Merge branch 'master' into f-pki

2026-05-28 04:10:44 -04:00 · 2015-06-16 13:43:25 -04:00 · 2015-06-16 13:43:25 -04:00 · 79164f38ad
commit 79164f38ad
parent a2b3e1302a a98c07855b
9 changed files with 65 additions and 38 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,10 @@ IMPROVEMENTS:

  * core: `/sys/auth` allows for PUT requests as well

+BUG FIXES:
+
+  * command/*: commands accepting `k=v` allow blank values
+
 ## 0.1.2 (May 11, 2015)

 FEATURES:
--- a/builtin/credential/cert/path_login.go
+++ b/builtin/credential/cert/path_login.go
@ -62,6 +62,7 @@ func (b *backend) pathLogin(
 			DisplayName: matched.Entry.DisplayName,
 			Metadata: map[string]string{
 				"cert_name": matched.Entry.Name,
+				"common_name": connState.PeerCertificates[0].Subject.CommonName,
 			},
 			LeaseOptions: logical.LeaseOptions{
 				Renewable: true,
--- a/builtin/credential/github/cli.go
+++ b/builtin/credential/github/cli.go
@ -43,6 +43,12 @@ account settings page on GitHub.

    Example: vault auth -method=github token=<token>

+Key/Value Pairs:
+
+    mount=github      The mountpoint for the GitHub credential provider.
+                      Defaults to "github"
+
+    token=<token>     The GitHub personal access token for authentication.
 	`

 	return strings.TrimSpace(help)
--- a/command/auth.go
+++ b/command/auth.go
@ -242,7 +242,13 @@ Usage: vault auth [options] [token or config...]
  By specifying -method, alternate authentication methods can be used
  such as OAuth or TLS certificates. For these, additional values for
  configuration can be specified with "key=value" pairs just like
-  "vault write".
+  "vault write". Specify the "-method-help" flag to get help for a specific
+  method.
+
+  If you've mounted a credential backend to a different path, such
+  as mounting "github" to "github-private", the "method" flag should
+  still be "github." Most credential providers support the "mount" option
+  to specify the mount point. See the "-method-help" for more info.

 General Options:

--- a/helper/kv-builder/builder.go
+++ b/helper/kv-builder/builder.go
@ -78,30 +78,32 @@ func (b *Builder) add(raw string) error {
 	}
 	key, value := parts[0], parts[1]

-	if len(value) > 0 && value[0] == '@' {
-		contents, err := ioutil.ReadFile(value[1:])
-		if err != nil {
-			return fmt.Errorf("error reading file: %s", err)
-		}
+	if len(value) > 0 {
+		if value[0] == '@' {
+			contents, err := ioutil.ReadFile(value[1:])
+			if err != nil {
+				return fmt.Errorf("error reading file: %s", err)
+			}

-		value = string(contents)
-	} else if value[0] == '\\' && value[1] == '@' {
-		value = value[1:]
-	} else if value == "-" {
-		if b.Stdin == nil {
-			return fmt.Errorf("stdin is not supported")
-		}
-		if b.stdin {
-			return fmt.Errorf("stdin already consumed")
-		}
-		b.stdin = true
+			value = string(contents)
+		} else if value[0] == '\\' && value[1] == '@' {
+			value = value[1:]
+		} else if value == "-" {
+			if b.Stdin == nil {
+				return fmt.Errorf("stdin is not supported")
+			}
+			if b.stdin {
+				return fmt.Errorf("stdin already consumed")
+			}
+			b.stdin = true

-		var buf bytes.Buffer
-		if _, err := io.Copy(&buf, b.Stdin); err != nil {
-			return err
-		}
+			var buf bytes.Buffer
+			if _, err := io.Copy(&buf, b.Stdin); err != nil {
+				return err
+			}

-		value = buf.String()
+			value = buf.String()
+		}
 	}

 	b.result[key] = value
--- a/helper/kv-builder/builder_test.go
+++ b/helper/kv-builder/builder_test.go
@ -8,7 +8,7 @@ import (

