* implement SSRF protection header
* add test for SSRF protection header
* cleanup
* refactor
* implement SSRF header on a per-listener basis
* cleanup
* cleanup
* creat unit test for agent SSRF
* improve unit test for agent SSRF
* add VaultRequest SSRF header to CLI
* fix unit test
* cleanup
* improve test suite
* simplify check for Vault-Request header
* add constant for Vault-Request header
* improve test suite
* change 'config' to 'agentConfig'
* Revert "change 'config' to 'agentConfig'"
This reverts commit 14ee72d21fff8027966ee3c89dd3ac41d849206f.
* do not remove header from request
* change header name to X-Vault-Request
* simplify http.Handler logic
* cleanup
* simplify http.Handler logic
* use stdlib errors package
Currently in the C* database plugin, connection validation errors, as
well as a parsing error, can lead us to return an error and never use an
open gocql session, which may in fact have many open connections. These
connections stay open forever. If you end up in an error loop due to,
for example, a problem with permissions, you will eventually exhaust
file descriptors on the machine.
We simply need to close the session if we aren't going to use it.
* check for model in the edit form before rolling back
* make sure namespace service name is consistent in the auth service
* actually tell it what service to inject
* do not swallow ControlGroupErrors when viewing or editing kvv2 secrets
* test kv v2 control group workflow
* do not manually clearModelCache when logging out since this already happens when leaving the logout route
* remove pauseTest
* update comments
* wip - looking into why restricted user can see the control group protected secret after it has already been unwrapped once
* strip version from query params so we can unwrap a secret after it is authorized
* use attachCapabilities instead of lazyCapabilities to ensure models are cleaned up properly
* remove comment
* make ControlGroupError extend AdapterError
* fix broken redirect_to test
* one day i will remember to remove my debugger statements; today is not that day
* no need to check for a ControlGroupError since it extends an AdapterError
* see if using EmberError instead of AdapterError fixes the browserstack tests
* Revert "see if using EmberError instead of AdapterError fixes the browserstack tests"
This reverts commit 14ddd67cacbf1ccecb8cc2d1f59a2c273866da72.
Seal keys can be rotated. When this happens, the barrier and recovery
keys should be re-encrypted with the new seal key. This change
automatically re-encrypts the barrier and recovery keys with the latest
seal key on the active node during the 'postUnseal' phase.
