Merge remote-tracking branch 'upstream/master' into transit-exportable

* upstream/master:
  Add version sha to server startup output
  Change current version number
  changelog++
  Don't say mlock is supported on OSX when it isn't. (hashicorp#2120)
  Change command examples for First Secrets hashicorp#2116 (hashicorp#2117)
  changelog++
  cli: fix bug with 'vault read -field=...' when the field value contains a printf formatting verb (hashicorp#2109)
  Update docs to fix hashicorp#2102
  Updating changelog
  http: increase request limit from 8MB to 32MB
  http: limit maximum request size
  Update libraries doc for Haskell community library (hashicorp#2101)
  Don't exclude 0 from the set of valid polynomials in Shamir. This leads to a potential (although extremely trivial) amount of information leakage.
  Bump proto files after update
  changelog++
  check for failure on that mysql query (hashicorp#2105)
  Bump deps
  Document bug causing certain LDAP settings to be forgotten on upgrade to 0.6.1+.
  Set number of pester retries to zero by default and make seal command… (hashicorp#2093)

CHANGELOG.md

@@ -1,5 +1,10 @@
 ## Next (Unreleased)
 
+DEPRECATIONS/CHANGES:
+
+ * http: impose a maximum request size of 32MB to prevent a denial of service
+   with arbitrarily large requests. [GH-2108]
+
 IMPROVEMENTS:
 
  * auth/github: Policies can now be assigned to users as well as to teams
@@ -25,8 +30,13 @@ BUG FIXES:
  * api/unwrap, command/unwrap: Fix error when no client token exists [GH-2077]
  * command/ssh: Use temporary file for identity and ensure its deletion before
    the command returns [GH-2016]
+ * cli: Fix error printing values with `-field` if the values contained
+   formatting directives [GH-2109]
+ * command/server: Don't say mlock is supported on OSX when it isn't. [GH-2120]
  * core: Fix bug where a failure to come up as active node (e.g. if an audit
    backend failed) could lead to deadlock [GH-2083]
+ * physical/mysql: Fix potential crash during setup due to a query failure
+   [GH-2105]
 
 ## 0.6.2 (October 5, 2016)
 
@@ -170,11 +180,11 @@ DEPRECATIONS/CHANGES:
  * Status codes for sealed/uninitialized Vaults have changed to `503`/`501`
    respectively. See the [version-specific upgrade
    guide](https://www.vaultproject.io/docs/install/upgrade-to-0.6.1.html) for
-   more details. 
+   more details.
  * Root tokens (tokens with the `root` policy) can no longer be created except
    by another root token or the `generate-root` endpoint.
  * Issued certificates from the `pki` backend against new roles created or
-   modified after upgrading will contain a set of default key usages. 
+   modified after upgrading will contain a set of default key usages.
  * The `dynamodb` physical data store no longer supports HA by default. It has
    some non-ideal behavior around failover that was causing confusion. See the
    [documentation](https://www.vaultproject.io/docs/config/index.html#ha_enabled)
@@ -244,7 +254,7 @@ IMPROVEMENTS:
    the request portion of the response. [GH-1650]
  * auth/aws-ec2: Added a new constraint `bound_account_id` to the role
    [GH-1523]
- * auth/aws-ec2: Added a new constraint `bound_iam_role_arn` to the role 
+ * auth/aws-ec2: Added a new constraint `bound_iam_role_arn` to the role
    [GH-1522]
  * auth/aws-ec2: Added `ttl` field for the role [GH-1703]
  * auth/ldap, secret/cassandra, physical/consul: Clients with `tls.Config`
@@ -288,7 +298,7 @@ IMPROVEMENTS:
    configuration [GH-1581]
  * secret/mssql,mysql,postgresql: Reading of connection settings is supported
    in all the sql backends [GH-1515]
- * secret/mysql: Added optional maximum idle connections value to MySQL 
+ * secret/mysql: Added optional maximum idle connections value to MySQL
    connection configuration [GH-1635]
  * secret/mysql: Use a combination of the role name and token display name in
    generated user names and allow the length to be controlled [GH-1604]
@@ -631,7 +641,7 @@ BUG FIXES:
    during renewals [GH-1176]
 
