Commit graph

15231 commits

Author SHA1 Message Date
Violet Hynes 6d4497bcbf
VAULT-4306 Ensure /raft/bootstrap/challenge call ignores erroneous namespaces set (#15519)
* VAULT-4306 Ensure /raft/bootstrap/challenge call ignores erroneous namespaces set

* VAULT-4306 Add changelog

* VAULT-4306 Update changelog/15519.txt

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-05-19 16:27:51 -04:00
Robert 6425999ff2
secrets/consul: Use consistent parameter names (#15400)
* Add "consul_policies" parameter and deprecate "policies" parameter

* Update tests and remove superfluous log statements
2022-05-19 14:43:54 -05:00
Christopher Swenson e6fb16be9c
Remove spurious fmt.Printf calls including one of a key (#15344)
And add a semgrep for fmt.Printf/Println.
2022-05-19 12:27:02 -07:00
Alexander Scheel faea196991
Rebase #14178 / Add not_before_duration API parameter to Root/Intermediate CA generation (#15511)
* PKI - Add not_before_duration API parameter to:
  - Root CA generation
  - Intermediate CA generation
  - Intermediate CA signing

* Move not_before_duration to addCACommonFields

This gets applied on both root generation and intermediate signing,
which is the correct place to apply this.

Co-authored-by: guysv <sviryguy@gmail.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Resolves: #10631

Co-authored-by: guysv <sviryguy@gmail.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test case for root/generate, sign-intermediate

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update path role description

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new not_before_duration to relevant docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: guysv <sviryguy@gmail.com>
2022-05-19 12:35:08 -04:00
Alexander Scheel f3d52108b4
Add more CA usage best practices (#15467)
* Add leaf not after best practice

Also suggest concrete recommendations for lifetimes of various issuers.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add advice to use a proper CA hierarchy

Also mention name constraints and HSM backing.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add section on safer usage of Roles

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add initial RBAC example for PKI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-19 11:43:38 -04:00
Alexander Scheel c7efb97f08
Add warning on missing AIA info fields (#15509)
* Add warning on missing AIA info fields

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog:

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-19 11:12:10 -04:00
Alexander Scheel f31149089f
Update FIPS documentation to clarify mlock (#15502)
This clarifies a limitation of the FIPS based container images,
to note that due to OpenShift requirements, we need to suggest
ways of disabling mlock or allowing Vault to set mlock.
2022-05-19 09:31:47 -04:00
claire bontempo 7966a98fc2
UI/cleanup client charts for 1.11 (#15408)
* remove manipulations of data ranges;

* fix bar aligntment

* consume empty months existing on response

* revert grey bar transformation

* up one more line..

* remove attr
2022-05-18 16:47:16 -07:00
Robert c2f49204d9
Fix small typos, update docs terminology (#15504) 2022-05-18 17:23:46 -05:00
kitography 93a1f62567
Vault 6122 pki role issuer name validation (#15473)
* Add a warning when Issuing Certificate set on a role does not resolve.

* Ivanka's requests - add a warning on deleting issuer or changing it's name.

* reduce number of roles to iterate through; only verify roles after migration.  ignore roles deleted behind our back.
2022-05-18 16:21:17 -04:00
Nick Cabatoff bc9f69af2e
Forward autopilot state reqs, avoid self-dialing (#15493)
Make sure that autopilot is disabled when we step down from active node state.  Forward autopilot state requests to the active node.  Avoid self-dialing due to stale advertisement.
2022-05-18 14:50:18 -04:00
claire bontempo af2c9784df
UI/vault 6212/multiple issuer pki changes (#15464)
* pki copy changes

* change delete endpoint and remove warning

* update test

* fix typo

* remove delete capabilities in the ui

* add changelog

* typo fix
2022-05-18 11:31:17 -07:00
claire bontempo 92554ea04e
add 1.11 changelog for client counts1 (#15497) 2022-05-18 11:03:09 -07:00
Alexander Scheel 9a3f34a41e
Vault CLI: show detailed information with ListResponseWithInfo (#15417)
* CLI: Add ability to display ListResponseWithInfos

The Vault Server API includes a ListResponseWithInfo call, allowing LIST
responses to contain additional information about their keys. This is in
a key=value mapping format (both for each key, to get the additional
metadata, as well as within each metadata).

