Vendor vault/api

vendor/github.com/hashicorp/vault/api/auth_token.go

@@ -25,6 +25,21 @@ func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error) {
 	return ParseSecret(resp.Body)
 }
 
+func (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, error) {
+	r := c.c.NewRequest("POST", "/v1/auth/token/create-orphan")
+	if err := r.SetJSONBody(opts); err != nil {
+		return nil, err
+	}
+
+	resp, err := c.c.RawRequest(r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return ParseSecret(resp.Body)
+}
+
 func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error) {
 	r := c.c.NewRequest("POST", "/v1/auth/token/create/"+roleName)
 	if err := r.SetJSONBody(opts); err != nil {
@@ -41,7 +56,12 @@ func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*
 }
 
 func (c *TokenAuth) Lookup(token string) (*Secret, error) {
-	r := c.c.NewRequest("GET", "/v1/auth/token/lookup/"+token)
+	r := c.c.NewRequest("POST", "/v1/auth/token/lookup")
+	if err := r.SetJSONBody(map[string]interface{}{
+		"token": token,
+	}); err != nil {
+		return nil, err
+	}
 
 	resp, err := c.c.RawRequest(r)
 	if err != nil {
@@ -53,8 +73,12 @@ func (c *TokenAuth) Lookup(token string) (*Secret, error) {
 }
 
 func (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error) {
-	r := c.c.NewRequest("POST", "/v1/auth/token/lookup-accessor/"+accessor)
-
+	r := c.c.NewRequest("POST", "/v1/auth/token/lookup-accessor")
+	if err := r.SetJSONBody(map[string]interface{}{
+		"accessor": accessor,
+	}); err != nil {
+		return nil, err
+	}
 	resp, err := c.c.RawRequest(r)
 	if err != nil {
 		return nil, err
@@ -77,10 +101,11 @@ func (c *TokenAuth) LookupSelf() (*Secret, error) {
 }
 
 func (c *TokenAuth) Renew(token string, increment int) (*Secret, error) {
-	r := c.c.NewRequest("PUT", "/v1/auth/token/renew/"+token)
-
-	body := map[string]interface{}{"increment": increment}
-	if err := r.SetJSONBody(body); err != nil {
+	r := c.c.NewRequest("PUT", "/v1/auth/token/renew")
+	if err := r.SetJSONBody(map[string]interface{}{
+		"token":     token,
+		"increment": increment,
+	}); err != nil {
 		return nil, err
 	}
 
@@ -113,7 +138,12 @@ func (c *TokenAuth) RenewSelf(increment int) (*Secret, error) {
 // RevokeAccessor revokes a token associated with the given accessor
 // along with all the child tokens.
 func (c *TokenAuth) RevokeAccessor(accessor string) error {
-	r := c.c.NewRequest("POST", "/v1/auth/token/revoke-accessor/"+accessor)
+	r := c.c.NewRequest("POST", "/v1/auth/token/revoke-accessor")
+	if err := r.SetJSONBody(map[string]interface{}{
+		"accessor": accessor,
+	}); err != nil {
+		return err
+	}
 	resp, err := c.c.RawRequest(r)
 	if err != nil {
 		return err
@@ -126,7 +156,13 @@ func (c *TokenAuth) RevokeAccessor(accessor string) error {
 // RevokeOrphan revokes a token without revoking the tree underneath it (so
 // child tokens are orphaned rather than revoked)
 func (c *TokenAuth) RevokeOrphan(token string) error {
-	r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-orphan/"+token)
+	r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-orphan")
+	if err := r.SetJSONBody(map[string]interface{}{
+		"token": token,
+	}); err != nil {
+		return err
+	}
+
 	resp, err := c.c.RawRequest(r)
 	if err != nil {
 		return err
@@ -136,7 +172,9 @@ func (c *TokenAuth) RevokeOrphan(token string) error {
 	return nil
 }
 
-// RevokeSelf revokes the token making the call
+// RevokeSelf revokes the token making the call. The `token` parameter is kept
+// for backwards compatibility but is ignored; only the client's set token has
+// an effect.
 func (c *TokenAuth) RevokeSelf(token string) error {
 	r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-self")
 	resp, err := c.c.RawRequest(r)
@@ -152,7 +190,13 @@ func (c *TokenAuth) RevokeSelf(token string) error {
 // the entire tree underneath -- all of its child tokens, their child tokens,
 // etc.
 func (c *TokenAuth) RevokeTree(token string) error {
-	r := c.c.NewRequest("PUT", "/v1/auth/token/revoke/"+token)
+	r := c.c.NewRequest("PUT", "/v1/auth/token/revoke")
+	if err := r.SetJSONBody(map[string]interface{}{
+		"token": token,
+	}); err != nil {
+		return err
+	}
+
 	resp, err := c.c.RawRequest(r)
 	if err != nil {
 		return err

vendor/github.com/hashicorp/vault/api/client.go

@@ -48,7 +48,7 @@ type Config struct {
 	redirectSetup sync.Once
 
 	// MaxRetries controls the maximum number of times to retry when a 5xx error
-	// occurs. Set to 0 or less to disable retrying.
+	// occurs. Set to 0 or less to disable retrying. Defaults to 0.
 	MaxRetries int
 }
 
