* Correctly handle minimums, default SignatureBits
When using KeyType = "any" on a role (whether explicitly or implicitly
via a sign-verbatim like operation), we need to update the value of
SignatureBits from its new value 0 to a per-key-type default value. This
will allow sign operations on these paths to function correctly, having
the correctly inferred default signature bit length.
Additionally, this allows the computed default value for key type to be
used for minimum size validation in the RSA/ECDSA paths. We additionally
enforce the 2048-minimum in this case as well.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix defaults and validation of "any" KeyType
When certutil is given the placeholder any keytype, it attempts to
validate and update the default zero value. However, in lacking a
default value for SignatureBits, it cannot update the value from the
zero value, thus causing validation to fail.
Add more awareness to the placeholder "any" value to certutil.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add role-based regression tests for key bits
This adds regression tests for Key Type, Key Bits, and Signature Bits
parameters on the role. We test several values, including the "any"
value to ensure it correctly restricts key sizes.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add sign-verbatim test for key type
This ensures that we test sign-verbatim against a variety of key types.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* only show value in edit form if has read capabilities
* revert messing with form
* delete secret data from secret
* add check for selected version
* remove added line
* add changelog
* Fix semgrep 0.86.5 parsing failures
- semgrep https://github.com/returntocorp/semgrep/pull/4671 seems to have
introduce this parsing failure within version 0.86.0 and higher
- Workaround parsing failure by breaking out the if error check.
* Pin semgrep version to 0.86.5
* Fix formatting issues
* Address incorrect table metric value for local mounts
- Reported within issue #14750 as a panic, it was identified that
we were using the wrong value for local mounts within the table metrics.
* Add changelog
This commit adds high-availability support to the CockroachDB backend. The
locking strategy implemented is heavily influenced from the very similar
Postgres backend.
The URL password redaction operation did not handle the case where the
database connection URL was provided as a percent-encoded string, and
its password component contained reserved characters. It attempted to
redact the password by replacing the unescaped password in the
percent-encoded URL. This resulted in the password being revealed when
reading the configuration from Vault.
* go-secure-stdlib/parseutil to v0.1.4
* add TypeCommaStringSlice for json.Number
* add changelog entry
* upgrade go-secure-stdlib/parseutil to v0.1.4 in sdk
* move json number TypeCommaStringSlice test
* go mod download for api; go mod tidy
👋 This PR adds a `.release/release-metadata.hcl` file to the repo. This contains static metadata that will be processed and sent as part of the payload in RelAPI POST requests, which will be sent when staging and production releases are triggered.
This can be merged now, but will not have any effect until after the RelAPI launch. This will need to be backported to all active release branches, as well. Similar additions are being added across all projects that publish to releases.hashicorp.com.