Commit graph

544 commits

Author SHA1 Message Date
Peter Wilson 138c516498
Update plugin consul template v0.29.5 (#17419)
* Updated consul-template to v0.29.5
2022-10-04 22:34:28 +01:00
Violet Hynes 6fddb953e9
VAULT-8631 Upgrade vault-plugin-secrets to v0.13.3, to enable synchronous KVV2 creation (#17406)
* VAULT-8631 Upgrade vault-plugin-secrets to v0.13.2

* VAULT-8631 Update version, go mod tidy

* VAULT-8631 Add changelog
2022-10-04 13:54:38 -04:00
Peter Wilson e307450c63
fix: upgrade vault-plugin-secrets-kv to v0.13.1 (#17339)
* fix: upgrade vault-plugin-secrets-kv to v0.13.1

* Added changelog

* Update changelog/17339.txt

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-09-28 18:36:10 +01:00
Alexander Scheel 3015689848
Update tlsutil to v0.1.2 for ecdsa algo naming (#17282)
* Update tlsutil in sdk

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update tlsutil in API

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update tlsutil to v0.1.2 for ecdsa algo naming

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-23 08:28:40 -04:00
Yoan Blanc fa8f7c793f
fix: PGP subkeys support (#16224)
* fix: PGP subkeys support

Signed-off-by: Yoan Blanc <yoan@dosimple.ch>

* fix: bump ProtonMail/go-crypto

Signed-off-by: Yoan Blanc <yoan@dosimple.ch>

* fix: bump ProtonMail/go-crypto

Signed-off-by: Yoan Blanc <yoan@dosimple.ch>

Signed-off-by: Yoan Blanc <yoan@dosimple.ch>
2022-09-22 09:12:41 -04:00
Milena Zlaticanin 6593466b3e
secret/database/redis: upgrade plugin to v0.1.0 (#17270) 2022-09-21 19:39:50 -05:00
Tom Proctor 4e51491f7a
Upgrade vault-plugin-auth-alicloud to v0.13.0 (#17251) 2022-09-21 21:05:18 +01:00
Kit Haines 45cb910d0b
Try to bring versions of gofumpt to be the same (so running make bootstrap doesn't change version of gofumpt needed for make fmt) (#17254) 2022-09-21 12:57:34 -04:00
Tom Proctor abfeb59646
Upgrade vault-plugin-auth-centrify to v0.13.0 (#17195) 2022-09-20 06:05:50 -04:00
Christopher Swenson 5a8a896b5a
fix: upgrade vault-plugin-database-elasticsearch to v0.12.0 (#17203) 2022-09-19 14:46:23 -07:00
Christopher Swenson 4ad2dcbfe3
fix: upgrade vault-plugin-database-couchbase to v0.8.0 (#17205) 2022-09-19 14:12:33 -07:00
Robert b8afefbc6a
secrets/ad: update plugin to v0.14.0 (#17214) 2022-09-19 16:03:17 -05:00
Ben Ash d76dbeead1
fix: upgrade vault-plugin-auth-oci to v0.12.0 (#17212) 2022-09-19 13:34:44 -07:00
Milena Zlaticanin f115a3929f
secrets/mongodbatlas: upgrade plugin to v0.8.0 (#17211) 2022-09-19 15:13:36 -05:00
Tom Proctor f7fdb7b7d0
Upgrade vault-plugin-auth-cf to v0.13.0 (#17196) 2022-09-19 19:24:24 +01:00
Tom Proctor bc5ac79928
Upgrade vault-plugin-auth-azure to v0.12.0 (#17194) 2022-09-19 19:22:09 +01:00
Ben Ash adf9b7eca0
fix: upgrade vault-plugin-secrets-alicloud to v0.13.0 (#17201) 2022-09-19 10:39:36 -07:00
Christopher Swenson 17fd8ad465
fix: upgrade vault-plugin-database-mongodbatlas to v0.8.0 (#17200) 2022-09-19 10:16:20 -07:00
vinay-gopalan f0d3cbaa43
bump secrets/azure to v0.14.0 (#17180) 2022-09-19 10:02:57 -07:00
Ben Ash bc8ab07b28
fix: upgrade vault-plugin-secrets-gcpkms to v0.13.0 (#17199) 2022-09-19 12:56:56 -04:00
vinay-gopalan fdebc2c2c3
bump secrets/kv to v0.13.0 (#17175) 2022-09-19 09:40:52 -07:00
Steven Clark 7f3dd736c9
Update OSS dependencies to match newer versions that ENT is using (#17188) 2022-09-19 10:33:36 -04:00
Steven Clark 05a5928b8d
Update missing go-kms-wrapping v2 dep and address some ENT->OSS drift (#17178)
* Update missing go-kms-wrapping v2 dep and address some ENT->OSS drift

* Bump go-kms-wrapping/wrappers/gcpckms/v2 to v2.0.1
2022-09-19 10:23:40 -04:00
Robert e529bac132
auth/kerberos: update plugin to v0.8.0 (#17173)
* Update plugin version to v0.8.0
2022-09-16 16:50:12 -05:00
Robert d89aeb7a3a
secrets/terraform: update plugin to v.0.6.0 (#17172)
* Update plugin version to v.0.6.0
2022-09-16 15:56:39 -05:00
Austin Gebauer 7b862f33c3
secrets/gcp: updates plugin to v0.14.0 (#17174)
* secrets/gcp: updates plugin to v0.14.0

