Commit Graph

17377 Commits

Author SHA1 Message Date
Robert 2fa0953759
auth/kerberos: upgrade plugin version (#20771)
* Upgrade vault-plugin-auth-kerberos to v0.10.0
2023-05-25 17:29:42 +00:00
Robert a7054c643b
database/redis: upgrade plugin version (#20763)
* Upgrade vault-plugin-database-redis to v0.2.1
2023-05-25 17:25:18 +00:00
Raymond Ho e010999167
fix: upgrade vault-plugin-auth-cf to v0.15.0 (#20785) 2023-05-25 17:10:51 +00:00
Robert bd528daeef
database/elasticsearch: upgrade plugin version (#20767)
* Upgrade vault-plugin-database-elasticsearch to v0.13.2
2023-05-25 17:09:41 +00:00
vinay-gopalan ae2ebb1b1b
upgrade vault-plugin-auth-alicloud to v0.15.0 (#20758) 2023-05-25 09:56:48 -07:00
miagilepner 741c890ce0
VAULT-14735: write mock activity log entity files (#20702)
* support writing entities

* tests for writing entity segments
2023-05-25 18:55:55 +02:00
Raymond Ho 0d1ecfdc7d
fix: upgrade vault-plugin-secrets-terraform to v0.7.1 (#20748) 2023-05-25 16:47:08 +00:00
claire bontempo eb53284e69
UI: Transit Key TTL not initializing to toggled off (#20731)
* add test

* bug fix and tests

* add changelog
2023-05-25 16:39:48 +00:00
Robert 9c09bf1501
secrets/gcpkms: upgrade plugin version (#20784)
* Upgrade vault-plugin-secrets-gcpkms to v0.15.0
2023-05-25 16:39:00 +00:00
Yoko Hyakuna fda4a6407f
Change the codeowner for docs PRs (#20779) 2023-05-25 09:23:31 -07:00
Christopher Swenson d0c364558c
fix: upgrade vault-plugin-database-couchbase to v0.9.2 (#20764) 2023-05-25 09:17:36 -07:00
Raymond Ho 8f83bee210
fix: upgrade vault-plugin-secrets-mongodbatlas to v0.10.0 (#20742) 2023-05-25 09:13:28 -07:00
Raymond Ho 400d47d93c
fix: upgrade vault-plugin-auth-centrify to v0.15.1 (#20745) 2023-05-25 09:13:11 -07:00
Marc Boudreau 6ef35feeb9
update security-scanner version to latest to pickup changes that eliminate use of deprecated GitHub Actions commands (#20690) 2023-05-25 12:09:43 -04:00
Max Coulombe 84b63ed833
Updated the azure secrets plugin (#20777)
* updated the azure secrets plugin
2023-05-25 11:27:33 -04:00
Daniel Huckins 958ccda6b1
agent: Add implementation for injecting secrets as environment variables to vault agent cmd (#20739)
* added exec and env_template config/parsing

* add tests

* we can reuse ctconfig here

* do not create a non-nil map

* check defaults

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* first go of exec server

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* sig test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add failing example

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor for config changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test for invalid signal

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* account for auth token changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* only start the runner once we have a token

* tests in diff branch

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* fix rename

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update command/agent/exec/exec.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unnecessary lock

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor to use enum

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* dont block

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* handle default

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* make more explicit

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused file

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove test app

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update comment

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add changelog

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* new channel for exec server token

* wire to run with vault agent

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* watch for child process to exit on its own

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* block before returning

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-25 09:23:56 -04:00
Peter Wilson 9723462891
updated Leader godoc comment to give a warning on possible deadlock (#20773) 2023-05-25 12:02:39 +00:00
akshya96 38250d1917
Revert "User Lockout Perf Standby Error oss (#20766)" (#20770)
This reverts commit 7a546a96e41e24b8341bb890154c9093accb9dc9.
2023-05-24 18:55:34 -07:00
akshya96 3200310b90
User Lockout Perf Standby Error oss (#20766)
* adding changes from ent

