Commit graph

2759 commits

Author SHA1 Message Date
Violet Hynes bfeae1fe8e
VAULT-7707 OSS portion of changes (#18019)
* VAULT-7707 OSS portion of changes

* Revert "VAULT-7707 OSS portion of changes"

This reverts commit 5b8cf3882fb7e2427593d59e1439d46b3a5c20a7.

* VAULT-7707 smarter locking behaviour

* VAULT-7707 typo

* VAULT-7707 typo
2022-11-17 16:30:39 -05:00
davidadeleon 3394c28ce1
Deduplicate policies prior to generating ACL on request (#17914)
* Deduplicate policies prior to generating ACL on request

* add changelog

* edit changelog entry
2022-11-16 17:43:46 -05:00
Brian Kassouf 288b0567b1
Barrier: Fix potential locking issue (#17944)
* Barrier: Fix potential locking issue

* add changelog
2022-11-16 09:53:22 -08:00
akshya96 f3c9e98fd5
Vault-8306 User Lockout RPCs oss changes (#17765)
* adding oss file changes

* updating changes from ent
2022-11-15 15:07:52 -08:00
Josh Black 94739c1af6
Don't return a 204 if there's no historical data (#17935)
* don't return a 204 if there's no historical data

* add changelog
2022-11-15 12:15:51 -08:00
Mike Palmiotto 773f0d58ad
plugins: Filter builtins by RunningVersion (#17816)
This commit adds some logic to handle the case where a mount entry has a
non-builtin RunningVersion. This ensures that we only report deprecation
status for builtins.
2022-11-11 14:51:37 -05:00
Anton Averchenkov f9fac68980
Revert "Add mount path into the default generated openapi.json spec (#17839)" (#17890)
This reverts commit 02064eccb42bb2ec1a3d12ec0d49c661312acd2d.
2022-11-10 15:39:53 -08:00
Anton Averchenkov f3aea876b9
Add mount path into the default generated openapi.json spec (#17839)
The current behaviour is to only add mount paths into the generated `opeanpi.json` spec if a `generic_mount_paths` flag is added to the request. This means that we would have to maintain two different `openapi.json` files, which is not ideal. The new solution in this PR is to add `{mount_path}` into every path with a default value specified:

```diff
--    "/auth/token/accessors/": {
++    "/auth/{mount_path}/accessors/": {
      "parameters": [
        {
          "name": "mount_path",
          "description": "....",
          "in": "path",
          "schema": {
            "type": "string",
++          "default": "token"
          }
        }
      ],
```

Additionally, fixed the logic to generate the `operationId` (used to generate method names in the code generated from OpenAPI spec). It had a bug where the ID had `mountPath` in it. The new ID will look like this:

```diff
-- "operationId": "listAuthMountpathAccessors",
++ "operationId": "listTokenAccessors",
```
2022-11-10 15:44:43 -05:00
Josh Black a5c101d851
Fix activity log end time (#17856)
* Correct the end_time in the activity log output for partial counts

* use the real endTime not the passed in one

* add changelog
2022-11-10 12:11:23 -08:00
Violet Hynes 65e8eee0ba
VAULT-8703 Add warning for dangerous undocumented overrides, if used, in status response (#17855)
* VAULT-8703 Add warning for dangerous undocumented overrides, if used, in status response

* VAULT-8703 add changelog

* VAULT-8703 fix append
2022-11-09 11:04:36 -05:00
divyaac 2d3775a93b
Introspection API Implementation for Router Struct (#17789)
* OSS Commit from ENT for Introspection API

* Add changelog
2022-11-04 09:39:09 -07:00
Jason O'Donnell 4e122214f7
core: fix start up policy loading race condition on perf standbys (#17801)
* core: fix start up policy loading race condition on perf standbys

* Use correct bool for perf standby

* changelog
2022-11-03 13:01:39 -04:00
akshya96 2945924b2b
Vault 8305 Prevent Brute Forcing in Auth methods : Setting user lockout configuration (#17338)
* config file changes

* lockout config changes

* auth tune r/w and auth tune

* removing changes at enable

* removing q.Q

* go mod tidy

* removing comments

* changing struct name for config file

* fixing mount tune

* adding test file for user lockout

* fixing comments and add changelog

* addressing comments

* fixing mount table updates

* updating consts in auth_tune

* small fixes

* adding hcl parse test

* fixing config compare

* fixing github comments

* optimize userlockouts.go

* fixing test

* minor changes

* adding comments

* adding sort to flaky test

* fix flaky test
2022-11-01 11:02:07 -07:00
Mike Palmiotto a9dcc45f72
Tweak totp test to fix race failures (#17692) 2022-10-27 09:41:40 -04:00
akshya96 1e189016e2
update protoc version to 3.21.7 oss (#17499)
* update protoc to 3.21.7

* adding changelog
2022-10-26 16:49:44 -07:00
Mike Palmiotto cc96c6f470
Store login MFA secret with tokenhelper (#17040)
* Store login MFA secret with tokenhelper
* Clean up and refactor tokenhelper paths
* Refactor totp test code for re-use
* Add login MFA command tests
* Use longer sleep times and sha512 for totp test
* Add changelog
2022-10-26 17:02:26 -04:00
Violet Hynes 73f9b13762
VAULT-9451 Fix data race in entity merge (#17631) 2022-10-21 16:47:59 -04:00
Violet Hynes 5861c51e70
VAULT-8719 Support data array for alias clash error response so UI/machines can understand error (#17459)
* VAULT-8719 Support data array for alias clash error response so UI can understand error

* VAULT-8719 Changelog

* VAULT-8719 Update alias mount update logic

* VAULT-8719 Further restrict IsError()
2022-10-17 14:46:25 -04:00
Nick Cabatoff f94bd10540
Tolerate NamespaceByID returning (nil,nil) when looking up an mfa enforcement's ns (#17562) 2022-10-17 09:18:02 -04:00
Hamid Ghaf 8a624c1264
prevent memory leak when using control group factors in a policy (#17532)
* prevent a possible memory leak when using control group factors in a policy

* CL
2022-10-14 19:15:15 -04:00
Mike Palmiotto 81459de6fd
core: Move rollback period init to NewCore (#17547) 2022-10-13 18:39:00 -04:00
Nick Cabatoff 8e67651dcd
Fix a data race with rollbackPeriod. (#17387) 2022-10-13 09:59:07 -04:00
Chris Capurso 2c9b29ab42
fix off by one err in current month client count computation (#17457) 2022-10-07 12:37:09 -04:00
Nick Cabatoff 39c7e7c191
Add more raft metrics, emit more metrics on non-perf standbys (#12166)
Add some metrics helpful for monitoring raft cluster state.

