* initial WIP glimmerize the controller
* wip got the filter engine type by supported backends working
* got filter by engine type working
* wip need to refactor but working ish for name
* wip working state with both filters, does not work if both fiters are set
* fixed when you have two selected filters, but broken for multiples of the same type with different names
* remove repeated engineTypes in filter list
* add disabled to power select
* fix bug of glimmer for the concurrency task.
* wording fix
* remove linkableItem and the nested contextual compnents to help with loading speed.
* add changelog
* fix some tests
* add test coverage
* Update 20481.txt
update changelog text
* test fixes 🤞
* test fix?
* address a pr comment and save
* address pr comment
* import rsa and ecdsa public keys
* allow import_version to update public keys - wip
* allow import_version to update public keys
* move check key fields into func
* put private/public keys in same switch cases
* fix method in UpdateKeyVersion
* move asymmetrics keys switch to its own method - WIP
* test import public and update it with private counterpart
* test import public keys
* use public_key to encrypt if RSAKey is not present and failed to decrypt
if key version does not have a private key
* move key to KeyEntry parsing from Policy to KeyEntry method
* move extracting of key from input fields into helper function
* change back policy Import signature to keep backwards compatibility and
add new method to import private or public keys
* test import with imported public rsa and ecdsa keys
* descriptions and error messages
* error messages, remove comments and unused code
* changelog
* documentation - wip
* suggested changes - error messages/typos and unwrap public key passed
* fix unwrap key error
* fail if both key fields have been set
* fix in extractKeyFromFields, passing a PolicyRequest wouldn't not work
* checks for read, sign and verify endpoints so they don't return errors when a private key was not imported and tests
* handle panic on "export key" endpoint if imported key is public
* fmt
* remove 'isPrivateKey' argument from 'UpdateKeyVersion' and
'parseFromKey' methods
also: rename 'UpdateKeyVersion' method to 'ImportPrivateKeyForVersion' and 'IsPublicKeyImported' to 'IsPrivateKeyMissing'
* delete 'RSAPublicKey' when private key is imported
* path_export: return public_key for ecdsa and rsa when there's no private key imported
* allow signed data validation with pss algorithm
* remove NOTE comment
* fix typo in EC public key export where empty derBytes was being used
* export rsa public key in pkcs8 format instead of pkcs1 and improve test
* change logic on how check for is private key missing is calculated
---------
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
By reversing the logic and adding a `REMOVE_SYMBOLS` environment
variable that, when set, will remove symbols.
This has been requested to re-enable Dynatrace support, which
requires symbols are intact.
Sadly this increases the size (on my mac) from 192,609,682 bytes
to 236,696,722 bytes (+23% increase).
I confirmed that this adds symbols back, and that `dlv` will load
the Vault binary.
* Add Helios Design System Components (#19278)
* adds hds dependency
* updates reset import path
* sets minifyCSS advanced option to false
* Remove node-sass (#19376)
* removes node-sass and fixes sass compilation
* fixes active tab li class
* Sidebar Navigation Components (#19446)
* links ember-shared-components addon and imports styles
* adds sidebar frame and nav components
* updates HcNav component name to HcAppFrame and adds sidebar UserMenu component
* adds tests for sidebar components
* fixes tests
* updates user menu styling
* fixes typos in nav cluster component
* changes padding value in sidebar stylesheet to use variable
* Replace and remove old nav components with new ones (#19447)
* links ember-shared-components addon and imports styles
* adds sidebar frame and nav components
* updates activeCluster on auth service and adds activeSession prop for sidebar visibility
* replaces old nav components with new ones in templates
* fixes sidebar visibility issue and updates user menu label class
* removes NavHeader usage
* adds clients index route to redirect to dashboard
* removes unused HcAppFrame footer block and reduces page header top margin
* Nav component cleanup (#19681)
* removes nav-header components
* removes navbar styling
* removes status-menu component and styles
* removes cluster and auth info components
* removes menu-sidebar component and styling
* fixes tests
* Console Panel Updates (#19741)
* updates console panel styling
* adds test for opening and closing the console panel
* updates console panel background color to use hds token
* adds right margin to console panel input
* updates link-status banner styling
* updates hc nav components to new API
* Namespace Picker Updates (#19753)
* updates namespace-picker
* updates namespace picker menu styling
* adds bottom margin to env banner
* updates class order on namespace picker link
* restores manage namespaces refresh icon
* removes manage namespaces nav icon
* removes home link component (#20027)
* Auth and Error View Updates (#19749)
* adds vault logo to auth page
* updates top level error template
* updates loading substate handling and moves policies link from access to cluster nav (#20033)
* moves console panel to bottom of viewport (#20183)
* HDS Sidebar Nav Components (#20197)
* updates nav components to hds
* upgrades project yarn version to 3.5
* fixes issues in app frame component
* updates sidenav actions to use icon button component
* Sidebar navigation acceptance tests (#20270)
* adds sidebar navigation acceptance tests and fixes other test failures
* console panel styling tweaks
* bumps addon version
* remove and ignore yarn install-state file
* fixes auth service and console tests
* moves classes from deleted files after bulma merge
* fixes sass syntax errors blocking build
* cleans up dart sass deprecation warnings
* adds changelog entry
* hides namespace picker when sidebar nav panel is minimized
* style tweaks
* fixes sidebar nav tests
* bumps hds addon to latest version and removes style override
* updates modify-passthrough-response helper
* updates sidebar nav tests
* mfa-setup test fix attempt
* fixes cluster mfa setup test
* remove deprecated yarn ignore-optional flag from makefile
* removes another instance of yarn ignore-optional and updates ui readme
* removes unsupported yarn verbose flag from ci-helper
* hides nav headings when user does not have access to any sub links
* removes unused optional deps and moves lint-staged to dev deps
* updates has-permission helper and permissions service tests
* fixes issue with console panel not filling container width
* Add missing tidy-status state values
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add docs on auto-tidy reading
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing tidy status field revocation_queue_safety_buffer
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Include pause_duration in tidy-status docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add date of last auto-tidy operation to status
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add additional existing keys response field
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update tests for validating existing keys
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update docs for import to include new fields
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update website/content/api-docs/secret/pki.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Step one: remove bulma (#19587)
* remove bulma and get app running
* add back in each statments from bulma variables
* remove space
* address pr comments
* add back copyright headedr
* Step two: add back and organize relevant Bulma classes (#19664)
* VAULT-14566 copy/paste bulma css for classes that it defines and we do not.
* add three new helper files and move helpers.scss to a new directory called helper-classes
* rename utils/colors to color_variables
* integrate all bulma sizing into previous utils/spacing doc, address obvious duplicates and rename to spacing_variables.
* small class name issues
* clean up
* comment clean up
* Step three: add Bulma classes to relevant component styles (#19683)
* add in bulma classes used in global-flash component
* add in bulma classes used in the modal component
* remaining bulma classes that can integrate into the vault css
* remove replication-header.scss and replace with helper.
