Commit graph

14838 commits

Author SHA1 Message Date
Alexander Scheel a0feefb2fa
Use application/pem-certificate-chain for PEMs (#13927)
* Use application/pem-certificate-chain for PEMs

As mentioned in #10948, it appears we're incorrectly using the
`application/pkix-cert` media type for PEM blobs, when
`application/x-pem-file` is more appropriate. Per RFC 5280 Section
4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in
DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert`
is only applicable when a single DER certificate is used.

Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer `application/pem-certificate-chain` media type for
certificates. However, this is not applicable for CRLs, so we use fall
back to `application/x-pem-file` for these. Notably, no official IETF
source is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-08 08:12:33 -05:00
cr48 1a4dc03bf7
Typo: Corrected same typo in 2 locations (on-premise to on-premises) (#13402)
* Fixed 2 typos on-premise to on-premises.

* Added changelog file.

* Removed 13402.txt file from changelog.

* Update website/content/docs/secrets/terraform.mdx

Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com>
2022-02-07 18:59:46 -05:00
Scott Miller 0da4d59e3c
OSS of the managed key consumer pattern (#13940)
* OSS of the managed key consumer pattern

* Wrong changes
2022-02-07 15:01:42 -06:00
Austin Gebauer 4c12c2bb42
identity/oidc: adds tests for validation of loopback IP redirect URIs (#13939)
* identity/oidc: adds tests for validation of loopback IP redirect URIs

* Update vault/identity_store_oidc_provider_test.go

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2022-02-07 12:50:36 -08:00
Jordan Reimer e811821ac7
Transform Advanced Templating (#13908)
* updates regex-validator component to optionally show pattern input and adds capture groups support

* adds form-field-label component

* adds autocomplete-input component

* updates kv-object-editor component to yield block for value and glimmerizes

* updates transform template model

* adds transform-advanced-templating component

* updates form-field with child component changes

* updates transform template serializer to handle differences in regex named capture groups

* fixes regex-validator test

* adds changelog entry

* updates for pr review feedback

* reverts kv-object-editor guidFor removal
2022-02-07 13:07:53 -07:00
Alexander Scheel 33a9218115
Add full CA Chain to /pki/cert/ca_chain response (#13935)
* Include full chain in /cert/ca_chain response

This allows callers to get the full chain (including issuing
certificates) from a call to /cert/ca_chain. Previously, most endpoints
(including during issuance) do not include the root authority, requiring
an explicit call to /cert/ca to fetch. This allows full chains to be
constructed without without needing multiple calls to the API.

Resolves: #13489

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test case for full CA issuance

We test three main scenarios:

 1. A root-only CA's `/cert/ca_chain`'s `.data.ca_chain` field should
    contain only the root,
 2. An intermediate CA (with root provide) should contain both the root
    and the intermediate.
 3. An external (e.g., `/config/ca`-provided) CA with both root and
    intermediate should contain both certs.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation for new ca_chain field

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about where to find the entire chain

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-07 14:37:01 -05:00
Joe 8d169d48d3
identity/oidc: loopback redirect dynamic port (#13871)
* Add check for OIDC provider to permit a non-exact redirect URI from OIDC client if it is the IPv4 or IPv6 loopback address.

* Update changelog/13871.txt

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update redirectURI check to match that for the OIDC auth method.

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
2022-02-07 10:34:33 -08:00
Loann Le f85945d3aa
Vault documentation: updated What is a Client section (#13816)
* updated client doc

* fixed heading
2022-02-07 09:05:10 -08:00
Jason O'Donnell 7145fe49ff
docs/oracle: add wallet permissions example (#13924)
* docs/oracle: add wallet permissions example

* Update website/content/docs/secrets/databases/oracle.mdx

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2022-02-07 11:17:33 -05:00
Sarah Thompson e3304380f4
Turning off binary secret scanning to allow builds to be processed until https://github.com/hashicorp/security-scanner/issues/166 is addressed. (#13920) 2022-02-07 15:31:18 +00:00
Andrew Briening ed457aeae7
Adds "raw(/pem)" format to individual cert routes (#10947) (#10948)
Similar to "/pki/ca(/pem)" routes to retrieve
certificates in raw or pem formats, this adds
"pki/cert/{serial}/raw(/pem)" routes for any
certificate.
2022-02-07 09:47:13 -05:00
claire bontempo e611842ce0
UI/Fix parsing CRL in PKI engine (#13913)
* fix parsing of CRLs

* removes tests

* update comment
2022-02-04 18:26:29 -08:00
Benjamin Pannell 79e1087f0c
doc: Correctly close code-block in Azure API docs (#13222)
This resolves a rendering issue in the Azure API documentation which caused a section to be rendered in its raw markdown form instead of the rich documentation that was expected.
2022-02-04 14:02:49 -08:00
Victor Rodriguez 6f8def2873
Run 'make fmt'. (#13914) 2022-02-04 16:54:06 -05:00
Samori Gorse b2e3745837
typo: Updated terraform example (#13401)
The terraform example had a couple of issues:

- Tags was missing a `=`
- Attribute list is not supported
2022-02-04 13:08:16 -08:00
Chris Jones b97a1b3157
Add iam:GetUser permission to the example. (#13316)
Without `iam:GetUser` permission, I wasn't able to get Vault to rotate its own credentials.
2022-02-04 13:07:26 -08:00
Victor Rodriguez 0bb112520e
Seal wrap storage entries of the ManagedKeyRegistry. (#13905)
Seal wrap storage entries of the ManagedKeyRegistry.

