diff --git a/CHANGELOG.md b/CHANGELOG.md
index e55a40b6ee..74a95c9fe9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,60 @@ ## 0.3.0 (Unreleased) +FEATURES: + + * **Cubbyhole Backend**: This backend works similarly to the "generic" backend but provides a per-token workspace. This enables some additional authentication workflows (especially for containers) and can be useful to applications to e.g. store local credentials while being restarted or upgraded, rather than persisting to disk. [GH-612] + * **Global and Per-Mount Default/Max TTL Support**: You can now set the default and maximum Time To Live for leases both globally and per-mount. Per-mount settings override global settings. Not all backends honor these settings yet, but the maximum is a hard limit enforced outside the backend. [GH-469] + * **PGP Encryption for Unseal Keys**: When initializing or rotating Vault's master key, PGP/GPG public keys can now be provided. The output keys will be encrypted with the given keys, in order. [GH-570] + * **Codebase Audit**: Vault's codebase was audited by iSEC. (The terms of the audit contract do not allow us to make the results public.) [GH-220] + +DEPRECATIONS/BREAKING CHANGES: + +Note: deprecations and breaking changes in upcoming releaes are announced ahead of time on the "vault-tool" mailing list. + + * **Cookie Authentication Removed**: As of 0.3 the only way to authenticate is via the X-Vault-Token header. Cookie authentication was hard to properly test, could result in browsers/tools/applications saving tokens in plaintext on disk, and other issues. [GH-564] + * **Terminology/Field Names**: Vault is transitioning from overloading the term "lease" to mean both "a set of metadata" and "the amount of time the metadata is valid". The latter is now being referred to as TTL (or "lease_duration" for backwards-compatibility); some parts of Vault have already switched to using "ttl" and others will follow in upcoming releases. In particular, the "generic" backend accepts both "ttl" and "lease" but in 0.4 only "ttl" will be accepted. 
[GH-528] + + +IMPROVEMENTS: + + * audit: Log entries now contain a time field [GH-495] + * backends: Add ability for a cleanup function to be called on backend unmount [GH-608] + * core: If trying to mount in a location that is already mounted, be more helpful about the error [GH-510] + * core: Be more explicit on failure if the issue is invalid JSON [GH-553] + * core: Tokens can now revoke themselves [GH-620] + * credential/app-id: Give a more specific error when sending a duplicate POST to sys/auth/app-id [GH-392] + * credential/github: Support custom API endpoints (e.g. for Github Enterprise) [GH-572] + * credential/ldap: Add per-user policies and option to login with userPrincipalName [GH-420] + * scripts: Use /usr/bin/env to find Bash instead of hardcoding [GH-446] + * scripts: Use godep for build scripts to use same environment as tests [GH-404] + * secret/mysql: Allow reading configuration data [GH-529] + * secret/pki: Split "allow_any_name" logic to that and "enforce_hostnames", to allow for non-hostname values (e.g. 
for client certificates) [GH-555] + * telemetry: Put telemetry object in configuration to allow more flexibility [GH-419] + * testing: Disable mlock for testing of logical backends so as not to require root [GH-479] + BUG FIXES: -* cli: Fixed missing setup of client TLS certificates if no custom CA was provided + * audit/file: Do not enable auditing if file permissions are invalid [GH-550] + * backends: Allow hyphens in endpoint patterns (fixes AWS and others) [GH-559] + * cli: Fixed missing setup of client TLS certificates if no custom CA was provided + * cli/read: Do not include a carriage return when using raw field output [GH-624] + * core: Bad input data could lead to a panic for that session, rather than returning an error [GH-503] + * core: Allow SHA2-384/SHA2-512 hashed certificates [GH-448] + * core: Do not return a Secret if there are no uses left on a token (since it will be unable to be used) [GH-615] + * core: Code paths that called lookup-self would decrement num_uses and potentially immediately revoke a token [GH-552] + * core: Some /sys/ paths would not properly redirect from a standby to the leader [GH-499] [GH-551] + * credential/github: Integration failed if more than ten organizations or teams [GH-489] + * credential/token: Tokens with sudo access to "auth/token/create" can now use root-only options [GH-629] + * physical/zookeeper: Fix collisions in storage that could lead to data unavailability [GH-411] + * secret/cassandra: Work around backwards-incompatible change made in Cassandra 2.2 preventing Vault from properly setting/revoking leases [GH-549] + * secret/mysql: Use varbinary instead of varchar to avoid InnoDB/UTF-8 issues [GH-522] + * secret/postgres: Explicitly set timezone in connections [GH-597] + +MISC: + + * Various documentation fixes and improvements [GH-412] [GH-474] [GH-476] [GH-613] + * Less "armon"'" in stack traces [GH-453] + * Sourcegraph integration [GH-456] ## 0.2.0 (July 13, 2015) 
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
index dc93cc9e89..3afaa09e3b 100644
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@@ -1,6 +1,6 @@
 {
 "ImportPath": "github.com/hashicorp/vault",
- "GoVersion": "go1.4.2",
+ "GoVersion": "go1.5.1",
 "Packages": [
 "./..."
