From 35f1cfeb7734dd561c2d6aee3fdbb5558b5008ff Mon Sep 17 00:00:00 2001 From: Ryan Currah Date: Sat, 13 Jun 2015 12:03:57 -0400 Subject: [PATCH 1/8] Do not output the trailing newline in encoding. Added -n to echo command to prevent newlines from showing up in encoding. --- website/source/docs/secrets/transit/index.html.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/source/docs/secrets/transit/index.html.md b/website/source/docs/secrets/transit/index.html.md index 5073d8735e..3506eca03a 100644 --- a/website/source/docs/secrets/transit/index.html.md +++ b/website/source/docs/secrets/transit/index.html.md @@ -65,7 +65,7 @@ Now, if we wanted to encrypt a piece of plain text, we use the encrypt endpoint using our named key: ``` -$ echo "the quick brown fox" | base64 | vault write transit/encrypt/foo plaintext=- +$ echo -n "the quick brown fox" | base64 | vault write transit/encrypt/foo plaintext=- Key Value ciphertext vault:v0:czEwyKqGZY/limnuzDCUUe5AK0tbBObWqeZgFqxCuIqq7A84SeiOq3sKD0Y/KUvv ``` From f184c5985a36a7637b32cfc1f62e82216dc3144e Mon Sep 17 00:00:00 2001 From: Christian Svensson Date: Sun, 14 Jun 2015 23:18:21 +0100 Subject: [PATCH 2/8] Record the common name in TLS metadata It is useful to be able to save the client cert's Common Name for auditing purposes when using a central CA. This adds a "common_name" value to the Metadata structure passed from login. --- builtin/credential/cert/path_login.go | 1 + 1 file changed, 1 insertion(+) diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go index bb5b2358cc..14dbf8212a 100644 --- a/builtin/credential/cert/path_login.go +++ b/builtin/credential/cert/path_login.go @@ -62,6 +62,7 @@ func (b *backend) pathLogin( DisplayName: matched.Entry.DisplayName, Metadata: map[string]string{ "cert_name": matched.Entry.Name, + "common_name": connState.PeerCertificates[0].Subject.CommonName, }, LeaseOptions: logical.LeaseOptions{ Renewable: true, 
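Review bot: The added `"common_name"` entry indexes `connState.PeerCertificates[0]` with no length check visible in the hunk; pathLogin starts before this hunk, so unless it already rejects a connection state with an empty peer chain, a TLS client that presents no certificate would panic here instead of failing the login. Element 0 is the leaf certificate the client presented, which is the right source for an audit value, but it is a different certificate from `matched.Entry` (the configured trusted entry), and a comment such as `// CN of the presented leaf cert, not of the trusted entry; recorded for audit` would stop later readers from conflating the two. CommonName is also empty for certificates issued without a CN, so consumers of the metadata should not rely on it always being populated.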
From 1131a61d22de32dd25d1e656448669ded43e15d8 Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Mon, 15 Jun 2015 13:54:36 -0400 Subject: [PATCH 3/8] Update gems --- website/Gemfile.lock | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/website/Gemfile.lock b/website/Gemfile.lock index 7366999a6c..9448c1f9a8 100644 --- a/website/Gemfile.lock +++ b/website/Gemfile.lock @@ -26,7 +26,7 @@ GEM minitest (~> 5.1) thread_safe (~> 0.1) tzinfo (~> 1.1) - autoprefixer-rails (5.1.11) + autoprefixer-rails (5.2.0) execjs json bootstrap-sass (3.3.4.1) @@ -67,10 +67,10 @@ GEM hitimes (1.2.2) hooks (0.4.0) uber (~> 0.0.4) - htmlcompressor (0.1.2) + htmlcompressor (0.2.0) http_parser.rb (0.6.0) i18n (0.7.0) - json (1.8.2) + json (1.8.3) kramdown (1.7.0) less (2.6.0) commonjs (~> 0.2.7) @@ -79,18 +79,18 @@ GEM celluloid (~> 0.16.0) rb-fsevent (>= 0.9.3) rb-inotify (>= 0.9) - middleman (3.3.13) + middleman (3.3.12) coffee-script (~> 2.2) compass (>= 1.0.0, < 2.0.0) compass-import-once (= 1.0.5) execjs (~> 2.0) haml (>= 4.0.5) kramdown (~> 1.2) - middleman-core (= 3.3.13) + middleman-core (= 3.3.12) middleman-sprockets (>= 3.1.2) sass (>= 3.4.0, < 4.0) uglifier (~> 2.5) - middleman-core (3.3.13) + middleman-core (3.3.12) activesupport (~> 4.1.0) bundler (~> 1.1) erubis @@ -106,8 +106,8 @@ GEM em-websocket (~> 0.5.1) middleman-core (>= 3.3) rack-livereload (~> 0.3.15) - middleman-minify-html (3.4.0) - htmlcompressor (~> 0.1.0) + middleman-minify-html (3.4.1) + htmlcompressor (~> 0.2.0) middleman-core (>= 3.2) middleman-sprockets (3.4.2) middleman-core (>= 3.3) @@ -117,8 +117,8 @@ GEM middleman-syntax (2.0.0) middleman-core (~> 3.2) rouge (~> 1.0) - minitest (5.6.1) - multi_json (1.11.0) + minitest (5.7.0) + multi_json (1.11.1) padrino-helpers (0.12.5) i18n (~> 0.6, >= 0.6.7) padrino-support (= 0.12.5) 
@@ -134,13 +134,13 @@ GEM rack-ssl-enforcer (0.2.8) rack-test (0.6.3) rack (>= 1.0) - rb-fsevent (0.9.4) + rb-fsevent (0.9.5) rb-inotify (0.9.5) ffi (>= 0.5.0) - redcarpet (3.2.3) + redcarpet (3.3.1) ref (1.0.5) - rouge (1.8.0) - sass (3.4.13) + rouge (1.9.0) + sass (3.4.14) sprockets (2.12.3) hike (~> 1.2) multi_json (~> 1.0) @@ -175,3 +175,6 @@ PLATFORMS DEPENDENCIES middleman-hashicorp! + +BUNDLED WITH + 1.10.3 From b9112733f388c3715eec3e3276a1ea4325808daf Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Mon, 15 Jun 2015 13:56:15 -0400 Subject: [PATCH 4/8] Document longest-prefix match Fixes https://github.com/hashicorp/vault/issues/331 --- website/source/docs/concepts/policies.html.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/website/source/docs/concepts/policies.html.md b/website/source/docs/concepts/policies.html.md index ad44dea7c6..d7bba0b85d 100644 --- a/website/source/docs/concepts/policies.html.md +++ b/website/source/docs/concepts/policies.html.md @@ -37,6 +37,10 @@ This works well due to Vault's architecture of being like a filesystem: everything has a path associated with it, including the core configuration mechanism under "sys". +~> Policy paths are matched using a longest-prefix match, which is the most +specific defined policy. This means if you define a policy for `"secret/foo"`, +the policy would also match `"secret/foobar"`. + ## Policies Allowed policies for a path are: From 4502bb71b852e4a57ce7d71ab5d888c3061338ef Mon Sep 17 00:00:00 2001 From: Mitchell Hashimoto Date: Tue, 16 Jun 2015 10:00:02 -0700 Subject: [PATCH 5/8] helper/kv-builder: blank values should not panic --- helper/kv-builder/builder.go | 44 ++++++++++++++++--------------- helper/kv-builder/builder_test.go | 3 ++- 2 files changed, 25 insertions(+), 22 deletions(-) diff --git a/helper/kv-builder/builder.go b/helper/kv-builder/builder.go index 767cff4b1c..f83eaf6c2d 100644 --- a/helper/kv-builder/builder.go +++ b/helper/kv-builder/builder.go 
@@ -78,30 +78,32 @@ func (b *Builder) add(raw string) error { } key, value := parts[0], parts[1] - if len(value) > 0 && value[0] == '@' { - contents, err := ioutil.ReadFile(value[1:]) - if err != nil { - return fmt.Errorf("error reading file: %s", err) - } + if len(value) > 0 { + if value[0] == '@' { + contents, err := ioutil.ReadFile(value[1:]) + if err != nil { + return fmt.Errorf("error reading file: %s", err) + } - value = string(contents) - } else if value[0] == '\\' && value[1] == '@' { - value = value[1:] - } else if value == "-" { - if b.Stdin == nil { - return fmt.Errorf("stdin is not supported") - } - if b.stdin { - return fmt.Errorf("stdin already consumed") - } - b.stdin = true + value = string(contents) + } else if value[0] == '\\' && value[1] == '@' { + value = value[1:] + } else if value == "-" { + if b.Stdin == nil { + return fmt.Errorf("stdin is not supported") + } + if b.stdin { + return fmt.Errorf("stdin already consumed") + } + b.stdin = true - var buf bytes.Buffer - if _, err := io.Copy(&buf, b.Stdin); err != nil { - return err - } + var buf bytes.Buffer + if _, err := io.Copy(&buf, b.Stdin); err != nil { + return err + } - value = buf.String() + value = buf.String() + } } b.result[key] = value diff --git a/helper/kv-builder/builder_test.go b/helper/kv-builder/builder_test.go index 90e892969a..f64c8e46e2 100644 --- a/helper/kv-builder/builder_test.go +++ b/helper/kv-builder/builder_test.go @@ -8,7 +8,7 @@ import ( func TestBuilder_basic(t *testing.T) { var b Builder - err := b.Add("foo=bar", "bar=baz") + err := b.Add("foo=bar", "bar=baz", "baz=") if err != nil { t.Fatalf("err: %s", err) } @@ -16,6 +16,7 @@ func TestBuilder_basic(t *testing.T) { expected := map[string]interface{}{ "foo": "bar", "bar": "baz", + "baz": "", } actual := b.Map() if !reflect.DeepEqual(actual, expected) { From 2d865b831d7ecd40469543229eb61340772cb843 Mon Sep 17 00:00:00 2001 
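Review bot: The new `len(value) > 0` guard removes the empty-value panic, but the `value[0] == '\\' && value[1] == '@'` branch still reads `value[1]` unguarded, so a value consisting of a single backslash panics with an index out of range; change it to `} else if len(value) > 1 && value[0] == '\\' && value[1] == '@' {`. The deeper nesting also makes the ordering subtle: a value of just `@` reaches `ioutil.ReadFile("")` and surfaces as a file read error, which is acceptable but deserves a one-line comment. The builder_test.go hunk pins `baz=` but not the lone-backslash case; adding `"qux=\\"` to the same `b.Add` call with `"qux": "\\"` in `expected` would cover it. add's body starts before this hunk.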
From: Mitchell Hashimoto Date: Tue, 16 Jun 2015 10:00:38 -0700 Subject: [PATCH 6/8] update CHANGELOG --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index a5d202718c..3540b315ae 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,10 @@ IMPROVEMENTS: * core: `/sys/auth` allows for PUT requests as well +BUG FIXES: + + * command/*: commands accepting `k=v` allow blank values + ## 0.1.2 (May 11, 2015) FEATURES: From dcc84749d1bfcbf623db4401bab9a2aa91b5364d Mon Sep 17 00:00:00 2001 From: Mitchell Hashimoto Date: Tue, 16 Jun 2015 10:05:11 -0700 Subject: [PATCH 7/8] command/auth, github: improve cli docs /cc @sethvargo --- builtin/credential/github/cli.go | 6 ++++++ command/auth.go | 8 +++++++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/builtin/credential/github/cli.go b/builtin/credential/github/cli.go index 6c8ec4e31b..05f1cf5899 100644 --- a/builtin/credential/github/cli.go +++ b/builtin/credential/github/cli.go @@ -43,6 +43,12 @@ account settings page on GitHub. Example: vault auth -method=github token= +Key/Value Pairs: + + mount=github The mountpoint for the GitHub credential provider. + Defaults to "github" + + token= The GitHub personal access token for authentication. ` return strings.TrimSpace(help) diff --git a/command/auth.go b/command/auth.go index af5945c870..130dd7d278 100644 --- a/command/auth.go +++ b/command/auth.go 
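Review bot: In the new Key/Value Pairs block of the github help text, `Defaults to "github"` lacks the terminating period that the `token=` description has; `Defaults to "github".` keeps the two entries consistent. Since `token=` is documented as a command-line pair, one sentence noting that a token passed as an argument ends up in shell history and process listings would help users choose a safer way of supplying it, if the auth command offers one. The help string continues outside the hunk.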
@@ -242,7 +242,13 @@ Usage: vault auth [options] [token or config...] By specifying -method, alternate authentication methods can be used such as OAuth or TLS certificates. For these, additional values for configuration can be specified with "key=value" pairs just like - "vault write". + "vault write". Specify the "-method-help" flag to get help for a specific + method. + + If you've mounted a credential backend to a different path, such + as mounting "github" to "github-private", the "method" flag should + still be "github." Most credential providers support the "mount" option + to specify the mount point. See the "-method-help" for more info. General Options: From a98c07855bb120b6ba24d8fba7dc408aa2252fb0 Mon Sep 17 00:00:00 2001 From: Mitchell Hashimoto Date: Tue, 16 Jun 2015 10:05:51 -0700 Subject: [PATCH 8/8] credential/github: get rid of stray tab --- builtin/credential/github/cli.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/builtin/credential/github/cli.go b/builtin/credential/github/cli.go index 05f1cf5899..aef1b7c88a 100644 --- a/builtin/credential/github/cli.go +++ b/builtin/credential/github/cli.go @@ -46,7 +46,7 @@ account settings page on GitHub. Key/Value Pairs: mount=github The mountpoint for the GitHub credential provider. - Defaults to "github" + Defaults to "github" token= The GitHub personal access token for authentication. `
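Review bot: In the new paragraph of the auth usage text the period sits inside the quotes in `still be "github."`, which reads as if the method name were `github.`; since the surrounding text quotes bare names, `still be "github". Most credential providers support the "mount" option` removes the ambiguity. Likewise `See the "-method-help" for more info.` reads more naturally as `See "-method-help" for more info.`, matching the earlier `Specify the "-method-help" flag` phrasing. The usage string continues outside the hunk.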