Commit graph

382 commits

Author SHA1 Message Date
Tom Proctor 3668275903
Quit agent endpoint with config (#14223)
* Add agent/v1/quit endpoint
  * Closes https://github.com/hashicorp/vault/issues/11089
* Agent quit API behind config setting
* Normalise test config whitespace
* Document config option

Co-authored-by: Rémi Lapeyre <remi.lapeyre@lenstra.fr>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2022-02-25 10:29:05 +00:00
Hridoy Roy c2d7386be4
sdk changes for 1.10.0 release branch (#14264) 2022-02-24 16:39:14 -08:00
Hridoy Roy 45b3a7a8a9
sdk prerelease version upgrade (dev-1) (#14203)
* update prerelease version in sdk to be dev-1

* Update sdk/version/version_base.go

Co-authored-by: Meggie <meggie@hashicorp.com>

Co-authored-by: Meggie <meggie@hashicorp.com>
2022-02-22 14:25:24 -08:00
Calvin Leung Huang 2a937fe717
plugin/catalog: support plugin registration when type is explicitly provided (#14142)
* plugin/catalog: support plugin registration whe type is explicitly provided

* don't use database type on plugin backend test; mock doesn't satisfy the DB interface

* check multiplexing support from plugin directly on newPluginClient

* do not return mutiplexed bool on catalog helper funcs
2022-02-17 18:40:33 -08:00
Rémi Lapeyre 98b18ee08e
Add telemetry to Vault agent (#13675)
This patch adds a new /agent/v1/metrics that will return metrics on the
running Vault agent. Configuration is done using the same telemetry
stanza as the Vault server. For now default runtime metrics are
returned with a few additional ones specific to the agent:
  - `vault.agent.auth.failure` and `vault.agent.auth.success` to monitor
  the correct behavior of the auto auth mechanism
  - `vault.agent.proxy.success`, `vault.agent.proxy.client_error` and
  `vault.agent.proxy.error` to check the connection with the Vault server
  - `vault.agent.cache.hit` and `vault.agent.cache.miss` to monitor the
  cache

Closes https://github.com/hashicorp/vault/issues/8649

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-02-17 17:10:26 -08:00
Josh Black e83471d7de
Login MFA (#14025)
* Login MFA

* ENT OSS segragation (#14088)

* Delete method id if not used in an MFA enforcement config (#14063)

* Delete an MFA methodID only if it is not used by an MFA enforcement config

* Fixing a bug: mfa/validate is an unauthenticated path, and goes through the handleLoginRequest path

* adding use_passcode field to DUO config (#14059)

* add changelog

* preventing replay attack on MFA passcodes (#14056)

* preventing replay attack on MFA passcodes

* using %w instead of %s for error

* Improve CLI command for login mfa (#14106)

CLI prints a warning message indicating the login request needs to get validated

* adding the validity period of a passcode to error messages (#14115)

* PR feedback

* duo to handle preventing passcode reuse

Co-authored-by: hghaf099 <83242695+hghaf099@users.noreply.github.com>
Co-authored-by: hamid ghaf <hamid@hashicorp.com>
2022-02-17 13:08:51 -08:00
Jordan Reimer b936db8332
Revert "MFA (#14049)" (#14135)
This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 13:17:59 -07:00
Hridoy Roy ebf8e5308a
SSCT Tokens Feature [OSS] (#14109)
* port SSCT OSS

* port header hmac key to ent and generate token proto without make command

* remove extra nil check in request handling

* add changelog

* add comment to router.go

* change test var to use length constants

* remove local index is 0 check and extra defer which can be removed after use of ExternalID
2022-02-17 11:43:07 -08:00
Jordan Reimer 36ccfaa3aa
MFA (#14049)
* adds development workflow to mirage config

* adds mirage handler and factory for mfa workflow

* adds mfa handling to auth service and cluster adapter

* moves auth success logic from form to controller

* adds mfa form component

* shows delayed auth message for all methods

* adds new code delay to mfa form

* adds error views

* fixes merge conflict

* adds integration tests for mfa-form component

* fixes auth tests

* updates mfa response handling to align with backend

* updates mfa-form to handle multiple methods and constraints

* adds noDefault arg to Select component

* updates mirage mfa handler to align with backend and adds generator for various mfa scenarios

* adds tests

* flaky test fix attempt

* reverts test fix attempt

* adds changelog entry

* updates comments for todo items

* removes faker from mfa mirage factory and handler

* adds number to word helper

* fixes tests

* Revert "Merge branch 'main' into ui/mfa"

This reverts commit 8ee6a6aaa1b6c9ec16b985c10d91c3806819ec40, reversing
changes made to 2428dd6cca07bb41cda3f453619646ca3a88bfd0.

