Commit graph

16632 commits

Author SHA1 Message Date
Alexander Scheel 93a11a8678
Better docker support: image building + better command execution (#17231)
* Refactor Docker command execution

This refactor will allow others to interact with containers more easily,
providing two interfaces (RunCmdWithOutput and RunCmdInBackground) for
executing commands in running containers if they don't wish to do so
manually.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow building containerfiles in tests

By adding image building capabilities to testhelpers (and coupled with
the better command execution support), we can begin to build better,
more reliable integration tests on top of public base images without
needing to maintain separate forks of these images out-of-tree for any
shortcomings they might have.

In particular, rather than doing the rather messy echo hack for writing
clients.conf, it is far better to provision this via a slim
Containerfile overlay on top of the stock jumanjiman/radiusd:latest
image.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly parse stdout/stderr in RunCmdWithOutput

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* ctx -> bCtx for BuildContext

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update errors to use %w instead of %v

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-12 10:29:39 -04:00
Alexander Scheel d48e739b1d
Fix tidy-status, tidy-cancel on PR Secondaries (#17497)
* Fix tidy-status, tidy-cancel on PR Secondaries

PKI's tidy-status included a bug that prevented PR secondary nodes from
responding with the status of the running tidy operation: while the
operation constructor correctly forwarded the node on PR standby
instances, the handler itself forwarded also on PR secondary nodes.

This is incorrect as the PR secondary nodes are the active node in the
local PR cluster, and run tidy operations otherwise.

This meant that while auto-tidy and tidy operations would run, there was
no insight into the process.

When implementing tidy-cancel, tidy-status's handler logic was reused,
duplicating the bug there as well.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-12 09:15:06 -04:00
Tom Proctor 918ce6f90e
Docs: Plugin versioning documentation (#17460)
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2022-10-11 23:12:02 +01:00
Violet Hynes ee85f0098a
VAULT-1603 add sys/quotas to root-only api path docs (#17496) 2022-10-11 15:09:29 -04:00
Mike Palmiotto aad41fba5b
docs: Update retry_join Known Issue versions (#17474)
Update the doc to show affected versions 1.11.2 and 1.10.6.
2022-10-11 11:54:36 -04:00
Mariano Asselborn 3c6c6df6c9
Enable Iron Bank integration (#17482) 2022-10-11 10:25:58 -04:00
Anton Averchenkov 1c102979ba
Remove Async-HVAC from recommended libraries list (#17480) 2022-10-10 17:15:32 -04:00
Austin Gebauer ae17e57e73
secrets/ldap: updates documentation (#17481)
* secrets/ldap: updates documentation

* Update website/content/docs/secrets/ldap.mdx

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2022-10-10 13:43:59 -07:00
Brian Shumate 5264783e6c
Docs: Update Transform API (#17477)
- Correct some methods in sample requests
2022-10-10 13:25:31 -04:00
Angel Garbarino a817eabc38
the fix (#17476) 2022-10-10 09:46:04 -07:00
aphorise e4960d0fb0
Docs: What is Vault missing 'S' resolves: #16587 (#17183) 2022-10-10 10:34:21 -04:00
Mike Palmiotto 9dc8744885
Update main to go 1.19.2 (#17437)
* Update go version to 1.19.2

This commit updates the default version of go to 1.19.2. This update
includes minor security fixes for archive/tar, net/http/httputil, and
regexp packages.

For more information on the release, see: https://go.dev/doc/devel/release#go1.19.2

* Update Docker versions in CI to 20.10.17

After updating Vault to go version 1.19.2, there were several SIGABRTs
in the vault tests. These were related to a missing `pthread_create`
syscall in Docker. Since CI was using a much older version of Docker,
the fix was to bump it to latest-1 (20.10.17).

While we're at it, add a note in the developer docs encouraging the use
of the latest Docker version.
2022-10-07 14:24:14 -04:00
Violet Hynes 4ba81e4174
Delete empty test (#17467) 2022-10-07 14:11:52 -04:00
Chris Capurso 2c9b29ab42
fix off by one err in current month client count computation (#17457) 2022-10-07 12:37:09 -04:00
Alexander Scheel fdb13d7481
Don't include issuers on delta CRLs (#17463)
When revoking an issuer, we immediately force a full rebuild of all CRLs
(complete and delta). However, we had forgotten to guard the delta CRL's
inclusion of augmented issuers, resulting in double-listing the issuer's
serial number on both the complete and the delta CRL. This isn't
necessary as the delta's referenced complete CRL number has incremented
to the point where the issuer itself was included on the complete CRL.