* add bulma tabs classes to tabs component scss file
* remove ui-wizard style
* only do bulma explicit classes for now
* add in breadcrumb styling from bulma
* integrate bulma into css
* remove unecessary tabs bulma styling
* remove non-relevant bulma classes
* remove non relevant bulma css
* Step three cont. Bulma classes to component files (#19691)
* return box-label to as before now that you have those bulma classes
* missing modal bulma classes
* add bulma class to box component
* missed some bulma box classes
* remove scss unecessary
* add in bulma classes to icon component.
* move up icon
* missed modal class
* clean up
* size vars to icon
* Step four: address core directory files (#19719)
* move some basic helpers over to typography helper.
* rename helpers to other
* moveing generic classes to other relevant scss files.
* rename generic to link
* clean up
* clean up
* address core/box
* remove hero because the class is not used anywhere.
* add in level bulma css
* welp forgot a file.
* add in missing bulma classes into core/menu
* UI/step four core files 2 (#19754)
* address issue with input border and box shadow
* remove the is-white class, it was being used very poorly, replaced with exisiting helpers.
* organizing the forms and button core files
* small amount of clean up
* hot mess of colors dealing with just danger for now
* removed moved over bulma classes
* use helper for this one off
* clean up
* wip on the buttons
* fix select select:: after
* clean up select from bulma-classes.
* clean up
* clean up
* small fix
* Cleaning up the last of the core files (welp there's still more) (#19779)
* one missing thing for level core.
* replace no-underline and link-item with helper text-decoration-none
* core/menu double check
* handle core/message
* create and add to bulma classes for core/columns
* add in bulma-classes columns and column... not fun to qa later.
* remove core/notification
* core/progress bar
* revert the hbs changes
* fix over revert
* Core files cont. Focus on core/form (#19794)
* create input and textarea core files, move charts
* remove input and textarea classes from bulma classes
* remove input-hint component file, never a component
* fix the mess that is help-text:
* help and is-help and sub-text are a mess...
* fix switch alignment issues
* deal with file-name
* clean file out of bulma-classes
* create layout helper and move out some remaining button classes
* deal with core/title
* is-marginless move to helper
* helper layout add to core
* clean up
* remove core/tables
* test
* Revert "test"
This reverts commit e695dedfe933d71320cd7eeee33f6b21a8d54b37.
* Core files continued (#19896)
* test
* combine input and textarea
* clean up navbar brannd
* clean up the single instance delete class used on the modal and match with flight icon
* add back autocomplete to component
* create core/file
* alphabetize file css blocks
* core/checkboxes create and address
* combine b-checkboxes classes and remove from core the utils
* address duplicate helper
* Core files continued (#19930)
* clean up helper and remove duplicate class
* more clean up of the other helper
* fix pagination, hot mess
* add radio to checkbox styling
* tag to tags rename singular
* container core file
* finally... changing forms to one element, field
* finally remove bulma-classes
* cleanup
* comment cleanup
* add comment about pagination
* Consolidating our size variables with Bulma's (#19951)
* remove bulma-size variables that are duplicates of our own
* remove unused is-size-xx and duplicate font weights
* remove duplicate class
* ahh this is madness
* remove column-gap var
* remove duplicate sizing of
* clean up breakpoints
* replace border-radius:2px for var so folks know the common border-radius
* replace header-height with new spacing var
* replace body-size and console-size vars with other sizing vars
* clean up final of size vars
* radius override things blah fixed
* last size var
* add back
* Finish size var clean up (#19970)
* remove size-small, etc.
* fix size-small things
* remove label unused classes
* move out font-family utils
* Update Color Vars (remove bulma color vars and overrides) (#20031)
* remove bulma_variables file
* remove duplicate helper
* replace hardcoded with color vars when appropriate
* broaden font-family utils
* add back box-link-hover-shadow
* welp
* fix pagination coloring
* Small fixes post var and core file work (#20035)
* fix auth-login splash container
* fix some splash page issues
* fix status menu
* fix menu-list regression
* fix regression on button text-decoration
* fix tag regression
* fix regression on select select
* fix regression on field field
* regression on textarea
* button focus state regression
* fix inputs
* fix is-outlined buttons
* Remove bulma switch (#20065)
* remove bulma/switch
* fix disbled style
* Bulma removal: starting the clean up process (#20066)
* remove unused class name
* add todo
* wip shamir-modal-flow usage of file styling
* final fix
* fix message type message-body css
* better match
* fix a.active on popup-menu-content
* VAULT-14625 fix
* blah overrides overrides and oh another override
* fix breadcrumb link
* fixes
* fix readonly state and hover on inputs.scss
* fix button style issue
* fix modal title spacing issue
* clean up
* fix switch
* fix checkbox issue and pr comment
* fix issue with tabs
* pr comment
* Bulma clean up cont. (#20119)
* gotta use rem on page container... it makes a difference, can't switch to px
* missing helper for background color
* fix textarea with icon
* can't seem to replace rem with px ;/
* fix table issues
* clean up columns.scss file
* fix
* fix rem vs px issues
* address some todos
* fix todo on help is-danger
* best effort for sizing var clean up
* reomve duplicate
* clearify
* welp forgot a word
* address sr-only class definition
* move to helper
* replaced single use class with helper and cleaned up flexbox
* move to make more sense
* move around layout and container
* color things
* things
* Cleanup 🧹 (#20196)
* remove carry over classes from bulma
* clean up title.scss
* clean up title is-5 has-top-padding-m and box.scss
* clean up breadcrumbs, buttons, c&r, columns
* clean up core files
* clean up cont looking at component files
* clean up remaining component files
* fix pagination
* pr comments, thank you
* add in merge color helper
* Remove out of scope changes (#20218)
* remove out of scope changes
* fix test
* add changelog
* remove scope creep
* fix scope creep cont
* qa fixes
* Fixes found while QA'ing Secret Engines (#20264)
* fix active tab issue for both secret and auth mounts
* use helper instead of :not last on content margin which causes problems
* fix missing disabled on b-checkbox
* quick fix
* deal with body-size issue
* fix order of other helper
* small fixes from qa
* update comments on the core files and change desktop font size from px back to rem
* missed 16px replaced with 1rem
* address chelseas comments
* fixes that jordan noticed
* remove unstable flexbox test
* test fix
* rename other to general
* address claires qa comments
* add in missing helper must have missed in earlier merge
* fix button
* small small small fix
* Add enable_aia_url_templating to read issuer
This field was elided from read issuer responses, though the value
otherwise persisted correctly.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add comprehensive test for patching issuers
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing OpenAPI scheme definition
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* define ent paths in OSS codebase with common handler
* fixup! define ent paths in OSS codebase with common handler
* add missing path
* retain existing behaviour for replication/status path
* remove commented out path
* Add additional fields to LIST issuers for Web UI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add infrastructure for warnings on CRL rebuilds
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add warning on issuer missing KU for CRL Signing
When an entire issuer equivalency class is missing CRL signing usage
(but otherwise has key material present), we should add a warning so
operators can either correct this issuer or create an equivalent version
with KU specified.
