* handle HTTP PATCH requests as logical.PatchOperation
* update go.mod, go.sum
* a nil response for logical.PatchOperation should result in 404
* respond with 415 for incorrect MIME type in PATCH Content-Type header
* add abstraction to handle PatchOperation requests
* add ACLs for patch
* Adding JSON Merge support to the API client
* add HTTP PATCH tests to check high level response logic
* add permission-based 'kv patch' tests in prep to add HTTP PATCH
* adding more 'kv patch' CLI command tests
* fix TestHandler_Patch_NotFound
* Fix TestKvPatchCommand_StdinValue
* add audit log test for HTTP PATCH
* patch CLI changes
* add patch CLI tests
* change JSONMergePatch func to accept a ctx
* fix TestKVPatchCommand_RWMethodNotExists and TestKVPatchCommand_RWMethodSucceeds to specify -method flag
* go fmt
* add a test to verify patching works by default with the root token
* add changelog entry
* get vault-plugin-secrets-kv@add-patch-support
* PR feedback
* reorder some imports; go fmt
* add doc comment for HandlePatchOperation
* add json-patch@v5.5.0 to go.mod
* remove unnecessary cancelFunc for WriteBytes
* remove default for -method
* use stable version of json-patch; go mod tidy
* more PR feedback
* temp go get vault-plugin-secrets-kv@master until official release
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
* store unauthenticated path wildcards in map
* working unauthenticated paths with basic unit tests
* refactor wildcard logic
* add parseUnauthenticatedPaths unit tests
* use parseUnauthenticatedPaths when reloading backend
* add more wildcard test cases
* update special paths doc; add changelog
* remove buggy prefix check; add test cases
* prevent false positives for prefix matches
If we ever encounter a mismatched segment, break and set a flag to
prevent false positives for prefix matches.
If it is a match we need to do a prefix check. But we should not return
unless HasPrefix also evaluates to true. Otherwise we should let the for
loop continue to check other possibilities and only return false once
all wildcard paths have been evaluated.
* refactor switch and add more test cases
* remove comment leftover from debug session
* add more wildcard path validation and test cases
* update changelong; feature -> improvement
* simplify wildcard segment matching logic
* refactor wildcard matching into func
* fix glob matching, add more wildcard validation, refactor
* refactor common wildcard errors to func
* move doc comment to logical.Paths
* optimize wildcard paths storage with pre-split slices
* fix comment typo
* fix test case after changing wildcard paths storage type
* move prefix check to parseUnauthenticatedPaths
* tweak regex, remove unneeded array copy, refactor
* add test case around wildcard and glob matching
* Customizing HTTP headers in the config file
* Add changelog, fix bad imports
* fixing some bugs
* fixing interaction of custom headers and /ui
* Defining a member in core to set custom response headers
* missing additional file
* Some refactoring
* Adding automated tests for the feature
* Changing some error messages based on some recommendations
* Incorporating custom response headers struct into the request context
* removing some unused references
* fixing a test
* changing some error messages, removing a default header value from /ui
* fixing a test
* wrapping ResponseWriter to set the custom headers
* adding a new test
* some cleanup
* removing some extra lines
* Addressing comments
* fixing some agent tests
* skipping custom headers from agent listener config,
removing two of the default headers as they cause issues with Vault in UI mode
Adding X-Content-Type-Options to the ui default headers
Let Content-Type be set as before
* Removing default custom headers, and renaming some function varibles
* some refacotring
* Refactoring and addressing comments
* removing a function and fixing comments
* filter identity token keys
* Update test cases to associate keys with roles
* use getOIDCRole helper
* add func comment and test assertion
* add changelog
* remove unnecessary code
* build list of keys to return by starting with a list of roles
* move comment
* update changelog
* remove cruft
use helper
Add a helper for getting public key sizes
wip
* error names
* Fix ecdsa
* only if trace is on
* Log listener side as well
* rename
* Add remote address
* Make the log level configurable via the env var, and a member of the Listener and thus modifiable by tests
* Fix certutil_test
* Adds ability to define an inline policy and internal metadata to tokens
* Update comment on fetchEntityAndDerivedPolicies
* Simplify handling of inline policy
* Update comment on InternalMeta
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Improve argument name
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* Use explicit SkipIdentityInheritance token field instead of implicit InlinePolicy behavior
* Add SkipIdentityInheritance to pb struct in token store create method
* Rename SkipIdentityInheritance to NoIdentityPolicies
* Merge latest from main and make proto
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* move merge and compare states to vault core
* move MergeState, CompareStates and ParseRequiredStates to api package
* fix merge state reference in API Proxy
* move mergeStates test to api package
* add changelog
* ghost commit to trigger CI
* rename CompareStates to CompareReplicationStates
* rename MergeStates and make compareStates and parseStates private methods
* improved error messaging in parseReplicationState
* export ParseReplicationState for enterprise files
- When two entities are merged, remove the from entity ID in any
associated groups.
