From 9a9c69cba255bcda4aacedfc28e5c4deaf02f7ea Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Feb 2022 20:10:52 +0000 Subject: [PATCH 1/4] rebase: bump github.com/aws/aws-sdk-go from 1.43.3 to 1.43.8 Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.43.3 to 1.43.8. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.43.3...v1.43.8) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- go.mod | 6 +- go.sum | 11 +- .../aws/aws-sdk-go/aws/endpoints/defaults.go | 273 ++++++++++++++++++ .../github.com/aws/aws-sdk-go/aws/version.go | 2 +- .../aws/aws-sdk-go/service/ec2/api.go | 23 +- vendor/golang.org/x/term/codereview.cfg | 1 + vendor/golang.org/x/term/term.go | 2 + vendor/modules.txt | 6 +- 8 files changed, 311 insertions(+), 13 deletions(-) create mode 100644 vendor/golang.org/x/term/codereview.cfg diff --git a/go.mod b/go.mod index eff10b50a..3fac604e5 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.17 require ( github.com/IBM/keyprotect-go-client v0.7.0 - github.com/aws/aws-sdk-go v1.43.3 + github.com/aws/aws-sdk-go v1.43.8 github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000 github.com/ceph/go-ceph v0.14.0 github.com/container-storage-interface/spec v1.5.0 @@ -126,9 +126,9 @@ require ( go.opentelemetry.io/otel/trace v0.20.0 // indirect go.opentelemetry.io/proto/otlp v0.7.0 // indirect go.uber.org/atomic v1.9.0 // indirect - golang.org/x/net v0.0.0-20211216030914-fe4d6282115f // indirect + golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f // indirect - golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect + golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect golang.org/x/text v0.3.7 // indirect golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect diff --git a/go.sum b/go.sum index 1ba7f428b..6b92190b1 100644 --- a/go.sum +++ b/go.sum @@ -138,8 +138,8 @@ github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.35.24/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k= github.com/aws/aws-sdk-go v1.38.49/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= -github.com/aws/aws-sdk-go v1.43.3 h1:qvCkC4FviA9rR4UvRk4ldr6f3mIJE0VaI3KrsDx1gTk= -github.com/aws/aws-sdk-go v1.43.3/go.mod h1:OGr6lGMAKGlG9CVrYnWYDKIyb829c6EVBRjxqjmPepc= +github.com/aws/aws-sdk-go v1.43.8 h1:8a/M9C4l5CxFNM6IuNx4F1p+ITJEX12VxWxUQo61cbc= +github.com/aws/aws-sdk-go v1.43.8/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= @@ -1266,8 +1266,8 @@ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qx golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20211216030914-fe4d6282115f h1:hEYJvxw1lSnWIl8X9ofsYMklzaDs90JI2az5YMd4fPM= -golang.org/x/net v0.0.0-20211216030914-fe4d6282115f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1395,8 +1395,9 @@ golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 h1:XfKQ4OlFl8okEOr5UvAqFRVj8 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b h1:9zKuko04nR4gjZ4+DNjHqRlAJqbJETHwiNKDqTfOjfE= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go index d003c6e62..9a8a5fada 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go @@ -814,6 +814,61 @@ var awsPartition = partition{ }: endpoint{}, }, }, + "amplifyuibuilder": service{ + Endpoints: serviceEndpoints{ + endpointKey{ + Region: "ap-northeast-1", + }: endpoint{}, + endpointKey{ + Region: "ap-northeast-2", + }: endpoint{}, + endpointKey{ + Region: "ap-south-1", + }: endpoint{}, + endpointKey{ + Region: "ap-southeast-1", + }: endpoint{}, + endpointKey{ + Region: "ap-southeast-2", + }: endpoint{}, + endpointKey{ + Region: "ca-central-1", + }: endpoint{}, + endpointKey{ + Region: "eu-central-1", + }: endpoint{}, + endpointKey{ + Region: "eu-north-1", + }: endpoint{}, + endpointKey{ + Region: "eu-west-1", + }: endpoint{}, + endpointKey{ + Region: "eu-west-2", + }: endpoint{}, + endpointKey{ + Region: "eu-west-3", + }: endpoint{}, + endpointKey{ + Region: "me-south-1", + }: endpoint{}, + endpointKey{ + Region: "sa-east-1", + }: endpoint{}, + endpointKey{ + Region: "us-east-1", + }: endpoint{}, + endpointKey{ + Region: "us-east-2", + }: endpoint{}, + endpointKey{ + Region: "us-west-1", + }: endpoint{}, + endpointKey{ + Region: "us-west-2", + }: endpoint{}, + }, + }, "api.detective": service{ Defaults: endpointDefaults{ defaultKey{}: endpoint{ @@ -1669,6 +1724,147 @@ var awsPartition = partition{ }, }, }, + "api.tunneling.iot": service{ + Defaults: endpointDefaults{ + defaultKey{}: endpoint{}, + defaultKey{ + Variant: fipsVariant, + }: endpoint{ + Hostname: "api.tunneling.iot-fips.{region}.{dnsSuffix}", + }, + }, + Endpoints: serviceEndpoints{ + endpointKey{ + Region: "ap-east-1", + }: endpoint{}, + endpointKey{ + Region: "ap-northeast-1", + }: endpoint{}, + endpointKey{ + Region: "ap-northeast-2", + }: endpoint{}, + endpointKey{ + Region: "ap-south-1", + }: endpoint{}, + endpointKey{ + Region: "ap-southeast-1", + }: endpoint{}, + endpointKey{ + Region: "ap-southeast-2", + }: endpoint{}, + endpointKey{ + Region: "ca-central-1", + }: endpoint{}, + endpointKey{ + Region: "ca-central-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "api.tunneling.iot-fips.ca-central-1.amazonaws.com", + }, + endpointKey{ + Region: "eu-central-1", + }: endpoint{}, + endpointKey{ + Region: "eu-north-1", + }: endpoint{}, + endpointKey{ + Region: "eu-west-1", + }: endpoint{}, + endpointKey{ + Region: "eu-west-2", + }: endpoint{}, + endpointKey{ + Region: "eu-west-3", + }: endpoint{}, + endpointKey{ + Region: "fips-ca-central-1", + }: endpoint{ + Hostname: "api.tunneling.iot-fips.ca-central-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ca-central-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-east-1", + }: endpoint{ + Hostname: "api.tunneling.iot-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-east-2", + }: endpoint{ + Hostname: "api.tunneling.iot-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-west-1", + }: endpoint{ + Hostname: "api.tunneling.iot-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-west-2", + }: endpoint{ + Hostname: "api.tunneling.iot-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "me-south-1", + }: endpoint{}, + endpointKey{ + Region: "sa-east-1", + }: endpoint{}, + endpointKey{ + Region: "us-east-1", + }: endpoint{}, + endpointKey{ + Region: "us-east-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "api.tunneling.iot-fips.us-east-1.amazonaws.com", + }, + endpointKey{ + Region: "us-east-2", + }: endpoint{}, + endpointKey{ + Region: "us-east-2", + Variant: fipsVariant, + }: endpoint{ + Hostname: "api.tunneling.iot-fips.us-east-2.amazonaws.com", + }, + endpointKey{ + Region: "us-west-1", + }: endpoint{}, + endpointKey{ + Region: "us-west-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "api.tunneling.iot-fips.us-west-1.amazonaws.com", + }, + endpointKey{ + Region: "us-west-2", + }: endpoint{}, + endpointKey{ + Region: "us-west-2", + Variant: fipsVariant, + }: endpoint{ + Hostname: "api.tunneling.iot-fips.us-west-2.amazonaws.com", + }, + }, + }, "apigateway": service{ Endpoints: serviceEndpoints{ endpointKey{ @@ -2810,6 +3006,9 @@ var awsPartition = partition{ }, "braket": service{ Endpoints: serviceEndpoints{ + endpointKey{ + Region: "eu-west-2", + }: endpoint{}, endpointKey{ Region: "us-east-1", }: endpoint{}, @@ -21963,6 +22162,16 @@ var awscnPartition = partition{ }: endpoint{}, }, }, + "api.tunneling.iot": service{ + Endpoints: serviceEndpoints{ + endpointKey{ + Region: "cn-north-1", + }: endpoint{}, + endpointKey{ + Region: "cn-northwest-1", + }: endpoint{}, + }, + }, "apigateway": service{ Endpoints: serviceEndpoints{ endpointKey{ @@ -23471,6 +23680,14 @@ var awsusgovPartition = partition{ }, }, "acm": service{ + Defaults: endpointDefaults{ + defaultKey{}: endpoint{}, + defaultKey{ + Variant: fipsVariant, + }: endpoint{ + Hostname: "acm.{region}.{dnsSuffix}", + }, + }, Endpoints: serviceEndpoints{ endpointKey{ Region: "us-gov-east-1", @@ -23761,6 +23978,54 @@ var awsusgovPartition = partition{ }, }, }, + "api.tunneling.iot": service{ + Defaults: endpointDefaults{ + defaultKey{}: endpoint{}, + defaultKey{ + Variant: fipsVariant, + }: endpoint{ + Hostname: "api.tunneling.iot-fips.{region}.{dnsSuffix}", + }, + }, + Endpoints: serviceEndpoints{ + endpointKey{ + Region: "fips-us-gov-east-1", + }: endpoint{ + Hostname: "api.tunneling.iot-fips.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-gov-west-1", + }: endpoint{ + Hostname: "api.tunneling.iot-fips.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "us-gov-east-1", + }: endpoint{}, + endpointKey{ + Region: "us-gov-east-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "api.tunneling.iot-fips.us-gov-east-1.amazonaws.com", + }, + endpointKey{ + Region: "us-gov-west-1", + }: endpoint{}, + endpointKey{ + Region: "us-gov-west-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "api.tunneling.iot-fips.us-gov-west-1.amazonaws.com", + }, + }, + }, "apigateway": service{ Endpoints: serviceEndpoints{ endpointKey{ @@ -24697,6 +24962,14 @@ var awsusgovPartition = partition{ }, }, "ec2": service{ + Defaults: endpointDefaults{ + defaultKey{}: endpoint{}, + defaultKey{ + Variant: fipsVariant, + }: endpoint{ + Hostname: "ec2.{region}.{dnsSuffix}", + }, + }, Endpoints: serviceEndpoints{ endpointKey{ Region: "us-gov-east-1", diff --git a/vendor/github.com/aws/aws-sdk-go/aws/version.go b/vendor/github.com/aws/aws-sdk-go/aws/version.go index 871130a44..9bded1622 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/version.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/version.go @@ -5,4 +5,4 @@ package aws const SDKName = "aws-sdk-go" // SDKVersion is the version of this SDK -const SDKVersion = "1.43.3" +const SDKVersion = "1.43.8" diff --git a/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go b/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go index b04750add..4cea26616 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go +++ b/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go @@ -82303,7 +82303,7 @@ type DescribeImageAttributeOutput struct { // The block device mapping entries. BlockDeviceMappings []*BlockDeviceMapping `locationName:"blockDeviceMapping" locationNameList:"item" type:"list"` - // Describes a value for a resource attribute that is a String. + // The boot mode. BootMode *AttributeValue `locationName:"bootMode" type:"structure"` // A description for the AMI. @@ -82315,6 +82315,13 @@ type DescribeImageAttributeOutput struct { // The kernel ID. KernelId *AttributeValue `locationName:"kernel" type:"structure"` + // The date and time, in ISO 8601 date-time format (http://www.iso.org/iso/iso8601), + // when the AMI was last used to launch an EC2 instance. When the AMI is used, + // there is a 24-hour delay before that usage is reported. + // + // lastLaunchedTime data is available starting April 2017. + LastLaunchedTime *AttributeValue `locationName:"lastLaunchedTime" type:"structure"` + // The launch permissions. LaunchPermissions []*LaunchPermission `locationName:"launchPermission" locationNameList:"item" type:"list"` @@ -82377,6 +82384,12 @@ func (s *DescribeImageAttributeOutput) SetKernelId(v *AttributeValue) *DescribeI return s } +// SetLastLaunchedTime sets the LastLaunchedTime field's value. +func (s *DescribeImageAttributeOutput) SetLastLaunchedTime(v *AttributeValue) *DescribeImageAttributeOutput { + s.LastLaunchedTime = v + return s +} + // SetLaunchPermissions sets the LaunchPermissions field's value. func (s *DescribeImageAttributeOutput) SetLaunchPermissions(v []*LaunchPermission) *DescribeImageAttributeOutput { s.LaunchPermissions = v @@ -162064,6 +162077,9 @@ const ( // ImageAttributeNameBootMode is a ImageAttributeName enum value ImageAttributeNameBootMode = "bootMode" + + // ImageAttributeNameLastLaunchedTime is a ImageAttributeName enum value + ImageAttributeNameLastLaunchedTime = "lastLaunchedTime" ) // ImageAttributeName_Values returns all elements of the ImageAttributeName enum @@ -162077,6 +162093,7 @@ func ImageAttributeName_Values() []string { ImageAttributeNameBlockDeviceMapping, ImageAttributeNameSriovNetSupport, ImageAttributeNameBootMode, + ImageAttributeNameLastLaunchedTime, } } @@ -166134,6 +166151,9 @@ const ( // ResourceTypeSubnet is a ResourceType enum value ResourceTypeSubnet = "subnet" + // ResourceTypeSubnetCidrReservation is a ResourceType enum value + ResourceTypeSubnetCidrReservation = "subnet-cidr-reservation" + // ResourceTypeTrafficMirrorFilter is a ResourceType enum value ResourceTypeTrafficMirrorFilter = "traffic-mirror-filter" @@ -166237,6 +166257,7 @@ func ResourceType_Values() []string { ResourceTypeSpotFleetRequest, ResourceTypeSpotInstancesRequest, ResourceTypeSubnet, + ResourceTypeSubnetCidrReservation, ResourceTypeTrafficMirrorFilter, ResourceTypeTrafficMirrorSession, ResourceTypeTrafficMirrorTarget, diff --git a/vendor/golang.org/x/term/codereview.cfg b/vendor/golang.org/x/term/codereview.cfg new file mode 100644 index 000000000..3f8b14b64 --- /dev/null +++ b/vendor/golang.org/x/term/codereview.cfg @@ -0,0 +1 @@ +issuerepo: golang/go diff --git a/vendor/golang.org/x/term/term.go b/vendor/golang.org/x/term/term.go index 1f6a38fad..d59270880 100644 --- a/vendor/golang.org/x/term/term.go +++ b/vendor/golang.org/x/term/term.go @@ -12,6 +12,8 @@ // panic(err) // } // defer term.Restore(int(os.Stdin.Fd()), oldState) +// +// Note that on non-Unix systems os.Stdin.Fd() may not be 0. package term // State contains the state of a terminal. diff --git a/vendor/modules.txt b/vendor/modules.txt index 2443a7aa7..015085ad9 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -8,7 +8,7 @@ github.com/armon/go-metrics # github.com/armon/go-radix v1.0.0 ## explicit github.com/armon/go-radix -# github.com/aws/aws-sdk-go v1.43.3 +# github.com/aws/aws-sdk-go v1.43.8 ## explicit; go 1.11 github.com/aws/aws-sdk-go/aws github.com/aws/aws-sdk-go/aws/awserr @@ -521,7 +521,7 @@ golang.org/x/crypto/poly1305 golang.org/x/crypto/scrypt golang.org/x/crypto/ssh golang.org/x/crypto/ssh/internal/bcrypt_pbkdf -# golang.org/x/net v0.0.0-20211216030914-fe4d6282115f +# golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd ## explicit; go 1.17 golang.org/x/net/context golang.org/x/net/context/ctxhttp @@ -545,7 +545,7 @@ golang.org/x/sys/internal/unsafeheader golang.org/x/sys/plan9 golang.org/x/sys/unix golang.org/x/sys/windows -# golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b +# golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 ## explicit; go 1.17 golang.org/x/term # golang.org/x/text v0.3.7 From b1af5f63b5ab992579998bb42c04587f92788d46 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 28 Feb 2022 20:10:36 +0000 Subject: [PATCH 2/4] rebase: bump github.com/hashicorp/vault/api from 1.3.1 to 1.4.1 Bumps [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) from 1.3.1 to 1.4.1. - [Release notes](https://github.com/hashicorp/vault/releases) - [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md) - [Commits](https://github.com/hashicorp/vault/compare/v1.3.1...v1.4.1) --- updated-dependencies: - dependency-name: github.com/hashicorp/vault/api dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 4 +- go.sum | 8 +- .../github.com/hashicorp/vault/api/client.go | 91 +++++- .../hashicorp/vault/api/lifetime_watcher.go | 2 +- .../github.com/hashicorp/vault/api/logical.go | 5 +- .../hashicorp/vault/api/output_string.go | 24 +- .../hashicorp/vault/api/plugin_helpers.go | 1 - .../github.com/hashicorp/vault/api/secret.go | 3 + .../hashicorp/vault/api/sys_mounts.go | 91 +++++- .../vault/sdk/helper/certutil/helpers.go | 265 +++++++++++++---- .../vault/sdk/helper/certutil/types.go | 115 ++++--- .../vault/sdk/helper/compressutil/compress.go | 35 ++- .../vault/sdk/helper/consts/agent.go | 7 + .../vault/sdk/helper/consts/token_consts.go | 10 + .../sdk/helper/pluginutil/multiplexing.go | 47 +++ .../sdk/helper/pluginutil/multiplexing.pb.go | 213 +++++++++++++ .../sdk/helper/pluginutil/multiplexing.proto | 13 + .../helper/pluginutil/multiplexing_grpc.pb.go | 101 +++++++ .../vault/sdk/helper/pluginutil/run_config.go | 55 ++-- .../vault/sdk/helper/pluginutil/runner.go | 9 + .../vault/sdk/helper/pluginutil/tls.go | 2 - .../hashicorp/vault/sdk/logical/auth.go | 3 + .../hashicorp/vault/sdk/logical/connection.go | 3 + .../vault/sdk/logical/identity.pb.go | 280 ++++++++++++++++-- .../vault/sdk/logical/identity.proto | 17 +- .../hashicorp/vault/sdk/logical/logical.go | 10 +- .../vault/sdk/logical/managed_key.go | 84 ++++++ .../hashicorp/vault/sdk/logical/plugin.pb.go | 2 +- .../hashicorp/vault/sdk/logical/request.go | 15 + .../hashicorp/vault/sdk/logical/response.go | 103 ++++++- .../vault/sdk/logical/response_util.go | 2 +- .../vault/sdk/logical/system_view.go | 8 + .../hashicorp/vault/sdk/logical/token.go | 63 +++- .../vault/sdk/logical/translate_response.go | 8 +- .../hashicorp/vault/sdk/physical/cache.go | 2 +- .../hashicorp/vault/sdk/physical/physical.go | 1 + .../hashicorp/vault/sdk/version/cgo.go | 2 +- .../hashicorp/vault/sdk/version/version.go | 10 +- .../vault/sdk/version/version_base.go | 4 +- vendor/modules.txt | 4 +- 40 files changed, 1517 insertions(+), 205 deletions(-) create mode 100644 vendor/github.com/hashicorp/vault/sdk/helper/consts/token_consts.go create mode 100644 vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing.go create mode 100644 vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing.pb.go create mode 100644 vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing.proto create mode 100644 vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing_grpc.pb.go create mode 100644 vendor/github.com/hashicorp/vault/sdk/logical/managed_key.go diff --git a/go.mod b/go.mod index 3fac604e5..c3af45fbd 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/golang/protobuf v1.5.2 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 - github.com/hashicorp/vault/api v1.3.1 + github.com/hashicorp/vault/api v1.4.1 github.com/kubernetes-csi/csi-lib-utils v0.10.0 github.com/kubernetes-csi/external-snapshotter/client/v4 v4.2.0 github.com/libopenstorage/secrets v0.0.0-20210908194121-a1d19aa9713a @@ -83,7 +83,7 @@ require ( github.com/hashicorp/golang-lru v0.5.4 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/hashicorp/vault v1.4.2 // indirect - github.com/hashicorp/vault/sdk v0.3.0 // indirect + github.com/hashicorp/vault/sdk v0.4.1 // indirect github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect github.com/imdario/mergo v0.3.12 // indirect github.com/inconshreveable/mousetrap v1.0.0 // indirect diff --git a/go.sum b/go.sum index 6b92190b1..3cc47e82b 100644 --- a/go.sum +++ b/go.sum @@ -635,8 +635,8 @@ github.com/hashicorp/vault/api v1.0.5-0.20191122173911-80fcc7907c78/go.mod h1:Uf github.com/hashicorp/vault/api v1.0.5-0.20200215224050-f6547fa8e820/go.mod h1:3f12BMfgDGjTsTtIUj+ZKZwSobQpZtYGFIEehOv5z1o= github.com/hashicorp/vault/api v1.0.5-0.20200317185738-82f498082f02/go.mod h1:3f12BMfgDGjTsTtIUj+ZKZwSobQpZtYGFIEehOv5z1o= github.com/hashicorp/vault/api v1.0.5-0.20200902155336-f9d5ce5a171a/go.mod h1:R3Umvhlxi2TN7Ex2hzOowyeNb+SfbVWI973N+ctaFMk= -github.com/hashicorp/vault/api v1.3.1 h1:pkDkcgTh47PRjY1NEFeofqR4W/HkNUi9qIakESO2aRM= -github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw= +github.com/hashicorp/vault/api v1.4.1 h1:mWLfPT0RhxBitjKr6swieCEP2v5pp/M//t70S3kMLRo= +github.com/hashicorp/vault/api v1.4.1/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM= github.com/hashicorp/vault/sdk v0.1.8/go.mod h1:tHZfc6St71twLizWNHvnnbiGFo1aq0eD2jGPLtP8kAU= github.com/hashicorp/vault/sdk v0.1.14-0.20190730042320-0dc007d98cc8/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M= github.com/hashicorp/vault/sdk v0.1.14-0.20191108161836-82f2b5571044/go.mod h1:PcekaFGiPJyHnFy+NZhP6ll650zEw51Ag7g/YEa+EOU= @@ -646,8 +646,8 @@ github.com/hashicorp/vault/sdk v0.1.14-0.20200317185738-82f498082f02/go.mod h1:W github.com/hashicorp/vault/sdk v0.1.14-0.20200427170607-03332aaf8d18/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10= github.com/hashicorp/vault/sdk v0.1.14-0.20200429182704-29fce8f27ce4/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10= github.com/hashicorp/vault/sdk v0.1.14-0.20200519221838-e0cfd64bc267/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10= -github.com/hashicorp/vault/sdk v0.3.0 h1:kR3dpxNkhh/wr6ycaJYqp6AFT/i2xaftbfnwZduTKEY= -github.com/hashicorp/vault/sdk v0.3.0/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= +github.com/hashicorp/vault/sdk v0.4.1 h1:3SaHOJY687jY1fnB61PtL0cOkKItphrbLmux7T92HBo= +github.com/hashicorp/vault/sdk v0.4.1/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ= github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= diff --git a/vendor/github.com/hashicorp/vault/api/client.go b/vendor/github.com/hashicorp/vault/api/client.go index b6c497d0b..6a804091a 100644 --- a/vendor/github.com/hashicorp/vault/api/client.go +++ b/vendor/github.com/hashicorp/vault/api/client.go @@ -51,6 +51,8 @@ const ( EnvRateLimit = "VAULT_RATE_LIMIT" EnvHTTPProxy = "VAULT_HTTP_PROXY" HeaderIndex = "X-Vault-Index" + HeaderForward = "X-Vault-Forward" + HeaderInconsistent = "X-Vault-Inconsistent" ) // Deprecated values @@ -132,6 +134,12 @@ type Config struct { // with the same client. Cloning a client will not clone this value. OutputCurlString bool + // curlCACert, curlCAPath, curlClientCert and curlClientKey are used to keep + // track of the name of the TLS certs and keys when OutputCurlString is set. + // Cloning a client will also not clone those values. + curlCACert, curlCAPath string + curlClientCert, curlClientKey string + // SRVLookup enables the client to lookup the host through DNS SRV lookup SRVLookup bool @@ -139,6 +147,9 @@ type Config struct { // its clone. CloneHeaders bool + // CloneToken from parent. + CloneToken bool + // ReadYourWrites ensures isolated read-after-write semantics by // providing discovered cluster replication states in each request. // The shared state is automatically propagated to all Client clones. @@ -180,7 +191,7 @@ type TLSConfig struct { // The default Address is https://127.0.0.1:8200, but this can be overridden by // setting the `VAULT_ADDR` environment variable. // -// If an error is encountered, this will return nil. +// If an error is encountered, the Error field on the returned *Config will be populated with the specific error. func DefaultConfig() *Config { config := &Config{ Address: "https://127.0.0.1:8200", @@ -222,9 +233,9 @@ func DefaultConfig() *Config { return config } -// ConfigureTLS takes a set of TLS configurations and applies those to the -// HTTP client. -func (c *Config) ConfigureTLS(t *TLSConfig) error { +// configureTLS is a lock free version of ConfigureTLS that can be used in +// ReadEnvironment where the lock is already hold +func (c *Config) configureTLS(t *TLSConfig) error { if c.HttpClient == nil { c.HttpClient = DefaultConfig().HttpClient } @@ -241,11 +252,15 @@ func (c *Config) ConfigureTLS(t *TLSConfig) error { return err } foundClientCert = true + c.curlClientCert = t.ClientCert + c.curlClientKey = t.ClientKey case t.ClientCert != "" || t.ClientKey != "": return fmt.Errorf("both client cert and client key must be provided") } if t.CACert != "" || t.CAPath != "" { + c.curlCACert = t.CACert + c.curlCAPath = t.CAPath rootConfig := &rootcerts.Config{ CAFile: t.CACert, CAPath: t.CAPath, @@ -275,6 +290,15 @@ func (c *Config) ConfigureTLS(t *TLSConfig) error { return nil } +// ConfigureTLS takes a set of TLS configurations and applies those to the +// HTTP client. +func (c *Config) ConfigureTLS(t *TLSConfig) error { + c.modifyLock.Lock() + defer c.modifyLock.Unlock() + + return c.configureTLS(t) +} + // ReadEnvironment reads configuration information from the environment. If // there is an error, no configuration value is updated. func (c *Config) ReadEnvironment() error { @@ -379,7 +403,7 @@ func (c *Config) ReadEnvironment() error { c.SRVLookup = envSRVLookup c.Limiter = limit - if err := c.ConfigureTLS(t); err != nil { + if err := c.configureTLS(t); err != nil { return err } @@ -547,6 +571,7 @@ func (c *Client) CloneConfig() *Config { newConfig.OutputCurlString = c.config.OutputCurlString newConfig.SRVLookup = c.config.SRVLookup newConfig.CloneHeaders = c.config.CloneHeaders + newConfig.CloneToken = c.config.CloneToken newConfig.ReadYourWrites = c.config.ReadYourWrites // we specifically want a _copy_ of the client here, not a pointer to the original one @@ -775,6 +800,12 @@ func (c *Client) setNamespace(namespace string) { c.headers.Set(consts.NamespaceHeaderName, namespace) } +func (c *Client) ClearNamespace() { + c.modifyLock.Lock() + defer c.modifyLock.Unlock() + c.headers.Del(consts.NamespaceHeaderName) +} + // Token returns the access token being used by this client. It will // return the empty string if there is no token set. func (c *Client) Token() string { @@ -873,6 +904,26 @@ func (c *Client) CloneHeaders() bool { return c.config.CloneHeaders } +// SetCloneToken from parent +func (c *Client) SetCloneToken(cloneToken bool) { + c.modifyLock.Lock() + defer c.modifyLock.Unlock() + c.config.modifyLock.Lock() + defer c.config.modifyLock.Unlock() + + c.config.CloneToken = cloneToken +} + +// CloneToken gets the configured CloneToken value. +func (c *Client) CloneToken() bool { + c.modifyLock.RLock() + defer c.modifyLock.RUnlock() + c.config.modifyLock.RLock() + defer c.config.modifyLock.RUnlock() + + return c.config.CloneToken +} + // SetReadYourWrites to prevent reading stale cluster replication state. func (c *Client) SetReadYourWrites(preventStaleReads bool) { c.modifyLock.Lock() @@ -904,12 +955,25 @@ func (c *Client) ReadYourWrites() bool { // Clone creates a new client with the same configuration. Note that the same // underlying http.Client is used; modifying the client from more than one // goroutine at once may not be safe, so modify the client as needed and then -// clone. +// clone. The headers are cloned based on the CloneHeaders property of the +// source config // // Also, only the client's config is currently copied; this means items not in // the api.Config struct, such as policy override and wrapping function // behavior, must currently then be set as desired on the new client. func (c *Client) Clone() (*Client, error) { + return c.clone(c.config.CloneHeaders) +} + +// CloneWithHeaders creates a new client similar to Clone, with the difference +// being that the headers are always cloned +func (c *Client) CloneWithHeaders() (*Client, error) { + return c.clone(true) +} + +// clone creates a new client, with the headers being cloned based on the +// passed in cloneheaders boolean +func (c *Client) clone(cloneHeaders bool) (*Client, error) { c.modifyLock.RLock() defer c.modifyLock.RUnlock() @@ -932,6 +996,7 @@ func (c *Client) Clone() (*Client, error) { AgentAddress: config.AgentAddress, SRVLookup: config.SRVLookup, CloneHeaders: config.CloneHeaders, + CloneToken: config.CloneToken, ReadYourWrites: config.ReadYourWrites, } client, err := NewClient(newConfig) @@ -939,10 +1004,14 @@ func (c *Client) Clone() (*Client, error) { return nil, err } - if config.CloneHeaders { + if cloneHeaders { client.SetHeaders(c.Headers().Clone()) } + if config.CloneToken { + client.SetToken(c.token) + } + client.replicationStateStore = c.replicationStateStore return client, nil @@ -1080,6 +1149,10 @@ START: LastOutputStringError = &OutputStringError{ Request: req, TLSSkipVerify: c.config.HttpClient.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify, + ClientCert: c.config.curlClientCert, + ClientKey: c.config.curlClientKey, + ClientCACert: c.config.curlCACert, + ClientCAPath: c.config.curlCAPath, } return nil, LastOutputStringError } @@ -1330,7 +1403,7 @@ func ParseReplicationState(raw string, hmacKey []byte) (*logical.WALState, error // conjunction with RequireState. func ForwardInconsistent() RequestCallback { return func(req *Request) { - req.Headers.Set("X-Vault-Inconsistent", "forward-active-node") + req.Headers.Set(HeaderInconsistent, "forward-active-node") } } @@ -1339,7 +1412,7 @@ func ForwardInconsistent() RequestCallback { // This feature must be enabled in Vault's configuration. func ForwardAlways() RequestCallback { return func(req *Request) { - req.Headers.Set("X-Vault-Forward", "active-node") + req.Headers.Set(HeaderForward, "active-node") } } diff --git a/vendor/github.com/hashicorp/vault/api/lifetime_watcher.go b/vendor/github.com/hashicorp/vault/api/lifetime_watcher.go index b1d81332f..f775dfb15 100644 --- a/vendor/github.com/hashicorp/vault/api/lifetime_watcher.go +++ b/vendor/github.com/hashicorp/vault/api/lifetime_watcher.go @@ -225,7 +225,7 @@ func (r *LifetimeWatcher) Start() { r.doneCh <- r.doRenew() } -// Renew is for comnpatibility with the legacy api.Renewer. Calling Renew +// Renew is for compatibility with the legacy api.Renewer. Calling Renew // simply chains to Start. func (r *LifetimeWatcher) Renew() { r.Start() diff --git a/vendor/github.com/hashicorp/vault/api/logical.go b/vendor/github.com/hashicorp/vault/api/logical.go index 68f3e9100..f7d2b4a40 100644 --- a/vendor/github.com/hashicorp/vault/api/logical.go +++ b/vendor/github.com/hashicorp/vault/api/logical.go @@ -5,7 +5,6 @@ import ( "context" "fmt" "io" - "net/http" "net/url" "os" "strings" @@ -145,9 +144,7 @@ func (c *Logical) Write(path string, data map[string]interface{}) (*Secret, erro func (c *Logical) JSONMergePatch(ctx context.Context, path string, data map[string]interface{}) (*Secret, error) { r := c.c.NewRequest("PATCH", "/v1/"+path) - r.Headers = http.Header{ - "Content-Type": []string{"application/merge-patch+json"}, - } + r.Headers.Set("Content-Type", "application/merge-patch+json") if err := r.SetJSONBody(data); err != nil { return nil, err } diff --git a/vendor/github.com/hashicorp/vault/api/output_string.go b/vendor/github.com/hashicorp/vault/api/output_string.go index 8b654ad82..b30c06eee 100644 --- a/vendor/github.com/hashicorp/vault/api/output_string.go +++ b/vendor/github.com/hashicorp/vault/api/output_string.go @@ -15,9 +15,11 @@ var LastOutputStringError *OutputStringError type OutputStringError struct { *retryablehttp.Request - TLSSkipVerify bool - parsingError error - parsedCurlString string + TLSSkipVerify bool + ClientCACert, ClientCAPath string + ClientCert, ClientKey string + parsingError error + parsedCurlString string } func (d *OutputStringError) Error() string { @@ -46,6 +48,22 @@ func (d *OutputStringError) parseRequest() { if d.Request.Method != "GET" { d.parsedCurlString = fmt.Sprintf("%s-X %s ", d.parsedCurlString, d.Request.Method) } + if d.ClientCACert != "" { + clientCACert := strings.Replace(d.ClientCACert, "'", "'\"'\"'", -1) + d.parsedCurlString = fmt.Sprintf("%s--cacert '%s' ", d.parsedCurlString, clientCACert) + } + if d.ClientCAPath != "" { + clientCAPath := strings.Replace(d.ClientCAPath, "'", "'\"'\"'", -1) + d.parsedCurlString = fmt.Sprintf("%s--capath '%s' ", d.parsedCurlString, clientCAPath) + } + if d.ClientCert != "" { + clientCert := strings.Replace(d.ClientCert, "'", "'\"'\"'", -1) + d.parsedCurlString = fmt.Sprintf("%s--cert '%s' ", d.parsedCurlString, clientCert) + } + if d.ClientKey != "" { + clientKey := strings.Replace(d.ClientKey, "'", "'\"'\"'", -1) + d.parsedCurlString = fmt.Sprintf("%s--key '%s' ", d.parsedCurlString, clientKey) + } for k, v := range d.Request.Header { for _, h := range v { if strings.ToLower(k) == "x-vault-token" { diff --git a/vendor/github.com/hashicorp/vault/api/plugin_helpers.go b/vendor/github.com/hashicorp/vault/api/plugin_helpers.go index c2978b388..9acd6a58a 100644 --- a/vendor/github.com/hashicorp/vault/api/plugin_helpers.go +++ b/vendor/github.com/hashicorp/vault/api/plugin_helpers.go @@ -182,7 +182,6 @@ func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error) Certificates: []tls.Certificate{cert}, ServerName: serverCert.Subject.CommonName, } - tlsConfig.BuildNameToCertificate() return tlsConfig, nil } diff --git a/vendor/github.com/hashicorp/vault/api/secret.go b/vendor/github.com/hashicorp/vault/api/secret.go index 64865d0ba..a3a288bf1 100644 --- a/vendor/github.com/hashicorp/vault/api/secret.go +++ b/vendor/github.com/hashicorp/vault/api/secret.go @@ -9,6 +9,7 @@ import ( "github.com/hashicorp/errwrap" "github.com/hashicorp/go-secure-stdlib/parseutil" "github.com/hashicorp/vault/sdk/helper/jsonutil" + "github.com/hashicorp/vault/sdk/logical" ) // Secret is the structure returned for every secret within Vault. @@ -297,6 +298,8 @@ type SecretAuth struct { LeaseDuration int `json:"lease_duration"` Renewable bool `json:"renewable"` + + MFARequirement *logical.MFARequirement `json:"mfa_requirement"` } // ParseSecret is used to parse a secret value from JSON from an io.Reader. diff --git a/vendor/github.com/hashicorp/vault/api/sys_mounts.go b/vendor/github.com/hashicorp/vault/api/sys_mounts.go index 1d68a1063..8a0c5b985 100644 --- a/vendor/github.com/hashicorp/vault/api/sys_mounts.go +++ b/vendor/github.com/hashicorp/vault/api/sys_mounts.