Resolves: https://github.com/hashicorp/vault/issues/20137
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for issuer warnings
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix return order of CRL builders
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* remove intercepting helpText
* add subtext directly to StringList input component
* update tests and add coverage for new openapi-attrs util
* update test
* add warning validation to input
* lol is this right i dont know go
* literally no idea what im doing
* add Description to display attrs struct
* update struct comment
* add descriptions to remaining go fields
* add missing comma
* remaining commas..."
* add description to display attrs
* update tests
* update tests
* add changelog;
* Update ui/app/utils/openapi-to-attrs.js
* update tests following backend changes
* clearly name variable
* format files
* no longer need to test for modified tooltip since coming from backend now
* Return OCSP errors on cert auth login failures
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to immediately returning the first match
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
In the Kubernetes Auth Code Example, the indentation for the `auth` import is off, causing it to not be indented the same amount as the previous `vault` import. This change ensures that both imports use the same indentation.
* Update wrapping-unwrap.mdx
It is possible to unwrap data without authentication in Vault. I've added an example of a curl request.
* Add changelog record
* Minor follow-ups to #16865
Fix PKI issuer upgrade logic when upgrading to 1.12 or later, to
actually turn off the issuer crl-signing usage when it intended to.
Fix minor typo in docs.
* changelog
* Remove extraneous certificate from OCSP response
Since the issuer used to sign the certificate also signs the OCSP
response, no additional information is added by sending the issuer again
in the certs field of the BasicOCSPResponse structure. Removing it saves
bytes and avoids confusing Go-based OCSP verifiers which cannot handle
the cert issuer being duplicated in the certs field.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add fix for Go x/crypto/ocsp failure case
When calling ocsp.ParseRequest(req, issue) with a non-nil issuer on a
ocsp request which _unknowingly_ contains an entry in the
BasicOCSPResponse's certs field, Go incorrectly assumes that the issuer
is a direct parent of the _first_ certificate in the certs field,
discarding the rest.
As documented in the Go issue, this is not a valid assumption and thus
causes OCSP verification to fail in Vault with an error like:
> bad OCSP signature: crypto/rsa: verification error
which ultimately leads to a cert auth login error of:
> no chain matching all constraints could be found for this login certificate
We address this by using the unsafe issuer=nil argument, taking on the
task of validating the OCSP response's signature as best we can in the
absence of full chain information on either side (both the trusted
certificate whose OCSP response we're verifying and the lack of any
additional certs the OCSP responder may have sent).
See also: https://github.com/golang/go/issues/59641
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case with Vault PKI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* add max_entry_size to sanitized config output
* add changelog entry
* add test parallelism
* add inmem test case
* use named struct fields for TestSysConfigState_Sanitized cases
* updates clients config view for census reporting
* adds changelog entry
* fixes issue with modal staying open and error not showing on clients config save failure
* adds min retention months to clients config model and form validation
* revert STS lease changes, now create a lease for STS credentials but keep the ttl
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
* Correctly find certificates for unified delta CRL
When building the unified delta CRL, WAL entries from the non-primary
cluster were ignored. This resulted in an incomplete delta CRL,
preventing some entries from appearing.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Correctly rebuild unified delta CRLs
When deciding if the Unified Delta CRL should be rebuilt, we need to
check the status of all clusters and their last revoked serial numbers.
If any new serial has been revoked on any cluster, we should rebuild the
unified delta CRLs.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Correctly persist Unified Delta CRL build entries
When building the unified CRL, we need to read the last seen serial
number from all clusters, not just the present cluster, and write it
to the last built serial for that cluster's unified delta WAL entry.
This prevents us from continuously rebuilding unified CRLs now that we
have fixed our rebuild heuristic.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix getLastWALSerial for unified delta CRLs
getLastWALSerial ignored its path argument, preventing it from reading
the specified cluster-specific WAL entry. On the primary cluster, this
was mostly equivalent, but now that we're correctly reading WAL entries
and revocations for other clusters, we need to handle reading these
entries correctly.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Copy delta WAL entries in event of failure
Any local delta WAL should be persisted to unified delta WAL space as
well. If such unified persistence fails, we need to ensure that they get
eventually moved up, otherwise they'll remain missing until the next
full CRL rebuild occurs, which might be significantly longer than when
the next delta CRL rebuild would otherwise occur. runUnifiedTransfer
already handles this for us, but it lacked logic for delta WAL serials.
The only interesting catch here is that we refuse to copy any entries
whose full unified revocation entry has not also been written.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Make doUnifiedTransferMissingLocalSerials log an error
This message is mostly an error and would always be helpful information
to have when troubleshooting failures.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Warn on cross-cluster write failures during revoke
When revoking certificates, we log cross-cluster revocation failures,
but we should really expose this information to the caller, that their
local revocation was successful, but their cross-cluster revocation
failed.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Ensure unified delta WAL entry has full entry
Delta WAL entries are empty files whose only information (a revoked
serial number) is contained in the file path. These depend implicitly on
a full revocation entry existing for this file (whether a cross-cluster
unified entry or a local entry).
We should not write unified delta WAL entries without the corresponding
full unified revocation entry existing. Add a warning in this case.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* fix console formatting for help output
* fix again
* fix again
* fix, add to ignore
* fix, add to ignore
* add to ignore file
* fix formatting, no verify
* remove lib/story.md
* add changelog
* hold off updating ignore list for separate ticket
* fix test
* Log, don't err, on unified delta WAL write failure
When the PBPWF fails on the Active node of a PR Secondary cluster with a
read-only failure, there is no value in forwarding this request up to
the Active node of the PR Primary cluster: it does not have the local
revocation context necessary to write a Delta WAL entry for this
request, and would likely end up writing a cross-cluster revocation
entry (if it is enabled) or else erring completely.
