Commit graph

221 commits

Author SHA1 Message Date
Victor Rodriguez e78cca413d
Document the managed key PKCS#11 parameter key_id. (#14476) 2022-03-14 12:08:14 -04:00
swayne275 ec4d013047
add tip for how to force a secrets engine disable (#14363)
* add tip for how to force a secrets engine disable

* add warning to force disable secrets instructions

* clean up wording

* add force secrets engine disable info to api doc

* Update website/content/api-docs/system/mounts.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/api-docs/system/mounts.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/api-docs/system/mounts.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/api-docs/system/mounts.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/api-docs/system/mounts.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/commands/secrets/disable.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/commands/secrets/disable.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* feedback updates

* impl taoism feedback

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-03-11 11:43:59 -07:00
Peter Sonnek c3dea33e92
added add_basic_constraints parameter to PKI API docs (#14457)
* added add_basic_constraints parameter to PKI API docs

Added add_basic_constraints parameter to PKI API docs for Generate Intermediate. 

Copied description from ba533d006f/builtin/logical/pki/path_intermediate.go (L34-L37)
2022-03-11 10:52:26 -05:00
naseemkullah 0667cb8b76
Update index.mdx (#14161) 2022-03-09 14:15:05 -08:00
hghaf099 b358bd6ffa
remove mount accessor from MFA config (#14406)
* remove mount accessor from MFA config

* Update login_mfa_duo_test.go

* DUO test with entity templating

* using identitytpl.PopulateString to perform templating

* minor refactoring

* fixing fmt failures in CI

* change username format to username template

* fixing username_template example
2022-03-09 09:14:30 -08:00
hghaf099 0bf9a38b36
Login MFA docs (#14317)
* MFA config docs

* correcting some issues

* feedback

* add a note about deleting methods

* Login MFA docs

* rename and mdx

* adding missing docs nav data

* some fixes

* interactive login request

* Apply suggestions from code review

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* feedback

* feedback

* Apply suggestions from code review

Co-authored-by: Pratyoy Mukhopadhyay <35388175+pmmukh@users.noreply.github.com>

* feedback on mount accessor

* Apply suggestions from code review

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Pratyoy Mukhopadhyay <35388175+pmmukh@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update login-mfa.mdx

Co-authored-by: Josh Black <raskchanky@gmail.com>
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
Co-authored-by: Pratyoy Mukhopadhyay <35388175+pmmukh@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-03-07 16:26:00 -05:00
Rachel Culpepper 8aa18a20a2
Vault-4964: Update Managed Key documentation for AWS KMS (#14378)
* Add documentation for Managed Keys

 - Add concept, sys/api and pki updates related to managed keys

* Review feedback

 - Reworked quite a bit of the existing documentation based on feedback
   and a re-reading
 - Moved the managed keys out of the concepts section and into the
   enterprise section

* Address broken links and a few grammar tweaks

* add documentation for AWS KMS managed keys

* a couple small fixes

* # Conflicts:
#	website/content/api-docs/secret/pki.mdx
#	website/content/api-docs/system/managed-keys.mdx
#	website/content/docs/enterprise/managed-keys.mdx

* docs updates

* # Conflicts:
#	sdk/version/version_base.go
#	vault/seal_autoseal_test.go
#	website/content/api-docs/system/managed-keys.mdx
#	website/content/docs/enterprise/managed-keys.mdx

* remove endpoint env var

* Document Azure Key Vault parameters for managed keys.

* docs changes for aws kms managed keys

Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
Co-authored-by: Victor Rodriguez <vrizo@hashicorp.com>
2022-03-07 14:22:42 -06:00
Josh Black cbfd2353c6
MFA docs for config endpoints (#14302) 2022-03-07 11:44:15 -08:00
Pratyoy Mukhopadhyay a85d4fe128
[VAULT-5268] Add mount move docs (#14314)
* add mount move docs

* add missed word

* Update website/content/api-docs/system/remount.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* one clarification

* docs changes from feedback

* couple things i missed

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-03-04 14:38:15 -08:00
Chris Capurso 617fbc4caf
specify LIST method in version-history API doc example (#14346) 2022-03-02 16:58:04 -05:00
Sean Ellefson 98d00d5c9d
Correcting API documentation to show status endpoints are unauthenticated (#13943) 2022-03-01 14:41:47 -08:00
tomthetommy 0b31c4a404
English Grammar. (#14247)
* English Grammar.

Simply missing a "to".

