Commit graph

753 commits

Author SHA1 Message Date
Jason O'Donnell dd2ced661b
agent: add disable_idle_connections configurable (#15986)
* agent: add disable_keep_alives configurable

* Add empty test

* Add website doc

* Change to disable_idle_connections

* Update tests and doc

* Add note about env

* Changelog

* Change to slice

* Remove unused disable keep alive methods

* Add invalid value test
2022-06-16 18:06:22 -04:00
Violet Hynes abed5cf6e7
(OSS) Path Suffix Support for Rate Limit Quotas (#15989)
* Support for rate limit path suffix quotas

* Support for rate limit path suffix quotas

* Precedence test for support for rate limit path suffix quotas

* Update clone method

* Fix mount determination

* Add changelog

* use constant for mounts

* Fix read endpoint, and remount/disable mount

* update godocs for queryquota
2022-06-16 13:23:02 -04:00
Alexander Scheel 4e6a9741ee
Add explicit cn_validations field to PKI Roles (#15996)
* Add cn_validations PKI Role parameter

This new parameter allows disabling all validations on a common name,
enabled by default on sign-verbatim and issuer generation options.

Presently, the default behavior is to allow either an email address
(denoted with an @ in the name) or a hostname to pass validation.
Operators can restrict roles to just a single option (e.g., for email
certs, limit CNs to have strictly email addresses and not hostnames).

By setting the value to `disabled`, CNs of other formats can be accepted
without validating their contents against our minimal correctness checks
for email/hostname/wildcard that we typically apply even when broad
permissions (allow_any_name=true, enforce_hostnames=false, and
allow_wildcard_certificates=true) are granted on the role.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update PKI tests for cn_validation support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PKI API documentation on cn_validations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-16 06:53:27 -07:00
akshya96 7e313e29fd
Activity Log Filtering Limit Parameter (#16000)
* adding changes from ent branch

* adding fmt changes

* adding changelog
2022-06-15 15:41:31 -07:00
shujun10086 9f0a72ef2a
Fix keyring file missing after Vault restart (#15946) 2022-06-15 10:22:42 -07:00
Kerim Satirli c77199fe8d
updates leasId to leaseId (#15685)
* updates `leasId` to `leaseId`

* adds changelog
2022-06-13 13:17:07 -05:00
Chris Capurso 94c5936e27
return bad request instead of server error for identity group cycle detection (#15912)
* return bad request for identity group cycle detection

* add changelog entry

* use change release note instead of improvement

* fix err reference

* fix TestIdentityStore_GroupHierarchyCases
2022-06-10 10:15:31 -04:00
Alexander Scheel 6f66e5cd48
Allow reading Nomad CA/Client cert configuration (#15809)
* Allow reading Nomad CA/Client cert configuration

In the Nomad secret engine, writing to /nomad/config/access allows users
to specify a CA certificate and client credential pair. However, these
values are not in the read of the endpoint, making it hard for operators
to see if these values were specified and if they need to be rotated.

Add `ca_cert` and `client_cert` parameters to the response, eliding the
`client_key` parameter as it is more sensitive (and should most likely
be replaced at the same time as `client_cert`).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix tests to expect additional fields

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test with existing CA/client cert+key

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-10 10:09:54 -04:00
Gabriel Santos 57eeb33faa
SSH secrets engine - Enabled creation of key pairs (CA Mode) (#15561)
* Handle func

* Update - check if key_type and key_bits are allowed

* Update - fields

* Generating keys based on provided key_type and key_bits

* Returning signed key

* Refactor

* Refactor update to common logic function

* Descriptions

* Tests added

* Suggested changes and tests added and refactored

* Suggested changes and fmt run

* File refactoring

* Changelog file

* Update changelog/15561.txt

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>

* Suggested changes - consistent returns and additional info to test messages

* ssh issue key pair documentation

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
2022-06-10 09:48:19 -04:00
Dave May 0f42131350
Fix debug bundle panic on Windows (#14399)
* Fix debug bundle panic on Windows

