Commit graph

15847 commits

Author SHA1 Message Date
swayne275 4632a26a09
Use %q for quoted strings where appropriate (#15216)
* change '%s' to %q where single vs double quotes shouldn't matter

* replace double quotes with %q in logs and errors
2022-08-03 12:32:45 -06:00
akshya96 fd1f581736
updating changelog for vault-951 (#16558) 2022-08-03 10:39:21 -07:00
Alexander Scheel 8acbf7f480
Add PSS support to PKI Secrets Engine (#16519)
* Add PSS signature support to Vault PKI engine

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Use issuer's RevocationSigAlg for CRL signing

We introduce a new parameter on issuers, revocation_signature_algorithm
to control the signature algorithm used during CRL signing. This is
because the SignatureAlgorithm value from the certificate itself is
incorrect for this purpose: a RSA root could sign an ECDSA intermediate
with say, SHA256WithRSA, but when the intermediate goes to sign a CRL,
it must use ECDSAWithSHA256 or equivalent instead of SHA256WithRSA. When
coupled with support for PSS-only keys, allowing the user to set the
signature algorithm value as desired seems like the best approach.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add use_pss, revocation_signature_algorithm docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add PSS to signature role issuance test matrix

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Allow roots to self-identify revocation alg

When using PSS support with a managed key, sometimes the underlying
device will not support PKCS#1v1.5 signatures. This results in CRL
building failing, unless we update the entry's signature algorithm
prior to building the CRL for the new root.

With a RSA-type key and use_pss=true, we use the signature bits value to
decide which hash function to use for PSS support.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add clearer error message on failed import

When CRL building fails during cert/key import, due to PSS failures,
give a better indication to the user that import succeeded its just CRL
building that failed. This tells them the parameter to adjust on the
issuer and warns that CRL building will fail until this is fixed.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add case insensitive SigAlgo matching

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Convert UsePSS back to regular bool

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor PSS->certTemplate into helper function

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Proper string output on rev_sig_alg display

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Copy root's SignatureAlgorithm for CRL building

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-03 12:42:24 -04:00
Kevin Wang d136ba385a
fix(docs): typos (#16555) 2022-08-03 08:58:27 -07:00
Steven Clark fc4c8d8c67
Address test flakiness in TestLogical_AuditPort (#16546)
- Based on group test fixing session from July 29, 2022
 - Leverage the RetryUntil to catch and re-attempt a kv store creation
   if the test receives an error about upgrading the KV store
 - Update the expected audit log entries accordingly along with the
   captured failures if any
 - Fix up a copy/paste error within the test error message if the
   remote_address field is not of the expected type.
2022-08-03 10:14:17 -04:00
Meggie 13ba59f82a
changelog++ 2022-08-03 09:53:26 -04:00
Mike Palmiotto c4140522a6
Docs/vault 7338 retry join known issue (#16540)
* storage/raft: Add known issue for retry_join

* storage/raft: Update known issues with issue reference

* docs: Add return between includes
2022-08-03 15:42:51 +02:00
Alexander Scheel cf7105929f
Allow old certs to be cross-signed (#16494)
* Allow old certs to be cross-signed

In Vault 1.11, we introduced cross-signing support, but the earlier SKID
field change in Vault 1.10 causes problems: notably, certs created on
older versions of Vault (<=1.9) or outside of Vault (with a different
SKID method) cannot be cross-signed and validated in OpenSSL.

In particular, OpenSSL appears to be unique in requiring a SKID/AKID
match for chain building. If AKID and SKID are present on an otherwise
valid client/parent cert pair and the values are different, OpenSSL will
not build a valid path over those two, whereas most other chain
validation implementations will.

Regardless, to have proper cross-signing support, we really aught to
support copying an SKID. This adds such support to the sign-intermediate
endpoint. Support for the /issue endpoint is not added, as cross-signing
leaf certs isn't generally useful and can accept random SKIDs.

Resolves: #16461

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback, fix tests

Also adds a known-answer test using LE R3 CA's SKID.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Address review feedback regarding separators

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-03 06:34:21 -07:00
Yoko Hyakuna dc0b4315f3
Move the IS Autopilot note from 1.11 upgrade guide (#16541)
* Move the IS Autopilot note from 1.11 upgrade guide

* Minor update to the verbiage

* Update website/content/docs/upgrading/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/upgrading/index.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Remove extra spaces

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-02 19:05:17 -07:00
Violet Hynes adb65bd0f2
VAULT-6615 Update docs for 1.12 quota changes (#16381)
* VAULT-6615 Update docs for 1.12 quota changes

* VAULT-6615 Add info about globbing

* VAULT-6615 some small updates for role param

* Update website/content/docs/enterprise/lease-count-quotas.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/api-docs/system/lease-count-quotas.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-08-02 15:37:56 -04:00
Loann Le ab27921d85
Vault documentation: updated install and ha files (#16498)
* revised content