* adds changelog
2022-09-16 12:42:37 -07:00
vinay-gopalan ec76c2c8a3
update auth/gcp to v0.14.0 (#17160) 2022-09-16 09:39:34 -07:00
Max Coulombe a3f7a8c487
+ upgrade redis-elasticache plugin to v0.1.0 (#17163) 2022-09-16 12:32:12 -04:00
Theron Voran 81ea92459c
secrets/kubernetes: upgrade to v0.2.0 (#17164) 2022-09-16 08:31:53 -07:00
Theron Voran 37b30337a0
auth/kubernetes: upgrade to v0.14.0 (#17161) 2022-09-16 02:03:21 -04:00
Austin Gebauer c1f51417b0
Adds ldap secrets to plugin registry and updates to v0.9.0 (#17152)
* Adds ldap secrets to plugin registry and updates to v0.9.0

* adds changelog

* fix test
2022-09-15 22:19:24 -07:00
Christopher Swenson aa503ef7ff
fix: upgrade vault-plugin-database-snowflake to v0.6.0 (#17159)
fix: upgrade vault-plugin-database-snowflake to v0.6.0
2022-09-15 16:01:56 -07:00
Austin Gebauer c87954e7e3
auth/jwt: updates plugin to v0.14.0 (#17154) 2022-09-15 13:44:50 -07:00
Max Coulombe 6b2f4e5354
+ added redis elasticache as a built-in plugin (#17075)
* added redis elasticache as a built-in plugin
2022-09-09 16:16:30 -04:00
Milena Zlaticanin 0977bd1ddc
Import Redis OSS database plugin into Vault (#17070)
* Import Redis OSS database plugin into Vault

* update the total number of db plugins

* small nit for testing

* adding changelog
2022-09-09 13:42:25 -05:00
Max Coulombe f9b5d1a563
Multiplexing opt out flag (#16972)
* added mplexing opt-out flag
2022-09-08 11:32:46 -04:00
Hamid Ghaf a034ebfd27
HCP link integration (#16939)
* HCP link integration

* update configure-git.yml

* more OSS stuff

* removing internal repos

* adding a nil check

* removing config test to be included in ENT only

* updating hcp-sdk-go to v0.22.0

* remove Hostname and AuthURL link config params

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
2022-09-06 14:11:04 -04:00
Jason O'Donnell e097e46a50
auth/kerberos: add config to include ldap groups in group alias (#16890) 2022-08-25 13:51:54 -07:00
Scott Miller 3bd38fd5dc
OSS portion of wrapper-v2 (#16811)
* OSS portion of wrapper-v2

* Prefetch barrier type to avoid encountering an error in the simple BarrierType() getter

* Rename the OveriddenType to WrapperType and use it for the barrier type prefetch

* Fix unit test
2022-08-23 15:37:16 -04:00
Nathan Coleman 99eca84c3b
Update crypto package to fix GO-2021-0356 (#16799) 2022-08-22 09:57:25 -07:00
John-Michael Faircloth d3c72080c4
update go-plugin to v1.4.5 (#16781) 2022-08-18 12:33:43 -04:00
Matt Schultz 14284c67f5
Update consul-template to v0.29.2. (#16764) 2022-08-17 11:24:40 -05:00
Robert 4bbdf61f52
auth/kerberos: update plugin version to v0.7.2 (#16636)
* Update plugin version to v0.7.2
2022-08-09 11:02:41 -05:00
Hridoy Roy a02c02ea68
upgrade raft to 1.3.10 (#16609)
* upgrade raft to 1.3.10

* changelog
2022-08-05 10:27:37 -07:00
Jason O'Donnell bc93baaaab
auth/kerberos: add remove_instance_name config (#16594)
* auth/kerberos: add remove_instance_name config

* Update website

* Fix doc

* Fix doc

* changelog
2022-08-04 16:38:12 -04:00
Austin Gebauer 30c75699f2
auth/jwt: updates dependency and adds changelogs (#16525)
* auth/jwt: updates dependency and adds changelogs

* adds changelog entries
2022-08-01 12:46:34 -07:00
Robert 36c2c11023
auth/gcp: add support for GCE regional instance groups (#16435)
* Update GCP auth to add support for regional instance groups

* Add changelog file
2022-07-22 17:31:25 -05:00
Austin Gebauer 5fd479a55a
deps: updates google.golang.org/api via plugins (#16405) 2022-07-21 13:07:57 -07:00
Austin Gebauer 7df39640e0
Update gopsutil to v3 to fix MacOS deprecation warnings (#16321)
* Update gopsutil to v3

* Adds v2 field names in host-info response to allow eventual deprecation in favor of v3 field names

* Map v3 to v2 field names to keep host-info api compat

* copy gopsutil license into source
2022-07-20 16:37:10 -07:00
Christopher Swenson 81b702b918
Remove gox in favor of go build. (#16353)
Remove gox in favor of go build.

`gox` hasn't had a release to update it in many years, so is missing
support for many modern systems, like `darwin/arm64`.

