Merge remote-tracking branch 'upstream/master' into constrain-cn

.travis.yml

@@ -7,7 +7,7 @@ services:
   - docker
 
 go:
-  - 1.8
+  - 1.8.1
 
 matrix:
   allow_failures:

CHANGELOG.md

@@ -7,18 +7,22 @@ FEATURES:
 
 IMPROVEMENTS:
 
+ * cli/revoke: Add `-self` option to allow revoking the currently active token
+   [GH-2596]
  * secret/pki: Add `no_store` option that allows certificates to be issued
    without being stored. This removes the ability to look up and/or add to a
    CRL but helps with scaling to very large numbers of certificates. [GH-2565]
+ * storage/etcd3: Add `discovery_srv` option to query for SRV records to find
+   servers [GH-2521]
  * storage/s3: Support `max_parallel` option to limit concurrent outstanding
    requests [GH-2466]
  * storage/s3: Use pooled transport for http client [GH-2481]
- * storage/etcd3: Add `discovery_srv` option to query for SRV records to find
-   servers [GH-2521]
+ * storage/swift: Allow domain values for V3 authentication [GH-2554]
 
 BUG FIXES:
 
  * api: Respect a configured path in Vault's address [GH-2588]
+ * auth/aws-ec2: New bounds added as criteria to allow role creation [GH-2600]
  * secret/pki: Don't lowercase O/OU values in certs [GH-2555]
  * secret/pki: Don't attempt to validate IP SANs if none are provided [GH-2574]
  * storage/consul: Properly handle state events rather than timing out

builtin/credential/aws-ec2/path_role.go

@@ -350,12 +350,14 @@ func (b *backend) pathRoleCreateUpdate(
 
 	// Ensure that at least one bound is set on the role
 	switch {
-	case roleEntry.BoundAccountID != "":
 	case roleEntry.BoundAmiID != "":
-	case roleEntry.BoundIamInstanceProfileARN != "":
+	case roleEntry.BoundAccountID != "":
+	case roleEntry.BoundRegion != "":
+	case roleEntry.BoundVpcID != "":
+	case roleEntry.BoundSubnetID != "":
 	case roleEntry.BoundIamRoleARN != "":
+	case roleEntry.BoundIamInstanceProfileARN != "":
 	default:
-
 		return logical.ErrorResponse("at least be one bound parameter should be specified on the role"), nil
 	}
 

builtin/credential/aws-ec2/path_role_test.go

@@ -9,6 +9,8 @@ import (
 )
 
 func TestAwsEc2_RoleCrud(t *testing.T) {
+	var err error
+	var resp *logical.Response
 	config := logical.TestBackendConfig()
 	storage := &logical.InmemStorage{}
 	config.StorageView = storage
@@ -22,6 +24,23 @@ func TestAwsEc2_RoleCrud(t *testing.T) {
 		t.Fatal(err)
 	}
 
+	role1Data := map[string]interface{}{
+		"bound_vpc_id":             "testvpcid",
+		"allow_instance_migration": true,
+		"policies":                 "testpolicy1,testpolicy2",
+	}
+	roleReq := &logical.Request{
+		Operation: logical.UpdateOperation,
+		Storage:   storage,
+		Path:      "role/role1",
+		Data:      role1Data,
+	}
+
+	resp, err = b.HandleRequest(roleReq)
+	if err != nil || (resp != nil && resp.IsError()) {
+		t.Fatalf("resp: %#v, err: %v", resp, err)
+	}
+
 	roleData := map[string]interface{}{
 		"bound_ami_id":                   "testamiid",
 		"bound_account_id":               "testaccountid",
@@ -40,14 +59,9 @@ func TestAwsEc2_RoleCrud(t *testing.T) {
 		"period":                    "1m",
 	}
 
-	roleReq := &logical.Request{
-		Operation: logical.UpdateOperation,
-		Storage:   storage,
-		Path:      "role/testrole",
-		Data:      roleData,
-	}
-
-	resp, err := b.HandleRequest(roleReq)
+	roleReq.Path = "role/testrole"
+	roleReq.Data = roleData
+	resp, err = b.HandleRequest(roleReq)
 	if err != nil || (resp != nil && resp.IsError()) {
 		t.Fatalf("resp: %#v, err: %v", resp, err)
 	}

builtin/logical/cassandra/util.go

@@ -76,7 +76,7 @@ func createSession(cfg *sessionConfig, s logical.Storage) (*gocql.Session, error
 		}
 
 		clusterConfig.SslOpts = &gocql.SslOptions{
-			Config: *tlsConfig,
+			Config: tlsConfig,
 		}
 	}
 

