in *
 		return fmt.Errorf("no format writer specified")
 	}
 
-	salt, err := f.Salt()
+	salt, err := f.Salt(ctx)
 	if err != nil {
 		return errwrap.Wrapf("error fetching salt: {{err}}", err)
 	}
@@ -151,7 +152,7 @@ func (f *AuditFormatter) FormatRequest(w io.Writer, config FormatterConfig, in *
 	return f.AuditFormatWriter.WriteRequest(w, reqEntry)
 }
 
-func (f *AuditFormatter) FormatResponse(w io.Writer, config FormatterConfig, in *LogInput) error {
+func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config FormatterConfig, in *LogInput) error {
 	if in == nil || in.Request == nil {
 		return fmt.Errorf("request to response-audit a nil request")
 	}
@@ -164,7 +165,7 @@ func (f *AuditFormatter) FormatResponse(w io.Writer, config FormatterConfig, in
 		return fmt.Errorf("no format writer specified")
 	}
 
-	salt, err := f.Salt()
+	salt, err := f.Salt(ctx)
 	if err != nil {
 		return errwrap.Wrapf("error fetching salt: {{err}}", err)
 	}

audit/format_json.go

@@ -1,6 +1,7 @@
 package audit
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -12,7 +13,7 @@ import (
 // a JSON format.
 type JSONFormatWriter struct {
 	Prefix   string
-	SaltFunc func() (*salt.Salt, error)
+	SaltFunc func(context.Context) (*salt.Salt, error)
 }
 
 func (f *JSONFormatWriter) WriteRequest(w io.Writer, req *AuditRequestEntry) error {
@@ -47,6 +48,6 @@ func (f *JSONFormatWriter) WriteResponse(w io.Writer, resp *AuditResponseEntry)
 	return enc.Encode(resp)
 }
 
-func (f *JSONFormatWriter) Salt() (*salt.Salt, error) {
-	return f.SaltFunc()
+func (f *JSONFormatWriter) Salt(ctx context.Context) (*salt.Salt, error) {
+	return f.SaltFunc(ctx)
 }

audit/format_json_test.go

@@ -2,6 +2,7 @@ package audit
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"strings"
 	"testing"
@@ -17,11 +18,11 @@ import (
 )
 
 func TestFormatJSON_formatRequest(t *testing.T) {
-	salter, err := salt.NewSalt(nil, nil)
+	salter, err := salt.NewSalt(context.Background(), nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
-	saltFunc := func() (*salt.Salt, error) {
+	saltFunc := func(context.Context) (*salt.Salt, error) {
 		return salter, nil
 	}
 
@@ -90,7 +91,7 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 			Request:  tc.Req,
 			OuterErr: tc.Err,
 		}
-		if err := formatter.FormatRequest(&buf, config, in); err != nil {
+		if err := formatter.FormatRequest(context.Background(), &buf, config, in); err != nil {
 			t.Fatalf("bad: %s\nerr: %s", name, err)
 		}
 

audit/format_jsonx.go

@@ -1,6 +1,7 @@
 package audit
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -13,7 +14,7 @@ import (
 // a XML format.
 type JSONxFormatWriter struct {
 	Prefix   string
-	SaltFunc func() (*salt.Salt, error)
+	SaltFunc func(context.Context) (*salt.Salt, error)
 }
 
 func (f *JSONxFormatWriter) WriteRequest(w io.Writer, req *AuditRequestEntry) error {
@@ -68,6 +69,6 @@ func (f *JSONxFormatWriter) WriteResponse(w io.Writer, resp *AuditResponseEntry)
 	return err
 }
 
-func (f *JSONxFormatWriter) Salt() (*salt.Salt, error) {
-	return f.SaltFunc()
+func (f *JSONxFormatWriter) Salt(ctx context.Context) (*salt.Salt, error) {
+	return f.SaltFunc(ctx)
 }

audit/format_jsonx_test.go

@@ -2,6 +2,7 @@ package audit
 
 import (
 	"bytes"
+	"context"
 	"strings"
 	"testing"
 	"time"
@@ -15,11 +16,11 @@ import (
 )
 
 func TestFormatJSONx_formatRequest(t *testing.T) {
-	salter, err := salt.NewSalt(nil, nil)
+	salter, err := salt.NewSalt(context.Background(), nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
-	saltFunc := func() (*salt.Salt, error) {
+	saltFunc := func(context.Context) (*salt.Salt, error) {
 		return salter, nil
 	}
 
