Commit graph

582 commits

Author SHA1 Message Date
Nick Cabatoff 34af6bab1e
Add a check for missing entity during local alias invalidation. (#14622) 2022-03-21 15:09:31 -04:00
claire bontempo fbce5986c1
UI/Wrong sentinel error message for auth methods (#14551)
* priortize adapter error over model error

* glimmerize message-error component

* message error tweaks

* fix glimmerize

* fix some tests

* change error handling for mount backend form

* throw API error for secret engine not mounting

* fix tests"

* fix tests

* cleanup error handling for secret engine mounts

* fix test selector

* add changelog

* STOP BEING FLAKY
2022-03-18 16:47:42 -07:00
Victor Rodriguez 717514c044
Use FieldData.GetOkError() to access required Transit parameters. (#14593)
Instead of using the field FieldData.Raw, use method GetOkError() which does
type conversion but still allows to check whether a value for the parameter was
provided. Note that GetOkError() converts nil values to default or zero values,
so, for example, a nil plaintext value will result in the empty string being
encrypted.
2022-03-18 16:10:38 -04:00
Jordan Reimer 75c8672970
OIDC Logout Bug (#14545)
* fixes issue with token auth selected after logging out from oidc or jwt methods

* adds changelog entry

* reverts backendType var name change in auth-form authenticate method
2022-03-18 09:40:17 -06:00
Jason O'Donnell 219df7087c
identity/token: fix duplicate keys in well-known (#14543)
* identity/token: fix duplicate kids in well-known

* Remove unused check

* changelog

* use map-based approach to dedup key IDs

* improve changelog description

* move jwks closer to usage; specify capacity

Co-authored-by: Austin Gebauer <agebauer@hashicorp.com>
2022-03-16 18:48:10 -07:00
claire bontempo a003d9875e
UI/d3 DOM cleanup hover issue (#14493)
* fix duplicate rendering of chart elements

* organize SVG char elements into groups, give data-test attrs

* update tests

* tweak mirage

* add fake client counting start date

* fix test

* add waitUntil

* adds changelog

* add second waituntil
2022-03-16 13:36:41 -05:00
Hridoy Roy 0dfabe7ade
Server Side Consistency Docs (#14392)
* partial docs

* remove unnecessary docs link

* move SSCT upgrade notes to 1.10 instead of 0.10

* Update website/content/docs/enterprise/consistency.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/enterprise/consistency.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/enterprise/consistency.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/enterprise/consistency.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/enterprise/consistency.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/enterprise/consistency.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* docs updates

* Update website/content/docs/configuration/replication.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/configuration/replication.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-03-16 10:20:12 -07:00
Chelsea Shaw ecd4c1e514
UI/fix kv data cache (#14489)
* KV fetches recent version on every page, no longer disallow new version without metadata access

* Don't flash no read permissions warning

* Send noMetadataVersion on destroy if version is undefined

* test coverage

* add changelog, fix tests

* Fix failing test
2022-03-16 11:00:08 -05:00
Chelsea Shaw a5a6d99d11
UI: Parse OpenAPI response correctly if schema includes $ref (#14508)
* Parse OpenAPI response correctly if schema includes

* Add changelog

* small cleanup
2022-03-16 09:24:07 -05:00
Pratyoy Mukhopadhyay d222981cec
Fixes from mount move testing (#14492)
* Add validation, fix docs

* add changelog

* fmt fix

* Update vault/logical_system.go

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update vault/logical_system.go

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update vault/logical_system_test.go

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update vault/logical_system_test.go

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2022-03-15 11:11:23 -07:00
swayne275 6ae9c76970
only check Contains if IP address (#14487)
* only check Contains if IP address

* fix typo

* add bug fix changelog
2022-03-15 09:55:50 -06:00
Jason O'Donnell dd4a3b339e
auth/ldap: add username_as_alias config flag (#14324) 2022-03-15 10:21:40 -04:00
Vinny Mannello 2290ca5e83
[VAULT-5003] Use net/http client in Sys().RaftSnapshotRestore (#14269)
Use net/http client when body could be too big for retryablehttp client
2022-03-14 10:13:33 -07:00
Anton Averchenkov c425078008
Change OpenAPI code generator to extract request objects (#14217) 2022-03-11 19:00:26 -05:00
claire bontempo ce0c872478
UI/Hide empty masked PKI row values (#14400)
* fix empty masked inputs displaying

* Revert "fix empty masked inputs displaying"

This reverts commit 8b297df7cf971bce32d73c07fea2b1b8112c2f4b.

