Commit Graph

1721 Commits

Author SHA1 Message Date
Marc Boudreau 84238dee52
Introduce GitHub Actions CI Workflow (#19449)
* Migrate subset of CircleCI ci workflow to GitHub Actions

Runs test-go and test-go-remote-docker with a static splitting of test packages

* [skip actions] add comment to explain the purpose of test-generate-test-package-lists.sh and what to do if it fails

* change trigger to push

---------

Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2023-03-06 16:57:55 -05:00
Alexander Scheel 76269dfab9
Fix PKI Synopsis, add Transit help text and casing fixes (#19395)
* Fix synopsis for PKI subcommand

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add transit command for synopsis, help text

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix nits around spacing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-28 14:43:05 +00:00
Alexander Scheel 7182949029
Fix transit byok tool, add docs, tests (#19373)
* Fix Vault Transit BYOK helper argument parsing

This commit fixes the following issues with the importer:

 - More than two arguments were not supported, causing the CLI to error
   out and resulting in a failure to import RSA keys.
 - The @file notation support was not accepted for KEY, meaning
   unencrypted keys had to be manually specified on the CLI.
 - Parsing of additional argument data was done in a non-standard way.
 - Fix parsing of command line options and ensure only relevant
   options are included.

Additionally, some error messages and help text was clarified.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing documentation on Transit CLI to website

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for Transit BYOK vault subcommand

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Appease CI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-27 18:25:38 +00:00
Steven Clark 6747c546af
Address some small issues within pki health-check (#19295)
* Address some small issues within pki health-check

 - Notify user yaml output mode is not support with --list argument
 - Output pure JSON in json output mode with --list argument
 - If a checker returns a nil response, convert to an empty slice
 - Add handler for permission errors to too many certs checker
 - Add checks for permission issues within hardware_backed_root and root_issued_leaves

* Identify the role that contained the permission issue in role based checks

 - Augument the role health checks to identify the role(s) that we have
   insufficient permissions to read instead of an overall read failure
 - Treat the failure to list roles as a complete failure for the check
2023-02-24 13:00:09 -05:00
miagilepner 271e5b14d2
VAULT-12299 Use file.Stat when checking file permissions (#19311)
* use file.Stat for config files

* cleanup and add path

* include directory path

* revert changes to LoadConfigDir

* remove path, add additional test:

* add changelog
2023-02-23 18:05:00 +01:00
Peter Wilson 15302d9fe2
Restore 'server' and 'agent' base loggers to use their original names (#19304) 2023-02-23 14:56:21 +00:00
Steven Clark c40570c144
Handle permission issue on pki health-check tune checkers (#19276)
* Handle permission issue on pki health-check tune checkers

 - Prior to this fix, if the end-user's Vault token did not have permission to the
   mount's tune api, we would return as if the tunable params had not been set.
 - Now check to see if we encountered a permission issue and report that back to
   the end-user like the other checks do.
2023-02-22 09:01:29 -05:00
Steven Clark 95bdeafb3e
Fix role endpoint in pki health-check warnings (#19274)
* Fix role endpoint in pki health-check warnings

 - The various warning messages point to {{mount}}/role/<rolename>
   which is not a valid PKI path, it should be {{mount}}/roles/<rolename>

* Add cl
2023-02-21 14:48:50 -05:00
Steven Clark 8df0e9714c
Output default config output from pki health-check --list as json (#19269)
* Output default config output from health-check --list as json

 - Change the output of the default configuration as JSON so
   it's useable as an input to the health-check command

* Add cl
2023-02-21 12:41:04 -05:00
Leland Ursu 1b3083c98c
address various issues with the output-policy flag (#19160)
* update error message and properly handle list requests

* since we do agressive sanitizes we need to optionally check trailing slash

* added changelog record

* remove redundant path formating

* Update changelog/13106.txt

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* addressed comments from review

* also remove code that duplicates efforts in kv_list

* abstracted helper func for testing

* added test cases for the policy builder

* updated the changelog to the correct one

* removed calls that apear not to do anything given test case results

* fixed spacing issue in output string

* remove const representation of list url param

* addressed comments for pr

---------

Co-authored-by: lursu <leland.ursu@hashicorp.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-02-21 10:12:45 -05:00
Steven Clark b6f3ba7d4f
pki health-check fails to read in int config values (#19265)
* pki health-check fails to read in int config values

 - Go's default behavior when decoding numbers to an interface{} is to use a float64 type which parseutil.SafeParseIntRange does not handle.
 - Switch to having the JSON decoder use json.Number which our parseutil library
  properly handles.

* Add cl
2023-02-21 08:52:19 -05:00
Alexander Scheel 8e1e95b2e2
Allow listing health checks without mount path (#19199)
* Allow listing health checks without mount path

This allows the bare:

    $ vault pki health-check -list

without a corresponding mount path to complete. Otherwise, users would
be greeted with a prompt for the mount, which is less than ideal.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix usage, use <mount> over pki

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-15 19:08:19 +00:00
Steven Clark 9338c22c53
Trap errors related to vault pki list-intermediate issuer reading (#19165)
* Rename files to match test suite and existing pattern

* Factor out issuer loading into a dedicated function

 - Add a little more checks/validation when loading the a PKI issuer
 - Factor out the issuer loading into a dedicated function
 - Leverage existing health check code to parse issuer certificates

* Read parent issuer once instead of reloading it for every child

 - Read in our parent issuer once instead of running it for every child
   we want to compare against
 - Provides clearer error message that we have failed reading from which
   path to the end user

* PR Feedback

 - Rename a variable for clarity
 - Use readIssuer in the validation of the parent issuer within
   pkiIssuer
 - Add some missing return 1 statements in error handlers that had been
   missed
2023-02-14 08:51:44 -05:00
Kit Haines 674d56d9c7
Vault 11799 Vault CLI Re-Issue (Templating based on existing certificate) (#18499)
* The verify-sign command in it's cleanest existing form.