* format-ttl helper fix from main
2022-02-17 09:10:56 -07:00
John-Michael Faircloth 1cf74e1179
feature: multiplexing support for database plugins (#14033)
* feat: DB plugin multiplexing (#13734)

* WIP: start from main and get a plugin runner from core

* move MultiplexedClient map to plugin catalog
- call sys.NewPluginClient from PluginFactory
- updates to getPluginClient
- thread through isMetadataMode

* use go-plugin ClientProtocol interface
- call sys.NewPluginClient from dbplugin.NewPluginClient

* move PluginSets to dbplugin package
- export dbplugin HandshakeConfig
- small refactor of PluginCatalog.getPluginClient

* add removeMultiplexedClient; clean up on Close()
- call client.Kill from plugin catalog
- set rpcClient when muxed client exists

* add ID to dbplugin.DatabasePluginClient struct

* only create one plugin process per plugin type

* update NewPluginClient to return connection ID to sdk
- wrap grpc.ClientConn so we can inject the ID into context
- get ID from context on grpc server

* add v6 multiplexing  protocol version

* WIP: backwards compat for db plugins

* Ensure locking on plugin catalog access

- Create public GetPluginClient method for plugin catalog
- rename postgres db plugin

* use the New constructor for db plugins

* grpc server: use write lock for Close and rlock for CRUD

* cleanup MultiplexedClients on Close

* remove TODO

* fix multiplexing regression with grpc server connection

* cleanup grpc server instances on close

* embed ClientProtocol in Multiplexer interface

* use PluginClientConfig arg to make NewPluginClient plugin type agnostic

* create a new plugin process for non-muxed plugins

* feat: plugin multiplexing: handle plugin client cleanup (#13896)

* use closure for plugin client cleanup

* log and return errors; add comments

* move rpcClient wrapping to core for ID injection

* refactor core plugin client and sdk

* remove unused ID method

* refactor and only wrap clientConn on multiplexed plugins

* rename structs and do not export types

* Slight refactor of system view interface

* Revert "Slight refactor of system view interface"

This reverts commit 73d420e5cd2f0415e000c5a9284ea72a58016dd6.

* Revert "Revert "Slight refactor of system view interface""

This reverts commit f75527008a1db06d04a23e04c3059674be8adb5f.

* only provide pluginRunner arg to the internal newPluginClient method

* embed ClientProtocol in pluginClient and name logger

* Add back MLock support

* remove enableMlock arg from setupPluginCatalog

* rename plugin util interface to PluginClient

Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>

* feature: multiplexing: fix unit tests (#14007)

* fix grpc_server tests and add coverage

* update run_config tests

* add happy path test case for grpc_server ID from context

* update test helpers

* feat: multiplexing: handle v5 plugin compiled with new sdk

* add mux supported flag and increase test coverage

* set multiplexingSupport field in plugin server

* remove multiplexingSupport field in sdk

* revert postgres to non-multiplexed

* add comments on grpc server fields

* use pointer receiver on grpc server methods

* add changelog

* use pointer for grpcserver instance

* Use a gRPC server to determine if a plugin should be multiplexed

* Apply suggestions from code review

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* add lock to removePluginClient

* add multiplexingSupport field to externalPlugin struct

* do not send nil to grpc MultiplexingSupport

* check err before logging

* handle locking scenario for cleanupFunc

* allow ServeConfigMultiplex to dispense v5 plugin

* reposition structs, add err check and comments

* add comment on locking for cleanupExternalPlugin

Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2022-02-17 08:50:33 -06:00
Matt Schultz c379e41c4c
Rename transit's auto_rotate_interval to auto_rotate_period for consistency and to achieve formatting benefits in CLI output. Update UI handling of the renamed field to account for recent data type change from time string to integral seconds. (#14103) 2022-02-16 14:33:13 -06:00
Brian Kassouf e94455e608
Improve code comments on logical.Paths object (#14080)
* Improve code comments on logical.Paths object

* Update sdk/logical/logical.go

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2022-02-15 11:00:48 -08:00
Scott Miller 0da4d59e3c
OSS of the managed key consumer pattern (#13940)
* OSS of the managed key consumer pattern

* Wrong changes
2022-02-07 15:01:42 -06:00
Alexander Scheel 33a9218115
Add full CA Chain to /pki/cert/ca_chain response (#13935)
* Include full chain in /cert/ca_chain response

This allows callers to get the full chain (including issuing
certificates) from a call to /cert/ca_chain. Previously, most endpoints
(including during issuance) do not include the root authority, requiring
an explicit call to /cert/ca to fetch. This allows full chains to be
constructed without without needing multiple calls to the API.