Instead, log this error like we do when failing to write unified CRL
entries. Switch both to using Error instead of Debug for this type of
failure.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* cleans up dependencies with critical warnigns
* adds changelog entry
* updates dockerfiles and ci github workflow to use node 16
* removes ui gh workflow not being used
* VAULT-12940 test for templating user agent
* VAULT-12940 User agent work so far
* VAULT-12940 Vault Agent uses Vault Agent specific User-Agent header when issuing requests
* VAULT-12940 Clean-up and godocs
* VAULT-12940 changelog
* VAULT-12940 Fix test checking headers
* VAULT-12940 Fix test checking headers
* VAULT-12940 Fix test checking headers
* VAULT-12940 Fix test checking headers
* VAULT-12940 copy/paste typos
* VAULT-12940 improve comments, use make(http.Header)
* VAULT-12940 small typos and clean-up
* ensure we supply the node type when it's for a voter
* bumped autopilot version back to v0.2.0 and ran go mod tidy
* changed condition in knownservers and added some comments
* Export GetRaftBackend
* Updated tests for autopilot (related to dead server cleanup)
* Export Raft NewDelegate
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* responses for rotate endpoints
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added changelog
* add test for rotate config
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* update to use newer function
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* use new func
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added response struct for version-history
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add response struct for leader
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add response struct for ha-status
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add response struct for host-info
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add response struct for in-flight-req
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added changelog
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* make fmt
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* add response structures for /sys/wrapping endpoints
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added changelog
* dynamic tests should be nil
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add struct for /sys/tools/hash
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added responses for /sys/tools paths
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add changelog
* verify respose structure for hash
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* verify respose structure for hash/random
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* use newer testing funct
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* use new test method
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* fixes issue navigating back a level using the breadcrumbs from kvv2 metadata view
* adds changelog entry
* deletes kv mount after breadcrumb test -- attempt to fix unrelated failing secrets tests
* Add header operation to sdk/logical
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add support for routing HEAD operations
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* add flag
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* handle kv paths
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* scaffold test
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* need metadata for list paths
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add (broken) test
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* fix test
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* update docs
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add changelog
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* format
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add godoc
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add test case for mount only
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* handle case of no unnamed arg
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add non-mount behavior
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add more detail to comment
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add v1 tests
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Forward PKI revocation requests received by standby nodes to active node
- A refactoring that occurred in 1.13 timeframe removed what was
considered a specific check for standby nodes that wasn't required
as a writes should be returning ErrReadOnly.
- That sadly exposed a long standing bug where the errors from the
storage layer were not being properly wrapped, hiding the ErrReadOnly
coming from a write and failing the request.
* Add cl
* Add test for basic PKI operations against standby nodes
* fix data race on plugin reload
* add changelog
* add comment for posterity
* revert comment and return assignment in router.go
* rework plugin continue on error tests to use compilePlugin
* fix race condition on route entry
* add test for plugin reload and rollback race detection
* add go doc for test
* Add support for importing RSA-PSS keys in Transit
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* bug: correct handling of the zero int64 value
* Update changelog/18729.txt
---------
Co-authored-by: valli_0x <personallune@mail.ru>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* glimmerize alert-banner
* structure for the DocLink todo: css important remove
* styling done. kind of strange, but should help in future
* clean up
* test coverage
* changelog
* address pr comments
* clean up
* amended language on banner to match most recent change.
* add return
* clean up
* modify the banner title and shorten message
* update language
* don't error for other message events
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
* add changelog
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
* rename release note for changelog
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
---------
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
* Fix cubbyhole and revocation for legacy service tokens
Legacy service tokens generated in Vault 1.10+ with env var
VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS=true are not assigned
a cubbyhole ID. The implication is that cubbyhole/ cannot be
used, nor can the tokens be revoked.
This commit assigns a cubbyhole ID to these tokens and adds
a new test case to see that cubbyhole and revocation works correctly.
* add changelog
* add godoc to test cases
* Fix Vault Transit BYOK helper argument parsing
This commit fixes the following issues with the importer:
- More than two arguments were not supported, causing the CLI to error
out and resulting in a failure to import RSA keys.
- The @file notation support was not accepted for KEY, meaning
unencrypted keys had to be manually specified on the CLI.
- Parsing of additional argument data was done in a non-standard way.
- Fix parsing of command line options and ensure only relevant
options are included.
Additionally, some error messages and help text was clarified.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing documentation on Transit CLI to website
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for Transit BYOK vault subcommand
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Appease CI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* added responses for sys/internal/ui/mounts
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* responses for internal paths
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added changelog
* add schema validation for internal/ui/mounts
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add counters test
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* update test to use new method
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* use new method in TestSystemBackend_InternalUIMounts
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* :rage4: fixed test, diff between core.HandleRequest and backend.HandleRequest
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* test feature flags
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* impr(auth/ldap): allow to dereference aliases in searches
* docs: add documentation for LDAP alias dereferencing
* chore(auth/ldap): add changelog entry for PR 18230
* chore: run formatter
* fix: update default LDAP configuration with new default
* Update website/content/docs/auth/ldap.mdx
Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
* docs(ldap): add alias dereferencing to API docs for LDAP
---------
Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
* add nil check for secret id entry on delete via accessor
* add changelog
* add godoc to test
* improve feedback on nil entry
* fix error reporting on invalid secret id accessor
* fix test to expect implemented error
* language by design
* fix issue with active class not doing anything on the LinkTo
* changelog
* noDefault instead of empty string
* test coverage
* update test descriptions
* address pr comments
* welp
* feat(auth/ldap): allow passing the LDAP password via an environment variable when authenticating via the CLI
* chore(auth/ldap): add changelog entry for PR 18225
* Handle permission issue on pki health-check tune checkers
- Prior to this fix, if the end-user's Vault token did not have permission to the
mount's tune api, we would return as if the tunable params had not been set.
- Now check to see if we encountered a permission issue and report that back to
the end-user like the other checks do.
* Fix role endpoint in pki health-check warnings
- The various warning messages point to {{mount}}/role/<rolename>
which is not a valid PKI path, it should be {{mount}}/roles/<rolename>
* Add cl
* Output default config output from health-check --list as json
- Change the output of the default configuration as JSON so
it's useable as an input to the health-check command
* Add cl
* update error message and properly handle list requests
* since we do agressive sanitizes we need to optionally check trailing slash
* added changelog record
* remove redundant path formating
* Update changelog/13106.txt
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* addressed comments from review
* also remove code that duplicates efforts in kv_list
* abstracted helper func for testing
* added test cases for the policy builder
* updated the changelog to the correct one
* removed calls that apear not to do anything given test case results
* fixed spacing issue in output string
* remove const representation of list url param
* addressed comments for pr
---------
Co-authored-by: lursu <leland.ursu@hashicorp.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* pki health-check fails to read in int config values
- Go's default behavior when decoding numbers to an interface{} is to use a float64 type which parseutil.SafeParseIntRange does not handle.
- Switch to having the JSON decoder use json.Number which our parseutil library
properly handles.
* Add cl
* plugin/auth: enable multiplexing
- the plugin will be multiplexed when run as an external plugin
by vault versions that support secrets/auth plugin multiplexing (> 1.12)
- we continue to set the TLSProviderFunc to maintain backwards
compatibility with vault versions that don't support AutoMTLS (< 1.12)
* enable multiplexing for secrets engines
* add changelog
* revert call to ServeMultiplex for pki and transit
* Revert "revert call to ServeMultiplex for pki and transit"
This reverts commit 755be28d14b4c4c4d884d3cf4d2ec003dda579b9.
* add capabilities
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added change log
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add test
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* use nil for dynamic fields
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added responses to /sys/auth/.../tune
* add response structure for auth/...