- When two entities are merged, also merge their associated group
memberships.
Fixes#10084
* Update Go client libraries for etcd
* Added etcd server container to run etcd3 tests automatically.
* Removed etcd2 test case: it fails the backend tests but the failure is
unrelated to the uplift. The etcd2 backend implementation does not
remove empty nested nodes when removing leaf (see comments in #11980).
* core: set namespace from the sysview's mount entry on GeneratePasswordFromPolicy
* test: update TestDynamicSystemView to be ns-aware, update tests
* add changelog entry
* [VAULT-3519] Return no_default_policy on token role read if set
* [VAULT-3519] Add changelog
* [VAULT-3519] Always return token_no_default_policy on role read
* Fix broken test
* Update role read response in docs
* Add allowed_policies_glob and disallowed_policies_glob that are the same as allowed_policies and disallowed_policies but allow glob matching.
* Update changelog, docs, tests, and comments for (dis)allowed_token_glob token role feature.
* Improve docs and unit tests for auth/token role policy globbing.
* Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation.
* Add changelog.
* Minor updates as suggested.
* Adding external test for wrapped accessor.
* Add check that mounttype is approle.
* Update changelog text to use improvement
* add keys path and initial handler
* read provider public keys
* add test cases
* remove some debug logs
* update tests after merging main
* refactor list all clients
* refactor logic to collect Key IDs
* pre-publish new signing keys for `rotation_period` of time before using
* Work In Progress: Prepublish JWKS and even cache control
* remove comments
* use math/rand instead of math/big
* update tests
* remove debug comment
* refactor cache control logic into func
* don't set expiry when create/update key
* update cachecontrol name in oidccache for test
* fix bug in periodicfunc test case
* add changelog
* remove confusing comment
* add logging and comments
* update change log from bug to improvement
Co-authored-by: Ian Ferguson <ian.ferguson@datadoghq.com>
* identity: handle creation of role without a key parameter
* update docs to not require key parameter for creation of a role
* add changelog
* require key param when creating a role
* lock create/update role; remove now redundant key check
* update changelog and UTs
* update change log to refelct actual implementation
* remove deprecated test case
* Auto-join support for IPv6 discovery
The go-discover library returns IP addresses and not URLs. It just so
happens net.URL parses "127.0.0.1", which isn't a valid URL.
Instead, we construct the URL ourselves. Being careful to check if it's
an ipv6 address and making sure it's in explicit form if so.
Fixes#12323
* feedback: addrs & ipv6 test
Rename addrs to clusterIPs to improve clarity and intent
Tighten up our IPv6 address detection to be more correct and to ensure
it's actually in implicit form
* OIDC Provider: implement discovery endpoint
* handle case when provider does not exist
* refactor providerDiscover struct and add scopes_supported
* fix authz endpoint
* initial commit
* add read and delete operations
* fix bug in delete and add list unit test
* func doc typo fix
* add existence check for assignment
* remove locking on the assignment resource
It is not needed at this time.
