Commit graph

185 commits

Author SHA1 Message Date
Jagger 1fd715f2cb
Fix typo (#18459)
If there are other typo related changes in flight, this fix can be included there.
2022-12-19 18:30:19 +00:00
Yoko Hyakuna fc79152c48
Update the notes about Consul Connect CA issue (#18444) 2022-12-16 10:52:42 -08:00
tjperry07 2e9f0e921b
remove semi colon (#18220) 2022-12-02 16:02:28 -05:00
Sudharshan K S 615aa4fdd9
Update nomad.mdx (#18134)
Corrected a typo
2022-11-29 09:39:15 -08:00
Chris Capurso a14ba5f044
Add Consul Dataplane compatibility info to docs (#18041)
* add compatibility info to consul service reg docs

* fix alert formatting

* add consul dataplane compatibility partial

* add compat partial to more consul doc pages

* fix links
2022-11-22 08:56:18 -05:00
Yoko Hyakuna 59cec0a96c
Add known issue about PKI secrets engine with Consul (#18003)
* Add known issue about PKI secrets engine with Consul

* Added KB article URL

* Update website/content/docs/secrets/pki/index.mdx

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>

Co-authored-by: Jared Kirschner <85913323+jkirschner-hashicorp@users.noreply.github.com>
2022-11-17 10:09:41 -08:00
Alexander Scheel a43e428b01
Fix docs by adding self-closing BRs (#17958)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 10:01:43 -05:00
Alexander Scheel ab395f2c79
Clarify more documentation on audit logging (#17957)
Thanks to Khai Tran for identifying that syslogging has a lower limit
on message size and sometimes large CRLs can hit that limit.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-16 09:21:29 -05:00
Alexander Scheel 6cbfc4afb2
Docs clarifications around PKI considerations (#17916)
* Add clarifications on revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Talk about rationale for separating roots from intermediates

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-15 08:43:40 -05:00
Alexander Scheel ffa4825693
PKI - Fix order of chain building writes (#17772)
* Ensure correct write ordering in rebuildIssuersChains

When troubleshooting a recent migration failure from 1.10->1.11, it was
noted that some PKI mounts had bad chain construction despite having
valid, chaining issuers. Due to the cluster's leadership trashing
between nodes, the migration logic was re-executed several times,
partially succeeding each time. While the legacy CA bundle migration
logic was written with this in mind, one shortcoming in the chain
building code lead us to truncate the ca_chain: by sorting the list of
issuers after including non-written issuers (with random IDs), these
issuers would occasionally be persisted prior to storage _prior_ to
existing CAs with modified chains.

The migration code carefully imported the active issuer prior to its
parents. However, due to this bug, there was a chance that, if write to
the pending parent succeeded but updating the active issuer didn't, the
active issuer's ca_chain field would only contain the self-reference and
not the parent's reference as well. Ultimately, a workaround of setting
and subsequently unsetting a manual chain would force a chain
regeneration.

In this patch, we simply fix the write ordering: because we need to
ensure a stable chain sorting, we leave the sort location in the same
place, but delay writing the provided referenceCert to the last
position. This is because the reference is meant to be the user-facing
action: without transactional write capabilities, other chains may
succeed, but if the last user-facing action fails, the user will
hopefully retry the action. This will also correct migration, by
ensuring the subsequent issuer import will be attempted again,
triggering another chain build and only persisting this issuer when
all other issuers have also been updated.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remigrate ca_chains to fix any missing issuers

In the previous commit, we identified an issue that would occur on
legacy issuer migration to the new storage format. This is easy enough
to detect for any given mount (by an operator), but automating scanning
and remediating all PKI mounts in large deployments might be difficult.

Write a new storage migration version to regenerate all chains on
upgrade, once.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add issue to PKI considerations documentation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correct %v -> %w in chain building errs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-11-03 11:50:03 -04:00
Mark Lewis 0d3a4a3201
Update signed-ssh-certificates.mdx (#17746)
* Update signed-ssh-certificates.mdx

Add a pointer to the doc regarding reading back the pub key with the CLI

* Update website/content/docs/secrets/ssh/signed-ssh-certificates.mdx

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-31 12:33:46 -04:00
Bryce Kalow 34339ec9a8
website: fixes redirected links (#17574)
* fixes redirected links

* fix broken link to key wrapping guide
2022-10-18 14:06:27 -04:00
Mike Wickett 33679fdd39
fix broken link to transit key wrap (#17566) 2022-10-18 09:54:29 -04:00
Alexander Scheel 26503e8540
Add note about transit BYOK key formats (#17529)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-13 09:10:26 -05:00
Alexander Scheel 838bac037d
Clarify language around PSS CSR issues (#17528)
* Clarify language around PSS CSR issues

