Commit Graph

1726 Commits

Author SHA1 Message Date
hc-github-team-secure-vault-core 7e8c0a1cae
backport of commit 4c1a7b53d362ee733707de2fa3280596e35d7f03 (#21609)
Co-authored-by: Bianca Moreira <48203644+biazmoreira@users.noreply.github.com>
2023-07-06 12:05:43 +02:00
hc-github-team-secure-vault-core d21351f245
backport of commit 325233ea7dba833e987909b21af547d0933751e3 (#21519)
Co-authored-by: Christophe Deliens <chris@deliens.be>
2023-06-30 17:48:20 +00:00
hc-github-team-secure-vault-core 36365ed7f4
backport of commit 3a46ecc389e9096ccea6c6f847b68ada7f8068d7 (#21362)
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2023-06-21 14:01:13 +00:00
hc-github-team-secure-vault-core ee92f78611
backport of commit f12c1285599a1519273bfa68472c598b1fd635bf (#21348)
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2023-06-19 11:40:23 -04:00
hc-github-team-secure-vault-core 100f402ac8
backport of commit 3908ec9dc44352548e08f4c86f9ad76c255ce493 (#21331)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-06-16 17:33:30 -04:00
Mike Baum d323aa33df
Backport of audit file changes to release/1.14.x (#20985) 2023-06-05 11:46:59 -04:00
hc-github-team-secure-vault-core df28de636b
backport of commit 155003aa0cc054701096444b480bc7ab43d187b2 (#20973)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-06-02 21:37:06 +00:00
hc-github-team-secure-vault-core 8497f132ac
backport of commit bc9a39a2f1e657c073406b287f3f4783f967d10c (#20954)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-06-02 13:34:20 +00:00
hc-github-team-secure-vault-core 5a3f714215
backport of commit 8fe7076c02ac08e4e2e803243c2f9e4ae323ca10 (#20939)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-06-02 02:05:51 +00:00
hc-github-team-secure-vault-core 0ac7213b73
backport of commit a5a49cde3ff8445b024c9652a088c078ebdd4595 (#20949)
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-06-01 20:31:53 -04:00
hc-github-team-secure-vault-core ca57012072
backport of commit e4c19ac0af902c83e67c301b6d104d9f1a621750 (#20938)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-06-01 19:14:17 +00:00
hc-github-team-secure-vault-core 4af350762e
backport of commit 9be2903a34df94a1cd380a03f04e6b9bde9ca5a6 (#20932)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-06-01 12:01:14 -04:00
hc-github-team-secure-vault-core 94a7385904
backport of commit 360a406a2f924f0a46491a77bdd9e1fcf03b99fa (#20928)
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-06-01 14:34:52 +00:00
hc-github-team-secure-vault-core 76929df206
backport of commit 8ff31f32a525ed32273a65e6d28b88e24e9cf06e (#20895)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-06-01 00:37:32 +00:00
hc-github-team-secure-vault-core afef4629c8
backport of commit 21eccf8b8df7868c7d454f8ba42d5bec5235a69e (#20866)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-31 23:06:59 +00:00
hc-github-team-secure-vault-core 3a3e931cfd
backport of commit 7f2d3f2c5c783dfacc7bc3bb86da4008d8b61bd6 (#20860)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-31 22:38:26 +00:00
hc-github-team-secure-vault-core 5cc92a20f1
backport of commit 344ee1ec3e5721dbc64b1e0f34e08e8c5ffb3bc8 (#20865)
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-05-31 17:14:02 +00:00
hc-github-team-secure-vault-core 85dc9349cc
backport of commit fe53c4684c2c15425cda6d3d46de973d62230fe6 (#20894)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-31 16:32:17 +00:00
hc-github-team-secure-vault-core c16d572ab8
backport of commit 3b5ca69b62a3c59468754278f579610c0902fa05 (#20839)
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2023-05-30 16:41:07 +00:00
Larroyo c32032c1f8
Make transit import command work for the transform backend (#20668)
* Add import and import-version commands for the transform backend
2023-05-25 15:33:27 -05:00
Daniel Huckins 958ccda6b1
agent: Add implementation for injecting secrets as environment variables to vault agent cmd (#20739)
* added exec and env_template config/parsing

* add tests

* we can reuse ctconfig here

* do not create a non-nil map

* check defaults

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* first go of exec server

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* sig test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add failing example

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor for config changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test for invalid signal

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* account for auth token changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* only start the runner once we have a token

* tests in diff branch

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* fix rename

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update command/agent/exec/exec.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unnecessary lock

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor to use enum

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* dont block

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* handle default

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* make more explicit

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused file

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove test app

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update comment

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add changelog

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* new channel for exec server token

* wire to run with vault agent

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* watch for child process to exit on its own

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* block before returning

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-25 09:23:56 -04:00
Daniel Huckins 2343ff04f6
agent: Add implementation for injecting secrets as environment variables (#20628)
* added exec and env_template config/parsing

