Merge branch 'master' into f-embed-assets

* master: (78 commits) docs: update vault-helm to 0.11.0 (#11355) Add documentation for vault-csi-provider namespace config (#11344) docs: update vault-k8s to 0.10.0 (#11354) patch(docs): fix link color (#11352) Add TFE/TFC auth plugin to plugin portal (#11348) fix a couple typos (#11343) TLS Diagnose Formatting Fixes (#11342) Add More TLS Tests and Verification of TLS Root Certificate (#11300) Add HA only autopilot to changelog (#11339) Support autopilot when raft is for HA only (#11260) Fixes for db connection file type field (#11331) Fix flakey TestAgent_Template_Retry test (#11332) Darwin/ARM64 build target (#11321) Fix broken OIDC Providers link (#11327) Bug: DB secret engine not showing "Select one" in role select options (#11294) bumping alpine version, improving security (#11271) Run a more strict formatter over the code (#11312) docs: add persistent cache (#11272) Fix a few static analysis findings (#11307) Changing from "changelog" to "release-note" (#11303) ...
hashicorp · Apr 14, 2021 · 9430d67 · 9430d67
2 parents 3ea19f3 + 1b96d2c
commit 9430d67
Show file tree

Hide file tree

Showing 1,304 changed files with 18,351 additions and 6,706 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,22 +1,29 @@
 ## 1.8.0 (Unreleased)
 
-## 1.7.0-rc1
-### 10 March 2021
+## 1.7.0
+### 24 March 2021
 
 CHANGES:
 
-* go: Update go version to 1.15.8 [[GH-11060](https://github.com/hashicorp/vault/pull/11060)]
+* aws/auth: AWS Auth concepts and endpoints that use the "whitelist" and "blacklist" terms
+have been updated to more inclusive language (e.g. `/auth/aws/identity-whitelist` has been
+updated to`/auth/aws/identity-accesslist`). The old and new endpoints are aliases,
+sharing the same underlying data. The legacy endpoint names are considered **deprecated**
+and will be removed in a future release (not before Vault 1.9). The complete list of
+endpoint changes is available in the [AWS Auth API docs](/api-docs/auth/aws#deprecations-effective-in-vault-1-7).
+* go: Update Go version to 1.15.10 [[GH-11114](https://github.com/hashicorp/vault/pull/11114)] [[GH-11173](https://github.com/hashicorp/vault/pull/11173)]
 
 FEATURES:
 
