Merge remote-tracking branch 'oss/master' into database-refactor

CHANGELOG.md

@@ -8,21 +8,43 @@ DEPRECATIONS/CHANGES:
 
 FEATURES:
 
+ * **AWS IAM Authentication**: IAM principals can get Vault tokens
+   automatically, opening AWS-based authentication to users, ECS containers,
+   Lambda instances, and more. Signed client identity information retrieved
+   using the AWS API `sts:GetCallerIdentity` is validated against the AWS STS
+   service before issuing a Vault token. This backend is unified with the
+   `aws-ec2` authentication backend, and allows additional EC2-related
+   restrictions to be applied during the IAM authentication; the previous EC2
+   behavior is also still available. [GH-2441]
  * **MSSQL Physical Backend**: You can now use Microsoft SQL Server as your
    Vault physical data store [GH-2546]
+ * **Lease Listing and Lookup**: You can now introspect a lease to get its
+   creation and expiration properties via `sys/leases/lookup`; with `sudo`
+   capability you can also list leases for lookup, renewal, or revocation via
+   that endpoint. Various lease functions (renew, revoke, revoke-prefix,
+   revoke-force) have also been relocated to `sys/leases/`, but they also work
+   at the old paths for compatibility. Reading (but not listing) leases via
+   `sys/leases/lookup` is now a part of the current `default` policy. [GH-2650]
 
 IMPROVEMENTS:
 
+ * auth/cert: Support for constraints on subject Common Name and DNS/email
+   Subject Alternate Names in certificates [GH-2595]
  * auth/ldap: Use the binding credentials to search group membership rather
    than the user credentials [GH-2534]
  * cli/revoke: Add `-self` option to allow revoking the currently active token
    [GH-2596]
+ * core: Randomizing x coordinate in Shamir shares [GH-2621]
  * secret/pki: Add `no_store` option that allows certificates to be issued
    without being stored. This removes the ability to look up and/or add to a
    CRL but helps with scaling to very large numbers of certificates. [GH-2565]
  * secret/pki: If used with a role parameter, the `sign-verbatim/<role>`
    endpoint honors the values of `generate_lease`, `no_store`, `ttl` and
    `max_ttl` from the given role [GH-2593]
+ * secret/pki: Add role parameter `allow_glob_domains` that enables defining
+   names in `allowed_domains` containing `*` glob patterns [GH-2517]
+ * secret/pki: Update certificate storage to not use characters that are not
+   supported on some filesystems [GH-2575]
  * storage/etcd3: Add `discovery_srv` option to query for SRV records to find
    servers [GH-2521]
  * storage/s3: Support `max_parallel` option to limit concurrent outstanding
@@ -35,6 +57,8 @@ BUG FIXES:
  * api: Respect a configured path in Vault's address [GH-2588]
  * auth/aws-ec2: New bounds added as criteria to allow role creation [GH-2600]
  * auth/ldap: Don't lowercase groups attached to users [GH-2613]
+ * cli: Don't panic if `vault write` is used with the `force` flag but no path
+   [GH-2674]
  * secret/mssql: Update mssql driver to support queries with colons [GH-2610]
  * secret/pki: Don't lowercase O/OU values in certs [GH-2555]
  * secret/pki: Don't attempt to validate IP SANs if none are provided [GH-2574]

builtin/credential/approle/path_role_test.go

@@ -104,7 +104,7 @@ func TestAppRole_RoleConstraints(t *testing.T) {
 	roleData["bind_secret_id"] = false
 	resp, err = b.HandleRequest(roleReq)
 	if resp != nil && resp.IsError() {
-		t.Fatalf("resp:%#v", err, resp)
+		t.Fatalf("err:%v, resp:%#v", err, resp)
 	}
 	if err == nil {
 		t.Fatalf("expected an error")
@@ -433,7 +433,7 @@ func TestAppRole_RoleSecretIDAccessorReadDelete(t *testing.T) {
 	hmacReq.Operation = logical.ReadOperation
 	resp, err = b.HandleRequest(hmacReq)
 	if resp != nil && resp.IsError() {
-		t.Fatalf("error response:%#v", err, resp)
+		t.Fatalf("err:%v resp:%#v", err, resp)
 	}
 	if err == nil {
 		t.Fatalf("expected an error")

builtin/credential/approle/validation.go

@@ -352,7 +352,7 @@ func (b *backend) nonLockedSecretIDStorageEntry(s logical.Storage, roleNameHMAC,
 
 	if persistNeeded {
 		if err := b.nonLockedSetSecretIDStorageEntry(s, roleNameHMAC, secretIDHMAC, &result); err != nil {
-			return nil, fmt.Errorf("failed to upgrade role storage entry", err)
+			return nil, fmt.Errorf("failed to upgrade role storage entry %s", err)
 		}
 	}
 

builtin/credential/aws-ec2/backend.go → builtin/credential/aws/backend.go

@@ -1,4 +1,4 @@
-package awsec2
+package awsauth
 
 import (
 	"sync"