From 76e3ffc58fe4f146bf7c96242392b0ac37149619 Mon Sep 17 00:00:00 2001 From: djboris9 Date: Tue, 29 Aug 2017 18:37:20 +0200 Subject: [PATCH 1/8] Fix API/AUTH/AppRole doc issue concerning bound_cidr_list (#3205) This patch fixes a little documentation issue. bind_cidr_list doesn't exist as parameter to AppRole creation. It should be "bound_cidr_list". In "path-help" it is documented correctly. --- website/source/api/auth/approle/index.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/api/auth/approle/index.html.md b/website/source/api/auth/approle/index.html.md index 00ef187889eb..3c4453a8b235 100644 --- a/website/source/api/auth/approle/index.html.md +++ b/website/source/api/auth/approle/index.html.md @@ -70,7 +70,7 @@ enabled while creating or updating a role. - `role_name` `(string: )` - Name of the AppRole. - `bind_secret_id` `(bool: true)` - Require `secret_id` to be presented when logging in using this AppRole. -- `bind_cidr_list` `(array: [])` - Comma-separated list of CIDR blocks; if set, +- `bound_cidr_list` `(array: [])` - Comma-separated list of CIDR blocks; if set, specifies blocks of IP addresses which can perform the login operation. - `policies` `(array: [])` - Comma-separated list of policies set on tokens issued via this AppRole. From 56f127300d9dcb21c5165fc2c0a50e1d7593621d Mon Sep 17 00:00:00 2001 From: Lars Lehtonen Date: Tue, 29 Aug 2017 10:15:36 -0700 Subject: [PATCH 2/8] fix swallowed errors in pki package tests (#3215) --- builtin/logical/pki/backend_test.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go index 800495684e7a..e1795ae64f7f 100644 --- a/builtin/logical/pki/backend_test.go +++ b/builtin/logical/pki/backend_test.go 
@@ -2209,6 +2209,10 @@ func TestBackend_Root_Idempotentcy(t *testing.T) {
 t.Fatal("expected ca info")
 }
 resp, err = client.Logical().Read("pki/cert/ca_chain")
+ if err != nil {
+ t.Fatalf("error reading ca_chain: %v", err)
+ }
+
 r1Data := resp.Data
 
 // Try again, make sure it's a 204 and same CA
@@ -2222,6 +2226,9 @@ func TestBackend_Root_Idempotentcy(t *testing.T) {
 t.Fatal("expected no ca info")
 }
 resp, err = client.Logical().Read("pki/cert/ca_chain")
+ if err != nil {
+ t.Fatalf("error reading ca_chain: %v", err)
+ }
 r2Data := resp.Data
 if !reflect.DeepEqual(r1Data, r2Data) {
 t.Fatal("got different ca certs")
From f2d452b5e16f091290afb3b84d9ce6d12323a29f Mon Sep 17 00:00:00 2001
From: Christopher Pauley
Date: Tue, 29 Aug 2017 11:51:16 -0700
Subject: [PATCH 3/8] stdout support for file backend via logger (#3235)
---
 builtin/audit/file/backend.go | 33 ++++++++++++++++++++++----
 website/source/docs/audit/file.html.md | 2 +-
 2 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/builtin/audit/file/backend.go b/builtin/audit/file/backend.go
index 4f39cc7bfb8f..bd1312afc031 100644
--- a/builtin/audit/file/backend.go
+++ b/builtin/audit/file/backend.go
@@ -5,6 +5,7 @@ import (
 "os"
 "path/filepath"
 "strconv"
+ "strings"
 "sync"
 
 "github.com/hashicorp/vault/audit"
@@ -28,6 +29,11 @@ func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
 }
 }
 
+ // normalize path if configured for stdout
+ if strings.ToLower(path) == "stdout" {
+ path = "stdout"
+ }
+
 format, ok := conf.Config["format"]
 if !ok {
 format = "json"
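Review bot: `resp` is still dereferenced unchecked at `r1Data := resp.Data` immediately after the new error check, and again at `r2Data := resp.Data` in the second hunk; as far as I recall the Vault API client's `Logical().Read` returns a nil response with a nil error when the path answers 404, so a missing ca_chain would now panic the test instead of failing it with a message. Add `if resp == nil { t.Fatal("nil response reading ca_chain") }` after each of the two added error checks. The rest of TestBackend_Root_Idempotentcy lies outside these hunks.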
@@ -92,11 +98,16 @@ func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
 }
 }
 
- // Ensure that the file can be successfully opened for writing;
- // otherwise it will be too late to catch later without problems
- // (ref: https://github.com/hashicorp/vault/issues/550)
- if err := b.open(); err != nil {
- return nil, fmt.Errorf("sanity check failed; unable to open %s for writing: %v", path, err)
+ switch path {
+ case "stdout":
+ // no need to test opening file if outputting to stdout
+ default:
+ // Ensure that the file can be successfully opened for writing;
+ // otherwise it will be too late to catch later without problems
+ // (ref: https://github.com/hashicorp/vault/issues/550)
+ if err := b.open(); err != nil {
+ return nil, fmt.Errorf("sanity check failed; unable to open %s for writing: %v", path, err)
+ }
 }
 
 return b, nil
@@ -155,6 +166,10 @@ func (b *Backend) LogRequest(auth *logical.Auth, req *logical.Request, outerErr
 b.fileLock.Lock()
 defer b.fileLock.Unlock()
 
+ if b.path == "stdout" {
+ return b.formatter.FormatRequest(os.Stdout, b.formatConfig, auth, req, outerErr)
+ }
+
 if err := b.open(); err != nil {
 return err
 }
@@ -183,6 +198,10 @@ func (b *Backend) LogResponse(
 b.fileLock.Lock()
 defer b.fileLock.Unlock()
 
+ if b.path == "stdout" {
+ return b.formatter.FormatResponse(os.Stdout, b.formatConfig, auth, req, resp, err)
+ }
+
 if err := b.open(); err != nil {
 return err
 }
@@ -232,6 +251,10 @@ func (b *Backend) open() error {
 }
 
 func (b *Backend) Reload() error {
+ if b.path == "stdout" {
+ return nil
+ }
+
 b.fileLock.Lock()
 defer b.fileLock.Unlock()
 
diff --git a/website/source/docs/audit/file.html.md b/website/source/docs/audit/file.html.md
index 087b37758f3f..c7940701943b 100644
--- a/website/source/docs/audit/file.html.md
+++ b/website/source/docs/audit/file.html.md
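Review bot: The literal "stdout" is now compared in four places (the Factory `switch path`, LogRequest, LogResponse and Reload), and only the ToLower normalization in Factory makes that match case-insensitive; a package-level `const stdoutPath = "stdout"` plus `func (b *Backend) isStdout() bool { return b.path == stdoutPath }` would keep the four sites from drifting. The `case "stdout":` branch also drops the mount-time sanity check entirely, so a stdout that the supervisor has closed or redirected to /dev/null is only discovered on the first audited request, which is exactly the late failure the removed comment (issue 550) was guarding against; a cheap probe such as `if _, err := os.Stdout.Stat(); err != nil { return nil, fmt.Errorf("sanity check failed; stdout is not usable: %v", err) }` would preserve the early-failure property. Worth a comment on that branch as well that `b.fileLock` only serializes this backend's own writes, so audit lines written to os.Stdout can interleave with anything else the process prints on the same descriptor. Factory, LogRequest and LogResponse all continue outside these hunks.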
@@ -56,7 +56,7 @@ Following are the configuration options available for the backend. file_path required The path to where the audit log will be written. If this - path exists, the audit backend will append to it. + path exists, the audit backend will append to it. Specify `"stdout"` to write audit log to **stdout**.
  • log_raw From 94d335e66d937e0383795dcccc41ed8e1d107273 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Tue, 29 Aug 2017 14:52:15 -0400 Subject: [PATCH 4/8] changelog++ --- CHANGELOG.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c9166cbd99e2..2a3b5d0d48b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,20 +13,22 @@ FEATURES: verification through the SSH CA backend, if enabled. IMPROVEMENTS: - * cli: Add subcommand autocompletion that can be enabled with - `vault -autocomplete-install` [GH-3223] + * audit/file: Allow specifying `stdout` as the `file_path` to log to standard + output [GH-3235] * auth/okta: Compare groups case-insensitively since Okta is only case-preserving [GH-3240] + * cli: Add subcommand autocompletion that can be enabled with + `vault -autocomplete-install` [GH-3223] BUG FIXES: - * core: Fix PROXY when underlying connection is TLS [GH-3195] - * core: Policy-related commands would sometimes fail to act case-insensitively - [GH-3210] * auth/aws: Properly use role-set period values for IAM-derived token renewals [GH-3220] * auth/okta: Fix updating organization/ttl/max_ttl after initial setting [GH-3236] + * core: Fix PROXY when underlying connection is TLS [GH-3195] + * core: Policy-related commands would sometimes fail to act case-insensitively + [GH-3210] ## 0.8.1 (August 16th, 2017) From 2e39d2b2d43d65bfb1e54ffc8996c2ca0f82a367 Mon Sep 17 00:00:00 2001 From: Calvin Leung Huang Date: Tue, 29 Aug 2017 15:55:34 -0400 Subject: [PATCH 5/8] Fix travis build on go 1.9 --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 3aec0c8af9d2..f46f04caeb3a 100644 --- a/.travis.yml +++ b/.travis.yml @@ -7,7 +7,7 @@ services: - docker go: - - 1.9.0 + - 1.9 matrix: allow_failures: From aa1591cd3b351b06d8715b8b06dd8447e4a89cd9 Mon Sep 17 00:00:00 2001 
From: Seth Vargo Date: Wed, 30 Aug 2017 12:57:45 -0400 Subject: [PATCH 6/8] Remove fake news about custom plugins This also adds a redirect from the old page to the new one --- website/redirects.txt | 1 + website/source/docs/plugin/index.html.md | 10 ++++------ website/source/docs/secrets/custom.html.md | 19 ------------------- website/source/layouts/docs.erb | 4 ---- 4 files changed, 5 insertions(+), 29 deletions(-) delete mode 100644 website/source/docs/secrets/custom.html.md diff --git a/website/redirects.txt b/website/redirects.txt index 024d3d428ccb..446afb0c5881 100644 --- a/website/redirects.txt +++ b/website/redirects.txt @@ -80,4 +80,5 @@ /docs/guides/upgrading/upgrade-to-0.6.3.html /guides/upgrading/upgrade-to-0.6.3.html /docs/guides/upgrading/upgrade-to-0.6.4.html /guides/upgrading/upgrade-to-0.6.4.html /docs/guides/upgrading/upgrade-to-0.7.0.html /guides/upgrading/upgrade-to-0.7.0.html +/docs/secrets/custom.html /docs/plugin/index.html /intro/getting-started/acl.html /intro/getting-started/policies.html diff --git a/website/source/docs/plugin/index.html.md b/website/source/docs/plugin/index.html.md index 03365d53ec5c..096eb9e3c2d1 100644 --- a/website/source/docs/plugin/index.html.md +++ b/website/source/docs/plugin/index.html.md 
@@ -1,22 +1,22 @@ --- layout: "docs" -page_title: "Plugin Backends" +page_title: "Custom Plugin Backends" sidebar_current: "docs-plugin" description: |- Plugin backends are mountable backends that are implemented unsing Vault's plugin system. --- -# Plugin Backends +# Custom Plugin Backends Plugin backends are the components in Vault that can be implemented separately from Vault's builtin backends. These backends can be either authentication or secret backends. -Detailed information regarding the plugin system can be found in the +Detailed information regarding the plugin system can be found in the [internals documentation](https://www.vaultproject.io/docs/internals/plugins.html). # Mounting/unmounting Plugin Backends -Before a plugin backend can be mounted, it needs to be registered via the +Before a plugin backend can be mounted, it needs to be registered via the [plugin catalog](https://www.vaultproject.io/docs/internals/plugins.html#plugin-catalog). After the plugin is registered, it can be mounted by specifying the registered plugin name: @@ -40,5 +40,3 @@ Unmounting a plugin backend is the identical to unmounting internal backends: ``` $ vault unmount my-secrets ``` - - diff --git a/website/source/docs/secrets/custom.html.md b/website/source/docs/secrets/custom.html.md deleted file mode 100644 index 419d4c691b44..000000000000 --- a/website/source/docs/secrets/custom.html.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -layout: "docs" -page_title: "Custom Secret Backend" -sidebar_current: "docs-secrets-custom" -description: |- - Create custom secret backends for Vault. ---- - -# Custom Secret Backends - -Vault doesn't currently support the creation of custom secret backends. -The primary reason is because we want to ensure the core of Vault is -secure before attempting any sort of plug-in system. We're interested -in supporting custom secret backends, but don't yet have a clear strategy -or timeline to do. - -In the mean time, you can use the -[generic backend](/docs/secrets/generic/index.html) to support custom -data with custom leases. diff --git a/website/source/layouts/docs.erb b/website/source/layouts/docs.erb index 816b5a06932f..cce3679d840b 100644 --- a/website/source/layouts/docs.erb +++ b/website/source/layouts/docs.erb @@ -252,10 +252,6 @@ Transit
  • - > - Custom - -
From 55fa69a2f44cf58d7ff506e7dec553d9b53dae60 Mon Sep 17 00:00:00 2001
From: stephan stachurski
Date: Wed, 30 Aug 2017 15:42:02 -0400
Subject: [PATCH 7/8] add support to use application default credentials to gcs storage backend (#3257)
---
 physical/gcs/gcs.go | 43 ++++++++++++-------
 .../storage/google-cloud.html.md | 7 +--
 2 files changed, 31 insertions(+), 19 deletions(-)
diff --git a/physical/gcs/gcs.go b/physical/gcs/gcs.go
index 27125b47166b..5e7fc78cbb8c 100644
--- a/physical/gcs/gcs.go
+++ b/physical/gcs/gcs.go
@@ -42,26 +42,14 @@ func NewGCSBackend(conf map[string]string, logger log.Logger) (physical.Backend,
 }
 }
 
- // path to service account JSON file
- credentialsFile := os.Getenv("GOOGLE_APPLICATION_CREDENTIALS")
- if credentialsFile == "" {
- credentialsFile = conf["credentials_file"]
- if credentialsFile == "" {
- return nil, fmt.Errorf("env var GOOGLE_APPLICATION_CREDENTIALS or configuration parameter 'credentials_file' must be set")
- }
- }
-
- client, err := storage.NewClient(
- context.Background(),
- option.WithServiceAccountFile(credentialsFile),
- )
-
+ ctx := context.Background()
+ client, err := newGCSClient(ctx, conf, logger)
 if err != nil {
- return nil, fmt.Errorf("error establishing storage client: '%v'", err)
+ return nil, errwrap.Wrapf("error establishing strorage client: {{err}}", err)
 }
 
 // check client connectivity by getting bucket attributes
- _, err = client.Bucket(bucketName).Attrs(context.Background())
+ _, err = client.Bucket(bucketName).Attrs(ctx)
 if err != nil {
 return nil, fmt.Errorf("unable to access bucket '%s': '%v'", bucketName, err)
 }
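Review bot: The new error message at `errwrap.Wrapf("error establishing strorage client: {{err}}", err)` misspells "storage"; operators grep logs for these strings, so it should read `return nil, errwrap.Wrapf("error establishing storage client: {{err}}", err)`. The same function now mixes errwrap on that line with `fmt.Errorf("unable to access bucket '%s': '%v'", bucketName, err)` a few lines below; settling on one wrapping style (errwrap is the one this patch introduces) keeps the messages consistent. Dropping the explicit GOOGLE_APPLICATION_CREDENTIALS lookup is presumably safe because the application-default-credentials chain that newGCSClient falls back to consults that variable itself, but nothing in this hunk says so; a one-line comment above `client, err := newGCSClient(ctx, conf, logger)` such as `// GOOGLE_APPLICATION_CREDENTIALS is still honored, via the ADC fallback in newGCSClient` would stop the next reader from concluding the env var was silently removed. NewGCSBackend continues outside the hunk.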
@@ -88,6 +76,29 @@ func NewGCSBackend(conf map[string]string, logger log.Logger) (physical.Backend,
 return &g, nil
 }
 
+func newGCSClient(ctx context.Context, conf map[string]string, logger log.Logger) (*storage.Client, error) {
+ // if credentials_file is configured, try to use it
+ // else use application default credentials
+ credentialsFile, ok := conf["credentials_file"]
+ if ok {
+ client, err := storage.NewClient(
+ ctx,
+ option.WithServiceAccountFile(credentialsFile),
+ )
+
+ if err != nil {
+ return nil, fmt.Errorf("error with provided credentials: '%v'", err)
+ }
+ return client, nil
+ }
+
+ client, err := storage.NewClient(ctx)
+ if err != nil {
+ return nil, errwrap.Wrapf("error with application default credentials: {{err}}", err)
+ }
+ return client, nil
+}
+
 // Put is used to insert or update an entry
 func (g *GCSBackend) Put(entry *physical.Entry) error {
 defer metrics.MeasureSince([]string{"gcs", "put"}, time.Now())
diff --git a/website/source/docs/configuration/storage/google-cloud.html.md b/website/source/docs/configuration/storage/google-cloud.html.md
index d17ac9c251e1..2e6a98b66a74 100644
--- a/website/source/docs/configuration/storage/google-cloud.html.md
+++ b/website/source/docs/configuration/storage/google-cloud.html.md
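Review bot: `credentialsFile, ok := conf["credentials_file"]` keys the decision on presence rather than value, so a config that sets `credentials_file = ""` (the default the accompanying docs hunk now advertises as `(string: "")`) takes the explicit-file branch and fails in `option.WithServiceAccountFile("")` instead of falling back to application default credentials. Test the value instead: `if credentialsFile := conf["credentials_file"]; credentialsFile != "" {`. The `logger` parameter is accepted but never used; emitting one startup line saying which source was chosen (explicit service-account file vs. application default credentials) is worth doing, because the ADC fallback can resolve to a GCE metadata identity or a developer's gcloud credentials whose bucket rights differ from the intended service account, and an operator has no other way to tell from the running process. The two branches also wrap errors differently (`fmt.Errorf` with a quoted '%v' versus `errwrap.Wrapf`); pick one style for both.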
@@ -34,10 +34,10 @@ storage "gcs" { account must have permission to read, write, and delete from the bucket. This can also be provided via the environment variable `GOOGLE_STORAGE_BUCKET`. -- `credentials_file` `(string: )` – Specifies the path on disk to a +- `credentials_file` `(string: "")` – Specifies the path on disk to a Google Cloud Platform [service account][gcs-service-account] private key file - in [JSON format][gcs-private-key]. This can also be provided via the - environment variable `GOOGLE_APPLICATION_CREDENTIALS`. + in [JSON format][gcs-private-key]. The GCS client library will attempt to use + the [application default credentials][adc] if this is not specified. - `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent requests. @@ -55,6 +55,7 @@ storage "gcs" { } ``` +[adc]: https://developers.google.com/identity/protocols/application-default-credentials [gcs]: https://cloud.google.com/storage/ [gcs-service-account]: https://cloud.google.com/compute/docs/access/service-accounts [gcs-private-key]: https://cloud.google.com/storage/docs/authentication#generating-a-private-key From 2ca896cceac812b156b25428a3429d0db56b69de Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Wed, 30 Aug 2017 15:42:44 -0400 Subject: [PATCH 8/8] changelog++ --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a3b5d0d48b1..d9823eed45f1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ IMPROVEMENTS: case-preserving [GH-3240] * cli: Add subcommand autocompletion that can be enabled with `vault -autocomplete-install` [GH-3223] + * storage/gcp: Use application default credentials if they exist [GH-3248] BUG FIXES: