Commit graph

488 commits

Author SHA1 Message Date
John-Michael Faircloth 4f40189d1a
oidc: check for nil signing key on rotation (#13716)
* check for nil signing key on rotation

* add changelog

* Update nil signing key handling

- bypass setting ExpireAt if signing key is nil in rotate
- return err if signing key is nil in signPayload

* add comment; update error msg on signPayload; refactor UT
2022-01-24 12:05:49 -06:00
Scott Miller 4ee5a8b1cd
PKI - Allow performance secondaries to generate and store certificates locally to them (#13759)
* PKI - Allow performance secondaries to generate and store certificates locally to them

* changelog

Co-authored-by: divyapola5 <divya@hashicorp.com>
2022-01-24 10:03:04 -06:00
davidadeleon 96dfbfbd02
Raft/fix raft telemetry metric unit (#13749)
Converting raft time metrics to Milliseconds over Default Nanoseconds to maintain consistency
2022-01-24 10:51:35 -05:00
Nick Cabatoff ddab893034
Update to raft lib v1.3.3 (#13703) 2022-01-24 09:50:23 -05:00
Rémi Lapeyre fb4b85d921
Add support for client certificates to -output-curl-string (#13660)
* Add support for client certificates to -output-curl-string

I did not write tests for this feature as -output-curl-string was not
already tested and this is a simple change. Because the name of the
certificates would be lost once loaded I added fields to Config to keep
track of them. I did not add a public method for the user to set them
explicitly as I don't think anyone would need this functionality
outside of the Vault CLI.

Closes https://github.com/hashicorp/vault/issues/13376

* Add changelog

* Add lock in ConfigureTLS
2022-01-20 10:25:26 -08:00
Jason O'Donnell 974dbf6082
auth/ldap: Add username to alias.metadata.name (#13669)
* Fix upndomain bug causing alias name to change

* Fix nil map

* Add changelog

* revert

* Update changelog

* Add test for alias metadata name

* Fix code comment
2022-01-20 12:30:26 -05:00
Rémi Lapeyre 3773ade7c6
Accept both -f and --force in the web terminal (#13683)
* Accept both -f and --force in the web terminal

This aligns the behavior of the web terminal with the `vault write ...`
command to make it a bit more user friendly.

* Add changelog

* Use === instead of ==
2022-01-20 10:17:53 -07:00
Matt Schultz fc7deabfd7
Time-based transit key autorotation (#13691)
* Add auto_rotate_interval field to transit key creation path.

* Add auto_rotate_interval field to transit key config update path.

* Implement transit automatic key rotation on an hourly interval.

* Fixes transit key autorotation key listing typo.

* Add unit tests for transit key autorotation.

* Add unit tests for transit key creation with autorotation interval.

* Add unit tests for transit key config update with autorotation interval.

* Document new auto_rotate_interval fields in key creation and key config update endpoints.

* Add changelog for transit key autorotation.

* Wrap individual transit key autorotation in a policy lock.

* Add a safeguard to transit key autorotation to ensure only one execution happens simultaneously.
2022-01-20 09:10:15 -06:00
Nick Cabatoff 279e0d4332
Add the duration and start time to logged completed requests. (#13682) 2022-01-20 08:55:30 -05:00
Nick Cabatoff 4230749d9e
Revert #13679 since TestCluster_ListenForRequest now fails intermittently in alarming ways. (#13714) 2022-01-20 08:34:40 -05:00
Sung Hon Wu 194c9e32d3
Enhance sys/raw to read and write values that cannot be encoded in json (#13537) 2022-01-20 07:52:53 -05:00
Nick Cabatoff 21be98ee7a
Support go-sockaddr templates in top-level cluster_addr config (#13678)
In doing some testing I found that the listener clusteraddr isn't really used, or at least isn't as important as the top-level clusteraddr setting.  As such, go-sockaddr templating needs to be implemented for the top-level `cluster_addr` setting or it's unusable for HA.

