Commit Graph

1740 Commits

Author SHA1 Message Date
Hamid Ghaf 22553906fb
Revert "Automatically track subloggers in allLoggers (#22038)" (#24005)
This reverts commit 4c8cc87794ed2d989f515cd30c1c1b953d092ef3.
2023-11-03 14:40:17 -07:00
hc-github-team-secure-vault-core c3ac053218
backport of commit 63ab253cb429c6fd7d7d61be6f76b25c742de7d1 (#23929)
Co-authored-by: Ellie <ellie.sterner@hashicorp.com>
2023-10-31 15:18:21 -05:00
hc-github-team-secure-vault-core bc19a6d305
api/seal-status: fix deadlock when namespace is set on seal-status calls (#23861) (#23879)
* api/seal-status: fix deadlock when namespace is set on seal-status calls

* changelog

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
2023-10-27 14:47:12 +00:00
hc-github-team-secure-vault-core 9c14ea8114
Revert "Implement user lockout log (#23140)" (#23741) (#23765)
This reverts commit 92fcfda8ad30a539be67b7fb7abff539bf93a098.

Co-authored-by: davidadeleon <56207066+davidadeleon@users.noreply.github.com>
2023-10-25 15:38:58 +00:00
hc-github-team-secure-vault-core 79441cfed7
backport of commit 7872338ec15b263cf53073e973fa92dfc5b7a506 (#23639)
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
2023-10-12 18:49:44 +00:00
davidadeleon ca247609c7
Backport of Implement user lockout log into release/1.14.x (#23630)
* Implement user lockout log (#23140)

* implement user lockout logger

* formatting

* make user lockout log interval configurable

* create func to get locked user count, and fix potential deadlock

* fix test

* fix test

* add changelog

* fix panic when unlocking unlocked user (#23611)
2023-10-12 11:24:52 -04:00
hc-github-team-secure-vault-core e5bee669e4
backport of commit d5f4243c9efe3970ccf0c6227c27bb2c03f02a31 (#23162)
Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
2023-09-19 16:03:52 +00:00
hc-github-team-secure-vault-core f8cc377db2
backport of commit 5a83838f1df3a2092119e1f7a7450795110c9e96 (#23020)
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
2023-09-13 09:50:57 -04:00
hc-github-team-secure-vault-core d019802cc0
backport of commit 3130e8ba9483e10e6191d264dc97b597462bf7c1 (#22868) 2023-09-07 20:08:01 +00:00
hc-github-team-secure-vault-core d52cf3c46d
backport of commit 4c8cc87794ed2d989f515cd30c1c1b953d092ef3 (#22247)
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2023-09-01 13:02:28 -04:00
hc-github-team-secure-vault-core cb0784b87f
Add config value that gives users options to skip calculating role for each lease (#22651) (#22730)
* Add config value that gives users options to skip calculating role for each lease

