Commit graph

15689 commits

Author SHA1 Message Date
John-Michael Faircloth dd4fb82b5d
unit test: remove postgres dependecy from testing.go (#16675) 2022-08-10 17:01:24 -05:00
Tom Proctor 2d167b3427
Docs: Update Vault CSI Provider SecretProviderClass config options (#16506) 2022-08-10 21:30:20 +01:00
linda9379 5cd1a12178
UI Support for Okta Number Challenge (#15998)
* Imported uuid library for initial commit to push a clean branch.

* Removed import statement in auth-form file since it was causing UI tests to fail as the import was not being used.

* Added nonce field to payload for okta sign in. (#16001)

* Added nonce field to payload for okta sign in.

* Added missing yarn package for uuid

* Fixed failing ui tests in cluster-test file to take into account of nonce field in the payload of okta login

* Removed uuid library and used crypto.randomUUID() to generate unique uuid values instead

* Fixed indent in package.json

* Removed uuid library since decided to use crypto.randomUUID() instead to generate unique uuid values

* Create polling function for correct answer in okta number challenge (#16070)

* Implemented polling function to get correct answer for okta number challenge.

* Disabled polling function for testing as it was causing acceptance test to fail in auth-test.js

* Changed API call to be the auth mount path instead of being static and created a variable to store the oktaNumberChallengeAnswer to be used later for the display screens

* Create component for okta number challenge screen (#16195)

* Implemented loading screen and display screen for correct answer for Okta Number Challenge

* Fixed linting issues on hbs files

* Added periods to parameter descriptions and made parameters optional

* Removed optional parameters from calling AuthForm component if authMethod is not Okta

* Implement error handling and screens for okta number challenge (#16276)

* Implemented loading screen and display screen for correct answer for Okta Number Challenge

* Fixed linting issues on hbs files

* Temporary changes to include error screen in okta number challenge

* Created error screen tests and made minor fixes

* Fixed error for wrong parameter name being passed in

* Fixed linting issues causing ui tests to fail

* Added periods at the end of param descriptions

* Imported uuid library for initial commit to push a clean branch.

* Removed import statement in auth-form file since it was causing UI tests to fail as the import was not being used.

* Removed uuid library since decided to use crypto.randomUUID() instead to generate unique uuid values

* Added nonce field to payload for okta sign in. (#16001)

* Added nonce field to payload for okta sign in.

* Added missing yarn package for uuid

* Fixed failing ui tests in cluster-test file to take into account of nonce field in the payload of okta login

* Removed uuid library and used crypto.randomUUID() to generate unique uuid values instead

* Fixed indent in package.json

* Create polling function for correct answer in okta number challenge (#16070)

* Implemented polling function to get correct answer for okta number challenge.

* Disabled polling function for testing as it was causing acceptance test to fail in auth-test.js

* Changed API call to be the auth mount path instead of being static and created a variable to store the oktaNumberChallengeAnswer to be used later for the display screens

* Create component for okta number challenge screen (#16195)

* Implemented loading screen and display screen for correct answer for Okta Number Challenge

* Fixed linting issues on hbs files

* Added periods to parameter descriptions and made parameters optional

* Removed optional parameters from calling AuthForm component if authMethod is not Okta

* Implement error handling and screens for okta number challenge (#16276)

* Implemented loading screen and display screen for correct answer for Okta Number Challenge

* Fixed linting issues on hbs files

* Temporary changes to include error screen in okta number challenge

* Created error screen tests and made minor fixes

* Fixed error for wrong parameter name being passed in

* Fixed linting issues causing ui tests to fail

* Added periods at the end of param descriptions

* UI/vault 7312/fix vault enterprise error for okta number challenge (#16568)

* Fixed bug with okta not working when selecting okta tab after being on other tab

* Fixed vault enterprise errors

* Fixed error when logging in with Okta in 'Other' tab

* Removed namespace parameter in option to use the default

* Added changelog
2022-08-10 15:46:04 -04:00
Michele Degges 5c4b1cc4ac
[CI-only] Use pattern matching for release_branches (#16375)
Pattern matching was [recently added](https://github.com/hashicorp/crt-orchestrator/pull/51) so that teams no longer have to explicitly list every branch that should trigger the CRT pipeline. This simplifies release preparation- anytime a new release branch is created, it will produce releasable artifacts and exercise the full pipeline.
2022-08-10 11:25:10 -07:00
Christopher Swenson c7c9abff32
Update OSS workflow so not all issues get put in the UI board (#16666)
If we don't guard against pull_request being null, we do a lot of extra
checkout and path filtering, and it ends up putting everything in the UI
board.

