* Imported uuid library for initial commit to push a clean branch.
* Removed import statement in auth-form file since it was causing UI tests to fail as the import was not being used.
* Added nonce field to payload for okta sign in. (#16001)
* Added nonce field to payload for okta sign in.
* Added missing yarn package for uuid
* Fixed failing ui tests in cluster-test file to take into account of nonce field in the payload of okta login
* Removed uuid library and used crypto.randomUUID() to generate unique uuid values instead
* Fixed indent in package.json
* Removed uuid library since decided to use crypto.randomUUID() instead to generate unique uuid values
* Create polling function for correct answer in okta number challenge (#16070)
* Implemented polling function to get correct answer for okta number challenge.
* Disabled polling function for testing as it was causing acceptance test to fail in auth-test.js
* Changed API call to be the auth mount path instead of being static and created a variable to store the oktaNumberChallengeAnswer to be used later for the display screens
* Create component for okta number challenge screen (#16195)
* Implemented loading screen and display screen for correct answer for Okta Number Challenge
* Fixed linting issues on hbs files
* Added periods to parameter descriptions and made parameters optional
* Removed optional parameters from calling AuthForm component if authMethod is not Okta
* Implement error handling and screens for okta number challenge (#16276)
* Implemented loading screen and display screen for correct answer for Okta Number Challenge
* Fixed linting issues on hbs files
* Temporary changes to include error screen in okta number challenge
* Created error screen tests and made minor fixes
* Fixed error for wrong parameter name being passed in
* Fixed linting issues causing ui tests to fail
* Added periods at the end of param descriptions
* Imported uuid library for initial commit to push a clean branch.
* Removed import statement in auth-form file since it was causing UI tests to fail as the import was not being used.
* Removed uuid library since decided to use crypto.randomUUID() instead to generate unique uuid values
* Added nonce field to payload for okta sign in. (#16001)
* Added nonce field to payload for okta sign in.
* Added missing yarn package for uuid
* Fixed failing ui tests in cluster-test file to take into account of nonce field in the payload of okta login
* Removed uuid library and used crypto.randomUUID() to generate unique uuid values instead
* Fixed indent in package.json
* Create polling function for correct answer in okta number challenge (#16070)
* Implemented polling function to get correct answer for okta number challenge.
* Disabled polling function for testing as it was causing acceptance test to fail in auth-test.js
* Changed API call to be the auth mount path instead of being static and created a variable to store the oktaNumberChallengeAnswer to be used later for the display screens
* Create component for okta number challenge screen (#16195)
* Implemented loading screen and display screen for correct answer for Okta Number Challenge
* Fixed linting issues on hbs files
* Added periods to parameter descriptions and made parameters optional
* Removed optional parameters from calling AuthForm component if authMethod is not Okta
* Implement error handling and screens for okta number challenge (#16276)
* Implemented loading screen and display screen for correct answer for Okta Number Challenge
* Fixed linting issues on hbs files
* Temporary changes to include error screen in okta number challenge
* Created error screen tests and made minor fixes
* Fixed error for wrong parameter name being passed in
* Fixed linting issues causing ui tests to fail
* Added periods at the end of param descriptions
* UI/vault 7312/fix vault enterprise error for okta number challenge (#16568)
* Fixed bug with okta not working when selecting okta tab after being on other tab
* Fixed vault enterprise errors
* Fixed error when logging in with Okta in 'Other' tab
* Removed namespace parameter in option to use the default
* Added changelog
Pattern matching was [recently added](https://github.com/hashicorp/crt-orchestrator/pull/51) so that teams no longer have to explicitly list every branch that should trigger the CRT pipeline. This simplifies release preparation- anytime a new release branch is created, it will produce releasable artifacts and exercise the full pipeline.
If we don't guard against pull_request being null, we do a lot of extra
checkout and path filtering, and it ends up putting everything in the UI
board.
I tested this in another repo, and it seems to behave correctly.