* add changelog

* removing new line
2023-05-24 17:35:17 -07:00
Jonathan Frappier 24edfc6be4
Add additional endpoints, remove non-protected endpoints (#20669)
* Add additional endpoints, remove non-protected endpoints

* Add step-down per engineering

* Match HTTP verb to individual doc pages

* Add /sys/internal/inspect/router to table

* Apply additional suggestions

* Updates based on engineering feedback

* Adding unsaved changes
2023-05-24 17:32:53 -04:00
Angel Garbarino 4a402ca128
Address Test-ui suite failure for package install issues (#20756)
* fix

* apparently its going to take me two commits.. for one line.

* test removing the installation of the packages.

* remove browser dependencies
2023-05-24 15:24:47 -06:00
Steven Clark d2f74c3901
Address various issues related to ACME EAB (#20755)
* Fix various EAB related issues

 - List API wasn't plumbed through properly so it did not work as expected
 - Use random 32 bytes instead of an EC key for EAB key values
 - Update OpenAPI definitions

* Clean up unused EAB keys within tidy

* Move Vault EAB creation path to pki/acme/new-eab

* Update eab vault responses to match up with docs
2023-05-24 21:17:33 +00:00
Alexander Scheel f156a57325
Validate no_store=false on role configuration (#20757)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-24 21:13:28 +00:00
Daniel Huckins 2343ff04f6
agent: Add implementation for injecting secrets as environment variables (#20628)
* added exec and env_template config/parsing

* add tests

* we can reuse ctconfig here

* do not create a non-nil map

* check defaults

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* first go of exec server

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* sig test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add failing example

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor for config changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test for invalid signal

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* account for auth token changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* only start the runner once we have a token

* tests in diff branch

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* fix rename

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update command/agent/exec/exec.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unnecessary lock

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor to use enum

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* dont block

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* handle default

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* make more explicit

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused file

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove test app

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update comment

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add changelog

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* watch for child process to exit on its own

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-24 16:56:06 -04:00
Raymond Ho c921a74b56
fix: upgrade vault-plugin-secrets-openldap to v0.11.0 (#20753) 2023-05-24 13:45:24 -07:00
vinay-gopalan 1ef982849b
upgrade vault-plugin-secrets-ad to v0.16.0 (#20750) 2023-05-24 13:37:41 -07:00
Nick Cabatoff 46b0b33bda
Cluster test helper improvements (#20424) 2023-05-24 20:21:10 +00:00
Christopher Swenson 7956c382e6
fix: upgrade vault-plugin-database-redis-elasticache to v0.2.1 (#20751) 2023-05-24 20:15:53 +00:00
kpcraig 628c51516a
VAULT-12226: Add Static Roles to the AWS plugin (#20536)
Add static roles to the aws secrets engine

---------

Co-authored-by: maxcoulombe <max.coulombe@hashicorp.com>
Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-05-24 14:55:13 -04:00
John-Michael Faircloth a151ec76dd
fix: upgrade vault-plugin-auth-oci to v0.14.0 (#20743) 2023-05-24 13:00:49 -05:00
John-Michael Faircloth a123ca2b6a
fix: upgrade vault-plugin-secrets-kv to v0.15.0 (#20746) 2023-05-24 13:00:23 -05:00
Steven Clark f29fabe7c1
Enforce valid ACME accounts in challenge APIS (#20744)
- Make sure we have an ACME account in a valid state and
   enforce EAB policies on that account for the challenge
   and revocation by account ACME apis.
2023-05-24 17:28:56 +00:00
Alexander Scheel c67546511d
Move activityType to a constant, set precedence (#20738)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-24 12:29:47 -04:00
Alexander Scheel 04bb7eef15
Update transit public keys for Ed25519 support (#20727)
* Refine documentation for public_key

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Support additional key types in importing version

This originally left off the custom support for Ed25519 and RSA-PSS
formatted keys that we've added manually.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add support for Ed25519 keys

Here, we prevent importing public-key only keys with derived Ed25519
keys. Notably, we still allow import of derived Ed25519 keys via private
key method, though this is a touch weird: this private key must have
been packaged in an Ed25519 format (and parseable through Go as such),
even though it is (strictly) an HKDF key and isn't ever used for Ed25519.

