* refactor (standardUnsealStrategy).unseal to reduce tech debt
* fix coding error that causes panic in runSetupFunctionsForUnseal
* split runSetupFunctionsForUnseal into 2 funcs to facilitate testing
* add go docs for functions
* fix compile errors from merge commit
* reload seals on SIGHUP
* add lock in SetSeals
* move lock
* use stubmaker and change wrapper finalize call
* change finalize logic so that old seals will be finalized after new seals are configured
* add changelog
* run make fmt
* fix fmt
* fix panic when reloading seals errors out
* add sighup tests and separate out docker utilities
* add test case
* fix typo
* remove build tag
* fix imports
* refactoring to make functions more general and avoid conflicts
* add utility funcs
* separate out config copy into function
* fix error message
* fix error messages
* Implement custom-message management endpoints in a namespace aware manner
* completion of non-enterprise version of custom-messages
* clean up of error handling and fixing a nil pointer error
* rename UICustomMessagesEntry to UICustomMessageEntry
* add unit tests to cover new functions in UIConfig related to custom messages
* unit tests for all custom message handling
* add missing header comments for new files
* add changelog file
* fix test setup error that led to unexpected failure
* change return type from slice of pointers to struct to slice of struct and add godocs to every function
* add Internal suffix to internal methods for the UIConfig struct
* add validation for start and end times of custom messages
* improvements based on review feedback
* explore new approach for custom messages
* introduce new error to force HTTP 404 when referencing non-existent UI custom message
* remove changelog entry until feature is complete
* implement CRUD endpoints using single storage entry per namespace
* add mutex to protect operations that read the storage entry and write it back
* add copyright header comment to new files
* fix failing tests due to change in target function behaviour in order to return 404 error when mandated
* feedback from review plus some improvements on my own as well
* define constants for recognized message types and replace hardcoded string occurrences with new constants
* incorporate feedback comment
* beef up testing with non-root namespaces in putEntry and getEntryForNamespace
* renaming CreateMessage to AddMessage in uicustommessages.Manager and uicustommessages.Entry
* adding missing copyright header comments
It is not sufficient to check that function setSeal in server.go does not return
an "unwrap seal". For migrations away from a Shamir seal, the NewCore constructor
sets up an unwrap seal by calling method adjustForSealMigration.
Factor new method checkForSealMigration out of adjustForSealMigration so
that NewCore can verify that there won't be a migration when returning early due
to running in recovery mode.
Add support for testing `+ent.hsm` and `+ent.hsm.fips1402` Vault editions
with `pkcs11` seal types utilizing a shared `softhsm` token. Softhsm2 is
a software HSM that will load seal keys from a local disk via pkcs11.
The pkcs11 seal implementation is fairly complex as we have to create
one or more shared tokens with various keys and distribute them to all
nodes in the cluster before starting Vault. We also have to ensure that
each set's labels are unique.
We also make a few quality of life updates by utilizing globals for
variants that don't often change and update base versions for various
scenarios.
* Add `seal_pkcs11` module for creating a `pkcs11` seal key using
`softhsm2` as our backing implementation.
* Require the latest enos provider to gain access to the `enos_user`
resource to ensure correct ownership and permissions of the
`softhsm2` data directory and files.
* Add `pkcs11` seal to all scenarios that support configuring a seal
type.
* Extract system package installation out of the `vault_cluster` module
and into its own `install_package` module that we can reuse.
* Fix a bug when using the local builder variant that mangled the path.
This likely slipped in during the migration to auto-version bumping.
* Fix an issue where restarting Vault nodes with a socket seal would
fail because a seal socket sync wasn't available on all nodes. Now we
start the socket listener on all nodes to ensure any node can become
primary and "audit" to the socket listener.
* Remove unused attributes from some verify modules.
* Go back to using cheaper AWS regions.
* Use globals for variants.
* Update initial vault version for `upgrade` and `autopilot` scenarios.
* Update the consul versions for all scenarios that support a consul
storage backend.
