* Fetch CRLs from a user defined CDP (PoC)
* Handle no param sent
* Move CRL fetch to a periodFunc. Use configured CA certs + system root as trusted certs for CRL fetch
* comments
* changelog
* Just use root trust
* cdp->url in api
* Store CRL and populate it initially in cdlWrite
* Update docs
* Update builtin/credential/cert/path_crls.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Handle pre-verification of a CRL url better
* just in case
* Fix crl write locking
* Add a CRL fetch unit test
* Remove unnecessary validity clear
* Better func name
* Don't exit early updating CRLs
* lock in updateCRLs
* gofumpt
* err-
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Add plugin version to GRPC interface
Added a version interface in the sdk/logical so that it can be shared between all plugin types, and then wired it up to RunningVersion in the mounts, auth list, and database systems.
I've tested that this works with auth, database, and secrets plugin types, with the following logic to populate RunningVersion:
If a plugin has a PluginVersion() method implemented, then that is used
If not, and the plugin is built into the Vault binary, then the go.mod version is used
Otherwise, the it will be the empty string.
My apologies for the length of this PR.
* Placeholder backend should be external
We use a placeholder backend (previously a framework.Backend) before a
GRPC plugin is lazy-loaded. This makes us later think the plugin is a
builtin plugin.
So we added a `placeholderBackend` type that overrides the
`IsExternal()` method so that later we know that the plugin is external,
and don't give it a default builtin version.
* update modal copy to clarify when a user is unable to delete a specific version
* add tests
* cleanup tests, move console commands into helper function
* cleanup hbs
* add changelog
* OIDC Config Routing (#16028)
* adds oidc config routes
* renames oidc applications route to clients
* UI/vault 6646/landing page (#16069)
* add to sidebar
* add landing image and text
* add permissions
* add permissions to permissions service
* remove comment
* fix.
* UI/OIDC models (#16091)
* add models and fix routing
* add ClientsCreate route
* remove form functions from client model
* update comment
* address comments, cleanup models
* add comment
* OIDC Adapters and Serializers (#16120)
* adds named-path base adapter
* adds oidc adapters with tests
* adds oidc serializers
* fixes issue with supported_scopes relationship in oidc provider model
* make radio card size flex (#16125)
* OIDC config details routes (#16126)
* adds details routes for oidc config resources
* adds details templates for oidc config resources
* OIDC parent route and index redirection (#16139)
* adds parent oidc route with header and adds redirection if clients have been created
* updates learn link
* adds findRecord override to named-path adapter (#16145)
* OIDC Scope Create/Edit View (#16174)
* adds oidc scope-form to create and edit views
* moves oidc header set logic from route to controller
* OIDC Scope Details View (#16191)
* adds oidc scope details view
* removes disabled arg from scope delete confirm action
* updates oidc scope template params link to use DocLink and adds success message on scope create success
* updates oidc scope delete confirm action copy
* adds oidc scopes list (#16196)
* UI/vault 6655/OIDC create view (#16331)
* setup header
* wip
* wip
* wip
* validations
* error validations
* cleanup
* wip
* fix error
* clean up
* handle modelValidations
* add documentation on the decorator
* remove spread attrs
* first test and some fixes
* halfway with test
* fix error where the data object was sending param entiyIds and not entity_ids
* validations or situation
* fix test
* small nit:
* test if this fixes the test
* fix
* cleanup
* nit
* Assignments Update/Edit View (#16412)
* wip
* fix
* render search-select after promise is fulfilled
* add test coverage
Co-authored-by: clairebontempo@gmail.com <cbontempo@hashicorp.com>
* Added list view for keys (#16454)
* Added list view for providers (#16442)
* Added list view for providers
* Removed check for model data length
* Added new line at end of file
* Fixed linting issues causing ui tests to fail
* Added list view for application (#16469)
* UI/remove has many relationship (#16470)
* remove hasMany from models
* remove relationships from assignments create form
* update tests
* Assignment list view (#16340)
* inital setup
* handle default allow all