* Update website/content/docs/install.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/high-availability.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/high-availability.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/high-availability.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/docs/internals/high-availability.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
2022-08-02 11:40:09 -07:00
Austin Gebauer 8e40390c44
secrets/gcp: adds changelog entry for bug fixes in release branches (#16534) 2022-08-02 10:52:23 -07:00
Christopher Swenson 1068a1b528
Update Go to 1.18 (#16522)
Update Go to 1.18

From 1.17.12

1.18.5 was just released, but not all packages have been updated, so I
went with 1.18.4

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2022-08-02 10:36:12 -07:00
Chris Capurso 0474352f65
add merkle.flushDirty.outstanding_pages metric to docs (#16530) 2022-08-02 12:58:25 -04:00
Steven Clark 101b4b4c1b
Update Go version changelog checker to indicate underscore is required (#16528)
- Bringing back mdlalow's work that was done in ENT to OSS updating our
   filename checks for Go version bumps in the changelog checker
2022-08-02 12:41:14 -04:00
Violet Hynes 6f89461d76
VAULT-7065 move lease-quota updating to process restore (#16422)
* VAULT-7065 move lease-quota updating to process restore

* VAULT-7065 Avoid off-by-one issue that can happen during Restore

* VAULT-7065 Add comment to explain why we don't count creates in restore mode
2022-08-02 09:43:54 -04:00
Alexander Scheel 4dbbd3e1f8
Make PKI tests run in parallel (#16514)
This decreases the total time to run the test suite significantly. From
the last PR, we were at 151s:

> [cipherboy@xps15 pki]$ go test -count=1 github.com/hashicorp/vault/builtin/logical/pki
> ok  	github.com/hashicorp/vault/builtin/logical/pki	151.182s

Now we're around 60s:

> [cipherboy@xps15 pki]$ go test -count=1 github.com/hashicorp/vault/builtin/logical/pki
> ok  	github.com/hashicorp/vault/builtin/logical/pki	61.838s

Notably, Go will correctly handle parallelizing tests across both
packages and within a package, so this shouldn't really impact test
runners (if they're already saturated).

The only gotcha in this approach is that the call to t.Run(...) becomes
effectively async; this means we either need to not mark the test as
parallel or shadow any loop variables inside the scope of the loop to
allow the t.Run to have the correct copy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-01 16:43:38 -04:00
Austin Gebauer 30c75699f2
auth/jwt: updates dependency and adds changelogs (#16525)
* auth/jwt: updates dependency and adds changelogs

* adds changelog entries
2022-08-01 12:46:34 -07:00
TheHussky 22b01bcd01
Fix last sample request (#16509)
Add a missing \
2022-08-01 14:09:12 -04:00
John-Michael Faircloth 528373de6c
oidc provider: use identity store's storage view in test (#16520) 2022-08-01 09:37:23 -06:00
Alexander Scheel 4987bcfcd6
Add KMIP CSPs + initial Seal Wrap list (#16515)
* Add note on KMIP EA usage

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add wrapped parameters section to Seal Wrap docs

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-08-01 10:32:47 -04:00
Angel Garbarino 8cb161bd5a
UI/glimmerize info table item array (#16495)
* wip

* fix

* fix test

* set new props

* fix tests

* clean up

* cleanup
2022-07-29 14:33:00 -06:00
mcollao-hc 03f7d98ed0
replace missing text 1.10.5 2022-07-29 15:21:25 -05:00
mcollao-hc 0de8ac58c2
update changelog for HCSEC-2022-15 2022-07-29 15:19:06 -05:00
Steven Clark 639fa64ce5
secret/ssh: Return errors for bad templates in roles as we did previously (#16505) 2022-07-29 15:18:22 +01:00
Chris Capurso 36e20779bc
VAULT-7256 - Add CustomMetadata to Namespace type (#16491)
* remove CustomMetadata type

* add custom metadata to namespace struct
2022-07-29 10:04:57 -04:00
Ian Ferguson dc603b4f7f
Allow identity templates in ssh backend default_user field (#16351)
* Allow identity templates in ssh backend `default_user` field

* use correct test expected value

* include api docs for `default_user_template` field
2022-07-29 09:45:52 -04:00
Theron Voran 4dc7b71a28
docs/vault-k8s: updated for v0.17.0 release (#16492) 2022-07-28 14:23:47 -07:00
Jason O'Donnell e3f942f51c
agent: add disable_keep_alives configurable (#16479)
agent: add disable_keep_alives config

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
2022-07-28 12:59:49 -07:00
linda9379 6be7c6610e
Lookup, wrap, rewrap and unwrap token rename with description (#16489)
* Changed wrapping token to wrapped token

* Added descriptions and changed rewrap and unwrap labels

* Added changelog

* Fixed changelog
2022-07-28 14:33:47 -04:00
Chris Capurso d814ab3825
ignore leading slash in kv get command (#16443)
* ignore leading slash in kv get command

* add changelog entry
2022-07-28 14:11:58 -04:00
Austin Gebauer b3f138679c
identity/oidc: allow filtering the list providers response by an allowed_client_id (#16181)
* identity/oidc: allow filtering the list providers response by an allowed_client_id