 ## 0.5.1 (February 25th, 2016)
- 
+
 DEPRECATIONS/CHANGES:
 
  * RSA keys less than 2048 bits are no longer supported in the PKI backend.
@@ -661,7 +671,7 @@ IMPROVEMENTS:
  * api/health: Add the server's time in UTC to health responses [GH-1117]
  * command/rekey and command/generate-root: These now return the status at
    attempt initialization time, rather than requiring a separate fetch for the
-   nonce [GH-1054] 
+   nonce [GH-1054]
  * credential/cert: Don't require root/sudo tokens for the `certs/` and `crls/`
    paths; use normal ACL behavior instead [GH-468]
  * credential/github: The validity of the token used for login will be checked
@@ -791,7 +801,7 @@ FEATURES:
    documentation](https://vaultproject.io/docs/config/index.html) for details.
    [GH-945]
  * **STS Support in AWS Secret Backend**: You can now use the AWS secret
-   backend to fetch STS tokens rather than IAM users. [GH-927] 
+   backend to fetch STS tokens rather than IAM users. [GH-927]
  * **Speedups in the transit backend**: The `transit` backend has gained a
    cache, and now loads only the working set of keys (e.g. from the
    `min_decryption_version` to the current key version) into its working set.

api/client.go

@@ -48,7 +48,7 @@ type Config struct {
 	redirectSetup sync.Once
 
 	// MaxRetries controls the maximum number of times to retry when a 5xx error
-	// occurs. Set to 0 or less to disable retrying.
+	// occurs. Set to 0 or less to disable retrying. Defaults to 0.
 	MaxRetries int
 }
 
@@ -99,8 +99,6 @@ func DefaultConfig() *Config {
 		config.Address = v
 	}
 
-	config.MaxRetries = pester.DefaultClient.MaxRetries
-
 	return config
 }
 

command/server.go

@@ -350,7 +350,7 @@ func (c *ServerCommand) Run(args []string) int {
 	info["log level"] = logLevel
 	info["mlock"] = fmt.Sprintf(
 		"supported: %v, enabled: %v",
-		mlock.Supported(), !config.DisableMlock)
+		mlock.Supported(), !config.DisableMlock && mlock.Supported())
 	infoKeys = append(infoKeys, "log level", "mlock", "backend")
 
 	if config.HABackend != nil {
@@ -464,8 +464,10 @@ func (c *ServerCommand) Run(args []string) int {
 
 	defer c.cleanupGuard.Do(listenerCloseFunc)
 
-	infoKeys = append(infoKeys, "version")
-	info["version"] = version.GetVersion().FullVersionNumber()
+	infoKeys = append(infoKeys, "version", "version_sha")
+	verInfo := version.GetVersion()
+	info["version"] = verInfo.FullVersionNumber()
+	info["version_sha"] = strings.Trim(verInfo.Revision, "'")
 
 	// Server configuration output
 	padding := 24

command/util.go

@@ -79,7 +79,7 @@ func PrintRawField(ui cli.Ui, secret *api.Secret, field string) int {
 		// directly print the message. If mitchellh/cli exposes method
 		// to print without CR, this check needs to be removed.
 		if reflect.TypeOf(ui).String() == "*cli.BasicUi" {
-			fmt.Fprintf(os.Stdout, fmt.Sprintf("%v", val))
+			fmt.Fprintf(os.Stdout, "%v", val)
 		} else {
 			ui.Output(fmt.Sprintf("%v", val))
 		}

helper/mlock/mlock_unavail.go

@@ -1,4 +1,4 @@
-// +build android nacl netbsd plan9 windows
+// +build android darwin nacl netbsd plan9 windows
 
 package mlock
 

helper/mlock/mlock_unix.go

@@ -1,4 +1,4 @@
-// +build darwin dragonfly freebsd linux openbsd solaris
+// +build dragonfly freebsd linux openbsd solaris
 
 package mlock
 

http/handler.go

@@ -26,6 +26,11 @@ const (
 	// NoRequestForwardingHeaderName is the name of the header telling Vault
 	// not to use request forwarding
 	NoRequestForwardingHeaderName = "X-Vault-No-Request-Forwarding"
+
+	// MaxRequestSize is the maximum accepted request size. This is to prevent
+	// a denial of service attack where no Content-Length is provided and the server
+	// is fed ever more data until it exhausts memory.
+	MaxRequestSize = 32 * 1024 * 1024
 )
 