* add learn more link
* Fixed the default allow_all for assignment list view to match Figma design
* Fixed linting
* Fixed hbs file syntax
Co-authored-by: linda9379 <linda.jiang@hashicorp.com>
* configure mirage and helper (#16482)
* UI/OIDC client form (#16131)
* WIP client form
* wip
* still WIP
* fix form!;
* remove computeds, cache form attrs instead
* update scope form component name
* add white space validation
* add validations, cleanup
* add edit form
* fix link to in edit form
* disable edit form
* fix linkto
* wip/ search select filter
* WIP/search-select bug
* fix assignment save
* delete old modal js file
* glimmerize/create new search select modal component
* component cleanup
* fix bugginess
* fix search select and radio select action
* add tests
* revert some test changes
* oops, removed test tag
* add key list to response
* fix test
* move search select component to separate PR, revert changes
* one more revert
* remove oidc helper from this pr
* remove hasMany relationship
* minor cleanup
* update assignment form to use fallback
* fix allow_all appearing in dropdown on edit (#16508)
* UI/ OIDC Application (client) details view (#16507)
* fix test
* finish details page
* finish details view
* clean u[
* fix typo
* configure oidc mirage handler for tests
* remove params, add new route instead
* fix headers
* remove console.log
* remove controller/template reliance on tracked variable
* rename variable
* UI/Client route acceptance tests - fixed branch (#16654)
* WIP client route tests
* refactor client form so clientType is not edit-able
* fix ttl in client form
* wip// more acceptance tests and tags for hbs files
* fix typo
* fix syntax error
* finish tests
* fix client form test
* resolve commits
* update form test
* OIDC Assignments Details view. (#16511)
* setup
* cleanup
* view all fix
* wip setting up tabs
* wip
* revert to no queryParam or tabs
* add the read more component and styling
* rename folder
* cleanup
* fix
* UI/OIDC providers create/edit route (#16612)
* update to use DocLink component
* provider create form
* cleaup
* add formt est
* revert label text
* update doclink test
* disallow new scopes from ss
* fix test typo
* fix provider form flash message
* add period
* test new form field attr
* refactor form input
* fix edit portion of issuer field
* add test selector to new input field
* add comment
* Cleanup OIDC Config Mirage handler (#16674)
* cleaup mirage
* change to .then
* pull out into config file
* Scope acceptance tests (#16707)
* Started writing acceptance tests
* Added some more acceptance tests
* Added tags for hbs and more tests
* Modified variable names in scope form test
* Fixed tests and linting
* UI/OIDC Provider read view (#16632)
* add providers/provider/client route
* provider details view
* add disabled button and tooltip for default
* add toolbar separators
* revert unrelated change
* query all client records and filter by allowed client id"
* refactor adapter to filter for clientId
* cleanup adapter method
* update test
* refactor test
* fix tests to accommodate for serializer change
* update empty state message
* fix linting
* metadata for client list view (#16725)
* Added metadata for list view in clients
* Fixed linting
* Fixed failing ui test
* fix scopes and clients tests (#16768)
* Initial fix of tests
* Fixed failing scopes and clients acceptance tests
* Fixed linting
* UI: Key create/edit form (#16729)
* add route models
* add forms
* add test
* remove helperText attr
* metadata for provider list view (#16738)
* Added meta-data for provider list view
* Added comment for serializer
* Fixed import path for scopes and clients acceptance test files
* UI/Add client ids to search select (#16744)
* WIP use clientID instead of name
* add client ids to search select
* remove provider form component changes
* fix search select on edit
* cleanup comments and method
* fix adapter query method
* clean up comments
* add test
* remove destructuring so linting passes
* fix tests
* add accidentally deleted param
* add clarifying comments
* cleanup
* change how shouldRenderName is set
* cleanup tests
* address comments
* OIDC Assignment Acceptance tests (#16741)
* test and fixes
* merge stuff
* fix
* fixes
* add waituntil
* inconsistent nav issue
* fixes
* blah
* UI/Key details view (#16776)
* add details view
* reformat model file
* todo for when listing applications
* add comment
* update key form with refactored search select
* add applications list
