* Add a last issued date on ACME accounts
- When we issue a new ACME certificate, attempt to update the account's last issued field
- Within ACME account tidy, use both account creation and last issue date to provide a buffer before we mark the account as revoked.
- Cleanup the cert serial to account tracker
- Misc formatting fixes in JSON objects
* Move account max-cert-expiry updates within tidy
- Perform the account update of max-cert-expiry within
the tidy operation as it has the account write lock
and is already iterating over all orders.
- With this the order path does not need any account
level locks
* Prefix ACME account status constants with AccountStatusX
* Add Vault APIS to create, list, delete ACME EAB keys
- Add Vault authenticated APIs to create, list and delete ACME
EAB keys.
- Add supporting tests for all new apis
* Add require_eab to acme configuration
* Add EAB support to ACME
* Add EAB support to ACME
* PR feedback 1
- Address missing err return within DeleteEab
- Move verifyEabPayload to acme_jws.go no code changes in this PR
- Update error message returned for error on account storage with EAB.
* PR feedback 2
- Verify JWK signature payload after signature verification
* Introduce an ACME eab_policy in configuration
- Instead of a boolean on/off for require_eab, introduce named policies for ACME behaviour enforcing eab.
- The default policy of always-required, will force new accounts to have an EAB, and all operations in the future, will make sure the account has an EAB associated with it.
- Two other policies, not-required will allow any anonymous users to use ACME within PKI and 'new-account-required' will enforce new accounts going forward to require an EAB, but existing accounts will still be allowed to use ACME if they don't have an EAB associated with the account.
- Having 'always-required' as a policy, will override the environment variable to disable public acme as well.
* Add missing go-docs to new tests.
* Add valid eab_policy values in error message.
* initial WIP glimmerize the controller
* wip got the filter engine type by supported backends working
* got filter by engine type working
* wip need to refactor but working ish for name
* wip working state with both filters, does not work if both fiters are set
* fixed when you have two selected filters, but broken for multiples of the same type with different names
* remove repeated engineTypes in filter list
* add disabled to power select
* fix bug of glimmer for the concurrency task.
* wording fix
* remove linkableItem and the nested contextual compnents to help with loading speed.
* add changelog
* fix some tests
* add test coverage
* Update 20481.txt
update changelog text
* test fixes 🤞
* test fix?
* address a pr comment and save
* address pr comment
* move private function to internal pkg for sharing
* rename to mc
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* rename to NewConfig
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Fixed a typo in the "Environment Variable Example" because it was generating a parsing error:
template server error: error="(dynamic): execute: template: :2:30: executing \"\" at <.Data.data.payments_api_key>: can't evaluate field data in type *dependency.Secret"
* import rsa and ecdsa public keys
* allow import_version to update public keys - wip
* allow import_version to update public keys
* move check key fields into func
* put private/public keys in same switch cases
* fix method in UpdateKeyVersion
* move asymmetrics keys switch to its own method - WIP
* test import public and update it with private counterpart
* test import public keys
* use public_key to encrypt if RSAKey is not present and failed to decrypt
if key version does not have a private key
* move key to KeyEntry parsing from Policy to KeyEntry method
* move extracting of key from input fields into helper function
* change back policy Import signature to keep backwards compatibility and
add new method to import private or public keys
* test import with imported public rsa and ecdsa keys
* descriptions and error messages
* error messages, remove comments and unused code
* changelog
* documentation - wip
* suggested changes - error messages/typos and unwrap public key passed
* fix unwrap key error
* fail if both key fields have been set
* fix in extractKeyFromFields, passing a PolicyRequest wouldn't not work
* checks for read, sign and verify endpoints so they don't return errors when a private key was not imported and tests
* handle panic on "export key" endpoint if imported key is public
* fmt
* remove 'isPrivateKey' argument from 'UpdateKeyVersion' and
'parseFromKey' methods
also: rename 'UpdateKeyVersion' method to 'ImportPrivateKeyForVersion' and 'IsPublicKeyImported' to 'IsPrivateKeyMissing'
* delete 'RSAPublicKey' when private key is imported
* path_export: return public_key for ecdsa and rsa when there's no private key imported
* allow signed data validation with pss algorithm
* remove NOTE comment
* fix typo in EC public key export where empty derBytes was being used
* export rsa public key in pkcs8 format instead of pkcs1 and improve test
* change logic on how check for is private key missing is calculated
---------
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update verify-changes to support external docs branches
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
* Revert QT-545 as it Enos workflow is not a workflow_run event
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
---------
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
* use internal docker mirror for CI
* maybe it needs to be https
* no just kidding it's docker://
* apparently overriding it globally causes creates to fail. time to override each image individually lol
* maybe this works
* Structure of ACME Tidy.
