Create global quotas of each type in every NewTestCluster. Also switch some key locks to use DeadlockMutex to make it easier to discover deadlocks in testing.
NewTestCluster also now starts the cluster, and the Start method becomes a no-op. Unless SkipInit is provided, we also wait for a node to become active, eliminating the need for WaitForActiveNode. This was needed because otherwise we can't safely make the quota api call. We can't do it in Start because Start doesn't return an error, and I didn't want to begin storing the testing object T instead TestCluster just so we could call t.Fatal inside Start.
The last change here was to address the problem of how to skip setting up quotas when creating a cluster with a nonstandard handler that might not even implement the quotas endpoint. The challenge is that because we were taking a func pointer to generate the real handler func, we didn't have any way to compare that func pointer to the standard handler-generating func http.Handler without creating a circular dependency between packages vault and http. The solution was to pass a method instead of an anonymous func pointer so that we can do reflection on it.
* Store login MFA secret with tokenhelper
* Clean up and refactor tokenhelper paths
* Refactor totp test code for re-use
* Add login MFA command tests
* Use longer sleep times and sha512 for totp test
* Add changelog
* VAULT-8719 Support data array for alias clash error response so UI can understand error
* VAULT-8719 Changelog
* VAULT-8719 Update alias mount update logic
* VAULT-8719 Further restrict IsError()
Factored out some plugin related tests into their own test package, and added a bunch of parallelism. Moved some non-plugin tests that were in logical_system_integ_test into another file (keeping them in vault package) just for cohesion.
OSS parts of ent PR #3172: assume nodes we haven't received heartbeats from are running the same version as we are. Failing to provide a version/upgrade_version will result in Autopilot (on ent) demoting those unversioned nodes to non-voters until we receive a heartbeat from them.
* VAULT-6433 Add namespace_path to MFA endpoints
* VAULT-6433 add changelog
* VAULT-6433 Return error in case of error
* VAULT-6433 Make logic a bit more concise
* OSS portion of wrapper-v2
* Prefetch barrier type to avoid encountering an error in the simple BarrierType() getter
* Rename the OveriddenType to WrapperType and use it for the barrier type prefetch
* Fix unit test
* VAULT-6818 delete unmerged entity aliases instead of orphaning them
* VAULT-6818 Prevent merge with clashing aliases, allow for resolution of clashing entity aliases
* VAULT-6818 Small updates
* VAULT-6818 Restrict to only one clash merge at once
* VAULT-6818 changelog
* VAULT-6818 use strutil package instead of slices
* VAULT-6818 Update variable names for clarity
* VAULT-6818 Update test
* VAULT-6818 update error message
* VAULT-6818 Use helper method
* VAULT-6818 validate entityIds
* VAULT-6818 group imports better
* VAULT-6818 use change instead of bug
* VAULT-6818 use multierror instead of custom struct
* VAULT-6818 Use multierror properly
* VAULT-6818 Small refactor based on feedback
* storage/raft: Fix cluster init with retry_join
Commit 8db66f4853abce3f432adcf1724b1f237b275415 introduced an error
wherein a join() would return nil (no error) with no information on its
channel if a joining node had been initialized. This was not handled
properly by the caller and resulted in a canceled `retry_join`.
Fix this by handling the `nil` channel respone by treating it as an
error and allowing the existing mechanics to work as intended.
* storage/raft: Improve retry_join go test
* storage/raft: Make VerifyRaftPeers pollable
* storage/raft: Add changelog entry for retry_join fix
* storage/raft: Add description to VerifyRaftPeers
* VAULT-6613 add DetermineRoleFromLoginRequest function to Core
* Fix body handling
* Role resolution for rate limit quotas
* VAULT-6613 update precedence test
* Add changelog
* Handle body error
* VAULT-6613 Return early if error with json parsing
* VAULT-6613 add to teardown function
* Add PutMetadata and PatchMetadata KV helpers
* Refactor tests, stop needlessly converting zero values to nil
* Merge fix for delete-version-after zero value bug
* Cast nils to zero value on Put
* Use 2 different structs for put/patch metadata input, clarity fixes
* Use local constants and simplify stringification
* Add Read methods for KVClient
* KV write helper
* Add changelog
* Add Delete method
* Use extractVersionMetadata inside extractDataAndVersionMetadata
* Return nil, nil for v1 writes
* Add test for extracting version metadata
* Split kv client into v1 and v2-specific clients
* Add ability to set options on Put
* Add test for KV helpers
* Add custom metadata to top level and allow for getting versions as sorted slice
* Update tests
* Separate KV v1 and v2 into different files
* Add test for GetVersionsAsList, rename Metadata key to VersionMetadata for clarity
* Move structs and godoc comments to more appropriate files
* Add more tests for extract methods
* Rework custom metadata helper to be more consistent with other helpers
* Remove KVSecret from custom metadata test now that we don't append to it as part of helper method
* Add Patch KV helper
* Add godoc comment and use WithOption ourselves in other KVOption functions
* Clean up options-handling and resp parsing logic; add more tests
* Add constants and more patch tests
* Add Read methods for KVClient
* KV write helper
* Add changelog
* Add Delete method
* Use extractVersionMetadata inside extractDataAndVersionMetadata
* Return nil, nil for v1 writes
* Add test for extracting version metadata
* Split kv client into v1 and v2-specific clients
* Add ability to set options on Put
* Add test for KV helpers
* Add custom metadata to top level and allow for getting versions as sorted slice
* Update tests
* Separate KV v1 and v2 into different files
* Add test for GetVersionsAsList, rename Metadata key to VersionMetadata for clarity
* Move structs and godoc comments to more appropriate files
* Add more tests for extract methods
* Rework custom metadata helper to be more consistent with other helpers
* Remove KVSecret from custom metadata test now that we don't append to it as part of helper method
* Return early for readability and make test value name less confusing
This requires bumping https://github.com/mitchellh/go-testing-interface.