In any case, we only use it for dev builds, where we don't even use
the ability of it to build for multiple platforms. Release builds use
`go build` now.

So, this switches to `go build` everywhere.

I pulled this down and tested it in Windows as well. (Side note: I
couldn't get `gox` to work in Windows, so couldn't build before this
change.)
2022-07-20 10:44:41 -07:00
akshya96 42b13448f9
ActivityLog Implement HyperLogLog Store Functionality During Precomputation (#16146)
* adding hll for each month

* add changelog

* removing influxdb

* removing influxdb

* removing influxdb

* changing switch to if-else for semgrep
2022-06-27 09:38:32 -07:00
Christopher Swenson 2e56c7fe0a
Update consul-template to latest for pkiCert fix (#16087)
Update consul-template to latest for pkiCert fix

So that we get the fixes in https://github.com/hashicorp/consul-template/pull/1590
and https://github.com/hashicorp/consul-template/pull/1591.

I tested manually that this no longer causes `pkiCert` to get into an
infinite failure loop when the cert expires, and that the key and CA certificate are also accessible.

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-06-27 08:39:36 -07:00
Calvin Leung Huang 08f148ba42
secrets/ad: update plugin to v0.13.1 (#16140) 2022-06-24 12:04:01 -07:00
Steven Clark 37edd59828
Match up dependency versions across OSS and ENT. (#15820)
- A few pinned dependency versions have been upgraded within ENT but were
   not upgraded in OSS. This will syncs the pinned versions across them.
2022-06-17 08:34:00 -04:00
Alexander Scheel 0cbbea1cbe
Update containerd/containerd indirect test dep (#15816)
* Update containerd/containerd indirect test dep

This dependency is pulled in from our testing infra and not in our final
Vault version. However, updating this dep pulls in newer versions of
other deps (such as protobuf) which are used at runtime. Updated via:

$ go get github.com/containerd/containerd@v1.5.13 && go mod tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update moby/moby direct test dep

Since docker/docker has an indirect dep on containerd, I've updated it
as well:

$ go get github.com/docker/docker@v20.10.17 && go mod tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-13 13:37:12 -04:00
Nick Cabatoff e18e8c3677
Fix broken rabbithole dep exposed by wiping my module cache. (#15867) 2022-06-08 10:31:43 -04:00
Austin Gebauer 18d25ca4d1
db/snowflake: updates plugin to v0.5.1 (#15814) 2022-06-06 09:28:06 -07:00
Chris Capurso 073cd369b6
bump vault-plugin-secrets-kv to v0.12.1 (#15792)
* bump vault-plugin-secrets-kv to v0.12.1

* add changelog entry
2022-06-03 16:01:35 -04:00
Alexander Scheel 03efc71e62
Update to fixed parseutil v0.1.6 (#15774)
Note that this only really applies to the SSH engine, nothing else uses
this helper. Other go.mod's updated for consistency.

See also: https://github.com/hashicorp/go-secure-stdlib/pull/40

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-02 17:31:45 -04:00
Robert d3654dd55c
Update terraform secrets to v0.5 (#15721) 2022-05-31 20:26:50 -05:00
Robert 3c057205ab
secrets/openldap: Update plugin to v0.8.0 (#15667) 2022-05-27 14:29:02 -05:00
Theron Voran e2a15cae83
secrets/kubernetes: update to v0.1.1 (#15655) 2022-05-26 15:44:03 -07:00
Calvin Leung Huang fddbd2fe66
auth/cf: update plugin to v0.12.0 (#15636) 2022-05-26 12:12:54 -07:00
Tom Proctor 60cc834322
upgrade azure, centrify and kerberos auth plugins (#15646) 2022-05-26 19:07:07 +01:00
John-Michael Faircloth 02b1db37fd
fix: upgrade vault-plugin-database-elasticsearch to v0.11.0 (#15614)
* fix: upgrade vault-plugin-database-elasticsearch to v0.11.0

* add changelog

* Update changelog/15614.txt

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-05-26 10:20:52 -05:00
John-Michael Faircloth fd215fd6fe
fix: upgrade vault-plugin-database-mongodbatlas to v0.7.0 (#15621) 2022-05-26 08:55:14 -05:00
Calvin Leung Huang aa6bf94621
dep: go mod tidy (#15633) 2022-05-25 18:08:31 -07:00
Austin Gebauer af6b86258f
secrets/mongodbatlas: updates plugin to v0.7.0 (#15631) 2022-05-25 17:19:47 -07:00
vinay-gopalan 91628d4fe5
update vault-plugin-auth-oci to v0.11.0 (#15626) 2022-05-25 16:47:58 -07:00
vinay-gopalan b29cca207c
update gcpkms plugin to v0.12.0 (#15622) 2022-05-25 16:01:41 -07:00
Ben Ash 513150a443
fix: upgrade vault-plugin-secrets-azure to v0.13.0 (#15605) 2022-05-25 17:46:11 -04:00
John-Michael Faircloth c73bc88371
fix: upgrade vault-plugin-database-snowflake to v0.5.0 (#15608)
* fix: upgrade vault-plugin-database-snowflake to v0.5.0

