Commit graph

2532 commits

Author SHA1 Message Date
Alexander Scheel 11e4f2600e
Add warning on missing entity information (#17428)
When requesting a SSH certificate with default_extension templating
enabled, if the request lacks entity information and a particular
extension requires templating, just these extensions will be elided.
Other extensions (if present) will still be on the final certificate.

Add a warning in the event of missing entity information and at least
one extension that was skipped as a result.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 14:00:56 -04:00
Alexander Scheel b85d6ec434
Fix RevocationSigAlgo support in OCSP (#17436)
* Allow OCSP to use issuer's RevocationSigAlgo

When an issuer specifies a RevocationSigAlgo, we should largely follow
this for both CRLs and OCSP. However, x/crypto/ocsp lacks support for
PSS signatures, so we drop these down to PKCS#1v1.5 instead.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning when issuer has PSS-based RevSigAlgo

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about OCSP and PSS support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 12:01:12 -04:00
Steven Clark 10ecf10248
PKI: Add support for signature_bits param to the intermediate/generate api (#17388)
* PKI: Add support for signature_bits param to the intermediate/generate api

 - Mainly to work properly with GCP backed managed keys, we need to
   issue signatures that would match the GCP key algorithm.
 - At this time due to https://github.com/golang/go/issues/45990 we
   can't issue PSS signed CSRs, as the libraries in Go always request
   a PKCS1v15.
 - Add an extra check in intermediate/generate that validates the CSR's
   signature before providing it back to the client in case we generated
   a bad signature such as if an end-user used a GCP backed managed key
   with a RSA PSS algorithm.
   - GCP ignores the requested signature type and always signs with the
     key's algorithm which can lead to a CSR that says it is signed with
     a PKCS1v15 algorithm but is actually a RSA PSS signature

* Add cl

* PR feedback
2022-10-03 12:39:54 -04:00
Steven Clark bb1d36f401
PKI: Do not load revoked certificates if CRL has been disabled (#17385)
* PKI: Do not load revoked certificates if CRL has been disabled

 - Restore the prior behavior of not reading in all revoked certificates
   if the CRL has been disabled as there might be performance issues
   if a customer had or is still revoking a lot of certificates.

* Add cl
2022-10-03 10:04:32 -04:00
akshya96 542570c289
Return errInvalidCredentials when wrong credentials is provided for existent users (#17104)
* adding errInvalidCredentials

* fixing tests

* add changelog

* fixing fmt errors

* test if routeErr is seen externally and fixing error comment

* adding fmt changes

* adding comments
2022-09-27 16:49:14 -07:00
Alexander Scheel ccdd55529c
Remove delta indicator on main CRL (#17334)
When adding delta CRL support, we unconditionally added the delta
indicator extension to the main CRL. We shouldn't have done this, and
instead only added it conditionally when we were building delta CRLs.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-27 17:44:38 -04:00
Alexander Scheel f463b3d3e8
Increase sleep to fix CI cert auth test failure (#17332)
The periodic function only runs every 50ms, so waiting 60ms means we
might not be done fetching the CRL on slower CI systems or with high
test parallelism.

Tested with:

> untilfail -parallel=-9 ../../../cert.test -test.run=TestCRLFetch -test.count=1 -test.v

And shown to reliably fail before, fixed after.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-27 17:44:27 -04:00
Tom Proctor e21995fa27
Plugins: Update running version everywhere running sha256 is set (#17292) 2022-09-23 11:19:38 +01:00
Austin Gebauer a6139cd5b2
Fixes multiplexed plugin initialization after manual plugin reload (#17248)
* Fixes initialize not called after v5 plugin reload

* use request context instead of core activeContext
2022-09-22 10:16:21 -07:00
Christopher Swenson 2c8e88ab67
Check if plugin version matches running version (#17182)
Check if plugin version matches running version

When registering a plugin, we check if the request version matches the
self-reported version from the plugin. If these do not match, we log a
warning.

This uncovered a few missing pieces for getting the database version
code fully working.

We added an environment variable that helps us unit test the running
version behavior as well, but only for approle, postgresql, and consul
plugins.

Return 400 on plugin not found or version mismatch

Populate the running SHA256 of plugins in the mount and auth tables (#17217)
2022-09-21 12:25:04 -07:00
Kit Haines 2d58591feb
Fix non-atomic read of atomic value fix (#17255)
* Always load to access certCount

* Test-reads of the atomic value.
2022-09-21 11:24:34 -04:00
Alexander Scheel ad3a093b40
Prevent PSS with Go-incompatible CAs, CSRs, Private Keys (#17223)
* Fix interoperability concerns with PSS

When Go parses a certificate with rsaPSS OID, it will accept this
certificate but not parse the SubjectPublicKeyInfo, leaving the
PublicKeyAlgorithm and PublicKey fields blank, but otherwise not erring.
The same behavior occurs with rsaPSS OID CSRs.

On the other hand, when Go parses rsaPSS OID PKCS8 private keys, these
keys will fail to parse completely.

Thus, detect and fail on any empty PublicKey certs and CSRs, warning the
user that we cannot parse these correctly and thus refuse to operate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Run more PKI tests in parallel

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add notes about PSS shortcomings to considerations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-20 17:30:58 -04:00
Steven Clark 0856fa11a3
Fix fmt error (#17241) 2022-09-20 13:33:01 -07:00
Kit Haines f2adbb3e47
Basics of Cert-Count Non-Locking Telemetry (#16676)
Basics of Cert-Count Telemetry, changelog,  "best attempt" slice to capture (and test for) duplicates, Move sorting of possibleDoubleCountedRevokedSerials to after compare of entries. Add values to counter when still initializing.
Set lists to nil after use, Fix atomic2 import, Delay reporting metrics until after deduplication has completed, 
The test works now, Move string slice to helper function; Add backendUUID to gauge name.
2022-09-20 10:32:20 -07:00
vinay-gopalan c548ea39be
Re-initialize v5 backend after a plugin crash (#17140) 2022-09-19 16:48:45 -07:00
Alexander Scheel c0264c923d
Don't race for CRL rebuilding capability check (#17185)
* Don't race for CRL rebuilding capability check

Core has recently seen some data races during SystemView/replication
updates between them and the PKI subsystem. This is because this
SystemView access occurs outside of a request (during invalidation
handling) and thus the proper lock isn't held.

Because replication status cannot change within the lifetime of a plugin
(and instead, if a node switches replication status, the entire plugin
instance will be torn down and recreated), it is safe to cache this
once, at plugin startup, and use it throughout its lifetime.

Thus, we replace this SystemView access with a stored boolean variable
computed ahead of time.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pki/backend.go

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-19 11:41:32 -04:00
Alexander Scheel 9cd4850bc8
Fix race in cert auth tests (#17181)
There were two races here:

 1. Tests racing against periodic func on updating the backend.
 2. Tests racing internally to itself, to access the http-served
    CRL data.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-19 09:09:03 -04:00
Scott Miller 7f38b0440e
Fetch CRLs from a user defined URL (#17136)
* Fetch CRLs from a user defined CDP (PoC)

* Handle no param sent

* Move CRL fetch to a periodFunc.  Use configured CA certs + system root as trusted certs for CRL fetch

* comments

* changelog

* Just use root trust

* cdp->url in api

* Store CRL and populate it initially in cdlWrite

* Update docs

* Update builtin/credential/cert/path_crls.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Handle pre-verification of a CRL url better

* just in case

* Fix crl write locking

* Add a CRL fetch unit test

* Remove unnecessary validity clear

* Better func name

* Don't exit early updating CRLs

* lock in updateCRLs

* gofumpt

* err-

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-09-16 16:44:30 -05:00
Christopher Swenson b136a7ecd8
Add plugin version to GRPC interface (#17088)
Add plugin version to GRPC interface

Added a version interface in the sdk/logical so that it can be shared between all plugin types, and then wired it up to RunningVersion in the mounts, auth list, and database systems.

I've tested that this works with auth, database, and secrets plugin types, with the following logic to populate RunningVersion:

If a plugin has a PluginVersion() method implemented, then that is used
If not, and the plugin is built into the Vault binary, then the go.mod version is used
Otherwise, the it will be the empty string.
My apologies for the length of this PR.

* Placeholder backend should be external

We use a placeholder backend (previously a framework.Backend) before a
GRPC plugin is lazy-loaded. This makes us later think the plugin is a
builtin plugin.

So we added a `placeholderBackend` type that overrides the
`IsExternal()` method so that later we know that the plugin is external,
and don't give it a default builtin version.
2022-09-15 16:37:59 -07:00
Kit Haines 71d9c33802
Add "plumbing" for surfacing warnings, and warning overwriting ttl (#17073)
* Add "plumbing" for surfacing warnings, and add warning about TTL > maxTTL when issuing a cert.
2022-09-15 12:38:33 -07:00
Scott Miller 39af76279d
Populate during renew calls also (#17143) 2022-09-15 10:50:43 -05:00
Scott Miller 2152a933ff
Load existing CRLs on startup and after invalidate (#17138)
* Load existing CRLs on startup and after invalidate

* changelog
2022-09-14 15:30:44 -05:00
Steven Clark 12242d1a97
make fmt (#17131) 2022-09-14 07:45:50 -05:00
Scott Miller 12a8ef1cfd
Implement partial_failure_response_code_override for batch requests (#17118)
* Implement partial_failure_response_code_override for batch requests

* docs

* changelog

* one more test case
2022-09-13 12:51:09 -05:00
Steven Clark cfb56105b8
A PKI test to verify our defaults are the same for creates and update apis (#17094) 2022-09-12 09:22:56 -04:00
Alexander Scheel 6d90586ad6
Update issuer usage with ocsp-signing by default (#17087)
This option was elided from the default value for the usage field. This
results in issuers "losing" ocsp-signing when they're POST updated. Most
issuers will want OCSP signing by default, so it makes sense to add this
as the default.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-09 13:28:45 -04:00
Tom Proctor 65adf42d48
Support running versioned plugins from the catalog (#17015) 2022-09-09 18:14:26 +01:00
Tom Proctor aa50e42fca
Support version selection for database plugins (#16982)
* Support version selection for database plugins
* Don't consider unversioned plugins for version selection algorithm
* Added version to 'plugin not found' error
* Add PluginFactoryVersion function to avoid changing sdk/ API
2022-09-09 17:32:28 +01:00
Josh Black d8e0a13aae
update gofumpt to 0.3.1 and reformat the repo (#17055)
* update gofumpt to 0.3.1 and reformat the repo

* output the version of the formatter we're using
2022-09-07 17:31:20 -07:00
Alexander Scheel e9768b6bc6
Fix radiusd network connection limitations (#17049)
* Allow exposing access to the underlying container

This exposes the Container response from the Docker API, allowing
consumers of the testhelper to interact with the newly started running
container instance. This will be useful for two reasons:

 1. Allowing radiusd container to start its own daemon after modifying
    its configuration.
 2. For loading certificates into a future similar integration test
    using the PKI secrets engine.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow any client to connect to test radiusd daemon

This fixes test failures of the following form:

> 2022-09-07T10:46:19.332-0400 [TRACE] core: adding local paths: paths=[]
> 2022-09-07T10:46:19.333-0400 [INFO]  core: enabled credential backend: path=mnt/ type=test
> 2022-09-07T10:46:19.334-0400 [WARN]  Executing test step: step_number=1
> 2022-09-07T10:46:19.334-0400 [WARN]  Executing test step: step_number=2
> 2022-09-07T10:46:29.334-0400 [WARN]  Executing test step: step_number=3
> 2022-09-07T10:46:29.335-0400 [WARN]  Executing test step: step_number=4
> 2022-09-07T10:46:39.336-0400 [WARN]  Requesting RollbackOperation
> --- FAIL: TestBackend_acceptance (28.56s)
>     testing.go:364: Failed step 4: erroneous response:
>
>         &logical.Response{Secret:<nil>, Auth:<nil>, Data:map[string]interface {}{"error":"context deadline exceeded"}, Redirect:"", Warnings:[]string(nil), WrapInfo:(*wrapping.ResponseWrapInfo)(nil), Headers:map[string][]string(nil)}
> FAIL
> FAIL	github.com/hashicorp/vault/builtin/credential/radius	29.238s

In particular, radiusd container ships with a default clients.conf which
restricts connections to ranges associated with the Docker daemon. When
creating new networks (such as in CircleCI) or when running via Podman
(which has its own set of network ranges), this initial config will no
longer be applicable. We thus need to write a new config into the image;
while we could do this by rebuilding a new image on top of the existing
layers (provisioning our config), we then need to manage these changes
and give hooks for the service setup to build it.

Thus, post-startup modification is probably easier to execute in our
case.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-07 13:43:22 -04:00
Matt Schultz d50941ac85
Account for a possible error in Transit BYOK. (#17025) 2022-09-06 11:03:24 -07:00
Steven Clark 98fffbe949
Address failures in FIPS builds around new transit RSA PSS tests (#17024)
- When we added new tests that validate the RSA PSS feature, they
   work properly on normal Go builds, but tests underneath the Boring
   Crypto fips implementations fail due to a lack of SHA3 support in
   FIPS 140-2.
2022-09-06 13:40:13 -04:00
Scott Miller 606edb66d6
Add support for a dedicated HMAC type in Transit. (#16668)
* Get import correct

* limits, docs

* changelog

* unit tests

* And fix import for hmac unit test

* typo

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

* Update builtin/logical/transit/path_keys.go

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

* Validate key sizes a bit more carefully

* Update sdk/helper/keysutil/policy.go

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
2022-09-06 10:17:58 -05:00
Remco Buddelmeijer b93d6e44e0
Add fields 'ttl' and 'num_uses' to SecretID generation. (#14474)
* Add fields 'ttl' and 'num_uses' to SecretID generation.

Add fields 'ttl' and 'num_uses' when generating/obtaining a SecretID.
Rather than just being able to use the Role's SecretID ttl and num uses. #14390

* Add secret_id_num_uses response field to generating SecretID

Add the response field secret_id_num_uses to the endpoints for generating
SecretIDs. Used in testing but also to supply the vendor with this variable.

* Add tests for new ttl and num_uses SecretID generation fields

Add tests to assert the new TTL and NumUses option in the SecretID entry.
Separate test for testing with just parameters vs a -force example.

* Patch up test for ttl and num_uses fields

* Add changelog entry for auth/approle 'ttl' and 'num_uses' fields

* Add fields to API Docs and AppRole Auth Docs example

* Correct error message for failing test on missing field.
Change the error message produced when a test fails due to a missing field.
Previous values did not map to correct fields.

* Remove unnecessary int cast to int "secret_id_num_uses" field.
Unnecessary cast to int where type already is int.

* Move numUses field check to after assignment.

* Remove metadata entry in sample payload to limit change to changes made.
Remove metadata entry in sample payload for custom-secret-id. The metadata was not
changed in the features pull request.

* Bind fields 'ttl' and 'num_uses' to role's configuration.

Rather than implicitly overriding, error when the ttl is lower than and the num
uses higher than the role's configuration. #14390

* Update changelog 14474 with a more detailed description.

More elaborate description for the changelog. Specifying the per-request based fields.

* Elaborate more on the bounds of the 'ttl' and 'num_uses' field.

Specify in both the api-docs and the CLI the limits of the fields.
Specify that the role's configuration is still the leading factor.

* Upper bound ttl with role secret id ttl

Upper bound ttl with role secret id ttl when creating a secret id
Adding test cases for infinite ttl and num uses
Adding test cases for negative ttl and num uses
Validation on infinite ttl and num uses

* Formatting issues. Removed unnecessary newline

* Update documentation for AppRole Secret ID and Role

Changed that TTL is not allowed to be shorter to longer

* Cleanup approle secret ID test and impl

* Define ttl and num_uses in every test

Define ttl and num_uses in every test despite them not being tested.
This is to ensure that no unexpected behaviour comes to mind.

* Rename test RoleSecretID -> RoleSecretIDWithoutFields

* Test secret id generation defaults to Role's config

Test secret id generation defaults to Role's configuration entries.

* Change finit -> finite

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Rephrase comments to the correct validation check

* Rephrase role-secret-id option description

* Remove "default" incorrect statement about ttl

* Remove "default" incorrect statement about ttl for custom secret id

* Touch up approle.mdx to align more with path_role documentation

Co-authored-by: Remco Buddelmeijer <r.buddelmeijer@fullstaq.com>
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2022-09-02 09:29:59 -07:00
Steven Clark 96f1443265
Fix various trivial warnings from staticcheck in the PKI plugin (#16946)
* Fix up simple warnings in production code

* Address warnings from static check in the PKI test classes
2022-08-31 16:25:14 -04:00
Alexander Scheel b8576a8de4
Add ability to request manual rebuild of Delta CRLs (#16964)
* Add path to manually rebuild delta CRLs

The crl/rotate-delta path behaves like crl/rotate, triggering a
cluster-local rebuild of just the delta CRL. This is useful for when
delta CRLs are enabled with a longer-than-desired auto-rebuild period
after some high-profile revocations occur.

In the event delta CRLs are not enabled, this becomes a no-op.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for Delta CRL rebuilding

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update documentation about Delta CRLs

Also fixes a omission in the If-Modified-Since docs to mention that the
response header should probably also be passed through.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-31 12:42:59 -07:00
Alexander Scheel f0a127487b
Add ability to cancel PKI tidy operations, pause between tidying certs (#16958)
* Allow tidy operations to be cancelled

When tidy operations take a long time to execute (and especially when
executing them automatically), having the ability to cancel them becomes
useful to reduce strain on Vault clusters (and let them be rescheduled
at a later time).

To this end, we add the /tidy-cancel write endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing auto-tidy synopsis / description

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add a pause duration between tidying certificates

By setting pause_duration, operators can have a little control over the
resource utilization of a tidy operation. While the list of certificates
remain in memory throughout the entire operation, a pause is added
between processing certificates and the revocation lock is released.
This allows other operations to occur during this gap and potentially
allows the tidy operation to consume less resources per unit of time
(due to the sleep -- though obviously consumes the same resources over
the time of the operation).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for cancellation, pause

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add API docs on pause_duration, /tidy-cancel

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add lock releasing around tidy pause

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Reset cancel guard, return errors

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-31 11:36:12 -07:00
Christopher Swenson 09ad6ab72c
Update mount table and CLI with plugin version for auth (#16856) 2022-08-31 19:23:05 +01:00
Trishank Karthik Kuppusamy 303f59dce3
Allow configuring the possible salt lengths for RSA PSS signatures (#16549)
* accommodate salt lengths for RSA PSS

* address feedback

* generalise salt length to an int

* fix error reporting

* Revert "fix error reporting"

This reverts commit 8adfc15fe3303b8fdf9f094ea246945ab1364077.

* fix a faulty check

* check for min/max salt lengths

* stringly-typed HTTP param

* unit tests for sign/verify HTTP requests

also, add marshaling for both SDK and HTTP requests

* randomly sample valid salt length

* add changelog

* add documentation
2022-08-31 12:27:03 -04:00
Steven Clark b21e06b917
Add remove_roots_from_chain to sign and issue pki apis (#16935)
* Add remove_roots_from_chain flag to sign and issue pki apis

 - Add a new flag to allow end-users to control if we return the
   root/self-signed CA certificate within the list of certificates in
   ca_chain field on issue and sign api calls.

* Add cl

* PR feedback
2022-08-31 09:51:26 -04:00
Alexander Scheel e87584f9ba
Fix comment of default value of tidy interval (#16948)
We switch these fields to use the explicit default value (computing the
time in seconds appropriately).

As reported by @beornf, thanks!

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-31 09:23:17 -04:00
Alexander Scheel a5fafd8163
Add ability to perform automatic tidy operations (#16900)
* Add ability to perform automatic tidy operations

This enables the PKI secrets engine to allow tidy to be started
periodically by the engine itself, avoiding the need for interaction.
This operation is disabled by default (to avoid load on clusters which
don't need tidy to be run) but can be enabled.

In particular, a default tidy configuration is written (via
/config/auto-tidy) which mirrors the options passed to /tidy. Two
additional parameters, enabled and interval, are accepted, allowing
auto-tidy to be enabled or disabled and controlling the interval
(between successful tidy runs) to attempt auto-tidy.

Notably, a manual execution of tidy will delay additional auto-tidy
operations. Status is reported via the existing /tidy-status endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on auto-tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for auto-tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prevent race during parallel testing

We modified the RollbackManager's execution window to allow more
faithful testing of the periodicFunc. However, the TestAutoRebuild and
the new TestAutoTidy would then race against each other for modifying
the period and creating their clusters (before resetting to the old
value).