Expand the `vault list` CLI command with a `-detailed` flag (and env var
VAULT_DETAILED_LISTS) to print this additional metadata. This looks
roughly like the following:

    $ vault list -detailed pki/issuers
    Keys                                    issuer_name
    ----                                    -----------
    0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7    n/a
    35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0    n/a
    382fad1e-e99c-9c54-e147-bb1faa8033d3    n/a
    8bb4a793-2ad9-460c-9fa8-574c84a981f7    n/a
    8bd231d7-20e2-f21f-ae1a-7aa3319715e7    n/a
    9425d51f-cb81-426d-d6ad-5147d092094e    n/a
    ae679732-b497-ab0d-3220-806a2b9d81ed    n/a
    c5a44a1f-2ae4-2140-3acf-74b2609448cc    utf8
    d41d2419-efce-0e36-c96b-e91179a24dc1    something

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow detailed printing of LIST responses in JSON

When using the JSON formatter, only the absolute list of keys were
returned. Reuse the `-detailed` flag value for the `-format=json` list
response printer, allowing us to show the complete API response returned
by Vault.

This returns something like the following:

    {
      "request_id": "e9a25dcd-b67a-97d7-0f08-3670918ef3ff",
      "lease_id": "",
      "lease_duration": 0,
      "renewable": false,
      "data": {
        "key_info": {
          "0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7": {
            "issuer_name": ""
          },
          "35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0": {
            "issuer_name": ""
          },
          "382fad1e-e99c-9c54-e147-bb1faa8033d3": {
            "issuer_name": ""
          },
          "8bb4a793-2ad9-460c-9fa8-574c84a981f7": {
            "issuer_name": ""
          },
          "8bd231d7-20e2-f21f-ae1a-7aa3319715e7": {
            "issuer_name": ""
          },
          "9425d51f-cb81-426d-d6ad-5147d092094e": {
            "issuer_name": ""
          },
          "ae679732-b497-ab0d-3220-806a2b9d81ed": {
            "issuer_name": ""
          },
          "c5a44a1f-2ae4-2140-3acf-74b2609448cc": {
            "issuer_name": "utf8"
          },
          "d41d2419-efce-0e36-c96b-e91179a24dc1": {
            "issuer_name": "something"
          }
        },
        "keys": [
          "0cba84d7-bbbe-836a-4ff6-a11b31dc0fb7",
          "35dfb02d-0cdb-3d35-ee64-d0cd6568c6b0",
          "382fad1e-e99c-9c54-e147-bb1faa8033d3",
          "8bb4a793-2ad9-460c-9fa8-574c84a981f7",
          "8bd231d7-20e2-f21f-ae1a-7aa3319715e7",
          "9425d51f-cb81-426d-d6ad-5147d092094e",
          "ae679732-b497-ab0d-3220-806a2b9d81ed",
          "c5a44a1f-2ae4-2140-3acf-74b2609448cc",
          "d41d2419-efce-0e36-c96b-e91179a24dc1"
        ]
      },
      "warnings": null
    }

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use field on UI rather than secret.Data

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Only include headers from visitable key_infos

Certain API endpoints return data from non-visitable key_infos, by
virtue of using a hand-rolled response. Limit our headers to those
from visitable key_infos. This means we won't return entire columns with
n/a entries, if no key matches the key_info key that includes that
header.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use setupEnv sourced detailed info

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix changelog environment variable

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix broken tests using setupEnv

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 13:00:50 -04:00
Pratyoy Mukhopadhyay 62c09bc2be
oss changes (#15487)
* oss changes

* add changelog
2022-05-18 09:16:13 -07:00
Loann Le 561d8d45f8
updated warning (#15459) 2022-05-18 08:26:25 -07:00
Steven Clark a2a7fdc43f
Fix a generic PKI description for key_name and issuer_name fields (#15495)
- The field could be used to be applied to keys/issuers being generated
   or to update the name on existing values.
2022-05-18 11:17:58 -04:00
Steven Clark 7bc9cd2867
Protect against key and issuer name re-use (#15481)
* Protect against key and issuer name re-use
 - While importing keys and issuers verify that the provided name if any has not been used by another key that we did not match against.
 - Validate an assumption within the key import api, that we were provided a single key
 - Add additional tests on the new key generation and key import handlers.

* Protect key import api end-users from using "default" as a name
 - Do not allow end-users to provide the value of default as a name for key imports
   as that would lead to weird and wonderful behaviors to the end-user.

* Add missing api-docs for PKI key import
2022-05-18 10:31:39 -04:00
Alexander Scheel 5ca7065bda
Warn on empty Subject field for issuers (#15494)
* Warn on empty Subject field for issuers

When generating a root or signing an intermediate certificate, it is
possible to have Vault generate a certificate with an empty Subject.
These don't validate in most TLS implementations well, so add a warning.
Note that non-Common Name fields could be present to make a non-empty
subject, so simply requiring a CommonName isn't strictly the best.

For example:

    $ vault write pki/root/generate/exported common_name=""
    WARNING! The following warnings were returned from Vault:
      * This issuer certificate was generated without a Subject; this makes
      it likely that issuing leaf certs with this certificate will cause TLS
      validation libraries to reject this certificate.
    ....

