* fix: cap token TTL at login time based on default lease TTL
* add changelog file
* patch: update warning messages to not include 'at login'
* patch: remove default lease capping and test
* update changelog
* patch: revert warning message
* hghaf099-VAULT-1303-Adding namespace in error when it is set
* casting ResponseWriter in handleMonitor to logical.NamespaceResponseWriter
* Casting ResponseWriter conditionally for http.Flusher
Adding changelog
* Improving changelog message
* Handle form validation for open api form
- Added required validator for all the default fields
* Fixed field group error and added comments
* Fixed acceptance tests
* Added changelog
* Fix validation in edit mode
- Handle read only inputs during edit mode
* Minor improvements
* Restrict validation only for userpass
* [VAULT-2825] Correctly respond with 400 rather than 500 for field validation errors
* [VAULT-2825] Add changelog entry
* [VAULT-2825] Simplify test assertion
* `vault delete` and `vault kv delete` should allow the same output options as `vault write`, as delete operations can similarly return data. This is needed if you want to use control groups with deletion.
* Update mongodb atlas plugin version
* go.mod was missing mongodbatlas plugin
* add changelog
* update build-go-dev circle ci job GOPROXY
* Revert "update build-go-dev circle ci job GOPROXY"
This reverts commit 0e6f339c779dac65ecb036735199f72d3d9e6a4a.
* ci: more complete go mod cache
* ci: doc use of go list ./... to populate mod cache
Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>
* mongo doesn't allow periods in usernames
* Update mongodb.mdx
Update template in docs
* Move replace to the end
* Adding a test for dot replacement
* Create 11872.txt
* initializing resp variable with a *logical.Response before using it to add warning for default-service or default-batch token type. Also adding guard around code that sets resp to a new logical.Response further on in the function.
* adding changelog entry
* renaming changelog file to match PR number
* add username customization for rabbitmq
* add changelog for rabbitmq
* Update builtin/logical/rabbitmq/path_config_connection.go
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* updating API docs
* moved to changelog folder
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* setup check when secret-v2 record is populated
* return network request of full paths
* modify/amend test
* remove console log
* fix test
* add changelog
* attempt to fix browserstack test issue
* remove find
* add trim
* another attempt
* agent: restart template runner on retry for unlimited retries
* template: log error message early
* template: delegate retries back to template if param is set to true
* agent: add and use the new template config stanza
* agent: fix panic, fix existing tests
* changelog: add changelog entry
* agent: add tests for exit_on_retry_failure
* agent: properly check on agent exit cases, add separate tests for missing key vs missing secrets
* agent: add note on difference between missing key vs missing secret
* docs: add docs for template_config
* Update website/content/docs/agent/template-config.mdx
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update website/content/docs/agent/template-config.mdx
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update website/content/docs/agent/template-config.mdx
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Update website/content/docs/agent/template-config.mdx
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Update website/content/docs/agent/template-config.mdx
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* docs: fix exit_on_retry_failure, fix Functionality section
* docs: update interaction title
* template: add internal note on behavior for persist case
* docs: update agent, template, and template-config docs
* docs: update agent docs on retry stanza
* Apply suggestions from code review
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Update changelog/11775.txt
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* agent/test: rename expectExit to expectExitFromError
* agent/test: add check on early exits on the happy path
* Update website/content/docs/agent/template-config.mdx
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Refactor TLS parsing
The ParsePEMBundle and ParsePKIJSON functions in the certutil package assume
both a client certificate and a custom CA are specified. Cassandra needs to
allow for either a client certificate, a custom CA, or both. This revamps the
parsing of pem_json and pem_bundle to accommodate any of these configurations.
* initial setup
* initial validation setup for empty path object.
* removal console logs
* validation on keyup for kv
* in progress
* making some progress
* more progress
* closer
* done with create page now to fix edit page that I broke
* fix secret edit display on create
* test and final touches
* cleanup mountbackendform
* cleanup
* add changelog
* address pr comments
* address styling pr comment
* Displays Auth Method description on login page
* working on auth login form
* Keeps path name as LinkTo label adds description to paths
* removes commented and unused code
* removes trailing white space
* removes prettier package
* adds test for description
* removes extra white spaces
* adds changelog file
* build out lease count (not fully working), start lease list
* build out irrevocable lease list
* bookkeeping
* test irrevocable lease counts for API/CLI
* fix listIrrevocableLeases, test listIrrevocableLeases, cleanup
* test expiration API limit
* namespace tweaks, test force flag on lease list
* integration test leases/count API, plenty of fixes and improvements
* test lease list API, fixes and improvements
* test force flag for irrevocable lease list API
* i guess this wasn't saved on the last refactor...
