Merge branch 'master-oss' into entity-read-groups

CHANGELOG.md

@@ -18,6 +18,7 @@ DEPRECATIONS/CHANGES:
    a string. This better matches the API elsewhere in Vault.
 
 FEATURES:
+
  * ** RSA Support for Transit Backend**: Transit backend can now generate RSA
    keys which can be used for encryption and signing. [GH-3489]
 
@@ -50,6 +51,8 @@ BUG FIXES:
    responses when requests were forwarded to the active node [GH-3485]
  * physical/etcd3: Fix some listing issues due to how etcd3 does prefix
    matching [GH-3406]
+ * physical/etcd3: Fix case where standbys can lose their etcd client lease
+   [GH-3031]
  * physical/file: Fix listing when underscores are the first component of a
    path [GH-3476]
  * plugins: Allow response errors to be returned from backend plugins [GH-3412]

builtin/credential/aws/backend.go

@@ -99,6 +99,9 @@ func Backend(conf *logical.BackendConfig) (*backend, error) {
 			LocalStorage: []string{
 				"whitelist/identity/",
 			},
+			SealWrapStorage: []string{
+				"config/client",
+			},
 		},
 		Paths: []*framework.Path{
 			pathLogin(b),

builtin/credential/ldap/backend.go

@@ -31,6 +31,10 @@ func Backend() *backend {
 			Unauthenticated: []string{
 				"login/*",
 			},
+
+			SealWrapStorage: []string{
+				"config",
+			},
 		},
 
 		Paths: append([]*framework.Path{

builtin/credential/okta/backend.go

@@ -25,6 +25,9 @@ func Backend() *backend {
 			Unauthenticated: []string{
 				"login/*",
 			},
+			SealWrapStorage: []string{
+				"config",
+			},
 		},
 
 		Paths: append([]*framework.Path{

builtin/credential/radius/backend.go

@@ -26,6 +26,10 @@ func Backend() *backend {
 				"login",
 				"login/*",
 			},
+
+			SealWrapStorage: []string{
+				"config",
+			},
 		},
 
 		Paths: append([]*framework.Path{

builtin/logical/aws/backend.go

@@ -25,6 +25,9 @@ func Backend() *backend {
 			LocalStorage: []string{
 				framework.WALPrefix,
 			},
+			SealWrapStorage: []string{
+				"config/root",
+			},
 		},
 
 		Paths: []*framework.Path{

builtin/logical/cassandra/backend.go

@@ -25,6 +25,12 @@ func Backend() *backend {
 	b.Backend = &framework.Backend{
 		Help: strings.TrimSpace(backendHelp),
 
+		PathsSpecial: &logical.Paths{
+			SealWrapStorage: []string{
+				"config/connection",
+			},
+		},
+
 		Paths: []*framework.Path{
 			pathConfigConnection(&b),
 			pathRoles(&b),

builtin/logical/consul/backend.go

@@ -16,6 +16,12 @@ func Factory(conf *logical.BackendConfig) (logical.Backend, error) {
 func Backend() *backend {
 	var b backend
 	b.Backend = &framework.Backend{
+		PathsSpecial: &logical.Paths{
+			SealWrapStorage: []string{
+				"config/access",
+			},
+		},
+
 		Paths: []*framework.Path{
 			pathConfigAccess(),
 			pathListRoles(&b),

builtin/logical/database/backend.go

@@ -28,6 +28,12 @@ func Backend(conf *logical.BackendConfig) *databaseBackend {
 	b.Backend = &framework.Backend{
 		Help: strings.TrimSpace(backendHelp),
 
+		PathsSpecial: &logical.Paths{
+			SealWrapStorage: []string{
+				"config/*",
+			},
+		},
+
 		Paths: []*framework.Path{
 			pathListPluginConnection(&b),
 			pathConfigurePluginConnection(&b),

builtin/logical/mongodb/backend.go

@@ -24,6 +24,12 @@ func Backend() *framework.Backend {
 	b.Backend = &framework.Backend{
 		Help: strings.TrimSpace(backendHelp),
 
+		PathsSpecial: &logical.Paths{
+			SealWrapStorage: []string{
+				"config/connection",
+			},
+		},
+
 		Paths: []*framework.Path{
 			pathConfigConnection(&b),
 			pathConfigLease(&b),

builtin/logical/mssql/backend.go

@@ -24,6 +24,12 @@ func Backend() *backend {
 	b.Backend = &framework.Backend{
 		Help: strings.TrimSpace(backendHelp),
 
+		PathsSpecial: &logical.Paths{
+			SealWrapStorage: []string{
+				"config/connection",
+			},
+		},
+
 		Paths: []*framework.Path{
 			pathConfigConnection(&b),
 			pathConfigLease(&b),

builtin/logical/mysql/backend.go

@@ -24,6 +24,12 @@ func Backend() *backend {
 	b.Backend = &framework.Backend{
 		Help: strings.TrimSpace(backendHelp),
 
+		PathsSpecial: &logical.Paths{
+			SealWrapStorage: []string{
+				"config/connection",
+			},
+		},
+
 		Paths: []*framework.Path{
 			pathConfigConnection(&b),
 			pathConfigLease(&b),

builtin/logical/postgresql/backend.go

@@ -25,6 +25,12 @@ func Backend(conf *logical.BackendConfig) *backend {
 	b.Backend = &framework.Backend{
 		Help: strings.TrimSpace(backendHelp),
 
+		PathsSpecial: &logical.Paths{
+			SealWrapStorage: []string{
+				"config/connection",
+			},
+		},
+
 		Paths: []*framework.Path{
 			pathConfigConnection(&b),
 			pathConfigLease(&b),

builtin/logical/rabbitmq/backend.go

@@ -26,6 +26,12 @@ func Backend() *backend {
 	b.Backend = &framework.Backend{
 		Help: strings.TrimSpace(backendHelp),
 
+		PathsSpecial: &logical.Paths{
+			SealWrapStorage: []string{
+				"config/connection",
+			},
+		},
+
 		Paths: []*framework.Path{
 			pathConfigConnection(&b),
 			pathConfigLease(&b),

physical/etcd/etcd3.go

@@ -267,6 +267,21 @@ func (c *EtcdLock) Lock(stopCh <-chan struct{}) (<-chan struct{}, error) {
 		return nil, EtcdLockHeldError
 	}
 
+	select {
+	case _, ok := <-c.etcdSession.Done():
+		if !ok {
+			// The session's done channel is closed, so the session is over,
+			// and we need a new one
+			session, err := concurrency.NewSession(c.etcd, concurrency.WithTTL(etcd3LockTimeoutInSeconds))
+			if err != nil {
+				return nil, err
+			}
+			c.etcdSession = session
+			c.etcdMu = concurrency.NewMutex(session, c.prefix)
+		}
+	default:
+	}
+
 	ctx, cancel := context.WithCancel(context.Background())
 	go func() {
 		<-stopCh