Commit Graph

17285 Commits

Author SHA1 Message Date
Jason O'Donnell 202d674682
command/server: add support to write pprof files to the filesystem via SIGUSR2 (#20609)
* core/server: add support to write pprof files to the filesystem via SIGUSR2

* changelog

* Fix filepath join

* Use core logger

* Simplify logic

* Break on error
2023-05-17 09:21:25 -04:00
Jordan Reimer 5cebced707
fixes command not found: export when running yarn start and updates caniuse-lite (#20610) 2023-05-16 15:48:49 -06:00
Ryan Cragun 2b5cb8d26b
test: use correct pool allocation for spot strategy (#20593)
Determine the allocation pool size for the spot fleet by the allocation
strategy. This allows us to ensure a consistent attribute plan during
re-runs which avoid rebuilding the target fleets.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-05-16 14:00:20 -06:00
Angel Garbarino 74be2f8592
Fix flaky filtering test (#20605)
* fix failing test

* more specific
2023-05-16 14:39:19 -05:00
Jordan Reimer 43fae50512
MFA Create Enforcement Bug (#20603)
* fixes issue creating mfa enforcement from method enforcement tab toolbar action

* adds changelog entry
2023-05-16 10:38:53 -06:00
Anton Averchenkov 89e5b566ac
openapi: Fix ACME-related errors (#20599) 2023-05-16 16:05:07 +00:00
Steven Clark 57dc281561
Disable requiring EAB in ACME by default (#20600)
* Disable requiring EAB in ACME by default

 - After an internal meeting it was decided that enabling EAB support by default was probably not the right decision.
 - The main motivating factor being ease of use by end-users as the majority of implementations aren't expecting EAB to be required by default.

* Leverage function isPublicACMEDisabledByEnv and log parsing error

 - Add logging to the new isPublicACMEDisabledByEnv function if we fail to parse the env var
 - Leverage the function within the isAcmeDisabled function in acme_wrappers.go to not duplicate the env getting logic in two places.

* Fail closed when VAULT_DISABLE_PUBLIC_ACME is un-parsable.
2023-05-16 11:17:04 -04:00
Kianna 65c100182d
UI: Convert pki component files to ts (#20533) 2023-05-16 08:07:12 -07:00
miagilepner f14a039a65
VAULT-14733: Split logic of precomputedQueryWorker (#20073)
* split precomputed query worker and add unit tests

* add new client delete method and test

* add changelog

* fixes from pr review

* add missing comment

* fix comparison
2023-05-16 16:29:18 +02:00
Steven Clark b483288703
Add a last issued date on ACME accounts (#20534)
* Add a last issued date on ACME accounts

 - When we issue a new ACME certificate, attempt to update the account's last issued field
 - Within ACME account tidy, use both account creation and last issue date to provide a buffer before we mark the account as revoked.
 - Cleanup the cert serial to account tracker
 - Misc formatting fixes in JSON objects

* Move account max-cert-expiry updates within tidy

 - Perform the account update of max-cert-expiry within
   the tidy operation as it has the account write lock
   and is already iterating over all orders.
 - With this the order path does not need any account
   level locks

* Prefix ACME account status constants with AccountStatusX
2023-05-15 16:02:40 -04:00
Angel Garbarino 8d333a2c20
remove var (#20592) 2023-05-15 17:28:47 +00:00
Steven Clark b9b49116d0
Add External Account Binding support to ACME (#20523)
* Add Vault APIS to create, list, delete ACME EAB keys

 - Add Vault authenticated APIs to create, list and delete ACME
   EAB keys.
 - Add supporting tests for all new apis

* Add require_eab to acme configuration

* Add EAB support to ACME

* Add EAB support to ACME

* PR feedback 1

 - Address missing err return within DeleteEab
 - Move verifyEabPayload to acme_jws.go no code changes in this PR
 - Update error message returned for error on account storage with EAB.

