* impr(auth/ldap): allow to dereference aliases in searches
* docs: add documentation for LDAP alias dereferencing
* chore(auth/ldap): add changelog entry for PR 18230
* chore: run formatter
* fix: update default LDAP configuration with new default
* Update website/content/docs/auth/ldap.mdx
Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
* docs(ldap): add alias dereferencing to API docs for LDAP
---------
Co-authored-by: tjperry07 <tjperry07@users.noreply.github.com>
Mirror NSS's GET-vs-POST selection criteria, wherein GET is preferred
over POST (as the former might be a response from a cached CDN entry,
whereas the latter might hit a live responder). However, only accept it
if it definitively says "Good" or "Revoked" -- trigger a POST request
when an unknown or failure status is seen.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* add nil check for secret id entry on delete via accessor
* add changelog
* add godoc to test
* improve feedback on nil entry
* fix error reporting on invalid secret id accessor
* fix test to expect implemented error
* Address some small issues within pki health-check
- Notify user yaml output mode is not support with --list argument
- Output pure JSON in json output mode with --list argument
- If a checker returns a nil response, convert to an empty slice
- Add handler for permission errors to too many certs checker
- Add checks for permission issues within hardware_backed_root and root_issued_leaves
* Identify the role that contained the permission issue in role based checks
- Augument the role health checks to identify the role(s) that we have
insufficient permissions to read instead of an overall read failure
- Treat the failure to list roles as a complete failure for the check
For plugin tests, we copy the test binary. On macOS, if the
destination binary already exists, then copying over it will result
in an invalid signature.
The easiest workaround is to delete the file before copying.
* language by design
* fix issue with active class not doing anything on the LinkTo
* changelog
* noDefault instead of empty string
* test coverage
* update test descriptions
* address pr comments
* welp
* feat(auth/ldap): allow passing the LDAP password via an environment variable when authenticating via the CLI
* chore(auth/ldap): add changelog entry for PR 18225
* added in the missing test cases to validate response structures
* added changelog file
* remove unneeded changelog file
* removed comment to update when indentity/entity is implemented
---------
Co-authored-by: lursu <leland.ursu@hashicorp.com>
* Handle permission issue on pki health-check tune checkers
- Prior to this fix, if the end-user's Vault token did not have permission to the
mount's tune api, we would return as if the tunable params had not been set.
- Now check to see if we encountered a permission issue and report that back to
the end-user like the other checks do.
* Fix role endpoint in pki health-check warnings
- The various warning messages point to {{mount}}/role/<rolename>
which is not a valid PKI path, it should be {{mount}}/roles/<rolename>
* Add cl
* Output default config output from health-check --list as json
- Change the output of the default configuration as JSON so
it's useable as an input to the health-check command
* Add cl
* update error message and properly handle list requests
* since we do agressive sanitizes we need to optionally check trailing slash
* added changelog record
* remove redundant path formating
* Update changelog/13106.txt
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* addressed comments from review
* also remove code that duplicates efforts in kv_list
* abstracted helper func for testing
* added test cases for the policy builder
* updated the changelog to the correct one
* removed calls that apear not to do anything given test case results
* fixed spacing issue in output string
* remove const representation of list url param
* addressed comments for pr
---------
Co-authored-by: lursu <leland.ursu@hashicorp.com>
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* pki health-check fails to read in int config values
- Go's default behavior when decoding numbers to an interface{} is to use a float64 type which parseutil.SafeParseIntRange does not handle.
- Switch to having the JSON decoder use json.Number which our parseutil library
properly handles.
* Add cl
The [WebSockets spec](https://www.rfc-editor.org/rfc/rfc6455) states
that text messages must be valid UTF-8 encoded strings, which protobuf
messages virtually never are. This now correctly sends the protobuf events
as binary messages.
We change the format to correspond to CloudEvents, as originally intended,
and remove a redundant timestamp and newline.
We also bump the eventlogger to fix a race condition that this code triggers.
* plugin/auth: enable multiplexing
- the plugin will be multiplexed when run as an external plugin
by vault versions that support secrets/auth plugin multiplexing (> 1.12)
- we continue to set the TLSProviderFunc to maintain backwards
compatibility with vault versions that don't support AutoMTLS (< 1.12)
* enable multiplexing for secrets engines
* add changelog
* revert call to ServeMultiplex for pki and transit
* Revert "revert call to ServeMultiplex for pki and transit"
This reverts commit 755be28d14b4c4c4d884d3cf4d2ec003dda579b9.
* test/plugin: test external db plugin
* use test helper to get cluster and plugins
* create test helper to create a vault admin user
* add step to revoke lease
* make tests parallel and add reload test
* use more descriptive name for test group; check response
Steven Clark