* added in the missing test cases to validate response structures
* added changelog file
* remove unneeded changelog file
* removed comment to update when identity/entity is implemented
---------
Co-authored-by: lursu <leland.ursu@hashicorp.com>
* test/plugin: test external db plugin
* use test helper to get cluster and plugins
* create test helper to create a vault admin user
* add step to revoke lease
* make tests parallel and add reload test
* use more descriptive name for test group; check response
* Revert "Don't execute the seal recovery tests on ENT. (#18841)"
This reverts commit 990d3bacc203c229d0f6729929d7562e678a1ac2.
* Revert "Add the ability to unseal using recovery keys via an explicit seal option. (#18683)"
This reverts commit 2ffe49aab0fc1a527c5182637c8fa3ac39b08d45.
* Move some test helper stuff from the vault package to a new helper/testhelpers/corehelpers package. Consolidate on a single "noop audit" implementation.
* wip
* wip
* Got it 'working', but not happy about cleanliness yet
* Switch to a dedicated defaultSeal with recovery keys
This is simpler than trying to hijack SealAccess as before. Instead, if the operator
has requested recovery unseal mode (via a flag in the seal stanza), we new up a shamir
seal with the recovery unseal key path instead of the auto seal. Then everything proceeds
as if you had a shamir seal to begin with.
* Handle recovery rekeying
* changelog
* Revert go.mod redirect
* revert multi-blob info
* Dumb nil unmarshal target
* More comments
* Update vault/seal.go
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Update changelog/18683.txt
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* pr feedback
* Fix recovery rekey, which needs to fetch root keys and restore them under the new recovery split
* Better comment on recovery seal during adjustSealMigration
* Make it possible to migrate from an auto-seal in recovery mode to shamir
* Fix sealMigrated to account for a recovery seal
* comments
* Update changelog/18683.txt
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Address PR feedback
* Refactor duplicated migration code into helpers, using UnsealRecoveryKey/RecoveryKey where appropriate
* Don't shortcut the rest of seal migration
* get rid of redundant transit server cleanup
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* named MFA method configurations
* fix a test
* CL
* fix an issue with same config name different ID and add a test
* feedback
* feedback on test
* consistent use of passcode for all MFA methods (#18611)
* make use of passcode factor consistent for all MFA types
* improved type for MFA factors
* add method name to login CLI
* minor refactoring
* only accept MFA method name with its namespace path in the login request MFA header
* fix a bug
* fixing an ErrorOrNil return value
* more informative error message
* Apply suggestions from code review
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* feedback
* test refactor a bit
* adding godoc for a test
* feedback
* remove sanitize method name
* guard a possible nil ref
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* code changes for unlock
* add test
* adding sys help
* adding sys help
* updating unlock user function
* edit test
* add changelog
* syshelp
* adding open api response definition
* removing response fields
* change path name
* add Link config, init, and capabilities
* add node status proto
* bump protoc version to 3.21.9
* make proto
* adding link tests
* remove wrapped link
* add changelog entry
* update changelog entry
Move version out of SDK. For now it's a copy rather than move: the part not addressed by this change is sdk/helper/useragent.String, which we'll want to remove in favour of PluginString. That will have to wait until we've removed uses of useragent.String from all builtins.
* adding oss file changes
* check disabled and read values from config
* isUserLocked, getUserLockout Configurations, check user lock before login and return error
* remove stale entry from storage during read
* added failed login process workflow
* success workflow updated
* user lockouts external tests
* changing update to support delete
* provide access to alias look ahead function
* adding path alias lookahead
* adding tests
* added changelog
* added comments
* adding changes from ent branch
* adding lock to UpdateUserFailedLoginInfo
* fix return default bug
Create global quotas of each type in every NewTestCluster. Also switch some key locks to use DeadlockMutex to make it easier to discover deadlocks in testing.
NewTestCluster also now starts the cluster, and the Start method becomes a no-op. Unless SkipInit is provided, we also wait for a node to become active, eliminating the need for WaitForActiveNode. This was needed because otherwise we can't safely make the quota api call. We can't do it in Start because Start doesn't return an error, and I didn't want to begin storing the testing object T inside TestCluster just so we could call t.Fatal inside Start.
The last change here was to address the problem of how to skip setting up quotas when creating a cluster with a nonstandard handler that might not even implement the quotas endpoint. The challenge is that because we were taking a func pointer to generate the real handler func, we didn't have any way to compare that func pointer to the standard handler-generating func http.Handler without creating a circular dependency between packages vault and http. The solution was to pass a method instead of an anonymous func pointer so that we can do reflection on it.
