Commit graph

172 commits

Author SHA1 Message Date
Hridoy Roy d8155aa7c4
SSCT Optimizations (OSS) (#14323)
* update ci.hcl to remove 1.6.x and add in 1.10.x

* SSCT OSS PR review comments and optimizations

* check errors in populate token entry calls
2022-03-01 12:24:45 -08:00
Pratyoy Mukhopadhyay c8cca2cab5
add missed test (#14168) 2022-02-18 14:01:43 -08:00
Pratyoy Mukhopadhyay 475b55b460
Vault 4632 auth remount oss (#14141)
* Update plugin-portal.mdx (#13229)

Add a Vault plugin to allow authentication via SSH certificates and public keys

* oss changes

Co-authored-by: Wim <wim@42.be>
2022-02-18 08:04:21 -08:00
Jordan Reimer b936db8332
Revert "MFA (#14049)" (#14135)
This reverts commit 5f17953b5980e6438215d5cb62c8575d16c63193.
2022-02-17 13:17:59 -07:00
Jordan Reimer 36ccfaa3aa
MFA (#14049)
* adds development workflow to mirage config

* adds mirage handler and factory for mfa workflow

* adds mfa handling to auth service and cluster adapter

* moves auth success logic from form to controller

* adds mfa form component

* shows delayed auth message for all methods

* adds new code delay to mfa form

* adds error views

* fixes merge conflict

* adds integration tests for mfa-form component

* fixes auth tests

* updates mfa response handling to align with backend

* updates mfa-form to handle multiple methods and constraints

* adds noDefault arg to Select component

* updates mirage mfa handler to align with backend and adds generator for various mfa scenarios

* adds tests

* flaky test fix attempt

* reverts test fix attempt

* adds changelog entry

* updates comments for todo items

* removes faker from mfa mirage factory and handler

* adds number to word helper

* fixes tests

* Revert "Merge branch 'main' into ui/mfa"

This reverts commit 8ee6a6aaa1b6c9ec16b985c10d91c3806819ec40, reversing
changes made to 2428dd6cca07bb41cda3f453619646ca3a88bfd0.

* format-ttl helper fix from main
2022-02-17 09:10:56 -07:00
Pratyoy Mukhopadhyay 0ceccaa51d
oss changes for cross ns remount (#14104) 2022-02-16 11:21:42 -08:00
Victor Rodriguez 0bb112520e
Seal wrap storage entries of the ManagedKeyRegistry. (#13905)
Seal wrap storage entries of the ManagedKeyRegistry.

Specify the managed key registry's path in SealWrapStorage in the SystemBackend.

Enable SealWrap in the system mount entry.
2022-02-04 16:06:32 -05:00
Rémi Lapeyre 978311fee2
Add read support to sys/auth/:path (#12793)
* Add read support to sys/auth/:path

Closes https://github.com/hashicorp/vault/issues/7411

* Add changelog entry
2022-01-25 11:56:40 -08:00
Rémi Lapeyre d6a4a3b53c
Add LIST support to sys/policies/password (#12787)
* Add read support to sys/policies/password

Closes https://github.com/hashicorp/vault/issues/12562

* Add changelog

* Empty commit to trigger CI

* Add optional /

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>

* Use a ListOperation

Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
2022-01-24 13:42:14 -08:00
Sung Hon Wu 194c9e32d3
Enhance sys/raw to read and write values that cannot be encoded in json (#13537) 2022-01-20 07:52:53 -05:00
Matt Schultz 85f5cfc356
Adds support for SHA-3 to transit (#13367)
* Adding support for SHA3 in the transit backend.

* Adds SHA-3 tests for transit sign/verify path. Adds SHA-3 tests for logical system tools path hash functionality. Updates documentation to include SHA-3 algorithms in system tools path hashing.

* Adds changelog entry.

Co-authored-by: robison jacka <robison@packetized.io>
2021-12-08 12:29:33 -06:00
Rémi Lapeyre ae0b5e41e0
Add read support to sys/mounts/:path (#12792)
* Add read support to sys/mounts/:path

Closes https://github.com/hashicorp/vault/issues/12349

* Add changelog entry

* Empty commit to trigger CI

* Empty commit to trigger CI
2021-11-08 10:32:01 -08:00
Austin Gebauer 0551f91068
Adds OIDC Token and UserInfo endpoints (#12711) 2021-10-13 18:59:36 -07:00
Austin Gebauer b58913ad9f
Adds OIDC Authorization Endpoint to OIDC providers (#12538) 2021-09-27 10:55:29 -07:00
swayne275 fd517e6114
remove trailing / on leases API endpoint (#11959) 2021-06-30 13:02:26 -06:00
swayne275 67bc4fdabd
Require special privileges to list irrevocable leases (#11888)
* add leases path to sudo required set

