Merge remote-tracking branch 'origin/master' into vault-monitor

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,4 @@
+contact_links:
+  - name: Ask a question
+    url: https://discuss.hashicorp.com/c/vault
+    about: For increased visibility, please post questions on the discussion forum.

CHANGELOG.md

@@ -7,15 +7,38 @@ CHANGES:
   indication. [[GH-8646](https://github.com/hashicorp/vault/pull/8646/files)]
 * token: Token renewals will now return token policies within the `token_policies` , identity policies within `identity_policies`, and the full policy set within `policies`. [[GH-8535](https://github.com/hashicorp/vault/pull/8535)]
 * kv: Return the value of delete_version_after when reading kv/config, even if it is set to the default. [[GH-42](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/42)]
+* plugin: Add SDK method, `Sys.ReloadPlugin`, and CLI command, `vault plugin reload`, 
+  for reloading plugins. [[GH-8777](https://github.com/hashicorp/vault/pull/8777)]
+* sentinel: Add a sentinel config section, and "additional_enabled_modules", a list of Sentinel modules that may be imported in addition to the defaults.
+* cubbyhole: Reject reads and writes to an empty ("") path. [[GH-8971](https://github.com/hashicorp/vault/pull/8971)]
 
 IMPROVEMENTS:
 
 * secrets/gcp: Support BigQuery dataset ACLs in absence of IAM endpoints [[GH-78](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/78)]
+* sdk/framework: Support accepting TypeFloat parameters over the API [[GH-8923](https://github.com/hashicorp/vault/pull/8923)]
+* ui: Update TTL picker styling on SSH secret engine [[GH-8891](https://github.com/hashicorp/vault/pull/8891)]
+* ui: Only render the JWT input field of the Vault login form on mounts configured for JWT auth [[GH-8952](https://github.com/hashicorp/vault/pull/8952)]
 
 BUG FIXES:
 
 * secrets/database: Fix issue where rotating root database credentials while Vault's storage backend is unavailable causes Vault to lose access to the database [[GH-8782](https://github.com/hashicorp/vault/pull/8782)]
 * ui: Fix snowman that appears when namespaces have more than one period [[GH-8910](https://github.com/hashicorp/vault/pull/8910)]
+* ui: Add Toggle component into core addon so it is available in KMIP and other Ember Engines.[[GH-8913]](https://github.com/hashicorp/vault/pull/8913)
+
+## 1.4.2 (TBD)
+
+IMPROVEMENTS:
+
+* storage/raft: The storage stanza now accepts `leader_ca_cert_file`, `leader_client_cert_file`, and 
+  `leader_client_key_file` parameters to read and parse TLS certificate information from paths on disk.
+  Existing non-path based parameters will continue to work, but their values will need to be provided as a 
+  single-line string with newlines delimited by `\n`.  [[GH-8894](https://github.com/hashicorp/vault/pull/8894)]
+
+BUG FIXES:
+
+* sys: The path provided in `sys/internal/ui/mounts/:path` is now namespace-aware. This fixes an issue
+  with `vault kv` subcommands that had namespaces provided in the path returning permission denied all the time.
+  [[GH-8962](https://github.com/hashicorp/vault/pull/8962)]
 
 ## 1.4.1 (April 30th, 2020)
 

api/client.go

@@ -813,13 +813,10 @@ START:
 	}
 
 	if timeout != 0 {
-		// NOTE: this leaks a timer. But when we defer a cancel call here for
-		// the returned function we see errors in tests with contxt canceled.
-		// Although the request is done by the time we exit this function it is
-		// still causing something else to go wrong. Maybe it ends up being
-		// tied to the response somehow and reading the response body ends up
-		// checking it, or something. I don't know, but until we can chase this
-		// down, keep it not-canceled even though vet complains.
+		// Note: we purposefully do not call cancel manually. The reason is
+		// when canceled, the request.Body will EOF when reading due to the way
+		// it streams data in. Cancel will still be run when the timeout is
+		// hit, so this doesn't really harm anything.
 		ctx, _ = context.WithTimeout(ctx, timeout)
 	}
 	req.Request = req.Request.WithContext(ctx)

api/sys_plugins.go

@@ -225,6 +225,35 @@ func (c *Sys) DeregisterPlugin(i *DeregisterPluginInput) error {
 	return err
 }
 