* English Grammar
2022-02-28 10:05:32 -05:00
Robert 2ea8be0567
docs: consul secret engine improvements, database secrets engine disable_escaping parameter (#14260)
* Update consul secrets engine docs and api-docs
* Update databases secrets engine docs and api-docs
2022-02-25 17:43:18 -06:00
Alexander Scheel 6d18c3adaa
Sync PKI API and FrameworkField descriptions (#14286)
As pointed out internally, a lot of the API docs and FrameworkField
descriptions of parameters were out of date. This syncs a number of
them, updating their descriptions where relevant.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-25 14:06:41 -05:00
Jim Kalafut 8347d94114
Fix missing quote in docs (#14277) 2022-02-25 09:02:08 -08:00
Jim Kalafut 75caf59093
Replace docs references to PUT with POST (#14270)
The operations are handled identically, but ~85% of the references were
POST, and having a mix of PUT and POST was a source of questions.

A subsequent commit will update the internal use of "PUT" such as by
the API client and -output-curl-string.
2022-02-25 06:52:24 -08:00
Alexander Scheel 616940ed9d
Clarify documentation around certificate issuance (#14236)
We note that:

 - allow_bare_domains, allow_glob_domains, and allow_subdomains are all
   independent,
 - enforce_hostnames and allow_wildcard_certificates take precedence over
   allow_any_name,
 - We limit to RFC 6125 wildcards.
 - Clarify that both allow_bare_domains and allow_glob_domains will permit
   wildcard issuance in certain scenarios.

Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
2022-02-24 08:42:11 -05:00
Steven Clark 69bb38450a
Add documentation for managed key test sign API (#14180)
* Add documentation for managed key test sign API

 - Add the documentation for the new managed key api that allows
   operators to test the managed key configuration by going through
   a sign/verify workflow with some randomly generated data.

* PR feedback
2022-02-23 09:14:59 -05:00
Wazery cd9ddc3d10
Fix a simple typo (#14181) 2022-02-21 21:31:33 -08:00
Alexander Scheel d72fb08884
Allow OpenSSH-style key type identifiers (#14143)
* Allow OpenSSH-style key type identifiers

To bring better parity with the changes of #14008, wherein we allowed
OpenSSH-style key identifiers during generation. When specifying a list
of allowed keys, validate against both OpenSSH-style key identifiers
and the usual simplified names as well ("rsa" or "ecdsa"). Notably, the
PKI secrets engine prefers "ec" over "ecdsa", so we permit both as well.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix missing quote in docs
2022-02-18 17:48:16 -05:00
Alexander Scheel f0dc3a553f
Switch to secure signing algorithm for SSH secrets engine (#14006)
* Explicitly call out SSH algorithm_signer default

Related: #11608

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use rsa-sha2-256 as the default SSH CA hash algo

As mentioned in the OpenSSH 8.2 release notes, OpenSSH will no longer be
accepting ssh-rsa signatures by default as these use the insecure SHA-1
algorithm.

For roles in which an explicit signature type wasn't specified, we
should change the default from SHA-1 to SHA-256 for security and
compatibility with modern OpenSSH releases.

See also: https://www.openssh.com/txt/release-8.2

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update docs mentioning new algorithm change

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix missing parenthesis, clarify new default value

* Add to side bar

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-18 10:44:01 -05:00
Calvin Leung Huang c839fc78d8
auth/ldap: add resp warning if userfilter doesn't consider userattr (#14095)
* auth/ldap: add resp warning if userfilter doesn't consider userattr

* add changelog entry
2022-02-17 17:19:44 -08:00
Alexander Scheel 45c028a2fb
Allow specifying multiple allowed SSH key lengths (#13991)
* Allow specifying multiple allowed SSH key lengths

In the ssh secrets engine, only a single allowed key length was allowed
for each algorithm type. However, many algorithms have multiple safe
values (such as RSA and ECDSA); allowing a single role to have multiple
values for a single algorithm is thus helpful.

