Merge remote-tracking branch 'oss/master' into lazy-load-expiration

* oss/master:
  changelog++
  add support to use application default credentials to gcs storage backend (hashicorp#3257)
  Remove fake news about custom plugins
  Fix travis build on go 1.9
  changelog++
  stdout support for file backend via logger (hashicorp#3235)
  fix swallowed errors in pki package tests (hashicorp#3215)
  Fix API/AUTH/AppRole doc issue concerning bound_cidr_list (hashicorp#3205)

.travis.yml

@@ -7,7 +7,7 @@ services:
  - docker
 
 go:
- - 1.9.0
+ - 1.9
 
 matrix:
  allow_failures:

CHANGELOG.md

@@ -13,20 +13,23 @@ FEATURES:
  verification through the SSH CA backend, if enabled.
 
 IMPROVEMENTS:
- * cli: Add subcommand autocompletion that can be enabled with 
- `vault -autocomplete-install` [GH-3223]
+ * audit/file: Allow specifying `stdout` as the `file_path` to log to standard
+ output [GH-3235]
  * auth/okta: Compare groups case-insensitively since Okta is only
  case-preserving [GH-3240]
+ * cli: Add subcommand autocompletion that can be enabled with 
+ `vault -autocomplete-install` [GH-3223]
+ * storage/gcp: Use application default credentials if they exist [GH-3248]
 
 BUG FIXES:
 
- * core: Fix PROXY when underlying connection is TLS [GH-3195]
- * core: Policy-related commands would sometimes fail to act case-insensitively
- [GH-3210]
  * auth/aws: Properly use role-set period values for IAM-derived token renewals
  [GH-3220]
  * auth/okta: Fix updating organization/ttl/max_ttl after initial setting
  [GH-3236]
+ * core: Fix PROXY when underlying connection is TLS [GH-3195]
+ * core: Policy-related commands would sometimes fail to act case-insensitively
+ [GH-3210]
 
 ## 0.8.1 (August 16th, 2017)
 

builtin/audit/file/backend.go

@@ -5,6 +5,7 @@ import (
  "os"
  "path/filepath"
  "strconv"
+ "strings"
  "sync"
 
  "github.com/hashicorp/vault/audit"
@@ -28,6 +29,11 @@ func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
  }
  }
 
+ // normalize path if configured for stdout
+ if strings.ToLower(path) == "stdout" {
+ path = "stdout"
+ }
+
  format, ok := conf.Config["format"]
  if !ok {
  format = "json"
@@ -92,11 +98,16 @@ func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
  }
  }
 
- // Ensure that the file can be successfully opened for writing;
- // otherwise it will be too late to catch later without problems
- // (ref: https://github.com/hashicorp/vault/issues/550)
- if err := b.open(); err != nil {
- return nil, fmt.Errorf("sanity check failed; unable to open %s for writing: %v", path, err)
+ switch path {
+ case "stdout":
+ // no need to test opening file if outputting to stdout
+ default:
+ // Ensure that the file can be successfully opened for writing;
+ // otherwise it will be too late to catch later without problems
+ // (ref: https://github.com/hashicorp/vault/issues/550)
+ if err := b.open(); err != nil {
+ return nil, fmt.Errorf("sanity check failed; unable to open %s for writing: %v", path, err)
+ }
  }
 
  return b, nil
@@ -155,6 +166,10 @@ func (b *Backend) LogRequest(auth *logical.Auth, req *logical.Request, outerErr
  b.fileLock.Lock()
  defer b.fileLock.Unlock()
 
+ if b.path == "stdout" {
+ return b.formatter.FormatRequest(os.Stdout, b.formatConfig, auth, req, outerErr)
+ }
+
  if err := b.open(); err != nil {
  return err
  }
@@ -183,6 +198,10 @@ func (b *Backend) LogResponse(
  b.fileLock.Lock()
  defer b.fileLock.Unlock()
 
