VAULT-444: Add PKI tidy-status endpoint.
Add metrics so that the PKI tidy status can be monitored using telemetry as well.
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Document allow_different_signature_algorithm param
* Flip the semantics of different key types for sign self issued
* More language tweaks
* Fix the field definition description
* Rework differenttype test for the new flag
* typo
* fix json code block in kv api docs
* add custom_metadata to GET, PUT, PATCH in kv api docs
* add custom_metadata to get, put, and patch in kv CLI docs
* add data patch section to kv-v2 api docs
* fix trucated output for kv put command with cas cmd in kv-v2 docs
* wip vault kv patch CLI docs
* add new flags to 'vault kv patch' CLI command docs
* fix cas_required formatting
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* fix cas formatting
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* additional format fixes
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Let allowed_users template mix templated and non-templated parts (#10388)
* Add documentation
* Change test function names
* Add documentation
* Add changelog entry
* Update website docs regarding ssh role allowed_extensions parameter
- Add note within the upgrading to 1.9.0 about behaviour change
- Prefix the important note block within the main documentation about
signed ssh certificates that it applies pre-vault 1.9
- Update api docs for the allowed_extensions parameter within the ssh
role parameter.
* Apply suggestions from code review
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* removed unpublished:true for sys/internal/* endpoints
* added changelog file
* updated change log and added placeholder summary as these endpoints are not mentioned in docs.
* added documentation for internal/ui/namspaces and resultant-acl
* updated log configs
* update azure instructions
Update instructions in regards to azure AD Authentication and OIDC
* Initial pass of ed25519
* Fix typos on marshal function
* test wip
* typo
* fix tests
* missef changelog
* fix mismatch between signature and algo
* added test coverage for ed25519
* remove pkcs1 since does not exist for ed25519
* add ed25519 support to getsigner
* pull request feedback
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
* typo on key
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
* cast mistake
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
- When two entities are merged, remove the from entity ID in any
associated groups.
- When two entities are merged, also merge their associated group
memberships.
Fixes#10084
* fix: upgrade vault-plugin-auth-kubernetes
- brings in the alias_name_source feature which allows for setting
alternate alias names based on the service accounts's namespace and
name
- document the seurity related aspects for the feature addition above.
* [VAULT-3519] Return no_default_policy on token role read if set
* [VAULT-3519] Add changelog
* [VAULT-3519] Always return token_no_default_policy on role read
* Fix broken test
* Update role read response in docs
* Add allowed_policies_glob and disallowed_policies_glob that are the same as allowed_policies and disallowed_policies but allow glob matching.
* Update changelog, docs, tests, and comments for (dis)allowed_token_glob token role feature.
* Improve docs and unit tests for auth/token role policy globbing.
* Enforce Minimum cache size for transit backend
* enfore minimum cache size and log a warning during backend construction
* Update documentation for transit backend cache configuration
* Added changelog
* Addressed review feedback and added unit test
* Modify code in pathCacheConfigWrite to make use of the updated cache size
* Updated code to refresh cache size on transit backend without restart
* Update code to acquire read and write locks appropriately
* add custom-metdata flag to "kv metadata put" command
* add kv metadata put command test for custom-metadata flag
* add custom_metadata to kv-v2 api docs
* add custom_metadata to kv-v2 cli docs
* update go.mod
* Add custom metadata limits to docs
* add changelog entry
* update vault-plugin-secrets-kv to @master
* VAULT-2285 adding capability to accept comma separated entries for auth enable/tune
* Adding changelog
* Adding logic to detect invalid input parameter for auth enable config
* Updating tune.mdx
* Updating secret enable/tune for comma separated parameters
* Adding further parameter checks for auth/secret tests
Fixing changelog
using builtin type for a switch statement
Fixing a possible panic scenario
* Changing a function name, using deep.Equal instead of what reflect package provides
* Fixing auth/secret enable/tune mdx files
* One more mdx file fix
* Only when users provide a single comma separated string in a curl command, split the entries by commas
* Fixing API docs for auth/mount enable/tune for comma separated entries
* updating docs, removing an unnecessary switch case
* Document timeout setting for raft snapshots
We don't usually put this kind of information in the documentation, but
we are aware that snapshots can be slow and I could see this message
saving someone a lot of time. Open to closing this PR though if we
definitely don't want this kind of documentation.
* Fixing link
* add ability to customize IAM usernames based on templates
* add changelog
* remove unnecessary logs
* patch: add test for readConfig
* patch: add default STS Template
* patch: remove unnecessary if cases
* patch: add regex checks in username test
* patch: update genUsername to return an error instead of warnings
* patch: separate tests for default and custom templates
* patch: return truncate warning from genUsername and trigger a 400 response on errors
* patch: truncate midString to 42 chars in default template
* docs: add new username_template field to aws docs
* mongo doesnt allow periods in usernames
* Update mongodb.mdx
Update template in docs
* Move replace to the end
* Adding a test for dot replacement
* Create 11872.txt
* add username customization for rabbitmq
* add changelog for rabbitmq
* Update builtin/logical/rabbitmq/path_config_connection.go
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* updating API docs
* moved to changelog folder
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Refactor TLS parsing
The ParsePEMBundle and ParsePKIJSON functions in the certutil package assumes
both a client certificate and a custom CA are specified. Cassandra needs to
allow for either a client certificate, a custom CA, or both. This revamps the
parsing of pem_json and pem_bundle to accomodate for any of these configurations
* build out lease count (not fully working), start lease list
* build out irrevocable lease list
* bookkeeping
* test irrevocable lease counts for API/CLI
* fix listIrrevocableLeases, test listIrrevocableLeases, cleanup
* test expiration API limit
* namespace tweaks, test force flag on lease list
* integration test leases/count API, plenty of fixes and improvements
* test lease list API, fixes and improvements
* test force flag for irrevocable lease list API
* i guess this wasn't saved on the last refactor...
* fixes and improvements found during my review
* better test error msg
* Update vault/logical_system_paths.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* return warning with data if more than default leases to list without force flag
* make api doc more generalized
* list leases in general, not by mount point
* change force flag to include_large_results
* sort leases by LeaseID for consistent API response
* switch from bool flag for API limit to string value
* sort first by leaseID, then stable sort by expiration
* move some utils to be in oss and ent
* improve sort efficiency for API response
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* feat(aws): add ability to provide a sessionName to sts credentials
Co-authored-by: Brad Vernon <bvernon@nvidia.com>
Co-authored-by: Jim Kalafut <jim@kalafut.net>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>