CVS commit: pkgsrc/security/vault

["Havard Eidnes" <he%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   he
Date:           Tue Jan  5 11:02:51 UTC 2021

Modified Files:
        pkgsrc/security/vault: Makefile distinfo
        pkgsrc/security/vault/patches:
            patch-vendor_github.com_docker_docker_client_client__unix.go

Log Message:
Upgrade vault to version 1.6.1:

Pkgsrc changes:
 * Added a patch to cope with docker client default settings (build
   also on NetBSD)

Upstream changes:

1.6.1
=====
December 16, 2020

SECURITY:
 * LDAP Auth Method: We addressed an issue where error messages
   returned by the LDAP auth methold allowed user enumeration
   [GH-10537]. This vulnerability affects Vault OSS and Vault Enterprise
   and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177).
 * Sentinel EGP: We've fixed incorrect handling of namespace paths
   to prevent users within namespaces from applying Sentinel EGP
   policies to paths above their namespace. This vulnerability
   affects Vault Enterprise and is fixed in 1.5.6 and 1.6.1
   (CVE-2020-35453).

IMPROVEMENTS:
 * auth/ldap: Improve consistency in error messages [GH-10537]
 * core/metrics: Added "vault operator usage" command. [GH-10365]
 * secrets/gcp: Truncate ServiceAccount display names longer than
   100 characters. [GH-10558]

BUG FIXES:
 * agent: Only set the namespace if the VAULT_NAMESPACE env var
   isn't present [GH-10556]
 * auth/jwt: Fixes bound_claims validation for provider-specific
   group and user info fetching. [GH-10546]
 * core (enterprise): Vault EGP policies attached to path * were
   not correctly scoped to the namespace.
 * core: Avoid deadlocks by ensuring that if grabLockOrStop returns
   stopped=true, the lock will not be held. [GH-10456]
 * core: Fix client.Clone() to include the address [GH-10077]
 * core: Fix rate limit resource quota migration from 1.5.x to
   1.6.x by ensuring purgeInterval and staleAge are set appropriately.
   [GH-10536]
 * core: Make all APIs that report init status consistent, and make
   them report initialized=true when a Raft join is in progress.
   [GH-10498]
 * secrets/database/influxdb: Fix issue where not all errors from
   InfluxDB were being handled [GH-10384]
 * secrets/database/mysql: Fixes issue where the DisplayName within
   generated usernames was the incorrect length [GH-10433]
 * secrets/database: Sanitize private_key field when reading database
   plugin config [GH-10416]
 * secrets/transit: allow for null string to be used for optional
   parameters in encrypt and decrypt [GH-10386]
 * storage/raft (enterprise): The parameter aws_s3_server_kms_key
   was misnamed and didn't work. Renamed to aws_s3_kms_key, and
   make it work so that when provided the given key will be used
   to encrypt the snapshot using AWS KMS.
 * transform (enterprise): Fix bug tokenization handling metadata
   on exportable stores
 * transform (enterprise): Fix transform configuration not handling
   stores parameter on the legacy path
 * transform (enterprise): Make expiration timestamps human readable
 * transform (enterprise): Return false for invalid tokens on the
   validate endpoint rather than returning an HTTP error
 * transform (enterprise): Fix bug where tokenization store changes
   are persisted but don't take effect
 * ui: Fix bug in Transform secret engine when a new role is added
   and then removed from a transformation [GH-10417]
 * ui: Fix footer URL linking to the correct version changelog.
   [GH-10491]
 * ui: Fox radio click on secrets and auth list pages. [GH-10586]

1.6.0
=====
November 11th, 2020

NOTE:

Binaries for 32-bit macOS (i.e. the darwin_386 build) will no longer
be published. This target was dropped in the latest version of the
Go compiler.

CHANGES:
 * agent: Agent now properly returns a non-zero exit code on error,
   such as one due to template rendering failure. Using
   error_on_missing_key in the template config will cause agent to
   immediately exit on failure. In order to make agent properly
   exit due to continuous failure from template rendering errors,
   the old behavior of indefinitely restarting the template server
   is now changed to exit once the default retry attempt of 12
   times (with exponential backoff) gets exhausted. [GH-9670]
 * token: Periodic tokens generated by auth methods will have the
   period value stored in its token entry. [GH-7885]
 * core: New telemetry metrics reporting mount table size and number
   of entries [GH-10201]
 * go: Updated Go version to 1.15.4 [GH-10366]