Furthermore, we weren't emitting bolt metrics on regular (non-perf) standbys, and there were other metrics
in metricsLoop that would make sense to include in OSS but weren't.  We now have an active-node-only func,
emitMetricsActiveNode.  This runs metricsLoop on the active node.  Standbys and perf-standbys run metricsLoop
from a goroutine managed by the runStandby rungroup.
2022-10-07 09:09:08 -07:00
Josh Black ad1503ebcd
disable undo logs by default for 1.12.0 (#17453) 2022-10-07 08:47:40 -07:00
Tom Proctor df690ea414
Plugins: Add -version flag to 'vault plugin info' (#17454)
* Add -version flag to 'vault plugin info'
* Allow specifying a builtin tag when reading a single plugin from the catalog
2022-10-07 15:28:15 +01:00
Josh Black c45c6e51c0
only enable undo logs if all cluster members support it (#17378) 2022-10-06 11:24:16 -07:00
Christopher Swenson 06d843d3b0
Don't allow write perms to plugins in test (#17439)
We are specifically checking that the writes are now allowed for group
and other.

I don't know how this test was passing on non-arm64 platforms,
but hopefully this should fix it.
2022-10-06 10:09:27 -07:00
Tom Proctor 2cf29f93c7
Plugins: Add version info to CLI and server log output (#17430) 2022-10-06 12:54:27 +01:00
valli_0x 3ad4d3af6e
core: push entry table type-checking into for loop (#17220)
This commit refactors the `persistAudit`, `persistAuth`, and `persistMount` code paths to perform `entry.Table` type-checking within the same loop as the entry list appending. This saves cycles in the case of success; however, performs some unnecessary appends in the event that an entry has an incorrect table type/value combination.
2022-10-05 15:56:12 -04:00
Nick Cabatoff d5e0353696
Fix unsafe access to perf standby status from systemview (#17186)
Ensure that we don't try to access Core.perfStandby or Core.PerfStandby() from dynamicSystemView, which might be accessed with or without stateLock held.
2022-10-05 08:56:36 -04:00
Tom Proctor 3aa2fe8d8f
Plugins: Tighten requirements for multiplexing (#17403)
Change the multiplexing key to use all `PluginRunner` config (converted to a struct which is comparable), so that plugins with the same name but different env, args, types, versions etc are not incorrectly multiplexed together.

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
2022-10-05 09:29:29 +01:00
Tom Proctor 4bd5af87f4
Plugins: Fix file permissions check to always use the correct path (#17340)
* Add failing test for when command != plugin name
* wrapFactoryCheckPerms uses pluginCatalog.Get to fetch the correct command
* Use filepath.Rel for consistency with plugin read API handler
2022-09-30 10:33:31 +01:00
Mike Palmiotto 0078822d1d
core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool (#17319)
* core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool

* docs: Update VAULT_ALLOW_PENDING_REMOVAL_MOUNTS doc
2022-09-29 14:35:52 -04:00
Tom Proctor 12ca81bc9b
cli/api: Update plugin listing to always include version info in the response (#17347) 2022-09-29 18:22:33 +01:00
Christopher Swenson 9d0e4986c2
Builtin plugins cannot be overridden in mounts (#17304)
Builtin plugins cannot be overridden in mounts

Before versioning, plugins with the same names as builtins (e.g., "kv")
could be registered, but trying to mount them would always use the
builtin versions.

With versioning, we still allow registering plugins with the same name
as a builtin. However, if the user tries to mount a versioned plugin
with the same name as a builtin, and specifies the non-builtin version
be used, we return an error.

Otherwise the user would see a confusing situation where the one or
both of the Version and RunningVersion would say they were using
the user-requested version, but in reality were using the builtin
version.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-09-23 13:14:37 -07:00
Tom Proctor c778f2d822
Plugins: Handle plugins that may be registered with a slash in their name (#17301) 2022-09-23 20:00:10 +01:00
Tom Proctor e21995fa27
Plugins: Update running version everywhere running sha256 is set (#17292) 2022-09-23 11:19:38 +01:00
Tom Proctor c77f009759
Plugins: Allow explicitly specifying the builtin version of a plugin (#17289) 2022-09-22 23:15:46 +01:00
Violet Hynes 2b8d8a3c6a
VAULT-8630 Fix goroutine leak from RLQ initialize (#17281)
* VAULT-8630 Fix goroutine leak from RLQ initialize

* VAULT-8630 Changelog

* VAULT-8630 additional nil check
2022-09-22 15:59:53 -04:00
Tom Proctor 7d09d5a653
CLI: Tune plugin version for auth/secret mounts (#17277)
* Add -plugin-version flag to vault auth/secrets tune
* CLI tests for auth/secrets tune
* CLI test for plugin register
* Plugin catalog listing bug where plugins of different type with the same name could be double counted
* Use constant for -plugin-version flag name
2022-09-22 20:55:46 +01:00
Austin Gebauer a6139cd5b2
Fixes multiplexed plugin initialization after manual plugin reload (#17248)
* Fixes initialize not called after v5 plugin reload

* use request context instead of core activeContext
2022-09-22 10:16:21 -07:00
Yoan Blanc fa8f7c793f
fix: PGP subkeys support (#16224)
* fix: PGP subkeys support

Signed-off-by: Yoan Blanc <yoan@dosimple.ch>

* fix: bump ProtonMail/go-crypto

Signed-off-by: Yoan Blanc <yoan@dosimple.ch>

* fix: bump ProtonMail/go-crypto

Signed-off-by: Yoan Blanc <yoan@dosimple.ch>

Signed-off-by: Yoan Blanc <yoan@dosimple.ch>
2022-09-22 09:12:41 -04:00
Tom Proctor f920640db7
Plugins: Auto version selection for auth/secrets + tune version (#17167) 2022-09-22 13:53:52 +01:00
Christopher Swenson 895f2c9f3d
Change usages of RunningSha to RunningSha256 (#17266)
Some PRs got crossed and somehow these were missed in the
build checks for #17182.
2022-09-21 13:32:00 -07:00
Christopher Swenson 2c8e88ab67
Check if plugin version matches running version (#17182)
Check if plugin version matches running version

When registering a plugin, we check if the request version matches the
self-reported version from the plugin. If these do not match, we log a
warning.

This uncovered a few missing pieces for getting the database version
code fully working.

We added an environment variable that helps us unit test the running
version behavior as well, but only for approle, postgresql, and consul
plugins.

Return 400 on plugin not found or version mismatch

Populate the running SHA256 of plugins in the mount and auth tables (#17217)
2022-09-21 12:25:04 -07:00
Nick Cabatoff 559754d580
Break grabLockOrStop into two pieces to facilitate investigating deadlocks (#17187)
Break grabLockOrStop into two pieces to facilitate investigating deadlocks.  Without this change, the "grab" goroutine looks the same regardless of who was calling grabLockOrStop, so there's no way to identify one of the deadlock parties.
2022-09-20 11:03:16 -04:00
Nick Cabatoff d8101f82ee
Handle when pluginCatalog.Get returns (nil,nil) during cred backend creation (#17204) 2022-09-20 08:57:08 -04:00
Nick Cabatoff c7f4d79684
We don't need to test LifetimeWatcher's behaviour with database leases specifically. (#17208) 2022-09-20 08:23:51 -04:00
Tom Proctor f5655ae857
Plugins: Consistently use plugin_version (#17171)
* Delete Sha field, rename RunningSha -> RunningSha256
* Rename version -> plugin_version
2022-09-20 12:35:50 +01:00
Steven Clark dae2ef535b
Update protos to match update of protobuf go library (#17215) 2022-09-19 16:45:44 -04:00
Steven Clark 05a5928b8d
Update missing go-kms-wrapping v2 dep and address some ENT->OSS drift (#17178)
* Update missing go-kms-wrapping v2 dep and address some ENT->OSS drift

* Bump go-kms-wrapping/wrappers/gcpckms/v2 to v2.0.1
2022-09-19 10:23:40 -04:00
Mike Palmiotto 2bb11d2d4c
semgrep: Add replication-has-state and fix findings (#17179) 2022-09-19 08:15:27 -04:00
Nick Cabatoff b7c5dbd713
Reduce time taken to run the vault test package (#17157)
Factored out some plugin related tests into their own test package, and added a bunch of parallelism.  Moved some non-plugin tests that were in logical_system_integ_test into another file (keeping them in vault package) just for cohesion.
2022-09-16 09:53:16 -04:00
Christopher Swenson b136a7ecd8
Add plugin version to GRPC interface (#17088)
Add plugin version to GRPC interface

Added a version interface in the sdk/logical so that it can be shared between all plugin types, and then wired it up to RunningVersion in the mounts, auth list, and database systems.

I've tested that this works with auth, database, and secrets plugin types, with the following logic to populate RunningVersion:

If a plugin has a PluginVersion() method implemented, then that is used
If not, and the plugin is built into the Vault binary, then the go.mod version is used
Otherwise, the it will be the empty string.
My apologies for the length of this PR.

* Placeholder backend should be external

We use a placeholder backend (previously a framework.Backend) before a
GRPC plugin is lazy-loaded. This makes us later think the plugin is a
builtin plugin.

So we added a `placeholderBackend` type that overrides the
`IsExternal()` method so that later we know that the plugin is external,
and don't give it a default builtin version.
2022-09-15 16:37:59 -07:00
Josh Black 1e6401a8eb
make proto (#17120) 2022-09-13 16:06:11 -04:00
Josh Black 6d94dd991d
merkle sync undo logs (#17103) 2022-09-13 10:03:19 -07:00
georgethebeatle f9439a9c41
Make key completion work for both kv-v1 and kv-v2 (#16553)
Co-authored-by: Kieron Browne <kbrowne@vmware.com>
Co-authored-by: Georgi Sabev <georgethebeatle@gmail.com>
Co-authored-by: Danail Branekov <danailster@gmail.com>
2022-09-13 12:11:00 -04:00
Hamid Ghaf 77ec84cfb1
updating hcp link structs, and fix diagnose (#17097) 2022-09-12 11:10:01 -04:00
Max Coulombe 6b2f4e5354
+ added redis elasticache as a built-in plugin (#17075)
* added redis elasticache as a built-in plugin
2022-09-09 16:16:30 -04:00
Mike Palmiotto 9849af8663
Add deprecation status to plugin api and cli (#17077)
* api: Add deprecation status to plugin endpoints

* cli: Add -detailed flag to `plugin list`

* docs: Update plugin list/info docs
2022-09-09 16:03:07 -04:00
Hamid Ghaf 102f5f6832
node status as a module to be importable by HCP cloud (#17089) 2022-09-09 14:51:05 -04:00
Milena Zlaticanin 0977bd1ddc
Import Redis OSS database plugin into Vault (#17070)
* Import Redis OSS database plugin into Vault

