rebase: bump github.com/hashicorp/vault/api from 1.8.2 to 1.8.3

Bumps [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) from 1.8.2 to 1.8.3.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/vault/compare/v1.8.2...v1.8.3)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] 2023-01-23 20:08:03 +00:00 committed by mergify[bot]
parent f852873e16
commit a31426e37f
33 changed files with 328 additions and 207 deletions

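--- a/go.mod
+++ b/go.mod
@@ -18,7 +18,7 @@ require (
 github.com/google/uuid v1.3.0
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
 github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
-github.com/hashicorp/vault/api v1.8.2
+github.com/hashicorp/vault/api v1.8.3
 github.com/kubernetes-csi/csi-lib-utils v0.11.0
 github.com/kubernetes-csi/external-snapshotter/client/v6 v6.2.0
 github.com/libopenstorage/secrets v0.0.0-20210908194121-a1d19aa9713a
@@ -99,7 +99,7 @@ require (
 github.com/hashicorp/golang-lru v0.5.4 // indirect
 github.com/hashicorp/hcl v1.0.0 // indirect
 github.com/hashicorp/vault v1.4.2 // indirect
-github.com/hashicorp/vault/sdk v0.6.0 // indirect
+github.com/hashicorp/vault/sdk v0.7.0 // indirect
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect
 github.com/imdario/mergo v0.3.12 // indirect
 github.com/inconshreveable/mousetrap v1.0.0 // indirect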

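--- a/go.sum
+++ b/go.sum
@@ -582,7 +582,7 @@ github.com/hashicorp/go-secure-stdlib/password v0.1.1 h1:6JzmBqXprakgFEHwBgdchsj
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
-github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.1 h1:Yc026VyMyIpq1UWRnakHRG01U8fJm+nEfEmjoAb00n8=
+github.com/hashicorp/go-secure-stdlib/tlsutil v0.1.2 h1:phcbL8urUzF/kxA/Oj6awENaRwfWsjP59GW7u2qlDyY=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=
 github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc=
 github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A=
@@ -645,8 +645,8 @@ github.com/hashicorp/vault/api v1.0.5-0.20191122173911-80fcc7907c78/go.mod h1:Uf
 github.com/hashicorp/vault/api v1.0.5-0.20200215224050-f6547fa8e820/go.mod h1:3f12BMfgDGjTsTtIUj+ZKZwSobQpZtYGFIEehOv5z1o=
 github.com/hashicorp/vault/api v1.0.5-0.20200317185738-82f498082f02/go.mod h1:3f12BMfgDGjTsTtIUj+ZKZwSobQpZtYGFIEehOv5z1o=
 github.com/hashicorp/vault/api v1.0.5-0.20200902155336-f9d5ce5a171a/go.mod h1:R3Umvhlxi2TN7Ex2hzOowyeNb+SfbVWI973N+ctaFMk=
-github.com/hashicorp/vault/api v1.8.2 h1:C7OL9YtOtwQbTKI9ogB0A1wffRbCN+rH/LLCHO3d8HM=
-github.com/hashicorp/vault/api v1.8.2/go.mod h1:ML8aYzBIhY5m1MD1B2Q0JV89cC85YVH4t5kBaZiyVaE=
+github.com/hashicorp/vault/api v1.8.3 h1:cHQOLcMhBR+aVI0HzhPxO62w2+gJhIrKguQNONPzu6o=
+github.com/hashicorp/vault/api v1.8.3/go.mod h1:4g/9lj9lmuJQMtT6CmVMHC5FW1yENaVv+Nv4ZfG8fAg=
 github.com/hashicorp/vault/sdk v0.1.8/go.mod h1:tHZfc6St71twLizWNHvnnbiGFo1aq0eD2jGPLtP8kAU=
 github.com/hashicorp/vault/sdk v0.1.14-0.20190730042320-0dc007d98cc8/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
 github.com/hashicorp/vault/sdk v0.1.14-0.20191108161836-82f2b5571044/go.mod h1:PcekaFGiPJyHnFy+NZhP6ll650zEw51Ag7g/YEa+EOU=
@@ -656,8 +656,8 @@ github.com/hashicorp/vault/sdk v0.1.14-0.20200317185738-82f498082f02/go.mod h1:W
 github.com/hashicorp/vault/sdk v0.1.14-0.20200427170607-03332aaf8d18/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10=
 github.com/hashicorp/vault/sdk v0.1.14-0.20200429182704-29fce8f27ce4/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10=
 github.com/hashicorp/vault/sdk v0.1.14-0.20200519221838-e0cfd64bc267/go.mod h1:WX57W2PwkrOPQ6rVQk+dy5/htHIaB4aBM70EwKThu10=
-github.com/hashicorp/vault/sdk v0.6.0 h1:6Z+In5DXHiUfZvIZdMx7e2loL1PPyDjA4bVh9ZTIAhs=
-github.com/hashicorp/vault/sdk v0.6.0/go.mod h1:+DRpzoXIdMvKc88R4qxr+edwy/RvH5QK8itmxLiDHLc=
+github.com/hashicorp/vault/sdk v0.7.0 h1:2pQRO40R1etpKkia5fb4kjrdYMx3BHklPxl1pxpxDHg=
+github.com/hashicorp/vault/sdk v0.7.0/go.mod h1:KyfArJkhooyba7gYCKSq8v66QdqJmnbAxtV/OX1+JTs=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=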


@ -114,7 +114,11 @@ type Config struct {
// of three tries). // of three tries).
MaxRetries int MaxRetries int
// Timeout is for setting custom timeout parameter in the HttpClient // Timeout, given a non-negative value, will apply the request timeout
// to each request function unless an earlier deadline is passed to the
// request function through context.Context. Note that this timeout is
// not applicable to Logical().ReadRaw* (raw response) functions.
// Defaults to 60 seconds.
Timeout time.Duration Timeout time.Duration
// If there is an error when creating the configuration, this will be the // If there is an error when creating the configuration, this will be the


@ -66,6 +66,53 @@ func (c *Logical) ReadWithDataWithContext(ctx context.Context, path string, data
defer cancelFunc() defer cancelFunc()
resp, err := c.readRawWithDataWithContext(ctx, path, data) resp, err := c.readRawWithDataWithContext(ctx, path, data)
return c.ParseRawResponseAndCloseBody(resp, err)
}
// ReadRaw attempts to read the value stored at the given Vault path
// (without '/v1/' prefix) and returns a raw *http.Response.
//
// Note: the raw-response functions do not respect the client-configured
// request timeout; if a timeout is desired, please use ReadRawWithContext
// instead and set the timeout through context.WithTimeout or context.WithDeadline.
func (c *Logical) ReadRaw(path string) (*Response, error) {
return c.ReadRawWithDataWithContext(context.Background(), path, nil)
}
// ReadRawWithContext attempts to read the value stored at the give Vault path
// (without '/v1/' prefix) and returns a raw *http.Response.
//
// Note: the raw-response functions do not respect the client-configured
// request timeout; if a timeout is desired, please set it through
// context.WithTimeout or context.WithDeadline.
func (c *Logical) ReadRawWithContext(ctx context.Context, path string) (*Response, error) {
return c.ReadRawWithDataWithContext(ctx, path, nil)
}
// ReadRawWithData attempts to read the value stored at the given Vault
// path (without '/v1/' prefix) and returns a raw *http.Response. The 'data' map
// is added as query parameters to the request.
//
// Note: the raw-response functions do not respect the client-configured
// request timeout; if a timeout is desired, please use
// ReadRawWithDataWithContext instead and set the timeout through
// context.WithTimeout or context.WithDeadline.
func (c *Logical) ReadRawWithData(path string, data map[string][]string) (*Response, error) {
return c.ReadRawWithDataWithContext(context.Background(), path, data)
}
// ReadRawWithDataWithContext attempts to read the value stored at the given
// Vault path (without '/v1/' prefix) and returns a raw *http.Response. The 'data'
// map is added as query parameters to the request.
//
// Note: the raw-response functions do not respect the client-configured
// request timeout; if a timeout is desired, please set it through
// context.WithTimeout or context.WithDeadline.
func (c *Logical) ReadRawWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Response, error) {
return c.readRawWithDataWithContext(ctx, path, data)
}
func (c *Logical) ParseRawResponseAndCloseBody(resp *Response, err error) (*Secret, error) {
if resp != nil { if resp != nil {
defer resp.Body.Close() defer resp.Body.Close()
} }
@ -90,21 +137,6 @@ func (c *Logical) ReadWithDataWithContext(ctx context.Context, path string, data
return ParseSecret(resp.Body) return ParseSecret(resp.Body)
} }
func (c *Logical) ReadRaw(path string) (*Response, error) {
return c.ReadRawWithData(path, nil)
}
func (c *Logical) ReadRawWithData(path string, data map[string][]string) (*Response, error) {
return c.ReadRawWithDataWithContext(context.Background(), path, data)
}
func (c *Logical) ReadRawWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Response, error) {
ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
defer cancelFunc()
return c.readRawWithDataWithContext(ctx, path, data)
}
func (c *Logical) readRawWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Response, error) { func (c *Logical) readRawWithDataWithContext(ctx context.Context, path string, data map[string][]string) (*Response, error) {
r := c.c.NewRequest(http.MethodGet, "/v1/"+path) r := c.c.NewRequest(http.MethodGet, "/v1/"+path)
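Review bot: ParseRawResponseAndCloseBody is a new exported method with no doc comment, and the ReadRawWithContext comment reads "at the give Vault path" where its siblings say "given". Something like `// ParseRawResponseAndCloseBody parses resp.Body into a *Secret, closing the body when resp is non-nil.` would meet the exported-name convention; the method's body continues past the hunk. It would also help to say in the ReadRaw and ReadRawWithData comments that, because they pass context.Background(), a raw read now has no deadline at all unless the underlying http.Client carries one, so callers that relied on Config.Timeout for these calls need the WithContext variants with an explicit context.WithTimeout.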


@ -63,6 +63,7 @@ var sudoPaths = map[string]*regexp.Regexp{
"/sys/revoke-force/{prefix}": regexp.MustCompile(`^/sys/revoke-force/.+$`), "/sys/revoke-force/{prefix}": regexp.MustCompile(`^/sys/revoke-force/.+$`),
"/sys/revoke-prefix/{prefix}": regexp.MustCompile(`^/sys/revoke-prefix/.+$`), "/sys/revoke-prefix/{prefix}": regexp.MustCompile(`^/sys/revoke-prefix/.+$`),
"/sys/rotate": regexp.MustCompile(`^/sys/rotate$`), "/sys/rotate": regexp.MustCompile(`^/sys/rotate$`),
"/sys/internal/inspect/router/{tag}": regexp.MustCompile(`^/sys/internal/inspect/router/.+$`),
// enterprise-only paths // enterprise-only paths
"/sys/replication/dr/primary/secondary-token": regexp.MustCompile(`^/sys/replication/dr/primary/secondary-token$`), "/sys/replication/dr/primary/secondary-token": regexp.MustCompile(`^/sys/replication/dr/primary/secondary-token$`),


@ -2,8 +2,11 @@ package api
import ( import (
"bytes" "bytes"
"encoding/json"
"fmt" "fmt"
"io" "io"
"reflect"
"strings"
"time" "time"
"github.com/hashicorp/errwrap" "github.com/hashicorp/errwrap"
@ -302,7 +305,15 @@ func ParseSecret(r io.Reader) (*Secret, error) {
// First read the data into a buffer. Not super efficient but we want to // First read the data into a buffer. Not super efficient but we want to
// know if we actually have a body or not. // know if we actually have a body or not.
var buf bytes.Buffer var buf bytes.Buffer
_, err := buf.ReadFrom(r)
// io.Reader is treated like a stream and cannot be read
// multiple times. Duplicating this stream using TeeReader
// to use this data in case there is no top-level data from
// api response
var teebuf bytes.Buffer
tee := io.TeeReader(r, &teebuf)
_, err := buf.ReadFrom(tee)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -316,5 +327,38 @@ func ParseSecret(r io.Reader) (*Secret, error) {
return nil, err return nil, err
} }
// If the secret is null, add raw data to secret data if present
if reflect.DeepEqual(secret, Secret{}) {
data := make(map[string]interface{})
if err := jsonutil.DecodeJSONFromReader(&teebuf, &data); err != nil {
return nil, err
}
errRaw, errPresent := data["errors"]
// if only errors are present in the resp.Body return nil
// to return value not found as it does not have any raw data
if len(data) == 1 && errPresent {
return nil, nil
}
// if errors are present along with raw data return the error
if errPresent {
var errStrArray []string
errBytes, err := json.Marshal(errRaw)
if err != nil {
return nil, err
}
if err := json.Unmarshal(errBytes, &errStrArray); err != nil {
return nil, err
}
return nil, fmt.Errorf(strings.Join(errStrArray, " "))
}
// if any raw data is present in resp.Body, add it to secret
if len(data) > 0 {
secret.Data = data
}
}
return &secret, nil return &secret, nil
} }
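Review bot: `fmt.Errorf(strings.Join(errStrArray, " "))` passes server-supplied error text as the format string, so any `%` sequence in a Vault error message is reinterpreted as a verb and go vet reports the non-constant format; `return nil, fmt.Errorf("%s", strings.Join(errStrArray, " "))` keeps the message verbatim without adding an import. The TeeReader also means every response body is held twice in memory; since the decode between the two hunks presumably drains &buf (which is why teebuf exists), taking `raw := buf.Bytes()` before that decode and using `bytes.NewReader(raw)` here would spare the second copy. The middle of ParseSecret, including the decode that fills secret, lies outside these hunks.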


@ -254,20 +254,20 @@ type MountInput struct {
} }
type MountConfigInput struct { type MountConfigInput struct {
Options map[string]string `json:"options" mapstructure:"options"` Options map[string]string `json:"options" mapstructure:"options"`
DefaultLeaseTTL string `json:"default_lease_ttl" mapstructure:"default_lease_ttl"` DefaultLeaseTTL string `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
Description *string `json:"description,omitempty" mapstructure:"description"` Description *string `json:"description,omitempty" mapstructure:"description"`
MaxLeaseTTL string `json:"max_lease_ttl" mapstructure:"max_lease_ttl"` MaxLeaseTTL string `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"` ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"`
AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"` AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"` AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"` ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"` PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"` AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
TokenType string `json:"token_type,omitempty" mapstructure:"token_type"` TokenType string `json:"token_type,omitempty" mapstructure:"token_type"`
AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"` AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
PluginVersion string `json:"plugin_version,omitempty"` PluginVersion string `json:"plugin_version,omitempty"`
UserLockoutConfig *UserLockoutConfigInput `json:"user_lockout_config,omitempty"`
// Deprecated: This field will always be blank for newer server responses. // Deprecated: This field will always be blank for newer server responses.
PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"` PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
} }
@ -289,21 +289,35 @@ type MountOutput struct {
} }
type MountConfigOutput struct { type MountConfigOutput struct {
DefaultLeaseTTL int `json:"default_lease_ttl" mapstructure:"default_lease_ttl"` DefaultLeaseTTL int `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
MaxLeaseTTL int `json:"max_lease_ttl" mapstructure:"max_lease_ttl"` MaxLeaseTTL int `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"` ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"`
AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"` AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"` AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"` ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"` PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"` AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
TokenType string `json:"token_type,omitempty" mapstructure:"token_type"` TokenType string `json:"token_type,omitempty" mapstructure:"token_type"`
AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"` AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
UserLockoutConfig *UserLockoutConfigOutput `json:"user_lockout_config,omitempty"`
// Deprecated: This field will always be blank for newer server responses. // Deprecated: This field will always be blank for newer server responses.
PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"` PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
} }
type UserLockoutConfigInput struct {
LockoutThreshold string `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
LockoutDuration string `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
LockoutCounterResetDuration string `json:"lockout_counter_reset_duration,omitempty" structs:"lockout_counter_reset_duration" mapstructure:"lockout_counter_reset_duration"`
DisableLockout *bool `json:"lockout_disable,omitempty" structs:"lockout_disable" mapstructure:"lockout_disable"`
}
type UserLockoutConfigOutput struct {
LockoutThreshold uint `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
LockoutDuration int `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
LockoutCounterReset int `json:"lockout_counter_reset,omitempty" structs:"lockout_counter_reset" mapstructure:"lockout_counter_reset"`
DisableLockout *bool `json:"disable_lockout,omitempty" structs:"disable_lockout" mapstructure:"disable_lockout"`
}
type MountMigrationOutput struct { type MountMigrationOutput struct {
MigrationID string `mapstructure:"migration_id"` MigrationID string `mapstructure:"migration_id"`
} }
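Review bot: UserLockoutConfigInput and UserLockoutConfigOutput spell the same settings with different JSON keys — `lockout_disable` versus `disable_lockout`, and `lockout_counter_reset_duration` versus `lockout_counter_reset` — with nothing saying why. If this mirrors the server's request and response schemas, a line such as `// Field names follow the server's user_lockout_config request and response shapes, which differ.` above the two types would stop the next reader from "fixing" one side to match the other. Neither new type carries a doc comment although both are exported.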


@ -93,22 +93,23 @@ func sealStatusRequestWithContext(ctx context.Context, c *Sys, r *Request) (*Sea
} }
type SealStatusResponse struct { type SealStatusResponse struct {
Type string `json:"type"` Type string `json:"type"`
Initialized bool `json:"initialized"` Initialized bool `json:"initialized"`
Sealed bool `json:"sealed"` Sealed bool `json:"sealed"`
T int `json:"t"` T int `json:"t"`
N int `json:"n"` N int `json:"n"`
Progress int `json:"progress"` Progress int `json:"progress"`
Nonce string `json:"nonce"` Nonce string `json:"nonce"`
Version string `json:"version"` Version string `json:"version"`
BuildDate string `json:"build_date"` BuildDate string `json:"build_date"`
Migration bool `json:"migration"` Migration bool `json:"migration"`
ClusterName string `json:"cluster_name,omitempty"` ClusterName string `json:"cluster_name,omitempty"`
ClusterID string `json:"cluster_id,omitempty"` ClusterID string `json:"cluster_id,omitempty"`
RecoverySeal bool `json:"recovery_seal"` RecoverySeal bool `json:"recovery_seal"`
StorageType string `json:"storage_type,omitempty"` StorageType string `json:"storage_type,omitempty"`
HCPLinkStatus string `json:"hcp_link_status,omitempty"` HCPLinkStatus string `json:"hcp_link_status,omitempty"`
HCPLinkResourceID string `json:"hcp_link_resource_ID,omitempty"` HCPLinkResourceID string `json:"hcp_link_resource_ID,omitempty"`
Warnings []string `json:"warnings,omitempty"`
} }
type UnsealOpts struct { type UnsealOpts struct {


@ -1,3 +1,5 @@
Copyright (c) 2015 HashiCorp, Inc.
Mozilla Public License, version 2.0 Mozilla Public License, version 2.0
1. Definitions 1. Definitions


@ -64,6 +64,20 @@ var SignatureAlgorithmNames = map[string]x509.SignatureAlgorithm{
"ed25519": x509.PureEd25519, // Duplicated for clarity; most won't expect the "Pure" prefix. "ed25519": x509.PureEd25519, // Duplicated for clarity; most won't expect the "Pure" prefix.
} }
// Mapping of constant values<->constant names for SignatureAlgorithm
var InvSignatureAlgorithmNames = map[x509.SignatureAlgorithm]string{
x509.SHA256WithRSA: "SHA256WithRSA",
x509.SHA384WithRSA: "SHA384WithRSA",
x509.SHA512WithRSA: "SHA512WithRSA",
x509.ECDSAWithSHA256: "ECDSAWithSHA256",
x509.ECDSAWithSHA384: "ECDSAWithSHA384",
x509.ECDSAWithSHA512: "ECDSAWithSHA512",
x509.SHA256WithRSAPSS: "SHA256WithRSAPSS",
x509.SHA384WithRSAPSS: "SHA384WithRSAPSS",
x509.SHA512WithRSAPSS: "SHA512WithRSAPSS",
x509.PureEd25519: "Ed25519",
}
// OID for RFC 5280 Delta CRL Indicator CRL extension. // OID for RFC 5280 Delta CRL Indicator CRL extension.
// //
// > id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 } // > id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= { id-ce 27 }
@ -86,13 +100,13 @@ func GetHexFormatted(buf []byte, sep string) string {
func ParseHexFormatted(in, sep string) []byte { func ParseHexFormatted(in, sep string) []byte {
var ret bytes.Buffer var ret bytes.Buffer
var err error var err error
var inBits int64 var inBits uint64
inBytes := strings.Split(in, sep) inBytes := strings.Split(in, sep)
for _, inByte := range inBytes { for _, inByte := range inBytes {
if inBits, err = strconv.ParseInt(inByte, 16, 8); err != nil { if inBits, err = strconv.ParseUint(inByte, 16, 8); err != nil {
return nil return nil
} }
ret.WriteByte(byte(inBits)) ret.WriteByte(uint8(inBits))
} }
return ret.Bytes() return ret.Bytes()
} }
@ -789,7 +803,7 @@ func CreateCertificateWithKeyGenerator(data *CreationBundle, randReader io.Reade
return createCertificate(data, randReader, keyGenerator) return createCertificate(data, randReader, keyGenerator)
} }
// Set correct correct RSA sig algo // Set correct RSA sig algo
func certTemplateSetSigAlgo(certTemplate *x509.Certificate, data *CreationBundle) { func certTemplateSetSigAlgo(certTemplate *x509.Certificate, data *CreationBundle) {
if data.Params.UsePSS { if data.Params.UsePSS {
switch data.Params.SignatureBits { switch data.Params.SignatureBits {
@ -812,6 +826,35 @@ func certTemplateSetSigAlgo(certTemplate *x509.Certificate, data *CreationBundle
} }
} }
// selectSignatureAlgorithmForRSA returns the proper x509.SignatureAlgorithm based on various properties set in the
// Creation Bundle parameter. This method will default to a SHA256 signature algorithm if the requested signature
// bits is not set/unknown.
func selectSignatureAlgorithmForRSA(data *CreationBundle) x509.SignatureAlgorithm {
if data.Params.UsePSS {
switch data.Params.SignatureBits {
case 256:
return x509.SHA256WithRSAPSS
case 384:
return x509.SHA384WithRSAPSS
case 512:
return x509.SHA512WithRSAPSS
default:
return x509.SHA256WithRSAPSS
}
}
switch data.Params.SignatureBits {
case 256:
return x509.SHA256WithRSA
case 384:
return x509.SHA384WithRSA
case 512:
return x509.SHA512WithRSA
default:
return x509.SHA256WithRSA
}
}
func createCertificate(data *CreationBundle, randReader io.Reader, privateKeyGenerator KeyGenerator) (*ParsedCertBundle, error) { func createCertificate(data *CreationBundle, randReader io.Reader, privateKeyGenerator KeyGenerator) (*ParsedCertBundle, error) {
var err error var err error
result := &ParsedCertBundle{} result := &ParsedCertBundle{}
@ -878,7 +921,11 @@ func createCertificate(data *CreationBundle, randReader io.Reader, privateKeyGen
var certBytes []byte var certBytes []byte
if data.SigningBundle != nil { if data.SigningBundle != nil {
switch data.SigningBundle.PrivateKeyType { privateKeyType := data.SigningBundle.PrivateKeyType
if privateKeyType == ManagedPrivateKey {
privateKeyType = GetPrivateKeyTypeFromSigner(data.SigningBundle.PrivateKey)
}
switch privateKeyType {
case RSAPrivateKey: case RSAPrivateKey:
certTemplateSetSigAlgo(certTemplate, data) certTemplateSetSigAlgo(certTemplate, data)
case Ed25519PrivateKey: case Ed25519PrivateKey:
@ -986,7 +1033,10 @@ func selectSignatureAlgorithmForECDSA(pub crypto.PublicKey, signatureBits int) x
} }
} }
var oidExtensionBasicConstraints = []int{2, 5, 29, 19} var (
oidExtensionBasicConstraints = []int{2, 5, 29, 19}
oidExtensionSubjectAltName = []int{2, 5, 29, 17}
)
// CreateCSR creates a CSR with the default rand.Reader to // CreateCSR creates a CSR with the default rand.Reader to
// generate a cert/keypair. This is currently only meant // generate a cert/keypair. This is currently only meant
@ -1049,9 +1099,10 @@ func createCSR(data *CreationBundle, addBasicConstraints bool, randReader io.Rea
switch data.Params.KeyType { switch data.Params.KeyType {
case "rsa": case "rsa":
csrTemplate.SignatureAlgorithm = x509.SHA256WithRSA // use specified RSA algorithm defaulting to the appropriate SHA256 RSA signature type
csrTemplate.SignatureAlgorithm = selectSignatureAlgorithmForRSA(data)
case "ec": case "ec":
csrTemplate.SignatureAlgorithm = x509.ECDSAWithSHA256 csrTemplate.SignatureAlgorithm = selectSignatureAlgorithmForECDSA(result.PrivateKey.Public(), data.Params.SignatureBits)
case "ed25519": case "ed25519":
csrTemplate.SignatureAlgorithm = x509.PureEd25519 csrTemplate.SignatureAlgorithm = x509.PureEd25519
} }
@ -1067,6 +1118,10 @@ func createCSR(data *CreationBundle, addBasicConstraints bool, randReader io.Rea
return nil, errutil.InternalError{Err: fmt.Sprintf("unable to parse created certificate: %v", err)} return nil, errutil.InternalError{Err: fmt.Sprintf("unable to parse created certificate: %v", err)}
} }
if err = result.CSR.CheckSignature(); err != nil {
return nil, errors.New("failed signature validation for CSR")
}
return result, nil return result, nil
} }
@ -1127,7 +1182,12 @@ func signCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertBun
certTemplate.NotBefore = time.Now().Add(-1 * data.Params.NotBeforeDuration) certTemplate.NotBefore = time.Now().Add(-1 * data.Params.NotBeforeDuration)
} }
switch data.SigningBundle.PrivateKeyType { privateKeyType := data.SigningBundle.PrivateKeyType
if privateKeyType == ManagedPrivateKey {
privateKeyType = GetPrivateKeyTypeFromSigner(data.SigningBundle.PrivateKey)
}
switch privateKeyType {
case RSAPrivateKey: case RSAPrivateKey:
certTemplateSetSigAlgo(certTemplate, data) certTemplateSetSigAlgo(certTemplate, data)
case ECPrivateKey: case ECPrivateKey:
@ -1151,7 +1211,7 @@ func signCertificate(data *CreationBundle, randReader io.Reader) (*ParsedCertBun
certTemplate.URIs = data.CSR.URIs certTemplate.URIs = data.CSR.URIs
for _, name := range data.CSR.Extensions { for _, name := range data.CSR.Extensions {
if !name.Id.Equal(oidExtensionBasicConstraints) { if !name.Id.Equal(oidExtensionBasicConstraints) && !(len(data.Params.OtherSANs) > 0 && name.Id.Equal(oidExtensionSubjectAltName)) {
certTemplate.ExtraExtensions = append(certTemplate.ExtraExtensions, name) certTemplate.ExtraExtensions = append(certTemplate.ExtraExtensions, name)
} }
} }
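Review bot: In createCSR the new CheckSignature failure returns a bare `errors.New("failed signature validation for CSR")`, which drops the underlying error and departs from the `errutil.InternalError{Err: fmt.Sprintf(...)}` form used two lines earlier in the same function; `return nil, errutil.InternalError{Err: fmt.Sprintf("failed signature validation for CSR: %v", err)}` keeps both the cause and the convention. The four-line resolution of ManagedPrivateKey through GetPrivateKeyTypeFromSigner is now duplicated in createCertificate and signCertificate, and selectSignatureAlgorithmForRSA appears to repeat the switch that certTemplateSetSigAlgo already contains; having certTemplateSetSigAlgo do `certTemplate.SignatureAlgorithm = selectSignatureAlgorithmForRSA(data)` would leave one source of truth. The changed extension filter in signCertificate would also benefit from a comment stating why the CSR's own SubjectAltName extension is skipped when OtherSANs is set, since the expression is hard to read on its own. createCSR, createCertificate and signCertificate all extend beyond these hunks.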


@ -148,16 +148,16 @@ type KeyBundle struct {
} }
func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType { func GetPrivateKeyTypeFromSigner(signer crypto.Signer) PrivateKeyType {
switch signer.(type) { // We look at the public key types to work-around limitations/typing of managed keys.
case *rsa.PrivateKey: switch signer.Public().(type) {
case *rsa.PublicKey:
return RSAPrivateKey return RSAPrivateKey
case *ecdsa.PrivateKey: case *ecdsa.PublicKey:
return ECPrivateKey return ECPrivateKey
case ed25519.PrivateKey: case ed25519.PublicKey:
return Ed25519PrivateKey return Ed25519PrivateKey
default:
return UnknownPrivateKey
} }
return UnknownPrivateKey
} }
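Review bot: GetPrivateKeyTypeFromSigner now calls `signer.Public()` before switching, so a nil signer panics where the old type switch on the interface fell through to UnknownPrivateKey; a guard `if signer == nil { return UnknownPrivateKey }` at the top preserves the previous behaviour for callers that pass an unset key. The new comment explains the managed-key motivation well; it could also state that a Signer whose Public() is not one of the three listed types still yields UnknownPrivateKey, since that is now the only way to reach the fallthrough.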
// ToPEMBundle converts a string-based certificate bundle // ToPEMBundle converts a string-based certificate bundle


@ -4,7 +4,7 @@ package consts
// endpoint. // endpoint.
const AgentPathCacheClear = "/agent/v1/cache-clear" const AgentPathCacheClear = "/agent/v1/cache-clear"
// AgentPathMetrics is the path the the agent will use to expose its internal // AgentPathMetrics is the path the agent will use to expose its internal
// metrics. // metrics.
const AgentPathMetrics = "/agent/v1/metrics" const AgentPathMetrics = "/agent/v1/metrics"


@ -34,4 +34,6 @@ const (
ReplicationResolverALPN = "replication_resolver_v1" ReplicationResolverALPN = "replication_resolver_v1"
VaultEnableFilePermissionsCheckEnv = "VAULT_ENABLE_FILE_PERMISSIONS_CHECK" VaultEnableFilePermissionsCheckEnv = "VAULT_ENABLE_FILE_PERMISSIONS_CHECK"
VaultDisableUserLockout = "VAULT_DISABLE_USER_LOCKOUT"
) )
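Review bot: VaultDisableUserLockout drops the `Env` suffix that its neighbour VaultEnableFilePermissionsCheckEnv carries, while the renamed constant in the next file uses an `Env` prefix, so the environment-variable names in this package now follow three conventions. If the suffix form is the one this block intends, `VaultDisableUserLockoutEnv = "VAULT_DISABLE_USER_LOCKOUT"` would match the adjacent entry; the const block starts before the hunk.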


@ -1,6 +1,9 @@
package consts package consts
const VaultAllowPendingRemovalMountsEnv = "VAULT_ALLOW_PENDING_REMOVAL_MOUNTS" // EnvVaultAllowPendingRemovalMounts allows Pending Removal builtins to be
// mounted as if they are Deprecated to facilitate migration to supported
// builtin plugins.
const EnvVaultAllowPendingRemovalMounts = "VAULT_ALLOW_PENDING_REMOVAL_MOUNTS"
// DeprecationStatus represents the current deprecation state for builtins // DeprecationStatus represents the current deprecation state for builtins
type DeprecationStatus uint32 type DeprecationStatus uint32


@ -60,16 +60,13 @@ func ParseLogFormat(format string) (LogFormat, error) {
case "json": case "json":
return JSONFormat, nil return JSONFormat, nil
default: default:
return UnspecifiedFormat, fmt.Errorf("Unknown log format: %s", format) return UnspecifiedFormat, fmt.Errorf("unknown log format: %s", format)
} }
} }
// ParseEnvLogFormat parses the log format from an environment variable. // ParseEnvLogFormat parses the log format from an environment variable.
func ParseEnvLogFormat() LogFormat { func ParseEnvLogFormat() LogFormat {
logFormat := os.Getenv("VAULT_LOG_FORMAT") logFormat := os.Getenv("VAULT_LOG_FORMAT")
if logFormat == "" {
logFormat = os.Getenv("LOGXI_FORMAT")
}
switch strings.ToLower(logFormat) { switch strings.ToLower(logFormat) {
case "json", "vault_json", "vault-json", "vaultjson": case "json", "vault_json", "vault-json", "vaultjson":
return JSONFormat return JSONFormat


@ -2,6 +2,7 @@ package pluginutil
import ( import (
"context" "context"
"errors"
"fmt" "fmt"
"os" "os"
"strings" "strings"
@ -13,6 +14,8 @@ import (
"google.golang.org/grpc/status" "google.golang.org/grpc/status"
) )
var ErrNoMultiplexingIDFound = errors.New("no multiplexing ID found")
type PluginMultiplexingServerImpl struct { type PluginMultiplexingServerImpl struct {
UnimplementedPluginMultiplexingServer UnimplementedPluginMultiplexingServer
@ -62,7 +65,9 @@ func GetMultiplexIDFromContext(ctx context.Context) (string, error) {
} }
multiplexIDs := md[MultiplexingCtxKey] multiplexIDs := md[MultiplexingCtxKey]
if len(multiplexIDs) != 1 { if len(multiplexIDs) == 0 {
return "", ErrNoMultiplexingIDFound
} else if len(multiplexIDs) != 1 {
return "", fmt.Errorf("unexpected number of IDs in metadata: (%d)", len(multiplexIDs)) return "", fmt.Errorf("unexpected number of IDs in metadata: (%d)", len(multiplexIDs))
} }


@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT. // Code generated by protoc-gen-go. DO NOT EDIT.
// versions: // versions:
// protoc-gen-go v1.28.1 // protoc-gen-go v1.28.1
// protoc v3.21.5 // protoc v3.21.9
// source: sdk/helper/pluginutil/multiplexing.proto // source: sdk/helper/pluginutil/multiplexing.proto
package pluginutil package pluginutil


@ -10,7 +10,6 @@ import (
log "github.com/hashicorp/go-hclog" log "github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-plugin" "github.com/hashicorp/go-plugin"
"github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/version"
) )
type PluginClientConfig struct { type PluginClientConfig struct {
@ -46,7 +45,11 @@ func (rc runConfig) makeConfig(ctx context.Context) (*plugin.ClientConfig, error
if rc.MLock || (rc.Wrapper != nil && rc.Wrapper.MlockEnabled()) { if rc.MLock || (rc.Wrapper != nil && rc.Wrapper.MlockEnabled()) {
cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginMlockEnabled, "true")) cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginMlockEnabled, "true"))
} }
cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version.GetVersion().Version)) version, err := rc.Wrapper.VaultVersion(ctx)
if err != nil {
return nil, err
}
cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", PluginVaultVersionEnv, version))
if rc.IsMetadataMode { if rc.IsMetadataMode {
rc.Logger = rc.Logger.With("metadata", "true") rc.Logger = rc.Logger.With("metadata", "true")


@ -27,6 +27,7 @@ type RunnerUtil interface {
NewPluginClient(ctx context.Context, config PluginClientConfig) (PluginClient, error) NewPluginClient(ctx context.Context, config PluginClientConfig) (PluginClient, error)
ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error) ResponseWrapData(ctx context.Context, data map[string]interface{}, ttl time.Duration, jwt bool) (*wrapping.ResponseWrapInfo, error)
MlockEnabled() bool MlockEnabled() bool
VaultVersion(ctx context.Context) (string, error)
} }
// LookRunnerUtil defines the functions for both Looker and Wrapper // LookRunnerUtil defines the functions for both Looker and Wrapper


@ -17,6 +17,11 @@ var (
// ErrPermissionDenied is returned if the client is not authorized // ErrPermissionDenied is returned if the client is not authorized
ErrPermissionDenied = errors.New("permission denied") ErrPermissionDenied = errors.New("permission denied")
// ErrInvalidCredentials is returned when the provided credentials are incorrect
// This is used internally for user lockout purposes. This is not seen externally.
// The status code returned does not change because of this error
ErrInvalidCredentials = errors.New("invalid credentials")
// ErrMultiAuthzPending is returned if the the request needs more // ErrMultiAuthzPending is returned if the the request needs more
// authorizations // authorizations
ErrMultiAuthzPending = errors.New("request needs further approval") ErrMultiAuthzPending = errors.New("request needs further approval")


@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT. // Code generated by protoc-gen-go. DO NOT EDIT.
// versions: // versions:
// protoc-gen-go v1.28.1 // protoc-gen-go v1.28.1
// protoc v3.21.5 // protoc v3.21.9
// source: sdk/logical/identity.proto // source: sdk/logical/identity.proto
package logical package logical


@ -34,9 +34,11 @@ type ManagedKey interface {
} }
type ( type (
ManagedKeyConsumer func(context.Context, ManagedKey) error ManagedKeyConsumer func(context.Context, ManagedKey) error
ManagedSigningKeyConsumer func(context.Context, ManagedSigningKey) error ManagedSigningKeyConsumer func(context.Context, ManagedSigningKey) error
ManagedEncryptingKeyConsumer func(context.Context, ManagedEncryptingKey) error ManagedEncryptingKeyConsumer func(context.Context, ManagedEncryptingKey) error
ManagedMACKeyConsumer func(context.Context, ManagedMACKey) error
ManagedKeyRandomSourceConsumer func(context.Context, ManagedKeyRandomSource) error
) )
type ManagedKeySystemView interface { type ManagedKeySystemView interface {
@ -59,6 +61,12 @@ type ManagedKeySystemView interface {
// WithManagedSigningKeyByUUID retrieves an instantiated managed signing key for consumption by the given function, // WithManagedSigningKeyByUUID retrieves an instantiated managed signing key for consumption by the given function,
// with the same semantics as WithManagedKeyByUUID // with the same semantics as WithManagedKeyByUUID
WithManagedEncryptingKeyByUUID(ctx context.Context, keyUuid, backendUUID string, f ManagedEncryptingKeyConsumer) error WithManagedEncryptingKeyByUUID(ctx context.Context, keyUuid, backendUUID string, f ManagedEncryptingKeyConsumer) error
// WithManagedMACKeyByName retrieves an instantiated managed MAC key by name for consumption by the given function,
// with the same semantics as WithManagedKeyByName.
WithManagedMACKeyByName(ctx context.Context, keyName, backendUUID string, f ManagedMACKeyConsumer) error
// WithManagedMACKeyByUUID retrieves an instantiated managed MAC key by UUID for consumption by the given function,
// with the same semantics as WithManagedKeyByUUID.
WithManagedMACKeyByUUID(ctx context.Context, keyUUID, backendUUID string, f ManagedMACKeyConsumer) error
} }
type ManagedAsymmetricKey interface { type ManagedAsymmetricKey interface {
@ -95,3 +103,17 @@ type ManagedEncryptingKey interface {
ManagedKey ManagedKey
GetAEAD(iv []byte) (cipher.AEAD, error) GetAEAD(iv []byte) (cipher.AEAD, error)
} }
type ManagedMACKey interface {
ManagedKey
// MAC generates a MAC tag using the provided algorithm for the provided value.
MAC(ctx context.Context, algorithm string, data []byte) ([]byte, error)
}
type ManagedKeyRandomSource interface {
ManagedKey
// GetRandomBytes returns a number (specified by the count parameter) of random bytes sourced from the target managed key.
GetRandomBytes(ctx context.Context, count int) ([]byte, error)
}


@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT. // Code generated by protoc-gen-go. DO NOT EDIT.
// versions: // versions:
// protoc-gen-go v1.28.1 // protoc-gen-go v1.28.1
// protoc v3.21.5 // protoc v3.21.9
// source: sdk/logical/plugin.proto // source: sdk/logical/plugin.proto
package logical package logical


@ -92,7 +92,8 @@ func (r *Response) AddWarning(warning string) {
// IsError returns true if this response seems to indicate an error. // IsError returns true if this response seems to indicate an error.
func (r *Response) IsError() bool { func (r *Response) IsError() bool {
return r != nil && r.Data != nil && len(r.Data) == 1 && r.Data["error"] != nil // If the response data contains only an 'error' element, or an 'error' and a 'data' element only
return r != nil && r.Data != nil && r.Data["error"] != nil && (len(r.Data) == 1 || (r.Data["data"] != nil && len(r.Data) == 2))
} }
func (r *Response) Error() error { func (r *Response) Error() error {


@ -122,6 +122,8 @@ func RespondErrorCommon(req *Request, resp *Response, err error) (int, error) {
statusCode = http.StatusNotFound statusCode = http.StatusNotFound
case errwrap.Contains(err, ErrRelativePath.Error()): case errwrap.Contains(err, ErrRelativePath.Error()):
statusCode = http.StatusBadRequest statusCode = http.StatusBadRequest
case errwrap.Contains(err, ErrInvalidCredentials.Error()):
statusCode = http.StatusBadRequest
} }
} }
@ -180,3 +182,23 @@ func RespondError(w http.ResponseWriter, status int, err error) {
enc := json.NewEncoder(w) enc := json.NewEncoder(w)
enc.Encode(resp) enc.Encode(resp)
} }
func RespondErrorAndData(w http.ResponseWriter, status int, data interface{}, err error) {
AdjustErrorStatusCode(&status, err)
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(status)
type ErrorAndDataResponse struct {
Errors []string `json:"errors"`
Data interface{} `json:"data""`
}
resp := &ErrorAndDataResponse{Errors: make([]string, 0, 1)}
if err != nil {
resp.Errors = append(resp.Errors, err.Error())
}
resp.Data = data
enc := json.NewEncoder(w)
enc.Encode(resp)
}


@ -83,6 +83,9 @@ type SystemView interface {
// PluginEnv returns Vault environment information used by plugins // PluginEnv returns Vault environment information used by plugins
PluginEnv(context.Context) (*PluginEnvironment, error) PluginEnv(context.Context) (*PluginEnvironment, error)
// VaultVersion returns the version string for the currently running Vault.
VaultVersion(context.Context) (string, error)
// GeneratePasswordFromPolicy generates a password from the policy referenced. // GeneratePasswordFromPolicy generates a password from the policy referenced.
// If the policy does not exist, this will return an error. // If the policy does not exist, this will return an error.
GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error) GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error)
@ -113,9 +116,9 @@ type StaticSystemView struct {
EntityVal *Entity EntityVal *Entity
GroupsVal []*Group GroupsVal []*Group
Features license.Features Features license.Features
VaultVersion string
PluginEnvironment *PluginEnvironment PluginEnvironment *PluginEnvironment
PasswordPolicies map[string]PasswordGenerator PasswordPolicies map[string]PasswordGenerator
VersionString string
} }
type noopAuditor struct{} type noopAuditor struct{}
@ -204,6 +207,10 @@ func (d StaticSystemView) PluginEnv(_ context.Context) (*PluginEnvironment, erro
return d.PluginEnvironment, nil return d.PluginEnvironment, nil
} }
func (d StaticSystemView) VaultVersion(_ context.Context) (string, error) {
return d.VersionString, nil
}
func (d StaticSystemView) GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error) { func (d StaticSystemView) GeneratePasswordFromPolicy(ctx context.Context, policyName string) (password string, err error) {
select { select {
case <-ctx.Done(): case <-ctx.Done():


@ -73,6 +73,7 @@ func TestSystemView() *StaticSystemView {
return &StaticSystemView{ return &StaticSystemView{
DefaultLeaseTTLVal: defaultLeaseTTLVal, DefaultLeaseTTLVal: defaultLeaseTTLVal,
MaxLeaseTTLVal: maxLeaseTTLVal, MaxLeaseTTLVal: maxLeaseTTLVal,
VersionString: "testVersionString",
} }
} }


@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT. // Code generated by protoc-gen-go. DO NOT EDIT.
// versions: // versions:
// protoc-gen-go v1.28.1 // protoc-gen-go v1.28.1
// protoc v3.21.5 // protoc v3.21.9
// source: sdk/logical/version.proto // source: sdk/logical/version.proto
package logical package logical


@ -29,7 +29,6 @@ var cacheExceptionsPaths = []string{
"sys/expire/", "sys/expire/",
"core/poison-pill", "core/poison-pill",
"core/raft/tls", "core/raft/tls",
"core/license",
} }
// CacheRefreshContext returns a context with an added value denoting if the // CacheRefreshContext returns a context with an added value denoting if the


@ -1,7 +0,0 @@
//go:build cgo
package version
func init() {
CgoEnabled = true
}


@ -1,80 +0,0 @@
package version
import (
"bytes"
"fmt"
)
// VersionInfo
type VersionInfo struct {
Revision string `json:"revision,omitempty"`
Version string `json:"version,omitempty"`
VersionPrerelease string `json:"version_prerelease,omitempty"`
VersionMetadata string `json:"version_metadata,omitempty"`
BuildDate string `json:"build_date,omitempty"`
}
func GetVersion() *VersionInfo {
ver := Version
rel := VersionPrerelease
md := VersionMetadata
if GitDescribe != "" {
ver = GitDescribe
}
if GitDescribe == "" && rel == "" && VersionPrerelease != "" {
rel = "dev"
}
return &VersionInfo{
Revision: GitCommit,
Version: ver,
VersionPrerelease: rel,
VersionMetadata: md,
BuildDate: BuildDate,
}
}
func (c *VersionInfo) VersionNumber() string {
if Version == "unknown" && VersionPrerelease == "unknown" {
return "(version unknown)"
}
version := c.Version
if c.VersionPrerelease != "" {
version = fmt.Sprintf("%s-%s", version, c.VersionPrerelease)
}
if c.VersionMetadata != "" {
version = fmt.Sprintf("%s+%s", version, c.VersionMetadata)
}
return version
}
func (c *VersionInfo) FullVersionNumber(rev bool) string {
var versionString bytes.Buffer
if Version == "unknown" && VersionPrerelease == "unknown" {
return "Vault (version unknown)"
}
fmt.Fprintf(&versionString, "Vault v%s", c.Version)
if c.VersionPrerelease != "" {
fmt.Fprintf(&versionString, "-%s", c.VersionPrerelease)
}
if c.VersionMetadata != "" {
fmt.Fprintf(&versionString, "+%s", c.VersionMetadata)
}
if rev && c.Revision != "" {
fmt.Fprintf(&versionString, " (%s)", c.Revision)
}
if c.BuildDate != "" {
fmt.Fprintf(&versionString, ", built %s", c.BuildDate)
}
return versionString.String()
}


@ -1,17 +0,0 @@
package version
var (
// The git commit that was compiled. This will be filled in by the compiler.
GitCommit string
GitDescribe string
// The compilation date. This will be filled in by the compiler.
BuildDate string
// Whether cgo is enabled or not; set at build time
CgoEnabled bool
Version = "1.12.0"
VersionPrerelease = "dev1"
VersionMetadata = ""
)

5
vendor/modules.txt vendored

@ -329,10 +329,10 @@ github.com/hashicorp/hcl/json/token
## explicit; go 1.13 ## explicit; go 1.13
github.com/hashicorp/vault/command/agent/auth github.com/hashicorp/vault/command/agent/auth
github.com/hashicorp/vault/command/agent/auth/kubernetes github.com/hashicorp/vault/command/agent/auth/kubernetes
# github.com/hashicorp/vault/api v1.8.2 # github.com/hashicorp/vault/api v1.8.3
## explicit; go 1.19 ## explicit; go 1.19
github.com/hashicorp/vault/api github.com/hashicorp/vault/api
# github.com/hashicorp/vault/sdk v0.6.0 # github.com/hashicorp/vault/sdk v0.7.0
## explicit; go 1.19 ## explicit; go 1.19
github.com/hashicorp/vault/sdk/helper/certutil github.com/hashicorp/vault/sdk/helper/certutil
github.com/hashicorp/vault/sdk/helper/compressutil github.com/hashicorp/vault/sdk/helper/compressutil
@ -351,7 +351,6 @@ github.com/hashicorp/vault/sdk/helper/wrapping
github.com/hashicorp/vault/sdk/logical github.com/hashicorp/vault/sdk/logical
github.com/hashicorp/vault/sdk/physical github.com/hashicorp/vault/sdk/physical
github.com/hashicorp/vault/sdk/physical/inmem github.com/hashicorp/vault/sdk/physical/inmem
github.com/hashicorp/vault/sdk/version
# github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d # github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d
## explicit ## explicit
github.com/hashicorp/yamux github.com/hashicorp/yamux