* Docs: Seal pkcs11 updated example with actual hex slot reference and notes related to decimal conversion. Minor correction to **Note** area in 'lib' parameter above 'slot'.
* Docs: Seal pkcs11 slot note correction.
* Added namespace search to client count
- Used existing search select component for namespace search
* Added changelog
* Added download csv component
- generate namespaces data in csv format
- Show root in top 10 namespaces
- Changed active direct tokens to non-entity tokens
* Added test for checking graph render
* Added documentation for the download csv component
* port of ldap fix for early cred rotation
* some more porting
* another couple lines to port
* final commits before report
* remove deadlock
* needs testing
* updates
* Sync with OpenLDAP PR
* Update the update error handling for items not found in the queue
* WIP unit tests
* Need to configure DB mount correctly, with db type mockv5
* Need to find a way to inject errors into that mock db
* throw error on role creation failure
* do not swallow error on role creation
* comment out wip tests and add in a test for disallowed role
* Use newly generated password in WAL
Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>
* return err on popFromRotationQueueByKey error; cleanup on setStaticAccount
* test: fix TestPlugin_lifecycle
* Uncomment and fix unit tests
* Use mock database plugin to inject errors
* Tidy test code to rely less on code internals where possible
* Some stronger test assertions
* Undo logging updates
* Add changelog
* Remove ticker and background threads from WAL tests
* Keep pre-existing API behaviour of allowing update static role to act as a create
* Switch test back to update operation
* Revert my revert, and fix some test bugs
* Fix TestBackend_StaticRole_LockRegression
* clean up defer on TestPlugin_lifecycle
* unwrap reqs on cleanup
* setStaticAccount: don't hold a write lock
* TestStoredWALsCorrectlyProcessed: set replication state to unknown
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
* [VAULT-3519] Return no_default_policy on token role read if set
* [VAULT-3519] Add changelog
* [VAULT-3519] Always return token_no_default_policy on role read
* Fix broken test
* Update role read response in docs
* Add allowed_policies_glob and disallowed_policies_glob that are the same as allowed_policies and disallowed_policies but allow glob matching.
* Update changelog, docs, tests, and comments for (dis)allowed_token_glob token role feature.
* Improve docs and unit tests for auth/token role policy globbing.
* Update github.com/ulikunitz/xz
* Bump xz which is transitive dependency of github.com/mholt/archiver.
Fixes known security vulnerability GHSA-25xm-hr59-7c27.
* Update github.com/ulikunitz/xz
* Added security advisory ID to changelog.
* Client count updates
- Added Current month tab which leverages partial monthly activity api
- Refactored Vault usage to Monthly history
- New client count history component based on StatText and BarChart component
- Restrict bar chart to showcase only top 10 namespaces
- Removed config route, as config and history component will be rendered based on query param
- Updated all metrics reference to clients
- Removed old tests and added integration test for current month
* Fixed navbar permission
- Added changelog
* Updated the model for current month data
* Fixed current month tests
* Fixed indentation and chart label
* Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation.
* Add changelog.
* Minor updates as suggested.
* Adding external test for wrapped accessor.
* Add check that mounttype is approle.
* Update changelog text to use improvement
* add permissions and conditional
* stuff
* following the default setting to zero
* wip
* handle no permissions to mount sys
* maybe closer
* closer but configuration page not updating correctly with serializer issues
* wip but figured out configuration page and model
* clean up
* add test coverage
* clean up
* remove meep
* refactor
* clean test
* fix conditional on seralizer delete
* fix test
* test fixes
* fix test
* test fix
* more test stuff
* condense
* add keys path and initial handler
* read provider public keys
* add test cases
* remove some debug logs
* update tests after merging main
* refactor list all clients
* refactor logic to collect Key IDs
* WIP: Unset the certificate's SignatureAlgorithm to allown cross-signing of different key types
* Allow signing self issued certs with a different public key algorithm
* Remove cruft
* Remove stale import
* changelog
* eliminate errwrap
* Add a test to cover the lack of opt-in flag
* Better comment
Co-authored-by: catsby <clint@ctshryock.com>
* Enforce Minimum cache size for transit backend
* enfore minimum cache size and log a warning during backend construction
* Update documentation for transit backend cache configuration
* Added changelog
* Addressed review feedback and added unit test
* Modify code in pathCacheConfigWrite to make use of the updated cache size
* Updated code to refresh cache size on transit backend without restart
* Update code to acquire read and write locks appropriately
Byte slices returned from Bolt are only valid during a transaction, so
this makes a copy.
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs. This is a
potentially useful stepping stone for a SHA3 transition down the line.
Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
* Fix pkcs7 parsing in some cases
brings in https://github.com/mozilla-services/pkcs7/pull/61 from upstream
In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```
This fixes logins on those instances. Note we could not readily ascertain why
some instances have those certificates and others don't.
* Add changelog entry
* Correct missed line
* pre-publish new signing keys for `rotation_period` of time before using
* Work In Progress: Prepublish JWKS and even cache control
* remove comments
* use math/rand instead of math/big
* update tests
* remove debug comment
* refactor cache control logic into func
* don't set expiry when create/update key
* update cachecontrol name in oidccache for test
* fix bug in periodicfunc test case
* add changelog
* remove confusing comment
* add logging and comments
* update change log from bug to improvement
Co-authored-by: Ian Ferguson <ian.ferguson@datadoghq.com>