* Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation.
* Add changelog.
* Minor updates as suggested.
* Adding external test for wrapped accessor.
* Add check that mounttype is approle.
* Update changelog text to use improvement
* add permissions and conditional
* stuff
* following the default setting to zero
* wip
* handle no permissions to mount sys
* maybe closer
* closer but configuration page not updating correctly with serializer issues
* wip but figured out configuration page and model
* clean up
* add test coverage
* clean up
* remove meep
* refactor
* clean test
* fix conditional on seralizer delete
* fix test
* test fixes
* fix test
* test fix
* more test stuff
* condense
* add keys path and initial handler
* read provider public keys
* add test cases
* remove some debug logs
* update tests after merging main
* refactor list all clients
* refactor logic to collect Key IDs
* WIP: Unset the certificate's SignatureAlgorithm to allown cross-signing of different key types
* Allow signing self issued certs with a different public key algorithm
* Remove cruft
* Remove stale import
* changelog
* eliminate errwrap
* Add a test to cover the lack of opt-in flag
* Better comment
Co-authored-by: catsby <clint@ctshryock.com>
* Enforce Minimum cache size for transit backend
* enfore minimum cache size and log a warning during backend construction
* Update documentation for transit backend cache configuration
* Added changelog
* Addressed review feedback and added unit test
* Modify code in pathCacheConfigWrite to make use of the updated cache size
* Updated code to refresh cache size on transit backend without restart
* Update code to acquire read and write locks appropriately
Byte slices returned from Bolt are only valid during a transaction, so
this makes a copy.
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs. This is a
potentially useful stepping stone for a SHA3 transition down the line.
Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
* Fix pkcs7 parsing in some cases
brings in https://github.com/mozilla-services/pkcs7/pull/61 from upstream
In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```
This fixes logins on those instances. Note we could not readily ascertain why
some instances have those certificates and others don't.
* Add changelog entry
* Correct missed line
* pre-publish new signing keys for `rotation_period` of time before using
* Work In Progress: Prepublish JWKS and even cache control
* remove comments
* use math/rand instead of math/big
* update tests
* remove debug comment
* refactor cache control logic into func
* don't set expiry when create/update key
* update cachecontrol name in oidccache for test
* fix bug in periodicfunc test case
* add changelog
* remove confusing comment
* add logging and comments
* update change log from bug to improvement
Co-authored-by: Ian Ferguson <ian.ferguson@datadoghq.com>
While EKS may be the managed kubernetes environment under the hood, I believe the idea behind this section of the documentation is to use AWS KMS for seal/unseal operations, not EKS. (i.e. The surrounding documentation is discussing other Auto Unseal options such as Google KMS.)
The use of the term EKS instead of KMS made it hard for me to discover this section of documentation, and was a little confusing at first until I realized the possible error.
* identity: handle creation of role without a key parameter
* update docs to not require key parameter for creation of a role
* add changelog
* require key param when creating a role
* lock create/update role; remove now redundant key check
* update changelog and UTs
* update change log to refelct actual implementation
* remove deprecated test case
* creates bar chart component
* WIP//starts styling
* fixes width of bars
* WIP//barchart
* uses d3 max method instead of Math.max
* stacks data
* adds y axis
* fixes styling and spacing
* adds spacing between bars
* styling DONE
* adds legend
* adds tooltip
* tweaks styling adds pointer cursor to rects
* fixes tooltip placement
* moves starget from bar to whole area
* finishes hover selection styling
* cleans up
* cleans up a tiny bit
* stopping point
* adjusts tooltip placemnt
* WIP//clean up time
* sort of not broken
* unbroken, ish
* tooltip position fixed
* truncates text and adds tooltip
* changes tooltip width depending on content
* unbroken
* finishes initial refactor/cleanup
* finishes documentation
* passes in map legend to component
* more tidying
* add export option
* adds grid to header for export button option
* updates comments
* fix variable name change
* moves dataset formatting to parent
* removes unused code"
* adds assertions and empty state if no data
* cleans up comments adds assertion to check for map legend
* adds storybook
* adds changelog
* deletes dummy parent:
* restores index.hbs
* uses scss variables instead
* exchanges more variables
* remove unused variable in storybook
* writes basic test
* removes pauseTest()
* Auto-join support for IPv6 discovery
The go-discover library returns IP addresses and not URLs. It just so
happens net.URL parses "127.0.0.1", which isn't a valid URL.
Instead, we construct the URL ourselves. Being careful to check if it's
an ipv6 address and making sure it's in explicit form if so.
Fixes#12323
* feedback: addrs & ipv6 test
Rename addrs to clusterIPs to improve clarity and intent
Tighten up our IPv6 address detection to be more correct and to ensure
it's actually in implicit form
* OIDC Provider: implement discovery endpoint
* handle case when provider does not exist
* refactor providerDiscover struct and add scopes_supported
* fix authz endpoint
* Send x-forwarded-for in Okta Push Factor request
Why:
In order for Okta to properly report the location of the authentication
attempt, the X-Forwarded-For header must be included in the request to
Okta (if it exists).
This change addresses the need by:
* Duplicating the value of X-Forwarded-For if it's passed through to the
auth backend
* Add changelog entry for 12320
* Override loading behavior which breaks query params passed to API calls
* Only show loading state if transition is not queryparams only
* Add changelog
* Skip loader if testing