FEATURES:
 * Couchbase Secrets: Vault can now manage static and dynamic
   credentials for Couchbase. [GH-9664]
 * Expanded Password Policy Support: Custom password policies are
   now supported for all database engines.
 * Integrated Storage Auto Snapshots (Enterprise): This feature
   enables an operator to schedule snapshots of the integrated
   storage backend and ensure those snapshots are persisted elsewhere.
 * Integrated Storage Cloud Auto Join: This feature for integrated
   storage enables Vault nodes running in the cloud to automatically
   discover and join a Vault cluster via operator-supplied metadata.
 * Key Management Secrets Engine (Enterprise; Tech Preview): This
   new secret engine allows securely distributing and managing keys
   to Azure cloud KMS services.
 * Seal Migration: With Vault 1.6, we will support migrating from
   an auto unseal mechanism to a different mechanism of the same
   type. For example, if you were using an AWS KMS key to automatically
   unseal, you can now migrate to a different AWS KMS key.
 * Tokenization (Enterprise; Tech Preview): Tokenization supports
   creating irreversible "tokens" from sensitive data. Tokens can
   be used in less secure environments, protecting the original
   data.
 * Vault Client Count: Vault now counts the number of active entities
   (and non-entity tokens) per month and makes this information
   available via the "Metrics" section of the UI.

IMPROVEMENTS:
 * auth/approle: Role names can now be referenced in templated
   policies through the approle.metadata.role_name property [GH-9529]
 * auth/aws: Improve logic check on wildcard BoundIamPrincipalARNs
   and include role name on error messages on check failure [GH-10036]
 * auth/jwt: Add support for fetching groups and user information
   from G Suite during authentication. [GH-123]
 * auth/jwt: Adding EdDSA (ed25519) to supported algorithms [GH-129]
 * auth/jwt: Improve cli authorization error [GH-137]
 * auth/jwt: Add OIDC namespace_in_state option [GH-140]
 * secrets/transit: fix missing plaintext in bulk decrypt response [GH-9991]
 * command/server: Delay informational messages in -dev mode until
   logs have settled. [GH-9702]
 * command/server: Add environment variable support for disable_mlock.
   [GH-9931]
 * core/metrics: Add metrics for storage cache [GH_10079]
 * core/metrics: Add metrics for leader status [GH 10147]
 * physical/azure: Add the ability to use Azure Instance Metadata
   Service to set the credentials for Azure Blob storage on the
   backend. [GH-10189]
 * sdk/framework: Add a time type for API fields. [GH-9911]
 * secrets/database: Added support for password policies to all
   databases [GH-9641, and more]
 * secrets/database/cassandra: Added support for static credential
   rotation [GH-10051]
 * secrets/database/elasticsearch: Added support for static credential
   rotation [GH-19]
 * secrets/database/hanadb: Added support for root credential &
   static credential rotation [GH-10142]
 * secrets/database/hanadb: Default password generation now includes
   dashes. Custom statements may need to be updated to include
   quotes around the password field [GH-10142]
 * secrets/database/influxdb: Added support for static credential
   rotation [GH-10118]
 * secrets/database/mongodbatlas: Added support for root credential
   rotation [GH-14]
 * secrets/database/mongodbatlas: Support scopes field in creations
   statements for MongoDB Atlas database plugin [GH-15]
 * seal/awskms: Add logging during awskms auto-unseal [GH-9794]
 * storage/azure: Update SDK library to use azure-storage-blob-go
   since previous library has been deprecated. [GH-9577]
 * secrets/ad: rotate-root now supports POST requests like other
   secret engines [GH-70]
 * ui: Add ui functionality for the Transform Secret Engine [GH-9665]
 * ui: Pricing metrics dashboard [GH-10049]

BUG FIXES:
 * auth/jwt: Fix bug preventing config edit UI from rendering [GH-141]
 * cli: Don't open or overwrite a raft snapshot file on an unsuccessful
   vault operator raft snapshot [GH-9894]
 * core: Implement constant time version of shamir GF(2^8) math [GH-9932]
 * core: Fix resource leak in plugin API (plugin-dependent, not
   all plugins impacted) [GH-9557]
 * core: Fix race involved in enabling certain features via a
   license change
 * core: Fix error handling in HCL parsing of objects with invalid
   syntax [GH-410]
 * identity: Check for timeouts in entity API [GH-9925]
 * secrets/database: Fix handling of TLS options in mongodb connection
   strings [GH-9519]
 * secrets/gcp: Ensure that the IAM policy version is appropriately
   set after a roleset's bindings have changed. [GH-93]
 * ui: Mask LDAP bindpass while typing [GH-10087]
 * ui: Update language in promote dr modal flow [GH-10155]
 * ui: Update language on replication primary dashboard for clarity
   [GH-10205]
 * core: Fix bug where updating an existing path quota could
   introduce a conflict. [GH-10285]

1.5.6
=====
December 16, 2020

SECURITY:
 * LDAP Auth Method: We addressed an issue where error messages
   returned by the LDAP auth methold allowed user enumeration
   [GH-10537]. This vulnerability affects Vault OSS and Vault
   Enterprise and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177).
 * Sentinel EGP: We've fixed incorrect handling of namespace paths
   to prevent users within namespaces from applying Sentinel EGP
   policies to paths above their namespace. This vulnerability
   affects Vault Enterprise and is fixed in 1.5.6 and 1.6.1.

