Commit graph

14707 commits

Author SHA1 Message Date
Meggie c80d5805dc
Make backport assistant work with ENT backport tags (#13876)
* Make backport assistant work with ENT backport tags

I want the regexp to include word characters and the plus sign on
enterprise. I'm confused about the levels of escaping required, because
this is a shell env var that gets passed to a go program as a regular
expression. I didn't escape the square brackets because the parens
weren't escaped. I matched what was done previously with the '.'s for
the '+' because I also want that literal, but it was unclear from
playing around with https://regex101.com/ and go regexps whether the
extra backslashes were required for the '+' char.

* Update .github/workflows/backport.yml

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-02-02 16:37:56 -05:00
claire bontempo 3d013bc266
UI/Fix activity and monthly serializer (#13879)
* return new object

* rename variables and return truncating of data to component (from serializer)

* fix serializer
2022-02-02 13:24:24 -08:00
Arnav Palnitkar 91e5877d4a
Fix kv secret access bug (#13872)
* Fix kv secret access bug

- Set permissions state when call is successful

* Added changelog
2022-02-03 01:46:03 +05:30
claire bontempo 34630f6557
UI/Add CSV export, update history and current tabs (#13812)
* add timestamp to attribution

* create usage stat component

* updates stat text boxes

* remove flex-header css

* remove comment

* add empty state if no data

* update monthly serializer

* remove empty state - unnecessary

* change tab to 'history'

* add usage stats to history view

* change css styling for upcased grey subtitle

* correctly exports namespace and auth data

* close modal on download

* test making a service?

* fix monthly attrs

* update csv content format

* remove component and make downloadCsv a service

* update function name

* wip//add warning labels, fixing up current and history tabs

* wip//clean up serializer fix with real data

* fix link styling:

* add conditionals for no data, add warning for 1.9 counting changes

* naming comment

* fix tooltip formatting

* fix number format and consolidate actions

* remove outdated test

* add revokeObjectURL and rename variable

* fix errors and empty state views when no activity data at all

* fix end time error

* fix comment

* return truncating to serializer

* PR review cleanup

* return new object
2022-02-02 11:46:59 -08:00
mickael-hc a562beaba8
update changelog with recent security entries (#13868)
This includes:
* HSEC-2021-33 / CVE-2021-45042
* HSEC-2021-30 / CVE-2021-43998
* HSEC-2021-27 / CVE-2021-41802
2022-02-02 11:12:54 -05:00
Angel Garbarino 53aae016f7
Client Count Calendar widget updates (#13777)
* setup

* handle current billing period

* handle billing period selection

* clean up

* clean up

* turn serializer to class

* change to classes

* placeholding, handles timezone issues for this.startTime

* put in depen

* fixing timezone issues for endTime

* clean up

* move formating on Get to the adapter. Still need to return formating from Get on serializer

* fix current billing period

* move all inside queryRecord to hit serilaizer

* move to serializer

* clean up

* calendar clean up

* clean up

* fix styling

* small fixes

* small fixes

Co-authored-by: Claire Bontempo <cbontempo@hashicorp.com>
2022-02-01 13:45:01 -07:00
Tom Proctor 5032cfaf47
Add make fmt CI check (#13803)
* Add make fmt CI check

* Don't suppress patch output
2022-01-31 23:24:16 +00:00
Tom Proctor fce9c92c5b
Update k8s auth long-lived token instructions (#13852) 2022-01-31 23:16:01 +00:00
Gregory Harris c260d35ab1
Support Y10K value in notAfter field when signing non-CA certificates (#13736)
* Support Y10K value in notAfter field when signing non-CA certificates

* Add changelog entry for 13736

* Add test for using not_after parameter for non-CA certificates that are being signed

* Fix CA value for test for not_after value when signing non-CA certs

* Address formatting

* Add changelog file

* Revert changelog entry commit f28b54e7b5ad21144c8a2da942d766e64a332caf
2022-01-31 15:37:50 -06:00
Anoop Vijayan Maniankara f5b9aefd1e
Update mssql.mdx with typo error (#13527)
user sa -> vaultuser
2022-01-31 14:56:37 -05:00
Matt Schultz 00bafb873e
Bump timeout for gauge testing to 500 ms from 100 ms. (#13836) 2022-01-31 12:01:48 -06:00
claire labry 2d2e116e1e
add security-scan for CRT (#13627)
* add security-scan