* fixes and improvements found during my review
* better test error msg
* Update vault/logical_system_paths.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* return warning with data if more than default leases to list without force flag
* make api doc more generalized
* list leases in general, not by mount point
* change force flag to include_large_results
* sort leases by LeaseID for consistent API response
* switch from bool flag for API limit to string value
* sort first by leaseID, then stable sort by expiration
* move some utils to be in oss and ent
* improve sort efficiency for API response
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Update cluster status partial to component
* Added changelog
* Close menu when link is clicked
* Upgraded to glimmer components
* Fixed indentations
Added back activeCluster
Updated changelog
* Styling for empty-state and splash-page
* Update shamir-flow language and trigger onError on non-400 error
* Add license terminated screen to unseal
* Add changelog
* hash tools from partial to component
* initial setup of tools random, but issue remaining with bytes
* rewrap
* unwrap
* final two partials
* fix issues with actions on tool wrap
* fix hash
* changelog
* address pr comments
* fix onClear
* trigger run
* triggering test suite
* initial setup, modify toolbar header
* footer buttons setup
* setup first delete version delete method
* clean up
* handle destroy all versions
* handle undelete
* conditional for modal and undelete
* remove delete from version area
* modelForData in permissions
* setup for soft delete and modify adapter to allow DELETE in addition to POST
* dropdown for soft delete
* stuck
* handle all soft deletes
* conditional for destroy all versions
* remove old functionality from secret-version-menu
* glimmerize secret-version-menu
* Updated secret version menu and version history
* Updated icons and columns in version history
* create new component
* clean up
* glimmerize secret delete menu
* fix undelete
* Fixed radio labels in version delete menu
* handle v1 delete
* refining
* handle errors with flash messages
* add changelog
* fix test
* add to test
* amend test
* address PR comments
* whoopies
* add urlEncoding
Co-authored-by: Arnav Palnitkar <arnav@hashicorp.com>
* feat(aws): add ability to provide a sessionName to sts credentials
Co-authored-by: Brad Vernon <bvernon@nvidia.com>
Co-authored-by: Jim Kalafut <jim@kalafut.net>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Add support for templated values in SSH CA DefaultExtensions.
* Reworking the logic per feedback, adding basic test.
* Adding test, so we cover both default extension templating & ignoring default when user-provided extensions are present.
* Fixed up an unintentional extension handling defect, added test to cover the case.
* Refactor Default Extension tests into `enabled` and `disabled`.
* initial setup
* add delay and modify message
* test
* changing to different style because unable to interrupt the yield of authentication
* cleanup
* more consistency in message placement
* fix test
* clean up test notification
* clean up
* remove click
* changelog
* Update 11442.txt
* revert changes so a message is delayed by not calling yield
* amend test
* remove padding-bottom as no longer needed with reposition of message location
* Add MySQL DB Support
* Add other versions of MySQL to database options
* Save incoming root_credentials_rotate_statements as root_rotation_statements for display
* Handle errors correctly on database connection form for edit
* Add tests for mysql database
* Add UI feature changelog
* Updated code mirror component for consistency
- Hide gutters, line number and selection while read only
- Show toolbar with copy functionality for all instances
* Moved toolbar and actions to json editor component
* Updated form-field-from-model template
* Added test for toolbar
* Add an Int64 type
* Use the new Int64 type so that even 32 bit builds can specify max_operations above 2^31
* Missed a spot
* go mod vendor
* fix cast
* changelog
* Update unit test to ensure this works on both 32 and 64-bit archs
* Update Agent Auth with GCP to use new SignJWT endpoint
* use iamcredentials name instead of renaming the package on import
* add changelog
* Update changelog/11473.txt
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* new font and add as font-family to be used in masked-input
* clean up logic
* refactor for displayOnly
* start cert masking
* work on certificates
* upload cert work
* fix global styling
* fix styling for class no longer used
* make mask by default and remove option
* glimmerize start and certificate on LDAP a file field
* glimmerize actions
* first part of glimmerizing text-file still need to do some clean up
* not doing awesome over here
* getting ready to un-glimmer
* unglimmerize
* remove placeholder based on conversations with design
* clean up text-file
* cleanup
* fix class bindings
* handle class binding
* set up for test
* fix elementId
* track down index
* update masked-input test
* add more to the masked-input test
* test-file test
* fix broken test
* clear old style
* clean up
* remove pgp key masked font, this really needs to be refactored to text-file component
* changelog
* cover other certificate view
* add allowCopy
* address some pr styling comments
* improve test coverage
* fix some issues
* add attr.options.masked
* Add support for unauthenticated pprof access on a per-listener basis, as we do for metrics.
