backport of commit eb70bfd

CODEOWNERS

@@ -47,37 +47,20 @@
 /enos/     @hashicorp/quality-team
 
 # Cryptosec
-/builtin/logical/pki/                                @hashicorp/vault-crypto
-/website/content/docs/secrets/pki/                   @hashicorp/vault-crypto
-/website/content/api-docs/secret/pki.mdx             @hashicorp/vault-crypto
-/builtin/credential/cert/                            @hashicorp/vault-crypto
-/website/content/docs/auth/cert.mdx                  @hashicorp/vault-crypto
-/website/content/api-docs/auth/cert.mdx              @hashicorp/vault-crypto
-/builtin/logical/ssh/                                @hashicorp/vault-crypto
-/website/content/docs/secrets/ssh/                   @hashicorp/vault-crypto
-/website/content/api-docs/secret/ssh.mdx             @hashicorp/vault-crypto
-/builtin/logical/transit/                            @hashicorp/vault-crypto
-/website/content/docs/secrets/transit/               @hashicorp/vault-crypto
-/website/content/api-docs/secret/transit.mdx         @hashicorp/vault-crypto
-/helper/random/                                      @hashicorp/vault-crypto
-/sdk/helper/certutil/                                @hashicorp/vault-crypto
-/sdk/helper/cryptoutil/                              @hashicorp/vault-crypto
-/sdk/helper/kdf/                                     @hashicorp/vault-crypto
-/sdk/helper/keysutil/                                @hashicorp/vault-crypto
-/sdk/helper/ocsp/                                    @hashicorp/vault-crypto
-/sdk/helper/salt/                                    @hashicorp/vault-crypto
-/sdk/helper/tlsutil/                                 @hashicorp/vault-crypto
-/shamir/                                             @hashicorp/vault-crypto
-/vault/barrier*                                      @hashicorp/vault-crypto
-/vault/managed_key*                                  @hashicorp/vault-crypto
-/vault/seal*                                         @hashicorp/vault-crypto
-/vault/seal/                                         @hashicorp/vault-crypto
-/website/content/docs/configuration/seal/            @hashicorp/vault-crypto
-/website/content/docs/enterprise/sealwrap.mdx        @hashicorp/vault-crypto
-/website/content/api-docs/system/sealwrap-rewrap.mdx @hashicorp/vault-crypto
-/website/content/docs/secrets/transform/             @hashicorp/vault-crypto
-/website/content/api-docs/secret/transform.mdx       @hashicorp/vault-crypto
-/website/content/docs/secrets/kmip-profiles.mdx      @hashicorp/vault-crypto
-/website/content/docs/secrets/kmip.mdx               @hashicorp/vault-crypto
-/website/content/api-docs/secret/kmip.mdx            @hashicorp/vault-crypto
-/website/content/docs/enterprise/fips/               @hashicorp/vault-crypto
+/builtin/logical/pki/         @hashicorp/vault-crypto
+/builtin/credential/cert/     @hashicorp/vault-crypto
+/builtin/logical/ssh/         @hashicorp/vault-crypto
+/builtin/logical/transit/     @hashicorp/vault-crypto
+/helper/random/               @hashicorp/vault-crypto
+/sdk/helper/certutil/         @hashicorp/vault-crypto
+/sdk/helper/cryptoutil/       @hashicorp/vault-crypto
+/sdk/helper/kdf/              @hashicorp/vault-crypto
+/sdk/helper/keysutil/         @hashicorp/vault-crypto
+/sdk/helper/ocsp/             @hashicorp/vault-crypto
+/sdk/helper/salt/             @hashicorp/vault-crypto
+/sdk/helper/tlsutil/          @hashicorp/vault-crypto
+/shamir/                      @hashicorp/vault-crypto
+/vault/barrier*               @hashicorp/vault-crypto
+/vault/managed_key*           @hashicorp/vault-crypto
+/vault/seal*                  @hashicorp/vault-crypto
+/vault/seal/                  @hashicorp/vault-crypto

api/client.go

@@ -1362,7 +1362,6 @@ START:
 		LastOutputPolicyError = &OutputPolicyError{
 			method: req.Method,
 			path:   strings.TrimPrefix(req.URL.Path, "/v1"),
-			params: req.URL.Query(),
 		}
 		return nil, LastOutputPolicyError
 	}

api/lifetime_watcher.go

@@ -337,14 +337,24 @@ func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool,
 
 		var sleepDuration time.Duration
 
-		if errorBackoff == nil {
-			sleepDuration = r.calculateSleepDuration(remainingLeaseDuration, priorDuration)
-		} else if errorBackoff.NextBackOff() == backoff.Stop {
-			return err
-		}
+		if errorBackoff != nil {
+			sleepDuration = errorBackoff.NextBackOff()
+			if sleepDuration == backoff.Stop {
+				return err
+			}
+		} else {
+			// We keep evaluating a new grace period so long as the lease is
+			// extending. Once it stops extending, we've hit the max and need to
+			// rely on the grace duration.
+			if remainingLeaseDuration > priorDuration {
+				r.calculateGrace(remainingLeaseDuration, time.Duration(r.increment)*time.Second)
+			}
+			priorDuration = remainingLeaseDuration
 