This changeset adds a lock around this, preventing the races.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use tidyStatusLock to gate lastTidy time

This prevents a data race between the periodic func and the execution of
the running tidy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add read lock around tidyStatus gauges

When reading from tidyStatus for computing gauges, since the underlying
values aren't atomics, we really should be gating these with a read lock
around the status access.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-30 15:45:54 -04:00
Alexander Scheel f34a93a560 Clean up behavior of If-Modified-Since header (#16929)
* Issuer renames should invalidate CRL cache times

When an issuer is renamed (or rather, two issuers' names are swapped in
quick succession), this is akin to the earlier identified default issuer
update condition. So, when any issuer is updated, go ahead and trigger
the invalidation logic.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix handling of delta CRL If-Modified-Since

The If-Modified-Since PR was proposed prior to the Delta CRL changes and
thus didn't take it into account. This follow-up commit fixes that,
addressing If-Modified-Since semantics for delta CRL fetching and
ensuring an accurate number is stored.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-30 13:25:36 -04:00
John-Michael Faircloth b6c05fae33
feature: secrets/auth plugin multiplexing (#14946)
* enable registering backend muxed plugins in plugin catalog

* set the sysview on the pluginconfig to allow enabling secrets/auth plugins

* store backend instances in map

* store single implementations in the instances map

cleanup instance map and ensure we don't deadlock

* fix system backend unit tests

move GetMultiplexIDFromContext to pluginutil package

fix pluginutil test

fix dbplugin ut

* return error(s) if we can't get the plugin client

update comments

* refactor/move GetMultiplexIDFromContext test

* add changelog

* remove unnecessary field on pluginClient

* add unit tests to PluginCatalog for secrets/auth plugins

* fix comment

* return pluginClient from TestRunTestPlugin

* add multiplexed backend test

* honor metadatamode value in newbackend pluginconfig

* check that connection exists on cleanup

* add automtls to secrets/auth plugins

* don't remove apiclientmeta parsing

* use formatting directive for fmt.Errorf

* fix ut: remove tls provider func

* remove tlsproviderfunc from backend plugin tests

* use env var to prevent test plugin from running as a unit test

* WIP: remove lazy loading

* move non lazy loaded backend to new package

* use version wrapper for backend plugin factory

* remove backendVersionWrapper type

* implement getBackendPluginType for plugin catalog

* handle backend plugin v4 registration

* add plugin automtls env guard

* modify plugin factory to determine the backend to use

* remove old pluginsets from v5 and log pid in plugin catalog

* add reload mechanism via context

* readd v3 and v4 to pluginset

* call cleanup from reload if non-muxed

* move v5 backend code to new package

* use context reload for for ErrPluginShutdown case

* add wrapper on v5 backend

* fix run config UTs

* fix unit tests

- use v4/v5 mapping for plugin versions
- fix test build err
- add reload method on fakePluginClient
- add multiplexed cases for integration tests

* remove comment and update AutoMTLS field in test

* remove comment

* remove errwrap and unused context

* only support metadatamode false for v5 backend plugins

* update plugin catalog errors

* use const for env variables

* rename locks and remove unused

* remove unneeded nil check

* improvements based on staticcheck recommendations

* use const for single implementation string

* use const for context key

* use info default log level

* move pid to pluginClient struct

* remove v3 and v4 from multiplexed plugin set

* return from reload when non-multiplexed

* update automtls env string

* combine getBackend and getBrokeredClient

* update comments for plugin reload, Backend return val and log

* revert Backend return type

* allow non-muxed plugins to serve v5

* move v5 code to existing sdk plugin package

* do next export sdk fields now that we have removed extra plugin pkg

* set TLSProvider in ServeMultiplex for backwards compat

* use bool to flag multiplexing support on grpc backend server

* revert userpass main.go

* refactor plugin sdk

- update comments
- make use of multiplexing boolean and single implementation ID const

* update comment and use multierr

* attempt v4 if dispense fails on getPluginTypeForUnknown

* update comments on sdk plugin backend
2022-08-29 21:42:26 -05:00
Gabriel Santos ff5ff849fd
PKI - Honor header If-Modified-Since if present (#16249)
* honor header if-modified-since if present

* pathGetIssuerCRL first version

* check if modified since for CA endpoints

* fix date comparison for CA endpoints

* suggested changes and refactoring

* add writeIssuer to updateDefaultIssuerId and fix error

* Move methods out of storage.go into util.go

For the most part, these take a SC as param, but aren't directly storage
relevant operations. Move them out of storage.go as a result.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use UTC timezone for storage

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rework path_fetch for better if-modified-since handling

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Invalidate all issuers, CRLs on default write

When the default is updated, access under earlier timestamps will not
work as we're unclear if the timestamp is for this issuer or a previous
issuer. Thus, we need to invalidate the CRL and both issuers involved
(previous, next) by updating their LastModifiedTimes.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for If-Modified-Since

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly invalidate default issuer changes

When the default issuer changes, we'll have to mark the invalidation on
PR secondary clusters, so they know to update their CRL mapping as well.
The swapped issuers will have an updated modification time (which will
eventually replicate down and thus be correct), but the CRL modification
time is cluster-local information and thus won't be replicated.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* make fmt

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor sendNotModifiedResponseIfNecessary

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on if-modified-since

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-29 15:28:47 -04:00
Alexander Scheel e03fb14be4
Support for generating Delta CRLs (#16773)
* Allow generation of up-to-date delta CRLs

While switching to periodic rebuilds of CRLs alleviates the constant
rebuild pressure on Vault during times of high revocation, the CRL
proper becomes stale. One response to this is to switch to OCSP, but not
every system has support for this. Additionally, OCSP usually requires
connectivity and isn't used to augment a pre-distributed CRL (and is
instead used independently).

By generating delta CRLs containing only new revocations, an existing
CRL can be supplemented with newer revocations without requiring Vault
to rebuild all complete CRLs. Admins can periodically fetch the delta
CRL and add it to the existing CRL and applications should be able to
support using serials from both.

Because delta CRLs are emptied when the next complete CRL is rebuilt, it
is important that applications fetch the delta CRL and correlate it to
their complete CRL; if their complete CRL is older than the delta CRL's
extension number, applications MUST fetch the newer complete CRL to
ensure they have a correct combination.

This modifies the revocation process and adds several new configuration
options, controlling whether Delta CRLs are enabled and when we'll
rebuild it.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for delta CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on delta CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback: fix several bugs

Thanks Steve!

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly invoke periodic func on active nodes

We need to ensure we read the updated config (in case of OCSP request
handling on standby nodes), but otherwise want to avoid CRL/DeltaCRL
re-building.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-29 11:37:09 -04:00
Kit Haines 6ac085dc57
Fix CodeQL Errors - check allocation is smaller than 2^30 (#16869)
* Fix CodeQL Errors - check allocation is smaller than 32 bits.

* make fmt.
2022-08-26 13:26:11 -04:00
Alexander Scheel 43e722c69a
Let PKI tidy associate revoked certs with their issuers (#16871)
* Refactor tidy steps into two separate helpers

This refactors the tidy go routine into two separate helpers, making it
clear where the boundaries of each are: variables are passed into these
method and concerns are separated. As more operations are rolled into
tidy, we can continue adding more helpers as appropriate. Additionally,
as we move to make auto-tidy occur, we can use these as points to hook
into periodic tidying.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor revInfo checking to helper

This allows us to validate whether or not a revInfo entry contains a
presently valid issuer, from the existing mapping. Coupled with the
changeset to identify the issuer on revocation, we can begin adding
capabilities to tidy to update this association, decreasing CRL build
time and increasing the performance of OCSP.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor issuer fetching for revocation purposes

Revocation needs to gracefully handle using the old legacy cert bundle,
so fetching issuers (and parsing them) needs to be done slightly
differently than other places. Refactor this from revokeCert into a
common helper that can be used by tidy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow tidy to associate revoked certs, issuers

When revoking a certificate, we need to associate the issuer that signed
its certificate back to the revInfo entry. Historically this was
performed during CRL building (and still remains so), but when running
without CRL building and with only OCSP, performance will degrade as the
issuer needs to be found each time.

Instead, allow the tidy operation to take over this role, allowing us to
increase the performance of OCSP and CRL in this scenario, by decoupling
issuer identification from CRL building in the ideal case.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for tidy updates

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on new tidy parameter, metrics

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor tidy config into shared struct

Finish adding metrics, status messages about new tidy operation.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-26 10:13:45 -07:00
Brian Shumate 2ab4a58ba9
Transit: update documentation strings (#10027)
- Update descriptions to match field content
  (actually key name, not policy name)
2022-08-26 09:25:02 -07:00
Steven Clark 34ff0154e8
Add ocsp_expiry configuration field to PKI crl config (#16888)
* Add ocsp_expiry configuration field to PKI crl config

 - Add a new configurable duration field to the crl configuration to
   allow operator control of how long an OCSP response can be cached
   for.
 - This is useful for how long a server like NGINX/Apache is
   allowed to cache the response for OCSP stapling.
 - A value of 0 means no one should cache the response.
 - Address an issue discovered that we did not upgrade existing crl
   configurations properly

* PR feedback
2022-08-25 16:01:39 -04:00
Steven Clark 35689fa9dc
Add maximums on how much data we will read for OCSP requests (#16879)
* Add maximums on how much data we will read for OCSP requests

* Update max size to 2048
2022-08-25 12:59:49 -04:00
Alexander Scheel f7bc1c8e3c
Cleanup changes around issuer revocation (#16874)
* Refactor CRL tests to use /sys/mounts

Thanks Steve for the approach! This also address nits from Kit.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Skip CRL building steps when disabled

This skips a number of steps during CRL build when it is disabled (and
forceNew is not set). In particular, we avoid fetching issuers, we avoid
associating issuers with revocation entries (and building that in-memory
mapping), making CRL building more efficient.

This means that there'll again be very little overhead on clusters with
the CRL disabled.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prevent revoking roots from appearing on own CRLs

This change ensures that when marking a root as revoked, it no longer
appears on its own CRL. Very few clients support this event (as
generally only leaves/intermediates are checked for presence on a
parent's CRL) and it is technically undefined behavior (if the root is
revoked, its own CRL should be untrusted and thus including it on its
own CRL isn't a safe/correct distribution channel).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure stability of revInfo issuer identification

As mentioned by Kit, iterating through each revInfoEntry and associating
the first issuer which matches it can cause churn when many (equivalent)
issuers are in the system and issuers come and go (via CRLSigning usage,
which has been modified in this release as well). Because we'd not
include issuers without CRLSigning usage, we'd cause our verification
helper, isRevInfoIssuerValid, to think the issuer ID is no longer value
(when instead, it just lacks crlSigning bits).

We address this by pulling in all issuers we know of for the
identification. This allows us to keep valid-but-not-for-signing
issuers, and use other representatives of their identity set for
signing/building the CRL (if they are enabled for such usage).

As a side effect, we now no longer place these entries on the default
CRL in the event all issuers in the CRL set are without the usage.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

This is only for the last commit.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-25 11:36:37 -04:00
Tom Proctor a52fd805dd
Pin MongoDB test container images pre-v6 (#16880)
v6 was released in the last 24h, and our tests fail to connect to the db when v6 is used.
Using v6 needs investigating, but for now I'm pinning to the last known good version.
2022-08-25 08:14:37 -07:00
Alexander Scheel 96ea52343a
Identify issuer on revocation (#16763)
* Identify issuer on revocation

When we attempt to revoke a leaf certificate, we already parse all of
the issuers within the mount (to x509.Certificate) to ensure we don't
accidentally revoke an issuer via the leaf revocation endpoint. We can
reuse this information to associate the issuer (via issuer/subject
comparison and signature checking) to the revoked cert in its revocation
info. This will help OCSP, avoiding the case where the OCSP handler
needs to associate a certificate to its issuer.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test to ensure issuers are identified

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-24 12:23:27 -04:00
Alexander Scheel 6089d2e247
Don't allow crl-signing issuer usage without CRLSign KeyUsage (#16865)
* Allow correct importing of certs without CRL KU

When Vault imports certificates without KU for CRLSign, we shouldn't
provision CRLUsage on the backing issuer; otherwise, we'll attempt to
build CRLs and Go will cause us to err out. This change makes it clear
(at issuer configuration time) that we can't possibly support this
operation and hopefully prevent users from running into the more cryptic
Go error.

Note that this does not apply for OCSP EKU: the EKU exists, per RFC 6960
Section 2.6 OCSP Signature Authority Delegation, to allow delegation of
OCSP signing to a child certificate. This EKU is not necessary on the
issuer itself, and generally assumes issuers are allowed to issue OCSP
responses regardless of KU/EKU.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs to clarify issue with import, CRL usage

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update website/content/api-docs/secret/pki.mdx

* Add additional test assertion

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-24 07:45:54 -07:00
Steven Clark 312f7a1882
Handle multiple matching issuers in OCSP requests (#16848)
* Handle multiple matching issuers in OCSP requests

 - Select the first issuer that matches our request hashes and has
   the OCSP signing usage enabled. This might not match the exact
   issuer id that issued the certificate but the signatures will be
   okay.

* PR feedback
2022-08-24 09:00:40 -04:00
Alexander Scheel 231f422822
Finish refactor to remove global crlLifetime (#16835)
Previously we used the global backend-set crlLifetime as a default
value. However, this was refactored into a new defaultCrlConfig instead,
which we should reply with when the CRL configuration has not been set
yet. In particular, the 72h default expiry (and new 12h auto-rebuild
grace period) was added and made explicit.

This fixes the broken UI test.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-23 15:19:11 -04:00
Peter Verraedt f7fdf43c7e
auth/cert: Add metadata to identity-alias (#14751)
* auth/cert: Add metadata to identity-alias

Add the possibility to include certificate metadata in the created
logical.Alias (the identity alias), in addition to the metadata added
to logical.Auth. This is analogous to the behaviour of the ldap and
approle auth providers.

This possibility can be configured by the config endpoint of the
auth method mount and is disabled by default. We added the read
operation on this config endpoint as well.

Fixes: #14418

Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>

* Add changelog for #14751

Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>

* Test the usage of cert metadata in ACL policies

Signed-off-by: Peter Verraedt <peter@verraedt.be>

Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>
Signed-off-by: Peter Verraedt <peter@verraedt.be>
2022-08-23 11:03:53 -07:00
Alexander Scheel cacb23bda6
Enable periodic, automatic rebuilding of CRLs (#16762)
* Allow automatic rebuilding of CRLs

When enabled, periodic rebuilding of CRLs will improve PKI mounts in two
way:

 1. Reduced load during periods of high (new) revocations, as the CRL
    isn't rebuilt after each revocation but instead on a fixed schedule.
 2. Ensuring the CRL is never stale as long as the cluster remains up,
    by checking for next CRL expiry and regenerating CRLs before that
    happens. This may increase cluster load when operators have large
    CRLs that they'd prefer to let go stale, rather than regenerating
    fresh copies.

In particular, we set a grace period before expiration of CRLs where,
when the periodic function triggers (about once a minute), we check
upcoming CRL expirations and check if we need to rebuild the CRLs.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on periodic rebuilding

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow modification of rollback period for testing

When testing backends that use the periodic func, and specifically,
testing the behavior of that periodic func, waiting for the usual 1m
interval can lead to excessively long test execution. By switching to a
shorter period--strictly for testing--we can make these tests execute
faster.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for auto-rebuilding of CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove non-updating getConfig variant

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Avoid double reload of config

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-23 13:27:15 -04:00
Kit Haines e9e3b4995b
Add _remaining tidy metrics. (#16702)
* Add _remaining tidy metrics.

* Add two extra metrics during tidy.

* Update test and documentation for remaining tidy metrics.
2022-08-23 12:17:17 -04:00
Kit Haines b3e8098685
Fix LIST issuers endpoint (#16830)
* Fix LIST issuers endpoint ability to access, add a comment.

* Add changelog.
2022-08-23 11:08:23 -04:00
Steven Clark e024324c34
Add an OCSP responder to Vault's PKI plugin (#16723)
* Refactor existing CRL function to storage getRevocationConfig

* Introduce ocsp_disable config option in config/crl

* Introduce OCSPSigning usage flag on issuer

* Add ocsp-request passthrough within lower layers of Vault

* Add OCSP responder to Vault PKI

* Add API documentation for OCSP

* Add cl

* Revert PKI storage migration modifications for OCSP

* Smaller PR feedback items

 - pki.mdx doc update
 - parens around logical.go comment to indicate DER encoded request is
   related to OCSP and not the snapshots
 - Use AllIssuers instead of writing them all out
 - Drop zero initialization of crl config's Disable flag if not present
 - Upgrade issuer on the fly instead of an initial migration

* Additional clean up backing out the writeRevocationConfig refactoring

* Remove Dirty issuer flag and update comment about not writing upgrade to
storage

* Address PR feedback and return Unknown response when mismatching issuer

* make fmt

* PR Feedback.

* More PR feedback

 - Leverage ocsp response constant
 - Remove duplicate errors regarding unknown issuers
2022-08-22 14:06:15 -04:00
Steven Clark da7fd8f639
Migrate existing PKI mounts that only contains a key (#16813)
* Migrate existing PKI mounts that only contains a key

- We missed testing a use-case of the migration that someone has a PKI
  mount point that generated a CSR but never called set-signed back on
  that mount point so it only contains a key.

* Add cl
2022-08-22 10:11:21 -07:00
Alexander Scheel 49fd772fcc
Add per-issuer AIA URI information to PKI secrets engine (#16563)
* Add per-issuer AIA URI information

Per discussion on GitHub with @maxb, this allows issuers to have their
own copy of AIA URIs. Because each issuer has its own URLs (for CA and
CRL access), its necessary to mint their issued certs pointing to the
correct issuer and not to the global default issuer. For anyone using
multiple issuers within a mount, this change allows the issuer to point
back to itself via leaf's AIA info.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on per-issuer AIA info

Also add it to the considerations page as something to watch out for.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for per-issuer AIA information

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor AIA setting on the issuer

This introduces a common helper per Steve's suggestion.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error messages w.r.t. AIA naming

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error messages regarding AIA URLs

This clarifies which request parameter the invalid URL is contained
in, disambiguating the sometimes ambiguous usage of AIA, per suggestion
by Max.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rename getURLs -> getGlobalAIAURLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correct AIA acronym expansion word orders

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix bad comment suggesting re-generating roots

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add two entries to URL tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-19 11:43:44 -04:00
Alexander Scheel 0c22c76907
Allow marking issuers as revoked (#16621)
* Allow marking issuers as revoked

This allows PKI's issuers to be considered revoked and appear on each
others' CRLs. We disable issuance (via removing the usage) and prohibit
modifying the usage via the regular issuer management interface.

A separate endpoint is necessary because issuers (especially if signed
by a third-party CA using incremental serial numbers) might share a
serial number (e.g., an intermediate under cross-signing might share the
same number as an external root or an unrelated intermediate).

When the next CRL rebuild happens, this issuer will then appear on
others issuers CRLs, if they validate this issuer's certificate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on revoking issuers

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for issuer revocation semantics

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Notate that CRLs will be rebuilt

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix timestamp field from _utc -> to _rfc3339

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure serial-based accesses shows as revoked

Thanks Kit!

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning when revoking default issuer

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-18 18:08:31 -04:00
Max Coulombe fa29ed9e0b
* setting uploadurl explicitly empty (#16779) 2022-08-18 16:26:55 -04:00
Jakob Beckmann 21a10e09b6
fix bug with allowed_users_template and add allowed_domains_template for SSH role (#16056)
* impr(ssh): fix bug with allowed_users_template and add allowed_domains_template field in SSH role configuration, closes #10943

* chore: add changelog entry
2022-08-16 14:59:29 -05:00
Alexander Scheel 1e6730573c
Add proof possession revocation for PKI secrets engine (#16566)
* Allow Proof of Possession based revocation

Revocation by proof of possession ensures that we have a private key
matching the (provided or stored) certificate. This allows callers to
revoke certificate they own (as proven by holding the corresponding
private key), without having an admin create innumerable ACLs around
the serial_number parameter for every issuance/user.

We base this on Go TLS stack's verification of certificate<->key
matching, but extend it where applicable to ensure curves match, the
private key is indeed valid, and has the same structure as the
corresponding public key from the certificate.

This endpoint currently is authenticated, allowing operators to disable
the endpoint if it isn't desirable to use, via ACL policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error message on ParseDERKey

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Leave revoke-with-key authenticated

After some discussion, given the potential for DoS (via submitting a lot
of keys/certs to validate, including invalid pairs), it seems best to
leave this as an authenticated endpoint. Presently in Vault, there's no
way to have an authenticated-but-unauthorized path (i.e., one which
bypasses ACL controls), so it is recommended (but not enforced) to make
this endpoint generally available by permissive ACL policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add API documentation on PoP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add acceptance tests for Proof of Possession

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Exercise negative cases in PoP tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-16 14:01:26 -04:00
Alexander Scheel b8cfb4dde5
Ignore EC PARAMETER blocks during issuer import (#16721)
* Ignore EC PARAMETER blocks during issuer import

While older versions of Vault supported sending this, we broke such
support in 1.11. Ignore them from the manage issuers endpoint (which is
aliased to the old /config/ca path) -- but keep erring in the import
keys paths. The latter is a new endpoint not aliased to anything and
only expects a single PEM block.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add regression test for EC PARAMs during import

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-15 08:59:10 -07:00
Alexander Scheel e388cfec64
Add BYOC-based revocation to PKI secrets engine (#16564)
* Refactor serial creation to common helper

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add BYOC revocation to PKI mount

This allows operators to revoke certificates via a PEM blob passed to
Vault. In particular, Vault verifies the signature on the certificate
from an existing issuer within the mount, ensuring that one indeed
issued this certificate. The certificate is then added to storage and
its serial submitted for revocation.