@@ -94,7 +95,7 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
 			Request:  tc.Req,
 			OuterErr: tc.Err,
 		}
-		if err := formatter.FormatRequest(&buf, config, in); err != nil {
+		if err := formatter.FormatRequest(context.Background(), &buf, config, in); err != nil {
 			t.Fatalf("bad: %s\nerr: %s", name, err)
 		}
 

audit/format_test.go

@@ -1,6 +1,7 @@
 package audit
 
 import (
+	"context"
 	"io"
 	"io/ioutil"
 	"testing"
@@ -22,12 +23,12 @@ func (n *noopFormatWriter) WriteResponse(_ io.Writer, _ *AuditResponseEntry) err
 	return nil
 }
 
-func (n *noopFormatWriter) Salt() (*salt.Salt, error) {
+func (n *noopFormatWriter) Salt(ctx context.Context) (*salt.Salt, error) {
 	if n.salt != nil {
 		return n.salt, nil
 	}
 	var err error
-	n.salt, err = salt.NewSalt(nil, nil)
+	n.salt, err = salt.NewSalt(ctx, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -40,14 +41,14 @@ func TestFormatRequestErrors(t *testing.T) {
 		AuditFormatWriter: &noopFormatWriter{},
 	}
 
-	if err := formatter.FormatRequest(ioutil.Discard, config, &LogInput{}); err == nil {
+	if err := formatter.FormatRequest(context.Background(), ioutil.Discard, config, &LogInput{}); err == nil {
 		t.Fatal("expected error due to nil request")
 	}
 
 	in := &LogInput{
 		Request: &logical.Request{},
 	}
-	if err := formatter.FormatRequest(nil, config, in); err == nil {
+	if err := formatter.FormatRequest(context.Background(), nil, config, in); err == nil {
 		t.Fatal("expected error due to nil writer")
 	}
 }
@@ -58,14 +59,14 @@ func TestFormatResponseErrors(t *testing.T) {
 		AuditFormatWriter: &noopFormatWriter{},
 	}
 
-	if err := formatter.FormatResponse(ioutil.Discard, config, &LogInput{}); err == nil {
+	if err := formatter.FormatResponse(context.Background(), ioutil.Discard, config, &LogInput{}); err == nil {
 		t.Fatal("expected error due to nil request")
 	}
 
 	in := &LogInput{
 		Request: &logical.Request{},
 	}
-	if err := formatter.FormatResponse(nil, config, in); err == nil {
+	if err := formatter.FormatResponse(context.Background(), nil, config, in); err == nil {
 		t.Fatal("expected error due to nil writer")
 	}
 }

audit/formatter.go

@@ -1,6 +1,7 @@
 package audit
 
 import (
+	"context"
 	"io"
 )
 
@@ -10,8 +11,8 @@ import (
 //
 // It is recommended that you pass data through Hash prior to formatting it.
 type Formatter interface {
-	FormatRequest(io.Writer, FormatterConfig, *LogInput) error
-	FormatResponse(io.Writer, FormatterConfig, *LogInput) error
+	FormatRequest(context.Context, io.Writer, FormatterConfig, *LogInput) error
+	FormatResponse(context.Context, io.Writer, FormatterConfig, *LogInput) error
 }
 
 type FormatterConfig struct {

audit/hashstructure_test.go

@@ -99,7 +99,7 @@ func TestHashString(t *testing.T) {
 		Key:   "salt",
 		Value: []byte("foo"),
 	})
-	localSalt, err := salt.NewSalt(inmemStorage, &salt.Config{
+	localSalt, err := salt.NewSalt(context.Background(), inmemStorage, &salt.Config{
 		HMAC:     sha256.New,
 		HMACType: "hmac-sha256",
 	})
@@ -206,7 +206,7 @@ func TestHash(t *testing.T) {
 		Key:   "salt",
 		Value: []byte("foo"),
 	})
-	localSalt, err := salt.NewSalt(inmemStorage, &salt.Config{
+	localSalt, err := salt.NewSalt(context.Background(), inmemStorage, &salt.Config{
 		HMAC:     sha256.New,
 		HMACType: "hmac-sha256",
 	})