* add changelog

* remove changelog since it already exists in vault
2022-05-25 16:04:45 -05:00
John-Michael Faircloth f7aaa4c512
fix: upgrade vault-plugin-database-couchbase to v0.7.0 (#15606) 2022-05-25 16:03:37 -05:00
Calvin Leung Huang 00f42065b1
secrets/alicloud: update plugin to v0.12.0 (#15607) 2022-05-25 13:33:07 -07:00
Austin Gebauer 6c9eaa95c4
secrets/gcp: updates plugin to v0.13.0 (#15603) 2022-05-25 12:45:40 -07:00
Calvin Leung Huang 829f1b1bb8
auth/alicloud: update plugin to v0.12.0 (#15602) 2022-05-25 12:30:35 -07:00
Ben Ash 7bd1485185
fix: upgrade vault-plugin-secrets-kv to v0.12.0 (#15600) 2022-05-25 15:01:36 -04:00
Austin Gebauer 28b3cf6352
auth/jwt: updates plugin to v0.13.0 (#15593) 2022-05-25 11:04:32 -07:00
Theron Voran 6f1ce1c690
upgrade vault-plugin-auth-kubernetes to v0.13.0 (#15584) 2022-05-25 10:41:53 -07:00
Ben Ash 5f58ff8512
fix: upgrade vault-plugin-secrets-ad to v0.13.0 (#15572) 2022-05-25 13:37:42 -04:00
Austin Gebauer c6b8a3be3a
auth/gcp: updates plugin to v0.13.0 (#15592) 2022-05-25 10:35:41 -07:00
Jim Kalafut a3b0b60a73
postgres: replace the package lib/pq with pgx (#15343)
* WIP replacing lib/pq

* change timezome param to be URI format

* add changelog

* add changelog for redshift

* update changelog

* add test for DSN style connection string

* more parseurl and quoteidentify to sdk; include copyright and license

* call dbutil.ParseURL instead, fix import ordering

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-05-23 12:49:18 -07:00
Theron Voran 544b60b29c
Adding vault-plugin-secrets-kubernetes v0.1.0 (#15551) 2022-05-20 14:13:33 -07:00
Nick Cabatoff bc9f69af2e
Forward autopilot state reqs, avoid self-dialing (#15493)
Make sure that autopilot is disabled when we step down from active node state.  Forward autopilot state requests to the active node.  Avoid self-dialing due to stale advertisement.
2022-05-18 14:50:18 -04:00
Chris Hoffman 24e8b73c73
Updating Okta MFA to use official SDK (#15355)
* updating MFA to use official Okta SDK

* add changelog

* Update vault/login_mfa.go

Co-authored-by: swayne275 <swayne@hashicorp.com>

* cleanup query param building

* skip if not user factor

* updating struct tags to be more explicit

* fixing incorrect merge

* worrying that URL construction may change in the future, reimplementing GetFactorTransactionStatus

* adding some safety around url building

Co-authored-by: swayne275 <swayne@hashicorp.com>
2022-05-17 15:14:26 -04:00
Alexander Scheel 8750512f9f
Fix integer overflows with new parseutil (#15437)
* Use new parseutil helper: Safe variants

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update parseutil to v0.1.5

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix additional integer overflow in command/server

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-16 13:57:19 -04:00
Matt Schultz 611ab91e5a
Transit byok import endpoints (#15414)
* add import endpoint

* fix unlock

* add import_version

* refactor import endpoints and add tests

* add descriptions

* Update dependencies to include tink for Transit import operations. Convert Transit wrapping key endpoint to use shared wrapping key retrieval method. Disallow import of convergent keys to Transit via BYOK process.

* Include new 'hash_function' parameter on Transit import endpoints to specify OAEP random oracle hash function used to wrap ephemeral AES key.

* Add default values for Transit import endpoint fields. Prevent an OOB panic in Transit import. Proactively zero out ephemeral AES key used in Transit imports.

* Rename some Transit BYOK import variables. Ensure Transit BYOK ephemeral key is of the size specified byt the RFC.

* Add unit tests for Transit BYOK import endpoint.

* Simplify Transit BYOK import tests. Add a conditional on auto rotation to avoid errors on BYOK keys with allow_rotation=false.

* Added hash_function field to Transit import_version endpoint. Reworked Transit import unit tests. Added unit tests for Transit import_version endpoint.

* Add changelog entry for Transit BYOK.

* Transit BYOK formatting fixes.

* Omit 'convergent_encryption' field from Transit BYOK import endpoint, but reject with an error when the field is provided.

* Minor formatting fix in Transit import.

Co-authored-by: rculpepper <rculpepper@hashicorp.com>
2022-05-16 11:50:38 -05:00
John-Michael Faircloth 36f1938b30
update go-plugin to v1.4.4 (#15297) 2022-05-05 16:26:42 -05:00
Christopher Swenson 0affe226ad
Update deps for consul-template 0.29.0 (#15293)
This requires bumping https://github.com/mitchellh/go-testing-interface.
For this new version, we have to create a wrapper to convert
the stdlib `testing.TB` interface to the
`mitchellh/go-testing-interface` `T` interface, since it uses
`Parallel()` now, which is not supported by `testing.TB`. This had to be
added to a new package, `benchhelpers`, to avoid a circular dependency
in `testhelpers`.

