* New PKI API to generate and sign a CRL based on input data
- Add a new PKI API that allows an end-user to feed in all the
information required to generate and sign a CRL by a given issuer.
- This is pretty powerful API allowing an escape hatch for 3rd parties
to craft customized CRLs with extensions based on their individual
needs
* Add api-docs and error if reserved extension is provided as input
* Fix copy/paste error in Object Identifier constants
* Return nil on errors instead of partially filled slices
* Add cl
* Add shared helpers across health checks
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add audit_visibility health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add allow_if_modified_since health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add mount-related health checks to CLI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* add compatibility info to consul service reg docs
* fix alert formatting
* add consul dataplane compatibility partial
* add compat partial to more consul doc pages
* fix links
* wip
* Add cached OCSP client support to Cert Auth
* ->pointer
* Code cleanup
* Fix unit tests
* Use an LRU cache, and only persist up to 1000 of the most recently used values to stay under the storage entry limit
* Fix caching, add fail open mode parameter to cert auth roles
* reduce logging
* Add the retry client and GET then POST logic
* Drop persisted cache, make cache size configurable, allow for parallel testing of multiple servers
* dead code
* Update builtin/credential/cert/path_certs.go
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Hook invalidate to reinit the ocsp cache size
* locking
* Conditionally init the ocsp client
* Remove cache size config from cert configs, it's a backend global
* Add field
* Remove strangely complex validity logic
* Address more feedback
* Rework error returning logic
* More edge cases
* MORE edge cases
* Add a test matrix with a builtin responder
* changelog
* Use an atomic for configUpdated
* Actually use ocsp_enabled, and bind to a random port for testing
* Update builtin/credential/cert/path_login.go
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor unit tests
* Add status to cache
* Make some functions private
* Rename for testing, and attribute
* Up to date gofumpt
* remove hash from key, and disable the vault dependent unit test
* Comment out TestMultiOCSP
* imports
* more imports
* Address semgrep results
* Attempt to pass some sort of logging to test_responder
* fix overzealous search&replace
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* refactor ss+modal to accept multiple models
* create policy form
* cleanup and fix test
* add tabs to policy modal form
* add search select with modal to entity form
* update group form;
* allow modal to fit-content
* add changelog
* add check for policy create ability
* add id so tests pass
* filter out root option
* fix test
* add cleanup method
* add ACL policy link
* cleanup from comments
* refactor sending action to parent
* refactor, data down actions up!
* cleanup comments
* form field refactor
* add ternary to options
* update tests
* Remodel component structure for clearer logic
Includes fixing the wizard
* address comments
* cleanup args
* refactor inline oidc assignment form
* add line break
* cleanup comments
* fix tests
* add policy template to ss+modal test
* cleanup =true from test
* final cleanup!!!!!!
* actual final cleanup
* fix typo, please be done
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
* Rename fetch helpers
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Soften language around managed key roots
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add crl list capabilities to cert auth
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add docs on cert auth CRL listing
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test for cert auth listing
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add enable_auto_tidy health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tidy_last_run health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add too_many_certs health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tidy, CRL, cert count checks to CLI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Cache stored leaf cert count
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Correctly parse last run
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add new PKI api to combine and sign different CRLs from the same issuer
- Add a new PKI api /issuer/<issuer ref>/resign-crls that will allow
combining and signing different CRLs that were signed by the same
issuer.
- This allows external actors to combine CRLs into a single CRL across
different Vault clusters that share the CA certificate and key material
such as performance replica clusters and the primary cluster
* Update API docs
* PR Feedback - Delta CRL rename
* Update to latest version of main
* PR Feedback - Get rid of the new caEntry struct
* Address PR feedback in api-docs and PEM encoded response
* Add more PKI related common utilities
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add role_allows_localhost health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add role_allows_glob_wildcards health checks
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add role_no_store_false health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add new checks to the CLI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to new guard style
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Provision role for test
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Address review feedback
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix invalid version check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix message with auto-rebuild enabled
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add known issue about PKI secrets engine with Consul
* Added KB article URL
* Update website/content/docs/secrets/pki/index.mdx
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
We previously tried to extract this log into a function (shouldExit),
but semgrep doesn't expand function invocations, leading us to be forced
to add another rule to the regex.
Instead, add the extraneous `err != nil` conditional into the if
statements, even though skip/err should always be true in these cases
and it should never be evaluated.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
- Within the table specifying the various paths to generate a CSR
in the PKI docs, the new issuers based api has a typo in it missing
the issuers/ prefix.
- Brought to our attention by Chelsea and Claire, thanks!
* Add hardware_backed_root health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add root_issued_leaves health check
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add new health checks to CLI
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add more helpers to common PKI health-check code
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Show config when listing, stable output order
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix %v->%w
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
mcollao-hc