@@ -99,12 +99,10 @@ func DefaultConfig() *Config {
 		config.Address = v
 	}
 
-	config.MaxRetries = pester.DefaultClient.MaxRetries
-
 	return config
 }
 
-// ConfigureTLS takes a set of TLS configurations and applies those to the HTTP client.
+// ConfigureTLS takes a set of TLS configurations and applies those to the the HTTP client.
 func (c *Config) ConfigureTLS(t *TLSConfig) error {
 
 	if c.HttpClient == nil {
@@ -289,6 +287,11 @@ func (c *Client) SetAddress(addr string) error {
 	return nil
 }
 
+// Address returns the Vault URL the client is configured to connect to
+func (c *Client) Address() string {
+	return c.addr.String()
+}
+
 // SetWrappingLookupFunc sets a lookup function that returns desired wrap TTLs
 // for a given operation and path
 func (c *Client) SetWrappingLookupFunc(lookupFunc WrappingLookupFunc) {
@@ -327,17 +330,19 @@ func (c *Client) NewRequest(method, path string) *Request {
 		Params:      make(map[string][]string),
 	}
 
+	var lookupPath string
+	switch {
+	case strings.HasPrefix(path, "/v1/"):
+		lookupPath = strings.TrimPrefix(path, "/v1/")
+	case strings.HasPrefix(path, "v1/"):
+		lookupPath = strings.TrimPrefix(path, "v1/")
+	default:
+		lookupPath = path
+	}
 	if c.wrappingLookupFunc != nil {
-		var lookupPath string
-		switch {
-		case strings.HasPrefix(path, "/v1/"):
-			lookupPath = strings.TrimPrefix(path, "/v1/")
-		case strings.HasPrefix(path, "v1/"):
-			lookupPath = strings.TrimPrefix(path, "v1/")
-		default:
-			lookupPath = path
-		}
 		req.WrapTTL = c.wrappingLookupFunc(method, lookupPath)
+	} else {
+		req.WrapTTL = DefaultWrappingLookupFunc(method, lookupPath)
 	}
 
 	return req

vendor/github.com/hashicorp/vault/api/logical.go

@@ -3,6 +3,8 @@ package api
 import (
 	"bytes"
 	"fmt"
+	"net/http"
+	"os"
 
 	"github.com/hashicorp/vault/helper/jsonutil"
 )
@@ -11,6 +13,26 @@ const (
 	wrappedResponseLocation = "cubbyhole/response"
 )
 
+var (
+	// The default TTL that will be used with `sys/wrapping/wrap`, can be
+	// changed
+	DefaultWrappingTTL = "5m"
+
+	// The default function used if no other function is set, which honors the
+	// env var and wraps `sys/wrapping/wrap`
+	DefaultWrappingLookupFunc = func(operation, path string) string {
+		if os.Getenv(EnvVaultWrapTTL) != "" {
+			return os.Getenv(EnvVaultWrapTTL)
+		}
+
+		if (operation == "PUT" || operation == "POST") && path == "sys/wrapping/wrap" {
+			return DefaultWrappingTTL
+		}
+
+		return ""
+	}
+)
+
 // Logical is used to perform logical backend operations on Vault.
 type Logical struct {
 	c *Client
@@ -38,7 +60,10 @@ func (c *Logical) Read(path string) (*Secret, error) {
 }
 
 func (c *Logical) List(path string) (*Secret, error) {
-	r := c.c.NewRequest("GET", "/v1/"+path)
+	r := c.c.NewRequest("LIST", "/v1/"+path)
+	// Set this for broader compatibility, but we use LIST above to be able to
+	// handle the wrapping lookup function
+	r.Method = "GET"
 	r.Params.Set("list", "true")
 	resp, err := c.c.RawRequest(r)
 	if resp != nil {
@@ -93,10 +118,48 @@ func (c *Logical) Delete(path string) (*Secret, error) {
 }
 
 func (c *Logical) Unwrap(wrappingToken string) (*Secret, error) {
-	origToken := c.c.Token()
-	defer c.c.SetToken(origToken)
+	var data map[string]interface{}
+	if wrappingToken != "" {
+		if c.c.Token() == "" {
+			c.c.SetToken(wrappingToken)
+		} else if wrappingToken != c.c.Token() {
+			data = map[string]interface{}{
+				"token": wrappingToken,
+			}
+		}
+	}
 
