Commit graph

17136 commits

Author SHA1 Message Date
Alexander Scheel b4edc81cd5
Add ACME authorizations & challenges (#20113)
* Distinguish POST-as-GET from POST-with-empty-body

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add ACME authorization, identifier, and challenge types

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add ability to load and save authorizations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add ACME authorizations path handling

This supports two methods: a fetch handler over the authorization, to
expose the underlying challenges, and a deactivate handler to revoke
the authorization and mark its challenges invalid.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add ACME challenge path handling

These paths kick off processing and validation of the challenge by the
ACME client.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-12 16:55:25 +00:00
miagilepner 1ea85c56d7
VAULT-14734: activity log write endpoint (#20019)
* add noop endpoint with testonly build flag

* add tests for endpoint

* cleanup

* fix test name

* add changelog

* pr fixes
2023-04-12 18:26:26 +02:00
Kianna e6b890f7ed
UI: VAULT-14972 VAULT-13808 VAULT-12777 Remove pki beta, old pki, remove unused cert attributes (#20062) 2023-04-12 09:18:46 -07:00
Mike Palmiotto 1b5d527521
api: Add reporting fields to activitylog config endpoint (#20086)
This PR adds the internal reporting state to the
`internal/counters/config` read endpoint:
* reporting_enabled
* billing_start_timestamp
2023-04-12 12:02:28 -04:00
Steven Clark 8458154fc3
Use a UUID for ACME kid instead of a key fingerprint (#20110)
* Use a UUID for ACME kid instead of a key fingerprint

* PR feedback

 - Calculate thumbprint within CreateAccount instead of passing it in
 - Reorder writes within CreateAccount to now write out thumbprint entry
   first as we can easily recover/overwrite it if we fail mid-way
 - Change back LoadAccount in acme to return an error if it fails to
   lookup the entry

* Clearify comment within ACME CreateAccount
2023-04-12 15:29:54 +00:00
Hamid Ghaf 976ab9c87f
Revert "Remove dead licensing code and extra core setup (#20080)" (#20112)
This reverts commit 60d8bff89c490c5489c97b98b168de9a50239815.
2023-04-12 13:46:15 +00:00
Violet Hynes 918d1001e0
Docs: remove use_auto_auth token from cache docs (#20111) 2023-04-12 13:26:36 +00:00
Steven Clark 4e6b88d58c
Rework ACME workflow test to leverage Golang's ACME client library (#19949)
* Rework ACME workflow test to leverage Golang's ACME client library

 - Instead of testing manually, leverage the Golang ACME library
   to test against our implementation from the unit tests.

* Add tests for new-account and misc fixes

 - Set and return the account status for registration
 - Add handlers for the account/ api/updates
 - Switch acme/ to cluster local storage
 - Disable terms of service checks for now as we don't set the url

* PR feedback

 - Implement account deactivation
 - Create separate account update handler, to not mix account creation
   logic
 - Add kid field to account update definition
 - Add support to update contact details on an existing account
2023-04-12 09:05:42 -04:00
Chelsea Shaw 282279121d
UI: Show parsed certificate data in PKI (#19990) 2023-04-11 21:04:35 +00:00
Yoko Hyakuna 0b3f24a2d8
Update the HTTP verb for consistency (#20056) 2023-04-11 13:35:06 -07:00
Mike Palmiotto 3ebe35b0d4
Fix RFC3339 comment typo (#20100) 2023-04-11 20:11:05 +00:00
Anton Averchenkov 618e79af82
openapi: Add display attributes for identity/mfa (#19757) 2023-04-11 16:00:35 -04:00
claire bontempo f5435aa28e
UI/add prettier ignore for ui console file (#20094)
* fix template-lintrc file

* add prettier ignore
2023-04-11 18:50:04 +00:00
Austin Gebauer 787c5971ab
docs/oidc: fixes Azure user.read permission link (#20079) 2023-04-11 11:34:38 -07:00
Kuba Wieczorek 7e48d06e20
Add smaller runner groups for CI jobs (#20081) 2023-04-11 14:05:15 -04:00
Alexander Scheel 73a05ebbe5
Fix building unified delta WAL, unified delta CRLs (#20058)
* Correctly find certificates for unified delta CRL

When building the unified delta CRL, WAL entries from the non-primary
cluster were ignored. This resulted in an incomplete delta CRL,
preventing some entries from appearing.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly rebuild unified delta CRLs

When deciding if the Unified Delta CRL should be rebuilt, we need to
check the status of all clusters and their last revoked serial numbers.
If any new serial has been revoked on any cluster, we should rebuild the
unified delta CRLs.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly persist Unified Delta CRL build entries