Also point out that PKCS#11 tokens have the same problem.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update website/content/docs/secrets/pki/considerations.mdx

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-10-13 09:45:58 -04:00
Austin Gebauer ae17e57e73
secrets/ldap: updates documentation (#17481)
* secrets/ldap: updates documentation

* Update website/content/docs/secrets/ldap.mdx

Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2022-10-10 13:43:59 -07:00
Alexander Scheel b85d6ec434
Fix RevocationSigAlgo support in OCSP (#17436)
* Allow OCSP to use issuer's RevocationSigAlgo

When an issuer specifies a RevocationSigAlgo, we should largely follow
this for both CRLs and OCSP. However, x/crypto/ocsp lacks support for
PSS signatures, so we drop these down to PKCS#1v1.5 instead.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning when issuer has PSS-based RevSigAlgo

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about OCSP and PSS support

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-10-06 12:01:12 -04:00
Austin Gebauer 6bba760da0
docs/ldap: rename openldap secrets to ldap secrets (#17433) 2022-10-05 13:16:26 -07:00
Florin Cătălin Țiucra-Popa 4af76eda14
Update oracle.mdx (#17401)
Remove the duplicated "the" word.
Instead of "the the" it should be only "the".
2022-10-05 10:29:35 -07:00
Divya Pola bc9be4064b
Add documentation for KMIP features implemented in 1.12 (#17294)
* Add documentation for KMIP features implemented in 1.12

* Add documentation for kmip-profiles

* Address PR review feedback

* PR review feedback - update links, add intro and remove collapsed tables

* Add PR review feedback
2022-10-03 12:39:04 -05:00
Steven Clark 10ecf10248
PKI: Add support for signature_bits param to the intermediate/generate api (#17388)
* PKI: Add support for signature_bits param to the intermediate/generate api

 - Mainly to work properly with GCP backed managed keys, we need to
   issue signatures that would match the GCP key algorithm.
 - At this time due to https://github.com/golang/go/issues/45990 we
   can't issue PSS signed CSRs, as the libraries in Go always request
   a PKCS1v15.
 - Add an extra check in intermediate/generate that validates the CSR's
   signature before providing it back to the client in case we generated
   a bad signature such as if an end-user used a GCP backed managed key
   with a RSA PSS algorithm.
   - GCP ignores the requested signature type and always signs with the
     key's algorithm which can lead to a CSR that says it is signed with
     a PKCS1v15 algorithm but is actually a RSA PSS signature

* Add cl

* PR feedback
2022-10-03 12:39:54 -04:00
Milena Zlaticanin 89aa236bc5
docs/api-docs for Redis (#17029)
* docs/api-docs for Redis

* update doc

* add navigation to the docs

* Update website/content/api-docs/secret/databases/redis.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

* update setup list and lang tag for shell code blocks

* update language tag

* update based on suggestions

* update docs to include tls params

* add plugin to the plugin portal doc

* add -

* update api-docs-nav-data.json

* update field name

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/docs/secrets/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* Update website/content/api-docs/secret/databases/redis.mdx

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>

* update docs

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
2022-09-23 10:25:43 -05:00
Alexander Scheel 0c76168d3d
Add note about issuer naming and CRLs (#17298)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-23 10:04:54 -04:00
Rachel Culpepper 1c69e690aa
Transform BYOK Documentation (#17121)
* add api docs for transform byok endpoints

* add byok description to transform index page

* fix merge conflicts

* remove import_version for FPE

* text edits and add note about convergent tokenization

* add note for convergent tokenization
2022-09-22 10:56:12 -05:00
Bryce Kalow dfc3ad015a
website: content updates for developer (#17035)
* Chore (dev portal): update learn nav data links  (#15515)

* Update docs-nav-data.json

* Update docs-nav-data.json

* website: fixes internal redirects (#15750)

* chore: remove duplicate overview item (#15805)

* Use `badge` for `<sup>` tags in nav data JSON files (#15928)

* Replacing <sup> tags with badge

* Adding type and color to badges

* fix broken links in vault docs (#15976)

* website: Update old learn links to redirect locations (#16047)

* update previews to render developer UI

* update redirects

* adjust content so it is backwards compat

Co-authored-by: HashiBot <62622282+hashibot-web@users.noreply.github.com>
Co-authored-by: Kendall Strautman <36613477+kendallstrautman@users.noreply.github.com>
Co-authored-by: Ashlee M Boyer <43934258+ashleemboyer@users.noreply.github.com>
2022-09-22 08:11:04 -07:00
Alexander Scheel ad3a093b40
Prevent PSS with Go-incompatible CAs, CSRs, Private Keys (#17223)
* Fix interoperability concerns with PSS

When Go parses a certificate with rsaPSS OID, it will accept this
certificate but not parse the SubjectPublicKeyInfo, leaving the
PublicKeyAlgorithm and PublicKey fields blank, but otherwise not erring.
The same behavior occurs with rsaPSS OID CSRs.