We also have to *unbump* https://github.com/armon/go-metrics since
updating it breaks our usage of
https://github.com/google/go-metrics-stackdriver

I verified that the new `pkiCert` template function works with agent
injection using annotations like:

```yaml
vault.hashicorp.com/agent-inject-secret-sample.crt: "pki/issue/example-dot-com"
vault.hashicorp.com/agent-inject-template-sample.crt: |
  {{ pkiCert "pki/issue/example-dot-com" "common_name=foo.example.com" "ttl=1h" }}
```
2022-05-05 10:30:40 -07:00
Nick Cabatoff c5928c1d15
Raft: use a larger initial heartbeat/election timeout (#15042) 2022-04-29 08:32:16 -04:00
Christopher Swenson 7713b67c15
fix: upgrade vault-plugin-database-snowflake to v0.4.1 (#15199) 2022-04-27 10:55:10 -07:00
Reuben James 92cd0e8248
Update golang.org/x/crypto/ssh (#15125)
* Update golang.org/x/crypto/ssh

* Add changelog comment
2022-04-22 12:58:23 -04:00
Christopher Swenson 457f28240e
VAULT-5827 Update mongodb, brotli (#15093)
VAULT-5827 Update mongodb, brotli

Closes https://github.com/hashicorp/vault-plugin-secrets-mongodbatlas/issues/11

* `brotli` 1.0.1 was withdrawn
* `go-client-mongodb-atlas` has an old dependency on a renamed repo, and
  has been renamed twice. This caused issues in
  https://github.com/hashicorp/vault-plugin-secrets-mongodbatlas/issues/11
  for example.
* VAULT-5827 Set unwrap token during database tests

The unwrap token is necessary for the plugins to start correctly when
running when running acceptance tests locally, e.g.,

```
$ VAULT_MONGODBATLAS_PROJECT_ID=... VAULT_MONGODBATLAS_PRIVATE_KEY=... VAULT_MONGODBATLAS_PUBLIC_KEY=... TEST='-run TestBackend_StaticRole_Rotations_MongoDBAtlas github.com/hashicorp/vault/builtin/logical/database'  make test

--- FAIL: TestBackend_StaticRole_Rotations_MongoDBAtlas (5.33s)
    rotation_test.go:818: err:%!s(<nil>) resp:&logical.Response{Secret:<nil>, Auth:<nil>, Data:map[string]interface {}{"error":"error creating database object: invalid database version: 2 errors occurred:\n\t* Unrecognized remote plugin message: PASS\n\nThis usually means that the plugin is either invalid or simply\nneeds to be recompiled to support the latest protocol.\n\t* Incompatible API version with plugin. Plugin version: 5, Client versions: [3 4]\n\n"}, Redirect:"", Warnings:[]string(nil), WrapInfo:(*wrapping.ResponseWrapInfo)(nil), Headers:map[string][]string(nil)}
```

Note the `PASS` message there, which indicates that the plugin exited
before starting the RPC server.
2022-04-19 15:26:22 -07:00
Tom Proctor b30e7d3545
Upgrade hashicorp/consul-template dependency (#15092)
* Includes sprig template functions
* Includes improvements to writeTo template function
* Add sprig functions test, improve failure message
2022-04-19 20:51:11 +01:00
Conrad Kleinespel 106ea2a2de
Update gocql to resolve #12878 (#14973) 2022-04-18 11:12:32 -07:00
Robert b56996b15d
Update vault-plugin-auth-gcp to newest pseudo-version (#14923) 2022-04-06 18:13:19 -05:00
swayne275 1a2eccf44b
update to new raft-snapshot to avoid snapshot decompression bombs (#14797) 2022-03-30 15:25:21 -06:00
Anton Averchenkov de6d55d4a9
Update Vault to use api/v1.5.0 (#14718) 2022-03-28 12:11:03 -04:00
Chris Capurso dc4aae642a
Fix panic caused by parsing json.Number values for TypeCommaStringSlice fields (#14522)
* go-secure-stdlib/parseutil to v0.1.4

* add TypeCommaStringSlice for json.Number

* add changelog entry

* upgrade go-secure-stdlib/parseutil to v0.1.4 in sdk

* move json number TypeCommaStringSlice test

* go mod download for api; go mod tidy
2022-03-28 11:07:55 -04:00
Chris Capurso 157a655632
Fix CLI panic caused by single backslash values (#14523)
* upgrade go-secure-stdlib/kv-builder to v0.1.2

* add kv test to ensure single backslash values no longer panic

* add changelog entry
2022-03-24 16:40:32 -04:00
Zach Stone b43ed904f2
Update mholt/archiver to v3.5.1 (#11584)
* Update mholt/archiver to v3.5.0

* Bump archiver to 3.5.1

* Vendor dependencies

* Use newer go

* go mod tidy

* Remove vendor

* Rm vendor

* Revert api and sdk sums

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2022-03-16 09:42:21 -05:00
Rémi Lapeyre e89bbd51d9
Add support for PROXY protocol v2 in TCP listener (#13540)
* Add support for PROXY protocol v2 in TCP listener

I did not find tests for this so I added one trying to cover different
configurations to make sure I did not break something. As far as I know,
the behavior should be exactly the same as before except for one thing
when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized
requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84
but it will now be logged.