* The tidy endpoints/call information.
* Counts for status plumbing.
* Update typo calls, add information saving date of account creation.
* Missed some field locations.
* Set-up of Tidy command.
* Proper tidy function; lock to work with
* Remove order safety buffer.
* Missed a field.
* Read lock for account creation; Write lock for tidy (account deletion)
* Type issues fixed.
* fix range operator.
* Fix path_tidy read.
* Add fields to auto-tidy config.
* Add (and standardize) Tidy Config Response
* Test pass, consistent fields
* Changes from PR-Reviews.
* Update test to updated default due to PR-Review.
* Update elasticdb.mdx
Remove success message of vault write operations from text blocks to better support copy&paste to console
* Update code block types
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* remove undefined payload.issuer_id
* add info banner to parsed display view
* add tests
* clean up conditional, add specific banner test selector
* check for undefined length
By reversing the logic and adding a `REMOVE_SYMBOLS` environment
variable that, when set, will remove symbols.
This has been requested to re-enable Dynatrace support, which
requires symbols are intact.
Sadly this increases the size (on my mac) from 192,609,682 bytes
to 236,696,722 bytes (+23% increase).
I confirmed that this adds symbols back, and that `dlv` will load
the Vault binary.
* Move seal barrier type field from Access to autoSeal struct.
Remove method Access.SetType(), which was only being used by a single test, and
which can use the name option of NewTestSeal() to specify the type.
* Change method signatures of Access to match those of Wrapper.
* Turn seal.Access struct into an interface.
* Tweak Access implementation.
Change `access` struct to have a field of type wrapping.Wrapper, rather than
extending it.
* Add method Seal.GetShamirWrapper().
Add method Seal.GetShamirWrapper() for use by code that need to perform
Shamir-specific operations.
When executing multi-stage, multi-namespace tests, stopping the ticker
multiple times (via closing the StopTicker channel) results in a panic.
Store whether or not we've stopped it once, and do not close it again.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor setting local addresses
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Validate wildcard domains in ACME test suite
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add locking to DNS resolver
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Better removal semantics for records
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Export DockerAPI for use by other consumers
As usage of DockerCluster gets more advanced, some users may want to
interact with the container nodes of the cluster. While, if you already
have a DockerAPI instance lying around you can reuse that safely, for
use cases where an existing e.g., docker/testhelpers's runner instance
is not available, reusing the existing cluster's DockerAPI is easiest.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add ability to exec commands without runner
When modifying DockerTestCluster's containers manually, we might not
have a Runner instance; instead, expose the ability to run commands via
a DockerAPI instance directly, as they're awfully convenient.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add DNS resolver into ACME tests
This updates the pkiext_binary tests to use an adjacent DNS resolver,
allowing these tests to eventually be extended to solve DNS challenges,
as modifying the /etc/hosts file does not allow this.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix loading DNS resolver onto network
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix bug with DNS configuration validation
Both conditionals here were inverted: address being empty means a bad
specification was given, and the parse being nil means that it was not a
valid IP address.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix specifying TXT records, allow removing records
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* update version service
* render enterprise groups
* render enterprise params
* move group headers to within loop
* cleanup template
* update form tests
* change version service references to hasFeature to hasControlGroups getter
* add params to details view
* update version service test
- Do not serialize the entire internal object, instead return
just the Type and Value fields back to the caller.