* fix empty masked inputs displaying

* fix info banner conditional

* add test coverage

* adds changelog

* fixes tests

* change other canParse conditional
2022-03-11 13:55:01 -08:00
Guillaume 6178f4e060
Added Enigma Vault secret plugin. Designed to be simple but complete, a good starting point for plugin developers (#14389) 2022-03-11 08:33:48 -05:00
Chelsea Shaw c6318713ee
UI/add managed ns redirect prefix (#14422)
* The UI redirects to properly prefixed namespace if some other namespace is passed instead, with tests

* Fix ordering

* Add changelog
2022-03-10 08:26:33 -06:00
Austin Gebauer d016b67915
identity/oidc: prevent key rotation on performance secondary clusters (#14426) 2022-03-09 15:41:02 -08:00
Ricky Grassmuck dac2a02570
Set service type to notify in systemd unit. (#14385)
Updates the systemd service shipped with Linux packages to `Type=notify`
2022-03-09 08:13:45 -05:00
VAL 63a2ed296b
Output full secret path in certain kv commands (#14301)
* Full secret path in table output of get and put

* Add path output to KV patch and metadata get

* Add changelog

* Don't print secret path for kv-v1

* Make more readable

* Switch around logic to not swallow error

* Add test for secret path

* Fix metadata test

* Add unit test for padequalsigns

* Remove wonky kv get tests
2022-03-08 13:17:27 -08:00
Rémi Lapeyre e89bbd51d9
Add support for PROXY protocol v2 in TCP listener (#13540)
* Add support for PROXY protocol v2 in TCP listener

I did not find tests for this so I added one trying to cover different
configurations to make sure I did not break something. As far as I know,
the behavior should be exactly the same as before except for one thing
when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized
requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84
but it will now be logged.

Also fixes https://github.com/hashicorp/vault/issues/9462 by adding
support for `PROXY UNKNOWN` for PROXY protocol v1.

Closes https://github.com/hashicorp/vault/issues/3807

* Add changelog
2022-03-08 12:13:00 -05:00
Jordan Reimer 01738c8a0f
Logout with wrapped token (#14329)
* fixes issue passing wrapped_token query param to logout route

* adds changelog entry
2022-03-02 09:45:53 -07:00
Josh Black 214329636b
update MFA changelog (#14326)
* update MFA changelog

* Update changelog/14025.txt

Co-authored-by: Meggie <meggie@hashicorp.com>

Co-authored-by: Meggie <meggie@hashicorp.com>
2022-03-01 15:13:39 -08:00
Alexander Scheel 630c6bf915
Add warning when generate_lease=no_store=true when writing PKI role (#14292)
* Add warning when generate_lease=no_store=true

When no_store=true, the value of generate_lease is ignored completely
(and set to false). This means that when generate_lease=true is
specified by the caller of the API, it is silently swallowed. While
changing the behavior could break callers, setting a warning on the
response (changing from a 204->200 in the process) seems to make the
most sense.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-28 13:55:12 -05:00
Chelsea Shaw 67ba021e36
UI: add Database static role password rotation (#14268)
* Add UI feature allowing database role credential rotation

* Only show the 'rotate credentials' option for static roles

* rotate role path uses id for permissions

* Add rotate credentials button to show page on static role

* Mirage handlers for role for simple testing

* Add changelog

* lint rules

* fix lint

Co-authored-by: Bartek Marczak <bartek.marczak@gmail.com>
2022-02-25 12:16:54 -06:00
Tom Proctor 3668275903
Quit agent endpoint with config (#14223)
* Add agent/v1/quit endpoint
  * Closes https://github.com/hashicorp/vault/issues/11089
* Agent quit API behind config setting
* Normalise test config whitespace
* Document config option