IMPROVEMENTS:
 * auth/ldap: Improve consistency in error messages [GH-10537]

BUG FIXES:
 * core (enterprise): Vault EGP policies attached to path * were
   not correctly scoped to the namespace.
 * core: Fix bug where updating an existing path quota could
   introduce a conflict [GH-10285]
 * core: Fix client.Clone() to include the address [GH-10077]
 * quotas (enterprise): Reset cache before loading quotas in the
   db during startup
 * secrets/transit: allow for null string to be used for optional
   parameters in encrypt and decrypt [GH-10386]

1.5.5
=====
October 21, 2020

IMPROVEMENTS:
 * auth/aws, core/seal, secret/aws: Set default IMDS timeouts to
   match AWS SDK [GH-10133]

BUG FIXES:
 * auth/aws: Restrict region selection when in the aws-us-gov
   partition to avoid IAM errors [GH-9947]
 * core (enterprise): Allow operators to add and remove (Raft)
   peers in a DR secondary cluster using Integrated Storage.
 * core (enterprise): Add DR operation token to the remove peer
   API and CLI command (when DR secondary).
 * core (enterprise): Fix deadlock in handling EGP policies
 * core (enterprise): Fix extraneous error messages in DR Cluster
 * secrets/mysql: Conditionally overwrite TLS parameters for MySQL
   secrets engine [GH-9729]
 * secrets/ad: Fix bug where password_policy setting was not using
   correct key when ad/config was read [GH-71]
 * ui: Fix issue with listing roles and methods on the same auth
   methods with different names [GH-10122]

1.5.4
=====
September 24th, 2020

SECURITY:
 * Batch Token Expiry: We addressed an issue where batch token
   leases could outlive their TTL because we were not scheduling
   the expiration time correctly. This vulnerability affects Vault
   OSS and Vault Enterprise 1.0 and newer and is fixed in 1.4.7
   and 1.5.4 (CVE-2020-25816).

IMPROVEMENTS:
 * secrets/pki: Handle expiration of a cert not in storage as a
   success [GH-9880]
 * auth/kubernetes: Add an option to disable defaulting to the
   local CA cert and service account JWT when running in a Kubernetes
   pod [GH-97]
 * secrets/gcp: Add check for 403 during rollback to prevent repeated
   deletion calls [GH-97]
 * core: Disable usage metrics collection on performance standby
   nodes. [GH-9966]
 * credential/aws: Added X-Amz-Content-Sha256 as a default STS
   request header [GH-10009]

BUG FIXES:
 * agent: Fix disable_fast_negotiation not being set on the auth
   method when configured by user. [GH-9892]
 * core (enterprise): Fix hang when cluster-wide plugin reload
   cleanup is slow on unseal
 * core (enterprise): Fix an error in cluster-wide plugin reload
   cleanup following such a reload
 * core: Fix crash when metrics collection encounters zero-length
   keys in KV store [GH-9811]
 * mfa (enterprise): Fix incorrect handling of PingID responses
   that could result in auth requests failing
 * replication (enterprise): Improve race condition when using a
   newly created token on a performance standby node
 * replication (enterprise): Only write failover cluster addresses
   if they've changed
 * ui: fix bug where dropdown for identity/entity management is not
   reflective of actual policy [GH-9958]


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.60 pkgsrc/security/vault/Makefile
cvs rdiff -u -r1.24 -r1.25 pkgsrc/security/vault/distinfo
cvs rdiff -u -r1.1 -r1.2 \
    pkgsrc/security/vault/patches/patch-vendor_github.com_docker_docker_client_client__unix.go

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/vault/Makefile
diff -u pkgsrc/security/vault/Makefile:1.59 pkgsrc/security/vault/Makefile:1.60
--- pkgsrc/security/vault/Makefile:1.59 Fri Nov 13 19:26:21 2020
+++ pkgsrc/security/vault/Makefile      Tue Jan  5 11:02:51 2021
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.59 2020/11/13 19:26:21 bsiegert Exp $
+# $NetBSD: Makefile,v 1.60 2021/01/05 11:02:51 he Exp $
 
-DISTNAME=      vault-1.5.3
-PKGREVISION=   3
+DISTNAME=      vault-1.6.1
 CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=hashicorp/}
 
@@ -11,9 +10,12 @@ COMMENT=     Tool for managing secrets
 LICENSE=       mpl-2.0
 
