* VAULT-22481: Audit filter node (#24465)
* Initial commit on adding filter nodes for audit
* tests for audit filter
* test: longer filter - more conditions
* copywrite headers
* Check interface for the right type
* Add audit filtering feature (#24554)
* Support filter nodes in backend factories and add some tests
* More tests and cleanup
* Attempt to move control of registration for nodes and pipelines to the audit broker (#24505)
* invert control of the pipelines/nodes to the audit broker vs. within each backend
* update noop audit test code to implement the pipeliner interface
* noop mount path has trailing slash
* attempting to make NoopAudit more friendly
* NoopAudit uses known salt
* Refactor audit.ProcessManual to support filter nodes
* HasFiltering
* rename the pipeliner
* use exported AuditEvent in Filter
* Add tests for registering and deregistering backends on the audit broker
* Add missing licence header to one file, fix a typo in two tests
---------
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>
* Add changelog file
* update bexpr datum to use a strong type
* go docs updates
* test path
* PR review comments
* handle scenarios/outcomes from broker.send
* don't need to re-check the complete sinks
* add extra check to deregister to ensure that re-registering non-filtered device sets sink threshold
* Ensure that the multierror is appended before attempting to return it
---------
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>
* Add obfuscateData method and tests
* add obscure option to JsonEditor + tests
* Enable obscured values for KV v2 details when secret is advanced
* coverage on kv acceptance test
* Add changelog
* VAULT-21427 change ui references from K/V to KV
* references in docs/
* website json data
* go command errors
* replace Key/Value with Key Value
* add changelog
* update test
* update secret list header badge
* two more test updates
* Add util for determining whether secret data is advanced
* Add test coverage for bug
* use non-dumb logic for detecting advanced object
* Add changelog
* Add header
* Move util to core
* Add escaped newline to test coverage
* headers again *eyeroll*
* Ember Engine Setup for Secrets Sync (#23653)
* ember engine setup for secrets sync
* Update ui/lib/sync/addon/routes.js
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Sync Mirage Setup (#23683)
* adds mirage setup for sync endpoints
* updates secret_name default in sync-association mirage factory
* UI Secrets Sync: Ember data sync destinations (#23674)
* add models
* adapters
* base model adapter
* update test response
* add sync destinations helper
* finish renaming base destination model/adapter
* add comment
* add serializer
* use normalizeItems instead
* destination serializer test
* add destination find method;
* add conditional operand
* UI Secrets Sync: Overview landing page (#23696)
* add models
* adapters
* base model adapter
* update test response
* add sync destinations helper
* finish renaming base destination model/adapter
* add comment
* add serializer
* doc-link helper
* add version service
* landing and overview component
* overview page
* add tests
* UI Secrets Sync: Destinations adapter add LIST (#23716)
* add models
* adapters
* base model adapter
* update test response
* add sync destinations helper
* finish renaming base destination model/adapter
* add comment
* add serializer
* doc-link helper
* add version service
* landing and overview component
* overview page
* build out serializer and adapters
* update mirage
* fix merge conflicts
* one more conflict!
* pull transformQueryResponse to separate method in adapter
* move data transforming all to serializer and tests
* add note to paginationd ocs
docs
* conditionally render CTA
* add lazyPaginatedQuery method to destinations route
* remove partial error
* Secrets Sync: Destinations create - select type (#23792)
* add category to destinations
* build select type page
* refactor prompt config situation
* routing for destinations
* update select-type routing
* make card width fixed
* revert CTA routing change, keep shouldRenderOverview
* add header for gif demo to form
* cleanup scope
* more scope cleanup
* add test
* add type selector
* rename components
* rename again
* remove async
* fix tests
* fix select type rename in test
* delete renamed test
* fix import of general selectors
* rename using component syntax
* UI Secrets Sync: Create destination form and route (#23806)
* add model attribute metadata
* add form and save url, remove name and type from serializer
* move checkbox list to form field helper
* add styling to alert inline
* use newly made class
* fix cancel action and cleanup form
* change quotes
* remove checkbox action from form component
* add tests
* address feedback
* add API error test
* use create record method instead
* adapter test for create record
* return from find method if type is undefined
* cleanup test selectors
* secrets sync: refactor sync destinations helper (#23839)
* refactor getter in base destination model
* add getters back to model
* Secrets sync UI: Destination details page (#23842)
* change labels to match params
* add maskedParams to base model
* add details route
* add details view;
* update mirage
* fix secrets sync link;
* delete parent destination route
* add copyright header
* add secrets route
* move sync route outside of secrets/ route
* upate mirage
* export to-label
* finish tests
* make ternary
* rename header tabs
* fix selector in test
* Secrets Sync UI: Cleanup headers + tabs (#23873)
* remove destination header component, add headers/tabs to all routes
* fix header padding
* move tabs + toolbar back into component...
