Commit graph

1221 commits

Author SHA1 Message Date
Calvin Leung Huang 7ad62f5be4
core: set namespace within GeneratePasswordFromPolicy (#12635)
* core: set namespace from the sysview's mount entry on GeneratePasswordFromPolicy

* test: update TestDynamicSystemView to be ns-aware, update tests

* add changelog entry
2021-09-27 09:08:07 -07:00
Calvin Leung Huang 3826042daf
test: pin docker image on postgres to 13.4-buster (#12636)
* test: pin docker image on postgres to 13.4-buster

* test: update all tests that uses postgres image to use 13.4-buster
2021-09-27 08:38:39 -07:00
Hridoy Roy dbd178250e
Port: Premature Rotation For autorotate (#12563)
* port of ldap fix for early cred rotation

* some more porting

* another couple lines to port

* final commits before report

* remove deadlock

* needs testing

* updates

* Sync with OpenLDAP PR

* Update the update error handling for items not found in the queue

* WIP unit tests
* Need to configure DB mount correctly, with db type mockv5
* Need to find a way to inject errors into that mock db

* throw error on role creation failure

* do not swallow error on role creation

* comment out wip tests and add in a test for disallowed role

* Use newly generated password in WAL

Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>

* return err on popFromRotationQueueByKey error; cleanup on setStaticAccount

* test: fix TestPlugin_lifecycle

* Uncomment and fix unit tests
* Use mock database plugin to inject errors
* Tidy test code to rely less on code internals where possible
* Some stronger test assertions

* Undo logging updates

* Add changelog

* Remove ticker and background threads from WAL tests

* Keep pre-existing API behaviour of allowing update static role to act as a create

* Switch test back to update operation

* Revert my revert, and fix some test bugs

* Fix TestBackend_StaticRole_LockRegression

* clean up defer on TestPlugin_lifecycle

* unwrap reqs on cleanup

* setStaticAccount: don't hold a write lock

* TestStoredWALsCorrectlyProcessed: set replication state to unknown

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2021-09-21 17:45:04 -07:00
Scott Miller 241a78a2f2
Use the system rand reader for SSH keypair generation (#12560)
* Use the system rand reader for SSH keypair generation

* changelog
2021-09-15 11:59:28 -05:00
Scott Miller 33d7dc5fb4
Use the system rand reader for CA root and intermediate generation (#12559)
* Use the system rand reader for CA root and intermediate generation

* changelog
2021-09-15 11:59:12 -05:00
Scott Miller 6f18a9b6be
Allow signing self issued certs with a different public key algorithm. (#12514)
* WIP: Unset the certificate's SignatureAlgorithm to allown cross-signing of different key types

* Allow signing self issued certs with a different public key algorithm

* Remove cruft

* Remove stale import

* changelog

* eliminate errwrap

* Add a test to cover the lack of opt-in flag

* Better comment

Co-authored-by: catsby <clint@ctshryock.com>
2021-09-14 10:07:27 -05:00
divyapola5 30563097ea
Enforce minimum cache size for transit backend (#12418)
* Enforce Minimum cache size for transit backend

* enfore minimum cache size and log a warning during backend construction

* Update documentation for transit backend cache configuration

* Added changelog

* Addressed review feedback and added unit test

* Modify code in pathCacheConfigWrite to make use of the updated cache size

* Updated code to refresh cache size on transit backend without restart

* Update code to acquire read and write locks appropriately
2021-09-13 16:44:56 -05:00
jhart-cpi fa1611f427
improvement: add signature_bits field to CA and signers (#11245)
This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs.  This is a
potentially useful stepping stone for a SHA3 transition down the line.

Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
2021-09-10 14:39:05 -07:00
Lars Lehtonen 5af6d5f07f
builtin/logical/aws: fix dropped test error (#12417) 2021-08-26 15:55:39 +01:00
vinay-gopalan 23770cc2a7
Update genUsername to cap STS usernames at 32 chars (#12185)
* update genUsername to cap STS usernames at 64 chars

* add changelog

* refactor tests into t.Run block

* patch: remove warningExpected bool and include expected string

* patch: revert sts to cap at 32 chars and add assume_role case in genUsername

* update changelog

* update genUsername to return error if username generated exceeds length limits

* update changelog

* add conditional default username template to provide custom STS usernames

* update changelog

* include test for failing STS length case

* update comments for more clarity
2021-08-09 09:40:47 -07:00
Scott Miller 653bfef52e
Forward cert signing requests to the primary on perf secondaries as well as perf standbys (#12180) 2021-07-28 10:21:01 -05:00
Nick Cabatoff 03b2208f04
Pin RabbitMQ and Cassandra docker image versions (#12174)
* Work around rabbitmq regression with UserInfo.Tags in rabbitmq 3.9: use v3.8 docker image in tests.

* Also pin cassandra docker image version to 3.11 (4.00 was making tests fail)
2021-07-27 08:45:32 -04:00
Jeff Mitchell 33ff878946
Move awsutil over to the go-secure-stdlib version (#12128)
Unlike the other libraries that were migrated, there are no usages of
this lib in any of our plugins, and the only other known usage was in
go-kms-wrapping, which has been updated. Aliasing it like the other libs
would still keep the aws-sdk-go dep in the sdk module because of the
function signatures. So I've simply removed it entirely here.
2021-07-20 20:42:00 -04:00
Lars Lehtonen a9153d7348
builtin/logical/database: fix dropped test errors (#12123) 2021-07-20 11:13:50 -07:00
Jeff Mitchell fb473a8b9b
Swap out stepwise for external repo version (#12089) 2021-07-20 13:20:23 -04:00
vinay-gopalan 859b60cafc
[VAULT-1969] Add support for custom IAM usernames based on templates (#12066)
* add ability to customize IAM usernames based on templates

* add changelog

* remove unnecessary logs

* patch: add test for readConfig

* patch: add default STS Template

* patch: remove unnecessary if cases

* patch: add regex checks in username test

* patch: update genUsername to return an error instead of warnings

* patch: separate tests for default and custom templates

* patch: return truncate warning from genUsername and trigger a 400 response on errors

* patch: truncate midString to 42 chars in default template

* docs: add new username_template field to aws docs
2021-07-20 09:48:29 -07:00
swayne275 ed361ee8da
Fix minor typo in Internals/Plugins documentation (#12113)
* fix minor plugin doc typo

* fix limits of of typo and related

* forgot to save on this typo fix
2021-07-20 07:21:24 -06:00
Jeff Mitchell f7147025dd
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090)
* Swap sdk/helper libs to go-secure-stdlib

* Migrate to go-secure-stdlib reloadutil

* Migrate to go-secure-stdlib kv-builder

* Migrate to go-secure-stdlib gatedwriter
2021-07-15 20:17:31 -04:00
Austin Gebauer d1c090fe63
secrets/database: fixes external plugin reconnect after shutdown for v4 and v5 interface (#12087)
* secrets/database: fixes external plugin shutdown reconnect for v5 interface

* adds changelog entry

* fixes handling of plugin shutdown for password generation on v4 interface
2021-07-15 13:41:04 -07:00
Jeff Mitchell fe18b6f9e0
Swap out sdk/helper libs with implementations in go-secure-stdlib (#12088)
* Swap out sdk/helper libs with implementations in go-secure-stdlib

* Fix transit batch test
2021-07-15 01:56:37 -04:00
Martin Lee 10f29e0503
base32.DecodeString expects length 8 for the buffer (#11887)
Add padding to the input key to ensure it reaches that length.
2021-07-14 07:38:10 -04:00
Lars Lehtonen b6f990d1b6
builtin/logical/nomad: fix dropped test errors (#12052) 2021-07-13 07:28:46 -04:00
Lars Lehtonen 0196f43cbe
builtin/logical/pki: fix dropped test errors (#12013) 2021-07-08 10:14:38 -04:00
MilenaHC 5483eba5fc
RabbitMQ - Add username customization (#11899)
* add username customization for rabbitmq

