Commit graph

510 commits

Author SHA1 Message Date
hghaf099 b472d7ed3f
CLI request when namespace is in argument and part of the path (#12720)
* CLI makes request to incorrect URL when namespace is both provided as argument and part of the path
fixes #12675

* adding change log

* removing a switch and addressing a possibility of out of bound index
2021-10-21 22:35:13 -04:00
Jordan Reimer 16be98fa1c UI Conditionally Copy Tooltips (#12890)
* adds conditional tooltip copying to InfoTableRow component

* adds changelog entry
2021-10-21 09:26:56 -06:00
Nick Cabatoff d66fd98d4a
Add support for go-sockaddr templated addresses in config. (#9109) 2021-10-21 10:10:48 -04:00
claire bontempo 1898e6c301
UI/Remove spinner after token renew (#12887)
* fixes loading spinner

* adds changelog
2021-10-21 09:05:45 -05:00
Nick Cabatoff ff74f49047
Move to go 1.17 (#12868)
Also ensure that the go 1.17 breaking changes to net.ParseCIDR don't make us choke on stored CIDRs that were acceptable to older Go versions.
2021-10-21 09:32:03 -04:00
Scott Miller 9f62768cc7
Diagnose partial/missing telemetry configuration (#12802)
* Diagnose partial/missing telemetry configuration

* changelog

* fixup

* not sure which component?
2021-10-20 16:47:59 -05:00
vinay-gopalan 4834bb854c
[VAULT-3008] Update RabbitMQ dependency and fix regression in UserInfo.Tags in v3.9 (#12877) 2021-10-20 09:46:37 -07:00
Dave Du Cros ceac6e913d
operator generate-root -decode: allow token from stdin (#12881)
* operator generate-root -decode: allow token from stdin

Allow passing "-" as the value for -decode, causing the encoded token to
be read from stdin. This is intended to prevent leaking the encoded
token + otp into process logs in enterprise environments.

* add changelog entry for PR12881

* add check/test for empty decode value passed via stdin
2021-10-20 12:29:17 -04:00
Austin Gebauer c797ed1b5c
Updates vault-plugin-auth-jwt to v0.11.0 (#12876) 2021-10-19 15:22:52 -07:00
Philipp Hossner 824f097a7d
Let allowed_users template mix templated and non-templated parts (#10886)
* Let allowed_users template mix templated and non-templated parts (#10388)

* Add documentation

* Change test function names

* Add documentation

* Add changelog entry
2021-10-19 15:00:15 -07:00
vinay-gopalan 1eb73d9ef4
[VAULT-3379] Add support for contained DBs in MSSQL root rotation and lease revocation (#12839) 2021-10-19 14:11:47 -07:00
Vishal Nayak 6eead9f09b
Fix entity alias deletion (#12834)
* Fix entity alias deletion

* Fix tests

* Add CL
2021-10-19 15:05:06 -04:00
ludewigh 0b95a394d4
Fix auth/aws so that config/rotate-root saves new key pair to vault (#12715)
* test:  add test to verify Vault storage is updated

* bug: fix config/rotate-root to store new key

* choir: fix changelog name to match PR
2021-10-19 10:26:47 -04:00
Theron Voran ae79afdd26
agent: Use an in-process listener with cache (#12762)
Uses a bufconn listener between consul-template and vault-agent when
caching is enabled and either templates or a listener is defined. This
means no listeners need to be defined in vault-agent for just
templating. Always routes consul-template through the vault-agent
cache (instead of only when persistent cache is enabled).

Uses a local transportDialer interface in config.Cache{}. 

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2021-10-15 17:22:19 -07:00
Steven Clark 3428de017a
Forbid ssh key signing with specified extensions when role allowed_extensions is not set (#12847)
* Forbid ssh key signing with specified extensions when role allowed_extensions is not set

 - This is a behaviour change on how we process the allowed_extensions role
   parameter when it does not contain a value. The previous handling allowed
   a client to override and specify any extension they requested.
 - We now require a role to explicitly set this behaviour by setting the parameter
   to a '*' value which matches the behaviour of other keys such as allowed_users
   within the role.
 - No migration of existing roles is provided either, so operators if they truly
   want this behaviour will need to update existing roles appropriately.
2021-10-15 17:55:18 -04:00
saltperfect 66369469d9
Removed unpublished:true for sys/internal/* endpoints (#12713)
* removed unpublished:true for sys/internal/* endpoints

* added changelog file

* updated change log and added placeholder summary as these endpoints are not mentioned in docs.

* added documentation for internal/ui/namspaces and resultant-acl

* updated log configs
2021-10-15 14:50:14 -04:00
claire bontempo 529e3c4073
UI/remove empty rows from DB config pages (#12819)
* adds helper so only rows with values display

* adds changelog

* add argument to is-empty-value helper to check for default

* adds test to helper for added named argument
2021-10-14 13:14:33 -07:00
Ben Ash 0b095588c6
api.Client: support isolated read-after-write (#12814)
- add new configuration option, ReadYourWrites, which enables a Client
  to provide cluster replication states to every request. A curated set
  of cluster replication states are stored in the replicationStateStore,
  and is shared across clones.
2021-10-14 14:51:31 -04:00
Pratyoy Mukhopadhyay 148109b8ed
[VAULT-3252] Disallow alias creation if entity/accessor combination exists (#12747)
* Disallow alias creation if entity/accessor combination exists

* Add changelog

* Address review comments

* Add handling to aliasUpdate, some field renaming

* Update tests to work under new entity-alias constraint

* Add check to entity merge, other review fixes

* Log duplicated accessors only once

* Fix flaky test

* Add note about new constraint to docs

* Update entity merge warn log
2021-10-14 09:52:07 -07:00
Hridoy Roy 1c427d3286
Port: add client ID to TWEs in activity log [vault-3136] (#12820)
* port for tracking twes as clients

* comment clean up

* changelog

* change changelog entry phrasing
2021-10-14 09:10:59 -07:00
Chelsea Shaw 1f6329b1c2
UI/OIDC provider (#12800)
* Add new route w/ controller oidc-provider

* oidc-provider controller has params, template has success message (temporary), model requests correct endpoint

* Move oidc-provider route to under identity

* Do not redirect after poll if on oidc-provider page

* WIP provider -- beforeModel handles prompt, logout, redirect

* Auth service fetch method rejects with fetch response if status >= 300

* New component OidcConsentBlock

* Fix redirect to/from auth with cluster name, show error and consent form if applicable

* Show error and consent form on template

* Add component test, update docs

* Test for oidc-consent-block component

* Add changelog

* fix tests

* Add authorize to end of router path

* Remove unused tests

* Update changelog with feature name

* Add descriptions for OidcConsentBlock component

* glimmerize token-expire-warning and don't override yield if on oidc-provider route

* remove text on token-expire-warning

* Fix null transition.to on cluster redirect

* Hide nav links if oidc-provider route
2021-10-13 15:04:39 -05:00
Chris Capurso bbb4ab4a41
Add HTTP PATCH support to KV (#12687)
* handle HTTP PATCH requests as logical.PatchOperation

* update go.mod, go.sum

* a nil response for logical.PatchOperation should result in 404

* respond with 415 for incorrect MIME type in PATCH Content-Type header

* add abstraction to handle PatchOperation requests

* add ACLs for patch

* Adding JSON Merge support to the API client

* add HTTP PATCH tests to check high level response logic

* add permission-based 'kv patch' tests in prep to add HTTP PATCH

* adding more 'kv patch' CLI command tests

* fix TestHandler_Patch_NotFound

* Fix TestKvPatchCommand_StdinValue

* add audit log test for HTTP PATCH

* patch CLI changes

* add patch CLI tests

* change JSONMergePatch func to accept a ctx

* fix TestKVPatchCommand_RWMethodNotExists and TestKVPatchCommand_RWMethodSucceeds to specify -method flag

* go fmt

* add a test to verify patching works by default with the root token

* add changelog entry

* get vault-plugin-secrets-kv@add-patch-support

* PR feedback

* reorder some imports; go fmt

* add doc comment for HandlePatchOperation

* add json-patch@v5.5.0 to go.mod

* remove unnecessary cancelFunc for WriteBytes

* remove default for -method

* use stable version of json-patch; go mod tidy

* more PR feedback

* temp go get vault-plugin-secrets-kv@master until official release

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2021-10-13 15:24:31 -04:00
John-Michael Faircloth 2abf916ddb
Add support to parameterize unauthenticated paths (#12668)
* store unauthenticated path wildcards in map

* working unauthenticated paths with basic unit tests

* refactor wildcard logic

* add parseUnauthenticatedPaths unit tests

* use parseUnauthenticatedPaths when reloading backend

* add more wildcard test cases

* update special paths doc; add changelog

* remove buggy prefix check; add test cases

* prevent false positives for prefix matches

If we ever encounter a mismatched segment, break and set a flag to
prevent false positives for prefix matches.