* Working state

* Updates to proper verification syntax

Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>

* make fmt

* Base functionality.

* make fmt; changelog

* pki issue command.

* Make fmt. Changelog.

* Error Handling Is Almost A Tutorial

* Issue and ReIssue are Almost the Same Command

* Make Fmt + Changelog.

* Make some of the tests go.

* make fmt

* Merge fix (take 2)

* Fix existing support, add support for use_pss, max_path_length, not_after, permitted_dns_domains and skid

* Good Test which Fails

* Test-correction.

* Fix update to key_type key_bits; allow "," in OU or similar

* More specific includeCNinSANs

* Add tests around trying to use_pss on an ec key.

* GoDoc Test Paragraph thing.

---------

Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>
2023-02-10 20:27:36 +00:00
Christopher Swenson 7d3d404ee2
events: Add websockets and command (#19057)
Also updates the event receieved to include a timestamp.
Websockets support both JSON and protobuf binary formats.

This can be used by either `wscat` or the new
`vault events subscribe`:

e.g.,
```sh
$ wscat -H "X-Vault-Token: $(vault print token)" --connect ws://127.0.0.1:8200/v1/sys/events/subscribe/abc?json=true
{"event":{"id":"5c5c8c83-bf43-7da5-fe88-fc3cac814b2e", "note":"testing"}, "eventType":"abc", "timestamp":"2023-02-07T18:40:50.598408Z"}
...
```

and

```sh
$ vault events subscribe abc
{"event":{"id":"5c5c8c83-bf43-7da5-fe88-fc3cac814b2e", "note":"testing"}, "eventType":"abc", "timestamp":"2023-02-07T18:40:50.598408Z"}
...
```

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-02-09 13:18:58 -08:00
mickael-hc 67f7c470ec
update diagnose command to no longer use docker (#19102)
docker dependency should no longer be included in the binary
2023-02-09 11:59:46 -05:00
Steven Clark 5329b92793
Stop using title capitalization for PKI help (#19104)
- Match the existing vault kv capitalization scheme for Synopsis help of each sub-command.
 - A few small tweaks as well to the messages text in a few cases
2023-02-09 16:40:26 +00:00
miagilepner e873932bce
VAULT-8436 remove <-time.After statements in for loops (#18818)
* replace time.After with ticker in loops

* add semgrep rule

* update to use timers

* remove stop
2023-02-06 17:49:01 +01:00
Nick Cabatoff 53afd2627b
Make API not depend on SDK (#18962) 2023-02-06 09:41:56 -05:00
Scott Miller 20551261bd
Revert #18683 (#18942)
* Revert "Don't execute the seal recovery tests on ENT. (#18841)"

This reverts commit 990d3bacc203c229d0f6729929d7562e678a1ac2.

* Revert "Add the ability to unseal using recovery keys via an explicit seal option. (#18683)"

This reverts commit 2ffe49aab0fc1a527c5182637c8fa3ac39b08d45.
2023-02-01 13:34:53 -06:00
Violet Hynes 0bb5cdbe75
VAULT-13056 fix leasecache usage, add test coverage (#18922)
* VAULT-13056 fix leasecache usage, add test coverage

* VAULT-13056 remove deprecated ioutil functions

* VAULT-13056 some test clean-up

* VAULT-13056 re-add environment variable thing

* VAULT-13056 add comment for clarity
2023-02-01 11:40:20 -05:00
Nick Cabatoff c2b222a11a
Vault test cluster helper refactorings, mostly audit related (#18928)
* Move some test helper stuff from the vault package to a new helper/testhelpers/corehelpers package.  Consolidate on a single "noop audit" implementation.
2023-02-01 08:33:16 -05:00
Alexander Scheel 9352e30d50
Fix command.RunCustom(...) correctly (#18904)
* Revert "Remove t.Parallel() due to initialization race (#18751)"

This reverts commit ebcd65310221aff1dfcb94a571d70e38944006df.

We're going to fix this properly, running initCommands exactly once.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prevent parallel testing racing in initCommands(...)

When running initCommands(...) from multiple tests, they can potentially
race, causing a panic. Test callers needing to set formatting
information must use RunCustom(...) instead of directly invoking the
test backend directly. When using t.Parallel(...) in these top-level
tests, we thus could race.

This removes the Commands global variable, making it a local variable
instead as nothing else appears to use it. We'll update Enterprise to
add in the Enterprise-specific commands to the existing list.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-31 08:18:21 -05:00
Scott Miller 9d47c4b779
Transit Import Key CLI functionality (#18887)
* wip

* Transit byok cli

* It works!