* PR feedback 2

 - Verify JWK signature payload after signature verification

* Introduce an ACME eab_policy in configuration

 - Instead of a boolean on/off for require_eab, introduce named policies for ACME behaviour enforcing eab.
 - The default policy of always-required, will force new accounts to have an EAB, and all operations in the future, will make sure the account has an EAB associated with it.
 - Two other policies, not-required will allow any anonymous users to use ACME within PKI and 'new-account-required' will enforce new accounts going forward to require an EAB, but existing accounts will still be allowed to use ACME if they don't have an EAB associated with the account.
 - Having 'always-required' as a policy, will override the environment variable to disable public acme as well.

* Add missing go-docs to new tests.

* Add valid eab_policy values in error message.
2023-05-15 13:15:20 -04:00
Angel Garbarino 00e06301f1
Filter Secret Engine List view by engineType and/or name (#20481)
* initial WIP glimmerize the controller

* wip got the filter engine type by supported backends working

* got filter by engine type working

* wip need to refactor but working ish for name

* wip working state with both filters, does not work if both fiters are set

* fixed when you have two selected filters, but broken for multiples of the same type with different names

* remove repeated engineTypes in filter list

* add disabled to power select

* fix bug of glimmer for the concurrency task.

* wording fix

* remove linkableItem and the nested contextual compnents to help with loading speed.

* add changelog

* fix some tests

* add test coverage

* Update 20481.txt

update changelog text

* test fixes 🤞

* test fix?

* address a pr comment and save

* address pr comment
2023-05-15 16:57:27 +00:00
Daniel Huckins 57e2657c3e
move private function to internal pkg for sharing (#20531)
* move private function to internal pkg for sharing

* rename to mc

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* rename to NewConfig

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-05-15 10:55:28 -04:00
Stefano Cattonar 023d847182
Fixed a typo in the "Environment Variable Example" because it was generating a parsing error (#20574)
Fixed a typo in the "Environment Variable Example" because it was generating a parsing error:

template server error: error="(dynamic): execute: template: :2:30: executing \"\" at <.Data.data.payments_api_key>: can't evaluate field data in type *dependency.Secret"
2023-05-12 22:34:51 +00:00
Jaymala fcfd0f9bb8
[QT-554] Remove Terraform validations from Enos replication scenario (#20570)
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2023-05-12 16:06:46 -04:00
Josh Black 8c08ac8df4
add undo logs metrics to docs (#20568) 2023-05-11 18:28:25 -07:00
Rowan Smith 57af313dc8
Update server.mdx (#19881)
added a note detailing that usage of `-log-file` functions as an additional output, does not replace journald / stdout
2023-05-11 17:18:55 -07:00
Anton Averchenkov 31d33f189f
openapi: A few fixes for display attributes (#20549) 2023-05-11 17:20:11 -04:00
Gabriel Santos 05f3236c15
Provide public key encryption via transit engine (#17934)
* import rsa and ecdsa public keys

* allow import_version to update public keys - wip

* allow import_version to update public keys

* move check key fields into func

* put private/public keys in same switch cases

* fix method in UpdateKeyVersion

* move asymmetrics keys switch to its own method - WIP

* test import public and update it with private counterpart

* test import public keys

* use public_key to encrypt if RSAKey is not present and failed to decrypt
if key version does not have a private key

* move key to KeyEntry parsing from Policy to KeyEntry method

* move extracting of key from input fields into helper function

* change back policy Import signature to keep backwards compatibility and
add new method to import private or public keys

* test import with imported public rsa and ecdsa keys

* descriptions and error messages

* error messages, remove comments and unused code

* changelog

* documentation - wip

* suggested changes - error messages/typos and unwrap public key passed

* fix unwrap key error

* fail if both key fields have been set

* fix in extractKeyFromFields, passing a PolicyRequest wouldn't not work

* checks for read, sign and verify endpoints so they don't return errors when a private key was not imported and tests

* handle panic on "export key" endpoint if imported key is public

* fmt

* remove 'isPrivateKey' argument from 'UpdateKeyVersion' and
'parseFromKey' methods

also: rename 'UpdateKeyVersion' method to 'ImportPrivateKeyForVersion' and 'IsPublicKeyImported' to 'IsPrivateKeyMissing'