* Add missing pprof sub-targets like 'allocs' and 'block'. Capture the goroutine subtarget a second time in text form. This is mostly a convenience, but also I think the pprof format might be a bit lossy?
* Update default form values for kv
* Group kv version option in 'Method Options' group
* Fix tests, explicitly set if select input does not have default
* Handle array of objects from adapterError.errors in MessageError component
* Add changelog
Remove template_retry config section. Add new vault.retry section which only has num_retries field; if num_retries is 0 or absent, default it to 12 for backwards compat with pre-1.7 template retrying. Setting num_retries=-1 disables retries.
Configured retries are used for both templating and api proxy, though if template requests go through proxy (currently requires persistence enabled) we'll only configure retries for the latter to avoid duplicate retrying. Though there is some duplicate retrying already because whenever the template server does a retry when not going through the proxy, the Vault client it uses allows for 2 behind-the-scenes retries for some 400/500 http error codes.
* snapshot
* basic test
* update command and add documentation
* update help text
* typo
* add changelog for lease lookup command
* run go mod vendor
* remove tabs from help output
Adds the option of a write-through cache, backed by boltdb
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <cleung2010@gmail.com>
* sketch out partial month activity log client API
* unit test partialMonthClientCount
* cleanup api
* add api doc, fix test, update api nomenclature to match existing
* cleanup
* add PR changelog file
* integration test for API
* report entities and tokens separately
* Replace deprecated terms in AWS Auth
This PR is part of an effort to remove non-inclusive language throughout
Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term
extensively, and these are the focus of the PR:
* Add new API endpoints that use the preferred terminology, while
deprecating the old endpoints. These endpoints offer identical
functionality and are basically aliases. This is the only functional
change in the PR except for terms in error messages.
* Replace "whitelist" -> "access list", "blacklist" -> "deny list" in
variable names, comments, etc.
Note that storage locations were *not* changed at this time, as that is
a more complex process involving versioning that we may tackle in a future
revision. We have reduced the occurrences of non-inclusive language,
however.
Reviewers should be sure to "Ignore Whitespace" in diffs, especially for
the tests, which were basically indented one level as part of looping
over the tests with both the old and new names.
* Update role toolbar, serialization for special mongo values
* Only show defaultShown if no value on info table row
* Remove root_rotation_statements from mongo connection fields
* Wrap this.router in try/catch if in then statement
* Add changelog
* move the ttls on enable for db to default and not as options
* refactor form field to angle brackets
* add database to supported backend
* initial setup of components and models
* setup selectable cards, need to make own component
* styling setup
* subtext and links
* number styling
* search select put in place and button, all pretty things
* search label text
* messy but closer to data configuration. making models and fetching those models on routes
* connection adapter and serializer that is pulled in by the overview route
* clean up and add new model params connections and roles to overview route hbs
* setting up overview as route with SecretHeader component. TODO, show Overview tab, but have link to route. It's going to be on the secret header list component
* setup overview tab on secret-list-header to go to overview page
* setup id in overview route
* Correct link on secrets engine list for database and others
* Roles tab on database fetches correct model
* Update options for backend with hasOverview param so overview tab is rendered conditionally on secret list header
* create new getCrendentialsComponent
* Rename database connection parent component and start working on display
* setup routing to credentials route for database from overview page
* setup network request for the credentials of role
* setup serializer for credentials
* redirect previous route
* fix border color on button disable
* add margin to back button
* change to glimmer component
* glimmerize and clean up the get-credentials-card
* Begin database connection show and create form
* add component test for the get-credentials-card
* Database connection model and field groups
* add static roles to searhSelect
* add staticRoles on overview page
* Toolbar and tabs on database connection show view looks correct
* combine static and dynamic role models for pagination
* Update database-list-item with real link to connection
* Add support for optionalText edit type on form-field
* handle situation when no static and/or dynamic roles
* turn partial into component so can handle computed and eventually click actions, similar to transform
* glimmerize database-list-item
* use lazy capabilities on list role and static-role actions
* Create connection works and redirects to show page
* creds request based on dynamic or static and unload the store by record creds when they transition away.
