* Add format-ttl helper
* Add autoRotateInterval to model and serializer for transit key
* Add goSafeTimeString to object returned from TtlPicker2 component
* Add auto rotate interval to transit key components
* clean up unit calculator on ttl-picker, with tests
* Fix tests, cleanup
* Add changelog
* Allow all other_sans in sign-intermediate and sign-verbatim
/sign-verbatim and /sign-intermediate are more dangerous endpoints in
that they (usually) do not have an associated role. In this case, a
permissive role is constructed during execution of these tests. However,
the AllowedOtherSANs field was missing from this, prohibiting its use
when issuing certificates.
Resolves: #13157
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add duration/count metrics to PKI issue and revoke flows
* docs, changelog
* tidy
* last tidy
* remove err
* Update callsites
* Simple returns
* Handle the fact that test cases don't have namespaces
* Add mount point to the request
* fmt
* Handle empty mount point, and add it to unit tests
* improvement
* Turns out sign-verbatim is tricky, it can take a role but doesn't have to
* Get around the field schema problem
* Use application/pem-certificate-chain for PEMs
As mentioned in #10948, it appears we're incorrectly using the
`application/pkix-cert` media type for PEM blobs, when
`application/x-pem-file` is more appropriate. Per RFC 5280 Section
4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in
DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert`
is only applicable when a single DER certificate is used.
Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer `application/pem-certificate-chain` media type for
certificates. However, this is not applicable for CRLs, so we use fall
back to `application/x-pem-file` for these. Notably, no official IETF
source is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* updates regex-validator component to optionally show pattern input and adds capture groups support
* adds form-field-label component
* adds autocomplete-input component
* updates kv-object-editor component to yield block for value and glimmerizes
* updates transform template model
* adds transform-advanced-templating component
* updates form-field with child component changes
* updates transform template serializer to handle differences in regex named capture groups
* fixes regex-validator test
* adds changelog entry
* updates for pr review feedback
* reverts kv-object-editor guidFor removal
* Include full chain in /cert/ca_chain response
This allows callers to get the full chain (including issuing
certificates) from a call to /cert/ca_chain. Previously, most endpoints
(including during issuance) do not include the root authority, requiring
an explicit call to /cert/ca to fetch. This allows full chains to be
constructed without without needing multiple calls to the API.
Resolves: #13489
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case for full CA issuance
We test three main scenarios:
1. A root-only CA's `/cert/ca_chain`'s `.data.ca_chain` field should
contain only the root,
2. An intermediate CA (with root provide) should contain both the root
and the intermediate.
3. An external (e.g., `/config/ca`-provided) CA with both root and
intermediate should contain both certs.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation for new ca_chain field
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about where to find the entire chain
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add check for OIDC provider to permit a non-exact redirect URI from OIDC client if it is the IPv4 or IPv6 loopback address.
* Update changelog/13871.txt
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
* Update redirectURI check to match that for the OIDC auth method.
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
* [api] Add LDAP auth method
This commit adds LDAP to the available Vault API auth methods.
* Add changelog entry for PR 13841
* Obtain password for LDAPAuth from File/EnvVar
* Fix name of package in error message
* Switch parse-pki-cert from node-forge to PKI.js
This replaces the implementation of parse-pki-cert to use PKI.js rather
than node-forge for two reasons:
- PKI.js uses Web Crypto rather than maintaining a built-in
implementation of several algorithms.
- node-forge presently lacks support for ECDSA and Ed25519
certificates.
Related: #13680
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add dependency on PKI.js
$ yarn add -D asn1js pvutils pkijs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove dependency on node-forge
$ yarn remove node-forge
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Support Y10K value in notAfter field when signing non-CA certificates
* Add changelog entry for 13736
* Add test for using not_after parameter for non-CA certificates that are being signed
* Fix CA value for test for not_after value when signing non-CA certs
* Address formatting
* Add changelog file
* Revert changelog entry commit f28b54e7b5ad21144c8a2da942d766e64a332caf
Calculate the Subject Key Identifier as suggested in RFC 5280, Section 4.2.1.2
> (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
value of the BIT STRING subjectPublicKey (excluding the tag,
length, and number of unused bits).
fixes#11153
* influxdb v1 client has been split into a separate module from the main influxdb
code base. This changes uses the correct client, which also allows us to
get updates and avoids confusing some vulnerability scanners that flagged
previous version incorrectly.