* update test
* update test
* add names to flash messages
* add rollbackAttributes to delete catch (#16796)
* UI: Checks if records exists before creating record when URL contains :name (#16823)
* check for record existing in createRecord
* use error banner instead of flash messages for forms
* add inline form message for validations
* add error count message to inlinealert
* add test for adapter
* add tests
* remove unused vars
* UI: Disable limiting clients when creating key, filter clients when editing (#16926)
* add tooltip to disabled radio button
* pass query object to search select
* update copy
* add comment
* cleanup console log and comment
* fix tests
* revert change because addressed in other pr
* fix diff
* fix test
* UI: Add redirect when last client is deleted (#16927)
* afterModel redirect if no models exist
* fix test
* change space
* fix incorrect text
* UI: Add InfoTooltip to selected 'ghost' client_ids (#16942)
* return option if undefined
* add info tooltip to search select
* change word
* add test
* UI: OIDC config keys acceptance tests (#16968)
* add keys test
* update other oidc tests
* remove-search select comment
* UI: Filter Client providers list view (#17027)
* pass param to adapter
* add test
* UI: OIDC Config Acceptance Tests (#17050)
* WIP/provider acceptance tests"
* WIP/this commit breaks lots of things
* fix tests
* update test selectors
* combine key and client tests
* cleanup clients and keys test
* finish tests
* small tidying
* UI: Remove trailing comma from scopes, provider details page (#17069)
* use info table row to cleanup scope logic
* infotableitemarray cleanup
* tidying
* add changelog
* teeny little empty state
* fix wildcard string helper not working
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>
Co-authored-by: Angel Garbarino <argarbarino@gmail.com>
Co-authored-by: linda9379 <57650314+linda9379@users.noreply.github.com>
Co-authored-by: linda9379 <linda.jiang@hashicorp.com>
* adds LinkStatus component to NavHeader to display banner with HCP link status
* adds changelog entry
* adds period to connected status message
* updates hcp link status to current cluster polling to automatically update state
* OSS parts of ent #3157. Some activity log tests were flaky because background workers could race with them; now we overload DisableTimers to stop some of them from running, and add some channels we can use to wait for others to complete before we start testing.
* Add CL
* core: Handle deprecated mounts on enable and unseal
* changelog: Deprecation Status handling
* core: Add Pending Removal override var
* core: Add some documentation for Pending Removal override
OSS parts of ent PR #3172: assume nodes we haven't received heartbeats from are running the same version as we are. Failing to provide a version/upgrade_version will result in Autopilot (on ent) demoting those unversioned nodes to non-voters until we receive a heartbeat from them.
* Get import correct
* limits, docs
* changelog
* unit tests
* And fix import for hmac unit test
* typo
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
* Update builtin/logical/transit/path_keys.go
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
* Validate key sizes a bit more carefully
* Update sdk/helper/keysutil/policy.go
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
* Add fields 'ttl' and 'num_uses' to SecretID generation.
Add fields 'ttl' and 'num_uses' when generating/obtaining a SecretID.
Rather than just being able to use the Role's SecretID ttl and num uses. #14390
* Add secret_id_num_uses response field to generating SecretID
Add the response field secret_id_num_uses to the endpoints for generating
SecretIDs. Used in testing but also to supply the vendor with this variable.
* Add tests for new ttl and num_uses SecretID generation fields
Add tests to assert the new TTL and NumUses option in the SecretID entry.
Separate test for testing with just parameters vs a -force example.
* Patch up test for ttl and num_uses fields
* Add changelog entry for auth/approle 'ttl' and 'num_uses' fields
* Add fields to API Docs and AppRole Auth Docs example
* Correct error message for failing test on missing field.
Change the error message produced when a test fails due to a missing field.
Previous values did not map to correct fields.
* Remove unnecessary int cast to int "secret_id_num_uses" field.
Unnecessary cast to int where type already is int.
* Move numUses field check to after assignment.
