pkgsrc-WIP-changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

vault: Update to 1.2.2

Module Name:	pkgsrc-wip
Committed By:	Iku Iwasa <>
Pushed By:	iquiw
Date:		Sun Sep 8 10:01:05 2019 +0900
Changeset:	13a687bd16f0d84e4344c7ad7334ae6fa23a949f

Modified Files:
Added Files:

Log Message:
vault: Update to 1.2.2

1.2.2 (August 15, 2019)


* auth/pcf: The signature format has been updated to use the standard
  Base64 encoding instead of the URL-safe variant. Signatures created using
  the previous format will continue to be accepted [PCF-27]
* core: The http response code returned when an identity token key is not
  found has been changed from 400 to 404


* identity: Remove 512 entity limit for groups [GH-7317]


* auth/approle: Fix an error where an empty token_type string was not being
  correctly handled as TokenTypeDefault [GH-7273]
* auth/radius: Fix panic when logging in [GH-7286]
* ui: the string-list widget will now honor multiline input [GH-7254]
* ui: various visual bugs in the KV interface were addressed [GH-7307]
* ui: fixed incorrect URL to access help in LDAP auth [GH-7299]

1.2.1 (August 6th, 2019)


* agent: Fix a panic on creds pulling in some error conditions in aws and
  alicloud auth methods [GH-7238]
* auth/approle: Fix error reading role-id on a role created pre-1.2
* auth/token: Fix sudo check in non-root namespaces on create [GH-7224]
* core: Fix health checks with perfstandbyok=true returning the wrong
  status code [GH-7240]
* ui: The web CLI will now parse input as a shell string, with special
  characters escaped [GH-7206]
* ui: The UI will now redirect to a page after authentication [GH-7088]
* ui (Enterprise): The list of namespaces is now cleared when logging out

1.2.0 (July 30th, 2019)


* Token store roles use new, common token fields for the values that
  overlap with other auth backends. period, explicit_max_ttl, and bound_cidrs
  will continue to work, with priority being given to the token_ prefixed
  versions of those parameters. They will also be returned when doing a read
  on the role if they were used to provide values initially; however, in
  Vault 1.4 if period or explicit_max_ttl is zero they will no longer be
  returned. (explicit_max_ttl was already not returned if empty.)
* Due to underlying changes in Go version 1.12 and Go > 1.11.5, Vault is
  now stricter about what characters it will accept in path names. Whereas
  before it would filter out unprintable characters (and this could be turned
  off), control characters and other invalid characters are now rejected
  within Go's HTTP library before the request is passed to Vault, and this
  cannot be disabled. To continue using these (e.g. for already-written
  paths), they must be properly percent-encoded (e.g. \r becomes %0D, \x00
  becomes %00, and so on).
* The user-configured regions on the AWSKMS seal stanza will now be
  preferred over regions set in the enclosing environment. This is a breaking
* All values in audit logs now are omitted if they are empty. This helps
  reduce the size of audit log entries by not reproducing keys in each entry
  that commonly don't contain any value, which can help in cases where audit
  log entries are above the maximum UDP packet size and others.
* Both PeriodicFunc and WALRollback functions will be called if both are
  provided. Previously WALRollback would only be called if PeriodicFunc was
  not set. See GH-6717 for details.
* Vault now uses Go's official dependency management system, Go Modules, to
  manage dependencies. As a result to both reduce transitive dependencies for
  API library users and plugin authors, and to work around various conflicts,
  we have moved various helpers around, mostly under an sdk/ submodule. A
  couple of functions have also moved from plugin helper code to the api/
  submodule. If you are a plugin author, take a look at some of our official
  plugins and the paths they are importing for guidance.
* AppRole uses new, common token fields for values that overlap with other
  auth backends. period and policies will continue to work, with priority
  being given to the token_ prefixed versions of those parameters. They will
  also be returned when doing a read on the role if they were used to provide
  values initially.
* In AppRole, "default" is no longer automatically added to the policies
  parameter. This was a no-op since it would always be added anyways by
  Vault's core; however, this can now be explicitly disabled with the new
  token_no_default_policy field.
* In AppRole, bound_cidr_list is no longer returned when reading a role
* rollback: Rollback will no longer display log messages when it runs; it
  will only display messages on error.
* Database plugins will now default to 4 max_open_connections rather than 2.