* add copyright header
* add delete modal
* lol revert again
* add extra line after copyright header
* Secrets Sync Destinations List View (#23949)
* adds route and page component for sync destinations list view
* filters by type first for sync destinations
* adds test for store.filterData method
* Update ui/app/services/store.js
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* updates nav link label for secrets sync
* moves sync destinations types out of app-types
* moves loading-dropdown-option component to core addon and adds to destination list item menu
* change true assertion to deepEqual in sync destinations test
* adds copyright header to sync-destinations type file
* clear store dataset on sync destination create
---------
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* Sync Destinations Capabilities (#23953)
* adds route and page component for sync destinations list view
* filters by type first for sync destinations
* adds test for store.filterData method
* adds capabilities checks for sync destinations
* removes canList from sync destinations capabilities
* updates sync header tests
* Update ui/tests/integration/components/sync/sync-header-test.js
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* updates sync destination response serialization
* updates sync destination serializer test
* updates sync destinations page test assertions
* fixes mirage sync destinations payload issue
* removes commented out method in sync destination adapter
* fixes inconsistencies with url generation for sync destinations delete
* fixes sync destinations page test
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Sync Associations Ember Data Setup (#24132)
* adds model, adapter and serializer for sync associations
* updates sync association adapter save methods to use adapterOptions to determine action
* Sync Destination Secrets Route and Page Component (#24155)
* renames sync destination header component and adds tests
* adds destination secrets route and page component
* adds setup-models helper for sync testing
* moves destination details test into subdir
* adds destination secrets page component tests
* adds controller for destination secrets route
* fixes pagination route on destination secrets view
* fixes sync association updated_at assertion based on timezone
* updates kv secret details external route name
* updates usage of old spacing style variable after merge
* use confirm action instead of contextual confirm (old) component (#24189)
* UI Secrets Sync: Adds secret status to kv v2 details page (#24208)
* woops! missed this styling for confirm action swap
* update link to go to destination secrets
* change edit to view secret from destination secrets list
* add synDestination to external routes for kv engine
* add sync status badge component
* export from addon
* splaattributes
* poll sync status for kv secret details and render
* move from controller to component
* update name to new destinationName key
* reorder list view items
* add refresh button
* add mirage data
* change to loading static
* update icons to be sync specific
* change name
* move button and change fetch to concurrency task
* add tests to kv details
* add color assertion
* add copyright header
* small test tweaks
* Update ui/tests/integration/components/sync-status-badge-test.js
* fixes test
---------
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
* Sync Secrets to Destination (#24247)
* fixes issue with filter-input debounce and updates to spread attributes for input rather than use args
* adds destination sync page component
* removes unused var in sync component
* adds test for manual mount path input in sync view
* updates mount filtering in destinations sync page to target kv v2
* Secrets Sync Landing Page Images (#24277)
* updates sync landing page to add marketing images
* removes top margin from sync landing-cta
* adds aria-describedby to sync landing images
* UI Secrets Sync: Serialize trailing slash from destination type (#24294)
* remove trailing slash from type in destination LIST response
* update keys in mirage and tests
* Sync Overview (#24340)
* updates landing-cta image to png with matching height
* adds ts definitons for sync adapters
* updates sync adapters and serializers to add methods for fetching overview data
* adds sync associations list handler to mirage and seeds more associations in scenario
* adds table and totals cards to sync overview page
* adds sync overview page component tests
* fixes tests
* changes lastSync key to lastUpdated for sync fetchByDestinations response
* adds emdash as placeholder for lastUpdated null value in secrets by destination table
* updates to handle 0 associations state for destination in overview table
* Secrets Sync UI: Add loading and error substates (#24353)
* add error substate
* add loading substates
* delete loading from secrets route
* Remove is-version Helper (#24388)
* removes is-version helper and injects service into components
* updates sync tests using version service to new API
* adds comment back for tracked property in secret detials page component
* updates sync tests to use common selectors (#24397)
