Commit graph

15560 commits

Author SHA1 Message Date
Calvin Leung Huang 1254689dd4
docs: Fix sample request on okta verify nonce (#16026) 2022-06-16 14:36:12 -07:00
Loann Le 006b531bf9
Vault documentation: updated client count faqs for 1.11 (#16007)
* stashed changes

changes stashed

* Update faq.mdx

Updated links

* Update website/content/docs/concepts/client-count/faq.mdx

* added image

* fixed image name

* updated text

* fixed spacing

* fixed spacing

* added missing info

* missed a period
2022-06-16 11:05:55 -07:00
Alexander Scheel 6cf9cb7a93
Add additional usage clarifications to EA docs (#16017)
- Document Transit and sys random endpoint in 1.11+
 - Document PKI and SSH CAs only, no leaves

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-16 13:56:22 -04:00
Violet Hynes abed5cf6e7
(OSS) Path Suffix Support for Rate Limit Quotas (#15989)
* Support for rate limit path suffix quotas

* Support for rate limit path suffix quotas

* Precedence test for support for rate limit path suffix quotas

* Update clone method

* Fix mount determination

* Add changelog

* use constant for mounts

* Fix read endpoint, and remount/disable mount

* update godocs for queryquota
2022-06-16 13:23:02 -04:00
Alexander Scheel b00e32fec7
Fix format errors in PKI tests (#16015)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-16 07:41:05 -07:00
Alexander Scheel 491a2311b6
Document limitations in FIPS 140-2 migrations (#16012)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-16 10:18:47 -04:00
Alexander Scheel 4e6a9741ee
Add explicit cn_validations field to PKI Roles (#15996)
* Add cn_validations PKI Role parameter

This new parameter allows disabling all validations on a common name,
enabled by default on sign-verbatim and issuer generation options.

Presently, the default behavior is to allow either an email address
(denoted with an @ in the name) or a hostname to pass validation.
Operators can restrict roles to just a single option (e.g., for email
certs, limit CNs to have strictly email addresses and not hostnames).

By setting the value to `disabled`, CNs of other formats can be accepted
without validating their contents against our minimal correctness checks
for email/hostname/wildcard that we typically apply even when broad
permissions (allow_any_name=true, enforce_hostnames=false, and
allow_wildcard_certificates=true) are granted on the role.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update PKI tests for cn_validation support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PKI API documentation on cn_validations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-16 06:53:27 -07:00
Alexander Scheel 3496bc0416
Refactor PKI tests for speed (#15999)
* Refactor role issuance tests to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	5.879s

After:
	github.com/hashicorp/vault/builtin/logical/pki	1.063s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor role key bit tests to use direct backend

Also removes redundant cases.

Before:
	github.com/hashicorp/vault/builtin/logical/pki	136.605s

After:

	github.com/hashicorp/vault/builtin/logical/pki	24.713s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor common name test to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.767s

After:

	github.com/hashicorp/vault/builtin/logical/pki	0.611s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor device cert tests to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.725s

After:

	github.com/hashicorp/vault/builtin/logical/pki	0.402s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor invalid parameter test to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	3.777s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.021s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor Alt Issuer tests to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.560s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.111s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor root idempotency tests to use direct backend

As a result, we've had to import a root cert from elsewhere in the test
suite, rather than using the one off the cluster.

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.399s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.523s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Move PKI direct backend helpers to common location

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor OID SANs test to direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	5.284s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.808s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor allowed serial numbers test to direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.789s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.600s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor URI SANs to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.245s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.600s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor Full Chain CA tests to direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	14.503s

After:
	github.com/hashicorp/vault/builtin/logical/pki	2.082s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update Allow Past CA tests to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.323s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.322s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Convert existing-key root test to direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.430s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.370s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor CRL enable/disable tests to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	5.738s

After:
	github.com/hashicorp/vault/builtin/logical/pki	2.482s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update intermediate existing key tests to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.182s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.416s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor Issuance TTL verification tests to use direct backend

Also shorten sleep duration slightly by precisely calculating it
relative to the actual cert life time.

Before:
	github.com/hashicorp/vault/builtin/logical/pki	19.755s

After:
	github.com/hashicorp/vault/builtin/logical/pki	11.521s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-16 09:11:22 -04:00
Loann Le 11121a829a
Vault documentation: release notes for 1.11.0 (#16005)
* added new content

* new content

* Update website/content/docs/release-notes/1.11.0.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/release-notes/1.11.0.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/release-notes/1.11.0.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/release-notes/1.11.0.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/release-notes/1.11.0.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/release-notes/1.11.0.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-06-15 18:25:14 -07:00
Angel Garbarino f67efae0a9
PKI cleanup continued: queryParams and moving routes/models/serializers to pki folder (#15980)
* routing params

* wip for cert

* move pki-config

* clean up
2022-06-15 17:51:42 -06:00
VAL 753e925f22
Use new -mount syntax for all KV subcommands in 1.11 docs (#16002)
* Use new -mount syntax for all KV subcommands in 1.11 docs