* update TestSystemBackend_RootPaths with new special privilege paths

* note that list-leases requires sudo

* minor typo fixes
2021-06-28 16:51:47 -06:00
swayne275 9724f59180
Vault 1979: Query API for Irrevocable Leases (#11607)
* build out lease count (not fully working), start lease list

* build out irrevocable lease list

* bookkeeping

* test irrevocable lease counts for API/CLI

* fix listIrrevocableLeases, test listIrrevocableLeases, cleanup

* test expiration API limit

* namespace tweaks, test force flag on lease list

* integration test leases/count API, plenty of fixes and improvements

* test lease list API, fixes and improvements

* test force flag for irrevocable lease list API

* i guess this wasn't saved on the last refactor...

* fixes and improvements found during my review

* better test error msg

* Update vault/logical_system_paths.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* Update vault/logical_system_paths.go

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>

* return warning with data if more than default leases to list without force flag

* make api doc more generalized

* list leases in general, not by mount point

* change force flag to include_large_results

* sort leases by LeaseID for consistent API response

* switch from bool flag for API limit to string value

* sort first by leaseID, then stable sort by expiration

* move some utils to be in oss and ent

* improve sort efficiency for API response

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
2021-06-02 10:11:30 -06:00
Scott Miller 4fc6e8b366
Fix barrier key autoration config edge cases (#11541)
* Add an Int64 type

* Use the new Int64 type so that even 32 bit builds can specify max_operations above 2^31

* Missed a spot

* go mod vendor

* fix cast

* changelog

* Update unit test to ensure this works on both 32 and 64-bit archs
2021-05-05 14:39:04 -05:00
Scott Miller fcb9bab51b
Fix rotate/config unit test for 32 bit yet again (#11491) 2021-04-30 10:31:11 -05:00
Nick Cabatoff 5a4151873c
Cast constant to int64 so it doesn't overflow. (#11466) 2021-04-26 10:04:39 -04:00
Brian Kassouf 303c2aee7c
Run a more strict formatter over the code (#11312)
* Update tooling

* Run gofumpt

* go mod vendor
2021-04-08 09:43:39 -07:00
Scott Miller b13b27f37e
OSS side barrier encryption tracking and automatic rotation (#11007)
* Automatic barrier key rotation, OSS portion

* Fix build issues

* Vendored version

* Add missing encs field, not sure where this got lost.
2021-02-25 14:27:25 -06:00
Matt Greenfield 2f369730e0
Validate to/from parameters when remounting a backend (#9890)
Vault uses http.ServeMux which issues an HTTP 301 redirect if the
request path contains a double slash (`//`). Additionally, vault
handles all paths to ensure that the path only contains printable
characters. Therefore use the same validation on the to/from parameters
for remounting.

Not doing this can result in a Vault mount that was originally mounted
at `pki/foo` to being remounted at `pki/foo//bar` resulting in mounts
that cannot be accessed.

Co-authored-by: Vishal Nayak <vishalnayak@users.noreply.github.com>
2020-10-29 14:06:07 -04:00
Nick Cabatoff 66274607b7
OSS changes for enterprise automated snapshots (#10160) 2020-10-16 14:57:11 -04:00
Scott Miller e92f8f5a81
Revert global plugin reload commits (#9344)
* Revert "Some of the OSS changes were clobbered when merging with quotas out of, master (#9343)"

This reverts commit 8719a9b7c4d6ca7afb2e0a85e7c570cc17081f41.

* Revert "OSS side of Global Plugin Reload (#9340)"

This reverts commit f98afb998ae50346849050e882b6be50807983ad.
2020-06-29 17:36:22 -05:00
Scott Miller a83fe0fc6d
OSS side of Global Plugin Reload (#9340)
* OSS side of Global Plugin Reload

* changelog++
2020-06-29 16:23:28 -05:00
Vishal Nayak c6876fe00f
Resource Quotas: Rate Limiting (#9330) 2020-06-26 17:13:16 -04:00
Michael Golowka f77bcc53c4
Move sdk/helper/random -> helper/random (#9226)
* This package is new for 1.5 so this is not a breaking change.
* This is being moved because this code was originally intended to be used
within plugins, however the design of password policies has changed such
that this is no longer needed. Thus, this code doesn't need to be in the
public SDK.
2020-06-17 14:24:38 -06:00
Michael Golowka a89f09802d
Integrate password policies into RabbitMQ secret engine (#9143)
* Add password policies to RabbitMQ & update docs
* Also updates some parts of the password policies to aid/fix testing
2020-06-11 16:08:20 -06:00
Michael Golowka b52950f884
Add user configurable password policies available to secret engines (#8637)
* Add random string generator with rules engine

