Merge remote-tracking branch 'origin/main' into VAULT-30850/sdk-updat…

…e-docker
hashicorp · Sep 23, 2024 · 3d6ce10 · 3d6ce10
2 parents 504fdcf + 12f03b0
commit 3d6ce10
Show file tree

Hide file tree

Showing 57 changed files with 3,338 additions and 367 deletions.
diff --git a/api/auth/approle/LICENSE b/api/auth/approle/LICENSE
diff --git a/api/auth/aws/LICENSE b/api/auth/aws/LICENSE
diff --git a/api/auth/azure/LICENSE b/api/auth/azure/LICENSE
diff --git a/api/auth/gcp/LICENSE b/api/auth/gcp/LICENSE
diff --git a/api/auth/kubernetes/LICENSE b/api/auth/kubernetes/LICENSE
diff --git a/api/auth/ldap/LICENSE b/api/auth/ldap/LICENSE
diff --git a/api/auth/userpass/LICENSE b/api/auth/userpass/LICENSE
diff --git a/builtin/credential/approle/path_login.go b/builtin/credential/approle/path_login.go
@@ -125,7 +125,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 	// RoleID must be supplied during every login
 	roleID := strings.TrimSpace(data.Get("role_id").(string))
 	if roleID == "" {
-		return logical.ErrorResponse("missing role_id"), nil
+		return nil, logical.ErrInvalidCredentials
 	}
 
 	// Look for the storage entry that maps the roleID to role

diff --git a/builtin/credential/userpass/path_login.go b/builtin/credential/userpass/path_login.go
@@ -67,7 +67,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 
 	password := d.Get("password").(string)
 	if password == "" {
-		return nil, fmt.Errorf("missing password")
+		return nil, logical.ErrInvalidCredentials
 	}
 
 	// Get the user and validate auth

diff --git a/builtin/logical/ssh/backend_test.go b/builtin/logical/ssh/backend_test.go
@@ -1298,6 +1298,80 @@ func TestBackend_OptionsOverrideDefaults(t *testing.T) {
 	logicaltest.Test(t, testCase)
 }
 
+func TestBackend_EmptyPrincipals(t *testing.T) {
+	config := logical.TestBackendConfig()
+
+	b, err := Factory(context.Background(), config)
+	if err != nil {
+		t.Fatalf("Cannot create backend: %s", err)
+	}
+	testCase := logicaltest.TestCase{
+		LogicalBackend: b,
+		Steps: []logicaltest.TestStep{
+			configCaStep(testCAPublicKey, testCAPrivateKey),
+			createRoleStep("no_user_principals", map[string]interface{}{
+				"key_type":                "ca",
+				"allow_user_certificates": true,
+				"allowed_user_key_lengths": map[string]interface{}{
+					"rsa": 2048,
+				},
+				"allowed_users": "no_principals",
+			}),
+			{
+				Operation: logical.UpdateOperation,
+				Path:      "sign/no_user_principals",
+				Data: map[string]interface{}{
+					"public_key": testCAPublicKey,
+				},
+				ErrorOk: true,
+				Check: func(resp *logical.Response) error {
+					if resp.Data["error"] != "empty valid principals not allowed by role" {
+						return errors.New("expected empty valid principals not allowed by role")
+					}
+					return nil
+				},
+			},
+			createRoleStep("no_host_principals", map[string]interface{}{
+				"key_type":                "ca",
+				"allow_host_certificates": true,
+				"allowed_domains":         "*",
+			}),
+			{
+				Operation: logical.UpdateOperation,
+				Path:      "sign/no_host_principals",
+				Data: map[string]interface{}{
+					"cert_type":  "host",
+					"public_key": testCAPublicKeyEd25519,
+				},
+				ErrorOk: true,
+				Check: func(resp *logical.Response) error {
+					if resp.Data["error"] != "empty valid principals not allowed by role" {
+						return errors.New("expected empty valid principals not allowed by role")
+					}
+					return nil
+				},
+			},
+			{
+				Operation: logical.UpdateOperation,
+				Path:      "sign/no_host_principals",
+				Data: map[string]interface{}{
+					"cert_type":        "host",
+					"public_key":       testCAPublicKeyEd25519,
+					"valid_principals": "example.com",
+				},
+				ErrorOk: true,
+				Check: func(resp *logical.Response) error {
+					if resp.Data["error"] != nil {
+						return errors.New("expected no error")
+					}
+					return nil
+				},
+			},
+		},
+	}
+	logicaltest.Test(t, testCase)
+}
+
 func TestBackend_AllowedUserKeyLengths(t *testing.T) {
 	config := logical.TestBackendConfig()
 