Also fixes https://github.com/hashicorp/vault/issues/9462 by adding
support for `PROXY UNKNOWN` for PROXY protocol v1.

Closes https://github.com/hashicorp/vault/issues/3807

* Add changelog
2022-03-08 12:13:00 -05:00
Calvin Leung Huang 149b54932b
deps: update plugin versions for Vault 1.10 (#14293)
* deps: update plugin versions for Vault 1.10

* update vault-plugin-secrets-alicloud to v0.11.1

* downgrade alibaba-cloud-sdk-go

* update auth-jwt and auth-gcp, revert non-plugin deps
2022-02-25 16:36:06 -08:00
Steven Clark e7edaaffee
Force certain PKI operations to go to the Primary Performance cluster immediately (#14287) 2022-02-25 13:26:34 -05:00
Tero Saarni 8bca8984e6
Update github.com/prometheus/client_golang (#14190)
* Update github.com/prometheus/client_golang

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

* Added changelog entry.
2022-02-23 09:31:58 -05:00
mickael-hc 6b753fb2f5
Replace dgrijava/jwt-go with golang-jwt/jwt (#14167) 2022-02-22 15:12:15 -05:00
Ben Ash a156036934
upgrade vault-plugin-auth-kubernetes (#14144)
- ensure valid entity alias names created for projected volume tokens.
2022-02-22 11:25:44 -05:00
Jason O'Donnell d848531cce
secrets/openldap: fix panic from nil logger (#14171)
* secrets/openldap: fix panic from nil logger

* changelog
2022-02-18 19:40:30 -05:00
Chris Capurso c7ba8b1f25
Add HTTP-level tests for KV subkeys endpoint (#14079)
* go get plugin-secrets-kv@v0.11.0; go mod tidy

* add HTTP-level tests for KV subkeys endpoint

* check status in TestKV_Subkeys_CurrentVersion

* some test cleanup
2022-02-18 11:54:36 -05:00
Jason O'Donnell 6b8e5b1e1f
auth/azure: update to v0.9.3 (#14138)
* auth/azure: update to v0.9.3

* changelog

* Rollback go-testing-interface

* go mod tidy
2022-02-18 09:42:48 -05:00
Josh Black e83471d7de
Login MFA (#14025)
* Login MFA

* ENT OSS segragation (#14088)

* Delete method id if not used in an MFA enforcement config (#14063)

* Delete an MFA methodID only if it is not used by an MFA enforcement config

* Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path

* adding use_passcode field to DUO config (#14059)

* add changelog

* preventing replay attack on MFA passcodes (#14056)

* preventing replay attack on MFA passcodes

* using %w instead of %s for error

* Improve CLI command for login mfa (#14106)

CLI prints a warning message indicating the login request needs to get validated

* adding the validity period of a passcode to error messages (#14115)

* PR feedback

* duo to handle preventing passcode reuse

Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: hamid ghaf <hamid@hashicorp.com>
2022-02-17 13:08:51 -08:00
Alexander Scheel 45c028a2fb
Allow specifying multiple allowed SSH key lengths (#13991)
* Allow specifying multiple allowed SSH key lengths

In the ssh secrets engine, only a single allowed key length was allowed
for each algorithm type. However, many algorithms have multiple safe
values (such as RSA and ECDSA); allowing a single role to have multiple
values for a single algorithm is thus helpful.

On creation or update, roles can now specify multiple types using a list
or comma separated string of allowed values:

    allowed_user_key_lengths: map[string][]int{"rsa": []int{2048, 4096}}

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Break out ssh upgrade logic into separate function

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update parseutil for optional lists of integers

    go get -u github.com/hashicorp/go-secure-stdlib/parseutil
    go mod tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Simplify parse logic using new parseutil

The newly introduced parseutil.ParseIntSlice handles the more
complicated optional int-like slice logic for us.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-17 15:36:56 -05:00
Jordan Reimer b936db8332
Revert "MFA (#14049)" (#14135)
This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 13:17:59 -07:00
Austin Gebauer e4aab1b0cc
secrets/azure: update plugin to v0.11.4 (#14130) 2022-02-17 12:09:36 -08:00
Jordan Reimer 36ccfaa3aa
MFA (#14049)
* adds development workflow to mirage config

* adds mirage handler and factory for mfa workflow

* adds mfa handling to auth service and cluster adapter

* moves auth success logic from form to controller

* adds mfa form component

* shows delayed auth message for all methods

* adds new code delay to mfa form

* adds error views

* fixes merge conflict

* adds integration tests for mfa-form component

* fixes auth tests

* updates mfa response handling to align with backend

* updates mfa-form to handle multiple methods and constraints

* adds noDefault arg to Select component

* updates mirage mfa handler to align with backend and adds generator for various mfa scenarios

* adds tests

* flaky test fix attempt

* reverts test fix attempt

* adds changelog entry

* updates comments for todo items

* removes faker from mfa mirage factory and handler

* adds number to word helper

* fixes tests

* Revert "Merge branch 'main' into ui/mfa"

This reverts commit 8ee6a6aaa1b6c9ec16b985c10d91c3806819ec40, reversing
changes made to 2428dd6cca07bb41cda3f453619646ca3a88bfd0.

