Merge branch 'master' into approle-metadata-fix

.travis.yml

@@ -14,7 +14,7 @@ services:
   - docker
 
 go:
-  - "1.10.2"
+  - "1.10.3"
 
 go_import_path: github.com/hashicorp/vault
 

CHANGELOG.md

@@ -1,3 +1,13 @@
+## 0.10.3 (Unreleased)
+
+BUG FIXES:
+
+ * secrets/kv: Fix writing to the root of a KVv2 mount from `vault kv` commands
+   incorrectly operating on a root+mount path instead of being an error
+   [GH-4726]
+ * seal/pkcs11: Add `CKK_SHA256_HMAC` to the search list when finding HMAC
+   keys, fixing lookup on some Thales devices
+
 ## 0.10.2 (June 6th, 2018)
 
 SECURITY:
@@ -89,6 +99,8 @@ IMPROVEMENTS:
  * ui: Identity interface now lists groups by name [GH-4655]
  * ui: Permission denied errors still render the sidebar in the Access section
    [GH-4658]
+ * replication: Improve performance of index page flushes and WAL garbage 
+   collecting
 
 BUG FIXES:
 

builtin/credential/approle/backend.go

@@ -30,7 +30,7 @@ type backend struct {
 	view logical.Storage
 
 	// Guard to clean-up the expired SecretID entries
-	tidySecretIDCASGuard uint32
+	tidySecretIDCASGuard *uint32
 
 	// Locks to make changes to role entries. These will be initialized to a
 	// predefined number of locks when the backend is created, and will be
@@ -85,6 +85,8 @@ func Backend(conf *logical.BackendConfig) (*backend, error) {
 
 		// Create locks to modify the generated SecretIDAccessors
 		secretIDAccessorLocks: locksutil.CreateLocks(),
+
+		tidySecretIDCASGuard: new(uint32),
 	}
 
 	// Attach the paths and secrets that are to be handled by the backend

builtin/credential/approle/path_tidy_user_id.go

@@ -27,9 +27,9 @@ func pathTidySecretID(b *backend) *framework.Path {
 
 // tidySecretID is used to delete entries in the whitelist that are expired.
 func (b *backend) tidySecretID(ctx context.Context, s logical.Storage) error {
-	grabbed := atomic.CompareAndSwapUint32(&b.tidySecretIDCASGuard, 0, 1)
+	grabbed := atomic.CompareAndSwapUint32(b.tidySecretIDCASGuard, 0, 1)
 	if grabbed {
-		defer atomic.StoreUint32(&b.tidySecretIDCASGuard, 0)
+		defer atomic.StoreUint32(b.tidySecretIDCASGuard, 0)
 	} else {
 		return fmt.Errorf("SecretID tidy operation already running")
 	}

builtin/credential/aws/backend.go

@@ -39,8 +39,8 @@ type backend struct {
 	blacklistMutex sync.RWMutex
 
 	// Guards the blacklist/whitelist tidy functions
-	tidyBlacklistCASGuard uint32
-	tidyWhitelistCASGuard uint32
+	tidyBlacklistCASGuard *uint32
+	tidyWhitelistCASGuard *uint32
 
 	// Duration after which the periodic function of the backend needs to
 	// tidy the blacklist and whitelist entries.
@@ -82,10 +82,12 @@ func Backend(conf *logical.BackendConfig) (*backend, error) {
 	b := &backend{
 		// Setting the periodic func to be run once in an hour.
 		// If there is a real need, this can be made configurable.
-		tidyCooldownPeriod:  time.Hour,
-		EC2ClientsMap:       make(map[string]map[string]*ec2.EC2),
-		IAMClientsMap:       make(map[string]map[string]*iam.IAM),
-		iamUserIdToArnCache: cache.New(7*24*time.Hour, 24*time.Hour),
+		tidyCooldownPeriod:    time.Hour,
+		EC2ClientsMap:         make(map[string]map[string]*ec2.EC2),
+		IAMClientsMap:         make(map[string]map[string]*iam.IAM),
+		iamUserIdToArnCache:   cache.New(7*24*time.Hour, 24*time.Hour),
+		tidyBlacklistCASGuard: new(uint32),
+		tidyWhitelistCASGuard: new(uint32),
 	}
 
 	b.resolveArnToUniqueIDFunc = b.resolveArnToRealUniqueId

builtin/credential/aws/path_tidy_identity_whitelist.go

@@ -34,9 +34,9 @@ expiration, before it is removed from the backend storage.`,
 
 // tidyWhitelistIdentity is used to delete entries in the whitelist that are expired.
 func (b *backend) tidyWhitelistIdentity(ctx context.Context, s logical.Storage, safety_buffer int) error {
-	grabbed := atomic.CompareAndSwapUint32(&b.tidyWhitelistCASGuard, 0, 1)
+	grabbed := atomic.CompareAndSwapUint32(b.tidyWhitelistCASGuard, 0, 1)
 	if grabbed {
-		defer atomic.StoreUint32(&b.tidyWhitelistCASGuard, 0)
+		defer atomic.StoreUint32(b.tidyWhitelistCASGuard, 0)
 	} else {
 		return fmt.Errorf("identity whitelist tidy operation already running")
 	}

builtin/credential/aws/path_tidy_roletag_blacklist.go

@@ -34,9 +34,9 @@ expiration, before it is removed from the backend storage.`,
 
 // tidyBlacklistRoleTag is used to clean-up the entries in the role tag blacklist.
 func (b *backend) tidyBlacklistRoleTag(ctx context.Context, s logical.Storage, safety_buffer int) error {
-	grabbed := atomic.CompareAndSwapUint32(&b.tidyBlacklistCASGuard, 0, 1)
+	grabbed := atomic.CompareAndSwapUint32(b.tidyBlacklistCASGuard, 0, 1)
 	if grabbed {
-		defer atomic.StoreUint32(&b.tidyBlacklistCASGuard, 0)
+		defer atomic.StoreUint32(b.tidyBlacklistCASGuard, 0)
 	} else {
 		return fmt.Errorf("roletag blacklist tidy operation already running")
 	}

command/kv_delete.go

@@ -101,44 +101,49 @@ func (c *KVDeleteCommand) Run(args []string) int {
 		return 2
 	}
 