This allows certificates generated with no_store=true to be submitted
for revocation afterwards, given a full copy of the certificate. As a
consequence, all roles can now safely move to no_store=true (if desired
for performance) and revocation can be done on a case-by-case basis.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on BYOC revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PEM length check to BYOC import

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for BYOC

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Guard against legacy CA bundle usage

This prevents usage of the BYOC cert on a hybrid 1.10/1.12 cluster with
an non-upgraded CA issuer bundle.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-15 08:50:57 -05:00
Jason O'Donnell c97b982043
secret/database: fix bug where too many wal deletes are deferred (#16686)
* secret/database: fix bug where too many wal deletes are deferred

* changelog

* Update changelog/16686.txt

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-08-11 16:22:53 -04:00
Alexander Scheel a259978a3d
Add warning when generate_lease=true (#16398)
This option is known to cause problems with large numbers of issued
certificates. Ensure admins are warned about the impact of this field
and encourage them to disable it.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-08 13:26:10 -04:00
Eng Zer Jun 61262ad98e
refactor: replace strings.Replace with strings.ReplaceAll (#15392)
strings.ReplaceAll(s, old, new) is a wrapper function for
strings.Replace(s, old, new, -1). But strings.ReplaceAll is more
readable and removes the hardcoded -1.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-08-03 15:22:48 -04:00
Robert 7f8c849b35
Update Consul bootstrap test case to conditionally add token to config (#16560)
* Fix bootstrap test to conditionally add Consul token

* Refactor bootstrap variable name to be more clear
2022-08-03 13:43:43 -05:00
swayne275 4632a26a09
Use %q for quoted strings where appropriate (#15216)
* change '%s' to %q where single vs double quotes shouldn't matter

* replace double quotes with %q in logs and errors
2022-08-03 12:32:45 -06:00
Alexander Scheel 8acbf7f480
Add PSS support to PKI Secrets Engine (#16519)
* Add PSS signature support to Vault PKI engine

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use issuer's RevocationSigAlg for CRL signing

We introduce a new parameter on issuers, revocation_signature_algorithm
to control the signature algorithm used during CRL signing. This is
because the SignatureAlgorithm value from the certificate itself is
incorrect for this purpose: a RSA root could sign an ECDSA intermediate
with say, SHA256WithRSA, but when the intermediate goes to sign a CRL,
it must use ECDSAWithSHA256 or equivalent instead of SHA256WithRSA. When
coupled with support for PSS-only keys, allowing the user to set the
signature algorithm value as desired seems like the best approach.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add use_pss, revocation_signature_algorithm docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PSS to signature role issuance test matrix

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow roots to self-identify revocation alg

When using PSS support with a managed key, sometimes the underlying
device will not support PKCS#1v1.5 signatures. This results in CRL
building failing, unless we update the entry's signature algorithm
prior to building the CRL for the new root.

With a RSA-type key and use_pss=true, we use the signature bits value to
decide which hash function to use for PSS support.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add clearer error message on failed import

When CRL building fails during cert/key import, due to PSS failures,
give a better indication to the user that import succeeded its just CRL
building that failed. This tells them the parameter to adjust on the
issuer and warns that CRL building will fail until this is fixed.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add case insensitive SigAlgo matching

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Convert UsePSS back to regular bool

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor PSS->certTemplate into helper function

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Proper string output on rev_sig_alg display

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Copy root's SignatureAlgorithm for CRL building

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-03 12:42:24 -04:00
Alexander Scheel cf7105929f
Allow old certs to be cross-signed (#16494)
* Allow old certs to be cross-signed

In Vault 1.11, we introduced cross-signing support, but the earlier SKID
field change in Vault 1.10 causes problems: notably, certs created on
older versions of Vault (<=1.9) or outside of Vault (with a different
SKID method) cannot be cross-signed and validated in OpenSSL.

In particular, OpenSSL appears to be unique in requiring a SKID/AKID
match for chain building. If AKID and SKID are present on an otherwise
valid client/parent cert pair and the values are different, OpenSSL will
not build a valid path over those two, whereas most other chain
validation implementations will.

Regardless, to have proper cross-signing support, we really aught to
support copying an SKID. This adds such support to the sign-intermediate
endpoint. Support for the /issue endpoint is not added, as cross-signing
leaf certs isn't generally useful and can accept random SKIDs.

Resolves: #16461

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback, fix tests

Also adds a known-answer test using LE R3 CA's SKID.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback regarding separators

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-03 06:34:21 -07:00
Alexander Scheel 4dbbd3e1f8
Make PKI tests run in parallel (#16514)
This decreases the total time to run the test suite significantly. From
the last PR, we were at 151s:

> [cipherboy@xps15 pki]$ go test -count=1 github.com/hashicorp/vault/builtin/logical/pki
> ok  	github.com/hashicorp/vault/builtin/logical/pki	151.182s

Now we're around 60s:

> [cipherboy@xps15 pki]$ go test -count=1 github.com/hashicorp/vault/builtin/logical/pki
> ok  	github.com/hashicorp/vault/builtin/logical/pki	61.838s

Notably, Go will correctly handle parallelizing tests across both
packages and within a package, so this shouldn't really impact test
runners (if they're already saturated).

The only gotcha in this approach is that the call to t.Run(...) becomes
effectively async; this means we either need to not mark the test as
parallel or shadow any loop variables inside the scope of the loop to
allow the t.Run to have the correct copy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-01 16:43:38 -04:00
Steven Clark 639fa64ce5
secret/ssh: Return errors for bad templates in roles as we did previously (#16505) 2022-07-29 15:18:22 +01:00
Ian Ferguson dc603b4f7f
Allow identity templates in ssh backend default_user field (#16351)
* Allow identity templates in ssh backend `default_user` field

* use correct test expected value

* include api docs for `default_user_template` field
2022-07-29 09:45:52 -04:00
Christopher Swenson b04d6e6720
Remove SHA1 for certs in prep for Go 1.18 (#16455)
Remove SHA1 for certs in prep for Go 1.18

* Remove certs with SHA1 from tests
* Use default SHA-256 with PKCS7 in AWS
* Update SHA1 deprecation note

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-07-28 09:14:33 -07:00
Alexander Scheel aba72d7f7a
Add next-step warning on import without AIA URLs (#16392)
This tells the user that the next step should be to configure AIA URLs
on this newly imported issuer/mount point. Ideally this should occur
before any leaves are issued such that they have the correct
information.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-07-21 11:05:19 -04:00
John-Michael Faircloth a5349bd1ef
Revert "AutoMTLS for secrets/auth plugins (#15671)" (#16377)
This reverts commit 39bcd5c71529f5f4eb61aae68b17d06d192ea55f.
2022-07-20 10:36:23 -05:00
Violet Hynes 047b3106ff
VAULT-6727 Adjust cert and approle role resolution, add more tests (#16341)
* VAULT-6727 Adjust cert and approle role resolution, add more tests

* VAULT-6727 Add new test
2022-07-20 09:24:06 -04:00
John-Michael Faircloth 7e170e7d87
AutoMTLS for secrets/auth plugins (#15671)
* use automtls for v5 secrets/auth plugins

* add automtls env guard

* start backend without metadata mode

* use PluginClientConfig for backend's NewPluginClient param

refactor

* - fix pluginutil test
- do not expect plugin to be unloaded in UT
- fix pluginutil tests --need new env var
- use require in UT
- fix lazy load test

* add changelog

* prioritize automtls; improve comments

* user multierror; refactor pluginSet for v4 unit test

* add test cases for v4 and v5 plugin versions

* remove unnecessary call to AutoMTLSSupported

* update comment on pluginSets

* use runconfig directly in sdk newpluginclient

* use automtls without metadatamode for v5 backend plugin registration

* use multierror for plugin runconfig calls

* remove some unnecessary code
2022-07-18 16:25:18 -05:00
Steven Clark d04b143bd5
pki: When a role sets key_type to any ignore key_bits value when signing a csr (#16246)
* pki: When a role sets key_type to any ignore key_bits value when signing

 - Bypass the validation for the role's key_bits value when signing CSRs
   if the key_type is set to any. We still validate the key is at least
   2048 for RSA backed CSRs as we did in 1.9.x and lower.
2022-07-08 10:56:15 -04:00
Violet Hynes 0c80ee5cf5
VAULT-6614 Enable role based quotas for lease-count quotas (OSS) (#16157)
* VAULT-6613 add DetermineRoleFromLoginRequest function to Core

* Fix body handling

* Role resolution for rate limit quotas

* VAULT-6613 update precedence test

* Add changelog

* VAULT-6614 start of changes for roles in LCQs

* Expiration changes for leases

* Add role information to RequestAuth

* VAULT-6614 Test updates

* VAULT-6614 Add expiration test with roles

* VAULT-6614 fix comment

* VAULT-6614 Protobuf on OSS

* VAULT-6614 Add rlock to determine role code

* VAULT-6614 Try lock instead of rlock

* VAULT-6614 back to rlock while I think about this more

* VAULT-6614 Additional safety for nil dereference

* VAULT-6614 Use %q over %s

* VAULT-6614 Add overloading to plugin backends

* VAULT-6614 RLocks instead

* VAULT-6614 Fix return for backend factory
2022-07-05 13:02:00 -04:00
Alexander Scheel d353245af3
Remove structs, mapstructure from PKI storage (#16190)
structs and mapstructure aren't really used within Vault much any more,
so we should start removing them. Luckily there was only one externally
accessible place where structs was used (AIA URLs config) so that was
easy to remove. The rest is mostly structure tag changes.

path_roles_tests.go relied on mapstructure in some places that broke,
but otherwise backend_test.go hasn't yet been modified to remove the
dependency on mapstructure. These didn't break as the underlying
CertBundle didn't get mapstructure support removed (as its in the SDK).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-29 15:05:31 -04:00
Alexander Scheel 920ec37b21
Refactor PKI storage calls to take a shared struct (#16019)
This will allow us to refactor the storage functions to take additional
parameters (or backend-inferred values) in the future. In particular, as
we look towards adding a storage cache layer, we'll need to add this to
the backend, which is now accessible from all storage functions.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-29 12:00:44 -04:00
Alexander Scheel 75eedf1b97
Add warning on missing tidy targets (#16164)
When tidy is called without arguments, we kick off a tidy operation with
no targets. This results in nothing being done, though the user might
reasonably expect some results.

Throw a warning in this case, so the user knows not to expect anything.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-27 17:42:41 -04:00
Christopher Swenson 3bc56cfcca
Synchronize access to database plugin gauge process close (#16163)
And only call it once.

This fixes a panic that can happen when the plugin `Cleanup` is called
twice.
2022-06-27 13:41:23 -07:00
Christopher Swenson c57d053d28
Add database plugin metrics around connections (#16048)
Add database plugin metrics around connections

This is a replacement for #15923 that takes into account recent lock
cleanup.

I went ahead and added back in the hanging plugin test, which I meant to
add in #15944 but forgot.

I tested this by spinning up a statsd sink in the tests and verifying I
got a stream of metrics:

```
$ nc -u -l 8125 | grep backend
test.swenson-Q9Q0L72D39.secrets.database.backend.connections.count.pgx.5.:1.000000|g
test.swenson-Q9Q0L72D39.secrets.database.backend.connections.count.pgx.5.:0.000000|g
test.swenson-Q9Q0L72D39.secrets.database.backend.connections.count.pgx.5.:1.000000|g
test.swenson-Q9Q0L72D39.secrets.database.backend.connections.count.pgx.5.:0.000000|g
```

We have to rework the shared gauge code to work without a full
`ClusterMetricSink`, since we don't have access to the core metrics from
within a plugin.

This only reports metrics every 10 minutes by default, but it solves
some problems we would have had with the gauge values becoming stale and
needing to be re-sent.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-06-27 09:34:45 -07:00
Alexander Scheel 327963af03
Return errors on short PEM bundles (keys, issuers) (#16142)
* Return errors on short PEM bundles (keys, issuers)

When users pass the path of the bundle to the API, rather than the
contents of the bundle (say, by omitting the `@` symbol on a Vault CLI
request), give a better error message indicating to the user what the
potential problem might be. While a larger bound for certificates was
given (75 bytes, likely 100 would be fine as well), a smaller bound had
to be chosen for keys as there's less standard DER encoding data around
them.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-24 15:32:56 -04:00
Alexander Scheel eeb4029eb1
Add signature_bits to sign-intermediate, sign-verbatim (#16124)
* Add signature_bits to sign-intermediate

This endpoint was lacking the signature_bits field like all the other
endpoints. Notably, in #15478, the ability to customize the intermediate
CSR's signature bits was removed without checking for the ability to
customize the final (root-signed) intermediate certificate's value.

This adds in that missing ability, bringing us parity with root
generation and role-based signing.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add signature_bits to sign-verbatim

This endpoint was also lacking the signature_bits field, preventing
other signature hash functions from being utilized here.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-23 14:07:27 -04:00
Violet Hynes 1aefd297e9
Add role resolution operations to cert and aws auth types (VAULT-6612) (#16079)
* VAULT-6612 Initial scaffolding for role determination

* VAULT-6612 Simplify code

* Fix fmt error that somehow happened

* VAULT-6612 Refactor resolve role response

* VAULT-6612 AWS Role resolution

* VAULT-6612 add Iam test

* VAULT-6612 Add cert role resolve operation

* Address comments

* Update builtin/credential/cert/path_login_test.go

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
2022-06-22 08:53:00 -04:00
Violet Hynes 56ed9ca8ae
Start of implementation of the plumbing for role resolution logic on auth mounts (#16049)
* VAULT-6612 Initial scaffolding for role determination

* VAULT-6612 Simplify code

* Fix fmt error that somehow happened

* VAULT-6612 Refactor resolve role response
2022-06-21 09:31:36 -04:00
Alexander Scheel 248990a1ec
Fix leaf revocation under intermediate CAs (#16052)
* Add test for revocation under intermediate CA

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow revocation of certs with key-less issuers

In Vault 1.11's multiple issuer functionality, we incorrectly fetched
the full CA signing bundle for validating revocation of leaf certs (when
attempting to prohibit revocation of issuers in the mount). When the
issuer lacked a key (such as the root issuer on an intermediate mount),
this signing bundle creation failed.

Instead of fetching the full CA signing bundle, fetch instead the raw
certutil.CertBundle and parse it (to x509.Certificate form) ourselves.

This manifests as the error on revocation:

> URL: PUT http://127.0.0.1:8200/v1/pki_int/revoke
> * could not fetch the CA certificate for issuer id 156e1b99-4f04-5b5e-0036-cc0422c0c0d3: unable to fetch corresponding key for issuer 156e1b99-4f04-5b5e-0036-cc0422c0c0d3; unable to use this issuer for signing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-17 18:04:51 -04:00
Christopher Swenson 99bc3e7b0e
Cleanup and simplify lock usage in database plugin (#15944)
Cleanup and simplify lock usage in database plugin

Following up from discussions in #15923 and #15933, I wanted to split
out a separate PR that drastically reduced the complexity of the use of
the databaseBackend lock. We no longer need it at all for the
`credRotationQueue`, and we can move it to be solely used in a few,
small connections map management functions.

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-06-17 10:05:27 -07:00
Steven Clark 8f118fcefb
ssh: Fix template regex test for defaultExtensions to allow additional text (#16018)
* ssh: Fix template regex test for defaultExtensions

 - The regex to identify if our defaultExtensions contains a template was
   a little too greedy, requiring the entire field to be just the regex. Allow
   additional text within the value field to be added

* Add cl
2022-06-17 11:06:17 -04:00
Alexander Scheel b00e32fec7
Fix format errors in PKI tests (#16015)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-16 07:41:05 -07:00
Alexander Scheel 4e6a9741ee
Add explicit cn_validations field to PKI Roles (#15996)
* Add cn_validations PKI Role parameter

This new parameter allows disabling all validations on a common name,
enabled by default on sign-verbatim and issuer generation options.

Presently, the default behavior is to allow either an email address
(denoted with an @ in the name) or a hostname to pass validation.
Operators can restrict roles to just a single option (e.g., for email
certs, limit CNs to have strictly email addresses and not hostnames).

By setting the value to `disabled`, CNs of other formats can be accepted
without validating their contents against our minimal correctness checks
for email/hostname/wildcard that we typically apply even when broad
permissions (allow_any_name=true, enforce_hostnames=false, and
allow_wildcard_certificates=true) are granted on the role.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update PKI tests for cn_validation support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PKI API documentation on cn_validations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-16 06:53:27 -07:00
Alexander Scheel 3496bc0416
Refactor PKI tests for speed (#15999)
* Refactor role issuance tests to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	5.879s

After:
	github.com/hashicorp/vault/builtin/logical/pki	1.063s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor role key bit tests to use direct backend

Also removes redundant cases.

Before:
	github.com/hashicorp/vault/builtin/logical/pki	136.605s

After:

	github.com/hashicorp/vault/builtin/logical/pki	24.713s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor common name test to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.767s

After:

	github.com/hashicorp/vault/builtin/logical/pki	0.611s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor device cert tests to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.725s

After:

	github.com/hashicorp/vault/builtin/logical/pki	0.402s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor invalid parameter test to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	3.777s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.021s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor Alt Issuer tests to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.560s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.111s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor root idempotency tests to use direct backend

As a result, we've had to import a root cert from elsewhere in the test
suite, rather than using the one off the cluster.

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.399s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.523s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Move PKI direct backend helpers to common location

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor OID SANs test to direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	5.284s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.808s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor allowed serial numbers test to direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.789s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.600s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor URI SANs to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.245s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.600s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor Full Chain CA tests to direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	14.503s

After:
	github.com/hashicorp/vault/builtin/logical/pki	2.082s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update Allow Past CA tests to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.323s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.322s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Convert existing-key root test to direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.430s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.370s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor CRL enable/disable tests to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	5.738s

After:
	github.com/hashicorp/vault/builtin/logical/pki	2.482s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update intermediate existing key tests to use direct backend

Before:
	github.com/hashicorp/vault/builtin/logical/pki	4.182s

After:
	github.com/hashicorp/vault/builtin/logical/pki	0.416s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor Issuance TTL verification tests to use direct backend

Also shorten sleep duration slightly by precisely calculating it
relative to the actual cert life time.

Before:
	github.com/hashicorp/vault/builtin/logical/pki	19.755s

After:
	github.com/hashicorp/vault/builtin/logical/pki	11.521s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-16 09:11:22 -04:00
Josh Black d2ed39a04e
Correct drift between ENT and OSS (#15966) 2022-06-14 17:53:19 -07:00
Christopher Swenson dfd3eb8bb6
database plugin: Invalidate queue should cancel context first (#15933)
To signal to any credentials rotating goroutines that they should cancel
pending operations, which reduces lock contention.
2022-06-10 13:41:47 -07:00
Steven Clark ecb91cd7e1
ssh: Do not convert errors into logical.ErrorResponse in issue path (#15929) 2022-06-10 11:21:29 -04:00
Alexander Scheel 6f66e5cd48
Allow reading Nomad CA/Client cert configuration (#15809)
* Allow reading Nomad CA/Client cert configuration

In the Nomad secret engine, writing to /nomad/config/access allows users
to specify a CA certificate and client credential pair. However, these
values are not in the read of the endpoint, making it hard for operators
to see if these values were specified and if they need to be rotated.

Add `ca_cert` and `client_cert` parameters to the response, eliding the
`client_key` parameter as it is more sensitive (and should most likely
be replaced at the same time as `client_cert`).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix tests to expect additional fields

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test with existing CA/client cert+key

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-10 10:09:54 -04:00
Gabriel Santos 57eeb33faa
SSH secrets engine - Enabled creation of key pairs (CA Mode) (#15561)
* Handle func

* Update - check if key_type and key_bits are allowed

* Update - fields

* Generating keys based on provided key_type and key_bits

* Returning signed key

* Refactor

* Refactor update to common logic function

* Descriptions

* Tests added

* Suggested changes and tests added and refactored

* Suggested changes and fmt run

* File refactoring

* Changelog file

* Update changelog/15561.txt

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>

* Suggested changes - consistent returns and additional info to test messages

* ssh issue key pair documentation

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
2022-06-10 09:48:19 -04:00
Steven Clark 3b9f29fedd
pki: Do not use a static issuer/key name within the migration (#15886)
- Selecting a constant default value exposed a possible edge case
   that the migration would fail if a previous migration contained the
   same issuer or key name.
2022-06-08 15:31:30 -04:00
Alexander Scheel ea6452757f
Add parsing for NSS-wrapped Ed25519 keys (#15742)
* Add parsing for NSS-wrapped Ed25519 keys

NSS wraps Ed25519 using the PKCS#8 standard structure. The Go standard
library as of Go 1.18.x doesn't support parsing this key type with the
OID used by NSS; it requires the 1.3.101.112/RFC 8410 format, rather
than the RFC 5915-esque structure supported here.

