Commit Graph

400 Commits

Author SHA1 Message Date
Tero Saarni 8bca8984e6
Update github.com/prometheus/client_golang (#14190)
* Update github.com/prometheus/client_golang

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

* Added changelog entry.
2022-02-23 09:31:58 -05:00
Hridoy Roy 57388d31cc
update sdk in go mod for vault and api (#14210)
* update sdk in go mod for vault and api

* revert sdk update for api as that requires bumping api
2022-02-22 15:55:31 -08:00
Nick Cabatoff 5fe1c16201
Remove support for etcd v2 storage backend. (#14193) 2022-02-22 16:48:04 -05:00
mickael-hc 6b753fb2f5
Replace dgrijava/jwt-go with golang-jwt/jwt (#14167) 2022-02-22 15:12:15 -05:00
Ben Ash a156036934
upgrade vault-plugin-auth-kubernetes (#14144)
- ensure valid entity alias names created for projected volume tokens.
2022-02-22 11:25:44 -05:00
Jason O'Donnell d848531cce
secrets/openldap: fix panic from nil logger (#14171)
* secrets/openldap: fix panic from nil logger

* changelog
2022-02-18 19:40:30 -05:00
Chris Capurso c7ba8b1f25
Add HTTP-level tests for KV subkeys endpoint (#14079)
* go get plugin-secrets-kv@v0.11.0; go mod tidy

* add HTTP-level tests for KV subkeys endpoint

* check status in TestKV_Subkeys_CurrentVersion

* some test cleanup
2022-02-18 11:54:36 -05:00
Jason O'Donnell 6b8e5b1e1f
auth/azure: update to v0.9.3 (#14138)
* auth/azure: update to v0.9.3

* changelog

* Rollback go-testing-interface

* go mod tidy
2022-02-18 09:42:48 -05:00
Josh Black e83471d7de
Login MFA (#14025)
* Login MFA

* ENT OSS segragation (#14088)

* Delete method id if not used in an MFA enforcement config (#14063)

* Delete an MFA methodID only if it is not used by an MFA enforcement config

* Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path

* adding use_passcode field to DUO config (#14059)

* add changelog

* preventing replay attack on MFA passcodes (#14056)

* preventing replay attack on MFA passcodes

* using %w instead of %s for error

* Improve CLI command for login mfa (#14106)

CLI prints a warning message indicating the login request needs to get validated

* adding the validity period of a passcode to error messages (#14115)

* PR feedback

* duo to handle preventing passcode reuse

Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: hamid ghaf <hamid@hashicorp.com>
2022-02-17 13:08:51 -08:00
Alexander Scheel 45c028a2fb
Allow specifying multiple allowed SSH key lengths (#13991)
* Allow specifying multiple allowed SSH key lengths

In the ssh secrets engine, only a single allowed key length was allowed
for each algorithm type. However, many algorithms have multiple safe
values (such as RSA and ECDSA); allowing a single role to have multiple
values for a single algorithm is thus helpful.

On creation or update, roles can now specify multiple types using a list
or comma separated string of allowed values:

    allowed_user_key_lengths: map[string][]int{"rsa": []int{2048, 4096}}

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Break out ssh upgrade logic into separate function

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update parseutil for optional lists of integers

    go get -u github.com/hashicorp/go-secure-stdlib/parseutil
    go mod tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Simplify parse logic using new parseutil

The newly introduced parseutil.ParseIntSlice handles the more
complicated optional int-like slice logic for us.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-17 15:36:56 -05:00
Jordan Reimer b936db8332
Revert "MFA (#14049)" (#14135)
This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 13:17:59 -07:00
Austin Gebauer e4aab1b0cc
secrets/azure: update plugin to v0.11.4 (#14130) 2022-02-17 12:09:36 -08:00
Jordan Reimer 36ccfaa3aa
MFA (#14049)
* adds development workflow to mirage config

