Commit graph

14417 commits

Author SHA1 Message Date
mickael-hc 533f5e490e
Update production hardening guidelines (#12585)
* Update production hardening guidelines

* Apply suggestions from code review

Co-authored-by: Jamie Finnigan <jfinnigan@hashicorp.com>
2021-09-23 14:37:42 -04:00
Mike Green 373f50af47
Add rotate-root cli (#11192) 2021-09-23 09:00:25 -07:00
hghaf099 8b29493e76
fix writing back the Filename into unusedKeys in ParseConfig (#12615) 2021-09-23 09:30:44 -04:00
aphorise f4c1a09e25
Docs: Seal pkcs11 updated example with actual hex slot reference and … (#12530)
* Docs: Seal pkcs11 updated example with actual hex slot reference and notes related to decimal conversion. Minor correction to **Note** area in 'lib' parameter above 'slot'.

* Docs: Seal pkcs11 slot note correction.
2021-09-22 16:55:20 -04:00
Kamal Mahmud 9c0e439d33
Add additional info on v1 KV engine (#12522)
Added information flag to enable v1 KV secret engine in dev mode
2021-09-22 13:31:46 -07:00
Jinlong Chen 666b78911f
Fix client.go (#12608)
Modify one annotation.
2021-09-22 13:07:40 -07:00
Arnav Palnitkar 4f19fd1624
Added namespace search to client count (#12577)
* Added namespace search to client count

- Used existing search select component for namespace search

* Added changelog

* Added download csv component

- generate namespaces data in csv format
- Show root in top 10 namespaces
- Changed active direct tokens to non-entity tokens

* Added test for checking graph render

* Added documentation for the download csv component
2021-09-22 12:50:59 -07:00
Nick Cabatoff 4cca2e0303
Update telemetry docs to include HA forwarding metrics. (#12611) 2021-09-22 12:10:26 -04:00
Tom Proctor 181269f8e1
Revert "Update installation.mdx (#12516)" (#12571)
This reverts commit ab5ad87945177dd0bab6cbcfdf6cc8507bba8c5d.
2021-09-22 11:54:25 +01:00
Hridoy Roy dbd178250e
Port: Premature Rotation For autorotate (#12563)
* port of ldap fix for early cred rotation

* some more porting

* another couple lines to port

* final commits before report

* remove deadlock

* needs testing

* updates

* Sync with OpenLDAP PR

* Update the update error handling for items not found in the queue

* WIP unit tests
* Need to configure DB mount correctly, with db type mockv5
* Need to find a way to inject errors into that mock db

* throw error on role creation failure

* do not swallow error on role creation

* comment out wip tests and add in a test for disallowed role

* Use newly generated password in WAL

Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>

* return err on popFromRotationQueueByKey error; cleanup on setStaticAccount

* test: fix TestPlugin_lifecycle

* Uncomment and fix unit tests
* Use mock database plugin to inject errors
* Tidy test code to rely less on code internals where possible
* Some stronger test assertions

* Undo logging updates

* Add changelog

* Remove ticker and background threads from WAL tests

* Keep pre-existing API behaviour of allowing update static role to act as a create

* Switch test back to update operation

* Revert my revert, and fix some test bugs

* Fix TestBackend_StaticRole_LockRegression

* clean up defer on TestPlugin_lifecycle

* unwrap reqs on cleanup

* setStaticAccount: don't hold a write lock

* TestStoredWALsCorrectlyProcessed: set replication state to unknown

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2021-09-21 17:45:04 -07:00
Calvin Leung Huang 992b8089a2
dep: update vault-plugin-secrets-openldap to latest (#12600)
* dep: update vault-plugin-secrets-openldap to v0.5.2

* add changelog entry

* dep: update to use the plugin's master branch
2021-09-21 15:30:19 -07:00
Loann Le b1cff88fff
added browser support (#12587) 2021-09-21 13:48:21 -07:00
Pratyoy Mukhopadhyay 8e6698fb4a
[VAULT-3519] Return no_default_policy on token role read (#12565)
* [VAULT-3519] Return no_default_policy on token role read if set

* [VAULT-3519] Add changelog

* [VAULT-3519] Always return token_no_default_policy on role read

* Fix broken test

* Update role read response in docs
2021-09-21 09:53:08 -07:00
Tiernan a538936367
Allow globbing dis/allowed_policies_glob in token roles (#7277)
* Add allowed_policies_glob and disallowed_policies_glob that are the same as allowed_policies and disallowed_policies but allow glob matching.

* Update changelog, docs, tests, and comments for (dis)allowed_token_glob token role feature.