* Store login MFA secret with tokenhelper
* Clean up and refactor tokenhelper paths
* Refactor totp test code for re-use
* Add login MFA command tests
* Use longer sleep times and sha512 for totp test
* Add changelog
* VAULT-8719 Support data array for alias clash error response so UI can understand error
* VAULT-8719 Changelog
* VAULT-8719 Update alias mount update logic
* VAULT-8719 Further restrict IsError()
Factored out some plugin related tests into their own test package, and added a bunch of parallelism. Moved some non-plugin tests that were in logical_system_integ_test into another file (keeping them in vault package) just for cohesion.
OSS parts of ent PR #3172: assume nodes we haven't received heartbeats from are running the same version as we are. Failing to provide a version/upgrade_version will result in Autopilot (on ent) demoting those unversioned nodes to non-voters until we receive a heartbeat from them.
* VAULT-6433 Add namespace_path to MFA endpoints
* VAULT-6433 add changelog
* VAULT-6433 Return error in case of error
* VAULT-6433 Make logic a bit more concise
* OSS portion of wrapper-v2
* Prefetch barrier type to avoid encountering an error in the simple BarrierType() getter
* Rename the OveriddenType to WrapperType and use it for the barrier type prefetch
* Fix unit test
* VAULT-6818 delete unmerged entity aliases instead of orphaning them
* VAULT-6818 Prevent merge with clashing aliases, allow for resolution of clashing entity aliases
* VAULT-6818 Small updates
* VAULT-6818 Restrict to only one clash merge at once
* VAULT-6818 changelog
* VAULT-6818 use strutil package instead of slices
* VAULT-6818 Update variable names for clarity
* VAULT-6818 Update test
* VAULT-6818 update error message
* VAULT-6818 Use helper method
* VAULT-6818 validate entityIds
* VAULT-6818 group imports better
* VAULT-6818 use change instead of bug
* VAULT-6818 use multierror instead of custom struct
* VAULT-6818 Use multierror properly
* VAULT-6818 Small refactor based on feedback
* storage/raft: Fix cluster init with retry_join
Commit 8db66f4853abce3f432adcf1724b1f237b275415 introduced an error
wherein a join() would return nil (no error) with no information on its
channel if a joining node had been initialized. This was not handled
properly by the caller and resulted in a canceled `retry_join`.
Fix this by handling the `nil` channel response by treating it as an
error and allowing the existing mechanics to work as intended.
* storage/raft: Improve retry_join go test
* storage/raft: Make VerifyRaftPeers pollable
* storage/raft: Add changelog entry for retry_join fix
* storage/raft: Add description to VerifyRaftPeers
* VAULT-6613 add DetermineRoleFromLoginRequest function to Core
* Fix body handling
* Role resolution for rate limit quotas
* VAULT-6613 update precedence test
* Add changelog
* Handle body error
* VAULT-6613 Return early if error with json parsing
* VAULT-6613 add to teardown function
* Add PutMetadata and PatchMetadata KV helpers
* Refactor tests, stop needlessly converting zero values to nil
* Merge fix for delete-version-after zero value bug
* Cast nils to zero value on Put
* Use 2 different structs for put/patch metadata input, clarity fixes
* Use local constants and simplify stringification
* Add Read methods for KVClient
* KV write helper
* Add changelog
* Add Delete method
* Use extractVersionMetadata inside extractDataAndVersionMetadata
* Return nil, nil for v1 writes
* Add test for extracting version metadata
* Split kv client into v1 and v2-specific clients
* Add ability to set options on Put
* Add test for KV helpers
* Add custom metadata to top level and allow for getting versions as sorted slice
* Update tests
* Separate KV v1 and v2 into different files
* Add test for GetVersionsAsList, rename Metadata key to VersionMetadata for clarity
* Move structs and godoc comments to more appropriate files
* Add more tests for extract methods
* Rework custom metadata helper to be more consistent with other helpers
* Remove KVSecret from custom metadata test now that we don't append to it as part of helper method
* Add Patch KV helper
* Add godoc comment and use WithOption ourselves in other KVOption functions
* Clean up options-handling and resp parsing logic; add more tests
* Add constants and more patch tests
* Return early for readability and make test value name less confusing
This requires bumping https://github.com/mitchellh/go-testing-interface.
For this new version, we have to create a wrapper to convert
the stdlib `testing.TB` interface to the
`mitchellh/go-testing-interface` `T` interface, since it uses
`Parallel()` now, which is not supported by `testing.TB`. This had to be
added to a new package, `benchhelpers`, to avoid a circular dependency
in `testhelpers`.
We also have to *unbump* https://github.com/armon/go-metrics since
updating it breaks our usage of
https://github.com/google/go-metrics-stackdriver.
I verified that the new `pkiCert` template function works with agent
injection using annotations like:
```yaml
vault.hashicorp.com/agent-inject-secret-sample.crt: "pki/issue/example-dot-com"
vault.hashicorp.com/agent-inject-template-sample.crt: |
  {{ pkiCert "pki/issue/example-dot-com" "common_name=foo.example.com" "ttl=1h" }}
```