search

splunk / vault-plugin-secrets-artifactory

vault plugin for artifactory
Apache License 2.0
10 stars 5 forks source link

Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.6.0 #81

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps github.com/hashicorp/vault/sdk from 0.5.2 to 0.6.0.

Changelog

Sourced from github.com/hashicorp/vault/sdk's changelog.

0.6.0 (June 14th, 2016)

SECURITY:

  • Although sys/revoke-prefix was intended to revoke prefixes of secrets (via lease IDs, which incorporate path information) and auth/token/revoke-prefix was intended to revoke prefixes of tokens (using the tokens' paths and, since 0.5.2, role information), in implementation they both behaved exactly the same way since a single component in Vault is responsible for managing lifetimes of both, and the type of the tracked lifetime was not being checked. The end result was that either endpoint could revoke both secret leases and tokens. We consider this a very minor security issue as there are a number of mitigating factors: both endpoints require sudo capability in addition to write capability, preventing blanket ACL path globs from providing access; both work by using the prefix to revoke as a part of the endpoint path, allowing them to be properly ACL'd; and both are intended for emergency scenarios and users should already not generally have access to either one. In order to prevent confusion, we have simply removed auth/token/revoke-prefix in 0.6, and sys/revoke-prefix will be meant for both leases and tokens instead.

DEPRECATIONS/CHANGES:

  • auth/token/revoke-prefix has been removed. See the security notice for details. GH-1280
  • Vault will now automatically register itself as the vault service when using the consul backend and will perform its own health checks. See the Consul backend documentation for information on how to disable auto-registration and service checks.
  • List operations that do not find any keys now return a 404 status code rather than an empty response object GH-1365
  • CA certificates issued from the pki backend no longer have associated leases, and any CA certs already issued will ignore revocation requests from the lease manager. This is to prevent CA certificates from being revoked when the token used to issue the certificate expires; it was not be obvious to users that they need to ensure that the token lifetime needed to be at least as long as a potentially very long-lived CA cert.

FEATURES:

  • AWS EC2 Auth Backend: Provides a secure introduction mechanism for AWS EC2 instances allowing automated retrieval of Vault tokens. Unlike most Vault authentication backends, this backend does not require first deploying or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc). Instead, it treats AWS as a Trusted Third Party and uses the cryptographically signed dynamic metadata information that uniquely represents each EC2 instance. Vault Enterprise customers have access to a turnkey client that speaks the backend API and makes access to a Vault token easy.

... (truncated)

Commits
  • f627c01 Cut version 0.6.0
  • 5b7e680 Add updated wrapping information
  • 926e56e Merge pull request #1520 from hashicorp/wrapinfo-accessor
  • 65cdcd6 Add some commenting
  • 47dc1cc Add token accessor to wrap information if one exists
  • 4f039d0 Merge pull request #1518 from hashicorp/fix-bound-ami-id
  • e521894 Added bound_ami_id check
  • 117200c Fix mah broken tests
  • c6ded38 cubbyhole-response-wrapping -> response-wrapping
  • 1e67cd8 Merge pull request #1513 from hashicorp/field-data-get-default
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
codecov-commenter commented 2 years ago

Codecov Report

Merging #81 (8aea33e) into main (440eb66) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             main      #81   +/-   ##
=======================================
  Coverage   41.03%   41.03%           
=======================================
  Files          10       10           
  Lines         675      675           
=======================================
  Hits          277      277           
  Misses        370      370           
  Partials       28       28
Flag Coverage Δ
unittests 41.03% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

dependabot[bot] commented 2 years ago

Superseded by #88.