Commit graph

16818 commits

Author SHA1 Message Date
Alexander Scheel 809957aac0
Refactor OCSP client to support better retries (#19345)
Mirror NSS's GET-vs-POST selection criteria, wherein GET is preferred
over POST (as the former might be a response from a cached CDN entry,
whereas the latter might hit a live responder). However, only accept it
if it definitively says "Good" or "Revoked" -- trigger a POST request
when an unknown or failure status is seen.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-24 13:18:37 -05:00
davidadeleon dd39b177f9
add nil check for secret id entry on delete via accessor (#19186)
* add nil check for secret id entry on delete via accessor

* add changelog

* add godoc to test

* improve feedback on nil entry

* fix error reporting on invalid secret id accessor

* fix test to expect implemented error
2023-02-24 13:18:08 -05:00
Steven Clark 6747c546af
Address some small issues within pki health-check (#19295)
* Address some small issues within pki health-check

 - Notify user yaml output mode is not support with --list argument
 - Output pure JSON in json output mode with --list argument
 - If a checker returns a nil response, convert to an empty slice
 - Add handler for permission errors to too many certs checker
 - Add checks for permission issues within hardware_backed_root and root_issued_leaves

* Identify the role that contained the permission issue in role based checks

 - Augument the role health checks to identify the role(s) that we have
   insufficient permissions to read instead of an overall read failure
 - Treat the failure to list roles as a complete failure for the check
2023-02-24 13:00:09 -05:00
miagilepner c31a10b90a
VAULT-13763 normalize activity log mount paths (#19343)
* add slashes to mount paths in activity log

* cleanup test

* fix test
2023-02-24 16:57:41 +01:00
claire bontempo 16baa1090f
UI: Pki model attribute consolidation (#19281) 2023-02-24 07:56:12 -08:00
Austin Gebauer d8348490d5
secrets/ad: change deprecation status to deprecated (#19334)
* secrets/ad: change deprecation status to deprecated

* adds changelog
2023-02-24 00:13:32 +00:00
Christopher Swenson 6b36cc7587
When copying test binary, delete first (#19331)
For plugin tests, we copy the test binary. On macOS, if the
destination binary already exists, then copying over it will result
in an invalid signature.

The easiest workaround is to delete the file before copying.
2023-02-23 15:10:13 -08:00
Jason O'Donnell f69297e0b3
Fix inmem layer unlock bug (#19323) 2023-02-23 20:16:49 +00:00
Angel Garbarino ede0000843
Auth method token_type possibleValues fix (#19290)
* language by design

* fix issue with active class not doing anything on the LinkTo

* changelog

* noDefault instead of empty string

* test coverage

* update test descriptions

* address pr comments

* welp
2023-02-23 11:59:21 -07:00
John-Michael Faircloth 0a7656ae5c
test: Fix bug in TestAddTestPlugin test helper (#19313)
* fix external plugin test failing locally

* Ensure file is closed and written in TestAddTestPlugin
2023-02-23 17:07:48 +00:00
miagilepner 271e5b14d2
VAULT-12299 Use file.Stat when checking file permissions (#19311)
* use file.Stat for config files

* cleanup and add path

* include directory path

* revert changes to LoadConfigDir

* remove path, add additional test:

* add changelog
2023-02-23 18:05:00 +01:00
Kianna f976e399f7
VAULT-13220 use decorator instead of extending overview route (#19294) 2023-02-23 08:35:07 -08:00
Jakob Beckmann 0bed33d84f
feat(auth/ldap): allow passing the LDAP password via an env var (#18225)
* feat(auth/ldap): allow passing the LDAP password via an environment variable when authenticating via the CLI

* chore(auth/ldap): add changelog entry for PR 18225
2023-02-23 11:16:17 -05:00
Peter Wilson 15302d9fe2
Restore 'server' and 'agent' base loggers to use their original names (#19304) 2023-02-23 14:56:21 +00:00
David Yu 9753379fe8
Update consul.mdx (#19300) 2023-02-22 17:45:26 -05:00
Austin Gebauer a8d382d52a
docs/oidc: make it clear that contents of CA certificate are expected (#19297) 2023-02-22 11:33:53 -08:00
Leland Ursu 432fad12b1
added in the missing test cases to validate response structures (#19277)
* added in the missing test cases to validate response structures