If it is a match we need to do a prefix check. But we should not return
unless HasPrefix also evaluates to true. Otherwise we should let the for
loop continue to check other possibilities and only return false once
all wildcard paths have been evaluated.

* refactor switch and add more test cases

* remove comment leftover from debug session

* add more wildcard path validation and test cases

* update changelong; feature -> improvement

* simplify wildcard segment matching logic

* refactor wildcard matching into func

* fix glob matching, add more wildcard validation, refactor

* refactor common wildcard errors to func

* move doc comment to logical.Paths

* optimize wildcard paths storage with pre-split slices

* fix comment typo

* fix test case after changing wildcard paths storage type

* move prefix check to parseUnauthenticatedPaths

* tweak regex, remove unneeded array copy, refactor

* add test case around wildcard and glob matching
2021-10-13 11:51:20 -05:00
hghaf099 ad2ef412cc
Customizing HTTP headers in the config file (#12485)
* Customizing HTTP headers in the config file

* Add changelog, fix bad imports

* fixing some bugs

* fixing interaction of custom headers and /ui

* Defining a member in core to set custom response headers

* missing additional file

* Some refactoring

* Adding automated tests for the feature

* Changing some error messages based on some recommendations

* Incorporating custom response headers struct into the request context

* removing some unused references

* fixing a test

* changing some error messages, removing a default header value from /ui

* fixing a test

* wrapping ResponseWriter to set the custom headers

* adding a new test

* some cleanup

* removing some extra lines

* Addressing comments

* fixing some agent tests

* skipping custom headers from agent listener config,
removing two of the default headers as they cause issues with Vault in UI mode
Adding X-Content-Type-Options to the ui default headers
Let Content-Type be set as before

* Removing default custom headers, and renaming some function varibles

* some refacotring

* Refactoring and addressing comments

* removing a function and fixing comments
2021-10-13 11:06:33 -04:00
Matt Greenfield 0b3eea4441
Dedup from_entity_ids when merging two entities (#10101)
Fixes #10100
2021-10-12 15:35:19 -04:00
John-Michael Faircloth f30c3ac621
Filter identity token keys (#12780)
* filter identity token keys

* Update test cases to associate keys with roles

* use getOIDCRole helper

* add func comment and test assertion

* add changelog

* remove unnecessary code

* build list of keys to return by starting with a list of roles

* move comment

* update changelog
2021-10-12 11:14:03 -05:00
claire bontempo 3501507557
UI/Serialize DB Connection Attributes (#12770)
* creates serializer and moves available plugin types constant to util

* adds if block catch if no plugin_type, renames util file

* updates imports

* adds changelog

* fixes rendering of default attrs

* checks that plugin exists
2021-10-11 16:42:11 -07:00
Arnav Palnitkar d161bfe1a6
Added support for Oracle db connection (#12752)
* Added support for Oracle db connection

* Added changelog

* Fixed test

* Added test for role setting

* Skip full acceptance test in case of oracle db

* Fix db role test

* Update changelog

* Fix db role fields after rebase

* Added missing test
2021-10-11 09:20:23 -07:00
Rémi Lapeyre 308806eee3
Return 404 response when looking for a secret_id_accessor that does not exist (#12788)
* Return 404 response when looking for an secret_id_accessor that does not exist

Closes https://github.com/hashicorp/vault/issues/12660
2021-10-11 15:07:51 +01:00
Tom Proctor 0180ba2984
agent: tolerate partial restore failure from persistent cache (#12718)
* agent: tolerate partial restore failure from persistent cache

* Review comments: improved consistency, test robustness, comments, assertions
2021-10-08 11:30:04 +01:00
claire bontempo 4b709e8b3b
UI/Add Elasticsearch DB (#12672)
* displays empty state if database is not supported in the UI

* adds elasticsearch db plugin

* adds changelog

* updates elasticsearch attrs

* move tls_server_name to pluginConfig group

* move role setting fields to util

* updates comments and refactors using util function

* adds tests for elasticsearch

* fixes indentation

* when local host needs https

* adds line at bottom of hbs file
2021-10-07 14:00:42 -07:00
Tim Peoples 17eb29f1d3
Update plugin proto to send tls.ConnectionState (Op.2) (#12581) 2021-10-07 08:06:09 -04:00
vinay-gopalan 458927c2ed
[VAULT-3157] Move mergeStates utils from Agent to api module (#12731)
* move merge and compare states to vault core

* move MergeState, CompareStates and ParseRequiredStates to api package

* fix merge state reference in API Proxy

* move mergeStates test to api package

* add changelog

* ghost commit to trigger CI

* rename CompareStates to CompareReplicationStates

* rename MergeStates and make compareStates and parseStates private methods

* improved error messaging in parseReplicationState

* export ParseReplicationState for enterprise files
2021-10-06 10:57:06 -07:00
Michael Boulding 79662d0842
Patch to support VAULT_HTTP_PROXY variable (#12582)
* patch to support VAULT_HTTP_PROXY variable

* simplify the proxy replacement

* internal code review

* rename to VAULT_HTTP_PROXY, apply within ReadEnvironment

* clean up some unintended whitespace changes

* add docs for the new env variable and a changelog entry

Co-authored-by: Dave Du Cros <davidducros@gmail.com>
2021-10-06 09:40:31 -07:00
Anner J. Bonilla 8c29f49e1a
Add support for ed25519 (#11780)
* update azure instructions

Update instructions in regards to azure AD Authentication and OIDC

* Initial pass of ed25519

* Fix typos on marshal function

* test wip

* typo

* fix tests

* missef changelog

* fix mismatch between signature and algo

* added test coverage for ed25519

* remove pkcs1 since does not exist for ed25519

* add ed25519 support to getsigner

* pull request feedback

Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>

* typo on key

Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>

* cast mistake

Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2021-10-05 11:28:49 -04:00
claire bontempo 42ae96ed1c
UI/ PKI UI Redesign (#12541)
* installs node-forge

* correctly displays and formats cert metadata

* removes labels

* uses helper in hbs file

* adds named arg to helper

* pki-ca-cert displays common name, issue & expiry date

* alphabetizes some attrs

* adds test for date helper
2021-10-04 14:31:36 -07:00
Scott Miller b84100d4a0
Upgrade go-kms-wrapping to pickup oci-go-sdk update (#12724)
* Upgrade go-kms-wrapping to pickup oci-go-sdk update

* changelog
2021-10-04 16:21:38 -05:00
Steven Clark fa57ba0ccf
Fix 1.8 regression preventing email addresses being used as common name within pki certificates (#12336) (#12716)
* Fix 1.8 regression preventing email addresses being used as common name within pki certs (#12336)

* Add changelog
2021-10-04 14:02:47 -04:00
hghaf099 a3796997d9
Fix a Deadlock on HA leadership transfer (#12691)
* Fix a Deadlock on HA leadership transfer when standby
was actively forwarding a request
fixes GH #12601

* adding the changelog
2021-10-04 13:55:15 -04:00
Chelsea Shaw c84bdbf1f6
Auth method role edit form should be valid by default (#12646)
* isFormInvalid should be false by default and update on keyup

* Add changelog
2021-10-04 11:53:24 -06:00
Ian Ferguson afb501a0d4
Upgrade pq to fix connection failure cleanup bug (v1.8.0 => v1.10.3) (#12413)
* Upgrade pq to fix connection failure cleanup bug (v1.8.0 => v1.10.3)

* Run go mod tidy after `go get -u github.com/lib/pq`

* include changelog/12413.txt
2021-10-01 14:35:51 -07:00
Matt Greenfield 8577602395
Fix entity group associations (#10085)
- When two entities are merged, remove the from entity ID in any
  associated groups.
- When two entities are merged, also merge their associated group
  memberships.

