Commit Graph

16705 Commits

Author SHA1 Message Date
Alexander Scheel 9130a786bb
Document pki cross cluster behavior (#19031)
* Add documentation on cross-cluster CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing revocation queue safety buffer

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-07 11:11:33 -05:00
Angel Garbarino 4e160284b3
Add updateRecord to role adapter (#18993)
* add updateRecord to role adapter to correctly handle the query when the the is not new.

* wip

* update and cancel test

* clean up

* wip

* final

* clean up

* split test in two

* clean up
2023-02-07 08:53:40 -07:00
kpcraig 5d1869d6fe
fix: upgrade vault-plugin-database-snowflake to v0.7.0 (#18985) 2023-02-07 10:24:46 -05:00
Max Winslow 54a4b9c4d3
docs: Typo (#18541) 2023-02-07 11:35:41 +00:00
miagilepner c49d180bc8
VAULT-13169 Require go docs for all new test functions (#18971)
* example for checking go doc tests

* add analyzer test and action

* get metadata step

* install revgrep

* fix for ci

* add revgrep to go.mod

* clarify how analysistest works
2023-02-07 10:41:04 +01:00
Bryce Kalow f33e779d5d
update learn links to point to developer locations (#19026) 2023-02-06 20:34:51 -08:00
Scott Miller 78aaa3ca92
Add a note that multi-cluster ENT setups can avoid this risk (#19024)
* wip

* all-seals

* typo

* add note about unreplicated items

* italics

* word-smithing
2023-02-06 19:25:14 -06:00
John-Michael Faircloth d0bf019be5
fix: upgrade vault-plugin-secrets-mongodbatlas to v0.9.0 (#19012) 2023-02-06 16:54:18 -06:00
Scott Miller acee981753
Remove accidental addition of a hackweek file (#19016) 2023-02-06 16:45:55 -06:00
Theron Voran 4278ed606c
docs/vault-k8s: 1.2.0 release updates (#19010) 2023-02-06 22:35:12 +00:00
Scott Miller b43e4fbd9c
Add a stronger warning about the usage of recovery keys (#19011)
* Add a stronger warning about the usage of recovery keys

* Update website/content/docs/concepts/seal.mdx

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* Keep the mitigation text in the warning box

---------

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2023-02-06 16:23:05 -06:00
John-Michael Faircloth aacaddc3c4
fix: upgrade vault-plugin-auth-alicloud to v0.14.0 (#19005)
* fix: upgrade vault-plugin-auth-alicloud to v0.14.0

* add changelog
2023-02-06 16:15:26 -06:00
Mike Baum 225fbb78d2
[QT-304] Ensure Chrome is only installed for vault-enterprise UI Test workflows (#19003) 2023-02-06 16:29:33 -05:00
Kyle Schochenmaier e5af4d34c1
update annotation docs for agent telemetry stanza (#18681)
* update annotation docs for telemetry stanza
Co-authored-by: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com>
2023-02-06 13:47:50 -06:00
Kianna 809757ac69
VAULT-13192 only validate form on submit instead of onChange (#19004) 2023-02-06 10:10:23 -08:00
miagilepner e873932bce
VAULT-8436 remove <-time.After statements in for loops (#18818)
* replace time.After with ticker in loops

* add semgrep rule

* update to use timers

* remove stop
2023-02-06 17:49:01 +01:00
Nick Cabatoff 53afd2627b
Make API not depend on SDK (#18962) 2023-02-06 09:41:56 -05:00
miagilepner 9d09dba7ac
VAULT-13061: Fix mount path discrepancy in activity log (#18916)
* use single function to convert mount accessor to mount path

* add changelog

* more context and comments for the tests
2023-02-06 10:26:32 +01:00
Matt Schultz 6bfebc3ce3
Transit Managed Keys Documentation (#18994)
* Document 'managed_key' key type for transit. Document new 'usages' parameter when creating a managed key in the system backend.

* Document new managed key parameters for transit managed key rotation.
2023-02-03 18:49:02 -06:00
Ben Ash e87e4f01d7
fix: upgrade vault-plugin-database-couchbase to v0.9.0 (#18999) 2023-02-03 23:17:44 +00:00
Jordan Reimer 9dc187ef5b
removes hardcoded pki mount path conditional (#18998) 2023-02-03 15:49:46 -07:00
John-Michael Faircloth 14e4d67026
test/plugin: refactor compilePlugin for reuse (#18952)
* test/plugin: refactor compilePlugin for reuse

- move compilePlugin to helper package
- make NewTestCluster use compilePlugin

* do not overwrite plugin directory in CoreConfig if set

* fix getting plugin directory path for go build
2023-02-03 16:27:11 -06:00
Alexander Scheel 660979d58b
Document Cross-Cluster CRLs/OCSP for Vault Enterprise (#18970)
* Add documentation on fetching unified CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on unified OCSP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify that OCSP requests need to be URL encoded

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Document new CRL config parameters

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify notes about cross-cluster options

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-02-03 16:30:23 -05:00
Christopher Swenson 5864075c30
Add events sending routed from plugins (#18834)
This isn't perfect for sure, but it's solidifying and becoming a useful
base to work off.