* add changelog

* change name

* add config for testing

* Update changelog/22651.txt



* update tests, docs and reorder logic in conditional

* fix comment

* update comment

* fix comment again

* Update comments and change if order

* change comment again

* add other comment

* fix tests

* add documentation

* edit docs

* Update http/util.go



* Update vault/core.go

* Update vault/core.go

* update var name

* udpate docs

* Update vault/request_handling.go



* 1 more docs change

---------

Co-authored-by: Ellie <ellie.sterner@hashicorp.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2023-09-01 08:07:47 -05:00
hc-github-team-secure-vault-core 4eb71df565
backport of commit 727c73cbd1ff3341ea7a19420f36dc8bd0dd8848 (#22684)
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
2023-08-31 13:18:25 +00:00
Tom Proctor ed25ab6cf4
Backport: Bump consul-template 0.32.0 -> 0.33.0 (#22322) (#22338)
Also adds a test to ensure the new VAULT_CACERT_BYTES functionality works.
Conflicts:
	go.mod
	go.sum
2023-08-15 14:36:26 +01:00
hc-github-team-secure-vault-core 94a3711e0f
backport of commit 7e5f2cebb787bd9045c29874b5e68c51a4fa1223 (#22274)
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2023-08-10 10:56:45 -04:00
hc-github-team-secure-vault-core 7e8c0a1cae
backport of commit 4c1a7b53d362ee733707de2fa3280596e35d7f03 (#21609)
Co-authored-by: Bianca Moreira <48203644+biazmoreira@users.noreply.github.com>
2023-07-06 12:05:43 +02:00
hc-github-team-secure-vault-core d21351f245
backport of commit 325233ea7dba833e987909b21af547d0933751e3 (#21519)
Co-authored-by: Christophe Deliens <chris@deliens.be>
2023-06-30 17:48:20 +00:00
hc-github-team-secure-vault-core 36365ed7f4
backport of commit 3a46ecc389e9096ccea6c6f847b68ada7f8068d7 (#21362)
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2023-06-21 14:01:13 +00:00
hc-github-team-secure-vault-core ee92f78611
backport of commit f12c1285599a1519273bfa68472c598b1fd635bf (#21348)
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2023-06-19 11:40:23 -04:00
hc-github-team-secure-vault-core 100f402ac8
backport of commit 3908ec9dc44352548e08f4c86f9ad76c255ce493 (#21331)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-06-16 17:33:30 -04:00
Mike Baum d323aa33df
Backport of audit file changes to release/1.14.x (#20985) 2023-06-05 11:46:59 -04:00
hc-github-team-secure-vault-core df28de636b
backport of commit 155003aa0cc054701096444b480bc7ab43d187b2 (#20973)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-06-02 21:37:06 +00:00
hc-github-team-secure-vault-core 8497f132ac
backport of commit bc9a39a2f1e657c073406b287f3f4783f967d10c (#20954)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-06-02 13:34:20 +00:00
hc-github-team-secure-vault-core 5a3f714215
backport of commit 8fe7076c02ac08e4e2e803243c2f9e4ae323ca10 (#20939)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-06-02 02:05:51 +00:00
hc-github-team-secure-vault-core 0ac7213b73
backport of commit a5a49cde3ff8445b024c9652a088c078ebdd4595 (#20949)
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-06-01 20:31:53 -04:00
hc-github-team-secure-vault-core ca57012072
backport of commit e4c19ac0af902c83e67c301b6d104d9f1a621750 (#20938)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-06-01 19:14:17 +00:00
hc-github-team-secure-vault-core 4af350762e
backport of commit 9be2903a34df94a1cd380a03f04e6b9bde9ca5a6 (#20932)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-06-01 12:01:14 -04:00
hc-github-team-secure-vault-core 94a7385904
backport of commit 360a406a2f924f0a46491a77bdd9e1fcf03b99fa (#20928)
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-06-01 14:34:52 +00:00
hc-github-team-secure-vault-core 76929df206
backport of commit 8ff31f32a525ed32273a65e6d28b88e24e9cf06e (#20895)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-06-01 00:37:32 +00:00
hc-github-team-secure-vault-core afef4629c8
backport of commit 21eccf8b8df7868c7d454f8ba42d5bec5235a69e (#20866)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-31 23:06:59 +00:00
hc-github-team-secure-vault-core 3a3e931cfd
backport of commit 7f2d3f2c5c783dfacc7bc3bb86da4008d8b61bd6 (#20860)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-31 22:38:26 +00:00
hc-github-team-secure-vault-core 5cc92a20f1
backport of commit 344ee1ec3e5721dbc64b1e0f34e08e8c5ffb3bc8 (#20865)
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-05-31 17:14:02 +00:00
hc-github-team-secure-vault-core 85dc9349cc
backport of commit fe53c4684c2c15425cda6d3d46de973d62230fe6 (#20894)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-31 16:32:17 +00:00
hc-github-team-secure-vault-core c16d572ab8
backport of commit 3b5ca69b62a3c59468754278f579610c0902fa05 (#20839)
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2023-05-30 16:41:07 +00:00
Larroyo c32032c1f8
Make transit import command work for the transform backend (#20668)
* Add import and import-version commands for the transform backend
2023-05-25 15:33:27 -05:00
Daniel Huckins 958ccda6b1
agent: Add implementation for injecting secrets as environment variables to vault agent cmd (#20739)
* added exec and env_template config/parsing

* add tests

* we can reuse ctconfig here

* do not create a non-nil map

* check defaults

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* first go of exec server

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* sig test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add failing example

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor for config changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test for invalid signal

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* account for auth token changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* only start the runner once we have a token

* tests in diff branch

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* fix rename

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update command/agent/exec/exec.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unnecessary lock

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor to use enum

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* dont block

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* handle default

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* make more explicit

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused file

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove test app

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update comment

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add changelog

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* new channel for exec server token

* wire to run with vault agent

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* watch for child process to exit on its own

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* block before returning

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-25 09:23:56 -04:00
Daniel Huckins 2343ff04f6
agent: Add implementation for injecting secrets as environment variables (#20628)
* added exec and env_template config/parsing

* add tests

* we can reuse ctconfig here

* do not create a non-nil map

* check defaults

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* first go of exec server

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* sig test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add failing example

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor for config changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test for invalid signal

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* account for auth token changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* only start the runner once we have a token

* tests in diff branch

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* fix rename

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update command/agent/exec/exec.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unnecessary lock

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor to use enum

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* dont block

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* handle default

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* make more explicit

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused file

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove test app

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update comment

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add changelog

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* watch for child process to exit on its own

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-24 16:56:06 -04:00
Anton Averchenkov f3620b5b4f
agent: Add logic to validate env_template entries (#20569) 2023-05-23 18:37:08 +00:00
Steven Clark c8837f2010
Add ACME health checks to pki health-check CLI (#20619)
* Add ACME health checks to pki health-check CLI

 - Verify we have the required header values listed within allowed_response_headers: 'Replay-Nonce', 'Link', 'Location'
 - Make sure the local cluster config path variable contains an URL with an https scheme

* Split ACME health checks into two separate verifications

 - Promote ACME usage through the enable_acme_issuance check, if ACME is disabled currently
 - If ACME is enabled verify that we have a valid
    'path' field within local cluster configuration as well as the proper response headers allowed.
 - Factor out response header verifications into a separate check mainly to work around possible permission issues.

