Merge remote-tracking branch 'oss/master' into lazy-load-expiration

* oss/master:
  Plugin Version Update (#3275)
  Lazy-load plugin mounts (#3255)
  changelog++
  changelog++
  Add pki/root/sign-self-issued. (#3274)
  Travis, be happier please
  changelog++
  Change auth helper interface to api.Secret. (#3263)
  changelog++
  Try reconnecting Mongo on EOF (#3269)
  Don't append a trailing slash to the request path if it doesn't actually help find something (#3271)
  changelog++
  Use TypeDurationSecond for TTL values in PKI. (#3270)
  changelog++
  changelog++
  Use net.SplitHostPort on Consul address (#3268)
  Normalize plugin_name option for mount and enable-auth (#3202)
  Updating Okta lib for credential backend (#3245)
  Explicitly mention that aws/aws-ec2 were unified under aws.

.travis.yml

@@ -20,5 +20,5 @@ branches:
 
 script:
   - make bootstrap
-  - travis_wait 45 make test
-  - travis_wait 45 make testrace
+  - travis_wait 75 make test
+  - travis_wait 75 make testrace

CHANGELOG.md

@@ -11,6 +11,8 @@ FEATURES:
 * **SSH CA Login with `vault ssh`**: `vault ssh` now supports the SSH CA
   backend for authenticating to machines. It also supports remote host key
   verification through the SSH CA backend, if enabled.
+* **Signing of Self-Issued Certs in PKI**: The `pki` backend now supports
+  signing self-issued CA certs. This is useful when switching root CAs.
 
 IMPROVEMENTS:
 
@@ -21,8 +23,20 @@ IMPROVEMENTS:
    case-preserving [GH-3240]
  * cli: Add subcommand autocompletion that can be enabled with 
    `vault -autocomplete-install` [GH-3223]
+ * cli: Add ability to handle wrapped responses when using `vault auth`. What
+   is output depends on the other given flags; see the help output for that
+   command for more information. [GH-3263]
  * core: TLS cipher suites used for cluster behavior can now be set via
    `cluster_cipher_suites` in configuration [GH-3228]
+ * core: The `plugin_name` can now either be specified directly as part of the
+   parameter or within the `config` object when mounting a secret or auth backend
+   via `sys/mounts/:path` or `sys/auth/:path` respectively [GH-3202]
+ * secret/databases/mongo: If an EOF is encountered, attempt reconnecting and
+   retrying the operation [GH-3269]
+ * secret/pki: TTLs can now be specified as a string or an integer number of
+   seconds [GH-3270]
+ * secret/pki: Self-issued certs can now be signed via
+   `pki/root/sign-self-issued` [GH-3274]
  * storage/gcp: Use application default credentials if they exist [GH-3248]
 
 BUG FIXES:
@@ -34,6 +48,8 @@ BUG FIXES:
  * core: Fix PROXY when underlying connection is TLS [GH-3195]
  * core: Policy-related commands would sometimes fail to act case-insensitively
    [GH-3210]
+ * storage/consul: Fix parsing TLS configuration when using a bare IPv6 address
+   [GH-3268]
 
 ## 0.8.1 (August 16th, 2017)
 
@@ -323,9 +339,9 @@ FEATURES:
    Lambda instances, and more. Signed client identity information retrieved
    using the AWS API `sts:GetCallerIdentity` is validated against the AWS STS
    service before issuing a Vault token. This backend is unified with the
-   `aws-ec2` authentication backend, and allows additional EC2-related
-   restrictions to be applied during the IAM authentication; the previous EC2
-   behavior is also still available. [GH-2441]
+   `aws-ec2` authentication backend under the name `aws`, and allows additional
+   EC2-related restrictions to be applied during the IAM authentication; the
+   previous EC2 behavior is also still available. [GH-2441]
  * **MSSQL Physical Backend**: You can now use Microsoft SQL Server as your
    Vault physical data store [GH-2546]
  * **Lease Listing and Lookup**: You can now introspect a lease to get its

api/sys_auth.go

@@ -82,10 +82,15 @@ func (c *Sys) DisableAuth(path string) error {
 // documentation. Please refer to that documentation for more details.
 