* changelog

* document return codes

* Update command/transit_import_key.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* make fmt

---------

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-01-30 12:46:57 -06:00
miagilepner 5d7a8aac2b
VAULT-12833 Update prompts for the rekey command (#18892)
* update prompts for rekey command

* cleanup additional places with unseal/recovery keys
2023-01-30 16:51:01 +00:00
Kit Haines b9bbc82078
Switch ed25519 keytype to ec keytype to make the fips build happy. (#18889) 2023-01-30 09:08:25 -05:00
Kit Haines 5ece71109a
Vault 11798 vault cli issue intermediate (#18467)
* The verify-sign command in it's cleanest existing form.

* Working state

* Updates to proper verification syntax

Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>

* make fmt

* Git CI caught some stuff.

* Base functionality.

* make fmt; changelog

* pki issue command.

* Make fmt. Changelog.

* Error Handling Is Almost A Tutorial

* What I thought empty issuers response fix would be.

* Some tests

* PR-review updates.

* make fmt.

* Fix null response data for listing empty issuers causing a crash.

* Update command/pki_list_children_command.go

Fix double specifier

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Add test for pki_list_children.

* Fix tests.

* Update descriptions for correctness based on PR reviews.

* make fmt.

* Updates based on PR feedback.

* Allow multiple arguements (space separated)

* Remove bad merge-thing.

* White-space hell fix change.

* Tests, and return information for issue ca

* Fix make fmt error introduced here: https://github.com/hashicorp/vault/pull/18876

* Update command/pki_issue_intermediate.go

Puncutation.

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove smart quotes for standard quotes.

* More information as part of the help text.

* Better help text.

* Add missing "/" into error message.

---------

Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-01-27 16:41:16 -05:00
Alexander Scheel e02e5ecd33
Small cleanup pki commands (#18877)
* Reflow pki list-intermediates help text, add args

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Reflow pki verify-sign help text, add args

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Simplify boolean checks across PKI commands

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clean up pki list-intermediate arg text

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rename list_children->list_intermediate to align with command

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-27 16:37:42 +00:00
Kit Haines 1cef81f025
Vault 11796 vault cli list intermediates (#18463)
* Base functionality.

* make fmt; changelog

* What I thought empty issuers response fix would be.

* Fix null response data for listing empty issuers causing a crash.

* Update command/pki_list_children_command.go

Fix double specifier

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Add test for pki_list_children.

* Fix tests.

* Update descriptions for correctness based on PR reviews.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-01-27 10:34:31 -05:00
Alexander Scheel fe289a8659
Shadow globally defined var to avoid race (#18856)
* Shadow globally defined var to avoid race

output is defined in format_test.go as a global variable, which the
login_test.go tests were unknowingly using. Since these tests execute in
parallel, under the correct circumstances, they'd race to write/read
from the same variable in separate tests.

Shadow to avoid the race.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove global output variable from tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-26 16:47:42 +00:00
Kit Haines 7ddac6e437
Vault 11795 vault cli verify s ign (#18437)
* The verify-sign command in it's cleanest existing form.

* Working state

* Updates to proper verification syntax

Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>

* make fmt

* Git CI caught some stuff.

* Some tests

* PR-review updates.

* make fmt.

Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>
2023-01-26 10:21:13 -05:00
Peter Wilson 292207b7d1
Parallel migration (#18815) (#18817)
* Parallel migration (#18815)
* flagParallel sanity check
* Attempt to use ErrGroups
* Updated docs
* Allow 'start' and 'max-parallel' together
* parallel flag renamed to max-parallel
* tests for start + parallel
* Removed permit pool
* Updated docs to make it clearer that a high setting might not be honored based on storage backend setting
* System dependent max int size
* Default max-parallel 1 => 10
* Test folder/paths updated

Co-authored-by: Tomasz Pawelczak <10206601+gites@users.noreply.github.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2023-01-25 15:19:45 +00:00
Violet Hynes 6ec669bb07
VAULT-12564 Add new token_file auto-auth method (#18740)
* VAULT-12564 Work so far on token file auto-auth

* VAULT-12564 remove lifetime watcher struct modifications

* VAULT-12564 add other config items, and clean up

* VAULT-12564 clean-up and more tests

* VAULT-12564 clean-up

* VAULT-12564 lookup-self and some clean-up

* VAULT-12564 safer client usage

* VAULT-12564 some clean-up

* VAULT-12564 changelog

* VAULT-12564 some clean-ups

* VAULT-12564 batch token warning

* VAULT-12564 remove follow_symlink reference

* VAULT-12564 Remove redundant stat, change temp file creation

* VAULT-12564 Remove ability to delete token after auth
2023-01-24 16:09:32 -05:00
Scott Miller 25960fd034
Add the ability to unseal using recovery keys via an explicit seal option. (#18683)
* wip

* wip

* Got it 'working', but not happy about cleanliness yet

* Switch to a dedicated defaultSeal with recovery keys

This is simpler than trying to hijack SealAccess as before.  Instead, if the operator
has requested recovery unseal mode (via a flag in the seal stanza), we new up a shamir
seal with the recovery unseal key path instead of the auto seal.  Then everything proceeds
as if you had a shamir seal to begin with.

