Upgrade vault to v1.8.1 and runc to 1.0.0-rc95

Also: go 1.16.6

Fixes:
* CVE-2020-16250
* CVE-2020-7220
* CVE-2021-32923
* GHSA-c3xm-pvg7-gh7r

Author: Michael Weber

.circleci/config.yml

@@ -10,7 +10,7 @@ jobs:
   build:
     working_directory: /go/workdir/src/github.com/splunk/vault-plugin-splunk
     docker:
-      - image: circleci/golang:1.13.4
+      - image: circleci/golang:1.16.6
         <<: *defaultenv
       - image: splunk/splunk:latest
         user: root

Makefile

@@ -1,4 +1,4 @@
-GOLANGCI_LINT_ARGS := --enable=gosec --enable=dupl
+GOLANGCI_LINT_ARGS := -v --enable=gosec --enable=dupl --timeout 5m
 TESTREPORT := test-results.xml
 
 # XXX BUG(mweber) "go env GOBIN" is empty?
@@ -36,7 +36,7 @@ lint: dep
 
 .PHONY: dep
 dep:
-	./scripts/golangci-lint.sh -b $(GOBIN) v1.20.0
+	./scripts/golangci-lint.sh -b $(GOBIN) v1.42.0
 
 .PHONY: clean
 clean:

backend.go

@@ -5,8 +5,8 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/hashicorp/vault/logical"
-	"github.com/hashicorp/vault/logical/framework"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/splunk/vault-plugin-splunk/clients/splunk"
 )
 

backend_test.go

@@ -6,8 +6,8 @@ import (
 	"testing"
 	"time"
 
-	"github.com/hashicorp/vault/logical"
-	logicaltest "github.com/hashicorp/vault/logical/testing"
+	logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
+	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/mitchellh/mapstructure"
 	"gotest.tools/assert"
 

clients/splunk/testing.go

@@ -11,7 +11,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/go-uuid"
 	"github.com/ory/dockertest"
 	"golang.org/x/oauth2"
@@ -137,13 +136,13 @@ func NewTestSplunkService() (cleanup func(), conn *API, err error) {
 	}
 	password, err := uuid.GenerateUUID()
 	if err != nil {
-		err = errwrap.Wrapf("error generating password: {{err}}", err)
+		err = fmt.Errorf("error generating password: %w", err)
 		return
 	}
 
 	pool, err := dockertest.NewPool("")
 	if err != nil {
-		err = errwrap.Wrapf("Failed to connect to docker: {{err}}", err)
+		err = fmt.Errorf("Failed to connect to docker: %w", err)
 		return
 	}
 
@@ -153,7 +152,7 @@ func NewTestSplunkService() (cleanup func(), conn *API, err error) {
 	}
 	resource, err := pool.Run(testDefaultSplunkContainer, testDefaultSplunkVersion, env)
 	if err != nil {
-		err = errwrap.Wrapf("failed to start local container: {{err}}", err)
+		err = fmt.Errorf("failed to start local container: %w", err)
 		return
 	}
 
@@ -173,7 +172,7 @@ func NewTestSplunkService() (cleanup func(), conn *API, err error) {
 		return err
 	})
 	if err != nil {
-		err = errwrap.Wrapf("Could not connect to Splunk container: {{err}}", err)
+		err = fmt.Errorf("Could not connect to Splunk container: %w", err)
 		return
 	}
 	return
@@ -196,7 +195,7 @@ func NewTestSplunkServiceWithTempAdmin() (cleanup func(), conn *API, err error)
 		Roles:    []string{"admin"},
 	})
 	if err != nil {
-		err = errwrap.Wrapf(fmt.Sprintf("unable to create test user %q: {{err}}", testUser), err)
+		err = fmt.Errorf("unable to create test user %q: %w", testUser, err)
 		return
 	}
 

cmd/vault-plugin-splunk/main.go

@@ -5,8 +5,8 @@ import (
 	"os"
 
 	"github.com/hashicorp/go-hclog"
-	"github.com/hashicorp/vault/helper/pluginutil"
-	"github.com/hashicorp/vault/logical/plugin"
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/sdk/plugin"
 
 	splunk "github.com/splunk/vault-plugin-splunk"
 )
@@ -20,7 +20,7 @@ var (
 )
 
 func main() {
-	apiClientMeta := &pluginutil.APIClientMeta{}
+	apiClientMeta := &api.PluginAPIClientMeta{}
 	flags := apiClientMeta.FlagSet()
 	printVersion := flags.Bool("version", false, "Prints version")
 
