* added response objects to all of the endpoints laid out by the ticket linked
* added changelog file and updated based on review
* added the required bool to the correct fields
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* updated based on review
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* updated based on review and added test cases for validating response structures
* fix copy pasta issues breaking tests
* Update vault/logical_system_paths.go
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* fix test failures
* fixed issue with referencing the wrong req var name
* fixed another test case and double checked the rest
* updated based on review
* updated in all locations
* Update vault/logical_system_paths.go
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* Update vault/logical_system_paths.go
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* fixed my brain fart
* Update vault/logical_system_paths.go
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* address fmt error
---------
Co-authored-by: lursu <leland.ursu@hashicorp.com>
Co-authored-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* add RequestResponseCallback to core/options
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* pass in router and apply function on requests
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* add callback
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* cleanup
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* Update vault/core.go
* bad typo...
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* use pvt interface, can't downcast to child struct
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* finer grained errors
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* trim path for backend
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* remove entire mount point instead of just the first part of url
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* Update vault/testing.go
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* add doc string
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* update docstring
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* reformat
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
* added changelog
---------
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* work in progress: got the expired banner set with license check
* wip: got the logic for both banners, need to test and write tests
* add notes
* prep for test writing
* test coverage
* add changelog
* clean up
* clarify dismissTypes and conditionals
* updates
* update comment
* update comment
* address pr comments
* update test
* small naming change
* small naming changes
* clean localStorage
* comment clean up
* another comment clean up
* remove meep
* add test coverage for new method in localStorage
* Telemetry Metrics Configuration.
* Err Shadowing Fix (woah, semgrep is cool).
* Fix TestBackend_RevokePlusTidy_Intermediate
* Add Changelog.
* Fix memory leak. Code cleanup as suggested by Steve.
* Turn off metrics by default, breaking-change.
* Show on tidy-status before start-up.
* Fix tests
* make fmt
* Add emit metrics to periodicFunc
* Test not delivering unavailable metrics + fix.
* Better error message.
* Fixing the false-error bug.
* make fmt.
* Try to fix race issue, remove confusing comments.
* Switch metric counter variables to an atomic.Uint32
- Switch the metric counter variables to an atomic variable type
so that we are forced to properly load/store values to it
* Fix race-issue better by trying until the metric is sunk.
* make fmt.
* empty commit to retrigger non-race tests that all pass locally
---------
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
* The verify-sign command in its cleanest existing form.
* Working state
* Updates to proper verification syntax
Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>
* make fmt
* Base functionality.
* make fmt; changelog
* pki issue command.
* Make fmt. Changelog.
* Error Handling Is Almost A Tutorial
* Issue and ReIssue are Almost the Same Command
* Make Fmt + Changelog.
* Make some of the tests go.
* make fmt
* Merge fix (take 2)
* Fix existing support, add support for use_pss, max_path_length, not_after, permitted_dns_domains and skid
* Good Test which Fails
* Test-correction.
* Fix update to key_type key_bits; allow "," in OU or similar
* More specific includeCNinSANs
* Add tests around trying to use_pss on an ec key.
* GoDoc Test Paragraph thing.
---------
Co-authored-by: 'Alex Scheel' <alex.scheel@hashicorp.com>
* fix: upgrade vault-plugin-secrets-mongodbatlas to v0.9.1
* add changelog
* Update changelog/19111.txt
Co-authored-by: Max Coulombe <109547106+maxcoulombe@users.noreply.github.com>
* use correct plugin type in changelog
---------
Co-authored-by: Max Coulombe <109547106+maxcoulombe@users.noreply.github.com>
* Use UTC for leaf exceeding CA's notAfter
When generating a leaf which exceeds the CA's validity period, Vault's
error message was confusing as the leaf would use the server's time
zone, but the CA's notAfter date would use UTC. This could cause
user confusion as the leaf's expiry might look to be before the latter, due
to using different time zones. E.g.:
> cannot satisfy request, as TTL would result in notAfter
> 2023-03-06T16:41:09.757694-08:00 that is beyond the expiration of
> the CA certificate at 2023-03-07T00:29:52Z
Consistently use UTC for this instead.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
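The check the message above describes, as an added example in Go that is not Vault's own code: the CA's notAfter is a constructed UTC value and the leaf expiry is the same instant the quoted error carries, placed in an assumed UTC-8 server zone. `checkAgainstCA` renders both timestamps in UTC; `mixedZoneMessage` shows the pre-fix rendering that made the leaf look earlier than the CA.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed sample values: the CA's notAfter is held in UTC (x509
// validity times parse to UTC), while the leaf expiry is built in an
// assumed UTC-8 server zone, as in the message quoted in the commit.
var (
	serverZone = time.FixedZone("PST", -8*60*60)
	caNotAfter = time.Date(2023, 3, 7, 0, 29, 52, 0, time.UTC)
)

// leafNotAfter derives the requested expiry from a TTL in the server's
// local zone, which is how the old message ended up printing it.
func leafNotAfter(now time.Time, ttl time.Duration) time.Time {
	return now.Add(ttl)
}

// checkAgainstCA rejects a leaf that would outlive its issuer. Both
// timestamps in the error are normalised to UTC before formatting, so
// the two values can be compared by eye.
func checkAgainstCA(notAfter, caNotAfter time.Time) error {
	if !notAfter.After(caNotAfter) {
		return nil
	}
	return fmt.Errorf(
		"cannot satisfy request, as TTL would result in notAfter %s that is beyond the expiration of the CA certificate at %s",
		notAfter.UTC().Format(time.RFC3339Nano),
		caNotAfter.UTC().Format(time.RFC3339Nano),
	)
}

// mixedZoneMessage reproduces the confusing pre-fix rendering: the leaf
// in the server's local zone, the CA in UTC.
func mixedZoneMessage(notAfter, caNotAfter time.Time) string {
	return fmt.Sprintf("notAfter %s vs CA %s",
		notAfter.Format(time.RFC3339Nano),
		caNotAfter.UTC().Format(time.RFC3339Nano))
}

func main() {
	now := time.Date(2023, 3, 6, 15, 41, 9, 757694000, serverZone)
	leaf := leafNotAfter(now, time.Hour) // 16:41:09.757694-08:00 = 00:41:09Z next day
	fmt.Println(mixedZoneMessage(leaf, caNotAfter))
	fmt.Println(checkAgainstCA(leaf, caNotAfter))
}
```

The leaf is 00:41:09Z, about eleven minutes past the CA's 00:29:52Z, yet the mixed-zone line reads as 6 March versus 7 March; the UTC rendering makes the ordering visible.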
* Fix race accessing b.crls within cert auth
- Discovered by CircleCI that the pathLogin and pathLoginRenew paths access
and reload the b.crls member variable without a lock.
- Also discovered that pathLoginResolveRole never populated an empty
b.crls before usage within b.verifyCredentials
* Add cl
* Misc cleanup
- Introduce a login path wrapper instead of repeating in all the
various login methods the crl reloading
- Cleanup updatedConfig, never returned an error and nothing looked at
the error returned
- Make the test within TestCRLFetch a little less timing sensitive as
I was able to trigger a failure due to my machine taking more than
150ms to load the new CRL
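The login-path wrapper idea from the cleanup notes above, as an added example in Go that is not the cert auth backend's code: `crlStore` is a hypothetical stand-in for the `b.crls` field, holding a map of revoked serials instead of parsed CRLs, and `loader` is a constructed fetch function. `withCRLs` populates an empty set before first use under a double-checked lock, then runs the verification step under the read lock; `reload` is the periodic refresh taking the write lock.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// revokedSerials maps a CRL name to the serials it lists as revoked. Real
// code holds parsed *x509.RevocationList values; strings keep the example
// self-contained.
type revokedSerials map[string]map[string]bool

// crlStore is a hypothetical stand-in for a backend's crls field, with the
// read/write lock that the unlocked access lacked.
type crlStore struct {
	mu     sync.RWMutex
	crls   revokedSerials
	loader func() (revokedSerials, error) // constructed fetch, no network
	loads  int32                          // bumped atomically to count loader calls
}

func newCRLStore(loader func() (revokedSerials, error)) *crlStore {
	return &crlStore{loader: loader}
}

// ensureLoaded fills an empty set on first use (the gap a login path that
// never populated the CRLs would hit), with a double-checked lock so that
// concurrent first callers trigger exactly one load.
func (s *crlStore) ensureLoaded() error {
	s.mu.RLock()
	loaded := s.crls != nil
	s.mu.RUnlock()
	if loaded {
		return nil
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.crls != nil {
		return nil
	}
	crls, err := s.loader()
	if err != nil {
		return fmt.Errorf("crl load: %w", err)
	}
	atomic.AddInt32(&s.loads, 1)
	s.crls = crls
	return nil
}

// reload fetches outside the lock and swaps the set in under the write lock.
func (s *crlStore) reload() error {
	crls, err := s.loader()
	if err != nil {
		return fmt.Errorf("crl reload: %w", err)
	}
	atomic.AddInt32(&s.loads, 1)
	s.mu.Lock()
	s.crls = crls
	s.mu.Unlock()
	return nil
}

// withCRLs is the login-path wrapper: guarantee the CRLs are present, then
// hand a read-locked view to the verification step.
func (s *crlStore) withCRLs(fn func(revokedSerials) error) error {
	if err := s.ensureLoaded(); err != nil {
		return err
	}
	s.mu.RLock()
	defer s.mu.RUnlock()
	return fn(s.crls)
}

// isRevoked is what a login handler asks before trusting a client cert.
func (s *crlStore) isRevoked(serial string) (bool, error) {
	revoked := false
	err := s.withCRLs(func(crls revokedSerials) error {
		for _, set := range crls {
			if set[serial] {
				revoked = true
				break
			}
		}
		return nil
	})
	return revoked, err
}

func (s *crlStore) loadCount() int32 { return atomic.LoadInt32(&s.loads) }

func main() {
	s := newCRLStore(func() (revokedSerials, error) {
		return revokedSerials{"issuer-a": {"0a:1b:2c": true}}, nil
	})
	r, err := s.isRevoked("0a:1b:2c")
	fmt.Println("revoked:", r, "err:", err, "loads:", s.loadCount())
}
```

Running the test with `go test -race` is the quickest way to confirm the wrapper: removing the locks from `withCRLs` or `reload` makes the detector report the same kind of unsynchronised access the CI run surfaced.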
* Revert "Don't execute the seal recovery tests on ENT. (#18841)"
This reverts commit 990d3bacc203c229d0f6729929d7562e678a1ac2.
* Revert "Add the ability to unseal using recovery keys via an explicit seal option. (#18683)"
This reverts commit 2ffe49aab0fc1a527c5182637c8fa3ac39b08d45.
* Apply URL encoding/unencoding to OCSP Get requests
- Missed this during development, and sadly the unit tests were written
at a level that did not expose this issue originally. There are
certain combinations of issuer cert + serial that lead to base64
data containing a '/', which will lead to the OCSP handler not getting
the full parameter.
- Do as the spec says, this should be treated as url-encoded data.
* Add cl
* Add higher level PKI OCSP GET/POST tests
* Rename PKI ocsp files to path_ocsp to follow naming conventions
* make fmt
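The truncation described above, as an added example in Go that is not Vault's OCSP handler: `sampleDER` is a constructed byte string (not a real OCSPRequest) chosen so its base64 form contains '/', `ocspBase` is an assumed mount path, and `routeParam` is a minimal stand-in for a router that captures one path segment. The unescaped form loses everything after the first '/', while the RFC 6960 Appendix A form (url-encoded base64 as one segment) round-trips.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// ocspBase is an assumed mount path for the example.
const ocspBase = "/v1/pki/ocsp"

// sampleDER is a constructed byte string standing in for a DER-encoded
// OCSPRequest. It is not a valid request; the 0xff bytes make sure the
// base64 output contains '/'.
var sampleDER = []byte{0x30, 0x0a, 0xff, 0xff, 0xff, 0x02, 0x01, 0x01, 0xff, 0xfe, 0xfd}

// buildOCSPGetPath follows RFC 6960 Appendix A: the base64 DER goes into
// the URL as one url-encoded path segment, so any '/' becomes %2F.
func buildOCSPGetPath(der []byte) string {
	return ocspBase + "/" + url.PathEscape(base64.StdEncoding.EncodeToString(der))
}

// buildUnescapedPath is the flawed form that appends the raw base64.
func buildUnescapedPath(der []byte) string {
	return ocspBase + "/" + base64.StdEncoding.EncodeToString(der)
}

// routeParam mimics a minimal path router that captures the single
// segment after the base path: a '/' inside the value ends the capture.
func routeParam(path string) (string, bool) {
	if !strings.HasPrefix(path, ocspBase+"/") {
		return "", false
	}
	rest := strings.TrimPrefix(path, ocspBase+"/")
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		rest = rest[:i]
	}
	return rest, true
}

// decodeOCSPGetParam undoes the encoding in the right order: url-unescape
// the captured segment first, then base64-decode it.
func decodeOCSPGetParam(seg string) ([]byte, error) {
	raw, err := url.PathUnescape(seg)
	if err != nil {
		return nil, fmt.Errorf("ocsp: bad url encoding: %w", err)
	}
	der, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("ocsp: bad base64: %w", err)
	}
	return der, nil
}

func main() {
	for _, p := range []string{buildUnescapedPath(sampleDER), buildOCSPGetPath(sampleDER)} {
		seg, _ := routeParam(p)
		der, err := decodeOCSPGetParam(seg)
		fmt.Printf("%s\n  captured=%q decoded=%x err=%v\n", p, seg, der, err)
	}
}
```

One caveat when wiring this into net/http: `r.URL.Path` is already percent-decoded, so a router that splits on it would see the '/' again; route on `r.URL.EscapedPath()` (or the framework's raw parameter) and unescape only the captured segment, as above.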
* Add ability to clean up host keys for dynamic keys
This adds a new endpoint, tidy/dynamic-keys that removes any stale host
keys still present on the mount. This does not clean up any pending
dynamic key leases and will not remove these keys from systems with
authorized hosts entries created by Vault.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Regexp metacharacter `.` should be escaped when used literally
The paths including `/.well-known/` in the Vault API could currently
technically be invoked with any random character in place of the dot.
* Replace implementation of OpenAPI path translator with regexp AST-based one
* Add changelog
* Typo fix from PR review - thanks!
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* Add comment based on review feedback
* Change style of error handling as suggested in code review
* Make a further tweak to the handling of the error case
* Add more tests, testing cases which fail with the previous implementation
* Resolve issue with a test, and improve comment
---------
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
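The escaping problem from the first commit in this group, as an added example in Go that is not Vault's OpenAPI path translator: the `{name}` placeholder syntax and the template `oidc/provider/{name}/.well-known/openid-configuration` are illustrative, and `naivePathRegexp`/`safePathRegexp` are hypothetical helpers. The naive translation pastes literal text straight into the pattern, so `.` matches any character; the safe one runs each literal run through `regexp.QuoteMeta` before inserting the capture groups.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// paramRe finds {name} placeholders in a path template.
var paramRe = regexp.MustCompile(`\{([A-Za-z_][A-Za-z0-9_]*)\}`)

// naivePathRegexp is the flawed translation: placeholders become capture
// groups, but literal text is pasted in unquoted, so the "." in
// ".well-known" still means "any character".
func naivePathRegexp(tmpl string) *regexp.Regexp {
	return regexp.MustCompile("^" + paramRe.ReplaceAllString(tmpl, `(?P<${1}>[^/]+)`) + "$")
}

// safePathRegexp quotes each literal run with regexp.QuoteMeta and only
// then inserts the capture groups for the placeholders.
func safePathRegexp(tmpl string) *regexp.Regexp {
	var b strings.Builder
	b.WriteString("^")
	last := 0
	for _, m := range paramRe.FindAllStringSubmatchIndex(tmpl, -1) {
		b.WriteString(regexp.QuoteMeta(tmpl[last:m[0]]))
		b.WriteString("(?P<" + tmpl[m[2]:m[3]] + ">[^/]+)")
		last = m[1]
	}
	b.WriteString(regexp.QuoteMeta(tmpl[last:]))
	b.WriteString("$")
	return regexp.MustCompile(b.String())
}

// matchPath returns the captured parameters, or false when the path does
// not match the compiled template.
func matchPath(re *regexp.Regexp, path string) (map[string]string, bool) {
	m := re.FindStringSubmatch(path)
	if m == nil {
		return nil, false
	}
	params := map[string]string{}
	for i, name := range re.SubexpNames() {
		if i > 0 && name != "" {
			params[name] = m[i]
		}
	}
	return params, true
}

func main() {
	tmpl := "oidc/provider/{name}/.well-known/openid-configuration"
	for _, p := range []string{
		"oidc/provider/acme/.well-known/openid-configuration",
		"oidc/provider/acme/Xwell-known/openid-configuration",
	} {
		_, naive := matchPath(naivePathRegexp(tmpl), p)
		params, safe := matchPath(safePathRegexp(tmpl), p)
		fmt.Printf("%-55s naive=%v safe=%v params=%v\n", p, naive, safe, params)
	}
}
```

Quoting literal runs rather than hand-escaping `.` also covers the other metacharacters a template could legitimately contain (`+`, `(`, `?`), which is why an AST-level translation, as the second commit in this group describes, is the robust route.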
* Remove dynamic keys from SSH Secrets Engine
This removes the functionality of Vault creating keys and adding them to
the authorized keys file on hosts.
This functionality has been deprecated since Vault version 0.7.2.
The preferred alternative is to use the SSH CA method, which also allows
key generation but places limits on TTL and doesn't require Vault to reach
out to provision each key on the specified host, making it much more
secure.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove dynamic ssh references from documentation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove dynamic key secret type entirely
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify changelog language
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add removal notice to the website
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>