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "time" "github.com/mitchellh/mapstructure" ) @@ -65,7 +66,31 @@ func (c *Sys) Unmount(path string) error { return err } +// Remount kicks off a remount operation, polls the status endpoint using +// the migration ID till either success or failure state is observed func (c *Sys) Remount(from, to string) error { + remountResp, err := c.StartRemount(from, to) + if err != nil { + return err + } + + for { + remountStatusResp, err := c.RemountStatus(remountResp.MigrationID) + if err != nil { + return err + } + if remountStatusResp.MigrationInfo.MigrationStatus == "success" { + return nil + } + if remountStatusResp.MigrationInfo.MigrationStatus == "failure" { + return fmt.Errorf("Failure! Error encountered moving mount %s to %s, with migration ID %s", from, to, remountResp.MigrationID) + } + time.Sleep(1 * time.Second) + } +} + +// StartRemount kicks off a mount migration and returns a response with the migration ID +func (c *Sys) StartRemount(from, to string) (*MountMigrationOutput, error) { body := map[string]interface{}{ "from": from, "to": to, @@ -73,16 +98,59 @@ func (c *Sys) Remount(from, to string) error { r := c.c.NewRequest("POST", "/v1/sys/remount") if err := r.SetJSONBody(body); err != nil { - return err + return nil, err } ctx, cancelFunc := context.WithCancel(context.Background()) defer cancelFunc() resp, err := c.c.RawRequestWithContext(ctx, r) - if err == nil { - defer resp.Body.Close() + if err != nil { + return nil, err } - return err + defer resp.Body.Close() + secret, err := ParseSecret(resp.Body) + if err != nil { + return nil, err + } + if secret == nil || secret.Data == nil { + return nil, errors.New("data from server response is empty") + } + + var result MountMigrationOutput + err = mapstructure.Decode(secret.Data, &result) + if err != nil { + return nil, err + } + + return &result, err +} + +// RemountStatus checks the status of a mount migration operation with the provided ID +func (c *Sys) RemountStatus(migrationID string) (*MountMigrationStatusOutput, error) { + r := c.c.NewRequest("GET", fmt.Sprintf("/v1/sys/remount/status/%s", migrationID)) + + ctx, cancelFunc := context.WithCancel(context.Background()) + defer cancelFunc() + resp, err := c.c.RawRequestWithContext(ctx, r) + if err != nil { + return nil, err + } + defer resp.Body.Close() + secret, err := ParseSecret(resp.Body) + if err != nil { + return nil, err + } + if secret == nil || secret.Data == nil { + return nil, errors.New("data from server response is empty") + } + + var result MountMigrationStatusOutput + err = mapstructure.Decode(secret.Data, &result) + if err != nil { + return nil, err + } + + return &result, err } func (c *Sys) TuneMount(path string, config MountConfigInput) error { @@ -187,3 +255,18 @@ type MountConfigOutput struct { // Deprecated: This field will always be blank for newer server responses. PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"` } + +type MountMigrationOutput struct { + MigrationID string `mapstructure:"migration_id"` +} + +type MountMigrationStatusOutput struct { + MigrationID string `mapstructure:"migration_id"` + MigrationInfo *MountMigrationStatusInfo `mapstructure:"migration_info"` +} + +type MountMigrationStatusInfo struct { + SourceMount string `mapstructure:"source_mount"` + TargetMount string `mapstructure:"target_mount"` + MigrationStatus string `mapstructure:"status"` +} diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go b/vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go index e8edcfd29..b6bee2e34 100644 --- a/vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go +++ b/vendor/github.com/hashicorp/vault/sdk/helper/certutil/helpers.go @@ -33,6 +33,22 @@ import ( cbasn1 "golang.org/x/crypto/cryptobyte/asn1" ) +const rsaMinimumSecureKeySize = 2048 + +// Mapping of key types to default key lengths +var defaultAlgorithmKeyBits = map[string]int{ + "rsa": 2048, + "ec": 256, +} + +// Mapping of NIST P-Curve's key length to expected signature bits. +var expectedNISTPCurveHashBits = map[int]int{ + 224: 256, + 256: 256, + 384: 384, + 521: 512, +} + // GetHexFormatted returns the byte buffer formatted in hex with // the specified separator between bytes. func GetHexFormatted(buf []byte, sep string) string { @@ -61,21 +77,42 @@ func ParseHexFormatted(in, sep string) []byte { return ret.Bytes() } -// GetSubjKeyID returns the subject key ID, e.g. the SHA1 sum -// of the marshaled public key +// GetSubjKeyID returns the subject key ID. The computed ID is the SHA-1 hash of +// the marshaled public key according to +// https://tools.ietf.org/html/rfc5280#section-4.2.1.2 (1) func GetSubjKeyID(privateKey crypto.Signer) ([]byte, error) { if privateKey == nil { return nil, errutil.InternalError{Err: "passed-in private key is nil"} } + return getSubjectKeyID(privateKey.Public()) +} - marshaledKey, err := x509.MarshalPKIXPublicKey(privateKey.Public()) - if err != nil { - return nil, errutil.InternalError{Err: fmt.Sprintf("error marshalling public key: %s", err)} +func getSubjectKeyID(pub interface{}) ([]byte, error) { + var publicKeyBytes []byte + switch pub := pub.(type) { + case *rsa.PublicKey: + type pkcs1PublicKey struct { + N *big.Int + E int + } + + var err error + publicKeyBytes, err = asn1.Marshal(pkcs1PublicKey{ + N: pub.N, + E: pub.E, + }) + if err != nil { + return nil, errutil.InternalError{Err: fmt.Sprintf("error marshalling public key: %s", err)} + } + case *ecdsa.PublicKey: + publicKeyBytes = elliptic.Marshal(pub.Curve, pub.X, pub.Y) + case ed25519.PublicKey: + publicKeyBytes = pub + default: + return nil, errutil.InternalError{Err: fmt.Sprintf("unsupported public key type: %T", pub)} } - - subjKeyID := sha1.Sum(marshaledKey) - - return subjKeyID[:], nil + skid := sha1.Sum(publicKeyBytes) + return skid[:], nil } // ParsePKIMap takes a map (for instance, the Secret.Data @@ -354,6 +391,9 @@ func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) { func ParsePublicKeyPEM(data []byte) (interface{}, error) { block, data := pem.Decode(data) if block != nil { + if len(bytes.TrimSpace(data)) > 0 { + return nil, errutil.UserError{Err: "unexpected trailing data after parsed PEM block"} + } var rawKey interface{} var err error if rawKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil { @@ -364,17 +404,15 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) { } } - if rsaPublicKey, ok := rawKey.(*rsa.PublicKey); ok { - return rsaPublicKey, nil - } - if ecPublicKey, ok := rawKey.(*ecdsa.PublicKey); ok { - return ecPublicKey, nil - } - if edPublicKey, ok := rawKey.(ed25519.PublicKey); ok { - return edPublicKey, nil + switch key := rawKey.(type) { + case *rsa.PublicKey: + return key, nil + case *ecdsa.PublicKey: + return key, nil + case ed25519.PublicKey: + return key, nil } } - return nil, errors.New("data does not contain any valid public keys") } @@ -525,20 +563,118 @@ func StringToOid(in string) (asn1.ObjectIdentifier, error) { return asn1.ObjectIdentifier(ret), nil } -func ValidateSignatureLength(keyBits int) error { - switch keyBits { +// Returns default key bits for the specified key type, or the present value +// if keyBits is non-zero. +func DefaultOrValueKeyBits(keyType string, keyBits int) (int, error) { + if keyBits == 0 { + newValue, present := defaultAlgorithmKeyBits[keyType] + if present { + keyBits = newValue + } /* else { + // We cannot return an error here as ed25519 (and potentially ed448 + // in the future) aren't in defaultAlgorithmKeyBits -- the value of + // the keyBits parameter is ignored under that algorithm. + } */ + } + + return keyBits, nil +} + +// Returns default signature hash bit length for the specified key type and +// bits, or the present value if hashBits is non-zero. Returns an error under +// certain internal circumstances. +func DefaultOrValueHashBits(keyType string, keyBits int, hashBits int) (int, error) { + if keyType == "ec" { + // To comply with BSI recommendations Section 4.2 and Mozilla root + // store policy section 5.1.2, enforce that NIST P-curves use a hash + // length corresponding to curve length. Note that ed25519 does not + // the "ec" key type. + expectedHashBits := expectedNISTPCurveHashBits[keyBits] + + if expectedHashBits != hashBits && hashBits != 0 { + return hashBits, fmt.Errorf("unsupported signature hash algorithm length (%d) for NIST P-%d", hashBits, keyBits) + } else if hashBits == 0 { + hashBits = expectedHashBits + } + } else if keyType == "rsa" && hashBits == 0 { + // To match previous behavior (and ignoring NIST's recommendations for + // hash size to align with RSA key sizes), default to SHA-2-256. + hashBits = 256 + } else if keyType == "ed25519" || keyType == "ed448" { + // No-op; ed25519 and ed448 internally specify their own hash and + // we do not need to select one. Double hashing isn't supported in + // certificate signing and we must + return 0, nil + } + + return hashBits, nil +} + +// Validates that the combination of keyType, keyBits, and hashBits are +// valid together; replaces individual calls to ValidateSignatureLength and +// ValidateKeyTypeLength. Also updates the value of keyBits and hashBits on +// return. +func ValidateDefaultOrValueKeyTypeSignatureLength(keyType string, keyBits int, hashBits int) (int, int, error) { + var err error + + if keyBits, err = DefaultOrValueKeyBits(keyType, keyBits); err != nil { + return keyBits, hashBits, err + } + + if err = ValidateKeyTypeLength(keyType, keyBits); err != nil { + return keyBits, hashBits, err + } + + if hashBits, err = DefaultOrValueHashBits(keyType, keyBits, hashBits); err != nil { + return keyBits, hashBits, err + } + + // Note that this check must come after we've selected a value for + // hashBits above, in the event it was left as the default, but we + // were allowed to update it. + if err = ValidateSignatureLength(keyType, hashBits); err != nil { + return keyBits, hashBits, err + } + + return keyBits, hashBits, nil +} + +// Validates that the length of the hash (in bits) used in the signature +// calculation is a known, approved value. +func ValidateSignatureLength(keyType string, hashBits int) error { + if keyType == "ed25519" || keyType == "ed448" { + // ed25519 and ed448 include built-in hashing and is not externally + // configurable. There are three modes for each of these schemes: + // + // 1. Built-in hash (default, used in TLS, x509). + // 2. Double hash (notably used in some block-chain implementations, + // but largely regarded as a specialized use case with security + // concerns). + // 3. No hash (bring your own hash function, less commonly used). + // + // In all cases, we won't have a hash algorithm to validate here, so + // return nil. + return nil + } + + switch hashBits { case 256: case 384: case 512: default: - return fmt.Errorf("unsupported signature algorithm: %d", keyBits) + return fmt.Errorf("unsupported hash signature algorithm: %d", hashBits) } + return nil } func ValidateKeyTypeLength(keyType string, keyBits int) error { switch keyType { case "rsa": + if keyBits < rsaMinimumSecureKeySize { + return fmt.Errorf("RSA keys < %d bits are unsafe and not supported: got %d", rsaMinimumSecureKeySize, keyBits) + } + switch keyBits { case 2048: case 3072: @@ -548,12 +684,8 @@ func ValidateKeyTypeLength(keyType string, keyBits int) error { return fmt.Errorf("unsupported bit length for RSA key: %d", keyBits) } case "ec": - switch keyBits { - case 224: - case 256: - case 384: - case 521: - default: + _, present := expectedNISTPCurveHashBits[keyBits] + if !present { return fmt.Errorf("unsupported bit length for EC key: %d", keyBits) } case "any", "ed25519": @@ -567,16 +699,23 @@ func ValidateKeyTypeLength(keyType string, keyBits int) error { // CreateCertificate uses CreationBundle and the default rand.Reader to // generate a cert/keypair. func CreateCertificate(data *CreationBundle) (*ParsedCertBundle, error) { - return createCertificate(data, rand.Reader) + return createCertificate(data, rand.Reader, generatePrivateKey) } // CreateCertificateWithRandomSource uses CreationBundle and a custom // io.Reader for randomness to generate a cert/keypair. func CreateCertificateWithRandomSource(data *CreationBundle, randReader io.Reader) (*ParsedCertBundle, error) { - return createCertificate(data, randReader) + return createCertificate(data, randReader, generatePrivateKey) } -func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertBundle, error) { +// KeyGenerator Allow us to override how/what generates the private key +type KeyGenerator func(keyType string, keyBits int, container ParsedPrivateKeyContainer, entropyReader io.Reader) error + +func CreateCertificateWithKeyGenerator(data *CreationBundle, randReader io.Reader, keyGenerator KeyGenerator) (*ParsedCertBundle, error) { + return createCertificate(data, randReader, keyGenerator) +} + +func createCertificate(data *CreationBundle, randReader io.Reader, privateKeyGenerator KeyGenerator) (*ParsedCertBundle, error) { var err error result := &ParsedCertBundle{} @@ -585,7 +724,7 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB return nil, err } - if err := generatePrivateKey(data.Params.KeyType, + if err := privateKeyGenerator(data.Params.KeyType, data.Params.KeyBits, result, randReader); err != nil { return nil, err @@ -655,14 +794,7 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB case Ed25519PrivateKey: certTemplate.SignatureAlgorithm = x509.PureEd25519 case ECPrivateKey: - switch data.Params.SignatureBits { - case 256: - certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256 - case 384: - certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA384 - case 512: - certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA512 - } + certTemplate.SignatureAlgorithm = selectSignatureAlgorithmForECDSA(data.SigningBundle.PrivateKey.Public(), data.Params.SignatureBits) } caCert := data.SigningBundle.Certificate @@ -691,14 +823,7 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB case "ed25519": certTemplate.SignatureAlgorithm = x509.PureEd25519 case "ec": - switch data.Params.SignatureBits { - case 256: - certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256 - case 384: - certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA384 - case 512: - certTemplate.SignatureAlgorithm = x509.ECDSAWithSHA512 - } + certTemplate.SignatureAlgorithm = selectSignatureAlgorithmForECDSA(result.PrivateKey.Public(), data.Params.SignatureBits) } certTemplate.AuthorityKeyId = subjKeyID @@ -733,26 +858,59 @@ func createCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertB return result, nil } +func selectSignatureAlgorithmForECDSA(pub crypto.PublicKey, signatureBits int) x509.SignatureAlgorithm { + // If signature bits are configured, prefer them to the default choice. + switch signatureBits { + case 256: + return x509.ECDSAWithSHA256 + case 384: + return x509.ECDSAWithSHA384 + case 512: + return x509.ECDSAWithSHA512 + } + + key, ok := pub.