diff --git a/vendor/github.com/hashicorp/vault/api/auth_token.go b/vendor/github.com/hashicorp/vault/api/auth_token.go index 1901ea110..aff10f410 100644 --- a/vendor/github.com/hashicorp/vault/api/auth_token.go +++ b/vendor/github.com/hashicorp/vault/api/auth_token.go @@ -25,6 +25,21 @@ func (c *TokenAuth) Create(opts *TokenCreateRequest) (*Secret, error) { return ParseSecret(resp.Body) } +func (c *TokenAuth) CreateOrphan(opts *TokenCreateRequest) (*Secret, error) { + r := c.c.NewRequest("POST", "/v1/auth/token/create-orphan") + if err := r.SetJSONBody(opts); err != nil { + return nil, err + } + + resp, err := c.c.RawRequest(r) + if err != nil { + return nil, err + } + defer resp.Body.Close() + + return ParseSecret(resp.Body) +} + func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (*Secret, error) { r := c.c.NewRequest("POST", "/v1/auth/token/create/"+roleName) if err := r.SetJSONBody(opts); err != nil { @@ -41,7 +56,12 @@ func (c *TokenAuth) CreateWithRole(opts *TokenCreateRequest, roleName string) (* } func (c *TokenAuth) Lookup(token string) (*Secret, error) { - r := c.c.NewRequest("GET", "/v1/auth/token/lookup/"+token) + r := c.c.NewRequest("POST", "/v1/auth/token/lookup") + if err := r.SetJSONBody(map[string]interface{}{ + "token": token, + }); err != nil { + return nil, err + } resp, err := c.c.RawRequest(r) if err != nil { @@ -53,8 +73,12 @@ func (c *TokenAuth) Lookup(token string) (*Secret, error) { } func (c *TokenAuth) LookupAccessor(accessor string) (*Secret, error) { - r := c.c.NewRequest("POST", "/v1/auth/token/lookup-accessor/"+accessor) - + r := c.c.NewRequest("POST", "/v1/auth/token/lookup-accessor") + if err := r.SetJSONBody(map[string]interface{}{ + "accessor": accessor, + }); err != nil { + return nil, err + } resp, err := c.c.RawRequest(r) if err != nil { return nil, err @@ -77,10 +101,11 @@ func (c *TokenAuth) LookupSelf() (*Secret, error) { } func (c *TokenAuth) Renew(token string, increment int) (*Secret, error) { - r := c.c.NewRequest("PUT", "/v1/auth/token/renew/"+token) - - body := map[string]interface{}{"increment": increment} - if err := r.SetJSONBody(body); err != nil { + r := c.c.NewRequest("PUT", "/v1/auth/token/renew") + if err := r.SetJSONBody(map[string]interface{}{ + "token": token, + "increment": increment, + }); err != nil { return nil, err } @@ -113,7 +138,12 @@ func (c *TokenAuth) RenewSelf(increment int) (*Secret, error) { // RevokeAccessor revokes a token associated with the given accessor // along with all the child tokens. func (c *TokenAuth) RevokeAccessor(accessor string) error { - r := c.c.NewRequest("POST", "/v1/auth/token/revoke-accessor/"+accessor) + r := c.c.NewRequest("POST", "/v1/auth/token/revoke-accessor") + if err := r.SetJSONBody(map[string]interface{}{ + "accessor": accessor, + }); err != nil { + return err + } resp, err := c.c.RawRequest(r) if err != nil { return err @@ -126,7 +156,13 @@ func (c *TokenAuth) RevokeAccessor(accessor string) error { // RevokeOrphan revokes a token without revoking the tree underneath it (so // child tokens are orphaned rather than revoked) func (c *TokenAuth) RevokeOrphan(token string) error { - r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-orphan/"+token) + r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-orphan") + if err := r.SetJSONBody(map[string]interface{}{ + "token": token, + }); err != nil { + return err + } + resp, err := c.c.RawRequest(r) if err != nil { return err @@ -136,7 +172,9 @@ func (c *TokenAuth) RevokeOrphan(token string) error { return nil } -// RevokeSelf revokes the token making the call +// RevokeSelf revokes the token making the call. The `token` parameter is kept +// for backwards compatibility but is ignored; only the client's set token has +// an effect. func (c *TokenAuth) RevokeSelf(token string) error { r := c.c.NewRequest("PUT", "/v1/auth/token/revoke-self") resp, err := c.c.RawRequest(r) @@ -152,7 +190,13 @@ func (c *TokenAuth) RevokeSelf(token string) error { // the entire tree underneath -- all of its child tokens, their child tokens, // etc. func (c *TokenAuth) RevokeTree(token string) error { - r := c.c.NewRequest("PUT", "/v1/auth/token/revoke/"+token) + r := c.c.NewRequest("PUT", "/v1/auth/token/revoke") + if err := r.SetJSONBody(map[string]interface{}{ + "token": token, + }); err != nil { + return err + } + resp, err := c.c.RawRequest(r) if err != nil { return err diff --git a/vendor/github.com/hashicorp/vault/api/client.go b/vendor/github.com/hashicorp/vault/api/client.go index 179d2bdc9..88a8ea4f9 100644 --- a/vendor/github.com/hashicorp/vault/api/client.go +++ b/vendor/github.com/hashicorp/vault/api/client.go @@ -48,7 +48,7 @@ type Config struct { redirectSetup sync.Once // MaxRetries controls the maximum number of times to retry when a 5xx error - // occurs. Set to 0 or less to disable retrying. + // occurs. Set to 0 or less to disable retrying. Defaults to 0. MaxRetries int } @@ -99,12 +99,10 @@ func DefaultConfig() *Config { config.Address = v } - config.MaxRetries = pester.DefaultClient.MaxRetries - return config } -// ConfigureTLS takes a set of TLS configurations and applies those to the HTTP client. +// ConfigureTLS takes a set of TLS configurations and applies those to the the HTTP client. func (c *Config) ConfigureTLS(t *TLSConfig) error { if c.HttpClient == nil { @@ -289,6 +287,11 @@ func (c *Client) SetAddress(addr string) error { return nil } +// Address returns the Vault URL the client is configured to connect to +func (c *Client) Address() string { + return c.addr.String() +} + // SetWrappingLookupFunc sets a lookup function that returns desired wrap TTLs // for a given operation and path func (c *Client) SetWrappingLookupFunc(lookupFunc WrappingLookupFunc) { @@ -327,17 +330,19 @@ func (c *Client) NewRequest(method, path string) *Request { Params: make(map[string][]string), } + var lookupPath string + switch { + case strings.HasPrefix(path, "/v1/"): + lookupPath = strings.TrimPrefix(path, "/v1/") + case strings.HasPrefix(path, "v1/"): + lookupPath = strings.TrimPrefix(path, "v1/") + default: + lookupPath = path + } if c.wrappingLookupFunc != nil { - var lookupPath string - switch { - case strings.HasPrefix(path, "/v1/"): - lookupPath = strings.TrimPrefix(path, "/v1/") - case strings.HasPrefix(path, "v1/"): - lookupPath = strings.TrimPrefix(path, "v1/") - default: - lookupPath = path - } req.WrapTTL = c.wrappingLookupFunc(method, lookupPath) + } else { + req.WrapTTL = DefaultWrappingLookupFunc(method, lookupPath) } return req diff --git a/vendor/github.com/hashicorp/vault/api/logical.go b/vendor/github.com/hashicorp/vault/api/logical.go index fb8288e73..0d5e7d495 100644 --- a/vendor/github.com/hashicorp/vault/api/logical.go +++ b/vendor/github.com/hashicorp/vault/api/logical.go @@ -3,6 +3,8 @@ package api import ( "bytes" "fmt" + "net/http" + "os" "github.com/hashicorp/vault/helper/jsonutil" ) @@ -11,6 +13,26 @@ const ( wrappedResponseLocation = "cubbyhole/response" ) +var ( + // The default TTL that will be used with `sys/wrapping/wrap`, can be + // changed + DefaultWrappingTTL = "5m" + + // The default function used if no other function is set, which honors the + // env var and wraps `sys/wrapping/wrap` + DefaultWrappingLookupFunc = func(operation, path string) string { + if os.Getenv(EnvVaultWrapTTL) != "" { + return os.Getenv(EnvVaultWrapTTL) + } + + if (operation == "PUT" || operation == "POST") && path == "sys/wrapping/wrap" { + return DefaultWrappingTTL + } + + return "" + } +) + // Logical is used to perform logical backend operations on Vault. type Logical struct { c *Client @@ -38,7 +60,10 @@ func (c *Logical) Read(path string) (*Secret, error) { } func (c *Logical) List(path string) (*Secret, error) { - r := c.c.NewRequest("GET", "/v1/"+path) + r := c.c.NewRequest("LIST", "/v1/"+path) + // Set this for broader compatibility, but we use LIST above to be able to + // handle the wrapping lookup function + r.Method = "GET" r.Params.Set("list", "true") resp, err := c.c.RawRequest(r) if resp != nil { @@ -93,10 +118,48 @@ func (c *Logical) Delete(path string) (*Secret, error) { } func (c *Logical) Unwrap(wrappingToken string) (*Secret, error) { - origToken := c.c.Token() - defer c.c.SetToken(origToken) + var data map[string]interface{} + if wrappingToken != "" { + if c.c.Token() == "" { + c.c.SetToken(wrappingToken) + } else