Avoid this double reference and don't include issuers on delta CRLs;
they should always appear only on the complete CRL.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-07 12:36:22 -04:00
Steven Clark f0bf670b0c
Unit tests that validate OCSP signatures leverage revocation signature algo (#17452)
- Add some unit tests around the OCSP response validation that we
   are using the proper signature algorithms.
 - Add in test cases as well to validate SHA384 and SHA512 requested hash support
2022-10-07 12:33:17 -04:00
Ruben De Visscher 1f0cf558a9
Fix for duplicate SANs in signed certificates (#16700)
* Fix for duplicate SANs in signed certificates when othernames are present in the CSR SAN extension and UseCSRValues is true.

When UseCSRValues is true (as is the case on the sign-verbatim endpoint), all extensions including Subject Alternative Names are copied from the CSR to the final certificate.
If the Subject Alternative Name in question contains any othernames (such as a Microsoft UPN) the SAN extension is added again as a workaround for an encoding issue (in function HandleOtherSANs).
Having duplicate x509v3 extensions is invalid and is rejected by openssl on Ubuntu 20.04, and also by Go since https://github.com/golang/go/issues/50988 (including in Go 1.19).

In this fix I do not add the extension from the CSR if it will be added during HandleOtherSANs.

* Added unittest and changelog entry.
2022-10-07 12:19:08 -04:00
Nick Cabatoff 39c7e7c191
Add more raft metrics, emit more metrics on non-perf standbys (#12166)
Add some metrics helpful for monitoring raft cluster state.

Furthermore, we weren't emitting bolt metrics on regular (non-perf) standbys, and there were other metrics
in metricsLoop that would make sense to include in OSS but weren't.  We now have an active-node-only func,
emitMetricsActiveNode.  This runs metricsLoop on the active node.  Standbys and perf-standbys run metricsLoop
from a goroutine managed by the runStandby rungroup.
2022-10-07 09:09:08 -07:00
Josh Black ad1503ebcd
disable undo logs by default for 1.12.0 (#17453) 2022-10-07 08:47:40 -07:00
Tom Proctor df690ea414
Plugins: Add -version flag to 'vault plugin info' (#17454)
* Add -version flag to 'vault plugin info'
* Allow specifying a builtin tag when reading a single plugin from the catalog
2022-10-07 15:28:15 +01:00
Austin Gebauer db8c690684
secrets/ldap: updates API documentation (#17448)
* secrets/ldap: updates API documentation

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update website/content/api-docs/secret/ldap.mdx

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
2022-10-07 08:50:37 -05:00
Peter Wilson 191f6e4bf0
Add 'note' for surpassing dead server threshold time (#17455)
* Add 'note' for surpassing dead server threshold time

* Update website/content/docs/commands/operator/raft.mdx

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-10-07 14:26:56 +01:00
Alexander Scheel 412603befd
Fix RevocationSigAlg provisioning in GCP (#17449)
* Fix RevocationSigAlg provisioning in GCP

GCP restricts keys to a certain type of signature, including hash
algorithm, so we must provision our RevocationSigAlg from the root
itself unconditionally in order for GCP to work.

This does change the default, but only for newly created certificates.

Additionally, we clarify that CRL building is not fatal to the import
process.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add inverse mapping for SignatureAlgorithm

By default we'd use .String() on x509.SignatureAlgorithm, but this
doesn't round-trip. Switch to a custom map that is round-trippable
and matches the constant name as there is no other way to get this info
presently.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test to ensure root creation sets rev_sig_alg

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Test round-tripping of SigAlgoNames, InvSigAlgoNames

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix failing Default Update test

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 17:50:49 -04:00
Alexander Scheel a2b1f00a9b
Better docs on PKI key stuff (#17443)
* Clarify signature_bits restrictions apply relative to issuer's key

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify key_type=any roles must sign CSRs; cannot generate keys

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 15:27:53 -04:00
HashiBot e54441b725
Upgrade next version (#17445)
Co-authored-by: Bryce Kalow <bkalow@hashicorp.com>
2022-10-06 15:19:11 -04:00
Josh Black c45c6e51c0
only enable undo logs if all cluster members support it (#17378) 2022-10-06 11:24:16 -07:00
Alexander Scheel 11e4f2600e
Add warning on missing entity information (#17428)
When requesting a SSH certificate with default_extension templating
enabled, if the request lacks entity information and a particular
extension requires templating, just these extensions will be elided.
Other extensions (if present) will still be on the final certificate.

