17323 Commits

Author SHA1 Message Date
Mike Palmiotto dc8d2af2d8
Add current_billing_period activity endpoint param (#20694)
* Add current_billing_period activity endpoint param

This commit introduces a new parameter: `current_billing_period`, which
can be used in lieu of `start_time` and `end_time` options.

GET ... /sys/internal/counters/activity?current_billing_period=true now
results in a response which contains the full billing period
information.

* changelog

* Update internal counters docs
2023-05-22 09:22:45 -04:00
Daniel Huckins 2658dcf48d
agent: Add support for parsing env_template configuration files (#20598)
* added exec and env_template config/parsing

* add tests

* we can reuse ctconfig here

* do not create a non-nil map

* check defaults

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* convert to list

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* sig test

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add failing example

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* add test for invalid signal

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* Update command/agent/config/config.go

* use latest consul-template

* fix build

* fix test

* fix test fixtures

* make fmt

* test docs

* rename file

* env var -> environment variable

* default to SIGTERM

* empty line

* explicit naming

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* clean typo

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>

* replace $HOME with /home/username in examples

* remove empty line

---------

Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
Co-authored-by: Anton Averchenkov <anton.averchenkov@hashicorp.com>
2023-05-19 18:11:41 -04:00
Mike Palmiotto a40341d176
Add client_type field to EntityRecord protobuf (#20626)
* Add client_type field to EntityRecord protobuf

* changelog

* Add ACME clientType verification
2023-05-19 20:30:12 +00:00
Christopher Swenson f80a73d0fe
docs: Traditional HA standby nodes do *not* serve read requests directly (#20687) 2023-05-19 13:00:57 -07:00
Alexander Scheel e552c06173
Properly validate int ca lifetime error, add warning on leaf cert with basic constraints (#20654)
* Ensure proper error message from CA validity period

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add warning to issuance of leaf cert with basic constraints

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-19 19:52:16 +00:00
Marc Boudreau 8928b30224
Refactor Code Focused on DevTLS Mode into New Function (#20376)
* refactor code focused on DevTLS mode into new function

* add tests for configureDevTLS function

* replace testcase comments with fields in testcase struct
2023-05-19 15:45:22 -04:00
John-Michael Faircloth 4330265469
secrets/aws: fix role field description (#20686) 2023-05-19 18:33:18 +00:00
Alexander Scheel 9d2af72bde
Fix entropy sourcing on Vault Enterprise (#20684)
Note the three overlapping scenarios discussed in the comments. In the
future, when this interface is more broadly supported, we should likely
add the interface directly to SystemView and implement it over the GRPC
interface, removing this nasty layering of already complex SystemView
implementations.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-19 14:15:43 -04:00
Anton Averchenkov f551f4e5ba
cli: Add 'agent generate-config' sub-command (#20530) 2023-05-19 13:42:19 -04:00
Violet Hynes 92dc054bb3
VAULT-15547 Agent/proxy decoupling, take two (#20634)
* VAULT-15547 Additional tests, refactoring, for proxy split

* VAULT-15547 Additional tests, refactoring, for proxy split

* VAULT-15547 Import reorganization

* VAULT-15547 Some missed updates for PersistConfig

* VAULT-15547 address comments

* VAULT-15547 address comments
2023-05-19 13:17:48 -04:00
Violet Hynes a47c0c7073
VAULT-15546 First pass at Vault Proxy docs (#20578)
* VAULT-15546 First pass at Vault Proxy docs

* VAULT-15546 correct errors

* VAULT-15546 fully qualify paths

* VAULT-15546 remove index

* VAULT-15546 Some typos and clean up

* VAULT-15546 fix link

* VAULT-15546 Add redirects so old links stay working

* VAULT-15546 more explicit redirects

* VAULT-15546 typo fixes

* Suggestions for Vault Agent & Vault Proxy docs (#20612)

* Rename 'agentandproxy' to 'agent-and-proxy' for better URL

* Update the index pages for each section

* VAULT-15546 fix link typo

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2023-05-19 13:11:39 -04:00
Chelsea Shaw 7d0ae1622b
UI: View PKI issuer from overview page (#20655) 2023-05-19 11:54:08 -05:00
Jordan Reimer 0477762f1b
adds access nav component to settings auth route (#20662) 2023-05-19 10:52:57 -06:00
miagilepner 7aa1bce6fb
VAULT-15703: Reload automated reporting (#20680)
* support config reloading for census