* add tests

* we can reuse ctconfig here

* do not create a non-nil map

* check defaults

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* first go of exec server

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* sig test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add failing example

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor for config changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test for invalid signal

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* account for auth token changes

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* only start the runner once we have a token

* tests in diff branch

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* fix rename

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update command/agent/exec/exec.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unnecessary lock

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* refactor to use enum

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* dont block

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* handle default

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* make more explicit

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove unused file

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove test app

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* apply suggestions from code review

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update comment

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add changelog

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* watch for child process to exit on its own

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-24 16:56:06 -04:00
Anton Averchenkov f3620b5b4f
agent: Add logic to validate env_template entries (#20569) 2023-05-23 18:37:08 +00:00
Steven Clark c8837f2010
Add ACME health checks to pki health-check CLI (#20619)
* Add ACME health checks to pki health-check CLI

 - Verify we have the required header values listed within allowed_response_headers: 'Replay-Nonce', 'Link', 'Location'
 - Make sure the local cluster config path variable contains an URL with an https scheme

* Split ACME health checks into two separate verifications

 - Promote ACME usage through the enable_acme_issuance check, if ACME is disabled currently
 - If ACME is enabled verify that we have a valid
    'path' field within local cluster configuration as well as the proper response headers allowed.
 - Factor out response header verifications into a separate check mainly to work around possible permission issues.

* Only recommend enabling ACME on mounts with intermediate issuers

* Attempt to connect to the ACME directory based on the cluster path variable

 - Final health check is to attempt to connect to the ACME directory based on the cluster local 'path' value. Only if we successfully connect do we say ACME is healthy.

* Fix broken unit test
2023-05-23 10:37:31 -04:00
Márk Sági-Kazár 258b2ef740
Upgrade go-jose library to v3 (#20559)
* upgrade go-jose library to v3

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

* chore: fix unnecessary import alias

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

* upgrade go-jose library to v2 in vault

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>

---------

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
2023-05-23 12:25:58 +00:00
Daniel Huckins 2658dcf48d
agent: Add support for parsing env_template configuration files (#20598)
* added exec and env_template config/parsing

* add tests

* we can reuse ctconfig here

* do not create a non-nil map

* check defaults

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* sig test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add failing example

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test for invalid signal

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update command/agent/config/config.go

* use latest consul-template

* fix build

* fix test

* fix test fixtures

* make fmt

* test docs

* rename file

* env var -> environment variable

* default to SIGTERM

* empty line

* explicit naming

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* clean typo

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* replace $ HOME with /home/username in examples

* remove empty line

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <anton.averchenkov@hashicorp.com>
2023-05-19 18:11:41 -04:00
Marc Boudreau 8928b30224
Refactor Code Focused on DevTLS Mode into New Function (#20376)
* refactor code focused on DevTLS mode into new function

* add tests for configureDevTLS function

* replace testcase comments with fields in testcase struct
2023-05-19 15:45:22 -04:00
Anton Averchenkov f551f4e5ba
cli: Add 'agent generate-config' sub-command (#20530) 2023-05-19 13:42:19 -04:00
Violet Hynes 92dc054bb3
VAULT-15547 Agent/proxy decoupling, take two (#20634)
* VAULT-15547 Additional tests, refactoring, for proxy split

* VAULT-15547 Additional tests, refactoring, for proxy split

* VAULT-15547 Import reorganization

* VAULT-15547 Some missed updates for PersistConfig

* VAULT-15547 address comments

* VAULT-15547 address comments
2023-05-19 13:17:48 -04:00
miagilepner 7aa1bce6fb
VAULT-15703: Reload automated reporting (#20680)
* support config reloading for census

* changelog

* second changelog entry for license updates

* correct changelog PR
2023-05-19 14:42:50 +00:00
Nick Cabatoff 1a8d3e8948
Make -dev-three-node use perf standbys for ent binaries (#20629) 2023-05-17 18:37:44 +00:00
Violet Hynes b2468d3481
VAULT-15547 First pass at agent/proxy decoupling (#20548)
* VAULT-15547 First pass at agent/proxy decoupling

* VAULT-15547 Fix some imports

* VAULT-15547 cases instead of string.Title

* VAULT-15547 changelog

* VAULT-15547 Fix some imports

* VAULT-15547 some more dependency updates

* VAULT-15547 More dependency paths

* VAULT-15547 godocs for tests

* VAULT-15547 godocs for tests

* VAULT-15547 test package updates

* VAULT-15547 test packages

* VAULT-15547 add proxy to test packages

* VAULT-15547 gitignore

* VAULT-15547 address comments

* VAULT-15547 Some typos and small fixes
2023-05-17 09:38:34 -04:00
Jason O'Donnell 202d674682
command/server: add support to write pprof files to the filesystem via SIGUSR2 (#20609)
* core/server: add support to write pprof files to the filesystem via SIGUSR2

