Commit Graph

17155 Commits

Author SHA1 Message Date
Anton Averchenkov 3c76d90156
Small fixes for OpenAPI display attributes (#20285) 2023-04-21 17:04:12 +00:00
Alexander Scheel 3c8c46e172
Better ACME wildcard validation (#20289)
* Refactor wildcard validation checks

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add helper to determine if identifier is wildcard

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Better validate wildcard acceptance

This correctly validates wildcards to contain only a leading prefix
(*.) and must include another label, also ensuring that the remaining
domain components pass non-IP and IDNA validation, and removing them
from display on the authorization. Finally, we restrict the challenge
types available for various combinations of IP, DNS, and wildcard
addresses.

This then updates the tests to validate this as well.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 12:54:19 -04:00
Jaymala e3a39f4adc
[QT-517] Skip builds for docs PRs (#20036)
* [QT-517] Skip builds for docs changes

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* [QT-545] Enable Enos tests to also run on forked PRs

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Add comments and fix CI errors

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

---------

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2023-04-21 10:58:47 -04:00
Steven Clark 5a7173a154
Implement ACME CSR signing and certificate retrieval (#20266)
* WIP: Implement ACME CSR signing and certificate retrieval

* Add some validations within the ACME finalize API

 - Validate that the CSR we were given matches the DNS names
   and IP addresses within the order
 - Validate that the CSR does not share the same public as the
   account

* Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 09:38:06 -04:00
miagilepner 564a7227e4
VAULT-15668: fix windows issues with -dev-tls flag (#20257)
* fix -dev-tls flag on windows

* changelog

* fix only hcl config

* fix import

* fmt
2023-04-21 10:54:38 +02:00
Luis (LT) Carbonell d308c31cbf
Add Configurable LDAP Max Page Size (#19032)
* Add config flag for LDAP max page size

* Add changelog

* move changelog to correct file

* cleanup

* Default to non-paged searching for with -1

* Update website/content/api-docs/auth/ldap.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update website/content/docs/auth/ldap.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update tests

---------

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
2023-04-20 20:39:27 +00:00
Josh Black 1ae09ca6b6
OSS changes for new update-primary API endpoint (#20277)
* OSS changes for new update-primary API endpoint

* remove ENT specific piece

* remove another ENT specific field
2023-04-20 13:13:37 -07:00
Austin Gebauer eaf67b7c0e
Add OIDC provider docs for IBM ISAM (#19247)
* Add OIDC provider docs for IBM ISAM

* Add changelog, api docs and docs-nav-data

---------

Co-authored-by: Benjamin Voigt <benjamin.voigt@god.dev>
2023-04-20 11:30:59 -07:00
Alexander Scheel f0279b0d31
Move OCSP/PKI interop test to PKI engine (#20273)
This prevents SDK from having a circular import on the main Vault
package.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-20 14:57:20 +00:00
Chelsea Shaw 879844d300
UI: OIDC provider logo fix (#20263)
* glimmerize role-jwt model, update test for use new case

* Fix issue #8949

* Update test

* Add changelog
2023-04-19 14:30:18 -05:00
Nick Cabatoff 9e34c0b543
Add new method to access a client config's TLSConfig. (#20265) 2023-04-19 15:14:18 -04:00
Nick Cabatoff 21f3977639
Use a current version of etcd (#20261)
Use a current version of etcd, remove the replace hack in go.mod that was intended to be temporary.
2023-04-19 14:17:11 -04:00
Alexander Scheel 189a776307
Add warnings to crl rebuilds, allowing notifying operator of empty issuer equivalency sets (#20253)
* Add infrastructure for warnings on CRL rebuilds

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning on issuer missing KU for CRL Signing

When an entire issuer equivalency class is missing CRL signing usage
(but otherwise has key material present), we should add a warning so
operators can either correct this issuer or create an equivalent version
with KU specified.