 type EnableAuthOptions struct {
-	Type        string `json:"type" structs:"type"`
-	Description string `json:"description" structs:"description"`
-	Local       bool   `json:"local" structs:"local"`
-	PluginName  string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
+	Type        string          `json:"type" structs:"type"`
+	Description string          `json:"description" structs:"description"`
+	Config      AuthConfigInput `json:"config" structs:"config"`
+	Local       bool            `json:"local" structs:"local"`
+	PluginName  string          `json:"plugin_name,omitempty" structs:"plugin_name,omitempty"`
+}
+
+type AuthConfigInput struct {
+	PluginName string `json:"plugin_name,omitempty" structs:"plugin_name,omitempty" mapstructure:"plugin_name"`
 }
 
 type AuthMount struct {

api/sys_mounts.go

@@ -124,6 +124,7 @@ type MountInput struct {
 	Description string           `json:"description" structs:"description"`
 	Config      MountConfigInput `json:"config" structs:"config"`
 	Local       bool             `json:"local" structs:"local"`
+	PluginName  string           `json:"plugin_name,omitempty" structs:"plugin_name"`
 }
 
 type MountConfigInput struct {

builtin/credential/aws/cli.go

@@ -69,7 +69,7 @@ func GenerateLoginData(accessKey, secretKey, sessionToken, headerValue string) (
 	return loginData, nil
 }
 
-func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
+func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
 	mount, ok := m["mount"]
 	if !ok {
 		mount = "aws"
@@ -87,23 +87,23 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
 
 	loginData, err := GenerateLoginData(m["aws_access_key_id"], m["aws_secret_access_key"], m["aws_security_token"], headerValue)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	if loginData == nil {
-		return "", fmt.Errorf("got nil response from GenerateLoginData")
+		return nil, fmt.Errorf("got nil response from GenerateLoginData")
 	}
 	loginData["role"] = role
 	path := fmt.Sprintf("auth/%s/login", mount)
 	secret, err := c.Logical().Write(path, loginData)
 
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	if secret == nil {
-		return "", fmt.Errorf("empty response from credential provider")
+		return nil, fmt.Errorf("empty response from credential provider")
 	}
 
-	return secret.Auth.ClientToken, nil
+	return secret, nil
 }
 
 func (h *CLIHandler) Help() string {

builtin/credential/cert/cli.go

@@ -10,13 +10,13 @@ import (
 
 type CLIHandler struct{}
 
-func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
+func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
 	var data struct {
 		Mount string `mapstructure:"mount"`
 		Name  string `mapstructure:"name"`
 	}
 	if err := mapstructure.WeakDecode(m, &data); err != nil {
-		return "", err
+		return nil, err
 	}
 
 	if data.Mount == "" {
@@ -29,13 +29,13 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
 	path := fmt.Sprintf("auth/%s/login", data.Mount)
 	secret, err := c.Logical().Write(path, options)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	if secret == nil {
-		return "", fmt.Errorf("empty response from credential provider")
+		return nil, fmt.Errorf("empty response from credential provider")
 	}
 
-	return secret.Auth.ClientToken, nil
+	return secret, nil
 }
 
 func (h *CLIHandler) Help() string {

builtin/credential/github/cli.go

@@ -10,7 +10,7 @@ import (
 
 type CLIHandler struct{}
 
-func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
+func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
 	mount, ok := m["mount"]
 	if !ok {
 		mount = "github"
@@ -19,7 +19,7 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
 	token, ok := m["token"]
 	if !ok {
 		if token = os.Getenv("VAULT_AUTH_GITHUB_TOKEN"); token == "" {
-			return "", fmt.Errorf("GitHub token should be provided either as 'value' for 'token' key,\nor via an env var VAULT_AUTH_GITHUB_TOKEN")
+			return nil, fmt.Errorf("GitHub token should be provided either as 'value' for 'token' key,\nor via an env var VAULT_AUTH_GITHUB_TOKEN")
 		}
 	}
 
@@ -28,13 +28,13 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
 		"token": token,
 	})
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	if secret == nil {
-		return "", fmt.Errorf("empty response from credential provider")
+		return nil, fmt.Errorf("empty response from credential provider")
 	}
 
-	return secret.Auth.ClientToken, nil
+	return secret, nil
 }
 
 func (h *CLIHandler) Help() string {

builtin/credential/ldap/cli.go

@@ -11,7 +11,7 @@ import (
 
 type CLIHandler struct{}
 
-func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
+func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
 	mount, ok := m["mount"]
 	if !ok {
 		mount = "ldap"
@@ -21,7 +21,7 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
 	if !ok {
 		username = usernameFromEnv()
 		if username == "" {
-			return "", fmt.Errorf("'username' not supplied and neither 'LOGNAME' nor 'USER' env vars set")
+			return nil, fmt.Errorf("'username' not supplied and neither 'LOGNAME' nor 'USER' env vars set")
 		}
 	}
 	password, ok := m["password"]
@@ -31,7 +31,7 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
 		password, err = pwd.Read(os.Stdin)
 		fmt.Println()
 		if err != nil {
-			return "", err
+			return nil, err
 		}
 	}
 