Fixes #10084
2021-10-01 10:22:52 -04:00
Ben Ash dda2c1ed88
upgrade vault-plugin-auth-kubernetes (#12688)
* fix: upgrade vault-plugin-auth-kubernetes

-  on alias look ahead, validate JWT token against the role's configuration
2021-09-30 14:25:09 -04:00
vinay-gopalan 447fdf624a
Upgrade awsutil package version to 0.1.5 (#12621)
* upgrade awsutil version to 0.1.5

* add changelog

* update changelog
2021-09-29 14:45:35 -07:00
Chelsea Shaw e77e65d1b3
Docfix: "Fix" is not a valid release-note type (#12676) 2021-09-29 14:54:58 -06:00
Angel Garbarino 92223b600e
KV search box when no list access to metadata (#12626)
* get credentials card test and setup

* call getcrednetials card and remove path test error

* configuration

* metadata search box

* changelog

* checking if it is noReadAccess

* try removing test

* blah

* a test

* blah

* stuff

* attempting a clean up to solve issue

* Another attempt

* test1

* test2

* test3

* test4

* test5

* test6

* test7

* finally?

* clean up
2021-09-29 14:35:00 -06:00
Tero Saarni 944332d12d
Update Go client libraries for etcd (#11980)
* Update Go client libraries for etcd

* Added etcd server container to run etcd3 tests automatically.

* Removed etcd2 test case: it fails the backend tests but the failure is
  unrelated to the uplift.  The etcd2 backend implementation does not
  remove empty nested nodes when removing leaf (see comments in #11980).
2021-09-29 14:28:13 -04:00
Michael Golowka bee49a4c49
Update Azure secrets engine to use MS Graph (#12629) 2021-09-29 11:28:13 -06:00
Angel Garbarino 1d18b0a7fa
UI/kv creation time (#12663)
* add created time for secret version view

* complete functionality

* test coverage

* changelog

* version per list item

* clean up
2021-09-28 13:15:43 -06:00
divyapola5 2a194a0804
Add missing read unlock calls in transit backend code (#12652)
* Add missing read unlock calls in transit backend code

* Correct formatting in changelog entry
2021-09-28 11:59:30 -05:00
claire bontempo 2081bf1357
UI/bar chart updates (#12622)
* testing bar chart changeS

* Added namespace search to client count

- Used existing search select component for namespace search

* Added changelog

* Added download csv component

- generate namespaces data in csv format
- Show root in top 10 namespaces
- Changed active direct tokens to non-entity tokens

* Added test for checking graph render

* Added documentation for the download csv component

* correctly updates chart when data changes

* Cleaned up template and tooltip

* Added changelog

* updates label tooltip and regroups dom elements

Co-authored-by: Arnav Palnitkar <arnav@hashicorp.com>
2021-09-27 13:48:44 -07:00
Ben Ash b48debda2b
fix: upgrade vault-plugin-auth-kubernetes (#12633)
* fix: upgrade vault-plugin-auth-kubernetes

- brings in the alias_name_source feature which allows for setting
  alternate alias names based on the service accounts's namespace and
  name
- document the seurity related aspects for the feature addition above.
2021-09-27 13:10:55 -04:00
Calvin Leung Huang 7ad62f5be4
core: set namespace within GeneratePasswordFromPolicy (#12635)
* core: set namespace from the sysview's mount entry on GeneratePasswordFromPolicy

* test: update TestDynamicSystemView to be ns-aware, update tests

* add changelog entry
2021-09-27 09:08:07 -07:00
Arnav Palnitkar 4f19fd1624
Added namespace search to client count (#12577)
* Added namespace search to client count

- Used existing search select component for namespace search

* Added changelog

* Added download csv component

- generate namespaces data in csv format
- Show root in top 10 namespaces
- Changed active direct tokens to non-entity tokens

* Added test for checking graph render

* Added documentation for the download csv component
2021-09-22 12:50:59 -07:00
Hridoy Roy dbd178250e
Port: Premature Rotation For autorotate (#12563)
* port of ldap fix for early cred rotation

* some more porting

* another couple lines to port

* final commits before report

* remove deadlock

* needs testing

* updates

* Sync with OpenLDAP PR

* Update the update error handling for items not found in the queue

* WIP unit tests
* Need to configure DB mount correctly, with db type mockv5
* Need to find a way to inject errors into that mock db

* throw error on role creation failure

* do not swallow error on role creation

* comment out wip tests and add in a test for disallowed role

* Use newly generated password in WAL

Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>

* return err on popFromRotationQueueByKey error; cleanup on setStaticAccount

* test: fix TestPlugin_lifecycle

* Uncomment and fix unit tests
* Use mock database plugin to inject errors
* Tidy test code to rely less on code internals where possible
* Some stronger test assertions

* Undo logging updates

* Add changelog

* Remove ticker and background threads from WAL tests

* Keep pre-existing API behaviour of allowing update static role to act as a create

* Switch test back to update operation

* Revert my revert, and fix some test bugs

* Fix TestBackend_StaticRole_LockRegression

* clean up defer on TestPlugin_lifecycle

* unwrap reqs on cleanup

* setStaticAccount: don't hold a write lock

* TestStoredWALsCorrectlyProcessed: set replication state to unknown

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2021-09-21 17:45:04 -07:00
Calvin Leung Huang 992b8089a2
dep: update vault-plugin-secrets-openldap to latest (#12600)
* dep: update vault-plugin-secrets-openldap to v0.5.2

* add changelog entry

* dep: update to use the plugin's master branch
2021-09-21 15:30:19 -07:00
Pratyoy Mukhopadhyay 8e6698fb4a
[VAULT-3519] Return no_default_policy on token role read (#12565)
* [VAULT-3519] Return no_default_policy on token role read if set

* [VAULT-3519] Add changelog

* [VAULT-3519] Always return token_no_default_policy on role read

* Fix broken test

* Update role read response in docs
2021-09-21 09:53:08 -07:00
Tiernan a538936367
Allow globbing dis/allowed_policies_glob in token roles (#7277)
* Add allowed_policies_glob and disallowed_policies_glob that are the same as allowed_policies and disallowed_policies but allow glob matching.

* Update changelog, docs, tests, and comments for (dis)allowed_token_glob token role feature.

* Improve docs and unit tests for auth/token role policy globbing.
2021-09-21 08:25:06 -07:00
Nick Cabatoff 2bd95232cf
Fail alias rename if the resulting (name,accessor) exists already (#12473) 2021-09-21 08:19:44 -04:00
akshya96 c643dc1d53
Add Custom metadata field to alias (#12502)
* adding changes

* removing q.Q

* removing empty lines

* testing

* checking tests

* fixing tests

* adding changes

* added requested changes

* added requested changes

* added policy templating changes and fixed tests

* adding proto changes

* making changes

* adding unit tests

* using suggested function
2021-09-17 11:03:47 -07:00
Tero Saarni 105786cc27
Update github.com/ulikunitz/xz (#12253)
* Update github.com/ulikunitz/xz

* Bump xz which is transitive dependency of github.com/mholt/archiver.
  Fixes known security vulnerability GHSA-25xm-hr59-7c27.

* Update github.com/ulikunitz/xz

* Added security advisory ID to changelog.
2021-09-17 09:48:38 -07:00
Arnav Palnitkar 35c188fba7
Client count updates (#12554)
* Client count updates

- Added Current month tab which leverages partial monthly activity api
- Refactored Vault usage to Monthly history
- New client count history component based on StatText and BarChart component
- Restrict bar chart to showcase only top 10 namespaces
- Removed config route, as config and history component will be rendered based on query param
- Updated all metrics reference to clients
- Removed old tests and added integration test for current month

* Fixed navbar permission

- Added changelog

* Updated the model for current month data

* Fixed current month tests

* Fixed indentation and chart label
2021-09-16 15:28:03 -07:00
Michael Ward c15ac1053f
Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation. (#12425)
* Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation.

* Add changelog.

* Minor updates as suggested.

* Adding external test for wrapped accessor.

* Add check that mounttype is approle.