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* check for nil signing key on rotation
* add changelog
* Update nil signing key handling
- bypass setting ExpireAt if signing key is nil in rotate
- return err if singing key is nil in signPayload
* add comment; update error msg on signPayload; refactor UT
* Add support for client certificates to -output-curl-string
I did not write tests for this feature as -output-curl-string was not
already tested and this is a simple change. Because the name of the
certificates would be lost once loaded I added fields to Config to keep
track of them. I did not add a public method for the user to set them
explicitely as I don't think anyone would need this functionnality
outside of the Vault CLI.
Closes https://github.com/hashicorp/vault/issues/13376
* Add changelog
* Add lock in ConfigureTLS
* Fix upndomain bug causing alias name to change
* Fix nil map
* Add changelog
* revert
* Update changelog
* Add test for alias metadata name
* Fix code comment
* Accept both -f and --force in the web terminal
This aligns the behavior of the web terminal with the `vault write ...`
command to make it a bit more user friendly.
* Add changelog
* Use === instead of ==
* Add auto_rotate_interval field to transit key creation path.
* Add auto_rotate_interval field to transit key config update path.
* Implement transit automatic key rotation on an hourly interval.
* Fixes transit key autorotation key listing typo.
* Add unit tests for transit key autorotation.
* Add unit tests for transit key creation with autorotation interval.
* Add unit tests for transit key config update with autorotation interval.
* Document new auto_rotate_interval fields in key creation and key config update endpoints.
* Add changelog for transit key autorotation.
* Wrap individual transit key autorotation in a policy lock.
* Add a safeguard to transit key autorotation to ensure only one execution happens simultaneously.
In doing some testing I found that the listener clusteraddr isn't really used, or at least isn't as important as the top-level clusteraddr setting. As such, go-sockaddr templating needs to be implemented for the top-level `cluster_addr` setting or it's unusable for HA.
Also fix a nil pointer panic I discovered at the same time.
The auth/token/revoke will not error out if the token does not exists, it
always tries to revoke the token and return success to the client whether
or not the token exists. This makes the behavior of
auth/token/revoke-accessor coherent with this and remove the need to
check whether the token still exists.
* auth/kubernetes: support for short-lived tokens
* Uplift new version of Kubernetes auth plugin that does not store the
service account token persistently to Vault storage.
* Update the documentation to recommend local token again when running
Vault inside cluster.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
* Added changelog entry
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
* clarification to changelog entry, executed go mod tidy
* clarifications and added targeted release version
* go get vault-plugin-secrets-kv@vault-4290-patch-metadata
* add kv metadata patch command
* add changelog entry
* success tests for kv metadata patch flags
* add more kv metadata patch flags tests
* add kv metadata patch cas warning test
* add kv-v2 key metadata patch API docs
* add kv metadata patch to docs
* prevent unintentional field overwriting in kv metadata put cmd
* like create/update ops, prevent patch to paths ending in /
* fix kv metadata patch cmd in docs
* fix flag defaults for kv metadata put
* go get vault-plugin-secrets-kv@vault-4290-patch-metadata
* fix TestKvMetadataPatchCommand_Flags test
* doc fixes
* go get vault-plugin-secrets-kv@master; go mod tidy
* Add a parameter that disables escaping characters in the username or password fields for secrets engines database connections
* Always disallow template variables inside the username or password
* Fix info-table-row not rendering if alwaysRender=false and only block content present
* use defaultFields for form and nonOperationFields for adapter
* WIP: Move info table row template to addon component dir
* Refactor InfoTableRow to glimmer component
* Add changelog
* passthrough attributes, change @data-test-x to data-test-x on InfoTableRow invocations
Jason O'Donnell