* adds mirage handler and factory for mfa workflow

* adds mfa handling to auth service and cluster adapter

* moves auth success logic from form to controller

* adds mfa form component

* shows delayed auth message for all methods

* adds new code delay to mfa form

* adds error views

* fixes merge conflict

* adds integration tests for mfa-form component

* fixes auth tests

* updates mfa response handling to align with backend

* updates mfa-form to handle multiple methods and constraints

* adds noDefault arg to Select component

* updates mirage mfa handler to align with backend and adds generator for various mfa scenarios

* adds tests

* flaky test fix attempt

* reverts test fix attempt

* adds changelog entry

* updates comments for todo items

* removes faker from mfa mirage factory and handler

* adds number to word helper

* fixes tests

* Revert "Merge branch 'main' into ui/mfa"

This reverts commit 8ee6a6aaa1b6c9ec16b985c10d91c3806819ec40, reversing
changes made to 2428dd6cca07bb41cda3f453619646ca3a88bfd0.

* format-ttl helper fix from main
2022-02-17 09:10:56 -07:00
Robert 91f5069c03
secret/consul: Add Consul ACL roles support (#14014)
Co-authored-by: Brandon Ingalls <brandon@ingalls.io>
2022-02-16 19:31:08 -06:00
Alexander Scheel f45ad6e284
Fix ed25519 generated SSH key marshalling (#14101)
* Ensure we can issue against generated SSH CA keys

This adds a test to ensure that we can issue leaf SSH certificates using
the newly generated SSH CA keys. Presently this fails because the
ed25519 key private is stored using PKIX's PKCS8 PrivateKey object
format rather than using OpenSSH's desired private key format:

> path_config_ca_test.go:211: bad case 12: err: failed to parse stored CA private key: ssh: invalid openssh private key format, resp: <nil>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add dependency on edkey for OpenSSH ed25519 keys

As mentioned in various terraform-provider-tls discussions, OpenSSH
doesn't understand the standard OpenSSL/PKIX ed25519 key structure (as
generated by PKCS8 marshalling). Instead, we need to place it into the
OpenSSH RFC 8709 format. As mentioned in this dependency's README,
support in golang.org/x/crypto/ssh is presently lacking for this.
When the associated CL is merged, we should be able to remove this dep
and rely on the (extended) standard library, however, no review progress
appears to have been made since the CL was opened by the author.

See also: https://go-review.googlesource.com/c/crypto/+/218620/

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-16 14:28:57 -05:00
Ben Ash 7aaee22e07
auth/kubernetes: Update plugin to v0.11.5 (#13925) 2022-02-10 12:23:19 -05:00
Robert d0832a1993
secret/consul: Add support for consul namespaces and admin partitions (#13850)
* Add support for consul namespaces and admin partitions
2022-02-09 15:44:00 -06:00
Jason O'Donnell fc69112f9a
secrets/gcp: update to v0.11.2 (#13974)
* secrets/gcp: update to v0.11.2

* Changelog
2022-02-09 12:57:53 -05:00
Jason O'Donnell 9218e8126e
secrets/azure: update to v0.11.3 (#13973)
* secrets/azure: update to v0.11.3

* Changelog
2022-02-09 11:58:53 -05:00
Jason O'Donnell 702399a156
go-mssqldb: update to v0.12.0 (#13951) 2022-02-08 11:45:55 -05:00
Tero Saarni f4eea60799
Switch/upgrade to influxdata/influxdb1-client (#12262)
* influxdb v1 client has been split into a separate module from the main influxdb
  code base. This changes uses the correct client, which also allows us to
  get updates and avoids confusing some vulnerability scanners that flagged 
  previous version incorrectly.

Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2022-01-25 13:30:24 -05:00
Nick Cabatoff ddab893034
Update to raft lib v1.3.3 (#13703) 2022-01-24 09:50:23 -05:00
Nick Cabatoff 07555c8bfc
Depend explicitly on go-msgpack v1.1.5 (#13693) 2022-01-19 10:32:19 -05:00
Tero Saarni e2b17ca96b
auth/kubernetes: support for dynamically reloading short-lived tokens (#13595)
* auth/kubernetes: support for short-lived tokens

* Uplift new version of Kubernetes auth plugin that does not store the
  service account token persistently to Vault storage.