* Update changelog text to use improvement
2021-09-16 10:47:49 -07:00
Scott Miller 241a78a2f2
Use the system rand reader for SSH keypair generation (#12560)
* Use the system rand reader for SSH keypair generation

* changelog
2021-09-15 11:59:28 -05:00
Scott Miller 33d7dc5fb4
Use the system rand reader for CA root and intermediate generation (#12559)
* Use the system rand reader for CA root and intermediate generation

* changelog
2021-09-15 11:59:12 -05:00
Angel Garbarino 12b1dc0069
Bug fix: allow forward slash in paths for delete menu (#12550)
* fix bug and add test coverage

* changelog
2021-09-14 12:30:01 -06:00
Scott Miller 6f18a9b6be
Allow signing self issued certs with a different public key algorithm. (#12514)
* WIP: Unset the certificate's SignatureAlgorithm to allown cross-signing of different key types

* Allow signing self issued certs with a different public key algorithm

* Remove cruft

* Remove stale import

* changelog

* eliminate errwrap

* Add a test to cover the lack of opt-in flag

* Better comment

Co-authored-by: catsby <clint@ctshryock.com>
2021-09-14 10:07:27 -05:00
divyapola5 30563097ea
Enforce minimum cache size for transit backend (#12418)
* Enforce Minimum cache size for transit backend

* enfore minimum cache size and log a warning during backend construction

* Update documentation for transit backend cache configuration

* Added changelog

* Addressed review feedback and added unit test

* Modify code in pathCacheConfigWrite to make use of the updated cache size

* Updated code to refresh cache size on transit backend without restart

* Update code to acquire read and write locks appropriately
2021-09-13 16:44:56 -05:00
Theron Voran ae0bda77b3
vault-agent: copy values retrieved from bolt (#12534)
Byte slices returned from Bolt are only valid during a transaction, so
this makes a copy.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2021-09-13 11:06:08 -07:00
jhart-cpi fa1611f427
improvement: add signature_bits field to CA and signers (#11245)
This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs.  This is a
potentially useful stepping stone for a SHA3 transition down the line.

Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
2021-09-10 14:39:05 -07:00
Jacob Burroughs 65029f8c8f
Fix pkcs7 parsing in some cases (#12519)
* Fix pkcs7 parsing in some cases

brings in https://github.com/mozilla-services/pkcs7/pull/61 from upstream

In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```

This fixes logins on those instances.  Note we could not readily ascertain why
some instances have those certificates and others don't.

* Add changelog entry

* Correct missed line
2021-09-10 12:17:03 -04:00
John-Michael Faircloth c42bbb369c
Identity: prepublish jwt signing keys (#12414)
* pre-publish new signing keys for `rotation_period` of time before using

* Work In Progress: Prepublish JWKS and even cache control

* remove comments

* use math/rand instead of math/big

* update tests

* remove debug comment

* refactor cache control logic into func

* don't set expiry when create/update key

* update cachecontrol name in oidccache for test

* fix bug in periodicfunc test case

* add changelog

* remove confusing comment

* add logging and comments

* update change log from bug to improvement

Co-authored-by: Ian Ferguson <ian.ferguson@datadoghq.com>
2021-09-09 13:47:42 -05:00
Theron Voran 48e0c3fde7
dep: update consul-template to v0.27.0 (#12505) 2021-09-09 09:12:42 -07:00
John-Michael Faircloth 0d04a9892a
identity: enforce key param and key existence on role creation (#12208)
* identity: handle creation of role without a key parameter

* update docs to not require key parameter for creation of a role

* add changelog

* require key param when creating a role

* lock create/update role; remove now redundant key check

* update changelog and UTs

* update change log to refelct actual implementation

* remove deprecated test case
2021-09-08 10:46:58 -05:00
claire bontempo c9eb55cc16
UI/bar chart horizontal (#12437)
* creates bar chart component

* WIP//starts styling

* fixes width of bars

* WIP//barchart

* uses d3 max method instead of Math.max

* stacks data

* adds y axis

* fixes styling and spacing

* adds spacing between bars

* styling DONE

* adds legend

* adds tooltip

* tweaks styling adds pointer cursor to rects

* fixes tooltip placement

* moves starget from bar to whole area

* finishes hover selection styling

* cleans up

* cleans up a tiny bit

* stopping point

* adjusts tooltip placemnt

* WIP//clean up time

* sort of not broken

* unbroken, ish

* tooltip position fixed

* truncates text and adds tooltip

* changes tooltip width depending on content

* unbroken

* finishes initial refactor/cleanup

* finishes documentation

* passes in map legend to component

* more tidying

* add export option

* adds grid to header for export button option

* updates comments

* fix variable name change

* moves dataset formatting to parent

* removes unused code"

* adds assertions and empty state if no data

* cleans up comments adds assertion to check for map legend

* adds storybook

* adds changelog

* deletes dummy parent:

* restores index.hbs

* uses scss variables instead

* exchanges more variables

* remove unused variable in storybook

* writes basic test

* removes pauseTest()
2021-09-07 12:54:33 -07:00
Daniel Kimsey b4b61efc75
Auto-join support for IPv6 discovery (#12366)
* Auto-join support for IPv6 discovery

The go-discover library returns IP addresses and not URLs. It just so
happens net.URL parses "127.0.0.1", which isn't a valid URL.

Instead, we construct the URL ourselves. Being careful to check if it's
an ipv6 address and making sure it's in explicit form if so.

Fixes #12323

* feedback: addrs & ipv6 test

Rename addrs to clusterIPs to improve clarity and intent

Tighten up our IPv6 address detection to be more correct and to ensure
it's actually in implicit form
2021-09-07 11:55:07 -07:00
Tero Saarni 30ca69f16a
Update github.com/gogo/protobuf (#12255)
* Update github.com/gogo/protobuf

* Fixes #12254 (CVE-2021-3121)

* Update github.com/gogo/protobuf

* Added changelog

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

* go mod tidy
2021-09-07 11:40:14 -07:00
John-Michael Faircloth 2cca67c96f
update couchbase plugin version (#12483)
* update couchbase plugin version

* add changelog

* go get main branch and go mod tidy
2021-09-07 11:48:10 -05:00
akshya96 f4bd14ed3f
Vault 2823 cc namespace (#12393)
* vault-2823 adding changes

* VAULT-2823 adding alias

* Vault-2823 addressing comments

* Vault-2823 removing comments

* Vault-2823 removing comments

* vault-2823 removing q debug

* adding changelog

* Vault-2823 updating external test

* adding approved changes

* fixing returns

* fixing returns
2021-09-07 09:16:12 -07:00
Nick Cabatoff 45a83d8e0f
Add code to api.RaftSnapshot to detect incomplete snapshots (#12388) 2021-09-07 11:16:37 -04:00
Blake Hitchcock cf15a60a87
Send x-forwarded-for in Okta Push Factor request (#12320)
* Send x-forwarded-for in Okta Push Factor request

Why:

In order for Okta to properly report the location of the authentication
attempt, the X-Forwarded-For header must be included in the request to
Okta (if it exists).

This change addresses the need by:

* Duplicating the value of X-Forwarded-For if it's passed through to the
  auth backend

* Add changelog entry for 12320
2021-09-03 13:09:11 -07:00
Chelsea Shaw 4f8d490419
UI: Fix missing nav links on namespace login (#12478)
* Override loading behavior which breaks query params passed to API calls

* Only show loading state if transition is not queryparams only

* Add changelog

* Skip loader if testing
2021-09-03 13:46:50 -05:00
Robert Balent e598ae711a
UI: Show day of month instead of day of year in the expiration warning dialog (#11984)
* Show day of month instead of day of year in expiration warning dialog

* Adding changelog
2021-09-02 18:06:55 -04:00
Angel Garbarino c013e4a741
UI add custom metadata to KV2 (#12169)
* initial setup

* form field editType kv is very helpful

* setting up things

* setup two routes for metadata

* routing

* clean up routing

* meh router changes not my favorite but its working

* show metadata

* add controller for backendCrumb mixin

* setting up edit metadata and trimming SecretEditMetadata component

* add edit metadata save functionality

* create new version work

* setup model and formfieldgroups for added config data.