* added changelog file

* remove unneeded changelog file

* removed comment to update when indentity/entity is implemented

---------

Co-authored-by: lursu <leland.ursu@hashicorp.com>
2023-02-22 12:46:46 -05:00
Bryce Kalow 2fa1153e95
adds content-check command and README update (#19271) 2023-02-22 12:04:00 -05:00
Max Coulombe b9bcd135e5
Added disambiguation that creation request can also update roles (#17371)
+ added  disambiguation that creation request can also update roles
2023-02-22 12:02:31 -05:00
Chris Capurso 3a361e1e83
add error consistency in link node status resp (#19279) 2023-02-22 11:53:29 -05:00
Alexander Scheel fbebf2508b
Add note clarifying revoked issuer associations (#19289)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-22 15:48:20 +00:00
claire bontempo e51c9978c6
UI: fixes validation bug in sign certificate form (#19280)
* move validations to base certificate

* add test
2023-02-22 09:07:29 -06:00
Steven Clark c40570c144
Handle permission issue on pki health-check tune checkers (#19276)
* Handle permission issue on pki health-check tune checkers

 - Prior to this fix, if the end-user's Vault token did not have permission to the
   mount's tune api, we would return as if the tunable params had not been set.
 - Now check to see if we encountered a permission issue and report that back to
   the end-user like the other checks do.
2023-02-22 09:01:29 -05:00
Tom Proctor 5b52184766
Update x/net and x/crypto/ssh (#19282)
* Update x/net and x/crypto/ssh in api and sdk

* go mod tidy in root go module
2023-02-22 13:46:12 +00:00
Raymond Ho 57ff9835f7
use github token env var if present when fetching org id (#19244) 2023-02-21 12:17:35 -08:00
Steven Clark 95bdeafb3e
Fix role endpoint in pki health-check warnings (#19274)
* Fix role endpoint in pki health-check warnings

 - The various warning messages point to {{mount}}/role/<rolename>
   which is not a valid PKI path, it should be {{mount}}/roles/<rolename>

* Add cl
2023-02-21 14:48:50 -05:00
Steven Clark 8df0e9714c
Output default config output from pki health-check --list as json (#19269)
* Output default config output from health-check --list as json

 - Change the output of the default configuration as JSON so
   it's useable as an input to the health-check command

* Add cl
2023-02-21 12:41:04 -05:00
Tom Proctor a4616d7336
Test coverage for event format (#19264) 2023-02-21 17:18:37 +00:00
Christopher Swenson 724ccd5bc4
docs: Add page about events (#19243)
This page details the new events experiment that will be
released in Vault 1.13.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-02-21 16:43:34 +00:00
John-Michael Faircloth 2cc6117f28
test/plugin: add more test scenarios for external plugins (#19257) 2023-02-21 09:44:54 -06:00
Leland Ursu 1b3083c98c
address various issues with the output-policy flag (#19160)
* update error message and properly handle list requests

* since we do agressive sanitizes we need to optionally check trailing slash

* added changelog record

* remove redundant path formating

* Update changelog/13106.txt

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* addressed comments from review

* also remove code that duplicates efforts in kv_list

* abstracted helper func for testing

* added test cases for the policy builder

* updated the changelog to the correct one

* removed calls that apear not to do anything given test case results

* fixed spacing issue in output string

* remove const representation of list url param

* addressed comments for pr

---------

Co-authored-by: lursu <leland.ursu@hashicorp.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-02-21 10:12:45 -05:00
Steven Clark b6f3ba7d4f
pki health-check fails to read in int config values (#19265)
* pki health-check fails to read in int config values

 - Go's default behavior when decoding numbers to an interface{} is to use a float64 type which parseutil.SafeParseIntRange does not handle.
 - Switch to having the JSON decoder use json.Number which our parseutil library
  properly handles.