* changelog

* second changelog entry for license updates

* correct changelog PR
2023-05-19 14:42:50 +00:00
Marc Boudreau c61941c443
VAULT-5094: Deal with identity_policies Set to nil in Secret Data Field (#20636)
* fix: deal with identity_policies set to nil

* add changelog file
2023-05-19 09:51:52 -04:00
Alexander Scheel ea3441333a
Fix tidy with maintain_stored_certificate_counts == publish_stored_certificate_count_metrics == false (#20664)
* Fix tidy with maintain_stored_certificate_counts == publish_stored_certificate_count_metrics == false

The logic around the check to set both to false was wrong, and should
be validated independently.

Additionally, these fields should only exist on auto-tidy and not on the
manual tidy endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pki/path_tidy.go

Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
2023-05-19 12:09:48 +00:00
claire bontempo 7753808910
ctivated (#20670) 2023-05-19 07:38:13 -04:00
Equus quagga 0750d31a4c
Added a note to remove-peer (#20583)
* Update raft.mdx

* Update website/content/docs/commands/operator/raft.mdx

Co-authored-by: Josh Black <raskchanky@gmail.com>

---------

Co-authored-by: Josh Black <raskchanky@gmail.com>
2023-05-19 12:21:30 +02:00
Equus quagga 5ff1bfc1e8
Update docs/secrets/databases/mssql.mdx (#20623)
Added a note in the `Example for Azure SQL Database` section stating that we only support SQL auth and no Azure AD auth.
2023-05-18 19:33:55 -07:00
l-with d1d3d697da
Add possibility to decode generated encoded root token to api (#20595) 2023-05-18 15:18:19 -04:00
Alexander Scheel f9fdac0345
Transit UX improvements: show key policy, configs on write (#20652)
* Respond with cache size on config write

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Respond with key policy on write

This includes creating a key, but also trimming or rotating an
existing key.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly handle locking around policy formatting

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Validate that responses are non-empty

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-18 14:36:10 -04:00
Theron Voran f219d7a77c
dockerfile: ubi-minimal:8.7 -> 8.8 (#20640) 2023-05-18 10:02:18 -07:00
John-Michael Faircloth f9541a1c96
pki: add subject key identifier to read key response (#20642)
* pki: add subject key identifier to read key response

This will be helpful for the Terraform Vault Provider to detect
migration of pre-1.11 exported keys (from CA generation) into post-1.11
Vault.

* add changelog

* Update builtin/logical/pki/path_fetch_keys.go

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

* check for managed key first

* Validate the SKID matches on root CAs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Validate SKID matches on int CAs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix formatting of tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-18 16:49:22 +00:00
Jonathan Frappier 03a684eb7e
Add root protected endpoint table (#20650)
* Add root protected endpoint table

* Fix heading case
2023-05-18 11:53:22 -04:00
Kianna 517d4b92aa
UI: VAULT-16309 Update OIDC navbar name to OIDC provider (#20631) 2023-05-18 15:52:28 +00:00
Alexander Scheel 2b5f3509e5
Correctly search for namespace path, not id (#20651)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2023-05-18 15:41:16 +00:00
Hamid Ghaf 04d81e1c27
report intermediate error messages during request forwarding (#20643)
* report intermediate error messages during request forwarding

* CL
2023-05-18 05:07:54 -07:00
Luis (LT) Carbonell 95e6723aa9
Correct Default for MaximumPageSize (#20453)
* default max page size for config

* Add changelog

* update test int to *int

* add testing defaults

* update default to -1, i.e. don't paginate

* update test

* Add error message for invalid search

* Make 0 the default

* cleanup

* Add to known issues doc

* Update website/content/docs/upgrading/upgrade-to-1.13.x.mdx

* Update website/content/docs/upgrading/upgrade-to-1.11.x.mdx

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Update website/content/docs/upgrading/upgrade-to-1.13.x.mdx

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Update website/content/docs/upgrading/upgrade-to-1.12.x.mdx