* added changelog
* Update vault/logical_system_paths.go
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* its TypeString
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* use nil for dynamic fields
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* test auth endpoint schema
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* kicking off ci
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* fix, need to test and write test for
* the fix
* add test coverage
* changelog:
* woops param already existed
* remove test coverage
* Delete database-role-edit-test.js
* add allowed_response_headers
* fix empty state text
* add spaces
* add changelog
* updates skipped mount-secret-backend test to run
---------
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
* added response objects to all of the endpoints laid out by the ticket linked
* added changelog file and updated based on review
* added the required bool to the correct fields
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* updated based on review
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* updated based on review and added test cases for validating response structures
* fix copy pasta issues breaking tests
* Update vault/logical_system_paths.go
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* fix test failures
* fixed issue with refrencing the wrong req var name
* fixed another test case and double checked the rest
* updated based on review
* updated in all locations
* Update vault/logical_system_paths.go
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* fixed my brain fart
* Update vault/logical_system_paths.go
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* address fmt error
---------
Co-authored-by: lursu <leland.ursu@hashicorp.com>
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* add RequestResponseCallback to core/options
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* pass in router and apply function on requests
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add callback
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* cleanup
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* Update vault/core.go
* bad typo...
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* use pvt interface, can't downcast to child struct
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* finer grained errors
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* trim path for backend
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* remove entire mount point instead of just the first part of url
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/testing.go
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* add doc string
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* update docstring
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* reformat
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added changelog
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* work in progress: got the expired banner set with license check
* wip: got the logic for both banners, need to test and write tests
* add notes
* prep for test writing
* test coverage
* add changelog
* clean up
* clarify dismissTypes and conditionals
* updates
* update comment
* update comment
* address pr comments
* update test
* small naming change
* small naming changes
* clean localStorage
* comment clean up
* another comment clean up
* remove meep
* add test coverage for new method in localStorage
* Telemetry Metrics Configuration.
* Err Shadowing Fix (woah, semgrep is cool).
* Fix TestBackend_RevokePlusTidy_Intermediate
* Add Changelog.
* Fix memory leak. Code cleanup as suggested by Steve.
* Turn off metrics by default, breaking-change.
* Show on tidy-status before start-up.
* Fix tests
* make fmt
* Add emit metrics to periodicFunc
* Test not delivering unavailable metrics + fix.
* Better error message.
* Fixing the false-error bug.
* make fmt.
* Try to fix race issue, remove confusing comments.
* Switch metric counter variables to an atomic.Uint32
- Switch the metric counter variables to an atomic variable type
so that we are forced to properly load/store values to it
* Fix race-issue better by trying until the metric is sunk.
* make fmt.
* empty commit to retrigger non-race tests that all pass locally
---------
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
* The verify-sign command in it's cleanest existing form.
* Working state
* Updates to proper verification syntax
Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>
* make fmt
* Base functionality.
* make fmt; changelog
* pki issue command.
* Make fmt. Changelog.
* Error Handling Is Almost A Tutorial
* Issue and ReIssue are Almost the Same Command
* Make Fmt + Changelog.
* Make some of the tests go.
* make fmt
* Merge fix (take 2)
* Fix existing support, add support for use_pss, max_path_length, not_after, permitted_dns_domains and skid
* Good Test which Fails
* Test-correction.
* Fix update to key_type key_bits; allow "," in OU or similar
* More specific includeCNinSANs
* Add tests around trying to use_pss on an ec key.
* GoDoc Test Paragraph thing.
---------
Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>
* fix: upgrade vault-plugin-secrets-mongodbatlas to v0.9.1
* add changelog
* Update changelog/19111.txt
Co-authored-by: Max Coulombe <109547106+maxcoulombe@users.noreply.github.com>
* use correct plugin type in changelog
---------
Co-authored-by: Max Coulombe <109547106+maxcoulombe@users.noreply.github.com>
* Use UTC for leaf exceeding CA's notAfter
When generating a leaf which exceeds the CA's validity period, Vault's
error message was confusing as the leaf would use the server's time
zone, but the CA's notAfter date would use UTC. This could cause
user confusion as the leaf's expiry might look before the latter, due
to using different time zones. E.g.:
> cannot satisfy request, as TTL would result in notAfter
> 2023-03-06T16:41:09.757694-08:00 that is beyond the expiration of
> the CA certificate at 2023-03-07T00:29:52Z
Consistently use UTC for this instead.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix race accessing b.crls within cert auth
- Discovered by CircleCI the pathLogin, pathLoginRenew paths access
and reloads the b.crls member variable without a lock.
- Also discovered that pathLoginResolveRole never populated an empty
b.crls before usage within b.verifyCredentials
* Add cl
* Misc cleanup
- Introduce a login path wrapper instead of repeating in all the
various login methods the crl reloading
- Cleanup updatedConfig, never returned an error and nothing looked at
the error returned
- Make the test within TestCRLFetch a little less timing sensitive as
I was able to trigger a failure due to my machine taking more than
150ms to load the new CRL
* Revert "Don't execute the seal recovery tests on ENT. (#18841)"
This reverts commit 990d3bacc203c229d0f6729929d7562e678a1ac2.
* Revert "Add the ability to unseal using recovery keys via an explicit seal option. (#18683)"
This reverts commit 2ffe49aab0fc1a527c5182637c8fa3ac39b08d45.
* Apply URL encoding/unencoding to OCSP Get requests
- Missed this during development and sadly the unit tests were written
at a level that did not expose this issue originally, there are
certain combinations of issuer cert + serial that lead to base64
data containing a '/' which will lead to the OCSP handler not getting
the full parameter.
- Do as the spec says, this should be treated as url-encoded data.
* Add cl
* Add higher level PKI OCSP GET/POST tests
* Rename PKI ocsp files to path_ocsp to follow naming conventions
* make fmt
* Add ability to clean up host keys for dynamic keys
This adds a new endpoint, tidy/dynamic-keys that removes any stale host
keys still present on the mount. This does not clean up any pending
dynamic key leases and will not remove these keys from systems with
authorized hosts entries created by Vault.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Regexp metacharacter `.` should be escaped when used literally
The paths including `/.well-known/` in the Vault API could currently
technically be invoked with any random character in place of the dot.
* Replace implementation of OpenAPI path translator with regexp AST-based one
* Add changelog
* Typo fix from PR review - thanks!
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* Add comment based on review feedback
* Change style of error handling as suggested in code review
* Make a further tweak to the handling of the error case
* Add more tests, testing cases which fail with the previous implementation
* Resolve issue with a test, and improve comment
---------
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* Remove dynamic keys from SSH Secrets Engine
This removes the functionality of Vault creating keys and adding them to
the authorized keys file on hosts.
This functionality has been deprecated since Vault version 0.7.2.