+ if b.path == "stdout" {
+ return b.formatter.FormatResponse(os.Stdout, b.formatConfig, auth, req, resp, err)
+ }
+
  if err := b.open(); err != nil {
  return err
  }
@@ -232,6 +251,10 @@ func (b *Backend) open() error {
 }
 
 func (b *Backend) Reload() error {
+ if b.path == "stdout" {
+ return nil
+ }
+
  b.fileLock.Lock()
  defer b.fileLock.Unlock()
 

builtin/logical/pki/backend_test.go

@@ -2209,6 +2209,10 @@ func TestBackend_Root_Idempotentcy(t *testing.T) {
  t.Fatal("expected ca info")
  }
  resp, err = client.Logical().Read("pki/cert/ca_chain")
+ if err != nil {
+ t.Fatalf("error reading ca_chain: %v", err)
+ }
+
  r1Data := resp.Data
 
  // Try again, make sure it's a 204 and same CA
@@ -2222,6 +2226,9 @@ func TestBackend_Root_Idempotentcy(t *testing.T) {
  t.Fatal("expected no ca info")
  }
  resp, err = client.Logical().Read("pki/cert/ca_chain")
+ if err != nil {
+ t.Fatalf("error reading ca_chain: %v", err)
+ }
  r2Data := resp.Data
  if !reflect.DeepEqual(r1Data, r2Data) {
  t.Fatal("got different ca certs")

physical/gcs/gcs.go

@@ -42,26 +42,14 @@ func NewGCSBackend(conf map[string]string, logger log.Logger) (physical.Backend,
  }
  }
 
- // path to service account JSON file
- credentialsFile := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS")
- if credentialsFile == "" {
- credentialsFile = conf["credentials_file"]
- if credentialsFile == "" {
- return nil, fmt.Errorf("env var GOOGLE_APPLICATION_CREDENTIALS or configuration parameter 'credentials_file' must be set")
- }
- }
-
- client, err := storage.NewClient(
- context.Background(),
- option.WithServiceAccountFile(credentialsFile),
- )
-
+ ctx := context.Background()
+ client, err := newGCSClient(ctx, conf, logger)
  if err != nil {
- return nil, fmt.Errorf("error establishing storage client: '%v'", err)
+ return nil, errwrap.Wrapf("error establishing strorage client: {{err}}", err)
  }
 
  // check client connectivity by getting bucket attributes
- _, err = client.Bucket(bucketName).Attrs(context.Background())
+ _, err = client.Bucket(bucketName).Attrs(ctx)
  if err != nil {
  return nil, fmt.Errorf("unable to access bucket '%s': '%v'", bucketName, err)
  }
@@ -88,6 +76,29 @@ func NewGCSBackend(conf map[string]string, logger log.Logger) (physical.Backend,
  return &g, nil
 }
 
+func newGCSClient(ctx context.Context, conf map[string]string, logger log.Logger) (*storage.Client, error) {
+ // if credentials_file is configured, try to use it
+ // else use application default credentials
+ credentialsFile, ok := conf["credentials_file"]
+ if ok {
+ client, err := storage.NewClient(
+ ctx,
+ option.WithServiceAccountFile(credentialsFile),
+ )
+
+ if err != nil {
+ return nil, fmt.Errorf("error with provided credentials: '%v'", err)
+ }
+ return client, nil
+ }
+
+ client, err := storage.NewClient(ctx)
+ if err != nil {
+ return nil, errwrap.Wrapf("error with application default credentials: {{err}}", err)
+ }
+ return client, nil
+}
+
 // Put is used to insert or update an entry
 func (g *GCSBackend) Put(entry *physical.Entry) error {
  defer metrics.MeasureSince([]string{"gcs", "put"}, time.Now())

website/redirects.txt

@@ -80,4 +80,5 @@
 /docs/guides/upgrading/upgrade-to-0.6.3.html /guides/upgrading/upgrade-to-0.6.3.html
 /docs/guides/upgrading/upgrade-to-0.6.4.html /guides/upgrading/upgrade-to-0.6.4.html
 /docs/guides/upgrading/upgrade-to-0.7.0.html /guides/upgrading/upgrade-to-0.7.0.html
+/docs/secrets/custom.html /docs/plugin/index.html
 /intro/getting-started/acl.html /intro/getting-started/policies.html