command/token_revoke.go

@@ -15,24 +15,33 @@ type TokenRevokeCommand struct {
 func (c *TokenRevokeCommand) Run(args []string) int {
 	var mode string
 	var accessor bool
+	var self bool
+	var token string
 	flags := c.Meta.FlagSet("token-revoke", meta.FlagSetDefault)
 	flags.BoolVar(&accessor, "accessor", false, "")
+	flags.BoolVar(&self, "self", false, "")
 	flags.StringVar(&mode, "mode", "", "")
 	flags.Usage = func() { c.Ui.Error(c.Help()) }
 	if err := flags.Parse(args); err != nil {
 		return 1
 	}
 
 	args = flags.Args()
-	if len(args) != 1 {
+	switch {
+	case len(args) == 1 && !self:
+		token = args[0]
+	case len(args) != 0 && self:
+		flags.Usage()
+		c.Ui.Error(fmt.Sprintf(
+			"\ntoken-revoke expects no arguments when revoking self"))
+		return 1
+	case len(args) != 1 && !self:
 		flags.Usage()
 		c.Ui.Error(fmt.Sprintf(
-			"\ntoken-revoke expects one argument"))
+			"\ntoken-revoke expects one argument or the 'self' flag"))
 		return 1
 	}
 
-	token := args[0]
-
 	client, err := c.Client()
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf(
@@ -43,14 +52,22 @@ func (c *TokenRevokeCommand) Run(args []string) int {
 	var fn func(string) error
 	// Handle all 6 possible combinations
 	switch {
-	case !accessor && mode == "":
+	case !accessor && self && mode == "":
+		fn = client.Auth().Token().RevokeSelf
+	case !accessor && !self && mode == "":
 		fn = client.Auth().Token().RevokeTree
-	case !accessor && mode == "orphan":
+	case !accessor && !self && mode == "orphan":
 		fn = client.Auth().Token().RevokeOrphan
-	case !accessor && mode == "path":
+	case !accessor && !self && mode == "path":
 		fn = client.Sys().RevokePrefix
-	case accessor && mode == "":
+	case accessor && !self && mode == "":
 		fn = client.Auth().Token().RevokeAccessor
+	case accessor && self:
+		c.Ui.Error("token-revoke cannot be run on self when 'accessor' flag is set")
+		return 1
+	case self && mode != "":
+		c.Ui.Error("token-revoke cannot be run on self when 'mode' flag is set")
+		return 1
 	case accessor && mode == "orphan":
 		c.Ui.Error("token-revoke cannot be run for 'orphan' mode when 'accessor' flag is set")
 		return 1
@@ -110,6 +127,8 @@ Token Options:
                           via '/auth/token/lookup-accessor/<accessor>' endpoint.
                           Accessor is used when there is no access to token ID.
 
+  -self                   A boolean flag, if set, the operation is performed on the currently
+                          authenticated token i.e. lookup-self.
 
   -mode=value             The type of revocation to do. See the documentation
                           above for more information.

physical/azure.go

@@ -12,7 +12,7 @@ import (
 
 	log "github.com/mgutz/logxi/v1"
 
-	"github.com/Azure/azure-sdk-for-go/storage"
+	"github.com/Azure/azure-storage-go"
 	"github.com/armon/go-metrics"
 	"github.com/hashicorp/errwrap"
 )
@@ -59,12 +59,23 @@ func newAzureBackend(conf map[string]string, logger log.Logger) (Backend, error)
 	}
 
 	client, err := storage.NewBasicClient(accountName, accountKey)
-
 	if err != nil {
-		return nil, fmt.Errorf("Failed to create Azure client: %v", err)
+		return nil, fmt.Errorf("failed to create Azure client: %v", err)
 	}
 
-	client.GetBlobService().CreateContainerIfNotExists(container, storage.ContainerAccessTypePrivate)
+	contObj := client.GetBlobService().GetContainerReference(container)
+	created, err := contObj.CreateIfNotExists()
+	if err != nil {
+		return nil, fmt.Errorf("failed to upsert container: %v", err)
+	}
+	if created {
+		err = contObj.SetPermissions(storage.ContainerPermissions{
+			AccessType: storage.ContainerAccessTypePrivate,
+		}, 0, "")
+		if err != nil {
+			return nil, fmt.Errorf("failed to set permissions on newly-created container: %v", err)
+		}
+	}
 
 	maxParStr, ok := conf["max_parallel"]
 	var maxParInt int
@@ -156,7 +167,8 @@ func (a *AzureBackend) List(prefix string) ([]string, error) {
 	a.permitPool.Acquire()
 	defer a.permitPool.Release()
 
-	list, err := a.client.ListBlobs(a.container, storage.ListBlobsParameters{Prefix: prefix})
+	contObj := a.client.GetContainerReference(a.container)
+	list, err := contObj.ListBlobs(storage.ListBlobsParameters{Prefix: prefix})
 
 	if err != nil {
 		// Break early.

