Commit graph

15661 commits

Author SHA1 Message Date
Alexander Scheel dc4965f27d
Fix naming of permitted_dns_domains in webui (#16739)
* Fix naming of permitted_dns_domains in webui

PKI has consistently used permitted_dns_domains since it was originally
introduced as a parameter. However, it appears the Web UI was updated to
add this field, but used an incorrect internal identifier
(permittedDnsNames rather than permittedDnsDomains).

This triggers a warning from the backend about an unknown parameter, and
the domain restriction isn't added:

> Endpoint ignored these unrecognized parameters: [permitted_dns_names]

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-16 14:57:05 -05:00
jweissig 2cdfce9967
docs: Update required OpenShift version (#9738)
Helm 3 support was added in OpenShift 4.3 [1]. So, we might support 4.X but if we require Helm 3 then we need to start at 4.3. Just didn't want someone to try 4.0-4.2 and wonder why it wasn't working because Helm 3 isn't supported.

[1] https://www.openshift.com/blog/openshift-4-3-deploy-applications-with-helm-3
2022-08-16 15:45:06 -04:00
Eadinator 0424db473d
docs: k8s auth, differentiate between different identities in use (#9288) 2022-08-16 15:39:01 -04:00
Alexander Scheel 1e6730573c
Add proof possession revocation for PKI secrets engine (#16566)
* Allow Proof of Possession based revocation

Revocation by proof of possession ensures that we have a private key
matching the (provided or stored) certificate. This allows callers to
revoke certificate they own (as proven by holding the corresponding
private key), without having an admin create innumerable ACLs around
the serial_number parameter for every issuance/user.

We base this on Go TLS stack's verification of certificate<->key
matching, but extend it where applicable to ensure curves match, the
private key is indeed valid, and has the same structure as the
corresponding public key from the certificate.

This endpoint currently is authenticated, allowing operators to disable
the endpoint if it isn't desirable to use, via ACL policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify error message on ParseDERKey

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Leave revoke-with-key authenticated

After some discussion, given the potential for DoS (via submitting a lot
of keys/certs to validate, including invalid pairs), it seems best to
leave this as an authenticated endpoint. Presently in Vault, there's no
way to have an authenticated-but-unauthorized path (i.e., one which
bypasses ACL controls), so it is recommended (but not enforced) to make
this endpoint generally available by permissive ACL policies.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add API documentation on PoP

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add acceptance tests for Proof of Possession

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Exercise negative cases in PoP tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-16 14:01:26 -04:00
Chris van Meer d7da5da0f6
Removed the extra div around the radio button. (#16606) 2022-08-16 08:07:39 -05:00
Yoko Hyakuna 0926143363
Fix a typo -> 'authorised' should be 'authorized' (#16730) 2022-08-15 20:27:59 -07:00
akshya96 ba15b1f822
Remove extra empty lines from vault.log - Debug command (#16714)
* debug empty lines in vault.log

* minor grammar fix

* add changelog

* add fmt changes
2022-08-15 14:16:57 -07:00
Hridoy Roy 54444b9d2e
handle ssct errors in one other place (#16497) 2022-08-15 14:16:32 -07:00
Angel Garbarino 35af8d2626
UI/vault 7613/flaky test glimmerize confirm action (#16684)
* wip

* fix missing doc and therefor goose chase for what buttonClasses was

* glimmerize kmip role route which is the location of where the flaky test (some) are failing

* blah to un updated docs. Add a param, add to docs

* glimmerize header credential

* pr review changes

* fix super
2022-08-15 10:06:30 -06:00
Alexander Scheel b8cfb4dde5
Ignore EC PARAMETER blocks during issuer import (#16721)
* Ignore EC PARAMETER blocks during issuer import

While older versions of Vault supported sending this, we broke such
support in 1.11. Ignore them from the manage issuers endpoint (which is
aliased to the old /config/ca path) -- but keep erring in the import
keys paths. The latter is a new endpoint not aliased to anything and
only expects a single PEM block.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add regression test for EC PARAMs during import

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-15 08:59:10 -07:00
Alexander Scheel e388cfec64
Add BYOC-based revocation to PKI secrets engine (#16564)
* Refactor serial creation to common helper

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add BYOC revocation to PKI mount

This allows operators to revoke certificates via a PEM blob passed to
Vault. In particular, Vault verifies the signature on the certificate
from an existing issuer within the mount, ensuring that one indeed
issued this certificate. The certificate is then added to storage and
its serial submitted for revocation.