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>

* Add workaround to docs

* Update changelog/20453.txt

Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>

---------

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
2023-05-17 20:56:53 +00:00
Alexander Scheel b204e51263
ACME tests for Intermediate CA issuance prevention (#20633)
* Do not set use_csr_values when issuing ACME certs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Ensure CSRs with Basic Constraints are rejected

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test to ensure CA certificates cannot be issued

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update builtin/logical/pkiext/pkiext_binary/acme_test.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Update builtin/logical/pkiext/pkiext_binary/acme_test.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* Update acme_test.go to include certutil

* Update acme_test.go - unused imports, reformat

* Update acme_test.go - hex really was used

This is why I can't use the GH web editor. :-)

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2023-05-17 19:54:37 +00:00
Mark Collao 143a785c21
update changelog 2023-05-17 14:35:38 -05:00
Marc Boudreau b35ded0cb8
VAULT-16217 Fixing Broken OpenAPI Specification Generation (#20597)
* including path parameters into stub Paths for enterprise-only endpoints

* Set Required to true for path parameters in enterprise-only path stubs

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

* properly format go code

* re-adding initialization of Fields and Operations fields in the stubbed Path struct

---------

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
2023-05-17 14:56:45 -04:00
Nick Cabatoff 1a8d3e8948
Make -dev-three-node use perf standbys for ent binaries (#20629) 2023-05-17 18:37:44 +00:00
Rachel Culpepper 11f9603b37
Vault-12308: Change password policy testing to be deterministic (#20625)
* change testing password policy to be deterministic

* fix panic

* test password against rules

* improve error message

* make test password gen more random

* fix check on test password length
2023-05-17 18:22:19 +00:00
Chelsea Shaw 722c578ff4
UI/console update (#20590) 2023-05-17 11:41:02 -05:00
Alexander Scheel e58f3816a4
Start counting ACME certificate issuance as client activity (#20520)
* Add stub ACME billing interfaces

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add initial implementation of client count

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Correctly attribute to mount, namespace

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor adding entities of custom types

This begins to add custom types of events; presently these are counted
as non-entity tokens, but prefixed with a custom ClientID prefix.

In the future, this will be the basis for counting these events
separately (into separate buckets and separate storage segments).

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor creation of ACME mounts

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add test case for billing

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Better support managed key system view casting

Without an additional parameter, SystemView could be of a different
internal implementation type that cannot be directly casted to in OSS.
Use a separate parameter for the managed key system view to use instead.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor creation of mounts for enterprise

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Validate mounts in ACME billing tests

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use a hopefully unique separator for encoded identifiers

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use mount accessor, not path

Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Rename AddEventToFragment->AddActivityToFragment

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

---------

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2023-05-17 16:12:04 +00:00
Steven Clark e3a99fdaab
Update ACME endpoint help synopsis and description (#20624)
- Use generic help synopsis and help description values for the various ACME endpoints defined.
 - Add missing values for the Vault ACME EAB apis
2023-05-17 13:59:30 +00:00
Violet Hynes b2468d3481
VAULT-15547 First pass at agent/proxy decoupling (#20548)
* VAULT-15547 First pass at agent/proxy decoupling

* VAULT-15547 Fix some imports

* VAULT-15547 cases instead of string.Title

* VAULT-15547 changelog

* VAULT-15547 Fix some imports

* VAULT-15547 some more dependency updates

* VAULT-15547 More dependency paths

* VAULT-15547 godocs for tests

* VAULT-15547 godocs for tests

* VAULT-15547 test package updates

* VAULT-15547 test packages

* VAULT-15547 add proxy to test packages

* VAULT-15547 gitignore

* VAULT-15547 address comments

* VAULT-15547 Some typos and small fixes
2023-05-17 09:38:34 -04:00
Paul Banks 66a6e18283
Bump Go to 1.20.4 for Vault 1.14.0 (#20615) 2023-05-17 14:30:04 +01:00
Jason O'Donnell 202d674682
command/server: add support to write pprof files to the filesystem via SIGUSR2 (#20609)
* core/server: add support to write pprof files to the filesystem via SIGUSR2