I tested this in another repo, and it seems to behave correctly.
2022-08-10 08:53:45 -07:00
Violet Hynes 398d51bb3d
VAULT-6818 Docs for entity merge functionality (#16593)
* VAULT-6818 Docs for entity merge functionality

* VAULT-6818 Elaborate more on what happens to non-kept aliases
2022-08-10 09:10:10 -04:00
Violet Hynes 4850a3ff0e
VAULT-6818 - Restrict ability to merge entities with mount-accessor-conflicting aliases unless one is explicitly chosen to be kept (#16539)
* VAULT-6818 delete unmerged entity aliases instead of orphaning them

* VAULT-6818 Prevent merge with clashing aliases, allow for resolution of clashing entity aliases

* VAULT-6818 Small updates

* VAULT-6818 Restrict to only one clash merge at once

* VAULT-6818 changelog

* VAULT-6818 use strutil package instead of slices

* VAULT-6818 Update variable names for clarity

* VAULT-6818 Update test

* VAULT-6818 update error message

* VAULT-6818 Use helper method

* VAULT-6818 validate entityIds

* VAULT-6818 group imports better

* VAULT-6818 use change instead of bug

* VAULT-6818 use multierror instead of custom struct

* VAULT-6818 Use multierror properly

* VAULT-6818 Small refactor based on feedback
2022-08-10 09:10:02 -04:00
claire bontempo a1cef4a72a
UI/ fix tooltip submitting form (#16659)
* fix tooltip submitting form

* add changelog

* add changelog actually
2022-08-09 20:51:29 -07:00
Christopher Swenson 8b1a9da460
Update project auto-triage to use new token (#16660) 2022-08-09 19:29:39 -04:00
Loann Le 6d3cd5249e
modified wording (#16655) 2022-08-09 15:09:49 -07:00
Christopher Swenson 18d336b16c
Add Open Source project workflow (#16653)
Add Open Source project workflow

This will help us triage open source issues into our various internal
project boards.

I tested this on a separate repo, and it seems to work.
2022-08-09 17:52:07 -04:00
Rachel Culpepper c367f883a0
Vault-5626: add key wrapping guide for transit import (#16365)
* add key wrapping guide for transit import

* link to key wrap guide from transit overview

* add new page to nav

* fix formatting

* fix note format

* fix link
2022-08-09 16:14:15 -05:00
Josh Black 005903f1ae
Clarify upgrades post 1.11 (#16650) 2022-08-09 13:57:58 -07:00
Chris Capurso 52d6287d4b
update license FAQ docs with termination changes (#16634)
* update license FAQ docs with termination changes

* change intro statement

* change temp eval license issuance callout

* PR feedback

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-09 11:27:57 -07:00
Chris Capurso 707fcad006
Add custom metadata to namespace API and CLI docs (#16633)
* add custom_metadata to ns api docs

* update ns CLI docs to add custom-metadata flag
2022-08-09 14:10:41 -04:00
Kevin 9365250dfc
fix typo in Discovering the service account issuer (#16641) 2022-08-09 13:27:30 -04:00
Robert 4bbdf61f52
auth/kerberos: update plugin version to v0.7.2 (#16636)
* Update plugin version to v0.7.2
2022-08-09 11:02:41 -05:00
Chris Capurso a0c557f38a
VAULT-7256: Add custom_metadata to namespaces (#16640)
* add mapstructure tags to Namespace struct

* add custom metadata Parse helper

* add ns custom metadata and patch
2022-08-09 11:38:03 -04:00
Austin Gebauer e72b7a8938
identity/oidc: minor fixes to the API documentation (#16638) 2022-08-09 08:09:37 -07:00
Milena Zlaticanin 78e8c135fc
Hana - Add username customization (#16631)
* implement username customization feature

* adding changelog

* update database capabilities doc

* update database capabilities doc

Co-authored-by: Zlaticanin <milena@hashicorp.com>
2022-08-08 16:01:34 -05:00
Alexander Scheel a259978a3d
Add warning when generate_lease=true (#16398)
This option is known to cause problems with large numbers of issued
certificates. Ensure admins are warned about the impact of this field
and encourage them to disable it.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-08 13:26:10 -04:00
Austin Gebauer ed143c5678
identity/oidc: reorder authorization endpoint validation for invalid redirect uris (#16601)
* identity/oidc: reorder authorization endpoint validation for invalid redirect uris