On creation or update, roles can now specify multiple types using a list
or comma separated string of allowed values:

    allowed_user_key_lengths: map[string][]int{"rsa": []int{2048, 4096}}

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Break out ssh upgrade logic into separate function

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update parseutil for optional lists of integers

    go get -u github.com/hashicorp/go-secure-stdlib/parseutil
    go mod tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Simplify parse logic using new parseutil

The newly introduced parseutil.ParseIntSlice handles the more
complicated optional int-like slice logic for us.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-17 15:36:56 -05:00
Jordan Reimer b936db8332
Revert "MFA (#14049)" (#14135)
This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 13:17:59 -07:00
Austin Gebauer e4aab1b0cc
secrets/azure: update plugin to v0.11.4 (#14130) 2022-02-17 12:09:36 -08:00
Alexander Scheel 1996336481
Update repository links to point to main (#14112)
* Update repository links to point to main

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix broken link in relatedtools.mdx

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-02-17 14:30:56 -05:00
Jordan Reimer 36ccfaa3aa
MFA (#14049)
* adds development workflow to mirage config

* adds mirage handler and factory for mfa workflow

* adds mfa handling to auth service and cluster adapter

* moves auth success logic from form to controller

* adds mfa form component

* shows delayed auth message for all methods

* adds new code delay to mfa form

* adds error views

* fixes merge conflict

* adds integration tests for mfa-form component

* fixes auth tests

* updates mfa response handling to align with backend

* updates mfa-form to handle multiple methods and constraints

* adds noDefault arg to Select component

* updates mirage mfa handler to align with backend and adds generator for various mfa scenarios

* adds tests

* flaky test fix attempt

* reverts test fix attempt

* adds changelog entry

* updates comments for todo items

* removes faker from mfa mirage factory and handler

* adds number to word helper

* fixes tests

* Revert "Merge branch 'main' into ui/mfa"

This reverts commit 8ee6a6aaa1b6c9ec16b985c10d91c3806819ec40, reversing
changes made to 2428dd6cca07bb41cda3f453619646ca3a88bfd0.

* format-ttl helper fix from main
2022-02-17 09:10:56 -07:00
Robert 91f5069c03
secret/consul: Add Consul ACL roles support (#14014)
Co-authored-by: Brandon Ingalls <brandon@ingalls.io>
2022-02-16 19:31:08 -06:00
Matt Schultz c379e41c4c
Rename transit's auto_rotate_interval to auto_rotate_period for consistency and to achieve formatting benefits in CLI output. Update UI handling of the renamed field to account for recent data type change from time string to integral seconds. (#14103) 2022-02-16 14:33:13 -06:00
Alexander Scheel 3da261518b
Allow generation of other types of SSH CA keys (#14008)
* Add generation support for other SSH CA key types

This adds two new arguments to config/ca, mirroring the values of PKI
secrets engine but tailored towards SSH mounts. Key types are specified
as x/crypto/ssh KeyAlgo identifiers (e.g., ssh-rsa or ssh-ed25519)
and respect current defaults (ssh-rsa/4096). Key bits defaults to 0,
which for ssh-rsa then takes a value of 4096.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on key_type, key_bits for ssh/config/ca

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-15 14:14:05 -05:00
Victor Rodriguez 5ad48fc1c2
Restore tidy-status documentation. (#14075)
Restore tidy-status documentation.

Fixes VAULT-5113.
2022-02-15 11:04:21 -05:00
Victor Rodriguez 88e02feab0
Remove documentation for upcoming /pki/tidy-status endpoint. (#14044)
The documentation will be released along with the feature.
2022-02-14 15:41:50 -05:00
Chris Capurso 1b70677eba
add API docs for KVv2 subkeys endpoint (#13893)
* add API docs for KVv2 subkeys endpoint

* add changelog entry
2022-02-14 15:28:14 -05:00
Chris Capurso f9e9b4d327
Add sys/version-history endpoint and associated command (#13766)
* store version history as utc; add self-heal logic

* add sys/version-history endpoint

* change version history from GET to LIST, require auth

* add "vault version-history" CLI command

* add vault-version CLI error message for version string parsing

* adding version-history API and CLI docs

* add changelog entry

* some version-history command fixes

* remove extraneous cmd args

* fix version-history command help text

* specify in docs that endpoint was added in 1.10.0

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* enforce UTC within storeVersionTimestamp directly

* fix improper use of %w in logger.Warn

* remove extra err check and erroneous return from loadVersionTimestamps

* add >= 1.10.0 warning to version-history cmd

* move sys/version-history tests

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-02-14 15:26:57 -05:00
Ashlee M Boyer c0fe9bf14d
Adding empty lines around codeblock in Tab (#14030)
Only docs changes so I'm admin merging it.
2022-02-14 13:21:23 -05:00
Loann Le 296fee0193
changed to upper-case for integrated storage (#14037) 2022-02-14 08:38:06 -08:00
Rudy Gevaert d11bc6d316
Use secret_id_bound_cidrs instead of bound_cidr_list in approle docs (#12658)
bound_cidr_list has been deprecated since 1.2.0
2022-02-09 09:34:13 -08:00
Steven Clark 12b0e2a56b
Add documentation for Managed Keys (#13856)
* Add documentation for Managed Keys

