Commit graph

16514 commits

Author SHA1 Message Date
Kianna 748f1b5395
UI: VAULT-12357 VAULT-12356 Add PKI Beta tag and Modal (#18761)
* Initial beta modal set up

* Add back to old pki from engine

* Remove commented out code

* Add stylesheet and tests!

* Address feedback!

* Add id to input
2023-01-20 12:02:13 -08:00
Michael Anthony 3762cfaf0a
Add workflow for running Docker-only acc tests (#18672)
* Add workflow for running Docker-only acc tests

* Convert to caller/called workflow

* Add comments for posterity and change run trigger

* Standardize workflow names and adjust artifact retention time

* Consolidate metadata job into test job

* Shorten artifact retention time

* Standardize filenames

* Correct workflow reference

* Remove erroneous dependency reference
2023-01-20 12:57:56 -07:00
Christopher Swenson 4a93097895
Use schema for events in event broker (#18693)
For the new events schema. Based on the CloudEvents schema.
2023-01-20 10:18:23 -08:00
Anton Averchenkov 7097166b77
Update vault and api/auth submodules to use api/v1.8.3 (#18773) 2023-01-20 11:44:03 -05:00
Daniel Huckins fc6d13e29d
VAULT-12112: openapi response definitions: sys/audit (#18456)
* added audit-hash operations

* more audit paths

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* added audit fields

* add changelog file

* dynamic fields should be nil

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* start to add test helper

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add tests for /sys/audit openapi paths

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <anton.averchenkov@hashicorp.com>
2023-01-20 11:09:33 -05:00
Alexander Scheel 3adfed1af8
Add missing space in PKI error (#18778)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-20 11:02:17 -05:00
Hamid Ghaf 4b4e0437e1
enos: default undo-logs to cluster behavior (#18771)
* enos: default undo-logs to cluster behavior

* change a step dependency

* rearrange steps, wait a bit longer for undo logs
2023-01-20 10:25:14 -05:00
Anton Averchenkov 74b591c2c3
Update api & vault to use sdk v0.7.0 (#18765) 2023-01-19 15:21:10 -05:00
Josh Black fa1447cb3c
Add new clients into the monthly breakdown (#18766)
* Add new clients into the monthly breakdown

* add changelog
2023-01-19 09:12:17 -08:00
Tom Proctor 97eac57b4f
Docs: Add ACL hints to Consul secrets engine instructions (#18750) 2023-01-19 10:48:17 +00:00
Jaymala 9501b56ffa
Rename reusable enos-run workflow file (#18757)
* Rename reusable enos-run workflow file

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update Enos README file

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2023-01-18 16:37:38 -07:00
Mike Baum da2849217c
[QT-441] Switch over to using new vault_ci AWS account for enos CI workflows (#18398) 2023-01-18 16:09:19 -05:00
Jordan Reimer 2e44d2020a
Kubernetes Secrets Engine (#17893)
* Ember Engine for Kubernetes Secrets Engine (#17881)

* adds in-repo ember engine for kubernetes secrets engine

* updates kubernetes engine class name

* Kubernetes route plumbing (#17895)

* kubernetes route plumbing

* adds kubernetes role index route with redirect to details

* adds kubernetes as mountable and supported secrets engine (#17891)

* adds models, adapters and serializers for kubernetes secrets engine (#18010)

* adds mirage factories and handlers for kubernetes (#17943)

* Kubernetes Secrets Engine Configuration (#18093)

* moves RadioCard component to core addon

* adds kubernetes configuration view

* fixes tests using RadioCard after label for and input id changes

* adds confirm modal when editing kubernetes config

* addresses review comments

* Kubernetes Configuration View (#18147)

* removes configuration edit and index routes

* adds kubernetes configuration view

* Kubernetes Roles List (#18211)

* removes configuration edit and index routes

* adds kubernetes configuration view

* adds kubernetes secrets engine roles list view

* updates role details disabled state to explicitly check for false

* VAULT-9863 Kubernetes Overview Page (#18232)