* adds changelog

* use provider.allowedClientID
2022-08-08 09:02:18 -07:00
claire labry 326936b1ef
introduces the post publish website event (#16328) 2022-08-08 16:51:03 +01:00
Austin Gebauer 59831a8d5c
identity/oidc: adds client_secret_post token endpoint authentication method (#16598)
* identity/oidc: adds client_secret_post token endpoint authentication method

* fix test

* adds changelog
2022-08-08 08:41:09 -07:00
Meggie b7365df464
Adding PGX change to release & upgrade notes (#16613)
Also some heading size tidying
2022-08-05 14:57:47 -04:00
Austin Gebauer 67339b71e8
identity/oidc: fixes validation of the request and request_uri parameters (#16600)
* identity/oidc: add request_parameter_supported to discovery document

* adds changelog
2022-08-05 11:55:15 -07:00
Austin Gebauer a2bc8cfb96
identity/oidc: change the state parameter to optional (#16599)
* identity/oidc: change the state parameter to optional

* adds changelog

* update docs
2022-08-05 11:37:24 -07:00
Hridoy Roy a02c02ea68
upgrade raft to 1.3.10 (#16609)
* upgrade raft to 1.3.10

* changelog
2022-08-05 10:27:37 -07:00
David Fleming f08143cec8
Fix Link: OIDC Provider Config - Okta (#16607)
Okta was pointing at /docs/auth/jwt/oidc-providers/kubernetes.  Updated to point at /docs/auth/jwt/oidc-providers/okta
2022-08-05 12:40:03 -04:00
Jason O'Donnell bc93baaaab
auth/kerberos: add remove_instance_name config (#16594)
* auth/kerberos: add remove_instance_name config

* Update website

* Fix doc

* Fix doc

* changelog
2022-08-04 16:38:12 -04:00
Loann Le 85539da102
vault documentation: updated architecture doc page (#16569)
* updated content

* fixed spelling error

* Update website/content/docs/internals/architecture.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/architecture.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/architecture.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/architecture.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/architecture.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* updated content

* italicized barrier

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-08-04 11:29:31 -07:00
Austin Gebauer e2d3846a25
identity/oidc: adds detailed listing capability for clients and providers (#16567)
* identity/oidc: adds detailed listing capability for clients and providers

* change approach to use ListResponseWithInfo

* adds changelog
2022-08-04 10:10:28 -07:00
Chris Capurso 1820b771ce
fix typo in certificate (#16588) 2022-08-04 13:01:34 -04:00
Violet Hynes ac582c86cd
VAULT-7432 Fix flaky expiration behaviour (#16586) 2022-08-04 10:47:14 -04:00
Robert de Bock 4a6218ca45
Update raft.mdx (#16579)
Explicitly explain that the content of a certificate or key is expected, not a path.
2022-08-04 09:56:23 -04:00
Nick Cabatoff 5e504944d7
Document how replication uses cluster addresses. (#16545) 2022-08-04 09:10:23 -04:00
Ikko Ashimine 49bfd3a944
Fix typo in managed-keys.mdx (#16578)
targetting -> targeting
2022-08-04 09:02:13 -04:00
Mike Palmiotto cd1157a905
Vault 7338/fix retry join (#16550)
* storage/raft: Fix cluster init with retry_join

Commit 8db66f4853abce3f432adcf1724b1f237b275415 introduced an error
wherein a join() would return nil (no error) with no information on its
channel if a joining node had been initialized. This was not handled
properly by the caller and resulted in a canceled `retry_join`.

Fix this by handling the `nil` channel respone by treating it as an
error and allowing the existing mechanics to work as intended.

* storage/raft: Improve retry_join go test

* storage/raft: Make VerifyRaftPeers pollable

* storage/raft: Add changelog entry for retry_join fix

* storage/raft: Add description to VerifyRaftPeers
2022-08-03 20:44:57 -05:00
Mike Palmiotto 42900b554b
storage/raft: Make raftInfo atomic (#16565)
* storage/raft: Make raftInfo atomic