* add changelog for rabbitmq

* Update builtin/logical/rabbitmq/path_config_connection.go

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* updating API docs

* moved to changelog folder

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2021-06-22 14:50:46 -05:00
rerorero 9ebb14bab3
Fix: Transit encrypt batch does not honor key_version (#11628)
* fix(secret/transit): #10232 Transit encrypt batch does not honor key_version

* add changelog for 11628
2021-05-27 14:05:20 -05:00
Ricardo Cardenas d02a20bd2b
feat(aws): add ability to provide a role session name when generating STS credentials (#11345)
* feat(aws): add ability to provide a sessionName to sts credentials

Co-authored-by: Brad Vernon <bvernon@nvidia.com>
Co-authored-by: Jim Kalafut <jim@kalafut.net>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2021-05-17 11:03:09 -07:00
Michael Golowka 056a59859f
Add ability to customize some timeouts in MongoDB database plugin (#11600) 2021-05-17 11:40:35 -06:00
Robison Jacka 491f71faf0
Add support for templated values in SSH CA DefaultExtensions. (#11495)
* Add support for templated values in SSH CA DefaultExtensions.

* Reworking the logic per feedback, adding basic test.

* Adding test, so we cover both default extension templating & ignoring default when user-provided extensions are present.

* Fixed up an unintentional extension handling defect, added test to cover the case.

* Refactor Default Extension tests into `enabled` and `disabled`.
2021-05-13 14:37:22 -07:00
Michael Golowka b27a3e9f70
DB engine: Check ErrPluginStaticUnsupported in rollback code (#11601) 2021-05-12 17:09:56 -06:00
Michael Golowka a18bd5ab94
Check ErrPluginStaticUnsupported for fallback to RotateRootCredentials (#11585) 2021-05-12 15:22:41 -06:00
Austin Gebauer 57b6e786fc
Update container image tag used in SSH secrets tests (#11548) 2021-05-06 11:57:54 -04:00
Lars Lehtonen d8f7dd364a
builtin: deprecate errwrap.Wrapf() throughout (#11430)
* audit: deprecate errwrap.Wrapf()

* builtin/audit/file: deprecate errwrap.Wrapf()

* builtin/crediential/app-id: deprecate errwrap.Wrapf()

* builtin/credential/approle: deprecate errwrap.Wrapf()

* builtin/credential/aws: deprecate errwrap.Wrapf()

* builtin/credentials/token: deprecate errwrap.Wrapf()

* builtin/credential/github: deprecate errwrap.Wrapf()

* builtin/credential/cert: deprecate errwrap.Wrapf()

* builtin/logical/transit: deprecate errwrap.Wrapf()

* builtin/logical/totp: deprecate errwrap.Wrapf()

* builtin/logical/ssh: deprecate errwrap.Wrapf()

* builtin/logical/rabbitmq: deprecate errwrap.Wrapf()

* builtin/logical/postgresql: deprecate errwrap.Wrapf()

* builtin/logical/pki: deprecate errwrap.Wrapf()

* builtin/logical/nomad: deprecate errwrap.Wrapf()

* builtin/logical/mssql: deprecate errwrap.Wrapf()

* builtin/logical/database: deprecate errwrap.Wrapf()

* builtin/logical/consul: deprecate errwrap.Wrapf()

* builtin/logical/cassandra: deprecate errwrap.Wrapf()

* builtin/logical/aws: deprecate errwrap.Wrapf()
2021-04-22 11:20:59 -04:00
Calvin Leung Huang a8cafab083
pki: fix tidy removal on revoked entries (#11367)
* pki: fix tidy removal on revoked entries

* add CL entry
2021-04-19 09:40:40 -07:00
Michael Golowka 4279bc8b34
Validate hostnames when using TLS in Cassandra (#11365) 2021-04-16 15:52:35 -06:00
Brian Kassouf 303c2aee7c
Run a more strict formatter over the code (#11312)
* Update tooling

