* fixes issue with ttl picker not initially enabling in form field component
* adds changelog entry
* updates test
* updates initial ttl toggle state for default 0s value
* fixes issue with oidc auth method when MetaMask chrome extenstion is used
* adds changelog entry
* updates auth-jwt integration tests
* fixes race condition in runCommands ui-panel helper method where running multiple commands would not always result in the same output order
* Add native Login method for GCP auth backend
* Add native Login method for Azure auth backend
* Add changelog entry
* Use official azure library Environment struct rather than passing string, add timeouts
* Use v1.3.0 which now has interface definition
* Don't throw away error and close resp body
* Back to WithResource so we can support non-Azure URLs for aud
* Restrict ECDSA signatures with NIST P-Curve hashes
When using an ECDSA signature with a NIST P-Curve, we should follow
recommendations from BIS (Section 4.2) and Mozilla's root store policy
(section 5.1.2) to ensure that arbitrary selection of signature_bits
does not exceed what the curve is capable of signing.
Related: #11245
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to certutil.ValidateKeyTypeSignatureLength(...)
Replaces previous calls to certutil.ValidateKeyTypeLength(...) and
certutil.ValidateSignatureLength(...) with a single call, allowing for
curve<->hash validation.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch to autodetection of signature_bits
This enables detection of whether the caller manually specified a value
for signature_bits or not; when not manually specified, we can provision
a value that complies with new NIST P-Curve policy.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Select hash function length automatically
Due to our change in behavior (to default to -1 as the value to
signature_bits to allow for automatic hash selection), switch
ValidateKeyTypeSignatureLength(...) to accept a pointer to hashBits and
provision it with valid default values.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Prevent invalid Curve size lookups
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Switch from -1 to 0 as default SignatureBits
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add a periodic test of the autoseal to detect loss of connectivity
* Keep the logic adjacent to autoseal
* imports
* typo, plus unnecessary constant time compare
* changelog
* pr feedback
* More feedback
* Add locking and a unit test
* unnecessary
* Add timeouts to encrypt/decrypt operations, capture activeContext before starting loop
* Add a block scope for the timeout
* copy/paste ftl
* Refactor to use two timeouts, and cleanup the repetitive failure code
* Readd 0ing gauge
* use millis
* Invert the unit test logic
* updates secret list header to display badge for all versions
* adds changelog entry
* updates secret list header to only show badge for kv and generic engine types
* adds secret-engine mirage factory
* adds test helper for pushing serialized mirage data into store and returning ember data models
* adds secret engine type version badge display test
* updates mirage application serializer to return singular type key
* small bar chart attr fix
* truncates and adds ellipsis of label is long
* adds tooltip for long labels
* updates storybook
* adds changelog
* only calculate overflow if query selectors grab elements
* moves tooltip pointer to left
* certutil: select appropriate hash algorithm for ECDSA signature
Select the appropriate signature algorithm for certificates signed
with an ECDSA private key.
The algorithm is selected based on the curve:
- P-256 -> x509.ECDSAWithSHA256
- P-384 -> x509.ECDSAWithSHA384
- P-521 -> x509.ECDSAWithSHA512
- Other -> x509.ECDSAWithSHA256
fixes#11006
VAULT-444: Add PKI tidy-status endpoint.
Add metrics so that the PKI tidy status can be monitored using telemetry as well.
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* chane form field to angle bracket syntax
* computes tuneAttrs depending on auth method type
* make all attrs linkable
* delete token_type for token auth methods before save
* adds changelog
* adds copy to unsupported auth methods
* adds doc link to copy
* adds test for linkable auth method list
* alphabetize DB plugin types
* adds changelog
* add postgres to database plugins
* add statement fields
* adds tests for postgres db
* add delete confirm modal to db connection
* fixes text for confirmation modal - transform
* editing tests for delete modal
* fixes tests, oracle must be last DB tested
* adds test for modal and updates old modal tests
* Update to hashicorp/go-kms-wrapping@v0.6.8
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation around Managed HSM KeyVault
This introduces the "resource" config parameter and the
AZURE_AD_RESOURCE environment variable from the updated go-kms-wrapping
dependency.