* update the total number of db plugins

* small nit for testing

* adding changelog
2022-09-09 13:42:25 -05:00
Tom Proctor 65adf42d48
Support running versioned plugins from the catalog (#17015) 2022-09-09 18:14:26 +01:00
Tom Proctor aa50e42fca
Support version selection for database plugins (#16982)
* Support version selection for database plugins
* Don't consider unversioned plugins for version selection algorithm
* Added version to 'plugin not found' error
* Add PluginFactoryVersion function to avoid changing sdk/ API
2022-09-09 17:32:28 +01:00
Nick Cabatoff 3075c5bd65
Do not attempt to write a new TLS keyring at startup if raft is already setup (#17079) 2022-09-09 12:19:57 -04:00
Max Coulombe f9b5d1a563
Multiplexing opt out flag (#16972)
* added mplexing opt-out flag
2022-09-08 11:32:46 -04:00
Mike Palmiotto 403fdd77be
api: Add deprecation warnings to secrets/auth POST endpoints (#17058)
* api: Add deprecation warnings to endpoints
* Add changelog
2022-09-08 09:15:10 -04:00
Josh Black d8e0a13aae
update gofumpt to 0.3.1 and reformat the repo (#17055)
* update gofumpt to 0.3.1 and reformat the repo

* output the version of the formatter we're using
2022-09-07 17:31:20 -07:00
Nick Cabatoff 7842b861b3
Make some activity log tests less flaky (#17028)
* OSS parts of ent #3157.  Some activity log tests were flaky because background workers could race with them; now we overload DisableTimers to stop some of them from running, and add some channels we can use to wait for others to complete before we start testing.

* Add CL
2022-09-07 09:06:15 -04:00
Mike Palmiotto bf744e3bde
Handle deprecated builtins (#17005)
* core: Handle deprecated mounts on enable and unseal
* changelog: Deprecation Status handling
* core: Add Pending Removal override var
* core: Add some documentation for Pending Removal override
2022-09-06 15:49:35 -04:00
Nick Cabatoff 5db952eada
autopilot: assume nodes we haven't received heartbeats from are running the same version as we are (#17019)
OSS parts of ent PR #3172: assume nodes we haven't received heartbeats from are running the same version as we are.  Failing to provide a version/upgrade_version will result in Autopilot (on ent) demoting those unversioned nodes to non-voters until we receive a heartbeat from them.
2022-09-06 14:49:04 -04:00
Hamid Ghaf a034ebfd27
HCP link integration (#16939)
* HCP link integration

* update configure-git.yml

* more OSS stuff

* removing internal repos

* adding a nil check

* removing config test to be included in ENT only

* updating hcp-sdk-go to v0.22.0

* remove Hostname and AuthURL link config params

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
2022-09-06 14:11:04 -04:00
John-Michael Faircloth e6f5ffda4f
plugin: update debug logging (#16953) 2022-09-06 18:56:10 +02:00
Austin Gebauer 1ea50db6c6
identity/oidc: adds claims_supported to discovery document (#16992)
* identity/oidc: adds claims_supported to discovery document

* adds changelog
2022-09-02 09:19:25 -07:00
davidadeleon 24e346bf53
auth/token: Fix ignored parameter warnings for valid parameters on token create (#16938)
* Add fields to schema for relevant paths

* add changelog
2022-09-01 08:32:40 -04:00
Mike Palmiotto 2c16be25e3
Add deprecation status to auth/secrets list (#16849)
* auth: Add Deprecation Status to auth list -detailed
* secrets: Add Deprecation Status to secrets list -detailed
* Add changelog entry for deprecation status list
2022-08-31 16:11:14 -04:00
Christopher Swenson 09ad6ab72c
Update mount table and CLI with plugin version for auth (#16856) 2022-08-31 19:23:05 +01:00
Hridoy Roy 8e7fec59ef
Load SSCT Generation Counter Upon DR Promotion [OSS] (#16956)
* port ssct bugfix to load epoch from storage

* changelog

* update changelog to be user-facing

* change 2 to two
2022-08-31 11:05:21 -07:00
Max Bowsher ff23bbf1e4
Fix incorrect MaxNsIdLength (#16827)
Namespace IDs are 5 characters, not 4.
2022-08-31 08:56:45 -04:00
Alexander Scheel a5fafd8163
Add ability to perform automatic tidy operations (#16900)
* Add ability to perform automatic tidy operations

This enables the PKI secrets engine to allow tidy to be started
periodically by the engine itself, avoiding the need for interaction.
This operation is disabled by default (to avoid load on clusters which
don't need tidy to be run) but can be enabled.

In particular, a default tidy configuration is written (via
/config/auto-tidy) which mirrors the options passed to /tidy. Two
additional parameters, enabled and interval, are accepted, allowing
auto-tidy to be enabled or disabled and controlling the interval
(between successful tidy runs) to attempt auto-tidy.

Notably, a manual execution of tidy will delay additional auto-tidy
operations. Status is reported via the existing /tidy-status endpoint.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on auto-tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for auto-tidy

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prevent race during parallel testing

We modified the RollbackManager's execution window to allow more
faithful testing of the periodicFunc. However, the TestAutoRebuild and
the new TestAutoTidy would then race against each other for modifying
the period and creating their clusters (before resetting to the old
value).

This changeset adds a lock around this, preventing the races.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use tidyStatusLock to gate lastTidy time

This prevents a data race between the periodic func and the execution of
the running tidy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add read lock around tidyStatus gauges

When reading from tidyStatus for computing gauges, since the underlying
values aren't atomics, we really should be gating these with a read lock
around the status access.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-30 15:45:54 -04:00
Violet Hynes 001e060e54
VAULT-6433 do not return nil resp if ns is nil (#16937)
* VAULT-6433 do not return nil resp if ns is nil

* VAULT-6433 typo
2022-08-30 13:53:41 -04:00
John-Michael Faircloth b6c05fae33
feature: secrets/auth plugin multiplexing (#14946)
* enable registering backend muxed plugins in plugin catalog