For this new version, we have to create a wrapper to convert
the stdlib `testing.TB` interface to the
`mitchellh/go-testing-interface` `T` interface, since it uses
`Parallel()` now, which is not supported by `testing.TB`. This had to be
added to a new package, `benchhelpers`, to avoid a circular dependency
in `testhelpers`.
We also have to *unbump* https://github.com/armon/go-metrics since
updating it breaks our usage of
https://github.com/google/go-metrics-stackdriver
I verified that the new `pkiCert` template function works with agent
injection using annotations like:
```yaml
vault.hashicorp.com/agent-inject-secret-sample.crt: "pki/issue/example-dot-com"
vault.hashicorp.com/agent-inject-template-sample.crt: |
{{ pkiCert "pki/issue/example-dot-com" "common_name=foo.example.com" "ttl=1h" }}
```
* WIP: output policy
* Outputs example policy HCL for given request
* Simplify conditional
* Add PATCH capability
* Use OpenAPI spec and regex patterns to determine if path is sudo
* Add test for isSudoPath
* Add changelog
* Fix broken CLI tests
* Add output-policy to client cloning code
* Smaller fixes from PR comments
* Clone client instead of saving and restoring custom values
* Fix test
* Address comments
* Don't unset output-policy flag on KV requests otherwise the preflight request will fail and not populate LastOutputPolicyError
* Print errors saved in buffer from preflight KV requests
* Unescape characters in request URL
* Rename methods and properties to improve readability
* Put KV-specificness at front of KV-specific error
* Simplify logic by doing more direct returns of strings and errors
* Use precompiled regexes and move OpenAPI call to tests
* Remove commented out code
* Remove legacy MFA paths
* Remove unnecessary use of client
* Move sudo paths map to plugin helper
* Remove unused error return
* Add explanatory comment
* Remove need to pass in address
* Make {name} regex less greedy
* Use method and path instead of info from retryablerequest
* Add test for IsSudoPaths, use more idiomatic naming
* Use precompiled regexes and move OpenAPI call to tests (#15170)
* Use precompiled regexes and move OpenAPI call to tests
* Remove commented out code
* Remove legacy MFA paths
* Remove unnecessary use of client
* Move sudo paths map to plugin helper
* Remove unused error return
* Add explanatory comment
* Remove need to pass in address
* Make {name} regex less greedy
* Use method and path instead of info from retryablerequest
* Add test for IsSudoPaths, use more idiomatic naming
* Make stderr writing more obvious, fix nil pointer deref
* VAULT-5422: Add rate limit for TOTP passcode attempts
* fixing the docs
* CL
* feedback
* Additional info in doc
* rate limit is done per entity per methodID
* refactoring a test
* rate limit OSS work for policy MFA
* adding max_validation_attempts to TOTP config
* feedback
* checking for non-nil reference
* remove mount accessor from MFA config
* Update login_mfa_duo_test.go
* DUO test with entity templating
* using identitytpl.PopulateString to perform templating
* minor refactoring
* fixing fmt failures in CI
* change username format to username template
* fixing username_template example
* Login MFA
* ENT OSS segragation (#14088)
* Delete method id if not used in an MFA enforcement config (#14063)
* Delete an MFA methodID only if it is not used by an MFA enforcement config
* Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path
* adding use_passcode field to DUO config (#14059)
* add changelog
* preventing replay attack on MFA passcodes (#14056)
* preventing replay attack on MFA passcodes
* using %w instead of %s for error
* Improve CLI command for login mfa (#14106)
CLI prints a warning message indicating the login request needs to get validated
* adding the validity period of a passcode to error messages (#14115)
* interactive CLI for mfa login
* minor fixes
* bail if no input was inserted
* change label name
* interactive CLI when single methodID is returned from login request
* minor fix
* adding changelog
* addressing feedback
* a user with a terminal should be able to choose between interactive and non-interactive. A user without a terminal should not be able to use the interactive mode.
Co-authored-by: Josh Black <raskchanky@gmail.com>
* go get plugin-secrets-kv@v0.11.0; go mod tidy
* add HTTP-level tests for KV subkeys endpoint
* check status in TestKV_Subkeys_CurrentVersion
* some test cleanup
* Login MFA
* ENT OSS segragation (#14088)
* Delete method id if not used in an MFA enforcement config (#14063)
* Delete an MFA methodID only if it is not used by an MFA enforcement config
* Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path
* adding use_passcode field to DUO config (#14059)
* add changelog
* preventing replay attack on MFA passcodes (#14056)
* preventing replay attack on MFA passcodes
* using %w instead of %s for error
* Improve CLI command for login mfa (#14106)
CLI prints a warning message indicating the login request needs to get validated
* adding the validity period of a passcode to error messages (#14115)
* PR feedback
* duo to handle preventing passcode reuse
Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: hamid ghaf <hamid@hashicorp.com>
* port SSCT OSS
* port header hmac key to ent and generate token proto without make command
* remove extra nil check in request handling
* add changelog
* add comment to router.go
* change test var to use length constants
* remove local index is 0 check and extra defer which can be removed after use of ExternalID