Add a warning in the event of missing entity information and at least
one extension that was skipped as a result.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 14:00:56 -04:00
Christopher Swenson 06d843d3b0
Don't allow write perms to plugins in test (#17439)
We are specifically checking that the writes are now allowed for group
and other.

I don't know how this test was passing on non-arm64 platforms,
but hopefully this should fix it.
2022-10-06 10:09:27 -07:00
Alexander Scheel b85d6ec434
Fix RevocationSigAlgo support in OCSP (#17436)
* Allow OCSP to use issuer's RevocationSigAlgo

When an issuer specifies a RevocationSigAlgo, we should largely follow
this for both CRLs and OCSP. However, x/crypto/ocsp lacks support for
PSS signatures, so we drop these down to PKCS#1v1.5 instead.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning when issuer has PSS-based RevSigAlgo

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about OCSP and PSS support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 12:01:12 -04:00
Nick Cabatoff c32fb1bd61
Add blurb about how you shouldn't import github.com/hashicorp/vault in your project. (#17427) 2022-10-06 09:06:46 -04:00
Tom Proctor 2cf29f93c7
Plugins: Add version info to CLI and server log output (#17430) 2022-10-06 12:54:27 +01:00
AnPucel d869496969
Fix for KV_V2 Custom Metadata Bug (#17395) 2022-10-05 16:43:54 -07:00
Austin Gebauer 6bba760da0
docs/ldap: rename openldap secrets to ldap secrets (#17433) 2022-10-05 13:16:26 -07:00
valli_0x 3ad4d3af6e
core: push entry table type-checking into for loop (#17220)
This commit refactors the `persistAudit`, `persistAuth`, and `persistMount` code paths to perform `entry.Table` type-checking within the same loop as the entry list appending. This saves cycles in the case of success; however, performs some unnecessary appends in the event that an entry has an incorrect table type/value combination.
2022-10-05 15:56:12 -04:00
Jaymala cae8fb1218
Fix Vault version verification for ent editions (#17431)
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-10-05 14:09:06 -04:00
Florin Cătălin Țiucra-Popa 4af76eda14
Update oracle.mdx (#17401)
Remove the duplicated "the" word.
Instead of "the the" it should be only "the".
2022-10-05 10:29:35 -07:00
Nick Cabatoff d5e0353696
Fix unsafe access to perf standby status from systemview (#17186)
Ensure that we don't try to access Core.perfStandby or Core.PerfStandby() from dynamicSystemView, which might be accessed with or without stateLock held.
2022-10-05 08:56:36 -04:00
Tom Proctor 3aa2fe8d8f
Plugins: Tighten requirements for multiplexing (#17403)
Change the multiplexing key to use all `PluginRunner` config (converted to a struct which is comparable), so that plugins with the same name but different env, args, types, versions etc are not incorrectly multiplexed together.

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
2022-10-05 09:29:29 +01:00
Peter Wilson 138c516498
Update plugin consul template v0.29.5 (#17419)
* Updated consul-template to v0.29.5
2022-10-04 22:34:28 +01:00
Jaymala 2321226d82
Update Vault version verification integration test (#17377)
* Update Vault version verification integration test

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Refactor to validate artifact build date

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Address review comments

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Fix capitalization in variable descriptions

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2022-10-04 16:08:26 -04:00
Angel Garbarino 345c65ff04
Bug Fix for Kymgmt keyType on default (#17407)
* the fix

* add test coverage

* changelog

* removes comment
2022-10-04 13:14:25 -06:00
Mike Palmiotto 805843beaa
changelog: fix 1.12.0-rc1, 1.11.4, 1.10.7, 1.9.10 (#17408)
* Update changelog with correct SHAs.
* Clean up some formatting.
2022-10-04 14:51:47 -04:00
Josh Black c7d8e7c7f6
Raft index telemetry and docs (#17397)
* add raft index to telemetry

