Merge branch 'master-oss' into encrypt-rsa

CHANGELOG.md

@@ -1,27 +1,56 @@
 ## 0.8.4 (Unreleased)
 
+DEPRECATIONS/CHANGES:
+
+ * API HTTP client behavior: When calling `NewClient` the API no longer
+   modifies the provided client/transport. In particular this means it will no
+   longer enable redirection limiting and HTTP/2 support on custom clients. It
+   is suggested that if you want to make changes to an HTTP client that you use
+   one created by `DefaultConfig` as a starting point.
+ * AWS EC2 client nonce behavior: The client nonce generated by the backend
+   that gets returned along with the authentication response will be audited in
+   plaintext. If this is undesired, the clients can choose to supply a custom
+   nonce to the login endpoint. The custom nonce set by the client will from
+   now on, not be returned back with the authentication response, and hence not
+   audit logged.
+ * SSH CA role read changes: When reading back a role from the `ssh` backend,
+   the TTL/max TTL values will now be an integer number of seconds rather than
+   a string. This better matches the API elsewhere in Vault.
+
 IMPROVEMENTS:
 
  * api: Add ability to set custom headers on each call [GH-3394]
  * command/server: Add config option to disable requesting client certificates
    [GH-3373]
+ * physical/file: Use `700` as permissions when creating directories. The files
+   themselves were `600` and are all encrypted, but this doesn't hurt.
  * secret/cassandra: Work around Cassandra ignoring consistency levels for a
    user listing query [GH-3469]
  * secret/pki: Allow entering URLs for `pki` as both comma-separated strings and JSON
    arrays [GH-3409]
+ * secret/ssh: Role TTL/max TTL can now be specified as either a string or an
+   integer [GH-3507]
  * secret/transit: Sign and verify operations now support a `none` hash
    algorithm to allow signing/verifying pre-hashed data [GH-3448]
- * physical/file: Use `700` as permissions when creating directories. The files
-   themselves were `600` and are all encrypted, but this doesn't hurt.
+ * secret/database: Add the ability to glob allowed roles in the Database Backend [GH-3387]
 
 BUG FIXES:
 
  * api: Fix panic when setting a custom HTTP client but with a nil transport
-   [GH-3437]
+   [GH-3435] [GH-3437]
  * auth/radius: Fix logging in in some situations [GH-3461]
+ * core: Fix memleak when a connection would connect to the cluster port and
+   then go away [GH-3513]
+ * core: Fix panic if a single-use token is used to step-down or seal [GH-3497]
+ * core: Set rather than add headers to prevent some duplicated headers in
+   responses when requests were forwarded to the active node [GH-3485]
  * physical/etcd3: Fix some listing issues due to how etcd3 does prefix
    matching [GH-3406]
+ * physical/file: Fix listing when underscores are the first component of a
+   path [GH-3476]
  * plugins: Allow response errors to be returned from backend plugins [GH-3412]
+ * secret/transit: Fix panic if the length of the input ciphertext was less
+   than the expected nonce length [GH-3521]
 
 ## 0.8.3 (September 19th, 2017)
 

Makefile

@@ -69,7 +69,7 @@ vet:
 prep: fmtcheck
 	@sh -c "'$(CURDIR)/scripts/goversioncheck.sh' '$(GO_VERSION_MIN)'"
 	go generate $(go list ./... | grep -v /vendor/)
-	cp .hooks/* .git/hooks/
+	@if [ -d .git/hooks ]; then cp .hooks/* .git/hooks/; fi
 
 # bootstrap the build by downloading additional tools
 bootstrap:

api/api_test.go

@@ -5,8 +5,6 @@ import (
 	"net"
 	"net/http"
 	"testing"
-
-	"golang.org/x/net/http2"
 )
 
 // testHTTPServer creates a test HTTP server that handles requests until
@@ -19,9 +17,6 @@ func testHTTPServer(
 	}
 
 	server := &http.Server{Handler: handler}
-	if err := http2.ConfigureServer(server, nil); err != nil {
-		t.Fatal(err)
-	}
 	go server.Serve(ln)
 
 	config := DefaultConfig()