 * **Aerospike Storage Backend**: Add support for using Aerospike as a storage backend [[GH-10131](https://github.com/hashicorp/vault/pull/10131)]
-* **Autopilot for Integrated Storage:** A set of features has been added to allow for automatic operator-friendly management of Vault servers. This is only applicable when integrated storage is in use.
-  - **Dead Server Cleanup:** Dead servers will periodically be cleaned up and removed from the Raft peer set, to prevent them from interfering with the quorum size and leader elections.
-  - **Server Health Checking:** An API has been added to track the state of servers, including their health.
-  - **New Server Stabilization:** When a new server is added to the cluster, there will be a waiting period where it must be healthy and stable for a certain amount of time before being promoted to a full, voting member.
+* **Autopilot for Integrated Storage**: A set of features has been added to allow for automatic operator-friendly management of Vault servers. This is only applicable when integrated storage is in use.
+  * **Dead Server Cleanup**: Dead servers will periodically be cleaned up and removed from the Raft peer set, to prevent them from interfering with the quorum size and leader elections.
+  * **Server Health Checking**: An API has been added to track the state of servers, including their health.
+  * **New Server Stabilization**: When a new server is added to the cluster, there will be a waiting period where it must be healthy and stable for a certain amount of time before being promoted to a full, voting member.
+* **Tokenization Secrets Engine (Enterprise)**: The Tokenization Secrets Engine is now generally available. We have added support for MySQL, key rotation, and snapshot/restore.
 * agent: Support for persisting the agent cache to disk [[GH-10938](https://github.com/hashicorp/vault/pull/10938)]
 * auth/jwt: Adds `max_age` role parameter and `auth_time` claim validation. [[GH-10919](https://github.com/hashicorp/vault/pull/10919)]
-* core (enterprise): X-Vault-Index and related headers can be used by clients to manage eventual consistency. 
+* core (enterprise): X-Vault-Index and related headers can be used by clients to manage eventual consistency.
 * kmip (enterprise): Use entropy augmentation to generate kmip certificates
 * sdk: Private key generation in the certutil package now allows custom io.Readers to be used. [[GH-10653](https://github.com/hashicorp/vault/pull/10653)]
 * secrets/aws: add IAM tagging support for iam_user roles [[GH-10953](https://github.com/hashicorp/vault/pull/10953)]
@@ -26,6 +33,9 @@ FEATURES:
 * secrets/database/mssql: Add ability to customize dynamic usernames [[GH-10767](https://github.com/hashicorp/vault/pull/10767)]
 * secrets/database/mysql: Add ability to customize dynamic usernames [[GH-10834](https://github.com/hashicorp/vault/pull/10834)]
 * secrets/database/postgresql: Add ability to customize dynamic usernames [[GH-10766](https://github.com/hashicorp/vault/pull/10766)]
+* secrets/db/snowflake: Added support for Snowflake to the Database Secret Engine [[GH-10603](https://github.com/hashicorp/vault/pull/10603)]
+* secrets/keymgmt (enterprise): Adds beta support for distributing and managing keys in AWS KMS.
+* secrets/keymgmt (enterprise): Adds general availability for distributing and managing keys in Azure Key Vault.
 * secrets/openldap: Added dynamic roles to OpenLDAP similar to the combined database engine [[GH-10996](https://github.com/hashicorp/vault/pull/10996)]
 * secrets/terraform: New secret engine for managing Terraform Cloud API tokens [[GH-10931](https://github.com/hashicorp/vault/pull/10931)]
 * ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [[GH-10588](https://github.com/hashicorp/vault/pull/10588)]
@@ -49,7 +59,7 @@ IMPROVEMENTS:
 * core/metrics: New telemetry metrics reporting lease expirations by time interval and namespace [[GH-10375](https://github.com/hashicorp/vault/pull/10375)]
 * core: Added active since timestamp to the status output of active nodes. [[GH-10489](https://github.com/hashicorp/vault/pull/10489)]
 * core: Check audit device with a test message before adding it. [[GH-10520](https://github.com/hashicorp/vault/pull/10520)]
-* core: Track barrier encryption count and automatically rotate after a large number of operations or on a schedule [[GH-10744](https://github.com/hashicorp/vault/pull/10744)]
+* core: Track barrier encryption count and automatically rotate after a large number of operations or on a schedule [[GH-10774](https://github.com/hashicorp/vault/pull/10774)]
 * core: add metrics for active entity count [[GH-10514](https://github.com/hashicorp/vault/pull/10514)]
 * core: add partial month client count api [[GH-11022](https://github.com/hashicorp/vault/pull/11022)]
 * core: dev mode listener allows unauthenticated sys/metrics requests [[GH-10992](https://github.com/hashicorp/vault/pull/10992)]
@@ -58,6 +68,8 @@ IMPROVEMENTS:
 * storage/raft (enterprise): Listing of peers is now allowed on DR secondary
 cluster nodes, as an update operation that takes in DR operation token for
 authenticating the request.
+* transform (enterprise): Improve FPE transformation performance
+* transform (enterprise): Use transactions with batch tokenization operations for improved performance
 * ui: Clarify language on usage metrics page empty state [[GH-10951](https://github.com/hashicorp/vault/pull/10951)]
 * ui: Customize MongoDB input fields on Database Secrets Engine [[GH-10949](https://github.com/hashicorp/vault/pull/10949)]
 * ui: Upgrade Ember-cli from 3.8 to 3.22. [[GH-9972](https://github.com/hashicorp/vault/pull/9972)]
@@ -115,11 +127,16 @@ the given key will be used to encrypt the snapshot using AWS KMS.
 * transform (enterprise): Fix transform configuration not handling `stores` parameter on the legacy path
 * transform (enterprise): Make expiration timestamps human readable
 * transform (enterprise): Return false for invalid tokens on the validate endpoint rather than returning an HTTP error
+* ui: Add role from database connection automatically populates the database for new role [[GH-11119](https://github.com/hashicorp/vault/pull/11119)]
 * ui: Fix bug in Transform secret engine when a new role is added and then removed from a transformation [[GH-10417](https://github.com/hashicorp/vault/pull/10417)]
 * ui: Fix bug that double encodes secret route when there are spaces in the path and makes you unable to view the version history. [[GH-10596](https://github.com/hashicorp/vault/pull/10596)]
 * ui: Fix expected response from feature-flags endpoint [[GH-10684](https://github.com/hashicorp/vault/pull/10684)]
 * ui: Fix footer URL linking to the correct version changelog. [[GH-10491](https://github.com/hashicorp/vault/pull/10491)]
 