This allows certificates generated with no_store=true to be submitted
for revocation afterwards, given a full copy of the certificate. As a
consequence, all roles can now safely move to no_store=true (if desired
for performance) and revocation can be done on a case-by-case basis.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add docs on BYOC revocation

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PEM length check to BYOC import

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for BYOC

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Guard against legacy CA bundle usage

This prevents usage of the BYOC cert on a hybrid 1.10/1.12 cluster with
an non-upgraded CA issuer bundle.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-15 08:50:57 -05:00
Anton Averchenkov 6d45a421ff
Add a sentinel error for missing KV secrets (#16699) 2022-08-12 19:29:42 -04:00
Loann Le 67f2f4ea2d
vault documentation: doc cleanup effort-batch4 (#16711)
* cleanup effort

* modified text

* Update website/content/docs/internals/integrated-storage.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-08-12 15:39:58 -07:00
Stuart Purgavie d17a32bad3
Update internal-ui-mounts.mdx (#16399)
* Update internal-ui-mounts.mdx

For sys/internal/ui/mounts:
Make it clear that this endpoint is not only being leveraged on the Web UI, but is also leveraged in other places such as `command/kv_helpers.go` for example. Also update response to standard Vault API response JSON, not just `data` portion of response, and include options data present on KV v2 mounts.

For sys/internal/ui/mounts/:path:
Add initial version of this endpoint family.

* docs(website/content/api-docs/system/internal): backwards compatibility disclaimer

* realign MD table

* restrict response sample to data portion to be in line with other docs

* docs(website/content/api-docs/system/internal): ui/mounts calling mode notes
2022-08-12 11:10:56 -07:00
Steven Clark 29099f2ef9
Do not mask RSA verification misuse errors as verification failures (#16695)
- Found by @trishankatdatadog in PR #16549, we were masking errors
   coming out of the rsa verification calls as verfication errors and
   not returning when they were usage errors.
2022-08-12 13:53:25 -04:00
mallika-hc 9e340ed7f8
Update health.mdx (#16645)
* Update health.mdx

Added sample request and response for customizing the status code being returned from the sys/health endpoint

* Update website/content/api-docs/system/health.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-12 10:39:51 -07:00
mallika-hc 4c0ccf28ec
Update replication-dr.mdx (#16665)
Updated the Revoke DR Secondary token section with detail about from where the command needs to be run
2022-08-12 09:10:40 -07:00
Jason O'Donnell c97b982043
secret/database: fix bug where too many wal deletes are deferred (#16686)
* secret/database: fix bug where too many wal deletes are deferred

* changelog

* Update changelog/16686.txt

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-08-11 16:22:53 -04:00
claire labry eed4bdb050
add a note clarifying to leave website event in oss only (#16687) 2022-08-11 14:41:15 -05:00
John-Michael Faircloth bb58775bb5
secrets/auth: fix bug with aliased backends (#16673)
* secrets/auth: fix bug with aliased backends

* add changelog

* update changelog to include affected backends
2022-08-10 20:02:05 -05:00
Austin Gebauer 7bda58a1fd
secrets/db: update documentation on password policies (#16679) 2022-08-10 17:52:20 -07:00
Calvin Leung Huang 42de4a40b2
docs: update agent template certificate section (#16573)
* docs: update agent template certificate section

* extend template language section

* make recommendation to use pkiCert over secret
2022-08-10 19:38:56 -04:00
John-Michael Faircloth dd4fb82b5d
unit test: remove postgres dependecy from testing.go (#16675) 2022-08-10 17:01:24 -05:00
Tom Proctor 2d167b3427
Docs: Update Vault CSI Provider SecretProviderClass config options (#16506) 2022-08-10 21:30:20 +01:00
linda9379 5cd1a12178
UI Support for Okta Number Challenge (#15998)
* Imported uuid library for initial commit to push a clean branch.

* Removed import statement in auth-form file since it was causing UI tests to fail as the import was not being used.

* Added nonce field to payload for okta sign in. (#16001)

* Added nonce field to payload for okta sign in.

* Added missing yarn package for uuid

* Fixed failing ui tests in cluster-test file to take into account of nonce field in the payload of okta login

* Removed uuid library and used crypto.randomUUID() to generate unique uuid values instead

* Fixed indent in package.json

* Removed uuid library since decided to use crypto.randomUUID() instead to generate unique uuid values

* Create polling function for correct answer in okta number challenge (#16070)

* Implemented polling function to get correct answer for okta number challenge.