Co-authored-by: Rémi Lapeyre <remi.lapeyre@lenstra.fr>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2022-02-25 10:29:05 +00:00
hghaf099 671cdbcadb
interactive CLI for mfa login (#14131)
* Login MFA

* ENT OSS segragation (#14088)

* Delete method id if not used in an MFA enforcement config (#14063)

* Delete an MFA methodID only if it is not used by an MFA enforcement config

* Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path

* adding use_passcode field to DUO config (#14059)

* add changelog

* preventing replay attack on MFA passcodes (#14056)

* preventing replay attack on MFA passcodes

* using %w instead of %s for error

* Improve CLI command for login mfa (#14106)

CLI prints a warning message indicating the login request needs to get validated

* adding the validity period of a passcode to error messages (#14115)

* interactive CLI for mfa login

* minor fixes

* bail if no input was inserted

* change label name

* interactive CLI when single methodID is returned from login request

* minor fix

* adding changelog

* addressing feedback

* a user with a terminal should be able to choose between interactive and non-interactive.  A user without a terminal should not be able to use the interactive mode.

Co-authored-by: Josh Black <raskchanky@gmail.com>
2022-02-24 15:16:15 -05:00
John-Michael Faircloth a0101257ed
update changelog to include db config connection return value change (#14256) 2022-02-24 14:03:11 -06:00
Dave Rawks 35ec91f1ca
Increase column width of vault_key on mysql (#14231)
* resolves The default schema used in the mysql backend is insufficient for KVv2 storage #14114
* increases column width of vault_key from 512 to 3072 in mysql physical backend
* updates changelog
2022-02-24 09:21:57 -05:00
Alexander Scheel 11c5068533
Add role parameter to restrict issuance of wildcard certificates (#14238)
* Add new AllowWildcardCertificate field to PKI role

This field allows the PKI role to control whether or not issuance of
wildcard certificates are allowed. We default (both on migration and
new role creation) to the less secure true value for backwards
compatibility with existing Vault versions.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor sanitizedName to reducedName

Per comment, this variable name was confusing during the reproduction
and subsequent fix of the earlier vulnerability and associated bug
report. Because the common name isn't necessarily _sanitized_ in any way
(and indeed must be considered in relation to other parts or the whole),
but portions of the entire name are removed, reducedName appears to make
the most sense.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Enforce AllowWildcardCertificates during issuance

This commit adds the bulk of correctly validating wildcard certificate
Common Names during issuance according to RFC 6125 Section 6.4.3
semantics. As part of this, support for RFC 2818-conforming wildcard
certificates (wherein there are almost no restrictions on issuance) has
been removed.

Note that this flag does take precedence over AllowAnyName, giving a
little more safety in wildcard issuance in this case.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update test cases to conform with RFC 6125

Test cases 19, 70+71, and 83+84 didn't conform with the RFC 6125, and so
should've been rejected under strict conformance. For 70+71 and 83+84,
we previously conditioned around the value of AllowSubdomains (allowing
issuance when true), but they likely should've been rejected either way.

Additionally, update the notes about globs matching wildcard
certificates to notate this is indeed the case.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Check AllowWildcardCertifciates in issuance tests

This allows for regression tests to cover the new
AllowWildcardCertificate conditional. We add additional test cases
ensuring that wildcard issuance is properly forbidden in all relevant
scenarios, while allowing the existing test cases to validate that
wildcard status doesn't affect non-wildcard certificates.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add Wildcard allowance during signing operations

When using sign-verbatim, sign-intermediate, or getting certificate
generation parameters, set AllowWildcardCertificates to mirror existing
policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-24 08:41:56 -05:00
Joe Andaverde 61313d86e0
Set header content type instead of overwriting all headers (#14222)
* Set header content type instead of overwriting all headers