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add integration test with NSS-created wrapped key

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
2022-06-06 18:09:21 -04:00
Kit Haines 4f532ecc4d
Support for CPS URLs in Custom Policy Identifiers. (#15751)
* Support for CPS URLs in Custom Policy Identifiers.

* go fmt

* Add Changelog

* Fix panic in test-cases.

* Update builtin/logical/pki/path_roles.go

Fix intial nil identifiers.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Make valid policy OID so don't break ASN parse in test.

* Add test cases.

* go fmt.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-06-03 14:50:46 -04:00
akshya96 fece4cf9ac
File Audit Mode 0000 bug (#15759)
* adding file mode changes

* add changelog

* adding error

* adding fmt changes
2022-06-03 09:17:41 -07:00
Steven Clark 0b6781e3b9
PKI: Only set issuers with an associated key as default on import (#15754)
- Do not set the first issuer we attempt to import as the default issuer unless
   it has a corresponding key.
 - Add the ability to set a default issuer if none exist and we import it's corresponding key after the fact.
 - Add a warning to an end-user if we imported multiple issuers with keys and we
   choose one of them as the default value.
2022-06-02 12:59:07 -04:00
Christopher Swenson a49f1b9e6b
Update AWS auth method certificates (#15719)
Update AWS auth method certificates

Add tests that the `rsa2048` document can also be verified using the
`pkcs7` field for AWS auth.

Due to the use of SHA-1-based signatures for the `identity` and `pkcs7`
methods, we want to encourage moving toward using the RSA 2048 workflow,
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html

This doesn't require code changes for Vault necessarily, but adding in
the (many) certificates will help end users.

Also adds `rsa2048` option to API to fetch the RSA 2048 signature.

I will make a PR to update to the AWS auth docs to document the RSA 2048
flow soon after this.
2022-06-01 10:26:17 -07:00
Steven Clark 2e215975ff
Add integration tests for aliased PKI paths (root/rotate, root/replace) (#15703)
* Add integration tests for aliased PKI paths (root/rotate, root/replace)

 - Add tests for the two api endpoints
 - Also return the issuer_name field within the generate root api response

* Add key_name to generate root api endpoint response and doc updates

 - Since we are now returning issuer_name, we should also return key_name
 - Update the api-docs for the generate root endpoint responses and add
   missing arguments that we accept.
2022-05-31 15:00:20 -04:00
Matt Schultz 76086e2bb4
Updated base64 encoding of ciphertext for Transit BYOK import. (#15663) 2022-05-27 11:52:43 -05:00
Jim Kalafut a3b0b60a73
postgres: replace the package lib/pq with pgx (#15343)
* WIP replacing lib/pq

* change timezome param to be URI format

* add changelog

* add changelog for redshift

* update changelog

* add test for DSN style connection string

* more parseurl and quoteidentify to sdk; include copyright and license

* call dbutil.ParseURL instead, fix import ordering

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-05-23 12:49:18 -07:00
Alexander Scheel 3166d1ff78
Allow issuer/:issuer_ref/sign-verbatim/:role, add error on missing role (#15543)
* Allow role-based sign-verbatim with chosen issuer

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning with missing requested verbatim role

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pki/backend.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-05-23 13:09:18 -04:00
Gabriel Santos 3e569ed186
Convert not_before_duration to seconds before returning it (#15559)
* Convert not_before_duration to seconds before returning it

* changelog file
2022-05-23 08:06:37 -04:00
Rémi Lapeyre d66333f7ac
Fix handling of username_as_alias during LDAP authentication (#15525)
* Fix handling of username_as_alias during LDAP authentication

There is a bug that was introduced in the LDAP authentication method by https://github.com/hashicorp/vault/pull/11000.
It was thought to be backward compatible but has broken a number of users. Later
a new parameter `username_as_alias` was introduced in https://github.com/hashicorp/vault/pull/14324
to make it possible for operators to restore the previous behavior.
The way it is currently working is not completely backward compatible thought
because when username_as_alias is set, a call to GetUserAliasAttributeValue() will
first be made, then this value is completely discarded in pathLogin() and replaced
by the username as expected.

This is an issue because it makes useless calls to the LDAP server and will break
backward compatibility if one of the constraints in GetUserAliasAttributeValue()
is not respected, even though the resulting value will be discarded anyway.

In order to maintain backward compatibility here we have to only call
GetUserAliasAttributeValue() if necessary.

Since this change of behavior was introduced in 1.9, this fix will need to be
backported to the 1.9, 1.10 and 1.11 branches.

* Add changelog

* Add tests

* Format code

* Update builtin/credential/ldap/backend.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Format and fix declaration

* Reword changelog

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-05-20 14:17:26 -07:00
Robert 71a6505ddb
secrets/consul: Deprecate token_type and policy fields (#15550) 2022-05-20 15:48:02 -05:00
Alexander Scheel 69b870d675
Add role patching test case (#15545)
* Add tests for role patching

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prevent bad issuer names on update

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on PATCH operations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-20 15:30:22 -04:00
kitography 024716421e
Vault 5917 allow patch operations to pki roles issuers (#15510)
* Add a warning when Issuing Certificate set on a role does not resolve.

* Ivanka's requests - add a warning on deleting issuer or changing it's name.

* Fix nil checks; reduce number of roles to iterate through; only verify roles after migration.

* Fix semgrep failure, ignore roles deleted behind our back.

* Patch functionality for roles

* Make Patch Roles work again, add back patch issuers.

* Add changelog.

* Fix nil-reversion on empty response.

* Panics are bad. don't do that.
2022-05-20 13:34:55 -04:00
Steven Clark 0e18a68691
PKI: Do not error out on unknown issuers/keys on delete api calls. (#15541)
- No longer error out when we fail to lookup the passed in issuer_ref
   or key_ref values on delete apis.
 - Add more key related unit tests
2022-05-20 13:33:26 -04:00
Steven Clark 892d4d1e37
Return the signed ca in the ca_chain response field within sign-intermediate api call. (#15524)
* Return signed ca as part of ca_chain field within sign-intermediate

 - When signing a CA certificate we should include it along with the signing CA's CA chain in the response.
2022-05-20 11:06:44 -04:00
Robert 6425999ff2
secrets/consul: Use consistent parameter names (#15400)
* Add "consul_policies" parameter and deprecate "policies" parameter

* Update tests and remove superfluous log statements
2022-05-19 14:43:54 -05:00
Christopher Swenson e6fb16be9c
Remove spurious fmt.Printf calls including one of a key (#15344)
And add a semgrep for fmt.Printf/Println.
2022-05-19 12:27:02 -07:00
Alexander Scheel faea196991
Rebase #14178 / Add not_before_duration API parameter to Root/Intermediate CA generation (#15511)
* PKI - Add not_before_duration API parameter to:
  - Root CA generation
  - Intermediate CA generation
  - Intermediate CA signing

* Move not_before_duration to addCACommonFields

This gets applied on both root generation and intermediate signing,
which is the correct place to apply this.

Co-authored-by: guysv <sviryguy@gmail.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Resolves: #10631

Co-authored-by: guysv <sviryguy@gmail.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test case for root/generate, sign-intermediate

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update path role description

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new not_before_duration to relevant docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: guysv <sviryguy@gmail.com>
2022-05-19 12:35:08 -04:00
Alexander Scheel c7efb97f08
Add warning on missing AIA info fields (#15509)
* Add warning on missing AIA info fields

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog:

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-19 11:12:10 -04:00
Robert c2f49204d9
Fix small typos, update docs terminology (#15504) 2022-05-18 17:23:46 -05:00
kitography 93a1f62567
Vault 6122 pki role issuer name validation (#15473)
* Add a warning when Issuing Certificate set on a role does not resolve.

* Ivanka's requests - add a warning on deleting issuer or changing it's name.

* reduce number of roles to iterate through; only verify roles after migration.  ignore roles deleted behind our back.
2022-05-18 16:21:17 -04:00
Steven Clark a2a7fdc43f
Fix a generic PKI description for key_name and issuer_name fields (#15495)
- The field could be used to be applied to keys/issuers being generated
   or to update the name on existing values.
2022-05-18 11:17:58 -04:00
Steven Clark 7bc9cd2867
Protect against key and issuer name re-use (#15481)
* Protect against key and issuer name re-use
 - While importing keys and issuers verify that the provided name if any has not been used by another key that we did not match against.
 - Validate an assumption within the key import api, that we were provided a single key
 - Add additional tests on the new key generation and key import handlers.

* Protect key import api end-users from using "default" as a name
 - Do not allow end-users to provide the value of default as a name for key imports
   as that would lead to weird and wonderful behaviors to the end-user.

* Add missing api-docs for PKI key import
2022-05-18 10:31:39 -04:00
Alexander Scheel 5ca7065bda
Warn on empty Subject field for issuers (#15494)
* Warn on empty Subject field for issuers

When generating a root or signing an intermediate certificate, it is
possible to have Vault generate a certificate with an empty Subject.
These don't validate in most TLS implementations well, so add a warning.
Note that non-Common Name fields could be present to make a non-empty
subject, so simply requiring a CommonName isn't strictly the best.

For example:

    $ vault write pki/root/generate/exported common_name=""
    WARNING! The following warnings were returned from Vault:
      * This issuer certificate was generated without a Subject; this makes
      it likely that issuing leaf certs with this certificate will cause TLS
      validation libraries to reject this certificate.
    ....

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 10:15:37 -04:00
Alexander Scheel 2518cd1d6c
Remove signature_bits on intermediate generate (#15478)
* Remove signature_bits on intermediate generate

This extraneous field wasn't respected during intermediate generation
and it isn't clear that it should be. Strictly, this field, if it were
to exist, would control the CSR's internal signature algorithm (certutil
defaults to the sane SHA-256 here). However, there's little value in
changing this as the signing authority can and probably will override
the final certificate's signature bits value, completely ignoring
whatever was in the provided CSR.

Removing this field will now cause warnings for those providing the
parameter (which already wasn't respected), which is the desired
behavior. No breakage should occur as a result of this change.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-18 09:36:39 -04:00
Austin Gebauer d3629ab49d
secrets/database: adds ability to manage alternative credential types and configuration (#15376) 2022-05-17 09:21:26 -07:00
Alexander Scheel 3e7414b605
Always return PKI configs for CRLs, URLs (#15470)
* Always return non-nil CRL configuration

When using the default CRL configuration (as none has been set), return
the default configuration rather than inferring it in buildCRL. This
additionally allows us to return the default configuration on GET
operations to /config/crl.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Always return non-nil URL configuration

When using the default (empty) URL configuration as none has been set,
return the default configuration rather than inferring it inside of
fetchCAInfoByIssuerId or generateCert. This additionally allows us to
return the default configuration on GET operations to /config/urls.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-17 11:40:09 -04:00
Steven Clark 2fb8a9e667
secret/pki: Return correct algorithm type from key fetch API for managed keys (#15468)
* secret/pki: Return correct algorithm type from key fetch api for managed keys

 - fix an issue that key_type field returned from the key fetch api had
   the ManagedPrivateKey type instead of the real algorithm of the managed key.

* Remove key_type from key list PKI operation. Partial revert of #15435

 - The key_type field should be used solely for the key algorithm but as implemented
   we would be returning the value ManagedPrivateKey for managed keys which is not
   in sync with the rest of the apis. We also did not want to take the performance
   hit if many managed keys existed so we will simply remove the field from the list
   operation
2022-05-17 11:36:14 -04:00
Steven Clark aa868c5abf
Log less around the current status of the PKI migration (#15451)
- No point in writing any logs if no previous bundle exists
 - Only log output and schedule a CRL rebuild is we actually migration something
 - Do not log on PKI storage version set/checks.
2022-05-17 08:52:42 -04:00
Gabriel Santos 23e67be230
pki/sign-verbatim uses role not before duration (#15429)
* Use "not_before_duration" fiueld from role if above 0

* 'test' and update docs

* changelog file

* Requested changes - improved test and better description to changelog

* changelog description:

* update to ttl and not_before_duration API docs
2022-05-16 16:15:18 -04:00
Alexander Scheel 210045cd1f
Store migrated issuer, key in migration log (#15449)
If necessary, this will let us correlate migrated values afterwards.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-16 16:12:49 -04:00
Matt Schultz 3d1f40f850
Fix a keysutil policy lock (#15447)
* Defer an unlock call for keysutil policy imports.

* Make Transit import key type field case-insensitive for convenience.
2022-05-16 13:00:16 -05:00
Alexander Scheel 8750512f9f
Fix integer overflows with new parseutil (#15437)
* Use new parseutil helper: Safe variants

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update parseutil to v0.1.5

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix additional integer overflow in command/server

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-16 13:57:19 -04:00
Matt Schultz 611ab91e5a
Transit byok import endpoints (#15414)
* add import endpoint

* fix unlock

* add import_version

* refactor import endpoints and add tests

* add descriptions

* Update dependencies to include tink for Transit import operations. Convert Transit wrapping key endpoint to use shared wrapping key retrieval method. Disallow import of convergent keys to Transit via BYOK process.

* Include new 'hash_function' parameter on Transit import endpoints to specify OAEP random oracle hash function used to wrap ephemeral AES key.

* Add default values for Transit import endpoint fields. Prevent an OOB panic in Transit import. Proactively zero out ephemeral AES key used in Transit imports.

* Rename some Transit BYOK import variables. Ensure Transit BYOK ephemeral key is of the size specified byt the RFC.

* Add unit tests for Transit BYOK import endpoint.

* Simplify Transit BYOK import tests. Add a conditional on auto rotation to avoid errors on BYOK keys with allow_rotation=false.

* Added hash_function field to Transit import_version endpoint. Reworked Transit import unit tests. Added unit tests for Transit import_version endpoint.

* Add changelog entry for Transit BYOK.

* Transit BYOK formatting fixes.

* Omit 'convergent_encryption' field from Transit BYOK import endpoint, but reject with an error when the field is provided.

* Minor formatting fix in Transit import.

Co-authored-by: rculpepper <rculpepper@hashicorp.com>
2022-05-16 11:50:38 -05:00
Steven Clark 9607c5be97
Use backendUUID instead of mount points for managed keys (OSS) (#15441)
- Remove all references to mount point within PKI
 - Leverage the mount's backend UUID now instead of a mount point for all
   managed key lookups.
2022-05-16 12:48:54 -04:00
Alexander Scheel 0ce7c3b331
Add default timeout to legacy ssh.ClientConfig (#15440)
* Add default timeout to legacy ssh.ClientConfig

When using the deprecated Dynamic SSH Keys method, Vault will make an
outbound SSH connection to an arbitrary remote host to place SSH keys.
We now set a timeout of 1 minute for this connection.

It is strongly recommended consumers of this SSH secrets engine feature
migrate to the more secure, and otherwise equivalent, SSH certificates
method.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-16 12:36:47 -04:00
Alexander Scheel 71372e4ea8
Include default information in LIST keys, issuers (#15435)
This shows whether the specified key or issuer is default, along with
the private key type in the case of a LIST /keys (authenticated) call.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-16 11:22:17 -04:00
Alexander Scheel c64ac9d17a
Add tests for usage-based restrictions of issuers (#15411)
* Restructure leaf issuance test

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add usage-based testing of issuing leaves, CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-13 09:57:58 -04:00
Gabriel Santos 469ad6d09a
not_before_duration added to SSH (#15250)
* add-not-before-duration-to-ssh

* Missing field

* Adding tests

* changelog file

* Backend test

* Requested changes

* Update builtin/logical/ssh/path_roles.go

Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
2022-05-12 08:50:40 -04:00
Calvin Leung Huang ca44b5a3e0
auth/okta: Add support for Okta number challenge (#15361)
* POC of Okta Auth Number Challenge verification

* switch from callbacks to operations, forward validate to primary

* cleanup and nonce description update

* add changelog

* error on empty nonce, no forwarding, return correct_answer instead

* properly clean up verify goroutine

* add docs on new endpoint and parameters

* change polling frequency when WAITING to 1s

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2022-05-11 17:09:29 -07:00
Alexander Scheel b8142113bc
Add revocation check to chain building (#15371)
* Add CRL checking to chain building tests

This should ensure that, with our complex issuer setups, we can revoke
the issued certificates correctly and they'll show up on the correct
CRLs.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix related issuer detection in CRL building

When building our mapping of issuers, we incorrectly used the issuer's
RawIssuer field to construct the mapping, rather than the issuer's
RawSubject. This caused us to not correctly detect the cross-signed
issuers as having the same CRLs.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-11 13:49:20 -04:00
Steven Clark 24b168b250
Fix revoking certificates in pre-migration state within PKI (#15360)
* Address issues with revoke operations pre-migration of PKI issuers

 - Leverage the legacyBundleShimID though out the path of CRL building
   when legacy storage mode is active.
 - Instead of having multiple locations without a lock checking for the
   useLegacyBundleCaStorage flag is set, check it once and then use the
   same issuerId everywhere
 - Address some locking issues that might lead to a bad read/write when
   switching from legacy to non-legacy mode on startup and post-migration

* Add test suite for PKI apis pre-migration to new issuer storage format

 - Add tests that validate all apis work as expected in pre-migration mode
 - Add tests for apis that we don't expect to work, they should return a
   migration related error message
 - Add some missing validations on various new apis.
2022-05-11 13:33:04 -04:00
Alexander Scheel de00d14a51
Benchmark chain building (#15315)
* Refactor chain building test cases to be shared

This will allow us to execute these test cases and then benchmark just
the chain building, separate from the certificate creation (and without
the consistency tests).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Benchmark chain building code

Using the existing test cases (and a few special ones), generate some
simple chains and benchmark how long chain building takes. We switch
from generating a cluster (slow) to directly calling
createBackendWithStorage(), which improves test execution time too:

$ go test -count=1 -run=Test_CAChainBuilding github.com/hashicorp/vault/builtin/logical/pki
ok  	github.com/hashicorp/vault/builtin/logical/pki	0.764s

(previously it was 5-10 seconds, for fewer tests).

Additionally, we now have benchmarks:

$ go test -v -run=BenchmarkChainBuilding -bench=. github.com/hashicorp/vault/builtin/logical/pki
goos: linux
goarch: amd64
pkg: github.com/hashicorp/vault/builtin/logical/pki
cpu: Intel(R) Core(TM) i9-10885H CPU @ 2.40GHz
BenchmarkChainBuilding
BenchmarkChainBuilding/test-case-0
BenchmarkChainBuilding/test-case-0-16         	     616	   1921783 ns/op
BenchmarkChainBuilding/test-case-1
BenchmarkChainBuilding/test-case-1-16         	    1191	    998201 ns/op
BenchmarkChainBuilding/test-case-2
BenchmarkChainBuilding/test-case-2-16         	     547	   2229810 ns/op
BenchmarkChainBuilding/test-case-3
BenchmarkChainBuilding/test-case-3-16         	     525	   2264951 ns/op
BenchmarkChainBuilding/test-case-4
BenchmarkChainBuilding/test-case-4-16         	    1732	    693686 ns/op
BenchmarkChainBuilding/test-case-5
BenchmarkChainBuilding/test-case-5-16         	   51700	     23230 ns/op
BenchmarkChainBuilding/test-case-6
BenchmarkChainBuilding/test-case-6-16         	    9343	    124523 ns/op
BenchmarkChainBuilding/test-case-7
BenchmarkChainBuilding/test-case-7-16         	    5106	    234902 ns/op
BenchmarkChainBuilding/test-case-8
BenchmarkChainBuilding/test-case-8-16         	    2334	    494382 ns/op
PASS
ok  	github.com/hashicorp/vault/builtin/logical/pki	12.707s

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-11 13:29:57 -04:00
Steven Clark 20a78a2118
Rework locking within the PKI CRLBuilder (#15325)
- Do not grab a lock within the requestRebuildIfActiveNode function
   to avoid issues being called from the invalidate function
 - Leverage more atmoic operations, and only grab the lock if we are
   going to perform the rebuild.
2022-05-11 13:14:21 -04:00
Alexander Scheel 48f3279c49
Return names for leaf_not_after_behavior responses (#15336)
Previously we'd return the raw enum value, which the entity accessing
the API wouldn't have any easy way of translating back into string
values. Return the string value directly instead.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-11 13:12:04 -04:00
Steven Clark 76cf103fb4
Use Get lookup within PKI resolveXXX functions instead of list iterations (#15322)
- Leverage a Get lookup operation to see if our reference field is a UUID
   instead of listing all key/issuers and iterating over the list.
 - This should be faster and we get a cached lookup possibly if it was a
   UUID entry that we previously loaded.
 - Address some small feedback about migration wording as well.
2022-05-11 13:11:56 -04:00
Alexander Scheel 8408c19115
Root issuers lack CA Chain + Chain Building Bug Fix (#15306)
* Return the ca_chain response from root issued cert api

* Fix parent selection in cert chain building

When building chains, we'd choose the next neighbor from Go's
unordered map. However, this doesn't necessarily result in the most
optimal path: we want to prefer to visit roots over other
intermediates, as this allows us to have a more consistent chain,
putting roots before their cross-signed equivalents rather than
potentially at the end.

