* Fix various read only storage errors
A mistake we've seen multiple times in our own plugins and that we've
seen in the GCP plugin now is that control flow (how the code is
structured, helper functions, etc.) can obfuscate whether an error came
from storage or some other Vault-core location (in which case likely it
needs to be a 5XX message) or because of user input (thus 4XX). Error
handling for functions therefore often ends up always treating errors as
either user related or internal.
When the error is logical.ErrReadOnly, this means that treating errors as
user errors skips the check that triggers forwarding, instead returning
a read-only view error to the user.
While it's obviously more correct to fix that code, it's not always
immediately apparent to reviewers or fixers what the issue is and fixing
it when it's found both requires someone to hit the problem and report
it (thus exposing bugs to users) and selective targeted refactoring that
only helps that one specific case.
If instead we check whether the logical.Response is an error and, if so,
whether it contains the error value, we work around this in all of these
cases automatically. It feels hacky since it's a coding mistake, but
it's one we've made multiple times too, and avoiding bugs altogether is
better for our users.
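The failure mode and the workaround described in the commit above, as an added stand-alone Go example (not Vault's own code): `ErrReadOnly`, `Response`, `ErrorResponse`, the `Storage` interface and the two `dispatch*` functions are simplified stand-ins for `logical.ErrReadOnly`, `logical.Response`, `logical.ErrorResponse` and the core's request handling, and `saveEntry`/`buggyHandler` are hypothetical plugin code. The helper returns either an input error or a storage error, the handler wraps both as user errors, and only the post-fix dispatcher notices that the 4xx response actually wraps the read-only error and should be forwarded.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrReadOnly stands in for logical.ErrReadOnly: a standby's storage view
// refuses writes, and the request has to be forwarded to the active node.
var ErrReadOnly = errors.New("cannot write to readonly storage")

// Response is a stand-in for logical.Response, carrying either data or an
// error that will be rendered to the client as a 4xx.
type Response struct {
	Data map[string]interface{}
	err  error
}

// ErrorResponse mimics logical.ErrorResponse: the error is formatted into a
// user-facing reply. Using %w keeps the cause reachable via errors.Is.
func ErrorResponse(format string, args ...interface{}) *Response {
	return &Response{err: fmt.Errorf(format, args...)}
}

func (r *Response) IsError() bool { return r != nil && r.err != nil }
func (r *Response) Error() error  { return r.err }

// Storage is the minimal write interface the handler needs.
type Storage interface {
	Put(key, value string) error
}

// readOnlyStorage models the view a standby node hands to plugins.
type readOnlyStorage struct{}

func (readOnlyStorage) Put(string, string) error { return ErrReadOnly }

// memStorage models the writable view on the active node.
type memStorage map[string]string

func (m memStorage) Put(k, v string) error { m[k] = v; return nil }

// saveEntry is the kind of helper that blurs the origin of an error: it can
// fail on bad input (user error) or on storage (core error).
func saveEntry(s Storage, key, value string) error {
	if key == "" {
		return errors.New("key must not be empty")
	}
	return s.Put(key, value)
}

// buggyHandler makes the mistake the commit describes: every helper error is
// reported as a user error, so ErrReadOnly ends up inside a 4xx Response
// instead of being returned as a Go error the core would recognise.
func buggyHandler(s Storage, key, value string) (*Response, error) {
	if err := saveEntry(s, key, value); err != nil {
		return ErrorResponse("invalid entry: %w", err), nil
	}
	return &Response{Data: map[string]interface{}{"key": key}}, nil
}

// Outcome is the core's decision after a handler returns.
type Outcome string

const (
	OutcomeForward   Outcome = "forward-to-active"
	OutcomeUserError Outcome = "4xx"
	OutcomeOK        Outcome = "2xx"
)

// dispatchBefore is the pre-fix core logic: only the returned Go error is
// checked for ErrReadOnly, so a misclassified error is shown to the user.
func dispatchBefore(resp *Response, err error) Outcome {
	if errors.Is(err, ErrReadOnly) {
		return OutcomeForward
	}
	if err != nil || resp.IsError() {
		return OutcomeUserError
	}
	return OutcomeOK
}

// dispatchAfter adds the check from the commit: an error Response that
// wraps ErrReadOnly is forwarded too, whatever path the plugin took.
func dispatchAfter(resp *Response, err error) Outcome {
	if errors.Is(err, ErrReadOnly) {
		return OutcomeForward
	}
	if resp.IsError() && errors.Is(resp.Error(), ErrReadOnly) {
		return OutcomeForward
	}
	if err != nil || resp.IsError() {
		return OutcomeUserError
	}
	return OutcomeOK
}

func main() {
	resp, err := buggyHandler(readOnlyStorage{}, "config/db", "dsn")
	fmt.Println("before fix:", dispatchBefore(resp, err)) // before fix: 4xx
	fmt.Println("after fix: ", dispatchAfter(resp, err))  // after fix:  forward-to-active
}
```

The check only works because the handler wrapped the cause with `%w`; a plugin that flattens the error into a string (`err.Error()`) would still leak a read-only error to the client, which is why fixing the plugin's error classification remains the proper fix.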
* Implement SetCredentials for MongoDB, adding support for static accounts
* rework SetCredentials to split from CreateUser, and to parse the url for database
* Add integration test for mongodb static account rotation
* check the length of the password results to avoid out-of-bounds
* remove unused method
* use the pre-existing test helper for this. Add parse method to helper
* remove unused command
* temp support for mysql+static accounts
* remove create/update database user for static accounts
* update tests after create/delete removed
* small cleanups
* update postgresql setcredentials test
* temp support for mysql+static accounts
* Add Static Account support to MySQL
* add note that MySQL supports static roles
* remove code comment
* tidy up tests
* Update plugins/database/mysql/mysql_test.go
Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>
* Update plugins/database/mysql/mysql.go
Co-Authored-By: Calvin Leung Huang <cleung2010@gmail.com>
* update what password we test
* refactor CreateUser and SetCredentials to use a common helper
* add close statements for statements in loops
* remove some redundant checks in the mysql test
* use root rotation statements as default for static accounts
* missed a file save
* switch to dynamic imports so that bundling doesn't include swagger-ui-dist in its vendor file
* remove ember-ajax
* delete comment
* update comment about lazy loading in the engine index.js
* storage/raft: When restoring a snapshot preseal first
* best-effort allow standbys to apply the restoreOp before sealing active node
* Don't cache the raft tls key
* Update physical/raft/raft.go
* Move pending raft peers to core
* Fix race on close bool
* Extend the leaderlease time for tests
* Update raft deps
* Fix audit hashing
* Fix race with auditing
* init dropdown
* add dropdown to storybook
* move http requests components into container
* add event handler for selecting new time window
* no need for this. in the template
* filter bar chart and table
* add bar chart transitions
* handle Last 12 Months in dropdown
* don't use fake data
* start tests
* add jsdoc and notes for storybook
* add container to storybook
* compute filteredCounters when counters change
* move static dropdown options to template
* add tests
* style the dropdown
* use this.elementId
* fix linting errors
* use ember array extensions
* use fillIn instead of page object and make dom assertions consistent
* calculate the correct percent change between months
* use data-test selector instead of id
* show plus or minus next to percent change
* adds allowed_roles field to identity token keys and updates tests
* removed a comment that was redundant
* allowed_roles uses role client_ids instead of role names
* renamed allowed_roles to allowed_clients
* renamed allowed_clients to allowed_clientIDs
* WIP
* Kinda working?
* Handle nil during rotation
* Update discovery document
* WIP
* removes some warning messages and checks on keys when creating a role
* Path issuer ns/specific
* Fix nspath handling
* Update issuer handling
* Add locking around key updates
* Cleanup
* Fix nextRun handling
* saving work
* Include namespace in token
* saving work
* saving work
* happy path
* saving work
* sharing debug msgs
* Merge branch 'master' into refactor_periodic_func_test
# Conflicts:
# vault/identity_store_oidc.go
# vault/identity_store_oidc_test.go
* use MatchingStorageByAPIPath instead of logical.InmemStorage
At the level of role config it doesn't mean anything to use
default-service or default-batch; that's for mount tuning. So disallow
it in tokenutil. This also fixes the fact that the switch statement
wasn't right.
* open-api-explorer engine with embedded swagger-ui
* move swagger config to a component, rely directly on swagger-ui
* filter operations by endpoint, hook up filter to query param, add namespace handling
* fix namespace handling
* update ember-engines so that we can app.import in a lazy engine
* use engine's included hook to move swagger-ui to engine-vendor.* files
* show flash message about this being a live vault server
* show a namespace reminder and override some styles from swagger-ui
* switch filter to use includes instead of startsWith
* move flash-message to alert-banner and fix namespace reminder with a block
* adds explore web-cli command to navigate to the api-explorer engine
* allow passing a preformatted string to flash messages
* add multi-line flash-message to api explorer
* invert control and trigger events on react app so we can control the layout more and use our components
* tweak styling some more and adjust message on the flash
* change web cli command from 'explore' to 'api'
* shorten namespace warning
* fix console
* fix comments
Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters.
Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying.
Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed.
Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
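The edge cases from the audit hashing change above (a time.Time inside a slice, and a time.Time used as a map key), as an added Go example that is not Vault's audit code: Vault's walker hashes in place using reflectwalk, while this stand-alone version returns a copy, so only the handling of the tricky types is comparable. `AuditRequest`, the salt and the sample values are constructed for the demonstration; `hashString` uses HMAC-SHA256 with an `hmac-sha256:` prefix as the output shape.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"reflect"
	"time"
)

// AuditRequest is a constructed stand-in for the request fields an audit
// device logs; real Vault audit entries have a different shape.
type AuditRequest struct {
	Path       string
	Data       map[string]interface{}
	Timestamps []time.Time          // time.Time inside a slice: the case the commit fixed
	ByTime     map[time.Time]string // time.Time as a map key: passed through, not an error
}

// hashString HMACs s with the audit salt so secrets are hidden in the log
// but identical values still correlate across entries.
func hashString(salt []byte, s string) string {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(s))
	return "hmac-sha256:" + hex.EncodeToString(mac.Sum(nil))
}

var timeType = reflect.TypeOf(time.Time{})

// HashStructure returns a copy of v with every string replaced by its HMAC.
// It recurses through pointers, interfaces, structs, slices, arrays and map
// values. time.Time values are passed through unhashed wherever they appear
// (struct field, slice element, interface value) and map keys are never
// touched, so a map keyed by time.Time no longer trips the walker.
func HashStructure(salt []byte, v interface{}) interface{} {
	if v == nil {
		return nil
	}
	return hashValue(salt, reflect.ValueOf(v)).Interface()
}

func hashValue(salt []byte, v reflect.Value) reflect.Value {
	switch v.Kind() {
	case reflect.String:
		// Convert keeps named string types (e.g. type Policy string) assignable.
		return reflect.ValueOf(hashString(salt, v.String())).Convert(v.Type())
	case reflect.Interface:
		if v.IsNil() {
			return v
		}
		return hashValue(salt, v.Elem())
	case reflect.Ptr:
		if v.IsNil() {
			return v
		}
		out := reflect.New(v.Type().Elem())
		out.Elem().Set(hashValue(salt, v.Elem()))
		return out
	case reflect.Struct:
		if v.Type() == timeType {
			return v // a timestamp is not a secret; leave it readable
		}
		out := reflect.New(v.Type()).Elem()
		for i := 0; i < v.NumField(); i++ {
			if !out.Field(i).CanSet() {
				continue // unexported field: left at its zero value in the copy
			}
			out.Field(i).Set(hashValue(salt, v.Field(i)))
		}
		return out
	case reflect.Slice:
		if v.IsNil() {
			return v
		}
		out := reflect.MakeSlice(v.Type(), v.Len(), v.Len())
		for i := 0; i < v.Len(); i++ {
			out.Index(i).Set(hashValue(salt, v.Index(i)))
		}
		return out
	case reflect.Array:
		out := reflect.New(v.Type()).Elem()
		for i := 0; i < v.Len(); i++ {
			out.Index(i).Set(hashValue(salt, v.Index(i)))
		}
		return out
	case reflect.Map:
		if v.IsNil() {
			return v
		}
		out := reflect.MakeMapWithSize(v.Type(), v.Len())
		for iter := v.MapRange(); iter.Next(); {
			out.SetMapIndex(iter.Key(), hashValue(salt, iter.Value()))
		}
		return out
	default:
		return v // numbers, bools and other non-string scalars are kept
	}
}

func main() {
	salt := []byte("constructed-test-salt")
	t0 := time.Date(2019, 10, 1, 12, 0, 0, 0, time.UTC)
	req := AuditRequest{
		Path:       "secret/data/db",
		Data:       map[string]interface{}{"password": "hunter2", "ttl": 3600, "history": []interface{}{t0, "old-token"}},
		Timestamps: []time.Time{t0},
		ByTime:     map[time.Time]string{t0: "rotated"},
	}
	fmt.Printf("%+v\n", HashStructure(salt, req))
}
```

Because the walker returns early for `time.Time` before descending into its fields, the same rule applies whether the timestamp is a struct field, a `[]time.Time` element, or boxed in an `interface{}` inside request data; keys are copied as-is, which is what makes a `map[time.Time]...` harmless instead of an error.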
* Set MaxIdleConns to reduce connection churn (postgresql physical)
* Make new "max_idle_connection" config option for physical postgresql
* Add docs for "max_idle_connections" for postgresql storage
* Add minimum version to docs for max_idle_connections
* adds allowed_roles field to identity token keys and updates tests
* removed a comment that was redundant
* allowed_roles uses role client_ids instead of role names
* renamed allowed_roles to allowed_clients
* renamed allowed_clients to allowed_clientIDs
* removes some warning messages and checks on keys when creating a role
* removes name field being set unnecessarily
* add menu-loader component to show menu loading button when the model relationship isPending
* list what keys we've got in api-path error
* fix spacing issue on error flash
* add an action on list-controller that bubbles to the list-route mixin to refresh the route
* empty store when creating scopes
* don't delete _requestQuery in the loop, do it after
* add scope deletion from the scope list
* add deleteRecord to kmip adapters
* add model-wrap component
* delete role from detail page and list
* add revoke credentials functionality
* fix comment
* treat all operations fields specially on kmip roles
* adjust kmip role edit form for new fields
* fix api-path test
* update document blocks for menu-loader and model-wrap components
Earlier in tokenutil's dev it seemed like there was no reason to allow
auth plugins to toggle renewability off. However, it turns out Centrify
makes use of this for sensible reasons. As a result, move the forcing-on
of renewability into tokenutil, but then allow overriding after
PopulateTokenAuth is called.