diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/lifetime_watcher.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/lifetime_watcher.go index 5c060e5a1..4bc1390b9 100644 --- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/lifetime_watcher.go +++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/lifetime_watcher.go @@ -6,6 +6,7 @@ package api import ( "errors" "math/rand" + "strings" "sync" "time" @@ -31,6 +32,7 @@ var ( DefaultRenewerRenewBuffer = 5 ) +//go:generate enumer -type=RenewBehavior -trimprefix=RenewBehavior type RenewBehavior uint const ( @@ -288,12 +290,18 @@ func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool, switch { case nonRenewable || r.renewBehavior == RenewBehaviorRenewDisabled: // Can't or won't renew, just keep the same expiration so we exit - // when it's reauthentication time + // when it's re-authentication time remainingLeaseDuration = fallbackLeaseDuration default: // Renew the token renewal, err = renew(credString, r.increment) + if err != nil && strings.Contains(err.Error(), "permission denied") { + // We can't renew since the token doesn't have permission to. Fall back + // to the code path for non-renewable tokens. + nonRenewable = true + continue + } if err != nil || renewal == nil || (tokenMode && renewal.Auth == nil) { if r.renewBehavior == RenewBehaviorErrorOnErrors { if err != nil { @@ -349,8 +357,11 @@ func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool, if errorBackoff == nil { sleepDuration = r.calculateSleepDuration(remainingLeaseDuration, priorDuration) - } else if errorBackoff.NextBackOff() == backoff.Stop { - return err + } else { + sleepDuration = errorBackoff.NextBackOff() + if sleepDuration == backoff.Stop { + return err + } } // remainingLeaseDuration becomes the priorDuration for the next loop diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/plugin_helpers.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/plugin_helpers.go index 5d2593668..d330478f5 100644 --- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/plugin_helpers.go +++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/plugin_helpers.go @@ -13,7 +13,8 @@ import ( "net/url" "os" - "github.com/go-jose/go-jose/v3/jwt" + jose "github.com/go-jose/go-jose/v4" + "github.com/go-jose/go-jose/v4/jwt" "github.com/hashicorp/errwrap" ) @@ -40,6 +41,11 @@ const ( // PluginUnwrapTokenEnv is the ENV name used to pass unwrap tokens to the // plugin. PluginUnwrapTokenEnv = "VAULT_UNWRAP_TOKEN" + + // CubbyHoleJWTSignatureAlgorithm is the signature algorithm used for + // the unwrap token that Vault passes to a plugin when auto-mTLS is + // not enabled. + CubbyHoleJWTSignatureAlgorithm = jose.ES512 ) // PluginAPIClientMeta is a helper that plugins can use to configure TLS connections @@ -102,7 +108,7 @@ func VaultPluginTLSProviderContext(ctx context.Context, apiTLSConfig *TLSConfig) return func() (*tls.Config, error) { unwrapToken := os.Getenv(PluginUnwrapTokenEnv) - parsedJWT, err := jwt.ParseSigned(unwrapToken) + parsedJWT, err := jwt.ParseSigned(unwrapToken, []jose.SignatureAlgorithm{CubbyHoleJWTSignatureAlgorithm}) if err != nil { return nil, errwrap.Wrapf("error parsing wrapping token: {{err}}", err) } diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/plugin_runtime_types.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/plugin_runtime_types.go index d3acd0d00..2514f1279 100644 --- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/plugin_runtime_types.go +++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/plugin_runtime_types.go @@ -9,11 +9,9 @@ package api import "fmt" -var PluginRuntimeTypes = []PluginRuntimeType{ - PluginRuntimeTypeUnsupported, - PluginRuntimeTypeContainer, -} +var PluginRuntimeTypes = _PluginRuntimeTypeValues +//go:generate enumer -type=PluginRuntimeType -trimprefix=PluginRuntimeType -transform=snake type PluginRuntimeType uint32 // This is a list of PluginRuntimeTypes used by Vault. @@ -22,20 +20,11 @@ const ( PluginRuntimeTypeContainer ) -func (r PluginRuntimeType) String() string { - switch r { - case PluginRuntimeTypeContainer: - return "container" - default: - return "unsupported" - } -} - +// ParsePluginRuntimeType is a wrapper around PluginRuntimeTypeString kept for backwards compatibility. func ParsePluginRuntimeType(PluginRuntimeType string) (PluginRuntimeType, error) { - switch PluginRuntimeType { - case "container": - return PluginRuntimeTypeContainer, nil - default: + t, err := PluginRuntimeTypeString(PluginRuntimeType) + if err != nil { return PluginRuntimeTypeUnsupported, fmt.Errorf("%q is not a supported plugin runtime type", PluginRuntimeType) } + return t, nil } diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/replication_status.