Resolves: #13489

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test case for full CA issuance

We test three main scenarios:

 1. A root-only CA's `/cert/ca_chain`'s `.data.ca_chain` field should
    contain only the root,
 2. An intermediate CA (with root provide) should contain both the root
    and the intermediate.
 3. An external (e.g., `/config/ca`-provided) CA with both root and
    intermediate should contain both certs.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation for new ca_chain field

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about where to find the entire chain

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-02-07 14:37:01 -05:00
hghaf099 f541cf196b
adding docs for the framework Required field (#13884)
* adding docs for the framework Required field

* minor fix

* Update sdk/framework/backend.go

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2022-02-03 11:44:01 -05:00
Tom Proctor 5032cfaf47
Add make fmt CI check (#13803)
* Add make fmt CI check

* Don't suppress patch output
2022-01-31 23:24:16 +00:00
Dominik Roos 7a6ae24e9f
pki: calculate Subject Key Identifier according to RFC 5280 (#11218)
Calculate the Subject Key Identifier as suggested in RFC 5280, Section 4.2.1.2

> (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
value of the BIT STRING subjectPublicKey (excluding the tag,
length, and number of unused bits).

fixes #11153
2022-01-28 10:46:51 -05:00
Alexander Scheel 705439885d
Remove deprecated call to BuildNameToCertificate (#13811)
This function call was previously used to generate mappings from
potential subjects (or SANs) to certificates within the TLS client
object. However, newer Go versions have deprecated this method, instead
building the mapping automatically based on present certificates at
request time. Because the corresponding client configuration field is
not used in Vault (NameToCertificate), it is safe to remove this call
and leave it nil.

See also: 67d894ee65
See also: https://pkg.go.dev/crypto/tls#Config.BuildNameToCertificate

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-01-27 14:56:21 -05:00
Josh Black d249fad2df
reformat using 'make fmt' (#13794) 2022-01-27 10:06:34 -08:00
Steven Clark 43087c96b2
OSS integration of the PKI plugin with managed key infrastructure (#13793)
- The OSS side of things to leverage managed keys from the PKI secrets engine
2022-01-26 23:06:25 -05:00
Rémi Lapeyre cf8b5642f2
Add remote_port in the audit logs when it is available (#12790)
* Add remote_port in the audit logs when it is available

The `request.remote_port` field is now present in the audit log when it
is available:

```
{
  "time": "2021-10-10T13:53:51.760039Z",
  "type": "response",
  "auth": {
    "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
    "accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
    "display_name": "root",
    "policies": [
      "root"
    ],
    "token_policies": [
      "root"
    ],
    "token_type": "service",
    "token_issue_time": "2021-10-10T15:53:44+02:00"
  },
  "request": {
    "id": "829c04a1-0352-2d9d-9bc9-00b928d33df5",
    "operation": "update",
    "mount_type": "system",
    "client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
    "client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
    "namespace": {
      "id": "root"
    },
    "path": "sys/audit/file",
    "data": {
      "description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b",
      "local": false,
      "options": {
        "file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3"
      },
      "type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc"
    },
    "remote_address": "127.0.0.1",
    "remote_port": 54798
  },
  "response": {
    "mount_type": "system"
  }
}
```

Closes https://github.com/hashicorp/vault/issues/7716

* Add changelog entry

* Empty commit to trigger CI

* Add test and explicit error handling

* Change temporary file pattern in test
2022-01-26 15:47:15 -08:00
Rémi Lapeyre 961ff4a363
Return num_uses during authentication (#12791)
* Return num_uses during authentication

https://github.com/hashicorp/vault/issues/10664

* Add changelog entry
2022-01-25 18:59:53 -08:00
Matt Schultz fc7deabfd7
Time-based transit key autorotation (#13691)
* Add auto_rotate_interval field to transit key creation path.

* Add auto_rotate_interval field to transit key config update path.

* Implement transit automatic key rotation on an hourly interval.

* Fixes transit key autorotation key listing typo.

* Add unit tests for transit key autorotation.

* Add unit tests for transit key creation with autorotation interval.

* Add unit tests for transit key config update with autorotation interval.

* Document new auto_rotate_interval fields in key creation and key config update endpoints.

* Add changelog for transit key autorotation.

* Wrap individual transit key autorotation in a policy lock.

* Add a safeguard to transit key autorotation to ensure only one execution happens simultaneously.
2022-01-20 09:10:15 -06:00
Sung Hon Wu 194c9e32d3
Enhance sys/raw to read and write values that cannot be encoded in json (#13537) 2022-01-20 07:52:53 -05:00
Scott Miller f7e3ab72a8
OSS side of the managed key interfaces (#13699)
* OSS side of the managed key interfaces

* Not needed in OSS
2022-01-19 11:15:33 -06:00
divyapola5 d9c9d06710
Add validation for nonce size when we aren't in convergent encryption mode within transit backend (#13690)
* Add validation for nonce size when we aren't in convergent encryption mode within transit backend

* Add changelog entry
2022-01-19 13:02:49 +05:30
VAL 6652203569
Distinguish LIST-only paths in OpenAPI (#13643)
* Distinguish LIST-only paths in OpenAPI

* add changelog

* Put enum field inside schema
2022-01-18 09:21:44 -08:00
akshya96 319a76d8d1
Vault-3991 Code Scanning Alerts Changes (#13667)
* code scanning alerts changes

* adding changelog
2022-01-14 15:35:27 -08:00
Chris Capurso fc75aabd03
use GetOkErr in patch handler so type coercion errors result in error response (#13191)
* use GetOkErr in patch handler so unknown fields result in error response

