This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs. This is a
potentially useful stepping stone for a SHA3 transition down the line.
Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
* Fix pkcs7 parsing in some cases
brings in https://github.com/mozilla-services/pkcs7/pull/61 from upstream
In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```
This fixes logins on those instances. Note we could not readily ascertain why
some instances have those certificates and others don't.
* Add changelog entry
* Correct missed line
* pre-publish new signing keys for `rotation_period` of time before using
* Work In Progress: Prepublish JWKS and even cache control
* remove comments
* use math/rand instead of math/big
* update tests
* remove debug comment
* refactor cache control logic into func
* don't set expiry when create/update key
* update cachecontrol name in oidccache for test
* fix bug in periodicfunc test case
* add changelog
* remove confusing comment
* add logging and comments
* update change log from bug to improvement
Co-authored-by: Ian Ferguson <ian.ferguson@datadoghq.com>
While EKS may be the managed kubernetes environment under the hood, I believe the idea behind this section of the documentation is to use AWS KMS for seal/unseal operations, not EKS. (i.e. The surrounding documentation is discussing other Auto Unseal options such as Google KMS.)
The use of the term EKS instead of KMS made it hard for me to discover this section of documentation, and was a little confusing at first until I realized the possible error.
* identity: handle creation of role without a key parameter
* update docs to not require key parameter for creation of a role
* add changelog
* require key param when creating a role
* lock create/update role; remove now redundant key check
* update changelog and UTs
* update change log to refelct actual implementation
* remove deprecated test case
* creates bar chart component
* WIP//starts styling
* fixes width of bars
* WIP//barchart
* uses d3 max method instead of Math.max
* stacks data
* adds y axis
* fixes styling and spacing
* adds spacing between bars
* styling DONE
* adds legend
* adds tooltip
* tweaks styling adds pointer cursor to rects
* fixes tooltip placement
* moves starget from bar to whole area
* finishes hover selection styling
* cleans up
* cleans up a tiny bit
* stopping point
* adjusts tooltip placemnt
* WIP//clean up time
* sort of not broken
* unbroken, ish
* tooltip position fixed
* truncates text and adds tooltip
* changes tooltip width depending on content
* unbroken
* finishes initial refactor/cleanup
* finishes documentation
* passes in map legend to component
* more tidying
* add export option
* adds grid to header for export button option
* updates comments
* fix variable name change
* moves dataset formatting to parent
* removes unused code"
* adds assertions and empty state if no data
* cleans up comments adds assertion to check for map legend
* adds storybook
* adds changelog
* deletes dummy parent:
* restores index.hbs
* uses scss variables instead
* exchanges more variables
* remove unused variable in storybook
* writes basic test
* removes pauseTest()
* Auto-join support for IPv6 discovery
The go-discover library returns IP addresses and not URLs. It just so
happens net.URL parses "127.0.0.1", which isn't a valid URL.
Instead, we construct the URL ourselves. Being careful to check if it's
an ipv6 address and making sure it's in explicit form if so.
Fixes#12323
* feedback: addrs & ipv6 test
Rename addrs to clusterIPs to improve clarity and intent
Tighten up our IPv6 address detection to be more correct and to ensure
it's actually in implicit form
* OIDC Provider: implement discovery endpoint
* handle case when provider does not exist
* refactor providerDiscover struct and add scopes_supported
* fix authz endpoint
* Send x-forwarded-for in Okta Push Factor request
Why:
In order for Okta to properly report the location of the authentication
attempt, the X-Forwarded-For header must be included in the request to
Okta (if it exists).
This change addresses the need by:
* Duplicating the value of X-Forwarded-For if it's passed through to the
auth backend
* Add changelog entry for 12320
* Override loading behavior which breaks query params passed to API calls
* Only show loading state if transition is not queryparams only
* Add changelog
* Skip loader if testing
* initial setup
* form field editType kv is very helpful
* setting up things
* setup two routes for metadata
* routing
* clean up routing
* meh router changes not my favorite but its working
* show metadata
* add controller for backendCrumb mixin
* setting up edit metadata and trimming SecretEditMetadata component
* add edit metadata save functionality
* create new version work
* setup model and formfieldgroups for added config data.
* add config network request to secret-engine
* fix validations on config
* add config rows
* breaking up secret edit
* add validation for metadata on create
* stuff, but broken now on metadata tab
* fix metadata route error
* permissions
* saving small text changes
* permissions
* cleanup
* some test fixes and convert secret create or update to glimmer
* all these changes fix secret create kv test
* remove alert banners per design request
* fix error for array instead of object in jsonEditor
* add changelog
* styling
* turn into glimmer component
* cleanup
* test failure fix
* add delete or
* clean up
* remove all hardcoded for api integration
* add helper and fix create mode on create new version
* address chelseas pr comments
* add jsdocs to helper
* fix test
* Upgrade note for Alpine 3.14 docker images
It might break things for some people
* Add CVE #
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
* Adding upgrade note to all relevant versions
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
jhart-cpi