* Add overview page view

* Add overview page tests

* Address feedback to update tests and minor changes

* Use template built in helper for conditionally showing num roles

* Set up roleOptions in constructor

* Set up models in tests and fix minor bug

* Kubernetes Secrets Engine Create/Edit Views (#18271)

* moves kv-object-editor to core addon

* moves json-editor to core addon

* adds kubernetes secrets engine create/edit views

* updates kubernetes/role adapter test

* addresses feedback

* fixes issue with overview route showing 404 page (#18303)

* Kubernetes Role Details View (#18294)

* moves format-duration helper to core addon

* adds kubernetes secrets engine role details view

* adds tests for role details page component

* adds capabilities checks for toolbar actions

* fixes list link for secrets in an ember engine (#18313)

* Manual Testing: Bug Fixes and Improvements (#18333)

* updates overview, configuration and roles components to pass args for individual model properties

* bug fixes and improvements

* adds top level index route to redirect to overview

* VAULT-9877 Kubernetes Credential Generate/View Pages (#18270)

* Add credentials route with create and view components

* Update mirage response for creds and add ajax post call for creds in adapter

* Move credentials create and view into one component

* Add test classes

* Remove files and update backend property name

* Code cleanup and add tests

* Put test helper in helper function

* Add one more test!

* Add code optimizations

* Fix model in route and add form

* Add onSubmit to form and preventDefault

* Fix tests

* Update mock data for test to be strong rather than record

* adds acceptance tests for kubernetes secrets engine roles (#18360)

* VAULT-11862 Kubernetes acceptance tests (#18431)

* VAULT-12185 overview acceptance tests

* VAULT-12298 credentials acceptance tests

* VAULT-12186 configuration acceptance tests

* VAULT-12127 Refactor breadcrumbs to use breadcrumb component (#18489)

* VAULT-12127 Refactor breadcrumbs to use Page::Breadcrumbs component

* Fix failing tests by adding breadcrumbs properties

* VAULT-12166 add jsdocs to kubernetes secrets engine pages (#18509)

* fixes incorrect merge conflict resolution

* updates kubernetes check env vars endpoint (#18588)

* hides kubernetes ca cert field if not defined in configuration view

* fixes loading substate handling issue (#18592)

* adds changelog entry

Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
2023-01-18 15:02:41 -06:00
Max Coulombe 553e1cfb0d
* added the new redis parameter documentation (#18752)
* added the new redis parameter documentation
* added changelog
2023-01-18 15:51:15 -05:00
Alexander Scheel 6b4f770de9
Refactor CRL Building for unified CRLs (#18754)
* Refactor CRL building into separate functions

This will allow us to add the ability to add and build a unified CRL
across all clusters, reusing logic that is common to both, but letting
each have their own certificate lists.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rename localCRLConfigEntry->internalCRLConfigEntry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rename Delta WALs to Local Delta WALs

This adds clarity that we'll have a separate local and remote Delta CRL
and WALs for each.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-18 15:05:14 -05:00
Josh Brand f38c69559b
Add enterprise resources to CI cleanup (#18758) 2023-01-18 14:14:19 -05:00
Christopher Swenson fcbce0effd
Start events when core starts if enabled (#18742)
For example, using:

```sh
vault server -dev -experiment events.beta1
```

Tested by checking that the events were enabled and disabled
when the `-experiment events.beta1` flag was present and absent.

Also added a small fix to pass the `hclog.Logger` in now so that
the logging hierarchy and levels are respected.
2023-01-18 10:46:01 -08:00
Chelsea Shaw 81d36b61f1
UI: PKI Generate Root Form (#18712) 2023-01-18 12:20:44 -06:00
Kianna be5b38e53d
ui: VAULT-12670 Update pki list view labels for list items (#18744)
* VAULT-12670 Update pki list view labels for list items

* Fix failing tests!
2023-01-18 09:35:55 -08:00
Alexander Scheel 9f03ea75a3
Remove t.Parallel() due to initialization race (#18751)
Using RunCommand(...) to set format to JSON for PKI HC tests results in
multiple initCommands(...) being called, overwriting the same global
variable. Nobody else calls the test suite in this way, so remove
t.Parallel() as the CLI isn't really meant to be called in parallel and
there might be other issues.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-01-18 10:40:35 -05:00
Max Bowsher 4c5f583f39
OpenAPI generic_mount_paths follow-up (#18663)
* OpenAPI `generic_mount_paths` follow-up

An incremental improvement within larger context discussed in #18560.