* do not error on unknown fields for patch handling

* godoc update for HandlePatchOperation
2022-01-12 09:32:59 -05:00
Robert 15bd5fd6b6
secrets/database: Add parameter to disable escaping username and password chars for DB connections (#13414)
* Add a parameter that disables escaping characters in the username or password fields for secrets engines database connections

* Always disallow template variables inside the username or password
2022-01-10 12:05:17 -06:00
Scott Miller 89f617a97c
Convert to Go 1.17 go:build directive (#13579) 2022-01-05 12:02:03 -06:00
Vinny Mannello 2680f0b198
[Vault-4628] OpenAPI endpoint not expanding root alternations (#13487) 2021-12-22 15:36:47 -08:00
Vinny Mannello 62ecf23c2c
EscapeLDAPValue - catch trailing escape character (#13452)
* [VAULT-4018] - EscapeLDAPValue catch trailing escape character
2021-12-15 13:17:07 -08:00
Michele Degges ce163e36bb
Fix for main: Add vault revision to --version cmd (#13428) 2021-12-15 11:38:20 -08:00
Alexander Scheel 31ff2be589
Add universal default key_bits value for PKI endpoints (#13080)
* Allow universal default for key_bits

This allows the key_bits field to take a universal default value, 0,
which, depending on key_type, gets adjusted appropriately into a
specific default value (rsa->2048, ec->256, ignored under ed25519).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Handle universal default key size in certutil

Also move RSA < 2048 error message into certutil directly, instead of in
ca_util/path_roles.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing RSA key sizes to pki/backend_test.go

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to returning updated values

When determining the default, don't pass in pointer types, but instead
return the newly updated value.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Re-add fix for ed25519 from #13254

Ed25519 internally specifies a hash length; by changing the default from
256 to 0, we fail validation in ValidateSignatureLength(...) unless we
specify the key algorithm.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2021-12-13 15:26:42 -05:00
hghaf099 65845c7531
VAULT-1564 report in-flight requests (#13024)
* VAULT-1564 report in-flight requests

* adding a changelog

* Changing some variable names and fixing comments

* minor style change

* adding unauthenticated support for in-flight-req

* adding documentation for the listener.profiling stanza

* adding an atomic counter for the inflight requests
addressing comments

* addressing comments

* logging completed requests

* fixing a test

* providing log_requests_info as a config option to determine at which level requests should be logged

* removing a member and a method from the StatusHeaderResponseWriter struct

* adding api docks

* revert changes in NewHTTPResponseWriter

* Fix logging invalid log_requests_info value

* Addressing comments

* Fixing a test

* use an tomic value for logRequestsInfo, and moving the CreateClientID function to Core

* fixing go.sum

* minor refactoring

* protecting InFlightRequests from data race

* another try on fixing a data race

* another try to fix a data race

* addressing comments

* fixing couple of tests

* changing log_requests_info to log_requests_level

* minor style change

* fixing a test

* removing the lock in InFlightRequests

* use single-argument form for interface assertion

* adding doc for the new configuration paramter

* adding the new doc to the nav data file

* minor fix
2021-12-08 17:34:42 -05:00
Matt Schultz 85f5cfc356
Adds support for SHA-3 to transit (#13367)
* Adding support for SHA3 in the transit backend.

* Adds SHA-3 tests for transit sign/verify path. Adds SHA-3 tests for logical system tools path hash functionality. Updates documentation to include SHA-3 algorithms in system tools path hashing.

* Adds changelog entry.

Co-authored-by: robison jacka <robison@packetized.io>
2021-12-08 12:29:33 -06:00
Pavlos Tzianos 0abc8f43fa
Add helper for encoding/decoding root tokens and OTP generation in SDK module (#10504) (#10505) 2021-12-01 08:05:49 -05:00
Jason O'Donnell 660a7be134
sdk/queue: move lock before checking queue length (#13146)
* sdk/queue: move lock before checking queue length

* Add changelog
2021-11-29 14:54:00 -05:00
Nick Cabatoff f85908e1df
Return an error when trying to store a too-large key with Raft (#13282) 2021-11-25 14:07:03 -05:00
Navaneeth Rameshan 201526e983
skip hash bits verification for ed25519 (#13254)
* skip hash bits verification for ed25519 #13253

The default value or *hashBits is 0 and will fail
at ValidateSignatureLength for ed25519. ed25519
specifies its own hash, so avoid hashBits validation for
ed25519 curve.
2021-11-23 15:28:18 -05:00
hghaf099 9640d35136
Unify HTTPResponseWriter and StatusHeaderResponseWriter (#13200)
* Unify NewHTTPResponseWriter ant NewStatusHeaderResponseWriter to fix ResponseWriter issues

* adding changelog

* removing unnecessary function from the WrappingResponseWriter interface

* changing logical requests responseWriter type

* reverting change to HTTPResponseWriter
2021-11-23 14:30:25 -05:00
Chris Capurso 15b06780ab
remove nil response to 404 translation for PatchOperation (#13167)
* remove nil response to 404 translation for PatchOperation

* go get vault-plugin-secrets-kv@master
2021-11-23 13:57:22 -05:00
Alexander Scheel 3bad83f76f
Prevent CWE-190/AllocationSizeOverflow in KDF (#13237)
In the Counter-mode KBKDF implementation, due to the nature of the PRF
(being implemented as a function rather than a hash.Hash instance), we
need to allocate a buffer capable of storing the entire input to the
PRF. This consists of the user-supplied context with 8 additional bytes
(4 before and 4 after) of encoded integers.