* Use more appropriate heading size for mount flag syntax

* Add the explanatory syntax blurb from the -help text

* Adjust some wording
2022-06-15 19:07:50 -04:00
akshya96 7e313e29fd
Activity Log Filtering Limit Parameter (#16000)
* adding changes from ent branch

* adding fmt changes

* adding changelog
2022-06-15 15:41:31 -07:00
claire bontempo 28ada99c48
UI/VAULT-3645/Remove browserstack (#15997)
* remove browserstack
2022-06-15 14:50:44 -07:00
swayne275 54262d2f4e
clarify lazy revoke prefix if not sync (#15967)
* clarify lazy revoke prefix if not sync

* comment improvement
2022-06-15 12:03:56 -06:00
shujun10086 9f0a72ef2a
Fix keyring file missing after Vault restart (#15946) 2022-06-15 10:22:42 -07:00
Austin Gebauer 7d0a252d55
auth/gcp: adds note on custom endpoints to configuration section (#15990) 2022-06-15 10:06:58 -07:00
Loann Le 1d90d2c674
updated table for vault 1.11 release (#15856) 2022-06-15 09:40:49 -07:00
Steven Clark 9a31a52870
Update semgrep to the latest version - 0.97.0 (#15987) 2022-06-15 10:05:47 -04:00
Josh Black d2ed39a04e
Correct drift between ENT and OSS (#15966) 2022-06-14 17:53:19 -07:00
Arnav Palnitkar 86a9c1f7d5
KMSE provider list menu fix (#15979)
* KMSE provider list menu fix

- Backend value had to be mapped to the payload so capabilities call
can be triggered. Based on the response from capabilities, options are
rendered in the more menu dropdown.

* update serializer to retain existing values
2022-06-14 11:36:26 -07:00
claire bontempo bd16f2a0de
UI/Update CircleCi Config for UI Tests (#15964)
* change docker image

* re-add exit if branch ui/

* update test name

* remove set -x
2022-06-14 11:20:15 -07:00
Theron Voran 7992c7b22e
docs/vault-k8s: update the service annotation (#15965)
The injector's `service` annotation is really the vault address to
use, and not just the name of the service.

Also change a couple mentions of "controller" to "injector".
2022-06-14 11:03:00 -07:00
Jordan Reimer 8374956ebe
KMSE distribute key bug (#15971)
* fixes issue with distributed kmse key not appearing on provider until after refresh

* updates provider-edit test and adds enterprise to kmse acceptance test module name

* updates keymgmt acceptance test module name
2022-06-14 11:12:37 -06:00
Jordan Reimer 318eb68442
fixes issue with error being swallowed from secrets backend list item delete (#15975) 2022-06-14 11:12:03 -06:00
Alexander Scheel aeb09e8ec9
Clarify permitted_dns_domains are Name Constraints (#15972)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-14 12:46:56 -04:00
Angel Garbarino b06573a903
Move PKI components to PKI Folder (#15963)
* params

* fix tests

* role-pki to pki-role

* role-pki-edit to pki/role-pki-edit

* configure-pki-secret component

* config-pki and config-pki-ca components

* fix tests

* pki-cert-show and pki-cert-popup

* fix
2022-06-14 10:18:06 -06:00
Steven Clark f920400f95
TestLifetimeWatcher: Address race condition in test assertions (#15969)
- If the timing is correct, a delay in the test's select might see the
   doneCh signal before the renew channels signal. If that happens, the
   test fails as it assumes we will receive signals across different
   channels in order.
 - Rework the test to make sure that we read from the renew channel if expected
   and the done channel so that any errors might not be escaping from detection
   on a renew.
2022-06-14 09:44:51 -04:00
Kerim Satirli c77199fe8d
updates leasId to leaseId (#15685)
* updates `leasId` to `leaseId`

* adds changelog
2022-06-13 13:17:07 -05:00
Kyle MacDonald 9a003cb7b3
docs: update double use of "note" in client faq (#15958) 2022-06-13 13:37:58 -04:00
Alexander Scheel 0cbbea1cbe
Update containerd/containerd indirect test dep (#15816)
* Update containerd/containerd indirect test dep

This dependency is pulled in from our testing infra and not in our final
Vault version. However, updating this dep pulls in newer versions of
other deps (such as protobuf) which are used at runtime. Updated via:

$ go get github.com/containerd/containerd@v1.5.13 && go mod tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update moby/moby direct test dep

Since docker/docker has an indirect dep on containerd, I've updated it
as well:

$ go get github.com/docker/docker@v20.10.17 && go mod tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-13 13:37:12 -04:00
Alexander Scheel 28916301c1
Document agent injecting PKI CAs (#15930)
* Document agent injecting PKI CAs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove extra empty-string conditional
2022-06-13 13:15:54 -04:00
Nick Cabatoff 9ffa7ae257
Add 1.10 upgrade note for SSCT on Consul. (#15873) 2022-06-13 11:48:53 -04:00
Violet Hynes c1e2d9c062
VAULT-6091 Document Duration Format String (#15920)
* VAULT-6091 Document duration format