* Disabled polling function for testing as it was causing acceptance test to fail in auth-test.js

* Changed API call to be the auth mount path instead of being static and created a variable to store the oktaNumberChallengeAnswer to be used later for the display screens

* Create component for okta number challenge screen (#16195)

* Implemented loading screen and display screen for correct answer for Okta Number Challenge

* Fixed linting issues on hbs files

* Added periods to parameter descriptions and made parameters optional

* Removed optional parameters from calling AuthForm component if authMethod is not Okta

* Implement error handling and screens for okta number challenge (#16276)

* Implemented loading screen and display screen for correct answer for Okta Number Challenge

* Fixed linting issues on hbs files

* Temporary changes to include error screen in okta number challenge

* Created error screen tests and made minor fixes

* Fixed error for wrong parameter name being passed in

* Fixed linting issues causing ui tests to fail

* Added periods at the end of param descriptions

* Imported uuid library for initial commit to push a clean branch.

* Removed import statement in auth-form file since it was causing UI tests to fail as the import was not being used.

* Removed uuid library since decided to use crypto.randomUUID() instead to generate unique uuid values

* Added nonce field to payload for okta sign in. (#16001)

* Added nonce field to payload for okta sign in.

* Added missing yarn package for uuid

* Fixed failing ui tests in cluster-test file to take into account of nonce field in the payload of okta login

* Removed uuid library and used crypto.randomUUID() to generate unique uuid values instead

* Fixed indent in package.json

* Create polling function for correct answer in okta number challenge (#16070)

* Implemented polling function to get correct answer for okta number challenge.

* Disabled polling function for testing as it was causing acceptance test to fail in auth-test.js

* Changed API call to be the auth mount path instead of being static and created a variable to store the oktaNumberChallengeAnswer to be used later for the display screens

* Create component for okta number challenge screen (#16195)

* Implemented loading screen and display screen for correct answer for Okta Number Challenge

* Fixed linting issues on hbs files

* Added periods to parameter descriptions and made parameters optional

* Removed optional parameters from calling AuthForm component if authMethod is not Okta

* Implement error handling and screens for okta number challenge (#16276)

* Implemented loading screen and display screen for correct answer for Okta Number Challenge

* Fixed linting issues on hbs files

* Temporary changes to include error screen in okta number challenge

* Created error screen tests and made minor fixes

* Fixed error for wrong parameter name being passed in

* Fixed linting issues causing ui tests to fail

* Added periods at the end of param descriptions

* UI/vault 7312/fix vault enterprise error for okta number challenge (#16568)

* Fixed bug with okta not working when selecting okta tab after being on other tab

* Fixed vault enterprise errors

* Fixed error when logging in with Okta in 'Other' tab

* Removed namespace parameter in option to use the default

* Added changelog
2022-08-10 15:46:04 -04:00
Michele Degges 5c4b1cc4ac
[CI-only] Use pattern matching for release_branches (#16375)
Pattern matching was [recently added](https://github.com/hashicorp/crt-orchestrator/pull/51) so that teams no longer have to explicitly list every branch that should trigger the CRT pipeline. This simplifies release preparation- anytime a new release branch is created, it will produce releasable artifacts and exercise the full pipeline.
2022-08-10 11:25:10 -07:00
Christopher Swenson c7c9abff32
Update OSS workflow so not all issues get put in the UI board (#16666)
If we don't guard against pull_request being null, we do a lot of extra
checkout and path filtering, and it ends up putting everything in the UI
board.

I tested this in another repo, and it seems to behave correctly.
2022-08-10 08:53:45 -07:00
Violet Hynes 398d51bb3d
VAULT-6818 Docs for entity merge functionality (#16593)
* VAULT-6818 Docs for entity merge functionality

* VAULT-6818 Elaborate more on what happens to non-kept aliases
2022-08-10 09:10:10 -04:00
Violet Hynes 4850a3ff0e
VAULT-6818 - Restrict ability to merge entities with mount-accessor-conflicting aliases unless one is explicitly chosen to be kept (#16539)
* VAULT-6818 delete unmerged entity aliases instead of orphaning them

* VAULT-6818 Prevent merge with clashing aliases, allow for resolution of clashing entity aliases

* VAULT-6818 Small updates

* VAULT-6818 Restrict to only one clash merge at once

* VAULT-6818 changelog

* VAULT-6818 use strutil package instead of slices

* VAULT-6818 Update variable names for clarity

* VAULT-6818 Update test

* VAULT-6818 update error message

* VAULT-6818 Use helper method

* VAULT-6818 validate entityIds

* VAULT-6818 group imports better

* VAULT-6818 use change instead of bug

* VAULT-6818 use multierror instead of custom struct

* VAULT-6818 Use multierror properly

* VAULT-6818 Small refactor based on feedback
2022-08-10 09:10:02 -04:00
claire bontempo a1cef4a72a
UI/ fix tooltip submitting form (#16659)
* fix tooltip submitting form