If the user supplies a maximally-sized context, the internally allocated
buffer's size computation will overflow, resulting in a runtime panic.
Guard against this condition.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2021-11-22 12:25:50 -05:00
Joseph Crosland dd11865597
Return a UserError if aead.Open() fails to align with documentation (#10914)
Return a UserError is aead.Open() fails and assume by that stage there is a problem with the user input for said decryption
2021-11-17 11:40:43 -05:00
Steven Clark 2d21c00476
Add extra debugging to help identify failures within mssql test (#13142)
* Add extra debugging to help identify failures within mssql test
* Switch up the AssertInitialized method for mssql tests by marking the test as failed instead of
   immediately failing, this will also allow us to see what happens even if this assertion fails to the rest
   of the test.
2021-11-15 12:51:16 -05:00
Alexander Scheel cd213f5fca
Restrict ECDSA/NIST P-Curve hash function sizes for cert signing (#12872)
* Restrict ECDSA signatures with NIST P-Curve hashes

When using an ECDSA signature with a NIST P-Curve, we should follow
recommendations from BIS (Section 4.2) and Mozilla's root store policy
(section 5.1.2) to ensure that arbitrary selection of signature_bits
does not exceed what the curve is capable of signing.

Related: #11245

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to certutil.ValidateKeyTypeSignatureLength(...)

Replaces previous calls to certutil.ValidateKeyTypeLength(...) and
certutil.ValidateSignatureLength(...) with a single call, allowing for
curve<->hash validation.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to autodetection of signature_bits

This enables detection of whether the caller manually specified a value
for signature_bits or not; when not manually specified, we can provision
a value that complies with new NIST P-Curve policy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Select hash function length automatically

Due to our change in behavior (to default to -1 as the value to
signature_bits to allow for automatic hash selection), switch
ValidateKeyTypeSignatureLength(...) to accept a pointer to hashBits and
provision it with valid default values.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prevent invalid Curve size lookups

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch from -1 to 0 as default SignatureBits

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2021-11-12 12:18:38 -05:00
Dominik Roos 114e172437
certutil: select appropriate hash algorithm for ECDSA signature (#11216)
* certutil: select appropriate hash algorithm for ECDSA signature

Select the appropriate signature algorithm for certificates signed
with an ECDSA private key.

The algorithm is selected based on the curve:

- P-256 -> x509.ECDSAWithSHA256
- P-384 -> x509.ECDSAWithSHA384
- P-521 -> x509.ECDSAWithSHA512
- Other -> x509.ECDSAWithSHA256

fixes #11006
2021-11-04 16:33:01 -04:00
Meggie 627c43e496
1.10.0-dev version bump (#12987)
* 1.10.0-dev version bump

* Remove hard-coded versions from tests. (#13026)

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-11-03 12:50:12 -04:00
Pratyoy Mukhopadhyay 90578d3cb3
[VAULT-4034] Revert back to caching nil values (#13013)
* Revert "[VAULT-4034] Only cache non-nil values (#12993)"

This reverts commit 67e1ed06c7199856f8493f416df55f06603881c6.

* Update sdk/physical/cache.go

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2021-11-02 12:00:37 -07:00
Pratyoy Mukhopadhyay 0ea9285d77
[VAULT-4034] Only cache non-nil values (#12993)
* Only cache non-nil values

* Add changelog
2021-11-01 13:47:45 -07:00
John-Michael Faircloth 792400a24c
ensure errors are checked (#12989) 2021-11-01 13:34:51 -05:00
Guillaume b9b7f5a9a3
Added support for a LDAP user search filter. Documentation, tests and UI included (#11000) 2021-10-26 10:39:12 -07:00
swayne275 0ce5701935
backport error changes from ent PR (#12926) 2021-10-26 10:11:24 -06:00
Hridoy Roy 1d29b93eb5
fix adding clientID to request in audit log (#12919)
* fix adding clientID to request in audit log

* fix boolean statement

* use standard encoding for client ID instead of urlEncoding

* change encoding in tests

* add in client counts to request handling

* remove redundant client ID generation in request handling

* directly add clientID to req after handling token usage
2021-10-26 09:02:13 -07:00
Alexander Scheel 6e069e94ca
Fix PKI Weak Cryptographic Key Lenghths Warning (#12886)
* Modernize SSH key lengths