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 10:15:37 -04:00
Alexander Scheel 2518cd1d6c
Remove signature_bits on intermediate generate (#15478)
* Remove signature_bits on intermediate generate

This extraneous field wasn't respected during intermediate generation
and it isn't clear that it should be. Strictly, this field, if it were
to exist, would control the CSR's internal signature algorithm (certutil
defaults to the sane SHA-256 here). However, there's little value in
changing this as the signing authority can and probably will override
the final certificate's signature bits value, completely ignoring
whatever was in the provided CSR.

Removing this field will now cause warnings for those providing the
parameter (which already wasn't respected), which is the desired
behavior. No breakage should occur as a result of this change.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 09:36:39 -04:00
Tom Proctor 1bb40eee16
Update documentation for vault-helm v0.20.0 release (#15450) 2022-05-18 09:50:15 +01:00
Chelsea Shaw bab5fe34f0
UI: Better default transit auto-rotation (#15474)
* TTL Picker convers to largest unit when value is number

* Initial value for transit auto-rotation period is 30d

* Add auto-rotation check to transit test

* Add changelog

* Add clarifying comment
2022-05-17 16:06:57 -05:00
Jason O'Donnell d450b7899f
docs: add note about requiring 3.6+ helm (#15480) 2022-05-17 17:02:26 -04:00
Hamid Ghaf 66c6de50a7
Username format login mfa (#15363)
* change username_template to username_format for login MFA

* fixing a test

* Update website/content/docs/auth/login-mfa/faq.mdx

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-05-17 16:31:50 -04:00
Hamid Ghaf 77be41c83d
possibly forward cached MFA auth response to leader (#15469)
* possibly forward cached MFA auth response to leader

* adding CL
2022-05-17 16:30:36 -04:00
Alexander Scheel f6ac1be13a
Start documentation for FIPS variants of Vault Enterprise (#15475)
* Begin restructuring FIPS documentation

This creates a new FIPS category under Enterprise and copies the
FIPS-specific seal wrap documentation into it.

We leave the existing Seal Wrap page at the old path, but document that
the FIPS-specific portions of it have moved.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add initial FIPS 140-2 inside documentation

This documents the new FIPS 140-2 Inside binary and how to use and
validate it. This also documents which algorithms are certified for
use in the BoringCrypto distribution.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add notes about FIPS algorithm restrictions

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-17 16:28:20 -04:00
Hridoy Roy 679ccc81a5
Query and Precompute Non-Contiguous Segments in the Activity Log (#15352)
* query and precompute non-contiguous segments in the activity log

* changelog

* newline formatting

* make fmt

* report listener and storage types as found keys

* report listener and storage types as found keys

* Update vault/activity_log_test.go

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

* review comments

* merge conflict

* merge conflict

* merge conflict

* fix unchecked merge conflict

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
2022-05-17 12:17:32 -07:00
Chris Hoffman 24e8b73c73
Updating Okta MFA to use official SDK (#15355)
* updating MFA to use official Okta SDK

* add changelog

* Update vault/login_mfa.go

Co-authored-by: swayne275 <swayne@hashicorp.com>

* cleanup query param building

* skip if not user factor

* updating struct tags to be more explicit

* fixing incorrect merge

* worrying that URL construction may change in the future, reimplementing GetFactorTransactionStatus

* adding some safety around url building

Co-authored-by: swayne275 <swayne@hashicorp.com>
2022-05-17 15:14:26 -04:00
Hamid Ghaf 364f8789cd
Globally scoped MFA method Get/List endpoints (#15248)
* Globally scoped MFA method Get/List endpoints

* Adding CL

* minor changes

* removing unwanted information from an error msg
2022-05-17 14:54:16 -04:00
akshya96 4e9e9b7eda
Vault-6037 making filesystem permissions check opt-in (#15452)
* adding env var changes

* adding changelog

* adding strcov.ParseBool
2022-05-17 11:34:31 -07:00
Violet Hynes 2c6bcbdeb5
VAULT-5885: Fix erroneous success message in case of two-phase MFA, and provide MFA information in table format (#15428)
* VAULT-5885: Fix erroneous success message in case of two-phase MFA, and provide MFA information in table format

* VAULT-5885 Add changelog

* VAULT-5885 Update changelog as per PR comments

* VAULT-5885 Update changelog category to just 'auth'