* Following the revert in #18617, re-introduce the change from
  `{mountPath}` to `{<path-of-mount>_mount_path}`; this is needed, as
  otherwise paths from multiple plugins would clash - e.g. almost every
  auth method would provide a conflicting definition for
  `auth/{mountPath}/login`, and the last one written into the map would
  win.

* Move the half of the functionality that was in `sdk/framework/` to
  `vault/logical_system.go` with the rest; this is needed, as
  `sdk/framework/` gets compiled in to externally built plugins, and
  therefore there may be version skew between it and the Vault main
  code. Implementing the `generic_mount_paths` feature entirely on one
  side of this boundary frees us from problems caused by this.

* Update the special exception that recognizes `system` and `identity`
  as singleton mounts to also include the other two singleton mounts,
  `cubbyhole` and `auth/token`.

* Include a comment that documents to restricted circumstances in which
  the `generic_mount_paths` option makes sense to use:

	    // Note that for this to actually be useful, you have to be using it with
	    // a Vault instance in which you have mounted one of each secrets engine
	    // and auth method of types you are interested in, at paths which identify
	    // their type, and for the KV secrets engine you will probably want to
	    // mount separate kv-v1 and kv-v2 mounts to include the documentation for
	    // each of those APIs.

* Fix tests

Also remove comment "// TODO update after kv repo update" which was
added 4 years ago in #5687 - the implied update has not happened.

* Add changelog

* Update 18663.txt
2023-01-17 23:07:11 -05:00
Jordan Reimer e742440686
PKI Certificate Details (#18737)
* adds pki certificate details page component

* adds tests for pki base adapter

* adds more comments

* updates remaining pki/certificate model references to pki/certificate/base
2023-01-18 00:52:47 +00:00
Jordan Reimer f58074a429
API Explorer Query Params (#18743)
* adds query params to api explorer test requests

* adds changelog entry
2023-01-17 16:37:07 -07:00
Ashlee M Boyer 0f1a82b377
Wrapping example link value with backticks (#18709) 2023-01-17 15:25:25 -08:00
akshya96 ab4f1719fd
user-lockout documentation changes (#18478)
* added user-lockout documentation changes

* add changelog

* remove new lines

* changing method name

* changing lockedusers to locked-users

* Update website/content/docs/concepts/user-lockout.mdx

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update website/content/api-docs/system/user-lockout.mdx

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update website/content/api-docs/system/user-lockout.mdx

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update website/content/partials/user-lockout.mdx

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update website/content/partials/user-lockout.mdx

Co-authored-by: Meggie <meggie@hashicorp.com>

* adding suggested changes

* adding bullet points to disable

* Update website/content/api-docs/system/user-lockout.mdx

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update website/content/partials/user-lockout.mdx

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update website/content/docs/commands/auth/tune.mdx

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

* Update website/content/docs/commands/auth/tune.mdx

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

* Update website/content/docs/concepts/user-lockout.mdx

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

Co-authored-by: Meggie <meggie@hashicorp.com>
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2023-01-17 15:12:16 -08:00
akshya96 6e04e4ede1
Prevent brute forcing : telemetry oss changes (#18718)
* Prevent brute forcing : telemetry oss changes

* adding changelog
2023-01-17 15:10:50 -08:00
Jaymala cdae007e30
Fix arch for backend storage in Enos replication scenario (#18741)
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2023-01-17 22:28:30 +00:00
akshya96 b2276a369a
Prevent Brute Forcing: Create an api endpoint to list locked users OSS changes (#18675)
* api to list lockedusers oss changes

* add changelog
2023-01-17 14:25:56 -08:00
Josh Black c9763996d4
Enable undo logs by default (#18692)
* Enable undo logs by default

* add consul test

* update go.mod/sum

* add a better non-existent key
2023-01-17 13:38:18 -08:00
Christopher Swenson b95beeb675
Add basic event bus broker stub (#18640)
Creates a new `eventbus` package under `vault` with
an implementation of the `go-eventlogger` broker.