* Handle recovery rekeying

* changelog

* Revert go.mod redirect

* revert multi-blob info

* Dumb nil unmarshal target

* More comments

* Update vault/seal.go

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* Update changelog/18683.txt

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* pr feedback

* Fix recovery rekey, which needs to fetch root keys and restore them under the new recovery split

* Better comment on recovery seal during adjustSealMigration

* Make it possible to migrate from an auto-seal in recovery mode to shamir

* Fix sealMigrated to account for a recovery seal

* comments

* Update changelog/18683.txt

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* Address PR feedback

* Refactor duplicated migration code into helpers, using UnsealRecoveryKey/RecoveryKey where appropriate

* Don't shortcut the reast of seal migration

* get rid of redundant transit server cleanup

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2023-01-24 14:57:56 -06:00
Hamid Ghaf 65a41d4f08
named Login MFA methods (#18610)
* named MFA method configurations

* fix a test

* CL

* fix an issue with same config name different ID and add a test

* feedback

* feedback on test

* consistent use of passcode for all MFA methods (#18611)

* make use of passcode factor consistent for all MFA types

* improved type for MFA factors

* add method name to login CLI

* minor refactoring

* only accept MFA method name with its namespace path in the login request MFA header

* fix a bug

* fixing an ErrorOrNil return value

* more informative error message

* Apply suggestions from code review

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* feedback

* test refactor a bit

* adding godoc for a test

* feedback

* remove sanitize method name

* guard a possbile nil ref

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2023-01-23 15:51:22 -05:00
Alexander Scheel 9f03ea75a3
Remove t.Parallel() due to initialization race (#18751)
Using RunCommand(...) to set format to JSON for PKI HC tests results in
multiple initCommands(...) being called, overwriting the same global
variable. Nobody else calls the test suite in this way, so remove
t.Parallel() as the CLI isn't really meant to be called in parallel and
there might be other issues.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-18 10:40:35 -05:00
Anton Averchenkov a4973bc45a
Remove timeout logic from ReadRaw functions and add ReadRawWithContext (#18708)
Removing the timeout logic from raw-response functions and adding documentation comments. The following functions are affected:

- `ReadRaw`
- `ReadRawWithContext` (newly added)
- `ReadRawWithData`
- `ReadRawWithDataWithContext`

The previous logic of using `ctx, _ = c.c.withConfiguredTimeout(ctx)` could cause a potential [context leak](https://pkg.go.dev/context):

> Failing to call the CancelFunc leaks the child and its children until the parent is canceled or the timer fires. The go vet tool checks that CancelFuncs are used on all control-flow paths.

Cancelling the context would have caused more issues since the context would be cancelled before the request body is closed.

Resolves: #18658
2023-01-17 15:41:59 -05:00
Tom Proctor d5c35f39c3
Add experiment system + events experiment (#18682) 2023-01-16 16:07:18 +00:00
Violet Hynes e8aa9c6429
VAULT-12542 Add info encouraging users to upgrade if agent version is different to server (#18684)
* VAULT-12542 Add info encouraging users to upgrade if agent version is different to server

* VAULT-12542 Changelog

* VAULT-12542 Language update
2023-01-13 09:49:36 -05:00
Peter Wilson 5f5cad736a
VAULT-12264: Fix log rotation params which require an integer (#18666)
* integer values for some log flags
* Adjusted `log_flags` to expect `int` for max files and max bytes
* Updated `server` and `agent`
 Renamed updateConfig (and updateLogConfig)
* Added int log params to test
* Adjust config/params so we can identify when they're not present
* Removed pointer confusion
2023-01-11 20:04:57 +00:00
Ellie 6f7757e949
add core state lock deadlock detection config option v2 (#18604)
* add core state lockd eadlock detection config option v2

* add changelog

* split out NewTestCluster function to maintain build flag

* replace long func with constant

* remove line

* rename file, and move where detect deadlock flag is set
2023-01-11 13:32:05 -06:00
Alexander Scheel a2c2f56923
Add pki health-check docs (#18517)
* Add documentation on vault pki health-check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refer users to online docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-11 11:46:30 -05:00
Peter Wilson e4685c10ef
VAULT-9883: Agent Reloadable Config (#18638)
* Update command/agent.go
* Attempt to only reload log level and certs
* Mimicked 'server' test for cert reload in 'agent'

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Left out the `c.config` tweak that meant changes to lots of lines of code within the `Run` function of Agent command. :)
2023-01-10 17:45:34 +00:00
Mike Palmiotto 43a78c85f4
Mark deprecated builtins Removed (#18039)
* Remove logical database builtins

* Drop removed builtins from registry keys

* Update plugin prediction test

* Remove app-id builtin

* Add changelog
2023-01-09 09:16:35 -05:00
Violet Hynes 0b15ad18a2
VAULT-12095 Support multiple config files for Vault Agent (#18403)
* VAULT-12095 Code changes for multi-config

* VAULT-12095 typo

* VAULT-12095 make vault non-nil during update

* VAULT-12095 docs

* VAULT-12095 small refactor

* VAULT-12095 typos
2023-01-03 12:50:19 -05:00
Alexander Scheel efd2799390
Add PKI base command (#18512)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-12-21 10:01:57 -05:00
divyaac f8ad8bc5a5
OSS PR for Config Changes PR (#18418)
* OSS PR for Config Changes PR