* dynamically add in backend for queries
* fixes on overview page for get credentials with hardcoded backend and layout for static creds
* Rotate and Reset connection actions working on connection
* get credentials set the query params
* setup async for handling permission errors on overview
* Move query logic to store for getting both types of role
* Filtering works on combined role models
* cleanup
* Fix no meta on connections list
* better handle the situation where you don't have access to list roles but do to generate
* implement updated empty state component and add to credentials page when roleType is noRoleType
* glimmerize the input search component
* move logic for generate credentials url to the generate creds component
* remove query param for role type
* handle permissions on the overview page
* permissions for role list
* New roles route for backends
* handle different permissions for empty return on 404 vs 403 on overview page
* fix links on overview page
* Connections WIP
* setup lazy caps for the connections model and list
* add computed to role and static role models to clean up permissions
* setup actions for connections list
* Update form-field to show password type and update json input to angle bracket syntax with optional theme option
* setup capabilities on overview for empty state
* fix hardcoded on the backend
* toggle inner label has width 100%
* Add custom update password togglable input on database connection edit form, and only submit defined attrs
* Add updateRecord to connection adapter
* glimmerize secret list header and make new component which either shows or does not show the tab based on permissions
* Remove tabs on show connection
* add peek record
* Update database role to get both models on a single model, remove static-role model and adapter, remove roles route
* fix creds permissions on database-list-item
* add component info and rename for secret-list-header-tab
* fix issues on overview page
* Add path to individual role on serializer
* add acceptance test for testing the engine
* fix transform test
* test fix
* Update connection before role created, disable button with tooltip if user cannot update path
* Add add-to-array and remove-from-array helpers with tests
* Clean up connection update on delete or create role, cleanup logs, role create link works
* Database role create and edit forms with readonly fields and validation. Add readonly-form-field
* Add field div around ttl picker for correct spacing on form-field
* fix the breadcrumbs
* Placeholder test for readonly form field
* create new helper to format time duration
* tooltip and formatting on static role
* more on static roles time stuff
* clean up
* clean up
* fixes on the test and addition of another helper test
* fix secrets machine test
* Add modal to connection creation flow
* fix issue with readonly form field test
* Add is-empty-object helper and tests
* Role error handling
* Remove Atlas option from connection list, add defaults to db role form
* clean up stuff though might have made it uglier
* clean up
* Add capabilities checks on connection actions
* Fix jsdocs on readonly-form-field
* Fix json editor height on form field
* Readonly form has notallowed cursor, readonly form field updates
* Add blank field rendering to info-table-row
* Start writing readonly form field tests
* Address some PR comments
* fix fallback action on search select
* cleanup per comments
* fix readonly form field test and lint
* Cleanup string helpers
* Replace renderBlank with alwaysRender logic
* re-humanize label on readonly form field
* Show defaultShown value on info-table-row if no value and always render
* Show default on role and connection show table
* Add changelog
Co-authored-by: Chelsea Shaw <chelshaw.dev@gmail.com>
* first round of fixes and setup
* test fixes
* fix dumb options on new method
* test fix
* clean up
* fixes
* clean up
* handle utc time
* add changelog
* Updates identity/group to allow updating a group by name (#10223)
* Now that lookup by name is outside handleGroupUpdateCommon, do not
use the second name lookup as the object to update.
* Added changelog.
Co-authored-by: dr-db <25711615+dr-db@users.noreply.github.com>
* pull in newest consul template with bugfix and all dependencies
* pull in newest consul template with bugfix and all dependencies
* Rename readme.md to README.md
* add changelog
* Redirect to url with namespace param if user logged into root namespace without permission
* Feature flag service for managing flags
* Redirect with namespace query param if no current namespace param AND managed root namespace set
* Test coverage for managed namespace changes
* Handle null body case on feature-flag response, add pretender route for feature-flags on shamir test
* Make the error response to the sys/internal/ui/mounts with no client token consistent
* changelog
* Don't test against an empty mount path
* One other spot
* Instead, do all token checks first and early out before even looking for the mount
* removing extra information from the returned error, to avoid leaking it to unauthenticated requests
* removing extra information from the returned error, to avoid leaking it to unauthenticated requests
* Changelog entry for #10516
* Change the error message in a way that retains the HTTP status code
* Change changelog file num
* And right back where we started...
Co-authored-by: bruj0 <ramakandra@gmail.com>
* setup for concept it works, but probably not the best solution
* add comment and remove console and test var
* use normalize path higher up to fix issue
* add test for bug that fixing
* forgot a couple of changes
* changelog