* Upgrade pq to fix connection failure cleanup bug (v1.8.0 => v1.10.3)
* Run go mod tidy after `go get -u github.com/lib/pq`
* include changelog/12413.txt
- When two entities are merged, remove the from entity ID in any
associated groups.
- When two entities are merged, also merge their associated group
memberships.
Fixes#10084
* get credentials card test and setup
* call getcrednetials card and remove path test error
* configuration
* metadata search box
* changelog
* checking if it is noReadAccess
* try removing test
* blah
* a test
* blah
* stuff
* attempting a clean up to solve issue
* Another attempt
* test1
* test2
* test3
* test4
* test5
* test6
* test7
* finally?
* clean up
* Update Go client libraries for etcd
* Added etcd server container to run etcd3 tests automatically.
* Removed etcd2 test case: it fails the backend tests but the failure is
unrelated to the uplift. The etcd2 backend implementation does not
remove empty nested nodes when removing leaf (see comments in #11980).
* testing bar chart changeS
* Added namespace search to client count
- Used existing search select component for namespace search
* Added changelog
* Added download csv component
- generate namespaces data in csv format
- Show root in top 10 namespaces
- Changed active direct tokens to non-entity tokens
* Added test for checking graph render
* Added documentation for the download csv component
* correctly updates chart when data changes
* Cleaned up template and tooltip
* Added changelog
* updates label tooltip and regroups dom elements
Co-authored-by: Arnav Palnitkar <arnav@hashicorp.com>
* fix: upgrade vault-plugin-auth-kubernetes
- brings in the alias_name_source feature which allows for setting
alternate alias names based on the service accounts's namespace and
name
- document the seurity related aspects for the feature addition above.
* core: set namespace from the sysview's mount entry on GeneratePasswordFromPolicy
* test: update TestDynamicSystemView to be ns-aware, update tests
* add changelog entry
* Added namespace search to client count
- Used existing search select component for namespace search
* Added changelog
* Added download csv component
- generate namespaces data in csv format
- Show root in top 10 namespaces
- Changed active direct tokens to non-entity tokens
* Added test for checking graph render
* Added documentation for the download csv component
* port of ldap fix for early cred rotation
* some more porting
* another couple lines to port
* final commits before report
* remove deadlock
* needs testing
* updates
* Sync with OpenLDAP PR
* Update the update error handling for items not found in the queue
* WIP unit tests
* Need to configure DB mount correctly, with db type mockv5
* Need to find a way to inject errors into that mock db
* throw error on role creation failure
* do not swallow error on role creation
* comment out wip tests and add in a test for disallowed role
* Use newly generated password in WAL
Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>
* return err on popFromRotationQueueByKey error; cleanup on setStaticAccount
* test: fix TestPlugin_lifecycle
* Uncomment and fix unit tests
* Use mock database plugin to inject errors
* Tidy test code to rely less on code internals where possible
* Some stronger test assertions
* Undo logging updates
* Add changelog
* Remove ticker and background threads from WAL tests
* Keep pre-existing API behaviour of allowing update static role to act as a create
* Switch test back to update operation
* Revert my revert, and fix some test bugs
* Fix TestBackend_StaticRole_LockRegression
* clean up defer on TestPlugin_lifecycle
* unwrap reqs on cleanup
* setStaticAccount: don't hold a write lock
* TestStoredWALsCorrectlyProcessed: set replication state to unknown
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
Co-authored-by: Michael Golowka <72365+pcman312@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
* [VAULT-3519] Return no_default_policy on token role read if set
* [VAULT-3519] Add changelog
* [VAULT-3519] Always return token_no_default_policy on role read
* Fix broken test
* Update role read response in docs
* Add allowed_policies_glob and disallowed_policies_glob that are the same as allowed_policies and disallowed_policies but allow glob matching.
* Update changelog, docs, tests, and comments for (dis)allowed_token_glob token role feature.
* Improve docs and unit tests for auth/token role policy globbing.
* Update github.com/ulikunitz/xz
* Bump xz which is transitive dependency of github.com/mholt/archiver.
Fixes known security vulnerability GHSA-25xm-hr59-7c27.
* Update github.com/ulikunitz/xz
* Added security advisory ID to changelog.
* Client count updates
- Added Current month tab which leverages partial monthly activity api
- Refactored Vault usage to Monthly history
- New client count history component based on StatText and BarChart component
- Restrict bar chart to showcase only top 10 namespaces
- Removed config route, as config and history component will be rendered based on query param
- Updated all metrics reference to clients
- Removed old tests and added integration test for current month
* Fixed navbar permission
- Added changelog
* Updated the model for current month data
* Fixed current month tests
* Fixed indentation and chart label
* Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation.
* Add changelog.
* Minor updates as suggested.
* Adding external test for wrapped accessor.
* Add check that mounttype is approle.