Specify the managed key registry's path in SealWrapStorage in the SystemBackend.

Enable SealWrap in the system mount entry.
2022-02-04 16:06:32 -05:00
AnPucel 329342a1fa
Adding dotnet example app to docs (#13782) 2022-02-04 12:28:43 -08:00
Ricky Grassmuck edd5b69376
[API] Add LDAP auth method (#13841)
* [api] Add LDAP auth method

This commit adds LDAP to the available Vault API auth methods.

* Add changelog entry for PR 13841

* Obtain password for LDAPAuth from File/EnvVar

* Fix name of package in error message
2022-02-04 11:10:51 -08:00
Angel Garbarino 24695ddedc
Client count namespace filter (#13881)
* setup

* add forward slash

* fix icon issue

* add to current view

* fixes

* change

* final cleanup

* remove todo
2022-02-04 11:44:13 -07:00
mairandomness bc74650b98
Update delete.mdx (#13148)
Adding a note on the parameter necessary for deletion on a key deletion example seems like a good idea.
From my limited research I found other people that had trouble finding the relevant part of the documentation.
Though I'm not sure this is the best wording or formatting for it.
2022-02-04 10:13:24 -08:00
Stefan Kalscheuer f0a8199b19
Fix documentation of "replication_performance_mode" in health API (#13529)
The field "replication_per_mode" was renamed before this feature was
released, but the docs have never been updated. Update the documentation
to present the correct name.
2022-02-04 10:05:44 -08:00
Alexander Scheel dcdfaa8889
Switch from node-forge to PKI.js (#13894)
* Switch parse-pki-cert from node-forge to PKI.js

This replaces the implementation of parse-pki-cert to use PKI.js rather
than node-forge for two reasons:

 - PKI.js uses Web Crypto rather than maintaining a built-in
   implementation of several algorithms.
 - node-forge presently lacks support for ECDSA and Ed25519
   certificates.

Related: #13680

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add dependency on PKI.js

$ yarn add -D asn1js pvutils pkijs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove dependency on node-forge

$ yarn remove node-forge

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-04 12:52:28 -05:00
Rémi Lapeyre 2b3661b863
Document the use of inline SSL certificates for PostgreSQL (#11985)
Authored by @remilapeyre.
2022-02-04 11:48:19 -05:00
Maha Sharabinth c30fa154ff
Add a Rekey Example When Auto Unseal is Used (#13139)
Added an example to explicitly show how to perform a Rekey operation when the Vault cluster is using Auto Unseal.  This is placed as the second example. 
The existing example code combines with the PGP keys so added a simple example without the PGP keys.
2022-02-04 10:43:33 -05:00
Theron Voran c01b9915b1
docs/helm: fix duplicate ingress tls section (#13790)
Combined the two Ingress sections into one, hopefully in the right
spot this time.
2022-02-03 22:48:23 -08:00
Mark Lewis 919c197fe9
Update index.mdx (#12936)
Tidy a couple of bullets.
2022-02-03 17:49:46 -08:00
Matthew Irish 2f2243c021
line ending changes (#13765) 2022-02-03 16:53:36 -08:00
Hridoy Roy c9787695ce
cl update (#13798) 2022-02-03 16:52:45 -08:00
hghaf099 b3eb31b4d6
turning go modules to false until jwt cve issue fixed (#13888) 2022-02-03 13:57:47 -05:00
hghaf099 f541cf196b
adding docs for the framework Required field (#13884)
* adding docs for the framework Required field

* minor fix

* Update sdk/framework/backend.go

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2022-02-03 11:44:01 -05:00
Meggie c80d5805dc
Make backport assistant work with ENT backport tags (#13876)
* Make backport assistant work with ENT backport tags

I want the regexp to include word characters and the plus sign on
enterprise. I'm confused about the levels of escaping required, because
this is a shell env var that gets passed to a go program as a regular
expression. I didn't escape the square brackets because the parens
weren't escaped. I matched what was done previously with the '.'s for
the '+' because I also want that literal, but it was unclear from
playing around with https://regex101.com/ and go regexps whether the
extra backslashes were required for the '+' char.

* Update .github/workflows/backport.yml

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-02-02 16:37:56 -05:00
claire bontempo 3d013bc266
UI/Fix activity and monthly serializer (#13879)
* return new object

* rename variables and return truncating of data to component (from serializer)

* fix serializer
2022-02-02 13:24:24 -08:00
Arnav Palnitkar 91e5877d4a
Fix kv secret access bug (#13872)
* Fix kv secret access bug

- Set permissions state when call is successful

* Added changelog
2022-02-03 01:46:03 +05:30
claire bontempo 34630f6557
UI/Add CSV export, update history and current tabs (#13812)
* add timestamp to attribution

* create usage stat component

* updates stat text boxes

* remove flex-header css

* remove comment

* add empty state if no data

* update monthly serializer

* remove empty state - unnecessary

* change tab to 'history'

* add usage stats to history view

* change css styling for upcased grey subtitle

* correctly exports namespace and auth data

* close modal on download

* test making a service?

