* WIP: Unset the certificate's SignatureAlgorithm to allown cross-signing of different key types
* Allow signing self issued certs with a different public key algorithm
* Remove cruft
* Remove stale import
* changelog
* eliminate errwrap
* Add a test to cover the lack of opt-in flag
* Better comment
Co-authored-by: catsby <clint@ctshryock.com>
* Enforce Minimum cache size for transit backend
* enfore minimum cache size and log a warning during backend construction
* Update documentation for transit backend cache configuration
* Added changelog
* Addressed review feedback and added unit test
* Modify code in pathCacheConfigWrite to make use of the updated cache size
* Updated code to refresh cache size on transit backend without restart
* Update code to acquire read and write locks appropriately
This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs. This is a
potentially useful stepping stone for a SHA3 transition down the line.
Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
* Fix pkcs7 parsing in some cases
brings in https://github.com/mozilla-services/pkcs7/pull/61 from upstream
In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```
This fixes logins on those instances. Note we could not readily ascertain why
some instances have those certificates and others don't.
* Add changelog entry
* Correct missed line
* Send x-forwarded-for in Okta Push Factor request
Why:
In order for Okta to properly report the location of the authentication
attempt, the X-Forwarded-For header must be included in the request to
Okta (if it exists).
This change addresses the need by:
* Duplicating the value of X-Forwarded-For if it's passed through to the
auth backend
* Add changelog entry for 12320
* update genUsername to cap STS usernames at 64 chars
* add changelog
* refactor tests into t.Run block
* patch: remove warningExpected bool and include expected string
* patch: revert sts to cap at 32 chars and add assume_role case in genUsername
* update changelog
* update genUsername to return error if username generated exceeds length limits
* update changelog
* add conditional default username template to provide custom STS usernames
* update changelog
* include test for failing STS length case
* update comments for more clarity
* Work around rabbitmq regression with UserInfo.Tags in rabbitmq 3.9: use v3.8 docker image in tests.
* Also pin cassandra docker image version to 3.11 (4.00 was making tests fail)
Unlike the other libraries that were migrated, there are no usages of
this lib in any of our plugins, and the only other known usage was in
go-kms-wrapping, which has been updated. Aliasing it like the other libs
would still keep the aws-sdk-go dep in the sdk module because of the
function signatures. So I've simply removed it entirely here.
* add ability to customize IAM usernames based on templates
* add changelog
* remove unnecessary logs
* patch: add test for readConfig
* patch: add default STS Template
* patch: remove unnecessary if cases
* patch: add regex checks in username test
* patch: update genUsername to return an error instead of warnings
* patch: separate tests for default and custom templates
* patch: return truncate warning from genUsername and trigger a 400 response on errors
* patch: truncate midString to 42 chars in default template
* docs: add new username_template field to aws docs
* fix: cap token TTL at login time based on default lease TTL
* add changelog file
* patch: update warning messages to not include 'at login'
* patch: remove default lease capping and test
* update changelog
* patch: revert warning message
* initializing resp variable with aa *logical.Response before using it to add warning for default-service or default-batch token type. Also adding guard around code that sets resp to a new logical.Response further on in the function.
* adding changelog entry
* renaming changelog file to match PR number
* add username customization for rabbitmq
* add changelog for rabbitmq
* Update builtin/logical/rabbitmq/path_config_connection.go
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* updating API docs
* moved to changelog folder
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* approle: convert Callbacks to Operations
The usage of oldstyle "Callbacks" is causing the `cannot write to readonly
storage` error message when `login` is attempted against a performance standby.
Use the newstyle "Operations" and additionally set the Forward
parameters to forward the request to the Active vault node.
* add changelog
* do not forward for alias lookahead operation
* remove forward fields and remove changelog
- Because this request is an UpdateOperation, it should have automatically been
routed to the primary/active by the router before it reaches the backend.
- changelog should not be needed as this change is only a refactor with
no user-facing behavior changes.
* feat(aws): add ability to provide a sessionName to sts credentials
Co-authored-by: Brad Vernon <bvernon@nvidia.com>
Co-authored-by: Jim Kalafut <jim@kalafut.net>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Add support for templated values in SSH CA DefaultExtensions.
* Reworking the logic per feedback, adding basic test.
* Adding test, so we cover both default extension templating & ignoring default when user-provided extensions are present.
* Fixed up an unintentional extension handling defect, added test to cover the case.
* Refactor Default Extension tests into `enabled` and `disabled`.
* Replace deprecated terms in AWS Auth
This PR is part of an effort to remove non-inclusive language throughout
Vault. The AWS Auth backend uses the "whitelist" and "blacklist" term
extensively, and these are the focus of the PR:
* Add new API endpoints that use the preferred terminology, while
deprecating the old endpoints. These endpoints offer identical
functionality and are basically aliases. This is the only functional
change in the PR except for terms in error messages.
* Replace "whitelist" -> "access list", "blacklist" -> "deny list" in
variable names, comments, etc.
Note that storage locations were *not* changed at this time, as that is
a more complex process involving versioning that we may tackle in a future
revision. We have reduced the occurrences of non-inclusive language,
however.
Reviewers should be sure to "Ignore Whitespace" in diffs, especially for
the tests, which were basically indented one level as part of looping
over the tests with both the old and new names.
* Added support for iam_tags for AWS secret roles
This change allows iam_users generated by the secrets engine
to add custom tags in the form of key-value pairs to users
that are created.