@@ -1315,6 +1389,7 @@ func TestBackend_AllowedUserKeyLengths(t *testing.T) {
 				"allowed_user_key_lengths": map[string]interface{}{
 					"rsa": 4096,
 				},
+				"allowed_users": "guest",
 			}),
 			{
 				Operation: logical.UpdateOperation,
@@ -1336,21 +1411,24 @@ func TestBackend_AllowedUserKeyLengths(t *testing.T) {
 				"allowed_user_key_lengths": map[string]interface{}{
 					"rsa": 2048,
 				},
+				"allowed_users": "guest",
 			}),
 			// Pass with 2048 key
 			{
 				Operation: logical.UpdateOperation,
 				Path:      "sign/stdkey",
 				Data: map[string]interface{}{
-					"public_key": testCAPublicKey,
+					"public_key":       testCAPublicKey,
+					"valid_principals": "guest",
 				},
 			},
 			// Fail with 4096 key
 			{
 				Operation: logical.UpdateOperation,
 				Path:      "sign/stdkey",
 				Data: map[string]interface{}{
-					"public_key": publicKey4096,
+					"public_key":       publicKey4096,
+					"valid_principals": "guest",
 				},
 				ErrorOk: true,
 				Check: func(resp *logical.Response) error {
@@ -1366,21 +1444,24 @@ func TestBackend_AllowedUserKeyLengths(t *testing.T) {
 				"allowed_user_key_lengths": map[string]interface{}{
 					"rsa": []int{2048, 4096},
 				},
+				"allowed_users": "guest",
 			}),
 			// Pass with 2048-bit key
 			{
 				Operation: logical.UpdateOperation,
 				Path:      "sign/multikey",
 				Data: map[string]interface{}{
-					"public_key": testCAPublicKey,
+					"public_key":       testCAPublicKey,
+					"valid_principals": "guest",
 				},
 			},
 			// Pass with 4096-bit key
 			{
 				Operation: logical.UpdateOperation,
 				Path:      "sign/multikey",
 				Data: map[string]interface{}{
-					"public_key": publicKey4096,
+					"public_key":       publicKey4096,
+					"valid_principals": "guest",
 				},
 			},
 			// Fail with 3072-bit key
@@ -1403,7 +1484,8 @@ func TestBackend_AllowedUserKeyLengths(t *testing.T) {
 				Operation: logical.UpdateOperation,
 				Path:      "sign/multikey",
 				Data: map[string]interface{}{
-					"public_key": publicKeyECDSA256,
+					"public_key":       publicKeyECDSA256,
+					"valid_principals": "guest",
 				},
 				ErrorOk: true,
 				Check: func(resp *logical.Response) error {
@@ -1420,29 +1502,33 @@ func TestBackend_AllowedUserKeyLengths(t *testing.T) {
 					"ec":                  []int{256},
 					"ecdsa-sha2-nistp521": 0,
 				},
+				"allowed_users": "guest",
 			}),
 			// Pass with ECDSA P-256
 			{
 				Operation: logical.UpdateOperation,
 				Path:      "sign/ectypes",
 				Data: map[string]interface{}{
-					"public_key": publicKeyECDSA256,
+					"public_key":       publicKeyECDSA256,
+					"valid_principals": "guest",
 				},
 			},
 			// Pass with ECDSA P-521
 			{
 				Operation: logical.UpdateOperation,
 				Path:      "sign/ectypes",
 				Data: map[string]interface{}{
-					"public_key": publicKeyECDSA521,
+					"public_key":       publicKeyECDSA521,
+					"valid_principals": "guest",
 				},
 			},
 			// Fail with RSA key
 			{
 				Operation: logical.UpdateOperation,
 				Path:      "sign/ectypes",
 				Data: map[string]interface{}{
-					"public_key": publicKey3072,
+					"public_key":       publicKey3072,
+					"valid_principals": "guest",
 				},
 				ErrorOk: true,
 				Check: func(resp *logical.Response) error {
@@ -1896,6 +1982,7 @@ func TestSSHBackend_IssueSign(t *testing.T) {
 					"ecdsa-sha2-nistp521": 0,
 					"ed25519":             0,
 				},
+				"allow_empty_principals": true,
 			}),
 			// Key_type not in allowed_user_key_types_lengths
 			issueSSHKeyPairStep("testing", "ec", 256, true, "provided key_type value not in allowed_user_key_types"),
@@ -2726,13 +2813,14 @@ func TestProperAuthing(t *testing.T) {
 	_, err = client.Logical().WriteWithContext(ctx, "ssh/roles/test-ca", map[string]interface{}{
 		"key_type":                "ca",
 		"allow_user_certificates": true,
+		"allowed_users":           "toor",
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	_, err = client.Logical().WriteWithContext(ctx, "ssh/issue/test-ca", map[string]interface{}{
-		"username": "toor",
+		"valid_principals": "toor",
 	})
 	if err != nil {
 		t.Fatal(err)