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry for g-k-w changes
Includes changes from @stevendpclark.
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
* Native Login method, userpass and approle interfaces to implement it
* Add AWS auth interface for Login, unexported struct fields for now
* Add Kubernetes client login
* Add changelog
* Add a test for approle client login
* Return errors from LoginOptions, use limited reader for secret ID
* Fix auth comment length
* Return actual type not interface, check for client token in tests
* Require specification of secret ID location using SecretID struct as AppRole arg
* Allow password from env, file, or plaintext
* Add flexibility in how to fetch k8s service token, but still with default
* Avoid passing strings that need to be validated by just having different login options
* Try a couple real tests with approle and userpass login
* Fix method name in comment
* Add context to Login methods, remove comments about certain sources being inherently insecure
* Perform read of secret ID at login time
* Read password from file at login time
* Pass context in integ tests
* Read env var values in at login time, add extra tests
* Update api version
* Revert "Update api version"
This reverts commit 1ef3949497dcf878c47e0e5ffcbc8cac1c3c1679.
* Update api version in all go.mod files
* go get vault-plugin-secrets-kv@extend-kv-metadata-to-get-and-put
* test for custom_metadata in kv get, put, patch command output
* remove flagFormat-specific check from TestKVMetadataGetCommand
* rewrite custom metadata changelog entry
* go get vault-plugin-secrets-kv@master
* go mod tidy
* CLI makes request to incorrect URL when namespace is both provided as argument and part of the path
fixes#12675
* adding change log
* removing a switch and addressing a possibility of out of bound index
* operator generate-root -decode: allow token from stdin
Allow passing "-" as the value for -decode, causing the encoded token to
be read from stdin. This is intended to prevent leaking the encoded
token + otp into process logs in enterprise environments.
* add changelog entry for PR12881
* add check/test for empty decode value passed via stdin
* Let allowed_users template mix templated and non-templated parts (#10388)
* Add documentation
* Change test function names
* Add documentation
* Add changelog entry
Uses a bufconn listener between consul-template and vault-agent when
caching is enabled and either templates or a listener is defined. This
means no listeners need to be defined in vault-agent for just
templating. Always routes consul-template through the vault-agent
cache (instead of only when persistent cache is enabled).
Uses a local transportDialer interface in config.Cache{}.
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* Forbid ssh key signing with specified extensions when role allowed_extensions is not set
- This is a behaviour change on how we process the allowed_extensions role
parameter when it does not contain a value. The previous handling allowed
a client to override and specify any extension they requested.
- We now require a role to explicitly set this behaviour by setting the parameter
to a '*' value which matches the behaviour of other keys such as allowed_users
within the role.
- No migration of existing roles is provided either, so operators if they truly
want this behaviour will need to update existing roles appropriately.
* removed unpublished:true for sys/internal/* endpoints
* added changelog file
* updated change log and added placeholder summary as these endpoints are not mentioned in docs.
* added documentation for internal/ui/namspaces and resultant-acl
* updated log configs
* adds helper so only rows with values display
* adds changelog
* add argument to is-empty-value helper to check for default
* adds test to helper for added named argument
- add new configuration option, ReadYourWrites, which enables a Client
to provide cluster replication states to every request. A curated set
of cluster replication states are stored in the replicationStateStore,
and is shared across clones.
