Allows vault roles to be associated with IAM groups in the AWS
secrets engine, since IAM groups are a recommended way to manage
IAM user policies. IAM users generated against a vault role will
be added to the IAM Groups. For a credential type of
`assumed_role` or `federation_token`, the policies sent to the
corresponding AWS call (sts:AssumeRole or sts:GetFederation) will
be the policies from each group in `iam_groups` combined with the
`policy_document` and `policy_arns` parameters.
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
* Refactor PG container creation.
* Rework rotation tests to use shorter sleeps.
* Refactor rotation tests.
* Add a static role rotation test for MongoDB Atlas.
* Don't use string formatting to prepare queries.
We should, when possible, use the built-in params and ? format when
preparing and executing a query. This is done to prevent SQL Injection
attacks.
* Revert some changes due to failing tests, update mssql go driver
* Add docker container startup for some MSSQL tests
* Remove acceptance test flagging, add more SQL injection protection
* Refactor MSSQL prepareTestContainer to a test helper
Also, remove all ? references and convert them to @p*
* helpful errors: print not only CN but also exactly what we are comparing
* helpful errors: return different errors for non-existent and unknown keys
* helpful errors: print error about encrypted key instead of "private key not found"
* add aliasmetadata sdk helper and add to aws auth
* split into ec2_metadata and iam_metadata fields
* fix tests
* strip pointer
* add test of default metadata
* more test <3
* switch from interface to custom marshallers
* add tests for marshalling
* store nil when selected fields are default
* separate loop into pieces
* separate acc test into multiple
* Update builtin/credential/aws/path_login.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* changes from feedback
* update aws test
* refactor to also populate auth metadata
* update how jsonification is tested
* only add populated metadata values
* add auth_type to ec2 logins
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
* fix: rotate root credentials for database plugins using WAL
* test: adds a test for WAL rollback logic
* fix: progress on wal rollback
* docs: updates some comments
* docs: updates some comments
* test: adds additional test coverage for WAL rollback
* chore: remove unneeded log
* style: error handling, imports, signature line wraps
* fix: always close db plugin connection
Makes "ldap operation failed" error messages a little more useful. Also
makes the errors unique so it's easier to debug where an error is coming
from when one occurs.
Revamp race test to make it aware of when tidies start/stop, and to generate dangling accessors that need cleaning up. Also run for longer but with slightly less concurrency to ensure the writes and the cleanup actually overlap.
* RSA3072 implementation in transit secrets engine
* moved new KeyType at the end of the list
So already stored keys still work properly
Co-authored-by: Jim Kalafut <jim@kalafut.net>
* adding support for TLS 1.3 for TCP listeners
* removed test as CI uses go 1.12
* removed Cassandra support, added deprecation notice
* re-added TestTCPListener_tls13
AWS client object caches are by region. Some AWS API calls don't care
what region's client they use, but the existing getAnyRegionForAwsPartition
scheme was returning a random region, which in turn triggered maintaining many
more client objects than are necessary (e.g. 18 regions in the main AWS
partition). This can be an issue for heavy STS users bumping up against
STS rate limits, since 18 sets of creds are being cached and renewed per
STS role.
Upgrade to new official Okta sdk lib. Since it requires an API token, use old unofficial okta lib for no-apitoken case.
Update test to use newer field names. Remove obsolete test invalidated by #4798. Properly handle case where an error was expected and didn't occur.
* Switch mongodb driver to mongo-driver
* Tidy mod
* Make writeConcern private
* Implement review feedback
* Add retry functionality
* Added backoff time
* go mod vendor
* Fix failing test
* goimport
* fix aws region tests
* strip logger
* return an error, restore tests to master
* fix extra line at import
* revert changes in spacing and comments
* Update sdk/helper/awsutil/region.go
Co-Authored-By: Jim Kalafut <jkalafut@hashicorp.com>
* strip explicit nil value
Co-authored-by: Jim Kalafut <jim@kalafut.net>
* Add aws metadata to identity alias
This allows for writing identity token templates that include these attributes
(And including these attributes in path templates)
* Add alias metadata asserstion to IAM login check
If a CSR contains a SAN of type otherName, encoded in UTF-8, and the signing role specifies use_csr_sans, the otherName SAN will be included in the signed cert's SAN extension.
Allow single star in allowed_other_sans to match any OtherName. Update documentation to clarify globbing behaviour.