Commit graph

2787 commits

Author SHA1 Message Date
Daniel Huckins f34313e611
VAULT-12144: add openapi responses for /sys/wrapping endpoints (#18627)
* add response structures for /sys/wrapping endpoints

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* added changelog

* dynamic tests should be nil

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-03-28 11:12:34 -04:00
Violet Hynes 44894253fc
VAULT-8337 OSS changes part 2 (#19698) 2023-03-28 10:32:30 -04:00
Daniel Huckins e3d3d6e528
VAULT-12144: add openapi responses for /sys/tools endpoints (#18626)
* add struct for /sys/tools/hash

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* added responses for /sys/tools paths

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add changelog

* verify respose structure for hash

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* verify respose structure for hash/random

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* use newer testing funct

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* use new test method

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-03-24 23:11:39 +00:00
Nick Cabatoff fae3e31fda
Address regression introduced by #15493 for non-raft storage backends. (#19721) 2023-03-24 10:15:25 -04:00
Violet Hynes db31cf2da2
Revert "VAULT-8337 OSS changes" (#19700)
This reverts commit 160196f4bc270ea0698b894d4f5f3e84426b77c9.
2023-03-23 11:47:10 -04:00
Nick Cabatoff 7de257de46
Make sure that we specify Backoff in conjunction with MinConnectTimeout, else we get a zero value. (#19701) 2023-03-23 10:21:28 -04:00
Nick Cabatoff 06e3f971ef
Allow overriding gRPC's connection timeout with VAULT_GRPC_MIN_CONNECT_TIMEOUT (#19676) 2023-03-22 18:51:37 +00:00
Chris Capurso 12cf80fafd
user Platform from host info for node status OS (#19611) 2023-03-21 09:53:31 -04:00
Mike Palmiotto d6a1cc63ac
activitylog: Fix pq.Get trace logger output (#19650) 2023-03-20 19:35:40 -04:00
Mike Palmiotto 2381e6be66
Add no-op CensusAgent (#19625)
* Add no-op CensusAgent

* Changelog for Census Agent background worker
2023-03-20 10:51:35 -04:00
Violet Hynes e627737fe8
VAULT-8337 OSS changes (#19580) 2023-03-20 09:04:55 -04:00
Tom Proctor f1f5c8444a
Suppress event broker not started log warning (#19593) 2023-03-20 11:14:14 +00:00
Chris Capurso 078d4eef7c
update link policy fetch URL (#19371)
* update link policy fetch URL

* fix fmt
2023-03-17 09:09:25 -04:00
Violet Hynes 943678e359
Fix remount for mounts with spaces in the name (#19585)
* Fix remount for mounts with spaces in the name

* Git mishap

* Git mishap

* Changelog

* Godocs for tests
2023-03-16 15:26:55 -04:00
Hamid Ghaf 27bb03bbc0
adding copyright header (#19555)
* adding copyright header

* fix fmt and a test
2023-03-15 09:00:52 -07:00
John-Michael Faircloth 1553c310c4
Fix a possible data race with rollback manager and plugin reload (#19468)
* fix data race on plugin reload

* add changelog

* add comment for posterity

* revert comment and return assignment in router.go

* rework plugin continue on error tests to use compilePlugin

* fix race condition on route entry

* add test for plugin reload and rollback race detection

* add go doc for test
2023-03-14 09:36:37 -05:00
Marc Boudreau f286ee5b3c
Fix failing TestHCPLinkConnected Test (#19474)
* replace use of os.Unsetenv in test with t.Setenv and remove t.Parallel from test that rely on env being modified.

* experiment with using fromJSON function

* revert previous experiment

* including double quotes in the output value for the string ubuntu-latest

* use go run to launch gofumpt
2023-03-09 13:46:54 -05:00
nsimons d91d2ceaf8
Fix cubbyhole and token revocation for legacy service tokens (#19416)
* Fix cubbyhole and revocation for legacy service tokens

Legacy service tokens generated in Vault 1.10+ with env var
VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS=true are not assigned
a cubbyhole ID. The implication is that cubbyhole/ cannot be
used, nor can the tokens be revoked.

This commit assigns a cubbyhole ID to these tokens and adds
a new test case to see that cubbyhole and revocation works correctly.

* add changelog

* add godoc to test cases
2023-03-06 15:09:45 -05:00
miagilepner ac36b31846
VAULT-13729 activity log test godocs (#19433)
* add godocs to activity log tests

* format

* add trailing periods
2023-03-06 13:08:22 +01:00
Daniel Huckins d9229a5fba
VAULT-12112: add openapi responses for /sys/internal endpoints (#18542)
* added responses for sys/internal/ui/mounts

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* responses for internal paths

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* added changelog

* add schema validation for internal/ui/mounts

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add counters test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update test to use new method

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* use new method in TestSystemBackend_InternalUIMounts

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* :rage4: fixed test, diff between core.HandleRequest and backend.HandleRequest

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* test feature flags

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-02-24 15:03:21 -05:00
miagilepner c31a10b90a
VAULT-13763 normalize activity log mount paths (#19343)
* add slashes to mount paths in activity log

* cleanup test

* fix test
2023-02-24 16:57:41 +01:00
Christopher Swenson 6b36cc7587
When copying test binary, delete first (#19331)
For plugin tests, we copy the test binary. On macOS, if the
destination binary already exists, then copying over it will result
in an invalid signature.

