Commit graph

17184 commits

Author SHA1 Message Date
Tom Proctor f2d8762679
Docs: CSI encoding config released in v1.3.0 (#20237) 2023-04-18 23:55:25 +01:00
Nathan Handler ad1c669d4b
Fix Indentation in Kubernetes Auth Example (#20216)
In the Kubernetes Auth Code Example, the indentation for the `auth` import is off, causing it to not be indented the same amount as the previous `vault` import. This change ensures that both imports use the same indentation.
2023-04-18 15:23:25 -07:00
Yura Shutkin 7de8a3bc31
Update wrapping-unwrap.mdx (#20109)
* Update wrapping-unwrap.mdx

It is possible to unwrap data without authentication in Vault. I've added an example of a curl request.

* Add changelog record
2023-04-18 14:20:27 -07:00
claire bontempo f4928cf7cb
Run UI tests on PRs with "ui" label (#20209)
* add conditional for label

* VAULT-14643 link jira
2023-04-18 12:03:35 -07:00
mickael-hc e258df032d
Add discuss links to changelog entries for previous releases (#20195)
* Update entries for 2023-03 release

* Update entries for 2023-02 release series

* update entries for 2022-07 release series

* update links

* update links
2023-04-18 14:54:41 -04:00
Jason O'Donnell bb82c679ad
docs/debug: add example policy for debug command (#20232) 2023-04-18 14:17:19 -04:00
Rachel Culpepper 074c9a5da2
add changelog for shamir change (#19566) 2023-04-18 16:34:43 +00:00
Max Bowsher 91abc177bb
Minor follow-ups to #16865 (#20220)
* Minor follow-ups to #16865

Fix PKI issuer upgrade logic when upgrading to 1.12 or later, to
actually turn off the issuer crl-signing usage when it intended to.

Fix minor typo in docs.

* changelog
2023-04-18 07:39:05 -04:00
Robert 750bc180ab
build: try creating the go bin directory (#19862)
* Try creating the output directory to ensure it always exists

* Use GOBIN path over GOPATH/bin if it is set
2023-04-17 22:57:17 +00:00
Milena Zlaticanin 42400699c0
add missing mongodb atlas fields to the docs (#20207) 2023-04-17 14:10:07 -07:00
Jason O'Donnell 6d9180f900
sdk/ldap: update interface to use DialURL (#20200)
* sdk/ldap: update interface to use DialURL

* Fix scheme

* Fix race condition

* Add tls config dialopt
2023-04-17 16:34:10 -04:00
Alexander Scheel 13dd4c0a99
Add ACME HTTP-01 Challenge (#20141)
* Add HTTP challenge validator

This will attempt to safely validate HTTP challenges, following a
limited number of redirects and timing out after too much time has
passed.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test for ValidateKeyAuthorization

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test cases for ValidateHTTP01Challenge

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add token to HTTP challenge

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-17 15:23:04 -04:00
Steven Clark 7361ce1e57
Add tests for fetching ACME authorizations and challenges (#20205)
- Add tests to validate that we can load authorizations and
   challenges from the server
2023-04-17 17:52:54 +00:00
Niranjan Shrestha adbfffc47b
Update userpass.mdx (#20121)
* Update userpass.mdx

vault write auth/userpass/users/mitchellh password=foo policies=admins
in the path "userpass" is actually a path, if custom path is defined, custom path need to used, instead of userpass.

* Add extra description

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-04-17 16:52:13 +00:00
Alexander Scheel 4190212bbb
Remove extraneous certificate from OCSP response (#20201)
* Remove extraneous certificate from OCSP response

Since the issuer used to sign the certificate also signs the OCSP
response, no additional information is added by sending the issuer again
in the certs field of the BasicOCSPResponse structure. Removing it saves
bytes and avoids confusing Go-based OCSP verifiers which cannot handle
the cert issuer being duplicated in the certs field.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-17 16:40:26 +00:00
Chelsea Shaw dfbd9091b0
UI: PKI routes extend base Route (#20179) 2023-04-17 15:58:30 +00:00
Alexander Scheel ef7dd8c1bb
Add fix for Go x/crypto/ocsp failure case (#20181)
* Add fix for Go x/crypto/ocsp failure case

When calling ocsp.ParseRequest(req, issue) with a non-nil issuer on a
ocsp request which _unknowingly_ contains an entry in the
BasicOCSPResponse's certs field, Go incorrectly assumes that the issuer
is a direct parent of the _first_ certificate in the certs field,
discarding the rest.