(*ecdsa.PublicKey) + if !ok { + return x509.ECDSAWithSHA256 + } + switch key.Curve { + case elliptic.P224(), elliptic.P256(): + return x509.ECDSAWithSHA256 + case elliptic.P384(): + return x509.ECDSAWithSHA384 + case elliptic.P521(): + return x509.ECDSAWithSHA512 + default: + return x509.ECDSAWithSHA256 + } +} + var oidExtensionBasicConstraints = []int{2, 5, 29, 19} // CreateCSR creates a CSR with the default rand.Reader to // generate a cert/keypair. This is currently only meant // for use when generating an intermediate certificate. func CreateCSR(data *CreationBundle, addBasicConstraints bool) (*ParsedCSRBundle, error) { - return createCSR(data, addBasicConstraints, rand.Reader) + return createCSR(data, addBasicConstraints, rand.Reader, generatePrivateKey) } // CreateCSRWithRandomSource creates a CSR with a custom io.Reader // for randomness to generate a cert/keypair. func CreateCSRWithRandomSource(data *CreationBundle, addBasicConstraints bool, randReader io.Reader) (*ParsedCSRBundle, error) { - return createCSR(data, addBasicConstraints, randReader) + return createCSR(data, addBasicConstraints, randReader, generatePrivateKey) } -func createCSR(data *CreationBundle, addBasicConstraints bool, randReader io.Reader) (*ParsedCSRBundle, error) { +// CreateCSRWithKeyGenerator creates a CSR with a custom io.Reader +// for randomness to generate a cert/keypair with the provided private key generator. +func CreateCSRWithKeyGenerator(data *CreationBundle, addBasicConstraints bool, randReader io.Reader, keyGenerator KeyGenerator) (*ParsedCSRBundle, error) { + return createCSR(data, addBasicConstraints, randReader, keyGenerator) +} + +func createCSR(data *CreationBundle, addBasicConstraints bool, randReader io.Reader, keyGenerator KeyGenerator) (*ParsedCSRBundle, error) { var err error result := &ParsedCSRBundle{} - if err := generatePrivateKey(data.Params.KeyType, + if err := keyGenerator(data.Params.KeyType, data.Params.KeyBits, result, randReader); err != nil { return nil, err @@ -849,11 +1007,10 @@ func signCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertBun return nil, err } - marshaledKey, err := x509.MarshalPKIXPublicKey(data.CSR.PublicKey) + subjKeyID, err := getSubjectKeyID(data.CSR.PublicKey) if err != nil { - return nil, errutil.InternalError{Err: fmt.Sprintf("error marshalling public key: %s", err)} + return nil, err } - subjKeyID := sha1.Sum(marshaledKey) caCert := data.SigningBundle.Certificate diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/certutil/types.go b/vendor/github.com/hashicorp/vault/sdk/helper/certutil/types.go index a557b5d73..076a4e352 100644 --- a/vendor/github.com/hashicorp/vault/sdk/helper/certutil/types.go +++ b/vendor/github.com/hashicorp/vault/sdk/helper/certutil/types.go @@ -58,6 +58,7 @@ const ( RSAPrivateKey PrivateKeyType = "rsa" ECPrivateKey PrivateKeyType = "ec" Ed25519PrivateKey PrivateKeyType = "ed25519" + ManagedPrivateKey PrivateKeyType = "ManagedPrivateKey" ) // TLSUsage controls whether the intended usage of a *tls.Config @@ -158,46 +159,21 @@ func (c *CertBundle) ToPEMBundle() string { // ToParsedCertBundle converts a string-based certificate bundle // to a byte-based raw certificate bundle func (c *CertBundle) ToParsedCertBundle() (*ParsedCertBundle, error) { - result := &ParsedCertBundle{} + return c.ToParsedCertBundleWithExtractor(extractAndSetPrivateKey) +} + +// PrivateKeyExtractor extract out a private key from the passed in +// CertBundle and set the appropriate bits within the ParsedCertBundle. +type PrivateKeyExtractor func(c *CertBundle, parsedBundle *ParsedCertBundle) error + +func (c *CertBundle) ToParsedCertBundleWithExtractor(privateKeyExtractor PrivateKeyExtractor) (*ParsedCertBundle, error) { var err error var pemBlock *pem.Block + result := &ParsedCertBundle{} - if len(c.PrivateKey) > 0 { - pemBlock, _ = pem.Decode([]byte(c.PrivateKey)) - if pemBlock == nil { - return nil, errutil.UserError{Err: "Error decoding private key from cert bundle"} - } - - result.PrivateKeyBytes = pemBlock.Bytes - result.PrivateKeyFormat = BlockType(strings.TrimSpace(pemBlock.Type)) - - switch result.PrivateKeyFormat { - case ECBlock: - result.PrivateKeyType, c.PrivateKeyType = ECPrivateKey, ECPrivateKey - case PKCS1Block: - c.PrivateKeyType, result.PrivateKeyType = RSAPrivateKey, RSAPrivateKey - case PKCS8Block: - t, err := getPKCS8Type(pemBlock.Bytes) - if err != nil { - return nil, errutil.UserError{Err: fmt.Sprintf("Error getting key type from pkcs#8: %v", err)} - } - result.PrivateKeyType = t - switch t { - case ECPrivateKey: - c.PrivateKeyType = ECPrivateKey - case RSAPrivateKey: - c.PrivateKeyType = RSAPrivateKey - case Ed25519PrivateKey: - c.PrivateKeyType = Ed25519PrivateKey - } - default: - return nil, errutil.UserError{Err: fmt.Sprintf("Unsupported key block type: %s", pemBlock.Type)} - } - - result.PrivateKey, err = result.getSigner() - if err != nil { - return nil, errutil.UserError{Err: fmt.Sprintf("Error getting signer: %s", err)} - } + err = privateKeyExtractor(c, result) + if err != nil { + return nil, err } if len(c.Certificate) > 0 { @@ -258,6 +234,52 @@ func (c *CertBundle) ToParsedCertBundle() (*ParsedCertBundle, error) { return result, nil } +func extractAndSetPrivateKey(c *CertBundle, parsedBundle *ParsedCertBundle) error { + if len(c.PrivateKey) == 0 { + return nil + } + + pemBlock, _ := pem.Decode([]byte(c.PrivateKey)) + if pemBlock == nil { + return errutil.UserError{Err: "Error decoding private key from cert bundle"} + } + + parsedBundle.PrivateKeyBytes = pemBlock.Bytes + parsedBundle.PrivateKeyFormat = BlockType(strings.TrimSpace(pemBlock.Type)) + + switch parsedBundle.PrivateKeyFormat { + case ECBlock: + parsedBundle.PrivateKeyType, c.PrivateKeyType = ECPrivateKey, ECPrivateKey + case PKCS1Block: + c.PrivateKeyType, parsedBundle.PrivateKeyType = RSAPrivateKey, RSAPrivateKey + case PKCS8Block: + t, err := getPKCS8Type(pemBlock.Bytes) + if err != nil { + return errutil.UserError{Err: fmt.Sprintf("Error getting key type from pkcs#8: %v", err)} + } + parsedBundle.PrivateKeyType = t + switch t { + case ECPrivateKey: + c.PrivateKeyType = ECPrivateKey + case RSAPrivateKey: + c.PrivateKeyType = RSAPrivateKey + case Ed25519PrivateKey: + c.PrivateKeyType = Ed25519PrivateKey + case ManagedPrivateKey: + c.PrivateKeyType = ManagedPrivateKey + } + default: + return errutil.UserError{Err: fmt.Sprintf("Unsupported key block type: %s", pemBlock.Type)} + } + + var err error + parsedBundle.PrivateKey, err = parsedBundle.getSigner() + if err != nil { + return errutil.UserError{Err: fmt.Sprintf("Error getting signer: %s", err)} + } + return nil +} + // ToCertBundle converts a byte-based raw DER certificate bundle // to a PEM-based string certificate bundle func (p *ParsedCertBundle) ToCertBundle() (*CertBundle, error) { @@ -505,6 +527,9 @@ func (p *ParsedCSRBundle) ToCSRBundle() (*CSRBundle, error) { case Ed25519PrivateKey: result.PrivateKeyType = "ed25519" block.Type = "PRIVATE KEY" + case ManagedPrivateKey: + result.PrivateKeyType = ManagedPrivateKey + block.Type = "PRIVATE KEY" default: return nil, errutil.InternalError{Err: "Could not determine private key type when creating block"} } @@ -613,7 +638,6 @@ func (p *ParsedCertBundle) GetTLSConfig(usage TLSUsage) (*tls.Config, error) { if tlsCert.Certificate != nil && len(tlsCert.Certificate) > 0 { tlsConfig.Certificates = []tls.Certificate{tlsCert} - tlsConfig.BuildNameToCertificate() } return tlsConfig, nil @@ -663,6 +687,21 @@ func (b *CAInfoBundle) GetCAChain() []*CertBlock { return chain } +func (b *CAInfoBundle) GetFullChain() []*CertBlock { + var chain []*CertBlock + + chain = append(chain, &CertBlock{ + Certificate: b.Certificate, + Bytes: b.CertificateBytes, + }) + + if len(b.CAChain) > 0 { + chain = append(chain, b.CAChain...) + } + + return chain +} + type CertExtKeyUsage int const ( diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/compressutil/compress.go b/vendor/github.com/hashicorp/vault/sdk/helper/compressutil/compress.go index 356d4548f..924f82a2a 100644 --- a/vendor/github.com/hashicorp/vault/sdk/helper/compressutil/compress.go +++ b/vendor/github.com/hashicorp/vault/sdk/helper/compressutil/compress.go @@ -141,10 +141,21 @@ func Compress(data []byte, config *CompressionConfig) ([]byte, error) { // If the first byte isn't a canary byte, then the utility returns a boolean // value indicating that the input was not compressed. func Decompress(data []byte) ([]byte, bool, error) { + bytes, _, notCompressed, err := DecompressWithCanary(data) + return bytes, notCompressed, err +} + +// DecompressWithCanary checks if the first byte in the input matches the canary byte. +// If the first byte is a canary byte, then the input past the canary byte +// will be decompressed using the method specified in the given configuration. The type of compression used is also +// returned. If the first byte isn't a canary byte, then the utility returns a boolean +// value indicating that the input was not compressed. +func DecompressWithCanary(data []byte) ([]byte, string, bool, error) { var err error var reader io.ReadCloser + var compressionType string if data == nil || len(data) == 0 { - return nil, false, fmt.Errorf("'data' being decompressed is empty") + return nil, "", false, fmt.Errorf("'data' being decompressed is empty") } canary := data[0] @@ -155,43 +166,47 @@ func Decompress(data []byte) ([]byte, bool, error) { // byte and try to decompress the data that is after the canary. case CompressionCanaryGzip: if len(data) < 2 { - return nil, false, fmt.Errorf("invalid 'data' after the canary") + return nil, "", false, fmt.Errorf("invalid 'data' after the canary") } reader, err = gzip.NewReader(bytes.NewReader(cData)) + compressionType = CompressionTypeGzip case CompressionCanaryLZW: if len(data) < 2 { - return nil, false, fmt.Errorf("invalid 'data' after the canary") + return nil, "", false, fmt.Errorf("invalid 'data' after the canary") } reader = lzw.NewReader(bytes.NewReader(cData), lzw.LSB, 8) + compressionType = CompressionTypeLZW case CompressionCanarySnappy: if len(data) < 2 { - return nil, false, fmt.Errorf("invalid 'data' after the canary") + return nil, "", false, fmt.Errorf("invalid 'data' after the canary") } reader = &CompressUtilReadCloser{ Reader: snappy.NewReader(bytes.NewReader(cData)), } + compressionType = CompressionTypeSnappy case CompressionCanaryLZ4: if len(data) < 2 { - return nil, false, fmt.Errorf("invalid 'data' after the canary") + return nil, "", false, fmt.Errorf("invalid 'data' after the canary") } reader = &CompressUtilReadCloser{ Reader: lz4.NewReader(bytes.NewReader(cData)), } + compressionType = CompressionTypeLZ4 default: // If the first byte doesn't match the canary byte, it means // that the content was not compressed at all. Indicate the // caller that the input was not compressed. - return nil, true, nil + return nil, "", true, nil } if err != nil { - return nil, false, errwrap.Wrapf("failed to create a compression reader: {{err}}", err) + return nil, "", false, errwrap.Wrapf("failed to create a compression reader: {{err}}", err) } if reader == nil { - return nil, false, fmt.Errorf("failed to create a compression reader") + return nil, "", false, fmt.Errorf("failed to create a compression reader") } // Close the io.ReadCloser @@ -200,8 +215,8 @@ func Decompress(data []byte) ([]byte, bool, error) { // Read all the compressed data into a buffer var buf bytes.Buffer if _, err = io.Copy(&buf, reader); err != nil { - return nil, false, err + return nil, "", false, err } - return buf.Bytes(), false, nil + return buf.Bytes(), compressionType, false, nil } diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/consts/agent.go b/vendor/github.com/hashicorp/vault/sdk/helper/consts/agent.go index b62962e37..55be844e1 100644 --- a/vendor/github.com/hashicorp/vault/sdk/helper/consts/agent.go +++ b/vendor/github.com/hashicorp/vault/sdk/helper/consts/agent.go @@ -3,3 +3,10 @@ package consts // AgentPathCacheClear is the path that the agent will use as its cache-clear // endpoint. const AgentPathCacheClear = "/agent/v1/cache-clear" + +// AgentPathMetrics is the path the the agent will use to expose its internal +// metrics. +const AgentPathMetrics = "/agent/v1/metrics" + +// AgentPathQuit is the path that the agent will use to trigger stopping it. +const AgentPathQuit = "/agent/v1/quit" diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/consts/token_consts.go b/vendor/github.com/hashicorp/vault/sdk/helper/consts/token_consts.go new file mode 100644 index 000000000..2b4e0278b --- /dev/null +++ b/vendor/github.com/hashicorp/vault/sdk/helper/consts/token_consts.go @@ -0,0 +1,10 @@ +package consts + +const ( + ServiceTokenPrefix = "hvs." + BatchTokenPrefix = "hvb." + RecoveryTokenPrefix = "hvr." + LegacyServiceTokenPrefix = "s." + LegacyBatchTokenPrefix = "b." + LegacyRecoveryTokenPrefix = "r." +) diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing.go b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing.go new file mode 100644 index 000000000..cbf50335d --- /dev/null +++ b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing.go @@ -0,0 +1,47 @@ +package pluginutil + +import ( + context "context" + "fmt" + + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +type PluginMultiplexingServerImpl struct { + UnimplementedPluginMultiplexingServer + + Supported bool +} + +func (pm PluginMultiplexingServerImpl) MultiplexingSupport(ctx context.Context, req *MultiplexingSupportRequest) (*MultiplexingSupportResponse, error) { + return &MultiplexingSupportResponse{ + Supported: pm.Supported, + }, nil +} + +func MultiplexingSupported(ctx context.Context, cc grpc.ClientConnInterface) (bool, error) { + if cc == nil { + return false, fmt.Errorf("client connection is nil") + } + + req := new(MultiplexingSupportRequest) + resp, err := NewPluginMultiplexingClient(cc).MultiplexingSupport(ctx, req) + if err != nil { + + // If the server does not implement the multiplexing server then we can + // assume it is not multiplexed + if status.Code(err) == codes.Unimplemented { + return false, nil + } + + return false, err + } + if resp == nil { + // Somehow got a nil response, assume not multiplexed + return false, nil + } + + return resp.Supported, nil +} diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing.pb.go b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing.pb.go new file mode 100644 index 000000000..fa3357d49 --- /dev/null +++ b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing.pb.go @@ -0,0 +1,213 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.27.1 +// protoc v3.19.3 +// source: sdk/helper/pluginutil/multiplexing.proto + +package pluginutil + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type MultiplexingSupportRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields +} + +func (x *MultiplexingSupportRequest) Reset() { + *x = MultiplexingSupportRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *MultiplexingSupportRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*MultiplexingSupportRequest) ProtoMessage() {} + +func (x *MultiplexingSupportRequest) ProtoReflect() protoreflect.Message { + mi := &file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use MultiplexingSupportRequest.ProtoReflect.Descriptor instead. +func (*MultiplexingSupportRequest) Descriptor() ([]byte, []int) { + return file_sdk_helper_pluginutil_multiplexing_proto_rawDescGZIP(), []int{0} +} + +type MultiplexingSupportResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Supported bool `protobuf:"varint,1,opt,name=supported,proto3" json:"supported,omitempty"` +} + +func (x *MultiplexingSupportResponse) Reset() { + *x = MultiplexingSupportResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *MultiplexingSupportResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*MultiplexingSupportResponse) ProtoMessage() {} + +func (x *MultiplexingSupportResponse) ProtoReflect() protoreflect.Message { + mi := &file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use MultiplexingSupportResponse.ProtoReflect.Descriptor instead. +func (*MultiplexingSupportResponse) Descriptor() ([]byte, []int) { + return file_sdk_helper_pluginutil_multiplexing_proto_rawDescGZIP(), []int{1} +} + +func (x *MultiplexingSupportResponse) GetSupported() bool { + if x != nil { + return x.Supported + } + return false +} + +var File_sdk_helper_pluginutil_multiplexing_proto protoreflect.FileDescriptor + +var file_sdk_helper_pluginutil_multiplexing_proto_rawDesc = []byte{ + 0x0a, 0x28, 0x73, 0x64, 0x6b, 0x2f, 0x68, 0x65, 0x6c, 0x70, 0x65, 0x72, 0x2f, 0x70, 0x6c, 0x75, + 0x67, 0x69, 0x6e, 0x75, 0x74, 0x69, 0x6c, 0x2f, 0x6d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, + 0x78, 0x69, 0x6e, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x17, 0x70, 0x6c, 0x75, 0x67, + 0x69, 0x6e, 0x75, 0x74, 0x69, 0x6c, 0x2e, 0x6d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78, + 0x69, 0x6e, 0x67, 0x22, 0x1c, 0x0a, 0x1a, 0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78, + 0x69, 0x6e, 0x67, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x22, 0x3b, 0x0a, 0x1b, 0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78, 0x69, 0x6e, + 0x67, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x08, 0x52, 0x09, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x32, 0x97, + 0x01, 0x0a, 0x12, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, + 0x65, 0x78, 0x69, 0x6e, 0x67, 0x12, 0x80, 0x01, 0x0a, 0x13, 0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, + 0x6c, 0x65, 0x78, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x33, 0x2e, + 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x75, 0x74, 0x69, 0x6c, 0x2e, 0x6d, 0x75, 0x6c, 0x74, 0x69, + 0x70, 0x6c, 0x65, 0x78, 0x69, 0x6e, 0x67, 0x2e, 0x4d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, + 0x78, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, + 0x73, 0x74, 0x1a, 0x34, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x75, 0x74, 0x69, 0x6c, 0x2e, + 0x6d, 0x75, 0x6c, 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78, 0x69, 0x6e, 0x67, 0x2e, 0x4d, 0x75, 0x6c, + 0x74, 0x69, 0x70, 0x6c, 0x65, 0x78, 0x69, 0x6e, 0x67, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, + 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x32, 0x5a, 0x30, 0x67, 0x69, 0x74, 0x68, + 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, + 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2f, 0x73, 0x64, 0x6b, 0x2f, 0x68, 0x65, 0x6c, 0x70, 0x65, + 0x72, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x75, 0x74, 0x69, 0x6c, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_sdk_helper_pluginutil_multiplexing_proto_rawDescOnce sync.Once + file_sdk_helper_pluginutil_multiplexing_proto_rawDescData = file_sdk_helper_pluginutil_multiplexing_proto_rawDesc +) + +func file_sdk_helper_pluginutil_multiplexing_proto_rawDescGZIP() []byte { + file_sdk_helper_pluginutil_multiplexing_proto_rawDescOnce.Do(func() { + file_sdk_helper_pluginutil_multiplexing_proto_rawDescData = protoimpl.X.CompressGZIP(file_sdk_helper_pluginutil_multiplexing_proto_rawDescData) + }) + return file_sdk_helper_pluginutil_multiplexing_proto_rawDescData +} + +var file_sdk_helper_pluginutil_multiplexing_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_sdk_helper_pluginutil_multiplexing_proto_goTypes = []interface{}{ + (*MultiplexingSupportRequest)(nil), // 0: pluginutil.multiplexing.MultiplexingSupportRequest + (*MultiplexingSupportResponse)(nil), // 1: pluginutil.multiplexing.MultiplexingSupportResponse +} +var file_sdk_helper_pluginutil_multiplexing_proto_depIdxs = []int32{ + 0, // 0: pluginutil.multiplexing.PluginMultiplexing.MultiplexingSupport:input_type -> pluginutil.multiplexing.MultiplexingSupportRequest + 1, // 1: pluginutil.multiplexing.PluginMultiplexing.MultiplexingSupport:output_type -> pluginutil.multiplexing.MultiplexingSupportResponse + 1, // [1:2] is the sub-list for method output_type + 0, // [0:1] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_sdk_helper_pluginutil_multiplexing_proto_init() } +func file_sdk_helper_pluginutil_multiplexing_proto_init() { + if File_sdk_helper_pluginutil_multiplexing_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*MultiplexingSupportRequest); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sdk_helper_pluginutil_multiplexing_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*MultiplexingSupportResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_sdk_helper_pluginutil_multiplexing_proto_rawDesc, + NumEnums: 0, + NumMessages: 2, + NumExtensions: 0, + NumServices: 1, + }, + GoTypes: file_sdk_helper_pluginutil_multiplexing_proto_goTypes, + DependencyIndexes: file_sdk_helper_pluginutil_multiplexing_proto_depIdxs, + MessageInfos: file_sdk_helper_pluginutil_multiplexing_proto_msgTypes, + }.Build() + File_sdk_helper_pluginutil_multiplexing_proto = out.File + file_sdk_helper_pluginutil_multiplexing_proto_rawDesc = nil + file_sdk_helper_pluginutil_multiplexing_proto_goTypes = nil + file_sdk_helper_pluginutil_multiplexing_proto_depIdxs = nil +} diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing.proto b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing.proto new file mode 100644 index 000000000..aa2438b07 --- /dev/null +++ b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing.proto @@ -0,0 +1,13 @@ +syntax = "proto3"; +package pluginutil.multiplexing; + +option go_package = "github.com/hashicorp/vault/sdk/helper/pluginutil"; + +message MultiplexingSupportRequest {} +message MultiplexingSupportResponse { + bool supported = 1; +} + +service PluginMultiplexing { + rpc MultiplexingSupport(MultiplexingSupportRequest) returns (MultiplexingSupportResponse); +} diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing_grpc.pb.go b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing_grpc.pb.go new file mode 100644 index 000000000..aa8d0e47b --- /dev/null +++ b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/multiplexing_grpc.pb.go @@ -0,0 +1,101 @@ +// Code generated by protoc-gen-go-grpc. DO NOT EDIT. + +package pluginutil + +import ( + context "context" + grpc "google.golang.org/grpc" + codes "google.golang.org/grpc/codes" + status "google.golang.org/grpc/status" +) + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +// Requires gRPC-Go v1.32.0 or later. +const _ = grpc.SupportPackageIsVersion7 + +// PluginMultiplexingClient is the client API for PluginMultiplexing service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream. +type PluginMultiplexingClient interface { + MultiplexingSupport(ctx context.Context, in *MultiplexingSupportRequest, opts ...grpc.CallOption) (*MultiplexingSupportResponse, error) +} + +type pluginMultiplexingClient struct { + cc grpc.ClientConnInterface +} + +func NewPluginMultiplexingClient(cc grpc.ClientConnInterface) PluginMultiplexingClient { + return &pluginMultiplexingClient{cc} +} + +func (c *pluginMultiplexingClient) MultiplexingSupport(ctx context.Context, in *MultiplexingSupportRequest, opts ...grpc.CallOption) (*MultiplexingSupportResponse, error) { + out := new(MultiplexingSupportResponse) + err := c.cc.Invoke(ctx, "/pluginutil.multiplexing.PluginMultiplexing/MultiplexingSupport", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// PluginMultiplexingServer is the server API for PluginMultiplexing service. +// All implementations must embed UnimplementedPluginMultiplexingServer +// for forward compatibility +type PluginMultiplexingServer interface { + MultiplexingSupport(context.Context, *MultiplexingSupportRequest) (*MultiplexingSupportResponse, error) + mustEmbedUnimplementedPluginMultiplexingServer() +} + +// UnimplementedPluginMultiplexingServer must be embedded to have forward compatible implementations. +type UnimplementedPluginMultiplexingServer struct { +} + +func (UnimplementedPluginMultiplexingServer) MultiplexingSupport(context.Context, *MultiplexingSupportRequest) (*MultiplexingSupportResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method MultiplexingSupport not implemented") +} +func (UnimplementedPluginMultiplexingServer) mustEmbedUnimplementedPluginMultiplexingServer() {} + +// UnsafePluginMultiplexingServer may be embedded to opt out of forward compatibility for this service. +// Use of this interface is not recommended, as added methods to PluginMultiplexingServer will +// result in compilation errors. +type UnsafePluginMultiplexingServer interface { + mustEmbedUnimplementedPluginMultiplexingServer() +} + +func RegisterPluginMultiplexingServer(s grpc.ServiceRegistrar, srv PluginMultiplexingServer) { + s.RegisterService(&PluginMultiplexing_ServiceDesc, srv) +} + +func _PluginMultiplexing_MultiplexingSupport_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(MultiplexingSupportRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(PluginMultiplexingServer).MultiplexingSupport(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/pluginutil.multiplexing.PluginMultiplexing/MultiplexingSupport", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(PluginMultiplexingServer).MultiplexingSupport(ctx, req.(*MultiplexingSupportRequest)) + } + return interceptor(ctx, in, info, handler) +} + +// PluginMultiplexing_ServiceDesc is the grpc.ServiceDesc for PluginMultiplexing service. +// It's only intended for direct use with grpc.RegisterService, +// and not to be introspected or modified (even as a copy) +var PluginMultiplexing_ServiceDesc = grpc.ServiceDesc{ + ServiceName: "pluginutil.multiplexing.PluginMultiplexing", + HandlerType: (*PluginMultiplexingServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "MultiplexingSupport", + Handler: _PluginMultiplexing_MultiplexingSupport_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "sdk/helper/pluginutil/multiplexing.proto", +} diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/run_config.go b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/run_config.go index f801287d7..cb804f60d 100644 --- a/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/run_config.go +++ b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/run_config.go @@ -9,9 +9,21 @@ import ( log "github.com/hashicorp/go-hclog" "github.com/hashicorp/go-plugin" + "github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/version" ) +type PluginClientConfig struct { + Name string + PluginType consts.PluginType + PluginSets map[int]plugin.PluginSet + HandshakeConfig plugin.HandshakeConfig + Logger log.Logger + IsMetadataMode bool + AutoMTLS bool + MLock bool +} + type runConfig struct { // Provided by PluginRunner command string @@ -21,12 +33,9 @@ type runConfig struct { // Initialized with what's in PluginRunner.Env, but can be added to env []string - wrapper RunnerUtil - pluginSets map[int]plugin.PluginSet - hs plugin.HandshakeConfig - logger log.Logger - isMetadataMode bool - autoMTLS bool + wrapper RunnerUtil + + PluginClientConfig } func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error) { @@ -34,19 +43,19 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error cmd.Env = append(cmd.Env, rc.env...) // Add the mlock setting to the ENV of the plugin - if rc.wrapper != nil && rc.wrapper.MlockEnabled() { + if rc.MLock || (rc.wrapper != nil && rc.wrapper.MlockEnabled()) { cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginMlockEnabled, "true")) } cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version)) - if rc.isMetadataMode { - rc.logger = rc.logger.With("metadata", "true") + if rc.IsMetadataMode { + rc.Logger = rc.Logger.With("metadata", "true") } - metadataEnv := fmt.Sprintf("%s=%t", PluginMetadataModeEnv, rc.isMetadataMode) + metadataEnv := fmt.Sprintf("%s=%t", PluginMetadataModeEnv, rc.IsMetadataMode) cmd.Env = append(cmd.Env, metadataEnv) var clientTLSConfig *tls.Config - if !rc.autoMTLS && !rc.isMetadataMode { + if !rc.AutoMTLS && !rc.IsMetadataMode { // Get a CA TLS Certificate certBytes, key, err := generateCert() if err != nil { @@ -76,17 +85,17 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error } clientConfig := &plugin.ClientConfig{ - HandshakeConfig: rc.hs, - VersionedPlugins: rc.pluginSets, + HandshakeConfig: rc.HandshakeConfig, + VersionedPlugins: rc.PluginSets, Cmd: cmd, SecureConfig: secureConfig, TLSConfig: clientTLSConfig, - Logger: rc.logger, + Logger: rc.Logger, AllowedProtocols: []plugin.Protocol{ plugin.ProtocolNetRPC, plugin.ProtocolGRPC, }, - AutoMTLS: rc.autoMTLS, + AutoMTLS: rc.AutoMTLS, } return clientConfig, nil } @@ -117,31 +126,37 @@ func Runner(wrapper RunnerUtil) RunOpt { func PluginSets(pluginSets map[int]plugin.PluginSet) RunOpt { return func(rc *runConfig) { - rc.pluginSets = pluginSets + rc.PluginSets = pluginSets } } func HandshakeConfig(hs plugin.HandshakeConfig) RunOpt { return func(rc *runConfig) { - rc.hs = hs + rc.HandshakeConfig = hs } } func Logger(logger log.Logger) RunOpt { return func(rc *runConfig) { - rc.logger = logger + rc.Logger = logger } } func MetadataMode(isMetadataMode bool) RunOpt { return func(rc *runConfig) { - rc.isMetadataMode = isMetadataMode + rc.IsMetadataMode = isMetadataMode } } func AutoMTLS(autoMTLS bool) RunOpt { return func(rc *runConfig) { - rc.autoMTLS = autoMTLS + rc.AutoMTLS = autoMTLS + } +} + +func MLock(mlock bool) RunOpt { + return func(rc *runConfig) { + rc.MLock = mlock } } diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/runner.go b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/runner.go index ecd60eeb3..f2822efc1 100644 --- a/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/runner.go +++ b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/runner.go @@ -8,6 +8,7 @@ import ( plugin "github.com/hashicorp/go-plugin" "github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/helper/wrapping" + "google.golang.org/grpc" ) // Looker defines the plugin Lookup function that looks into the plugin catalog @@ -21,6 +22,7 @@ type Looker interface { // configuration and wrapping data in a response wrapped token. // logical.SystemView implementations satisfy this interface. type RunnerUtil interface { + NewPluginClient(ctx context.Context, config PluginClientConfig) (PluginClient, error) ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) MlockEnabled() bool } @@ -31,6 +33,13 @@ type LookRunnerUtil interface { RunnerUtil } +type PluginClient interface { + Conn() grpc.ClientConnInterface + plugin.ClientProtocol +} + +const MultiplexingCtxKey string = "multiplex_id" + // PluginRunner defines the metadata needed to run a plugin securely with // go-plugin. type PluginRunner struct { diff --git a/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/tls.go b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/tls.go index f78f04014..c5fff6d70 100644 --- a/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/tls.go +++ b/vendor/github.com/hashicorp/vault/sdk/helper/pluginutil/tls.go @@ -83,8 +83,6 @@ func createClientTLSConfig(certBytes []byte, key *ecdsa.PrivateKey) (*tls.Config MinVersion: tls.VersionTLS12, } - tlsConfig.BuildNameToCertificate() - return tlsConfig, nil } diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/auth.go b/vendor/github.com/hashicorp/vault/sdk/logical/auth.go index 2bfb6e001..7f68bc936 100644 --- a/vendor/github.com/hashicorp/vault/sdk/logical/auth.go +++ b/vendor/github.com/hashicorp/vault/sdk/logical/auth.go @@ -100,6 +100,9 @@ type Auth struct { // Orphan is set if the token does not have a parent Orphan bool `json:"orphan"` + + // MFARequirement + MFARequirement *MFARequirement `json:"mfa_requirement"` } func (a *Auth) GoString() string { diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/connection.go b/vendor/github.com/hashicorp/vault/sdk/logical/connection.go index a504b10c3..5be863077 100644 --- a/vendor/github.com/hashicorp/vault/sdk/logical/connection.go +++ b/vendor/github.com/hashicorp/vault/sdk/logical/connection.go @@ -10,6 +10,9 @@ type Connection struct { // RemoteAddr is the network address that sent the request. RemoteAddr string `json:"remote_addr"` + // RemotePort is the network port that sent the request. + RemotePort int `json:"remote_port"` + // ConnState is the TLS connection state if applicable. ConnState *tls.ConnectionState `sentinel:""` } diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/identity.pb.go b/vendor/github.com/hashicorp/vault/sdk/logical/identity.pb.go index b221ccc3b..c472b68a0 100644 --- a/vendor/github.com/hashicorp/vault/sdk/logical/identity.pb.go +++ b/vendor/github.com/hashicorp/vault/sdk/logical/identity.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.17.3 +// protoc v3.19.3 // source: sdk/logical/identity.proto package logical @@ -310,6 +310,171 @@ func (x *Group) GetNamespaceID() string { return "" } +type MFAMethodID struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"` + ID string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"` + UsesPasscode bool `protobuf:"varint,3,opt,name=uses_passcode,json=usesPasscode,proto3" json:"uses_passcode,omitempty"` +} + +func (x *MFAMethodID) Reset() { + *x = MFAMethodID{} + if protoimpl.UnsafeEnabled { + mi := &file_sdk_logical_identity_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *MFAMethodID) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*MFAMethodID) ProtoMessage() {} + +func (x *MFAMethodID) ProtoReflect() protoreflect.Message { + mi := &file_sdk_logical_identity_proto_msgTypes[3] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use MFAMethodID.ProtoReflect.Descriptor instead. +func (*MFAMethodID) Descriptor() ([]byte, []int) { + return file_sdk_logical_identity_proto_rawDescGZIP(), []int{3} +} + +func (x *MFAMethodID) GetType() string { + if x != nil { + return x.Type + } + return "" +} + +func (x *MFAMethodID) GetID() string { + if x != nil { + return x.ID + } + return "" +} + +func (x *MFAMethodID) GetUsesPasscode() bool { + if x != nil { + return x.UsesPasscode + } + return false +} + +type MFAConstraintAny struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Any []*MFAMethodID `protobuf:"bytes,1,rep,name=any,proto3" json:"any,omitempty"` +} + +func (x *MFAConstraintAny) Reset() { + *x = MFAConstraintAny{} + if protoimpl.UnsafeEnabled { + mi := &file_sdk_logical_identity_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *MFAConstraintAny) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*MFAConstraintAny) ProtoMessage() {} + +func (x *MFAConstraintAny) ProtoReflect() protoreflect.Message { + mi := &file_sdk_logical_identity_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use MFAConstraintAny.ProtoReflect.Descriptor instead. +func (*MFAConstraintAny) Descriptor() ([]byte, []int) { + return file_sdk_logical_identity_proto_rawDescGZIP(), []int{4} +} + +func (x *MFAConstraintAny) GetAny() []*MFAMethodID { + if x != nil { + return x.Any + } + return nil +} + +type MFARequirement struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + MFARequestID string `protobuf:"bytes,1,opt,name=mfa_request_id,json=mfaRequestId,proto3" json:"mfa_request_id,omitempty"` + MFAConstraints map[string]*MFAConstraintAny `protobuf:"bytes,2,rep,name=mfa_constraints,json=mfaConstraints,proto3" json:"mfa_constraints,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` +} + +func (x *MFARequirement) Reset() { + *x = MFARequirement{} + if protoimpl.UnsafeEnabled { + mi := &file_sdk_logical_identity_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *MFARequirement) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*MFARequirement) ProtoMessage() {} + +func (x *MFARequirement) ProtoReflect() protoreflect.Message { + mi := &file_sdk_logical_identity_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use MFARequirement.ProtoReflect.Descriptor instead. +func (*MFARequirement) Descriptor() ([]byte, []int) { + return file_sdk_logical_identity_proto_rawDescGZIP(), []int{5} +} + +func (x *MFARequirement) GetMFARequestID() string { + if x != nil { + return x.MFARequestID + } + return "" +} + +func (x *MFARequirement) GetMFAConstraints() map[string]*MFAConstraintAny { + if x != nil { + return x.MFAConstraints + } + return nil +} + var File_sdk_logical_identity_proto protoreflect.FileDescriptor var file_sdk_logical_identity_proto_rawDesc = []byte{ @@ -372,10 +537,34 @@ var file_sdk_logical_identity_proto_rawDesc = []byte{ 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, - 0x01, 0x42, 0x28, 0x5a, 0x26, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, - 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, 0x2f, - 0x73, 0x64, 0x6b, 0x2f, 0x6c, 0x6f, 0x67, 0x69, 0x63, 0x61, 0x6c, 0x62, 0x06, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x33, + 0x01, 0x22, 0x56, 0x0a, 0x0b, 0x4d, 0x46, 0x41, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x49, 0x44, + 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, + 0x74, 0x79, 0x70, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x02, 0x69, 0x64, 0x12, 0x23, 0x0a, 0x0d, 0x75, 0x73, 0x65, 0x73, 0x5f, 0x70, 0x61, 0x73, + 0x73, 0x63, 0x6f, 0x64, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x75, 0x73, 0x65, + 0x73, 0x50, 0x61, 0x73, 0x73, 0x63, 0x6f, 0x64, 0x65, 0x22, 0x3a, 0x0a, 0x10, 0x4d, 0x46, 0x41, + 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x41, 0x6e, 0x79, 0x12, 0x26, 0x0a, + 0x03, 0x61, 0x6e, 0x79, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x6c, 0x6f, 0x67, + 0x69, 0x63, 0x61, 0x6c, 0x2e, 0x4d, 0x46, 0x41, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x49, 0x44, + 0x52, 0x03, 0x61, 0x6e, 0x79, 0x22, 0xea, 0x01, 0x0a, 0x0e, 0x4d, 0x46, 0x41, 0x52, 0x65, 0x71, + 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x24, 0x0a, 0x0e, 0x6d, 0x66, 0x61, 0x5f, + 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, + 0x52, 0x0c, 0x6d, 0x66, 0x61, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x64, 0x12, 0x54, + 0x0a, 0x0f, 0x6d, 0x66, 0x61, 0x5f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, + 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x6c, 0x6f, 0x67, 0x69, 0x63, 0x61, + 0x6c, 0x2e, 0x4d, 0x46, 0x41, 0x52, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, + 0x2e, 0x4d, 0x66, 0x61, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x73, 0x45, + 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0e, 0x6d, 0x66, 0x61, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, + 0x69, 0x6e, 0x74, 0x73, 0x1a, 0x5c, 0x0a, 0x13, 0x4d, 0x66, 0x61, 0x43, 0x6f, 0x6e, 0x73, 0x74, + 0x72, 0x61, 0x69, 0x6e, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, + 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x2f, 0x0a, + 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x6c, + 0x6f, 0x67, 0x69, 0x63, 0x61, 0x6c, 0x2e, 0x4d, 0x46, 0x41, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, + 0x61, 0x69, 0x6e, 0x74, 0x41, 0x6e, 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, + 0x38, 0x01, 0x42, 0x28, 0x5a, 0x26, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, + 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x76, 0x61, 0x75, 0x6c, 0x74, + 0x2f, 0x73, 0x64, 0x6b, 0x2f, 0x6c, 0x6f, 0x67, 0x69, 0x63, 0x61, 0x6c, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -390,27 +579,34 @@ func file_sdk_logical_identity_proto_rawDescGZIP() []byte { return file_sdk_logical_identity_proto_rawDescData } -var file_sdk_logical_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 7) +var file_sdk_logical_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 11) var file_sdk_logical_identity_proto_goTypes = []interface{}{ - (*Entity)(nil), // 0: logical.Entity - (*Alias)(nil), // 1: logical.Alias - (*Group)(nil), // 2: logical.Group - nil, // 3: logical.Entity.MetadataEntry - nil, // 4: logical.Alias.MetadataEntry - nil, // 5: logical.Alias.CustomMetadataEntry - nil, // 6: logical.Group.MetadataEntry + (*Entity)(nil), // 0: logical.Entity + (*Alias)(nil), // 1: logical.Alias + (*Group)(nil), // 2: logical.Group + (*MFAMethodID)(nil), // 3: logical.MFAMethodID + (*MFAConstraintAny)(nil), // 4: logical.MFAConstraintAny + (*MFARequirement)(nil), // 5: logical.MFARequirement + nil, // 6: logical.Entity.MetadataEntry + nil, // 7: logical.Alias.MetadataEntry + nil, // 8: logical.Alias.CustomMetadataEntry + nil, // 9: logical.Group.MetadataEntry + nil, // 10: logical.MFARequirement.MFAConstraintsEntry } var file_sdk_logical_identity_proto_depIDxs = []int32{ - 1, // 0: logical.Entity.aliases:type_name -> logical.Alias - 3, // 1: logical.Entity.metadata:type_name -> logical.Entity.MetadataEntry - 4, // 2: logical.Alias.metadata:type_name -> logical.Alias.MetadataEntry - 5, // 3: logical.Alias.custom_metadata:type_name -> logical.Alias.CustomMetadataEntry - 6, // 4: logical.Group.metadata:type_name -> logical.Group.MetadataEntry - 5, // [5:5] is the sub-list for method output_type - 5, // [5:5] is the sub-list for method input_type - 5, // [5:5] is the sub-list for extension type_name - 5, // [5:5] is the sub-list for extension extendee - 0, // [0:5] is the sub-list for field type_name + 1, // 0: logical.Entity.aliases:type_name -> logical.Alias + 6, // 1: logical.Entity.metadata:type_name -> logical.Entity.MetadataEntry + 7, // 2: logical.Alias.metadata:type_name -> logical.Alias.MetadataEntry + 8, // 3: logical.Alias.custom_metadata:type_name -> logical.Alias.CustomMetadataEntry + 9, // 4: logical.Group.metadata:type_name -> logical.Group.MetadataEntry + 3, // 5: logical.MFAConstraintAny.any:type_name -> logical.MFAMethodID + 10, // 6: logical.MFARequirement.mfa_constraints:type_name -> logical.MFARequirement.MFAConstraintsEntry + 4, // 7: logical.MFARequirement.MFAConstraintsEntry.value:type_name -> logical.MFAConstraintAny + 8, // [8:8] is the sub-list for method output_type + 8, // [8:8] is the sub-list for method input_type + 8, // [8:8] is the sub-list for extension type_name + 8, // [8:8] is the sub-list for extension extendee + 0, // [0:8] is the sub-list for field type_name } func init() { file_sdk_logical_identity_proto_init() } @@ -455,6 +651,42 @@ func file_sdk_logical_identity_proto_init() { return nil } } + file_sdk_logical_identity_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*MFAMethodID); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sdk_logical_identity_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*MFAConstraintAny); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sdk_logical_identity_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*MFARequirement); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } type x struct{} out := protoimpl.TypeBuilder{ @@ -462,7 +694,7 @@ func file_sdk_logical_identity_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_sdk_logical_identity_proto_rawDesc, NumEnums: 0, - NumMessages: 7, + NumMessages: 11, NumExtensions: 0, NumServices: 0, }, diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/identity.proto b/vendor/github.com/hashicorp/vault/sdk/logical/identity.proto index 11c767823..ea2e373b1 100644 --- a/vendor/github.com/hashicorp/vault/sdk/logical/identity.proto +++ b/vendor/github.com/hashicorp/vault/sdk/logical/identity.proto @@ -73,4 +73,19 @@ message Group { // NamespaceID is the identifier of the namespace to which this group // belongs to. string namespace_id = 4; -} +} + +message MFAMethodID { + string type = 1; + string id = 2; + bool uses_passcode = 3; +} + +message MFAConstraintAny { + repeated MFAMethodID any = 1; +} + +message MFARequirement { + string mfa_request_id = 1; + map mfa_constraints = 2; +} diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/logical.go b/vendor/github.com/hashicorp/vault/sdk/logical/logical.go index cec2d19c0..fb9619ae2 100644 --- a/vendor/github.com/hashicorp/vault/sdk/logical/logical.go +++ b/vendor/github.com/hashicorp/vault/sdk/logical/logical.go @@ -38,7 +38,6 @@ func (b BackendType) String() string { // allows for a "procfs" like interaction, as internal state can be exposed by // acting like a logical backend and being mounted. type Backend interface { - // Initialize is used to initialize a plugin after it has been mounted. Initialize(context.Context, *InitializationRequest) error @@ -113,18 +112,19 @@ type Factory func(context.Context, *BackendConfig) (Backend, error) // Paths is the structure of special paths that is used for SpecialPaths. type Paths struct { - // Root are the paths that require a root token to access + // Root are the API paths that require a root token to access Root []string - // Unauthenticated are the paths that can be accessed without any auth. + // Unauthenticated are the API paths that can be accessed without any auth. // These can't be regular expressions, it is either exact match, a prefix // match and/or a wildcard match. For prefix match, append '*' as a suffix. // For a wildcard match, use '+' in the segment to match any identifier // (e.g. 