* set the sysview on the pluginconfig to allow enabling secrets/auth plugins

* store backend instances in map

* store single implementations in the instances map

cleanup instance map and ensure we don't deadlock

* fix system backend unit tests

move GetMultiplexIDFromContext to pluginutil package

fix pluginutil test

fix dbplugin ut

* return error(s) if we can't get the plugin client

update comments

* refactor/move GetMultiplexIDFromContext test

* add changelog

* remove unnecessary field on pluginClient

* add unit tests to PluginCatalog for secrets/auth plugins

* fix comment

* return pluginClient from TestRunTestPlugin

* add multiplexed backend test

* honor metadatamode value in newbackend pluginconfig

* check that connection exists on cleanup

* add automtls to secrets/auth plugins

* don't remove apiclientmeta parsing

* use formatting directive for fmt.Errorf

* fix ut: remove tls provider func

* remove tlsproviderfunc from backend plugin tests

* use env var to prevent test plugin from running as a unit test

* WIP: remove lazy loading

* move non lazy loaded backend to new package

* use version wrapper for backend plugin factory

* remove backendVersionWrapper type

* implement getBackendPluginType for plugin catalog

* handle backend plugin v4 registration

* add plugin automtls env guard

* modify plugin factory to determine the backend to use

* remove old pluginsets from v5 and log pid in plugin catalog

* add reload mechanism via context

* readd v3 and v4 to pluginset

* call cleanup from reload if non-muxed

* move v5 backend code to new package

* use context reload for for ErrPluginShutdown case

* add wrapper on v5 backend

* fix run config UTs

* fix unit tests

- use v4/v5 mapping for plugin versions
- fix test build err
- add reload method on fakePluginClient
- add multiplexed cases for integration tests

* remove comment and update AutoMTLS field in test

* remove comment

* remove errwrap and unused context

* only support metadatamode false for v5 backend plugins

* update plugin catalog errors

* use const for env variables

* rename locks and remove unused

* remove unneeded nil check

* improvements based on staticcheck recommendations

* use const for single implementation string

* use const for context key

* use info default log level

* move pid to pluginClient struct

* remove v3 and v4 from multiplexed plugin set

* return from reload when non-multiplexed

* update automtls env string

* combine getBackend and getBrokeredClient

* update comments for plugin reload, Backend return val and log

* revert Backend return type

* allow non-muxed plugins to serve v5

* move v5 code to existing sdk plugin package

* do next export sdk fields now that we have removed extra plugin pkg

* set TLSProvider in ServeMultiplex for backwards compat

* use bool to flag multiplexing support on grpc backend server

* revert userpass main.go

* refactor plugin sdk

- update comments
- make use of multiplexing boolean and single implementation ID const

* update comment and use multierr

* attempt v4 if dispense fails on getPluginTypeForUnknown

* update comments on sdk plugin backend
2022-08-29 21:42:26 -05:00
Violet Hynes 8c9c1d2b2a
VAULT-6433: Add namespace path to MFA read/list endpoints (#16911)
* VAULT-6433 Add namespace_path to MFA endpoints

* VAULT-6433 add changelog

* VAULT-6433 Return error in case of error

* VAULT-6433 Make logic a bit more concise
2022-08-29 09:11:25 -04:00
Nick Cabatoff df61151034
Wait for standby to have a working grpc connection before we try to use it (#16905)
Also teach WaitForStandbyNode to do a better job waiting for standbys to be healthy.
2022-08-26 12:50:10 -04:00
Tom Proctor 4edf768f17
Version-aware plugin catalog (#16688)
Adds support for using semantic version information when registering
and managing plugins. New `detailed` field in the response data for listing
plugins and new `version` field in the response data for reading a
single plugin.
2022-08-25 21:31:42 +01:00
Mike Palmiotto 6a438fd087
Vault 7133/registry status (#16846)
* plugins: Add Deprecation Status to builtinRegistry

* changelog: Deprecation Status method
2022-08-23 16:34:30 -04:00
Jason O'Donnell 1200020fdc
identity/entity-alias: fix bug where alias metadata was shared if alias had same name (#16838) 2022-08-23 15:39:45 -04:00
Scott Miller 3bd38fd5dc
OSS portion of wrapper-v2 (#16811)
* OSS portion of wrapper-v2

* Prefetch barrier type to avoid encountering an error in the simple BarrierType() getter

* Rename the OveriddenType to WrapperType and use it for the barrier type prefetch

* Fix unit test
2022-08-23 15:37:16 -04:00
Alexander Scheel cacb23bda6
Enable periodic, automatic rebuilding of CRLs (#16762)
* Allow automatic rebuilding of CRLs

When enabled, periodic rebuilding of CRLs will improve PKI mounts in two
way:

 1. Reduced load during periods of high (new) revocations, as the CRL
    isn't rebuilt after each revocation but instead on a fixed schedule.
 2. Ensuring the CRL is never stale as long as the cluster remains up,
    by checking for next CRL expiry and regenerating CRLs before that
    happens. This may increase cluster load when operators have large
    CRLs that they'd prefer to let go stale, rather than regenerating
    fresh copies.

In particular, we set a grace period before expiration of CRLs where,
when the periodic function triggers (about once a minute), we check
upcoming CRL expirations and check if we need to rebuild the CRLs.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add documentation on periodic rebuilding

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow modification of rollback period for testing

When testing backends that use the periodic func, and specifically,
testing the behavior of that periodic func, waiting for the usual 1m
interval can lead to excessively long test execution. By switching to a
shorter period--strictly for testing--we can make these tests execute
faster.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add tests for auto-rebuilding of CRLs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove non-updating getConfig variant

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Avoid double reload of config

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-23 13:27:15 -04:00
Violet Hynes 0b3d7fdf10
VAULT-7698 Fix ignored parameter warnings for endpoint arbitrary data options (#16794)
* VAULT-7698 Fix warnings for endpoint arbitrary data options

* VAULT-7698 Add changelog
2022-08-23 08:51:23 -04:00
Hridoy Roy 7fb60a7617
oss port of vault-7225-bugfix (#16745) 2022-08-16 16:38:11 -07:00
Hridoy Roy 91ef527a1f
re-add namespace attribution to current month (#16473)
* re-add namespace attribution to current month