* updating the alpine version

* clean up

* update the alpine version to be more prescriptive
2022-01-31 11:35:25 -05:00
Noel Quiles 29ae450a09
chore: Add Demandbase tag to consent manager (#13796) 2022-01-28 14:15:07 -05:00
Sebastien Rosset fd209183d1
Update upgrade-to-1.3.10.mdx (#12341)
The upgrade guide indicates the upgrade path between two identical versions (1.3.10). Presumably you meant compared to 1.3.9?
2022-01-28 09:27:23 -08:00
Joshua Gilman de51e14f66
Add vaultrs Rust crate to community libraries (#12402)
This change proposes adding [vaultrs](https://crates.io/crates/vaultrs) to the list of community-supported libraries. This crate has a mature base and is expected to expand to accommodate most of the API.
2022-01-28 09:02:31 -08:00
Austin Gebauer 17b2e0d259
auth/oidc: Documentation updates for Azure AD applications (#13819) 2022-01-28 08:34:36 -08:00
Steven Clark 69ac11a564
Documentation updates for new keys for PKCS#11 unsealing (#13814)
* Document new force_rw_session parameter within pkcs11 seals

* documentation for key_id and hmac_key_id fields

* Apply suggestions from code review

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/configuration/seal/pkcs11.mdx

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: rculpepper <rculpepper@hashicorp.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-01-28 11:25:02 -05:00
Victor Rodriguez e58c80801e
Add new parameter managed_key_id for PKI CA key generation. (#13825) 2022-01-28 11:14:20 -05:00
Dominik Roos 7a6ae24e9f
pki: calculate Subject Key Identifier according to RFC 5280 (#11218)
Calculate the Subject Key Identifier as suggested in RFC 5280, Section 4.2.1.2

> (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
value of the BIT STRING subjectPublicKey (excluding the tag,
length, and number of unused bits).

fixes #11153
2022-01-28 10:46:51 -05:00
mickael-hc 45875e2e9d
docs: add cluster-to-cluster communications to external threat overview (#13805) 2022-01-28 10:15:22 -05:00
Gary Frederick ff7a08c364
Remove fmt strings and replace with inline queries (#13799)
* removed fmt strings and replaced with inline SQL | added unit tests

* changelog++
2022-01-27 15:20:13 -08:00
Scott Miller 86175b2e82
Add notes on the PKI cert generation forwarding regression (#13815)
* Add notes on the PKI cert generation forwarding regression

* content

* typo

* iterate

* extra space
2022-01-27 16:36:50 -06:00
Scott Miller 743b0e1905
Clarify that backend authors can specify that all or no values are sealwrapped (#13813)
* Clarify that backend authors can specify that all or no values are sealwrapped rather than the vague statement that all values _may_ be seal wrapped

* typo
2022-01-27 15:30:55 -06:00
Alexander Scheel 705439885d
Remove deprecated call to BuildNameToCertificate (#13811)
This function call was previously used to generate mappings from
potential subjects (or SANs) to certificates within the TLS client
object. However, newer Go versions have deprecated this method, instead
building the mapping automatically based on present certificates at
request time. Because the corresponding client configuration field is
not used in Vault (NameToCertificate), it is safe to remove this call
and leave it nil.

See also: 67d894ee65
See also: https://pkg.go.dev/crypto/tls#Config.BuildNameToCertificate

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-01-27 14:56:21 -05:00
claire bontempo 34ad4ca9f1
UI/Current month view (#13788)
* add timestamp to attribution

* create usage stat component

* updates stat text boxes

* remove flex-header css

* remove comment

* add empty state if no data

* update monthly serializer

* remove empty state - unnecessary
2022-01-27 10:59:08 -08:00
Meggie d0efb80c23
Updating website for 1.9.3 (#13808) 2022-01-27 13:56:27 -05:00
Meggie c613208815
changelog++
Fixing formatting
2022-01-27 13:08:02 -05:00
Josh Black d249fad2df
reformat using 'make fmt' (#13794) 2022-01-27 10:06:34 -08:00
Meggie 031786617e
changelog++ 2022-01-27 13:04:45 -05:00
Meggie 851675dbe6
changelog++
Still need to update the 1.10 pending changes
2022-01-27 11:46:58 -05:00
Matt Schultz b8f46407dd
Fix a transit deadlock (#13795)
* Fix a transit deadlock caused by indefinite lock holding in key autorotation.

* Move down manual policy locking in transit autorotation to avoid NPE.

* Wrap conditional transit key autorotation in a function to allow for cleaner policy lock management.

* Remove a dnagling continue statement from transit key autorotation.
2022-01-27 06:57:11 -06:00
Steven Clark 43087c96b2
OSS integration of the PKI plugin with managed key infrastructure (#13793)
- The OSS side of things to leverage managed keys from the PKI secrets engine
2022-01-26 23:06:25 -05:00
Rémi Lapeyre cf8b5642f2
Add remote_port in the audit logs when it is available (#12790)
* Add remote_port in the audit logs when it is available