diff --git a/builtin/logical/ssh/path_config_ca_test.go b/builtin/logical/ssh/path_config_ca_test.go
@@ -259,6 +259,7 @@ func TestSSH_ConfigCAKeyTypes(t *testing.T) {
 		"key_type":                "ca",
 		"ttl":                     "30s",
 		"not_before_duration":     "2h",
+		"allow_empty_principals":  true,
 	}
 	roleReq := &logical.Request{
 		Operation: logical.UpdateOperation,

diff --git a/builtin/logical/ssh/path_issue.go b/builtin/logical/ssh/path_issue.go
@@ -58,7 +58,7 @@ be later than the role max TTL.`,
 			},
 			"valid_principals": {
 				Type:        framework.TypeString,
-				Description: `Valid principals, either usernames or hostnames, that the certificate should be signed for.`,
+				Description: `Valid principals, either usernames or hostnames, that the certificate should be signed for.  Must be non-empty unless allow_empty_principals=true (not recommended) or a value for DefaultUser has been set in the role`,
 			},
 			"cert_type": {
 				Type:        framework.TypeString,

diff --git a/builtin/logical/ssh/path_issue_sign.go b/builtin/logical/ssh/path_issue_sign.go
@@ -189,10 +189,19 @@ func (b *backend) calculateValidPrincipals(data *framework.FieldData, req *logic
 		allowedPrincipals = strutil.RemoveDuplicates(strutil.ParseStringSlice(principalsAllowedByRole, ","), false)
 	}
 
+	if len(parsedPrincipals) == 0 && defaultPrincipal != "" {
+		// defaultPrincipal will either be the defaultUser or a rendered defaultUserTemplate
+		parsedPrincipals = []string{defaultPrincipal}
+	}
+
 	switch {
 	case len(parsedPrincipals) == 0:
-		// There is nothing to process
-		return nil, nil
+		if role.AllowEmptyPrincipals {
+			// There is nothing to process
+			return nil, nil
+		} else {
+			return nil, fmt.Errorf("empty valid principals not allowed by role")
+		}
 	case len(allowedPrincipals) == 0:
 		// User has requested principals to be set, but role is not configured
 		// with any principals

diff --git a/builtin/logical/ssh/path_roles.go b/builtin/logical/ssh/path_roles.go
@@ -66,6 +66,7 @@ type sshRole struct {
 	AlgorithmSigner            string            `mapstructure:"algorithm_signer" json:"algorithm_signer"`
 	Version                    int               `mapstructure:"role_version" json:"role_version"`
 	NotBeforeDuration          time.Duration     `mapstructure:"not_before_duration" json:"not_before_duration"`
+	AllowEmptyPrincipals       bool              `mapstructure:"allow_empty_principals" json:"allow_empty_principals"`
 }
 
 func pathListRoles(b *backend) *framework.Path {
@@ -363,6 +364,11 @@ func pathRoles(b *backend) *framework.Path {
 					Value: 30,
 				},
 			},
+			"allow_empty_principals": {
+				Type:        framework.TypeBool,
+				Description: `Whether to allow issuing certificates with no valid principals (meaning any valid principal).  Exists for backwards compatibility only, the default of false is highly recommended.`,
+				Default:     false,
+			},
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -499,6 +505,7 @@ func (b *backend) createCARole(allowedUsers, defaultUser, signer string, data *f
 		AlgorithmSigner:           signer,
 		Version:                   roleEntryVersion,
 		NotBeforeDuration:         time.Duration(data.Get("not_before_duration").(int)) * time.Second,
+		AllowEmptyPrincipals:      data.Get("allow_empty_principals").(bool),
 	}
 
 	if !role.AllowUserCertificates && !role.AllowHostCertificates {

diff --git a/changelog/27920.txt b/changelog/27920.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/api: Added missing LICENSE files to API sub-modules to ensure Go module tooling recognizes MPL-2.0 license.
+```
diff --git a/changelog/27927.txt b/changelog/27927.txt
@@ -0,0 +1,6 @@
+```release-note:improvement
+storage/s3: Pass context to AWS SDK calls
+```
+```release-note:improvement
+storage/dynamodb: Pass context to AWS SDK calls
+```
diff --git a/changelog/28441.txt b/changelog/28441.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth: Updated error handling for missing login credentials in AppRole and UserPass auth methods to return a 400 error instead of a 500 error.
+```
diff --git a/changelog/28450.txt b/changelog/28450.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/cert: During certificate validation, OCSP requests are debug logged even if Vault's log level is above DEBUG.
+```
diff --git a/changelog/28466.txt b/changelog/28466.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/ssh: Add a flag, `allow_empty_principals` to allow keys or certs to apply to any user/principal.
+```
diff --git a/changelog/28479.txt b/changelog/28479.txt
@@ -0,0 +1,3 @@
+```release-note:change
+secrets/openldap: Update plugin to v0.14.1
+```
diff --git a/go.mod b/go.mod
@@ -150,7 +150,7 @@ require (
 	github.com/hashicorp/vault-plugin-secrets-kubernetes v0.9.0
 	github.com/hashicorp/vault-plugin-secrets-kv v0.20.0
 	github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.13.0
-	github.com/hashicorp/vault-plugin-secrets-openldap v0.14.0
+	github.com/hashicorp/vault-plugin-secrets-openldap v0.14.1
 	github.com/hashicorp/vault-plugin-secrets-terraform v0.10.0
 	github.com/hashicorp/vault-testing-stepwise v0.3.2
 	github.com/hashicorp/vault/api v1.15.0