The preferred alternative is to use the SSH CA method, which also allows
key generation but places limits on TTL and doesn't require Vault reach
out to provision each key on the specified host, making it much more
secure.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove dynamic ssh references from documentation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove dynamic key secret type entirely
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify changelog language
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add removal notice to the website
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Read total cert counts with atomic.LoadUint32(...)
When generating the tidy status, we read the values of two backend
atomics, b.certCount and b.revokedCertCount, without using the atomic
load operation. This resulted in a data race when the status was read
at the same time as an on-going tidy operation:
WARNING: DATA RACE
Write at 0x00c00c77680c by goroutine 90522:
sync/atomic.AddInt32()
/usr/local/go/src/runtime/race_amd64.s:281 +0xb
sync/atomic.AddUint32()
<autogenerated>:1 +0x1a
github.com/hashicorp/vault/builtin/logical/pki.(*backend).tidyStatusIncRevokedCertCount()
/home/circleci/go/src/github.com/hashicorp/vault/builtin/logical/pki/path_tidy.go:1236 +0x107
github.com/hashicorp/vault/builtin/logical/pki.(*backend).doTidyRevocationStore()
/home/circleci/go/src/github.com/hashicorp/vault/builtin/logical/pki/path_tidy.go:525 +0x1404
github.com/hashicorp/vault/builtin/logical/pki.(*backend).startTidyOperation.func1.1()
/home/circleci/go/src/github.com/hashicorp/vault/builtin/logical/pki/path_tidy.go:290 +0x1a4
github.com/hashicorp/vault/builtin/logical/pki.(*backend).startTidyOperation.func1()
/home/circleci/go/src/github.com/hashicorp/vault/builtin/logical/pki/path_tidy.go:342 +0x278
Previous read at 0x00c00c77680c by goroutine 90528:
reflect.Value.Uint()
/usr/local/go/src/reflect/value.go:2584 +0x195
encoding/json.uintEncoder()
/usr/local/go/src/encoding/json/encode.go:562 +0x45
encoding/json.ptrEncoder.encode()
/usr/local/go/src/encoding/json/encode.go:944 +0x3c2
encoding/json.ptrEncoder.encode-fm()
<autogenerated>:1 +0x90
encoding/json.(*encodeState).reflectValue()
/usr/local/go/src/encoding/json/encode.go:359 +0x88
encoding/json.interfaceEncoder()
/usr/local/go/src/encoding/json/encode.go:715 +0x17b
encoding/json.mapEncoder.encode()
/usr/local/go/src/encoding/json/encode.go:813 +0x854
... more stack trace pointing into JSON encoding and http
handler...
In particular, because the tidy status was directly reading the uint
value without resorting to the atomic side, the JSON serialization could
race with a later atomic update.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Also use atomic load in tests
Because no tidy operation is running here, it should be safe to read the
pointed value directly, but use the safer atomic.Load for consistency.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* wip
* Transit byok cli
* It works!
* changelog
* document return codes
* Update command/transit_import_key.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* make fmt
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* The verify-sign command in it's cleanest existing form.
* Working state
* Updates to proper verification syntax
Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>
* make fmt
* Git CI caught some stuff.
* Base functionality.
* make fmt; changelog
* pki issue command.
* Make fmt. Changelog.
* Error Handling Is Almost A Tutorial
* What I thought empty issuers response fix would be.
* Some tests
* PR-review updates.
* make fmt.
* Fix null response data for listing empty issuers causing a crash.
* Update command/pki_list_children_command.go
Fix double specifier
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Add test for pki_list_children.
* Fix tests.
* Update descriptions for correctness based on PR reviews.
* make fmt.
* Updates based on PR feedback.
* Allow multiple arguements (space separated)
* Remove bad merge-thing.
* White-space hell fix change.
* Tests, and return information for issue ca
* Fix make fmt error introduced here: https://github.com/hashicorp/vault/pull/18876
* Update command/pki_issue_intermediate.go
Puncutation.
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove smart quotes for standard quotes.
* More information as part of the help text.
* Better help text.
* Add missing "/" into error message.
---------
Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Move cert auth backend setup into initialize
In further review with new understanding after #18244, loading
configuration and CRLs within the backend's initialize function is the
ideal approach: Factory construction is strictly serial, resulting in
backend initialization blocking until config and CRLs are loaded.
By using an InitializeFunc(...), we delay loading until after all
backends are constructed (either right on startup in 1.12+, else during
the initial PeriodicFunc(...) invocation on 1.11 and earlier).
We also invoke initialize automatically on test Factory construction.
Resolves: #17847
Co-authored-by: valli_0x <personallune@mail.ru>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: valli_0x <personallune@mail.ru>
* Base functionality.
* make fmt; changelog
* What I thought empty issuers response fix would be.
* Fix null response data for listing empty issuers causing a crash.
* Update command/pki_list_children_command.go
Fix double specifier
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Add test for pki_list_children.
* Fix tests.
* Update descriptions for correctness based on PR reviews.
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* WIP/initial routing-ish
* refactor date dropdown to reuse in modal and allowe current month selection
* swap linter disable line
* refactor date-dropdown to return object
* refactor calendar widget, add tests
* change calendar start and end args to getters
* refactor dashboard to use date objects instead of array of year, month
* remove dashboard files for easier to follow git diff
* comment out dashboard tab until route name updated
* delete current tab and route
* fix undefined banner time
* cleanup version history serializer and upgrade data
* first pass of updating tests
* add changelog
* update client count util test
* validate end time is after start time
* update comment
* add current month to calendar widget
* add comments for code changes to make following API update
* Removed a modified file from pull request
* address comments/cleanup
* update variables to const
* update test const
* rename history -> dashboard, fix tests
* fix timestamps for attribution chart
* update release note
* refactor using backend start and end time params
* add test for adapter formatting time params
* fix tests
* cleanup adapter comment and query params
* change back history file name for diff
* rename file using cli
* revert filenames
* rename files via git cli
* revert route file name
* last cli rename
* refactor mirage
* hold off on running total changes
* update params in test
* refactor to remove conditional assertions
* finish tests
* fix firefox tooltip
* remove current-when
* refactor version history
* add timezone/UTC note
* final cleanup!!!!
* fix test
* fix client count date tests
* fix date-dropdown test
* clear datedropdown completely
* update date selectors to accommodate new year (#18586)
* Revert "hold off on running total changes"
This reverts commit 8dc79a626d549df83bc47e290392a556c670f98f.
* remove assumed 0 values
* update average helper to only calculate for array of objects
* remove passing in bar chart data, map in running totals component instead
* cleanup usage stat component
* clear ss filters for new queries
* update csv export, add explanation to modal
* update test copy
* consistently return null if no upgrade during activity (instead of empty array)
* update description, add clarifying comments
* update tes
* add more clarifying comments
* fix historic single month chart
* remove old test tag
* Update ui/app/components/clients/dashboard.js
* The verify-sign command in it's cleanest existing form.