We additionally now ensure chains are stable.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
2022-05-11 13:09:18 -04:00
Steven Clark cb1cf36fcb
Add parameter validation to the new generate key PKI api (#15319)
- Validate the key_type and key_bits arguments that were provided and
   perform the same default processing of 0 as we used to do for the
   generateRoot/generateIntermediate apis
 - Add a test that validates the behaviour
 - Update the field description blurbs.
2022-05-11 13:07:18 -04:00
Steven Clark 92dad0e0c0
Compare issuer certificates using cert, signature algo and signature fields (#15285)
* Move existing test helpers into a new test_helpers.go file within PKI

* Compare issuer certificates by cert, signature algo and signature

 - Instead of comparing the strings of a certificate, instead leverage
   the Go Raw attribute within a parsed certificate to compare. The Raw
   attribute is a byte array of an ASN.1 DER containing the cert,
   signature algo and signature.
 - Rework a bit of the importIssuers function as well to fail checks on the
   inbound issuer earlier as well as load keys/issuers just before we need
   them
2022-05-11 13:04:54 -04:00
Alexander Scheel 575099d085
Prevent revoking all issuer certificates (#15289)
* Prevent revocation of issuers using revokeCert

Similar to the existing behavior, we'll prevent the revocation of
existing issuer certificates from the existing /revoke/:serial endpoint
for now. This is because a serial number alone is not enough information
(in the worst case) to precisely identify an issuer (as intermediates
signed by two separate external (e.g., OpenSSL) CAs using incremental
serial numbers might have the same serial number).

Additionally, we fix revoking certs on performance secondary clusters,
when they've not yet been migrated.

In a separate change, we'll open up a separate code path to revoke
issuers, ensuring we know exactly which issuer is revoked (and which CRL
it should belong on at time of revocation).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning when revoking expired cert

This prevents confusion when a nil response (with no revocation info) is
returned; requesters are informed that the specified certificate has
already expired.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-11 13:03:49 -04:00
Alexander Scheel 8695b6cca6
Add doc information about useLegacyBundleCaStorage (#15303)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-11 13:02:46 -04:00
Alexander Scheel 4f6c6ac317
Allow Multiple Issuers in PKI Secret Engine Mounts - PKI Pod (#15277)
* Starter PKI CA Storage API (#14796)

* Simple starting PKI storage api for CA rotation
* Add key and issuer storage apis
* Add listKeys and listIssuers storage implementations
* Add simple keys and issuers configuration storage api methods

* Handle resolving key, issuer references

The API context will usually have a user-specified reference to the key.
This is either the literal string "default" to select the default key,
an identifier of the key, or a slug name for the key. Here, we wish to
resolve this reference to an actual identifier that can be understood by
storage.

Also adds the missing Name field to keys.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add method to fetch an issuer's cert bundle

This adds a method to construct a certutil.CertBundle from the specified
issuer identifier, optionally loading its corresponding key for signing.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor certutil PrivateKey PEM handling

This refactors the parsing of PrivateKeys from PEM blobs into shared
methods (ParsePEMKey, ParseDERKey) that can be reused by the existing
Bundle parsing logic (ParsePEMBundle) or independently in the new
issuers/key-based PKI storage code.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add importKey, importCert to PKI storage

importKey is generally preferable to the low-level writeKey for adding
new entries. This takes only the contents of the private key (as a
string -- so a PEM bundle or a managed key handle) and checks if it
already exists in the storage.

If it does, it returns the existing key instance.

Otherwise, we create a new one. In the process, we detect any issuers
using this key and link them back to the new key entry.

The same holds for importCert over importKey, with the note that keys
are not modified when importing certificates.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for importing issuers, keys

This adds tests for importing keys and issuers into the new storage
layout, ensuring that identifiers are correctly inferred and linked.

Note that directly writing entries to storage (writeKey/writeissuer)
will take KeyID links from the parent entry and should not be used for
import; only existing entries should be updated with this info.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Implement PKI storage migration.

 - Hook into the backend::initialize function, calling the migration on a primary only.
 - Migrate an existing certificate bundle to the new issuers and key layout

* Make fetchCAInfo aware of new storage layout

This allows fetchCAInfo to fetch a specified issuer, via a reference
parameter provided by the user. We pass that into the storage layer and
have it return a cert bundle for us. Finally, we need to validate that
it truly has the key desired.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Begin /issuers API endpoints

This implements the fetch operations around issuers in the PKI Secrets
Engine. We implement the following operations:

 - LIST /issuers - returns a list of known issuers' IDs and names.
 - GET /issuer/:ref - returns a JSON blob with information about this
   issuer.
 - POST /issuer/:ref - allows configuring information about issuers,
   presently just its name.
 - DELETE /issuer/:ref - allows deleting the specified issuer.
 - GET /issuer/:ref/{der,pem} - returns a raw API response with just
   the DER (or PEM) of the issuer's certificate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add import to PKI Issuers API

This adds the two core import code paths to the API:
/issuers/import/cert and /issuers/import/bundle. The former differs from
the latter in that the latter allows the import of keys. This allows
operators to restrict importing of keys to privileged roles, while
allowing more operators permission to import additional certificates
(not used for signing, but instead for path/chain building).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add /issuer/:ref/sign-intermediate endpoint

This endpoint allows existing issuers to be used to sign intermediate
CA certificates. In the process, we've updated the existing
/root/sign-intermediate endpoint to be equivalent to a call to
/issuer/default/sign-intermediate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add /issuer/:ref/sign-self-issued endpoint

This endpoint allows existing issuers to be used to sign self-signed
certificates. In the process, we've updated the existing
/root/sign-self-issued endpoint to be equivalent to a call to
/issuer/default/sign-self-issued.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add /issuer/:ref/sign-verbatim endpoint

This endpoint allows existing issuers to be used to directly sign CSRs.
In the process, we've updated the existing /sign-verbatim endpoint to be
equivalent to a call to /issuer/:ref/sign-verbatim.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow configuration of default issuers

Using the new updateDefaultIssuerId(...) from the storage migration PR
allows for easy implementation of configuring the default issuer. We
restrict callers from setting blank defaults and setting default to
default.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix fetching default issuers

After setting a default issuer, one should be able to use the old /ca,
/ca_chain, and /cert/{ca,ca_chain} endpoints to fetch the default issuer
(and its chain). Update the fetchCertBySerial helper to no longer
support fetching the ca and prefer fetchCAInfo for that instead (as
we've already updated that to support fetching the new issuer location).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add /issuer/:ref/{sign,issue}/:role

This updates the /sign and /issue endpoints, allowing them to take the
default issuer (if none is provided by a role) and adding
issuer-specific versions of them.

Note that at this point in time, the behavior isn't yet ideal (as
/sign/:role allows adding the ref=... parameter to override the default
issuer); a later change adding role-based issuer specification will fix
this incorrect behavior.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add support root issuer generation

* Add support for issuer generate intermediate end-point

* Update issuer and key arguments to consistent values

 - Update all new API endpoints to use the new agreed upon argument names.
   - issuer_ref & key_ref to refer to existing
   - issuer_name & key_name for new definitions
 - Update returned values to always user issuer_id and key_id

* Add utility methods to fetch common ref and name arguments

 - Add utility methods to fetch the issuer_name, issuer_ref, key_name and key_ref arguments from data fields.
 - Centralize the logic to clean up these inputs and apply various validations to all of them.

* Rename common PKI backend handlers

 - Use the buildPath convention for the function name instead of common...

* Move setting PKI defaults from writeCaBundle to proper import{keys,issuer} methods

 - PR feedback, move setting up the default configuration references within
   the import methods instead of within the writeCaBundle method. This should
   now cover all use cases of us setting up the defaults properly.

* Introduce constants for issuer_ref, rename isKeyDefaultSet...

* Fix legacy PKI sign-verbatim api path

 - Addresses some test failures due to an incorrect refactoring of a legacy api
   path /sign-verbatim within PKI

* Use import code to handle intermediate, config/ca

The existing bundle import code will satisfy the intermediate import;
use it instead of the old ca_bundle import logic. Additionally, update
/config/ca to use the new import code as well.

While testing, a panic was discovered:

> reflect.Value.SetMapIndex: value of type string is not assignable to type pki.keyId

This was caused by returning a map with type issuerId->keyId; instead
switch to returning string->string maps so the audit log can properly
HMAC them.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error message on missing defaults

When the default issuer and key are missing (and haven't yet been
specified), we should clarify that error message.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update test semantics for new changes

This makes two minor changes to the existing test suite:

 1. Importing partial bundles should now succeed, where they'd
    previously error.
 2. fetchCertBySerial no longer handles CA certificates.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add support for deleting all keys, issuers

The old DELETE /root code must now delete all keys and issuers for
backwards compatibility. We strongly suggest calling individual delete
methods (DELETE /key/:key_ref or DELETE /issuer/:issuer_ref) instead,
for finer control.

In the process, we detect whether the deleted key/issuers was set as the
default. This will allow us to warn (from the single key/deletion issuer
code) whether or not the default was deleted (while allowing the
operation to succeed).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Introduce defaultRef constant within PKI

 - Replace hardcoded "default" references with a constant to easily identify various usages.
 - Use the addIssuerRefField function instead of redefining the field in various locations.

* Rework PKI test TestBackend_Root_Idempotency

 - Validate that generate/root calls are no longer idempotent, but the bundle importing
   does not generate new keys/issuers
 - As before make sure that the delete root api resets everything
 - Address a bug within the storage that we bombed when we had multiple different
   key types within storage.

* Assign Name=current to migrated key and issuer

 - Detail I missed from the RFC was to assign the Name field as "current" for migrated key and issuer.

* Build CRL upon PKI intermediary set-signed api called

 - Add a call to buildCRL if we created an issuer within pathImportIssuers
 - Augment existing FullCAChain to verify we have a proper CRL post set-signed api call
 - Remove a code block writing out "ca" storage entry that is no longer used.

* Identify which certificate or key failed

When importing complex chains, we should identify in which certificate
or key the failure occurred.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* PKI migration writes out empty migration log entry

 - Since the elements of the struct were not exported we serialized an empty
   migration log to disk and would re-run the migration

* Add chain-building logic to PKI issuers path

With the one-entry-per-issuer approach, CA Chains become implicitly
constructed from the pool of issuers. This roughly matches the existing
expectations from /config/ca (wherein a chain could be provided) and
/intemediate/set-signed (where a chain may be provided). However, in
both of those cases, we simply accepted a chain. Here, we need to be
able to reconstruct the chain from parts on disk.

However, with potential rotation of roots, we need to be aware of
disparate chains. Simply concating together all issuers isn't
sufficient. Thus we need to be able to parse a certificate's Issuer and
Subject field and reconstruct valid (and potentially parallel)
parent<->child mappings.

This attempts to handle roots, intermediates, cross-signed
intermediates, cross-signed roots, and rotated keys (wherein one might
not have a valid signature due to changed key material with the same
subject).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Return CA Chain when fetching issuers

This returns the CA Chain attribute of an issuer, showing its computed
chain based on other issuers in the database, when fetching a specific
issuer.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add testing for chain building

Using the issuance infrastructure, we generate new certificates (either
roots or intermediates), positing that this is roughly equivalent to
importing an external bundle (minus error handling during partial
imports). This allows us to incrementally construct complex chains,
creating reissuance cliques and cross-signing cycles.

By using ECDSA certificates, we avoid high signature verification and
key generation times.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow manual construction of issuer chain

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix handling of duplicate names

With the new issuer field (manual_chain), we can no longer err when a
name already exists: we might be updating the existing issuer (with the
same name), but changing its manual_chain field. Detect this error and
correctly handle it.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for manual chain building

We break the clique, instead building these chains manually, ensuring
that the remaining chains do not change and only the modified certs
change. We then reset them (back to implicit chain building) and ensure
we get the same results as earlier.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add stricter verification of issuers PEM format

This ensures each issuer is only a single certificate entry (as
validated by count and parsing) without any trailing data.

We further ensure that each certificate PEM has leading and trailing
spaces removed with only a single trailing new line remaining.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix full chain building

Don't set the legacy IssuingCA field on the certificate bundle, as we
prefer the CAChain field over it.

Additionally, building the full chain could result in duplicate
certificates when the CAChain included the leaf certificate itself. When
building the full chain, ensure we don't include the bundle's
certificate twice.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add stricter tests for full chain construction

We wish to ensure that each desired certificate in the chain is only
present once.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rename PKI types to avoid constant variable name collisions

 keyId -> keyID
 issuerId -> issuerID
 key -> keyEntry
 issuer -> issuerEntry
 keyConfig -> keyConfigEntry
 issuerConfig -> issuerConfigEntry

* Update CRL handling for multiple issuers

When building CRLs, we've gotta make sure certs issued by that issuer
land up on that issuer's CRL and not some other CRL. If no CRL is
found (matching a cert), we'll place it on the default CRL.
However, in the event of equivalent issuers (those with the same subject
AND the same key  material) -- perhaps due to reissuance -- we'll only
create a single (unified) CRL for them.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow fetching updated CRL locations

This updates fetchCertBySerial to support querying the default issuer's
CRL.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove legacy CRL storage location test case

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update to CRLv2 Format to copy RawIssuer

When using the older Certificate.CreateCRL(...) call, Go's x509 library
copies the parsed pkix.Name version of the CRL Issuer's Subject field.
For certain constructed CAs, this fails since pkix.Name is not suitable
for round-tripping. This also builds a CRLv1 (per RFC 5280) CRL.

In updating to the newer x509.CreateRevocationList(...) call, we can
construct the CRL in the CRLv2 format and correctly copy the issuer's
name. However, this requires holding an additional field per-CRL, the
CRLNumber field, which is required in Go's implementation of CRLv2
(though OPTIONAL in the spec). We store this on the new
LocalCRLConfigEntry object, per-CRL.

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add comment regarding CRL non-assignment in GOTO

In previous versions of Vault, it was possible to sign an empty CRL
(when the CRL was disabled and a force-rebuild was requested). Add a
comment about this case.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow fetching the specified issuer's CRL

We add a new API endpoint to fetch the specified issuer's CRL directly
(rather than the default issuer's CRL at /crl and /certs/crl). We also
add a new test to validate the CRL in a multi-root scenario and ensure
it is signed with the correct keys.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add new PKI key prefix to seal wrapped storage (#15126)

* Refactor common backend initialization within backend_test

 - Leverage an existing helper method within the PKI backend tests to setup a PKI backend with storage.

* Add ability to read legacy cert bundle if the migration has not occurred on secondaries.

 - Track the migration state forbidding an issuer/key writing api call if we have not migrated
 - For operations that just need to read the CA bundle, use the same tracking variable to
   switch between reading the legacy bundle or use the new key/issuer storage.
 - Add an invalidation function that will listen for updates to our log path to refresh the state
   on secondary clusters.

* Always write migration entry to trigger secondary clusters to wake up

 - Some PR feedback and handle a case in which the primary cluster does
   not have a CA bundle within storage but somehow a secondary does.

* Update CA Chain to report entire chain

This merges the ca_chain JSON field (of the /certs/ca_chain path) with
the regular certificate field, returning the root of trust always. This
also affects the non-JSON (raw) endpoints as well.

We return the default issuer's chain here, rather than all known issuers
(as that may not form a strict chain).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow explicit issuer override on roles

When a role is used to generate a certificate (such as with the sign/
and issue/ legacy paths or the legacy sign-verbatim/ paths), we prefer
that issuer to the one on the request. This allows operators to set an
issuer (other than default) for requests to be issued against,
effectively making the change no different from the users' perspective
as it is "just" a different role name.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for role-based issuer selection

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Expand NotAfter limit enforcement behavior

Vault previously strictly enforced NotAfter/ttl values on certificate
requests, erring if the requested TTL extended past the NotAfter date of
the issuer. In the event of issuing an intermediate, this behavior was
ignored, instead permitting the issuance.

Users generally do not think to check their issuer's NotAfter date when
requesting a certificate; thus this behavior was generally surprising.

Per RFC 5280 however, issuers need to maintain status information
throughout the life cycle of the issued cert. If this leaf cert were to
be issued for a longer duration than the parent issuer, the CA must
still maintain revocation information past its expiration.

Thus, we add an option to the issuer to change the desired behavior:

 - err, to err out,
 - permit, to permit the longer NotAfter date, or
 - truncate, to silently truncate the expiration to the issuer's
   NotAfter date.

Since expiration of certificates in the system's trust store are not
generally validated (when validating an arbitrary leaf, e.g., during TLS
validation), permit should generally only be used in that case. However,
browsers usually validate intermediate's validity periods, and thus
truncate should likely be used (as with permit, the leaf's chain will
not validate towards the end of the issuance period).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for expanded issuance behaviors

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning on keyless default issuer (#15178)

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update PKI to new Operations framework (#15180)

The backend Framework has updated Callbacks (used extensively in PKI) to
become deprecated; Operations takes their place and clarifies forwarding
of requests.

We switch to the new format everywhere, updating some bad assumptions
about forwarding along the way. Anywhere writes are handled (that should
be propagated to all nodes in all clusters), we choose to forward the
request all the way up to the performance primary cluster's primary
node. This holds for issuers/keys, roles, and configs (such as CRL
config, which is globally set for all clusters despite all clusters
having their own separate CRL).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Kitography/vault 5474 rebase (#15150)

* These parts work (put in signature so that backend wouldn't break, but missing fields, desc, etc.)

* Import and Generate API calls w/ needed additions to SDK.

* make fmt

* Add Help/Sync Text, fix some of internal/exported/kms code.

* Fix PEM/DER Encoding issue.

* make fmt

* Standardize keyIdParam, keyNameParam, keyTypeParam

* Add error response if key to be deleted is in use.

* replaces all instances of "default" in code with defaultRef

* Updates from Callbacks to Operations Function with explicit forwarding.

* Fixes a panic with names not being updated everywhere.

* add a logged error in addition to warning on deleting default key.

* Normalize whitespace upon importing keys.

Authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>

* Fix isKeyInUse functionality.

* Fixes tests associated with newline at end of key pem.

* Add alternative proposal PKI aliased paths (#15211)

* Add aliased path for root/rotate/:exported

This adds a user-friendly path name for generating a rotated root. We
automatically choose the name "next" for the newly generated root at
this path if it doesn't already exist.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add aliased path for intermediate/cross-sign

This allows cross-signatures to work.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add path for replacing the current root

This updates default to point to the value of the issuer with name
"next" rather than its current value.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove plural issuers/ in signing paths

These paths use a single issuer and thus shouldn't include the plural
issuers/ as a path prefix, instead using the singular issuer/ path
prefix.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Only warn if default issuer was imported

When the default issuer was not (re-)imported, we'd fail to find it,
causing an extraneous warning about missing keys, even though this
issuer indeed had a key.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing issuer sign/issue paths

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clean up various warnings within the PKI package (#15230)

* Rebuild CRLs on secondary performance clusters post migration and on new/updated issuers

 - Hook into the backend invalidation function so that secondaries are notified of
   new/updated issuer or migrations occuring on the primary cluster. Upon notification
   schedule a CRL rebuild to take place upon the next process to read/update the CRL
   or within the periodic function if no request comes in.

* Schedule rebuilding PKI CRLs on active nodes only

 - Address an issue that we were scheduling the rebuilding of a CRL on standby
   nodes, which would not be able to write to storage.
 - Fix an issue with standby nodes not correctly determining that a migration previously
   occurred.

* Return legacy CRL storage path when no migration has occurred.

* Handle issuer, keys locking (#15227)

* Handle locking of issuers during writes

We need a write lock around writes to ensure serialization of
modifications. We use a single lock for both issuer and key
updates, in part because certain operations (like deletion) will
potentially affect both.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing b.useLegacyBundleCaStorage guards

Several locations needed to guard against early usage of the new issuers
endpoint pre-migration.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address PKI to properly support managed keys (#15256)

* Address codebase for managed key fixes
* Add proper public key comparison for better managed key support to importKeys
* Remove redundant public key fetching within PKI importKeys

* Correctly handle rebuilding remaining chains

When deleting a specific issuer, we might impact the chains. From a
consistency perspective, we need to ensure the remaining chains are
correct and don't refer to the since-deleted issuer, so trigger a full
rebuild here.

We don't need to call this in the delete-the-world (DELETE /root) code
path, as there shouldn't be any remaining issuers or chains to build.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove legacy CRL bundle on world deletion

When calling DELETE /root, we should remove the legacy CRL bundle, since
we're deleting the legacy CA issuer bundle as well.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove deleted issuers' CRL entries

Since CRLs are no longer resolvable after deletion (due to missing
issuer ID, which will cause resolution to fail regardless of if an ID or
a name/default reference was used), we should delete these CRLs from
storage to avoid leaking them.