This routes events sent from auth and secrets plugins to the main
`EventBus` in the Vault Core. Events sent from plugins are automatically
tagged with the namespace and plugin information associated with them.
2023-02-03 13:24:16 -08:00
Christopher Swenson dfdeca7b5d
docs: Remove XKS proxy TLS setup note (#18988)
The TLS settings should not need to be modified as xks-proxy should
generate the certificate and key itself for listening.
2023-02-03 13:22:04 -08:00
claire bontempo 4426372f27
UI: add issuerRef getter in case issuer is nameless (#18968)
* add issuerRef getter in case issuer is nameless

* declare as getter

* remove changes to test, oops!
2023-02-03 13:07:59 -08:00
Alexander Scheel cb2f6ff7fe
Add docs on cross-cluster listing endpoints (#18987)
* Add docs on cross-cluster listing endpoints

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update website/content/api-docs/secret/pki.mdx

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-02-03 20:01:10 +00:00
Alexander Scheel 8b331fa769
Add notes on cross cluster CRLs (#18986)
* Group CRL related sections

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix casing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add notes about cluster size and revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Apply suggestions from code review

Thanks Yoko!

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-02-03 19:51:30 +00:00
Steven Clark 9e9d5d5645
Use the unified CRL on local CRL paths if UnifiedCRLOnExistingPaths is set (#18989)
* Use the unified CRL on legacy CRL paths if UnifiedCRLOnExistingPaths is set

 - If the crl configuration option unified_crl_on_existing_paths is set
   to true along with the unified_crl feature, provide the unified crl
   on the existing CRL paths.
 - Added some test helpers to help debugging, they are being used by
   the ENT test that validates this feature.

* Rename method to shouldLocalPathsUseUnified
2023-02-03 14:38:36 -05:00
Alexander Scheel fcb24ad8bc
Add support for missing attributes in PKI UI (#18953)
* Add additional OIDs for extKeyUsage

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow ignoring AIA info on issuers

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Tell users which extension OIDs are not allowed

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add commentary on cross-signing failure modes

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add parsing of keyUsage

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove ext_key_usage parsing - doesn't exist on API

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add support for parsing ip_sans attribute

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use Uint8Array directly for key_usage parsing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add error on unknown key usage values

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix typing of IPv6 SANs, verficiation of keyUsages

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly format ip addresses

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* add ip_sans to details page

* fix typo

* update tests

* alphabetize attrs

* hold off on ip compression

* rename model attrs

* parse other_names

* is that illegal

* add parenthesis to labels

* update tests to account for other_sans

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: clairebontempo@gmail.com <clairebontempo@gmail.com>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
2023-02-03 11:36:02 -08:00
Alexander Scheel 1a2eef482d
Add docs on cross cluster tidy operations (#18979)
* List tidy parameters in one place

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new tidy status outputs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on new tidy parameters

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-03 14:27:18 -05:00
Kianna 98c521c12c
UI: VAULT-13136 Update textfile to use native ember Textarea (#18990)
* VAULT-13136 Update use native ember Textarea instead of html textarea to avoid bugs!

* Add on change to Textarea

* Change back to on input
2023-02-03 11:10:32 -08:00
Rowan Smith 6c53845db9
docs allow_forwarding_via_token syntax update (#18956)
* allow_forwarding_via_token syntax update

the example syntax used for `allow_forwarding_via_token` marks the option as an array when it does not need to be, this updates the format on the page to be a code block and removes the square braces

* another update to `allow_forwarding_via_token` syntax
2023-02-03 10:58:19 -08:00
Jordan Reimer 8edfb21521
OpenAPI attributes not populating on pki/role model (#18980)
* fixes issue populating pki/role model with openAPI attributes

* adds missing service injections formerly inherited from parent class
2023-02-03 11:42:41 -07:00
Sascha Marcel Schmidt 544f07de66
docs: Change default value for ha_enabled to false (#18983)
see: https://github.com/hashicorp/vault/blob/main/physical/mysql/mysql.go#L132
2023-02-03 18:20:14 +00:00
Nick Cabatoff 4934b87038
Move to Go 1.20. (#18981) 2023-02-03 12:26:25 -05:00
Alexander Scheel b69055175a
Use UTC for leaf exceeding CA's notAfter (#18984)
* Use UTC for leaf exceeding CA's notAfter