Outside of this, importing non-derived Ed25519 keys works as expected.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add public-key only export method to Transit

This allows the existing endpoints to retain private-key only, including
empty strings for versions which lack private keys. On the public-key
endpoint, all versions will have key material returned.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update tests for exporting via public-key interface

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add public-key export option to docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-24 11:26:35 -04:00
Peter Wilson 8698650394
VAULT-11595: Augment forwarded requests with host:port info (from/to nodes) (Enterprise) (#20733)
* Allow audit entries to contain forwarded from host info
* adjust logical/request and audit format to use bool instead of string for 'to' host
2023-05-24 13:57:45 +01:00
Tom Proctor e41119d5f4
Docs: Updates for latest Vault CSI Provider releases (#20721) 2023-05-24 13:07:00 +01:00
Peter Wilson 21d6432ea6
Revert "Allow audit entries may contain forwarded to/from host info (#20689)" (#20732)
This reverts commit 732dda34e726859fbb24ea51a87f3a1772bf9b7a.
2023-05-24 09:44:57 +01:00
miagilepner fdecd99d26
VAULT-14735: repeated and segmented activity log clients (#20699)
* add repeated, segmented, and writing

* simplify

* pr fixes

* remove comment

* Update vault/logical_system_activity_write_testonly.go

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

---------

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2023-05-24 08:42:00 +00:00
claire bontempo 4da72c45ce
UI: pki auto-tidy views (#20685)
* UI: plumbing for pki tidy work (#20611)

* update tidy model

* Dynamic group on tidy based on version

* UI: VAULT-16261 PKI autotidy config view (#20641)

* UI: VAULT-16203 tidy status page (#20635)

* ui: pki tidy form (#20630)

* order routes to match tabs

* add tidy routes

* add tidy-status page component

* update routes rename edit to configure, remove manage

* add page component to route template

* add comment

* finish routing

* change to queryRecord, delete old tidy file

* remove findRecord

* fix serializer name

* tidy.index only needs controller empty state logic

* build form and page components

* update tidy model

* alphabetize!

* revert model changes

* finish adapter

* move form out of page folder in tests

* refactor to accommodate model changes from chelseas pr

* WIP tests

* reuse shared fields in model

* finish tests

* update model hook and breadcrumbs

* remove subtext for checkbox

* fix tests add ACME fields

* Update ui/app/adapters/pki/tidy.js

* Update ui/app/adapters/pki/tidy.js

* refactor intervalDuration using feedback suggested

* move errors to second line, inside conditional brackets

* add ternary operator to allByKey attr

* surface error message

* make polling request longer

* UI: VAULT-16368 pki tidy custom method (#20696)

* ui: adds empty state and updates modal (#20695)

* add empty state to status page

* update tidy modal

* conditionally change cancel transition route for auto tidy form

* teeny copy update

* organize tidy-status conditoionals

* a couple more template cleanups

* fix conditional, change to settings

* UI: VAULT-16367 VAULT-16378 Tidy acceptance tests + tidy toolbar cleanup (#20698)

* update copy

* move tidyRevokedCertIssuerAssociations up to applicable section

* add tidy info to readme

* update copy

* UI: Add tidy as a tab to the error route (#20723)

* small cleanup items

* fix prettier

* cancel polling when we leave tidy.index (status view)

* revert changes to declaration file

* remove space

---------

Co-authored-by: Chelsea Shaw <cshaw@hashicorp.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
2023-05-23 23:05:15 +00:00
claire bontempo 527f4fe2ba
UI: add pki cluster config parameters (#20724)
* add config directory, rename crl and urls models

* fix imports

* add cluster config fields to edit form

* reorder url save

* update tests

* add to details page

* add details test;

* fix adapter name

* fix cluster adapter test name

* combine adapter tests

* update imports

* fix git diff

* move crl and urls adapters to config folder

* add config file

* woops add config adapter

* final renaming!!

