This change adds the ability to set the signature algorithm of the
CAs that Vault generates and any certificates it signs. This is a
potentially useful stepping stone for a SHA3 transition down the line.
Summary:
* Adds the field "signature_bits" to CA and Sign endpoints
* Adds support for SHA256, SHA384 and SHA512 signatures on EC and RSA
keytypes.
* update genUsername to cap STS usernames at 64 chars
* add changelog
* refactor tests into t.Run block
* patch: remove warningExpected bool and include expected string
* patch: revert sts to cap at 32 chars and add assume_role case in genUsername
* update changelog
* update genUsername to return error if username generated exceeds length limits
* update changelog
* add conditional default username template to provide custom STS usernames
* update changelog
* include test for failing STS length case
* update comments for more clarity
* Work around rabbitmq regression with UserInfo.Tags in rabbitmq 3.9: use v3.8 docker image in tests.
* Also pin cassandra docker image version to 3.11 (4.00 was making tests fail)
Unlike the other libraries that were migrated, there are no usages of
this lib in any of our plugins, and the only other known usage was in
go-kms-wrapping, which has been updated. Aliasing it like the other libs
would still keep the aws-sdk-go dep in the sdk module because of the
function signatures. So I've simply removed it entirely here.
* add ability to customize IAM usernames based on templates
* add changelog
* remove unnecessary logs
* patch: add test for readConfig
* patch: add default STS Template
* patch: remove unnecessary if cases
* patch: add regex checks in username test
* patch: update genUsername to return an error instead of warnings
* patch: separate tests for default and custom templates
* patch: return truncate warning from genUsername and trigger a 400 response on errors
* patch: truncate midString to 42 chars in default template
* docs: add new username_template field to aws docs
* add username customization for rabbitmq
* add changelog for rabbitmq
* Update builtin/logical/rabbitmq/path_config_connection.go
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* updating API docs
* moved to changelog folder
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* feat(aws): add ability to provide a sessionName to sts credentials
Co-authored-by: Brad Vernon <bvernon@nvidia.com>
Co-authored-by: Jim Kalafut <jim@kalafut.net>
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Add support for templated values in SSH CA DefaultExtensions.
* Reworking the logic per feedback, adding basic test.
* Adding test, so we cover both default extension templating & ignoring default when user-provided extensions are present.
* Fixed up an unintentional extension handling defect, added test to cover the case.
* Refactor Default Extension tests into `enabled` and `disabled`.
* Added support for iam_tags for AWS secret roles
This change allows iam_users generated by the secrets engine
to add custom tags in the form of key-value pairs to users
that are created.
* upgrade vault dependency set
* etcd and grpc issues:
* better for tests
* testing
* all upgrades for hashicorp deps
* kubernetes plugin upgrade seems to work
* kubernetes plugin upgrade seems to work
* etcd and a bunch of other stuff
* all vulnerable packages upgraded
* k8s is broken in linux env but not locally
* test fixes
* fix testing
* fix etcd and grpc
* fix etcd and grpc
* use master branch of go-testing-interface
* roll back etcd upgrade
* have to fix grpc since other vendors pull in grpc 1.35.0 but we cant due to etcd
* rolling back in the replace directives
* a few more testing dependencies to clean up
* fix go mod vendor
* Update go version to 1.15.3
* Fix OU ordering for go1.15.x testing
* Fix CI version
* Update docker image
* Fix test
* packagespec upgrade -version 0.1.8
Co-authored-by: Sam Salisbury <samsalisbury@gmail.com>
This also temporarily disables couchbase, elasticsearch, and
mongodbatlas because the `Serve` function needs to change signatures
and those plugins are vendored in from external repos, causing problems
when building.
This is part 1 of 4 for renaming the `newdbplugin` package. This copies the existing package to the new location but keeps the current one in place so we can migrate the existing references over more easily.
* Support salt in DeriveKey
* Revert "Support salt in DeriveKey"
This reverts commit b295ae42673308a2d66d66b53527c6f9aba92ac9.
* Refactor out key derivation, symmetric encryption, and symmetric decryption into generic functions
* comments
* comments
* go mod vendor
* bump both go.mods
* This one too
* bump
* bump
* bump
* Make the lesser used params of symmetric ops a struct
* go fmt
* Call GetKey instead of DeriveKey
* Address feedback
* Wrong rv
* Rename calls
* Assign the nonce field
* trivial change
* Check nonce len instead
* go mod vendor
Adds debug and warn logging around AWS credential chain generation,
specifically to help users debugging auto-unseal problems on AWS, by
logging which role is being used in the case of a webidentity token.
Adds a deferred call to flush the log output as well, to ensure logs
are output in the event of an initialization failure.