When building the unified CRL, we need to read the last seen serial
number from all clusters, not just the present cluster, and write it
to the last built serial for that cluster's unified delta WAL entry.
This prevents us from continuously rebuilding unified CRLs now that we
have fixed our rebuild heuristic.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix getLastWALSerial for unified delta CRLs

getLastWALSerial ignored its path argument, preventing it from reading
the specified cluster-specific WAL entry. On the primary cluster, this
was mostly equivalent, but now that we're correctly reading WAL entries
and revocations for other clusters, we need to handle reading these
entries correctly.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Copy delta WAL entries in event of failure

Any local delta WAL should be persisted to unified delta WAL space as
well. If such unified persistence fails, we need to ensure that they get
eventually moved up, otherwise they'll remain missing until the next
full CRL rebuild occurs, which might be significantly longer than when
the next delta CRL rebuild would otherwise occur. runUnifiedTransfer
already handles this for us, but it lacked logic for delta WAL serials.

The only interesting catch here is that we refuse to copy any entries
whose full unified revocation entry has not also been written.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Make doUnifiedTransferMissingLocalSerials log an error

This message is mostly an error and would always be helpful information
to have when troubleshooting failures.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Warn on cross-cluster write failures during revoke

When revoking certificates, we log cross-cluster revocation failures,
but we should really expose this information to the caller, that their
local revocation was successful, but their cross-cluster revocation
failed.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure unified delta WAL entry has full entry

Delta WAL entries are empty files whose only information (a revoked
serial number) is contained in the file path. These depend implicitly on
a full revocation entry existing for this file (whether a cross-cluster
unified entry or a local entry).

We should not write unified delta WAL entries without the corresponding
full unified revocation entry existing. Add a warning in this case.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-11 18:02:58 +00:00
Anton Averchenkov 5a57db3f32
openapi: Remove pcf plugin (#20067) 2023-04-11 13:54:12 -04:00
claire bontempo 70e9558cec
UI: fix browser console formatting (#20064)
* fix console formatting for help output

* fix again

* fix again

* fix, add to ignore

* fix, add to ignore

* add to ignore file

* fix formatting, no verify

* remove lib/story.md

* add changelog

* hold off updating ignore list for separate ticket

* fix test
2023-04-11 10:42:50 -07:00
Christopher Swenson df8d0444dd
Remove dead licensing code and extra core setup (#20080)
The extra core setup is no longer needed in Vault Enterprise, and the
licensing code here has no effect here or in Vault Enterprise.

I pulled this commit into Vault Enterprise and it still compiled fine,
and all tests pass. (Though a few functions can be deleted there as
well after this is merged.)
2023-04-11 10:30:05 -07:00
Jaymala d414a703e4
Use absolute path for debug datadir (#20069)
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2023-04-11 13:06:51 -04:00
Jonathan Frappier 6980579388
Fix list formatting (#20076) 2023-04-11 09:25:12 -07:00
miagilepner c8b4afd189
Require activity log retention months at least the minimum (#20078)
* reject retention month updates that are less than min retention months

* add changelog

* reword error

* switch to retention_months
2023-04-11 15:09:01 +00:00
Alexander Scheel 5389477107
Make config load consistent with config write (#20059)
When reading the config, we attempt to detect if the running Vault
instance has been changed from its Enterprise status on write.
Similarly, we should detect if the mount is a local mount instead. While
this isn't changeable at runtime, using sys/raw to side-load an invalid
config could be possible.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-11 11:05:43 -04:00
Alexander Scheel 3e36a58cf7
Support namespaces in test helpers (#20048)
Sometimes the tests will modify the client to set a namespace; this
results in testhelpers sometimes trying to access sys/ endpoints with a
namespace, which usually don't work well.

Detect an unset namespaces, if present, before executing, and restore
afterwards so as not to affect the tests.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-11 14:09:16 +00:00
John-Michael Faircloth 8a4e50fa64
secrets/openldap: add creds/ endpoint to API docs (#19973) 2023-04-11 08:42:50 -05:00
Alexander Scheel 509f862494
Log, don't err, on unified delta WAL write failure (#20057)
* Log, don't err, on unified delta WAL write failure

When the PBPWF fails on the Active node of a PR Secondary cluster with a
read-only failure, there is no value in forwarding this request up to
the Active node of the PR Primary cluster: it does not have the local
revocation context necessary to write a Delta WAL entry for this
request, and would likely end up writing a cross-cluster revocation
entry (if it is enabled) or else erring completely.