Also creates a stub of a common broker that will be accessible
in the core, and creates a simple event sending interface.
2023-01-17 13:34:37 -08:00
Kianna f3a8fdd4f0
ui: VAULT-6511 PKI Overview Page (#18599)
* Inital pki overview page code setup

* Add more properties to pki-overview

* Remove previous selectable card component and update template

* Add capability check for roles and issuers

* Add acceptance tests for overview page

* Update SelectableCardForm component

* Code refactor!

* Add selectable-card-form test

* More code cleanup and move function to test helper file

* Address most feedback. Pending refactor of issue certificate card!

* Add integration test

* Moves form to SelectableCard and add tests

* Add jsdoc props to SelectableCard and fix placeholder

* Move back SelectableCard

* Covert to typescript and finish up tests

* Dont use try catch for hasConfig

* Add overview card test

* More overview card tests

* Address feedback!
2023-01-17 13:30:31 -08:00
Kianna 64f38ffd57
ui: VAULT-8673 Add empty states to certificates and roles (#18702)
* Add empty states to certificates and roles

* Add tests for empty state

* Fix naming of model properties
2023-01-17 13:30:14 -08:00
Anton Averchenkov a4973bc45a
Remove timeout logic from ReadRaw functions and add ReadRawWithContext (#18708)
Removing the timeout logic from raw-response functions and adding documentation comments. The following functions are affected:

- `ReadRaw`
- `ReadRawWithContext` (newly added)
- `ReadRawWithData`
- `ReadRawWithDataWithContext`

The previous logic of using `ctx, _ = c.c.withConfiguredTimeout(ctx)` could cause a potential [context leak](https://pkg.go.dev/context):

> Failing to call the CancelFunc leaks the child and its children until the parent is canceled or the timer fires. The go vet tool checks that CancelFuncs are used on all control-flow paths.

Cancelling the context would have caused more issues since the context would be cancelled before the request body is closed.

Resolves: #18658
2023-01-17 15:41:59 -05:00
Mike Palmiotto 41f8d2edc6
[QT-309] Ensure creds are available for OCI and S3 (#18602)
* Ensure OCI creds are set for acc test

* Ensure AWS creds are resolvable before testing

Co-authored-by: Michael Anthony <5498095+manthonygfp@users.noreply.github.com>
2023-01-17 14:15:40 -05:00
Kendall Strautman 19b863404c
docs: updates inline alert authoring info (#18713)
* docs: updates inline alert authoring info

* chore: other readme updates

* chore: update package, fix typo

* chore: update to stable
2023-01-17 14:13:09 -05:00
Max Bowsher 91855bce22
Fix a very old comment to include query-string parameters (#18557)
Vault has gradually had the ability to pass query-string parameters
added to GET, then DELETE, and now recently LIST requests. Update
a comment which seems to date back to when no query-string parameters
were used at all.
2023-01-17 12:29:30 -05:00
claire bontempo 09a6515ad8
add is default text (#18717) 2023-01-17 10:34:09 -06:00
tjperry07 9f488db88e
added jwt token validation (#18703) 2023-01-17 09:57:40 -05:00
Nick Cabatoff 07d1e26ff3
Fix changelog for #18401 (#18727) 2023-01-16 13:49:28 -05:00
Nick Cabatoff b5f19fffe9
Speculative fix for a panic that might arise during raft teardown (#18704) 2023-01-16 13:49:11 -05:00
Tom Proctor d5c35f39c3
Add experiment system + events experiment (#18682) 2023-01-16 16:07:18 +00:00
Peter Wilson 59450ecb82
Revert "Add new clients into the monthly breakdown (#18629)" (#18726)
This reverts commit d641bbc28e5e8cc12b81d409e5d5fc1f2cb7f66c.
2023-01-16 15:51:19 +00:00
Ben Ash 3ff530e001
auth/kubernetes: upgrade to v0.14.1 (#18716) 2023-01-13 19:00:18 -05:00
Ben Ash 02018f1d1d
Revert "auth/kubernetes: upgrade to v0.14.1 (#18711)" (#18715)
This reverts commit ed244a9263255affa797fe032a5b103d7ae41891.
2023-01-13 18:17:12 -05:00
Ben Ash 6bcd9f4458
auth/kubernetes: upgrade to v0.14.1 (#18711) 2023-01-13 17:15:35 -05:00
Anton Averchenkov 6ae09f3074
Add AppRole response schema validation tests (#18636)
This PR modifies every test in `builtin/credentials/approle/path_role_test.go` with new validation checks to ensure that approle/path_role  successful responses align with the declared response schema.