No default change was made in this commit; note that the code already
enforced a default of 2048 bits. ssh-keygen and Go's RSA key generation
allows for key sizes including 3072, 4096, 8192; update the values of
SSH key generation to match PKI's allowed RSA key sizes (from
certutil.ValidateKeyTypeLength(...)). We still allow the legacy SSH key
size of 1024; in the near future we should likely remove it.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure minimum of 2048-bit PKI RSA keys

While the stated path is a false-positive, verifying all paths is
non-trivial. We largely validate API call lengths using
certutil.ValidateKeyTypeLength(...), but ensuring no other path calls
certutil.generatePrivateKey(...) --- directly or indirectly --- is
non-trivial. Thus enforcing a minimum in this method sounds like a sane
compromise.

Resolves: https://github.com/hashicorp/vault/security/code-scanning/55

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2021-10-26 09:30:09 -04:00
Vishal Nayak 476fb08e0d
Local aliases OSS patch (#12848)
* Local aliases OSS patch

* build fix
2021-10-15 15:20:00 -04:00
swayne275 abe53e9fb3
Add Root Token check for TokenEntry (#12835)
* add TokenEntry root token check

* add changelog

* remove ent changelog
2021-10-14 13:21:54 -06:00
Brian Kassouf 57c568e511
Update some SDK dependency versions (#12828)
* Update some SDK dependency versions

* Update API go.sum

* Update jsonpatch to v5
2021-10-14 09:47:32 -07:00
Hridoy Roy 1c427d3286
Port: add client ID to TWEs in activity log [vault-3136] (#12820)
* port for tracking twes as clients

* comment clean up

* changelog

* change changelog entry phrasing
2021-10-14 09:10:59 -07:00
Austin Gebauer 0551f91068
Adds OIDC Token and UserInfo endpoints (#12711) 2021-10-13 18:59:36 -07:00
swayne275 76556c867b
port relevant ent changes (#12823) 2021-10-13 18:15:54 -06:00
Chris Capurso bbb4ab4a41
Add HTTP PATCH support to KV (#12687)
* handle HTTP PATCH requests as logical.PatchOperation

* update go.mod, go.sum

* a nil response for logical.PatchOperation should result in 404

* respond with 415 for incorrect MIME type in PATCH Content-Type header

* add abstraction to handle PatchOperation requests

* add ACLs for patch

* Adding JSON Merge support to the API client

* add HTTP PATCH tests to check high level response logic

* add permission-based 'kv patch' tests in prep to add HTTP PATCH

* adding more 'kv patch' CLI command tests

* fix TestHandler_Patch_NotFound

* Fix TestKvPatchCommand_StdinValue

* add audit log test for HTTP PATCH

* patch CLI changes

* add patch CLI tests

* change JSONMergePatch func to accept a ctx

* fix TestKVPatchCommand_RWMethodNotExists and TestKVPatchCommand_RWMethodSucceeds to specify -method flag

* go fmt

* add a test to verify patching works by default with the root token

* add changelog entry

* get vault-plugin-secrets-kv@add-patch-support

* PR feedback

* reorder some imports; go fmt

* add doc comment for HandlePatchOperation

* add json-patch@v5.5.0 to go.mod

* remove unnecessary cancelFunc for WriteBytes

* remove default for -method

* use stable version of json-patch; go mod tidy

* more PR feedback

* temp go get vault-plugin-secrets-kv@master until official release

Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
2021-10-13 15:24:31 -04:00
John-Michael Faircloth 2abf916ddb
Add support to parameterize unauthenticated paths (#12668)
* store unauthenticated path wildcards in map

* working unauthenticated paths with basic unit tests

* refactor wildcard logic

* add parseUnauthenticatedPaths unit tests

* use parseUnauthenticatedPaths when reloading backend

* add more wildcard test cases

* update special paths doc; add changelog

* remove buggy prefix check; add test cases

* prevent false positives for prefix matches

If we ever encounter a mismatched segment, break and set a flag to
prevent false positives for prefix matches.

If it is a match we need to do a prefix check. But we should not return
unless HasPrefix also evaluates to true. Otherwise we should let the for
loop continue to check other possibilities and only return false once
all wildcard paths have been evaluated.

* refactor switch and add more test cases

* remove comment leftover from debug session

* add more wildcard path validation and test cases

* update changelong; feature -> improvement

* simplify wildcard segment matching logic

* refactor wildcard matching into func

* fix glob matching, add more wildcard validation, refactor

* refactor common wildcard errors to func

* move doc comment to logical.Paths

* optimize wildcard paths storage with pre-split slices

* fix comment typo

* fix test case after changing wildcard paths storage type

* move prefix check to parseUnauthenticatedPaths

* tweak regex, remove unneeded array copy, refactor

* add test case around wildcard and glob matching
2021-10-13 11:51:20 -05:00
Scott Miller 1097f356af
Add a TRACE log with TLS connection details on replication connections (#12754)
* remove cruft
use helper
Add a helper for getting public key sizes
wip