* Add changelog entry
2022-06-09 15:57:45 -07:00
akshya96 8f115a9904
Parse ha_storage in config (#15900)
* parsing values in config ha_storage

* adding changelog

* adding test to parse storage
2022-06-09 15:55:49 -07:00
Jordan Reimer 26b8de8286
Remove deprecated core-js version from production builds (#15898)
* updates deps and build to exclude deprecated core-js version and adds eslint compatibility plugin

* removes eslint compat plugin config from eslintrc and updates browserslistrc targets

* adds changelog entry
2022-06-09 09:12:59 -06:00
Tom Proctor ae711a4c81
Add change release note for Kubernetes auth (#15891) 2022-06-09 10:07:43 +01:00
bhowe34 763f9ad732
pass context to postgres queries (#15866)
* pass context to postgres queries

* add changelog

* Update changelog/15866.txt

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
2022-06-08 17:54:19 -04:00
Hridoy Roy 934989809b
Limit SSCT WAL Check on Perf Standbys to Raft Backends Only (#15879)
* ensure that ssct wal check only occurs for non-raft storage on perf standbys

* changelog
2022-06-08 13:58:22 -07:00
Alexander Scheel dd6c339440
Add warning about EA in FIPS mode (#15858)
* Add warning about EA in FIPS mode

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-08 08:57:48 -04:00
Angel Garbarino a86644968b
Change tooltip for token_bound_certs and glimmerize string-list component (#15852)
* wip

* wip

* glimmerization done?

* fix tests

* tooltip and test

* changelog

* clean up

* cleanup

* cleanup
2022-06-07 13:15:25 -06:00
Chelsea Shaw f6841806f3
UI: Fix metadata tab not showing given policy (#15824)
* Update path that metadata tab checks capabilities against

* Add changelog

* Update test to handle this case

* Fix tests url

Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
2022-06-07 10:56:44 -05:00
Alexander Scheel ea6452757f
Add parsing for NSS-wrapped Ed25519 keys (#15742)
* Add parsing for NSS-wrapped Ed25519 keys

NSS wraps Ed25519 using the PKCS#8 standard structure. The Go standard
library as of Go 1.18.x doesn't support parsing this key type with the
OID used by NSS; it requires the 1.3.101.112/RFC 8410 format, rather
than the RFC 5915-esque structure supported here.

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add integration test with NSS-created wrapped key

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
2022-06-06 18:09:21 -04:00
Steven Clark 9a0e4a9c2b
Rename the go version changelog (#15834) 2022-06-06 16:45:12 -04:00
Steven Clark a97da32b4b
Update Go to 1.17.11 (#15818)
* Update Go to 1.17.11

 See https://go.dev/doc/devel/release#go1.17.minor for release notes
2022-06-06 13:18:24 -04:00
Alexander Scheel 54b6cb9afe
Add more documentation on changelogs (#15701)
* Add more documentation on changelogs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add description of modes
2022-06-06 10:04:48 -04:00
Chelsea Shaw 7f7ef1cfe9
UI: calendar widget fix (#15789)
* Months after current are disabled, regardless of endTimeFromResponse

* move tracked values to getters for consistency

* months for widget are calculated in getter and then rendered

* Styling for current month is mix of hover and readonly

* Fix tests

* Add changelog

* Reset display year to endTimeFromResponse on toggle calendar

* update resetDisplayYear and naming

* Add test for displayYear when opened
2022-06-03 14:22:50 -07:00
Chris Capurso 073cd369b6
bump vault-plugin-secrets-kv to v0.12.1 (#15792)
* bump vault-plugin-secrets-kv to v0.12.1

* add changelog entry
2022-06-03 16:01:35 -04:00
Violet Hynes d62b140b7c
VAULT-6371 Fix issue with lease quotas on read requests that generate leases (#15735)
* VAULT-6371 Fix issue with lease quotas on non-auth mounts

* VAULT-6371 Add changelog

* VAULT-6371 Amend changelog given new understanding
2022-06-03 15:45:21 -04:00
Kit Haines 4f532ecc4d
Support for CPS URLs in Custom Policy Identifiers. (#15751)
* Support for CPS URLs in Custom Policy Identifiers.

