* Add support for importing RSA-PSS keys in Transit
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* replace use of os.Unsetenv in test with t.Setenv and remove t.Parallel from test that rely on env being modified.
* experiment with using fromJSON function
* revert previous experiment
* including double quotes in the output value for the string ubuntu-latest
* use go run to launch gofumpt
* bug: correct handling of the zero int64 value
* Update changelog/18729.txt
---------
Co-authored-by: valli_0x <personallune@mail.ru>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* glimmerize alert-banner
* structure for the DocLink todo: css important remove
* styling done. kind of strange, but should help in future
* clean up
* test coverage
* changelog
* address pr comments
* clean up
* amended language on banner to match most recent change.
* add return
* clean up
* modify the banner title and shorten message
* update language
* don't error for other message events
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
* add changelog
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
* rename release note for changelog
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
---------
Signed-off-by: David van der Spek <vanderspek.david@gmail.com>
* Migrate subset of CircleCI ci workflow to GitHub Actions
Runs test-go and test-go-remote-docker with a static splitting of test packages
* [skip actions] add comment to explain the purpose of test-generate-test-package-lists.sh and what to do if it fails
* change trigger to push
---------
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* Fix cubbyhole and revocation for legacy service tokens
Legacy service tokens generated in Vault 1.10+ with env var
VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS=true are not assigned
a cubbyhole ID. The implication is that cubbyhole/ cannot be
used, nor can the tokens be revoked.
This commit assigns a cubbyhole ID to these tokens and adds
a new test case to see that cubbyhole and revocation works correctly.
* add changelog
* add godoc to test cases
* Docs - update ldap page to add clarity around sAMAccountName
Updated https://developer.hashicorp.com/vault/docs/secrets/ldap#active-directory-ad-1 to clarify customers configure username properly using username_template when sAMAccountName is involved.
* Docs - edit on last update for ldap page
Fixed the link /vault/docs/concepts/username-templating
* VAULT-13782 move keys tab next to issuers
* VAULT-13794 move private_key_format to key paramter toggle
* Fix failing tests!
* Move format and private key format out
* Address feedback and fix not valid after spacing
* Add more spacing and code cleanup
* Remove engines stylesheet
* Remove class conditional logic
* adds check for isSecureContext in identity-manager and falls back to incrementing ids
* adds uuid package to replace crypto.randomUUID
* adds test for okta number challenge nonce value validation
* Fix synopsis for PKI subcommand
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add transit command for synopsis, help text
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix nits around spacing
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix Vault Transit BYOK helper argument parsing
This commit fixes the following issues with the importer:
- More than two arguments were not supported, causing the CLI to error
out and resulting in a failure to import RSA keys.
- The @file notation support was not accepted for KEY, meaning
unencrypted keys had to be manually specified on the CLI.
- Parsing of additional argument data was done in a non-standard way.
- Fix parsing of command line options and ensure only relevant
options are included.
Additionally, some error messages and help text was clarified.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing documentation on Transit CLI to website
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for Transit BYOK vault subcommand
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Appease CI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* added responses for sys/internal/ui/mounts
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* responses for internal paths
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added changelog
* add schema validation for internal/ui/mounts
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add counters test
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* update test to use new method
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* use new method in TestSystemBackend_InternalUIMounts
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* :rage4: fixed test, diff between core.HandleRequest and backend.HandleRequest
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* test feature flags
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* impr(auth/ldap): allow to dereference aliases in searches
* docs: add documentation for LDAP alias dereferencing
* chore(auth/ldap): add changelog entry for PR 18230
* chore: run formatter
* fix: update default LDAP configuration with new default
* Update website/content/docs/auth/ldap.mdx
Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
* docs(ldap): add alias dereferencing to API docs for LDAP
---------
Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
Mirror NSS's GET-vs-POST selection criteria, wherein GET is preferred
over POST (as the former might be a response from a cached CDN entry,
whereas the latter might hit a live responder). However, only accept it
if it definitively says "Good" or "Revoked" -- trigger a POST request
when an unknown or failure status is seen.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* add nil check for secret id entry on delete via accessor
* add changelog
* add godoc to test
* improve feedback on nil entry
* fix error reporting on invalid secret id accessor
* fix test to expect implemented error
* Address some small issues within pki health-check
- Notify user yaml output mode is not support with --list argument
- Output pure JSON in json output mode with --list argument
- If a checker returns a nil response, convert to an empty slice
- Add handler for permission errors to too many certs checker
- Add checks for permission issues within hardware_backed_root and root_issued_leaves
* Identify the role that contained the permission issue in role based checks
- Augument the role health checks to identify the role(s) that we have
insufficient permissions to read instead of an overall read failure
- Treat the failure to list roles as a complete failure for the check