* delete 'RSAPublicKey' when private key is imported

* path_export: return public_key for ecdsa and rsa when there's no private key imported

* allow signed data validation with pss algorithm

* remove NOTE comment

* fix typo in EC public key export where empty derBytes was being used

* export rsa public key in pkcs8 format instead of pkcs1 and improve test

* change logic on how check for is private key missing is calculated

---------

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-11 11:56:46 +00:00
Jonathan Frappier 82427e355f
Add requested generated secret example (#20556)
* Add requested generated secret example

* Fix code block types

* Update website/content/docs/secrets/kv/kv-v1.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/secrets/kv/kv-v2.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-05-10 18:21:26 -04:00
Jaymala b5606770f6
Update verify-changes to support external docs branches (#20535)
* Update verify-changes to support external docs branches

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Revert QT-545 as it Enos workflow is not a workflow_run event

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

---------

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2023-05-08 15:03:23 -04:00
Hamid Ghaf 3553e75335
disable printing flags warning message for the ssh command (#20502)
* disable printing flags warning message for the ssh command

* adding a test

* CL

* add go doc on the test
2023-05-08 16:15:44 +00:00
claire bontempo c3c67f68da
UI: pki cross-signing acceptance tests (#20495)
* move selectors to helper file

* wip cross sign acceptance tests

* finish tests
2023-05-05 12:35:57 -07:00
Josh Black 726512b4e0
use internal docker mirror for CI (#20435)
* use internal docker mirror for CI

* maybe it needs to be https

* no just kidding it's docker://

* apparently overriding it globally causes creates to fail. time to override each image individually lol

* maybe this works
2023-05-05 09:37:31 -07:00
Kit Haines edbbd3106c
Structure of ACME Tidy (#20494)
* Structure of ACME Tidy.

* The tidy endpoints/call information.

* Counts for status plumbing.

* Update typo calls, add information saving date of account creation.

* Missed some field locations.

* Set-up of Tidy command.

* Proper tidy function; lock to work with

* Remove order safety buffer.

* Missed a field.

* Read lock for account creation; Write lock for tidy (account deletion)

* Type issues fixed.

* fix range operator.

* Fix path_tidy read.

* Add fields to auto-tidy config.

* Add (and standardize) Tidy Config Response

* Test pass, consistent fields

* Changes from PR-Reviews.

* Update test to updated default due to PR-Review.
2023-05-05 15:14:41 +00:00
Jens Hofmann b8ac5ec2da
Update elasticdb.mdx (#20437)
* Update elasticdb.mdx

Remove success message of vault write operations from text blocks to better support copy&paste to console

* Update code block types

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-05-04 16:17:57 -07:00
Pratyoy Mukhopadhyay 7b807a9bb0
add ns path to granting_policies (#20522) 2023-05-04 15:08:22 -07:00
claire bontempo 949979dd14
UI: add info banner for not parsable certs (#20518)
* remove undefined payload.issuer_id

* add info banner to parsed display view

* add tests

* clean up conditional, add specific banner test selector

* check for undefined length
2023-05-04 20:54:10 +00:00
Christopher Swenson 42f7def9aa
Keep symbols by default (#20519)
By reversing the logic and adding a `REMOVE_SYMBOLS` environment
variable that, when set, will remove symbols.

This has been requested to re-enable Dynatrace support, which
requires symbols are intact.

Sadly this increases the size (on my mac) from 192,609,682 bytes
to 236,696,722 bytes (+23% increase).

I confirmed that this adds symbols back, and that `dlv` will load
the Vault binary.
2023-05-04 13:23:06 -07:00
Victor Rodriguez 2656c020ae
Convert seal.Access struct into a interface (OSS) (#20510)
* Move seal barrier type field from Access to autoSeal struct.

Remove method Access.SetType(), which was only being used by a single test, and
which can use the name option of NewTestSeal() to specify the type.

* Change method signatures of Access to match those of Wrapper.