As documented in the Go issue, this is not a valid assumption and thus
causes OCSP verification to fail in Vault with an error like:

> bad OCSP signature: crypto/rsa: verification error

which ultimately leads to a cert auth login error of:

> no chain matching all constraints could be found for this login certificate

We address this by using the unsafe issuer=nil argument, taking on the
task of validating the OCSP response's signature as best we can in the
absence of full chain information on either side (both the trusted
certificate whose OCSP response we're verifying and the lack of any
additional certs the OCSP responder may have sent).

See also: https://github.com/golang/go/issues/59641

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test case with Vault PKI

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-17 11:48:19 -04:00
Steven Clark 6211595bef
Add a helper function to build ACME API patterns (#20180)
- Add a helper function that can accept the final API path along with
   the pattern function for an ACME api definition and generate the
   various flavors for the given API
2023-04-14 18:48:33 +00:00
Steven Clark 138f36eafe
Move all ACME wrappers into a dedicated go file (#20174)
* Move all ACME wrappers into a dedicated go file

 - Make it easier to figure out where the various wrappers for
   ACME exist by locating them inside a dedicated go file instead
   of spread out across the various path_acme_xxx files.

* Add missing copyright headers to PKI files
2023-04-14 14:12:31 -04:00
Kianna 045de8a0b6
UI: VAULT-15385 VAULT-15386 VAULT-15487 Hide create role button, show mount configuration when pki not configured, update overview page so it's responsive (#20164) 2023-04-14 10:32:43 -07:00
Steven Clark d324aa0d15
Implement ACME order API (#20127)
* Implement ACME new-order API
 - This is a very rough draft for the new order ACME API

* Add ACME order list API

* Implement ACME Get order API

* Misc order related fixes

 - Filter authorizations in GetOrders for valid
 - Validate notBefore and notAfter dates make sense
 - Add <order>/cert URL path to order response if set to valid

* Return account status within err authorized, if the account key verified
2023-04-14 14:54:48 +00:00
Chris Capurso e7c0d5744b
add max_entry_size to sanitized config output (#20044)
* add max_entry_size to sanitized config output

* add changelog entry

* add test parallelism

* add inmem test case

* use named struct fields for TestSysConfigState_Sanitized cases
2023-04-14 09:52:23 -04:00
Anton Averchenkov 624acfe62a
openapi: Better comments for OperationPrefix/Verb/Suffix (#20162) 2023-04-13 18:47:14 -04:00
Jordan Reimer c36ab935c4
Clients config updates for census reporting (#20125)
* updates clients config view for census reporting

* adds changelog entry

* fixes issue with modal staying open and error not showing on clients config save failure

* adds min retention months to clients config model and form validation
2023-04-13 15:57:12 -06:00
Kyle Schochenmaier 1b4ff1b1b4
Revert changes to STS leases but keep the ttl field (#20034)
* revert STS lease changes, now create a lease for STS credentials but keep the ttl
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2023-04-13 15:02:39 -05:00
Ryan Cragun a19f7dbda5
[QT-525] enos: use spot instances for Vault targets (#20037)
The previous strategy for provisioning infrastructure targets was to use
the cheapest instances that could reliably perform as Vault cluster
nodes. With this change we introduce a new model for target node
infrastructure. We've replaced on-demand instances for a spot
fleet. While the spot price fluctuates based on dynamic pricing, 
capacity, region, instance type, and platform, cost savings for our
most common combinations range between 20-70%.

This change only includes spot fleet targets for Vault clusters.
We'll be updating our Consul backend bidding in another PR.