* Remove metadata entry in sample payload to limit change to changes made.
Remove metadata entry in sample payload for custom-secret-id. The metadata was not
changed in the features pull request.
* Bind fields 'ttl' and 'num_uses' to role's configuration.
Rather than implicitly overriding, error when the ttl is lower than and the num
uses higher than the role's configuration. #14390
* Update changelog 14474 with a more detailed description.
More elaborate description for the changelog. Specifying the per-request based fields.
* Elaborate more on the bounds of the 'ttl' and 'num_uses' field.
Specify in both the api-docs and the CLI the limits of the fields.
Specify that the role's configuration is still the leading factor.
* Upper bound ttl with role secret id ttl
Upper bound ttl with role secret id ttl when creating a secret id
Adding test cases for infinite ttl and num uses
Adding test cases for negative ttl and num uses
Validation on infinite ttl and num uses
* Formatting issues. Removed unnecessary newline
* Update documentation for AppRole Secret ID and Role
Changed that TTL is not allowed to be shorter to longer
* Cleanup approle secret ID test and impl
* Define ttl and num_uses in every test
Define ttl and num_uses in every test despite them not being tested.
This is to ensure that no unexpected behaviour comes to mind.
* Rename test RoleSecretID -> RoleSecretIDWithoutFields
* Test secret id generation defaults to Role's config
Test secret id generation defaults to Role's configuration entries.
* Change finit -> finite
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
* Rephrase comments to the correct validation check
* Rephrase role-secret-id option description
* Remove "default" incorrect statement about ttl
* Remove "default" incorrect statement about ttl for custom secret id
* Touch up approle.mdx to align more with path_role documentation
Co-authored-by: Remco Buddelmeijer <r.buddelmeijer@fullstaq.com>
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
* removes on click modifier from LinkTo elements
* adds changelog
* reverts button changes and closes dropdown in next tick of runloop
* removes comment
* auth: Add Deprecation Status to auth list -detailed
* secrets: Add Deprecation Status to secrets list -detailed
* Add changelog entry for deprecation status list
* Allow tidy operations to be cancelled
When tidy operations take a long time to execute (and especially when
executing them automatically), having the ability to cancel them becomes
useful to reduce strain on Vault clusters (and let them be rescheduled
at a later time).
To this end, we add the /tidy-cancel write endpoint.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing auto-tidy synopsis / description
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add a pause duration between tidying certificates
By setting pause_duration, operators can have a little control over the
resource utilization of a tidy operation. While the list of certificates
remain in memory throughout the entire operation, a pause is added
between processing certificates and the revocation lock is released.
This allows other operations to occur during this gap and potentially
allows the tidy operation to consume less resources per unit of time
(due to the sleep -- though obviously consumes the same resources over
the time of the operation).
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for cancellation, pause
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add API docs on pause_duration, /tidy-cancel
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add lock releasing around tidy pause
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Reset cancel guard, return errors
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* accommodate salt lengths for RSA PSS
* address feedback
* generalise salt length to an int
* fix error reporting
* Revert "fix error reporting"
This reverts commit 8adfc15fe3303b8fdf9f094ea246945ab1364077.
* fix a faulty check
* check for min/max salt lengths
* stringly-typed HTTP param
* unit tests for sign/verify HTTP requests
also, add marshaling for both SDK and HTTP requests
* randomly sample valid salt length
* add changelog
* add documentation
* VAULT-7707 Add docs around making mass amounts of lease count quotas via automation
* VAULT-7707 Changelog
* VAULT-7707 add word
* VAULT-7707 Update some small wordings
* VAULT-7707 use a real em dash
* Add remove_roots_from_chain flag to sign and issue pki apis
- Add a new flag to allow end-users to control if we return the
root/self-signed CA certificate within the list of certificates in
ca_chain field on issue and sign api calls.
* Add cl
* PR feedback
* Add ability to perform automatic tidy operations
This enables the PKI secrets engine to allow tidy to be started
periodically by the engine itself, avoiding the need for interaction.