Resolves: https://github.com/hashicorp/vault/issues/20137

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for issuer warnings

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix return order of CRL builders

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-19 16:55:37 +00:00
Hugo Puntos dae5489787
Fix link for the tutorial about Key Management Secrets Engine with GCP Cloud KMS (#19418) 2023-04-19 12:43:21 -04:00
Alexander Scheel 005d989230
Add acme challenge validation engine (#20221)
* Allow creating storageContext with timeout

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add challenge validation engine to ACME

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Initialize the ACME challenge validation engine

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Trigger challenge validation on endpoint submission

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix GetKeyThumbprint to use raw base64

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Point at localhost for testing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add cleanup of validation engine

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-19 12:31:19 -04:00
claire bontempo 5f64520dac
UI: remove references to comma separation for string array edit types (#20163)
* remove intercepting helpText

* add subtext directly to StringList input component

* update tests and add coverage for new openapi-attrs util

* update test

* add warning validation to input

* lol is this right i dont know go

* literally no idea what im doing

* add Description to display attrs struct

* update struct comment

* add descriptions to remaining go fields

* add missing comma

* remaining commas..."

* add description to display attrs

* update tests

* update tests

* add changelog;

* Update ui/app/utils/openapi-to-attrs.js

* update tests following backend changes

* clearly name variable

* format files

* no longer need to test for modified tooltip since coming from backend now
2023-04-19 16:16:30 +00:00
Chelsea Shaw d115fda4e0
UI: Remove usage of htmlSafe (#20235) 2023-04-19 15:40:33 +00:00
Jason O'Donnell b5822e612b
cli/namespace: add detailed flag to namespace list (#20243)
* cli/namespace: add detailed flag to namespace list

* changelog
2023-04-19 09:31:51 -04:00
Alexander Scheel 45acac0e64
Return OCSP errors on cert auth login failures (#20234)
* Return OCSP errors on cert auth login failures

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to immediately returning the first match

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-19 08:54:45 -04:00
Sohil Kaushal 5424eb2e8f
docs(postgresql): Update Postgresql SE API doco (#19931)
* docs(postgresql): Update Postgresql SE API doco

Update the postgresql secret engine API docs to include some "caveats"
of the pgx library. In particular, this enhances the docs to inform the
user that if any sslcreds are supplied as a part of the Database
connection string, the user/vault admin will need to ensure that the
certificates are present at those paths.

* Chore: fixup minor error with db docs

* Keep the language simple

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-04-19 00:17:44 +00:00
Yoko Hyakuna e7a43f86ba
[Docs] Mark the 'policies' parameter as deprecated for tokens (#20238)
* Mark the 'policies' parameter as deprecated

* Update website/content/partials/tokenfields.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

---------

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2023-04-18 23:55:05 +00:00
Tom Proctor f2d8762679
Docs: CSI encoding config released in v1.3.0 (#20237) 2023-04-18 23:55:25 +01:00
Nathan Handler ad1c669d4b
Fix Indentation in Kubernetes Auth Example (#20216)
In the Kubernetes Auth Code Example, the indentation for the `auth` import is off, causing it to not be indented the same amount as the previous `vault` import. This change ensures that both imports use the same indentation.
2023-04-18 15:23:25 -07:00
Yura Shutkin 7de8a3bc31
Update wrapping-unwrap.mdx (#20109)
* Update wrapping-unwrap.mdx

It is possible to unwrap data without authentication in Vault. I've added an example of a curl request.