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/replication_status.go index 9bc02d539..d7224ff11 100644 --- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/replication_status.go +++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/replication_status.go @@ -19,13 +19,14 @@ const ( ) type ClusterInfo struct { - APIAddr string `json:"api_address,omitempty" mapstructure:"api_address"` - ClusterAddress string `json:"cluster_address,omitempty" mapstructure:"cluster_address"` - ConnectionStatus string `json:"connection_status,omitempty" mapstructure:"connection_status"` - LastHeartBeat string `json:"last_heartbeat,omitempty" mapstructure:"last_heartbeat"` - LastHeartBeatDurationMillis string `json:"last_heartbeat_duration_ms,omitempty" mapstructure:"last_heartbeat_duration_ms"` - ClockSkewMillis string `json:"clock_skew_ms,omitempty" mapstructure:"clock_skew_ms"` - NodeID string `json:"node_id,omitempty" mapstructure:"node_id"` + APIAddr string `json:"api_address,omitempty" mapstructure:"api_address"` + ClusterAddress string `json:"cluster_address,omitempty" mapstructure:"cluster_address"` + ConnectionStatus string `json:"connection_status,omitempty" mapstructure:"connection_status"` + LastHeartBeat string `json:"last_heartbeat,omitempty" mapstructure:"last_heartbeat"` + LastHeartBeatDurationMillis string `json:"last_heartbeat_duration_ms,omitempty" mapstructure:"last_heartbeat_duration_ms"` + ClockSkewMillis string `json:"clock_skew_ms,omitempty" mapstructure:"clock_skew_ms"` + NodeID string `json:"node_id,omitempty" mapstructure:"node_id"` + ReplicationPrimaryCanaryAgeMillis string `json:"replication_primary_canary_age_ms,omitempty" mapstructure:"replication_primary_canary_age_ms"` } type ReplicationStatusGenericResponse struct { diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_hastatus.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_hastatus.go index 58a73b89c..2e54651e1 100644 --- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_hastatus.go +++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_hastatus.go @@ -35,14 +35,15 @@ type HAStatusResponse struct { } type HANode struct { - Hostname string `json:"hostname"` - APIAddress string `json:"api_address"` - ClusterAddress string `json:"cluster_address"` - ActiveNode bool `json:"active_node"` - LastEcho *time.Time `json:"last_echo"` - EchoDurationMillis int64 `json:"echo_duration_ms"` - ClockSkewMillis int64 `json:"clock_skew_ms"` - Version string `json:"version"` - UpgradeVersion string `json:"upgrade_version,omitempty"` - RedundancyZone string `json:"redundancy_zone,omitempty"` + Hostname string `json:"hostname"` + APIAddress string `json:"api_address"` + ClusterAddress string `json:"cluster_address"` + ActiveNode bool `json:"active_node"` + LastEcho *time.Time `json:"last_echo"` + EchoDurationMillis int64 `json:"echo_duration_ms"` + ClockSkewMillis int64 `json:"clock_skew_ms"` + Version string `json:"version"` + UpgradeVersion string `json:"upgrade_version,omitempty"` + RedundancyZone string `json:"redundancy_zone,omitempty"` + ReplicationPrimaryCanaryAgeMillis int64 `json:"replication_primary_canary_age_ms"` } diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_health.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_health.go index 0dc849885..6868b96d7 100644 --- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_health.go +++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_health.go @@ -38,18 +38,19 @@ func (c *Sys) HealthWithContext(ctx context.Context) (*HealthResponse, error) { } type HealthResponse struct { - Initialized bool `json:"initialized"` - Sealed bool `json:"sealed"` - Standby bool `json:"standby"` - PerformanceStandby bool `json:"performance_standby"` - ReplicationPerformanceMode string `json:"replication_performance_mode"` - ReplicationDRMode string `json:"replication_dr_mode"` - ServerTimeUTC int64 `json:"server_time_utc"` - Version string `json:"version"` - ClusterName string `json:"cluster_name,omitempty"` - ClusterID string `json:"cluster_id,omitempty"` - LastWAL uint64 `json:"last_wal,omitempty"` - Enterprise bool `json:"enterprise"` - EchoDurationMillis int64 `json:"echo_duration_ms"` - ClockSkewMillis int64 `json:"clock_skew_ms"` + Initialized bool `json:"initialized"` + Sealed bool `json:"sealed"` + Standby bool `json:"standby"` + PerformanceStandby