* delete cl

* parity with ent branch
2022-08-16 16:27:20 -07:00
Hridoy Roy 54444b9d2e
handle ssct errors in one other place (#16497) 2022-08-15 14:16:32 -07:00
Anton Averchenkov 6d45a421ff
Add a sentinel error for missing KV secrets (#16699) 2022-08-12 19:29:42 -04:00
John-Michael Faircloth bb58775bb5
secrets/auth: fix bug with aliased backends (#16673)
* secrets/auth: fix bug with aliased backends

* add changelog

* update changelog to include affected backends
2022-08-10 20:02:05 -05:00
John-Michael Faircloth dd4fb82b5d
unit test: remove postgres dependecy from testing.go (#16675) 2022-08-10 17:01:24 -05:00
Violet Hynes 4850a3ff0e
VAULT-6818 - Restrict ability to merge entities with mount-accessor-conflicting aliases unless one is explicitly chosen to be kept (#16539)
* VAULT-6818 delete unmerged entity aliases instead of orphaning them

* VAULT-6818 Prevent merge with clashing aliases, allow for resolution of clashing entity aliases

* VAULT-6818 Small updates

* VAULT-6818 Restrict to only one clash merge at once

* VAULT-6818 changelog

* VAULT-6818 use strutil package instead of slices

* VAULT-6818 Update variable names for clarity

* VAULT-6818 Update test

* VAULT-6818 update error message

* VAULT-6818 Use helper method

* VAULT-6818 validate entityIds

* VAULT-6818 group imports better

* VAULT-6818 use change instead of bug

* VAULT-6818 use multierror instead of custom struct

* VAULT-6818 Use multierror properly

* VAULT-6818 Small refactor based on feedback
2022-08-10 09:10:02 -04:00
Austin Gebauer ed143c5678
identity/oidc: reorder authorization endpoint validation for invalid redirect uris (#16601)
* identity/oidc: reorder authorization endpoint validation for invalid redirect uris

* adds changelog

* use provider.allowedClientID
2022-08-08 09:02:18 -07:00
Austin Gebauer 59831a8d5c
identity/oidc: adds client_secret_post token endpoint authentication method (#16598)
* identity/oidc: adds client_secret_post token endpoint authentication method

* fix test

* adds changelog
2022-08-08 08:41:09 -07:00
Austin Gebauer 67339b71e8
identity/oidc: fixes validation of the request and request_uri parameters (#16600)
* identity/oidc: add request_parameter_supported to discovery document

* adds changelog
2022-08-05 11:55:15 -07:00
Austin Gebauer a2bc8cfb96
identity/oidc: change the state parameter to optional (#16599)
* identity/oidc: change the state parameter to optional

* adds changelog

* update docs
2022-08-05 11:37:24 -07:00
Austin Gebauer e2d3846a25
identity/oidc: adds detailed listing capability for clients and providers (#16567)
* identity/oidc: adds detailed listing capability for clients and providers

* change approach to use ListResponseWithInfo

* adds changelog
2022-08-04 10:10:28 -07:00
Violet Hynes ac582c86cd
VAULT-7432 Fix flaky expiration behaviour (#16586) 2022-08-04 10:47:14 -04:00
Mike Palmiotto cd1157a905
Vault 7338/fix retry join (#16550)
* storage/raft: Fix cluster init with retry_join

Commit 8db66f4853abce3f432adcf1724b1f237b275415 introduced an error
wherein a join() would return nil (no error) with no information on its
channel if a joining node had been initialized. This was not handled
properly by the caller and resulted in a canceled `retry_join`.

Fix this by handling the `nil` channel respone by treating it as an
error and allowing the existing mechanics to work as intended.

* storage/raft: Improve retry_join go test

* storage/raft: Make VerifyRaftPeers pollable

* storage/raft: Add changelog entry for retry_join fix

* storage/raft: Add description to VerifyRaftPeers
2022-08-03 20:44:57 -05:00
Mike Palmiotto 42900b554b
storage/raft: Make raftInfo atomic (#16565)
* storage/raft: Make raftInfo atomic

This fixes some racy behavior discovered in parallel testing. Change the
core struct member to an atomic and update references throughout.
2022-08-03 18:40:49 -04:00
Eng Zer Jun 61262ad98e
refactor: replace strings.Replace with strings.ReplaceAll (#15392)
strings.ReplaceAll(s, old, new) is a wrapper function for
strings.Replace(s, old, new, -1). But strings.ReplaceAll is more
readable and removes the hardcoded -1.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-08-03 15:22:48 -04:00
swayne275 4632a26a09
Use %q for quoted strings where appropriate (#15216)
* change '%s' to %q where single vs double quotes shouldn't matter

* replace double quotes with %q in logs and errors
2022-08-03 12:32:45 -06:00
Violet Hynes 6f89461d76
VAULT-7065 move lease-quota updating to process restore (#16422)
* VAULT-7065 move lease-quota updating to process restore

* VAULT-7065 Avoid off-by-one issue that can happen during Restore

* VAULT-7065 Add comment to explain why we don't count creates in restore mode
2022-08-02 09:43:54 -04:00
John-Michael Faircloth 528373de6c
oidc provider: use identity store's storage view in test (#16520) 2022-08-01 09:37:23 -06:00
Austin Gebauer b3f138679c
identity/oidc: allow filtering the list providers response by an allowed_client_id (#16181)
* identity/oidc: allow filtering the list providers response by an allowed_client_id

* adds changelog

* adds api documentation

* use identity store view in list provider test
2022-07-28 09:47:53 -07:00
Chris Capurso 013e1d12b1
move custom metadata validation logic to its own package (#16464)
* move custom metadata validation logic to its own package

* add comments

* add custom metadata Validate unit tests
2022-07-28 10:40:38 -04:00
Nick Cabatoff 488858e919
Clone created entities that were inserted into memdb... (#16487)
* Clone created entities that were inserted into memdb to prevent possibility of data race.
2022-07-28 09:43:24 -04:00
Nick Cabatoff b9181077fd
Fix a panic at cleanup time in an expiration restore lease benchmark. (#16485) 2022-07-28 05:54:03 -07:00
Hridoy Roy 3429d7dfc5
Current Month Activity Estimate, Probabilistic Tests, And Bugfixes (#16447)
* bugfixes and probabilistic hll tests