* Add changelog file
2022-02-23 17:09:57 -05:00
Chris Capurso 45875c7e71
prevent int64 overflow for default_lease_ttl and max_lease_ttl (#14206)
* prevent int64 overflow for default_lease_ttl and max_lease_ttl

* add changelog entry

* wording change in changelog entry
2022-02-23 17:08:52 -05:00
Alexander Scheel 1877fc16d7
Fix broken interactions between glob_domains and wildcards (#14235)
* Allow issuance of wildcard via glob match

From Vault v1.8.0 onwards, we would incorrectly disallow issuance of a
wildcard certificate when allow_glob_domain was enabled with a
multi-part glob domain in allowed_domains (such as *.*.foo) when
attempting to issue a wildcard for a subdomain (such as *.bar.foo).

This fixes that by reverting an errant change in the case insensitivity
patch. Here, when validating against a very powerful glob construct, we
leave the wildcard prefix (*.) from the raw common_name element, to
allow multi-part globs to match wildcard entries.

It is important to note that "sanitizedName" is an incorrect variable
naming here. Wildcard parsing (per RFC 6125 which supercedes RFC 2818)
must be in the left-most segment of the domain, but we lack validation
to ensure no internal wildcards exist. Additionally per item 3 of
section 6.4.3 of RFC 6125, wildcards MAY be internal to a domain
segment, in which case sanitizedName again leaves the wildcard in place.

Resolves: #13530

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove duplicate email address check

As pointed out by Steven Clark (author of the removed conditional in
70012cd865b3dcdab376dba0c0e0abc88c48f508), this is duplicate from the
now-reintroduced comparison against name (versus the erroneous
sanitizedName at the time of his commit).

This is a reversion of the changes to builtin/logical/pki/cert_util.go,
but keeping the additional valuable test cases.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add multi-dimensional PKI role issuance tests

This commit introduces multi-dimensional testing of PKI secrets engine's
role-based certificate issuance with the intent of preventing future
regressions.

Here, dimensions of testing include:

 - AllowedDomains to decide which domains are approved for issuance,
 - AllowBareDomains to decide if raw entries of AllowedDomains are
   permitted,
 - AllowGlobDomains to decide if glob patterns in AllowedDomains are
   parsed,
 - AllowSubdomains to decide if subdomains of AllowedDomains are
   permitted,
 - AllowLocalhost to decide if localhost identifiers are permitted, and
 - CommonName of the certificate to request.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-02-23 16:44:09 -05:00
Chelsea Shaw 36430a34ac
UI: Fix incorrect validity modal on transit secrets engine (#14233)
* Fix incorrect validity modal on transit secrets engine

* Add changelog
2022-02-23 14:59:49 -06:00
Nick Cabatoff 6a452bc3e6
Update to Go 1.17.7 (#14232) 2022-02-23 15:08:08 -05:00
Austin Gebauer 4d94ba8e14
agent/azure: adds ability to use specific user-assigned managed identities for auto auth (#14214)
* agent/azure: adds ability to use specific user assigned managed identity for auto auth

* add changelog

* change wording in error and docs

* Update website/content/docs/agent/autoauth/methods/azure.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/agent/autoauth/methods/azure.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* docs formatting

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-02-23 11:43:36 -08:00
Chelsea Shaw 96f5f3cf50
UI/fix db role ttl display (#14224)
* Format duration for display if editType ttl

* Update ttl fields to default_ttl

* Fix db tests

* Add changelog
2022-02-23 10:00:20 -06:00
Nick Cabatoff 2551a3e8ce
Ensure that fewer goroutines survive after a test completes (#14197)
* Various changes to try to ensure that fewer goroutines survive after a test completes:
* add Core.ShutdownWait that doesn't return until shutdown is done
* create the usedCodes cache on seal and nil it out on pre-seal so that the finalizer kills the janitor goroutine
* stop seal health checks on seal rather than wait for them to discover the active context is done
* make sure all lease-loading goroutines are done before returning from restore
* make uniquePoliciesGc discover closed quitCh immediately instead of only when the ticker fires
* make sure all loading goroutines are done before returning from loadEntities, loadCachedEntitiesOfLocalAliases
2022-02-23 10:33:52 -05:00
Tero Saarni 8bca8984e6
Update github.com/prometheus/client_golang (#14190)
* Update github.com/prometheus/client_golang

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

* Added changelog entry.
2022-02-23 09:31:58 -05:00
Nick Cabatoff 5fe1c16201
Remove support for etcd v2 storage backend. (#14193) 2022-02-22 16:48:04 -05:00
Victor Rodriguez 448fe34391
Check that all required fields in Transit API are present. (#14074)
* Check that all required fields in Transit API are present.