+DEPRECATIONS:
+* aws/auth: AWS Auth endpoints that use the "whitelist" and "blacklist" terms have been deprecated.
+Refer to the CHANGES section for additional details.
+
 ## 1.6.3
 ### February 25, 2021
 

diff --git a/Makefile b/Makefile
@@ -15,7 +15,7 @@ EXTERNAL_TOOLS=\
 GOFMT_FILES?=$$(find . -name '*.go' | grep -v pb.go | grep -v vendor)
 
 
-GO_VERSION_MIN=1.15.3
+GO_VERSION_MIN=1.16.2
 GO_CMD?=go
 CGO_ENABLED?=0
 ifneq ($(FDB_ENABLED), )
@@ -202,7 +202,7 @@ fmtcheck:
 #@sh -c "'$(CURDIR)/scripts/gofmtcheck.sh'"
 
 fmt:
-	goimports -w $(GOFMT_FILES)
+	find . -name '*.go' | grep -v pb.go | grep -v vendor | xargs gofumpt -w
 
 assetcheck:
 	@echo "==> Checking compiled UI assets..."

diff --git a/README.md b/README.md
@@ -70,7 +70,7 @@ Developing Vault
 
 If you wish to work on Vault itself or any of its built-in systems, you'll
 first need [Go](https://www.golang.org) installed on your machine. Go version
-1.15.3+ is *required*.
+1.16.2+ is *required*.
 
 For local dev first make sure Go is properly installed, including setting up a
 [GOPATH](https://golang.org/doc/code.html#GOPATH). Ensure that `$GOPATH/bin` is in

diff --git a/api/client.go b/api/client.go
@@ -25,26 +25,30 @@ import (
 	"golang.org/x/time/rate"
 )
 
-const EnvVaultAddress = "VAULT_ADDR"
-const EnvVaultAgentAddr = "VAULT_AGENT_ADDR"
-const EnvVaultCACert = "VAULT_CACERT"
-const EnvVaultCAPath = "VAULT_CAPATH"
-const EnvVaultClientCert = "VAULT_CLIENT_CERT"
-const EnvVaultClientKey = "VAULT_CLIENT_KEY"
-const EnvVaultClientTimeout = "VAULT_CLIENT_TIMEOUT"
-const EnvVaultSRVLookup = "VAULT_SRV_LOOKUP"
-const EnvVaultSkipVerify = "VAULT_SKIP_VERIFY"
-const EnvVaultNamespace = "VAULT_NAMESPACE"
-const EnvVaultTLSServerName = "VAULT_TLS_SERVER_NAME"
-const EnvVaultWrapTTL = "VAULT_WRAP_TTL"
-const EnvVaultMaxRetries = "VAULT_MAX_RETRIES"
-const EnvVaultToken = "VAULT_TOKEN"
-const EnvVaultMFA = "VAULT_MFA"
-const EnvRateLimit = "VAULT_RATE_LIMIT"
+const (
+	EnvVaultAddress       = "VAULT_ADDR"
+	EnvVaultAgentAddr     = "VAULT_AGENT_ADDR"
+	EnvVaultCACert        = "VAULT_CACERT"
+	EnvVaultCAPath        = "VAULT_CAPATH"
+	EnvVaultClientCert    = "VAULT_CLIENT_CERT"
+	EnvVaultClientKey     = "VAULT_CLIENT_KEY"
+	EnvVaultClientTimeout = "VAULT_CLIENT_TIMEOUT"
+	EnvVaultSRVLookup     = "VAULT_SRV_LOOKUP"
+	EnvVaultSkipVerify    = "VAULT_SKIP_VERIFY"
+	EnvVaultNamespace     = "VAULT_NAMESPACE"
+	EnvVaultTLSServerName = "VAULT_TLS_SERVER_NAME"
+	EnvVaultWrapTTL       = "VAULT_WRAP_TTL"
+	EnvVaultMaxRetries    = "VAULT_MAX_RETRIES"
+	EnvVaultToken         = "VAULT_TOKEN"
+	EnvVaultMFA           = "VAULT_MFA"
+	EnvRateLimit          = "VAULT_RATE_LIMIT"
+)
 
 // Deprecated values
-const EnvVaultAgentAddress = "VAULT_AGENT_ADDR"
-const EnvVaultInsecure = "VAULT_SKIP_VERIFY"
+const (
+	EnvVaultAgentAddress = "VAULT_AGENT_ADDR"
+	EnvVaultInsecure     = "VAULT_SKIP_VERIFY"
+)
 
