Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add nil check to secret get [VAULT-1392] #1447

Merged
merged 1 commit into from
Jan 22, 2021

Conversation

HridoyRoy
Copy link

Hi folks!

This PR is to fix hashicorp/vault#10715 . The associated Jira for this is: https://hashicorp.atlassian.net/browse/VAULT-1392.

Thanks so much!

@lornasong lornasong added the bug label Jan 22, 2021
@eikenb
Copy link
Contributor

eikenb commented Jan 22, 2021

Hey @HridoyRoy, thanks for the fix.

Pointer types seem to get over used in Go a lot. Nil checks everywhere. Gets annoying.
Nothing against you... just felt like it was time for a small rant. Thanks again.

@eikenb eikenb merged commit 929ea6a into hashicorp:master Jan 22, 2021
eikenb added a commit to hashicorp/hcat that referenced this pull request Jan 22, 2021
Fixes issue with vault's API returning pointer types for data field.
Requires a nil check.

Consul-template PR with more info.
hashicorp/consul-template#1447
@eikenb eikenb added this to the 0.25.2 milestone Feb 3, 2021
@eikenb
Copy link
Contributor

eikenb commented Feb 20, 2021

Fixes: #1450

wip-sync pushed a commit to NetBSD/pkgsrc-wip that referenced this pull request Apr 3, 2021
1.7.0
24 March 2021

CHANGES:

* aws/auth: AWS Auth concepts and endpoints that use the "whitelist" and
  "blacklist" terms have been updated to more inclusive
  language (e.g. /auth/aws/identity-whitelist has been updated
  to/auth/aws/identity-accesslist). The old and new endpoints are aliases,
  sharing the same underlying data. The legacy endpoint names are considered
  deprecated and will be removed in a future release (not before Vault
  1.9). The complete list of endpoint changes is available in the AWS Auth
  API docs.
* go: Update Go version to 1.15.10 [GH-11114] [GH-11173]

FEATURES:

* Aerospike Storage Backend: Add support for using Aerospike as a storage
  backend [GH-10131]
* Autopilot for Integrated Storage: A set of features has been added to
  allow for automatic operator-friendly management of Vault servers. This is
  only applicable when integrated storage is in use.
  * Dead Server Cleanup: Dead servers will periodically be cleaned up and
    removed from the Raft peer set, to prevent them from interfering with the
    quorum size and leader elections.
  * Server Health Checking: An API has been added to track the state of
    servers, including their health.
  * New Server Stabilization: When a new server is added to the cluster,
    there will be a waiting period where it must be healthy and stable for a
    certain amount of time before being promoted to a full, voting member.
* Tokenization Secrets Engine (Enterprise): The Tokenization Secrets Engine
  is now generally available. We have added support for MySQL, key rotation,
  and snapshot/restore.
* agent: Support for persisting the agent cache to disk [GH-10938]
* auth/jwt: Adds max_age role parameter and auth_time claim
  validation. [GH-10919]
* core (enterprise): X-Vault-Index and related headers can be used by
  clients to manage eventual consistency.
* kmip (enterprise): Use entropy augmentation to generate kmip certificates
* sdk: Private key generation in the certutil package now allows custom
  io.Readers to be used. [GH-10653]
* secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
* secrets/database/cassandra: Add ability to customize dynamic usernames
  [GH-10906]
* secrets/database/couchbase: Add ability to customize dynamic usernames
  [GH-10995]
* secrets/database/mongodb: Add ability to customize dynamic usernames
  [GH-10858]
* secrets/database/mssql: Add ability to customize dynamic usernames
  [GH-10767]
* secrets/database/mysql: Add ability to customize dynamic usernames
  [GH-10834]
* secrets/database/postgresql: Add ability to customize dynamic usernames
  [GH-10766]
* secrets/db/snowflake: Added support for Snowflake to the Database Secret
  Engine [GH-10603]
* secrets/keymgmt (enterprise): Adds beta support for distributing and
  managing keys in AWS KMS.
* secrets/keymgmt (enterprise): Adds general availability for distributing
  and managing keys in Azure Key Vault.
* secrets/openldap: Added dynamic roles to OpenLDAP similar to the combined
  database engine [GH-10996]
* secrets/terraform: New secret engine for managing Terraform Cloud API
  tokens [GH-10931]
* ui: Adds check for feature flag on application, and updates namespace
  toolbar on login if present [GH-10588]
* ui: Adds the wizard to the Database Secret Engine [GH-10982]
* ui: Database secrets engine, supporting MongoDB only [GH-10655]

IMPROVEMENTS:

* agent: Add template-retry stanza to agent config. [GH-10644]
* agent: Agent can now run as a Windows service. [GH-10231]
* agent: Better concurrent request handling on identical requests proxied
  through Agent. [GH-10705]
* agent: Route templating server through cache when persistent cache is
  enabled. [GH-10927]
* agent: change auto-auth to preload an existing token on start [GH-10850]
* auth/ldap: Improve consistency in error messages [GH-10537]
* auth/okta: Adds support for Okta Verify TOTP MFA. [GH-10942]
* changelog: Add dependencies listed in dependencies/2-25-21 [GH-11015]
* command/debug: Now collects logs (at level trace) as a periodic
  output. [GH-10609]
* core (enterprise): "vault status" command works when a namespace is
  set. [GH-10725]
* core (enterprise): Update Trial Enterprise license from 30 minutes to 6
  hours
* core/metrics: Added "vault operator usage" command. [GH-10365]
* core/metrics: New telemetry metrics reporting lease expirations by time
  interval and namespace [GH-10375]
* core: Added active since timestamp to the status output of active
  nodes. [GH-10489]
* core: Check audit device with a test message before adding it. [GH-10520]
* core: Track barrier encryption count and automatically rotate after a
  large number of operations or on a schedule [GH-10774]
* core: add metrics for active entity count [GH-10514]
* core: add partial month client count api [GH-11022]
* core: dev mode listener allows unauthenticated sys/metrics requests
  [GH-10992]
* core: reduce memory used by leases [GH-10726]
* secrets/gcp: Truncate ServiceAccount display names longer than 100
  characters. [GH-10558]
* storage/raft (enterprise): Listing of peers is now allowed on DR
  secondary cluster nodes, as an update operation that takes in DR operation
  token for authenticating the request.
* transform (enterprise): Improve FPE transformation performance
* transform (enterprise): Use transactions with batch tokenization
  operations for improved performance
* ui: Clarify language on usage metrics page empty state [GH-10951]
* ui: Customize MongoDB input fields on Database Secrets Engine [GH-10949]
* ui: Upgrade Ember-cli from 3.8 to 3.22. [GH-9972]
* ui: Upgrade Storybook from 5.3.19 to 6.1.17. [GH-10904]
* ui: Upgrade date-fns from 1.3.0 to 2.16.1. [GH-10848]
* ui: Upgrade dependencies to resolve potential JS vulnerabilities
  [GH-10677]
* ui: better errors on Database secrets engine role create [GH-10980]

BUG FIXES:

* agent: Only set the namespace if the VAULT_NAMESPACE env var isn't
  present [GH-10556]
* agent: Set TokenParent correctly in the Index to be cached. [GH-10833]
* agent: Set namespace for template server in agent. [GH-10757]
* api/sys/config/ui: Fixes issue where multiple UI custom header values are
  ignored and only the first given value is used [GH-10490]
* api: Fixes CORS API methods that were outdated and invalid [GH-10444]
* auth/jwt: Fixes bound_claims validation for provider-specific group and
  user info fetching. [GH-10546]
* auth/jwt: Fixes an issue where JWT verification keys weren't updated
  after a jwks_url change. [GH-10919]
* auth/jwt: Fixes an issue where jwt_supported_algs were not being
  validated for JWT auth using jwks_url and
  jwt_validation_pubkeys. [GH-10919]
* auth/oci: Fixes alias name to use the role name, and not the literal
  string name [GH-10] [GH-10952]
* consul-template: Update consul-template vendor version and associated
  dependencies to master, pulling in
  hashicorp/consul-template#1447 [GH-10756]
* core (enterprise): Limit entropy augmentation during token generation to
  root tokens. [GH-10487]
* core (enterprise): Vault EGP policies attached to path * were not
  correctly scoped to the namespace.
* core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
* core: Avoid deadlocks by ensuring that if grabLockOrStop returns
  stopped=true, the lock will not be held. [GH-10456]
* core: Avoid disclosing IP addresses in the errors of unauthenticated
  requests [GH-10579]
* core: Fix client.Clone() to include the address [GH-10077]
* core: Fix duplicate quotas on performance standby nodes. [GH-10855]
* core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by
  ensuring purgeInterval and staleAge are set appropriately. [GH-10536]
* core: Make all APIs that report init status consistent, and make them
  report initialized=true when a Raft join is in progress. [GH-10498]
* core: Make the response to an unauthenticated request to sys/internal
  endpoints consistent regardless of mount existence. [GH-10650]
* core: Turn off case sensitivity for allowed entity alias check during
  token create operation. [GH-10743]
* http: change max_request_size to be unlimited when the config value is
  less than 0 [GH-10072]
* license: Fix license caching issue that prevents new licenses to get
  picked up by the license manager [GH-10424]
* metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
* quotas/rate-limit: Fix quotas enforcing old rate limit quota paths
  [GH-10689]
* replication (enterprise): Fix bug with not starting merkle sync while
  requests are in progress
* secrets/database/influxdb: Fix issue where not all errors from InfluxDB
  were being handled [GH-10384]
* secrets/database/mysql: Fixes issue where the DisplayName within
  generated usernames was the incorrect length [GH-10433]
* secrets/database: Sanitize private_key field when reading database plugin
  config [GH-10416]
* secrets/gcp: Fix issue with account and iam_policy roleset WALs not being
  removed after attempts when GCP project no longer exists [GH-10759]
* secrets/transit: allow for null string to be used for optional parameters
  in encrypt and decrypt [GH-10386]
* serviceregistration: Fix race during shutdown of Consul service
  registration. [GH-10901]
* storage/raft (enterprise): Automated snapshots with Azure required
  specifying azure_blob_environment, which should have had as a default
  AZUREPUBLICCLOUD.
* storage/raft (enterprise): Reading a non-existent auto snapshot config
  now returns 404.
* storage/raft (enterprise): The parameter aws_s3_server_kms_key was
  misnamed and didn't work. Renamed to aws_s3_kms_key, and make it work so
  that when provided the given key will be used to encrypt the snapshot using
  AWS KMS.
* transform (enterprise): Fix bug tokenization handling metadata on
  exportable stores
* transform (enterprise): Fix bug where tokenization store changes are
  persisted but don't take effect
* transform (enterprise): Fix transform configuration not handling stores
  parameter on the legacy path
* transform (enterprise): Make expiration timestamps human readable
* transform (enterprise): Return false for invalid tokens on the validate
  endpoint rather than returning an HTTP error
* ui: Add role from database connection automatically populates the
  database for new role [GH-11119]
* ui: Fix bug in Transform secret engine when a new role is added and then
  removed from a transformation [GH-10417]
* ui: Fix bug that double encodes secret route when there are spaces in the
  path and makes you unable to view the version history. [GH-10596]
* ui: Fix expected response from feature-flags endpoint [GH-10684]
* ui: Fix footer URL linking to the correct version changelog. [GH-10491]

