Commit Graph

16318 Commits

Author SHA1 Message Date
Nick Cabatoff 1b745aef58
Prevent autopilot from demoting voters when they join a 2nd time (#18263) 2022-12-07 14:17:45 -05:00
Nick Cabatoff 342b61984a
Move version out of SDK. (#14229)
Move version out of SDK.  For now it's a copy rather than move: the part not addressed by this change is sdk/helper/useragent.String, which we'll want to remove in favour of PluginString.  That will have to wait until we've removed uses of useragent.String from all builtins.
2022-12-07 13:29:51 -05:00
Roberto Pommella Alegro 5352c4b754
Docs: improve bound_audiences documentation for jwt role (#18265) 2022-12-07 12:50:09 -05:00
Peter Wilson f87b7f1737
Only attempt rotation if files already exist when a Write is requested. (#18262) 2022-12-07 15:47:43 +00:00
Peter Wilson 21a8bcaa7b
Updated go-hclog to v1.4.0 to allow access to GetLevel. Refactored TranslateLoggerLevel (#18260) 2022-12-07 14:25:54 +00:00
akshya96 1801f09c6a
Vault 8307 user lockout workflow oss (#17951)
* adding oss file changes

* check disabled and read values from config

* isUserLocked, getUserLockout Configurations, check user lock before login and return error

* remove stale entry from storage during read

* added failed login process workflow

* success workflow updated

* user lockouts external tests

* changing update to support delete

* provide access to alias look ahead function

* adding path alias lookahead

* adding tests

* added changelog

* added comments

* adding changes from ent branch

* adding lock to UpdateUserFailedLoginInfo

* fix return default bug
2022-12-06 17:22:46 -08:00
Peter Wilson 94a349c406
Ensure base logging uses IndependentLevels (#18249) 2022-12-06 22:10:44 +00:00
Chelsea Shaw 0a3aa7eaab
UI: PKI Role toolbar (#18229) 2022-12-06 20:34:43 +00:00
tjperry07 fe5c00deb9
Update CODEOWNERS (#18245)
Hi, I'm the new Vault Tech Writer! Adding myself for docs content. 👋🏾
2022-12-06 11:49:14 -08:00
mcollao-hc 4245c6e51f
Update security-scan.yml 2022-12-06 10:13:57 -06:00
mcollao-hc 009af4458d
Update security-scan.yml 2022-12-06 09:34:06 -06:00
Matt Schultz b2a7cf158f
Add ManagedMACKey interface to SDK. (#18231) 2022-12-05 17:26:16 -06:00
mcollao-hc cbc2ef31f8
Update security-scan.yml 2022-12-05 17:13:52 -06:00
mcollao-hc 571a61af01
Update security-scan.yml 2022-12-05 16:23:37 -06:00
mcollao-hc c660bbc03d
Update security-scan.yml 2022-12-05 16:00:36 -06:00
Anton Averchenkov 545ee098ab
Add openapi response definitions to approle/path_role.go (#18198)
This PR modifies the path schema of `approle/path_role.go`, switching the old `Callbacks` to the equivalent `Operations` objects with a list of response fields for the 200 responses. This will allow us to generate a response structures in openapi.json. This PR is split out from #18055 along with #18192.

### Example

For `GET "/auth/approle/role/{role_name}/bind-secret-id"` path, it will update the response as follows:

```diff
        "responses": {
          "200": {
            "description": "OK",
++            "content": {
++              "application/json": {
++                "schema": {
++                  "$ref": "#/components/schemas/ApproleRoleBindSecretIdResponse"
++                }
++             }
            }
          }
        }
```

And will add the actual response structure:

```diff
++      "ApproleRoleBindSecretIdResponse": {
++        "type": "object",
++        "properties": {
++          "bind_secret_id": {
++            "type": "boolean",
++            "description": "Impose secret_id to be presented when logging in using this role. Defaults to 'true'."
++          }
++        }
++      },
```
2022-12-05 16:55:13 -05:00
mcollao-hc a672ebb751
Delete codeql-analysis.yml 2022-12-05 14:28:07 -06:00
Anton Averchenkov a54678fb6b
Add logic to generate openapi response structures (#18192) 2022-12-05 11:11:06 -05:00
Violet Hynes 398cf38e1e
VAULT-11510 Vault Agent can start listeners without caching (#18137)
* VAULT-11510 Vault Agent can start listeners without caching