* error names

* Fix ecdsa

* only if trace is on

* Log listener side as well

* rename

* Add remote address

* Make the log level configurable via the env var, and a member of the Listener and thus modifiable by tests

* Fix certutil_test
2021-10-07 14:17:31 -05:00
Austin Gebauer e09657e1f3
Adds ability to define an inline policy and internal metadata on tokens (#12682)
* Adds ability to define an inline policy and internal metadata to tokens

* Update comment on fetchEntityAndDerivedPolicies

* Simplify handling of inline policy

* Update comment on InternalMeta

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Improve argument name

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Use explicit SkipIdentityInheritance token field instead of implicit InlinePolicy behavior

* Add SkipIdentityInheritance to pb struct in token store create method

* Rename SkipIdentityInheritance to NoIdentityPolicies

* Merge latest from main and make proto

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-10-07 10:36:22 -07:00
swayne275 b9fde1dd6f
oss port (#12755) 2021-10-07 11:25:16 -06:00
Tim Peoples 17eb29f1d3
Update plugin proto to send tls.ConnectionState (Op.2) (#12581) 2021-10-07 08:06:09 -04:00
Anner J. Bonilla 8c29f49e1a
Add support for ed25519 (#11780)
* update azure instructions

Update instructions in regards to azure AD Authentication and OIDC

* Initial pass of ed25519

* Fix typos on marshal function

* test wip

* typo

* fix tests

* missef changelog

* fix mismatch between signature and algo

* added test coverage for ed25519

* remove pkcs1 since does not exist for ed25519

* add ed25519 support to getsigner

* pull request feedback

Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>

* typo on key

Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>

* cast mistake

Signed-off-by: Anner J. Bonilla <abonilla@hoyosintegrity.com>

Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
2021-10-05 11:28:49 -04:00
Brian Kassouf 39a9727c8b
Update protobuf & grpc libraries and protoc plugins (#12679) 2021-09-29 18:25:15 -07:00
akshya96 c643dc1d53
Add Custom metadata field to alias (#12502)
* adding changes

* removing q.Q

* removing empty lines

* testing

* checking tests

* fixing tests

* adding changes

* added requested changes

* added requested changes

* added policy templating changes and fixed tests

* adding proto changes

* making changes

* adding unit tests

* using suggested function
2021-09-17 11:03:47 -07:00
Michael Ward c15ac1053f
Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation. (#12425)
* Expose secret_id_accessor as WrappedAccessor when wrapping secret-id creation.

* Add changelog.

* Minor updates as suggested.

* Adding external test for wrapped accessor.

* Add check that mounttype is approle.

* Update changelog text to use improvement
2021-09-16 10:47:49 -07:00
divyapola5 30563097ea
Enforce minimum cache size for transit backend (#12418)
* Enforce Minimum cache size for transit backend

* enfore minimum cache size and log a warning during backend construction

* Update documentation for transit backend cache configuration

* Added changelog

* Addressed review feedback and added unit test

* Modify code in pathCacheConfigWrite to make use of the updated cache size

* Updated code to refresh cache size on transit backend without restart

* Update code to acquire read and write locks appropriately
2021-09-13 16:44:56 -05:00
jhart-cpi fa1611f427
improvement: add signature_bits field to CA and signers (#11245)
This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs.  This is a
potentially useful stepping stone for a SHA3 transition down the line.

Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
2021-09-10 14:39:05 -07:00
Nick Cabatoff 0762f9003d
Refactor usages of Core in IdentityStore so they can be decoupled. (#12461) 2021-08-30 15:31:11 -04:00
John-Michael Faircloth a8ee8854e3
fix struct tags and test in ldaputil (#12376)
* fix struct tags and test in ldaputil

* update test to include ClientTLSCert and ClientTLSKey

* add cert and key to TestConfig test case
2021-08-30 14:09:03 -05:00
Nick Cabatoff 124bc87381
Upgrade snappy to fix panic with identity/packer on Go 1.16+arm64. (#12371) 2021-08-19 15:51:06 -04:00
Calvin Leung Huang 05103627d3
dbplugin: fix error message in DeleteUser (#12351)
* dbplugin: fix error message in DeleteUser

* add changelog
2021-08-18 16:12:40 -07:00
Meggie df1ad39083
Updating SDK version for 1.9 dev (#12246) 2021-08-04 11:47:06 -04:00
Pratyoy Mukhopadhyay 113b6885c3
[VAULT-2852] deprecate req counters in oss (#12197) 2021-07-29 10:21:40 -07:00
Pratyoy Mukhopadhyay fa29e780f0
[NO-TICKET] Upgrade protoc-gen-go to 1.26, upgrade protoc to 3.17.3 (#12171)
* [NO-TICKET] Set protoc-gen-go to 1.23, upgrade protoc to 3.17.3