@@ -44,7 +44,7 @@ func main() {
 	}
 
 	tlsConfig := apiClientMeta.GetTLSConfig()
-	tlsProviderFunc := pluginutil.VaultPluginTLSProvider(tlsConfig)
+	tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
 
 	err := plugin.Serve(&plugin.ServeOpts{
 		BackendFactoryFunc: splunk.Factory,

conn.go

@@ -9,13 +9,12 @@ import (
 	"time"
 
 	"github.com/fatih/structs"
-	"github.com/hashicorp/errwrap"
 	uuid "github.com/hashicorp/go-uuid"
-	"github.com/hashicorp/vault/helper/certutil"
-	"github.com/hashicorp/vault/helper/tlsutil"
-	"github.com/hashicorp/vault/helper/useragent"
-	"github.com/hashicorp/vault/logical"
-	"github.com/hashicorp/vault/logical/framework"
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/helper/tlsutil"
+	"github.com/hashicorp/vault/sdk/helper/useragent"
+	"github.com/hashicorp/vault/sdk/logical"
 	"golang.org/x/oauth2"
 
 	"github.com/splunk/vault-plugin-splunk/clients/splunk"
@@ -72,7 +71,7 @@ func (config *splunkConfig) store(ctx context.Context, s logical.Storage, name s
 		var walID string
 		walID, err = framework.PutWAL(ctx, s, walTypeConn, &walConnection{oldConfigID})
 		if err != nil {
-			return errwrap.Wrapf("unable to create WAL for deleting cached connection: {{err}}", err)
+			return fmt.Errorf("unable to create WAL for deleting cached connection: %w", err)
 		}
 
 		defer func() {
@@ -87,16 +86,16 @@ func (config *splunkConfig) store(ctx context.Context, s logical.Storage, name s
 
 	config.ID, err = uuid.GenerateUUID()
 	if err != nil {
-		return errwrap.Wrapf("error generating new configuration ID: {{err}}", err)
+		return fmt.Errorf("error generating new configuration ID: %w", err)
 	}
 
 	var newEntry *logical.StorageEntry
 	newEntry, err = logical.StorageEntryJSON(fmt.Sprintf("config/%s", name), config)
 	if err != nil {
-		return errwrap.Wrapf(fmt.Sprintf("error writing config/%s JSON: {{err}}", name), err)
+		return fmt.Errorf("error writing config/%s JSON: %w", name, err)
 	}
 	if err = s.Put(ctx, newEntry); err != nil {
-		return errwrap.Wrapf(fmt.Sprintf("error saving new config/%s: {{err}}", name), err)
+		return fmt.Errorf("error saving new config/%s: %w", name, err)
 	}
 
 	// if config.Verify {
@@ -113,7 +112,7 @@ func connectionConfigExists(ctx context.Context, s logical.Storage, name string)
 
 	entry, err := s.Get(ctx, fmt.Sprintf("config/%s", name))
 	if err != nil {
-		return false, errwrap.Wrapf("error reading connection configuration: {{err}}", err)
+		return false, fmt.Errorf("error reading connection configuration: %w", err)
 	}
 	return entry != nil, nil
 }
@@ -124,7 +123,7 @@ func connectionConfigLoad(ctx context.Context, s logical.Storage, name string) (
 	}
 	entry, err := s.Get(ctx, fmt.Sprintf("config/%s", name))
 	if err != nil {
-		return nil, errwrap.Wrapf("error reading connection configuration: {{err}}", err)
+		return nil, fmt.Errorf("error reading connection configuration: %w", err)
 	}
 	if entry == nil {
 		return nil, fmt.Errorf("connection configuration not found: %q", name)
@@ -180,15 +179,17 @@ func (config *splunkConfig) tlsConfig() (tlsConfig *tls.Config, err error) {
 		}
 		parsedCertBundle, err := certBundle.ToParsedCertBundle()
 		if err != nil {
-			return nil, errwrap.Wrapf("failed to parse certificate bundle: {{err}}", err)
+			return nil, fmt.Errorf("failed to parse certificate bundle: %w", err)
 		}
 
 		tlsConfig, err = parsedCertBundle.GetTLSConfig(certutil.TLSClient)
 		if err != nil || tlsConfig == nil {
-			return nil, errwrap.Wrapf(fmt.Sprintf("failed to get TLS configuration: tlsConfig: %#v; {{err}}", tlsConfig), err)
+			return nil, fmt.Errorf("failed to get TLS configuration: tlsConfig: %#v; %w", tlsConfig, err)
 		}
 	} else {
-		tlsConfig = &tls.Config{}
+		tlsConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12, // gosec G402
+		}
 	}
 