* VAULT-11510 fix order of imports

* VAULT-11510 changelog

* VAULT-11510 typo and better switch

* VAULT-11510 update name

* VAULT-11510 New api_proxy stanza to configure API proxy

* VAULT-11510 First pass at API Proxy docs

* VAULT-11510 nav data

* VAULT-11510 typo

* VAULT-11510 docs update
2022-12-05 10:51:03 -05:00
Alexander Scheel 2398634862
Respond with data to all writes in PKI engine (#18222)
* Respond with data to all writes in PKI engine

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-12-05 10:40:39 -05:00
Alexander Scheel f86fdf530f
Allow templating cluster-local AIA URIs (#18199)
* Allow templating of cluster-local AIA URIs

This adds a new configuration path, /config/cluster, which retains
cluster-local configuration. By extending /config/urls and its issuer
counterpart to include an enable_templating parameter, we can allow
operators to correctly identify the particular cluster a cert was
issued on, and tie its AIA information to this (cluster, issuer) pair
dynamically.

Notably, this does not solve all usage issues around AIA URIs: the CRL
and OCSP responder remain local, meaning that some merge capability is
required prior to passing it to other systems if they use CRL files and
must validate requests with certs from any arbitrary PR cluster.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation about templated AIAs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* AIA URIs -> AIA URLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* issuer.AIAURIs might be nil

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow non-nil response to config/urls

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Always validate URLs on config update

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure URLs lack templating parameters

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Review feedback

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-12-05 10:38:26 -05:00
tjperry07 2e9f0e921b
remove semi colon (#18220) 2022-12-02 16:02:28 -05:00
Mike Baum cdb6303c4d
[QT-318] Add workflow dispatch trigger for bootstrap workflow, update ssh key name (#18174)
* Added a workflow dispatch trigger for bootstrap workflow, updated ssh key name
* Ensure the bootstrap workflow is only run for PRs that change the bootstrapping code
2022-12-02 14:29:20 -05:00
Mike Palmiotto ea41e62e83
plugins: Mount missing plugin entries and skip loading (#18189)
* Skip plugin startup for missing plugins
* Skip secrets startup for missing plugins
* Add changelog for bugfix
* Make plugin handling on unseal version-aware
* Update plugin lazy-load logic/comments for readability
* Add register/mount/deregister/seal/unseal go test
* Consolidate lazy mount logic to prevent inconsistencies

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-12-02 13:16:31 -05:00
Christopher Swenson eba490ccef
Check if sys view is missing in GRPC sys view (#18210)
And return an error instead of panicking.

This situation can occur if a plugin attempts to access the system
view during setup when Vault is checking the plugin metadata.

Fixes #17878.
2022-12-02 10:12:05 -08:00
Alex Cahn 71b790bd0f
Add Nutanix to the interoperability matrix (#18218) 2022-12-02 12:57:40 -05:00
Chelsea Shaw bc2f0a3a81
UI: PKI Roles Edit (#18194) 2022-12-02 16:42:14 +00:00
Ellie 695fe367c9
Log environment variable keys at startup (#18125)
* Log environment variable keys at startup

* run make fmt

* change name

* add changelog

* fix changelog nubmer

* fix title

* add test

* fix message

* Update changelog/18125.txt

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* add trace test

* remove check for >= debug, trace

* Update changelog/18125.txt

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
2022-12-02 08:49:24 -06:00
claire bontempo 80d2caee9e
change release note (#18182) 2022-12-01 16:56:59 -08:00
Ellie 9dca708201
Fix vault cli namespace patch examples (#18143)
* fix vault cli namespace patch examples

* add changelog

* Update changelog/18143.txt

Co-authored-by: davidadeleon <56207066+davidadeleon@users.noreply.github.com>

Co-authored-by: davidadeleon <56207066+davidadeleon@users.noreply.github.com>
2022-12-01 14:42:40 -06:00
Luis (LT) Carbonell afdb571319
Skip Formatting For NIL Secret (#18163)
* Skip formatting for a nil secret data

* Same change for put

* Add changelog

* update changelog

* modify filtered output
2022-12-01 13:36:24 -06:00
mcollao-hc 495c503b11
Update security-scan.yml (#18180) 2022-12-01 13:05:21 -06:00
Steven Clark 9bf3b4c582
Do not use possibly nil HttpRequest object in default OCSP handler (#18190) 2022-12-01 13:23:41 -05:00
Tom Proctor f5543bd25b
Docs: Add known issue for 1.12 plugin list endpoint (#18191) 2022-12-01 18:06:07 +00:00
Chelsea Shaw 0ea02992b7
UI: TTL picker cleanup (#18114) 2022-12-01 09:33:30 -06:00
Steven Clark 826e87884e
Address a nil panic when writing an empty POST request to the ocsp handler (#18184)
* Address a nil panic when writing an empty POST request to the ocsp handler

 - Seems when no JSON body is sent with a POST request Vault will not
   populate the HTTPRequest member variable which caused the nil panic
   - vault write -force pki/ocsp
 - Add a check for it and the Body member variable to be nil before use.