* add changelog

* add changelog actually
2022-08-09 20:51:29 -07:00
Christopher Swenson 8b1a9da460
Update project auto-triage to use new token (#16660) 2022-08-09 19:29:39 -04:00
Loann Le 6d3cd5249e
modified wording (#16655) 2022-08-09 15:09:49 -07:00
Christopher Swenson 18d336b16c
Add Open Source project workflow (#16653)
Add Open Source project workflow

This will help us triage open source issues into our various internal
project boards.

I tested this on a separate repo, and it seems to work.
2022-08-09 17:52:07 -04:00
Rachel Culpepper c367f883a0
Vault-5626: add key wrapping guide for transit import (#16365)
* add key wrapping guide for transit import

* link to key wrap guide from transit overview

* add new page to nav

* fix formatting

* fix note format

* fix link
2022-08-09 16:14:15 -05:00
Josh Black 005903f1ae
Clarify upgrades post 1.11 (#16650) 2022-08-09 13:57:58 -07:00
Chris Capurso 52d6287d4b
update license FAQ docs with termination changes (#16634)
* update license FAQ docs with termination changes

* change intro statement

* change temp eval license issuance callout

* PR feedback

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-09 11:27:57 -07:00
Chris Capurso 707fcad006
Add custom metadata to namespace API and CLI docs (#16633)
* add custom_metadata to ns api docs

* update ns CLI docs to add custom-metadata flag
2022-08-09 14:10:41 -04:00
Kevin 9365250dfc
fix typo in Discovering the service account issuer (#16641) 2022-08-09 13:27:30 -04:00
Robert 4bbdf61f52
auth/kerberos: update plugin version to v0.7.2 (#16636)
* Update plugin version to v0.7.2
2022-08-09 11:02:41 -05:00
Chris Capurso a0c557f38a
VAULT-7256: Add custom_metadata to namespaces (#16640)
* add mapstructure tags to Namespace struct

* add custom metadata Parse helper

* add ns custom metadata and patch
2022-08-09 11:38:03 -04:00
Austin Gebauer e72b7a8938
identity/oidc: minor fixes to the API documentation (#16638) 2022-08-09 08:09:37 -07:00
Milena Zlaticanin 78e8c135fc
Hana - Add username customization (#16631)
* implement username customization feature

* adding changelog

* update database capabilities doc

* update database capabilities doc

Co-authored-by: Zlaticanin <milena@hashicorp.com>
2022-08-08 16:01:34 -05:00
Alexander Scheel a259978a3d
Add warning when generate_lease=true (#16398)
This option is known to cause problems with large numbers of issued
certificates. Ensure admins are warned about the impact of this field
and encourage them to disable it.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-08 13:26:10 -04:00
Austin Gebauer ed143c5678
identity/oidc: reorder authorization endpoint validation for invalid redirect uris (#16601)
* identity/oidc: reorder authorization endpoint validation for invalid redirect uris

* adds changelog

* use provider.allowedClientID
2022-08-08 09:02:18 -07:00
claire labry 326936b1ef
introduces the post publish website event (#16328) 2022-08-08 16:51:03 +01:00
Austin Gebauer 59831a8d5c
identity/oidc: adds client_secret_post token endpoint authentication method (#16598)
* identity/oidc: adds client_secret_post token endpoint authentication method

* fix test

* adds changelog
2022-08-08 08:41:09 -07:00
Meggie b7365df464
Adding PGX change to release & upgrade notes (#16613)
Also some heading size tidying
2022-08-05 14:57:47 -04:00
Austin Gebauer 67339b71e8
identity/oidc: fixes validation of the request and request_uri parameters (#16600)
* identity/oidc: add request_parameter_supported to discovery document

* adds changelog
2022-08-05 11:55:15 -07:00
Austin Gebauer a2bc8cfb96
identity/oidc: change the state parameter to optional (#16599)
* identity/oidc: change the state parameter to optional

* adds changelog

* update docs
2022-08-05 11:37:24 -07:00
Hridoy Roy a02c02ea68
upgrade raft to 1.3.10 (#16609)
* upgrade raft to 1.3.10

* changelog
2022-08-05 10:27:37 -07:00