vault

mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-22 21:05:03 +00:00

Author	SHA1	Message	Date
miagilepner	b4e2751a09	VAULT-14735: write mock activity log entity files (#20702 ) * support writing entities * tests for writing entity segments	2023-05-25 18:55:55 +02:00
Raymond Ho	4add914081	fix: upgrade vault-plugin-secrets-terraform to v0.7.1 (#20748 )	2023-05-25 16:47:08 +00:00
claire bontempo	d2189fdf56	UI: Transit Key TTL not initializing to toggled off (#20731 ) * add test * bug fix and tests * add changelog	2023-05-25 16:39:48 +00:00
Robert	45345e9dcb	secrets/gcpkms: upgrade plugin version (#20784 ) * Upgrade vault-plugin-secrets-gcpkms to v0.15.0	2023-05-25 16:39:00 +00:00
Yoko Hyakuna	e4a45efd99	Change the codeowner for docs PRs (#20779 )	2023-05-25 09:23:31 -07:00
Christopher Swenson	3690f784ac	fix: upgrade vault-plugin-database-couchbase to v0.9.2 (#20764 )	2023-05-25 09:17:36 -07:00
Raymond Ho	b091664390	fix: upgrade vault-plugin-secrets-mongodbatlas to v0.10.0 (#20742 )	2023-05-25 09:13:28 -07:00
Raymond Ho	a2016f7cac	fix: upgrade vault-plugin-auth-centrify to v0.15.1 (#20745 )	2023-05-25 09:13:11 -07:00
Marc Boudreau	ded0d56c18	update security-scanner version to latest to pickup changes that eliminate use of deprecated GitHub Actions commands (#20690 )	2023-05-25 12:09:43 -04:00
Max Coulombe	b6851cd0a8	Updated the azure secrets plugin (#20777 ) * updated the azure secrets plugin	2023-05-25 11:27:33 -04:00
Daniel Huckins	a66074425d	agent: Add implementation for injecting secrets as environment variables to vault agent cmd (#20739 ) * added exec and env_template config/parsing * add tests * we can reuse ctconfig here * do not create a non-nil map * check defaults * Apply suggestions from code review Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> * first go of exec server Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * convert to list Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * convert to list Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * sig test Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * add failing example Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * refactor for config changes Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * add test for invalid signal Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * account for auth token changes Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * only start the runner once we have a token * tests in diff branch Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> * fix rename Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * Update command/agent/exec/exec.go Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> * apply suggestions from code review Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * cleanup Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * remove unnecessary lock Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * refactor to use enum Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * dont block Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * handle default Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * make more explicit Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * cleanup Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * remove unused Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * remove unused file Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * remove test app Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> * apply suggestions from code review Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * update comment Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * add changelog Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * new channel for exec server token * wire to run with vault agent Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * watch for child process to exit on its own Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * block before returning Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> --------- Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>	2023-05-25 09:23:56 -04:00
Peter Wilson	ba33101192	updated Leader godoc comment to give a warning on possible deadlock (#20773 )	2023-05-25 12:02:39 +00:00
akshya96	85143e3f0d	Revert "User Lockout Perf Standby Error oss (#20766 )" (#20770 ) This reverts commit `7a546a96e4`.	2023-05-24 18:55:34 -07:00
akshya96	7a546a96e4	User Lockout Perf Standby Error oss (#20766 ) * adding changes from ent * add changelog * removing new line	2023-05-24 17:35:17 -07:00
Jonathan Frappier	c6970cd2fd	Add additional endpoints, remove non-protected endpoints (#20669 ) * Add additional endpoints, remove non-protected endpoints * Add step-down per engineering * Match HTTP verb to individual doc pages * Add /sys/internal/inspect/router to table * Apply additional suggestions * Updates based on engineering feedback * Adding unsaved changes	2023-05-24 17:32:53 -04:00
Angel Garbarino	735e2866db	Address Test-ui suite failure for package install issues (#20756 ) * fix * apparently its going to take me two commits.. for one line. * test removing the installation of the packages. * remove browser dependencies	2023-05-24 15:24:47 -06:00