* [NO-TICKET] Upgrade version of protoc-gen-go to 1.26
2021-07-28 14:51:36 -07:00
Jeff Mitchell 33ff878946
Move awsutil over to the go-secure-stdlib version (#12128)
Unlike the other libraries that were migrated, there are no usages of
this lib in any of our plugins, and the only other known usage was in
go-kms-wrapping, which has been updated. Aliasing it like the other libs
would still keep the aws-sdk-go dep in the sdk module because of the
function signatures. So I've simply removed it entirely here.
2021-07-20 20:42:00 -04:00
Jeff Mitchell fb473a8b9b
Swap out stepwise for external repo version (#12089) 2021-07-20 13:20:23 -04:00
Jeff Mitchell f7147025dd
Migrate to sdk/internalshared libs in go-secure-stdlib (#12090)
* Swap sdk/helper libs to go-secure-stdlib

* Migrate to go-secure-stdlib reloadutil

* Migrate to go-secure-stdlib kv-builder

* Migrate to go-secure-stdlib gatedwriter
2021-07-15 20:17:31 -04:00
Nick Cabatoff f027a1b1ff
Revert #12061 due to failures in TestLogical_RequestSizeLimit (#12093) 2021-07-15 12:55:09 -04:00
Jeff Mitchell fe18b6f9e0
Swap out sdk/helper libs with implementations in go-secure-stdlib (#12088)
* Swap out sdk/helper libs with implementations in go-secure-stdlib

* Fix transit batch test
2021-07-15 01:56:37 -04:00
hghaf099 f7635ec1b8
Add namespace in error (#12061)
* hghaf099-VAULT-1303-Adding namespace in error when it is set

* casting ResponseWriter in handleMonitor to logical.NamespaceResponseWriter

* Casting ResponseWriter conditionally for http.Flusher
Adding changelog

* Improving changlog message
2021-07-14 15:55:55 -04:00
Scott Miller ecb5474466
Update Vault main to new API/SDK Tags. (#12069)
* Update Vault main to new api/sdk tags

* go mod tidy

* Go mod tidy

* Go mod tidy on api

* go mod download on root
2021-07-13 18:54:31 -05:00
Chris Capurso 505e3f9a89
[VAULT-2825] Fix erroneous 500 resp for field validation errors (#12042)
* [VAULT-2825] Correctly respond with 400 rather than 500 for field validation errors

* [VAULT-2825] Add changelog entry

* [VAULT-2825] Simplify test assertion
2021-07-12 13:39:28 -04:00
John-Michael Faircloth 9832517d27
[ldap] auth method fix request_timeout (#11975)
* [ldap] auth method fix request_timeout

* add changelog

* Update sdk/helper/ldaputil/config_test.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update sdk/helper/ldaputil/config_test.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Update changelog/11975.txt

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2021-07-01 13:33:01 -05:00
swayne275 67bc4fdabd
Require special privileges to list irrevocable leases (#11888)
* add leases path to sudo required set

* update TestSystemBackend_RootPaths with new special privilege paths

* note that list-leases requires sudo

* minor typo fixes
2021-06-28 16:51:47 -06:00
Nick Cabatoff bddd2888e8
Make latency injector duration atomic. This is a prerequisite for a deadlock fix to the ent integ tests. (#11875) 2021-06-16 11:48:39 -04:00
Nick Cabatoff 2ce2617a8a
Reorganize request handling code so that we don't touch storage until we have the stateLock. (#11835) 2021-06-11 13:18:16 -04:00
Scott Miller 221700fd24
Try a 5s request timeout (#11738) 2021-06-01 12:24:33 -05:00
Jason O'Donnell 5ed63d4ce1
logical/aw: move sts signing request to awsutil (#11704) 2021-05-26 13:30:46 -04:00
Vishal Nayak 6ec8cd8f28
Tokenutil: Perform num uses check earlier (#11647)
* Perform num uses check earlier

* Add CL

* Ensure that login works
2021-05-19 14:06:08 -04:00
Scott Miller 6b8d7fe2e6
Patch expiration fix over from ENT (#11650)
* Patch expiration fix over from ENT

* Rename changelog
2021-05-18 14:55:38 -07:00
Alexander d4b206ed4b
Add a reasonable application_name for PostgreSQL (#11048)
Signed-off-by: Alexander Sosna <alexander@sosna.de>
2021-05-10 11:56:47 -05:00
Scott Miller 4fc6e8b366
Fix barrier key autoration config edge cases (#11541)
* Add an Int64 type

* Use the new Int64 type so that even 32 bit builds can specify max_operations above 2^31

* Missed a spot

* go mod vendor

* fix cast

* changelog

* Update unit test to ensure this works on both 32 and 64-bit archs
2021-05-05 14:39:04 -05:00
Scott Miller 7d9524be2f
Expose unknown fields and duplicate sections as diagnose warnings (#11455)
* Expose unknown fields and duplicate sections as diagnose warnings

* section counts not needed, already handled

* Address PR feedback

* Prune more of the new fields before tests call deep.Equals

* Update go.mod
2021-05-04 14:47:56 -05:00