'foo/+/bar'). Note that '+' can't be adjacent to a non-slash. Unauthenticated []string - // LocalStorage are paths (prefixes) that are local to this instance; this - // indicates that these paths should not be replicated + // LocalStorage are storage paths (prefixes) that are local to this cluster; + // this indicates that these paths should not be replicated across performance clusters + // (DR replication is unaffected). LocalStorage []string // SealWrapStorage are storage paths that, when using a capable seal, diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/managed_key.go b/vendor/github.com/hashicorp/vault/sdk/logical/managed_key.go new file mode 100644 index 000000000..917d1c5e5 --- /dev/null +++ b/vendor/github.com/hashicorp/vault/sdk/logical/managed_key.go @@ -0,0 +1,84 @@ +package logical + +import ( + "context" + "crypto" + "io" +) + +type KeyUsage int + +const ( + KeyUsageEncrypt KeyUsage = 1 + iota + KeyUsageDecrypt + KeyUsageSign + KeyUsageVerify + KeyUsageWrap + KeyUsageUnwrap +) + +type ManagedKey interface { + // Name is a human-readable identifier for a managed key that may change/renamed. Use Uuid if a + // long term consistent identifier is needed. + Name() string + // UUID is a unique identifier for a managed key that is guaranteed to remain + // consistent even if a key is migrated or renamed. + UUID() string + // Present returns true if the key is established in the KMS. This may return false if for example + // an HSM library is not configured on all cluster nodes. + Present(ctx context.Context) (bool, error) + + // AllowsAll returns true if all the requested usages are supported by the managed key. + AllowsAll(usages []KeyUsage) bool +} + +type ( + ManagedKeyConsumer func(context.Context, ManagedKey) error + ManagedSigningKeyConsumer func(context.Context, ManagedSigningKey) error +) + +type ManagedKeySystemView interface { + // WithManagedKeyByName retrieves an instantiated managed key for consumption by the given function. The + // provided key can only be used within the scope of that function call + WithManagedKeyByName(ctx context.Context, keyName, mountPoint string, f ManagedKeyConsumer) error + // WithManagedKeyByUUID retrieves an instantiated managed key for consumption by the given function. The + // provided key can only be used within the scope of that function call + WithManagedKeyByUUID(ctx context.Context, keyUuid, mountPoint string, f ManagedKeyConsumer) error + + // WithManagedSigningKeyByName retrieves an instantiated managed signing key for consumption by the given function, + // with the same semantics as WithManagedKeyByName + WithManagedSigningKeyByName(ctx context.Context, keyName, mountPoint string, f ManagedSigningKeyConsumer) error + // WithManagedSigningKeyByUUID retrieves an instantiated managed signing key for consumption by the given function, + // with the same semantics as WithManagedKeyByUUID + WithManagedSigningKeyByUUID(ctx context.Context, keyUuid, mountPoint string, f ManagedSigningKeyConsumer) error +} + +type ManagedAsymmetricKey interface { + ManagedKey + GetPublicKey(ctx context.Context) (crypto.PublicKey, error) +} + +type ManagedKeyLifecycle interface { + // GenerateKey generates a key in the KMS if it didn't yet exist, returning the id. + // If it already existed, returns the existing id. KMSKey's key material is ignored if present. + GenerateKey(ctx context.Context) (string, error) +} + +type ManagedSigningKey interface { + ManagedAsymmetricKey + + // Sign returns a digital signature of the provided value. The SignerOpts param must provide the hash function + // that generated the value (if any). + // The optional randomSource specifies the source of random values and may be ignored by the implementation + // (such as on HSMs with their own internal RNG) + Sign(ctx context.Context, value []byte, randomSource io.Reader, opts crypto.SignerOpts) ([]byte, error) + + // Verify verifies the provided signature against the value. The SignerOpts param must provide the hash function + // that generated the value (if any). + // If true is returned the signature is correct, false otherwise. + Verify(ctx context.Context, signature, value []byte, opts crypto.SignerOpts) (bool, error) + + // GetSigner returns an implementation of crypto.Signer backed by the managed key. This should be called + // as needed so as to use per request contexts. + GetSigner(context.Context) (crypto.Signer, error) +} diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/plugin.pb.go b/vendor/github.com/hashicorp/vault/sdk/logical/plugin.pb.go index 46de77666..d4722ce09 100644 --- a/vendor/github.com/hashicorp/vault/sdk/logical/plugin.pb.go +++ b/vendor/github.com/hashicorp/vault/sdk/logical/plugin.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v3.17.3 +// protoc v3.19.3 // source: sdk/logical/plugin.proto package logical diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/request.go b/vendor/github.com/hashicorp/vault/sdk/logical/request.go index 829c155fd..1c400a4cb 100644 --- a/vendor/github.com/hashicorp/vault/sdk/logical/request.go +++ b/vendor/github.com/hashicorp/vault/sdk/logical/request.go @@ -220,6 +220,10 @@ type Request struct { // this will be the sha256(sorted policies + namespace) associated with the // client token. ClientID string `json:"client_id" structs:"client_id" mapstructure:"client_id" sentinel:""` + + // InboundSSCToken is the token that arrives on an inbound request, supplied + // by the vault user. + InboundSSCToken string } // Clone returns a deep copy of the request by using copystructure @@ -377,3 +381,14 @@ type InitializationRequest struct { // Storage can be used to durably store and retrieve state. Storage Storage } + +type CustomHeader struct { + Name string + Value string +} + +type CtxKeyInFlightRequestID struct{} + +func (c CtxKeyInFlightRequestID) String() string { + return "in-flight-request-ID" +} diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/response.go b/vendor/github.com/hashicorp/vault/sdk/logical/response.go index a67511253..e8276c789 100644 --- a/vendor/github.com/hashicorp/vault/sdk/logical/response.go +++ b/vendor/github.com/hashicorp/vault/sdk/logical/response.go @@ -5,6 +5,7 @@ import ( "errors" "fmt" "net/http" + "strconv" "sync/atomic" "github.com/hashicorp/vault/sdk/helper/wrapping" @@ -209,13 +210,103 @@ func NewHTTPResponseWriter(w http.ResponseWriter) *HTTPResponseWriter { } // Write will write the bytes to the underlying io.Writer. -func (rw *HTTPResponseWriter) Write(bytes []byte) (int, error) { - atomic.StoreUint32(rw.written, 1) - - return rw.ResponseWriter.Write(bytes) +func (w *HTTPResponseWriter) Write(bytes []byte) (int, error) { + atomic.StoreUint32(w.written, 1) + return w.ResponseWriter.Write(bytes) } // Written tells us if the writer has been written to yet. -func (rw *HTTPResponseWriter) Written() bool { - return atomic.LoadUint32(rw.written) == 1 +func (w *HTTPResponseWriter) Written() bool { + return atomic.LoadUint32(w.written) == 1 } + +type WrappingResponseWriter interface { + http.ResponseWriter + Wrapped() http.ResponseWriter +} + +type StatusHeaderResponseWriter struct { + wrapped http.ResponseWriter + wroteHeader bool + StatusCode int + headers map[string][]*CustomHeader +} + +func NewStatusHeaderResponseWriter(w http.ResponseWriter, h map[string][]*CustomHeader) *StatusHeaderResponseWriter { + return &StatusHeaderResponseWriter{ + wrapped: w, + wroteHeader: false, + StatusCode: 200, + headers: h, + } +} + +func (w *StatusHeaderResponseWriter) Wrapped() http.ResponseWriter { + return w.wrapped +} + +func (w *StatusHeaderResponseWriter) Header() http.Header { + return w.wrapped.Header() +} + +func (w *StatusHeaderResponseWriter) Write(buf []byte) (int, error) { + // It is allowed to only call ResponseWriter.Write and skip + // ResponseWriter.WriteHeader. An example of such a situation is + // "handleUIStub". The Write function will internally set the status code + // 200 for the response for which that call might invoke other + // implementations of the WriteHeader function. So, we still need to set + // the custom headers. In cases where both WriteHeader and Write of + // statusHeaderResponseWriter struct are called the internal call to the + // WriterHeader invoked from inside Write method won't change the headers. + if !w.wroteHeader { + w.setCustomResponseHeaders(w.StatusCode) + } + + return w.wrapped.Write(buf) +} + +func (w *StatusHeaderResponseWriter) WriteHeader(statusCode int) { + w.setCustomResponseHeaders(statusCode) + w.wrapped.WriteHeader(statusCode) + w.StatusCode = statusCode + // in cases where Write is called after WriteHeader, let's prevent setting + // ResponseWriter headers twice + w.wroteHeader = true +} + +func (w *StatusHeaderResponseWriter) setCustomResponseHeaders(status int) { + sch := w.headers + if sch == nil { + return + } + + // Checking the validity of the status code + if status >= 600 || status < 100 { + return + } + + // setter function to set the headers + setter := func(hvl []*CustomHeader) { + for _, hv := range hvl { + w.Header().Set(hv.Name, hv.Value) + } + } + + // Setting the default headers first + setter(sch["default"]) + + // setting the Xyy pattern first + d := fmt.Sprintf("%vxx", status/100) + if val, ok := sch[d]; ok { + setter(val) + } + + // Setting the specific headers + if val, ok := sch[strconv.Itoa(status)]; ok { + setter(val) + } + + return +} + +var _ WrappingResponseWriter = &StatusHeaderResponseWriter{} diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/response_util.go b/vendor/github.com/hashicorp/vault/sdk/logical/response_util.go index 353ef569a..92e3483d8 100644 --- a/vendor/github.com/hashicorp/vault/sdk/logical/response_util.go +++ b/vendor/github.com/hashicorp/vault/sdk/logical/response_util.go @@ -17,7 +17,7 @@ import ( func RespondErrorCommon(req *Request, resp *Response, err error) (int, error) { if err == nil && (resp == nil || !resp.IsError()) { switch { - case req.Operation == ReadOperation, req.Operation == PatchOperation: + case req.Operation == ReadOperation: if resp == nil { return http.StatusNotFound, nil } diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/system_view.go b/vendor/github.com/hashicorp/vault/sdk/logical/system_view.go index 8ea6766b9..83b4a951e 100644 --- a/vendor/github.com/hashicorp/vault/sdk/logical/system_view.go +++ b/vendor/github.com/hashicorp/vault/sdk/logical/system_view.go @@ -56,6 +56,10 @@ type SystemView interface { // name. Returns a PluginRunner or an error if a plugin can not be found. LookupPlugin(context.Context, string, consts.PluginType) (*pluginutil.PluginRunner, error) + // NewPluginClient returns a client for managing the lifecycle of plugin + // processes + NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (pluginutil.PluginClient, error) + // MlockEnabled returns the configuration setting for enabling mlock on // plugins. MlockEnabled() bool @@ -152,6 +156,10 @@ func (d StaticSystemView) ReplicationState() consts.ReplicationState { return d.ReplicationStateVal } +func (d StaticSystemView) NewPluginClient(ctx context.Context, config pluginutil.PluginClientConfig) (pluginutil.PluginClient, error) { + return nil, errors.New("NewPluginClient is not implemented in StaticSystemView") +} + func (d StaticSystemView) ResponseWrapData(_ context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) { return nil, errors.New("ResponseWrapData is not implemented in StaticSystemView") } diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/token.go b/vendor/github.com/hashicorp/vault/sdk/logical/token.go index 0586d768e..ebebd4ad9 100644 --- a/vendor/github.com/hashicorp/vault/sdk/logical/token.go +++ b/vendor/github.com/hashicorp/vault/sdk/logical/token.go @@ -1,7 +1,11 @@ package logical import ( + "crypto/sha256" + "encoding/base64" "fmt" + "sort" + "strings" "time" sockaddr "github.com/hashicorp/go-sockaddr" @@ -20,13 +24,24 @@ const ( // TokenTypeBatch is a batch token TokenTypeBatch - // TokenTypeDefaultService, configured on a mount, means that if + // TokenTypeDefaultService configured on a mount, means that if // TokenTypeDefault is sent back by the mount, create Service tokens TokenTypeDefaultService - // TokenTypeDefaultBatch, configured on a mount, means that if + // TokenTypeDefaultBatch configured on a mount, means that if // TokenTypeDefault is sent back by the mount, create Batch tokens TokenTypeDefaultBatch + + // ClientIDTWEDelimiter Delimiter between the string fields used to generate a client + // ID for tokens without entities. This is the 0 character, which + // is a non-printable string. Please see unicode.IsPrint for details. + ClientIDTWEDelimiter = rune('\x00') + + // SortedPoliciesTWEDelimiter Delimiter between each policy in the sorted policies used to + // generate a client ID for tokens without entities. This is the 127 + // character, which is a non-printable string. Please see unicode.IsPrint + // for details. + SortedPoliciesTWEDelimiter = rune('\x7F') ) func (t *TokenType) UnmarshalJSON(b []byte) error { @@ -78,6 +93,10 @@ type TokenEntry struct { // ID of this entry, generally a random UUID ID string `json:"id" mapstructure:"id" structs:"id" sentinel:""` + // ExternalID is the ID of a newly created service + // token that will be returned to a user + ExternalID string `json:"-"` + // Accessor for this token, a random UUID Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor" sentinel:""` @@ -154,6 +173,46 @@ type TokenEntry struct { CubbyholeID string `json:"cubbyhole_id" mapstructure:"cubbyhole_id" structs:"cubbyhole_id" sentinel:""` } +// CreateClientID returns the client ID, and a boolean which is false if the clientID +// has an entity, and true otherwise +func (te *TokenEntry) CreateClientID() (string, bool) { + var clientIDInputBuilder strings.Builder + + // if entry has an associated entity ID, return it + if te.EntityID != "" { + return te.EntityID, false + } + + // The entry is associated with a TWE (token without entity). In this case + // we must create a client ID by calculating the following formula: + // clientID = SHA256(sorted policies + namespace) + + // Step 1: Copy entry policies to a new struct + sortedPolicies := make([]string, len(te.Policies)) + copy(sortedPolicies, te.Policies) + + // Step 2: Sort and join copied policies + sort.Strings(sortedPolicies) + for _, pol := range sortedPolicies { + clientIDInputBuilder.WriteRune(SortedPoliciesTWEDelimiter) + clientIDInputBuilder.WriteString(pol) + } + + // Step 3: Add namespace ID + clientIDInputBuilder.WriteRune(ClientIDTWEDelimiter) + clientIDInputBuilder.WriteString(te.NamespaceID) + + if clientIDInputBuilder.Len() == 0 { + return "", true + } + // Step 4: Remove the first character in the string, as it's an unnecessary delimiter + clientIDInput := clientIDInputBuilder.String()[1:] + + // Step 