In the event that this issuer comes back (with key material), we can
simply rebuild the CRL at that time (from the remaining revoked storage
entries).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add unauthed JSON fetching of CRLs, Issuers (#15253)

Default to fetching JSON CRL for consistency

This makes the bare issuer-specific CRL fetching endpoint return the
JSON-wrapped CRL by default, moving the DER CRL to a specific endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Add JSON-specific endpoint for fetching issuers

Unlike the unqualified /issuer/:ref endpoint (which also returns JSON),
we have a separate /issuer/:ref/json endpoint to return _only_ the
PEM-encoded certificate and the chain, mirroring the existing /cert/ca
endpoint but for a specific issuer. This allows us to make the endpoint
unauthenticated, whereas the bare endpoint would remain authenticated
and usually privileged.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Add tests for raw JSON endpoints

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add unauthenticated issuers endpoints to PKI table

This adds the unauthenticated issuers endpoints?

 - LIST /issuers,
 - Fetching _just_ the issuer certificates (in JSON/DER/PEM form), and
 - Fetching the CRL of this issuer (in JSON/DER/PEM form).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add issuer usage restrictions bitset

This allows issuers to have usage restrictions, limiting whether they
can be used to issue certificates or if they can generate CRLs. This
allows certain issuers to not generate a CRL (if the global config is
with the CRL enabled) or allows the issuer to not issue new certificates
(but potentially letting the CRL generation continue).

Setting both fields to false effectively forms a soft delete capability.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* PKI Pod rotation Add Base Changelog (#15283)

* PKI Pod rotation changelog.
* Use feature release-note formatting of changelog.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
Co-authored-by: kitography <khaines@mit.edu>
2022-05-11 12:42:28 -04:00
Matt Schultz 5aabe4a5f8
Add Transit BYOK wrapping key endpoint (#15271)
* add wrapping key endpoint

* change how wrapping key is stored

* move wrapping key func to backend

* refactor wrapping key generation

* Initial unit tests for Transit wrapping key endpoint

* Wire up wrapping key unit tests to actual implementation.

* Clean up Transit BYOK wrapping key tests and imports.

* Fix Transit wrapping key endpoint formatting.

* Update transit wrapping key to use lock manager for safe concurrent use.

* Rename some Transit wrapping key variables. Ensure the Transit wrapping key is correctly typed and formatted in a unit test.

* Fix spacing issue in Transit wrapping key endpoint help string.

Co-authored-by: rculpepper <rculpepper@hashicorp.com>
2022-05-11 11:28:32 -05:00
Robert 738753b187
secrets/consul: Add support for generating tokens with service and node identities (#15295)
Co-authored-by: Thomas L. Kula <kula@tproa.net>
2022-05-09 20:07:35 -05:00
Steven Clark d80de5d9bb
Fix fmt error (#15266) 2022-05-03 10:07:23 -04:00
Scott Miller bef350c916
Allow callers to choose the entropy source for the random endpoints. (#15213)
* Allow callers to choose the entropy source for the random endpoints

* Put source in the URL for sys as well

* changelog

* docs

* Fix unit tests, and add coverage

* refactor to use a single common implementation

* Update documentation

* one more tweak

* more cleanup

* Readd lost test expected code

* fmt
2022-05-02 14:42:07 -05:00
Christopher Swenson aa6d61477e
VAULT-5827 Don't prepare SQL queries before executing them (#15166)
VAULT-5827 Don't prepare SQL queries before executing them

We don't support proper prepared statements, i.e., preparing once and
executing many times since we do our own templating. So preparing our
queries does not really accomplish anything, and can have severe
performance impacts (see
https://github.com/hashicorp/vault-plugin-database-snowflake/issues/13
for example).

This behavior seems to have been copy-pasted for many years but not for
any particular reason that we have been able to find. First use was in
https://github.com/hashicorp/vault/pull/15

So here we switch to new methods suffixed with `Direct` to indicate
that they don't `Prepare` before running `Exec`, and switch everything
here to use those. We maintain the older methods with the existing
behavior (with `Prepare`) for backwards compatibility.
2022-04-26 12:47:06 -07:00
kitography 87fa42db66
Fix the AllowedValues and description on "key_type" on the roles endpoint. (#15184) 2022-04-26 13:26:43 -04:00
Rémi Lapeyre bf4c4595f3
secrets/consul: Add support to auto-bootstrap Consul ACL system (#10751)
* Automatically bootstraps the Consul ACL system if no management token is given on the access config
2022-04-20 17:16:15 -05:00
Conor Mongey 9c294f1ef0
Bootstrap Nomad ACL system if no token is given (#12451)
* Bootstrap Nomad ACL system if no token is given

Similar to the [Bootstrap the Consul ACL system if no token is given][boostrap-consul]
it would be very useful to bootstrap Nomads ACL system and manage it in
Vault.

[boostrap-consul]:https://github.com/hashicorp/vault/pull/10751

* Add changelog entry

* Remove debug log line

* Remove redundant else

* Rename Nomad acl bootstrap param

* Replace sleep with attempt to list nomad leader, setup will retry until successful

* fmt
2022-04-20 11:06:25 -07:00
Steven Clark cb16c478e7
Refactor enterprise PKI managed key code (OSS) (#15102)
- As part of the PKI rotation project we need to hook into some of the functions
   that were factored out for managed keys in regards to key handling within the
   CA bundles.
 - Refactor the codebase so that we only extract managed key stuff from oss/ent
   and not additional business logic.
2022-04-20 13:46:01 -04:00
Hamid Ghaf 6ff678000e
deprecating Legacy MFA (#14869)
* deprecating Legacy MFA

* removing legacy MFA doc json entry

* CL

* changing the link to legacy MFA in CL

* removing legacy MFA stuff from credentials' cli
2022-04-19 21:19:34 -04:00
Christopher Swenson 457f28240e
VAULT-5827 Update mongodb, brotli (#15093)
VAULT-5827 Update mongodb, brotli

Closes https://github.com/hashicorp/vault-plugin-secrets-mongodbatlas/issues/11

* `brotli` 1.0.1 was withdrawn
* `go-client-mongodb-atlas` has an old dependency on a renamed repo, and
  has been renamed twice. This caused issues in
  https://github.com/hashicorp/vault-plugin-secrets-mongodbatlas/issues/11
  for example.
* VAULT-5827 Set unwrap token during database tests

The unwrap token is necessary for the plugins to start correctly when
running when running acceptance tests locally, e.g.,

```
$ VAULT_MONGODBATLAS_PROJECT_ID=... VAULT_MONGODBATLAS_PRIVATE_KEY=... VAULT_MONGODBATLAS_PUBLIC_KEY=... TEST='-run TestBackend_StaticRole_Rotations_MongoDBAtlas github.com/hashicorp/vault/builtin/logical/database'  make test

--- FAIL: TestBackend_StaticRole_Rotations_MongoDBAtlas (5.33s)
    rotation_test.go:818: err:%!s(<nil>) resp:&logical.Response{Secret:<nil>, Auth:<nil>, Data:map[string]interface {}{"error":"error creating database object: invalid database version: 2 errors occurred:\n\t* Unrecognized remote plugin message: PASS\n\nThis usually means that the plugin is either invalid or simply\nneeds to be recompiled to support the latest protocol.\n\t* Incompatible API version with plugin. Plugin version: 5, Client versions: [3 4]\n\n"}, Redirect:"", Warnings:[]string(nil), WrapInfo:(*wrapping.ResponseWrapInfo)(nil), Headers:map[string][]string(nil)}
```

Note the `PASS` message there, which indicates that the plugin exited
before starting the RPC server.
2022-04-19 15:26:22 -07:00
Hamid Ghaf 299d3f096e
supporting google authenticator with Okta auth (#14985)
* supporting google authenticator with Okta auth

* minor fix

* CL

* feedback

* Update changelog/14985.txt

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* updating docs

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-04-14 08:37:04 -04:00
Vishal Nayak ad3bf3173c
Warnings indicating ignored and replaced parameters (#14962)
* Warnings indicating ignored and replaced parameters

* Avoid additional var creation

* Add warnings only if the response is non-nil

* Return the response even when error is non-nil

* Fix tests

* Rearrange comments

* Print warning in the log

* Fix another test

* Add CL
2022-04-11 09:57:12 -04:00
Jose Estrada 103dd2ad0b
aws auth displayName (#14954)
* set displayName to include RoleSessionName
2022-04-08 14:37:49 -07:00
Anton Averchenkov 23a3f950e4
Revert the WithContext changes to vault tests (#14947) 2022-04-07 15:12:58 -04:00
Alexander Scheel 12d875c188
Fix handling of SignatureBits for ECDSA issuers (#14943)
When adding SignatureBits control logic, we incorrectly allowed
specification of SignatureBits in the case of an ECDSA issuer. As noted
in the original request, NIST and Mozilla (and others) are fairly
prescriptive in the choice of signatures (matching the size of the
NIST P-curve), and we shouldn't usually use a smaller (or worse, larger
and truncate!) hash.

Ignore the configuration of signature bits and always use autodetection
for ECDSA like ed25519.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-04-07 11:52:59 -04:00
Steven Clark 78a9a50cc9
Add extra test coverage to PKI (#14767)
* Add PKI test for delete role

 - Create a role, validate that defaults are what we expect
   and delete the role, verifying it is gone on subsequent read
   attempts.

* Add PKI test for crl/rotate command

 - Missing a unit test that validates the crl/rotate command works. The test validates the rotate command was successful
   by checking if we have a different/new update time on the CRL.

* Rework PKI TestBackend_PathFetchValidRaw test to not write directly to storage

 - Rework the existing test to not write directly to storage as we might change that in the future.
 - Add tests that validate the ca_chain behaviour of not returning the root authority cert

* PR Feedback

* Additional PR feedback
2022-04-06 09:14:41 -04:00
Alexander Scheel 8904f2a55a
Fix handling of default zero SignatureBits value with Any key type in PKI Secrets Engine (#14875)
* Correctly handle minimums, default SignatureBits

When using KeyType = "any" on a role (whether explicitly or implicitly
via a sign-verbatim like operation), we need to update the value of
SignatureBits from its new value 0 to a per-key-type default value. This
will allow sign operations on these paths to function correctly, having
the correctly inferred default signature bit length.

Additionally, this allows the computed default value for key type to be
used for minimum size validation in the RSA/ECDSA paths. We additionally
enforce the 2048-minimum in this case as well.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix defaults and validation of "any" KeyType

When certutil is given the placeholder any keytype, it attempts to
validate and update the default zero value. However, in lacking a
default value for SignatureBits, it cannot update the value from the
zero value, thus causing validation to fail.

Add more awareness to the placeholder "any" value to certutil.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add role-based regression tests for key bits

This adds regression tests for Key Type, Key Bits, and Signature Bits
parameters on the role. We test several values, including the "any"
value to ensure it correctly restricts key sizes.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add sign-verbatim test for key type

This ensures that we test sign-verbatim against a variety of key types.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-04-04 15:26:54 -04:00
Steven Clark f31dee885b
Address semgrep 0.86.x breakage (#14771)
* Fix semgrep 0.86.5 parsing failures
 - semgrep https://github.com/returntocorp/semgrep/pull/4671 seems to have
   introduce this parsing failure within version 0.86.0 and higher
 - Workaround parsing failure by breaking out the if error check.

* Pin semgrep version to 0.86.5

* Fix formatting issues
2022-03-30 15:03:21 -04:00
Chris Capurso 1454c8ea88
add value length check to approle createHMAC (#14746)
* add value length check to approle createHMAC

* add changelog entry

* fix changelog entry
2022-03-29 14:43:35 -04:00
Steven Clark 30a404c0a0
Add PKI CA workflow test (#14760)
- Add some extra validation that the certificates issued and generated
   are signed by the expected public keys
2022-03-29 14:02:59 -04:00
Ben Ash 287bb77abc
Ensure that URL encoded passwords are properly redacted. (#14744)
The URL password redaction operation did not handle the case where the
database connection URL was provided as a percent-encoded string, and
its password component contained reserved characters. It attempted to
redact the password by replacing the unescaped password in the
percent-encoded URL. This resulted in the password being revealed when
reading the configuration from Vault.
2022-03-29 10:33:55 -04:00
Anton Averchenkov 1222375d1a
Add context-aware functions to vault/api (#14388) 2022-03-23 17:47:43 -04:00
Steven Clark 1358134801
PKI: Add missing default cases within switch statements (#14661)
* Misc PKI code fixes.

 - Harden the code base a bit adding default's to switch statements
   to various error handlers and processing statements.
 - Fixup some error messages to include proper values we support.

* Additional default case missing within PKI

* Fix typo in PKI error message
2022-03-23 15:19:56 -04:00
Steven Clark 6c7eb4f08b
Add error check when looking up public key info for a managed key within PKI (#14639)
* Add error check when looking up public key info for a managed key within PKI

* Trap use case that an unknown public key is returned to PKI through managed keys
2022-03-22 13:20:14 -04:00
Victor Rodriguez 717514c044
Use FieldData.GetOkError() to access required Transit parameters. (#14593)
Instead of using the field FieldData.Raw, use method GetOkError() which does
type conversion but still allows to check whether a value for the parameter was
provided. Note that GetOkError() converts nil values to default or zero values,
so, for example, a nil plaintext value will result in the empty string being
encrypted.
2022-03-18 16:10:38 -04:00
Alexander Scheel ff62a34487
Update more PKI documentation (#14490)
* Update description of certificate fetch API

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify /config/crl and /config/url PKI are empty

GET-ing these URLs will return 404 until such time as a config is posted
to them, even though (in the case of CRL), default values will be used.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify usage of /pki/crl/rotate

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update documentation around PKI key_bits

This unifies the description of key_bits to match the API description
(which is consistent across all usages).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix indented field descriptions in PKI paths

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify documentation around serial_number

Note that this field has no impact on the actual Serial Number field and
only an attribute in the requested certificate's Subject.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix spelling of localdomain

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-03-15 14:37:26 -04:00
Jason O'Donnell dd4a3b339e
auth/ldap: add username_as_alias config flag (#14324) 2022-03-15 10:21:40 -04:00
Scott Miller f753db2783
OSS side changes for PKI HSM type handling fix (#14364) 2022-03-03 15:30:18 -06:00
Alexander Scheel 97a86e1bd5
Remove duplicated certificates from chains (#14348)
As reported by Steve Clark, building an intermediate mount in PKI (and
calling /intermediate/set-signed) results in a duplicate intermediate CA
certificate in the full chain output (ca_chain field of the
/cert/ca_chain API endpoint response).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-03-03 09:47:34 -05:00
John-Michael Faircloth 14e231563f
db plugin multiplexing: add test coverage (#14330)
* db plugin multiplexing: add test coverage

* refactor: pass factory func directly
2022-03-03 08:40:46 -06:00
Alexander Scheel 630c6bf915
Add warning when generate_lease=no_store=true when writing PKI role (#14292)
* Add warning when generate_lease=no_store=true

When no_store=true, the value of generate_lease is ignored completely
(and set to false). This means that when generate_lease=true is
specified by the caller of the API, it is silently swallowed. While
changing the behavior could break callers, setting a warning on the
response (changing from a 204->200 in the process) seems to make the
most sense.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-28 13:55:12 -05:00
Alexander Scheel 6d18c3adaa
Sync PKI API and FrameworkField descriptions (#14286)
As pointed out internally, a lot of the API docs and FrameworkField
descriptions of parameters were out of date. This syncs a number of
them, updating their descriptions where relevant.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-25 14:06:41 -05:00
Steven Clark e7edaaffee
Force certain PKI operations to go to the Primary Performance cluster immediately (#14287) 2022-02-25 13:26:34 -05:00
Lars Lehtonen 2697050aba
builtin/logical/transit: fix dropped test error (#14244) 2022-02-24 09:20:47 -05:00
Alexander Scheel 11c5068533
Add role parameter to restrict issuance of wildcard certificates (#14238)
* Add new AllowWildcardCertificate field to PKI role

This field allows the PKI role to control whether or not issuance of
wildcard certificates are allowed. We default (both on migration and
new role creation) to the less secure true value for backwards
compatibility with existing Vault versions.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor sanitizedName to reducedName

Per comment, this variable name was confusing during the reproduction
and subsequent fix of the earlier vulnerability and associated bug
report. Because the common name isn't necessarily _sanitized_ in any way
(and indeed must be considered in relation to other parts or the whole),
but portions of the entire name are removed, reducedName appears to make
the most sense.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Enforce AllowWildcardCertificates during issuance

This commit adds the bulk of correctly validating wildcard certificate
Common Names during issuance according to RFC 6125 Section 6.4.3
semantics. As part of this, support for RFC 2818-conforming wildcard
certificates (wherein there are almost no restrictions on issuance) has
been removed.

Note that this flag does take precedence over AllowAnyName, giving a
little more safety in wildcard issuance in this case.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update test cases to conform with RFC 6125

Test cases 19, 70+71, and 83+84 didn't conform with the RFC 6125, and so
should've been rejected under strict conformance. For 70+71 and 83+84,
we previously conditioned around the value of AllowSubdomains (allowing
issuance when true), but they likely should've been rejected either way.

Additionally, update the notes about globs matching wildcard
certificates to notate this is indeed the case.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Check AllowWildcardCertifciates in issuance tests

This allows for regression tests to cover the new
AllowWildcardCertificate conditional. We add additional test cases
ensuring that wildcard issuance is properly forbidden in all relevant
scenarios, while allowing the existing test cases to validate that
wildcard status doesn't affect non-wildcard certificates.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add Wildcard allowance during signing operations

When using sign-verbatim, sign-intermediate, or getting certificate
generation parameters, set AllowWildcardCertificates to mirror existing
policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-24 08:41:56 -05:00
Alexander Scheel 1877fc16d7
Fix broken interactions between glob_domains and wildcards (#14235)
* Allow issuance of wildcard via glob match

From Vault v1.8.0 onwards, we would incorrectly disallow issuance of a
wildcard certificate when allow_glob_domain was enabled with a
multi-part glob domain in allowed_domains (such as *.*.foo) when
attempting to issue a wildcard for a subdomain (such as *.bar.foo).

This fixes that by reverting an errant change in the case insensitivity
patch. Here, when validating against a very powerful glob construct, we
leave the wildcard prefix (*.) from the raw common_name element, to
allow multi-part globs to match wildcard entries.

It is important to note that "sanitizedName" is an incorrect variable
naming here. Wildcard parsing (per RFC 6125 which supercedes RFC 2818)
must be in the left-most segment of the domain, but we lack validation
to ensure no internal wildcards exist. Additionally per item 3 of
section 6.4.3 of RFC 6125, wildcards MAY be internal to a domain
segment, in which case sanitizedName again leaves the wildcard in place.

Resolves: #13530

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove duplicate email address check

As pointed out by Steven Clark (author of the removed conditional in
70012cd865b3dcdab376dba0c0e0abc88c48f508), this is duplicate from the
now-reintroduced comparison against name (versus the erroneous
sanitizedName at the time of his commit).

This is a reversion of the changes to builtin/logical/pki/cert_util.go,
but keeping the additional valuable test cases.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add multi-dimensional PKI role issuance tests

This commit introduces multi-dimensional testing of PKI secrets engine's
role-based certificate issuance with the intent of preventing future
regressions.

Here, dimensions of testing include:

 - AllowedDomains to decide which domains are approved for issuance,
 - AllowBareDomains to decide if raw entries of AllowedDomains are
   permitted,
 - AllowGlobDomains to decide if glob patterns in AllowedDomains are
   parsed,
 - AllowSubdomains to decide if subdomains of AllowedDomains are
   permitted,
 - AllowLocalhost to decide if localhost identifiers are permitted, and
 - CommonName of the certificate to request.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-02-23 16:44:09 -05:00
Victor Rodriguez 448fe34391
Check that all required fields in Transit API are present. (#14074)
* Check that all required fields in Transit API are present.

* Check for missing plaintext/ciphertext in batched Transit operations.
2022-02-22 16:00:25 -05:00
Steven Clark c1e80aeff9
Add checks for other error types within the PKI plugin (#14195)
* Add checks for other error types within the PKI plugin

 - The PKI plugin assumes the code it is calling always returns an error
   of type errutil.UserError or errutil.InternalError. While I believe
   so far this is still true, it would be easy to add a code path that
   just returns a generic error and we would completely ignore it.
 - This was found within some managed key testing where I forgot to wrap
   an error within one of the expected types

* Add changelog
2022-02-22 14:39:21 -05:00
Alexander Scheel d72fb08884
Allow OpenSSH-style key type identifiers (#14143)
* Allow OpenSSH-style key type identifiers

To bring better parity with the changes of #14008, wherein we allowed
OpenSSH-style key identifiers during generation. When specifying a list
of allowed keys, validate against both OpenSSH-style key identifiers
and the usual simplified names as well ("rsa" or "ecdsa"). Notably, the
PKI secrets engine prefers "ec" over "ecdsa", so we permit both as well.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix missing quote in docs
2022-02-18 17:48:16 -05:00
Alexander Scheel f0dc3a553f
Switch to secure signing algorithm for SSH secrets engine (#14006)
* Explicitly call out SSH algorithm_signer default

Related: #11608

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use rsa-sha2-256 as the default SSH CA hash algo

As mentioned in the OpenSSH 8.2 release notes, OpenSSH will no longer be
accepting ssh-rsa signatures by default as these use the insecure SHA-1
algorithm.