-		// remainingLeaseDuration becomes the priorDuration for the next loop
-		priorDuration = remainingLeaseDuration
+			// The sleep duration is set to 2/3 of the current lease duration plus
+			// 1/3 of the current grace period, which adds jitter.
+			sleepDuration = time.Duration(float64(remainingLeaseDuration.Nanoseconds())*2/3 + float64(r.grace.Nanoseconds())/3)
+		}
 
 		// If we are within grace, return now; or, if the amount of time we
 		// would sleep would land us in the grace period. This helps with short
@@ -367,21 +377,6 @@ func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool,
 	}
 }
 
-// calculateSleepDuration calculates the amount of time the LifeTimeWatcher should sleep
-// before re-entering its loop.
-func (r *LifetimeWatcher) calculateSleepDuration(remainingLeaseDuration, priorDuration time.Duration) time.Duration {
-	// We keep evaluating a new grace period so long as the lease is
-	// extending. Once it stops extending, we've hit the max and need to
-	// rely on the grace duration.
-	if remainingLeaseDuration > priorDuration {
-		r.calculateGrace(remainingLeaseDuration, time.Duration(r.increment)*time.Second)
-	}
-
-	// The sleep duration is set to 2/3 of the current lease duration plus
-	// 1/3 of the current grace period, which adds jitter.
-	return time.Duration(float64(remainingLeaseDuration.Nanoseconds())*2/3 + float64(r.grace.Nanoseconds())/3)
-}
-
 // calculateGrace calculates the grace period based on the minimum of the
 // remaining lease duration and the token increment value; it also adds some
 // jitter to not have clients be in sync.

api/output_policy.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"strconv"
 	"strings"
 )
 
@@ -17,7 +16,6 @@ var LastOutputPolicyError *OutputPolicyError
 type OutputPolicyError struct {
 	method         string
 	path           string
-	params         url.Values
 	finalHCLString string
 }
 
@@ -46,22 +44,8 @@ func (d *OutputPolicyError) HCLString() (string, error) {
 
 // Builds a sample policy document from the request
 func (d *OutputPolicyError) buildSamplePolicy() (string, error) {
-	operation := d.method
-	// List is often defined as a URL param instead of as an http.Method
-	// this will check for the header and properly switch off of the intended functionality
-	if d.params.Has("list") {
-		isList, err := strconv.ParseBool(d.params.Get("list"))
-		if err != nil {
-			return "", fmt.Errorf("the value of the list url param is not a bool: %v", err)
-		}
-
-		if isList {
-			operation = "LIST"
-		}
-	}
-
 	var capabilities []string
-	switch operation {
+	switch d.method {
 	case http.MethodGet, "":
 		capabilities = append(capabilities, "read")
 	case http.MethodPost, http.MethodPut:
@@ -75,15 +59,17 @@ func (d *OutputPolicyError) buildSamplePolicy() (string, error) {
 		capabilities = append(capabilities, "list")
 	}
 
+	// sanitize, then trim the Vault address and v1 from the front of the path
+	path, err := url.PathUnescape(d.path)
+	if err != nil {
+		return "", fmt.Errorf("failed to unescape request URL characters: %v", err)
+	}
+
 	// determine whether to add sudo capability
-	if IsSudoPath(d.path) {
+	if IsSudoPath(path) {
 		capabilities = append(capabilities, "sudo")
 	}
 
-	return formatOutputPolicy(d.path, capabilities), nil
-}
-
-func formatOutputPolicy(path string, capabilities []string) string {
 	// the OpenAPI response has a / in front of each path,
 	// but policies need the path without that leading slash
 	path = strings.TrimLeft(path, "/")
@@ -92,5 +78,5 @@ func formatOutputPolicy(path string, capabilities []string) string {
 	return fmt.Sprintf(
 		`path "%s" {
   capabilities = ["%s"]
-}`, path, capStr)
+}`, path, capStr), nil
 }