* add config network request to secret-engine

* fix validations on config

* add config rows

* breaking up secret edit

* add validation for metadata on create

* stuff, but broken now on metadata tab

* fix metadata route error

* permissions

* saving small text changes

* permissions

* cleanup

* some test fixes and convert secret create or update to glimmer

* all these changes fix secret create kv test

* remove alert banners per design request

* fix error for array instead of object in jsonEditor

* add changelog

* styling

* turn into glimmer component

* cleanup

* test failure fix

* add delete or

* clean up

* remove all hardcoded for api integration

* add helper and fix create mode on create new version

* address chelseas pr comments

* add jsdocs to helper

* fix test
2021-08-31 09:41:41 -06:00
Austin Gebauer 7f33648443
Removes changelog entry for unreleased feature (#12447) 2021-08-26 18:00:29 -07:00
Arnav Palnitkar 45d1b4708b
Client count config view (#12422)
* Client count config view

- Switched to toggle button from checkbox and updated the design
- Switched to ember octane
- Update ember concurrency dependency

* Fixed integration tests

* Added changelog

* Update switch label on toggle

* Code cleanup

* Fixed test
2021-08-25 14:22:15 -07:00
Pratyoy Mukhopadhyay c379fd43a9
[MAR-3131] Set grace to 0 on non-positive lease duration (#12372)
* [MAR-3131] Set grace to 0 on non-positive lease duration

* [MAR-3131] Add changelog

* [VAULT-3131] Add test for negative lease duration
2021-08-24 19:06:40 -07:00
Josh Black 0291e56e83
bump go to 1.16.7 (#12408) 2021-08-24 09:54:26 -07:00
Angel Garbarino 4031960551
Bug Fix: tab on MaskedInput for GeneratedItems it was clearing the value (#12409)
* fix tab issue

* add test coverage

* changelog

* update documentation

* remove meep:

* documentation
2021-08-24 08:59:37 -06:00
Chris Capurso 3f4a381f1b
Add kv custom key metadata (#12218)
* add custom-metdata flag to "kv metadata put" command

* add kv metadata put command test for custom-metadata flag

* add custom_metadata to kv-v2 api docs

* add custom_metadata to kv-v2 cli docs

* update go.mod

* Add custom metadata limits to docs

* add changelog entry

* update vault-plugin-secrets-kv to @master
2021-08-23 15:49:09 -04:00
Jason O'Donnell 1cf3ff046e
plugin/snowflake: update gosnowflake to v1.6.1 (#12378)
* plugin/snowflake: update gosnowflake to v1.6.1

* changelog

* go mod tidy
2021-08-20 11:52:31 -04:00
Austin Gebauer 437cb74c5a
Updates vault-plugin-secrets-gcp to v0.10.2 (#12379) 2021-08-19 16:33:34 -07:00
Pratyoy Mukhopadhyay 5fda05adee
[VAULT-3226] Use os.rename on windows os (#12377)
* [VAULT-3226] Use os.rename on windows os

* [VAULT-3226] Add changelog
2021-08-19 16:05:53 -07:00
Arnav Palnitkar 47d450a4b1
Handle api explorer routing error (#12354)
* Handle api explorer routing error

- For some reason when routing is done during async process, router transtionTo throws the TransitionAbortedError
- As a fix treat this particular error as success since it doesn't interfere in the routing
- Reference: https://github.com/emberjs/ember-test-helpers/issues/332

* Added changelog
2021-08-19 14:32:02 -07:00
Arnav Palnitkar 0b73135a8c
Fixed overflowing text of flash message container (#12357)
* Fixed overflowing text of flash message container

* Added changelog
2021-08-19 14:27:22 -07:00
Nick Cabatoff 124bc87381
Upgrade snappy to fix panic with identity/packer on Go 1.16+arm64. (#12371) 2021-08-19 15:51:06 -04:00
Nick Cabatoff 72499c3215
Check to make sure context isn't expired before doing a raft operation. (#12162) 2021-08-19 12:03:56 -04:00
Jason O'Donnell b55e1a31fc
creds/aws: Add support for DSA signature verification for EC2 (#12340)
* creds/aws: import pkcs7 verification package

* Add DSA support

* changelog

* Add DSA to correct verify function

* Remove unneeded tests

* Fix backend test

* Update builtin/credential/aws/pkcs7/README.md

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update builtin/credential/aws/path_login.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2021-08-19 09:16:31 -04:00
Calvin Leung Huang 05103627d3
dbplugin: fix error message in DeleteUser (#12351)
* dbplugin: fix error message in DeleteUser

* add changelog
2021-08-18 16:12:40 -07:00
Chelsea Shaw 92739f494f
UI: Allow metrics view without config read (#12348)
* pass default value for defaultSpan on pricing metrics dates component

* Add changelog

* Add test for no config policy
2021-08-18 15:33:39 -05:00
Clint 675e0c1383
Replace go-bindata-assetfs build dependency with native go:embed (#11208)
* copy over the webui

move web_ui to http

remove web ui files, add .gitkeep

updates, messing with gitkeep and ignoring web_ui

update ui scripts

gitkeep

ignore http/web_ui

Remove debugging

remove the jwt reference, that was from something else

restore old jwt plugin

move things around

Revert "move things around"

This reverts commit 2a35121850f5b6b82064ecf78ebee5246601c04f.

Update ui path handling to not need the web_ui name part

add desc

move the http.FS conversion internal to assetFS

update gitignore

remove bindata dep

clean up some comments

remove asset check script that's no longer needed

Update readme

remove more bindata things

restore asset check

update packagespec

update stub

stub the assetFS method and set uiBuiltIn to false for non-ui builds

update packagespec to build ui

* fail if assets aren't found

* tidy up vendor

* go mod tidy

* updating .circleci

* restore tools.go

* re-re-re-run make packages

* re-enable arm64

* Adding change log

* Removing a file

Co-authored-by: hamid ghaf <hamid@hashicorp.com>
2021-08-18 11:05:11 -04:00
Hridoy Roy 2554563268
(OSS Port) Restrict Quota Deletion to Primary Cluster [vault-2399] (#12339)
* oss part of vault 2399

* Update vault/quotas/quotas.go

Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>

* use OSS PR number as changelog entry as indicated by the changelog guide

Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
2021-08-17 15:34:43 -07:00
John-Michael Faircloth 40fd60342a
feature: OIDC provider assignment API (#12198)
* initial commit

* add read and delete operations

* fix bug in delete and add list unit test

* func doc typo fix

* add existence check for assignment

* remove locking on the assignment resource

It is not needed at this time.

* convert Callbacks to Operations

- convert Callbacks to Operations
- add test case for update operations

* remove use of oidcCache

* refactor struct and var names

* harmonize test name conventions

* add changelog and refactor

- add changelog
- be more explicit in the case where we do not recieve a path field

* remove extra period from changelog

* update assignment path

* removed unused name field
2021-08-17 15:55:06 -05:00
Jason O'Donnell 5e86a34e3e
api: return parse errors if any for storage endpoints (#12338)
* logical/list: return parseErr if any

* changelog

* Add parseErr to other API endpoints

* Update 12338.txt
2021-08-17 13:19:39 -04:00
claire bontempo 5c7403e56f
UI/StatText Component (#12295)
* creates stattext component

* creates .scss file

* creates storybook

* fixes typo

* fixes readme

* adds changelog

* finishes tests
2021-08-16 11:55:12 -07:00
akshya96 9defbb47e7
Vault 2176 snapshot config issue (#12317)
* removing redirect line from handler.go

* adding changelog entry

* adding changes
2021-08-16 10:12:00 -07:00
Calvin Leung Huang d0adf67771
dep: update database-couchbase plugin to v0.4.1 (#12301)
* dep: update database-couchbase plugin to v0.4.1

* add CL entry
2021-08-12 11:54:19 -07:00
hghaf099 f885d97774
VAULT-2285 adding capability to accept comma separated entries for au… (#12126)
* VAULT-2285 adding capability to accept comma separated entries for auth enable/tune

* Adding changelog

* Adding logic to detect invalid input parameter for auth enable config

* Updating tune.mdx

* Updating secret enable/tune for comma separated parameters

* Adding further parameter checks for auth/secret tests
Fixing changelog
using builtin type for a switch statement
Fixing a possible panic scenario

* Changing a function name, using deep.Equal instead of what reflect package provides

* Fixing auth/secret enable/tune mdx files

* One more mdx file fix

* Only when users provide a single comma separated string in a curl command, split the entries by commas

* Fixing API docs for auth/mount enable/tune for comma separated entries

* updating docs, removing an unnecessary switch case
2021-08-09 15:37:03 -04:00
vinay-gopalan 23770cc2a7
Update genUsername to cap STS usernames at 32 chars (#12185)
* update genUsername to cap STS usernames at 64 chars