bool `json:"performance_standby"` + ReplicationPerformanceMode string `json:"replication_performance_mode"` + ReplicationDRMode string `json:"replication_dr_mode"` + ServerTimeUTC int64 `json:"server_time_utc"` + Version string `json:"version"` + ClusterName string `json:"cluster_name,omitempty"` + ClusterID string `json:"cluster_id,omitempty"` + LastWAL uint64 `json:"last_wal,omitempty"` + Enterprise bool `json:"enterprise"` + EchoDurationMillis int64 `json:"echo_duration_ms"` + ClockSkewMillis int64 `json:"clock_skew_ms"` + ReplicationPrimaryCanaryAgeMillis int64 `json:"replication_primary_canary_age_ms"` } diff --git a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_raft.go b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_raft.go index 4b9487c61..699f6e9fd 100644 --- a/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_raft.go +++ b/third_party/VENDOR-LICENSE/github.com/hashicorp/vault/api/sys_raft.go @@ -9,6 +9,7 @@ import ( "context" "encoding/json" "errors" + "fmt" "io" "io/ioutil" "net/http" @@ -100,6 +101,23 @@ type AutopilotState struct { OptimisticFailureTolerance int `mapstructure:"optimistic_failure_tolerance,omitempty"` } +func (a *AutopilotState) String() string { + var result string + result += fmt.Sprintf("Healthy: %t. FailureTolerance: %d. Leader: %s. OptimisticFailureTolerance: %d\n", a.Healthy, a.FailureTolerance, a.Leader, a.OptimisticFailureTolerance) + for _, s := range a.Servers { + result += fmt.Sprintf("Server: %s\n", s) + } + result += fmt.Sprintf("Voters: %v\n", a.Voters) + result += fmt.Sprintf("NonVoters: %v\n", a.NonVoters) + + for name, zone := range a.RedundancyZones { + result += fmt.Sprintf("RedundancyZone %s: %s\n", name, &zone) + } + + result += fmt.Sprintf("Upgrade: %s", a.Upgrade) + return result +} + // AutopilotServer represents the server blocks in the response of the raft // autopilot state API. type AutopilotServer struct { @@ -119,12 +137,21 @@ type AutopilotServer struct { NodeType string `mapstructure:"node_type,omitempty"` } +func (a *AutopilotServer) String() string { + return fmt.Sprintf("ID: %s. Name: %s. Address: %s. NodeStatus: %s. LastContact: %s. LastTerm: %d. LastIndex: %d. Healthy: %t. StableSince: %s. Status: %s. Version: %s. UpgradeVersion: %s. RedundancyZone: %s. NodeType: %s", + a.ID, a.Name, a.Address, a.NodeStatus, a.LastContact, a.LastTerm, a.LastIndex, a.Healthy, a.StableSince, a.Status, a.Version, a.UpgradeVersion, a.RedundancyZone, a.NodeType) +} + type AutopilotZone struct { Servers []string `mapstructure:"servers,omitempty"` Voters []string `mapstructure:"voters,omitempty"` FailureTolerance int `mapstructure:"failure_tolerance,omitempty"` } +func (a *AutopilotZone) String() string { + return fmt.Sprintf("Servers: %v. Voters: %v. FailureTolerance: %d", a.Servers, a.Voters, a.FailureTolerance) +} + type AutopilotUpgrade struct { Status string `mapstructure:"status"` TargetVersion string `mapstructure:"target_version,omitempty"` @@ -137,6 +164,17 @@ type AutopilotUpgrade struct { RedundancyZones map[string]AutopilotZoneUpgradeVersions `mapstructure:"redundancy_zones,omitempty"` } +func (a *AutopilotUpgrade) String() string { + result := fmt.Sprintf("Status: %s. TargetVersion: %s. TargetVersionVoters: %v. TargetVersionNonVoters: %v. TargetVersionReadReplicas: %v. OtherVersionVoters: %v. OtherVersionNonVoters: %v. OtherVersionReadReplicas: %v", + a.Status, a.TargetVersion, a.TargetVersionVoters, a.TargetVersionNonVoters, a.TargetVersionReadReplicas, a.OtherVersionVoters, a.OtherVersionNonVoters, a.OtherVersionReadReplicas) + + for name, zone := range a.RedundancyZones { + result += fmt.Sprintf("Redundancy Zone %s: %s", name, zone) + } + + return result +} + type AutopilotZoneUpgradeVersions struct { TargetVersionVoters []string `mapstructure:"target_version_voters,omitempty"` TargetVersionNonVoters []string `mapstructure:"target_version_non_voters,omitempty"` @@ -144,6 +182,11 @@ type AutopilotZoneUpgradeVersions struct { OtherVersionNonVoters []string `mapstructure:"other_version_non_voters,omitempty"` } +func (a *AutopilotZoneUpgradeVersions) String() string { + return fmt.Sprintf("TargetVersionVoters: %v. TargetVersionNonVoters: %v. OtherVersionVoters: %v. OtherVersionNonVoters: %v", + a.TargetVersionVoters, a.TargetVersionNonVoters, a.OtherVersionVoters, a.OtherVersionNonVoters) +} + // RaftJoin wraps RaftJoinWithContext using context.Background. func (c *Sys) RaftJoin(opts *RaftJoinRequest) (*RaftJoinResponse, error) { return c.RaftJoinWithContext(context.Background(), opts)