Commit graph

17184 commits

Author SHA1 Message Date
Alexander Scheel a32342507f
Enforce proper URL in ACME headers (#20357)
See RFC 8555 Section 6.4.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-25 16:47:52 -04:00
Alexander Scheel 000df9559a
Start container-based PKI ACME tests (#20320)
* Start ACME containerized test suite

This starts a containerized ACME test suite using containers, running
both Vault and Certbot (in standalone mode) in the container to ensure
we successfully issue certificates.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to using hashicorp mirror

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-25 19:11:35 +00:00
Ryan Cragun 33098fd1ae
enos: use initial version variable in autopilot (#20349)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-04-25 12:37:11 -06:00
Braulio Gomes Rodrigues 627fe60044
Vault change doc main couchbase (#20314)
* changing chouchbase host variable

* Alterando linha 82 couchbase

* Changing couchbase host address in main document
2023-04-25 10:21:25 -07:00
Alexander Scheel 918305d450
Fix issuer patch of leaf_not_after_behavior (#20341)
* Fix patching issuer leaf_not_after_behavior

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for patching leaf_not_after_behavior

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-25 11:02:13 -04:00
Nick Cabatoff 1e433add83
Add ent-specific test binary build rules (#20334)
This fixes the binary building on ent, except because I ran into problems with the binary-based tests there, I've included a bunch of `github.repository != 'hashicorp/vault-enterprise'` conditions to disable the binary building.  I'll fix the test problems in a future PR and remove those repo conditions.
2023-04-25 10:49:34 -04:00
Luis (LT) Carbonell 8b4ce9c1c2
Re-run Milestone Check when Milestones are Applied (#20299)
* re-run when milestones are applied

* update milestone check conditions
2023-04-25 08:49:43 -05:00
Steven Clark 47605c0d48
Add support to load roles and issuers within ACME wrapper (#20333)
* Add support to load roles and issuers within ACME wrapper

* Add missing go doc to new test

* PR feedback

 - Move field definitions into fields.go
 - Update wording and associated errors to some role failures.
 - Add missing ':' to error messages
2023-04-25 13:29:07 +00:00
miagilepner 7d631cb44f
VAULT-15791: Update docs to use vault-java-driver fork (#20316) 2023-04-25 11:08:05 +02:00
Ryan Cragun b74e4bc781
enos: use artifactory release for auto-pilot upgrade (#20332)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-04-24 18:57:08 +00:00
Nick Cabatoff 22b00eba12
Add support for docker testclusters (#20247) 2023-04-24 14:25:50 -04:00
Ryan Cragun a889ba1205
enos: always use the initial release during upgrades (#20321)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-04-24 18:00:44 +00:00
Jaymala 2893342c60
Fix script to verify docs changes (#20317)
Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2023-04-24 13:16:01 -04:00
Nick Cabatoff 3ddb69bd2b
Fix docs-nav-data.json that I broke in #20312 (#20322) 2023-04-24 13:10:53 -04:00
Nick Cabatoff 4d42b08644
Add guidelines for agent/server version compatibility (#20312) 2023-04-24 11:49:50 -04:00
Nick Cabatoff b7e6090a21
Move all checkout@v2 users to v3. (#20315) 2023-04-24 15:25:58 +00:00
Nick Cabatoff 313957b911
Add tests based on vault binary (#20224)
First steps towards docker-based tests: tests using vault binary in -dev or -dev-three-node modes.
2023-04-24 09:57:37 -04:00
Braulio Gomes Rodrigues 03fa9432a4
changing chouchbase host variable (#19812)
* changing chouchbase host variable

* Alterando linha 82 couchbase
2023-04-24 13:56:56 +00:00
Nick Cabatoff 75ad9a1de8
Bump the sdk go version to 1.20, document when go versions should be updated (#20278) 2023-04-24 08:44:39 -04:00
Hamid Ghaf 0cd138c0eb
use tab in Makefile instead of spaces (#20305) 2023-04-24 04:51:37 -07:00
Ryan Cragun deeb1ece5b
[QT-530] enos: allow-list all public IP addresses (#20304)
The security groups that allow access to remote machines in Enos
scenarios have been configured to only allow port 22 (SSH) from the
public IP address of machine executing the Enos scenario. To achieve
this we previously utilized the `enos_environment.public_ip_address`
attribute. Sometime in mid March we started seeing sporadic SSH i/o
timeout errors when attempting to execute Enos resources against SSH
transport targets. We've only ever seen this when communicating from
Azure hosted runners to AWS hosted machines.