* Disallow alias creation if entity/accessor combination exists
* Add changelog
* Address review comments
* Add handling to aliasUpdate, some field renaming
* Update tests to work under new entity-alias constraint
* Add check to entity merge, other review fixes
* Log duplicated accessors only once
* Fix flaky test
* Add note about new constraint to docs
* Update entity merge warn log
* Add new route w/ controller oidc-provider
* oidc-provider controller has params, template has success message (temporary), model requests correct endpoint
* Move oidc-provider route to under identity
* Do not redirect after poll if on oidc-provider page
* WIP provider -- beforeModel handles prompt, logout, redirect
* Auth service fetch method rejects with fetch response if status >= 300
* New component OidcConsentBlock
* Fix redirect to/from auth with cluster name, show error and consent form if applicable
* Show error and consent form on template
* Add component test, update docs
* Test for oidc-consent-block component
* Add changelog
* fix tests
* Add authorize to end of router path
* Remove unused tests
* Update changelog with feature name
* Add descriptions for OidcConsentBlock component
* glimmerize token-expire-warning and don't override yield if on oidc-provider route
* remove text on token-expire-warning
* Fix null transition.to on cluster redirect
* Hide nav links if oidc-provider route
* handle HTTP PATCH requests as logical.PatchOperation
* update go.mod, go.sum
* a nil response for logical.PatchOperation should result in 404
* respond with 415 for incorrect MIME type in PATCH Content-Type header
* add abstraction to handle PatchOperation requests
* add ACLs for patch
* Adding JSON Merge support to the API client
* add HTTP PATCH tests to check high level response logic
* add permission-based 'kv patch' tests in prep to add HTTP PATCH
* adding more 'kv patch' CLI command tests
* fix TestHandler_Patch_NotFound
* Fix TestKvPatchCommand_StdinValue
* add audit log test for HTTP PATCH
* patch CLI changes
* add patch CLI tests
* change JSONMergePatch func to accept a ctx
* fix TestKVPatchCommand_RWMethodNotExists and TestKVPatchCommand_RWMethodSucceeds to specify -method flag
* go fmt
* add a test to verify patching works by default with the root token
* add changelog entry
* get vault-plugin-secrets-kv@add-patch-support
* PR feedback
* reorder some imports; go fmt
* add doc comment for HandlePatchOperation
* add json-patch@v5.5.0 to go.mod
* remove unnecessary cancelFunc for WriteBytes
* remove default for -method
* use stable version of json-patch; go mod tidy
* more PR feedback
* temp go get vault-plugin-secrets-kv@master until official release
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
* store unauthenticated path wildcards in map
* working unauthenticated paths with basic unit tests
* refactor wildcard logic
* add parseUnauthenticatedPaths unit tests
* use parseUnauthenticatedPaths when reloading backend
* add more wildcard test cases
* update special paths doc; add changelog
* remove buggy prefix check; add test cases
* prevent false positives for prefix matches
If we ever encounter a mismatched segment, break and set a flag to
prevent false positives for prefix matches.
If it is a match we need to do a prefix check. But we should not return
unless HasPrefix also evaluates to true. Otherwise we should let the for
loop continue to check other possibilities and only return false once
all wildcard paths have been evaluated.