* Create a new `vault_cluster` module that handles installation,
  configuration, initializing, and unsealing Vault clusters.
* Create a `target_ec2_instances` module that can provision a group of
  instances on-demand.
* Create a `target_ec2_spot_fleet` module that can bid on a fleet of
  spot instances.
* Extend every Enos scenario to utilize the spot fleet target acquisition
  strategy and the `vault_cluster` module.
* Update our Enos CI modules to handle both the `aws-nuke` permissions
  and also the privileges to provision spot fleets.
* Only use us-east-1 and us-west-2 in our scenario matrices as costs are
  lower than us-west-1.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-04-13 15:44:43 -04:00
Alexander Scheel 10e02aca02
Add missing cert auth ocsp read data (#20154)
* Add missing OCSP cert auth fields

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test to ensure OCSP values are persisted

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-13 18:59:09 +00:00
Mike Palmiotto c0b8a9eddb
Add minimum_retention_months to config endpoint (#20150) 2023-04-13 18:33:23 +00:00
Scott Miller 5be4d61d13
Add documentation for cert auth OCSP checking (#18064) 2023-04-13 18:33:21 +00:00
Kuba Wieczorek deb215a8e1
Stop running UI tests on every PR into a release branch in CI (#20149) 2023-04-13 18:10:17 +00:00
Jason O'Donnell ec9e08c931
sdk/ldaputil: add connection_timeout configurable (#20144)
* sdk/ldaputil: add connection_timeout configurable

* changelog

* Update doc

* Fix test

* Change default to 30s
2023-04-13 12:43:28 -04:00
Anton Averchenkov 7e12300d7c
openapi: Add display attributes for cubbyhole/ (#19880) 2023-04-13 11:33:21 -04:00
Anton Averchenkov 14ac4fc045
openapi: Add display attributes for /sys (p2) (#19707) 2023-04-13 11:32:57 -04:00
Anton Averchenkov 254c5e2568
openapi: Add display attributes for /sys (p1) (#19706) 2023-04-13 11:32:26 -04:00
Anton Averchenkov c025747e46
openapi: Add display attributes for Consul (#19413) 2023-04-13 11:31:37 -04:00
Anton Averchenkov c8803cb571
openapi: Add display attributes for userpass (#19411) 2023-04-13 11:30:54 -04:00
Anton Averchenkov 9a654ac3f1
openapi: Add display attributes for Okta auth (#19391) 2023-04-13 11:29:59 -04:00
Kuba Wieczorek 21b6eee698
Update Go version to 1.20.3 (#20139) 2023-04-13 13:35:02 +01:00
Bryce Kalow 9f9bceda88
remove check-legacy-links-format workflow (#20115) 2023-04-12 21:52:54 -04:00
Josh Black cf20bb9233
Add additional clarity around autopilot upgrade versions (#20129) 2023-04-12 17:21:50 -07:00
Alexander Scheel c0a91042c0
Delete unnecessary changelog from #20114 (#20126) 2023-04-12 21:28:45 +00:00
James King 0b6327eda9
Potentially Malicious Link (#20114)
* Potentially Malicious Link

The current link redirects to a personal beauty sales site.

* Create 20114.txt
2023-04-12 20:23:41 +00:00
Anton Averchenkov d0cc7bc71a
openapi: Add display attributes for identity/ (remaining) (#19763) 2023-04-12 15:46:01 -04:00
Anton Averchenkov 31e123f7a0
openapi: Add display attributes for identity/group (#19762) 2023-04-12 15:45:12 -04:00
Anton Averchenkov 4b94669779
openapi: Add display attributes for identity/entity (#19760) 2023-04-12 15:44:43 -04:00
Anton Averchenkov f69bea9161
openapi: Add display attributes for identity/oidc (#19758) 2023-04-12 15:44:07 -04:00
Tom Proctor 9aa9686c81
Simplify tracking of external plugins (#20009) 2023-04-12 18:34:35 +01:00
Matt Schultz 2310e13cf1
Update docs to include specifics and caveats around Transit Managed Keys support. (#20099) 2023-04-12 12:19:25 -05:00
Alexander Scheel b4edc81cd5
Add ACME authorizations & challenges (#20113)
* Distinguish POST-as-GET from POST-with-empty-body

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add ACME authorization, identifier, and challenge types

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add ability to load and save authorizations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add ACME authorizations path handling

This supports two methods: a fetch handler over the authorization, to
expose the underlying challenges, and a deactivate handler to revoke
the authorization and mark its challenges invalid.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add ACME challenge path handling

These paths kick off processing and validation of the challenge by the
ACME client.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-04-12 16:55:25 +00:00
miagilepner 1ea85c56d7
VAULT-14734: activity log write endpoint (#20019)
* add noop endpoint with testonly build flag

* add tests for endpoint

* cleanup

* fix test name

* add changelog

* pr fixes
2023-04-12 18:26:26 +02:00