* Add changelog record
2023-04-18 14:20:27 -07:00
claire bontempo f4928cf7cb
Run UI tests on PRs with "ui" label (#20209)
* add conditional for label

* VAULT-14643 link jira
2023-04-18 12:03:35 -07:00
mickael-hc e258df032d
Add discuss links to changelog entries for previous releases (#20195)
* Update entries for 2023-03 release

* Update entries for 2023-02 release series

* update entries for 2022-07 release series

* update links

* update links
2023-04-18 14:54:41 -04:00
Jason O'Donnell bb82c679ad
docs/debug: add example policy for debug command (#20232) 2023-04-18 14:17:19 -04:00
Rachel Culpepper 074c9a5da2
add changelog for shamir change (#19566) 2023-04-18 16:34:43 +00:00
Max Bowsher 91abc177bb
Minor follow-ups to #16865 (#20220)
* Minor follow-ups to #16865

Fix PKI issuer upgrade logic when upgrading to 1.12 or later, to
actually turn off the issuer crl-signing usage when it intended to.

Fix minor typo in docs.

* changelog
2023-04-18 07:39:05 -04:00
Robert 750bc180ab
build: try creating the go bin directory (#19862)
* Try creating the output directory to ensure it always exists

* Use GOBIN path over GOPATH/bin if it is set
2023-04-17 22:57:17 +00:00
Milena Zlaticanin 42400699c0
add missing mongodb atlas fields to the docs (#20207) 2023-04-17 14:10:07 -07:00
Jason O'Donnell 6d9180f900
sdk/ldap: update interface to use DialURL (#20200)
* sdk/ldap: update interface to use DialURL

* Fix scheme

* Fix race condition

* Add tls config dialopt
2023-04-17 16:34:10 -04:00
Alexander Scheel 13dd4c0a99
Add ACME HTTP-01 Challenge (#20141)
* Add HTTP challenge validator

This will attempt to safely validate HTTP challenges, following a
limited number of redirects and timing out after too much time has
passed.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for ValidateKeyAuthorization

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test cases for ValidateHTTP01Challenge

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add token to HTTP challenge

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-17 15:23:04 -04:00
Steven Clark 7361ce1e57
Add tests for fetching ACME authorizations and challenges (#20205)
- Add tests to validate that we can load authorizations and
   challenges from the server
2023-04-17 17:52:54 +00:00
Niranjan Shrestha adbfffc47b
Update userpass.mdx (#20121)
* Update userpass.mdx

vault write auth/userpass/users/mitchellh password=foo policies=admins
in the path "userpass" is actually a path, if custom path is defined, custom path need to used, instead of userpass.

* Add extra description

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-04-17 16:52:13 +00:00
Alexander Scheel 4190212bbb
Remove extraneous certificate from OCSP response (#20201)
* Remove extraneous certificate from OCSP response

Since the issuer used to sign the certificate also signs the OCSP
response, no additional information is added by sending the issuer again
in the certs field of the BasicOCSPResponse structure. Removing it saves
bytes and avoids confusing Go-based OCSP verifiers which cannot handle
the cert issuer being duplicated in the certs field.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-17 16:40:26 +00:00
Chelsea Shaw dfbd9091b0
UI: PKI routes extend base Route (#20179) 2023-04-17 15:58:30 +00:00
Alexander Scheel ef7dd8c1bb
Add fix for Go x/crypto/ocsp failure case (#20181)
* Add fix for Go x/crypto/ocsp failure case

When calling ocsp.ParseRequest(req, issue) with a non-nil issuer on a
ocsp request which _unknowingly_ contains an entry in the
BasicOCSPResponse's certs field, Go incorrectly assumes that the issuer
is a direct parent of the _first_ certificate in the certs field,
discarding the rest.

As documented in the Go issue, this is not a valid assumption and thus
causes OCSP verification to fail in Vault with an error like:

> bad OCSP signature: crypto/rsa: verification error

which ultimately leads to a cert auth login error of:

> no chain matching all constraints could be found for this login certificate

We address this by using the unsafe issuer=nil argument, taking on the
task of validating the OCSP response's signature as best we can in the
absence of full chain information on either side (both the trusted
certificate whose OCSP response we're verifying and the lack of any
additional certs the OCSP responder may have sent).