* changelog

* Fix filepath join

* Use core logger

* Simplify logic

* Break on error
2023-05-17 09:21:25 -04:00
Daniel Huckins 57e2657c3e
move private function to internal pkg for sharing (#20531)
* move private function to internal pkg for sharing

* rename to mc

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* rename to NewConfig

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-05-15 10:55:28 -04:00
Hamid Ghaf 3553e75335
disable printing flags warning message for the ssh command (#20502)
* disable printing flags warning message for the ssh command

* adding a test

* CL

* add go doc on the test
2023-05-08 16:15:44 +00:00
Victor Rodriguez 2656c020ae
Convert seal.Access struct into a interface (OSS) (#20510)
* Move seal barrier type field from Access to autoSeal struct.

Remove method Access.SetType(), which was only being used by a single test, and
which can use the name option of NewTestSeal() to specify the type.

* Change method signatures of Access to match those of Wrapper.

* Turn seal.Access struct into an interface.

* Tweak Access implementation.

Change `access` struct to have a field of type wrapping.Wrapper, rather than
extending it.

* Add method Seal.GetShamirWrapper().

Add method Seal.GetShamirWrapper() for use by code that need to perform
Shamir-specific operations.
2023-05-04 14:22:30 -04:00
Hamid Ghaf bf96f63649
CLI to take days as a unit of time (#20477)
* CLI to take days as a unit of time

* CL
2023-05-04 08:03:37 -07:00
Anton Averchenkov 11c92e9565
Move TestWalkSecretsTree to the correct file. (#20493) 2023-05-03 18:24:23 +00:00
Anton Averchenkov b4bec9bd30
Improve addPrefixToKVPath helper (#20488) 2023-05-03 17:10:55 +00:00
Anton Averchenkov 8e19338ef5
Add walkSecretsTree helper function (#20464) 2023-05-02 15:23:43 -04:00
Peter Wilson a592e3a023
Fix panic when Vault enters recovery mode, added test (#20418)
* Fix panic when Vault enters recovery mode, added test

* Added changelog
2023-04-28 12:41:19 +00:00
Nick Cabatoff 22b00eba12
Add support for docker testclusters (#20247) 2023-04-24 14:25:50 -04:00
Nick Cabatoff 313957b911
Add tests based on vault binary (#20224)
First steps towards docker-based tests: tests using vault binary in -dev or -dev-three-node modes.
2023-04-24 09:57:37 -04:00
miagilepner 564a7227e4
VAULT-15668: fix windows issues with -dev-tls flag (#20257)
* fix -dev-tls flag on windows

* changelog

* fix only hcl config

* fix import

* fmt
2023-04-21 10:54:38 +02:00
Jason O'Donnell b5822e612b
cli/namespace: add detailed flag to namespace list (#20243)
* cli/namespace: add detailed flag to namespace list

* changelog
2023-04-19 09:31:51 -04:00
Chris Capurso e7c0d5744b
add max_entry_size to sanitized config output (#20044)
* add max_entry_size to sanitized config output

* add changelog entry

* add test parallelism

* add inmem test case

* use named struct fields for TestSysConfigState_Sanitized cases
2023-04-14 09:52:23 -04:00
Violet Hynes a2f457e10c
VAULT-12940 Vault Agent uses Vault Agent specific User-Agent header when issuing requests (#19776)
* VAULT-12940 test for templating user agent

* VAULT-12940 User agent work so far

* VAULT-12940 Vault Agent uses Vault Agent specific User-Agent header when issuing requests

* VAULT-12940 Clean-up and godocs

* VAULT-12940 changelog

* VAULT-12940 Fix test checking headers

* VAULT-12940 Fix test checking headers

* VAULT-12940 Fix test checking headers

* VAULT-12940 Fix test checking headers

* VAULT-12940 copy/paste typos

* VAULT-12940 improve comments, use make(http.Header)

* VAULT-12940 small typos and clean-up
2023-04-03 14:14:47 -04:00
miagilepner de56c728a1
VAULT-13191: OSS changes (#19891)
* add open source changes for reporting

* fix function signature

* add changelog
2023-03-31 15:05:16 +00:00
Karel 7469b0828a
Fix: Optionally reload x509 key-pair from disk on agent auto-auth (#19002)
* Optionally reload x509 key-pair from disk

* Document 'reload' config value

* Added changelog release note
2023-03-22 11:01:58 -04:00
Daniel Huckins 058710d33d
Add `-mount` flag to kv list command (#19378)
* add flag

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* handle kv paths

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* scaffold test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* need metadata for list paths

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add (broken) test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* fix test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update docs

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add changelog

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* format

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add godoc

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test case for mount only

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* handle case of no unnamed arg

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add non-mount behavior

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add more detail to comment

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add v1 tests

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-03-20 16:26:21 -04:00