 - Add concept, sys/api and pki updates related to managed keys

* Review feedback

 - Reworked quite a bit of the existing documentation based on feedback
   and a re-reading
 - Moved the managed keys out of the concepts section and into the
   enterprise section

* Address broken links and a few grammar tweaks
2022-02-08 14:01:19 -05:00
Alexander Scheel 33a9218115
Add full CA Chain to /pki/cert/ca_chain response (#13935)
* Include full chain in /cert/ca_chain response

This allows callers to get the full chain (including issuing
certificates) from a call to /cert/ca_chain. Previously, most endpoints
(including during issuance) do not include the root authority, requiring
an explicit call to /cert/ca to fetch. This allows full chains to be
constructed without without needing multiple calls to the API.

Resolves: #13489

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test case for full CA issuance

We test three main scenarios:

 1. A root-only CA's `/cert/ca_chain`'s `.data.ca_chain` field should
    contain only the root,
 2. An intermediate CA (with root provide) should contain both the root
    and the intermediate.
 3. An external (e.g., `/config/ca`-provided) CA with both root and
    intermediate should contain both certs.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation for new ca_chain field

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about where to find the entire chain

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-07 14:37:01 -05:00
Andrew Briening ed457aeae7
Adds "raw(/pem)" format to individual cert routes (#10947) (#10948)
Similar to "/pki/ca(/pem)" routes to retrieve
certificates in raw or pem formats, this adds
"pki/cert/{serial}/raw(/pem)" routes for any
certificate.
2022-02-07 09:47:13 -05:00
AnPucel 329342a1fa
Adding dotnet example app to docs (#13782) 2022-02-04 12:28:43 -08:00
Stefan Kalscheuer f0a8199b19
Fix documentation of "replication_performance_mode" in health API (#13529)
The field "replication_per_mode" was renamed before this feature was
released, but the docs have never been updated. Update the documentation
to present the correct name.
2022-02-04 10:05:44 -08:00
Rémi Lapeyre 2b3661b863
Document the use of inline SSL certificates for PostgreSQL (#11985)
Authored by @remilapeyre.
2022-02-04 11:48:19 -05:00
Joshua Gilman de51e14f66
Add vaultrs Rust crate to community libraries (#12402)
This change proposes adding [vaultrs](https://crates.io/crates/vaultrs) to the list of community-supported libraries. This crate has a mature base and is expected to expand to accommodate most of the API.
2022-01-28 09:02:31 -08:00
Rémi Lapeyre 961ff4a363
Return num_uses during authentication (#12791)
* Return num_uses during authentication

https://github.com/hashicorp/vault/issues/10664

* Add changelog entry
2022-01-25 18:59:53 -08:00
Rémi Lapeyre 978311fee2
Add read support to sys/auth/:path (#12793)
* Add read support to sys/auth/:path

Closes https://github.com/hashicorp/vault/issues/7411

* Add changelog entry
2022-01-25 11:56:40 -08:00
Rémi Lapeyre d6a4a3b53c
Add LIST support to sys/policies/password (#12787)
* Add read support to sys/policies/password

Closes https://github.com/hashicorp/vault/issues/12562

* Add changelog

* Empty commit to trigger CI

* Add optional /

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Use a ListOperation

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-01-24 13:42:14 -08:00
Matt Schultz fc7deabfd7
Time-based transit key autorotation (#13691)
* Add auto_rotate_interval field to transit key creation path.

* Add auto_rotate_interval field to transit key config update path.

* Implement transit automatic key rotation on an hourly interval.

* Fixes transit key autorotation key listing typo.

* Add unit tests for transit key autorotation.

* Add unit tests for transit key creation with autorotation interval.

* Add unit tests for transit key config update with autorotation interval.

* Document new auto_rotate_interval fields in key creation and key config update endpoints.

* Add changelog for transit key autorotation.

* Wrap individual transit key autorotation in a policy lock.

* Add a safeguard to transit key autorotation to ensure only one execution happens simultaneously.
2022-01-20 09:10:15 -06:00
Sung Hon Wu 194c9e32d3
Enhance sys/raw to read and write values that cannot be encoded in json (#13537) 2022-01-20 07:52:53 -05:00
James Bayer daefbd0a54
Remove extra commas (#13684)
The payload json example is invalid syntax.
2022-01-18 12:15:52 -05:00