+	var secret *api.Secret
 	if v2 {
-		err = c.deleteV2(path, mountPath, client)
+		secret, err = c.deleteV2(path, mountPath, client)
 	} else {
-		_, err = client.Logical().Delete(path)
+		secret, err = client.Logical().Delete(path)
 	}
 
 	if err != nil {
 		c.UI.Error(fmt.Sprintf("Error deleting %s: %s", path, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
 		return 2
 	}
 
 	c.UI.Info(fmt.Sprintf("Success! Data deleted (if it existed) at: %s", path))
 	return 0
 }
 
-func (c *KVDeleteCommand) deleteV2(path, mountPath string, client *api.Client) error {
+func (c *KVDeleteCommand) deleteV2(path, mountPath string, client *api.Client) (*api.Secret, error) {
 	var err error
+	var secret *api.Secret
 	switch {
 	case len(c.flagVersions) > 0:
 		path = addPrefixToVKVPath(path, mountPath, "delete")
 		if err != nil {
-			return err
+			return nil, err
 		}
 
 		data := map[string]interface{}{
 			"versions": kvParseVersionsFlags(c.flagVersions),
 		}
 
-		_, err = client.Logical().Write(path, data)
+		secret, err = client.Logical().Write(path, data)
 	default:
 
 		path = addPrefixToVKVPath(path, mountPath, "data")
 		if err != nil {
-			return err
+			return nil, err
 		}
 
-		_, err = client.Logical().Delete(path)
+		secret, err = client.Logical().Delete(path)
 	}
 
-	return err
+	return secret, err
 }

command/kv_destroy.go

@@ -115,6 +115,9 @@ func (c *KVDestroyCommand) Run(args []string) int {
 	secret, err := client.Logical().Write(path, data)
 	if err != nil {
 		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", path, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
 		return 2
 	}
 	if secret == nil {

command/kv_helpers.go

@@ -99,8 +99,13 @@ func isKVv2(path string, client *api.Client) (string, bool, error) {
 }
 
 func addPrefixToVKVPath(p, mountPath, apiPrefix string) string {
-	p = strings.TrimPrefix(p, mountPath)
-	return path.Join(mountPath, apiPrefix, p)
+	switch {
+	case p == mountPath, p == strings.TrimSuffix(mountPath, "/"):
+		return path.Join(mountPath, apiPrefix)
+	default:
+		p = strings.TrimPrefix(p, mountPath)
+		return path.Join(mountPath, apiPrefix, p)
+	}
 }
 
 func getHeaderForMap(header string, data map[string]interface{}) string {

command/kv_metadata_delete.go

@@ -82,8 +82,11 @@ func (c *KVMetadataDeleteCommand) Run(args []string) int {
 	}
 
 	path = addPrefixToVKVPath(path, mountPath, "metadata")
-	if _, err := client.Logical().Delete(path); err != nil {
+	if secret, err := client.Logical().Delete(path); err != nil {
 		c.UI.Error(fmt.Sprintf("Error deleting %s: %s", path, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
 		return 2
 	}
 

command/kv_metadata_get.go

@@ -105,7 +105,13 @@ func (c *KVMetadataGetCommand) Run(args []string) int {
 		return OutputSecret(c.UI, secret)
 	}
 
-	versions := secret.Data["versions"].(map[string]interface{})
+	versionsRaw, ok := secret.Data["versions"]
+	if !ok || versionsRaw == nil {
+		c.UI.Error(fmt.Sprintf("No value found at %s", path))
+		OutputSecret(c.UI, secret)
+		return 2
+	}
+	versions := versionsRaw.(map[string]interface{})
 
 	delete(secret.Data, "versions")
 

command/kv_metadata_put.go

@@ -125,6 +125,9 @@ func (c *KVMetadataPutCommand) Run(args []string) int {
 	secret, err := client.Logical().Write(path, data)
 	if err != nil {
 		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", path, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
 		return 2
 	}
 	if secret == nil {

command/kv_undelete.go

@@ -110,6 +110,9 @@ func (c *KVUndeleteCommand) Run(args []string) int {
 	secret, err := client.Logical().Write(path, data)
 	if err != nil {
 		c.UI.Error(fmt.Sprintf("Error writing data to %s: %s", path, err))
+		if secret != nil {
+			OutputSecret(c.UI, secret)
+		}
 		return 2
 	}
 	if secret == nil {

http/cors.go

@@ -22,13 +22,18 @@ func wrapCORSHandler(h http.Handler, core *vault.Core) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		corsConf := core.CORSConfig()
 
-		origin := req.Header.Get("Origin")
-		requestMethod := req.Header.Get("Access-Control-Request-Method")
-
 		// If CORS is not enabled or if no Origin header is present (i.e. the request
 		// is from the Vault CLI. A browser will always send an Origin header), then
 		// just return a 204.
-		if !corsConf.IsEnabled() || origin == "" {
+		if !corsConf.IsEnabled() {
+			h.ServeHTTP(w, req)
+			return
+		}
+
+		origin := req.Header.Get("Origin")
+		requestMethod := req.Header.Get("Access-Control-Request-Method")
+
+		if origin == "" {
 			h.ServeHTTP(w, req)
 			return
 		}