* fix monthly attrs

* update csv content format

* remove component and make downloadCsv a service

* update function name

* wip//add warning labels, fixing up current and history tabs

* wip//clean up serializer fix with real data

* fix link styling:

* add conditionals for no data, add warning for 1.9 counting changes

* naming comment

* fix tooltip formatting

* fix number format and consolidate actions

* remove outdated test

* add revokeObjectURL and rename variable

* fix errors and empty state views when no activity data at all

* fix end time error

* fix comment

* return truncating to serializer

* PR review cleanup

* return new object
2022-02-02 11:46:59 -08:00
mickael-hc a562beaba8
update changelog with recent security entries (#13868)
This includes:
* HSEC-2021-33 / CVE-2021-45042
* HSEC-2021-30 / CVE-2021-43998
* HSEC-2021-27 / CVE-2021-41802
2022-02-02 11:12:54 -05:00
Angel Garbarino 53aae016f7
Client Count Calendar widget updates (#13777)
* setup

* handle current billing period

* handle billing period selection

* clean up

* clean up

* turn serializer to class

* change to classes

* placeholding, handles timezone issues for this.startTime

* put in depen

* fixing timezone issues for endTime

* clean up

* move formating on Get to the adapter. Still need to return formating from Get on serializer

* fix current billing period

* move all inside queryRecord to hit serilaizer

* move to serializer

* clean up

* calendar clean up

* clean up

* fix styling

* small fixes

* small fixes

Co-authored-by: Claire Bontempo <cbontempo@hashicorp.com>
2022-02-01 13:45:01 -07:00
Tom Proctor 5032cfaf47
Add make fmt CI check (#13803)
* Add make fmt CI check

* Don't suppress patch output
2022-01-31 23:24:16 +00:00
Tom Proctor fce9c92c5b
Update k8s auth long-lived token instructions (#13852) 2022-01-31 23:16:01 +00:00
Gregory Harris c260d35ab1
Support Y10K value in notAfter field when signing non-CA certificates (#13736)
* Support Y10K value in notAfter field when signing non-CA certificates

* Add changelog entry for 13736

* Add test for using not_after parameter for non-CA certificates that are being signed

* Fix CA value for test for not_after value when signing non-CA certs

* Address formatting

* Add changelog file

* Revert changelog entry commit f28b54e7b5ad21144c8a2da942d766e64a332caf
2022-01-31 15:37:50 -06:00
Anoop Vijayan Maniankara f5b9aefd1e
Update mssql.mdx with typo error (#13527)
user sa -> vaultuser
2022-01-31 14:56:37 -05:00
Matt Schultz 00bafb873e
Bump timeout for gauge testing to 500 ms from 100 ms. (#13836) 2022-01-31 12:01:48 -06:00
claire labry 2d2e116e1e
add security-scan for CRT (#13627)
* add security-scan

* updating the alpine version

* clean up

* update the alpine version to be more prescriptive
2022-01-31 11:35:25 -05:00
Noel Quiles 29ae450a09
chore: Add Demandbase tag to consent manager (#13796) 2022-01-28 14:15:07 -05:00
Sebastien Rosset fd209183d1
Update upgrade-to-1.3.10.mdx (#12341)
The upgrade guide indicates the upgrade path between two identical versions (1.3.10). Presumably you meant compared to 1.3.9?
2022-01-28 09:27:23 -08:00
Joshua Gilman de51e14f66
Add vaultrs Rust crate to community libraries (#12402)
This change proposes adding [vaultrs](https://crates.io/crates/vaultrs) to the list of community-supported libraries. This crate has a mature base and is expected to expand to accommodate most of the API.
2022-01-28 09:02:31 -08:00
Austin Gebauer 17b2e0d259
auth/oidc: Documentation updates for Azure AD applications (#13819) 2022-01-28 08:34:36 -08:00
Steven Clark 69ac11a564
Documentation updates for new keys for PKCS#11 unsealing (#13814)
* Document new force_rw_session parameter within pkcs11 seals

* documentation for key_id and hmac_key_id fields

* Apply suggestions from code review

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/configuration/seal/pkcs11.mdx

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: rculpepper <rculpepper@hashicorp.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-01-28 11:25:02 -05:00
Victor Rodriguez e58c80801e
Add new parameter managed_key_id for PKI CA key generation. (#13825) 2022-01-28 11:14:20 -05:00
Dominik Roos 7a6ae24e9f
pki: calculate Subject Key Identifier according to RFC 5280 (#11218)
Calculate the Subject Key Identifier as suggested in RFC 5280, Section 4.2.1.2

> (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
value of the BIT STRING subjectPublicKey (excluding the tag,
length, and number of unused bits).

fixes #11153
2022-01-28 10:46:51 -05:00