DEPRECATIONS:

* aws/auth: AWS Auth endpoints that use the "whitelist" and "blacklist"
  terms have been deprecated. Refer to the CHANGES section for additional
  details.

1.6.3
February 25, 2021

SECURITY:

* Limited Unauthenticated License Metadata Read: We addressed a security
  vulnerability that allowed for the unauthenticated reading of Vault license
  metadata from DR Secondaries. This vulnerability affects Vault Enterprise
  and is fixed in 1.6.3 (CVE-2021-27668).

CHANGES:

* secrets/mongodbatlas: Move from whitelist to access list API [GH-10966]

IMPROVEMENTS:

* ui: Clarify language on usage metrics page empty state [GH-10951]

BUG FIXES:

* auth/kubernetes: Cancel API calls to TokenReview endpoint when request
  context is closed [GH-10930]
* core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
* quotas: Fix duplicate quotas on performance standby nodes. [GH-10855]
* quotas/rate-limit: Fix quotas enforcing old rate limit quota paths
  [GH-10689]
* replication (enterprise): Don't write request count data on DR
  Secondaries. Fixes DR Secondaries becoming out of sync approximately every
  30s. [GH-10970]
* secrets/azure (enterprise): Forward service principal credential creation
  to the primary cluster if called on a performance standby or performance
  secondary. [GH-10902]

1.6.2
January 29, 2021

SECURITY:

* IP Address Disclosure: We fixed a vulnerability where, under some error
  conditions, Vault would return an error message disclosing internal IP
  addresses. This vulnerability affects Vault and Vault Enterprise and is
  fixed in 1.6.2 (CVE-2021-3024).
* Limited Unauthenticated Remove Peer: As of Vault 1.6, the remove-peer
  command on DR secondaries did not require authentication. This issue
  impacts the stability of HA architecture, as a bad actor could remove all
  standby nodes from a DR secondary. This issue affects Vault Enterprise
  1.6.0 and 1.6.1, and is fixed in 1.6.2 (CVE-2021-3282).
* Mount Path Disclosure: Vault previously returned different HTTP status
  codes for existent and non-existent mount paths. This behavior would allow
  unauthenticated brute force attacks to reveal which paths had valid
  mounts. This issue affects Vault and Vault Enterprise and is fixed in
  1.6.2 (CVE-2020-25594).

CHANGES:

* go: Update go version to 1.15.7 [GH-10730]

FEATURES:

* ui: Adds check for feature flag on application, and updates namespace
  toolbar on login if present [GH-10588]

IMPROVEMENTS:

* core (enterprise): "vault status" command works when a namespace is
  set. [GH-10725]
* core: reduce memory used by leases [GH-10726]
* storage/raft (enterprise): Listing of peers is now allowed on DR
  secondary cluster nodes, as an update operation that takes in DR operation
  token for authenticating the request.
* core: allow setting tls_servername for raft retry/auto-join [GH-10698]

BUG FIXES:

* agent: Set namespace for template server in agent. [GH-10757]
* core: Make the response to an unauthenticated request to sys/internal
  endpoints consistent regardless of mount existence. [GH-10650]
* metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
* secrets/gcp: Fix issue with account and iam_policy roleset WALs not being
  removed after attempts when GCP project no longer exists [GH-10759]
* storage/raft (enterprise): Automated snapshots with Azure required
  specifying azure_blob_environment, which should have had as a default
  AZUREPUBLICCLOUD.
* storage/raft (enterprise): Autosnapshots config and storage weren't
  excluded from performance replication, causing conflicts and errors.
* ui: Fix bug that double encodes secret route when there are spaces in the
  path and makes you unable to view the version history. [GH-10596]
* ui: Fix expected response from feature-flags endpoint [GH-10684]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Vault panic, when vault-agent try renew token
3 participants