* Working state
* Updates to proper verification syntax
Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>
* make fmt
* Git CI caught some stuff.
* Some tests
* PR-review updates.
* make fmt.
Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>
* The fields.
* UserID set, add to certificate
* Changelog.
* Fix test (set default).
* Add UserID constant to certutil, revert extension changes
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add user_ids as field for leaf signing
Presumably, this isn't necessary for CAs, given that CAs probably don't
have a user ID corresponding to them.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Support setting multiple user_ids in Subject
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow any User ID with sign-verbatim
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for User IDs in PKI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add docs about user_ids, allowed_user_ids
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Parallel migration (#18815)
* flagParallel sanity check
* Attempt to use ErrGroups
* Updated docs
* Allow 'start' and 'max-parallel' together
* parallel flag renamed to max-parallel
* tests for start + parallel
* Removed permit pool
* Updated docs to make it clearer that a high setting might not be honored based on storage backend setting
* System dependent max int size
* Default max-parallel 1 => 10
* Test folder/paths updated
Co-authored-by: Tomasz Pawelczak <10206601+gites@users.noreply.github.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* wip
* wip
* Got it 'working', but not happy about cleanliness yet
* Switch to a dedicated defaultSeal with recovery keys
This is simpler than trying to hijack SealAccess as before. Instead, if the operator
has requested recovery unseal mode (via a flag in the seal stanza), we new up a shamir
seal with the recovery unseal key path instead of the auto seal. Then everything proceeds
as if you had a shamir seal to begin with.
* Handle recovery rekeying
* changelog
* Revert go.mod redirect
* revert multi-blob info
* Dumb nil unmarshal target
* More comments
* Update vault/seal.go
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Update changelog/18683.txt
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* pr feedback
* Fix recovery rekey, which needs to fetch root keys and restore them under the new recovery split
* Better comment on recovery seal during adjustSealMigration
* Make it possible to migrate from an auto-seal in recovery mode to shamir
* Fix sealMigrated to account for a recovery seal
* comments
* Update changelog/18683.txt
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Address PR feedback
* Refactor duplicated migration code into helpers, using UnsealRecoveryKey/RecoveryKey where appropriate
* Don't shortcut the reast of seal migration
* get rid of redundant transit server cleanup
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* named MFA method configurations
* fix a test
* CL
* fix an issue with same config name different ID and add a test
* feedback
* feedback on test
* consistent use of passcode for all MFA methods (#18611)
* make use of passcode factor consistent for all MFA types
* improved type for MFA factors
* add method name to login CLI
* minor refactoring
* only accept MFA method name with its namespace path in the login request MFA header
* fix a bug
* fixing an ErrorOrNil return value
* more informative error message
* Apply suggestions from code review
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* feedback
* test refactor a bit
* adding godoc for a test
* feedback
* remove sanitize method name
* guard a possbile nil ref
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* added audit-hash operations
* more audit paths
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added audit fields
* add changelog file
* dynamic fields should be nil
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* start to add test helper
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add tests for /sys/audit openapi paths
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <anton.averchenkov@hashicorp.com>
* Ember Engine for Kubernetes Secrets Engine (#17881)
* adds in-repo ember engine for kubernetes secrets engine
* updates kubernetes engine class name
* Kubernetes route plumbing (#17895)
* kubernetes route plumbing
* adds kubernetes role index route with redirect to details
* adds kubernetes as mountable and supported secrets engine (#17891)
* adds models, adapters and serializers for kubernetes secrets engine (#18010)
* adds mirage factories and handlers for kubernetes (#17943)
* Kubernetes Secrets Engine Configuration (#18093)
* moves RadioCard component to core addon
* adds kubernetes configuration view
* fixes tests using RadioCard after label for and input id changes
* adds confirm modal when editing kubernetes config
* addresses review comments
* Kubernetes Configuration View (#18147)
* removes configuration edit and index routes
* adds kubernetes configuration view
* Kubernetes Roles List (#18211)
* removes configuration edit and index routes
* adds kubernetes configuration view
* adds kubernetes secrets engine roles list view
* updates role details disabled state to explicitly check for false
* VAULT-9863 Kubernetes Overview Page (#18232)
* Add overview page view
* Add overview page tests
* Address feedback to update tests and minor changes
* Use template built in helper for conditionally showing num roles
* Set up roleOptions in constructor
* Set up models in tests and fix minor bug
* Kubernetes Secrets Engine Create/Edit Views (#18271)
* moves kv-object-editor to core addon
* moves json-editor to core addon
* adds kubernetes secrets engine create/edit views
* updates kubernetes/role adapter test
* addresses feedback
* fixes issue with overview route showing 404 page (#18303)
* Kubernetes Role Details View (#18294)
* moves format-duration helper to core addon
* adds kubernetes secrets engine role details view
* adds tests for role details page component
* adds capabilities checks for toolbar actions
* fixes list link for secrets in an ember engine (#18313)
* Manual Testing: Bug Fixes and Improvements (#18333)
* updates overview, configuration and roles components to pass args for individual model properties
* bug fixes and improvements
* adds top level index route to redirect to overview
* VAULT-9877 Kubernetes Credential Generate/View Pages (#18270)
* Add credentials route with create and view components
* Update mirage response for creds and add ajax post call for creds in adapter
* Move credentials create and view into one component
* Add test classes
* Remove files and update backend property name
* Code cleanup and add tests
* Put test helper in helper function
* Add one more test!
* Add code optimizations
* Fix model in route and add form
* Add onSubmit to form and preventDefault
* Fix tests
* Update mock data for test to be strong rather than record
* adds acceptance tests for kubernetes secrets engine roles (#18360)
* VAULT-11862 Kubernetes acceptance tests (#18431)
* VAULT-12185 overview acceptance tests
* VAULT-12298 credentials acceptance tests
* VAULT-12186 configuration acceptance tests
* VAULT-12127 Refactor breadcrumbs to use breadcrumb component (#18489)
* VAULT-12127 Refactor breadcrumbs to use Page::Breadcrumbs component
* Fix failing tests by adding breadcrumbs properties
* VAULT-12166 add jsdocs to kubernetes secrets engine pages (#18509)
* fixes incorrect merge conflict resolution
* updates kubernetes check env vars endpoint (#18588)
* hides kubernetes ca cert field if not defined in configuration view
* fixes loading substate handling issue (#18592)
* adds changelog entry
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* OpenAPI `generic_mount_paths` follow-up
An incremental improvement within larger context discussed in #18560.
* Following the revert in #18617, re-introduce the change from
`{mountPath}` to `{<path-of-mount>_mount_path}`; this is needed, as
otherwise paths from multiple plugins would clash - e.g. almost every
auth method would provide a conflicting definition for
`auth/{mountPath}/login`, and the last one written into the map would
win.