* convert Callbacks to Operations
- convert Callbacks to Operations
- add test case for update operations
* add CRUD operations and test cases
* add client api and tests
* remove use of oidcCache
* remove use of oidcCache
* add template validation and update tests
* remove usage of oidcCache
* refactor struct and var names
* harmonize test name conventions
* refactor struct and var names
* add changelog and refactor
- add changelog
- be more explicit in the case where we do not recieve a path field
* refactor
be more explicit in the case where a field is not provided
* remove extra period from changelog
* update scope path to be OIDC provider specific
* refactor naming conventions
* update assignment path
* update scope path
* enforce key existence on client creation
* removed unused name field
* removed unused name field
* removed unused name field
* prevent assignment deletion when ref'ed by a client
* enfoce assignment existence on client create/update
* update scope template description
* error when attempting to created scope with openid reserved name
* fix UT failures after requiring assignment existence
* disallow key deletion when ref'ed by existing client
* generate client_id and client_secret on CreateOp
* do not allow key modification on client update
* return client_id and client_secret on read ops
* small refactor
* fix bug in delete assignment op
* remove client secret get call
* OIDC Client API: add more test coverage
* change name convention in tests
* initial commit
* add read and delete operations
* fix bug in delete and add list unit test
* func doc typo fix
* add existence check for assignment
* remove locking on the assignment resource
It is not needed at this time.
* convert Callbacks to Operations
- convert Callbacks to Operations
- add test case for update operations
* add CRUD operations and test cases
* add client api and tests
* remove use of oidcCache
* remove use of oidcCache
* add template validation and update tests
* remove usage of oidcCache
* refactor struct and var names
* harmonize test name conventions
* refactor struct and var names
* add changelog and refactor
- add changelog
- be more explicit in the case where we do not recieve a path field
* refactor
be more explicit in the case where a field is not provided
* remove extra period from changelog
* update scope path to be OIDC provider specific
* refactor naming conventions
* update assignment path
* update scope path
* enforce key existence on client creation
* removed unused name field
* removed unused name field
* removed unused name field
* prevent assignment deletion when ref'ed by a client
* enfoce assignment existence on client create/update
* update scope template description
* error when attempting to created scope with openid reserved name
* fix UT failures after requiring assignment existence
* disallow key deletion when ref'ed by existing client
* generate client_id and client_secret on CreateOp
* do not allow key modification on client update
* return client_id and client_secret on read ops
* small refactor
* fix bug in delete assignment op
* remove client secret get call
* initial commit
* add read and delete operations
* fix bug in delete and add list unit test
* func doc typo fix
* add existence check for assignment
* remove locking on the assignment resource
It is not needed at this time.
* convert Callbacks to Operations
- convert Callbacks to Operations
- add test case for update operations
* add CRUD operations and test cases
* remove use of oidcCache
* remove use of oidcCache
* add template validation and update tests
* refactor struct and var names
* harmonize test name conventions
* refactor struct and var names
* add changelog and refactor
- add changelog
- be more explicit in the case where we do not recieve a path field
* refactor
be more explicit in the case where a field is not provided
* remove extra period from changelog
* update scope path to be OIDC provider specific
* update assignment path
* update scope path
* removed unused name field
* removed unused name field
* update scope template description
* error when attempting to created scope with openid reserved name
* oss part of vault 2399
* Update vault/quotas/quotas.go
Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
* use OSS PR number as changelog entry as indicated by the changelog guide
Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
* initial commit
* add read and delete operations
* fix bug in delete and add list unit test
* func doc typo fix
* add existence check for assignment
* remove locking on the assignment resource
It is not needed at this time.