While testing we were able to confirm that in some cases the public IP
address resolved using DNS over UDP4 to Google and OpenDNS name servers
did not match what was resolved when using the HTTPS/TCP IP address
service hosted by AWS. The Enos data source was implemented in a way
that we'd attempt resolution of a single name server and only attempt
resolving from the next if previous name server could not get a result.
We'd then allow-list that single IP address. That's a problem if we can
resolve two different public IP addresses depending our endpoint address.

This change utlizes the new `enos_environment.public_ip_addresses`
attribute and subsequent behavior change. Now the data source will
attempt to resolve our public IP address via name servers hosted by
Google, OpenDNS, Cloudflare, and AWS. We then return a unique set of
these IP addresses and allow-list all of them in our security group. It
is our hope that this resolves these i/o timeout errors that seem like
they're caused by the security group black-holing our attempted access
because the IP we resolved does not match what we're actually exiting
with.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-04-23 16:25:32 -06:00
Josh Black 4b9599fddb
update website docs for new update-primary mode (#20302) 2023-04-21 15:21:28 -07:00
Marc Boudreau 895564d615
Provide Descriptive Error when Enterprise-only Paths Called in Open-source Version (#18870)
* define ent paths in OSS codebase with common handler

* fixup! define ent paths in OSS codebase with common handler

* add missing path

* retain existing behaviour for replication/status path

* remove commented out path
2023-04-21 16:14:40 -04:00
Mike Palmiotto 8001d76e28
Refactor reporter for unseal setup (#20296) 2023-04-21 15:29:37 -04:00
Alexander Scheel d7f67b8856
Add additional fields to LIST issuers for Web UI (#20276)
* Add additional fields to LIST issuers for Web UI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 18:16:16 +00:00
Christopher Swenson 1415d47da8
Add symbols back to the build to fix Dynatrace support (#20294) 2023-04-21 17:15:56 +00:00
John Children bebe6dcaa0
Docs: Fix k8s injector templating example (#20271)
From every other example I can find, the secret name in the template should match the one in the inject annotation. Indeed the same example appears in the examples page.

https://github.com/hashicorp/vault/blob/main/website/content/docs/platform/k8s/injector/examples.mdx#patching-existing-pods
2023-04-21 17:12:13 +00:00
Alexander Scheel dfb29f3b96
Add ACME DNS validator (#20293)
* Add DNS challenge validation to ACME

This allows us to validate against wildcard domain names, as the HTTP-01
challenge does not support wildcard validation.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Properly delay challenge retry attempts

Previously we'd essentially semi-busy wait for a challenge to become
retry-able, as the queue itself had no knowledge of the retry after
value of the validation attempt. Now, we plumb through this value into
the queue itself, to aide selection of validations to attempt.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 13:08:27 -04:00
melmus c5d10e0b8b
doc/Update service_registration if use Vault HA (#19920)
* Update service_registration if use Vault HA

* Update protocol

* Minor updates for style consistency

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-04-21 17:04:25 +00:00
Anton Averchenkov 3c76d90156
Small fixes for OpenAPI display attributes (#20285) 2023-04-21 17:04:12 +00:00
Alexander Scheel 3c8c46e172
Better ACME wildcard validation (#20289)
* Refactor wildcard validation checks

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add helper to determine if identifier is wildcard

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Better validate wildcard acceptance

This correctly validates wildcards to contain only a leading prefix
(*.) and must include another label, also ensuring that the remaining
domain components pass non-IP and IDNA validation, and removing them
from display on the authorization. Finally, we restrict the challenge
types available for various combinations of IP, DNS, and wildcard
addresses.

This then updates the tests to validate this as well.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-21 12:54:19 -04:00
Jaymala e3a39f4adc
[QT-517] Skip builds for docs PRs (#20036)
* [QT-517] Skip builds for docs changes

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* [QT-545] Enable Enos tests to also run on forked PRs

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

* Add comments and fix CI errors

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>

---------

Signed-off-by: Jaymala Sinha <jaymala@hashicorp.com>
2023-04-21 10:58:47 -04:00
Steven Clark 5a7173a154
Implement ACME CSR signing and certificate retrieval (#20266)
* WIP: Implement ACME CSR signing and certificate retrieval

* Add some validations within the ACME finalize API

 - Validate that the CSR we were given matches the DNS names
   and IP addresses within the order
 - Validate that the CSR does not share the same public as the
   account

* Gate ACME finalize order validating all authorizations are in valid state
2023-04-21 09:38:06 -04:00
miagilepner 564a7227e4
VAULT-15668: fix windows issues with -dev-tls flag (#20257)
* fix -dev-tls flag on windows

* changelog

* fix only hcl config

* fix import

* fmt
2023-04-21 10:54:38 +02:00
Luis (LT) Carbonell d308c31cbf
Add Configurable LDAP Max Page Size (#19032)
* Add config flag for LDAP max page size