website/source/api/auth/approle/index.html.md

@@ -70,7 +70,7 @@ enabled while creating or updating a role.
 - `role_name` `(string: <required>)` - Name of the AppRole.
 - `bind_secret_id` `(bool: true)` - Require `secret_id` to be presented when 
  logging in using this AppRole.
-- `bind_cidr_list` `(array: [])` - Comma-separated list of CIDR blocks; if set,
+- `bound_cidr_list` `(array: [])` - Comma-separated list of CIDR blocks; if set,
  specifies blocks of IP addresses which can perform the login operation.
 - `policies` `(array: [])` - Comma-separated list of policies set on tokens 
  issued via this AppRole.

website/source/docs/audit/file.html.md

@@ -56,7 +56,7 @@ Following are the configuration options available for the backend.
   <span class="param">file_path</span>
   <span class="param-flags">required</span>
   The path to where the audit log will be written. If this
-  path exists, the audit backend will append to it.
+  path exists, the audit backend will append to it. Specify `"stdout"` to write audit log to **stdout**.
   </li>
   <li>
   <span class="param">log_raw</span>

website/source/docs/configuration/storage/google-cloud.html.md

@@ -34,10 +34,10 @@ storage "gcs" {
  account must have permission to read, write, and delete from the bucket. This
  can also be provided via the environment variable `GOOGLE_STORAGE_BUCKET`.
 
-- `credentials_file` `(string: <required>)` – Specifies the path on disk to a
+- `credentials_file` `(string: "<varies>")` – Specifies the path on disk to a
  Google Cloud Platform [service account][gcs-service-account] private key file
- in [JSON format][gcs-private-key]. This can also be provided via the
- environment variable `GOOGLE_APPLICATION_CREDENTIALS`.
+ in [JSON format][gcs-private-key]. The GCS client library will attempt to use
+ the [application default credentials][adc] if this is not specified.
 
 - `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
  requests.
@@ -55,6 +55,7 @@ storage "gcs" {
 }
 ```
 
+[adc]: https://developers.google.com/identity/protocols/application-default-credentials
 [gcs]: https://cloud.google.com/storage/
 [gcs-service-account]: https://cloud.google.com/compute/docs/access/service-accounts
 [gcs-private-key]: https://cloud.google.com/storage/docs/authentication#generating-a-private-key

website/source/docs/plugin/index.html.md

@@ -1,22 +1,22 @@
 ---
 layout: "docs"
-page_title: "Plugin Backends"
+page_title: "Custom Plugin Backends"
 sidebar_current: "docs-plugin"
 description: |-
  Plugin backends are mountable backends that are implemented unsing Vault's plugin system.
 ---
 
-# Plugin Backends
+# Custom Plugin Backends
 
 Plugin backends are the components in Vault that can be implemented separately from Vault's
 builtin backends. These backends can be either authentication or secret backends.
 
-Detailed information regarding the plugin system can be found in the 
+Detailed information regarding the plugin system can be found in the
 [internals documentation](https://www.vaultproject.io/docs/internals/plugins.html).
 
 # Mounting/unmounting Plugin Backends
 
-Before a plugin backend can be mounted, it needs to be registered via the 
+Before a plugin backend can be mounted, it needs to be registered via the
 [plugin catalog](https://www.vaultproject.io/docs/internals/plugins.html#plugin-catalog). After
 the plugin is registered, it can be mounted by specifying the registered plugin name:
 
@@ -40,5 +40,3 @@ Unmounting a plugin backend is the identical to unmounting internal backends:
 ```
 $ vault unmount my-secrets
 ```
-
-

website/source/layouts/docs.erb

@@ -252,10 +252,6 @@
  <a href="/docs/secrets/transit/index.html">Transit</a>
  </li>
 
- <li<%= sidebar_current("docs-secrets-custom") %>>
- <a href="/docs/secrets/custom.html">Custom</a>
- </li>
-
  <hr>
 
  <li<%= sidebar_current("docs-secrets-cassandra") %>>