* Edited tests

* typo

* Added changelog

* Remove changelog
2022-12-15 12:19:19 -08:00
Mike Palmiotto cb3406b1eb
plugins: Handle mount/enable for shadowed builtins (#17879)
* Allow mounting external plugins with same name/type as deprecated builtins
* Add some go tests for deprecation status handling
* Move timestamp storage to post-unseal
* Add upgrade-aware deprecation shutdown and tests
2022-12-14 13:06:33 -05:00
Mike Palmiotto 4b8747ab51
command/audit: Recommend multiple audit devices (#18348)
* command/audit: Add note about enabling multiple audit devices

* docs: Recommend multiple audit devices
2022-12-13 17:51:03 -05:00
Chris Capurso a545b1f22d
Add HCP connectivity info to `vault server` startup logs (#18315)
* add HCP org, proj, and resource ID to server startup logs

* add server config test for cloud stanza

* add changelog entry
2022-12-12 14:01:02 -05:00
Sanad Haj Yahya 3b2e74477e
Server: add and support unix listener (UDS) (#18227)
Co-authored-by: shaj13 <hajsanad@gamil.com>
2022-12-09 12:28:18 -08:00
Chris Capurso 4dc5155c5f
Link OSS (#18228)
* add Link config, init, and capabilities

* add node status proto

* bump protoc version to 3.21.9

* make proto

* adding link tests

* remove wrapped link

* add changelog entry

* update changelog entry
2022-12-08 15:02:18 -05:00
Nick Cabatoff 342b61984a
Move version out of SDK. (#14229)
Move version out of SDK.  For now it's a copy rather than move: the part not addressed by this change is sdk/helper/useragent.String, which we'll want to remove in favour of PluginString.  That will have to wait until we've removed uses of useragent.String from all builtins.
2022-12-07 13:29:51 -05:00
Violet Hynes 398cf38e1e
VAULT-11510 Vault Agent can start listeners without caching (#18137)
* VAULT-11510 Vault Agent can start listeners without caching

* VAULT-11510 fix order of imports

* VAULT-11510 changelog

* VAULT-11510 typo and better switch

* VAULT-11510 update name

* VAULT-11510 New api_proxy stanza to configure API proxy

* VAULT-11510 First pass at API Proxy docs

* VAULT-11510 nav data

* VAULT-11510 typo

* VAULT-11510 docs update
2022-12-05 10:51:03 -05:00
Alexander Scheel 2398634862
Respond with data to all writes in PKI engine (#18222)
* Respond with data to all writes in PKI engine

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-12-05 10:40:39 -05:00
Ellie 695fe367c9
Log environment variable keys at startup (#18125)
* Log environment variable keys at startup

* run make fmt

* change name

* add changelog

* fix changelog nubmer

* fix title

* add test

* fix message

* Update changelog/18125.txt

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* add trace test

* remove check for >= debug, trace

* Update changelog/18125.txt

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
2022-12-02 08:49:24 -06:00
Ellie 9dca708201
Fix vault cli namespace patch examples (#18143)
* fix vault cli namespace patch examples

* add changelog

* Update changelog/18143.txt

Co-authored-by: davidadeleon <56207066+davidadeleon@users.noreply.github.com>

Co-authored-by: davidadeleon <56207066+davidadeleon@users.noreply.github.com>
2022-12-01 14:42:40 -06:00
Luis (LT) Carbonell afdb571319
Skip Formatting For NIL Secret (#18163)
* Skip formatting for a nil secret data

* Same change for put

* Add changelog

* update changelog

* modify filtered output
2022-12-01 13:36:24 -06:00
Nick Cabatoff 12e1b609ac
Create global quotas of each type in every NewTestCluster. (#18038)
Create global quotas of each type in every NewTestCluster.  Also switch some key locks to use DeadlockMutex to make it easier to discover deadlocks in testing.

NewTestCluster also now starts the cluster, and the Start method becomes a no-op.  Unless SkipInit is provided, we also wait for a node to become active, eliminating the need for WaitForActiveNode.  This was needed because otherwise we can't safely make the quota api call.  We can't do it in Start because Start doesn't return an error, and I didn't want to begin storing the testing object T instead TestCluster just so we could call t.Fatal inside Start. 

The last change here was to address the problem of how to skip setting up quotas when creating a cluster with a nonstandard handler that might not even implement the quotas endpoint.  The challenge is that because we were taking a func pointer to generate the real handler func, we didn't have any way to compare that func pointer to the standard handler-generating func http.Handler without creating a circular dependency between packages vault and http.  The solution was to pass a method instead of an anonymous func pointer so that we can do reflection on it.
2022-11-29 14:38:33 -05:00
Peter Wilson 33e6a3a87c
VAULT-9900: Log rotation for 'agent' and 'server' commands (#18031)
* Work to unify log-file for agent/server and add rotation
* Updates to rotation code, tried to centralise the log config setup
* logging + tests
* Move LogFile to ShareConfig in test
* Docs
2022-11-29 14:07:04 +00:00
Violet Hynes 3d7f9a402f
VAULT-6368 Metrics-only listener for Agent (#18101)
* VAULT-6368 Metrics-only listener for Agent

* VAULT-6368 changelog

* VAULT-6368 Update config to use string instead of bool

* VAULT-6368 Fix leftover code

* VAULT-6368 Fix changelog

* VAULT-6368 fix typo

* VAULT-6368 recommended doc update

* VAULT-6368 use != over !(==)
2022-11-25 16:00:56 -05:00
Alexander Scheel 5ee7cc5e6d
Various health check improvements + tests (#18096)
* Rename common.go->healthcheck.go