* Improve docs and unit tests for auth/token role policy globbing.
2021-09-21 08:25:06 -07:00
Nick Cabatoff 8a0250d277
Fix a couple of typos in the namespace api docs. (#12593) 2021-09-21 09:15:51 -04:00
Nick Cabatoff 2bd95232cf
Fail alias rename if the resulting (name,accessor) exists already (#12473) 2021-09-21 08:19:44 -04:00
Rachel Culpepper 9ff3fd39a2
fix build tag (#12588) 2021-09-20 17:10:54 -04:00
Yoko Hyakuna 8a122201bc
Add code snippet to demonstrate GCP auth in Go (#12578)
* Add code snippet to demonstrate GCP auth in Go

* Fix a grammatical error
2021-09-17 20:51:07 -07:00
akshya96 c643dc1d53
Add Custom metadata field to alias (#12502)
* adding changes

* removing q.Q

* removing empty lines

* testing

* checking tests

* fixing tests

* adding changes

* added requested changes

* added requested changes

* added policy templating changes and fixed tests

* adding proto changes

* making changes

* adding unit tests

* using suggested function
2021-09-17 11:03:47 -07:00
Tero Saarni 105786cc27
Update github.com/ulikunitz/xz (#12253)
* Update github.com/ulikunitz/xz

* Bump xz which is a transitive dependency of github.com/mholt/archiver.
  Fixes known security vulnerability GHSA-25xm-hr59-7c27.

* Update github.com/ulikunitz/xz

* Added security advisory ID to changelog.
2021-09-17 09:48:38 -07:00
John-Michael Faircloth bee9f25277
OIDC provider: show success message in CLI (#12574) 2021-09-17 11:41:08 -05:00
Lukas Grossar 5c94e5157c
Update example responses for /sys/seal-status (#9621) 2021-09-17 09:38:36 -07:00
Pratyoy Mukhopadhyay 0819eac6a8
Update token renew docs (#12572)
* Update docs for token renew api and cli

* Clarify api docs for renew/renew-self

* Update wording around periodic tokens
2021-09-16 16:54:46 -07:00
Arnav Palnitkar 35c188fba7
Client count updates (#12554)
* Client count updates

- Added Current month tab which leverages partial monthly activity api
- Refactored Vault usage to Monthly history
- New client count history component based on StatText and BarChart component
- Restrict bar chart to showcase only top 10 namespaces
- Removed config route, as config and history component will be rendered based on query param
- Updated all metrics reference to clients
- Removed old tests and added integration test for current month

* Fixed navbar permission

- Added changelog

* Updated the model for current month data

* Fixed current month tests

* Fixed indentation and chart label
2021-09-16 15:28:03 -07:00
Theron Voran b2418a3a8c
docs: vault-k8s 0.13.0 and vault-helm 0.16.0 (#12573) 2021-09-16 14:58:02 -07:00
Michael Ward c15ac1053f
Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation. (#12425)
* Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation.

* Add changelog.

* Minor updates as suggested.

* Adding external test for wrapped accessor.

* Add check that mounttype is approle.

* Update changelog text to use improvement
2021-09-16 10:47:49 -07:00
Meggie 78bb7d3808
Some docs notes (seal migration + go discover link) (#12542)
* Was confused by pre1.5.1 auto->auto note

* Helpful note on go-discover
2021-09-16 10:22:38 -04:00
Justin Kromlinger f1448e2e6d
Upgrade go-limiter to v0.7.1 to fix build failure in go1.17.1 (#12557)
See 748ae80bc1
2021-09-16 06:13:46 -07:00
John-Michael Faircloth 4ed0eb4493
identity: fix bug and increase logging for jwks cache control max age test (#12561)
* identity: increase logging for jwks cache control max age test

* clarify comment

* add more logging for jwks cache control max age in test
2021-09-15 14:38:29 -05:00
Angel Garbarino 508860b73b
KV: handle permissions on config and mount/sys when enabling a KV engine (#12498)
* add permissions and conditional

* stuff

* following the default setting to zero

* wip

* handle no permissions to mount sys

* maybe closer

* closer but configuration page not updating correctly with serializer issues

* wip but figured out configuration page and model

* clean up

* add test coverage

* clean up

* remove meep

* refactor

* clean test

* fix conditional on serializer delete

* fix test

* test fixes

* fix test

* test fix

* more test stuff

* condense
2021-09-15 12:14:18 -06:00
Scott Miller 241a78a2f2
Use the system rand reader for SSH keypair generation (#12560)
* Use the system rand reader for SSH keypair generation

* changelog
2021-09-15 11:59:28 -05:00
Scott Miller 33d7dc5fb4
Use the system rand reader for CA root and intermediate generation (#12559)
* Use the system rand reader for CA root and intermediate generation

* changelog
2021-09-15 11:59:12 -05:00
John-Michael Faircloth c42c9993a0
feature: OIDC keys endpoint (#12525)
* add keys path and initial handler