* adds changelog

* adds api documentation

* use identity store view in list provider test
2022-07-28 09:47:53 -07:00
Christopher Swenson b04d6e6720
Remove SHA1 for certs in prep for Go 1.18 (#16455)
Remove SHA1 for certs in prep for Go 1.18

* Remove certs with SHA1 from tests
* Use default SHA-256 with PKCS7 in AWS
* Update SHA1 deprecation note

Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
2022-07-28 09:14:33 -07:00
Chris Capurso 013e1d12b1
move custom metadata validation logic to its own package (#16464)
* move custom metadata validation logic to its own package

* add comments

* add custom metadata Validate unit tests
2022-07-28 10:40:38 -04:00
Nick Cabatoff 488858e919
Clone created entities that were inserted into memdb... (#16487)
* Clone created entities that were inserted into memdb to prevent possibility of data race.
2022-07-28 09:43:24 -04:00
Nick Cabatoff b9181077fd
Fix a panic at cleanup time in an expiration restore lease benchmark. (#16485) 2022-07-28 05:54:03 -07:00
Calvin Leung Huang 6c87ff92b4
changelog: Add entry for AD secrets engine bug fix (#16480) 2022-07-27 15:51:53 -07:00
claire bontempo 9ea4c8b037
UI/vault 7196/search select with modal (#16456)
* add validator

* generate search select with modal component

* finish tests

* remove store from test

* address comments, add tests
2022-07-27 14:18:22 -07:00
Chelsea Shaw e0961cd2c4
UI: fix jwt auth failure (#16466)
* only OIDC type gets token

* Add acceptance test for JWT login flow

* Add acceptance test for JWT login flow

* Add changelog

* maybe fix pki tests
2022-07-27 15:22:38 -05:00
Max Coulombe aa3e1c8a2f
Added a small utility method to display warnings when parsing command arguments. (#16441)
* Added a small utility method to display warnings when parsing command arguments

Will print warning if flag is passed after arguments e.g.
vault <command> -a b -c
In this example -c will be interpreted as an argument which may be misleading
2022-07-27 14:00:03 -04:00
Scott Miller 1b1c6fe168
Correct the Transit HMAC key source in docs (#16463)
* Correct the Transit HMAC key source in docs

* Update website/content/api-docs/secret/transit.mdx

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>

Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-07-27 11:48:41 -05:00
Kaevon 8c3acac173
Fixed grammar errors (#16459) 2022-07-27 07:30:55 -04:00
Theron Voran 66ef22b735
docs/k8s: adding terraform config examples (#16121)
Adding a terraform examples page for configuring vault-helm.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-07-26 20:43:26 -04:00
Hridoy Roy 3429d7dfc5
Current Month Activity Estimate, Probabilistic Tests, And Bugfixes (#16447)
* bugfixes and probabilistic hll tests

* changelog

* changelog fix

* remove activity log test and keep in ent

* update cl
2022-07-26 13:00:27 -07:00
Tom Proctor bd0461619c
Docs: Add list of supported k8s versions for agent injector (#16433) 2022-07-26 15:59:27 +01:00
akshya96 6e0c04d602
vault-951Documentation (#16434) 2022-07-25 16:53:03 -07:00
Yoko Hyakuna 7b43bf4c68
Add a note referring to automated upgrade (#16444)
* Add a note referring to automated upgrade

* Update website/content/docs/upgrading/upgrade-to-1.11.x.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/upgrading/upgrade-to-1.11.x.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/upgrading/upgrade-to-1.11.x.mdx

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
2022-07-25 15:03:55 -07:00
akshya96 6e5b4ec8c9
Validate parameters for vault operator init (#16379)
* adding code changes to check parameters for vault operator init

* fixing defaults in cli

* fixing comments

* remove unused consts

* adding validate parameters test

* add changelog

* adding changes to validation

* adding fmt changes

* fixing test

* add test for auto unseal
2022-07-25 12:45:04 -07:00
Steven Clark 96a355c53d
Leverage upstream docker image returntocorp/semgrep in CircleCI (#16440)
- Instead of installing semgrep through PyPI on every run, leverage
   the upstream docker image.
 - This should isolate us from dependency updates required to run newer
   versions of semgrep
2022-07-25 14:04:12 -04:00
tdsacilowski 887e77c2ae
Agent JWT auto auth remove_jwt_after_reading config option (#11969)
Add a new config option for Vault Agent's JWT auto auth
`remove_jwt_after_reading`, which defaults to true. Can stop
Agent from attempting to delete the file, which is useful in k8s
where the service account JWT is mounted as a read-only file
and so any attempt to delete it generates spammy error logs.

When leaving the JWT file in place, the read period for new
tokens is 1 minute instead of 500ms to reflect the assumption
that there will always be a file there, so finding a file does not
provide any signal that it needs to be re-read. Kubernetes
has a minimum TTL of 10 minutes for tokens, so a period of
1 minute gives Agent plenty of time to detect new tokens,
without leaving it too unresponsive. We may want to add a
config option to override these default periods in the future.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2022-07-25 07:42:09 -06:00