At the level of role config it doesn't mean anything to use
default-service or default-batch; that's for mount tuning. So disallow
it in tokenutil. This also fixes the fact that the switch statement
wasn't right.
* open-api-explorer engine with embedded swagger-ui
* move swagger config to a component, rely directly on swagger-ui
* filter operations by endpoint, hook up filter to query param, add namespace handling
* fix namespace handling
* update ember-engines so that we can app.import in a lazy engine
* use engine's included hook to move swagger-ui to engine-vendor.* files
* show flash message about this being a live vault server
* show a namespace reminder and override some styles from swagger-ui
* switch filter to use includes instead of startsWith
* move flash-message to alert-banner and fix namespace reminder with a block
* adds explore web-cli command to navigate to the api-explorer engine
* allow passing a preformatted string to flash messages
* add multi-line flash-message to api explorer
* invert control and trigger events on react app so we can control the layout more and use our components
* tweak styling some more and adjust message on the flash
* change web cli command from 'explore' to 'api'
* shorten namespace warning
* fix console
* fix comments
Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters.
Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying.
Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed.
Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
* Set MaxIdleConns to reduce connection churn (postgresql physical)
* Make new "max_idle_connection" config option for physical postgresql
* Add docs for "max_idle_connections" for postgresql storage
* Add minimum version to docs for max_idle_connections
* adds allowed_roles field to identity token keys and updates tests
* removed a comment that was redundant
* allowed_roles uses role client_ids instead of role names
* renamed allowed_roles to allowed_clients
* renamed allowed_clients to allowed_clientIDs
* removes some warning messages and checks on keys when creating a role
* removes name field being set unneededly
* add menu-loader component to show menu loading button when the model relationship isPending
* list what keys we've got in api-path error
* fix spacing issue on error flash
* add an action on list-controller that bubbles to the list-route mixin to refresh the route
* empty store when creating scopes
* don't delete _requestQuery in the loop, do it after
* add scope deletion from the scope list
* add deleteRecord to kmip adapters
* add model-wrap component
* delete role from detail page and list
* add revoke credentials functionality
* fix comment
* treat all operations fields specially on kmip roles
* adjust kmip role edit form for new fields
* fix api-path test
* update document blocks for menu-loader and model-wrap components
Earlier in tokenutil's dev it seemed like there was no reason to allow
auth plugins to toggle renewability off. However, it turns out Centrify
makes use of this for sensible reasons. As a result, move the forcing-on
of renewability into tokenutil, but then allow overriding after
PopulateTokenAuth is called.
This was inspired by #7022 but has the advantage of avoiding
double-locking and needing to perform lock upgrades while also
simplifying the logic and being faster.
Original, #7022, this:

goos: linux
goarch: amd64
pkg: github.com/hashicorp/vault/builtin/audit/file
BenchmarkAuditFile_request-4 30000 60734 ns/op
PASS
ok github.com/hashicorp/vault/builtin/audit/file 2.428s

goos: linux
goarch: amd64
pkg: github.com/hashicorp/vault/builtin/audit/file
BenchmarkAuditFile_request-4 50000 34772 ns/op
PASS
ok github.com/hashicorp/vault/builtin/audit/file 2.086s

goos: linux
goarch: amd64
pkg: github.com/hashicorp/vault/builtin/audit/file
BenchmarkAuditFile_request-4 50000 25302 ns/op
PASS
ok github.com/hashicorp/vault/builtin/audit/file 1.542s

Fixes #7014
Closes #7022
* Add leeway parameters to JWT auth doc
* Clarify leeway doc
* Apply suggestions from code review
Co-Authored-By: Jim Kalafut <jim@kalafut.net>
* Add note about only being applicable to JWT
* Update for negative values