 func TestBuilder_basic(t *testing.T) {
 	var b Builder
-	err := b.Add("foo=bar", "bar=baz")
+	err := b.Add("foo=bar", "bar=baz", "baz=")
 	if err != nil {
 		t.Fatalf("err: %s", err)
 	}
@ -16,6 +16,7 @@ func TestBuilder_basic(t *testing.T) {
 	expected := map[string]interface{}{
 		"foo": "bar",
 		"bar": "baz",
+		"baz": "",
 	}
 	actual := b.Map()
 	if !reflect.DeepEqual(actual, expected) {
--- a/website/Gemfile.lock
+++ b/website/Gemfile.lock
@ -26,7 +26,7 @@ GEM
      minitest (~> 5.1)
      thread_safe (~> 0.1)
      tzinfo (~> 1.1)
-    autoprefixer-rails (5.1.11)
+    autoprefixer-rails (5.2.0)
      execjs
      json
    bootstrap-sass (3.3.4.1)
@ -67,10 +67,10 @@ GEM
    hitimes (1.2.2)
    hooks (0.4.0)
      uber (~> 0.0.4)
-    htmlcompressor (0.1.2)
+    htmlcompressor (0.2.0)
    http_parser.rb (0.6.0)
    i18n (0.7.0)
-    json (1.8.2)
+    json (1.8.3)
    kramdown (1.7.0)
    less (2.6.0)
      commonjs (~> 0.2.7)
@ -79,18 +79,18 @@ GEM
      celluloid (~> 0.16.0)
      rb-fsevent (>= 0.9.3)
      rb-inotify (>= 0.9)
-    middleman (3.3.13)
+    middleman (3.3.12)
      coffee-script (~> 2.2)
      compass (>= 1.0.0, < 2.0.0)
      compass-import-once (= 1.0.5)
      execjs (~> 2.0)
      haml (>= 4.0.5)
      kramdown (~> 1.2)
-      middleman-core (= 3.3.13)
+      middleman-core (= 3.3.12)
      middleman-sprockets (>= 3.1.2)
      sass (>= 3.4.0, < 4.0)
      uglifier (~> 2.5)
-    middleman-core (3.3.13)
+    middleman-core (3.3.12)
      activesupport (~> 4.1.0)
      bundler (~> 1.1)
      erubis
@ -106,8 +106,8 @@ GEM
      em-websocket (~> 0.5.1)
      middleman-core (>= 3.3)
      rack-livereload (~> 0.3.15)
-    middleman-minify-html (3.4.0)
-      htmlcompressor (~> 0.1.0)
+    middleman-minify-html (3.4.1)
+      htmlcompressor (~> 0.2.0)
      middleman-core (>= 3.2)
    middleman-sprockets (3.4.2)
      middleman-core (>= 3.3)
@ -117,8 +117,8 @@ GEM
    middleman-syntax (2.0.0)
      middleman-core (~> 3.2)
      rouge (~> 1.0)
-    minitest (5.6.1)
-    multi_json (1.11.0)
+    minitest (5.7.0)
+    multi_json (1.11.1)
    padrino-helpers (0.12.5)
      i18n (~> 0.6, >= 0.6.7)
      padrino-support (= 0.12.5)
@ -134,13 +134,13 @@ GEM
    rack-ssl-enforcer (0.2.8)
    rack-test (0.6.3)
      rack (>= 1.0)
-    rb-fsevent (0.9.4)
+    rb-fsevent (0.9.5)
    rb-inotify (0.9.5)
      ffi (>= 0.5.0)
-    redcarpet (3.2.3)
+    redcarpet (3.3.1)
    ref (1.0.5)
-    rouge (1.8.0)
-    sass (3.4.13)
+    rouge (1.9.0)
+    sass (3.4.14)
    sprockets (2.12.3)
      hike (~> 1.2)
      multi_json (~> 1.0)
@ -175,3 +175,6 @@ PLATFORMS

 DEPENDENCIES
  middleman-hashicorp!
+
+BUNDLED WITH
+   1.10.3
--- a/website/source/docs/concepts/policies.html.md
+++ b/website/source/docs/concepts/policies.html.md
@ -37,6 +37,10 @@ This works well due to Vault's architecture of being like a filesystem:
 everything has a path associated with it, including the core configuration
 mechanism under "sys".

+~> Policy paths are matched using a longest-prefix match, which is the most
+specific defined policy. This means if you define a policy for `"secret/foo"`,
+the policy would also match `"secret/foobar"`.
+
 ## Policies

 Allowed policies for a path are:
--- a/website/source/docs/secrets/transit/index.html.md
+++ b/website/source/docs/secrets/transit/index.html.md
@ -65,7 +65,7 @@ Now, if we wanted to encrypt a piece of plain text, we use the encrypt
 endpoint using our named key:

 ```
-$ echo "the quick brown fox" | base64 | vault write transit/encrypt/foo plaintext=-
+$ echo -n "the quick brown fox" | base64 | vault write transit/encrypt/foo plaintext=-
 Key       	Value
 ciphertext	vault:v0:czEwyKqGZY/limnuzDCUUe5AK0tbBObWqeZgFqxCuIqq7A84SeiOq3sKD0Y/KUvv
 ```