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Push handling of no resources to the health checks

This allows us to better run on empty mounts.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Exit when no issuers are found

This makes health checks less useful.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add additional test criteria, refactor tests

This will allow us to setup more tests.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add more OK statuses when checks are good

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test cases for all bad results

The test for too-many-certs was elided for now due to being too hard to
setup in CI.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for missing mount

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add expected failure test on empty mount

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for only having an issuer in the mount

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* More consistently perform permission checks

Also return them to the caller when they're relevant.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test without token

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Run health check tests in parallel

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update command/healthcheck/healthcheck.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Update command/healthcheck/healthcheck.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-11-23 14:42:19 +00:00
Alexander Scheel e938f2080d
Add mount tuning health checks (#17902)
* Add shared helpers across health checks

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add audit_visibility health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add allow_if_modified_since health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add mount-related health checks to CLI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-22 15:44:34 +00:00
Hamid Ghaf 22f51dc6d6
improve kv CLI to remove data or custom metadata using kv patch (#18067)
* improve kv CLI to remove data or custom metadata using kv patch

* CL

* adding a comment
2022-11-21 17:11:36 -05:00
Alexander Scheel 1ba5e5fa28
Rename PKI health check helpers (#18017)
* Rename fetch helpers

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Soften language around managed key roots

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-18 13:42:48 -05:00
Alexander Scheel 8461f096e2
Add auto-tidy, last-tidy, and leaf cert health checks (#17901)
* Add enable_auto_tidy health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tidy_last_run health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add too_many_certs health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tidy, CRL, cert count checks to CLI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Cache stored leaf cert count

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly parse last run

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-18 11:04:58 -05:00
Alexander Scheel 0217f7de65
Add role-based health checks to PKI Health Check (#17877)
* Add more PKI related common utilities

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add role_allows_localhost health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add role_allows_glob_wildcards health checks

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add role_no_store_false health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new checks to the CLI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to new guard style

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Provision role for test

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix invalid version check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix message with auto-rebuild enabled

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-17 15:31:58 -05:00
Michael Anthony 0624d8f36e
[QT-309] Ensure environment variables are populated before proceeding (#17915)
* Ensure environment variables are populated before proceeding

* DRY up credNames var
2022-11-17 11:55:17 -07:00
akshya96 22029c696b
Vault 9800 Fix vault read handling for endpoints with no top-level data object (#17913)
* fix vault read

* changing json unmarshal

* adding changelog

* removing line

* removing format=raw

* add test

* fix tests

* add fix for resp.Errors

* adding comments
2022-11-17 10:51:37 -08:00
Alexander Scheel b6e27b7f8f
Fix semgrep false-positive due to co-dependent returns (#17984)
We previously tried to extract this log into a function (shouldExit),
but semgrep doesn't expand function invocations, leading us to be forced
to add another rule to the regex.

Instead, add the extraneous `err != nil` conditional into the if
statements, even though skip/err should always be true in these cases
and it should never be evaluated.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-17 09:26:13 -05:00
Nick Cabatoff 87f0939d11
I think there was a plan at some point to support a "vault server -diagnose" command line option, but that doesn't seem to have ever come to pass. Removing the dead code. (#17983) 2022-11-17 09:25:27 +00:00
Hamid Ghaf 07fe063a4b
fixing a typo in command login (#17996) 2022-11-16 19:21:01 -05:00
Alexander Scheel d1c078381e
Add hardware_backed_root, root_issued_leaves health checks (#17865)
* Add hardware_backed_root health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add root_issued_leaves health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new health checks to CLI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add more helpers to common PKI health-check code

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Show config when listing, stable output order

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix %v->%w

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 15:24:54 -05:00
Alexander Scheel 5101e31857
PKI Health Check Command (#17750)
* Stub out initial health check command

This command will be used to generate health check results for the PKI
engine.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Start common health check implementation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add common health check utilities

These utilities will collect helpers not specific to PKI health checks,
such as formatting longer durations more legibly.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PKI health check common utils

Many health checks will need issuer and/or CRL information in order to
execute. We've centrally located these helpers to avoid particular
health checks from needing to reimplement them each time.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Adding ca_validity_period health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Begin using health-checks in PKI command

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow parsing raw requests afterwards

This shifts the last of the logic difference between Read(...) and
ReadRaw(...) to a new helper, allowing ReadRaw(...) requests to be
parsed into the same response structure afterwards as Read(...); this
allows API callers to fetch the raw secret and inspect the raw response
object in case something went wrong (error code &c) -- and when the
request succeeds, they can still get the api.Secret out.

This will be used with the PKI health check functionality, making both
LIST and READ operations use ReadRaw, and optionally parsing the secret
afterwards.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add crl_validity_period health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for PKI health check

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix bug in raw reading with contexts

When reading raw objects, don't manually call the context cancellation:
this causes timeouts and/or EOF errors when attempting to read or parse
the response body. See message in client.RawRequestWithContext(...) for
more information.

