diff --git a/CHANGELOG.md b/CHANGELOG.md index 63461b9ca2..deab5d39dd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ ## 0.6.2 (Unreleased) -DEPRECATIONS/BREAKING CHANGES: +DEPRECATIONS/CHANGES: IMPROVEMENTS: @@ -36,7 +36,7 @@ BUG FIXES: ## 0.6.1 (August 22, 2016) -DEPRECATIONS/BREAKING CHANGES: +DEPRECATIONS/CHANGES: * Once the active node is 0.6.1, standby nodes must also be 0.6.1 in order to connect to the HA cluster. We recommend following our [general upgrade @@ -233,7 +233,7 @@ SECURITY: confusion, we have simply removed `auth/token/revoke-prefix` in 0.6, and `sys/revoke-prefix` will be meant for both leases and tokens instead. -DEPRECATIONS/BREAKING CHANGES: +DEPRECATIONS/CHANGES: * `auth/token/revoke-prefix` has been removed. See the security notice for details. [GH-1280] @@ -508,7 +508,7 @@ BUG FIXES: ## 0.5.1 (February 25th, 2016) -DEPRECATIONS/BREAKING CHANGES: +DEPRECATIONS/CHANGES: * RSA keys less than 2048 bits are no longer supported in the PKI backend. 1024-bit keys are considered unsafe and are disallowed in the Internet PKI. @@ -592,7 +592,7 @@ SECURITY: would be a denial of service against a legitimate rekey operation by sending cancel requests over and over. Thanks to Josh Snyder for the report! -DEPRECATIONS/BREAKING CHANGES: +DEPRECATIONS/CHANGES: * `s3` physical backend: Environment variables are now preferred over configuration values. This makes it behave similar to the rest of Vault, @@ -777,7 +777,7 @@ against Go 1.5.3, there are no changes from 0.4.0. ## 0.4.0 (December 10, 2015) -DEPRECATIONS/BREAKING CHANGES: +DEPRECATIONS/CHANGES: * Policy Name Casing: Policy names are now normalized to lower-case on write, helping prevent accidental case mismatches. For backwards compatibility, @@ -927,7 +927,7 @@ MISC: ## 0.3.0 (September 28, 2015) -DEPRECATIONS/BREAKING CHANGES: +DEPRECATIONS/CHANGES: Note: deprecations and breaking changes in upcoming releases are announced ahead of time on the "vault-tool" mailing list. 
diff --git a/builtin/credential/approle/path_role.go b/builtin/credential/approle/path_role.go
index d2565f4623..0b6a046684 100644
--- a/builtin/credential/approle/path_role.go
+++ b/builtin/credential/approle/path_role.go
@@ -521,8 +521,26 @@ func (b *backend) pathRoleSecretIDList(req *logical.Request, data *framework.Fie
 return logical.ListResponse(listItems), nil
 }
-// setRoleEntry grabs a write lock and stores the options on an role into the storage.
-// Also creates a reverse index from the role's RoleID to the role itself.
+// validRoleConstraints tells if the role has at least one constraint enabled
+func validRoleConstraints(role *roleStorageEntry) (bool, error) {
+if role == nil {
+return false, fmt.Errorf("nil role")
+}
+
+// At least one constraint should be enabled on the role
+switch {
+case role.BindSecretID:
+case role.BoundCIDRList != "":
+default:
+return false, fmt.Errorf("at least one constraint should be enabled on the role")
+}
+
+return true, nil
+}
+
+// setRoleEntry grabs a write lock and stores the options on an role into the
+// storage. Also creates a reverse index from the role's RoleID to the role
+// itself.
 func (b *backend) setRoleEntry(s logical.Storage, roleName string, role *roleStorageEntry, previousRoleID string) error {
 if roleName == "" {
 return fmt.Errorf("missing role name")
@@ -532,12 +550,13 @@ func (b *backend) setRoleEntry(s logical.Storage, roleName string, role *roleSto
 return fmt.Errorf("nil role")
 }
-// At least one constraint should be enabled on the role
-switch {
-case role.BindSecretID:
-case role.BoundCIDRList != "":
-default:
-return fmt.Errorf("at least one constraint should be enabled on the role")
+// Check if role constraints are properly set
+valid, err := validRoleConstraints(role)
+if err != nil {
+return err
+}
+if !valid {
+return fmt.Errorf("failed to validate role constraints")
 }
 // Create a storage entry for the role
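Review bot: validRoleConstraints in the first hunk returns a (bool, error) pair in which the bool carries no information of its own — every path yields either (false, err) or (true, nil) — so the `if !valid { return fmt.Errorf("failed to validate role constraints") }` branch added to setRoleEntry in the second hunk is unreachable, and pathRoleRead in the third hunk ends up writing `valid, _ := validRoleConstraints(role)`, discarding the one value that says why the check failed. Returning a single error keeps the rule in one place and turns both call sites into a two-line check; the rewrite below also replaces the switch with empty case bodies by a plain condition, which reads more directly. The check itself is worth keeping strict rather than advisory: with neither bind_secret_id nor bound_cidr_list set, the hunk's own error text and the upgrade note suggest such a role would presumably be reachable with nothing beyond its role_id, so the read-path warning on pre-existing roles is a useful audit signal for operators, not a cosmetic one. pathRoleRead begins before its hunk; only the tail of the function is visible here.
```go
// validRoleConstraints returns an error unless the role has at least one
// constraint (bind_secret_id or bound_cidr_list) enabled; a nil role is an error.
func validRoleConstraints(role *roleStorageEntry) error {
	if role == nil {
		return fmt.Errorf("nil role")
	}
	if !role.BindSecretID && role.BoundCIDRList == "" {
		return fmt.Errorf("at least one constraint should be enabled on the role")
	}
	return nil
}

// … unchanged: setRoleEntry preamble (missing role name / nil role checks) …
	// Refuse to persist a role that no constraint would gate.
	if err := validRoleConstraints(role); err != nil {
		return err
	}

// … unchanged: pathRoleRead body up to the response construction …
	// role is non-nil on this path, so only the "no constraint" case can fail here.
	if err := validRoleConstraints(role); err != nil {
		resp.AddWarning("Role does not have any constraints set on it. Updates to this role will require a constraint to be set")
	}
```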
@@ -743,9 +762,15 @@ func (b *backend) pathRoleRead(req *logical.Request, data *framework.FieldData)
 delete(data, "role_id")
 delete(data, "hmac_key")
-return &logical.Response{
+resp := &logical.Response{
 Data: data,
-}, nil
+}
+
+if valid, _ := validRoleConstraints(role); !valid {
+resp.AddWarning("Role does not have any constraints set on it. Updates to this role will require a constraint to be set")
+}
+
+return resp, nil
 }
 }
diff --git a/website/source/docs/install/upgrade-to-0.6.2.html.md b/website/source/docs/install/upgrade-to-0.6.2.html.md
index 24754903a2..6d1a109d14 100644
--- a/website/source/docs/install/upgrade-to-0.6.2.html.md
+++ b/website/source/docs/install/upgrade-to-0.6.2.html.md
@@ -10,3 +10,11 @@ description: |-
 This page contains the list of breaking changes for Vault 0.6.2. Please read it carefully.
+
+## AppRole Role Constraints
+
+Creating or updating a role now requires at least one constraint to be enabled.
+Currently there are only 2 constraints: `bind_secret_id` and `bound_cidr_list`.
+`bind_secret_id` is enabled by default. Roles which had `bind_secret_id`
+disabled and `bound_cidr_list` not set, will require a constraint to be
+speficied during further updates.