* refactor switch and add more test cases
* remove comment leftover from debug session
* add more wildcard path validation and test cases
* update changelong; feature -> improvement
* simplify wildcard segment matching logic
* refactor wildcard matching into func
* fix glob matching, add more wildcard validation, refactor
* refactor common wildcard errors to func
* move doc comment to logical.Paths
* optimize wildcard paths storage with pre-split slices
* fix comment typo
* fix test case after changing wildcard paths storage type
* move prefix check to parseUnauthenticatedPaths
* tweak regex, remove unneeded array copy, refactor
* add test case around wildcard and glob matching
* Customizing HTTP headers in the config file
* Add changelog, fix bad imports
* fixing some bugs
* fixing interaction of custom headers and /ui
* Defining a member in core to set custom response headers
* missing additional file
* Some refactoring
* Adding automated tests for the feature
* Changing some error messages based on some recommendations
* Incorporating custom response headers struct into the request context
* removing some unused references
* fixing a test
* changing some error messages, removing a default header value from /ui
* fixing a test
* wrapping ResponseWriter to set the custom headers
* adding a new test
* some cleanup
* removing some extra lines
* Addressing comments
* fixing some agent tests
* skipping custom headers from agent listener config,
removing two of the default headers as they cause issues with Vault in UI mode
Adding X-Content-Type-Options to the ui default headers
Let Content-Type be set as before
* Removing default custom headers, and renaming some function varibles
* some refacotring
* Refactoring and addressing comments
* removing a function and fixing comments
* filter identity token keys
* Update test cases to associate keys with roles
* use getOIDCRole helper
* add func comment and test assertion
* add changelog
* remove unnecessary code
* build list of keys to return by starting with a list of roles
* move comment
* update changelog
* creates serializer and moves available plugin types constant to util
* adds if block catch if no plugin_type, renames util file
* updates imports
* adds changelog
* fixes rendering of default attrs
* checks that plugin exists
* Added support for Oracle db connection
* Added changelog
* Fixed test
* Added test for role setting
* Skip full acceptance test in case of oracle db
* Fix db role test
* Update changelog
* Fix db role fields after rebase
* Added missing test
* displays empty state if database is not supported in the UI
* adds elasticsearch db plugin
* adds changelog
* updates elasticsearch attrs
* move tls_server_name to pluginConfig group
* move role setting fields to util
* updates comments and refactors using util function
* adds tests for elasticsearch
* fixes indentation
* when local host needs https
* adds line at bottom of hbs file
* move merge and compare states to vault core
* move MergeState, CompareStates and ParseRequiredStates to api package
* fix merge state reference in API Proxy
* move mergeStates test to api package
* add changelog
* ghost commit to trigger CI
* rename CompareStates to CompareReplicationStates
* rename MergeStates and make compareStates and parseStates private methods
* improved error messaging in parseReplicationState
* export ParseReplicationState for enterprise files
* patch to support VAULT_HTTP_PROXY variable
* simplify the proxy replacement
* internal code review
* rename to VAULT_HTTP_PROXY, apply within ReadEnvironment
* clean up some unintended whitespace changes
* add docs for the new env variable and a changelog entry
Co-authored-by: Dave Du Cros <davidducros@gmail.com>
* update azure instructions
Update instructions in regards to azure AD Authentication and OIDC
* Initial pass of ed25519
* Fix typos on marshal function
* test wip
* typo
* fix tests
* missef changelog
* fix mismatch between signature and algo
* added test coverage for ed25519
* remove pkcs1 since does not exist for ed25519
* add ed25519 support to getsigner
* pull request feedback
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
* typo on key
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
* cast mistake
Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
* installs node-forge
* correctly displays and formats cert metadata
* removes labels
* uses helper in hbs file
* adds named arg to helper
* pki-ca-cert displays common name, issue & expiry date
* alphabetizes some attrs
* adds test for date helper
* Upgrade pq to fix connection failure cleanup bug (v1.8.0 => v1.10.3)
* Run go mod tidy after `go get -u github.com/lib/pq`
* include changelog/12413.txt
- When two entities are merged, remove the from entity ID in any
associated groups.
- When two entities are merged, also merge their associated group
memberships.
Fixes#10084
* get credentials card test and setup
* call getcrednetials card and remove path test error
* configuration
* metadata search box
* changelog
* checking if it is noReadAccess
* try removing test
* blah
* a test
* blah
* stuff
* attempting a clean up to solve issue
* Another attempt
* test1
* test2
* test3
* test4
* test5
* test6
* test7
* finally?
* clean up
* Update Go client libraries for etcd
* Added etcd server container to run etcd3 tests automatically.
* Removed etcd2 test case: it fails the backend tests but the failure is
unrelated to the uplift. The etcd2 backend implementation does not
remove empty nested nodes when removing leaf (see comments in #11980).