* Integrated Storage: Vault 1.2 includes a tech preview of a new way to
  manage storage directly within a Vault cluster. This new integrated storage
  solution is based on the Raft protocol which is also used to back HashiCorp
  Consul and HashiCorp Nomad.
* Combined DB credential rotation: Alternative mode for the Combined DB
  Secret Engine to automatically rotate existing database account credentials
  and set Vault as the source of truth for credentials.
* Identity Tokens: Vault's Identity system can now generate OIDC-compliant
  ID tokens. These customizable tokens allow encapsulating a signed,
  verifiable snapshot of identity information and metadata. They can be use
  by other applications—even those without Vault authorization—as a way of
  establishing identity based on a Vault entity.
* Pivotal Cloud Foundry plugin: New auth method using Pivotal Cloud Foundry
  certificates for Vault authentication.
* ElasticSearch database plugin: New ElasticSearch database plugin issues
  unique, short-lived ElasticSearch credentials.
* New UI Features: An HTTP Request Volume Page and new UI for editing LDAP
  Users and Groups have been added.
* HA support for Postgres: PostgreSQL versions >= 9.5 may now but used as
  and HA storage backend.
* KMIP secrets engine (Enterprise): Allows Vault to operate as a KMIP
  Server, seamlessly brokering cryptographic operations for traditional
* Common Token Fields: Auth methods now use common fields for controlling
  token behavior, making it easier to understand configuration across
* Vault API explorer: The Vault UI now includes an embedded API explorer
  where you can browse the endpoints avaliable to you and make requests. To
  try it out, open the Web CLI and type api.


* agent: Allow EC2 nonce to be passed in [GH-6953]
* agent: Add optional namespace parameter, which sets the default namespace
  for the auto-auth functionality [GH-6988]
* agent: Add cert auto-auth method [GH-6652]
* api: Add support for passing data to delete operations via DeleteWithData
* audit/file: Dramatically speed up file operations by changing
  locking/marshaling order [GH-7024]
* auth/jwt: A JWKS endpoint may now be configured for signature
  verification [JWT-43]
* auth/jwt: A new verbose_oidc_logging role parameter has been added to
  help troubleshoot OIDC configuration [JWT-57]
* auth/jwt: bound_claims will now match received claims that are lists if
  any element of the list is one of the expected values [JWT-50]
* auth/jwt: Leeways for nbf and exp are now configurable, as is clock skew
  leeway [JWT-53]
* auth/kubernetes: Allow service names/namespaces to be configured as globs
* auth/token: Allow the support of the identity system for the token
  backend via token roles [GH-6267]
* auth/token: Add a large set of token configuration options to token store
  roles [GH-6662]
* cli: path-help now allows -format=json to be specified, which will output
  OpenAPI [GH-7006]
* cli: Add support for passing parameters to vault delete operations
* cli: Add a log-format CLI flag that can specify either "standard" or
  "json" for the log format for the vault servercommand. [GH-6840]
* cli: Add -dev-no-store-token to allow dev servers to not store the
  generated token at the tokenhelper location [GH-7104]
* identity: Allow a group alias' canonical ID to be modified
* namespaces: Namespaces can now be created and deleted from performance
  replication secondaries
* plugins: Change the default for max_open_connections for DB plugins to 4
* replication: Client TLS authentication is now supported when enabling or
  updating a replication secondary
* secrets/database: Cassandra operations will now cancel on client timeout
* secrets/kv: Add optional delete_version_after parameter, which takes a
  duration and can be set on the mount and/or the metadata for a specific key
* storage/postgres: LIST now performs better on large datasets [GH-6546]
* storage/s3: A new path parameter allows selecting the path within a
  bucket for Vault data [GH-7157]
* ui: KV v1 and v2 will now gracefully degrade allowing a write without
  read workflow in the UI [GH-6570]
* ui: Many visual improvements with the addition of Toolbars [GH-6626], the
  restyling of the Confirm Action component [GH-6741], and using a new set of
  glyphs for our Icon component [GH-6736]
* ui: Lazy loading parts of the application so that the total initial
  payload is smaller [GH-6718]
* ui: Tabbing to auto-complete in filters will first complete a common
  prefix if there is one [GH-6759]
* ui: Removing jQuery from the application makes the initial JS payload
  smaller [GH-6768]


* audit: Log requests and responses due to invalid wrapping token provided
* audit: Fix bug preventing request counter queries from working with
  auditing enabled [GH-6767
* auth/aws: AWS Roles are now upgraded and saved to the latest version just
  after the AWS credential plugin is mounted. [GH-7025]
* auth/aws: Fix a case where a panic could stem from a malformed
  assumed-role ARN when parsing this value [GH-6917]
* auth/aws: Fix an error complaining about a read-only view that could
  occur during updating of a role when on a performance replication secondary
* auth/jwt: Fix a regression introduced in 1.1.1 that disabled checking of
  client_id for OIDC logins [JWT-54]
* auth/jwt: Fix a panic during OIDC CLI logins that could occur if the
  Vault server response is empty [JWT-55]
* auth/jwt: Fix issue where OIDC logins might intermittently fail when
  using performance standbys [JWT-61]
* identity: Fix a case where modifying aliases of an entity could end up
  moving the entity into the wrong namespace
* namespaces: Fix a behavior (currently only known to be benign) where we
  wouldn't delete policies through the official functions before wiping the
  namespaces on deletion
* secrets/pki: Forward revocation requests to active node when on a
  performance standby [GH-7173]
* ui: Fix timestamp on some transit keys [GH-6827]
* ui: Show Entities and Groups in Side Navigation [GH-7138]
* ui: Ensure dropdown updates selected item on HTTP Request Metrics page
* secret/database: Escape username/password before using in connection URL