* format-ttl helper fix from main
2022-02-17 09:10:56 -07:00
Robert 91f5069c03
secret/consul: Add Consul ACL roles support (#14014)
Co-authored-by: Brandon Ingalls <brandon@ingalls.io>
2022-02-16 19:31:08 -06:00
Alexander Scheel f45ad6e284
Fix ed25519 generated SSH key marshalling (#14101)
* Ensure we can issue against generated SSH CA keys

This adds a test to ensure that we can issue leaf SSH certificates using
the newly generated SSH CA keys. Presently this fails because the
ed25519 key private is stored using PKIX's PKCS8 PrivateKey object
format rather than using OpenSSH's desired private key format:

> path_config_ca_test.go:211: bad case 12: err: failed to parse stored CA private key: ssh: invalid openssh private key format, resp: <nil>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add dependency on edkey for OpenSSH ed25519 keys

As mentioned in various terraform-provider-tls discussions, OpenSSH
doesn't understand the standard OpenSSL/PKIX ed25519 key structure (as
generated by PKCS8 marshalling). Instead, we need to place it into the
OpenSSH RFC 8709 format. As mentioned in this dependency's README,
support in golang.org/x/crypto/ssh is presently lacking for this.
When the associated CL is merged, we should be able to remove this dep
and rely on the (extended) standard library, however, no review progress
appears to have been made since the CL was opened by the author.

See also: https://go-review.googlesource.com/c/crypto/+/218620/

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-16 14:28:57 -05:00
Ben Ash 7aaee22e07
auth/kubernetes: Update plugin to v0.11.5 (#13925) 2022-02-10 12:23:19 -05:00
Robert d0832a1993
secret/consul: Add support for consul namespaces and admin partitions (#13850)
* Add support for consul namespaces and admin partitions
2022-02-09 15:44:00 -06:00
Jason O'Donnell fc69112f9a
secrets/gcp: update to v0.11.2 (#13974)
* secrets/gcp: update to v0.11.2

* Changelog
2022-02-09 12:57:53 -05:00
Jason O'Donnell 9218e8126e
secrets/azure: update to v0.11.3 (#13973)
* secrets/azure: update to v0.11.3

* Changelog
2022-02-09 11:58:53 -05:00
Jason O'Donnell 702399a156
go-mssqldb: update to v0.12.0 (#13951) 2022-02-08 11:45:55 -05:00
Tero Saarni f4eea60799
Switch/upgrade to influxdata/influxdb1-client (#12262)
* influxdb v1 client has been split into a separate module from the main influxdb
  code base. This changes uses the correct client, which also allows us to
  get updates and avoids confusing some vulnerability scanners that flagged 
  previous version incorrectly.

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2022-01-25 13:30:24 -05:00
Nick Cabatoff ddab893034
Update to raft lib v1.3.3 (#13703) 2022-01-24 09:50:23 -05:00
Tero Saarni e2b17ca96b
auth/kubernetes: support for dynamically reloading short-lived tokens (#13595)
* auth/kubernetes: support for short-lived tokens

* Uplift new version of Kubernetes auth plugin that does not store the
  service account token persistently to Vault storage.

* Update the documentation to recommend local token again when running
  Vault inside cluster.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

* Added changelog entry

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

* clarification to changelog entry, executed go mod tidy

* clarifications and added targeted release version
2022-01-14 19:55:15 -08:00
Chris Capurso d52d69e4bb
Add HTTP PATCH support for KV key metadata (#13215)
* go get vault-plugin-secrets-kv@vault-4290-patch-metadata

* add kv metadata patch command

* add changelog entry

* success tests for kv metadata patch flags

* add more kv metadata patch flags tests

* add kv metadata patch cas warning test

* add kv-v2 key metadata patch API docs

* add kv metadata patch to docs

* prevent unintentional field overwriting in kv metadata put cmd

* like create/update ops, prevent patch to paths ending in /

* fix kv metadata patch cmd in docs

* fix flag defaults for kv metadata put

* go get vault-plugin-secrets-kv@vault-4290-patch-metadata

* fix TestKvMetadataPatchCommand_Flags test

* doc fixes

* go get vault-plugin-secrets-kv@master; go mod tidy
2022-01-12 12:05:27 -05:00
Chris Capurso fea26266f3
update okta-sdk-golang to v2.9.1 (#13439)
* update okta-sdk-golang to v2.9.1

* go mod tidy

* add changelog entry
2022-01-06 09:42:51 -05:00
Austin Gebauer c21ff7e587
secrets/gcp: update plugin to v0.11.1 (#13548) 2022-01-03 11:18:48 -08:00
Austin Gebauer 431376cb7f
auth/oidc: update plugin to v0.11.4 (#13492) 2021-12-21 16:48:53 -08:00
Jason O'Donnell 1966264bcd
auth/gcp: update to v0.11.3 (#13457)
* update gcp auth

* go mod tidy
2021-12-16 15:46:34 -05:00
John-Michael Faircloth 7f78f3357f
auth/jwt: Update plugin to v0.11.3 (#13365)
* auth/jwt: Update plugin to v0.11.3