This adds a random string generation library that validates random
strings against a set of rules. The library is designed for use as generating
passwords, but can be used to generate any random strings.
2020-05-27 12:28:00 -06:00
Vitaly Velikodny 3ae6568512
Add missed description field for GET /sys/auth/:path/tune endpoint (#8193)
* fix #7623: add missed description field for GET /sys/auth/:path/tune endpoint

* fix #7623: allow empty description

* fix #7623: update tests with description field
2020-02-15 10:32:47 -08:00
Jim Kalafut 59e526614d
Run go fmt (#7823) 2019-11-07 08:54:34 -08:00
Lexman c86fe212c0
oss changes for entropy augmentation feature (#7670)
* oss changes for entropy augmentation feature

* fix oss command/server/config tests

* update go.sum

* fix logical_system and http/ tests

* adds vendored files

* removes unused variable
2019-10-17 10:33:00 -07:00
Nicolas Corrarello 446b564a2c Add maximum amount of random entropy requested (#7144)
* Add maximum amount of random characters requested at any given time

* Readability changes

* Removing sys/tools/random from the default policy

* Setting the maxBytes value as const

* Declaring maxBytes in the package to use it everywhere

* Using maxBytes in the error message
2019-07-24 18:22:23 -07:00
Vishal Nayak 550f2a52bd
Storage packer V1 updates (#6531)
* spv1 updates

* fix tests
2019-05-07 15:29:51 -04:00
Brian Kassouf 04d0ddfdae
Add mount UUID to the secret and auth list API responses (#6633) 2019-04-24 12:27:43 -07:00
Jeff Mitchell 9ebc57581d
Switch to go modules (#6585)
* Switch to go modules

* Make fmt
2019-04-13 03:44:06 -04:00
Jeff Mitchell 8bcb533a1b
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Jeff Mitchell aa6fafced9 Fix hasMountPath for segment wildcard mounts; introduce priority order (#6532)
* Add prioritization when multiple segment/glob rules can match.

* Disallow ambiguous "+*" in policy paths.
2019-04-10 17:46:17 -04:00
Brian Kassouf ad3605e657
Revert "filtered-path endpoint (#6132)" (#6337)
This reverts commit dfdbb0bad975fab447f49766baaa5a6c956f8e3d.
2019-03-04 14:08:21 -08:00
ncabatoff 8814fe1ba5 filtered-path endpoint (#6132)
* First pass at filtered-path endpoint.  It seems to be working, but there are tests missing, and possibly some optimization to handle large key sets.

* Vendor go-cmp.

* Fix incomplete vendoring of go-cmp.

* Improve test coverage.  Fix bug whereby access to a subtree named X would expose existence of a the key named X at the same level.

* Add benchmarks, which showed that hasNonDenyCapability would be "expensive" to call for every member of a large folder.  Made a couple of minor tweaks so that now it can be done without allocations.

* Comment cleanup.

* Review requested changes: rename some funcs, use routeCommon instead of
querying storage directly.

* Keep the same endpoint for now, but move it from a LIST to a POST and allow multiple paths to be queried in one operation.

* Modify test to pass multiple paths in at once.

* Add endpoint to default policy.

* Move endpoint to /sys/access/filtered-path.
2019-03-04 11:04:29 -08:00
Brian Kassouf efe5671f36 make fmt 2019-02-20 12:12:21 -08:00
ncabatoff 4cf1e24a9e Fix TestSystemBackend_mount, TestSystemBackend_mounts. (#6247) 2019-02-15 11:14:45 -08:00
Calvin Leung Huang 35ecaa2b6b fix TestSystemBackend_InternalUIMounts 2019-02-15 10:46:38 -08:00
Jeff Mitchell 5fa9e48b21
Don't duplicate CORS headers (#6207)
Fixes #6182
2019-02-11 13:10:26 -05:00
Becca Petrin 7bd22e6779
Run all builtins as plugins (#5536) 2018-11-06 17:21:24 -08:00
Jim Kalafut 5806179144
Update sys path definitions for OpenAPI (#5687) 2018-11-06 10:09:06 -08:00
Jim Kalafut 8ac04495d3
Framework and API changes to support OpenAPI (#5546) 2018-11-05 12:24:39 -08:00
Vishal Nayak 332e32294a
Remove namespace.TestContext and namespace.TestNamespace (#5682) 2018-11-05 11:11:32 -05:00
Jeff Mitchell a64fc7d7cb
Batch tokens (#755) 2018-10-15 12:56:24 -04:00