+// ReloadPluginInput is used as input to the ReloadPlugin function.
+type ReloadPluginInput struct {
+	// Plugin is the name of the plugin to reload, as registered in the plugin catalog
+	Plugin string `json:"plugin"`
+
+	// Mounts is the array of string mount paths of the plugin backends to reload
+	Mounts []string `json:"mounts"`
+}
+
+// ReloadPlugin reloads mounted plugin backends
+func (c *Sys) ReloadPlugin(i *ReloadPluginInput) error {
+	path := "/v1/sys/plugins/reload/backend"
+	req := c.c.NewRequest(http.MethodPut, path)
+
+	if err := req.SetJSONBody(i); err != nil {
+		return err
+	}
+
+	ctx, cancelFunc := context.WithCancel(context.Background())
+	defer cancelFunc()
+
+	resp, err := c.c.RawRequestWithContext(ctx, req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	return err
+}
+
 // catalogPathByType is a helper to construct the proper API path by plugin type
 func catalogPathByType(pluginType consts.PluginType, name string) string {
 	path := fmt.Sprintf("/v1/sys/plugins/catalog/%s/%s", pluginType, name)

command/commands.go

@@ -442,6 +442,11 @@ func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) {
 				BaseCommand: getBaseCommand(),
 			}, nil
 		},
+		"plugin reload": func() (cli.Command, error) {
+			return &PluginReloadCommand{
+				BaseCommand: getBaseCommand(),
+			}, nil
+		},
 		"policy": func() (cli.Command, error) {
 			return &PolicyCommand{
 				BaseCommand: getBaseCommand(),

command/plugin_reload.go

@@ -0,0 +1,110 @@
+package command
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/mitchellh/cli"
+	"github.com/posener/complete"
+)
+
+var _ cli.Command = (*PluginReloadCommand)(nil)
+var _ cli.CommandAutocomplete = (*PluginReloadCommand)(nil)
+
+type PluginReloadCommand struct {
+	*BaseCommand
+	plugin string
+	mounts []string
+}
+
+func (c *PluginReloadCommand) Synopsis() string {
+	return "Reload mounted plugin backend"
+}
+
+func (c *PluginReloadCommand) Help() string {
+	helpText := `
+Usage: vault plugin reload [options]
+
+  Reloads mounted plugins. Either the plugin name or the desired plugin 
+  mount(s) must be provided, but not both. In case the plugin name is provided,
+  all of its corresponding mounted paths that use the plugin backend will be reloaded.
+
+  Reload the plugin named "my-custom-plugin":
+
+	  $ vault plugin reload -plugin=my-custom-plugin
+
+` + c.Flags().Help()
+
+	return strings.TrimSpace(helpText)
+}
+
+func (c *PluginReloadCommand) Flags() *FlagSets {
+	set := c.flagSet(FlagSetHTTP)
+
+	f := set.NewFlagSet("Command Options")
+
+	f.StringVar(&StringVar{
+		Name:       "plugin",
+		Target:     &c.plugin,
+		Completion: complete.PredictAnything,
+		Usage:      "The name of the plugin to reload, as registered in the plugin catalog.",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:       "mounts",
+		Target:     &c.mounts,
+		Completion: complete.PredictAnything,
+		Usage:      "Array or comma-separated string mount paths of the plugin backends to reload.",
+	})
+
+	return set
+}
+
+func (c *PluginReloadCommand) AutocompleteArgs() complete.Predictor {
+	return nil
+}
+
+func (c *PluginReloadCommand) AutocompleteFlags() complete.Flags {
+	return c.Flags().Completions()
+}
+
+func (c *PluginReloadCommand) Run(args []string) int {
+	f := c.Flags()
+
+	if err := f.Parse(args); err != nil {
+		c.UI.Error(err.Error())
+		return 1
+	}
+
+	switch {
+	case c.plugin == "" && len(c.mounts) == 0:
+		c.UI.Error(fmt.Sprintf("Not enough arguments (expected 1, got %d)", len(args)))
+		return 1
+	case c.plugin != "" && len(c.mounts) > 0:
+		c.UI.Error(fmt.Sprintf("Too many arguments (expected 1, got %d)", len(args)))
+		return 1
+	}
+
+	client, err := c.Client()
+	if err != nil {
+		c.UI.Error(err.Error())
+		return 2
+	}
+
+	if err := client.Sys().ReloadPlugin(&api.ReloadPluginInput{
+		Plugin: c.plugin,
+		Mounts: c.mounts,
+	}); err != nil {
+		c.UI.Error(fmt.Sprintf("Error reloading plugin/mounts: %s", err))
+		return 2
+	}
+
+	if len(c.mounts) > 0 {
+		c.UI.Output(fmt.Sprintf("Success! Reloaded mounts: %s", c.mounts))
+	} else {
+		c.UI.Output(fmt.Sprintf("Success! Reloaded plugin: %s", c.plugin))
+	}
+
+	return 0
+}