Signed-off-by: Ryan Cragun <me@ryan.ec>
* redirect for deshow/details view
* test coverage
* not found test fix
* changelog
* test fixes and amend for create route with no secret
* handle router with no secret
* add more coverage
* Update 24339.txt
* Update secret-edit.js
* Update secret-edit.js
* restructure conditional because list-directory will never be a thing in this view
* Update secret-edit.js
* remove show for directory. that doesn't exist
* blah fix test
* fix conditional
* remove meep
* enable input component
* add more stars
* update css comments
* Update ui/app/styles/helper-classes/flexbox-and-grid.scss
* make attrOptions optional
* add subtext to textfile
* add docLink arg to form field textfile
* update form field test
* add test
* add comment
* update jsdoc
* remove unused class
* Update ui/tests/integration/components/enable-input-test.js
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
---------
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
This commit moves quota storage updates into the storage package to
facilitate testing. As a part of the change, we create a new
`ManagerFlags` struct to make Setup invocations a bit more ergonomic.
* add getter to metadata model
* add changelog and data model fix
* add test coverage
* add nested create coverage
* Update 24404.txt
* remove from data model
* return to how it was
* updated setup/teardown audit code and ordering within broker registration
* enable/disable audit: handle errors when attempting to register/deregister with the audit broker
* fix TestCore_MountTable_UpgradeToTyped
* missing context
* reinstated the missing Info log line, removed unrequired checks
* PKI refactoring to start breaking apart monolith into sub-packages
- This was broken down by commit within enterprise for ease of review
but would be too difficult to bring individual commits back
to the CE repository. (they would be squashed anyways)
- This change was created by exporting a patch of the enterprise PR
and applying it to CE repository
* Fix TestBackend_OID_SANs to not rely on map ordering
* Refactor plugin catalog into its own package
* Fix some unnecessarily slow tests due to accidentally running multiple plugin processes
* Clean up MakeTestPluginDir helper
* Move getBackendVersion tests to plugin catalog package
* Use corehelpers.MakeTestPlugin consistently
* Fix semgrep failure: check for nil value from logical.Storage
With the introduction of the Seal High Availability feature, the presence of
multiple seals in configuration does not necessarily mean that the configuration
entails a seal migration.
Instead of checking for multiple seals, check for the presence of an "unwrap"
seal, which is only used for seal migrations.
* Creating a Vault version explainer
The explainer is a partial that can be used on multiple pages. It gives an overview of our policies and version format and offers some recommendations about staying current.
* Apostrophe typo
Not saying I got all the typos, but got one anyway.
* Add a note about the very rare 4th digit
* Conform to subtitle best practices
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* upgrade to 3.1.0
* VAULT-22471 upgrade to latest version
* fix other selectors
* fix pki tests
* fix copy dropdown
* generated breadcrumbs
* mfa crumbs
* oidc crumbs
* identity crumbs
* use hds crumbs in page::breadcrumbs file
* rename selectors to be consistent
* remaining oidc
* update empty state link style to match hds
* repl empty state
* rep empty state 2
* policy and secret error template
* replace yielded KeyValueHeader elements directly with HDS breadcrumbs
* remove yield from KeyValueHeader
* use key value header in secret header
* update pki header
* kmip breadcrumbs
* replace key-value-header classes
* ssh sign
* replace key value with breadcrumbs
* update selectors part 1
* add a tags
* policy tests
* add crumb index back
* add current route to generated item
* another round of test updates
* remove root link test selector
* secrets/secrete test
* add changelog
* trailing icon
* delete breadcrumb css
* consistently change to sentence case
* titlecase!
* upgrade to 3.1.0
* VAULT-22471 upgrade to latest version
* fix other selectors
* fix pki tests
* fix copy dropdown
* rename selectors to be consistent
* add replicationRedacted attribute to cluster model
* disallow access to replication pages if repl endpoints are redacted
* hide replication nav item
* Hide replication card on dashboard
- Noticed that our documentation was out of date; we allow 8192-bit
RSA keys to be used as an argument to the various PKI
issuer/key creation APIs.
- Augment some unit tests to verify this continues to work