* Run gofumpt

* go mod vendor
2021-04-08 09:43:39 -07:00
Scott Miller 7ecbbcd5b9
Make all duplicate removals stable in PKI (#11259) 2021-04-02 10:33:24 -05:00
Clint dcf3344887
Extract replication state before go routine for initQueue (#11161)
Querying the state before launching the go routine avoids a possible
race condition with replication.
2021-03-30 15:19:00 -05:00
Evgeniy Kosov cf39c9e161
Wrap sign error from an external lib (#10301) 2021-03-15 16:26:06 -06:00
Liwei Fu 170a0800e6
Make cert domain name validation case insensitive (#10959)
* make cert domain name validation case insensitive

* reafctor TestPki_PermitFQDNs mutliple cases

* TestPki_PermitFQDNS: fail uppercase alt_name

* add change log

* fix tests

* use EqualFold for potential utf-8 string comparison

Co-authored-by: Freyert <Freyert@users.noreply.github.com>
2021-03-09 21:28:27 -08:00
Lauren Voswinkel 075898cf73
Add IAM tagging support for iam_user roles in AWS secret engine (#10953)
* Added support for iam_tags for AWS secret roles

This change allows iam_users generated by the secrets engine
to add custom tags in the form of key-value pairs to users
that are created.
2021-02-25 16:03:24 -08:00
Hridoy Roy 4a96126d5a
Revert "Vault Dependency Upgrades [VAULT-871] (#10903)" (#10939)
This reverts commit eb74ca61fc4dcb7038f39defb127d5d639ba0ca1.
2021-02-18 15:40:18 -05:00
Hridoy Roy a26d1300e8
Vault Dependency Upgrades [VAULT-871] (#10903)
* upgrade vault dependency set

* etcd and grpc issues:

* better for tests

* testing

* all upgrades for hashicorp deps

* kubernetes plugin upgrade seems to work

* kubernetes plugin upgrade seems to work

* etcd and a bunch of other stuff

* all vulnerable packages upgraded

* k8s is broken in linux env but not locally

* test fixes

* fix testing

* fix etcd and grpc

* fix etcd and grpc

* use master branch of go-testing-interface

* roll back etcd upgrade

* have to fix grpc since other vendors pull in grpc 1.35.0 but we cant due to etcd

* rolling back in the replace directives

* a few more testing dependencies to clean up

* fix go mod vendor
2021-02-18 12:31:57 -08:00
Jim Kalafut 42bae71806
Improve error messages (#10843)
- Fix: "bytes" should be less than %!s(int=131072) message
- Also add a missing openapi type that was throwing warnings
2021-02-11 19:51:12 -08:00
Hridoy Roy 0e3bddf295
Revert "allow create to create transit keys (#10706)" (#10724)
This reverts commit 4144ee0d3da10fbfef4d081aa72529f2e513f8e2.
2021-01-19 11:49:57 -08:00
Hridoy Roy e8164ad09a
allow create to create transit keys (#10706)
* allow create to create transit keys

* changelog
2021-01-15 12:20:32 -08:00
Hridoy Roy 2c4e299391
allow null types in batch encryption [VAULT-849] (#10386)
* allow null types in batch encryption

* dont allow plaintext to be null
2020-11-23 11:55:08 -08:00
Tom Proctor b9b3796cfe
Sanitize private_key from returned db plugin config (#10416) 2020-11-19 10:58:55 +00:00
Michael Golowka bfd57bc2e8
Error on root rotation when username is empty (#10344)
* Error on root rotation when username is empty

* Don't panic if the field doesn't exist
2020-11-09 15:12:09 +00:00
Brian Kassouf 10668331e4
Update go version to 1.15.3 (#10279)
* Update go version to 1.15.3

* Fix OU ordering for go1.15.x testing

* Fix CI version

* Update docker image

* Fix test

* packagespec upgrade -version 0.1.8

Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>
2020-10-30 16:44:06 -04:00
Michael Golowka bd79fbafb3
Add couchbase, elasticsearch, and mongodbatlas back (#10222)
Updated the `Serve` function so these can be added back into Vault
2020-10-22 17:20:17 -06:00