* fix imports after naming to base

* add cluster to beforeModel hook

* hide help text

* maybe you should write tests that actually pass, claire

* seriously claire its embarrassing
2023-05-23 15:24:53 -07:00
Alexander Scheel 83d32240c7
Add nonce service to sdk/helpers, use in PKI (#20688)
* Build a better nonce service

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add internal nonce service for testing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add benchmarks for nonce service

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add statistics around how long tidy took

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Replace ACME nonces with shared nonce service

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add an initialize method to nonce services

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use the new initialize helper on nonce service in PKI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add additional tests for nonces

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Format sdk/helper/nonce

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use default 90s nonce expiry in PKI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove parallel test case as covered by benchmark

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add additional commentary to encrypted nonce implementation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add nonce to test_packages

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-23 19:44:05 +00:00
Anton Averchenkov f3620b5b4f
agent: Add logic to validate env_template entries (#20569) 2023-05-23 18:37:08 +00:00
Christopher Swenson d12604eff2
fix: upgrade vault-plugin-auth-gcp to v0.16.0 (#20725) 2023-05-23 11:24:33 -07:00
miagilepner 06055fb668
VAULT-15395: Support mocking time functions in the activity log (#20720)
* mock time in the activity log

* cleanup

* fix comment

* pr fixes

* update comment to explain why new timer is needed
2023-05-23 16:25:23 +00:00
Steven Clark c8837f2010
Add ACME health checks to pki health-check CLI (#20619)
* Add ACME health checks to pki health-check CLI

 - Verify we have the required header values listed within allowed_response_headers: 'Replay-Nonce', 'Link', 'Location'
 - Make sure the local cluster config path variable contains an URL with an https scheme

* Split ACME health checks into two separate verifications

 - Promote ACME usage through the enable_acme_issuance check, if ACME is disabled currently
 - If ACME is enabled verify that we have a valid
    'path' field within local cluster configuration as well as the proper response headers allowed.
 - Factor out response header verifications into a separate check mainly to work around possible permission issues.

* Only recommend enabling ACME on mounts with intermediate issuers

* Attempt to connect to the ACME directory based on the cluster path variable

 - Final health check is to attempt to connect to the ACME directory based on the cluster local 'path' value. Only if we successfully connect do we say ACME is healthy.

* Fix broken unit test
2023-05-23 10:37:31 -04:00
Peter Wilson 5eb03f785e
Docs: audit - add warning when disabling device regarding HMAC (#20715)
* added note to warn of potential issues in disabling audit when using HMAC

* added to command docs pages too
2023-05-23 14:55:55 +01:00
Ethan Lowman 3f4dc700bd
Correct signing terminology in comments and error messages (#20714) 2023-05-23 12:44:06 +00:00
Márk Sági-Kazár 258b2ef740
Upgrade go-jose library to v3 (#20559)
* upgrade go-jose library to v3

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

* chore: fix unnecessary import alias

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

* upgrade go-jose library to v2 in vault

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

---------

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2023-05-23 12:25:58 +00:00
miagilepner bff8931640
VAULT-14735: generate mock clients for activity log (#20252)
* first part of segment client generation

* fix imports

* initial pr fixes

* refactor and fix

* update comments

* assign client type
2023-05-23 11:58:51 +02:00
claire bontempo 4f77524ad4
UI: Add PKI readme and changelog for UI improvements (#20706)
* update pki readme

* add readme

* make it fancier

* add more info

* add config improvements to entry

* move changelog info to release notes

* reword action summary

* stop yelling in bullet points

* update action
2023-05-22 21:20:13 +00:00