* changelog

* Fix filepath join

* Use core logger

* Simplify logic

* Break on error
2023-05-17 09:21:25 -04:00
Jordan Reimer 5cebced707
fixes command not found: export when running yarn start and updates caniuse-lite (#20610) 2023-05-16 15:48:49 -06:00
Ryan Cragun 2b5cb8d26b
test: use correct pool allocation for spot strategy (#20593)
Determine the allocation pool size for the spot fleet by the allocation
strategy. This allows us to ensure a consistent attribute plan during
re-runs which avoid rebuilding the target fleets.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2023-05-16 14:00:20 -06:00
Angel Garbarino 74be2f8592
Fix flaky filtering test (#20605)
* fix failing test

* more specific
2023-05-16 14:39:19 -05:00
Jordan Reimer 43fae50512
MFA Create Enforcement Bug (#20603)
* fixes issue creating mfa enforcement from method enforcement tab toolbar action

* adds changelog entry
2023-05-16 10:38:53 -06:00
Anton Averchenkov 89e5b566ac
openapi: Fix ACME-related errors (#20599) 2023-05-16 16:05:07 +00:00
Steven Clark 57dc281561
Disable requiring EAB in ACME by default (#20600)
* Disable requiring EAB in ACME by default

 - After an internal meeting it was decided that enabling EAB support by default was probably not the right decision.
 - The main motivating factor being ease of use by end-users as the majority of implementations aren't expecting EAB to be required by default.

* Leverage function isPublicACMEDisabledByEnv and log parsing error

 - Add logging to the new isPublicACMEDisabledByEnv function if we fail to parse the env var
 - Leverage the function within the isAcmeDisabled function in acme_wrappers.go to not duplicate the env getting logic in two places.

* Fail closed when VAULT_DISABLE_PUBLIC_ACME is un-parsable.
2023-05-16 11:17:04 -04:00
Kianna 65c100182d
UI: Convert pki component files to ts (#20533) 2023-05-16 08:07:12 -07:00
miagilepner f14a039a65
VAULT-14733: Split logic of precomputedQueryWorker (#20073)
* split precomputed query worker and add unit tests

* add new client delete method and test

* add changelog

* fixes from pr review

* add missing comment

* fix comparison
2023-05-16 16:29:18 +02:00
Steven Clark b483288703
Add a last issued date on ACME accounts (#20534)
* Add a last issued date on ACME accounts

 - When we issue a new ACME certificate, attempt to update the account's last issued field
 - Within ACME account tidy, use both account creation and last issue date to provide a buffer before we mark the account as revoked.
 - Cleanup the cert serial to account tracker
 - Misc formatting fixes in JSON objects

* Move account max-cert-expiry updates within tidy

 - Perform the account update of max-cert-expiry within
   the tidy operation as it has the account write lock
   and is already iterating over all orders.
 - With this the order path does not need any account
   level locks

* Prefix ACME account status constants with AccountStatusX
2023-05-15 16:02:40 -04:00
Angel Garbarino 8d333a2c20
remove var (#20592) 2023-05-15 17:28:47 +00:00
Steven Clark b9b49116d0
Add External Account Binding support to ACME (#20523)
* Add Vault APIs to create, list, delete ACME EAB keys

 - Add Vault authenticated APIs to create, list and delete ACME
   EAB keys.
 - Add supporting tests for all new apis

* Add require_eab to acme configuration

* Add EAB support to ACME

* Add EAB support to ACME

* PR feedback 1

 - Address missing err return within DeleteEab
 - Move verifyEabPayload to acme_jws.go no code changes in this PR
 - Update error message returned for error on account storage with EAB.

* PR feedback 2

 - Verify JWK signature payload after signature verification

* Introduce an ACME eab_policy in configuration

 - Instead of a boolean on/off for require_eab, introduce named policies for ACME behaviour enforcing eab.
 - The default policy of always-required, will force new accounts to have an EAB, and all operations in the future, will make sure the account has an EAB associated with it.
 - Two other policies, not-required will allow any anonymous users to use ACME within PKI and 'new-account-required' will enforce new accounts going forward to require an EAB, but existing accounts will still be allowed to use ACME if they don't have an EAB associated with the account.
 - Having 'always-required' as a policy, will override the environment variable to disable public acme as well.

* Add missing go-docs to new tests.

* Add valid eab_policy values in error message.
2023-05-15 13:15:20 -04:00