* Turn seal.Access struct into an interface.

* Tweak Access implementation.

Change `access` struct to have a field of type wrapping.Wrapper, rather than
extending it.

* Add method Seal.GetShamirWrapper().

Add method Seal.GetShamirWrapper() for use by code that need to perform
Shamir-specific operations.
2023-05-04 14:22:30 -04:00
Alex Cahn 976881954a
Update interoperability-matrix.mdx (#20501)
* Update interoperability-matrix.mdx

* Update interoperability-matrix.mdx

Added MySQL as well
2023-05-04 08:58:00 -07:00
Hamid Ghaf bf96f63649
CLI to take days as a unit of time (#20477)
* CLI to take days as a unit of time

* CL
2023-05-04 08:03:37 -07:00
Alexander Scheel 544ae3461f
Allow ensuring ticker is stopped multiple times (#20509)
When executing multi-stage, multi-namespace tests, stopping the ticker
multiple times (via closing the StopTicker channel) results in a panic.

Store whether or not we've stopped it once, and do not close it again.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-04 14:14:06 +00:00
Alexander Scheel c1bc341b88
Add note about cross-cluster write failures (#20506)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-04 13:05:14 +00:00
Chelsea Shaw 898bc50a76
UI: Stabilize KV secret tests (#20491) 2023-05-04 05:02:07 +00:00
Alexander Scheel c50de2ec0c
Add DNS wildcard tests to ACME test suite (#20486)
* Refactor setting local addresses

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Validate wildcard domains in ACME test suite

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add locking to DNS resolver

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Better removal semantics for records

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-03 20:23:44 +00:00
Kianna 650743e18f
UI: PKI error handling + some small bugs! (#20478) 2023-05-03 13:00:46 -07:00
Anton Averchenkov 3ff2b011ab
Clarify deprecation comments for RawRequest* functions (#20497) 2023-05-03 19:47:54 +00:00
claire bontempo f0ea1f5ed8
UI: update setting version service for sidebar frame test (#20496)
* refactor sidebar test

* swap out setFeatures

* make version test glimmery
2023-05-03 19:03:28 +00:00
Anton Averchenkov 11c92e9565
Move TestWalkSecretsTree to the correct file. (#20493) 2023-05-03 18:24:23 +00:00
Hamid Ghaf 148263084d
adding support for four cluster docker based test scenario (#20492) 2023-05-03 10:49:45 -07:00
Alexander Scheel d8c5456f8a
Add dns resolver to PKI Binary Cluster (#20485)
* Export DockerAPI for use by other consumers

As usage of DockerCluster gets more advanced, some users may want to
interact with the container nodes of the cluster. While, if you already
have a DockerAPI instance lying around you can reuse that safely, for
use cases where an existing e.g., docker/testhelpers's runner instance
is not available, reusing the existing cluster's DockerAPI is easiest.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add ability to exec commands without runner

When modifying DockerTestCluster's containers manually, we might not
have a Runner instance; instead, expose the ability to run commands via
a DockerAPI instance directly, as they're awfully convenient.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add DNS resolver into ACME tests

This updates the pkiext_binary tests to use an adjacent DNS resolver,
allowing these tests to eventually be extended to solve DNS challenges,
as modifying the /etc/hosts file does not allow this.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix loading DNS resolver onto network

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix bug with DNS configuration validation

Both conditionals here were inverted: address being empty means a bad
specification was given, and the parse being nil means that it was not a
valid IP address.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix specifying TXT records, allow removing records

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-03 17:32:39 +00:00
Anton Averchenkov b4bec9bd30
Improve addPrefixToKVPath helper (#20488) 2023-05-03 17:10:55 +00:00
Chelsea Shaw 973555cb9c
UI: Handle edge cases for PKI import results (#20474) 2023-05-03 12:02:39 -05:00
claire bontempo 5768ae4f9b
UI: add enterprise only pki/config/crl parameters to edit configuration form (#20479)
* update version service