The `request.remote_port` field is now present in the audit log when it
is available:

```
{
  "time": "2021-10-10T13:53:51.760039Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
    "accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
    "display_name": "root",
    "policies": [
      "root"
    ],
    "token_policies": [
      "root"
    ],
    "token_type": "service",
    "token_issue_time": "2021-10-10T15:53:44+02:00"
  },
  "request": {
    "id": "829c04a1-0352-2d9d-9bc9-00b928d33df5",
    "operation": "update",
    "mount_type": "system",
    "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
    "client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
    "namespace": {
      "id": "root"
    },
    "path": "sys/audit/file",
    "data": {
      "description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b",
      "local": false,
      "options": {
        "file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3"
      },
      "type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc"
    },
    "remote_address": "127.0.0.1",
    "remote_port": 54798
  },
  "response": {
    "mount_type": "system"
  }
}
```

Closes https://github.com/hashicorp/vault/issues/7716

* Add changelog entry

* Empty commit to trigger CI

* Add test and explicit error handling

* Change temporary file pattern in test
2022-01-26 15:47:15 -08:00
Noel Quiles 9e08637e3a
Add tag to consent manager (#13768) 2022-01-26 16:17:26 -05:00
Rosemary Wang e1165737dc
Update CSI provider installation on OpenShift (#13763)
Include recommendation to use Vault agent injector on OpenShift
instead of CSI due to production security constraints.
Additional instructions included for testing and development
clusters.
2022-01-26 07:44:15 -08:00
Rémi Lapeyre 961ff4a363
Return num_uses during authentication (#12791)
* Return num_uses during authentication

https://github.com/hashicorp/vault/issues/10664

* Add changelog entry
2022-01-25 18:59:53 -08:00
claire bontempo 0e1424782b
UI/Revert client count work pushed to 1.11, add monthly and activity serializers (#13717)
* adds serializer

* removes all 1.11 related work to monthly/new client counting

* move from new-init-activity to activity

* merge setup changes add monthly model/adapter

* delete new-init-activity files

* add graph to current month view
2022-01-25 14:06:56 -08:00
mickael-hc 3a1a8c4cbf
Fix limits docs to reflect listener variable name (#13776) 2022-01-25 16:45:56 -05:00
Jordan Reimer 8786b6fd08
Remove Faker (#13778)
* removes faker

* attempts to fix global error in circle ci run

* adds comments for destroyed check in file-to-array-buffer component
2022-01-25 13:27:26 -07:00
Rémi Lapeyre 978311fee2
Add read support to sys/auth/:path (#12793)
* Add read support to sys/auth/:path

Closes https://github.com/hashicorp/vault/issues/7411

* Add changelog entry
2022-01-25 11:56:40 -08:00
Tero Saarni f4eea60799
Switch/upgrade to influxdata/influxdb1-client (#12262)
* influxdb v1 client has been split into a separate module from the main influxdb
  code base. This changes uses the correct client, which also allows us to
  get updates and avoids confusing some vulnerability scanners that flagged 
  previous version incorrectly.

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2022-01-25 13:30:24 -05:00
Loann Le 02074f40e7
added missing title (#13775) 2022-01-25 10:19:10 -08:00
Caleb Lemoine f03a176ac3
docs: add vault-plugin-secrets-jenkins to plugin portal page (#13531)
Signed-off-by: circa10a <caleblemoine@gmail.com>
2022-01-24 19:36:42 -08:00
Theron Voran a0ccdfcdb1
docs/k8s: Updates for vault-k8s 0.14.2 and vault-helm 0.19.0 (#13748)
Updated vault and chart versions, and some formatting from the
pre-commit hook. Also updated chart values.
2022-01-24 15:25:52 -08:00
James Bayer 2d3db5ce78
Updated spelling (#13751) 2022-01-24 14:38:13 -08:00
Rémi Lapeyre d6a4a3b53c
Add LIST support to sys/policies/password (#12787)
* Add read support to sys/policies/password

Closes https://github.com/hashicorp/vault/issues/12562

* Add changelog

* Empty commit to trigger CI

* Add optional /

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Use a ListOperation

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-01-24 13:42:14 -08:00
Angel Garbarino 6474e73c97
Client count 1.10 reshuffle (#13767)
* shuffling shuffling i be shuffling

* clean up

* to pass test?
2022-01-24 13:35:46 -07:00
John-Michael Faircloth 4f40189d1a
oidc: check for nil signing key on rotation (#13716)
* check for nil signing key on rotation

* add changelog

* Update nil signing key handling

- bypass setting ExpireAt if signing key is nil in rotate
- return err if singing key is nil in signPayload

* add comment; update error msg on signPayload; refactor UT
2022-01-24 12:05:49 -06:00
Scott Miller 4ee5a8b1cd
PKI - Allow performance secondaries to generate and store certificates locally to them (#13759)
* PKI - Allow performance secondaries to generate and store certificates locally to them

* changelog

Co-authored-by: divyapola5 <divya@hashicorp.com>
2022-01-24 10:03:04 -06:00
davidadeleon 96dfbfbd02
Raft/fix raft telemetry metric unit (#13749)
Converting raft time metrics to Milliseconds over Default Nanoseconds to maintain consistency
2022-01-24 10:51:35 -05:00