On the other hand, when Go parses rsaPSS OID PKCS8 private keys, these
keys will fail to parse completely.

Thus, detect and fail on any empty PublicKey certs and CSRs, warning the
user that we cannot parse these correctly and thus refuse to operate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Run more PKI tests in parallel

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add notes about PSS shortcomings to considerations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-20 17:30:58 -04:00
Yoko Hyakuna 402b8279b4
Fix a broken URL (#17192) 2022-09-19 08:57:07 -07:00
Max Coulombe 709c1bebf6
+ added Redis ElastiCache documentation (#17133)
* added Redis ElastiCache documentation
2022-09-19 10:26:49 -04:00
Devon Powley bb0f93044f
Update Vault Azure Secrets docs for permanent deletion feature (#17045)
* Update Vault Azure Secrets docs for permanent deletion feature

* Add changelog for vault azure doc update

* Update CL based on PR feedback

Co-authored-by: Devon Powley <dpowley@users.noreply.github.com>
2022-09-13 16:25:19 -07:00
Alexander Scheel 1bbabf19d7
Add more docs on revocation changes (#17085)
* Add more notes about issuer revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Note BYOC in considerations

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add note about http access to CRLs, OCSP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Recommend enabling auto-tidy & crl rebuilding

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add missing paths to personas

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-09-12 11:46:01 -05:00
Kevin Wang bc568c4dea
Update index.mdx to fix broken link (#17052) 2022-09-08 14:04:02 -04:00
Matt Schultz 1aaace756f
Update transform documentation to include MSSQL. (#17021) 2022-09-06 10:55:48 -05:00
Rachel Culpepper a1fba8d29a
add missing flag to wrapKey command (#16988) 2022-09-06 10:52:02 -05:00
Scott Miller 606edb66d6
Add support for a dedicated HMAC type in Transit. (#16668)
* Get import correct

* limits, docs

* changelog

* unit tests

* And fix import for hmac unit test

* typo

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

* Update builtin/logical/transit/path_keys.go

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

* Validate key sizes a bit more carefully

* Update sdk/helper/keysutil/policy.go

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>

Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
2022-09-06 10:17:58 -05:00
aphorise aab9c50577
Docs: PostgreSQL Docs added DB name note for connection_url. (#16789)
* Docs: PostgreSQL Docs added DB name note for connection_url. Relates to #12458.

* Trigger CI

Co-authored-by: Zlaticanin <zlaticaninmilena@gmail.com>
2022-09-06 08:10:50 -04:00
John-Michael Faircloth 96b97017b1
docs: update plugin docs for secrets/auth multiplexing (#16923)
* docs: update plugin docs for secrets/auth multiplexing

* update index

* update plugin development

* fix spacing in code snippet

* update links to multiplexing resources

* add note on sdk version and update db example text

* Update website/content/docs/plugins/plugin-architecture.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* reword index intro

* Update website/content/docs/plugins/plugin-development.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/plugins/plugin-development.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* remove word and fix code format

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-31 11:21:20 -07:00
Viacheslav Vasilyev d0b7362e36
OpenLDAP secrets documentation, reflect some other objects may have userPassword (#8918)
* Update index.mdx

* Docs: OpenLDAP userPassword clarity

corrected grammar slightly

Co-authored-by: aphorise <aphorise@gmail.com>
2022-08-31 09:58:25 -07:00
Milena Zlaticanin cf332842cc
update azure docs (#16819) 2022-08-29 14:55:37 -05:00
DevOps Rob 9e20e4128d
updated usage example (#9081)
* updated usage example

* Docs: updated examples with base64 - removed herestring for echo instead that's more simple.

* Docs: updated examples with base64 - removed herestring for echo instead that's more simple.

Co-authored-by: Mehdi Ahmadi <aphorise@gmail.com>
2022-08-24 09:03:30 -04:00
aphorise d0eb5b9cfc
Docs: SSH CA Config & Comments. Resolves: #7529 (#16826)
* Docs: SSH CA Config & Comments. Resolves: #7529

* Docs: SSH CA Config & Comments. Added changelog note.

* Docs: SSH CA Config & Comments.

* Docs: SSH CA Config & Comments. Cipher feedback.