When generating a leaf which exceeds the CA's validity period, Vault's
error message was confusing as the leaf would use the server's time
zone, but the CA's notAfter date would use UTC. This could cause
user confusion as the leaf's expiry might look before the latter, due
to using different time zones. E.g.:

> cannot satisfy request, as TTL would result in notAfter
> 2023-03-06T16:41:09.757694-08:00 that is beyond the expiration of
> the CA certificate at 2023-03-07T00:29:52Z

Consistently use UTC for this instead.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-03 17:00:42 +00:00
Angel Garbarino d02688fac0
revert to no margin as was before (#18967) 2023-02-03 09:04:14 -07:00
Mike Baum 3131c48501
[QT-304] Add enos ui scenario (#18518)
* Add enos ui scenario
* Add github action for running the UI scenario
2023-02-03 09:55:06 -05:00
Chris Capurso c74c057bdb
fix sys/leases panic when lease_id is nil (#18951)
* fix sys/leases panic when lease_id is nil

* add changelog entry
2023-02-03 09:51:10 -05:00
Kianna 10dd6614fe
VAULT-7254 beta pki modal bugfix (#18964)
* VAULT-7254 beta pki modal bugfix

* Add dyanmic segment value
2023-02-02 14:08:03 -08:00
Angel Garbarino 0249f6e240
prepend vault to model docLinks (#18965) 2023-02-02 14:17:13 -07:00
Anton Averchenkov 619f5b2edf
openapi: Ensure mount_path parameters are marked as required (#18955) 2023-02-02 14:39:09 -05:00
Kianna dd43deaf91
UI: VAULT-13044 pki cleanup attributes (#18954)
* Update form model attributes to be stringArray

* Update pki certificate sign to be string

* Update organization, ou, name to stringArray

* More organization, ou update to stringArray

* VAULT-13123 Update missing field attributes in create/role

* Fix formatting

* Revert "VAULT-13123 Update missing field attributes in create/role"

This reverts commit 6da5cb508588488789dc6cde412880e45425cce4.

* Fix failing test

* Add string array for SAN

* Update pki issuer uriSAN label
2023-02-02 09:23:15 -08:00
Chris Capurso 53390eaddf
Add ClusteName to GetClusterStatus response (#18950)
* bump github.com/hashicorp/vault/vault/hcp_link/proto

* add ClusterName to GetClusterStatus response
2023-02-02 09:27:55 -05:00
Steven Clark 449a0a68f5
Fix race accessing b.crls within cert auth (#18945)
* Fix race accessing b.crls within cert auth

 - Discovered by CircleCI the pathLogin, pathLoginRenew paths access
   and reloads the b.crls member variable without a lock.
 - Also discovered that pathLoginResolveRole never populated an empty
   b.crls before usage within b.verifyCredentials

* Add cl

* Misc cleanup

 - Introduce a login path wrapper instead of repeating in all the
   various login methods the crl reloading
 - Cleanup updatedConfig, never returned an error and nothing looked at
   the error returned
 - Make the test within TestCRLFetch a little less timing sensitive as
   I was able to trigger a failure due to my machine taking more than
   150ms to load the new CRL
2023-02-01 16:23:06 -05:00
Chris Capurso c8660ca2ea
add ClusterName to meta GetClusterStatusResponse (#18944)
* add ClusterName to meta GetClusterStatusResponse

* make proto
2023-02-01 15:15:04 -05:00
Scott Miller 20551261bd
Revert #18683 (#18942)
* Revert "Don't execute the seal recovery tests on ENT. (#18841)"

This reverts commit 990d3bacc203c229d0f6729929d7562e678a1ac2.

* Revert "Add the ability to unseal using recovery keys via an explicit seal option. (#18683)"

This reverts commit 2ffe49aab0fc1a527c5182637c8fa3ac39b08d45.
2023-02-01 13:34:53 -06:00
Austin Gebauer e165697ce7
secrets/azure: changes permission recommendation to be minimally permissive (#18937) 2023-02-01 11:07:57 -08:00
Violet Hynes 0bb5cdbe75
VAULT-13056 fix leasecache usage, add test coverage (#18922)
* VAULT-13056 fix leasecache usage, add test coverage

* VAULT-13056 remove deprecated ioutil functions

* VAULT-13056 some test clean-up

* VAULT-13056 re-add environment variable thing

* VAULT-13056 add comment for clarity
2023-02-01 11:40:20 -05:00