Instead, log this error like we do when failing to write unified CRL
entries. Switch both to using Error instead of Debug for this type of
failure.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-11 09:36:10 -04:00
Kianna 6873c3c58e
UI: VAULT-9409 Pki Tidy Form (#20043) 2023-04-10 23:07:26 -07:00
claire bontempo 45737ddd3c
UI: Fix remaining DocLink paths (#20070)
* fix remaining doclinks

* add changelog

* Apply suggestions from code review

fix links
2023-04-10 23:26:50 +00:00
Anton Averchenkov 194ce13a95
openapi: Add display attributes for database plugin (#19414) 2023-04-10 14:22:02 -04:00
Anton Averchenkov 9d3ab193a5
openapi: Add display attributes for transit plugin (#19575) 2023-04-10 14:20:53 -04:00
Anton Averchenkov f257d68576
openapi: Add display attributes for RabbitMQ plugin (#19540) 2023-04-10 14:19:32 -04:00
Anton Averchenkov c61052ef29
openapi: Add display attributes for SSH plugin (#19543) 2023-04-10 14:18:00 -04:00
Anton Averchenkov 592d3464f6
openapi: Add display attributes for TOTP plugin (#19544) 2023-04-10 13:32:15 -04:00
Alexander Scheel f0fc48c788
Only log stopping rollback manager once (#20041)
When testing the Rollback Manager's one-time invocation in Enterprise,
it was noticed that due to the channel being closed, we'd always hit
this case and thus spam logs rather quickly with this message.

Switch to a boolean flip to log this once, as it is not executed in
parallel and thus doesn't need a sync.Once.

This only affected anyone calling the test core's
StopAutomaticRollbacks() helper.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-10 13:24:03 -04:00
Yoko Hyakuna de1eeffdcf
[Docs] Add tutorial links to install doc (#20051)
* Add tutorial links for additional guidance

* Removed extra space
2023-04-10 08:52:48 -07:00
Chelsea Shaw bb6964e18e
UI: Mount PKI options + allowed_managed_keys (#19791) 2023-04-07 14:05:29 -07:00
Christopher Swenson 43912fe0e2
Update docs for Helm 0.24.0 release (#20049)
Release: https://github.com/hashicorp/vault-helm/releases/tag/v0.24.0
2023-04-07 14:03:43 -07:00
Anton Averchenkov f61ce6874c
Use vault/sdk v0.9.0 (#20050) 2023-04-07 15:14:35 -04:00
Kyle Schochenmaier c3ef3d9c3f
add upgrade documentation around STS lease_duration issue (#20011)
* add upgrade documentation around STS lease_duration issue

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
2023-04-07 17:34:42 +00:00
Anton Averchenkov 33bc8f5d00
openapi: Add display attributes for GitHub auth (#19384)
Please see https://github.com/hashicorp/vault/pull/19319 for more details on how this will affect the generated OpenAPI schema.

____

### The following OperationID's will be generated for GitHub auth:

github-read-configuration
github-configure
github-log-in
github-read-teams
github-read-team-mapping
github-write-team-mapping
github-delete-team-mapping
github-read-users
github-read-user-mapping
github-write-user-mapping
github-delete-user-mapping
2023-04-07 13:30:26 -04:00
Anton Averchenkov 7ed4a429f7
openapi: Add display attributes for Nomad plugin (#19415)
Please see #19319 for more details on how this will affect the generated OpenAPI schema.
___

The following OperationID's will be generated for Nomad plugin:

nomad-read-access-configuration
nomad-configure-access
nomad-delete-access-configuration
nomad-read-lease-configuration
nomad-configure-lease
nomad-delete-lease-configuration
nomad-generate-credentials
nomad-list-roles
nomad-read-role
nomad-write-role
nomad-delete-role
2023-04-07 13:21:21 -04:00
Anton Averchenkov c915dea526
openapi: Add display attributes for LDAP auth (#19389) 2023-04-07 13:16:17 -04:00
Anton Averchenkov 2ec2d050c0
openapi: Add display attributes for Radius auth (#19392) 2023-04-07 13:14:44 -04:00
Anton Averchenkov 44d4f39e1b
openapi: Add display attributes for cert auth (#19383) 2023-04-07 13:12:56 -04:00
Andreas Gruhler 0036a35c58
Update helm.mdx (#20020)
I was wondering why the default VaultAuth CR was not created. It was due the fact that I copy/pasted the snippet from the docs here, which has the wrong key.
2023-04-07 09:31:08 -07:00
ram-parameswaran 29182ae562
update index.mdx with correct installation doc ref (#19932)
* update index.mdx with correct installation doc ref

update index.mdx with installation doc ref to point to the right installation.mdx path

* Update installation ref

Update installation ref

* Update index ref without relative path

Update installation doc index ref without relative path
2023-04-07 08:48:23 -07:00
Brian Shumate 29fdfeeb04
API docs: update Transit restore payload example (#20032)
- Correct JSON payload example
2023-04-07 08:14:43 -04:00
Kuba Wieczorek af0adf85fa
Fix issues tripping the actionlint linter again (#20026) 2023-04-06 17:04:09 +00:00
Anton Averchenkov 56698d6d15
openapi: Add display attributes for token/ (#19399) 2023-04-06 11:11:49 -04:00
Anton Averchenkov 543efc83e4
openapi: Add display attributes for PKI plugin (#19422) 2023-04-06 11:10:01 -04:00