* Docs: SSH CA Config & Comments. Removed changelog file not needed for docs.
2022-08-24 08:27:36 -04:00
Yoko Hyakuna 483886f227
Change all occurrence of 'backend' to 'secrets engine' (#16859) 2022-08-23 19:58:54 -07:00
Alexander Scheel 49fd772fcc
Add per-issuer AIA URI information to PKI secrets engine (#16563)
* Add per-issuer AIA URI information

Per discussion on GitHub with @maxb, this allows issuers to have their
own copy of AIA URIs. Because each issuer has its own URLs (for CA and
CRL access), its necessary to mint their issued certs pointing to the
correct issuer and not to the global default issuer. For anyone using
multiple issuers within a mount, this change allows the issuer to point
back to itself via leaf's AIA info.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on per-issuer AIA info

Also add it to the considerations page as something to watch out for.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for per-issuer AIA information

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor AIA setting on the issuer

This introduces a common helper per Steve's suggestion.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error messages w.r.t. AIA naming

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error messages regarding AIA URLs

This clarifies which request parameter the invalid URL is contained
in, disambiguating the sometimes ambiguous usage of AIA, per suggestion
by Max.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rename getURLs -> getGlobalAIAURLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correct AIA acronym expansion word orders

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix bad comment suggesting re-generating roots

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add two entries to URL tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-19 11:43:44 -04:00
Alexander Scheel 0c22c76907
Allow marking issuers as revoked (#16621)
* Allow marking issuers as revoked

This allows PKI's issuers to be considered revoked and appear on each
others' CRLs. We disable issuance (via removing the usage) and prohibit
modifying the usage via the regular issuer management interface.

A separate endpoint is necessary because issuers (especially if signed
by a third-party CA using incremental serial numbers) might share a
serial number (e.g., an intermediate under cross-signing might share the
same number as an external root or an unrelated intermediate).

When the next CRL rebuild happens, this issuer will then appear on
others issuers CRLs, if they validate this issuer's certificate.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on revoking issuers

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for issuer revocation semantics

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Notate that CRLs will be rebuilt

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix timestamp field from _utc -> to _rfc3339

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure serial-based accesses shows as revoked

Thanks Kit!

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning when revoking default issuer

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-18 18:08:31 -04:00
Robert f7c20bc745
docs: add multi-host connection string info to postgres secrets API docs (#16780)
* Add multihost connection string information to postgres API docs

* Add note about replication manager
2022-08-18 14:38:30 -05:00
Yoko Hyakuna 404edd4c08
Mount paths case-sensitivity (#16743)
* Add a callout note about case-sensitivity

* Update website/content/docs/commands/secrets/enable.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/secrets/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/secrets/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/secrets/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/secrets/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-17 09:57:47 -07:00
Alexander Scheel 1e6730573c
Add proof possession revocation for PKI secrets engine (#16566)
* Allow Proof of Possession based revocation

Revocation by proof of possession ensures that we have a private key
matching the (provided or stored) certificate. This allows callers to
revoke certificate they own (as proven by holding the corresponding
private key), without having an admin create innumerable ACLs around
the serial_number parameter for every issuance/user.

We base this on Go TLS stack's verification of certificate<->key
matching, but extend it where applicable to ensure curves match, the
private key is indeed valid, and has the same structure as the
corresponding public key from the certificate.

This endpoint currently is authenticated, allowing operators to disable
the endpoint if it isn't desirable to use, via ACL policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error message on ParseDERKey

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Leave revoke-with-key authenticated

After some discussion, given the potential for DoS (via submitting a lot
of keys/certs to validate, including invalid pairs), it seems best to
leave this as an authenticated endpoint. Presently in Vault, there's no
way to have an authenticated-but-unauthorized path (i.e., one which
bypasses ACL controls), so it is recommended (but not enforced) to make
this endpoint generally available by permissive ACL policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add API documentation on PoP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add acceptance tests for Proof of Possession

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Exercise negative cases in PoP tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-16 14:01:26 -04:00
Austin Gebauer 7bda58a1fd
secrets/db: update documentation on password policies (#16679) 2022-08-10 17:52:20 -07:00
Rachel Culpepper c367f883a0
Vault-5626: add key wrapping guide for transit import (#16365)
* add key wrapping guide for transit import

* link to key wrap guide from transit overview

* add new page to nav

* fix formatting

* fix note format

* fix link
2022-08-09 16:14:15 -05:00
Milena Zlaticanin 78e8c135fc
Hana - Add username customization (#16631)
* implement username customization feature

* adding changelog

* update database capabilities doc

* update database capabilities doc

Co-authored-by: Zlaticanin <milena@hashicorp.com>
2022-08-08 16:01:34 -05:00
Austin Gebauer 59831a8d5c
identity/oidc: adds client_secret_post token endpoint authentication method (#16598)
* identity/oidc: adds client_secret_post token endpoint authentication method

* fix test

* adds changelog
2022-08-08 08:41:09 -07:00