 // Handler returns an http.Handler for the API. This can be used on
@@ -109,7 +114,10 @@ func stripPrefix(prefix, path string) (string, bool) {
 }
 
 func parseRequest(r *http.Request, out interface{}) error {
-	err := jsonutil.DecodeJSONFromReader(r.Body, out)
+	// Limit the maximum number of bytes to MaxRequestSize to protect
+	// against an indefinite amount of data being read.
+	limit := &io.LimitedReader{R: r.Body, N: MaxRequestSize}
+	err := jsonutil.DecodeJSONFromReader(limit, out)
 	if err != nil && err != io.EOF {
 		return fmt.Errorf("Failed to parse JSON input: %s", err)
 	}

http/logical.go

@@ -26,6 +26,11 @@ func buildLogicalRequest(core *vault.Core, w http.ResponseWriter, r *http.Reques
 		return nil, http.StatusNotFound, nil
 	}
 
+	// Verify the content length does not exceed the maximum size
+	if r.ContentLength >= MaxRequestSize {
+		return nil, http.StatusRequestEntityTooLarge, nil
+	}
+
 	// Determine the operation
 	var op logical.Operation
 	switch r.Method {

http/logical_test.go

@@ -231,3 +231,16 @@ func TestLogical_RawHTTP(t *testing.T) {
 		t.Fatalf("Bad: %s", body.Bytes())
 	}
 }
+
+func TestLogical_RequestSizeLimit(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+	TestServerAuth(t, addr, token)
+
+	// Write a very large object, should fail
+	resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
+		"data": make([]byte, MaxRequestSize),
+	})
+	testResponseStatus(t, resp, 413)
+}

http/sys_seal.go

@@ -30,8 +30,13 @@ func handleSysSeal(core *vault.Core) http.Handler {
 
 		// Seal with the token above
 		if err := core.SealWithRequest(req); err != nil {
-			respondError(w, http.StatusInternalServerError, err)
-			return
+			if errwrap.Contains(err, logical.ErrPermissionDenied.Error()) {
+				respondError(w, http.StatusForbidden, err)
+				return
+			} else {
+				respondError(w, http.StatusInternalServerError, err)
+				return
+			}
 		}
 
 		respondOk(w, nil)

http/sys_seal_test.go

@@ -285,7 +285,7 @@ func TestSysSeal_Permissions(t *testing.T) {
 
 	// We expect this to fail since it needs update and sudo
 	httpResp := testHttpPut(t, "child", addr+"/v1/sys/seal", nil)
-	testResponseStatus(t, httpResp, 500)
+	testResponseStatus(t, httpResp, 403)
 
 	// Now modify to add update capability
 	req = &logical.Request{
@@ -306,7 +306,7 @@ func TestSysSeal_Permissions(t *testing.T) {
 
 	// We expect this to fail since it needs sudo
 	httpResp = testHttpPut(t, "child", addr+"/v1/sys/seal", nil)
-	testResponseStatus(t, httpResp, 500)
+	testResponseStatus(t, httpResp, 403)
 
 	// Now modify to just sudo capability
 	req = &logical.Request{
@@ -327,7 +327,7 @@ func TestSysSeal_Permissions(t *testing.T) {
 
 	// We expect this to fail since it needs update
 	httpResp = testHttpPut(t, "child", addr+"/v1/sys/seal", nil)
-	testResponseStatus(t, httpResp, 500)
+	testResponseStatus(t, httpResp, 403)
 
 	// Now modify to add all needed capabilities
 	req = &logical.Request{

physical/mysql.go

@@ -173,6 +173,9 @@ func (m *MySQLBackend) List(prefix string) ([]string, error) {
 	// Add the % wildcard to the prefix to do the prefix search
 	likePrefix := prefix + "%"
 	rows, err := m.statements["list"].Query(likePrefix)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute statement: %v", err)
+	}
 
 	var keys []string
 	for rows.Next() {