diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-azure/Gopkg.lock b/vendor/github.com/hashicorp/vault-plugin-auth-azure/Gopkg.lock index a8eb992af3..b73a81c63b 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-azure/Gopkg.lock +++ b/vendor/github.com/hashicorp/vault-plugin-auth-azure/Gopkg.lock @@ -216,7 +216,7 @@ [[projects]] branch = "master" - digest = "1:450803219e484669ba680c777ecac629dac92abde2bc83009beaa630f5368e71" + digest = "1:606c7307ae83d1adc0901aa8909b700489d7f1294533344453436a8dbff0091b" name = "github.com/hashicorp/vault" packages = [ "api", @@ -226,6 +226,7 @@ "helper/errutil", "helper/hclutil", "helper/jsonutil", + "helper/license", "helper/locksutil", "helper/logging", "helper/mlock", @@ -245,7 +246,7 @@ "version", ] pruneopts = "UT" - revision = "8655d167084028d627f687ddc25d0c71307eb5be" + revision = "c0739a0f2367d5fdd20cef502b628e01bdb90470" [[projects]] branch = "master" @@ -287,6 +288,17 @@ revision = "4dadeb3030eda0273a12382bb2348ffc7c9d1a39" version = "v1.0.0" +[[projects]] + digest = "1:c7a5e79396b6eb570159df7a1d487ce5775bf43b7907976fbef6de544ea160ad" + name = "github.com/pierrec/lz4" + packages = [ + ".", + "internal/xxh32", + ] + pruneopts = "UT" + revision = "473cd7ce01a1113208073166464b98819526150e" + version = "v2.0.8" + [[projects]] branch = "master" digest = "1:bd9efe4e0b0f768302a1e2f0c22458149278de533e521206e5ddc71848c269a0" diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-azure/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-azure/path_config.go index 8b18cc9065..4e5fad3890 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-azure/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-azure/path_config.go 
@@ -16,26 +16,31 @@ func pathConfig(b *azureAuthBackend) *framework.Path { Description: `The tenant id for the Azure Active Directory. This is sometimes referred to as Directory ID in AD. This value can also be provided with the AZURE_TENANT_ID environment variable.`, + DisplayName: "Tenant ID", }, "resource": &framework.FieldSchema{ Type: framework.TypeString, Description: `The resource URL for the vault application in Azure Active Directory. This value can also be provided with the AZURE_AD_RESOURCE environment variable.`, + DisplayName: "Resource", }, "environment": &framework.FieldSchema{ Type: framework.TypeString, Description: `The Azure environment name. If not provided, AzurePublicCloud is used. This value can also be provided with the AZURE_ENVIRONMENT environment variable.`, + DisplayName: "Environment", }, "client_id": &framework.FieldSchema{ Type: framework.TypeString, Description: `The OAuth2 client id to connection to Azure. This value can also be provided with the AZURE_CLIENT_ID environment variable.`, + DisplayName: "Client ID", }, "client_secret": &framework.FieldSchema{ Type: framework.TypeString, Description: `The OAuth2 client secret to connection to Azure. This value can also be provided with the AZURE_CLIENT_SECRET environment variable.`, + DisplayName: "Client Secret", }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_config.go index 3476a64134..da4d32f310 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-gcp/plugin/path_config.go @@ -6,6 +6,7 @@ import ( "fmt" "encoding/json" + "github.com/hashicorp/go-gcp-common/gcputil" "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" 
@@ -20,11 +21,13 @@ func pathConfig(b *GcpAuthBackend) *framework.Path { Description: ` Google credentials JSON that Vault will use to verify users against GCP APIs. If not specified, will use application default credentials`, + DisplayName: "Credentials", }, "google_certs_endpoint": { Type: framework.TypeString, Description: ` Deprecated. This field does nothing and be removed in a future release`, + Deprecated: true, }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go index 5019cbd603..2f13db15f9 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_config.go @@ -4,6 +4,7 @@ import ( "crypto/tls" "crypto/x509" "errors" + "fmt" "net/http" "context" @@ -33,6 +34,10 @@ func pathConfig(b *jwtAuthBackend) *framework.Path { Type: framework.TypeCommaStringSlice, Description: `A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used with "oidc_discovery_url".`, }, + "jwt_supported_algs": { + Type: framework.TypeCommaStringSlice, + Description: `A list of supported signing algorithms. Defaults to RS256.`, + }, "bound_issuer": { Type: framework.TypeString, Description: "The value against which to match the 'iss' claim in a JWT. Optional.", @@ -99,6 +104,7 @@ func (b *jwtAuthBackend) pathConfigRead(ctx context.Context, req *logical.Reques "oidc_discovery_url": config.OIDCDiscoveryURL, "oidc_discovery_ca_pem": config.OIDCDiscoveryCAPEM, "jwt_validation_pubkeys": config.JWTValidationPubKeys, + "jwt_supported_algs": config.JWTSupportedAlgs, "bound_issuer": config.BoundIssuer, }, } 
@@ -111,6 +117,7 @@ func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Reque OIDCDiscoveryURL: d.Get("oidc_discovery_url").(string), OIDCDiscoveryCAPEM: d.Get("oidc_discovery_ca_pem").(string), JWTValidationPubKeys: d.Get("jwt_validation_pubkeys").([]string), + JWTSupportedAlgs: d.Get("jwt_supported_algs").([]string), BoundIssuer: d.Get("bound_issuer").(string), } @@ -133,6 +140,15 @@ func (b *jwtAuthBackend) pathConfigWrite(ctx context.Context, req *logical.Reque } } + case len(config.JWTSupportedAlgs) != 0: + for _, a := range config.JWTSupportedAlgs { + switch a { + case oidc.RS256, oidc.RS384, oidc.RS512, oidc.ES256, oidc.ES384, oidc.ES512, oidc.PS256, oidc.PS384, oidc.PS512: + default: + return logical.ErrorResponse(fmt.Sprintf("Invalid supported algorithm: %s", a)), nil + } + } + default: return nil, errors.New("unknown condition") } @@ -182,6 +198,7 @@ type jwtConfig struct { OIDCDiscoveryURL string `json:"oidc_discovery_url"` OIDCDiscoveryCAPEM string `json:"oidc_discovery_ca_pem"` JWTValidationPubKeys []string `json:"jwt_validation_pubkeys"` + JWTSupportedAlgs []string `json:"jwt_supported_algs"` BoundIssuer string `json:"bound_issuer"` ParsedJWTPubKeys []interface{} `json:"-"` diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go index 868fe9d094..0b515ab5f3 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-jwt/path_login.go @@ -136,7 +136,8 @@ func (b *jwtAuthBackend) pathLogin(ctx context.Context, req *logical.Request, d } verifier := provider.Verifier(&oidc.Config{ - SkipClientIDCheck: true, + SkipClientIDCheck: true, + SupportedSigningAlgs: config.JWTSupportedAlgs, }) idToken, err := verifier.Verify(ctx, token) 
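Review bot: The new `case len(config.JWTSupportedAlgs) != 0:` arm in pathConfigWrite looks unreachable in practice: it is added as one more arm of a switch whose earlier arms lie outside this hunk, and Go runs only the first arm that matches. If those earlier arms already match whenever `oidc_discovery_url` or `jwt_validation_pubkeys` is set (inferred from the field descriptions, not visible here), an unrecognised value in `jwt_supported_algs` is stored without validation and later reaches the verifier config in path_login.go. Running the allow-list loop as its own step after the switch, with the same `Invalid supported algorithm: %s` error response, would make the check unconditional. The file is vendored, so the fix belongs in the upstream plugin; a test that writes a config with an unknown algorithm name and expects an error response would show whether the gap is real.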
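Review bot: `SupportedSigningAlgs: config.JWTSupportedAlgs` is applied only to the verifier built from `provider` in this hunk of path_login.go. pathLogin starts and ends outside the hunk, so it is not visible whether the branch that checks tokens against `jwt_validation_pubkeys` honours the configured list as well. If it does not, an operator who sets `jwt_supported_algs` together with static keys gets no restriction from it. I would add a comment at this call, `// empty JWTSupportedAlgs leaves the verifier's default algorithm set in place`, and a test that a token signed with an algorithm outside the list is rejected on every verification path.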
diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock index 1d1007232e..f6ee0566a5 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock +++ b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/Gopkg.lock @@ -203,7 +203,7 @@ [[projects]] branch = "master" - digest = "1:d00de8725219a569ffbb5dd1042e4ced1f3b5ccee2b07218371f71026cc7609a" + digest = "1:7be65468c591c5e836ec7ff70b6e7665452a6e700d5f0d5bb9edec8aa57b58e2" name = "github.com/hashicorp/vault" packages = [ "api", @@ -214,6 +214,7 @@ "helper/errutil", "helper/hclutil", "helper/jsonutil", + "helper/license", "helper/locksutil", "helper/logging", "helper/mlock", @@ -233,7 +234,7 @@ "version", ] pruneopts = "UT" - revision = "add60e6dc7ff7b94487f3b5b680d00d7c05fe621" + revision = "c0739a0f2367d5fdd20cef502b628e01bdb90470" [[projects]] branch = "master" @@ -275,6 +276,17 @@ revision = "4dadeb3030eda0273a12382bb2348ffc7c9d1a39" version = "v1.0.0" +[[projects]] + digest = "1:c7a5e79396b6eb570159df7a1d487ce5775bf43b7907976fbef6de544ea160ad" + name = "github.com/pierrec/lz4" + packages = [ + ".", + "internal/xxh32", + ] + pruneopts = "UT" + revision = "473cd7ce01a1113208073166464b98819526150e" + version = "v2.0.8" + [[projects]] digest = "1:0e792eea6c96ec55ff302ef33886acbaa5006e900fefe82689e88d96439dcd84" name = "github.com/ryanuber/go-glob" diff --git a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go index f10d4b4c7f..01f6de36c8 100644 --- a/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go +++ b/vendor/github.com/hashicorp/vault-plugin-auth-kubernetes/path_config.go 
@@ -22,16 +22,20 @@ func pathConfig(b *kubeAuthBackend) *framework.Path { "kubernetes_host": { Type: framework.TypeString, Description: "Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server.", + DisplayName: "Kubernetes Host", }, + "kubernetes_ca_cert": { Type: framework.TypeString, Description: "PEM encoded CA cert for use by the TLS client used to talk with the API.", + DisplayName: "Kubernetes CA Certificate", }, "token_reviewer_jwt": { Type: framework.TypeString, Description: `A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API.`, + DisplayName: "Token Reviewer JWT", }, "pem_keys": { Type: framework.TypeCommaStringSlice, @@ -39,6 +43,7 @@ the JWT used for login will be used to access the API.`, used to verify the signatures of kubernetes service account JWTs. If a certificate is given, its public key will be extracted. Not every installation of Kuberentes exposes these keys.`, + DisplayName: "Service account verification keys", }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/clients/sts.go b/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/clients/sts.go index 5771417ac9..210e2566e7 100644 --- a/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/clients/sts.go +++ b/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/clients/sts.go @@ -23,9 +23,9 @@ type STSClient struct { client *sts.Client } -func (c *STSClient) AssumeRole(userName, roleARN string) (*sts.AssumeRoleResponse, error) { +func (c *STSClient) AssumeRole(roleSessionName, roleARN string) (*sts.AssumeRoleResponse, error) { assumeRoleReq := sts.CreateAssumeRoleRequest() assumeRoleReq.RoleArn = roleARN - assumeRoleReq.RoleSessionName = userName + assumeRoleReq.RoleSessionName = roleSessionName return c.client.AssumeRole(assumeRoleReq) } 
diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/path_creds.go b/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/path_creds.go index e901a8c8cc..a2d7330948 100644 --- a/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/path_creds.go +++ b/vendor/github.com/hashicorp/vault-plugin-secrets-alicloud/path_creds.go @@ -60,7 +60,7 @@ func (b *backend) operationCredsRead(ctx context.Context, req *logical.Request, if err != nil { return nil, err } - assumeRoleResp, err := client.AssumeRole(generateUsername(req.DisplayName, roleName), role.RoleARN) + assumeRoleResp, err := client.AssumeRole(generateRoleSessionName(req.DisplayName, roleName), role.RoleARN) if err != nil { return nil, err } @@ -243,15 +243,24 @@ func (b *backend) operationCredsRead(ctx context.Context, req *logical.Request, // The max length of a username per AliCloud is 64. func generateUsername(displayName, roleName string) string { - username := fmt.Sprintf("%s-%s-", displayName, roleName) + return generateName(displayName, roleName, 64) +} - // The time and random number take up to 15 more in length, so if the username +// The max length of a role session name per AliCloud is 32. +func generateRoleSessionName(displayName, roleName string) string { + return generateName(displayName, roleName, 32) +} + +func generateName(displayName, roleName string, maxLength int) string { + name := fmt.Sprintf("%s-%s-", displayName, roleName) + + // The time and random number take up to 15 more in length, so if the name // is too long we need to trim it. - if len(username) > 49 { - username = username[:49] + if len(name) > maxLength-15 { + name = name[:maxLength-15] } r := rand.New(rand.NewSource(time.Now().UnixNano())) - return fmt.Sprintf("%s%d-%d", username, time.Now().Unix(), r.Intn(10000)) + return fmt.Sprintf("%s%d-%d", name, time.Now().Unix(), r.Intn(10000)) } const pathCredsHelpSyn = ` 
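Review bot: `name = name[:maxLength-15]` in generateName cuts at a byte index, so with the 32-byte limit passed by generateRoleSessionName only the first 17 bytes of `displayName-roleName-` survive. A longer display name pushes the role name out entirely, and a multi-byte character can be split, which would put invalid UTF-8 into the session name sent with AssumeRole. The session name is the only caller-chosen identifier this code attaches to the STS request, so losing the role name presumably makes it harder to trace issued credentials back to a Vault role in provider-side audit logs. Consider reserving part of the prefix for roleName and backing the cut up to a rune boundary, for example with `utf8.RuneStart`. generateName also has no doc comment; something like `// generateName reserves 15 bytes for the "<unix-seconds>-<0..9999>" suffix` would explain the constant.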
diff --git a/vendor/github.com/hashicorp/vault-plugin-secrets-gcpkms/README.md b/vendor/github.com/hashicorp/vault-plugin-secrets-gcpkms/README.md index f32c2cddb0..1924eb9915 100644 --- a/vendor/github.com/hashicorp/vault-plugin-secrets-gcpkms/README.md +++ b/vendor/github.com/hashicorp/vault-plugin-secrets-gcpkms/README.md @@ -84,6 +84,12 @@ instructions are only useful if you want to develop against the plugin.** $ vault secrets enable -path=gcpkms -plugin=vault-plugin-secrets-gcpkms plugin ``` +### Documentation + +The documentation for the plugin lives in the [main Vault +repository](/hashicorp/vault) in the `website/` folder. Please make any +documentation updates as separate Pull Requests against that repo. + ### Tests This plugin has both unit tests and acceptance tests. To run the acceptance diff --git a/vendor/vendor.json b/vendor/vendor.json index f6ddcf764d..4b43ec9b71 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json @@ -1391,10 +1391,10 @@ "revisionTime": "2018-11-09T18:06:36Z" }, { - "checksumSHA1": "Jj3mz58lSv0dsuXd6bVxGV4759w=", + "checksumSHA1": "UgLfwpXoRLpMOF0rzaj+cRcTtdo=", "path": "github.com/hashicorp/vault-plugin-auth-azure", - "revision": "4c0b46069a2293d5a6ca7506c8d3e0c4a92f3dbc", - "revisionTime": "2018-12-07T23:25:28Z" + "revision": "0af1d040b5b329f41904cadcd96be55179468880", + "revisionTime": "2019-02-01T22:26:32Z" }, { "checksumSHA1": "4Z/niOo76EcP8KpLdSL5GdDcy78=", 
@@ -1403,52 +1403,52 @@ "revisionTime": "2018-08-16T20:11:31Z" }, { - "checksumSHA1": "llLHR3FVdqtuFgjIoL9GNN8zKKI=", + "checksumSHA1": "Nd9aBfL80t7N8B9VVsNBgihA5f4=", "path": "github.com/hashicorp/vault-plugin-auth-gcp/plugin", - "revision": "4d63bbfe6fcf0363a2ea2c273846e88b95d85089", - "revisionTime": "2018-12-10T20:01:33Z" + "revision": "7d4c2101e7d0b61ec9fb0dc3c75d79920c6369c5", + "revisionTime": "2019-02-01T21:54:14Z" }, { - "checksumSHA1": "tt3FtyjXgdBI9Mb43UL4LtOZmAk=", + "checksumSHA1": "6B+p22t7wBR52hepGYd3t1JnDME=", "path": "github.com/hashicorp/vault-plugin-auth-jwt", - "revision": "f428c77917331c1b87dae2dd37016bd1dd4c55da", - "revisionTime": "2018-10-31T19:59:42Z" + "revision": "a608a5ad1c249797e266cb8fcb4eac336aa72bef", + "revisionTime": "2019-01-28T23:42:21Z" }, { - "checksumSHA1": "Ldg2jQeyPrpAupyQq4lRVN+jfFY=", + "checksumSHA1": "NfVgV3CmKXGRsXk1sYVgMMRZ5Zc=", "path": "github.com/hashicorp/vault-plugin-auth-kubernetes", - "revision": "091d9e5d5fabce920533eff31ad778778992a671", - "revisionTime": "2018-11-30T16:25:33Z" + "revision": "db96aa4ab438cbc1cf544cec758d0d16ca4e9681", + "revisionTime": "2019-02-01T22:22:09Z" }, { "checksumSHA1": "PmhyvCKVlEMEP6JO31ozW+CBIiE=", "path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin", - "revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a", - "revisionTime": "2018-11-09T18:28:34Z" + "revision": "4796d99801253c6f10d7d96b968a3204a9a1ead8", + "revisionTime": "2019-01-31T22:24:16Z" }, { "checksumSHA1": "GOxdFElG31lXWgKFG9aqpDcG47M=", "path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/client", - "revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a", - "revisionTime": "2018-11-09T18:28:34Z" + "revision": "4796d99801253c6f10d7d96b968a3204a9a1ead8", + "revisionTime": "2019-01-31T22:24:16Z" }, { "checksumSHA1": "RaH2xTkjaToCk+RoPhap7I66ibo=", "path": "github.com/hashicorp/vault-plugin-secrets-ad/plugin/util", - "revision": "540c0b6f1f113a1c6bdaa130a35ee8530c072b5a", - "revisionTime": 
"2018-11-09T18:28:34Z" + "revision": "4796d99801253c6f10d7d96b968a3204a9a1ead8", + "revisionTime": "2019-01-31T22:24:16Z" }, { - "checksumSHA1": "VLXyxS5dEoiWTSFmpMJIz+Pwtmw=", + "checksumSHA1": "l0xVOHA0/SIjNfrmBRbrFvMVOaw=", "path": "github.com/hashicorp/vault-plugin-secrets-alicloud", - "revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d", - "revisionTime": "2018-11-09T18:14:53Z" + "revision": "b0abe36195cb171e673a9f6425df977eff1ef825", + "revisionTime": "2019-01-31T21:18:12Z" }, { - "checksumSHA1": "dqduixICi6NeyLNRCDdw62t1LFU=", + "checksumSHA1": "e96mN6plz/ApctpjvU2kiCumOl0=", "path": "github.com/hashicorp/vault-plugin-secrets-alicloud/clients", - "revision": "2aee79cc5cbf1bbca654dbc594f809cafc19cd8d", - "revisionTime": "2018-11-09T18:14:53Z" + "revision": "b0abe36195cb171e673a9f6425df977eff1ef825", + "revisionTime": "2019-01-31T21:18:12Z" }, { "checksumSHA1": "rgeBhrdLyF2orH3QA/H66ZSSbuo=", @@ -1475,16 +1475,16 @@ "revisionTime": "2018-09-21T17:32:00Z" }, { - "checksumSHA1": "TbPoZQkYZ7Bukdw6U+/GejbaZAs=", + "checksumSHA1": "StwRTX92gyH7iHkyZk4df+dLISM=", "path": "github.com/hashicorp/vault-plugin-secrets-gcpkms", - "revision": "6cd991800a6d7af69b1950ec4cbf402d021a099d", - "revisionTime": "2018-12-12T18:25:53Z" + "revision": "d6b25b0b4a39132ec3c02f19631b6a9bdadef042", + "revisionTime": "2019-01-16T16:49:38Z" }, { "checksumSHA1": "yhUUqN5rbEXnfI8WfGUofXToD+o=", "path": "github.com/hashicorp/vault-plugin-secrets-kv", - "revision": "9dbe04db0e34c9c3c75bedcdb16d8ff78f0c54bd", - "revisionTime": "2018-12-19T17:59:33Z" + "revision": "edbfe287c5d9277cecf2c91c79ffcc34f19d2049", + "revisionTime": "2019-01-15T20:37:47Z" }, { "checksumSHA1": "ldkAQ1CpiAaQ9sti0qIch+UyRsI=",