* Update the documentation to recommend local token again when running
  Vault inside cluster.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

* Added changelog entry

Signed-off-by: Tero Saarni <tero.saarni@est.tech>

* clarification to changelog entry, executed go mod tidy

* clarifications and added targeted release version
2022-01-14 19:55:15 -08:00
Chris Capurso d52d69e4bb
Add HTTP PATCH support for KV key metadata (#13215)
* go get vault-plugin-secrets-kv@vault-4290-patch-metadata

* add kv metadata patch command

* add changelog entry

* success tests for kv metadata patch flags

* add more kv metadata patch flags tests

* add kv metadata patch cas warning test

* add kv-v2 key metadata patch API docs

* add kv metadata patch to docs

* prevent unintentional field overwriting in kv metadata put cmd

* like create/update ops, prevent patch to paths ending in /

* fix kv metadata patch cmd in docs

* fix flag defaults for kv metadata put

* go get vault-plugin-secrets-kv@vault-4290-patch-metadata

* fix TestKvMetadataPatchCommand_Flags test

* doc fixes

* go get vault-plugin-secrets-kv@master; go mod tidy
2022-01-12 12:05:27 -05:00
Chris Capurso fea26266f3
update okta-sdk-golang to v2.9.1 (#13439)
* update okta-sdk-golang to v2.9.1

* go mod tidy

* add changelog entry
2022-01-06 09:42:51 -05:00
Austin Gebauer c21ff7e587
secrets/gcp: update plugin to v0.11.1 (#13548) 2022-01-03 11:18:48 -08:00
VAL 532dd354a6
update vault and auth submodules to api v1.3.1 (#13509) 2021-12-23 09:45:30 -08:00
Austin Gebauer 431376cb7f
auth/oidc: update plugin to v0.11.4 (#13492) 2021-12-21 16:48:53 -08:00
Jason O'Donnell 1966264bcd
auth/gcp: update to v0.11.3 (#13457)
* update gcp auth

* go mod tidy
2021-12-16 15:46:34 -05:00
John-Michael Faircloth 7f78f3357f
auth/jwt: Update plugin to v0.11.3 (#13365)
* auth/jwt: Update plugin to v0.11.3

* add changelog
2021-12-09 07:44:52 -06:00
VAL 82d49a08fb
Use real version of auth modules in root go.mod (#13321)
* Use real version of auth modules

* Keep replaces
2021-12-01 10:02:40 -08:00
Eugene R f39f1ce8de
Aerospike backend update (#12165)
* upgrade aerospike-client-go to v5.2.0

* use strings.Contains to check an error

* add changelog file

* go mod tidy

* go mod tidy

* update the changelog

* revert .gitignore update

* go mod tidy
2021-11-29 11:09:12 -08:00
Austin Gebauer 0ca08038d5
secrets/azure: Update plugin to v0.11.2 (#13277) 2021-11-29 09:05:23 -08:00
Chris Capurso 15b06780ab
remove nil response to 404 translation for PatchOperation (#13167)
* remove nil response to 404 translation for PatchOperation

* go get vault-plugin-secrets-kv@master
2021-11-23 13:57:22 -05:00
Nick Cabatoff eda9607c8a
Revert more downgrades from #12975. (#13168) 2021-11-16 15:07:03 -05:00
Nick Cabatoff 9e27ccbae1
Fix 1.9 regression with raft and stored time values (#13165) 2021-11-16 14:43:00 -05:00
Calvin Leung Huang 4a59b4c683
deps: update plugin versions for 1.9 release (#12975)
* deps: update plugin versions for 1.9 release