command/plugin_reload_test.go

@@ -0,0 +1,110 @@
+package command
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/helper/consts"
+	"github.com/mitchellh/cli"
+)
+
+func testPluginReloadCommand(tb testing.TB) (*cli.MockUi, *PluginReloadCommand) {
+	tb.Helper()
+
+	ui := cli.NewMockUi()
+	return ui, &PluginReloadCommand{
+		BaseCommand: &BaseCommand{
+			UI: ui,
+		},
+	}
+}
+
+func TestPluginReloadCommand_Run(t *testing.T) {
+	t.Parallel()
+
+	cases := []struct {
+		name string
+		args []string
+		out  string
+		code int
+	}{
+		{
+			"not_enough_args",
+			nil,
+			"Not enough arguments",
+			1,
+		},
+		{
+			"too_many_args",
+			[]string{"-plugin", "foo", "-mounts", "bar"},
+			"Too many arguments",
+			1,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			client, closer := testVaultServer(t)
+			defer closer()
+
+			ui, cmd := testPluginReloadCommand(t)
+			cmd.client = client
+
+			args := append([]string{}, tc.args...)
+			code := cmd.Run(args)
+			if code != tc.code {
+				t.Errorf("expected %d to be %d", code, tc.code)
+			}
+
+			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+			if !strings.Contains(combined, tc.out) {
+				t.Errorf("expected %q to contain %q", combined, tc.out)
+			}
+		})
+	}
+
+	t.Run("integration", func(t *testing.T) {
+		t.Parallel()
+
+		pluginDir, cleanup := testPluginDir(t)
+		defer cleanup(t)
+
+		client, _, closer := testVaultServerPluginDir(t, pluginDir)
+		defer closer()
+
+		pluginName := "my-plugin"
+		_, sha256Sum := testPluginCreateAndRegister(t, client, pluginDir, pluginName, consts.PluginTypeCredential)
+
+		ui, cmd := testPluginReloadCommand(t)
+		cmd.client = client
+
+		if err := client.Sys().RegisterPlugin(&api.RegisterPluginInput{
+			Name:    pluginName,
+			Type:    consts.PluginTypeCredential,
+			Command: pluginName,
+			SHA256:  sha256Sum,
+		}); err != nil {
+			t.Fatal(err)
+		}
+
+		code := cmd.Run([]string{
+			"-plugin", pluginName,
+		})
+		if exp := 0; code != exp {
+			t.Errorf("expected %d to be %d", code, exp)
+		}
+
+		expected := "Success! Reloaded plugin: "
+		combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
+		if !strings.Contains(combined, expected) {
+			t.Errorf("expected %q to contain %q", combined, expected)
+		}
+
+	})
+
+}

go.mod

@@ -37,7 +37,7 @@ require (
 	github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa
 	github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32
 	github.com/go-errors/errors v1.0.1
-	github.com/go-ldap/ldap/v3 v3.1.3
+	github.com/go-ldap/ldap/v3 v3.1.10
 	github.com/go-ole/go-ole v1.2.1 // indirect
 	github.com/go-sql-driver/mysql v1.4.1
 	github.com/go-test/deep v1.0.2

go.sum

@@ -214,6 +214,8 @@ github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-ldap/ldap/v3 v3.1.3 h1:RIgdpHXJpsUqUK5WXwKyVsESrGFqo5BRWPk3RR4/ogQ=
 github.com/go-ldap/ldap/v3 v3.1.3/go.mod h1:3rbOH3jRS2u6jg2rJnKAMLE/xQyCKIveG2Sa/Cohzb8=
+github.com/go-ldap/ldap/v3 v3.1.10 h1:7WsKqasmPThNvdl0Q5GPpbTDD/ZD98CfuawrMIuh7qQ=
+github.com/go-ldap/ldap/v3 v3.1.10/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab h1:xveKWz2iaueeTaUgdetzel+U7exyigDYBryyVfV/rZk=