 	tlsConfig.InsecureSkipVerify = config.InsecureTLS

go.mod

@@ -1,63 +1,26 @@
 module github.com/splunk/vault-plugin-splunk
 
-go 1.12
+go 1.16
 
 require (
-	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
-	github.com/Microsoft/go-winio v0.4.13 // indirect
-	github.com/NYTimes/gziphandler v1.1.1 // indirect
-	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
-	github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878 // indirect
-	github.com/armon/go-radix v1.0.0 // indirect
-	github.com/cenkalti/backoff v2.2.1+incompatible // indirect
-	github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc // indirect
 	github.com/dghubble/sling v1.3.0
-	github.com/docker/go-connections v0.4.0 // indirect
-	github.com/docker/go-units v0.4.0 // indirect
-	github.com/elazarl/go-bindata-assetfs v1.0.0 // indirect
+	github.com/fatih/color v1.12.0 // indirect
 	github.com/fatih/structs v1.1.0
-	github.com/go-sql-driver/mysql v1.4.1 // indirect
-	github.com/go-test/deep v1.0.5 // indirect
-	github.com/golang/snappy v0.0.1 // indirect
 	github.com/google/go-querystring v1.0.0
-	github.com/gotestyourself/gotestyourself v2.2.0+incompatible // indirect
-	github.com/hashicorp/errwrap v1.0.0
-	github.com/hashicorp/go-cleanhttp v0.5.1 // indirect
-	github.com/hashicorp/go-hclog v0.9.2
-	github.com/hashicorp/go-memdb v1.0.3 // indirect
-	github.com/hashicorp/go-plugin v1.0.1 // indirect
-	github.com/hashicorp/go-retryablehttp v0.5.4 // indirect
-	github.com/hashicorp/go-rootcerts v1.0.1 // indirect
-	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
-	github.com/hashicorp/go-uuid v1.0.1
-	github.com/hashicorp/go-version v1.2.0 // indirect
-	github.com/hashicorp/golang-lru v0.5.3 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/vault v1.1.4
-	github.com/jefferai/jsonx v1.0.1 // indirect
-	github.com/keybase/go-crypto v0.0.0-20190416182011-b785b22cc757 // indirect
-	github.com/lib/pq v1.2.0 // indirect
-	github.com/mitchellh/copystructure v1.0.0 // indirect
-	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
-	github.com/mitchellh/mapstructure v1.1.2
-	github.com/mitchellh/reflectwalk v1.0.1 // indirect
+	github.com/hashicorp/go-hclog v0.16.1
+	github.com/hashicorp/go-uuid v1.0.2
+	github.com/hashicorp/vault v1.8.1
+	github.com/hashicorp/vault/api v1.1.2-0.20210713235431-1fc8af4c041f
+	github.com/hashicorp/vault/sdk v0.2.2-0.20210713235431-1fc8af4c041f
+	github.com/mattn/go-isatty v0.0.13 // indirect
+	github.com/mitchellh/mapstructure v1.3.3
 	github.com/mr-tron/base58 v1.1.3
-	github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
-	github.com/opencontainers/image-spec v1.0.1 // indirect
-	github.com/opencontainers/runc v0.1.1 // indirect
-	github.com/ory/dockertest v3.3.4+incompatible
-	github.com/patrickmn/go-cache v2.1.0+incompatible // indirect
-	github.com/pierrec/lz4 v2.2.6+incompatible // indirect
-	github.com/prometheus/client_golang v1.1.0 // indirect
-	github.com/ryanuber/go-glob v1.0.0 // indirect
+	github.com/opencontainers/runc v1.0.0-rc95 // indirect
+	github.com/ory/dockertest v3.3.5+incompatible
 	github.com/sethvargo/go-password v0.1.3
-	github.com/sirupsen/logrus v1.4.2 // indirect
-	golang.org/x/net v0.0.0-20190620200207-3b0461eec859 // indirect
-	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
-	golang.org/x/sys v0.0.0-20190804053845-51ab0e2deafa // indirect
-	golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 // indirect
-	google.golang.org/appengine v1.6.0 // indirect
-	google.golang.org/grpc v1.22.1 // indirect
-	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
+	golang.org/x/sys v0.0.0-20210818153620-00dd8d7831e7 // indirect
+	golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect
+	golang.org/x/tools v0.1.5 // indirect
 	gotest.tools v2.2.0+incompatible
 )