diff --git a/go.sum b/go.sum
@@ -1590,8 +1590,8 @@ github.com/hashicorp/vault-plugin-secrets-kv v0.20.0 h1:p1RVmd4x1rgGK0tN8DDu21J2
 github.com/hashicorp/vault-plugin-secrets-kv v0.20.0/go.mod h1:bCpMggD3Z0+H+3dOmTCoQjBHC53jA08lPqOLmFrHBi8=
 github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.13.0 h1:BeDS7luTeOW0braIbtuyairFF8SEz7k3nvi9e+mJ2Ok=
 github.com/hashicorp/vault-plugin-secrets-mongodbatlas v0.13.0/go.mod h1:sprde+S70PBIbgOLUAKDxR+xNF714ksBBVh77O3hnWc=
-github.com/hashicorp/vault-plugin-secrets-openldap v0.14.0 h1:hhuh8FwP2jJ6dlOKOO/wDmwt1eEmhy0Hw0OjdkioP5c=
-github.com/hashicorp/vault-plugin-secrets-openldap v0.14.0/go.mod h1:wqOf/QJqrrNXjnm0eLUnm5Ju9s/LIZUl6wEKmnFL9Uo=
+github.com/hashicorp/vault-plugin-secrets-openldap v0.14.1 h1:5l7/83OCZsHL1PYkFJd8xjLtKQEz3vpbIbaEzHL5qeU=
+github.com/hashicorp/vault-plugin-secrets-openldap v0.14.1/go.mod h1:wqOf/QJqrrNXjnm0eLUnm5Ju9s/LIZUl6wEKmnFL9Uo=
 github.com/hashicorp/vault-plugin-secrets-terraform v0.10.0 h1:YzOJrpuDRNrw5SQ4i7IEjedF40I/7ejupQy+gAyQ6Zg=
 github.com/hashicorp/vault-plugin-secrets-terraform v0.10.0/go.mod h1:j2nbB//xAQMD+5JivVDalwDEyzJY3AWzKIkw6k65xJQ=
 github.com/hashicorp/vault-testing-stepwise v0.3.2 h1:FCe0yrbK/hHiHqzu7utLcvCTTKjghWHyXwOQ2lxfoQM=

diff --git a/helper/testhelpers/mssql/mssqlhelper.go b/helper/testhelpers/mssql/mssqlhelper.go
@@ -13,6 +13,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
 	"github.com/hashicorp/vault/sdk/helper/docker"
 )
 
@@ -32,32 +33,36 @@ func PrepareMSSQLTestContainer(t *testing.T) (cleanup func(), retURL string) {
 		return func() {}, os.Getenv("MSSQL_URL")
 	}
 
+	logger := corehelpers.NewTestLogger(t)
+
 	var err error
 	for i := 0; i < numRetries; i++ {
 		var svc *docker.Service
-		runner, err := docker.NewServiceRunner(docker.RunOptions{
+		var runner *docker.Runner
+		runner, err = docker.NewServiceRunner(docker.RunOptions{
 			ContainerName: "sqlserver",
 			ImageRepo:     "mcr.microsoft.com/mssql/server",
-			ImageTag:      "2017-latest-ubuntu",
+			ImageTag:      "2022-latest",
 			Env:           []string{"ACCEPT_EULA=Y", "SA_PASSWORD=" + mssqlPassword},
 			Ports:         []string{"1433/tcp"},
 			LogConsumer: func(s string) {
-				if t.Failed() {
-					t.Logf("container logs: %s", s)
-				}
+				logger.Info(s)
 			},
 		})
 		if err != nil {
-			t.Fatalf("Could not start docker MSSQL: %s", err)
+			logger.Error("failed creating new service runner", "error", err.Error())
+			continue
 		}
 
 		svc, err = runner.StartService(context.Background(), connectMSSQL)
 		if err == nil {
 			return svc.Cleanup, svc.Config.URL().String()
 		}
+
+		logger.Error("failed starting service", "error", err.Error())
 	}
 
-	t.Fatalf("Could not start docker MSSQL: %s", err)
+	t.Fatalf("Could not start docker MSSQL last error: %v", err)
 	return nil, ""
 }