* read provider public keys

* add test cases

* remove some debug logs

* update tests after merging main

* refactor list all clients

* refactor logic to collect Key IDs
2021-09-14 15:37:53 -05:00
Angel Garbarino 12b1dc0069
Bug fix: allow forward slash in paths for delete menu (#12550)
* fix bug and add test coverage

* changelog
2021-09-14 12:30:01 -06:00
Scott Miller 6f18a9b6be
Allow signing self issued certs with a different public key algorithm. (#12514)
* WIP: Unset the certificate's SignatureAlgorithm to allow cross-signing of different key types

* Allow signing self issued certs with a different public key algorithm

* Remove cruft

* Remove stale import

* changelog

* eliminate errwrap

* Add a test to cover the lack of opt-in flag

* Better comment

Co-authored-by: catsby <clint@ctshryock.com>
2021-09-14 10:07:27 -05:00
Mitali Bisht 89271bf0ca
Added Artifactory secrets plugin (#12528)
* Added Artifactory secrets plugin

Added Artifactory secrets vault plugin under partner programs

* Update plugin-portal.mdx
2021-09-13 15:30:31 -07:00
divyapola5 30563097ea
Enforce minimum cache size for transit backend (#12418)
* Enforce Minimum cache size for transit backend

* enforce minimum cache size and log a warning during backend construction

* Update documentation for transit backend cache configuration

* Added changelog

* Addressed review feedback and added unit test

* Modify code in pathCacheConfigWrite to make use of the updated cache size

* Updated code to refresh cache size on transit backend without restart

* Update code to acquire read and write locks appropriately
2021-09-13 16:44:56 -05:00
Aaditya S fbe2462420
Fix typo in lease renew documentation (#10651)
The documentation for `renew` is showing the output for `revoke`.
2021-09-13 11:57:10 -07:00
Theron Voran ae0bda77b3
vault-agent: copy values retrieved from bolt (#12534)
Byte slices returned from Bolt are only valid during a transaction, so
this makes a copy.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2021-09-13 11:06:08 -07:00
Chelsea Shaw f850ba08a5
Remove attributes used only on kv-v2 config (#12529) 2021-09-13 09:33:12 -06:00
hghaf099 2576be23d0
Fixing a flaky test TestQuotas_RateLimitQuota_ExemptPaths (#12532)
* Fixing a flaky test TestQuotas_RateLimitQuota_ExemptPaths

* fixing a string formatting by removing an extra parameter
2021-09-10 17:41:14 -04:00
Lukas Grossar 2f025ef30f
Add link to go-discover README to raft documentation (#10679) 2021-09-10 14:40:36 -07:00
jhart-cpi fa1611f427
improvement: add signature_bits field to CA and signers (#11245)
This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs.  This is a
potentially useful stepping stone for a SHA3 transition down the line.

Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
2021-09-10 14:39:05 -07:00
John-Michael Faircloth 22c9be3835
identity: fix identity token introspect doc (#12531) 2021-09-10 11:41:32 -05:00
Jacob Burroughs 65029f8c8f
Fix pkcs7 parsing in some cases (#12519)
* Fix pkcs7 parsing in some cases

brings in https://github.com/mozilla-services/pkcs7/pull/61 from upstream

In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```

This fixes logins on those instances.  Note we could not readily ascertain why
some instances have those certificates and others don't.

* Add changelog entry

* Correct missed line
2021-09-10 12:17:03 -04:00
Mike Green 68c561389f
add example for secret tuning (#12503) 2021-09-10 09:10:33 -07:00
Justin Weissig 8a721ef225
docs: update packaging (#12527)
* docs: update packaging

Update language to support current enterprise packaging.

* Update performance-standby.mdx
2021-09-09 14:36:15 -07:00
John-Michael Faircloth c42bbb369c
Identity: prepublish jwt signing keys (#12414)
* pre-publish new signing keys for `rotation_period` of time before using

* Work In Progress: Prepublish JWKS and even cache control

* remove comments

* use math/rand instead of math/big

* update tests

* remove debug comment

* refactor cache control logic into func

* don't set expiry when create/update key

* update cachecontrol name in oidccache for test

* fix bug in periodicfunc test case

* add changelog

* remove confusing comment

* add logging and comments

* update change log from bug to improvement

Co-authored-by: Ian Ferguson <ian.ferguson@datadoghq.com>
2021-09-09 13:47:42 -05:00
Mike Green d4656971b1
Add link to integrated storage docs page for learn tutorial (#12501)
* Help find the learn tutorial

* Add common API path header and move learn link

@ncabatoff suggestion
2021-09-09 09:51:45 -07:00
Theron Voran 48e0c3fde7
dep: update consul-template to v0.27.0 (#12505) 2021-09-09 09:12:42 -07:00