To see a diff of this commit:;a=commitdiff;h=13a687bd16f0d84e4344c7ad7334ae6fa23a949f

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

 vault/Makefile                                         |  2 +-
 vault/distinfo                                         | 10 ++++++----
 ...om_ory_dockertest_docker_pkg_system_stat__netbsd.go | 18 ++++++++++++++++++
 ....com_ory_dockertest_docker_pkg_term_termios__bsd.go | 10 ++++++++++
 4 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/vault/Makefile b/vault/Makefile
index c2fcc234b6..31cc457ac8 100644
--- a/vault/Makefile
+++ b/vault/Makefile
@@ -1,6 +1,6 @@
 # $NetBSD$
-DISTNAME=	vault-1.1.5
+DISTNAME=	vault-1.2.2
 CATEGORIES=	security
diff --git a/vault/distinfo b/vault/distinfo
index 942034621d..30eead79d8 100644
--- a/vault/distinfo
+++ b/vault/distinfo
@@ -1,6 +1,8 @@
-SHA1 (vault-1.1.5.tar.gz) = 9aafc892bb8c4b9b646f37a6817ce65a95903067
-RMD160 (vault-1.1.5.tar.gz) = 2f6fdcef84eef9159586a4a3ea88449857cc2f56
-SHA512 (vault-1.1.5.tar.gz) = e93d5f65862c649671495b54588a304b5edcb764dadfdb25f7d5c410a71c14cdff3581ed5422618b5609cb3c429c1641945c2c87e0c75972c08bd4cbc9683387
-Size (vault-1.1.5.tar.gz) = 26032926 bytes
+SHA1 (vault-1.2.2.tar.gz) = 1d6904980f0e02ef09d8a74fc4b7a8080af8e0be
+RMD160 (vault-1.2.2.tar.gz) = f51bab81cae7b5951ca48ae7249cecf9bb787c42
+SHA512 (vault-1.2.2.tar.gz) = ce9211b3deb1839759646f8488fe2b89fec379bafed472921a62cd507f842ed05647fe4da7cb9482d195b028a29eb576f947da24aecd8b19181c7282fd3a155d
+Size (vault-1.2.2.tar.gz) = 27588019 bytes
+SHA1 (patch-vendor_github.com_ory_dockertest_docker_pkg_system_stat__netbsd.go) = ae03a0790d6cebaca808db07f55ac3c34539329a
+SHA1 (patch-vendor_github.com_ory_dockertest_docker_pkg_term_termios__bsd.go) = d13fe7d333f1b892de6d385acc53482d268dd474
diff --git a/vault/patches/patch-vendor_github.com_ory_dockertest_docker_pkg_system_stat__netbsd.go b/vault/patches/patch-vendor_github.com_ory_dockertest_docker_pkg_system_stat__netbsd.go
new file mode 100644
index 0000000000..9adea9a664
--- /dev/null
+++ b/vault/patches/patch-vendor_github.com_ory_dockertest_docker_pkg_system_stat__netbsd.go
@@ -0,0 +1,18 @@
+--- vendor/	2019-09-08 00:43:25.064582087 +0000
++++ vendor/
+@@ -0,0 +1,13 @@
++package system // import ""
++import "syscall"
++// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
++func fromStatT(s *syscall.Stat_t) (*StatT, error) {
++	return &StatT{size: s.Size,
++		mode: uint32(s.Mode),
++		uid:  s.Uid,
++		gid:  s.Gid,
++		rdev: uint64(s.Rdev),
++		mtim: s.Mtimespec}, nil
diff --git a/vault/patches/patch-vendor_github.com_ory_dockertest_docker_pkg_term_termios__bsd.go b/vault/patches/patch-vendor_github.com_ory_dockertest_docker_pkg_term_termios__bsd.go
new file mode 100644
index 0000000000..c17a62ef76
--- /dev/null
+++ b/vault/patches/patch-vendor_github.com_ory_dockertest_docker_pkg_term_termios__bsd.go
@@ -0,0 +1,10 @@
+--- vendor/	2019-08-14 23:03:48.000000000 +0000
++++ vendor/
+@@ -1,4 +1,4 @@
+-// +build darwin freebsd openbsd
++// +build darwin freebsd openbsd netbsd
+ package term // import ""

Home | Main Index | Thread Index | Old Index