Steven Clark	32532c61d1	Address various issues related to ACME EAB (#20755 ) * Fix various EAB related issues - List API wasn't plumbed through properly so it did not work as expected - Use random 32 bytes instead of an EC key for EAB key values - Update OpenAPI definitions * Clean up unused EAB keys within tidy * Move Vault EAB creation path to pki/acme/new-eab * Update eab vault responses to match up with docs	2023-05-24 21:17:33 +00:00
Alexander Scheel	36d4a25b25	Validate no_store=false on role configuration (#20757 ) Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>	2023-05-24 21:13:28 +00:00
Daniel Huckins	17a1e78ffb	agent: Add implementation for injecting secrets as environment variables (#20628 ) * added exec and env_template config/parsing * add tests * we can reuse ctconfig here * do not create a non-nil map * check defaults * Apply suggestions from code review Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> * first go of exec server Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * convert to list Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * convert to list Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * sig test Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * add failing example Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * refactor for config changes Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * add test for invalid signal Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * account for auth token changes Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * only start the runner once we have a token * tests in diff branch Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> * fix rename Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * Update command/agent/exec/exec.go Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> * apply suggestions from code review Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * cleanup Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * remove unnecessary lock Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * refactor to use enum Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * dont block Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * handle default Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * make more explicit Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * cleanup Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * remove unused Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * remove unused file Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * remove test app Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> * apply suggestions from code review Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * update comment Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * add changelog Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * watch for child process to exit on its own Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> --------- Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>	2023-05-24 16:56:06 -04:00
Raymond Ho	9a972382bb	fix: upgrade vault-plugin-secrets-openldap to v0.11.0 (#20753 )	2023-05-24 13:45:24 -07:00
vinay-gopalan	b5acdc3a0b	upgrade vault-plugin-secrets-ad to v0.16.0 (#20750 )	2023-05-24 13:37:41 -07:00
Nick Cabatoff	356b3899bb	Cluster test helper improvements (#20424 )	2023-05-24 20:21:10 +00:00
Christopher Swenson	22d341a403	fix: upgrade vault-plugin-database-redis-elasticache to v0.2.1 (#20751 )	2023-05-24 20:15:53 +00:00
kpcraig	cc8b856471	VAULT-12226: Add Static Roles to the AWS plugin (#20536 ) Add static roles to the aws secrets engine --------- Co-authored-by: maxcoulombe <max.coulombe@hashicorp.com> Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com> Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>	2023-05-24 14:55:13 -04:00
John-Michael Faircloth	d3e346543a	fix: upgrade vault-plugin-auth-oci to v0.14.0 (#20743 )	2023-05-24 13:00:49 -05:00
John-Michael Faircloth	fd8a9f7e31	fix: upgrade vault-plugin-secrets-kv to v0.15.0 (#20746 )	2023-05-24 13:00:23 -05:00
Steven Clark	ef6758222d	Enforce valid ACME accounts in challenge APIS (#20744 ) - Make sure we have an ACME account in a valid state and enforce EAB policies on that account for the challenge and revocation by account ACME apis.	2023-05-24 17:28:56 +00:00
Alexander Scheel	b6535f02ec	Move activityType to a constant, set precedence (#20738 ) Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>	2023-05-24 12:29:47 -04:00
Alexander Scheel	e82cc49071	Update transit public keys for Ed25519 support (#20727 ) * Refine documentation for public_key Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Support additional key types in importing version This originally left off the custom support for Ed25519 and RSA-PSS formatted keys that we've added manually. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add support for Ed25519 keys Here, we prevent importing public-key only keys with derived Ed25519 keys. Notably, we still allow import of derived Ed25519 keys via private key method, though this is a touch weird: this private key must have been packaged in an Ed25519 format (and parseable through Go as such), even though it is (strictly) an HKDF key and isn't ever used for Ed25519. Outside of this, importing non-derived Ed25519 keys works as expected. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add public-key only export method to Transit This allows the existing endpoints to retain private-key only, including empty strings for versions which lack private keys. On the public-key endpoint, all versions will have key material returned. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Update tests for exporting via public-key interface Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add public-key export option to docs Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>	2023-05-24 11:26:35 -04:00