 GITHUB_TAG=    v${PKGVERSION_NOREV}
+WORKSRC=       ${PKGNAME}
 
-GO_DIST_BASE=  ${DISTNAME}
-GO_SRCPATH=    github.com/hashicorp/vault
+GO_DIST_BASE=          ${DISTNAME}
+GO_SRCPATH=            github.com/hashicorp/vault
+# no "..." suffix here, triggered upstream ticket #10330 and #10638
+GO_BUILD_PATTERN=      ${GO_SRCPATH}/
 
 USE_TOOLS+=            bash gmake
 

Index: pkgsrc/security/vault/distinfo
diff -u pkgsrc/security/vault/distinfo:1.24 pkgsrc/security/vault/distinfo:1.25
--- pkgsrc/security/vault/distinfo:1.24 Thu Sep 10 22:10:59 2020
+++ pkgsrc/security/vault/distinfo      Tue Jan  5 11:02:51 2021
@@ -1,11 +1,11 @@
-$NetBSD: distinfo,v 1.24 2020/09/10 22:10:59 he Exp $
+$NetBSD: distinfo,v 1.25 2021/01/05 11:02:51 he Exp $
 
-SHA1 (vault-1.5.3.tar.gz) = ca11b81ffe657004023bd0388665bfe35ffe5962
-RMD160 (vault-1.5.3.tar.gz) = ad3b62e2e799c326dea17ea152b1a3b149fc10ea
-SHA512 (vault-1.5.3.tar.gz) = 2eaeabf939c20e914319f0038f7b2cea219618a5f830a7d250f4de447b1b7e9fab9fee611752fcd26086b67c3b5e32f403a88d4e7da1d94f34570e1a210bc4f8
-Size (vault-1.5.3.tar.gz) = 35123873 bytes
+SHA1 (vault-1.6.1.tar.gz) = 07853752d3b1a63f6b379a75b950ebdcb976da3d
+RMD160 (vault-1.6.1.tar.gz) = 649f268fda28ac0b4e1d092e984898b957e6e14e
+SHA512 (vault-1.6.1.tar.gz) = 3dd272b5ca6b2858ab9c65a1abcf25bfd01d554c8f8c380ab1384c216bf14f9719ae0947f764cd7a08688899b7e5805e3ce2a96086772035abe54012b5f4ea72
+Size (vault-1.6.1.tar.gz) = 39080880 bytes
 SHA1 (patch-scripts_gen__openapi.sh) = 1ad66480ef135adec05f58b088440e0bec6b4ab8
-SHA1 (patch-vendor_github.com_docker_docker_client_client__unix.go) = d9c6e3556519ae5ea419822a9b4c183461b033a7
+SHA1 (patch-vendor_github.com_docker_docker_client_client__unix.go) = 86d985a6aac6b0eaaf6bdc3b1e4a7e2d17454a6a
 SHA1 (patch-vendor_github.com_docker_docker_pkg_system_stat__netbsd.go) = 09c2f699b37fcb2ea05ca0df270359426a0629b7
 SHA1 (patch-vendor_github.com_ory_dockertest_docker_pkg_system_stat__netbsd.go) = 6bdcd546eb5ac7354d4bbe8abbb91cc000378101
 SHA1 (patch-vendor_github.com_ory_dockertest_docker_pkg_term_tc.go) = c88c7ade723612ec994fa0b53d6a08f3491226f8

Index: pkgsrc/security/vault/patches/patch-vendor_github.com_docker_docker_client_client__unix.go
diff -u pkgsrc/security/vault/patches/patch-vendor_github.com_docker_docker_client_client__unix.go:1.1 pkgsrc/security/vault/patches/patch-vendor_github.com_docker_docker_client_client__unix.go:1.2
--- pkgsrc/security/vault/patches/patch-vendor_github.com_docker_docker_client_client__unix.go:1.1      Thu Sep 10 22:10:59 2020
+++ pkgsrc/security/vault/patches/patch-vendor_github.com_docker_docker_client_client__unix.go  Tue Jan  5 11:02:51 2021
@@ -1,12 +1,12 @@
-$NetBSD: patch-vendor_github.com_docker_docker_client_client__unix.go,v 1.1 2020/09/10 22:10:59 he Exp $
+$NetBSD: patch-vendor_github.com_docker_docker_client_client__unix.go,v 1.2 2021/01/05 11:02:51 he Exp $
 
 Build this also on NetBSD.
 
---- vendor/github.com/docker/docker/client/client_unix.go.orig 2020-08-26 22:40:59.000000000 +0000
+--- vendor/github.com/docker/docker/client/client_unix.go.orig 2020-11-02 20:22:40.000000000 +0000
 +++ vendor/github.com/docker/docker/client/client_unix.go
 @@ -1,4 +1,4 @@
--// +build linux freebsd openbsd darwin solaris illumos
-+// +build linux freebsd openbsd darwin solaris illumos netbsd
+-// +build linux freebsd openbsd darwin
++// +build linux freebsd openbsd darwin netbsd
  
  package client // import "github.com/docker/docker/client"