* go fmt

* Add Changelog

* Fix panic in test-cases.

* Update builtin/logical/pki/path_roles.go

Fix intial nil identifiers.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Make valid policy OID so don't break ASN parse in test.

* Add test cases.

* go fmt.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-06-03 14:50:46 -04:00
akshya96 fece4cf9ac
File Audit Mode 0000 bug (#15759)
* adding file mode changes

* add changelog

* adding error

* adding fmt changes
2022-06-03 09:17:41 -07:00
Chelsea Shaw c67f4927b2
Revert UI: replace localStorage with sessionStorage (#15769)
* Revert UI: replace localStorage with sessionStorage

* Add changelog
2022-06-02 15:19:57 -05:00
Christopher Swenson a49f1b9e6b
Update AWS auth method certificates (#15719)
Update AWS auth method certificates

Add tests that the `rsa2048` document can also be verified using the
`pkcs7` field for AWS auth.

Due to the use of SHA-1-based signatures for the `identity` and `pkcs7`
methods, we want to encourage moving toward using the RSA 2048 workflow,
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html

This doesn't require code changes for Vault necessarily, but adding in
the (many) certificates will help end users.

Also adds `rsa2048` option to API to fetch the RSA 2048 signature.

I will make a PR to update to the AWS auth docs to document the RSA 2048
flow soon after this.
2022-06-01 10:26:17 -07:00
linda9379 1996707b94
Removed red spellcheck underline that appears for sensitive values (#15681)
* Removed red spellcheck underline for sensitive and secret KV values

* Added changelog file

* Moved spellcheck change into masked-input component file so that spellcheck does not apply for all sensitive fields
2022-05-31 17:00:34 -04:00
Hamid Ghaf bf087f9d0d
prevent deleting MFA method through an invalid path (#15482)
* prevent deleting MFA method through an invalid path

* Adding CL
2022-05-31 14:22:04 -04:00
Nick Cabatoff 69c5e8c946
Avoid deadlocking on stateLock in emitMetrics (#15693)
When stopCh is closed we should stop trying to get the lock.
2022-05-31 12:15:39 -04:00
Violet Hynes 4aac96238c
VAULT-6131 OpenAPI schema now includes /auth/token endpoints when explicit permission has been granted (#15552)
* VAULT-6131 OpenAPI schema now includes /auth/token endpoints when explicit permission has been granted

* VAULT-6131 add changelog

* VAULT-6131 Update changelog and fix related bug
2022-05-31 11:25:27 -04:00
Theron Voran e2a15cae83
secrets/kubernetes: update to v0.1.1 (#15655) 2022-05-26 15:44:03 -07:00
Chris Capurso cdb73ab265
use provided namespace for wrapping lookup cubbyhole request (#15583)
* use provided namespace for wrapping lookup cubbyhole request

* add changelog entry
2022-05-26 15:17:29 -04:00
John-Michael Faircloth 02b1db37fd
fix: upgrade vault-plugin-database-elasticsearch to v0.11.0 (#15614)
* fix: upgrade vault-plugin-database-elasticsearch to v0.11.0

* add changelog

* Update changelog/15614.txt

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-05-26 10:20:52 -05:00
Peter Wilson b7fc4645f3
Only add distinct policies to identity group (#15638)
* Only add distinct policies to identity group
2022-05-26 13:52:19 +01:00
John-Michael Faircloth fc04699f57
Fix plugin reload mounts (#15579)
* fix plugin reload mounts

* do not require sys/ prefix

* update plugin reload docs with examples

* fix unit test credential read path

* update docs to reflect correct cli usage

* allow sys/auth/foo or auth/foo

* append trailing slash if it doesn't exist in request

* add changelog

* use correct changelog number
2022-05-25 13:37:42 -05:00
claire bontempo d4f3fba56e
UI/Fix form validation issues (#15560)
* clean up validators