* Move the half of the functionality that was in `sdk/framework/` to
`vault/logical_system.go` with the rest; this is needed, as
`sdk/framework/` gets compiled in to externally built plugins, and
therefore there may be version skew between it and the Vault main
code. Implementing the `generic_mount_paths` feature entirely on one
side of this boundary frees us from problems caused by this.
* Update the special exception that recognizes `system` and `identity`
as singleton mounts to also include the other two singleton mounts,
`cubbyhole` and `auth/token`.
* Include a comment that documents to restricted circumstances in which
the `generic_mount_paths` option makes sense to use:
// Note that for this to actually be useful, you have to be using it with
// a Vault instance in which you have mounted one of each secrets engine
// and auth method of types you are interested in, at paths which identify
// their type, and for the KV secrets engine you will probably want to
// mount separate kv-v1 and kv-v2 mounts to include the documentation for
// each of those APIs.
* Fix tests
Also remove comment "// TODO update after kv repo update" which was
added 4 years ago in #5687 - the implied update has not happened.
* Add changelog
* Update 18663.txt
Removing the timeout logic from raw-response functions and adding documentation comments. The following functions are affected:
- `ReadRaw`
- `ReadRawWithContext` (newly added)
- `ReadRawWithData`
- `ReadRawWithDataWithContext`
The previous logic of using `ctx, _ = c.c.withConfiguredTimeout(ctx)` could cause a potential [context leak](https://pkg.go.dev/context):
> Failing to call the CancelFunc leaks the child and its children until the parent is canceled or the timer fires. The go vet tool checks that CancelFuncs are used on all control-flow paths.
Cancelling the context would have caused more issues since the context would be cancelled before the request body is closed.
Resolves: #18658
This PR modifies every test in `builtin/credentials/approle/path_role_test.go` with new validation checks to ensure that approle/path_role successful responses align with the declared response schema.
It also introduces a test helper in `sdk/helper/testhelpers`:
```go
func FindResponseSchema(t *testing.T, ...)
```
This test helper will be useful for all plugins that require similar response schema validation in tests.
### Background
This PR is part of the ongoing work to add structured responses in Vault OpenAPI (VLT-234)
This pull request adds 3 functions (and corresponding tests):
`testhelpers/response_validation.go`:
- `ValidateResponse`
- `ValidateResponseData`
field_data.go:
- `ValidateStrict` (has the "strict" validation logic)
The functions are primarily meant to be used in tests to ensure that the responses are consistent with the defined response schema. An example of how the functions can be used in tests can be found in #18636.
### Background
This PR is part of the ongoing work to add structured responses in Vault OpenAPI (VLT-234)
This PR relates to a feature request logged through HashiCorp commercial
support.
Vault lacks pagination in its APIs. As a result, certain list operations
can return **very** large responses. The user's chosen audit sinks may
experience difficulty consuming audit records that swell to tens of
megabytes of JSON.
In our case, one of the systems consuming audit log data could not cope,
and failed.
The responses of list operations are typically not very interesting, as
they are mostly lists of keys, or, even when they include a "key_info"
field, are not returning confidential information. They become even less
interesting once HMAC-ed by the audit system.
Some example Vault "list" operations that are prone to becoming very
large in an active Vault installation are:
auth/token/accessors/
identity/entity/id/
identity/entity-alias/id/
pki/certs/
In response, I've coded a new option that can be applied to audit
backends, `elide_list_responses`. When enabled, response data is elided
from audit logs, only when the operation type is "list".
For added safety, the elision only applies to the "keys" and "key_info"
fields within the response data - these are conventionally the only
fields present in a list response - see logical.ListResponse, and
logical.ListResponseWithInfo. However, other fields are technically
possible if a plugin author writes unusual code, and these will be
preserved in the audit log even with this option enabled.
The elision replaces the values of the "keys" and "key_info" fields with
an integer count of the number of entries. This allows even the elided
audit logs to still be useful for answering questions like "Was any data
returned?" or "How many records were listed?".
* add core state lockd eadlock detection config option v2
* add changelog
* split out NewTestCluster function to maintain build flag
* replace long func with constant
* remove line
* rename file, and move where detect deadlock flag is set
* Allow tidy to backup legacy CA bundles
With the new tidy_move_legacy_ca_bundle option, we'll use tidy to move
the legacy CA bundle from /config/ca_bundle to /config/ca_bundle.bak.
This does two things:
1. Removes ca_bundle from the hot-path of initialization after initial
migration has completed. Because this entry is seal wrapped, this
may result in performance improvements.
2. Allows recovery of this value in the event of some other failure
with migration.
Notably, this cannot occur during migration in the unlikely (and largely
unsupported) case that the operator immediately downgrades to Vault
<1.11.x. Thus, we reuse issuer_safety_buffer; while potentially long,
tidy can always be run manually with a shorter buffer (and only this
flag) to manually move the bundle if necessary.
In the event of needing to recover or undo this operation, it is
sufficient to use sys/raw to read the backed up value and subsequently
write it to its old path (/config/ca_bundle).
The new entry remains seal wrapped, but otherwise isn't used within the
code and so has better performance characteristics.
Performing a fat deletion (DELETE /root) will again remove the backup
like the old legacy bundle, preserving its wipe characteristics.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation about new tidy parameter
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for migration scenarios
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clean up time comparisons
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update command/agent.go
* Attempt to only reload log level and certs
* Mimicked 'server' test for cert reload in 'agent'
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Left out the `c.config` tweak that meant changes to lots of lines of code within the `Run` function of Agent command. :)
* Correctly distinguish empty issuer names
When using client.Logical().JSONMergePatch(...) with an empty issuer
name, patch incorrectly reports:
> issuer name contained invalid characters
In this case, both the error in getIssuerName(...) is incorrect and
patch should allow setting an empty issuer name explicitly.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* expand NodeStatusReporter with new fields
* only call IsRaftVoter if using raft storage
* add changelog entry
* fix listeners
* return LogLevel as enum
* update github.com/hashicorp/vault/vault/hcp_link/proto
* add changelog entry
* bump github.com/hashicorp/vault/vault/hcp_link/proto
* go mod tidy
* go get link proto @vault-11829-meta-get-cluster-status
* add HA status
* add HAEnabled method
* add raft config
* allocate HA nodes based on actual count
* add raft autopilot status
* add raft quorum warnings
* add ClusterID method
* add StorageType
* add ClusterID
* update github.com/hashicorp/vault/vault/hcp_link/proto
* add changelog entry
* fix raft config panic
* remove "Warning" quorum message prefix
* add error wrapping
* add Core.HAStateWithLock method
* reduce quorum warnings to single string
* fix HCP_API_HOST test env var check
* Revert "fix HCP_API_HOST test env var check"
This reverts commit 97c73c4798b77b84aea84f341f2c63c4d657914d.
Too many newlines are stripped, which is responsible for the `FEATURES:`
heading in the current in-progress 1.13.0 changelog entry being
erroneously appended to the end of the last bullet point of the previous
`CHANGES:` section.