* add changelog

* refactor tests into t.Run block

* patch: remove warningExpected bool and include expected string

* patch: revert sts to cap at 32 chars and add assume_role case in genUsername

* update changelog

* update genUsername to return error if username generated exceeds length limits

* update changelog

* add conditional default username template to provide custom STS usernames

* update changelog

* include test for failing STS length case

* update comments for more clarity
2021-08-09 09:40:47 -07:00
Austin Gebauer 53373f78ed
Updates vault-plugin-auth-jwt to v0.10.1 (#12265) 2021-08-04 13:13:02 -07:00
Calvin Leung Huang 4546318eb7
changelog: remove 12251 entry (#12256) 2021-08-04 11:11:21 -07:00
John-Michael Faircloth 0d94a6530f
identity: allow creating a role with a non-existent key (#12251)
* identity: allow creating a role with a non-existent key

* remove whitespace

* add changelog
2021-08-04 11:01:13 -07:00
Meggie 6a32c01c8a
Updating go version to 1.16.6 for security fix (#12245)
* Updating go version to 1.16.6 for security fix

* Changelog
2021-08-04 11:30:43 -04:00
claire bontempo fe7ce777dc
UI/TTL helperEnabled/DisabledText fix (#12212)
* fixes helperTextDisabled/Enabled
2021-08-03 15:50:49 -07:00
Calvin Leung Huang c35044010e
serviceregistration: add external-source meta value (#12163)
* serviceregistration: add external-source meta value

* add changelog file
2021-08-03 09:31:01 -07:00
Hridoy Roy a3fefdca35
oss part of license diagnose test fix (#12234)
* oss part of license diagnose test fix

* cl
2021-08-02 10:50:49 -07:00
Hridoy Roy 28f33d2384
Fix Diagnose Formatting In Disk Usage Checks (#12229)
* save

* fix diagnose formatting errors

* fix diagnose formatting errors

* change powers

* change powers

* use humanize instead of doing the conversion to mb manually

* cl
2021-08-02 10:06:04 -07:00
hghaf099 90c5b3c1c5
VAULT-1303 when a request to vault fails, show namespace if set (#12196)
* VAULT-1303 when a request to vault fails, show namespace if set

* Adding changelog

* Fix Changelog file name

* Set namespace in ResponseWriter headers if it is set

* Using consts.NamespaceHeaderName instead of the literal string
2021-07-30 12:32:05 -04:00
John-Michael Faircloth 39c744ca4e
identity: do not allow a role's token_ttl to be longer than verification_ttl (#12151)
* do not allow token_ttl to be longer than verification_ttl

* add verification when updating an existing key

When updating a key, ensure any roles referencing the key do not already
have a token_ttl greater than the key's verification_ttl

* add changelog

* remove unneeded UT check and comment

* refactor based on PR comments

- remove make slice in favor of var delcaration
- remove unneeded if check
- validate expiry value during token generation
- update changelog as bug

* refactor get roles referencing target key names logic

* add note about thread safety to helper func

* update func comment

* sort array and refactor func names

* add warning to return response

* remove unnecessary code from unit test

* Update vault/identity_store_oidc.go

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
2021-07-28 20:34:52 -05:00
Nick Cabatoff 6016e86115
Fix vault debug so that captured logs include newlines. (#12175) 2021-07-27 09:15:24 -04:00
Hridoy Roy fff7dc7a40
Diagnose docs + changelog (#12159)
* save

* diagnose docs

* changelog

* changelog formatting
2021-07-26 08:45:12 -07:00
Arnav Palnitkar c71a6b6312
Update node to latest stable version (#12049)
* Update node to latest stable version

- v10 has reached EOL so upgrading node to v14 which is the latest
stable build

* Added changelog

* Resolve merge conflicts
2021-07-22 14:09:12 -07:00
Tor E Hagemann de2ee46525
fix: print consul svc addr in debug log (#12115)
* fix: print consul svc addr in debug log

* fix: add small change log 12115.txt
2021-07-21 13:12:49 -07:00
claire bontempo b05ffa88d5
Improve Secret Empty States (#12084)
* adds conditional to render 'minus plain' icon when key doesn't exist

* shows a hyphen when KV secret doesn't have a key and/or value

* fixes tests
2021-07-21 12:47:52 -07:00
vinay-gopalan 859b60cafc
[VAULT-1969] Add support for custom IAM usernames based on templates (#12066)
* add ability to customize IAM usernames based on templates

* add changelog

* remove unnecessary logs

* patch: add test for readConfig

* patch: add default STS Template

* patch: remove unnecessary if cases

* patch: add regex checks in username test

* patch: update genUsername to return an error instead of warnings

* patch: separate tests for default and custom templates

* patch: return truncate warning from genUsername and trigger a 400 response on errors

* patch: truncate midString to 42 chars in default template

* docs: add new username_template field to aws docs
2021-07-20 09:48:29 -07:00
Chelsea Shaw 4a9669a1bc
UI/database cg read role (#12111)
* Add type param to secret show, handle CG in database role show

* If roleType is passed to credential, only make one creds API call

* Clean up db role adapter and serializer

* url param roleType passed to credentials call

* Role list capabilities check for static and dynamic separately

* Add changelog

* Consistent adapter response for single or double call

* Prioritize dynamic response if control group on role/creds
2021-07-20 11:28:44 -05:00
Ben Ash e899e2adfa
Add ability to optionally clone an api.Client's headers (#12117) 2021-07-19 17:15:31 -04:00
Austin Gebauer f7586e475d
changelog: update feature formatting for gcp and key management secrets (#12120) 2021-07-19 12:16:27 -07:00
Jason O'Donnell afc33ba7aa
Change changelog type for openldap bug fix (#12112) 2021-07-16 16:37:21 -04:00
John-Michael Faircloth 3baff15c9d
mongodbatlas: update changelog for username customization (#12098) 2021-07-15 15:44:03 -05:00
Austin Gebauer d1c090fe63
secrets/database: fixes external plugin reconnect after shutdown for v4 and v5 interface (#12087)
* secrets/database: fixes external plugin shutdown reconnect for v5 interface

* adds changelog entry

* fixes handling of plugin shutdown for password generation on v4 interface
2021-07-15 13:41:04 -07:00
Jason O'Donnell 03788bdba2
secrets/ad: change improvement to feature in changelog (#12095)
* secrets/ad: change improvement to feature in changelog

* Update per feature requirements
2021-07-15 15:55:40 -04:00
vinay-gopalan c20b5f1040
[VAULT-1986] Cap AWS Token TTL based on Default Lease TTL (#12026)
* fix: cap token TTL at login time based on default lease TTL

* add changelog file

* patch: update warning messages to not include 'at login'

* patch: remove default lease capping and test

* update changelog

* patch: revert warning message
2021-07-15 10:05:38 -07:00
Nick Cabatoff f027a1b1ff
Revert #12061 due to failures in TestLogical_RequestSizeLimit (#12093) 2021-07-15 12:55:09 -04:00
Tom Proctor 491c0ca78b
Update kubernetes auth plugin with AliasLookahead fix (#12073) 2021-07-15 14:35:40 +01:00
Angel Garbarino 84da2424a7
Fix KV Version History queryParams on the component LinkedBlock (#12079)
* fix the issue

* add test coverage

* add documentation to link-block

* add changelog

* modify for browserstack
2021-07-14 15:38:55 -06:00
hghaf099 f7635ec1b8
Add namespace in error (#12061)
* hghaf099-VAULT-1303-Adding namespace in error when it is set

* casting ResponseWriter in handleMonitor to logical.NamespaceResponseWriter

* Casting ResponseWriter conditionally for http.Flusher
Adding changelog

* Improving changlog message
2021-07-14 15:55:55 -04:00
Chelsea Shaw 50e5e2f48a
UI: Automatically refresh page on logout (#12035) 2021-07-14 10:01:14 -05:00
Scott Miller ec4b1b69d3
Enable building darwin arm64 for 1.8.x (#11855) (#12071)
* Enable building darwin arm64 for 1.8.x (#11855)

* Changelog

Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
2021-07-14 09:26:37 -05:00
Martin Lee 10f29e0503
base32.DecodeString expects length 8 for the buffer (#11887)
Add padding to the input key to ensure it reaches that length.
2021-07-14 07:38:10 -04:00
Arnav Palnitkar d1cc297cd9
Handle form validation for open api form (#11963)
* Handle form validation for open api form

- Added required validator for all the default fields

* Fixed field group error and adedd comments

* Fixed acceptance tests

* Added changelog

* Fix validation in edit mode

- Handle read only inputs during edit mode

* Minor improvements

* Restrict validation only for userpass
2021-07-13 15:50:27 -07:00
Yong Wen Chua 7ea650bc06
Update Documentation for GCP Static Account (#12027)
* Update API Docs for Static Account