* add changelog
2021-12-09 07:44:52 -06:00
Eugene R f39f1ce8de
Aerospike backend update (#12165)
* upgrade aerospike-client-go to v5.2.0

* use strings.Contains to check an error

* add changelog file

* go mod tidy

* go mod tidy

* update the changelog

* revert .gitignore update

* go mod tidy
2021-11-29 11:09:12 -08:00
Austin Gebauer 0ca08038d5
secrets/azure: Update plugin to v0.11.2 (#13277) 2021-11-29 09:05:23 -08:00
Chris Capurso 15b06780ab
remove nil response to 404 translation for PatchOperation (#13167)
* remove nil response to 404 translation for PatchOperation

* go get vault-plugin-secrets-kv@master
2021-11-23 13:57:22 -05:00
Austin Gebauer d5f4fbecc1
identity/oidc: optional nonce parameter for authorize request (#13231) 2021-11-22 09:42:22 -08:00
Nick Cabatoff eda9607c8a
Revert more downgrades from #12975. (#13168) 2021-11-16 15:07:03 -05:00
Nick Cabatoff 9e27ccbae1
Fix 1.9 regression with raft and stored time values (#13165) 2021-11-16 14:43:00 -05:00
Calvin Leung Huang 4a59b4c683
deps: update plugin versions for 1.9 release (#12975)
* deps: update plugin versions for 1.9 release

* deps: update vault-plugin-secrets-azure to v0.11.1

* go get newest version of github.com/pkg/browser

* deps: update vault-plugin-secrets-alicloud v0.10.2

* deps: update vault-plugin-auth-jwt to v0.11.2

* deps: update vault-plugin-auth-gcp to v0.11.2

* Clean up some inflated indirect dep versions

* deps: update vault-plugin-auth-azure to v0.9.2

* deps: re-fetch x/oauth2 to adjust version

* deps: github.com/pkg/browser to v0.0.0-20210911075715-681adbf594b8

Co-authored-by: Ben Ash <bash@hashicorp.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2021-11-01 14:18:21 -07:00
Jim Kalafut 170421af31
Update parseutil dependency (#12947) 2021-10-28 09:15:42 -07:00
Alexander Scheel 5579394b48
go-kms-wrapping update for Azure Key Vault's Managed HSM offering (#12934)
* Update to hashicorp/go-kms-wrapping@v0.6.8

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation around Managed HSM KeyVault

This introduces the "resource" config parameter and the
AZURE_AD_RESOURCE environment variable from the updated go-kms-wrapping
dependency.

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry for g-k-w changes

Includes changes from @stevendpclark.

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
2021-10-27 12:07:18 -04:00
Ben Ash 6769ab37ea
fix: upgrade vault-plugin-auth-kerberos to v0.5.0 (#12930)
* Update docker helper code to match deps.
* Fix container variable name collides with import.
* Update vault-testing-stepwise to v0.1.2
2021-10-27 10:01:34 -04:00
Chris Capurso a6b1cbad12
Extend kv metadata to get, put, and patch (#12907)
* go get vault-plugin-secrets-kv@extend-kv-metadata-to-get-and-put

* test for custom_metadata in kv get, put, patch command output

* remove flagFormat-specific check from TestKVMetadataGetCommand

* rewrite custom metadata changelog entry

* go get vault-plugin-secrets-kv@master

* go mod tidy
2021-10-26 15:38:56 -04:00
Ben Ash e44dbb01ba
fix: upgrade vault-plugin-auth-kubernetes to v0.11.2 (#12913)
* Update k8s.io/client-go to v0.22.2
2021-10-22 18:02:41 -04:00
Ben Ash f8914a273a
fix: upgrade vault-plugin-secrets-terraform to v0.3.0 (#12909) 2021-10-22 16:34:22 -04:00
Nick Cabatoff ff74f49047
Move to go 1.17 (#12868)
Also ensure that the go 1.17 breaking changes to net.ParseCIDR don't make us choke on stored CIDRs that were acceptable to older Go versions.
2021-10-21 09:32:03 -04:00
vinay-gopalan 4834bb854c
[VAULT-3008] Update RabbitMQ dependency and fix regression in UserInfo.Tags in v3.9 (#12877) 2021-10-20 09:46:37 -07:00
Austin Gebauer c797ed1b5c
Updates vault-plugin-auth-jwt to v0.11.0 (#12876) 2021-10-19 15:22:52 -07:00
vinay-gopalan 1eb73d9ef4
[VAULT-3379] Add support for contained DBs in MSSQL root rotation and lease revocation (#12839) 2021-10-19 14:11:47 -07:00
Ben Ash 5be11c78d6
Update k8s-auth to v0.11.1 (#12865) 2021-10-19 15:30:02 -04:00
Theron Voran ae79afdd26
agent: Use an in-process listener with cache (#12762)
Uses a bufconn listener between consul-template and vault-agent when
caching is enabled and either templates or a listener is defined. This
means no listeners need to be defined in vault-agent for just
templating. Always routes consul-template through the vault-agent
cache (instead of only when persistent cache is enabled).

Uses a local transportDialer interface in config.Cache{}. 

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2021-10-15 17:22:19 -07:00