The easiest workaround is to delete the file before copying.
2023-02-23 15:10:13 -08:00
Jason O'Donnell f69297e0b3
Fix inmem layer unlock bug (#19323) 2023-02-23 20:16:49 +00:00
John-Michael Faircloth 0a7656ae5c
test: Fix bug in TestAddTestPlugin test helper (#19313)
* fix external plugin test failing locally

* Ensure file is closed and written in TestAddTestPlugin
2023-02-23 17:07:48 +00:00
Leland Ursu 432fad12b1
added in the missing test cases to validate response structures (#19277)
* added in the missing test cases to validate response structures

* added changelog file

* remove unneeded changelog file

* removed comment to update when indentity/entity is implemented

---------

Co-authored-by: lursu <leland.ursu@hashicorp.com>
2023-02-22 12:46:46 -05:00
Chris Capurso 3a361e1e83
add error consistency in link node status resp (#19279) 2023-02-22 11:53:29 -05:00
John-Michael Faircloth 2cc6117f28
test/plugin: add more test scenarios for external plugins (#19257) 2023-02-21 09:44:54 -06:00
Christopher Swenson 404d7a57bb
events: WS protobuf messages should be binary (#19232)
The [WebSockets spec](https://www.rfc-editor.org/rfc/rfc6455) states
that text messages must be valid UTF-8 encoded strings, which protobuf
messages virtually never are. This now correctly sends the protobuf events
as binary messages.

We change the format to correspond to CloudEvents, as originally intended,
and remove a redundant timestamp and newline.

We also bump the eventlogger to fix a race condition that this code triggers.
2023-02-17 11:38:03 -08:00
John-Michael Faircloth eca810d06e
test/plugin: test external database plugin workflows (#19191)
* test/plugin: test external db plugin

* use test helper to get cluster and plugins

* create test helper to create a vault admin user

* add step to revoke lease

* make tests parallel and add reload test

* use more descriptive name for test group; check response
2023-02-16 15:52:24 -06:00
Daniel Huckins 448f5dd33e
VAULT-12112: add openapi response structures for /sys/config and /sys/generate-root endpoints (#18472)
* some config responses

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* added response structs

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* added changelog

* add test for config/cors

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add (failing) tests

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* copy-pasta err

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update tests for /sys/config/ui/headers/{header}

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-02-16 15:06:26 -05:00
Daniel Huckins 60488687ad
VAULT-12112: add openapi response structures for /sys/capabilities* endpoints (#18468)
* add capabilities

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* added change log

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* use nil for dynamic fields

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
2023-02-16 15:04:37 -05:00
Daniel Huckins a9d15f1252
VAULT-12112: add openapi response structures for /sys/auth/* endpoints (#18465)
* added responses to /sys/auth/.../tune

* add response structure for auth/...

* added changelog

* Update vault/logical_system_paths.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* its TypeString

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* use nil for dynamic fields

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* test auth endpoint schema

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* kicking off ci

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-02-16 15:03:19 -05:00
Tom Proctor 2472029a0a
Support event subscriptions with glob wildcards (#19205) 2023-02-16 17:22:56 +00:00
Leland Ursu 0704127020
added OpenAPI response objects for sys endpoints (#18633)
* added response objects for sys 3 section

* Update vault/logical_system_paths.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_raw.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_system_paths.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_system_quotas.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_system_quotas.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_system_quotas.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add tests and update based on reviews

* added changelog file

* finally got make fmt to work...

* fixed copy pasta test case

* updated based on review

* Update vault/logical_system_quotas.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Update vault/logical_system_test.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_system_test.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

---------

Co-authored-by: lursu <leland.ursu@hashicorp.com>
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-02-15 15:02:21 -05:00
Leland Ursu 6425130605
Added OpenAPI response structures for sys endpoints (#18515)
* added response objects to all of the endpoints laid out by the ticket linked

* added changelog file and updated based on review

* added the required bool to the correct fields

* Update vault/logical_system_paths.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_system_paths.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_system_paths.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_system_paths.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_system_paths.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_system_paths.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_system_paths.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* updated based on review

* Update vault/logical_system_paths.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/logical_system_paths.go

Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* updated based on review and added test cases for validating response structures

* fix copy pasta issues breaking tests

* Update vault/logical_system_paths.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* fix test failures

* fixed issue with refrencing the wrong req var name

* fixed another test case and double checked the rest

* updated based on review

* updated in all locations

* Update vault/logical_system_paths.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Update vault/logical_system_paths.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* fixed my brain fart

* Update vault/logical_system_paths.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* address fmt error

---------

Co-authored-by: lursu <leland.ursu@hashicorp.com>
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-02-15 15:00:06 -05:00
Daniel Huckins 7fde5ecb83
Validate response schema for integration tests (#19043)
* add RequestResponseCallback to core/options

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* pass in router and apply function on requests

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add callback

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* cleanup

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Update vault/core.go

* bad typo...