* Only recommend enabling ACME on mounts with intermediate issuers

* Attempt to connect to the ACME directory based on the cluster path variable

 - Final health check is to attempt to connect to the ACME directory based on the cluster local 'path' value. Only if we successfully connect do we say ACME is healthy.

* Fix broken unit test
2023-05-23 10:37:31 -04:00
Márk Sági-Kazár 258b2ef740
Upgrade go-jose library to v3 (#20559)
* upgrade go-jose library to v3

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

* chore: fix unnecessary import alias

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

* upgrade go-jose library to v2 in vault

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

---------

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2023-05-23 12:25:58 +00:00
Daniel Huckins 2658dcf48d
agent: Add support for parsing env_template configuration files (#20598)
* added exec and env_template config/parsing

* add tests

* we can reuse ctconfig here

* do not create a non-nil map

* check defaults

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* sig test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add failing example

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test for invalid signal

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update command/agent/config/config.go

* use latest consul-template

* fix build

* fix test

* fix test fixtures

* make fmt

* test docs

* rename file

* env var -> environment variable

* default to SIGTERM

* empty line

* explicit naming

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* clean typo

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* replace $ HOME with /home/username in examples

* remove empty line

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <anton.averchenkov@hashicorp.com>
2023-05-19 18:11:41 -04:00
Marc Boudreau 8928b30224
Refactor Code Focused on DevTLS Mode into New Function (#20376)
* refactor code focused on DevTLS mode into new function

* add tests for configureDevTLS function

* replace testcase comments with fields in testcase struct
2023-05-19 15:45:22 -04:00
Anton Averchenkov f551f4e5ba
cli: Add 'agent generate-config' sub-command (#20530) 2023-05-19 13:42:19 -04:00
Violet Hynes 92dc054bb3
VAULT-15547 Agent/proxy decoupling, take two (#20634)
* VAULT-15547 Additional tests, refactoring, for proxy split

* VAULT-15547 Additional tests, refactoring, for proxy split

* VAULT-15547 Import reorganization

* VAULT-15547 Some missed updates for PersistConfig

* VAULT-15547 address comments

* VAULT-15547 address comments
2023-05-19 13:17:48 -04:00
miagilepner 7aa1bce6fb
VAULT-15703: Reload automated reporting (#20680)
* support config reloading for census

* changelog

* second changelog entry for license updates

* correct changelog PR
2023-05-19 14:42:50 +00:00
Nick Cabatoff 1a8d3e8948
Make -dev-three-node use perf standbys for ent binaries (#20629) 2023-05-17 18:37:44 +00:00
Violet Hynes b2468d3481
VAULT-15547 First pass at agent/proxy decoupling (#20548)
* VAULT-15547 First pass at agent/proxy decoupling

* VAULT-15547 Fix some imports

* VAULT-15547 cases instead of string.Title

* VAULT-15547 changelog

* VAULT-15547 Fix some imports

* VAULT-15547 some more dependency updates

* VAULT-15547 More dependency paths

* VAULT-15547 godocs for tests

* VAULT-15547 godocs for tests

* VAULT-15547 test package updates

* VAULT-15547 test packages

* VAULT-15547 add proxy to test packages

* VAULT-15547 gitignore

* VAULT-15547 address comments

* VAULT-15547 Some typos and small fixes
2023-05-17 09:38:34 -04:00
Jason O'Donnell 202d674682
command/server: add support to write pprof files to the filesystem via SIGUSR2 (#20609)
* core/server: add support to write pprof files to the filesystem via SIGUSR2

* changelog

* Fix filepath join

* Use core logger

* Simplify logic

* Break on error
2023-05-17 09:21:25 -04:00
Daniel Huckins 57e2657c3e
move private function to internal pkg for sharing (#20531)
* move private function to internal pkg for sharing

* rename to mc

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* rename to NewConfig

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-05-15 10:55:28 -04:00
Hamid Ghaf 3553e75335
disable printing flags warning message for the ssh command (#20502)
* disable printing flags warning message for the ssh command

* adding a test

* CL

* add go doc on the test
2023-05-08 16:15:44 +00:00
Victor Rodriguez 2656c020ae
Convert seal.Access struct into a interface (OSS) (#20510)
* Move seal barrier type field from Access to autoSeal struct.

Remove method Access.SetType(), which was only being used by a single test, and
which can use the name option of NewTestSeal() to specify the type.

* Change method signatures of Access to match those of Wrapper.

* Turn seal.Access struct into an interface.

* Tweak Access implementation.

Change `access` struct to have a field of type wrapping.Wrapper, rather than
extending it.

* Add method Seal.GetShamirWrapper().

Add method Seal.GetShamirWrapper() for use by code that need to perform
Shamir-specific operations.
2023-05-04 14:22:30 -04:00