* changelog

* changelog fix

* remove activity log test and keep in ent

* update cl
2022-07-26 13:00:27 -07:00
Anton Averchenkov 166c618589
Fix linter issues in policy.go & acl.go (#16366) 2022-07-22 14:13:14 -04:00
Violet Hynes 8163271ee2
VAULT-7046 Allow trailing globbing at the end of a path suffix quota (#16386)
* VAULT-7046 OSS changes for trailing glob quotas

* VAULT-7046 allow glob of 'a*' to match 'a'

* VAULT-7046 Add changelog

* VAULT-7046 fix minor typo
2022-07-21 15:31:23 -04:00
Pratyoy Mukhopadhyay 77ca499c6e
oss changes (#16407) 2022-07-21 10:53:42 -07:00
Austin Gebauer 7df39640e0
Update gopsutil to v3 to fix MacOS deprecation warnings (#16321)
* Update gopsutil to v3

* Adds v2 field names in host-info response to allow eventual deprecation in favor of v3 field names

* Map v3 to v2 field names to keep host-info api compat

* copy gopsutil license into source
2022-07-20 16:37:10 -07:00
Brian Kassouf d6bb62a0ab
Increase the allowed concurrent gRPC streams (#16327)
* Increase the allowed concurrent gRPC streams

* Add a env override for the max streams setting

* Add changelog

* go fmt

* fix builds on 32bit systems
2022-07-20 15:26:52 -04:00
John-Michael Faircloth a5349bd1ef
Revert "AutoMTLS for secrets/auth plugins (#15671)" (#16377)
This reverts commit 39bcd5c71529f5f4eb61aae68b17d06d192ea55f.
2022-07-20 10:36:23 -05:00
John-Michael Faircloth 7e170e7d87
AutoMTLS for secrets/auth plugins (#15671)
* use automtls for v5 secrets/auth plugins

* add automtls env guard

* start backend without metadata mode

* use PluginClientConfig for backend's NewPluginClient param

refactor

* - fix pluginutil test
- do not expect plugin to be unloaded in UT
- fix pluginutil tests --need new env var
- use require in UT
- fix lazy load test

* add changelog

* prioritize automtls; improve comments

* user multierror; refactor pluginSet for v4 unit test

* add test cases for v4 and v5 plugin versions

* remove unnecessary call to AutoMTLSSupported

* update comment on pluginSets

* use runconfig directly in sdk newpluginclient

* use automtls without metadatamode for v5 backend plugin registration

* use multierror for plugin runconfig calls

* remove some unnecessary code
2022-07-18 16:25:18 -05:00
Mike Palmiotto 439e35f50f
Vault 6773/raft rejoin nonvoter (#16324)
* raft: Ensure init before setting suffrage

As reported in https://hashicorp.atlassian.net/browse/VAULT-6773:

	The /sys/storage/raft/join endpoint is intended to be unauthenticated. We rely
	on the seal to manage trust.

	It’s possible to use multiple join requests to switch nodes from voter to
	non-voter. The screenshot shows a 3 node cluster where vault_2 is the leader,
	and vault_3 and vault_4 are followers with non-voters set to false.  sent two
	requests to the raft join endpoint to have vault_3 and vault_4 join the cluster
	with non_voters:true.

This commit fixes the issue by delaying the call to SetDesiredSuffrage until after
the initialization check, preventing unauthenticated mangling of voter status.

Tested locally using
https://github.com/hashicorp/vault-tools/blob/main/users/ncabatoff/cluster/raft.sh
and the reproducer outlined in VAULT-6773.

* raft: Return join err on failure

This is necessary to correctly distinguish errors returned from the Join
workflow. Previously, errors were being masked as timeouts.

* raft: Default autopilot parameters in teststorage

Change some defaults so we don't have to pass in parameters or set them
in the originating tests. These storage types are only used in two
places:

1) Raft HA testing
2) Seal migration testing

Both consumers have been tested and pass with this change.

* changelog: Unauthn voter status change bugfix
2022-07-18 14:37:12 -04:00
Hridoy Roy 573e01af1d
Throw SSCT Error In Some Cases (#16270)
* throw the ssct error if it signifies that the server needs to take an action

* use errors.Is instead of checking string comparison
2022-07-11 11:12:02 -07:00
Chris Capurso 068a413311
remove GetCoreConfigInternal from logger API tests (#16263) 2022-07-08 19:23:18 +02:00
Violet Hynes 0c80ee5cf5
VAULT-6614 Enable role based quotas for lease-count quotas (OSS) (#16157)
* VAULT-6613 add DetermineRoleFromLoginRequest function to Core

* Fix body handling

* Role resolution for rate limit quotas

* VAULT-6613 update precedence test

* Add changelog

* VAULT-6614 start of changes for roles in LCQs

* Expiration changes for leases

* Add role information to RequestAuth

* VAULT-6614 Test updates

* VAULT-6614 Add expiration test with roles

* VAULT-6614 fix comment

* VAULT-6614 Protobuf on OSS

* VAULT-6614 Add rlock to determine role code

* VAULT-6614 Try lock instead of rlock

* VAULT-6614 back to rlock while I think about this more

* VAULT-6614 Additional safety for nil dereference

* VAULT-6614 Use %q over %s

* VAULT-6614 Add overloading to plugin backends

* VAULT-6614 RLocks instead

* VAULT-6614 Fix return for backend factory
2022-07-05 13:02:00 -04:00
AnPucel 3215cdbd32
Dynamic parameter for mountpaths in OpenApi Spec generation(#15835)
"generic_mount_paths" query parameter for OpenApiSpec generation
2022-06-30 07:43:04 -07:00
Hridoy Roy 2f14d60a4b
Port: Use Stored Hll to Compute New Clients For Current Month (#16184)
* port hll storage changes