* render enterprise groups

* render enterprise params

* move group headers to within loop

* cleanup template

* update form tests

* change version service references to hasFeature to hasControlGroups getter

* add params to details view

* update version service test
2023-05-03 09:48:08 -07:00
Nick Cabatoff 3eb5fb3eb7
Use newer version of backport-assistant (#20484) 2023-05-03 12:40:01 -04:00
Steven Clark aa3c61c85b
In ACME responses only return Type, Value fields (#20480)
- Do not serialize the entire internal object, instead return
   just the Type and Value fields back to the caller.
 - Also within authorization responses, return the base domain
   on wildcard queries, dropping the *. as the RFC requests.
 - Update tests to reflect/test this logic.
2023-05-03 09:53:33 -04:00
Jordan Reimer c84d267c61
Sidebar Navigation (#19296)
* Add Helios Design System Components (#19278)

* adds hds dependency

* updates reset import path

* sets minifyCSS advanced option to false

* Remove node-sass (#19376)

* removes node-sass and fixes sass compilation

* fixes active tab li class

* Sidebar Navigation Components (#19446)

* links ember-shared-components addon and imports styles

* adds sidebar frame and nav components

* updates HcNav component name to HcAppFrame and adds sidebar UserMenu component

* adds tests for sidebar components

* fixes tests

* updates user menu styling

* fixes typos in nav cluster component

* changes padding value in sidebar stylesheet to use variable

* Replace and remove old nav components with new ones (#19447)

* links ember-shared-components addon and imports styles

* adds sidebar frame and nav components

* updates activeCluster on auth service and adds activeSession prop for sidebar visibility

* replaces old nav components with new ones in templates

* fixes sidebar visibility issue and updates user menu label class

* removes NavHeader usage

* adds clients index route to redirect to dashboard

* removes unused HcAppFrame footer block and reduces page header top margin

* Nav component cleanup (#19681)

* removes nav-header components

* removes navbar styling

* removes status-menu component and styles

* removes cluster and auth info components

* removes menu-sidebar component and styling

* fixes tests

* Console Panel Updates (#19741)

* updates console panel styling

* adds test for opening and closing the console panel

* updates console panel background color to use hds token

* adds right margin to console panel input

* updates link-status banner styling

* updates hc nav components to new API

* Namespace Picker Updates (#19753)

* updates namespace-picker

* updates namespace picker menu styling

* adds bottom margin to env banner

* updates class order on namespace picker link

* restores manage namespaces refresh icon

* removes manage namespaces nav icon

* removes home link component (#20027)

* Auth and Error View Updates (#19749)

* adds vault logo to auth page

* updates top level error template

* updates loading substate handling and moves policies link from access to cluster nav (#20033)

* moves console panel to bottom of viewport (#20183)

* HDS Sidebar Nav Components (#20197)

* updates nav components to hds

* upgrades project yarn version to 3.5

* fixes issues in app frame component

* updates sidenav actions to use icon button component

* Sidebar navigation acceptance tests (#20270)

* adds sidebar navigation acceptance tests and fixes other test failures

* console panel styling tweaks

* bumps addon version

* remove and ignore yarn install-state file

* fixes auth service and console tests

* moves classes from deleted files after bulma merge

* fixes sass syntax errors blocking build

* cleans up dart sass deprecation warnings

* adds changelog entry

* hides namespace picker when sidebar nav panel is minimized

* style tweaks

* fixes sidebar nav tests

* bumps hds addon to latest version and removes style override

* updates modify-passthrough-response helper

* updates sidebar nav tests

* mfa-setup test fix attempt

* fixes cluster mfa setup test

* remove deprecated yarn ignore-optional flag from makefile

* removes another instance of yarn ignore-optional and updates ui readme

* removes unsupported yarn verbose flag from ci-helper

* hides nav headings when user does not have access to any sub links

* removes unused optional deps and moves lint-staged to dev deps

* updates has-permission helper and permissions service tests

* fixes issue with console panel not filling container width
2023-05-02 19:36:15 -06:00
claire bontempo 00e43b88b4
fix typo (#20473) 2023-05-02 19:29:14 +00:00