* Update changelog text to use improvement
* WIP: Unset the certificate's SignatureAlgorithm to allown cross-signing of different key types
* Allow signing self issued certs with a different public key algorithm
* Remove cruft
* Remove stale import
* changelog
* eliminate errwrap
* Add a test to cover the lack of opt-in flag
* Better comment
Co-authored-by: catsby <clint@ctshryock.com>
* Enforce Minimum cache size for transit backend
* enfore minimum cache size and log a warning during backend construction
* Update documentation for transit backend cache configuration
* Added changelog
* Addressed review feedback and added unit test
* Modify code in pathCacheConfigWrite to make use of the updated cache size
* Updated code to refresh cache size on transit backend without restart
* Update code to acquire read and write locks appropriately
Byte slices returned from Bolt are only valid during a transaction, so
this makes a copy.
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs. This is a
potentially useful stepping stone for a SHA3 transition down the line.
Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
* Fix pkcs7 parsing in some cases
brings in https://github.com/mozilla-services/pkcs7/pull/61 from upstream
In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```
This fixes logins on those instances. Note we could not readily ascertain why
some instances have those certificates and others don't.
* Add changelog entry
* Correct missed line
* pre-publish new signing keys for `rotation_period` of time before using
* Work In Progress: Prepublish JWKS and even cache control
* remove comments
* use math/rand instead of math/big
* update tests
* remove debug comment
* refactor cache control logic into func
* don't set expiry when create/update key
* update cachecontrol name in oidccache for test
* fix bug in periodicfunc test case
* add changelog
* remove confusing comment
* add logging and comments
* update change log from bug to improvement
Co-authored-by: Ian Ferguson <ian.ferguson@datadoghq.com>
* identity: handle creation of role without a key parameter
* update docs to not require key parameter for creation of a role
* add changelog
* require key param when creating a role
* lock create/update role; remove now redundant key check
* update changelog and UTs
* update change log to refelct actual implementation
* remove deprecated test case
* creates bar chart component
* WIP//starts styling
* fixes width of bars
* WIP//barchart
* uses d3 max method instead of Math.max
* stacks data
* adds y axis
* fixes styling and spacing
* adds spacing between bars
* styling DONE
* adds legend
* adds tooltip
* tweaks styling adds pointer cursor to rects
* fixes tooltip placement
* moves starget from bar to whole area
* finishes hover selection styling
* cleans up
* cleans up a tiny bit
* stopping point
* adjusts tooltip placemnt
* WIP//clean up time
* sort of not broken
* unbroken, ish
* tooltip position fixed
* truncates text and adds tooltip
* changes tooltip width depending on content
* unbroken
* finishes initial refactor/cleanup
* finishes documentation
* passes in map legend to component
* more tidying
* add export option
* adds grid to header for export button option
* updates comments
* fix variable name change
* moves dataset formatting to parent
* removes unused code"
* adds assertions and empty state if no data
* cleans up comments adds assertion to check for map legend
* adds storybook
* adds changelog
* deletes dummy parent:
* restores index.hbs
* uses scss variables instead
* exchanges more variables
* remove unused variable in storybook
* writes basic test
* removes pauseTest()
* Auto-join support for IPv6 discovery
The go-discover library returns IP addresses and not URLs. It just so
happens net.URL parses "127.0.0.1", which isn't a valid URL.
Instead, we construct the URL ourselves. Being careful to check if it's
an ipv6 address and making sure it's in explicit form if so.
Fixes#12323
* feedback: addrs & ipv6 test
Rename addrs to clusterIPs to improve clarity and intent
Tighten up our IPv6 address detection to be more correct and to ensure
it's actually in implicit form
* Send x-forwarded-for in Okta Push Factor request
Why:
In order for Okta to properly report the location of the authentication
attempt, the X-Forwarded-For header must be included in the request to
Okta (if it exists).
This change addresses the need by:
* Duplicating the value of X-Forwarded-For if it's passed through to the
auth backend
* Add changelog entry for 12320
* Override loading behavior which breaks query params passed to API calls
* Only show loading state if transition is not queryparams only
* Add changelog
* Skip loader if testing
* initial setup
* form field editType kv is very helpful
* setting up things
* setup two routes for metadata
* routing
* clean up routing
* meh router changes not my favorite but its working
* show metadata
* add controller for backendCrumb mixin
* setting up edit metadata and trimming SecretEditMetadata component
* add edit metadata save functionality
* create new version work
* setup model and formfieldgroups for added config data.
* add config network request to secret-engine
* fix validations on config
* add config rows
* breaking up secret edit
* add validation for metadata on create
* stuff, but broken now on metadata tab
* fix metadata route error
* permissions
* saving small text changes
* permissions
* cleanup
* some test fixes and convert secret create or update to glimmer
* all these changes fix secret create kv test
* remove alert banners per design request
* fix error for array instead of object in jsonEditor
* add changelog
* styling
* turn into glimmer component
* cleanup
* test failure fix
* add delete or
* clean up
* remove all hardcoded for api integration
* add helper and fix create mode on create new version
* address chelseas pr comments
* add jsdocs to helper
* fix test
* Client count config view
- Switched to toggle button from checkbox and updated the design
- Switched to ember octane
- Update ember concurrency dependency
* Fixed integration tests
* Added changelog
* Update switch label on toggle
* Code cleanup
* Fixed test
Scott Miller