api/plugin_helpers.go

@@ -37,7 +37,7 @@ const (
 // path matches that path or not (useful specifically for the paths that
 // contain templated fields.)
 var sudoPaths = map[string]*regexp.Regexp{
-	"/auth/token/accessors/":                        regexp.MustCompile(`^/auth/token/accessors/?$`),
+	"/auth/token/accessors/":                        regexp.MustCompile(`^/auth/token/accessors/$`),
 	"/pki/root":                                     regexp.MustCompile(`^/pki/root$`),
 	"/pki/root/sign-self-issued":                    regexp.MustCompile(`^/pki/root/sign-self-issued$`),
 	"/sys/audit":                                    regexp.MustCompile(`^/sys/audit$`),
@@ -47,10 +47,10 @@ var sudoPaths = map[string]*regexp.Regexp{
 	"/sys/config/auditing/request-headers":          regexp.MustCompile(`^/sys/config/auditing/request-headers$`),
 	"/sys/config/auditing/request-headers/{header}": regexp.MustCompile(`^/sys/config/auditing/request-headers/.+$`),
 	"/sys/config/cors":                              regexp.MustCompile(`^/sys/config/cors$`),
-	"/sys/config/ui/headers/":                       regexp.MustCompile(`^/sys/config/ui/headers/?$`),
+	"/sys/config/ui/headers/":                       regexp.MustCompile(`^/sys/config/ui/headers/$`),
 	"/sys/config/ui/headers/{header}":               regexp.MustCompile(`^/sys/config/ui/headers/.+$`),
 	"/sys/leases":                                   regexp.MustCompile(`^/sys/leases$`),
-	"/sys/leases/lookup/":                           regexp.MustCompile(`^/sys/leases/lookup/?$`),
+	"/sys/leases/lookup/":                           regexp.MustCompile(`^/sys/leases/lookup/$`),
 	"/sys/leases/lookup/{prefix}":                   regexp.MustCompile(`^/sys/leases/lookup/.+$`),
 	"/sys/leases/revoke-force/{prefix}":             regexp.MustCompile(`^/sys/leases/revoke-force/.+$`),
 	"/sys/leases/revoke-prefix/{prefix}":            regexp.MustCompile(`^/sys/leases/revoke-prefix/.+$`),
@@ -70,7 +70,7 @@ var sudoPaths = map[string]*regexp.Regexp{
 	"/sys/replication/performance/primary/secondary-token": regexp.MustCompile(`^/sys/replication/performance/primary/secondary-token$`),
 	"/sys/replication/primary/secondary-token":             regexp.MustCompile(`^/sys/replication/primary/secondary-token$`),
 	"/sys/replication/reindex":                             regexp.MustCompile(`^/sys/replication/reindex$`),
-	"/sys/storage/raft/snapshot-auto/config/":              regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/?$`),
+	"/sys/storage/raft/snapshot-auto/config/":              regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/$`),
 	"/sys/storage/raft/snapshot-auto/config/{name}":        regexp.MustCompile(`^/sys/storage/raft/snapshot-auto/config/[^/]+$`),
 }
 

api/renewer_test.go

@@ -3,10 +3,7 @@ package api
 import (
 	"errors"
 	"fmt"
-	"math/rand"
-	"reflect"
 	"testing"
-	"testing/quick"
 	"time"
 
 	"github.com/go-test/deep"
@@ -236,47 +233,3 @@ func TestLifetimeWatcher(t *testing.T) {
 		})
 	}
 }
-
-// TestCalcSleepPeriod uses property based testing to evaluate the calculateSleepDuration
-// function of LifeTimeWatchers, but also incidentally tests "calculateGrace".
-// This is on account of "calculateSleepDuration" performing the "calculateGrace"
-// function in particular instances.
-// Both of these functions support the vital functionality of the LifeTimeWatcher
-// and therefore should be tested rigorously.
-func TestCalcSleepPeriod(t *testing.T) {
-	c := quick.Config{
-		MaxCount: 10000,
-		Values: func(values []reflect.Value, r *rand.Rand) {
-			leaseDuration := r.Int63()
-			priorDuration := r.Int63n(leaseDuration)
-			remainingLeaseDuration := r.Int63n(priorDuration)
-			increment := r.Int63n(remainingLeaseDuration)
-
-			values[0] = reflect.ValueOf(r)
-			values[1] = reflect.ValueOf(time.Duration(leaseDuration))
-			values[2] = reflect.ValueOf(time.Duration(priorDuration))
-			values[3] = reflect.ValueOf(time.Duration(remainingLeaseDuration))
-			values[4] = reflect.ValueOf(time.Duration(increment))
-		},
-	}
-
-	// tests that "calculateSleepDuration" will always return a value less than
-	// the remaining lease duration given a random leaseDuration, priorDuration, remainingLeaseDuration, and increment.
-	// Inputs are generated so that:
-	// leaseDuration > priorDuration > remainingLeaseDuration
-	// and remainingLeaseDuration > increment
-	if err := quick.Check(func(r *rand.Rand, leaseDuration, priorDuration, remainingLeaseDuration, increment time.Duration) bool {
-		lw := LifetimeWatcher{
-			grace:     0,
-			increment: int(increment.Seconds()),
-			random:    r,
-		}
-
-		lw.calculateGrace(remainingLeaseDuration, increment)
-
-		// ensure that we sleep for less than the remaining lease.
-		return lw.calculateSleepDuration(remainingLeaseDuration, priorDuration) < remainingLeaseDuration
-	}, &c); err != nil {
-		t.Error(err)
-	}
-}

builtin/credential/approle/cmd/approle/main.go

@@ -17,11 +17,9 @@ func main() {
 	tlsConfig := apiClientMeta.GetTLSConfig()
 	tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
 
-	if err := plugin.ServeMultiplex(&plugin.ServeOpts{
+	if err := plugin.Serve(&plugin.ServeOpts{
 		BackendFactoryFunc: approle.Factory,
-		// set the TLSProviderFunc so that the plugin maintains backwards
-		// compatibility with Vault versions that don’t support plugin AutoMTLS
-		TLSProviderFunc: tlsProviderFunc,
+		TLSProviderFunc:    tlsProviderFunc,
 	}); err != nil {
 		logger := hclog.New(&hclog.LoggerOptions{})