if wrappingToken != c.c.Token() { + data = map[string]interface{}{ + "token": wrappingToken, + } + } + } - c.c.SetToken(wrappingToken) + r := c.c.NewRequest("PUT", "/v1/sys/wrapping/unwrap") + if err := r.SetJSONBody(data); err != nil { + return nil, err + } + + resp, err := c.c.RawRequest(r) + if resp != nil { + defer resp.Body.Close() + } + if err != nil { + if resp != nil && resp.StatusCode != 404 { + return nil, err + } + } + if resp == nil { + return nil, nil + } + + switch resp.StatusCode { + case http.StatusOK: // New method is supported + return ParseSecret(resp.Body) + case http.StatusNotFound: // Fall back to old method + default: + return nil, nil + } + + if wrappingToken != "" { + origToken := c.c.Token() + defer c.c.SetToken(origToken) + c.c.SetToken(wrappingToken) + } secret, err := c.Read(wrappedResponseLocation) if err != nil { diff --git a/vendor/github.com/hashicorp/vault/api/ssh_agent.go b/vendor/github.com/hashicorp/vault/api/ssh_agent.go index 5a8192ae9..729fd99c4 100644 --- a/vendor/github.com/hashicorp/vault/api/ssh_agent.go +++ b/vendor/github.com/hashicorp/vault/api/ssh_agent.go @@ -62,6 +62,7 @@ type SSHHelperConfig struct { AllowedCidrList string `hcl:"allowed_cidr_list"` AllowedRoles string `hcl:"allowed_roles"` TLSSkipVerify bool `hcl:"tls_skip_verify"` + TLSServerName string `hcl:"tls_server_name"` } // SetTLSParameters sets the TLS parameters for this SSH agent. @@ -70,6 +71,7 @@ func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509. InsecureSkipVerify: c.TLSSkipVerify, MinVersion: tls.VersionTLS12, RootCAs: certPool, + ServerName: c.TLSServerName, } transport := cleanhttp.DefaultTransport() @@ -77,6 +79,16 @@ func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509. clientConfig.HttpClient.Transport = transport } +// Returns true if any of the following conditions are true: +// * CA cert is configured +// * CA path is configured +// * configured to skip certificate verification +// * TLS server name is configured +// +func (c *SSHHelperConfig) shouldSetTLSParameters() bool { + return c.CACert != "" || c.CAPath != "" || c.TLSServerName != "" || c.TLSSkipVerify +} + // NewClient returns a new client for the configuration. This client will be used by the // vault-ssh-helper to communicate with Vault server and verify the OTP entered by user. // If the configuration supplies Vault SSL certificates, then the client will @@ -89,7 +101,7 @@ func (c *SSHHelperConfig) NewClient() (*Client, error) { clientConfig.Address = c.VaultAddr // Check if certificates are provided via config file. - if c.CACert != "" || c.CAPath != "" || c.TLSSkipVerify { + if c.shouldSetTLSParameters() { rootConfig := &rootcerts.Config{ CAFile: c.CACert, CAPath: c.CAPath, @@ -145,6 +157,7 @@ func ParseSSHHelperConfig(contents string) (*SSHHelperConfig, error) { "allowed_cidr_list", "allowed_roles", "tls_skip_verify", + "tls_server_name", } if err := checkHCLKeys(list, valid); err != nil { return nil, multierror.Prefix(err, "ssh_helper:") diff --git a/vendor/github.com/hashicorp/vault/api/sys_init.go b/vendor/github.com/hashicorp/vault/api/sys_init.go index d307f732b..f824ab7dd 100644 --- a/vendor/github.com/hashicorp/vault/api/sys_init.go +++ b/vendor/github.com/hashicorp/vault/api/sys_init.go @@ -38,6 +38,7 @@ type InitRequest struct { RecoveryShares int `json:"recovery_shares"` RecoveryThreshold int `json:"recovery_threshold"` RecoveryPGPKeys []string `json:"recovery_pgp_keys"` + RootTokenPGPKey string `json:"root_token_pgp_key"` } type InitStatusResponse struct { diff --git a/vendor/vendor.json b/vendor/vendor.json index 7667e51ec..fec434164 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json @@ -774,10 +774,10 @@ "revisionTime": "2016-08-21T23:40:57Z" }, { - "checksumSHA1": "JH8wmQ8cWdn7mYu1T7gJ3IMIrec=", + "checksumSHA1": "31yBeS6U3xm7VJ7ZvDxRgBxXP0A=", "path": "github.com/hashicorp/vault/api", - "revision": "182ba68a9589d4cef95234134aaa498a686e3de3", - "revisionTime": "2016-08-21T23:40:57Z" + "revision": "f4adc7fa960ed8e828f94bc6785bcdbae8d1b263", + "revisionTime": "2016-12-16T21:07:16Z" }, { "checksumSHA1": "5lR6EdY0ARRdKAq3hZcL38STD8Q=",