* Add cl
2022-12-01 15:10:12 +00:00
Tom Proctor 05aeab2752
Fix plugin list API when audit logging enabled (#18173)
* Add test that fails due to audit log panic
* Rebuild VersionedPlugin as map of primitive types before adding to response
* Changelog
* Fix casting in external plugin tests
2022-12-01 10:44:44 +00:00
claire bontempo 5f79edc49c
ui: delete pki key functionality (#18146)
* add deletekey

* fix types

* move page components into folder

* finish tests

* make linting changes

* declare flashmessages ts service

* restructure pki test files

* add delete test

* add more folders
2022-12-01 01:24:40 +00:00
Josh Black e75633eddc
Don't panic on unknown raft ops (#17732)
* Don't panic on unknown raft ops

* avoid excessive logging

* track at the struct level, not the function level

* add changelog
2022-11-30 15:37:58 -08:00
Chris Capurso 5b731699a1
ENT supported storage updates (#17885)
* note that ENT supported storage check will log warning

* callout difference between 1.12.0 and 1.12.2

* add a bit more guidance

* startup -> start
2022-11-30 18:34:17 -05:00
Mike Palmiotto 117b09808d
docs: Add 1.12 upgrade note for pending removal builtins (#18176) 2022-11-30 23:07:00 +00:00
Calvin Leung Huang 72a79f70b5
changelog: add entries for 1.10.9, 1.11.6, 1.12.2 (#18144)
* changelog: add entries for 1.10.9, 1.11.6, 1.12.2

* update entries for 1.13.0

* update release dates
2022-11-30 14:18:04 -08:00
Christopher Swenson cbdbad0629
Add doc for AWS XKS Proxy with PKCS#11 Provider (#18149)
AWS announced [KMS External Key Store](https://aws.amazon.com/blogs/aws/announcing-aws-kms-external-key-store-xks/),
which we support using their reference [`xks-proxy`](https://github.com/aws-samples/aws-kms-xks-proxy)
software.
This adds a documentation page showing how to configure KMIP and the
PKCS#11 provider to to work with KMS and `xks-proxy`.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-11-30 13:49:27 -08:00
Peter Wilson 427816c0f4
Updated changelogs from 'feature' to 'improvement' (#18171) 2022-11-30 20:08:49 +00:00
Tom Proctor 48987ce052
Add stack trace to audit logging panic recovery (#18121) 2022-11-30 17:59:05 +00:00
Mike Baum b03da5157e
[QT-318] Add Vault CI bootstrap scenarios (#17907) 2022-11-30 12:44:02 -05:00
Nick Cabatoff 547cb27b8a
Simplify go version update (#17821)
* make ci-config now updates @executors based on go-version

* Update to latest ubuntu-2004 for machine executors.
2022-11-30 08:37:26 -05:00
Nick Cabatoff 12e1b609ac
Create global quotas of each type in every NewTestCluster. (#18038)
Create global quotas of each type in every NewTestCluster.  Also switch some key locks to use DeadlockMutex to make it easier to discover deadlocks in testing.

NewTestCluster also now starts the cluster, and the Start method becomes a no-op.  Unless SkipInit is provided, we also wait for a node to become active, eliminating the need for WaitForActiveNode.  This was needed because otherwise we can't safely make the quota api call.  We can't do it in Start because Start doesn't return an error, and I didn't want to begin storing the testing object T instead TestCluster just so we could call t.Fatal inside Start. 

The last change here was to address the problem of how to skip setting up quotas when creating a cluster with a nonstandard handler that might not even implement the quotas endpoint.  The challenge is that because we were taking a func pointer to generate the real handler func, we didn't have any way to compare that func pointer to the standard handler-generating func http.Handler without creating a circular dependency between packages vault and http.  The solution was to pass a method instead of an anonymous func pointer so that we can do reflection on it.
2022-11-29 14:38:33 -05:00
Alexander Scheel 347cdf811c
Disable nginx integration test in pki test suites (#18141)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-29 13:30:25 -05:00
Violet Hynes 78efcb7d6a
VAULT-11786 OSS changes for this change (#18140) 2022-11-29 13:22:15 -05:00