For roles in which an explicit signature type wasn't specified, we
should change the default from SHA-1 to SHA-256 for security and
compatibility with modern OpenSSH releases.

See also: https://www.openssh.com/txt/release-8.2

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update docs mentioning new algorithm change

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix missing parenthesis, clarify new default value

* Add to side bar

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-18 10:44:01 -05:00
swayne275 24d512f0d1
Cleanup bool checks (#14102)
* clean up == true cases

* cleanup == false where it didn't seem to hurt readability
2022-02-18 07:35:53 -07:00
Calvin Leung Huang 2a937fe717
plugin/catalog: support plugin registration when type is explicitly provided (#14142)
* plugin/catalog: support plugin registration whe type is explicitly provided

* don't use database type on plugin backend test; mock doesn't satisfy the DB interface

* check multiplexing support from plugin directly on newPluginClient

* do not return mutiplexed bool on catalog helper funcs
2022-02-17 18:40:33 -08:00
Calvin Leung Huang c839fc78d8
auth/ldap: add resp warning if userfilter doesn't consider userattr (#14095)
* auth/ldap: add resp warning if userfilter doesn't consider userattr

* add changelog entry
2022-02-17 17:19:44 -08:00
Lars Lehtonen 7d9ba86145
builtin/logical/pki: fix dropped test error (#14140) 2022-02-17 17:44:42 -05:00
Alexander Scheel 45c028a2fb
Allow specifying multiple allowed SSH key lengths (#13991)
* Allow specifying multiple allowed SSH key lengths

In the ssh secrets engine, only a single allowed key length was allowed
for each algorithm type. However, many algorithms have multiple safe
values (such as RSA and ECDSA); allowing a single role to have multiple
values for a single algorithm is thus helpful.

On creation or update, roles can now specify multiple types using a list
or comma separated string of allowed values:

    allowed_user_key_lengths: map[string][]int{"rsa": []int{2048, 4096}}

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Break out ssh upgrade logic into separate function

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update parseutil for optional lists of integers

    go get -u github.com/hashicorp/go-secure-stdlib/parseutil
    go mod tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Simplify parse logic using new parseutil

The newly introduced parseutil.ParseIntSlice handles the more
complicated optional int-like slice logic for us.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-17 15:36:56 -05:00
Jordan Reimer b936db8332
Revert "MFA (#14049)" (#14135)
This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 13:17:59 -07:00
Jordan Reimer 36ccfaa3aa
MFA (#14049)
* adds development workflow to mirage config

* adds mirage handler and factory for mfa workflow

* adds mfa handling to auth service and cluster adapter

* moves auth success logic from form to controller

* adds mfa form component

* shows delayed auth message for all methods

* adds new code delay to mfa form

* adds error views

* fixes merge conflict

* adds integration tests for mfa-form component

* fixes auth tests

* updates mfa response handling to align with backend

* updates mfa-form to handle multiple methods and constraints

* adds noDefault arg to Select component

* updates mirage mfa handler to align with backend and adds generator for various mfa scenarios

* adds tests

* flaky test fix attempt

* reverts test fix attempt

* adds changelog entry

* updates comments for todo items

* removes faker from mfa mirage factory and handler

* adds number to word helper

* fixes tests

* Revert "Merge branch 'main' into ui/mfa"

This reverts commit 8ee6a6aaa1b6c9ec16b985c10d91c3806819ec40, reversing
changes made to 2428dd6cca07bb41cda3f453619646ca3a88bfd0.

* format-ttl helper fix from main
2022-02-17 09:10:56 -07:00
John-Michael Faircloth 1cf74e1179
feature: multiplexing support for database plugins (#14033)
* feat: DB plugin multiplexing (#13734)

* WIP: start from main and get a plugin runner from core

* move MultiplexedClient map to plugin catalog
- call sys.NewPluginClient from PluginFactory
- updates to getPluginClient
- thread through isMetadataMode

* use go-plugin ClientProtocol interface
- call sys.NewPluginClient from dbplugin.NewPluginClient

* move PluginSets to dbplugin package
- export dbplugin HandshakeConfig
- small refactor of PluginCatalog.getPluginClient

* add removeMultiplexedClient; clean up on Close()
- call client.Kill from plugin catalog
- set rpcClient when muxed client exists

* add ID to dbplugin.DatabasePluginClient struct

* only create one plugin process per plugin type

* update NewPluginClient to return connection ID to sdk
- wrap grpc.ClientConn so we can inject the ID into context
- get ID from context on grpc server

* add v6 multiplexing  protocol version

* WIP: backwards compat for db plugins

* Ensure locking on plugin catalog access

- Create public GetPluginClient method for plugin catalog
- rename postgres db plugin

* use the New constructor for db plugins

* grpc server: use write lock for Close and rlock for CRUD

* cleanup MultiplexedClients on Close

* remove TODO

* fix multiplexing regression with grpc server connection

* cleanup grpc server instances on close

* embed ClientProtocol in Multiplexer interface

* use PluginClientConfig arg to make NewPluginClient plugin type agnostic

* create a new plugin process for non-muxed plugins

* feat: plugin multiplexing: handle plugin client cleanup (#13896)

* use closure for plugin client cleanup

* log and return errors; add comments

* move rpcClient wrapping to core for ID injection

* refactor core plugin client and sdk

* remove unused ID method

* refactor and only wrap clientConn on multiplexed plugins

* rename structs and do not export types

* Slight refactor of system view interface

* Revert "Slight refactor of system view interface"

This reverts commit 73d420e5cd2f0415e000c5a9284ea72a58016dd6.

* Revert "Revert "Slight refactor of system view interface""

This reverts commit f75527008a1db06d04a23e04c3059674be8adb5f.

* only provide pluginRunner arg to the internal newPluginClient method

* embed ClientProtocol in pluginClient and name logger

* Add back MLock support

* remove enableMlock arg from setupPluginCatalog

* rename plugin util interface to PluginClient

Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>

* feature: multiplexing: fix unit tests (#14007)

* fix grpc_server tests and add coverage

* update run_config tests

* add happy path test case for grpc_server ID from context

* update test helpers

* feat: multiplexing: handle v5 plugin compiled with new sdk

* add mux supported flag and increase test coverage

* set multiplexingSupport field in plugin server

* remove multiplexingSupport field in sdk

* revert postgres to non-multiplexed

* add comments on grpc server fields

* use pointer receiver on grpc server methods

* add changelog

* use pointer for grpcserver instance

* Use a gRPC server to determine if a plugin should be multiplexed

* Apply suggestions from code review

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* add lock to removePluginClient

* add multiplexingSupport field to externalPlugin struct

* do not send nil to grpc MultiplexingSupport

* check err before logging

* handle locking scenario for cleanupFunc

* allow ServeConfigMultiplex to dispense v5 plugin

* reposition structs, add err check and comments

* add comment on locking for cleanupExternalPlugin

Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2022-02-17 08:50:33 -06:00
Robert 91f5069c03
secret/consul: Add Consul ACL roles support (#14014)
Co-authored-by: Brandon Ingalls <brandon@ingalls.io>
2022-02-16 19:31:08 -06:00
Chris Capurso 6059b65ed9
fix approle login IPBelongsToCIDRBlocksSlice err handling (#14107)
* fix approle login IPBelongsToCIDRBlocksSlice err handling

* add changelog entry
2022-02-16 16:30:11 -05:00
Matt Schultz c379e41c4c
Rename transit's auto_rotate_interval to auto_rotate_period for consistency and to achieve formatting benefits in CLI output. Update UI handling of the renamed field to account for recent data type change from time string to integral seconds. (#14103) 2022-02-16 14:33:13 -06:00
Alexander Scheel f45ad6e284
Fix ed25519 generated SSH key marshalling (#14101)
* Ensure we can issue against generated SSH CA keys

This adds a test to ensure that we can issue leaf SSH certificates using
the newly generated SSH CA keys. Presently this fails because the
ed25519 key private is stored using PKIX's PKCS8 PrivateKey object
format rather than using OpenSSH's desired private key format:

> path_config_ca_test.go:211: bad case 12: err: failed to parse stored CA private key: ssh: invalid openssh private key format, resp: <nil>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add dependency on edkey for OpenSSH ed25519 keys

As mentioned in various terraform-provider-tls discussions, OpenSSH
doesn't understand the standard OpenSSL/PKIX ed25519 key structure (as
generated by PKCS8 marshalling). Instead, we need to place it into the
OpenSSH RFC 8709 format. As mentioned in this dependency's README,
support in golang.org/x/crypto/ssh is presently lacking for this.
When the associated CL is merged, we should be able to remove this dep
and rely on the (extended) standard library, however, no review progress
appears to have been made since the CL was opened by the author.

See also: https://go-review.googlesource.com/c/crypto/+/218620/

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-16 14:28:57 -05:00
Matt Schultz 50b86240e8
Return integral seconds for transit auto_rotate_interval instead of a time string. (#14078)
* Return integral seconds for transit auto_rotate_interval instead of a time string.

* Fix transit unit tests around auto_rotate_interval.
2022-02-15 14:05:58 -06:00
Alexander Scheel 3da261518b
Allow generation of other types of SSH CA keys (#14008)
* Add generation support for other SSH CA key types

This adds two new arguments to config/ca, mirroring the values of PKI
secrets engine but tailored towards SSH mounts. Key types are specified
as x/crypto/ssh KeyAlgo identifiers (e.g., ssh-rsa or ssh-ed25519)
and respect current defaults (ssh-rsa/4096). Key bits defaults to 0,
which for ssh-rsa then takes a value of 4096.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on key_type, key_bits for ssh/config/ca

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-15 14:14:05 -05:00
Jim Kalafut 0712ef13fc
Allow auto-detection of AWS region when using the vault CLI (#14051) 2022-02-14 12:01:27 -08:00
Robert d0832a1993
secret/consul: Add support for consul namespaces and admin partitions (#13850)
* Add support for consul namespaces and admin partitions
2022-02-09 15:44:00 -06:00
Alexander Scheel 26c993107d
Allow all other_sans in sign-intermediate and sign-verbatim (#13958)
* Allow all other_sans in sign-intermediate and sign-verbatim

/sign-verbatim and /sign-intermediate are more dangerous endpoints in
that they (usually) do not have an associated role. In this case, a
permissive role is constructed during execution of these tests. However,
the AllowedOtherSANs field was missing from this, prohibiting its use
when issuing certificates.

Resolves: #13157

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-09 10:09:19 -05:00
Scott Miller f226d0103f
Add duration/count metrics to PKI issue and revoke flows (#13889)
* Add duration/count metrics to PKI issue and revoke flows

* docs, changelog

* tidy

* last tidy

* remove err

* Update callsites

* Simple returns

* Handle the fact that test cases don't have namespaces

* Add mount point to the request

* fmt

* Handle empty mount point, and add it to unit tests

* improvement

* Turns out sign-verbatim is tricky, it can take a role but doesn't have to

* Get around the field schema problem
2022-02-08 10:37:40 -06:00
Alexander Scheel a0feefb2fa
Use application/pem-certificate-chain for PEMs (#13927)
* Use application/pem-certificate-chain for PEMs

As mentioned in #10948, it appears we're incorrectly using the
`application/pkix-cert` media type for PEM blobs, when
`application/x-pem-file` is more appropriate. Per RFC 5280 Section
4.2.1.13, `application/pkix-crl` is only appropriate when the CRL is in
DER form. Likewise, Section 4.2.2.1 states that `application/pkix-cert`
is only applicable when a single DER certificate is used.

Per recommendation in RFC 8555 ("ACME"), Section 7.4.2 and 9.1, we use
the newer `application/pem-certificate-chain` media type for
certificates. However, this is not applicable for CRLs, so we use fall
back to `application/x-pem-file` for these. Notably, no official IETF
source is present for the latter. On the OpenSSL PKI tutorial
(https://pki-tutorial.readthedocs.io/en/latest/mime.html), this type is
cited as coming from S/MIME's predecessor, PEM, but neither of the main
PEM RFCs (RFC 934, 1421, 1422, 1423, or 1424) mention this type.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-08 08:12:33 -05:00
Alexander Scheel 33a9218115
Add full CA Chain to /pki/cert/ca_chain response (#13935)
* Include full chain in /cert/ca_chain response

This allows callers to get the full chain (including issuing
certificates) from a call to /cert/ca_chain. Previously, most endpoints
(including during issuance) do not include the root authority, requiring
an explicit call to /cert/ca to fetch. This allows full chains to be
constructed without without needing multiple calls to the API.

Resolves: #13489

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test case for full CA issuance

We test three main scenarios:

 1. A root-only CA's `/cert/ca_chain`'s `.data.ca_chain` field should
    contain only the root,
 2. An intermediate CA (with root provide) should contain both the root
    and the intermediate.
 3. An external (e.g., `/config/ca`-provided) CA with both root and
    intermediate should contain both certs.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation for new ca_chain field

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about where to find the entire chain

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-07 14:37:01 -05:00
Andrew Briening ed457aeae7
Adds "raw(/pem)" format to individual cert routes (#10947) (#10948)
Similar to "/pki/ca(/pem)" routes to retrieve
certificates in raw or pem formats, this adds
"pki/cert/{serial}/raw(/pem)" routes for any
certificate.
2022-02-07 09:47:13 -05:00
Tom Proctor 5032cfaf47
Add make fmt CI check (#13803)
* Add make fmt CI check

* Don't suppress patch output
2022-01-31 23:24:16 +00:00
Gregory Harris c260d35ab1
Support Y10K value in notAfter field when signing non-CA certificates (#13736)
* Support Y10K value in notAfter field when signing non-CA certificates

* Add changelog entry for 13736

* Add test for using not_after parameter for non-CA certificates that are being signed

* Fix CA value for test for not_after value when signing non-CA certs

* Address formatting

* Add changelog file

* Revert changelog entry commit f28b54e7b5ad21144c8a2da942d766e64a332caf
2022-01-31 15:37:50 -06:00
Victor Rodriguez e58c80801e
Add new parameter managed_key_id for PKI CA key generation. (#13825) 2022-01-28 11:14:20 -05:00
Josh Black d249fad2df
reformat using 'make fmt' (#13794) 2022-01-27 10:06:34 -08:00
Matt Schultz b8f46407dd
Fix a transit deadlock (#13795)
* Fix a transit deadlock caused by indefinite lock holding in key autorotation.

* Move down manual policy locking in transit autorotation to avoid NPE.

* Wrap conditional transit key autorotation in a function to allow for cleaner policy lock management.

* Remove a dnagling continue statement from transit key autorotation.
2022-01-27 06:57:11 -06:00
Steven Clark 43087c96b2
OSS integration of the PKI plugin with managed key infrastructure (#13793)
- The OSS side of things to leverage managed keys from the PKI secrets engine
2022-01-26 23:06:25 -05:00
Scott Miller 4ee5a8b1cd
PKI - Allow performance secondaries to generate and store certificates locally to them (#13759)
* PKI - Allow performance secondaries to generate and store certificates locally to them

* changelog

Co-authored-by: divyapola5 <divya@hashicorp.com>
2022-01-24 10:03:04 -06:00
Jason O'Donnell 974dbf6082
auth/ldap: Add username to alias.metadata.name (#13669)
* Fix upndomain bug causing alias name to change

* Fix nil map

* Add changelog

* revert

* Update changelog

* Add test for alias metadata name

* Fix code comment
2022-01-20 12:30:26 -05:00
Matt Schultz fc7deabfd7
Time-based transit key autorotation (#13691)
* Add auto_rotate_interval field to transit key creation path.

* Add auto_rotate_interval field to transit key config update path.

* Implement transit automatic key rotation on an hourly interval.

* Fixes transit key autorotation key listing typo.

* Add unit tests for transit key autorotation.

* Add unit tests for transit key creation with autorotation interval.

* Add unit tests for transit key config update with autorotation interval.

* Document new auto_rotate_interval fields in key creation and key config update endpoints.

* Add changelog for transit key autorotation.

* Wrap individual transit key autorotation in a policy lock.

* Add a safeguard to transit key autorotation to ensure only one execution happens simultaneously.
2022-01-20 09:10:15 -06:00
divyapola5 d9c9d06710
Add validation for nonce size when we aren't in convergent encryption mode within transit backend (#13690)
* Add validation for nonce size when we aren't in convergent encryption mode within transit backend

* Add changelog entry
2022-01-19 13:02:49 +05:30
Lars Lehtonen 8a3501b7f0
builtin/credential/aws: fix dropped test error (#13609) 2022-01-10 08:58:20 -05:00
Scott Miller 89f617a97c
Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
Peter Verraedt 504a8efd01
auth/cert: Add certificate extensions as metadata (#13348)
* auth/cert: Add certificate extensions as metadata

Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>

* Add changelog for #13348

Signed-off-by: Peter Verraedt <peter.verraedt@kuleuven.be>
2022-01-03 13:38:16 -08:00
divyapola5 e8a8853fcc
Replace '-' with ':' when listing certificate serial numbers (#13468)
* CLI changes for new mount tune config parameter allowed_managed_keys

* Correct allowed_managed_keys description in auth and secrets

* Documentation update for secrets and removed changes for auth

* Add changelog and remove documentation changes for auth

* removed changelog

* Correct the field description

* Replace - with : when listing certificate serials
2021-12-17 13:33:05 -06:00
Pete Bohman ccc1098ea3
Add allowed_uri_sans_template (#10249)
* Add allowed_uri_sans_template

Enables identity templating for the allowed_uri_sans field in PKI cert roles.

Implemented as suggested in #8509

* changelog++

* Update docs with URI SAN templating
2021-12-15 09:18:28 -06:00
John-Michael Faircloth a2da7b17f8
github auth: use org id to verify creds (#13332)
* github auth: use org id to verify creds

* add check for required org param; add test case

* update UTs

* add nil check for org

* add changelog

* fix typo in ut

* set org ID if it is unset; add more ut coverage

* add optional organization_id

* move client instantiation

* refactor parse URL; add UT for setting org ID

* fix comment in UT

* add nil check

* don't update org name on change; return warning

* refactor verifyCredentials

* error when unable to fetch org ID on config write; add warnings

* fix bug in log message

* update UT and small refactor

* update comments and log msg

* use getter for org ID
2021-12-14 16:37:19 -06:00
Alexander Scheel 31ff2be589
Add universal default key_bits value for PKI endpoints (#13080)
* Allow universal default for key_bits

This allows the key_bits field to take a universal default value, 0,
which, depending on key_type, gets adjusted appropriately into a
specific default value (rsa->2048, ec->256, ignored under ed25519).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Handle universal default key size in certutil

Also move RSA < 2048 error message into certutil directly, instead of in
ca_util/path_roles.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing RSA key sizes to pki/backend_test.go

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to returning updated values

When determining the default, don't pass in pointer types, but instead
return the newly updated value.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Re-add fix for ed25519 from #13254

Ed25519 internally specifies a hash length; by changing the default from
256 to 0, we fail validation in ValidateSignatureLength(...) unless we
specify the key algorithm.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2021-12-13 15:26:42 -05:00
Steven Clark 834f0bd8ee
Fix test validating convergent encryption behaviour across key types (#13371)
- The test was attempting to test the convergent encryption behaviour
  with several key types but the common function never used the passed
  in key type. So we ran the test with the default aes256-gcm96 only.
2021-12-10 12:55:50 -05:00
Steven Clark f158382f56
Warn user supplying nonce values in FIPS mode for transit encryption requests (#13366)
* Warn user supplying nonce values in FIPS mode for transit encryption requests

 - Send back a warning within the response if an end-user supplies nonce
   values that we use within the various transit encrypt apis.
 - We do not send a warning if an end-user supplies a nonce value but we
   don't use it.
 - Affected api methods are encrypt, rewrap and datakey
 - The warning is only sent when we are operating in FIPS mode.
2021-12-08 14:37:25 -05:00
Matt Schultz 85f5cfc356
Adds support for SHA-3 to transit (#13367)
* Adding support for SHA3 in the transit backend.

* Adds SHA-3 tests for transit sign/verify path. Adds SHA-3 tests for logical system tools path hash functionality. Updates documentation to include SHA-3 algorithms in system tools path hashing.

* Adds changelog entry.