 // WrappingLookupFunc is a function that, given an HTTP verb and a path,
 // returns an optional string duration to be used for response wrapping (e.g.
@@ -359,7 +363,6 @@ func (c *Config) ReadEnvironment() error {
 }
 
 func parseRateLimit(val string) (rate float64, burst int, err error) {
-
 	_, err = fmt.Sscanf(val, "%f:%d", &rate, &burst)
 	if err != nil {
 		rate, err = strconv.ParseFloat(val, 64)
@@ -370,7 +373,6 @@ func parseRateLimit(val string) (rate float64, burst int, err error) {
 	}
 
 	return rate, burst, err
-
 }
 
 // Client is the client to the Vault API. Create a client with NewClient.
@@ -793,7 +795,7 @@ func (c *Client) NewRequest(method, requestPath string) *Request {
 	policyOverride := c.policyOverride
 	c.modifyLock.RUnlock()
 
-	var host = addr.Host
+	host := addr.Host
 	// if SRV records exist (see https://tools.ietf.org/html/draft-andrews-http-srv-02), lookup the SRV
 	// record and take the highest match; this is not designed for high-availability, just discovery
 	// Internet Draft specifies that the SRV record is ignored if a port is given
@@ -985,8 +987,10 @@ START:
 	return result, nil
 }
 
-type RequestCallback func(*Request)
-type ResponseCallback func(*Response)
+type (
+	RequestCallback  func(*Request)
+	ResponseCallback func(*Response)
+)
 
 // WithRequestCallbacks makes a shallow clone of Client, modifies it to use
 // the given callbacks, and returns it.  Each of the callbacks will be invoked

diff --git a/api/client_test.go b/api/client_test.go
@@ -369,8 +369,8 @@ func TestParsingRateOnly(t *testing.T) {
 }
 
 func TestParsingErrorCase(t *testing.T) {
-	var incorrectFormat = "foobar"
-	var _, _, err = parseRateLimit(incorrectFormat)
+	incorrectFormat := "foobar"
+	_, _, err := parseRateLimit(incorrectFormat)
 	if err == nil {
 		t.Error("Expected error, found no error")
 	}

diff --git a/api/lifetime_watcher.go b/api/lifetime_watcher.go
@@ -380,5 +380,7 @@ func (r *LifetimeWatcher) calculateGrace(leaseDuration time.Duration) {
 	r.grace = time.Duration(jitterMax) + time.Duration(uint64(r.random.Int63())%uint64(jitterMax))
 }
 
-type Renewer = LifetimeWatcher
-type RenewerInput = LifetimeWatcherInput
+type (
+	Renewer      = LifetimeWatcher
+	RenewerInput = LifetimeWatcherInput
+)
diff --git a/api/output_string.go b/api/output_string.go
@@ -11,9 +11,7 @@ const (
 	ErrOutputStringRequest = "output a string, please"
 )
 
-var (
-	LastOutputStringError *OutputStringError
-)
+var LastOutputStringError *OutputStringError
 
 type OutputStringError struct {
 	*retryablehttp.Request

diff --git a/api/plugin_helpers.go b/api/plugin_helpers.go
@@ -82,7 +82,7 @@ func VaultPluginTLSProvider(apiTLSConfig *TLSConfig) func() (*tls.Config, error)
 			return nil, errwrap.Wrapf("error parsing wrapping token: {{err}}", err)
 		}
 
-		var allClaims = make(map[string]interface{})
+		allClaims := make(map[string]interface{})
 		if err = parsedJWT.UnsafeClaimsWithoutVerification(&allClaims); err != nil {
 			return nil, errwrap.Wrapf("error parsing claims from wrapping token: {{err}}", err)
 		}

diff --git a/api/ssh_agent_test.go b/api/ssh_agent_test.go
@@ -33,7 +33,7 @@ func TestSSH_CreateTLSClient(t *testing.T) {
 
 func TestSSH_CreateTLSClient_tlsServerName(t *testing.T) {
 	// Ensure that the HTTP client is associated with the configured TLS server name.
-	var tlsServerName = "tls.server.name"
+	tlsServerName := "tls.server.name"
 
 	config, err := ParseSSHHelperConfig(fmt.Sprintf(`
 vault_addr = "1.2.3.4"
@@ -93,13 +93,12 @@ nope = "bad"
 }
 
 func TestParseSSHHelperConfig_tlsServerName(t *testing.T) {
-	var tlsServerName = "tls.server.name"
+	tlsServerName := "tls.server.name"
 