Also fix a nil pointer panic I discovered at the same time.
2022-01-19 10:56:04 -05:00
Nick Cabatoff d96298461f
Don't say we've shut down cluster listener before having done so (#13679) 2022-01-19 10:51:40 -05:00
divyapola5 d9c9d06710
Add validation for nonce size when we aren't in convergent encryption mode within transit backend (#13690)
* Add validation for nonce size when we aren't in convergent encryption mode within transit backend

* Add changelog entry
2022-01-19 13:02:49 +05:30
VAL 6652203569
Distinguish LIST-only paths in OpenAPI (#13643)
* Distinguish LIST-only paths in OpenAPI

* add changelog

* Put enum field inside schema
2022-01-18 09:21:44 -08:00
Rémi Lapeyre 0d6c2acbd9
Make auth/token/revoke-accessor idempotent (#13661)
The auth/token/revoke will not error out if the token does not exist; it
always tries to revoke the token and returns success to the client whether
or not the token exists. This makes the behavior of
auth/token/revoke-accessor coherent with this and removes the need to
check whether the token still exists.
2022-01-18 06:56:38 -05:00
Nick Cabatoff 400996ef0d
Parallel retry join (#13606) 2022-01-17 10:33:03 -05:00
Tero Saarni e2b17ca96b
auth/kubernetes: support for dynamically reloading short-lived tokens (#13595)
* auth/kubernetes: support for short-lived tokens

* Uplift new version of Kubernetes auth plugin that does not store the
  service account token persistently to Vault storage.

* Update the documentation to recommend local token again when running
  Vault inside cluster.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

* Added changelog entry

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

* clarification to changelog entry, executed go mod tidy

* clarifications and added targeted release version
2022-01-14 19:55:15 -08:00
akshya96 319a76d8d1
Vault-3991 Code Scanning Alerts Changes (#13667)
* code scanning alerts changes

* adding changelog
2022-01-14 15:35:27 -08:00
Chris Capurso d52d69e4bb
Add HTTP PATCH support for KV key metadata (#13215)
* go get vault-plugin-secrets-kv@vault-4290-patch-metadata

* add kv metadata patch command

* add changelog entry

* success tests for kv metadata patch flags

* add more kv metadata patch flags tests

* add kv metadata patch cas warning test

* add kv-v2 key metadata patch API docs

* add kv metadata patch to docs

* prevent unintentional field overwriting in kv metadata put cmd

* like create/update ops, prevent patch to paths ending in /

* fix kv metadata patch cmd in docs

* fix flag defaults for kv metadata put

* go get vault-plugin-secrets-kv@vault-4290-patch-metadata

* fix TestKvMetadataPatchCommand_Flags test

* doc fixes

* go get vault-plugin-secrets-kv@master; go mod tidy
2022-01-12 12:05:27 -05:00
Nick Cabatoff 624128896f
If we get a 405 doing an HTTP PATCH, assume the server is pre-1.9 and fall back to old readThenWrite approach (#13615) 2022-01-11 11:52:24 -05:00
Nick Cabatoff 4ee4374b3e
Use MAP_POPULATE for our bbolt mmaps (#13573)
* Use MAP_POPULATE for our bbolt mmaps, assuming the files fit in memory.  This should improve startup times when freelist sync is disabled.
2022-01-11 08:16:53 -05:00
claire bontempo 9956c051d2
UI/Fixes secrets list breadcrumb (#13604)
* fixes basekey param

* adds changelog
2022-01-10 11:00:47 -08:00
Robert 15bd5fd6b6
secrets/database: Add parameter to disable escaping username and password chars for DB connections (#13414)
* Add a parameter that disables escaping characters in the username or password fields for secrets engines database connections

* Always disallow template variables inside the username or password
2022-01-10 12:05:17 -06:00
Chelsea Shaw 5301934368
UI/fix kmip role form (#13585)
* Fix info-table-row not rendering if alwaysRender=false and only block content present

* use defaultFields for form and nonOperationFields for adapter

* WIP: Move info table row template to addon component dir

* Refactor InfoTableRow to glimmer component

* Add changelog

* passthrough attributes, change @data-test-x to data-test-x on InfoTableRow invocations
2022-01-07 09:16:40 -06:00
Jordan Reimer a09a20e758
Search Select Input Fix (#13590)
* removes ember-power-select-with-create dep and updates search-select component

* adds changelog

* fixes matching when filtering options
2022-01-06 16:34:26 -07:00
Chris Capurso fea26266f3
update okta-sdk-golang to v2.9.1 (#13439)
* update okta-sdk-golang to v2.9.1

* go mod tidy

* add changelog entry
2022-01-06 09:42:51 -05:00
Peter Verraedt 504a8efd01
auth/cert: Add certificate extensions as metadata (#13348)
* auth/cert: Add certificate extensions as metadata

Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>

* Add changelog for #13348

Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>
2022-01-03 13:38:16 -08:00
Austin Gebauer c21ff7e587
secrets/gcp: update plugin to v0.11.1 (#13548) 2022-01-03 11:18:48 -08:00
Vinny Mannello 2680f0b198
[Vault-4628] OpenAPI endpoint not expanding root alternations (#13487) 2021-12-22 15:36:47 -08:00
Ben Ash ef8e4008a8
Add ability to optionally clone a Client's token (#13515) 2021-12-22 17:07:26 -05:00
Steven Clark b9e5aeb459
Attempt to address a data race issue within identity store - take 2 (#13476)
* Attempt to address a data race issue within identity store
* Testcase TestIdentityStore_LocalAliasInvalidations identified a data race issue.
* This reverts the previous attempt to address the issue from #13093
2021-12-22 09:51:13 -05:00
Austin Gebauer 431376cb7f
auth/oidc: update plugin to v0.11.4 (#13492) 2021-12-21 16:48:53 -08:00
Meggie 5d22e50ff1
Fiddling with changelog formatting (#13496) 2021-12-21 18:32:08 -05:00
Ben Ash fab2f630b4
Fix properly initialize replicateStateStore from SetReadYourWrites() (#13486)
Fixes an issue where the `replicateStateStore` was being set to `nil`
upon consecutive calls to `client.SetReadYourWrites(true)`.
2021-12-21 16:14:39 -05:00
Anthony (Ryo) Wright e0ac921b8f
Fixed null token panic from 'v1/auth/token/' endpoints and returned p… (#13233)
* Fixed null token panic from 'v1/auth/token/' endpoints and returned proper error response

* added changelog entry for PR #13233

* changed error message from 'bad token' to 'null token'

* rebased off of main

* Revert "changed error message from 'bad token' to 'null token'"

This reverts commit 381ed9b32c5ddd5e47adb1643ef7e46fb768bc76.

* changed 'bad token' error message to 'invalid token' after revert

* remove unnecessary vault-data folder
2021-12-21 09:46:56 -08:00
Ben Ash 9253abb2e1
Update mssql's contained_db field to accept a boolean (#13469)
Previously the `contained_db` parameter would only accept a string value
despite the fact that field type is documented as a boolean.
2021-12-20 10:04:43 -05:00
Jordan Reimer 5c2a08de6d
Ember Upgrade to 3.24 (#13443)
* Update browserslist

* Add browserslistrc

* ember-cli-update --to 3.26, fix conflicts

* Run codemodes that start with ember-*

* More codemods - before cp*

* More codemods (curly data-test-*)

* WIP ember-basic-dropdown template errors

* updates ember-basic-dropdown and related deps to fix build issues

* updates basic dropdown instances to new version API

* updates more deps -- ember-template-lint is working again

* runs no-implicit-this codemod

* creates and runs no-quoteless-attributes codemod

* runs angle brackets codemod

* updates lint:hbs globs to only touch hbs files

* removes yield only templates

* creates and runs deprecated args transform

* suppresses lint error for invokeAction on LinkTo component

* resolves remaining ambiguous path lint errors

* resolves simple-unless lint errors

* adds warnings for deprecated tagName arg on LinkTo components

* adds warnings for remaining curly component invocation

* updates global template lint rules

* resolves remaining template lint errors

* disables some ember specific lint rules that target pre octane patterns

* js lint fix run

* resolves remaining js lint errors

* fixes test run

* adds npm-run-all dep

* fixes test attribute issues

* fixes console acceptance tests

* fixes tests

* adds yield only wizard/tutorial-active template

* fixes more tests

* attempts to fix more flaky tests

* removes commented out settled in transit test

* updates deprecations workflow and adds initializer to filter by version

* updates flaky policies acl old test

* updates to flaky transit test

* bumps ember deps down to LTS version

* runs linters after main merge

* fixes client count tests after bad merge conflict fixes

* fixes client count history test

* more updates to lint config

* another round of hbs lint fixes after extending stylistic rule

* updates lint-staged commands

* removes indent eslint rule since it seems to break things

* fixes bad attribute in transform-edit-form template

* test fixes

* fixes enterprise tests

* adds changelog

* removes deprecated ember-concurrency-test-waiters dep and adds @ember/test-waiters

* flaky test fix

Co-authored-by: hashishaw <cshaw@hashicorp.com>
2021-12-16 20:44:29 -07:00
Vinny Mannello 62ecf23c2c
EscapeLDAPValue - catch trailing escape character (#13452)
* [VAULT-4018] - EscapeLDAPValue catch trailing escape character
2021-12-15 13:17:07 -08:00
Pete Bohman ccc1098ea3
Add allowed_uri_sans_template (#10249)
* Add allowed_uri_sans_template

Enables identity templating for the allowed_uri_sans field in PKI cert roles.