* add definitions and defaults to both autopilot pages

* adjust messages

* Revert "add raft index to telemetry"

This reverts commit 010b091c7e35c1da677567746db90b490ca707ab.
2022-10-04 11:46:11 -07:00
Violet Hynes 6fddb953e9
VAULT-8631 Upgrade vault-plugin-secrets to v0.13.3, to enable synchronous KVV2 creation (#17406)
* VAULT-8631 Upgrade vault-plugin-secrets to v0.13.2

* VAULT-8631 Update version, go mod tidy

* VAULT-8631 Add changelog
2022-10-04 13:54:38 -04:00
Renato Costa ea1257be2e
fix incorrect use of loop variable (#16872)
This fixes a couple of references to loop variables in parallel tests
and deferred functions. When running a parallel test (calling
`t.Parallel()`) combined with the table-driven pattern, it's necessary
to copy the test case loop variable, otherwise only the last test case
is exercised. This is documented in the `testing` package:

https://pkg.go.dev/testing#hdr-Subtests_and_Sub_benchmarks

`defer` statements that invoke a closure should also not reference a
loop variable directly as the referenced value will change in each
iteration of the loop.

Issues were automatically found with the `loopvarcapture` linter.
2022-10-04 09:23:37 -04:00
Christopher Swenson ff8d8338cc
docs: Add docs for PKCS#11 provider (#17312)
docs: Add docs for PKCS#11 provider

The PKCS#11 provider is being released shortly.
This moves over the preliminary docs and cleans them up.

I added them as a new section under "Vault Enterprise" ->
"PKCS#11 Provider", but I am open to suggestion on if there is a
better place for them, e.g., "Platforms", or somehow merging
with "Vault Enterprise" -> "HSM"?

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-10-03 11:11:46 -07:00
claire bontempo 9cc2f52bc1
UI: Glimmerize search select component (#17276)
* initial commit for glimmerizing search-select

* fix credentials card tests

* WIP/fixing manually passed in options

* note for small change made in other PR

* still a work in progress, but maybe fixed some tests...maybe

* fix path filter config tests

* remove comments

* clean up merge conflicts

* remove redundant subLabel

* remove subLabel, change default label to form field size

* split up format method

* cleanup, try to keep types consistent

* change logic for ss lable

* remove comment

* cleanup naming

* fix incorrect glimmer change

* refactor to allow for parent handling selected options

* update jsdoc and reogranize functions

* add test to path filter config

* address comments, small cleanup

* add test for path filter config ss

* rearrange functions so git diff is easier to compare

* change isNotSectionHeader to isSectionHeader

* add more explicit test coverage, tidying for search select

* small doc tidy

* add comments, one more test! last cleanup!

* fix search select tests
2022-10-03 11:01:34 -07:00
Divya Pola bc9be4064b
Add documentation for KMIP features implemented in 1.12 (#17294)
* Add documentation for KMIP features implemented in 1.12

* Add documentation for kmip-profiles

* Address PR review feedback

* PR review feedback - update links, add intro and remove collapsed tables

* Add PR review feedback
2022-10-03 12:39:04 -05:00
Steven Clark 10ecf10248
PKI: Add support for signature_bits param to the intermediate/generate api (#17388)
* PKI: Add support for signature_bits param to the intermediate/generate api

 - Mainly to work properly with GCP backed managed keys, we need to
   issue signatures that would match the GCP key algorithm.
 - At this time due to https://github.com/golang/go/issues/45990 we
   can't issue PSS signed CSRs, as the libraries in Go always request
   a PKCS1v15.
 - Add an extra check in intermediate/generate that validates the CSR's
   signature before providing it back to the client in case we generated
   a bad signature such as if an end-user used a GCP backed managed key
   with a RSA PSS algorithm.
   - GCP ignores the requested signature type and always signs with the
     key's algorithm which can lead to a CSR that says it is signed with
     a PKCS1v15 algorithm but is actually a RSA PSS signature

* Add cl

* PR feedback
2022-10-03 12:39:54 -04:00
Austin Gebauer fdc6e2e46a
auth/oidc: fix documentation link anchors for Google Workspace integration (#17379) 2022-10-03 09:09:35 -07:00