This was causing the test suite to randomly fail, due to the context
cancelling. The test suite's client usually had a default timeout,
whereas the CLI didn't, and thus didn't exhibit the same issue.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix typo in permissions message

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Move %v->%w for errs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 09:27:56 -05:00
Jason O'Donnell de70878e16
core/server: Add environment variable to write stacktrace to file (#17929)
* Add env to write stacktrace to file

* changelog

* Use os.MkdirTemp

* Properly close file

* Adding path override

* Use temp file
2022-11-15 12:03:17 -05:00
Alexander Scheel c25b90831e
Move pki docker tests to pkiext (#17928)
* Export CreateBackendWithStorage for pkiext

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Move zlint_test.go to pkiext

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix mount all test to ignore pkiext

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-14 18:26:26 -05:00
Peter Wilson 0fad0c3864
VAULT-8732: Add `log-file` to Vault Agent (#17841)
* Started work on adding log-file support to Agent
* Allow log file to be picked up and appended
* Use NewLogFile everywhere
* Tried to pull out the config aggregation from Agent.Run

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-11-11 10:59:16 +00:00
Chris Capurso b31dc45ced
add noop ent supported storage check (#17883) 2022-11-10 16:46:59 -05:00
Violet Hynes 65e8eee0ba
VAULT-8703 Add warning for dangerous undocumented overrides, if used, in status response (#17855)
* VAULT-8703 Add warning for dangerous undocumented overrides, if used, in status response

* VAULT-8703 add changelog

* VAULT-8703 fix append
2022-11-09 11:04:36 -05:00
Peter Wilson 469c102fd3
Removed the legacy env var: LOGXI_FORMAT (#17822)
* Removed the legacy env var: LOGXI_FORMAT

* Added changelog

* Actually filled in the CL

* Added the name of legacy env var
2022-11-04 22:16:18 +00:00
Alexander Scheel 8e6e53cf63
Use hashicorp mirror for container pulls (#17778)
When running the test suite in CI (where requests are centralized from
relatively few IPs), we'd occasionally hit Dockerhub's rate limits.
Luckily Hashicorp runs a (limited) public mirror of the containers we
need, so we can switch to them here in the tests.

For consistency between developer and CI, we've opted to have the tests
always pull from the Hashicorp mirror, rather than updating the CI
runner to prefer the mirror.

We exclude nomad and influxdb as we don't presently mirror these repos.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-02 13:33:17 -04:00
Violet Hynes a11f62abf2
VAULT-8518 Increase HMAC limit to 4096, and limit approle names to the same limit (#17768)
* VAULT-8518 Increase HMAC limit to 4096, and limit approle names to the same limit

* VAULT-8518 Changelog

* VAULT-8518 Sprintf the byte limit
2022-11-02 10:42:09 -04:00
akshya96 2945924b2b
Vault 8305 Prevent Brute Forcing in Auth methods : Setting user lockout configuration (#17338)
* config file changes

* lockout config changes

* auth tune r/w and auth tune

* removing changes at enable

* removing q.Q

* go mod tidy

* removing comments

* changing struct name for config file

* fixing mount tune

* adding test file for user lockout

* fixing comments and add changelog

* addressing comments

* fixing mount table updates

* updating consts in auth_tune

* small fixes

* adding hcl parse test

* fixing config compare

* fixing github comments

* optimize userlockouts.go

* fixing test

* minor changes

* adding comments

* adding sort to flaky test

* fix flaky test
2022-11-01 11:02:07 -07:00
Chris Capurso f1f8bc1a0a
Fix kv -mount flag error when mount and secret path are the same (#17679)
* fix mount flag behavior for kv subcommands

* fix mount flag behavior for kv metadata subcommands

* add tests

* add changelog entry
2022-11-01 09:57:23 -04:00
Alexander Scheel 6d92ef4d9a
Fix raw format for other commands, add to docs! (#17730)
* Clarify when -format=raw fails

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Document Vault read's new -format=raw mode

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add raw format to usage, completion

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing support for raw format field printing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prohibit command execution with wrong formatter

This allows us to restrict the raw formatter to only commands that
understand it; otherwise, when running `vault write -format=raw`, we'd
actually hit the Vault server, but hide the output from the user. By
switching this to a flag-parse time check, we avoid running the rest of
the command if a bad formatter was specified.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-28 12:53:23 -04:00
Alexander Scheel df07170d26
Vault Raw Read Support (CLI & Client) (#14945)
* Expose raw request from client.Logical()

Not all Vault API endpoints return well-formatted JSON objects.
Sometimes, in the case of the PKI secrets engine, they're not even
printable (/pki/ca returns a binary (DER-encoded) certificate). While
this endpoint isn't authenticated, in general the API caller would
either need to use Client.RawRequestWithContext(...) directly (which
the docs advise against), or setup their own net/http client and
re-create much of Client and/or Client.Logical.