* convert Callbacks to Operations
- convert Callbacks to Operations
- add test case for update operations
* remove use of oidcCache
* refactor struct and var names
* harmonize test name conventions
* add changelog and refactor
- add changelog
- be more explicit in the case where we do not recieve a path field
* remove extra period from changelog
* update assignment path
* removed unused name field
* VAULT-2285 adding capability to accept comma separated entries for auth enable/tune
* Adding changelog
* Adding logic to detect invalid input parameter for auth enable config
* Updating tune.mdx
* Updating secret enable/tune for comma separated parameters
* Adding further parameter checks for auth/secret tests
Fixing changelog
using builtin type for a switch statement
Fixing a possible panic scenario
* Changing a function name, using deep.Equal instead of what reflect package provides
* Fixing auth/secret enable/tune mdx files
* One more mdx file fix
* Only when users provide a single comma separated string in a curl command, split the entries by commas
* Fixing API docs for auth/mount enable/tune for comma separated entries
* updating docs, removing an unnecessary switch case
* do not allow token_ttl to be longer than verification_ttl
* add verification when updating an existing key
When updating a key, ensure any roles referencing the key do not already
have a token_ttl greater than the key's verification_ttl
* add changelog
* remove unneeded UT check and comment
* refactor based on PR comments
- remove make slice in favor of var delcaration
- remove unneeded if check
- validate expiry value during token generation
- update changelog as bug
* refactor get roles referencing target key names logic
* add note about thread safety to helper func
* update func comment
* sort array and refactor func names
* add warning to return response
* remove unnecessary code from unit test
* Update vault/identity_store_oidc.go
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
* hghaf099-VAULT-1303-Adding namespace in error when it is set
* casting ResponseWriter in handleMonitor to logical.NamespaceResponseWriter
* Casting ResponseWriter conditionally for http.Flusher
Adding changelog
* Improving changlog message
* save
* save
* save
* first round of the diagnose language pass
* capitalization
* first round of feedback
* fix bug in advise
* a few more nouns to verbs
* prototype function to retry irrevocable lease revocation, clean up comment
* setup irrevocable lease revoke retry on expiration manager creation
* reduce expiration lag to 1 hour, use core context and timeout on retry attempts
* add lease namespace to revocation call
* start irrevocable revocation attempts in setupExpiration
* grab reference to channel to avoid race test failures
* add leases path to sudo required set
* update TestSystemBackend_RootPaths with new special privilege paths
* note that list-leases requires sudo
* minor typo fixes
* diagnose: Add seal transit tls check
* Fixing the path to the config file and the path to the cert files
* Addressing comment
* Addressing seal transit tls check comments
* tls verification bugfix
* tls verification bugfix
* allow diagnose fail to report status when there are also warnings
* allow diagnose fail to report status when there are also warnings
* Update vault/diagnose/helpers_test.go
Co-authored-by: swayne275 <swayne275@gmail.com>
* comments
Co-authored-by: swayne275 <swayne275@gmail.com>
* Checking Validity of all Certs in the chain
* Addressing Comments for TLS cert validation
* Fixing tls_verification tests
* Fixing minor issue in tls_verification tests
* Addressing Comments, Rebasing with main
* Adding comment on top of a test
* Actually call config.Validate in diagnose
* Wire configuration checks into diagnose and fix resulting bugs.
* go mod vendor
* Merge to vendorless version
* Remove sentinel section to allow diagnose_ok to pass
* Fix unit tests
* raft file and quorum checks
* raft checks
* backup
* raft file checks test
* address comments and add more raft and file and process checks
* syntax issues
* modularize functions to compile differently on different os
* compile raft checks everywhere
* more build tag issues
* raft-diagnose
* correct file permission checks
* upgrade tests and add a getConfigOffline test that currently does not work
* comment
* update file checks method signature on windows
* Update physical/raft/raft_test.go
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* raft tests
* add todo comment for windows root ownership
* voter count message
* raft checks test fixes
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
* initial refactoring of unseal step in run
* remove waitgroup
* remove waitgroup
* backup work
* backup
* backup
* completely modularize run and move into diagnose
* add diagnose errors for incorrect number of unseal keys
* comment tests back in
* backup
* first subspan
* finished subspanning but running into error with timeouts
* remove runtime checks
* merge main branch
* meeting updates
* remove telemetry block
* roy comment
* subspans for seal finalization and wrapping diagnose latency checks
* backup while I fix something else
* fix storage latency test errors
* runtime checks
* diagnose with timeout on seal
* Acquire a per-lock lease to make renew and revoke atomic wrt each other.
This means we don't have to hold pendingLock during I/O.
* Attempted fix for deadlock in token revocation.
* Comment fix.
* Fix error checking in loadEntry.
* Add benchmark
* Add a few additional locking locations
* Improve benchmark slightly
* Update vault/expiration.go
Co-authored-by: swayne275 <swayne275@gmail.com>
* Update vault/expiration.go
Co-authored-by: swayne275 <swayne275@gmail.com>
* Add a lease lock into tidy
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
Co-authored-by: swayne275 <swayne275@gmail.com>