* deps: update vault-plugin-secrets-azure to v0.11.1

* go get newest version of github.com/pkg/browser

* deps: update vault-plugin-secrets-alicloud v0.10.2

* deps: update vault-plugin-auth-jwt to v0.11.2

* deps: update vault-plugin-auth-gcp to v0.11.2

* Clean up some inflated indirect dep versions

* deps: update vault-plugin-auth-azure to v0.9.2

* deps: re-fetch x/oauth2 to adjust version

* deps: github.com/pkg/browser to v0.0.0-20210911075715-681adbf594b8

Co-authored-by: Ben Ash <bash@hashicorp.com>
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2021-11-01 14:18:21 -07:00
swayne275 8d238b8080
just update api (#12956) 2021-10-28 14:03:08 -06:00
Jim Kalafut 170421af31
Update parseutil dependency (#12947) 2021-10-28 09:15:42 -07:00
swayne275 849f4f8544
update sdk to 0.3.0 (#12946)
* update sdk to 0.3.0

* vault go mod update
2021-10-28 10:09:58 -06:00
Alexander Scheel 5579394b48
go-kms-wrapping update for Azure Key Vault's Managed HSM offering (#12934)
* Update to hashicorp/go-kms-wrapping@v0.6.8

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation around Managed HSM KeyVault

This introduces the "resource" config parameter and the
AZURE_AD_RESOURCE environment variable from the updated go-kms-wrapping
dependency.

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry for g-k-w changes

Includes changes from @stevendpclark.

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
2021-10-27 12:07:18 -04:00
Ben Ash 6769ab37ea
fix: upgrade vault-plugin-auth-kerberos to v0.5.0 (#12930)
* Update docker helper code to match deps.
* Fix container variable name collides with import.
* Update vault-testing-stepwise to v0.1.2
2021-10-27 10:01:34 -04:00
VAL a44505dd06
Native Login method for Go client (#12796)
* Native Login method, userpass and approle interfaces to implement it

* Add AWS auth interface for Login, unexported struct fields for now

* Add Kubernetes client login

* Add changelog

* Add a test for approle client login

* Return errors from LoginOptions, use limited reader for secret ID

* Fix auth comment length

* Return actual type not interface, check for client token in tests

* Require specification of secret ID location using SecretID struct as AppRole arg

* Allow password from env, file, or plaintext

* Add flexibility in how to fetch k8s service token, but still with default

* Avoid passing strings that need to be validated by just having different login options

* Try a couple real tests with approle and userpass login

* Fix method name in comment

* Add context to Login methods, remove comments about certain sources being inherently insecure

* Perform read of secret ID at login time

* Read password from file at login time

* Pass context in integ tests

* Read env var values in at login time, add extra tests

* Update api version

* Revert "Update api version"

This reverts commit 1ef3949497dcf878c47e0e5ffcbc8cac1c3c1679.

* Update api version in all go.mod files
2021-10-26 16:48:48 -07:00
Chris Capurso a6b1cbad12
Extend kv metadata to get, put, and patch (#12907)
* go get vault-plugin-secrets-kv@extend-kv-metadata-to-get-and-put

* test for custom_metadata in kv get, put, patch command output

* remove flagFormat-specific check from TestKVMetadataGetCommand

* rewrite custom metadata changelog entry

* go get vault-plugin-secrets-kv@master

* go mod tidy
2021-10-26 15:38:56 -04:00
Ben Ash e44dbb01ba
fix: upgrade vault-plugin-auth-kubernetes to v0.11.2 (#12913)
* Update k8s.io/client-go to v0.22.2
2021-10-22 18:02:41 -04:00
Ben Ash f8914a273a
fix: upgrade vault-plugin-secrets-terraform to v0.3.0 (#12909) 2021-10-22 16:34:22 -04:00
Nick Cabatoff ff74f49047
Move to go 1.17 (#12868)
Also ensure that the go 1.17 breaking changes to net.ParseCIDR don't make us choke on stored CIDRs that were acceptable to older Go versions.
2021-10-21 09:32:03 -04:00
vinay-gopalan 4834bb854c
[VAULT-3008] Update RabbitMQ dependency and fix regression in UserInfo.Tags in v3.9 (#12877) 2021-10-20 09:46:37 -07:00
Austin Gebauer c797ed1b5c
Updates vault-plugin-auth-jwt to v0.11.0 (#12876) 2021-10-19 15:22:52 -07:00