Instead, exposing the raw Request (via the new ReadRawWithData(...))
allows callers to directly consume these non-JSON endpoints like they
would nearly any other endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add raw formatter for direct []byte data

As mentioned in the previous commit, some API endpoints return non-JSON
data. We get as far as fetching this data (via client.Logical().Read),
but parsing it as an api.Secret fails (as in this case, it is non-JSON).
Given that we intend to update `vault read` to support such endpoints,
we'll need a "raw" formatter that accepts []byte-encoded data and simply
writes it to the UI.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add support for reading raw API endpoints

Some endpoints, such as `pki/ca` and `pki/ca/pem` return non-JSON
objects. When calling `vault read` on these endpoints, an error
is returned because they cannot be parsed as api.Secret instances:

> Error reading pki/ca/pem: invalid character '-' in numeric literal

Indeed, we go to all the trouble of (successfully) fetching this value,
only to be unable to Unmarshal into a Secrets value. Instead, add
support for a new -format=raw option, allowing these endpoints to be
consumed by callers of `vault read` directly.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove panic

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-28 09:45:32 -04:00
Violet Hynes 6d9ea2862e
VAULT-8519 fix spurious "unknown or unsupported fields" warnings for JSON config (#17660)
* VAULT-8519 add tests for HCL unknown field bug

* VAULT-8519 upversion hcl

* VAULT-8519 include correct comitts in tag

* VAULT-8519 Add changelog
2022-10-27 10:28:03 -04:00
Mike Palmiotto cc96c6f470
Store login MFA secret with tokenhelper (#17040)
* Store login MFA secret with tokenhelper
* Clean up and refactor tokenhelper paths
* Refactor totp test code for re-use
* Add login MFA command tests
* Use longer sleep times and sha512 for totp test
* Add changelog
2022-10-26 17:02:26 -04:00
Alexander Scheel c81bec4d06
Clean up dev cert construction (#17657)
Vault's new TLS devvault mode has two nits with certificate
construction:

 1. The CA doesn't need to include any SANs, as these aren't checked.
    Technically this means the CA could be reused as a leaf certificate
    for the one specified IP SAN, which is less desirable.
 2. Add hostname to SANs in addition to CNs. This is a best practice, as
    (when the CN is a hostname), it is preferable to have everything in
    SANs as well.

Neither of these are major changes.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-26 15:29:37 -04:00
Alexander Scheel 1721cc9f75
Add PATCH support to Vault CLI (#17650)
* Add patch support to CLI

This is based off the existing write command, using the
JSONMergePatch(...) API client method rather than Write(...), allowing
us to update specific fields.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on PATCH support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-26 14:30:40 -04:00
Peter Wilson 19d220cb82
Fixed typo in USAGE line (#17582) 2022-10-18 20:08:25 +01:00
Tom Proctor 455f1f6073
CLI: Fix secrets list -detailed headings (#17577) 2022-10-18 14:46:11 +01:00
akshya96 2d6c6c01c4
vault operator init -output-curl-string bug (#17514)
* fixing -output-curl-string bug

* add changelog

* fix for -output-policy

* adding comment for -output-policy
2022-10-13 15:15:01 -07:00
Tom Proctor df690ea414
Plugins: Add -version flag to 'vault plugin info' (#17454)
* Add -version flag to 'vault plugin info'
* Allow specifying a builtin tag when reading a single plugin from the catalog
2022-10-07 15:28:15 +01:00
Tom Proctor 2cf29f93c7
Plugins: Add version info to CLI and server log output (#17430) 2022-10-06 12:54:27 +01:00
Renato Costa ea1257be2e
fix incorrect use of loop variable (#16872)
This fixes a couple of references to loop variables in parallel tests
and deferred functions. When running a parallel test (calling
`t.Parallel()`) combined with the table-driven pattern, it's necessary
to copy the test case loop variable, otherwise only the last test case
is exercised. This is documented in the `testing` package:

https://pkg.go.dev/testing#hdr-Subtests_and_Sub_benchmarks

`defer` statements that invoke a closure should also not reference a
loop variable directly as the referenced value will change in each
iteration of the loop.

Issues were automatically found with the `loopvarcapture` linter.
2022-10-04 09:23:37 -04:00
Peter Wilson 42ba1384ff
Added flag and env var which will disable client redirection (#17352)
* Added flag and env var which will disable client redirection

* Added changelog

* Docs fix for unsaved file, and test single request made

* Updated test for case when redirect is enabled, updated docs based on suggestions
2022-09-30 09:29:37 +01:00
Mike Palmiotto 0078822d1d
core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool (#17319)
* core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool

* docs: Update VAULT_ALLOW_PENDING_REMOVAL_MOUNTS doc
2022-09-29 14:35:52 -04:00
Tom Proctor 12ca81bc9b
cli/api: Update plugin listing to always include version info in the response (#17347) 2022-09-29 18:22:33 +01:00
Alexander Scheel 3eaa4b0d75
Write explicit -help output to stdout (#17308)
* Write explicit -help output to stdout

Per the consensus of most programs, and mirroring the GNU Coding
Standards for CLI design, when users request -help explicitly via the
CLI, this should be written to stdout to allow paging of output. stderr
is fine when an invalid usage triggers the help text however.

In our case, mitchellh/cli helpfully adds a HelpWriter that we
previously set to stderr explicitly. This writer is only called to print
user-requested help text; it is not called on error cases (e.g., bad
usage triggering additional help text to the user).

Thus it should safely be settable to stdout, enabling pagers without
additional redirects.

Notably, we do have to set ErrorWriter as it defaults to initializing to
the value of HelpWriter, which we want to set to stdout now, which is
less useful.

See also: https://www.gnu.org/prep/standards/html_node/_002d_002dhelp.html
Resolves: #17004

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-26 12:15:48 -04:00