Co-authored-by: robison jacka <robison@packetized.io>
2021-12-08 12:29:33 -06:00
Theron Voran 81e8ad438e
aws/logical: fix backend test (#13323)
Remove the `[:64]` from
`TestAcceptanceBackend_AssumedRoleWithPolicyDoc()` since max length is
handled in `generateUniqueRoleName()`
2021-12-01 10:44:22 -08:00
Theron Voran 8353c27c24
tests: Add iam_tags to expected responses (#13150)
Update the AWS auth backend acceptance tests to account for the new
`iam_tags` field that comes back on responses.

* marked only tests requiring creds as acceptance

Renamed TestBackend_* to TestAcceptanceBackend_* if the test requires
AWS credentials. Otherwise left the name as TestBackend_* and set
`AcceptanceTest: false`.

* ensure generated names aren't too long

IAM roles and users have a 64 character limit, and adding Acceptance
to the test names was putting some over the length limit, so modified
generateUniqueName() to take a max length parameter and added
functions for each type of name generation (user, role, group).
2021-11-29 16:00:42 -08:00
Navaneeth Rameshan 4e05632881
recognize ed25519 key type and return PKCS8 format (#13257)
* return pkcs8 format for ed25519 curve

convertRespToPKCS8 does not recognize the ed25519 key. Changes
to recognize ed25519 key and return its PKCS8 format
2021-11-24 14:24:06 -05:00
Nick Cabatoff c01b993bd3
Fix regression in returning empty value for approle cidrlist. (#13235) 2021-11-23 12:13:47 -05:00
Matt Schultz 0abd248c9f
Return non-retryable errors on transit encrypt and decrypt failures (#13111)
* Return HTTP 400s on transit decrypt requests where decryption fails. (#10842)

* Don't abort transit batch encryption when a single batch item fails.

* Add unit tests for updated transit batch decryption behavior.

* Add changelog entry for transit encrypt/decrypt batch abort fix.

* Simplify transit batch error message generation when ciphertext is empty.

* Return error HTTP status codes in transit on partial batch decrypt failure.

* Return error HTTP status codes in transit on partial batch encrypt failure.

* Properly account for non-batch transit decryption failure return. Simplify transit batch decryption test data. Ensure HTTP status codes are expected values on batch transit batch decryption partial failure.

* Properly account for non-batch transit encryption failure return. Actually return error HTTP status code on transit batch encryption failure (partial or full).
2021-11-15 15:53:22 -06:00
Alexander Scheel cd213f5fca
Restrict ECDSA/NIST P-Curve hash function sizes for cert signing (#12872)
* Restrict ECDSA signatures with NIST P-Curve hashes

When using an ECDSA signature with a NIST P-Curve, we should follow
recommendations from BIS (Section 4.2) and Mozilla's root store policy
(section 5.1.2) to ensure that arbitrary selection of signature_bits
does not exceed what the curve is capable of signing.

Related: #11245

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to certutil.ValidateKeyTypeSignatureLength(...)

Replaces previous calls to certutil.ValidateKeyTypeLength(...) and
certutil.ValidateSignatureLength(...) with a single call, allowing for
curve<->hash validation.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to autodetection of signature_bits

This enables detection of whether the caller manually specified a value
for signature_bits or not; when not manually specified, we can provision
a value that complies with new NIST P-Curve policy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Select hash function length automatically

Due to our change in behavior (to default to -1 as the value to
signature_bits to allow for automatic hash selection), switch
ValidateKeyTypeSignatureLength(...) to accept a pointer to hashBits and
provision it with valid default values.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prevent invalid Curve size lookups

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch from -1 to 0 as default SignatureBits

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2021-11-12 12:18:38 -05:00
skhilar 7adacfaf03
Added notAfter and support Y10K expiry for IEEE 802.1AR-2018 (#12795) 2021-11-10 19:09:06 -05:00
Victor Rodriguez 991ab5aeed
VAULT-444: Use sync.RWMutex rather than DeadlockRWMutex in PKI backend. (#13018) 2021-11-02 17:02:54 -04:00
Victor Rodriguez f6e35369f0
VAULT-444: Add PKI tidy-status endpoint. (#12885)
VAULT-444: Add PKI tidy-status endpoint.

Add metrics so that the PKI tidy status can be monitored using telemetry as well.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2021-11-02 11:12:49 -04:00
Scott Miller 33edf1f556
Flip the semantics of the matching key algorithms in sign-self-issued. (#12988)
* Document allow_different_signature_algorithm param

* Flip the semantics of different key types for sign self issued

* More language tweaks

* Fix the field definition description

* Rework differenttype test for the new flag

* typo
2021-11-01 14:42:25 -05:00
VAL a44505dd06
Native Login method for Go client (#12796)
* Native Login method, userpass and approle interfaces to implement it

* Add AWS auth interface for Login, unexported struct fields for now

* Add Kubernetes client login

* Add changelog

* Add a test for approle client login

* Return errors from LoginOptions, use limited reader for secret ID

* Fix auth comment length

* Return actual type not interface, check for client token in tests

* Require specification of secret ID location using SecretID struct as AppRole arg

* Allow password from env, file, or plaintext

* Add flexibility in how to fetch k8s service token, but still with default

* Avoid passing strings that need to be validated by just having different login options

* Try a couple real tests with approle and userpass login

* Fix method name in comment

* Add context to Login methods, remove comments about certain sources being inherently insecure

* Perform read of secret ID at login time

* Read password from file at login time

* Pass context in integ tests

* Read env var values in at login time, add extra tests

* Update api version

* Revert "Update api version"

This reverts commit 1ef3949497dcf878c47e0e5ffcbc8cac1c3c1679.

* Update api version in all go.mod files
2021-10-26 16:48:48 -07:00
Guillaume b9b7f5a9a3
Added support for a LDAP user search filter. Documentation, tests and UI included (#11000) 2021-10-26 10:39:12 -07:00
Alexander Scheel 6e069e94ca
Fix PKI Weak Cryptographic Key Lenghths Warning (#12886)
* Modernize SSH key lengths

No default change was made in this commit; note that the code already
enforced a default of 2048 bits. ssh-keygen and Go's RSA key generation
allows for key sizes including 3072, 4096, 8192; update the values of
SSH key generation to match PKI's allowed RSA key sizes (from
certutil.ValidateKeyTypeLength(...)). We still allow the legacy SSH key
size of 1024; in the near future we should likely remove it.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure minimum of 2048-bit PKI RSA keys

While the stated path is a false-positive, verifying all paths is
non-trivial. We largely validate API call lengths using
certutil.ValidateKeyTypeLength(...), but ensuring no other path calls
certutil.generatePrivateKey(...) --- directly or indirectly --- is
non-trivial. Thus enforcing a minimum in this method sounds like a sane
compromise.

Resolves: https://github.com/hashicorp/vault/security/code-scanning/55

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2021-10-26 09:30:09 -04:00
Nick Cabatoff ff74f49047
Move to go 1.17 (#12868)
Also ensure that the go 1.17 breaking changes to net.ParseCIDR don't make us choke on stored CIDRs that were acceptable to older Go versions.
2021-10-21 09:32:03 -04:00
vinay-gopalan 4834bb854c
[VAULT-3008] Update RabbitMQ dependency and fix regression in UserInfo.Tags in v3.9 (#12877) 2021-10-20 09:46:37 -07:00
Philipp Hossner 824f097a7d
Let allowed_users template mix templated and non-templated parts (#10886)
* Let allowed_users template mix templated and non-templated parts (#10388)

* Add documentation

* Change test function names

* Add documentation

* Add changelog entry
2021-10-19 15:00:15 -07:00
ludewigh 0b95a394d4
Fix auth/aws so that config/rotate-root saves new key pair to vault (#12715)
* test:  add test to verify Vault storage is updated

* bug: fix config/rotate-root to store new key

* choir: fix changelog name to match PR
2021-10-19 10:26:47 -04:00
Brian Kassouf c705adc79c
Fix some linting errors (#12860) 2021-10-18 17:29:47 -07:00
Steven Clark 3428de017a
Forbid ssh key signing with specified extensions when role allowed_extensions is not set (#12847)
* Forbid ssh key signing with specified extensions when role allowed_extensions is not set

 - This is a behaviour change on how we process the allowed_extensions role
   parameter when it does not contain a value. The previous handling allowed
   a client to override and specify any extension they requested.
 - We now require a role to explicitly set this behaviour by setting the parameter
   to a '*' value which matches the behaviour of other keys such as allowed_users
   within the role.
 - No migration of existing roles is provided either, so operators if they truly
   want this behaviour will need to update existing roles appropriately.
2021-10-15 17:55:18 -04:00
Rémi Lapeyre 308806eee3
Return 404 response when looking for a secret_id_accessor that does not exist (#12788)
* Return 404 response when looking for an secret_id_accessor that does not exist

Closes https://github.com/hashicorp/vault/issues/12660
2021-10-11 15:07:51 +01:00
Anner J. Bonilla 8c29f49e1a
Add support for ed25519 (#11780)
* update azure instructions

Update instructions in regards to azure AD Authentication and OIDC

* Initial pass of ed25519

* Fix typos on marshal function

* test wip

* typo

* fix tests

* missef changelog

* fix mismatch between signature and algo

* added test coverage for ed25519

* remove pkcs1 since does not exist for ed25519

* add ed25519 support to getsigner

* pull request feedback

Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>

* typo on key

Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>

* cast mistake

Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2021-10-05 11:28:49 -04:00
Lars Lehtonen 838e20778d
builtin/logical/consul: fix dropped test error (#12733) 2021-10-05 12:09:13 +01:00
Steven Clark fa57ba0ccf
Fix 1.8 regression preventing email addresses being used as common name within pki certificates (#12336) (#12716)
* Fix 1.8 regression preventing email addresses being used as common name within pki certs (#12336)

* Add changelog
2021-10-04 14:02:47 -04:00
divyapola5 2a194a0804
Add missing read unlock calls in transit backend code (#12652)
* Add missing read unlock calls in transit backend code

* Correct formatting in changelog entry
2021-09-28 11:59:30 -05:00
Calvin Leung Huang 7ad62f5be4
core: set namespace within GeneratePasswordFromPolicy (#12635)
* core: set namespace from the sysview's mount entry on GeneratePasswordFromPolicy

* test: update TestDynamicSystemView to be ns-aware, update tests

* add changelog entry
2021-09-27 09:08:07 -07:00
Calvin Leung Huang 3826042daf
test: pin docker image on postgres to 13.4-buster (#12636)
* test: pin docker image on postgres to 13.4-buster

* test: update all tests that uses postgres image to use 13.4-buster
2021-09-27 08:38:39 -07:00
Hridoy Roy dbd178250e
Port: Premature Rotation For autorotate (#12563)
* port of ldap fix for early cred rotation

* some more porting

* another couple lines to port

* final commits before report

* remove deadlock

* needs testing

* updates

* Sync with OpenLDAP PR

* Update the update error handling for items not found in the queue

* WIP unit tests
* Need to configure DB mount correctly, with db type mockv5
* Need to find a way to inject errors into that mock db

* throw error on role creation failure

* do not swallow error on role creation

* comment out wip tests and add in a test for disallowed role

* Use newly generated password in WAL

Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>

* return err on popFromRotationQueueByKey error; cleanup on setStaticAccount

* test: fix TestPlugin_lifecycle

* Uncomment and fix unit tests
* Use mock database plugin to inject errors
* Tidy test code to rely less on code internals where possible
* Some stronger test assertions

* Undo logging updates

* Add changelog

* Remove ticker and background threads from WAL tests

* Keep pre-existing API behaviour of allowing update static role to act as a create

* Switch test back to update operation

* Revert my revert, and fix some test bugs

* Fix TestBackend_StaticRole_LockRegression

* clean up defer on TestPlugin_lifecycle

* unwrap reqs on cleanup

* setStaticAccount: don't hold a write lock

* TestStoredWALsCorrectlyProcessed: set replication state to unknown

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2021-09-21 17:45:04 -07:00
Scott Miller 241a78a2f2
Use the system rand reader for SSH keypair generation (#12560)
* Use the system rand reader for SSH keypair generation

* changelog
2021-09-15 11:59:28 -05:00
Scott Miller 33d7dc5fb4
Use the system rand reader for CA root and intermediate generation (#12559)
* Use the system rand reader for CA root and intermediate generation

* changelog
2021-09-15 11:59:12 -05:00
Scott Miller 6f18a9b6be
Allow signing self issued certs with a different public key algorithm. (#12514)
* WIP: Unset the certificate's SignatureAlgorithm to allown cross-signing of different key types

* Allow signing self issued certs with a different public key algorithm

* Remove cruft

* Remove stale import

* changelog

* eliminate errwrap

* Add a test to cover the lack of opt-in flag

* Better comment

Co-authored-by: catsby <clint@ctshryock.com>
2021-09-14 10:07:27 -05:00
divyapola5 30563097ea
Enforce minimum cache size for transit backend (#12418)
* Enforce Minimum cache size for transit backend

* enfore minimum cache size and log a warning during backend construction

* Update documentation for transit backend cache configuration

* Added changelog

* Addressed review feedback and added unit test

* Modify code in pathCacheConfigWrite to make use of the updated cache size

* Updated code to refresh cache size on transit backend without restart

* Update code to acquire read and write locks appropriately
2021-09-13 16:44:56 -05:00
jhart-cpi fa1611f427
improvement: add signature_bits field to CA and signers (#11245)
This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs.  This is a
potentially useful stepping stone for a SHA3 transition down the line.

Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
2021-09-10 14:39:05 -07:00
Jacob Burroughs 65029f8c8f
Fix pkcs7 parsing in some cases (#12519)
* Fix pkcs7 parsing in some cases

brings in https://github.com/mozilla-services/pkcs7/pull/61 from upstream

In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```

This fixes logins on those instances.  Note we could not readily ascertain why
some instances have those certificates and others don't.

* Add changelog entry

* Correct missed line
2021-09-10 12:17:03 -04:00
Blake Hitchcock cf15a60a87
Send x-forwarded-for in Okta Push Factor request (#12320)
* Send x-forwarded-for in Okta Push Factor request

Why:

In order for Okta to properly report the location of the authentication
attempt, the X-Forwarded-For header must be included in the request to
Okta (if it exists).

This change addresses the need by:

* Duplicating the value of X-Forwarded-For if it's passed through to the
  auth backend

* Add changelog entry for 12320
2021-09-03 13:09:11 -07:00
Lars Lehtonen 5af6d5f07f
builtin/logical/aws: fix dropped test error (#12417) 2021-08-26 15:55:39 +01:00
Jason O'Donnell b55e1a31fc
creds/aws: Add support for DSA signature verification for EC2 (#12340)
* creds/aws: import pkcs7 verification package

* Add DSA support

* changelog

* Add DSA to correct verify function

* Remove unneeded tests

* Fix backend test

* Update builtin/credential/aws/pkcs7/README.md

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update builtin/credential/aws/path_login.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2021-08-19 09:16:31 -04:00
vinay-gopalan 23770cc2a7
Update genUsername to cap STS usernames at 32 chars (#12185)
* update genUsername to cap STS usernames at 64 chars

* add changelog

* refactor tests into t.Run block

* patch: remove warningExpected bool and include expected string

* patch: revert sts to cap at 32 chars and add assume_role case in genUsername

* update changelog

* update genUsername to return error if username generated exceeds length limits

* update changelog

* add conditional default username template to provide custom STS usernames

* update changelog

* include test for failing STS length case

* update comments for more clarity
2021-08-09 09:40:47 -07:00
Lars Lehtonen 7f6602d017
builtin/credential/cert: fix dropped test error (#12184) 2021-07-28 13:19:23 -07:00
Scott Miller 653bfef52e
Forward cert signing requests to the primary on perf secondaries as well as perf standbys (#12180) 2021-07-28 10:21:01 -05:00
Nick Cabatoff 03b2208f04
Pin RabbitMQ and Cassandra docker image versions (#12174)
* Work around rabbitmq regression with UserInfo.Tags in rabbitmq 3.9: use v3.8 docker image in tests.

* Also pin cassandra docker image version to 3.11 (4.00 was making tests fail)
2021-07-27 08:45:32 -04:00
Jeff Mitchell 33ff878946
Move awsutil over to the go-secure-stdlib version (#12128)
Unlike the other libraries that were migrated, there are no usages of
this lib in any of our plugins, and the only other known usage was in
go-kms-wrapping, which has been updated. Aliasing it like the other libs
would still keep the aws-sdk-go dep in the sdk module because of the
function signatures. So I've simply removed it entirely here.
2021-07-20 20:42:00 -04:00
Lars Lehtonen a9153d7348
builtin/logical/database: fix dropped test errors (#12123) 2021-07-20 11:13:50 -07:00
Jeff Mitchell fb473a8b9b
Swap out stepwise for external repo version (#12089) 2021-07-20 13:20:23 -04:00
vinay-gopalan 859b60cafc
[VAULT-1969] Add support for custom IAM usernames based on templates (#12066)
* add ability to customize IAM usernames based on templates

* add changelog

* remove unnecessary logs

* patch: add test for readConfig

* patch: add default STS Template

* patch: remove unnecessary if cases

* patch: add regex checks in username test

* patch: update genUsername to return an error instead of warnings

* patch: separate tests for default and custom templates

* patch: return truncate warning from genUsername and trigger a 400 response on errors

* patch: truncate midString to 42 chars in default template

* docs: add new username_template field to aws docs
2021-07-20 09:48:29 -07:00
swayne275 ed361ee8da
Fix minor typo in Internals/Plugins documentation (#12113)
* fix minor plugin doc typo

* fix limits of of typo and related

* forgot to save on this typo fix
2021-07-20 07:21:24 -06:00
Jeff Mitchell f7147025dd
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090)
* Swap sdk/helper libs to go-secure-stdlib

* Migrate to go-secure-stdlib reloadutil

* Migrate to go-secure-stdlib kv-builder

* Migrate to go-secure-stdlib gatedwriter
2021-07-15 20:17:31 -04:00
Austin Gebauer d1c090fe63
secrets/database: fixes external plugin reconnect after shutdown for v4 and v5 interface (#12087)
* secrets/database: fixes external plugin shutdown reconnect for v5 interface

* adds changelog entry

* fixes handling of plugin shutdown for password generation on v4 interface
2021-07-15 13:41:04 -07:00
vinay-gopalan c20b5f1040
[VAULT-1986] Cap AWS Token TTL based on Default Lease TTL (#12026)
* fix: cap token TTL at login time based on default lease TTL

* add changelog file

* patch: update warning messages to not include 'at login'

* patch: remove default lease capping and test

* update changelog

* patch: revert warning message
2021-07-15 10:05:38 -07:00
Jeff Mitchell fe18b6f9e0
Swap out sdk/helper libs with implementations in go-secure-stdlib (#12088)
* Swap out sdk/helper libs with implementations in go-secure-stdlib

* Fix transit batch test
2021-07-15 01:56:37 -04:00
Martin Lee 10f29e0503
base32.DecodeString expects length 8 for the buffer (#11887)
Add padding to the input key to ensure it reaches that length.
2021-07-14 07:38:10 -04:00
Lars Lehtonen b6f990d1b6
builtin/logical/nomad: fix dropped test errors (#12052) 2021-07-13 07:28:46 -04:00
Lars Lehtonen 0196f43cbe
builtin/logical/pki: fix dropped test errors (#12013) 2021-07-08 10:14:38 -04:00
Lars Lehtonen 159272db7f
builtin/credential/approle: fix dropped test errors (#11990) 2021-07-05 11:00:12 -04:00
Marc Boudreau 3c35a25d36
Fix for Issue 11863 - Panic when creating/updating approle role with token_type (#11864)
* initializing resp variable with aa *logical.Response before using it to add warning for default-service or default-batch token type.  Also adding guard around code that sets resp to a new logical.Response further on in the function.

* adding changelog entry

* renaming changelog file to match PR number
2021-06-24 13:03:41 -04:00
MilenaHC 5483eba5fc
RabbitMQ - Add username customization (#11899)
* add username customization for rabbitmq

* add changelog for rabbitmq

* Update builtin/logical/rabbitmq/path_config_connection.go

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>

* updating API docs

* moved to changelog folder

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2021-06-22 14:50:46 -05:00
John-Michael Faircloth 096a354626
approle: convert Callbacks to Operations (#11893)
* approle: convert Callbacks to Operations

The usage of oldstyle "Callbacks" is causing the `cannot write to readonly
storage` error message when `login` is attempted against a performance standby.

Use the newstyle "Operations" and additionally set the Forward
parameters to forward the request to the Active vault node.

* add changelog

* do not forward for alias lookahead operation

* remove forward fields and remove changelog

- Because this request is an UpdateOperation, it should have automatically been
routed to the primary/active by the router before it reaches the backend.
- changelog should not be needed as this change is only a refactor with
no user-facing behavior changes.
2021-06-21 13:38:22 -05:00
rerorero 9ebb14bab3
Fix: Transit encrypt batch does not honor key_version (#11628)
* fix(secret/transit): #10232 Transit encrypt batch does not honor key_version

* add changelog for 11628
2021-05-27 14:05:20 -05:00