 	config, err := ParseSSHHelperConfig(fmt.Sprintf(`
 vault_addr = "1.2.3.4"
 tls_server_name = "%s"
 `, tlsServerName))
-
 	if err != nil {
 		t.Fatal(err)
 	}

diff --git a/api/sys_audit.go b/api/sys_audit.go
@@ -52,7 +52,6 @@ func (c *Sys) ListAudit() (map[string]*Audit, error) {
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	defer cancelFunc()
 	resp, err := c.c.RawRequestWithContext(ctx, r)
-
 	if err != nil {
 		return nil, err
 	}
@@ -94,7 +93,6 @@ func (c *Sys) EnableAuditWithOptions(path string, options *EnableAuditOptions) e
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	defer cancelFunc()
 	resp, err := c.c.RawRequestWithContext(ctx, r)
-
 	if err != nil {
 		return err
 	}

diff --git a/api/sys_auth.go b/api/sys_auth.go
@@ -74,7 +74,9 @@ func (c *Sys) DisableAuth(path string) error {
 }
 
 // Rather than duplicate, we can use modern Go's type aliasing
-type EnableAuthOptions = MountInput
-type AuthConfigInput = MountConfigInput
-type AuthMount = MountOutput
-type AuthConfigOutput = MountConfigOutput
+type (
+	EnableAuthOptions = MountInput
+	AuthConfigInput   = MountConfigInput
+	AuthMount         = MountOutput
+	AuthConfigOutput  = MountConfigOutput
+)
diff --git a/api/sys_plugins.go b/api/sys_plugins.go
@@ -109,7 +109,6 @@ func (c *Sys) ListPlugins(i *ListPluginsInput) (*ListPluginsResponse, error) {
 			for i, nameIfc := range pluginsIfc {
 				name, ok := nameIfc.(string)
 				if !ok {
-
 				}
 				plugins[i] = name
 			}
@@ -323,7 +322,6 @@ func (c *Sys) ReloadPluginStatus(reloadStatusInput *ReloadPluginStatusInput) (*R
 		return &r, nil
 	}
 	return nil, nil
-
 }
 
 // catalogPathByType is a helper to construct the proper API path by plugin type

diff --git a/api/test-fixtures/keys/cert.pem b/api/test-fixtures/keys/cert.pem
@@ -19,4 +19,4 @@ aYqNKFWrRaBRAaaYZ/O1ApRTOrXqRx9Eqr0H1BXLsoAq+mWassL8sf6siae+CpwA
 KqBko5G0dNXq5T4i2LQbmoQSVetIrCJEeMrU+idkuqfV2h1BQKgSEhFDABjFdTCN
 QDAHsEHsi2M4/jRW9fqEuhHSDfl2n7tkFUI8wTHUUCl7gXwweJ4qtaSXIwKXYzNj
 xqKHA8Purc1Yfybz4iE1JCROi9fInKlzr5xABq8nb9Qc/J9DIQM+Xmk=
------END CERTIFICATE-----
+-----END CERTIFICATE-----
diff --git a/audit/format_json_test.go b/audit/format_json_test.go
@@ -4,14 +4,12 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
+	"fmt"
 	"strings"
 	"testing"
 	"time"
 
-	"errors"
-
-	"fmt"
-
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/helper/salt"
@@ -61,7 +59,7 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 					TTL: 60 * time.Second,
 				},
 				Headers: map[string][]string{
-					"foo": []string{"bar"},
+					"foo": {"bar"},
 				},
 			},
 			errors.New("this is an error"),
@@ -92,7 +90,7 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 					TTL: 60 * time.Second,
 				},
 				Headers: map[string][]string{
-					"foo": []string{"bar"},
+					"foo": {"bar"},
 				},
 			},
 			errors.New("this is an error"),
@@ -125,14 +123,14 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 			t.Fatalf("no prefix: %s \n log: %s\nprefix: %s", name, expectedResultStr, tc.Prefix)
 		}
 
-		var expectedjson = new(AuditRequestEntry)
+		expectedjson := new(AuditRequestEntry)
 
 		if err := jsonutil.DecodeJSON([]byte(expectedResultStr), &expectedjson); err != nil {
 			t.Fatalf("bad json: %s", err)
 		}
 		expectedjson.Request.Namespace = &AuditNamespace{ID: "root"}
 
-		var actualjson = new(AuditRequestEntry)
+		actualjson := new(AuditRequestEntry)
 		if err := jsonutil.DecodeJSON([]byte(buf.String())[len(tc.Prefix):], &actualjson); err != nil {
 			t.Fatalf("bad json: %s", err)
 		}