Peter Wilson	4b0d85e3bf	VAULT-11595: Augment forwarded requests with host:port info (from/to nodes) (Enterprise) (#20733 ) * Allow audit entries to contain forwarded from host info * adjust logical/request and audit format to use bool instead of string for 'to' host	2023-05-24 13:57:45 +01:00
Tom Proctor	e796005bb7	Docs: Updates for latest Vault CSI Provider releases (#20721 )	2023-05-24 13:07:00 +01:00
Peter Wilson	ee3847d954	Revert "Allow audit entries may contain forwarded to/from host info (#20689 )" (#20732 ) This reverts commit `732dda34e7`.	2023-05-24 09:44:57 +01:00
miagilepner	541f18eeb7	VAULT-14735: repeated and segmented activity log clients (#20699 ) * add repeated, segmented, and writing * simplify * pr fixes * remove comment * Update vault/logical_system_activity_write_testonly.go Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com> --------- Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>	2023-05-24 08:42:00 +00:00
claire bontempo	ec6a1f2934	UI: pki auto-tidy views (#20685 ) * UI: plumbing for pki tidy work (#20611) * update tidy model * Dynamic group on tidy based on version * UI: VAULT-16261 PKI autotidy config view (#20641) * UI: VAULT-16203 tidy status page (#20635) * ui: pki tidy form (#20630) * order routes to match tabs * add tidy routes * add tidy-status page component * update routes rename edit to configure, remove manage * add page component to route template * add comment * finish routing * change to queryRecord, delete old tidy file * remove findRecord * fix serializer name * tidy.index only needs controller empty state logic * build form and page components * update tidy model * alphabetize! * revert model changes * finish adapter * move form out of page folder in tests * refactor to accommodate model changes from chelseas pr * WIP tests * reuse shared fields in model * finish tests * update model hook and breadcrumbs * remove subtext for checkbox * fix tests add ACME fields * Update ui/app/adapters/pki/tidy.js * Update ui/app/adapters/pki/tidy.js * refactor intervalDuration using feedback suggested * move errors to second line, inside conditional brackets * add ternary operator to allByKey attr * surface error message * make polling request longer * UI: VAULT-16368 pki tidy custom method (#20696) * ui: adds empty state and updates modal (#20695) * add empty state to status page * update tidy modal * conditionally change cancel transition route for auto tidy form * teeny copy update * organize tidy-status conditoionals * a couple more template cleanups * fix conditional, change to settings * UI: VAULT-16367 VAULT-16378 Tidy acceptance tests + tidy toolbar cleanup (#20698) * update copy * move tidyRevokedCertIssuerAssociations up to applicable section * add tidy info to readme * update copy * UI: Add tidy as a tab to the error route (#20723) * small cleanup items * fix prettier * cancel polling when we leave tidy.index (status view) * revert changes to declaration file * remove space --------- Co-authored-by: Chelsea Shaw <cshaw@hashicorp.com> Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com> Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>	2023-05-23 23:05:15 +00:00
claire bontempo	5e5e61b5a8	UI: add pki cluster config parameters (#20724 ) * add config directory, rename crl and urls models * fix imports * add cluster config fields to edit form * reorder url save * update tests * add to details page * add details test; * fix adapter name * fix cluster adapter test name * combine adapter tests * update imports * fix git diff * move crl and urls adapters to config folder * add config file * woops add config adapter * final renaming!! * fix imports after naming to base * add cluster to beforeModel hook * hide help text * maybe you should write tests that actually pass, claire * seriously claire its embarrassing	2023-05-23 15:24:53 -07:00
Alexander Scheel	b1f0d4e495	Add nonce service to sdk/helpers, use in PKI (#20688 ) * Build a better nonce service Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add internal nonce service for testing Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add benchmarks for nonce service Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add statistics around how long tidy took Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Replace ACME nonces with shared nonce service Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add an initialize method to nonce services Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Use the new initialize helper on nonce service in PKI Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add additional tests for nonces Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Format sdk/helper/nonce Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Use default 90s nonce expiry in PKI Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Remove parallel test case as covered by benchmark Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add additional commentary to encrypted nonce implementation Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add nonce to test_packages Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>	2023-05-23 19:44:05 +00:00