This operation is disabled by default (to avoid load on clusters which
don't need tidy to be run) but can be enabled.
In particular, a default tidy configuration is written (via
/config/auto-tidy) which mirrors the options passed to /tidy. Two
additional parameters, enabled and interval, are accepted, allowing
auto-tidy to be enabled or disabled and controlling the interval
(between successful tidy runs) to attempt auto-tidy.
Notably, a manual execution of tidy will delay additional auto-tidy
operations. Status is reported via the existing /tidy-status endpoint.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on auto-tidy
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for auto-tidy
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Prevent race during parallel testing
We modified the RollbackManager's execution window to allow more
faithful testing of the periodicFunc. However, the TestAutoRebuild and
the new TestAutoTidy would then race against each other for modifying
the period and creating their clusters (before resetting to the old
value).
This changeset adds a lock around this, preventing the races.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use tidyStatusLock to gate lastTidy time
This prevents a data race between the periodic func and the execution of
the running tidy.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add read lock around tidyStatus gauges
When reading from tidyStatus for computing gauges, since the underlying
values aren't atomics, we really should be gating these with a read lock
around the status access.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* enable registering backend muxed plugins in plugin catalog
* set the sysview on the pluginconfig to allow enabling secrets/auth plugins
* store backend instances in map
* store single implementations in the instances map
cleanup instance map and ensure we don't deadlock
* fix system backend unit tests
move GetMultiplexIDFromContext to pluginutil package
fix pluginutil test
fix dbplugin ut
* return error(s) if we can't get the plugin client
update comments
* refactor/move GetMultiplexIDFromContext test
* add changelog
* remove unnecessary field on pluginClient
* add unit tests to PluginCatalog for secrets/auth plugins
* fix comment
* return pluginClient from TestRunTestPlugin
* add multiplexed backend test
* honor metadatamode value in newbackend pluginconfig
* check that connection exists on cleanup
* add automtls to secrets/auth plugins
* don't remove apiclientmeta parsing
* use formatting directive for fmt.Errorf
* fix ut: remove tls provider func
* remove tlsproviderfunc from backend plugin tests
* use env var to prevent test plugin from running as a unit test
* WIP: remove lazy loading
* move non lazy loaded backend to new package
* use version wrapper for backend plugin factory
* remove backendVersionWrapper type
* implement getBackendPluginType for plugin catalog
* handle backend plugin v4 registration
* add plugin automtls env guard
* modify plugin factory to determine the backend to use
* remove old pluginsets from v5 and log pid in plugin catalog
* add reload mechanism via context
* readd v3 and v4 to pluginset
* call cleanup from reload if non-muxed
* move v5 backend code to new package
* use context reload for for ErrPluginShutdown case
* add wrapper on v5 backend
* fix run config UTs
* fix unit tests
- use v4/v5 mapping for plugin versions
- fix test build err
- add reload method on fakePluginClient
- add multiplexed cases for integration tests
* remove comment and update AutoMTLS field in test
* remove comment
* remove errwrap and unused context
* only support metadatamode false for v5 backend plugins
* update plugin catalog errors
* use const for env variables
* rename locks and remove unused
* remove unneeded nil check
* improvements based on staticcheck recommendations
* use const for single implementation string
* use const for context key
* use info default log level
* move pid to pluginClient struct
* remove v3 and v4 from multiplexed plugin set
* return from reload when non-multiplexed
* update automtls env string
* combine getBackend and getBrokeredClient
* update comments for plugin reload, Backend return val and log
* revert Backend return type
* allow non-muxed plugins to serve v5
* move v5 code to existing sdk plugin package
* do next export sdk fields now that we have removed extra plugin pkg
* set TLSProvider in ServeMultiplex for backwards compat
* use bool to flag multiplexing support on grpc backend server
* revert userpass main.go
* refactor plugin sdk
- update comments
- make use of multiplexing boolean and single implementation ID const
* update comment and use multierr
* attempt v4 if dispense fails on getPluginTypeForUnknown
* update comments on sdk plugin backend