-	c.c.SetToken(wrappingToken)
+	r := c.c.NewRequest("PUT", "/v1/sys/wrapping/unwrap")
+	if err := r.SetJSONBody(data); err != nil {
+		return nil, err
+	}
+
+	resp, err := c.c.RawRequest(r)
+	if resp != nil {
+		defer resp.Body.Close()
+	}
+	if err != nil {
+		if resp != nil && resp.StatusCode != 404 {
+			return nil, err
+		}
+	}
+	if resp == nil {
+		return nil, nil
+	}
+
+	switch resp.StatusCode {
+	case http.StatusOK: // New method is supported
+		return ParseSecret(resp.Body)
+	case http.StatusNotFound: // Fall back to old method
+	default:
+		return nil, nil
+	}
+
+	if wrappingToken != "" {
+		origToken := c.c.Token()
+		defer c.c.SetToken(origToken)
+		c.c.SetToken(wrappingToken)
+	}
 
 	secret, err := c.Read(wrappedResponseLocation)
 	if err != nil {

vendor/github.com/hashicorp/vault/api/ssh_agent.go

@@ -62,6 +62,7 @@ type SSHHelperConfig struct {
 	AllowedCidrList string `hcl:"allowed_cidr_list"`
 	AllowedRoles    string `hcl:"allowed_roles"`
 	TLSSkipVerify   bool   `hcl:"tls_skip_verify"`
+	TLSServerName   string `hcl:"tls_server_name"`
 }
 
 // SetTLSParameters sets the TLS parameters for this SSH agent.
@@ -70,6 +71,7 @@ func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.
 		InsecureSkipVerify: c.TLSSkipVerify,
 		MinVersion:         tls.VersionTLS12,
 		RootCAs:            certPool,
+		ServerName:         c.TLSServerName,
 	}
 
 	transport := cleanhttp.DefaultTransport()
@@ -77,6 +79,16 @@ func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.
 	clientConfig.HttpClient.Transport = transport
 }
 
+// Returns true if any of the following conditions are true:
+//   * CA cert is configured
+//   * CA path is configured
+//   * configured to skip certificate verification
+//   * TLS server name is configured
+//
+func (c *SSHHelperConfig) shouldSetTLSParameters() bool {
+	return c.CACert != "" || c.CAPath != "" || c.TLSServerName != "" || c.TLSSkipVerify
+}
+
 // NewClient returns a new client for the configuration. This client will be used by the
 // vault-ssh-helper to communicate with Vault server and verify the OTP entered by user.
 // If the configuration supplies Vault SSL certificates, then the client will
@@ -89,7 +101,7 @@ func (c *SSHHelperConfig) NewClient() (*Client, error) {
 	clientConfig.Address = c.VaultAddr
 
 	// Check if certificates are provided via config file.
-	if c.CACert != "" || c.CAPath != "" || c.TLSSkipVerify {
+	if c.shouldSetTLSParameters() {
 		rootConfig := &rootcerts.Config{
 			CAFile: c.CACert,
 			CAPath: c.CAPath,
@@ -145,6 +157,7 @@ func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error) {
 		"allowed_cidr_list",
 		"allowed_roles",
 		"tls_skip_verify",
+		"tls_server_name",
 	}
 	if err := checkHCLKeys(list, valid); err != nil {
 		return nil, multierror.Prefix(err, "ssh_helper:")

vendor/github.com/hashicorp/vault/api/sys_init.go

@@ -38,6 +38,7 @@ type InitRequest struct {
 	RecoveryShares    int      `json:"recovery_shares"`
 	RecoveryThreshold int      `json:"recovery_threshold"`
 	RecoveryPGPKeys   []string `json:"recovery_pgp_keys"`
+	RootTokenPGPKey   string   `json:"root_token_pgp_key"`
 }
 
 type InitStatusResponse struct {

vendor/vendor.json

@@ -774,10 +774,10 @@
 			"revisionTime": "2016-08-21T23:40:57Z"
 		},
 		{
-			"checksumSHA1": "JH8wmQ8cWdn7mYu1T7gJ3IMIrec=",
+			"checksumSHA1": "31yBeS6U3xm7VJ7ZvDxRgBxXP0A=",
 			"path": "github.com/hashicorp/vault/api",
-			"revision": "182ba68a9589d4cef95234134aaa498a686e3de3",
-			"revisionTime": "2016-08-21T23:40:57Z"
+			"revision": "f4adc7fa960ed8e828f94bc6785bcdbae8d1b263",
+			"revisionTime": "2016-12-16T21:07:16Z"
 		},
 		{
 			"checksumSHA1": "5lR6EdY0ARRdKAq3hZcL38STD8Q=",