* Add cl
2023-02-21 08:52:19 -05:00
Tero Saarni b634bb897b
docs/k8s: updated helm doc for short-lived SA tokens (#15675)
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
2023-02-21 12:09:27 +00:00
Tom Proctor fa298906b2
Events API uses consistent error codes (#19246) 2023-02-20 16:24:27 +00:00
Max Winslow 3a132c2428
Add vault print token to commands in Vault docs (#19183)
* doc-update

* Update website/content/docs/commands/print.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-02-17 20:51:48 -08:00
Anton Averchenkov e5770359b5
Simplify gen_openapi.sh script (#19245)
* Simplify gen_openapi.sh script

* Update scripts/gen_openapi.sh

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* use correct import

---------

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-02-17 14:48:05 -05:00
Christopher Swenson 404d7a57bb
events: WS protobuf messages should be binary (#19232)
The [WebSockets spec](https://www.rfc-editor.org/rfc/rfc6455) states
that text messages must be valid UTF-8 encoded strings, which protobuf
messages virtually never are. This now correctly sends the protobuf events
as binary messages.

We change the format to correspond to CloudEvents, as originally intended,
and remove a redundant timestamp and newline.

We also bump the eventlogger to fix a race condition that this code triggers.
2023-02-17 11:38:03 -08:00
Scott Miller 0a5f3208fd
Document the 'convergent' tokenization transform option (#19249) 2023-02-17 13:15:40 -06:00
Anton Averchenkov 76d8d2b88a
Stop vault on exit in gen_openapi.sh (#19252) 2023-02-17 13:06:00 -05:00
Alexander Scheel dd3356752a
Add note on client cert definition (#19248)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-02-17 11:36:41 -05:00
AnPucel 4c0895188a
Adding PKI Responses 3 (#18596) 2023-02-16 17:31:45 -08:00
John-Michael Faircloth 9c837ef4b5
docs/upgrade guide: add changes to plugin loading (#19231)
* docs/upgrade guide: add changes to plugin loading

* clarify this is for external plugins
2023-02-16 22:47:29 +00:00
Chelsea Shaw 698a652a92
UI: Remove Wizard (#19220)
* Remove UI Wizard temporarily [GH-19000]
2023-02-16 22:44:33 +00:00
claire bontempo a5a80b895d
replace whitelist with allow (#19217) 2023-02-16 14:35:30 -08:00
John-Michael Faircloth 678556f3df
plugin/secrets/auth: enable multiplexing (#19215)
* plugin/auth: enable multiplexing

- the plugin will be multiplexed when run as an external plugin
  by vault versions that support secrets/auth plugin multiplexing (> 1.12)
- we continue to set the TLSProviderFunc to maintain backwards
  compatibility with vault versions that don't support AutoMTLS (< 1.12)

* enable multiplexing for secrets engines

* add changelog

* revert call to ServeMultiplex for pki and transit

* Revert "revert call to ServeMultiplex for pki and transit"

This reverts commit 755be28d14b4c4c4d884d3cf4d2ec003dda579b9.
2023-02-16 22:25:15 +00:00
John-Michael Faircloth eca810d06e
test/plugin: test external database plugin workflows (#19191)
* test/plugin: test external db plugin

* use test helper to get cluster and plugins

* create test helper to create a vault admin user

* add step to revoke lease

* make tests parallel and add reload test

* use more descriptive name for test group; check response
2023-02-16 15:52:24 -06:00
Tony Wittinger ef367ecc90
Update changelog 1.13.0-rc1 (#19221)
* Update changelog 1.13.0-rc1

* Remove 1.13.0 Unreleased content
2023-02-16 16:30:12 -05:00
Daniel Huckins 448f5dd33e
VAULT-12112: add openapi response structures for /sys/config and /sys/generate-root endpoints (#18472)
* some config responses

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* added response structs

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* added changelog

* add test for config/cors

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add (failing) tests

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* copy-pasta err

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update tests for /sys/config/ui/headers/{header}

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-02-16 15:06:26 -05:00
Daniel Huckins 60488687ad
VAULT-12112: add openapi response structures for /sys/capabilities* endpoints (#18468)
* add capabilities

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* added change log

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* use nil for dynamic fields

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-02-16 15:04:37 -05:00
Daniel Huckins a9d15f1252
VAULT-12112: add openapi response structures for /sys/auth/* endpoints (#18465)
* added responses to /sys/auth/.../tune

* add response structure for auth/...

* added changelog

* Update vault/logical_system_paths.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* its TypeString

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* use nil for dynamic fields

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* test auth endpoint schema

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* kicking off ci

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-02-16 15:03:19 -05:00