* Build a better nonce service
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add internal nonce service for testing
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add benchmarks for nonce service
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add statistics around how long tidy took
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Replace ACME nonces with shared nonce service
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add an initialize method to nonce services
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use the new initialize helper on nonce service in PKI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add additional tests for nonces
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Format sdk/helper/nonce
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use default 90s nonce expiry in PKI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove parallel test case as covered by benchmark
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add additional commentary to encrypted nonce implementation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add nonce to test_packages
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add ACME health checks to pki health-check CLI
- Verify we have the required header values listed within allowed_response_headers: 'Replay-Nonce', 'Link', 'Location'
- Make sure the local cluster config path variable contains an URL with an https scheme
* Split ACME health checks into two separate verifications
- Promote ACME usage through the enable_acme_issuance check, if ACME is disabled currently
- If ACME is enabled verify that we have a valid
'path' field within local cluster configuration as well as the proper response headers allowed.
- Factor out response header verifications into a separate check mainly to work around possible permission issues.
* Only recommend enabling ACME on mounts with intermediate issuers
* Attempt to connect to the ACME directory based on the cluster path variable
- Final health check is to attempt to connect to the ACME directory based on the cluster local 'path' value. Only if we successfully connect do we say ACME is healthy.
* Fix broken unit test
* upgrade go-jose library to v3
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
* chore: fix unnecessary import alias
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
* upgrade go-jose library to v2 in vault
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
---------
Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
* Fix race in PKI's runUnifiedTransfer
During this race, we'll sometimes start (or fail to start) an additional
unified transfer if the updated last run timestamp was written at the
same time as another thread was reading it.
Instead, delay this check until we're holding the CAS guard; this will
occasionally result in more messages saying that an existing process is
already running, but otherwise shouldn't impact the functionality at
all.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add current_billing_period activity endpoint param
This commit introduces a new parameter: `current_billing_period`, which
can be used in lieu of `start_time` and `end_time` options.
GET ... /sys/internal/counters/activity?current_billing_period=true now
results in a response which contains the full billing period
information.
* changelog
* Update internal counters docs
* added exec and env_template config/parsing
* add tests
* we can reuse ctconfig here
* do not create a non-nil map
* check defaults
* Apply suggestions from code review
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* convert to list
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* convert to list
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* sig test
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add failing example
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add test for invalid signal
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update command/agent/config/config.go
* use latest consul-template
* fix build
* fix test
* fix test fixtures
* make fmt
* test docs
* rename file
* env var -> environment variable
* default to SIGTERM
* empty line
* explicit naming
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* clean typo
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* replace $ HOME with /home/username in examples
* remove empty line
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <anton.averchenkov@hashicorp.com>
* Ensure proper error message from CA validity period
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add warning to issuance of leaf cert with basic constraints
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* refactor code focused on DevTLS mode into new function
* add tests for configureDevTLS function
* replace testcase comments with fields in testcase struct
Note the three overlapping scenarios discussed in the comments. In the
future, when this interface is more broadly supported, we should likely
add the interface directly to SystemView and implement it over the GRPC
interface, removing this nasty layering of already complex SystemView
implementations.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* VAULT-15546 First pass at Vault Proxy docs
* VAULT-15546 correct errors
* VAULT-15546 fully qualify paths
* VAULT-15546 remove index
* VAULT-15546 Some typos and clean up
* VAULT-15546 fix link
* VAULT-15546 Add redirects so old links stay working
* VAULT-15546 more explicit redirects
* VAULT-15546 typo fixes
* Suggestions for Vault Agent & Vault Proxy docs (#20612)
* Rename 'agentandproxy' to 'agent-and-proxy' for better URL
* Update the index pages for each section
* VAULT-15546 fix link typo
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* Fix tidy with maintain_stored_certificate_counts == publish_stored_certificate_count_metrics == false
The logic around the check to set both to false was wrong, and should
be validated independently.
Additionally, these fields should only exist on auto-tidy and not on the
manual tidy endpoint.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update builtin/logical/pki/path_tidy.go
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Respond with cache size on config write
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Respond with key policy on write
This includes creating a key, but also trimming or rotating an
existing key.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Correctly handle locking around policy formatting
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Validate that responses are non-empty
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* pki: add subject key identifier to read key response
This will be helpful for the Terraform Vault Provider to detect
migration of pre-1.11 exported keys (from CA generation) into post-1.11
Vault.
* add changelog
* Update builtin/logical/pki/path_fetch_keys.go
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* check for managed key first
* Validate the SKID matches on root CAs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Validate SKID matches on int CAs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix formatting of tests
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Do not set use_csr_values when issuing ACME certs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Ensure CSRs with Basic Constraints are rejected
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test to ensure CA certificates cannot be issued
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update builtin/logical/pkiext/pkiext_binary/acme_test.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update builtin/logical/pkiext/pkiext_binary/acme_test.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update acme_test.go to include certutil
* Update acme_test.go - unused imports, reformat
* Update acme_test.go - hex really was used
This is why I can't use the GH web editor. :-)
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>