* VAULT-6091 Document duration format

* VAULT-6091 Update wording

* VAULT-6091 Update to duration format string, replace everywhere I've found so far

* VAULT-6091 Add the word 'string' to the nav bar

* VAULT-6091 fix link

* VAULT-6091 fix link

* VAULT-6091 Fix time/string, add another reference

* VAULT-6091 add some misses for references to this format
2022-06-13 08:51:07 -04:00
Luciano Di Lalla 08fa708225
Update CHANGELOG.md (#15919)
* Update CHANGELOG.md

* Update CHANGELOG.md

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update CHANGELOG.md

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update CHANGELOG.md

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update CHANGELOG.md

* Update CHANGELOG.md

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update CHANGELOG.md

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update CHANGELOG.md

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update CHANGELOG.md

Co-authored-by: Meggie <meggie@hashicorp.com>

Co-authored-by: Meggie <meggie@hashicorp.com>
2022-06-10 21:28:14 -04:00
Austin Gebauer ec778e3d9f
docs/oidc: adds missing steps for Google Workspace configuration (#15943) 2022-06-10 16:29:49 -07:00
Christopher Swenson dfd3eb8bb6
database plugin: Invalidate queue should cancel context first (#15933)
To signal to any credentials rotating goroutines that they should cancel
pending operations, which reduces lock contention.
2022-06-10 13:41:47 -07:00
Hridoy Roy 0514503d2c
docs for activity log noncontiguous billing period changes (#15882)
* docs for activity log noncontiguous return changes

* add description of default start and end time to clarify meaning of billing period
2022-06-10 09:27:24 -07:00
Violet Hynes abf65c8a0b
VAULT-5095 Update docs to reflect that child namespaces do not inherit parent quotas (#15906)
* VAULT-5095 Update docs to reflect current behaviour

* Update website/content/api-docs/system/lease-count-quotas.mdx

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* Update website/content/api-docs/system/rate-limit-quotas.mdx

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-06-10 11:53:01 -04:00
Mark Lewis 50a5a1d16f
Update index.mdx (#15861)
Typo
2022-06-10 11:44:43 -04:00
Steven Clark ecb91cd7e1
ssh: Do not convert errors into logical.ErrorResponse in issue path (#15929) 2022-06-10 11:21:29 -04:00
Chris Capurso 94c5936e27
return bad request instead of server error for identity group cycle detection (#15912)
* return bad request for identity group cycle detection

* add changelog entry

* use change release note instead of improvement

* fix err reference

* fix TestIdentityStore_GroupHierarchyCases
2022-06-10 10:15:31 -04:00
Alexander Scheel 0320673c97
Fix location of not_before_duration on ssh docs (#15926)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-10 10:14:44 -04:00
Alexander Scheel 6f66e5cd48
Allow reading Nomad CA/Client cert configuration (#15809)
* Allow reading Nomad CA/Client cert configuration

In the Nomad secret engine, writing to /nomad/config/access allows users
to specify a CA certificate and client credential pair. However, these
values are not in the read of the endpoint, making it hard for operators
to see if these values were specified and if they need to be rotated.

Add `ca_cert` and `client_cert` parameters to the response, eliding the
`client_key` parameter as it is more sensitive (and should most likely
be replaced at the same time as `client_cert`).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix tests to expect additional fields

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test with existing CA/client cert+key

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-10 10:09:54 -04:00
Gabriel Santos 57eeb33faa
SSH secrets engine - Enabled creation of key pairs (CA Mode) (#15561)
* Handle func

* Update - check if key_type and key_bits are allowed

* Update - fields

* Generating keys based on provided key_type and key_bits

* Returning signed key

* Refactor

* Refactor update to common logic function

* Descriptions

* Tests added

* Suggested changes and tests added and refactored

* Suggested changes and fmt run

* File refactoring

* Changelog file

* Update changelog/15561.txt

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>

* Suggested changes - consistent returns and additional info to test messages

* ssh issue key pair documentation

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
2022-06-10 09:48:19 -04:00
Angel Garbarino 17eed2a814
Quick Bug Fix: missing database icon on overview page (#15921)
* fix missing icon

* fix:
2022-06-09 19:43:36 -06:00
Angel Garbarino ccc584efa1
Glimmerize mount-backend-form (#15911)
* glimmerize

* clean up

* fix
2022-06-09 19:15:49 -06:00
Dave May 0f42131350
Fix debug bundle panic on Windows (#14399)
* Fix debug bundle panic on Windows

* Add changelog entry
2022-06-09 15:57:45 -07:00
Austin Gebauer 1bd49383cd
secrets/db: documents credential types and snowflake key pair auth (#15892) 2022-06-09 15:56:50 -07:00
akshya96 8f115a9904
Parse ha_storage in config (#15900)
* parsing values in config ha_storage

* adding changelog

* adding test to parse storage
2022-06-09 15:55:49 -07:00
Austin Gebauer 4cfec18bae
docs/postgres: replaces lib/pq with pgx (#15901) 2022-06-09 14:37:14 -07:00