* Update CHANGELOGs

* Update guide

* Clarify IAM

* More refinement

* Fix missing replace of roleset while copy/pasting

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Remove CHANGELOG

* Fix some double ticks

* Apply suggestions from code review

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update examples

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
2021-07-13 09:36:05 -07:00
Chelsea Shaw b1a9e4fe58
UI/control group db cred (#12024) 2021-07-12 12:50:30 -05:00
Chris Capurso 505e3f9a89
[VAULT-2825] Fix erroneous 500 resp for field validation errors (#12042)
* [VAULT-2825] Correctly respond with 400 rather than 500 for field validation errors

* [VAULT-2825] Add changelog entry

* [VAULT-2825] Simplify test assertion
2021-07-12 13:39:28 -04:00
Pratyoy Mukhopadhyay 9b5e89bd34
[VAULT-2776] Add prefix_filter option to Vault (#12025)
* [VAULT-2776] Add prefix_filter support to vault

* [VAULT-2776] Add filter_default config, update docs

* [VAULT-2776] Add changelog file

* [VAULT-2776] Update telemetry tests and error handling

* [VAULT-2776] Add test fixtures, update test

* [VAULT-2776] Update gitignore hcl filter
2021-07-09 14:49:53 -05:00
Nick Cabatoff a3ac49aa05
VAULT-2809: Tweak creation of vault.db file (#12034) 2021-07-09 14:45:50 -04:00
Nick Cabatoff 518944c599
Make the list and kv list commands work with wrapping, e.g. for controlgroups (#12031) 2021-07-09 12:08:58 -04:00
Chris Capurso 349378454a
[VAULT-1836] Support kv-v1 generic mounts for vault.kv.secret.count metric (#12020)
* [VAULT-1836] Support kv-v1 generic mounts for vault.kv.secret.count metric

* [VAULT-1836] Add changelog entry
2021-07-09 11:05:05 -04:00
Austin Gebauer f54338977d
secrets/gcp: update to v0.10.1 for static accounts (#12023) 2021-07-08 13:53:45 -07:00
Jason O'Donnell af51033214
secrets/openldap: add schema config to rotate-root (#12019)
* update go mod & go mod tidy

* Changelog
2021-07-08 13:53:17 -04:00
MilenaHC 3c3b6529fd
Redshift - Add username customization (#12016)
* username customization for redshift

* adding changelog and updating api-docs
2021-07-08 10:29:12 -05:00
claire bontempo 72e3d29abc
Truncate Secret Engine Description Text (#11995)
Co-authored-by: hashishaw <cshaw@hashicorp.com>
2021-07-08 08:21:10 -07:00
claire bontempo 08d117ae5b
Adds transform secrets engine to feature (#12003)
* adds transform secrets engine to features list
2021-07-07 16:14:54 -07:00
Pratyoy Mukhopadhyay adbaad17db
[VAULT-708] Zero out request counter on preSeal (#11970)
* [VAULT-708] Zero out request counter on preSeal

* [VAULT-708] Added changelog entry

* [VAULT-708] Add comment clarifying request counter zeroing
2021-07-07 14:03:39 -05:00
Angel Garbarino 5fe59a685b
Reverting fix on KV 2 for duplicate paths (#12008)
* revert changes

* changelog

* add test coverage for max versions
2021-07-07 11:50:00 -06:00
MilenaHC 4430a11bc5
Update SnowflakeDB plugin to v0.2.0 (#11997)
* update snowflake database plugin to v0.2.0

* add changelog

* update api-docs
2021-07-06 13:23:03 -05:00
Nick Cabatoff a2dcb131ee
vault delete should allow the same output options as vault write,… (#11992)
* `vault delete` and `vault kv delete` should allow the same output options as `vault write`, as delete operations can similarly return data.  This is needed if you want to use control groups with deletion.
2021-07-06 10:36:07 -04:00
John-Michael Faircloth aa6afd50f6
Update mongodb atlas plugin version (#11956)
* Update mongodb atlas plugin version

* go.mod was missing mongodbatlas plugin

* add changelog

* update build-go-dev circle ci job GOPROXY

* Revert "update build-go-dev circle ci job GOPROXY"

This reverts commit 0e6f339c779dac65ecb036735199f72d3d9e6a4a.

* ci: more complete go mod cache

* ci: doc use of go list ./... to populate mod cache

Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>
2021-07-06 08:24:10 -05:00
John-Michael Faircloth 9832517d27
[ldap] auth method fix request_timeout (#11975)
* [ldap] auth method fix request_timeout

* add changelog

* Update sdk/helper/ldaputil/config_test.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update sdk/helper/ldaputil/config_test.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update changelog/11975.txt

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2021-07-01 13:33:01 -05:00
Austin Gebauer b34e24fa64
docs: AWS KMS updates for key management secrets engine (#11958) 2021-06-29 10:31:25 -07:00
MilenaHC 02d45f3a66
Update ElasticSearch DB plugin to v0.8.0 (#11957)
* update elasticsearch database plugin to v0.8.0

* add changelog

* update api-docs
2021-06-29 08:07:00 -05:00
Theron Voran 52f78f1d54
Adding changelog for #11502 (#11944) 2021-06-25 15:41:08 -07:00
Jason O'Donnell b2c9b3c344
plugins/ad: Add rotate-role endpoint (#11942)
* plugins/ad: add rotate-role

* Add doc

* changelog

* Add note about rotate-role in overview
2021-06-25 14:00:03 -04:00
Jason O'Donnell b2b25be0ce
agent/template: add static_secret_render_interval configurable (#11934)
* agent/template: add default_lease_duration config

* go mod tidy

* Add changelog

* Fix panic

* Add documentation

* Change to static_secret_render_interval

* Update doc

* Update command/agent/template/template.go

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update changelog/11934.txt

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2021-06-24 15:40:31 -04:00
mr-miles 9e031b5766
Mongo doesnt allow periods in usernames (#11872)
* mongo doesnt allow periods in usernames

* Update mongodb.mdx

Update template in docs

* Move replace to the end

* Adding a test for dot replacement

* Create 11872.txt
2021-06-24 13:26:31 -04:00
Marc Boudreau 3c35a25d36
Fix for Issue 11863 - Panic when creating/updating approle role with token_type (#11864)
* initializing resp variable with aa *logical.Response before using it to add warning for default-service or default-batch token type.  Also adding guard around code that sets resp to a new logical.Response further on in the function.

* adding changelog entry

* renaming changelog file to match PR number
2021-06-24 13:03:41 -04:00
MilenaHC 5483eba5fc
RabbitMQ - Add username customization (#11899)
* add username customization for rabbitmq

* add changelog for rabbitmq

* Update builtin/logical/rabbitmq/path_config_connection.go

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* updating API docs

* moved to changelog folder

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2021-06-22 14:50:46 -05:00
Nick Cabatoff 9bcb480cb7
Fixes #11914. (#11915) 2021-06-22 12:39:23 -04:00
Angel Garbarino 94e11af37a
UI/cp validations kv duplicate path (#11878)
* setup check when secret-v2 record is populated

* return network request of full paths

* modify/amend test

* remove console log

* fix test

* add changelog

* attempt to fix browserstack test issue

* remove find

* add trim

* another attempt
2021-06-22 10:34:00 -06:00
Calvin Leung Huang c1a2a939f9
agent: restart template runner on retry for unlimited retries (#11775)
* agent: restart template runner on retry for unlimited retries

* template: log error message early

* template: delegate retries back to template if param is set to true

* agent: add and use the new template config stanza

* agent: fix panic, fix existing tests

* changelog: add changelog entry

* agent: add tests for exit_on_retry_failure

* agent: properly check on agent exit cases, add separate tests for missing key vs missing secrets

* agent: add note on difference between missing key vs missing secret

* docs: add docs for template_config

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* docs: fix exit_on_retry_failure, fix Functionality section

* docs: update interaction title

* template: add internal note on behavior for persist case

* docs: update agent, template, and template-config docs

* docs: update agent docs on retry stanza

* Apply suggestions from code review

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

* Update changelog/11775.txt

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* agent/test: rename expectExit to expectExitFromError

* agent/test: add check on early exits on the happy path

* Update website/content/docs/agent/template-config.mdx

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-06-21 16:10:15 -07:00
Brian Kassouf a794a6244f
raft: Set BatchApplyCh for more consistent batch sizes (#11907)
* raft: Set BatchApplyCh for more consistent batch sizes

* Add changelog file
2021-06-21 12:00:41 -07:00
Josh Black 8c069936e9
Add new boltdb options (#11895) 2021-06-21 11:35:40 -07:00
Michael Golowka 7f6a1739a3
Cassandra: Refactor PEM parsing logic (#11861)
* Refactor TLS parsing

The ParsePEMBundle and ParsePKIJSON functions in the certutil package assumes
both a client certificate and a custom CA are specified. Cassandra needs to
allow for either a client certificate, a custom CA, or both. This revamps the
parsing of pem_json and pem_bundle to accomodate for any of these configurations
2021-06-21 11:38:08 -06:00
MilenaHC 545c423f8a
add changelog to influxdb (#11896) 2021-06-18 14:56:41 -05:00
Chelsea Shaw 565871f63c
UI/fix safari oidc login (#11884)
* use window.postMessage instead of localStorage on oidc callback
2021-06-17 15:56:04 -05:00
Angel Garbarino d99742c6c5
Implement ember-cp-validations on KV secret engine (#11785)
* initial setup

* initial validation setup for empty path object.