* changelog
2022-06-29 10:51:23 -07:00
Hamid Ghaf fa754c7fa5
Replicate member_entity_ids and policies in identity/group across nodes identically (#16088)
* Replicate values of group member_entity_ids and policies across nodes identically

* Adding CL

* fixing tests
2022-06-28 19:54:24 -04:00
Hridoy Roy 895e422c4c
move unused GetCoreConfigInternal to common file to prevent ent panics (#16165) 2022-06-27 14:41:56 -07:00
Hridoy Roy b3959534c2
activity log refactoring port (#16162)
* activity log refactoring port

* changelog
2022-06-27 13:33:45 -07:00
akshya96 42b13448f9
ActivityLog Implement HyperLogLog Store Functionality During Precomputation (#16146)
* adding hll for each month

* add changelog

* removing influxdb

* removing influxdb

* removing influxdb

* changing switch to if-else for semgrep
2022-06-27 09:38:32 -07:00
Chris Capurso 9501d44ed5
Add endpoints to provide ability to modify logging verbosity (#16111)
* add func to set level for specific logger

* add endpoints to modify log level

* initialize base logger with IndependentLevels

* test to ensure other loggers remain unchanged

* add DELETE loggers endpoints to revert back to config

* add API docs page

* add changelog entry

* remove extraneous line

* add log level field to Core struct

* add godoc for getLogLevel

* add some loggers to c.allLoggers
2022-06-27 11:39:53 -04:00
Violet Hynes 5d21fa1e8f
VAULT-6613 Missed a part of OSS for rate limit role quotas (#16132)
* VAULT-6613 add DetermineRoleFromLoginRequest function to Core

* Fix body handling

* Role resolution for rate limit quotas

* VAULT-6613 update precedence test

* Add changelog

* Handle body error

* VAULT-6613 Return early if error with json parsing

* VAULT-6613 add to teardown function
2022-06-24 09:45:53 -04:00
Violet Hynes d57fea2cd1
VAULT-6613 Add role support for rate limit quotas (OSS Changes) (#16115)
* VAULT-6613 add DetermineRoleFromLoginRequest function to Core

* Fix body handling

* Role resolution for rate limit quotas

* VAULT-6613 update precedence test

* Add changelog

* Handle body error

* VAULT-6613 Return early if error with json parsing
2022-06-24 08:58:02 -04:00
Josh Black 2ee2b6ed7c
Return a 403 for a bad SSCT instead of 500 (#16112) 2022-06-23 13:01:20 -07:00
Jason O'Donnell f957573108
Fix bug where id not existing in multiplexing map causes panic (#16094)
* multiplexing: guard against connection panic

* changelog

* Update vault/plugin_catalog.go

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-06-22 14:29:25 -04:00
Violet Hynes 56ed9ca8ae
Start of implementation of the plumbing for role resolution logic on auth mounts (#16049)
* VAULT-6612 Initial scaffolding for role determination

* VAULT-6612 Simplify code

* Fix fmt error that somehow happened

* VAULT-6612 Refactor resolve role response
2022-06-21 09:31:36 -04:00
Nick Cabatoff 27ea9a0e41
Set NumCores=1 since we only return a single client anyway. (#16039) 2022-06-17 11:28:25 -04:00
Violet Hynes 96371ed0a5
Small refactor of mount entry manipulation (#16024) 2022-06-17 08:52:43 -04:00
Violet Hynes abed5cf6e7
(OSS) Path Suffix Support for Rate Limit Quotas (#15989)
* Support for rate limit path suffix quotas

* Support for rate limit path suffix quotas

* Precedence test for support for rate limit path suffix quotas

* Update clone method

* Fix mount determination

* Add changelog

* use constant for mounts

* Fix read endpoint, and remount/disable mount

* update godocs for queryquota
2022-06-16 13:23:02 -04:00
akshya96 7e313e29fd
Activity Log Filtering Limit Parameter (#16000)
* adding changes from ent branch

* adding fmt changes

* adding changelog
2022-06-15 15:41:31 -07:00
swayne275 54262d2f4e
clarify lazy revoke prefix if not sync (#15967)
* clarify lazy revoke prefix if not sync

* comment improvement
2022-06-15 12:03:56 -06:00
Josh Black d2ed39a04e
Correct drift between ENT and OSS (#15966) 2022-06-14 17:53:19 -07:00
Chris Capurso 94c5936e27
return bad request instead of server error for identity group cycle detection (#15912)
* return bad request for identity group cycle detection

* add changelog entry

* use change release note instead of improvement

* fix err reference

* fix TestIdentityStore_GroupHierarchyCases
2022-06-10 10:15:31 -04:00
Hridoy Roy 934989809b
Limit SSCT WAL Check on Perf Standbys to Raft Backends Only (#15879)
* ensure that ssct wal check only occurs for non-raft storage on perf standbys

* changelog
2022-06-08 13:58:22 -07:00
VAL 98ed9c7ab9
Add PutMetadata and PatchMetadata KV helpers (#15755)
* Add PutMetadata and PatchMetadata KV helpers

* Refactor tests, stop needlessly converting zero values to nil

* Merge fix for delete-version-after zero value bug

* Cast nils to zero value on Put

* Use 2 different structs for put/patch metadata input, clarity fixes

* Use local constants and simplify stringification
2022-06-08 09:29:22 -07:00
Alexander Scheel b3ad79fb70
Fix listing_visibility value documentation (#15833)
* Match listing_visibility in system/auth with system/mounts

See also: #15209

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix path-help for listing_visibility

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-06-06 16:44:46 -04:00
Josh Black 9c48c62d6e
Use the incoming request version to populate follower state (#15806) 2022-06-06 08:44:24 -07:00
Violet Hynes d62b140b7c
VAULT-6371 Fix issue with lease quotas on read requests that generate leases (#15735)
* VAULT-6371 Fix issue with lease quotas on non-auth mounts

* VAULT-6371 Add changelog

* VAULT-6371 Amend changelog given new understanding
2022-06-03 15:45:21 -04:00