Anton Averchenkov	a051ab443f	agent: Add logic to validate env_template entries (#20569 )	2023-05-23 18:37:08 +00:00
Christopher Swenson	6be214f070	fix: upgrade vault-plugin-auth-gcp to v0.16.0 (#20725 )	2023-05-23 11:24:33 -07:00
miagilepner	018ea84997	VAULT-15395: Support mocking time functions in the activity log (#20720 ) * mock time in the activity log * cleanup * fix comment * pr fixes * update comment to explain why new timer is needed	2023-05-23 16:25:23 +00:00
Steven Clark	476bec104e	Add ACME health checks to pki health-check CLI (#20619 ) * Add ACME health checks to pki health-check CLI - Verify we have the required header values listed within allowed_response_headers: 'Replay-Nonce', 'Link', 'Location' - Make sure the local cluster config path variable contains an URL with an https scheme * Split ACME health checks into two separate verifications - Promote ACME usage through the enable_acme_issuance check, if ACME is disabled currently - If ACME is enabled verify that we have a valid 'path' field within local cluster configuration as well as the proper response headers allowed. - Factor out response header verifications into a separate check mainly to work around possible permission issues. * Only recommend enabling ACME on mounts with intermediate issuers * Attempt to connect to the ACME directory based on the cluster path variable - Final health check is to attempt to connect to the ACME directory based on the cluster local 'path' value. Only if we successfully connect do we say ACME is healthy. * Fix broken unit test	2023-05-23 10:37:31 -04:00
Peter Wilson	676d1c69fe	Docs: audit - add warning when disabling device regarding HMAC (#20715 ) * added note to warn of potential issues in disabling audit when using HMAC * added to command docs pages too	2023-05-23 14:55:55 +01:00
Ethan Lowman	e2e4a9faf2	Correct signing terminology in comments and error messages (#20714 )	2023-05-23 12:44:06 +00:00
Márk Sági-Kazár	200f0c0e03	Upgrade go-jose library to v3 (#20559 ) * upgrade go-jose library to v3 Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com> * chore: fix unnecessary import alias Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com> * upgrade go-jose library to v2 in vault Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com> --------- Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>	2023-05-23 12:25:58 +00:00
miagilepner	5b23dd506f	VAULT-14735: generate mock clients for activity log (#20252 ) * first part of segment client generation * fix imports * initial pr fixes * refactor and fix * update comments * assign client type	2023-05-23 11:58:51 +02:00
claire bontempo	2ef3f7c5bf	UI: Add PKI readme and changelog for UI improvements (#20706 ) * update pki readme * add readme * make it fancier * add more info * add config improvements to entry * move changelog info to release notes * reword action summary * stop yelling in bullet points * update action	2023-05-22 21:20:13 +00:00
claire bontempo	58f299b63b	remove paragraph (#20709 )	2023-05-22 16:14:17 -04:00
Peter Wilson	732dda34e7	Allow audit entries may contain forwarded to/from host info (#20689 )	2023-05-22 20:17:20 +01:00
Alexander Scheel	0ac2fa19aa	Fix race in PKI's runUnifiedTransfer (#20701 ) * Fix race in PKI's runUnifiedTransfer During this race, we'll sometimes start (or fail to start) an additional unified transfer if the updated last run timestamp was written at the same time as another thread was reading it. Instead, delay this check until we're holding the CAS guard; this will occasionally result in more messages saying that an existing process is already running, but otherwise shouldn't impact the functionality at all. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog entry Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> --------- Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>	2023-05-22 18:31:19 +00:00
Ryan Cragun	157b976253	ci: request vpc quota increase (#20360 ) * Fix regions on two service quotas * Request an increase in VPCs per region * Pin github actions workflows Signed-off-by: Ryan Cragun <me@ryan.ec>	2023-05-22 11:18:06 -06:00
Mike Palmiotto	810d504e4f	Add current_billing_period activity endpoint param (#20694 ) * Add current_billing_period activity endpoint param This commit introduces a new parameter: `current_billing_period`, which can be used in lieu of `start_time` and `end_time` options. GET ... /sys/internal/counters/activity?current_billing_period=true now results in a response which contains the full billing period information. * changelog * Update internal counters docs	2023-05-22 09:22:45 -04:00

... 26 27 28 29 30 ...

18722 Commits