* removal console logs

* validation on keyup for kv

* in progress

* making some progress

* more progress

* closer

* done with create page now to fix edit page that I broke

* fix secret edit display on create

* test and final touches

* cleanup mountbackendform

* cleanup

* add changelog

* address pr comments

* address styling pr comment
2021-06-15 09:21:54 -06:00
claire bontempo 58a5f17288
Displays Auth Method description on Vault UI login page (#11795)
* Displays Auth Method description on login page

* working on auth login form

* Keeps path name as LinkTo label adds description to paths

* removes commented and unused code

* removes trailing white space

* removes prettier package

* adds test for description

* removes extra white spaces

* adds changelog file
2021-06-14 13:03:49 -07:00
Jason O'Donnell 4cc1402e52
mod: update vault-plugin-secrets-ad@v0.9.1 (#11837)
* mod: update vault-plugin-secrets-ad@v0.9.1

* changelog
2021-06-11 13:40:51 -04:00
Calvin Leung Huang 1239217cd5
dep: update consul-template to v0.26.0 (#11838)
* dep: update consul-template to v0.26.0

* changelog: add a CL entry
2021-06-11 10:29:40 -07:00
Jason O'Donnell 36cc4d8e87
db/cassandra: Adding changelog and documentation (#11822)
* db/cassandra: add tls_server_name

* Remove changes from deprecated engine

* Add changelog and doc
2021-06-10 19:06:40 -04:00
Brian Kassouf b42529dd17
Omit wrapping tokens and control groups from client counts (#11826)
* Omit wrapping tokens and control groups from client counts

* add changelog note
2021-06-10 15:57:51 -07:00
Vishal Nayak c11c771737
Udate to Go 1.16.5 (#11802)
* Udate to Go 1.16.5

* Add CL

* Update packages-oss.yml

* Update go_test.yml
2021-06-09 10:38:52 -04:00
Austin Gebauer cdc56809a2
Updates the JWT/OIDC auth plugin to v0.9.4 (#11784) 2021-06-07 16:02:57 -07:00
Chelsea Shaw 468331fa61
UI/license page with autoload (#11778) 2021-06-07 12:44:39 -05:00
Hridoy Roy 1782b4e880
oss part of control groups upgrade (#11772)
* oss part of control groups upgrade

* changelog and docs

* formatting

* formatting
2021-06-07 09:15:35 -07:00
Chelsea Shaw f9ccd941ad
UI/license banners (#11759) 2021-06-03 15:30:26 -05:00
swayne275 9724f59180
Vault 1979: Query API for Irrevocable Leases (#11607)
* build out lease count (not fully working), start lease list

* build out irrevocable lease list

* bookkeeping

* test irrevocable lease counts for API/CLI

* fix listIrrevocableLeases, test listIrrevocableLeases, cleanup

* test expiration API limit

* namespace tweaks, test force flag on lease list

* integration test leases/count API, plenty of fixes and improvements

* test lease list API, fixes and improvements

* test force flag for irrevocable lease list API

* i guess this wasn't saved on the last refactor...

* fixes and improvements found during my review

* better test error msg

* Update vault/logical_system_paths.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/logical_system_paths.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* return warning with data if more than default leases to list without force flag

* make api doc more generalized

* list leases in general, not by mount point

* change force flag to include_large_results

* sort leases by LeaseID for consistent API response

* switch from bool flag for API limit to string value

* sort first by leaseID, then stable sort by expiration

* move some utils to be in oss and ent

* improve sort efficiency for API response

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-06-02 10:11:30 -06:00
Chelsea Shaw cef14f0236
UI: allow reset on database json fields (#11708) 2021-05-27 16:25:58 -05:00
rerorero 9ebb14bab3
Fix: Transit encrypt batch does not honor key_version (#11628)
* fix(secret/transit): #10232 Transit encrypt batch does not honor key_version

* add changelog for 11628
2021-05-27 14:05:20 -05:00
Calvin Leung Huang 3d94bcade5
changelog: add entry for #11696 (#11715)
* changelog: add entry for #11696

* Update 11696.txt

* Update 11696.txt
2021-05-27 10:57:59 -07:00
Arnav Palnitkar f2552b708b
Update cluster status partial to component (#11680)
* Update cluster status partial to component

* Added changelog

* Close menu when link is clicked

* Upgraded to glimmer components

* Fixed indentations
Added back activeCluster
Updated changelog
2021-05-27 09:52:51 -07:00
Chelsea Shaw 36c8366d5d
UI unseal screen updates (#11705)
* Styling for empty-state and splash-page

* Update shamir-flow language and trigger onError on non-400 error

* Add license terminated screen to unseal

* Add changelog
2021-05-26 13:59:11 -05:00
Angel Garbarino cf511a895b
UI/tools partial (#11672)
* hash tools from partial to component

* initial setup of tools random, but issue remaining with bytes

* rewrap

* unwrap

* final two partials

* fix issues with actions on tool wrap

* fix hash

* changelog

* address pr comments

* fix onClear

* trigger run

* triggering test suite
2021-05-24 10:45:35 -06:00
Vishal Nayak 6ec8cd8f28
Tokenutil: Perform num uses check earlier (#11647)
* Perform num uses check earlier

* Add CL

* Ensure that login works
2021-05-19 14:06:08 -04:00
Angel Garbarino 8f5d62139c
KV 2 Toolbar delete redesign (#11530)
* initial setup, modify toolbar header

* footer buttons setup

* setup first delete version delete method

* clean up

* handle destory all versions

* handle undelete

* conditional for modal and undelete

* remove delete from version area

* modelForData in permissions

* setup for soft delete and modify adpater to allow DELETE in additon to POST

* dropdown for soft delete

* stuck

* handle all soft deletes

* conditional for destroy all versions

* remove old functionality from secret-version-menu

* glimmerize secret-version-menu

* Updated secret version menu and version history

* Updated icons and columns in version history

* create new component

* clean up

* glimmerize secret delete menu

* fix undelete

* Fixed radio labels in version delete menu

* handle v1 delete

* refining

* handle errors with flash messages

* add changelog

* fix test

* add to test

* amend test

* address PR comments

* whoopies

* add urlEncoding

Co-authored-by: Arnav Palnitkar <arnav@hashicorp.com>
2021-05-19 10:43:55 -06:00
Scott Miller 6b8d7fe2e6
Patch expiration fix over from ENT (#11650)
* Patch expiration fix over from ENT

* Rename changelog
2021-05-18 14:55:38 -07:00
Chelsea Shaw 19c5f27434
UI/fix identity model (#11641) 2021-05-17 16:41:39 -05:00
Michael Golowka 10b1ff8f69
AWS Auth: Update error message to include underlying error (#11638) 2021-05-17 13:56:35 -06:00
Ricardo Cardenas d02a20bd2b
feat(aws): add ability to provide a role session name when generating STS credentials (#11345)
* feat(aws): add ability to provide a sessionName to sts credentials

Co-authored-by: Brad Vernon <bvernon@nvidia.com>
Co-authored-by: Jim Kalafut <jim@kalafut.net>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2021-05-17 11:03:09 -07:00
Michael Golowka 056a59859f
Add ability to customize some timeouts in MongoDB database plugin (#11600) 2021-05-17 11:40:35 -06:00