It also introduces a test helper in `sdk/helper/testhelpers`:

```go
func FindResponseSchema(t *testing.T, ...)
```

This test helper will be useful for all plugins that require similar response schema validation in tests.

### Background

This PR is part of the ongoing work to add structured responses in Vault OpenAPI (VLT-234)
2023-01-13 15:23:36 -05:00
Anton Averchenkov 9696600e59
Add response schema validation methods & test helpers (#18635)
This pull request adds 3 functions (and corresponding tests):

`testhelpers/response_validation.go`:

  - `ValidateResponse`
  - `ValidateResponseData`
  
field_data.go:

  - `ValidateStrict` (has the "strict" validation logic)

The functions are primarily meant to be used in tests to ensure that the responses are consistent with the defined response schema. An example of how the functions can be used in tests can be found in #18636.

### Background

This PR is part of the ongoing work to add structured responses in Vault OpenAPI (VLT-234)
2023-01-13 14:55:56 -05:00
Yoko Hyakuna 0899635ce3
Add VAULT_LOG_LEVEL to the environment var list (#18694) 2023-01-13 12:54:51 -05:00
Jaymala ca18e2fffe
[QT-19] Enable Enos replication scenario (#17748)
* Add initial replication scenario config

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Add support for replication with different backend and seal types

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update Consul versions

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Additional config for replicaiton scenario

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update replication scenario modules

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Refactor replication modules

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Add more steps for replication

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Work in progress with unsealing followers on secondary cluster

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Add more replication scenario steps

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* More updates

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Working shamir scenario

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update to unify get Vault IP module

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Remove duplicate module

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Fix race condition for secondary followers unseal

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Use consistent naming for module directories

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update replication scenario with latest test matrix

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Verify replication with awskms

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Add write and retrive data support for all scenarios

* Update all scenarios to verify write and read kv data

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Fix write and read data modules

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Add comments explaining the module run

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Address review feedback and update consul version

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Address more review feedback

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Remove vault debug logging

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Exclude ent.fips1402 and ent.hsm.fips1402 packages from Enos test matrix

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Add verification for replication connection status

* Currently this verification fails on Consul due to VAULT-12332

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Add replication scenario to Enos README

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Update README as per review suggesstions

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* [QT-452] Add recovery keys to scenario outputs

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Fix replication output var

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Fix autopilot scenario deps and add retry for read data

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2023-01-13 11:43:26 -05:00
Steven Clark e0e957731b
Refactor the PKI revocation handler to prep for unified revocation (#18685)
* Rename revokeCert variable to identify serial number formatting

* Refactor out lease specific behavior out of revokeCert

 - Isolate the specific behavior regarding revoking lease specific
   certificates outside of the revokeCert function and into the only
   caller that leveraged used it.
 - This allows us to simplify revokeCert a little bit and keeps the
   function purely about revoking a certificate

* Within revokeCert short circuit the already revoked use-case

 - Make the function a little easier to process by exiting early
   if the certificate has already been revoked.

* Do not load certificates from storage multiple times during revocation

 - Isolate the loading of a certificate and parsing of a certificate
   into a single attempt, either when provided the certificate for BYOC
   revocation or strictly from storage for the other revocation types.

* With BYOC write certificate entry using dashes not the legacy colon char
2023-01-13 10:31:03 -05:00