* store version history as utc; add self-heal logic
* add sys/version-history endpoint
* change version history from GET to LIST, require auth
* add "vault version-history" CLI command
* add vault-version CLI error message for version string parsing
* adding version-history API and CLI docs
* add changelog entry
* some version-history command fixes
* remove extraneous cmd args
* fix version-history command help text
* specify in docs that endpoint was added in 1.10.0
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* enforce UTC within storeVersionTimestamp directly
* fix improper use of %w in logger.Warn
* remove extra err check and erroneous return from loadVersionTimestamps
* add >= 1.10.0 warning to version-history cmd
* move sys/version-history tests
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* save billing start in local storage
* customize enterprise vs oss copy
* change stored date from requested to response date
* delete license date from local storage when navigating away from parent route
* initial reshuffle to use outlet and remove dashboard and index replace with higher level parent clients
* loading
* clean up
* test clean up
* clean up
* adds date picker if no license start date found
* handle permissions denied for license endpoint
* handle permissions errors if no license start date
* change empty state copy for OSS
* fix tests and empty state view
* update nav links
* remove ternary
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
* simplify hbs boolean
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
* organize history file
* organize current file
* rerun tests
* fix conditional to show attribution chart
* match main
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
* first tooltip for next year disabled
* workable for left tooltip
* styling
* make dry
* forgot this one
* remove right tooltip
* clean up
* bug fix
* add bullets when two error messages in one
* fix to isAfter on range comparisons
* remove
* update message per design
* only warning for startTime
* fix for firefox
* added TestDeleteUserContainedDB | testContainedDBCredsExist helper function
* unit test contained db sanitization
Co-authored-by: Gary Frederick <imtahghost@protonmail.com>
* Clarify subject of this w.r.t. TLS configuration
Thanks to @aphorise for pointing this out internally.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify vague this in secrets/gcp docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify vague this in secrets/aws docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify vague this in secrets/database/oracle.mdx
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify vague this in seal/pkcs11 docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify vague this in agent/autoauth docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add format-ttl helper
* Add autoRotateInterval to model and serializer for transit key
* Add goSafeTimeString to object returned from TtlPicker2 component
* Add auto rotate interval to transit key components
* clean up unit calculator on ttl-picker, with tests
* Fix tests, cleanup
* Add changelog
* Allow all other_sans in sign-intermediate and sign-verbatim
/sign-verbatim and /sign-intermediate are more dangerous endpoints in
that they (usually) do not have an associated role. In this case, a
permissive role is constructed during execution of these tests. However,
the AllowedOtherSANs field was missing from this, prohibiting its use
when issuing certificates.
Resolves: #13157
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* updates data with response returned after dates queried
* alphabetize todo
* clarify comments
* change dashboard.js to history.js
* separate clients route, add history and config
* add loading to config template
* Add failsafes for no data
* remove commented code
* update all LinkTos with new routes, remove params
* return response if no data
* fix tests
* cleanup
* fixes template with namespace filter
* fixes tests with namespace filter merged
* fix namespace array mapping
* add version history to test object
Co-authored-by: hashishaw <cshaw@hashicorp.com>
* Add documentation for Managed Keys
- Add concept, sys/api and pki updates related to managed keys
* Review feedback
- Reworked quite a bit of the existing documentation based on feedback
and a re-reading
- Moved the managed keys out of the concepts section and into the
enterprise section
* Address broken links and a few grammar tweaks
* Add duration/count metrics to PKI issue and revoke flows
* docs, changelog
* tidy
* last tidy
* remove err
* Update callsites
* Simple returns
* Handle the fact that test cases don't have namespaces
* Add mount point to the request
* fmt
* Handle empty mount point, and add it to unit tests
* improvement
* Turns out sign-verbatim is tricky, it can take a role but doesn't have to
* Get around the field schema problem
* Use application/pem-certificate-chain for PEMs
As mentioned in #10948, it appears we're incorrectly using the
`application/pkix-cert` media type for PEM blobs, when
`application/x-pem-file` is more appropriate. Per RFC 5280 Section
4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in
DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert`
is only applicable when a single DER certificate is used.
Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer `application/pem-certificate-chain` media type for
certificates. However, this is not applicable for CRLs, so we use fall
back to `application/x-pem-file` for these. Notably, no official IETF
source is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* updates regex-validator component to optionally show pattern input and adds capture groups support
* adds form-field-label component
* adds autocomplete-input component
* updates kv-object-editor component to yield block for value and glimmerizes
* updates transform template model
* adds transform-advanced-templating component
* updates form-field with child component changes
* updates transform template serializer to handle differences in regex named capture groups
* fixes regex-validator test
* adds changelog entry
* updates for pr review feedback
* reverts kv-object-editor guidFor removal
* Include full chain in /cert/ca_chain response
This allows callers to get the full chain (including issuing
certificates) from a call to /cert/ca_chain. Previously, most endpoints
(including during issuance) do not include the root authority, requiring
an explicit call to /cert/ca to fetch. This allows full chains to be
constructed without without needing multiple calls to the API.
Resolves: #13489
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case for full CA issuance
We test three main scenarios:
1. A root-only CA's `/cert/ca_chain`'s `.data.ca_chain` field should
contain only the root,
2. An intermediate CA (with root provide) should contain both the root
and the intermediate.
3. An external (e.g., `/config/ca`-provided) CA with both root and
intermediate should contain both certs.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation for new ca_chain field
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about where to find the entire chain
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>