* fix getter overriding user input

* add changelog

* remove asString option

* move invalid check up

* remove asString everywhere

* revert input value defaults

* undo form disabling if validation errors

* address comments

* remove or

* add validation message to form, create pseudo loading icon

* whole alert disappears with refresh

* glimmerize alert-inline

* add tests

* rename variables for consistency

* spread attributes to glimmerized component

* address comments

* add validation test
2022-05-25 11:22:36 -07:00
VAL 64448b62a4
KV helper methods for api package (#15305)
* Add Read methods for KVClient

* KV write helper

* Add changelog

* Add Delete method

* Use extractVersionMetadata inside extractDataAndVersionMetadata

* Return nil, nil for v1 writes

* Add test for extracting version metadata

* Split kv client into v1 and v2-specific clients

* Add ability to set options on Put

* Add test for KV helpers

* Add custom metadata to top level and allow for getting versions as sorted slice

* Update tests

* Separate KV v1 and v2 into different files

* Add test for GetVersionsAsList, rename Metadata key to VersionMetadata for clarity

* Move structs and godoc comments to more appropriate files

* Add more tests for extract methods

* Rework custom metadata helper to be more consistent with other helpers

* Remove KVSecret from custom metadata test now that we don't append to it as part of helper method

* Return early for readability and make test value name less confusing
2022-05-25 11:17:13 -07:00
Austin Gebauer 28b3cf6352
auth/jwt: updates plugin to v0.13.0 (#15593) 2022-05-25 11:04:32 -07:00
Theron Voran 6f1ce1c690
upgrade vault-plugin-auth-kubernetes to v0.13.0 (#15584) 2022-05-25 10:41:53 -07:00
Austin Gebauer c6b8a3be3a
auth/gcp: updates plugin to v0.13.0 (#15592) 2022-05-25 10:35:41 -07:00
Christopher Swenson 5f9386abad
Add deprecation note about X.509/SHA-1 (#15581)
Add deprecation note about X.509/SHA-1

In preparation for moving to Go 1.18 in Vault 1.12.

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-05-25 10:11:17 -07:00
linda9379 2a91a5c4e5
Remove unsupported fields for DB roles show page (#15573)
* Fixed unsupported revocation statements field display for DB roles

* Fixed linting

* Added changelog

* Fixed conditional to filter for only elasticsearch database and changed format of text in changelog

* Fixed conditional and added comment for bug fix
2022-05-25 11:28:19 -04:00
Brian Kassouf df8ae055be
Add an API for exporting activity log data (#15586)
* Add an API for exporting activity log data

* Add changelog entry

* Switch to error logs
2022-05-24 17:00:46 -07:00
Peter Wilson bcb30223bf
Added support for VAULT_PROXY_ADDR + Updated docs (#15377)
Updated documentation to describe the behavior when supplying `VAULT_HTTP_PROXY`. Also added support for `VAULT_PROXY_ADDR` as a 'better name' for `VAULT_HTTP_PROXY`.
2022-05-24 13:38:51 -04:00
davidadeleon 0026788d4b
api/monitor: Adding log format to monitor command and debug (#15536)
* Correct handling of "unspecified" log level

* Setting log-format default on monitor path

* Create changelog file

* Update website/content/api-docs/system/monitor.mdx

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
2022-05-24 13:10:53 -04:00
Jim Kalafut a3b0b60a73
postgres: replace the package lib/pq with pgx (#15343)
* WIP replacing lib/pq

* change timezome param to be URI format

* add changelog

* add changelog for redshift

* update changelog

* add test for DSN style connection string

* more parseurl and quoteidentify to sdk; include copyright and license

* call dbutil.ParseURL instead, fix import ordering

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-05-23 12:49:18 -07:00
Alexander Scheel 3166d1ff78
Allow issuer/:issuer_ref/sign-verbatim/:role, add error on missing role (#15543)
* Allow role-based sign-verbatim with chosen issuer

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning with missing requested verbatim role

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pki/backend.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-05-23 13:09:18 -04:00