* Check for missing plaintext/ciphertext in batched Transit operations.
2022-02-22 16:00:25 -05:00
Steven Clark c1e80aeff9
Add checks for other error types within the PKI plugin (#14195)
* Add checks for other error types within the PKI plugin

 - The PKI plugin assumes the code it is calling always returns an error
   of type errutil.UserError or errutil.InternalError. While I believe
   so far this is still true, it would be easy to add a code path that
   just returns a generic error and we would completely ignore it.
 - This was found within some managed key testing where I forgot to wrap
   an error within one of the expected types

* Add changelog
2022-02-22 14:39:21 -05:00
claire bontempo 7c11323d71
UI/Client counts changelog 1.10 (#14166)
* adds changelog for client counts work

* capitalizes feature

* delete old client count files

* remove import from core.scss
2022-02-22 12:08:11 -07:00
Austin Gebauer 462a924722
identity/oidc: Adds default provider, key, and allow_all assignment (#14119) 2022-02-22 08:33:19 -08:00
Ben Ash a156036934
upgrade vault-plugin-auth-kubernetes (#14144)
- ensure valid entity alias names created for projected volume tokens.
2022-02-22 11:25:44 -05:00
Jason O'Donnell d848531cce
secrets/openldap: fix panic from nil logger (#14171)
* secrets/openldap: fix panic from nil logger

* changelog
2022-02-18 19:40:30 -05:00
Alexander Scheel f0dc3a553f
Switch to secure signing algorithm for SSH secrets engine (#14006)
* Explicitly call out SSH algorithm_signer default

Related: #11608

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use rsa-sha2-256 as the default SSH CA hash algo

As mentioned in the OpenSSH 8.2 release notes, OpenSSH will no longer be
accepting ssh-rsa signatures by default as these use the insecure SHA-1
algorithm.

For roles in which an explicit signature type wasn't specified, we
should change the default from SHA-1 to SHA-256 for security and
compatibility with modern OpenSSH releases.

See also: https://www.openssh.com/txt/release-8.2

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update docs mentioning new algorithm change

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix missing parenthesis, clarify new default value

* Add to side bar

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-18 10:44:01 -05:00
Jason O'Donnell 6b8e5b1e1f
auth/azure: update to v0.9.3 (#14138)
* auth/azure: update to v0.9.3

* changelog

* Rollback go-testing-interface

* go mod tidy
2022-02-18 09:42:48 -05:00
Calvin Leung Huang c839fc78d8
auth/ldap: add resp warning if userfilter doesn't consider userattr (#14095)
* auth/ldap: add resp warning if userfilter doesn't consider userattr

* add changelog entry
2022-02-17 17:19:44 -08:00
Rémi Lapeyre 98b18ee08e
Add telemetry to Vault agent (#13675)
This patch adds a new /agent/v1/metrics that will return metrics on the
running Vault agent. Configuration is done using the same telemetry
stanza as the Vault server. For now default runtime metrics are
returned with a few additional ones specific to the agent:
  - `vault.agent.auth.failure` and `vault.agent.auth.success` to monitor
  the correct behavior of the auto auth mechanism
  - `vault.agent.proxy.success`, `vault.agent.proxy.client_error` and
  `vault.agent.proxy.error` to check the connection with the Vault server
  - `vault.agent.cache.hit` and `vault.agent.cache.miss` to monitor the
  cache

Closes https://github.com/hashicorp/vault/issues/8649

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-02-17 17:10:26 -08:00