physical/azure_test.go

@@ -9,7 +9,7 @@ import (
 	"github.com/hashicorp/vault/helper/logformat"
 	log "github.com/mgutz/logxi/v1"
 
-	"github.com/Azure/azure-sdk-for-go/storage"
+	"github.com/Azure/azure-storage-go"
 )
 
 func TestAzureBackend(t *testing.T) {
@@ -35,7 +35,8 @@ func TestAzureBackend(t *testing.T) {
 	})
 
 	defer func() {
-		cleanupClient.GetBlobService().DeleteContainerIfExists(container)
+		contObj := cleanupClient.GetBlobService().GetContainerReference(container)
+		contObj.DeleteIfExists()
 	}()
 
 	if err != nil {

physical/swift.go

@@ -58,17 +58,36 @@ func newSwiftBackend(conf map[string]string, logger log.Logger) (Backend, error)
 			return nil, fmt.Errorf("missing container")
 		}
 	}
-	tenant := os.Getenv("OS_TENANT_NAME")
-	if tenant == "" {
-		tenant = conf["tenant"]
+	project := os.Getenv("OS_PROJECT_NAME")
+	if project == "" {
+		project = conf["project"]
+
+		if project == "" {
+			// Check for KeyStone naming prior to V3
+			project := os.Getenv("OS_TENANT_NAME")
+			if project == "" {
+				project = conf["tenant"]
+			}
+		}
+	}
+
+	domain := os.Getenv("OS_USER_DOMAIN_NAME")
+	if domain == "" {
+		domain = conf["domain"]
+	}
+	projectDomain := os.Getenv("OS_PROJECT_DOMAIN_NAME")
+	if projectDomain == "" {
+		projectDomain = conf["project-domain"]
 	}
 
 	c := swift.Connection{
-		UserName:  username,
-		ApiKey:    password,
-		AuthUrl:   authUrl,
-		Tenant:    tenant,
-		Transport: cleanhttp.DefaultPooledTransport(),
+		Domain:       domain,
+		UserName:     username,
+		ApiKey:       password,
+		AuthUrl:      authUrl,
+		Tenant:       project,
+		TenantDomain: projectDomain,
+		Transport:    cleanhttp.DefaultPooledTransport(),
 	}
 
 	err := c.Authenticate()

physical/swift_test.go

@@ -21,17 +21,21 @@ func TestSwiftBackend(t *testing.T) {
 	username := os.Getenv("OS_USERNAME")
 	password := os.Getenv("OS_PASSWORD")
 	authUrl := os.Getenv("OS_AUTH_URL")
-	tenant := os.Getenv("OS_TENANT_NAME")
+	project := os.Getenv("OS_PROJECT_NAME")
+	domain := os.Getenv("OS_USER_DOMAIN_NAME")
+	projectDomain := os.Getenv("OS_PROJECT_DOMAIN_NAME")
 
 	ts := time.Now().UnixNano()
 	container := fmt.Sprintf("vault-test-%d", ts)
 
 	cleaner := swift.Connection{
-		UserName:  username,
-		ApiKey:    password,
-		AuthUrl:   authUrl,
-		Tenant:    tenant,
-		Transport: cleanhttp.DefaultPooledTransport(),
+		Domain:       domain,
+		UserName:     username,
+		ApiKey:       password,
+		AuthUrl:      authUrl,
+		Tenant:       project,
+		TenantDomain: projectDomain,
+		Transport:    cleanhttp.DefaultPooledTransport(),
 	}
 
 	err := cleaner.Authenticate()
@@ -63,11 +67,13 @@ func TestSwiftBackend(t *testing.T) {
 	logger := logformat.NewVaultLogger(log.LevelTrace)
 
 	b, err := NewBackend("swift", logger, map[string]string{
-		"username":  username,
-		"password":  password,
-		"container": container,
-		"auth_url":  authUrl,
-		"tenant":    tenant,
+		"username":       username,
+		"password":       password,
+		"container":      container,
+		"auth_url":       authUrl,
+		"project":        project,
+		"domain":         domain,
+		"project-domain": projectDomain,
 	})
 	if err != nil {
 		t.Fatalf("err: %s", err)

scripts/cross/Dockerfile

@@ -10,7 +10,7 @@ RUN apt-get update -y && apt-get install --no-install-recommends -y -q \
                          git mercurial bzr \
                && rm -rf /var/lib/apt/lists/*
 
-ENV GOVERSION 1.8
+ENV GOVERSION 1.8.1
 RUN mkdir /goroot && mkdir /gopath
 RUN curl https://storage.googleapis.com/golang/go${GOVERSION}.linux-amd64.tar.gz \
            | tar xvzf - -C /goroot --strip-components=1