 ],
@@ -101,10 +101,6 @@
 "Comment": "1st_gen_framing-225-g9d122d6",
 "Rev": "9d122d6ceec00b4b73bfb70de5587cdee7078d17"
 },
- {
- "ImportPath": "github.com/golang/groupcache/lru",
- "Rev": "604ed5785183e59ae2789449d89e73f3a2a77987"
- },
 {
 "ImportPath": "github.com/golang/snappy",
 "Rev": "723cc1e459b8eea2dea4583200fd60757d40097a"
diff --git a/Godeps/_workspace/src/github.com/golang/groupcache/lru/lru.go b/Godeps/_workspace/src/github.com/golang/groupcache/lru/lru.go
deleted file mode 100644
index cdfe2991fd..0000000000
--- a/Godeps/_workspace/src/github.com/golang/groupcache/lru/lru.go
+++ /dev/null
@@ -1,121 +0,0 @@
-/*
-Copyright 2013 Google Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package lru implements an LRU cache.
-package lru
-
-import "container/list"
-
-// Cache is an LRU cache. It is not safe for concurrent access.
-type Cache struct {
- // MaxEntries is the maximum number of cache entries before
- // an item is evicted. Zero means no limit.
- MaxEntries int
-
- // OnEvicted optionally specificies a callback function to be
- // executed when an entry is purged from the cache.
- OnEvicted func(key Key, value interface{})
-
- ll *list.List
- cache map[interface{}]*list.Element
-}
-
-// A Key may be any value that is comparable. See http://golang.org/ref/spec#Comparison_operators
-type Key interface{}
-
-type entry struct {
- key Key
- value interface{}
-}
-
-// New creates a new Cache.
-// If maxEntries is zero, the cache has no limit and it's assumed
-// that eviction is done by the caller.
-func New(maxEntries int) *Cache {
- return &Cache{
- MaxEntries: maxEntries,
- ll: list.New(),
- cache: make(map[interface{}]*list.Element),
- }
-}
-
-// Add adds a value to the cache.
-func (c *Cache) Add(key Key, value interface{}) {
- if c.cache == nil {
- c.cache = make(map[interface{}]*list.Element)
- c.ll = list.New()
- }
- if ee, ok := c.cache[key]; ok {
- c.ll.MoveToFront(ee)
- ee.Value.(*entry).value = value
- return
- }
- ele := c.ll.PushFront(&entry{key, value})
- c.cache[key] = ele
- if c.MaxEntries != 0 && c.ll.Len() > c.MaxEntries {
- c.RemoveOldest()
- }
-}
-
-// Get looks up a key's value from the cache.
-func (c *Cache) Get(key Key) (value interface{}, ok bool) {
- if c.cache == nil {
- return
- }
- if ele, hit := c.cache[key]; hit {
- c.ll.MoveToFront(ele)
- return ele.Value.(*entry).value, true
- }
- return
-}
-
-// Remove removes the provided key from the cache.
-func (c *Cache) Remove(key Key) {
- if c.cache == nil {
- return
- }
- if ele, hit := c.cache[key]; hit {
- c.removeElement(ele)
- }
-}
-
-// RemoveOldest removes the oldest item from the cache.
-func (c *Cache) RemoveOldest() {
- if c.cache == nil {
- return
- }
- ele := c.ll.Back()
- if ele != nil {
- c.removeElement(ele)
- }
-}
-
-func (c *Cache) removeElement(e *list.Element) {
- c.ll.Remove(e)
- kv := e.Value.(*entry)
- delete(c.cache, kv.key)
- if c.OnEvicted != nil {
- c.OnEvicted(kv.key, kv.value)
- }
-}
-
-// Len returns the number of items in the cache.
-func (c *Cache) Len() int {
- if c.cache == nil {
- return 0
- }
- return c.ll.Len()
-}
diff --git a/Godeps/_workspace/src/github.com/golang/groupcache/lru/lru_test.go b/Godeps/_workspace/src/github.com/golang/groupcache/lru/lru_test.go
deleted file mode 100644
index 98a2656e88..0000000000
--- a/Godeps/_workspace/src/github.com/golang/groupcache/lru/lru_test.go
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
-Copyright 2013 Google Inc.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package lru
-
-import (
- "testing"
-)
-
-type simpleStruct struct {
- int
- string
-}
-
-type complexStruct struct {
- int
- simpleStruct
-}
-
-var getTests = []struct {
- name string
- keyToAdd interface{}
- keyToGet interface{}
- expectedOk bool
-}{
- {"string_hit", "myKey", "myKey", true},
- {"string_miss", "myKey", "nonsense", false},
- {"simple_struct_hit", simpleStruct{1, "two"}, simpleStruct{1, "two"}, true},
- {"simeple_struct_miss", simpleStruct{1, "two"}, simpleStruct{0, "noway"}, false},
- {"complex_struct_hit", complexStruct{1, simpleStruct{2, "three"}},
- complexStruct{1, simpleStruct{2, "three"}}, true},
-}
-
-func TestGet(t *testing.T) {
- for _, tt := range getTests {
- lru := New(0)
- lru.Add(tt.keyToAdd, 1234)
- val, ok := lru.Get(tt.keyToGet)
- if ok != tt.expectedOk {
- t.Fatalf("%s: cache hit = %v; want %v", tt.name, ok, !ok)
- } else if ok && val != 1234 {
- t.Fatalf("%s expected get to return 1234 but got %v", tt.name, val)
- }
- }
-}
-
-func TestRemove(t *testing.T) {
- lru := New(0)
- lru.Add("myKey", 1234)
- if val, ok := lru.Get("myKey"); !ok {
- t.Fatal("TestRemove returned no match")
- } else if val != 1234 {
- t.Fatalf("TestRemove failed. Expected %d, got %v", 1234, val)
- }
-
- lru.Remove("myKey")
- if _, ok := lru.Get("myKey"); ok {
- t.Fatal("TestRemove returned a removed entry")
- }
-}