This fixes some racy behavior discovered in parallel testing. Change the
core struct member to an atomic and update references throughout.
2022-08-03 18:40:49 -04:00
Eng Zer Jun 61262ad98e
refactor: replace strings.Replace with strings.ReplaceAll (#15392)
strings.ReplaceAll(s, old, new) is a wrapper function for
strings.Replace(s, old, new, -1). But strings.ReplaceAll is more
readable and removes the hardcoded -1.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-08-03 15:22:48 -04:00
FalcoSuessgott f7cb95968e
Add vkv to related tools list (#16285) 2022-08-03 15:18:54 -04:00
Robert 7f8c849b35
Update Consul bootstrap test case to conditionally add token to config (#16560)
* Fix bootstrap test to conditionally add Consul token

* Refactor bootstrap variable name to be more clear
2022-08-03 13:43:43 -05:00
swayne275 4632a26a09
Use %q for quoted strings where appropriate (#15216)
* change '%s' to %q where single vs double quotes shouldn't matter

* replace double quotes with %q in logs and errors
2022-08-03 12:32:45 -06:00
akshya96 fd1f581736
updating changelog for vault-951 (#16558) 2022-08-03 10:39:21 -07:00
Alexander Scheel 8acbf7f480
Add PSS support to PKI Secrets Engine (#16519)
* Add PSS signature support to Vault PKI engine

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use issuer's RevocationSigAlg for CRL signing

We introduce a new parameter on issuers, revocation_signature_algorithm
to control the signature algorithm used during CRL signing. This is
because the SignatureAlgorithm value from the certificate itself is
incorrect for this purpose: a RSA root could sign an ECDSA intermediate
with say, SHA256WithRSA, but when the intermediate goes to sign a CRL,
it must use ECDSAWithSHA256 or equivalent instead of SHA256WithRSA. When
coupled with support for PSS-only keys, allowing the user to set the
signature algorithm value as desired seems like the best approach.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add use_pss, revocation_signature_algorithm docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PSS to signature role issuance test matrix

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow roots to self-identify revocation alg

When using PSS support with a managed key, sometimes the underlying
device will not support PKCS#1v1.5 signatures. This results in CRL
building failing, unless we update the entry's signature algorithm
prior to building the CRL for the new root.

With a RSA-type key and use_pss=true, we use the signature bits value to
decide which hash function to use for PSS support.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add clearer error message on failed import

When CRL building fails during cert/key import, due to PSS failures,
give a better indication to the user that import succeeded its just CRL
building that failed. This tells them the parameter to adjust on the
issuer and warns that CRL building will fail until this is fixed.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add case insensitive SigAlgo matching

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Convert UsePSS back to regular bool

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor PSS->certTemplate into helper function

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Proper string output on rev_sig_alg display

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Copy root's SignatureAlgorithm for CRL building

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-03 12:42:24 -04:00
Kevin Wang d136ba385a
fix(docs): typos (#16555) 2022-08-03 08:58:27 -07:00
Steven Clark fc4c8d8c67
Address test flakiness in TestLogical_AuditPort (#16546)
- Based on group test fixing session from July 29, 2022
 - Leverage the RetryUntil to catch and re-attempt a kv store creation
   if the test receives an error about upgrading the KV store
 - Update the expected audit log entries accordingly along with the
   captured failures if any
 - Fix up a copy/paste error within the test error message if the
   remote_address field is not of the expected type.
2022-08-03 10:14:17 -04:00
Meggie 13ba59f82a
changelog++ 2022-08-03 09:53:26 -04:00
Mike Palmiotto c4140522a6
Docs/vault 7338 retry join known issue (#16540)
* storage/raft: Add known issue for retry_join

* storage/raft: Update known issues with issue reference

* docs: Add return between includes
2022-08-03 15:42:51 +02:00
Alexander Scheel cf7105929f
Allow old certs to be cross-signed (#16494)
* Allow old certs to be cross-signed

In Vault 1.11, we introduced cross-signing support, but the earlier SKID
field change in Vault 1.10 causes problems: notably, certs created on
older versions of Vault (<=1.9) or outside of Vault (with a different
SKID method) cannot be cross-signed and validated in OpenSSL.

In particular, OpenSSL appears to be unique in requiring a SKID/AKID
match for chain building. If AKID and SKID are present on an otherwise
valid client/parent cert pair and the values are different, OpenSSL will
not build a valid path over those two, whereas most other chain
validation implementations will.

Regardless, to have proper cross-signing support, we really aught to
support copying an SKID. This adds such support to the sign-intermediate
endpoint. Support for the /issue endpoint is not added, as cross-signing
leaf certs isn't generally useful and can accept random SKIDs.

Resolves: #16461

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback, fix tests

Also adds a known-answer test using LE R3 CA's SKID.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback regarding separators

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-03 06:34:21 -07:00