Implemented as suggested in #8509

* changelog++

* Update docs with URI SAN templating
2021-12-15 09:18:28 -06:00
John-Michael Faircloth a2da7b17f8
github auth: use org id to verify creds (#13332)
* github auth: use org id to verify creds

* add check for required org param; add test case

* update UTs

* add nil check for org

* add changelog

* fix typo in ut

* set org ID if it is unset; add more ut coverage

* add optional organization_id

* move client instantiation

* refactor parse URL; add UT for setting org ID

* fix comment in UT

* add nil check

* don't update org name on change; return warning

* refactor verifyCredentials

* error when unable to fetch org ID on config write; add warnings

* fix bug in log message

* update UT and small refactor

* update comments and log msg

* use getter for org ID
2021-12-14 16:37:19 -06:00
Meggie c0b962ecfa
Main go version bump (#13408)
* Go 1.17.2 -> 1.17.5
* Switching to cimg
2021-12-14 11:11:13 -05:00
Alexander Scheel 31ff2be589
Add universal default key_bits value for PKI endpoints (#13080)
* Allow universal default for key_bits

This allows the key_bits field to take a universal default value, 0,
which, depending on key_type, gets adjusted appropriately into a
specific default value (rsa->2048, ec->256, ignored under ed25519).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Handle universal default key size in certutil

Also move RSA < 2048 error message into certutil directly, instead of in
ca_util/path_roles.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing RSA key sizes to pki/backend_test.go

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to returning updated values

When determining the default, don't pass in pointer types, but instead
return the newly updated value.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Re-add fix for ed25519 from #13254

Ed25519 internally specifies a hash length; by changing the default from
256 to 0, we fail validation in ValidateSignatureLength(...) unless we
specify the key algorithm.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2021-12-13 15:26:42 -05:00
Ben Ash 6ec3367648
Support clearing an identity alias' custom_metadata (#13395)
* Support clearing an identity alias' custom_metadata

Previously, an update to an entity alias supported updating the
custom_metadata as long as the update was not empty, which makes it
impossible to clear the metadata values completely.

Fixes:
- empty custom_metadata parameters are honoured on entity alias update
- update related tests
- drop dependency on mapstructure
- reformat with gofumpt
2021-12-10 18:07:47 -05:00
Chelsea Shaw fe718e99d4
UI/fix client count partial (#13396)
* Initial fix

* Add fallback zero values

* Add changelog

* Fix client count current test
2021-12-10 16:14:57 -06:00
Meggie 7c70c4ebf1
Some changelog tidying for 1.10 preview (#13385)
* Some changelog tidying for 1.10 preview

* PR accounted for by different CL entry
2021-12-10 16:23:20 -05:00
John-Michael Faircloth 04ce02057a
auth/jwt: update changelog for pkce improvement (#13392) 2021-12-10 11:15:22 -06:00
John-Michael Faircloth 7f78f3357f
auth/jwt: Update plugin to v0.11.3 (#13365)
* auth/jwt: Update plugin to v0.11.3

* add changelog
2021-12-09 07:44:52 -06:00
hghaf099 65845c7531
VAULT-1564 report in-flight requests (#13024)
* VAULT-1564 report in-flight requests

* adding a changelog

* Changing some variable names and fixing comments

* minor style change

* adding unauthenticated support for in-flight-req

* adding documentation for the listener.profiling stanza

* adding an atomic counter for the inflight requests
addressing comments

* addressing comments

* logging completed requests

* fixing a test

* providing log_requests_info as a config option to determine at which level requests should be logged

* removing a member and a method from the StatusHeaderResponseWriter struct

* adding api docs

* revert changes in NewHTTPResponseWriter

* Fix logging invalid log_requests_info value

* Addressing comments

* Fixing a test

* use an atomic value for logRequestsInfo, and moving the CreateClientID function to Core

* fixing go.sum

* minor refactoring

* protecting InFlightRequests from data race

* another try on fixing a data race

* another try to fix a data race

* addressing comments

* fixing a couple of tests

* changing log_requests_info to log_requests_level

* minor style change

* fixing a test

* removing the lock in InFlightRequests

* use single-argument form for interface assertion

* adding doc for the new configuration parameter

* adding the new doc to the nav data file

* minor fix
2021-12-08 17:34:42 -05:00
Matt Schultz 85f5cfc356
Adds support for SHA-3 to transit (#13367)
* Adding support for SHA3 in the transit backend.

* Adds SHA-3 tests for transit sign/verify path. Adds SHA-3 tests for logical system tools path hash functionality. Updates documentation to include SHA-3 algorithms in system tools path hashing.

* Adds changelog entry.

Co-authored-by: robison jacka <robison@packetized.io>
2021-12-08 12:29:33 -06:00