5: Hash the sum + hashed := sha256.Sum256([]byte(clientIDInput)) + return base64.StdEncoding.EncodeToString(hashed[:]), true +} + func (te *TokenEntry) SentinelGet(key string) (interface{}, error) { if te == nil { return nil, nil diff --git a/vendor/github.com/hashicorp/vault/sdk/logical/translate_response.go b/vendor/github.com/hashicorp/vault/sdk/logical/translate_response.go index 6f0ff342f..de5ea8fdb 100644 --- a/vendor/github.com/hashicorp/vault/sdk/logical/translate_response.go +++ b/vendor/github.com/hashicorp/vault/sdk/logical/translate_response.go @@ -39,6 +39,8 @@ func LogicalResponseToHTTPResponse(input *Response) *HTTPResponse { EntityID: input.Auth.EntityID, TokenType: input.Auth.TokenType.String(), Orphan: input.Auth.Orphan, + MFARequirement: input.Auth.MFARequirement, + NumUses: input.Auth.NumUses, } } @@ -108,6 +110,8 @@ type HTTPAuth struct { EntityID string `json:"entity_id"` TokenType string `json:"token_type"` Orphan bool `json:"orphan"` + MFARequirement *MFARequirement `json:"mfa_requirement"` + NumUses int `json:"num_uses"` } type HTTPWrapInfo struct { @@ -134,8 +138,8 @@ func (h HTTPSysInjector) MarshalJSON() ([]byte, error) { } // Marshaling a response will always be a JSON object, meaning it will // always start with '{', so we hijack this to prepend necessary values - // Make a guess at the capacity, and write the object opener - buf := bytes.NewBuffer(make([]byte, 0, len(j)*2)) + + var buf bytes.Buffer buf.WriteRune('{') for k, v := range h.Response.Data { // Marshal each key/value individually diff --git a/vendor/github.com/hashicorp/vault/sdk/physical/cache.go b/vendor/github.com/hashicorp/vault/sdk/physical/cache.go index 52768776a..ffac33189 100644 --- a/vendor/github.com/hashicorp/vault/sdk/physical/cache.go +++ b/vendor/github.com/hashicorp/vault/sdk/physical/cache.go @@ -184,7 +184,7 @@ func (c *Cache) Get(ctx context.Context, key string) (*Entry, error) { return nil, err } - // Cache the result + // Cache the result, even if nil c.lru.Add(key, ent) return ent, nil diff --git a/vendor/github.com/hashicorp/vault/sdk/physical/physical.go b/vendor/github.com/hashicorp/vault/sdk/physical/physical.go index 8cc4e9ab1..808abd50f 100644 --- a/vendor/github.com/hashicorp/vault/sdk/physical/physical.go +++ b/vendor/github.com/hashicorp/vault/sdk/physical/physical.go @@ -21,6 +21,7 @@ const ( const ( ErrValueTooLarge = "put failed due to value being too large" + ErrKeyTooLarge = "put failed due to key being too large" ) // Backend is the interface required for a physical diff --git a/vendor/github.com/hashicorp/vault/sdk/version/cgo.go b/vendor/github.com/hashicorp/vault/sdk/version/cgo.go index 2ed493a1f..5bc93e5bf 100644 --- a/vendor/github.com/hashicorp/vault/sdk/version/cgo.go +++ b/vendor/github.com/hashicorp/vault/sdk/version/cgo.go @@ -1,4 +1,4 @@ -// +build cgo +//go:build cgo package version diff --git a/vendor/github.com/hashicorp/vault/sdk/version/version.go b/vendor/github.com/hashicorp/vault/sdk/version/version.go index e0db36e8f..1a4521ae6 100644 --- a/vendor/github.com/hashicorp/vault/sdk/version/version.go +++ b/vendor/github.com/hashicorp/vault/sdk/version/version.go @@ -7,10 +7,10 @@ import ( // VersionInfo type VersionInfo struct { - Revision string - Version string - VersionPrerelease string - VersionMetadata string + Revision string `json:"revision,omitempty"` + Version string `json:"version,omitempty"` + VersionPrerelease string `json:"version_prerelease,omitempty"` + VersionMetadata string `json:"version_metadata,omitempty"` } func GetVersion() *VersionInfo { @@ -37,7 +37,7 @@ func (c *VersionInfo) VersionNumber() string { return "(version unknown)" } - version := fmt.Sprintf("%s", c.Version) + version := c.Version if c.VersionPrerelease != "" { version = fmt.Sprintf("%s-%s", version, c.VersionPrerelease) diff --git a/vendor/github.com/hashicorp/vault/sdk/version/version_base.go b/vendor/github.com/hashicorp/vault/sdk/version/version_base.go index 272099247..5211c15ba 100644 --- a/vendor/github.com/hashicorp/vault/sdk/version/version_base.go +++ b/vendor/github.com/hashicorp/vault/sdk/version/version_base.go @@ -8,7 +8,7 @@ var ( // Whether cgo is enabled or not; set at build time CgoEnabled bool - Version = "1.9.0" - VersionPrerelease = "dev" + Version = "1.10.0" + VersionPrerelease = "dev1" VersionMetadata = "" ) diff --git a/vendor/modules.txt b/vendor/modules.txt index 015085ad9..09d16acd2 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -242,10 +242,10 @@ github.com/hashicorp/hcl/json/token ## explicit; go 1.13 github.com/hashicorp/vault/command/agent/auth github.com/hashicorp/vault/command/agent/auth/kubernetes -# github.com/hashicorp/vault/api v1.3.1 +# github.com/hashicorp/vault/api v1.4.1 ## explicit; go 1.13 github.com/hashicorp/vault/api -# github.com/hashicorp/vault/sdk v0.3.0 +# github.com/hashicorp/vault/sdk v0.4.1 ## explicit; go 1.16 github.com/hashicorp/vault/sdk/helper/certutil github.com/hashicorp/vault/sdk/helper/compressutil From 1f012004a68ef3b990d047f4310da7c6e15dc26d Mon Sep 17 00:00:00 2001 From: Niels de Vos Date: Tue, 1 Mar 2022 11:45:37 +0100 Subject: [PATCH 3/4] util: configure tenants vaultAuthNamespace if not set When a tenant provides a configuration that includes the `vaultNamespace` option, the `vaultAuthNamespace` option is still taken from the global configuration. This is not wanted in all cases, as the `vaultAuthNamespace` option defauls to the `vaultNamespace` option which the tenant may want to override as well. The following behaviour is now better defined: 1. no `vaultAuthNamespace` in the global configuration: A tenant can override the `vaultNamespace` option and that will also set the `vaultAuthNamespace` option to the same value. 2. `vaultAuthNamespace` and `vaultNamespace` in the global configuration: When both options are set to different values in the global configuration, the tenant `vaultNamespace` option will not override the global `vaultAuthNamespace` option. The tenant can configure `vaultAuthNamespace` with a different value if required. Signed-off-by: Niels de Vos --- internal/kms/vault_tokens.go | 55 ++++++++++++++++++ internal/kms/vault_tokens_test.go | 93 +++++++++++++++++++++++++++++++ 2 files changed, 148 insertions(+) diff --git a/internal/kms/vault_tokens.go b/internal/kms/vault_tokens.go index af604372b..5c7c96e90 100644 --- a/internal/kms/vault_tokens.go +++ b/internal/kms/vault_tokens.go @@ -27,6 +27,7 @@ import ( "github.com/ceph/ceph-csi/internal/util/k8s" "github.com/hashicorp/vault/api" + loss "github.com/libopenstorage/secrets" apierrs "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" @@ -596,9 +597,63 @@ func (vtc *vaultTenantConnection) parseTenantConfig() (map[string]interface{}, e return nil, nil } + vtc.setTenantAuthNamespace(config) + return config, nil } +// setTenantAuthNamespace configures the vaultAuthNamespace for the tenant. +// vaultAuthNamespace defaults to vaultNamespace from the global configuration, +// even if the tenant has vaultNamespace configured. Users expect to have the +// vaultAuthNamespace updated when they configure vaultNamespace, if +// vaultAuthNamespace was not explicitly set in the global configuration. +func (vtc *vaultTenantConnection) setTenantAuthNamespace(tenantConfig map[string]interface{}) { + vaultAuthNamespace, ok := vtc.keyContext[loss.KeyVaultNamespace] + if !ok { + // nothing to do, global connection config does not have the + // vaultAuthNamespace set + return + } + + vaultNamespace, ok := vtc.vaultConfig[api.EnvVaultNamespace] + if !ok { + // nothing to do, global connection config does not have the + // vaultNamespace set, not overriding vaultAuthNamespace with + // vaultNamespace from the tenant + return + } + + if vaultAuthNamespace != vaultNamespace { + // vaultAuthNamespace and vaultNamespace have been configured + // differently in the global connection. Not going to override + // those pre-defined options if the tenantConfig does not have + // them set. + return + } + + // if we reached here, we need to make sure that the vaultAuthNamespace + // gets configured for the tenant, in case the tenant config has + // vaultNamespace set + + _, ok = tenantConfig["vaultAuthNamespace"] + if ok { + // the tenant already has vaultAuthNamespace configured, no + // action needed + return + } + + tenantNamespace, ok := tenantConfig["vaultNamespace"] + if !ok { + // the tenant does not have vaultNamespace configured, no need + // to set vaultAuthNamespace either + return + } + + // the tenant has vaultNamespace configured, use that for + // vaultAuthNamespace as well + tenantConfig["vaultAuthNamespace"] = tenantNamespace +} + // fetchTenantConfig fetches the configuration for the tenant if it exists. func fetchTenantConfig(config map[string]interface{}, tenant string) (map[string]interface{}, bool) { tenantsMap, ok := config["tenants"] diff --git a/internal/kms/vault_tokens_test.go b/internal/kms/vault_tokens_test.go index 63093ebcb..abf9cc85e 100644 --- a/internal/kms/vault_tokens_test.go +++ b/internal/kms/vault_tokens_test.go @@ -235,3 +235,96 @@ func TestVaultTokensKMSRegistered(t *testing.T) { _, ok := kmsManager.providers[kmsTypeVaultTokens] assert.True(t, ok) } + +func TestSetTenantAuthNamespace(t *testing.T) { + t.Parallel() + + vaultNamespace := "tenant" + + t.Run("override vaultAuthNamespace", func(tt *testing.T) { + tt.Parallel() + + kms := &vaultTenantConnection{} + kms.keyContext = map[string]string{ + loss.KeyVaultNamespace: "global", + } + kms.vaultConfig = map[string]interface{}{ + api.EnvVaultNamespace: "global", + } + + config := map[string]interface{}{ + "vaultNamespace": vaultNamespace, + } + + kms.setTenantAuthNamespace(config) + + assert.Equal(tt, vaultNamespace, config["vaultAuthNamespace"]) + }) + + t.Run("inherit vaultAuthNamespace", func(tt *testing.T) { + tt.Parallel() + + vaultAuthNamespace := "configured" + + kms := &vaultTenantConnection{} + kms.keyContext = map[string]string{ + loss.KeyVaultNamespace: vaultAuthNamespace, + } + kms.vaultConfig = map[string]interface{}{ + api.EnvVaultNamespace: "global", + } + + config := map[string]interface{}{ + "vaultNamespace": vaultNamespace, + } + + kms.setTenantAuthNamespace(config) + + // when inheriting from the global config, the config of the + // tenant should not have vaultAuthNamespace configured + assert.Equal(tt, nil, config["vaultAuthNamespace"]) + }) + + t.Run("unset vaultAuthNamespace", func(tt *testing.T) { + tt.Parallel() + + kms := &vaultTenantConnection{} + kms.keyContext = map[string]string{ + // no vaultAuthNamespace configured + } + kms.vaultConfig = map[string]interface{}{ + api.EnvVaultNamespace: "global", + } + + config := map[string]interface{}{ + "vaultNamespace": vaultNamespace, + } + + kms.setTenantAuthNamespace(config) + + // global vaultAuthNamespace is not set, tenant + // vaultAuthNamespace will be configured as vaultNamespace by + // default + assert.Equal(tt, nil, config["vaultAuthNamespace"]) + }) + + t.Run("no vaultNamespace", func(tt *testing.T) { + tt.Parallel() + + kms := &vaultTenantConnection{} + kms.keyContext = map[string]string{ + // no vaultAuthNamespace configured + } + kms.vaultConfig = map[string]interface{}{ + // no vaultNamespace configured + } + + config := map[string]interface{}{ + // no tenant namespaces configured + } + + kms.setTenantAuthNamespace(config) + + assert.Equal(tt, nil, config["vaultAuthNamespace"]) + }) +} From dd960246204dec8f9051b9daa2bf99bf0222e6dd Mon Sep 17 00:00:00 2001 From: Madhu Rajanna Date: Tue, 1 Mar 2022 11:24:13 +0530 Subject: [PATCH 4/4] doc: remove mention of image feature dependency avoid specifying the image feature dependencies and add a link to rbd official document for reference to the image feature dependencies. Signed-off-by: Madhu Rajanna --- charts/ceph-csi-rbd/values.yaml | 5 +++-- docs/deploy-rbd.md | 2 +- examples/rbd/storageclass.yaml | 5 +++-- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/charts/ceph-csi-rbd/values.yaml b/charts/ceph-csi-rbd/values.yaml index 5f404a10e..a7bd91765 100644 --- a/charts/ceph-csi-rbd/values.yaml +++ b/charts/ceph-csi-rbd/values.yaml @@ -281,8 +281,9 @@ storageClass: # (optional) RBD image features, CSI creates image with image-format 2 CSI # RBD currently supports `layering`, `journaling`, `exclusive-lock`, - # `object-map`, `fast-diff`, `deep-flatten` features. If `journaling` is - # enabled, must enable `exclusive-lock` too. + # `object-map`, `fast-diff`, `deep-flatten` features. + # Refer https://docs.ceph.com/en/latest/rbd/rbd-config-ref/#image-features + # for image feature dependencies. # imageFeatures: layering,journaling,exclusive-lock,object-map,fast-diff imageFeatures: "layering" diff --git a/docs/deploy-rbd.md b/docs/deploy-rbd.md index 4afbe71fc..166f89f2e 100644 --- a/docs/deploy-rbd.md +++ b/docs/deploy-rbd.md @@ -56,7 +56,7 @@ make image-cephcsi | `dataPool` | no | Ceph pool used for the data of the RBD images. | | `volumeNamePrefix` | no | Prefix to use for naming RBD images (defaults to `csi-vol-`). | | `snapshotNamePrefix` | no | Prefix to use for naming RBD snapshot images (defaults to `csi-snap-`). | -| `imageFeatures` | no | RBD image features. CSI RBD currently supports `layering`, `journaling`, `exclusive-lock`, `object-map`, `fast-diff`, `deep-flatten` features. If `journaling` is enabled, must enable `exclusive-lock` too. See [man pages](http://docs.ceph.com/docs/master/man/8/rbd/#cmdoption-rbd-image-feature) Note that the required support for [object-map and fast-diff were added in 5.3, deep-flatten was added in 5.1 and journaling does not have KRBD support yet](https://docs.ceph.com/en/latest/rbd/rbd-config-ref/#image-features). deep-flatten is added for cloned images. | +| `imageFeatures` | no | RBD image features. CSI RBD currently supports `layering`, `journaling`, `exclusive-lock`, `object-map`, `fast-diff`, `deep-flatten` features. deep-flatten is added for cloned images. Refer for image feature dependencies. | | `tryOtherMounters` | no | Specifies whether to try other mounters in case if the current mounter fails to mount the rbd image for any reason | | `mapOptions` | no | Map options to use when mapping rbd image. See [krbd](https://docs.ceph.com/docs/master/man/8/rbd/#kernel-rbd-krbd-options) and [nbd](https://docs.ceph.com/docs/master/man/8/rbd-nbd/#options) options. | | `unmapOptions` | no | Unmap options to use when unmapping rbd image. See [krbd](https://docs.ceph.com/docs/master/man/8/rbd/#kernel-rbd-krbd-options) and [nbd](https://docs.ceph.com/docs/master/man/8/rbd-nbd/#options) options. | diff --git a/examples/rbd/storageclass.yaml b/examples/rbd/storageclass.yaml index b38c27c2f..94c9413e1 100644 --- a/examples/rbd/storageclass.yaml +++ b/examples/rbd/storageclass.yaml @@ -31,8 +31,9 @@ parameters: # (optional) RBD image features, CSI creates image with image-format 2 CSI # RBD currently supports `layering`, `journaling`, `exclusive-lock`, - # `object-map`, `fast-diff`, `deep-flatten` features. If `journaling` is - # enabled, must enable `exclusive-lock` too. + # `object-map`, `fast-diff`, `deep-flatten` features. + # Refer https://docs.ceph.com/en/latest/rbd/rbd-config-ref/#image-features + # for image feature dependencies. # imageFeatures: layering,journaling,exclusive-lock,object-map,fast-diff imageFeatures: "layering"