@@ -51,13 +51,13 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
 	path := fmt.Sprintf("auth/%s/login/%s", mount, username)
 	secret, err := c.Logical().Write(path, data)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	if secret == nil {
-		return "", fmt.Errorf("empty response from credential provider")
+		return nil, fmt.Errorf("empty response from credential provider")
 	}
 
-	return secret.Auth.ClientToken, nil
+	return secret, nil
 }
 
 func (h *CLIHandler) Help() string {

builtin/credential/okta/backend.go

@@ -3,6 +3,7 @@ package okta
 import (
 	"fmt"
 
+	"github.com/chrismalek/oktasdk-go/okta"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@@ -56,18 +57,44 @@ func (b *backend) Login(req *logical.Request, username string, password string)
 	}
 
 	client := cfg.OktaClient()
-	auth, err := client.Authenticate(username, password)
+
+	type embeddedResult struct {
+		User okta.User `json:"user"`
+	}
+
+	type authResult struct {
+		Embedded embeddedResult `json:"_embedded"`
+	}
+
+	authReq, err := client.NewRequest("POST", "authn", map[string]interface{}{
+		"username": username,
+		"password": password,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var result authResult
+	rsp, err := client.Do(authReq, &result)
 	if err != nil {
 		return nil, logical.ErrorResponse(fmt.Sprintf("Okta auth failed: %v", err)), nil
 	}
-	if auth == nil {
+	if rsp == nil {
 		return nil, logical.ErrorResponse("okta auth backend unexpected failure"), nil
 	}
 
-	oktaGroups, err := b.getOktaGroups(cfg, auth.Embedded.User.ID)
+	oktaUser := &result.Embedded.User
+	rsp, err = client.Users.PopulateGroups(oktaUser)
 	if err != nil {
 		return nil, logical.ErrorResponse(err.Error()), nil
 	}
+	if rsp == nil {
+		return nil, logical.ErrorResponse("okta auth backend unexpected failure"), nil
+	}
+	oktaGroups := make([]string, 0, len(oktaUser.Groups))
+	for _, group := range oktaUser.Groups {
+		oktaGroups = append(oktaGroups, group.Profile.Name)
+	}
 	if b.Logger().IsDebug() {
 		b.Logger().Debug("auth/okta: Groups fetched from Okta", "num_groups", len(oktaGroups), "groups", oktaGroups)
 	}
@@ -130,23 +157,6 @@ func (b *backend) Login(req *logical.Request, username string, password string)
 	return policies, oktaResponse, nil
 }
 
-func (b *backend) getOktaGroups(cfg *ConfigEntry, userID string) ([]string, error) {
-	if cfg.Token != "" {
-		client := cfg.OktaClient()
-		groups, err := client.Groups(userID)
-		if err != nil {
-			return nil, err
-		}
-
-		oktaGroups := make([]string, 0, len(*groups))
-		for _, group := range *groups {
-			oktaGroups = append(oktaGroups, group.Profile.Name)
-		}
-		return oktaGroups, err
-	}
-	return nil, nil
-}
-
 const backendHelp = `
 The Okta credential provider allows authentication querying,
 checking username and password, and associating policies.  If an api token is configure

builtin/credential/okta/cli.go

@@ -13,15 +13,15 @@ import (
 type CLIHandler struct{}
 
 // Auth cli method
-func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
+func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (*api.Secret, error) {
 	mount, ok := m["mount"]
 	if !ok {
 		mount = "okta"
 	}
 
 	username, ok := m["username"]
 	if !ok {
-		return "", fmt.Errorf("'username' var must be set")
+		return nil, fmt.Errorf("'username' var must be set")
 	}
 	password, ok := m["password"]
 	if !ok {
@@ -30,7 +30,7 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
 		password, err = pwd.Read(os.Stdin)
 		fmt.Println()
 		if err != nil {
-			return "", err
+			return nil, err
 		}
 	}
 
@@ -41,13 +41,13 @@ func (h *CLIHandler) Auth(c *api.Client, m map[string]string) (string, error) {
 	path := fmt.Sprintf("auth/%s/login/%s", mount, username)
 	secret, err := c.Logical().Write(path, data)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 	if secret == nil {
-		return "", fmt.Errorf("empty response from credential provider")
+		return nil, fmt.Errorf("empty response from credential provider")
 	}
 
-	return secret.Auth.ClientToken, nil
+	return secret, nil
 }
 
 // Help method for okta cli