Wrapping validation was deferring the function to audit log before
actually checking if we were sealed or standby, and without having the
read lock grabbed.
* upgrade aws roles
* test upgrade aws roles
* Initialize aws credential backend at mount time
* add a TODO
* create end-to-end test for builtin/credential/aws
* fix bug in initializer
* improve comments
* add Initialize() to logical.Backend
* use Initialize() in Core.enableCredentialInternal()
* use InitializeRequest to call Initialize()
* improve unit testing for framework.Backend
* call logical.Backend.Initialize() from all of the places that it needs to be called.
* implement backend.proto changes for logical.Backend.Initialize()
* persist current role storage version when upgrading aws roles
* format comments correctly
* improve comments
* use postUnseal funcs to initialize backends
* simplify test suite
* improve test suite
* simplify logic in aws role upgrade
* simplify aws credential initialization logic
* simplify logic in aws role upgrade
* use the core's activeContext for initialization
* refactor builtin/plugin/Backend
* use a goroutine to upgrade the aws roles
* misc improvements and cleanup
* do not run AWS role upgrade on DR Secondary
* always call logical.Backend.Initialize() when loading a plugin.
* improve comments
* on standbys and DR secondaries we do not want to run any kind of upgrade logic
* fix awsVersion struct
* clarify aws version upgrade
* make the upgrade logic for aws auth more explicit
* aws upgrade is now called from a switch
* fix fallthrough bug
* simplify logic
* simplify logic
* rename things
* introduce currentAwsVersion const to track aws version
* improve comments
* rearrange things once more
* conglomerate things into one function
* stub out aws auth initialize e2e test
* improve aws auth initialize e2e test
* finish aws auth initialize e2e test
* tinker with aws auth initialize e2e test
* tinker with aws auth initialize e2e test
* tinker with aws auth initialize e2e test
* fix typo in test suite
* simplify logic a tad
* rearrange assignment
* Fix a few lifecycle related issues in #7025 (#7075)
* Fix panic when plugin fails to load
* Fix various read only storage errors
A mistake we've seen multiple times in our own plugins and that we've
seen in the GCP plugin now is that control flow (how the code is
structured, helper functions, etc.) can obfuscate whether an error came
from storage or some other Vault-core location (in which case likely it
needs to be a 5XX message) or because of user input (thus 4XX). Error
handling for functions therefore often ends up always treating errors as
either user related or internal.
When the error is logical.ErrReadOnly this means that treating errors as
user errors skips the check that triggers forwarding, instead returning
a read only view error to the user.
While it's obviously more correct to fix that code, it's not always
immediately apparent to reviewers or fixers what the issue is and fixing
it when it's found both requires someone to hit the problem and report
it (thus exposing bugs to users) and selective targeted refactoring that
only helps that one specific case.
If instead we check whether the logical.Response is an error and, if so,
whether it contains the error value, we work around this in all of these
cases automatically. It feels hacky since it's a coding mistake, but
it's one we've made too multiple times, and avoiding bugs altogether is
better for our users.
* Implement SetCredentials for MongoDB, adding support for static accounts
* rework SetCredentials to split from CreateUser, and to parse the url for database
* Add integration test for mongodb static account rotation
* check the length of the password results to avoid out-of-bounds
* remove unused method
* use the pre-existing test helper for this. Add parse method to helper
* remove unused command
* temp support for mysql+static accounts
* remove create/update database user for static accounts
* update tests after create/delete removed
* small cleanups
* update postgresql setcredentials test
* temp support for mysql+static accounts
* Add Static Account support to MySQL
* add note that MySQL supports static roles
* remove code comment
* tidy up tests
* Update plugins/database/mysql/mysql_test.go
Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>
* Update plugins/database/mysql/mysql.go
Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>
* update what password we test
* refactor CreateUser and SetCredentials to use a common helper
* add close statements for statements in loops
* remove some redundant checks in the mysql test
* use root rotation statements as default for static accounts
* missed a file save
* switch to dynamic imports so that bundling doesn't include swagger-ui-dist in its vendor file
* remove ember-ajax
* delete comment
* update comment about lazy loading in the engine index.js
* storage/raft: When restoring a snapshot preseal first
* best-effort allow standbys to apply the restoreOp before sealing active node
* Don't cache the raft tls key
* Update physical/raft/raft.go
* Move pending raft peers to core
* Fix race on close bool
* Extend the leaderlease time for tests
* Update raft deps
* Fix audit hashing
* Fix race with auditing
* init dropdown
* add dropdown to storybook
* move http requests components into container
* add event handler for selecting new time window
* no need for this. in the template
* filter bar chart and table
* add bar chart transitions
* handle Last 12 Months in dropdown
* don't use fake data
* start tests
* add jsdoc and notes for storybook
* add container to storybook
* compute filteredCounters when counters change
* move static dropdown options to template
* add tests
* style the dropdown
* use this.elementId
* fix linting errors
* use ember array extensions
* use fillIn instead of page object and make dom assertions consistent
* calculate the correct percent change between months
* use data-test selector instead of id
* show plus or minus next to percent change
* adds allowed_roles field to identity token keys and updates tests
* removed a comment that was redundant
* allowed_roles uses role client_id s instead of role names
* renamed allowed_roles to allowed_clients
* renamed allowed_clients to allowed_clientIDs
* WIP
* Kinda working?
* Handle nil during rotation
* Update discovery document
* WIP
* removes some warning messages and checks on keys when creating a role
* Path issuer ns/specific
* Fix nspath handling
* Update issuer handling
* Add locking around key updates
* Cleanup
* Fix nextRun handling
* saving work
* Include namespace in token
* saving work
* saving work
* happy path
* saving work
* sharing debug msgs
* Merge branch 'master' into refactor_periodic_func_test
# Conflicts:
# vault/identity_store_oidc.go
# vault/identity_store_oidc_test.go
* use MatchingStorageByAPIPath instead of logical.InmemStorage
At the level of role config it doesn't mean anything to use
default-service or default-batch; that's for mount tuning. So disallow
it in tokenutil. This also fixes the fact that the switch statement
wasn't right.
Martin Lee