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* use pvt interface, can't downcast to child struct

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* finer grained errors

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* trim path for backend

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* remove entire mount point instead of just the first part of url

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update vault/testing.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* add doc string

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* update docstring

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* reformat

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* added changelog

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-02-15 14:57:57 -05:00
Christopher Swenson 020a3903ff
events: Remove subscriptions on timeout and cancel (#19185)
When subscriptions are too slow to accept messages on their channels,
then we should remove them from the fanout so that we don't have
dead subscriptions using up resources.

In addition, when a subscription is explicitly canceled, we should
also clean up after it remove the corresponding pipeline.

We also add a new metrics, `events.subscriptions`, to keep track
of the number of active subscriptions. This also helps us test.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-02-15 11:13:15 -08:00
Christopher Swenson 7a977fd6ea
events: Check token and ACLs on request (#19138)
This checks the request against the `read` permission for
`sys/events/subscribe/{eventType}` on the initial subscribe.

Future work includes moving this to its own verb (`subscribe`)
and periodically rechecking the request.

Tested locally by minting a token with the wrong permissions
and verifying that they are rejected as expected, and that
they work if the policy is adjusted to `sys/event/subscribe/*`
(or the specific topic name) with `read` permissions.

I had to change the `core.checkToken()` to be publicly accessible,
as it seems like the easiest way to check the token on the
`logical.Request` against all relevant policies, but without
going into all of the complex logic further in `handleLogical()`.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-02-10 20:56:00 +00:00
Christopher Swenson 7d3d404ee2
events: Add websockets and command (#19057)
Also updates the event receieved to include a timestamp.
Websockets support both JSON and protobuf binary formats.

This can be used by either `wscat` or the new
`vault events subscribe`:

e.g.,
```sh
$ wscat -H "X-Vault-Token: $(vault print token)" --connect ws://127.0.0.1:8200/v1/sys/events/subscribe/abc?json=true
{"event":{"id":"5c5c8c83-bf43-7da5-fe88-fc3cac814b2e", "note":"testing"}, "eventType":"abc", "timestamp":"2023-02-07T18:40:50.598408Z"}
...
```

and

```sh
$ vault events subscribe abc
{"event":{"id":"5c5c8c83-bf43-7da5-fe88-fc3cac814b2e", "note":"testing"}, "eventType":"abc", "timestamp":"2023-02-07T18:40:50.598408Z"}
...
```

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-02-09 13:18:58 -08:00
Tom Proctor 78d83c9136
Make experiments API authenticated (#18966) 2023-02-09 20:18:14 +00:00
John-Michael Faircloth 34fd57ac08
test/plugin: test external plugin workflows (#19090)
* test/plugin: test external plugin workflows

* update secrets engine test
2023-02-09 10:16:16 -06:00
Nick Cabatoff ec2af04ec6
Remove the last vestiges of sdk/version. (#19068) 2023-02-08 12:30:27 -05:00
Scott Miller acee981753
Remove accidental addition of a hackweek file (#19016) 2023-02-06 16:45:55 -06:00
Scott Miller b43e4fbd9c
Add a stronger warning about the usage of recovery keys (#19011)
* Add a stronger warning about the usage of recovery keys

* Update website/content/docs/concepts/seal.mdx

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* Keep the mitigation text in the warning box

---------

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2023-02-06 16:23:05 -06:00
miagilepner e873932bce
VAULT-8436 remove <-time.After statements in for loops (#18818)
* replace time.After with ticker in loops

* add semgrep rule

* update to use timers

* remove stop
2023-02-06 17:49:01 +01:00
miagilepner 9d09dba7ac
VAULT-13061: Fix mount path discrepancy in activity log (#18916)
* use single function to convert mount accessor to mount path

* add changelog

* more context and comments for the tests
2023-02-06 10:26:32 +01:00
John-Michael Faircloth 14e4d67026
test/plugin: refactor compilePlugin for reuse (#18952)
* test/plugin: refactor compilePlugin for reuse

- move compilePlugin to helper package
- make NewTestCluster use compilePlugin

* do not overwrite plugin directory in CoreConfig if set

* fix getting plugin directory path for go build
2023-02-03 16:27:11 -06:00
Christopher Swenson 5864075c30
Add events sending routed from plugins (#18834)
This isn't perfect for sure, but it's solidifying and becoming a useful
base to work off.

This routes events sent from auth and secrets plugins to the main
`EventBus` in the Vault Core. Events sent from plugins are automatically
tagged with the namespace and plugin information associated with them.
2023-02-03 13:24:16 -08:00
Chris Capurso c74c057bdb
fix sys/leases panic when lease_id is nil (#18951)
* fix sys/leases panic when lease_id is nil

* add changelog entry
2023-02-03 09:51:10 -05:00
Anton Averchenkov 619f5b2edf
openapi: Ensure mount_path parameters are marked as required (#18955) 2023-02-02 14:39:09 -05:00