* VAULT-5885 Hide useless token info in two-phase MFA case

* VAULT-5885 Update changelog to reflect token info now no longer present

* VAULT-5885 split up changelog into three blocks
2022-05-17 14:03:02 -04:00
Tom Proctor ab0b0c96ca
api: make ListPlugins parse only known plugin types (#15434) 2022-05-17 17:41:26 +01:00
Austin Gebauer d3629ab49d
secrets/database: adds ability to manage alternative credential types and configuration (#15376) 2022-05-17 09:21:26 -07:00
Alexander Scheel 60acf9ad6e
Update parseutil in API, SDK (#15465)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-17 11:44:32 -04:00
Alexander Scheel a8c0efb487
Add documentation on rotation primitives (#15466)
* Begin PKI rotation primitive documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Finish importing rotation primitive docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update all titles consistently

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing links in rotation primitives doc

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add sections documenting execution in Vault

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* typo fixes

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-17 11:44:17 -04:00
Jason O'Donnell 9024b94731
docs: add note about upndomain for AD secret engine (#15445) 2022-05-17 11:42:16 -04:00
Alexander Scheel 3e7414b605
Always return PKI configs for CRLs, URLs (#15470)
* Always return non-nil CRL configuration

When using the default CRL configuration (as none has been set), return
the default configuration rather than inferring it in buildCRL. This
additionally allows us to return the default configuration on GET
operations to /config/crl.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Always return non-nil URL configuration

When using the default (empty) URL configuration as none has been set,
return the default configuration rather than inferring it inside of
fetchCAInfoByIssuerId or generateCert. This additionally allows us to
return the default configuration on GET operations to /config/urls.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-17 11:40:09 -04:00
Steven Clark 2fb8a9e667
secret/pki: Return correct algorithm type from key fetch API for managed keys (#15468)
* secret/pki: Return correct algorithm type from key fetch api for managed keys

 - fix an issue that key_type field returned from the key fetch api had
   the ManagedPrivateKey type instead of the real algorithm of the managed key.

* Remove key_type from key list PKI operation. Partial revert of #15435

 - The key_type field should be used solely for the key algorithm but as implemented
   we would be returning the value ManagedPrivateKey for managed keys which is not
   in sync with the rest of the apis. We also did not want to take the performance
   hit if many managed keys existed so we will simply remove the field from the list
   operation
2022-05-17 11:36:14 -04:00
Alexander Scheel bd3658912b
Fix value of VAULT_DISABLE_FILE_PERMISSIONS_CHECK (#15438)
This variable doesn't use ParseBool and thus strictly requires "true" as
the value.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-17 09:43:01 -04:00
Steven Clark aa868c5abf
Log less around the current status of the PKI migration (#15451)
- No point in writing any logs if no previous bundle exists
 - Only log output and schedule a CRL rebuild is we actually migration something
 - Do not log on PKI storage version set/checks.
2022-05-17 08:52:42 -04:00
Brian Kassouf b5472aadf3
Add list of granting policies audit logs (#15457)
* Add list of granting policies audit logs

* Add changelog
2022-05-16 16:23:08 -07:00
Austin Gebauer ec6e362d83
auth/oidc: adds documentation for JSON pointer user claim (#15454) 2022-05-16 15:31:02 -07:00
Austin Gebauer d3b167d029
auth/oidc: documents user claim constraint for optional google workspace config (#15456) 2022-05-16 15:29:58 -07:00
Loann Le bbbb0bfc14
Vault documentation: updated unseal information (#15446)
* updated unseal info

* Update architecture.mdx

fixed spelling error

* updated based on feedback

* added new image

* Update website/content/docs/commands/operator/init.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Updates for accuracy

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-05-16 14:44:23 -07:00
Chris Hoffman b14dc0d95d Remove duplicate policies when creating/updating identity groups (#15055)
* Remove duplicate policies for identity groups

* adding changelog

* test cleanup
2022-05-16 17:20:48 -04:00
Gabriel Santos 23e67be230
pki/sign-verbatim uses role not before duration (#15429)
* Use "not_before_duration" fiueld from role if above 0

* 'test' and update docs

* changelog file

* Requested changes - improved test and better description to changelog

* changelog description:

* update to ttl and not_before_duration API docs
2022-05-16 16:15:18 -04:00
Alexander Scheel 210045cd1f
Store migrated issuer, key in migration log (#15449)
If necessary, this will let us correlate migrated values afterwards.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-16 16:12:49 -04:00
Hridoy Roy 90538739bd
append nil months to query get to cover all requested months (OSS) (#15420)
* fill out nil response months in activity log query handle response based on requested month data

* changelog

* reverse month ordering for nil end months

* typo caught in ent test
2022-05-16 13:01:28 -07:00
AnPucel 390310409e
Add note about concurrency to plugin dev docs (#15357)
* Add note about concurrency

* Adding arrow syntax
2022-05-16 11:42:38 -07:00
Matt Schultz 3d1f40f850
Fix a keysutil policy lock (#15447)
* Defer an unlock call for keysutil policy imports.

* Make Transit import key type field case-insensitive for convenience.
2022-05-16 13:00:16 -05:00