* Add changelog

* move changelog to correct file

* cleanup

* Default to non-paged searching for with -1

* Update website/content/api-docs/auth/ldap.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update website/content/docs/auth/ldap.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update tests

---------

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
2023-04-20 20:39:27 +00:00
Josh Black 1ae09ca6b6
OSS changes for new update-primary API endpoint (#20277)
* OSS changes for new update-primary API endpoint

* remove ENT specific piece

* remove another ENT specific field
2023-04-20 13:13:37 -07:00
Austin Gebauer eaf67b7c0e
Add OIDC provider docs for IBM ISAM (#19247)
* Add OIDC provider docs for IBM ISAM

* Add changelog, api docs and docs-nav-data

---------

Co-authored-by: Benjamin Voigt <benjamin.voigt@god.dev>
2023-04-20 11:30:59 -07:00
Alexander Scheel f0279b0d31
Move OCSP/PKI interop test to PKI engine (#20273)
This prevents SDK from having a circular import on the main Vault
package.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-20 14:57:20 +00:00
Chelsea Shaw 879844d300
UI: OIDC provider logo fix (#20263)
* glimmerize role-jwt model, update test for use new case

* Fix issue #8949

* Update test

* Add changelog
2023-04-19 14:30:18 -05:00
Nick Cabatoff 9e34c0b543
Add new method to access a client config's TLSConfig. (#20265) 2023-04-19 15:14:18 -04:00
Nick Cabatoff 21f3977639
Use a current version of etcd (#20261)
Use a current version of etcd, remove the replace hack in go.mod that was intended to be temporary.
2023-04-19 14:17:11 -04:00
Alexander Scheel 189a776307
Add warnings to crl rebuilds, allowing notifying operator of empty issuer equivalency sets (#20253)
* Add infrastructure for warnings on CRL rebuilds

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning on issuer missing KU for CRL Signing

When an entire issuer equivalency class is missing CRL signing usage
(but otherwise has key material present), we should add a warning so
operators can either correct this issuer or create an equivalent version
with KU specified.

Resolves: https://github.com/hashicorp/vault/issues/20137

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for issuer warnings

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix return order of CRL builders

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-19 16:55:37 +00:00
Hugo Puntos dae5489787
Fix link for the tutorial about Key Management Secrets Engine with GCP Cloud KMS (#19418) 2023-04-19 12:43:21 -04:00
Alexander Scheel 005d989230
Add acme challenge validation engine (#20221)
* Allow creating storageContext with timeout

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add challenge validation engine to ACME

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Initialize the ACME challenge validation engine

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Trigger challenge validation on endpoint submission

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix GetKeyThumbprint to use raw base64

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Point at localhost for testing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add cleanup of validation engine

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-19 12:31:19 -04:00
claire bontempo 5f64520dac
UI: remove references to comma separation for string array edit types (#20163)
* remove intercepting helpText

* add subtext directly to StringList input component

* update tests and add coverage for new openapi-attrs util

* update test

* add warning validation to input

* lol is this right i dont know go

* literally no idea what im doing

* add Description to display attrs struct

* update struct comment

* add descriptions to remaining go fields

* add missing comma

* remaining commas..."

* add description to display attrs

* update tests

* update tests

* add changelog;

* Update ui/app/utils/openapi-to-attrs.js

* update tests following backend changes

* clearly name variable

* format files

* no longer need to test for modified tooltip since coming from backend now
2023-04-19 16:16:30 +00:00
Chelsea Shaw d115fda4e0
UI: Remove usage of htmlSafe (#20235) 2023-04-19 15:40:33 +00:00
Jason O'Donnell b5822e612b
cli/namespace: add detailed flag to namespace list (#20243)
* cli/namespace: add detailed flag to namespace list

* changelog
2023-04-19 09:31:51 -04:00
Alexander Scheel 45acac0e64
Return OCSP errors on cert auth login failures (#20234)
* Return OCSP errors on cert auth login failures

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to immediately returning the first match

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-19 08:54:45 -04:00
Sohil Kaushal 5424eb2e8f
docs(postgresql): Update Postgresql SE API doco (#19931)
* docs(postgresql): Update Postgresql SE API doco

Update the postgresql secret engine API docs to include some "caveats"
of the pgx library. In particular, this enhances the docs to inform the
user that if any sslcreds are supplied as a part of the Database
connection string, the user/vault admin will need to ensure that the
certificates are present at those paths.

* Chore: fixup minor error with db docs

* Keep the language simple

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-04-19 00:17:44 +00:00
Yoko Hyakuna e7a43f86ba
[Docs] Mark the 'policies' parameter as deprecated for tokens (#20238)
* Mark the 'policies' parameter as deprecated

* Update website/content/partials/tokenfields.mdx

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

---------

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2023-04-18 23:55:05 +00:00