See also: https://github.com/golang/go/issues/59641

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test case with Vault PKI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-17 11:48:19 -04:00
Steven Clark 6211595bef
Add a helper function to build ACME API patterns (#20180)
- Add a helper function that can accept the final API path along with
   the pattern function for an ACME api definition and generate the
   various flavors for the given API
2023-04-14 18:48:33 +00:00
Steven Clark 138f36eafe
Move all ACME wrappers into a dedicated go file (#20174)
* Move all ACME wrappers into a dedicated go file

 - Make it easier to figure out where the various wrappers for
   ACME exist by locating them inside a dedicated go file instead
   of spread out across the various path_acme_xxx files.

* Add missing copyright headers to PKI files
2023-04-14 14:12:31 -04:00
Kianna 045de8a0b6
UI: VAULT-15385 VAULT-15386 VAULT-15487 Hide create role button, show mount configuration when pki not configured, update overview page so it's responsive (#20164) 2023-04-14 10:32:43 -07:00
Steven Clark d324aa0d15
Implement ACME order API (#20127)
* Implement ACME new-order API
 - This is a very rough draft for the new order ACME API

* Add ACME order list API

* Implement ACME Get order API

* Misc order related fixes

 - Filter authorizations in GetOrders for valid
 - Validate notBefore and notAfter dates make sense
 - Add <order>/cert URL path to order response if set to valid

* Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
Chris Capurso e7c0d5744b
add max_entry_size to sanitized config output (#20044)
* add max_entry_size to sanitized config output

* add changelog entry

* add test parallelism

* add inmem test case

* use named struct fields for TestSysConfigState_Sanitized cases
2023-04-14 09:52:23 -04:00
Anton Averchenkov 624acfe62a
openapi: Better comments for OperationPrefix/Verb/Suffix (#20162) 2023-04-13 18:47:14 -04:00
Jordan Reimer c36ab935c4
Clients config updates for census reporting (#20125)
* updates clients config view for census reporting

* adds changelog entry

* fixes issue with modal staying open and error not showing on clients config save failure

* adds min retention months to clients config model and form validation
2023-04-13 15:57:12 -06:00
Kyle Schochenmaier 1b4ff1b1b4
Revert changes to STS leases but keep the ttl field (#20034)
* revert STS lease changes, now create a lease for STS credentials but keep the ttl
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2023-04-13 15:02:39 -05:00
Ryan Cragun a19f7dbda5
[QT-525] enos: use spot instances for Vault targets (#20037)
The previous strategy for provisioning infrastructure targets was to use
the cheapest instances that could reliably perform as Vault cluster
nodes. With this change we introduce a new model for target node
infrastructure. We've replaced on-demand instances for a spot
fleet. While the spot price fluctuates based on dynamic pricing, 
capacity, region, instance type, and platform, cost savings for our
most common combinations range between 20-70%.

This change only includes spot fleet targets for Vault clusters.
We'll be updating our Consul backend bidding in another PR.

* Create a new `vault_cluster` module that handles installation,
  configuration, initializing, and unsealing Vault clusters.
* Create a `target_ec2_instances` module that can provision a group of
  instances on-demand.
* Create a `target_ec2_spot_fleet` module that can bid on a fleet of
  spot instances.
* Extend every Enos scenario to utilize the spot fleet target acquisition
  strategy and the `vault_cluster` module.
* Update our Enos CI modules to handle both the `aws-nuke` permissions
  and also the privileges to provision spot fleets.
* Only use us-east-1 and us-west-2 in our scenario matrices as costs are
  lower than us-west-1.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-04-13 15:44:43 -04:00
Alexander Scheel 10e02aca02
Add missing cert auth ocsp read data (#20154)
* Add missing OCSP cert auth fields

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test to ensure OCSP values are persisted

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-13 18:59:09 +00:00
Mike Palmiotto c0b8a9eddb
Add minimum_retention_months to config endpoint (#20150) 2023-04-13 18:33:23 +00:00
Scott Miller 5be4d61d13
Add documentation for cert auth OCSP checking (#18064) 2023-04-13 18:33:21 +00:00