- Also within authorization responses, return the base domain
on wildcard queries, dropping the *. as the RFC requests.
- Update tests to reflect/test this logic.
* Add Helios Design System Components (#19278)
* adds hds dependency
* updates reset import path
* sets minifyCSS advanced option to false
* Remove node-sass (#19376)
* removes node-sass and fixes sass compilation
* fixes active tab li class
* Sidebar Navigation Components (#19446)
* links ember-shared-components addon and imports styles
* adds sidebar frame and nav components
* updates HcNav component name to HcAppFrame and adds sidebar UserMenu component
* adds tests for sidebar components
* fixes tests
* updates user menu styling
* fixes typos in nav cluster component
* changes padding value in sidebar stylesheet to use variable
* Replace and remove old nav components with new ones (#19447)
* links ember-shared-components addon and imports styles
* adds sidebar frame and nav components
* updates activeCluster on auth service and adds activeSession prop for sidebar visibility
* replaces old nav components with new ones in templates
* fixes sidebar visibility issue and updates user menu label class
* removes NavHeader usage
* adds clients index route to redirect to dashboard
* removes unused HcAppFrame footer block and reduces page header top margin
* Nav component cleanup (#19681)
* removes nav-header components
* removes navbar styling
* removes status-menu component and styles
* removes cluster and auth info components
* removes menu-sidebar component and styling
* fixes tests
* Console Panel Updates (#19741)
* updates console panel styling
* adds test for opening and closing the console panel
* updates console panel background color to use hds token
* adds right margin to console panel input
* updates link-status banner styling
* updates hc nav components to new API
* Namespace Picker Updates (#19753)
* updates namespace-picker
* updates namespace picker menu styling
* adds bottom margin to env banner
* updates class order on namespace picker link
* restores manage namespaces refresh icon
* removes manage namespaces nav icon
* removes home link component (#20027)
* Auth and Error View Updates (#19749)
* adds vault logo to auth page
* updates top level error template
* updates loading substate handling and moves policies link from access to cluster nav (#20033)
* moves console panel to bottom of viewport (#20183)
* HDS Sidebar Nav Components (#20197)
* updates nav components to hds
* upgrades project yarn version to 3.5
* fixes issues in app frame component
* updates sidenav actions to use icon button component
* Sidebar navigation acceptance tests (#20270)
* adds sidebar navigation acceptance tests and fixes other test failures
* console panel styling tweaks
* bumps addon version
* remove and ignore yarn install-state file
* fixes auth service and console tests
* moves classes from deleted files after bulma merge
* fixes sass syntax errors blocking build
* cleans up dart sass deprecation warnings
* adds changelog entry
* hides namespace picker when sidebar nav panel is minimized
* style tweaks
* fixes sidebar nav tests
* bumps hds addon to latest version and removes style override
* updates modify-passthrough-response helper
* updates sidebar nav tests
* mfa-setup test fix attempt
* fixes cluster mfa setup test
* remove deprecated yarn ignore-optional flag from makefile
* removes another instance of yarn ignore-optional and updates ui readme
* removes unsupported yarn verbose flag from ci-helper
* hides nav headings when user does not have access to any sub links
* removes unused optional deps and moves lint-staged to dev deps
* updates has-permission helper and permissions service tests
* fixes issue with console panel not filling container width
- We have a known issue that is difficult to address in released versions of Vault that OCSP GET requests can contain consecutive / characters which the Golang HTTP mux will force a redirection.
- Instead of failing various PRs and runs with this known issue, check to see if we are about to trigger it and if so skip the test. We have already at this point tested the POST version of the API.