Hashicorp Vault plugin for authenticating Trusted Execution Environments (TEE) like SGX enclaves
Harald Hoyer b0653b4246
fix(deps): update module github.com/hashicorp/vault/api to v1.12.0 (#31)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github.com/hashicorp/vault/api](https://togithub.com/hashicorp/vault) | `v1.11.0` -> `v1.12.0` | [![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fhashicorp%2fvault%2fapi/v1.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/go/github.com%2fhashicorp%2fvault%2fapi/v1.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/go/github.com%2fhashicorp%2fvault%2fapi/v1.11.0/v1.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fhashicorp%2fvault%2fapi/v1.11.0/v1.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>hashicorp/vault (github.com/hashicorp/vault/api)</summary>

### [`v1.12.0`](https://togithub.com/hashicorp/vault/releases/tag/v1.12.0)

[Compare Source](https://togithub.com/hashicorp/vault/compare/v1.11.0...v1.12.0)

##### 1.12.0

##### October 13, 2022

CHANGES:

- api: Exclusively use `GET /sys/plugins/catalog` endpoint for listing
plugins, and add `details` field to list responses.
\[[GH-17347](https://togithub.com/hashicorp/vault/pull/17347)]
- auth: `GET /sys/auth/:name` endpoint now returns an additional
`deprecation_status` field in the response data for builtins.
\[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- auth: `GET /sys/auth` endpoint now returns an additional
`deprecation_status` field in the response data for builtins.
\[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- auth: `POST /sys/auth/:type` endpoint response contains a warning for
`Deprecated` auth methods.
\[[GH-17058](https://togithub.com/hashicorp/vault/pull/17058)]
- auth: `auth enable` returns an error and `POST /sys/auth/:type`
endpoint reports an error for `Pending Removal` auth methods.
\[[GH-17005](https://togithub.com/hashicorp/vault/pull/17005)]
- core/entities: Fixed stranding of aliases upon entity merge, and
require explicit selection of which aliases should be kept when some
must be deleted
\[[GH-16539](https://togithub.com/hashicorp/vault/pull/16539)]
- core: Bump Go version to 1.19.2.
- core: Validate input parameters for vault operator init command. Vault
1.12 CLI version is needed to run operator init now.
\[[GH-16379](https://togithub.com/hashicorp/vault/pull/16379)]
- identity: a request to `/identity/group` that includes
`member_group_ids` that contains a cycle will now be responded to with a
400 rather than 500
\[[GH-15912](https://togithub.com/hashicorp/vault/pull/15912)]
- licensing (enterprise): Terminated licenses will no longer result in
shutdown. Instead, upgrades will not be allowed if the license
termination time is before the build date of the binary.
- plugins: Add plugin version to auth register, list, and mount table
\[[GH-16856](https://togithub.com/hashicorp/vault/pull/16856)]
- plugins: `GET /sys/plugins/catalog/:type/:name` endpoint contains
deprecation status for builtin plugins.
\[[GH-17077](https://togithub.com/hashicorp/vault/pull/17077)]
- plugins: `GET /sys/plugins/catalog/:type/:name` endpoint now returns
an additional `version` field in the response data.
\[[GH-16688](https://togithub.com/hashicorp/vault/pull/16688)]
- plugins: `GET /sys/plugins/catalog/` endpoint contains deprecation
status in `detailed` list.
\[[GH-17077](https://togithub.com/hashicorp/vault/pull/17077)]
- plugins: `GET /sys/plugins/catalog` endpoint now returns an additional
`detailed` field in the response data with a list of additional plugin
metadata. \[[GH-16688](https://togithub.com/hashicorp/vault/pull/16688)]
- plugins: `plugin info` displays deprecation status for builtin
plugins. \[[GH-17077](https://togithub.com/hashicorp/vault/pull/17077)]
- plugins: `plugin list` now accepts a `-detailed` flag, which displays
deprecation status and version info.
\[[GH-17077](https://togithub.com/hashicorp/vault/pull/17077)]
- secrets/azure: Removed deprecated AAD graph API support from the
secrets engine.
\[[GH-17180](https://togithub.com/hashicorp/vault/pull/17180)]
- secrets: All database-specific (standalone DB) secrets engines are now
marked `Pending Removal`.
\[[GH-17038](https://togithub.com/hashicorp/vault/pull/17038)]
- secrets: `GET /sys/mounts/:name` endpoint now returns an additional
`deprecation_status` field in the response data for builtins.
\[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- secrets: `GET /sys/mounts` endpoint now returns an additional
`deprecation_status` field in the response data for builtins.
\[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- secrets: `POST /sys/mounts/:type` endpoint response contains a warning
for `Deprecated` secrets engines.
\[[GH-17058](https://togithub.com/hashicorp/vault/pull/17058)]
- secrets: `secrets enable` returns an error and `POST /sys/mount/:type`
endpoint reports an error for `Pending Removal` secrets engines.
\[[GH-17005](https://togithub.com/hashicorp/vault/pull/17005)]

FEATURES:

- **GCP Cloud KMS support for managed keys**: Managed keys now support
using GCP Cloud KMS keys
- **LDAP Secrets Engine**: Adds the `ldap` secrets engine with service
account check-out functionality for all supported schemas.
\[[GH-17152](https://togithub.com/hashicorp/vault/pull/17152)]
- **OCSP Responder**: PKI mounts now have an OCSP responder that
implements a subset of RFC6960, answering single serial number OCSP
requests for a specific cluster's revoked certificates in a mount.
\[[GH-16723](https://togithub.com/hashicorp/vault/pull/16723)]
- **Redis DB Engine**: Adding the new Redis database engine that
supports the generation of static and dynamic user roles and root
credential rotation on a standalone Redis server.
\[[GH-17070](https://togithub.com/hashicorp/vault/pull/17070)]
- **Redis ElastiCache DB Plugin**: Added Redis ElastiCache as a built-in
plugin. \[[GH-17075](https://togithub.com/hashicorp/vault/pull/17075)]
- **Secrets/auth plugin multiplexing**: manage multiple plugin
configurations with a single plugin process
\[[GH-14946](https://togithub.com/hashicorp/vault/pull/14946)]
- **Transform Key Import (BYOK)**: The transform secrets engine now
supports importing keys for tokenization and FPE transformations
- HCP (enterprise): Adding foundational support for self-managed vault
nodes to securely communicate with [HashiCorp Cloud
Platform](https://cloud.hashicorp.com) as an opt-in feature
- ui: UI support for Okta Number Challenge.
\[[GH-15998](https://togithub.com/hashicorp/vault/pull/15998)]

IMPROVEMENTS:

- core/managed-keys (enterprise): Allow operators to specify PSS
signatures and/or hash algorithm for the test/sign api
- activity (enterprise): Added new clients unit tests to test accuracy
of estimates
- agent/auto-auth: Add `exit_on_err` which when set to true, will cause
Agent to exit if any errors are encountered during authentication.
\[[GH-17091](https://togithub.com/hashicorp/vault/pull/17091)]
- agent: Added `disable_idle_connections` configuration to disable
leaving idle connections open in auto-auth, caching and templating.
\[[GH-15986](https://togithub.com/hashicorp/vault/pull/15986)]
- agent: Added `disable_keep_alives` configuration to disable keep
alives in auto-auth, caching and templating.
\[[GH-16479](https://togithub.com/hashicorp/vault/pull/16479)]
- agent: JWT auto auth now supports a `remove_jwt_after_reading` config
option which defaults to true.
\[[GH-11969](https://togithub.com/hashicorp/vault/pull/11969)]
- agent: Send notifications to systemd on start and stop.
\[[GH-9802](https://togithub.com/hashicorp/vault/pull/9802)]
- api/mfa: Add namespace path to the MFA read/list endpoint
\[[GH-16911](https://togithub.com/hashicorp/vault/pull/16911)]
- api: Add a sentinel error for missing KV secrets
\[[GH-16699](https://togithub.com/hashicorp/vault/pull/16699)]
- auth/alicloud: Enables AliCloud roles to be compatible with Vault's
role based quotas.
\[[GH-17251](https://togithub.com/hashicorp/vault/pull/17251)]
- auth/approle: SecretIDs can now be generated with a per-request
specified TTL and num_uses.
When either the ttl or num_uses field is not specified, the role's
configuration is used.
\[[GH-14474](https://togithub.com/hashicorp/vault/pull/14474)]
- auth/aws: PKCS7 signatures will now use SHA256 by default in prep for
Go 1.18 \[[GH-16455](https://togithub.com/hashicorp/vault/pull/16455)]
- auth/azure: Enables Azure roles to be compatible with Vault's role
based quotas.
\[[GH-17194](https://togithub.com/hashicorp/vault/pull/17194)]
- auth/cert: Add metadata to identity-alias
\[[GH-14751](https://togithub.com/hashicorp/vault/pull/14751)]
- auth/cert: Operators can now specify a CRL distribution point URL, in
which case the cert auth engine will fetch and use the CRL from that
location rather than needing to push CRLs directly to auth/cert.
\[[GH-17136](https://togithub.com/hashicorp/vault/pull/17136)]
- auth/cf: Enables CF roles to be compatible with Vault's role based
quotas. \[[GH-17196](https://togithub.com/hashicorp/vault/pull/17196)]
- auth/gcp: Add support for GCE regional instance groups
\[[GH-16435](https://togithub.com/hashicorp/vault/pull/16435)]
- auth/gcp: Updates dependencies: `google.golang.org/api@v0.83.0`,
`github.com/hashicorp/go-gcp-common@v0.8.0`.
\[[GH-17160](https://togithub.com/hashicorp/vault/pull/17160)]
- auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider
for groups fetching.
\[[GH-16525](https://togithub.com/hashicorp/vault/pull/16525)]
- auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for
CLI-based logins.
\[[GH-16525](https://togithub.com/hashicorp/vault/pull/16525)]
- auth/kerberos: add `add_group_aliases` config to include LDAP groups
in Vault group aliases
\[[GH-16890](https://togithub.com/hashicorp/vault/pull/16890)]
- auth/kerberos: add `remove_instance_name` parameter to the login CLI
and the Kerberos config in Vault. This removes any instance names found
in the keytab service principal name.
\[[GH-16594](https://togithub.com/hashicorp/vault/pull/16594)]
- auth/kubernetes: Role resolution for K8S Auth
\[[GH-156](https://togithub.com/hashicorp/vault-plugin-auth-kubernetes/pull/156)]
\[[GH-17161](https://togithub.com/hashicorp/vault/pull/17161)]
- auth/oci: Add support for role resolution.
\[[GH-17212](https://togithub.com/hashicorp/vault/pull/17212)]
- auth/oidc: Adds support for group membership parsing when using
SecureAuth as an OIDC provider.
\[[GH-16274](https://togithub.com/hashicorp/vault/pull/16274)]
- cli: CLI commands will print a warning if flags will be ignored
because they are passed after positional arguments.
\[[GH-16441](https://togithub.com/hashicorp/vault/pull/16441)]
- cli: `auth` and `secrets` list `-detailed` commands now show
Deprecation Status for builtin plugins.
\[[GH-16849](https://togithub.com/hashicorp/vault/pull/16849)]
- cli: `vault plugin list` now has a `details` field in JSON format, and
version and type information in table format.
\[[GH-17347](https://togithub.com/hashicorp/vault/pull/17347)]
- command/audit: Improve missing type error message
\[[GH-16409](https://togithub.com/hashicorp/vault/pull/16409)]
- command/server: add `-dev-tls` and `-dev-tls-cert-dir` subcommands to
create a Vault dev server with generated certificates and private key.
\[[GH-16421](https://togithub.com/hashicorp/vault/pull/16421)]
- command: Fix shell completion for KV v2 mounts
\[[GH-16553](https://togithub.com/hashicorp/vault/pull/16553)]
- core (enterprise): Add HTTP PATCH support for namespaces with an
associated `namespace patch` CLI command
- core (enterprise): Add check to `vault server` command to ensure
configured storage backend is supported.
- core (enterprise): Add custom metadata support for namespaces
- core/activity: generate hyperloglogs containing clientIds for each
month during precomputation
\[[GH-16146](https://togithub.com/hashicorp/vault/pull/16146)]
- core/activity: refactor activity log api to reuse partial api
functions in activity endpoint when current month is specified
\[[GH-16162](https://togithub.com/hashicorp/vault/pull/16162)]
- core/activity: use monthly hyperloglogs to calculate new clients
approximation for current month
\[[GH-16184](https://togithub.com/hashicorp/vault/pull/16184)]
- core/quotas (enterprise): Added ability to add path suffixes for
lease-count resource quotas
- core/quotas (enterprise): Added ability to add role information for
lease-count resource quotas, to limit login requests on auth mounts made
using that role
- core/quotas: Added ability to add path suffixes for rate-limit
resource quotas
\[[GH-15989](https://togithub.com/hashicorp/vault/pull/15989)]
- core/quotas: Added ability to add role information for rate-limit
resource quotas, to limit login requests on auth mounts made using that
role \[[GH-16115](https://togithub.com/hashicorp/vault/pull/16115)]
- core: Activity log goroutine management improvements to allow tests to
be more deterministic.
\[[GH-17028](https://togithub.com/hashicorp/vault/pull/17028)]
- core: Add `sys/loggers` and `sys/loggers/:name` endpoints to provide
ability to modify logging verbosity
\[[GH-16111](https://togithub.com/hashicorp/vault/pull/16111)]
- core: Handle and log deprecated builtin mounts. Introduces
`VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` to override shutdown and error when
attempting to mount `Pending Removal` builtin plugins.
\[[GH-17005](https://togithub.com/hashicorp/vault/pull/17005)]
- core: Limit activity log client count usage by namespaces
\[[GH-16000](https://togithub.com/hashicorp/vault/pull/16000)]
- core: Upgrade github.com/hashicorp/raft
\[[GH-16609](https://togithub.com/hashicorp/vault/pull/16609)]
- core: remove gox
\[[GH-16353](https://togithub.com/hashicorp/vault/pull/16353)]
- docs: Clarify the behaviour of local mounts in the context of DR
replication
\[[GH-16218](https://togithub.com/hashicorp/vault/pull/16218)]
- identity/oidc: Adds support for detailed listing of clients and
providers.
\[[GH-16567](https://togithub.com/hashicorp/vault/pull/16567)]
- identity/oidc: Adds the `client_secret_post` token endpoint
authentication method.
\[[GH-16598](https://togithub.com/hashicorp/vault/pull/16598)]
- identity/oidc: allows filtering the list providers response by an
allowed_client_id
\[[GH-16181](https://togithub.com/hashicorp/vault/pull/16181)]
- identity: Prevent possibility of data races on entity creation.
\[[GH-16487](https://togithub.com/hashicorp/vault/pull/16487)]
- physical/postgresql: pass context to queries to propagate timeouts and
cancellations on requests.
\[[GH-15866](https://togithub.com/hashicorp/vault/pull/15866)]
- plugins/multiplexing: Added multiplexing support to database plugins
if run as external plugins
\[[GH-16995](https://togithub.com/hashicorp/vault/pull/16995)]
- plugins: Add Deprecation Status method to builtinregistry.
\[[GH-16846](https://togithub.com/hashicorp/vault/pull/16846)]
- plugins: Added environment variable flag to opt-out specific plugins
from multiplexing
\[[GH-16972](https://togithub.com/hashicorp/vault/pull/16972)]
- plugins: Adding version to plugin GRPC interface
\[[GH-17088](https://togithub.com/hashicorp/vault/pull/17088)]
- plugins: Plugin catalog supports registering and managing plugins with
semantic version information.
\[[GH-16688](https://togithub.com/hashicorp/vault/pull/16688)]
- replication (enterprise): Fix race in merkle sync that can prevent
streaming by returning key value matching provided hash if found in log
shipper buffer.
- secret/nomad: allow reading CA and client auth certificate from
/nomad/config/access
\[[GH-15809](https://togithub.com/hashicorp/vault/pull/15809)]
- secret/pki: Add RSA PSS signature support for issuing certificates,
signing CRLs
\[[GH-16519](https://togithub.com/hashicorp/vault/pull/16519)]
- secret/pki: Add signature_bits to sign-intermediate, sign-verbatim
endpoints \[[GH-16124](https://togithub.com/hashicorp/vault/pull/16124)]
- secret/pki: Allow issuing certificates with non-domain, non-email
Common Names from roles, sign-verbatim, and as issuers
(`cn_validations`).
\[[GH-15996](https://togithub.com/hashicorp/vault/pull/15996)]
- secret/pki: Allow specifying SKID for cross-signed issuance from older
Vault versions.
\[[GH-16494](https://togithub.com/hashicorp/vault/pull/16494)]
- secret/transit: Allow importing `Ed25519` keys from PKCS#8 with inner
RFC 5915 ECPrivateKey blobs (NSS-wrapped keys).
\[[GH-15742](https://togithub.com/hashicorp/vault/pull/15742)]
- secrets/ad: set config default length only if password_policy is
missing \[[GH-16140](https://togithub.com/hashicorp/vault/pull/16140)]
- secrets/azure: Adds option to permanently delete AzureAD objects
created by Vault.
\[[GH-17045](https://togithub.com/hashicorp/vault/pull/17045)]
- secrets/database/hana: Add ability to customize dynamic usernames
\[[GH-16631](https://togithub.com/hashicorp/vault/pull/16631)]
- secrets/database/snowflake: Add multiplexing support
\[[GH-17159](https://togithub.com/hashicorp/vault/pull/17159)]
- secrets/gcp: Updates dependencies: `google.golang.org/api@v0.83.0`,
`github.com/hashicorp/go-gcp-common@v0.8.0`.
\[[GH-17174](https://togithub.com/hashicorp/vault/pull/17174)]
- secrets/gcpkms: Update dependencies: google.golang.org/api@v0.83.0.
\[[GH-17199](https://togithub.com/hashicorp/vault/pull/17199)]
- secrets/kubernetes: upgrade to v0.2.0
\[[GH-17164](https://togithub.com/hashicorp/vault/pull/17164)]
- secrets/pki/tidy: Add another pair of metrics counting certificates
not deleted by the tidy operation.
\[[GH-16702](https://togithub.com/hashicorp/vault/pull/16702)]
- secrets/pki: Add a new flag to issue/sign APIs which can filter out
root CAs from the returned ca_chain field
\[[GH-16935](https://togithub.com/hashicorp/vault/pull/16935)]
- secrets/pki: Add a warning to any successful response when the
requested TTL is overwritten by MaxTTL
\[[GH-17073](https://togithub.com/hashicorp/vault/pull/17073)]
- secrets/pki: Add ability to cancel tidy operations, control tidy
resource usage.
\[[GH-16958](https://togithub.com/hashicorp/vault/pull/16958)]
- secrets/pki: Add ability to periodically rebuild CRL before expiry
\[[GH-16762](https://togithub.com/hashicorp/vault/pull/16762)]
- secrets/pki: Add ability to periodically run tidy operations to remove
expired certificates.
\[[GH-16900](https://togithub.com/hashicorp/vault/pull/16900)]
- secrets/pki: Add support for per-issuer Authority Information Access
(AIA) URLs
\[[GH-16563](https://togithub.com/hashicorp/vault/pull/16563)]
- secrets/pki: Add support to specify signature bits when generating
CSRs through intermediate/generate apis
\[[GH-17388](https://togithub.com/hashicorp/vault/pull/17388)]
- secrets/pki: Added gauge metrics
"secrets.pki.total_revoked_certificates_stored" and
"secrets.pki.total_certificates_stored" to track the number of
certificates in storage.
\[[GH-16676](https://togithub.com/hashicorp/vault/pull/16676)]
- secrets/pki: Allow revocation of certificates with explicitly provided
certificate (bring your own certificate / BYOC).
\[[GH-16564](https://togithub.com/hashicorp/vault/pull/16564)]
- secrets/pki: Allow revocation via proving possession of certificate's
private key
\[[GH-16566](https://togithub.com/hashicorp/vault/pull/16566)]
- secrets/pki: Allow tidy to associate revoked certs with their issuers
for OCSP performance
\[[GH-16871](https://togithub.com/hashicorp/vault/pull/16871)]
- secrets/pki: Honor If-Modified-Since header on CA, CRL fetch; requires
passthrough_request_headers modification on the mount point.
\[[GH-16249](https://togithub.com/hashicorp/vault/pull/16249)]
- secrets/pki: Improve stability of association of revoked cert with its
parent issuer; when an issuer loses crl-signing usage, do not place
certs on default issuer's CRL.
\[[GH-16874](https://togithub.com/hashicorp/vault/pull/16874)]
- secrets/pki: Support generating delta CRLs for up-to-date CRLs when
auto-building is enabled.
\[[GH-16773](https://togithub.com/hashicorp/vault/pull/16773)]
- secrets/ssh: Add allowed_domains_template to allow templating of
allowed_domains.
\[[GH-16056](https://togithub.com/hashicorp/vault/pull/16056)]
- secrets/ssh: Allow additional text along with a template definition in
defaultExtension value fields.
\[[GH-16018](https://togithub.com/hashicorp/vault/pull/16018)]
- secrets/ssh: Allow the use of Identity templates in the `default_user`
field \[[GH-16351](https://togithub.com/hashicorp/vault/pull/16351)]
- secrets/transit: Add a dedicated HMAC key type, which can be used with
key import.
\[[GH-16668](https://togithub.com/hashicorp/vault/pull/16668)]
- secrets/transit: Added a parameter to encrypt/decrypt batch operations
to allow the caller to override the HTTP response code in case of
partial user-input failures.
\[[GH-17118](https://togithub.com/hashicorp/vault/pull/17118)]
- secrets/transit: Allow configuring the possible salt lengths for RSA
PSS signatures.
\[[GH-16549](https://togithub.com/hashicorp/vault/pull/16549)]
- ssh: Addition of an endpoint `ssh/issue/:role` to allow the creation
of signed key pairs
\[[GH-15561](https://togithub.com/hashicorp/vault/pull/15561)]
- storage/cassandra: tuning parameters for clustered environments
`connection_timeout`, `initial_connection_timeout`,
`simple_retry_policy_retries`.
\[[GH-10467](https://togithub.com/hashicorp/vault/pull/10467)]
- storage/gcs: Add documentation explaining how to configure the gcs
backend using environment variables instead of options in the
configuration stanza
\[[GH-14455](https://togithub.com/hashicorp/vault/pull/14455)]
- ui: Changed the tokenBoundCidrs tooltip content to clarify that comma
separated values are not accepted in this field.
\[[GH-15852](https://togithub.com/hashicorp/vault/pull/15852)]
- ui: Prevents requests to /sys/internal/ui/resultant-acl endpoint when
unauthenticated
\[[GH-17139](https://togithub.com/hashicorp/vault/pull/17139)]
- ui: Removed deprecated version of core-js 2.6.11
\[[GH-15898](https://togithub.com/hashicorp/vault/pull/15898)]
- ui: Renamed labels under Tools for wrap, lookup, rewrap and unwrap
with description.
\[[GH-16489](https://togithub.com/hashicorp/vault/pull/16489)]
- ui: Replaces non-inclusive terms
\[[GH-17116](https://togithub.com/hashicorp/vault/pull/17116)]
- ui: redirect_to param forwards from auth route when authenticated
\[[GH-16821](https://togithub.com/hashicorp/vault/pull/16821)]
- website/docs: API generate-recovery-token documentation.
\[[GH-16213](https://togithub.com/hashicorp/vault/pull/16213)]
- website/docs: Add documentation around the expensiveness of making
lots of lease count quotas in a short period
\[[GH-16950](https://togithub.com/hashicorp/vault/pull/16950)]
- website/docs: Removes mentions of unauthenticated from internal ui
resultant-acl doc
\[[GH-17139](https://togithub.com/hashicorp/vault/pull/17139)]
- website/docs: Update replication docs to mention Integrated Storage
\[[GH-16063](https://togithub.com/hashicorp/vault/pull/16063)]
- website/docs: changed to echo for all string examples instead of (<<<)
here-string.
\[[GH-9081](https://togithub.com/hashicorp/vault/pull/9081)]

BUG FIXES:

- agent/template: Fix parsing error for the exec stanza
\[[GH-16231](https://togithub.com/hashicorp/vault/pull/16231)]
- agent: Agent will now respect `max_retries` retry configuration even
when caching is set.
\[[GH-16970](https://togithub.com/hashicorp/vault/pull/16970)]
- agent: Update consul-template for pkiCert bug fixes
\[[GH-16087](https://togithub.com/hashicorp/vault/pull/16087)]
- api/sys/internal/specs/openapi: support a new "dynamic" query
parameter to generate generic mountpaths
\[[GH-15835](https://togithub.com/hashicorp/vault/pull/15835)]
- api: Fixed erroneous warnings of unrecognized parameters when
unwrapping data.
\[[GH-16794](https://togithub.com/hashicorp/vault/pull/16794)]
- api: Fixed issue with internal/ui/mounts and
internal/ui/mounts/(?P<path>.+) endpoints where it was not properly
handling /auth/
\[[GH-15552](https://togithub.com/hashicorp/vault/pull/15552)]
- api: properly handle switching to/from unix domain socket when
changing client address
\[[GH-11904](https://togithub.com/hashicorp/vault/pull/11904)]
- auth/cert: Vault does not initially load the CRLs in cert auth unless
the read/write CRL endpoint is hit.
\[[GH-17138](https://togithub.com/hashicorp/vault/pull/17138)]
- auth/kerberos: Maintain headers set by the client
\[[GH-16636](https://togithub.com/hashicorp/vault/pull/16636)]
- auth/kubernetes: Restore support for JWT signature algorithm ES384
\[[GH-160](https://togithub.com/hashicorp/vault-plugin-auth-kubernetes/pull/160)]
\[[GH-17161](https://togithub.com/hashicorp/vault/pull/17161)]
- auth/token: Fix ignored parameter warnings for valid parameters on
token create
\[[GH-16938](https://togithub.com/hashicorp/vault/pull/16938)]
- command/debug: fix bug where monitor was not honoring configured
duration \[[GH-16834](https://togithub.com/hashicorp/vault/pull/16834)]
- core (enterprise): Fix bug where wrapping token lookup does not work
within namespaces.
\[[GH-15583](https://togithub.com/hashicorp/vault/pull/15583)]
- core (enterprise): Fix creation of duplicate entities via alias
metadata changes on local auth mounts.
- core/auth: Return a 403 instead of a 500 for a malformed SSCT
\[[GH-16112](https://togithub.com/hashicorp/vault/pull/16112)]
- core/identity: Replicate member_entity_ids and policies in
identity/group across nodes identically
\[[GH-16088](https://togithub.com/hashicorp/vault/pull/16088)]
- core/license (enterprise): Always remove stored license and allow
unseal to complete when license cleanup fails
- core/managed-keys (enterprise): fix panic when having `cache_disable`
true
- core/quotas (enterprise): Fixed issue with improper counting of leases
if lease count quota created after leases
- core/quotas: Added globbing functionality on the end of path suffix
quota paths
\[[GH-16386](https://togithub.com/hashicorp/vault/pull/16386)]
- core/quotas: Fix goroutine leak caused by the seal process not fully
cleaning up Rate Limit Quotas.
\[[GH-17281](https://togithub.com/hashicorp/vault/pull/17281)]
- core/replication (enterprise): Don't flush merkle tree pages to disk
after losing active duty
- core/seal: Fix possible keyring truncation when using the file
backend. \[[GH-15946](https://togithub.com/hashicorp/vault/pull/15946)]
- core: Fix panic when the plugin catalog returns neither a plugin nor
an error. \[[GH-17204](https://togithub.com/hashicorp/vault/pull/17204)]
- core: Fixes parsing boolean values for ha_storage backends in config
\[[GH-15900](https://togithub.com/hashicorp/vault/pull/15900)]
- core: Increase the allowed concurrent gRPC streams over the cluster
port. \[[GH-16327](https://togithub.com/hashicorp/vault/pull/16327)]
- core: Prevent two or more DR failovers from invalidating SSCT tokens
generated on the previous primaries.
\[[GH-16956](https://togithub.com/hashicorp/vault/pull/16956)]
- database: Invalidate queue should cancel context first to avoid
deadlock \[[GH-15933](https://togithub.com/hashicorp/vault/pull/15933)]
- debug: Fix panic when capturing debug bundle on Windows
\[[GH-14399](https://togithub.com/hashicorp/vault/pull/14399)]
- debug: Remove extra empty lines from vault.log when debug command is
run \[[GH-16714](https://togithub.com/hashicorp/vault/pull/16714)]
- identity (enterprise): Fix a data race when creating an entity for a
local alias.
- identity/oidc: Adds `claims_supported` to discovery document.
\[[GH-16992](https://togithub.com/hashicorp/vault/pull/16992)]
- identity/oidc: Change the `state` parameter of the Authorization
Endpoint to optional.
\[[GH-16599](https://togithub.com/hashicorp/vault/pull/16599)]
- identity/oidc: Detect invalid `redirect_uri` values sooner in
validation of the Authorization Endpoint.
\[[GH-16601](https://togithub.com/hashicorp/vault/pull/16601)]
- identity/oidc: Fixes validation of the `request` and `request_uri`
parameters.
\[[GH-16600](https://togithub.com/hashicorp/vault/pull/16600)]
- openapi: Fixed issue where information about /auth/token endpoints was
not present with explicit policy permissions
\[[GH-15552](https://togithub.com/hashicorp/vault/pull/15552)]
- plugin/multiplexing: Fix panic when id doesn't exist in connection map
\[[GH-16094](https://togithub.com/hashicorp/vault/pull/16094)]
- plugin/secrets/auth: Fix a bug with aliased backends such as aws-ec2
or generic
\[[GH-16673](https://togithub.com/hashicorp/vault/pull/16673)]
- plugins: Corrected the path to check permissions on when the
registered plugin name does not match the plugin binary's filename.
\[[GH-17340](https://togithub.com/hashicorp/vault/pull/17340)]
- quotas/lease-count: Fix lease-count quotas on mounts not properly
being enforced when the lease generating request is a read
\[[GH-15735](https://togithub.com/hashicorp/vault/pull/15735)]
- replication (enterprise): Fix data race in SaveCheckpoint()
- replication (enterprise): Fix data race in saveCheckpoint.
- replication (enterprise): Fix possible data race during merkle
diff/sync
- secret/pki: Do not fail validation with a legacy key_bits default
value and key_type=any when signing CSRs
\[[GH-16246](https://togithub.com/hashicorp/vault/pull/16246)]
- secrets/database: Fix a bug where the secret engine would queue up a
lot of WAL deletes during startup.
\[[GH-16686](https://togithub.com/hashicorp/vault/pull/16686)]
- secrets/gcp: Fixes duplicate static account key creation from
performance secondary clusters.
\[[GH-16534](https://togithub.com/hashicorp/vault/pull/16534)]
- secrets/kv: Fix `kv get` issue preventing the ability to read a secret
when providing a leading slash
\[[GH-16443](https://togithub.com/hashicorp/vault/pull/16443)]
- secrets/pki: Allow import of issuers without CRLSign KeyUsage;
prohibit setting crl-signing usage on such issuers
\[[GH-16865](https://togithub.com/hashicorp/vault/pull/16865)]
- secrets/pki: Do not ignore provided signature bits value when signing
intermediate and leaf certificates with a managed key
\[[GH-17328](https://togithub.com/hashicorp/vault/pull/17328)]
- secrets/pki: Do not read revoked certificates from backend when CRL is
disabled \[[GH-17385](https://togithub.com/hashicorp/vault/pull/17385)]
- secrets/pki: Fix migration to properly handle mounts that contain only
keys, no certificates
\[[GH-16813](https://togithub.com/hashicorp/vault/pull/16813)]
- secrets/pki: Ignore EC PARAMETER PEM blocks during issuer import
(/config/ca, /issuers/import/\*, and /intermediate/set-signed)
\[[GH-16721](https://togithub.com/hashicorp/vault/pull/16721)]
- secrets/pki: LIST issuers endpoint is now unauthenticated.
\[[GH-16830](https://togithub.com/hashicorp/vault/pull/16830)]
- secrets/transform (enterprise): Fix an issue loading tokenization
transform configuration after a specific sequence of reconfigurations.
- secrets/transform (enterprise): Fix persistence problem with
tokenization store credentials.
- storage/raft (enterprise): Fix some storage-modifying RPCs used by
perf standbys that weren't returning the resulting WAL state.
- storage/raft (enterprise): Prevent unauthenticated voter status change
with rejoin
\[[GH-16324](https://togithub.com/hashicorp/vault/pull/16324)]
- storage/raft: Fix retry_join initialization failure
\[[GH-16550](https://togithub.com/hashicorp/vault/pull/16550)]
- storage/raft: Nodes no longer get demoted to nonvoter if we don't know
their version due to missing heartbeats.
\[[GH-17019](https://togithub.com/hashicorp/vault/pull/17019)]
- ui/keymgmt: Sets the defaultValue for type when creating a key.
\[[GH-17407](https://togithub.com/hashicorp/vault/pull/17407)]
- ui: Fix OIDC callback to accept namespace flag in different formats
\[[GH-16886](https://togithub.com/hashicorp/vault/pull/16886)]
- ui: Fix info tooltip submitting form
\[[GH-16659](https://togithub.com/hashicorp/vault/pull/16659)]
- ui: Fix issue logging in with JWT auth method
\[[GH-16466](https://togithub.com/hashicorp/vault/pull/16466)]
- ui: Fix lease force revoke action
\[[GH-16930](https://togithub.com/hashicorp/vault/pull/16930)]
- ui: Fix naming of permitted_dns_domains form parameter on CA creation
(root generation and sign intermediate).
\[[GH-16739](https://togithub.com/hashicorp/vault/pull/16739)]
- ui: Fixed bug where red spellcheck underline appears in
sensitive/secret kv values when it should not appear
\[[GH-15681](https://togithub.com/hashicorp/vault/pull/15681)]
- ui: Fixes secret version and status menu links transitioning to auth
screen \[[GH-16983](https://togithub.com/hashicorp/vault/pull/16983)]
- ui: OIDC login type uses localStorage instead of sessionStorage
\[[GH-16170](https://togithub.com/hashicorp/vault/pull/16170)]
- vault: Fix a bug where duplicate policies could be added to an
identity group.
\[[GH-15638](https://togithub.com/hashicorp/vault/pull/15638)]

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/matter-labs/vault-auth-tee).

2024-02-13 13:07:31 +01:00
.github chore(deps): update trufflesecurity/trufflehog action to v3.67.5 2024-02-13 09:58:14 +00:00
cmd/vault-auth-tee feat: restructure project and fix vault/sdk version 2024-02-12 17:12:24 +01:00
test-fixtures/keys feat: restructure project and fix vault/sdk version 2024-02-12 17:12:24 +01:00
.gitignore feat: initial commit 2023-10-26 14:15:52 +02:00
backend.go feat: restructure project and fix vault/sdk version 2024-02-12 17:12:24 +01:00
backend_test.go feat: get current unix time for verification with NTS 2024-02-13 10:26:45 +01:00
CONTRIBUTING.md feat: initial commit 2023-10-26 14:15:52 +02:00
Dockerfile feat: restructure project and fix vault/sdk version 2024-02-12 17:12:24 +01:00
flake.lock chore: flake update 2024-02-12 17:12:27 +01:00
flake.nix chore: flake update 2024-02-12 17:12:27 +01:00
go.mod fix(deps): update module github.com/hashicorp/vault/api to v1.12.0 2024-02-13 12:04:10 +00:00
go.sum fix(deps): update module github.com/hashicorp/vault/api to v1.12.0 2024-02-13 12:04:10 +00:00
LICENSE feat: initial commit 2023-10-26 14:15:52 +02:00
path_info.go feat: restructure project and fix vault/sdk version 2024-02-12 17:12:24 +01:00
path_login.go feat: get current unix time for verification with NTS 2024-02-13 10:26:45 +01:00
path_login_test.go feat: get current unix time for verification with NTS 2024-02-13 10:26:45 +01:00
path_tees.go feat: restructure project and fix vault/sdk version 2024-02-12 17:12:24 +01:00
README.md feat: initial commit 2023-10-26 14:15:52 +02:00
renovate.json feat: initial commit 2023-10-26 14:15:52 +02:00
roughntstime.go feat: get current unix time for verification with NTS 2024-02-13 10:26:45 +01:00
SECURITY.md feat: initial commit 2023-10-26 14:15:52 +02:00
sgxquote.go feat: restructure project and fix vault/sdk version 2024-02-12 17:12:24 +01:00
sgxquote_test.go feat: restructure project and fix vault/sdk version 2024-02-12 17:12:24 +01:00
test_responder.go feat: restructure project and fix vault/sdk version 2024-02-12 17:12:24 +01:00
version.go feat: restructure project and fix vault/sdk version 2024-02-12 17:12:24 +01:00

vault-auth-tee

TEE remote attestation plugin for Hashicorp Vault

⚠️☢️☣️ WARNING: not yet for production use ☣️☢️⚠️

License

All of the code is licensed under the Mozilla Public License 2.0 unless otherwise specified. Most of the vault plugin code is based on the vault builtin/credential/cert plugin.

Build Setup

$ wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
$ sudo bash -c 'echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list'
$ sudo apt update
$ sudo apt install -y --no-install-recommends \
    libsgx-headers \
    libsgx-enclave-common \
    libsgx-urts \
    libsgx-dcap-quote-verify \
    libsgx-dcap-quote-verify-dev

Configuration

Create or update a TEE role via the ${plugin}/tees/$name endpoint:

{
    "name": "TEE_role_name",
    "token_policies": "policy1,policy2,...",
    "types": "sgx",
    "sgx_mrsigner": "298037d88782e022e019b3020745b78aa40ed95c77da4bf7f3253d3a44c4fd7e",
    "sgx_mrenclave": "18946b3547d3ca036f4df7b516857e28fd512d69fed3411dc660537912faabf8",
    "sgx_isv_prodid": 0,
    "sgx_min_isv_svn": 0,
    "sgx_allowed_tcb_levels": "Ok,ConfigNeeded,OutOfDate,OutOfDateConfigNeeded,SwHardeningNeeded,ConfigAndSwHardeningNeeded"
}
  • At least one of sgx_mrsigner or sgx_mrenclave must be set. If both are set, both are used for matching.
  • sgx_isv_prodid is optional and defaults to 0.
  • sgx_min_isv_svn is optional and defaults to 0.
  • sgx_allowed_tcb_levels is optional and defaults to Ok.
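The matching rules above are easiest to see as code. The following is an added example written for this page, not the plugin's own implementation: it models the role fields from the request body, takes the measurements a DCAP quote verifier would report as a hypothetical QuoteFacts struct, and applies the documented rules (at least one of sgx_mrsigner/sgx_mrenclave, both must match when both are set, exact sgx_isv_prodid, sgx_min_isv_svn as a lower bound, and a TCB allow-list that defaults to Ok). Field types and the structs are this example's assumptions.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Role mirrors the fields of the ${plugin}/tees/$name request above. Field set and
// defaults follow the README; the Go types are this example's own choice.
type Role struct {
	Name                string
	SGXMRSigner         string // hex, 32 bytes; may be empty
	SGXMREnclave        string // hex, 32 bytes; may be empty
	SGXISVProdID        uint16 // defaults to 0
	SGXMinISVSVN        uint16 // defaults to 0
	SGXAllowedTCBLevels string // comma separated; empty means "Ok"
}

// QuoteFacts is what a DCAP quote verifier reports about the attesting enclave
// (hypothetical struct; the plugin's own representation is not shown in the README).
type QuoteFacts struct {
	MRSigner  [32]byte
	MREnclave [32]byte
	ISVProdID uint16
	ISVSVN    uint16
	TCBLevel  string // one of the TCB level names listed in the README
}

// parseMeasurement decodes a 64-hex-char SGX measurement; "" means not configured.
func parseMeasurement(field, h string) (*[32]byte, error) {
	if h == "" {
		return nil, nil
	}
	b, err := hex.DecodeString(h)
	if err != nil || len(b) != 32 {
		return nil, fmt.Errorf("%s: expected 64 hex characters (32 bytes)", field)
	}
	var m [32]byte
	copy(m[:], b)
	return &m, nil
}

// Authorize applies the README's rules: at least one measurement is configured and
// every configured one must match; isv_prodid must be equal; isv_svn must be at least
// the minimum; the quote's TCB level must be in the allowed set (default: Ok only).
func Authorize(r Role, q QuoteFacts) error {
	wantSigner, err := parseMeasurement("sgx_mrsigner", r.SGXMRSigner)
	if err != nil {
		return err
	}
	wantEnclave, err := parseMeasurement("sgx_mrenclave", r.SGXMREnclave)
	if err != nil {
		return err
	}
	if wantSigner == nil && wantEnclave == nil {
		return errors.New("role must set sgx_mrsigner or sgx_mrenclave")
	}
	if wantSigner != nil && !bytes.Equal(wantSigner[:], q.MRSigner[:]) {
		return errors.New("mrsigner mismatch")
	}
	if wantEnclave != nil && !bytes.Equal(wantEnclave[:], q.MREnclave[:]) {
		return errors.New("mrenclave mismatch")
	}
	if q.ISVProdID != r.SGXISVProdID {
		return fmt.Errorf("isv_prodid %d, role requires %d", q.ISVProdID, r.SGXISVProdID)
	}
	if q.ISVSVN < r.SGXMinISVSVN {
		return fmt.Errorf("isv_svn %d below minimum %d", q.ISVSVN, r.SGXMinISVSVN)
	}
	allowed := r.SGXAllowedTCBLevels
	if strings.TrimSpace(allowed) == "" {
		allowed = "Ok"
	}
	for _, lvl := range strings.Split(allowed, ",") {
		if strings.TrimSpace(lvl) == q.TCBLevel {
			return nil
		}
	}
	return fmt.Errorf("tcb level %q not in allowed set %q", q.TCBLevel, allowed)
}

func main() {
	// Constructed sample: the README's example mrenclave, presented by a quote at TCB
	// level OutOfDate. The default policy rejects it; widening the allowed set admits it.
	const mre = "18946b3547d3ca036f4df7b516857e28fd512d69fed3411dc660537912faabf8"
	var q QuoteFacts
	b, _ := hex.DecodeString(mre)
	copy(q.MREnclave[:], b)
	q.TCBLevel = "OutOfDate"
	role := Role{Name: "TEE_role_name", SGXMREnclave: mre}
	fmt.Println("default policy:", Authorize(role, q))
	role.SGXAllowedTCBLevels = "Ok,OutOfDate"
	fmt.Println("widened policy:", Authorize(role, q))
}
```

Pinning sgx_mrenclave ties the role to one exact enclave build; pinning sgx_mrsigner together with sgx_min_isv_svn admits any enclave from that signer at or above a security version, which is the usual way to keep a role valid across enclave upgrades. Widening sgx_allowed_tcb_levels beyond Ok means accepting platforms whose microcode or firmware the TCB info marks as needing attention, so do it deliberately.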

Authentication

  • The client TEE generates a self-signed TLS client certificate.
  • The client TEE generates an attestation report whose report_data carries the hash of the client certificate's public key (for SGX, a sha256 sum of the public key). This binds the TLS identity to the attested enclave.
  • The client TEE fetches all collateral material, e.g. via Intel DCAP (tee_qv_get_collateral).
  • The client TEE sends a POST request to the ${plugin}/login endpoint over a TLS connection authenticated with that client certificate, carrying the role name, the attestation report (quote) and the collateral.
  • An optional challenge can be included in the POST request; Vault then includes it in the attestation report it returns in the response.
{
    "name": "The name of the TEE role to authenticate against.",
    "quote": "The quote, Base64 encoded.",
    "collateral": "The collateral, JSON encoded as a string.",
    "challenge": "An optional challenge, hex encoded."
}

The response contains the Vault token and, if a challenge was included, the Vault attestation report, whose quote must contain the challenge bytes in its report_data.

{
    "auth": {
        "client_token": "The Vault token.",
        "....": "...."
    },
    "data": {
        "quote": "The Vault quote, Base64 encoded.",
        "collateral": "The Vault collateral, JSON encoded as a string."
    }
}
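Both directions of the exchange hinge on what is placed in the 64-byte SGX report_data: the client binds its TLS key, Vault echoes the challenge. The following is an added example written for this page, not the plugin's or Vault's code: it builds a self-signed client certificate, derives the report_data the client would commit to, performs the binding check the login handler must do after quote verification, and performs the challenge check the client must do on Vault's quote. It assumes the hash is sha256 over the DER SubjectPublicKeyInfo and that both the hash and the challenge sit at offset 0 of report_data, zero padded; the README does not fix either layout.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// An SGX quote carries 64 bytes of caller-chosen report_data.
const reportDataLen = 64

// NewClientCert creates the self-signed TLS client certificate a TEE presents at login.
// Key type and lifetime are this example's choices.
func NewClientCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "tee-client"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientReportData lays out report_data as sha256(SubjectPublicKeyInfo) || zeros.
// Hashing the DER SPKI and the offset-0 layout are this example's assumptions.
func ClientReportData(cert *x509.Certificate) [reportDataLen]byte {
	var rd [reportDataLen]byte
	h := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	copy(rd[:], h[:])
	return rd
}

// VerifyClientBinding is the server-side check after the quote itself has verified:
// report_data must commit to the key in the TLS client certificate, otherwise a valid
// quote could be replayed over a connection authenticated with any other key.
func VerifyClientBinding(reportData []byte, cert *x509.Certificate) error {
	if len(reportData) != reportDataLen {
		return fmt.Errorf("report_data: got %d bytes, want %d", len(reportData), reportDataLen)
	}
	want := ClientReportData(cert)
	if !bytes.Equal(reportData, want[:]) {
		return errors.New("report_data does not match the TLS client public key")
	}
	return nil
}

// decodeChallenge parses the hex challenge from the login request and bounds its size.
func decodeChallenge(challengeHex string) ([]byte, error) {
	c, err := hex.DecodeString(challengeHex)
	if err != nil {
		return nil, fmt.Errorf("challenge: %w", err)
	}
	if len(c) == 0 || len(c) > reportDataLen {
		return nil, fmt.Errorf("challenge must be 1..%d bytes", reportDataLen)
	}
	return c, nil
}

// VaultReportData is the Vault-side counterpart: echo the challenge at the front of
// report_data, zero padded (layout assumed, not taken from the README).
func VaultReportData(challengeHex string) ([reportDataLen]byte, error) {
	var rd [reportDataLen]byte
	c, err := decodeChallenge(challengeHex)
	if err != nil {
		return rd, err
	}
	copy(rd[:], c)
	return rd, nil
}

// VerifyChallenge is the client-side check on Vault's quote: the fresh challenge the
// client sent must appear in report_data, which rules out a replayed Vault quote.
func VerifyChallenge(reportData []byte, challengeHex string) error {
	c, err := decodeChallenge(challengeHex)
	if err != nil {
		return err
	}
	if len(reportData) != reportDataLen || !bytes.Equal(reportData[:len(c)], c) {
		return errors.New("vault quote does not echo the challenge")
	}
	return nil
}

func main() {
	cert, err := NewClientCert()
	if err != nil {
		panic(err)
	}
	rd := ClientReportData(cert)
	fmt.Println("client binding:", VerifyClientBinding(rd[:], cert))
	const chal = "deadbeefcafe0123" // constructed sample challenge
	vrd, _ := VaultReportData(chal)
	fmt.Println("challenge echo:", VerifyChallenge(vrd[:], chal))
}
```

The order of checks matters: the quote signature and collateral (PCK chain, TCB info, QE identity) establish that report_data came from a genuine enclave, and only then does the binding check tie that enclave to the TLS session. A client that skips the challenge check on the response has no freshness guarantee on Vault's quote, so the challenge should be a fresh random value per login rather than a constant.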

Collateral JSON encoding

See sgx_ql_lib_common.h

{
    "major_version": uint16,
    "minor_version": uint16,
    "tee_type": uint32,
    "pck_crl_issuer_chain": []byte,
    "root_ca_crl": []byte,
    "pck_crl": []byte,
    "tcb_info_issuer_chain": []byte,
    "tcb_info": []byte,
    "qe_identity_issuer_chain": []byte,
    "qe_identity": []byte
}