* VAULT-6818 delete unmerged entity aliases instead of orphaning them
* VAULT-6818 Prevent merge with clashing aliases, allow for resolution of clashing entity aliases
* VAULT-6818 Small updates
* VAULT-6818 Restrict to only one clash merge at once
* VAULT-6818 changelog
* VAULT-6818 use strutil package instead of slices
* VAULT-6818 Update variable names for clarity
* VAULT-6818 Update test
* VAULT-6818 update error message
* VAULT-6818 Use helper method
* VAULT-6818 validate entityIds
* VAULT-6818 group imports better
* VAULT-6818 use change instead of bug
* VAULT-6818 use multierror instead of custom struct
* VAULT-6818 Use multierror properly
* VAULT-6818 Small refactor based on feedback
Add Open Source project workflow
This will help us triage open source issues into our various internal
project boards.
I tested this on a separate repo, and it seems to work.
* add key wrapping guide for transit import
* link to key wrap guide from transit overview
* add new page to nav
* fix formatting
* fix note format
* fix link
This option is known to cause problems with large numbers of issued
certificates. Ensure admins are warned about the impact of this field
and encourage them to disable it.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* storage/raft: Fix cluster init with retry_join
Commit 8db66f4853abce3f432adcf1724b1f237b275415 introduced an error
wherein a join() would return nil (no error) with no information on its
channel if a joining node had been initialized. This was not handled
properly by the caller and resulted in a canceled `retry_join`.
Fix this by handling the `nil` channel respone by treating it as an
error and allowing the existing mechanics to work as intended.
* storage/raft: Improve retry_join go test
* storage/raft: Make VerifyRaftPeers pollable
* storage/raft: Add changelog entry for retry_join fix
* storage/raft: Add description to VerifyRaftPeers
* storage/raft: Make raftInfo atomic
This fixes some racy behavior discovered in parallel testing. Change the
core struct member to an atomic and update references throughout.
strings.ReplaceAll(s, old, new) is a wrapper function for
strings.Replace(s, old, new, -1). But strings.ReplaceAll is more
readable and removes the hardcoded -1.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
* Add PSS signature support to Vault PKI engine
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use issuer's RevocationSigAlg for CRL signing
We introduce a new parameter on issuers, revocation_signature_algorithm
to control the signature algorithm used during CRL signing. This is
because the SignatureAlgorithm value from the certificate itself is
incorrect for this purpose: a RSA root could sign an ECDSA intermediate
with say, SHA256WithRSA, but when the intermediate goes to sign a CRL,
it must use ECDSAWithSHA256 or equivalent instead of SHA256WithRSA. When
coupled with support for PSS-only keys, allowing the user to set the
signature algorithm value as desired seems like the best approach.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add use_pss, revocation_signature_algorithm docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add PSS to signature role issuance test matrix
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow roots to self-identify revocation alg
When using PSS support with a managed key, sometimes the underlying
device will not support PKCS#1v1.5 signatures. This results in CRL
building failing, unless we update the entry's signature algorithm
prior to building the CRL for the new root.
With a RSA-type key and use_pss=true, we use the signature bits value to
decide which hash function to use for PSS support.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add clearer error message on failed import
When CRL building fails during cert/key import, due to PSS failures,
give a better indication to the user that import succeeded its just CRL
building that failed. This tells them the parameter to adjust on the
issuer and warns that CRL building will fail until this is fixed.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add case insensitive SigAlgo matching
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Convert UsePSS back to regular bool
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor PSS->certTemplate into helper function
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Proper string output on rev_sig_alg display
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Copy root's SignatureAlgorithm for CRL building
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
- Based on group test fixing session from July 29, 2022
- Leverage the RetryUntil to catch and re-attempt a kv store creation
if the test receives an error about upgrading the KV store
- Update the expected audit log entries accordingly along with the
captured failures if any
- Fix up a copy/paste error within the test error message if the
remote_address field is not of the expected type.
John-Michael Faircloth