* update capitalization to consistently be titlecase, fix breadcrumb selector
* clears sync associations from store on destination sync page component destroy (#24450)
* KV Suggestion Input (#24447)
* updates filter-input component to conditionally show search icon
* adds kv-suggestion-input component to core addon
* updates destination sync page component to use KvSuggestionInput component
* fixes issue in kv-suggestion-input where a partial search term was not replaced with the selected suggestion value
* updates kv-suggestion-input to retain focus on suggestion click
* fixes test
* updates kv-suggestion-input to conditionally render label component
* adds comments to kv-suggestion-input regarding trigger
* moves alert banner in sync page below button set
* moves inputId from getter to class property on kv-suggestion-input
* Secrets Sync UI: Editing a destination (#24413)
* add form field groups to sync models
* update create-and-edit form to use confirmLeave and enableInput component
* enable input component
* add more stars
* update css comments
* Update ui/app/styles/helper-classes/flexbox-and-grid.scss
* make attrOptions optional
* remove decorator
* add env variables to subtexr
* add subtext to textfile
* fix overviwe transition bug
* remove breadcrumbs to getter
* WIP adapter update
* update mirage response
* add update method with PATCH
* add patch to application adapter
* fix typo
* finish tests
* remove validations because could use environment variables
* use getter and setter in model
* move update record business to serializer
* rest of logic in serializer;
gp
;
gp
* add model validation warnings
* cleanup getters
* pull create/update logic into method for mirage
* add test for validation warning
* update KV copy
* Sync Success Banner (#24491)
* adds success banner to destination sync page
* move submit disabled logic to getter in destination sync page
* adds id and for attributes to kv mount input in sync page
* hides sync success banner on submit
* use Sync secrets everywhere (remove new) (#24494)
* use Sync secrets everywhere (remove new)
* revert test name change
* Sync Destinations List Filter Bug (#24496)
* fixes issues filtering destinations list
* adds test
* fixes Sync now action text alignment in destination secrets list
* UI Secrets sync: Add purge query param to delete endpoint (#24497)
* adds updated_at to mirage set association handler
* adds changelog entry
* add enterprise in parenthesis for changelog
* addres a11y feedback
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: clairebontempo@gmail.com <clairebontempo@gmail.com>
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* redirect for deshow/details view
* test coverage
* not found test fix
* changelog
* test fixes and amend for create route with no secret
* handle router with no secret
* add more coverage
* Update 24339.txt
* Update secret-edit.js
* Update secret-edit.js
* restructure conditional because list-directory will never be a thing in this view
* Update secret-edit.js
* remove show for directory. that doesn't exists
* blah fix test
* fix conditional
* remove meep
* add getter to metadata model
* add changelog and data model fix
* add test coverage
* add nested create coverage
* Update 24404.txt
* remove from data model
* return to how it was
* upgrade to 3.1.0
* VAULT-22471 upgrade to latest version
* fix other selectors
* fix pki tests
* fix copy dropdown
* generated breadcrumbs
* mfa crumbs
* oidc crumbs
* identity crumbs
* use hds crumbs in page::breadcrumbs file
* rename selectors to be consistent
* remaining oidc
* update empty state link style to match hds
* repl empty state
* rep empty state 2
* policy and secret error template
* replace yielded KeyValueHeader elements directly with HDS breadcrumbs
* remove yield from KeyValueHeader
* use key value header in secret header
* update pki header
* kmip breadcrumbs
* replace key-value-header classes
* ssh sign
* replace key value with breadcrumbs
* update selectors part 1
* add a tags
* policy tests
* add crumb index back
* add current route to generated item
* another round of test updates
* remove root link test selector
* secrets/secrete test
* add changelog
* trailing icon
* delete breadcrumb css
* consistently change to sentence case
* titlsecase!
Update requests to /sys/identity/entity/merge perform merges on perfStandby nodes in memory and skip the persist call.
This commit changes the behavior for the merge endpoint, forcing it to be forwarded from the standby to the active node. This change is specifically scoped to manual merges, as automatic merges are not isolated to a specific endpoint and require careful consideration for all callers.
* fix -log-file so that it uses the correct name and only adds timestamps on rotation
* added some tests for naming/rotation
* changelog
* revert to previous way of getting created time
* remove unused stat
* comment shuffle
* Update changelog/24297.txt
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* Update website/content/docs/agent-and-proxy/agent/index.mdx
Update 'agent' docs page
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/agent-and-proxy/proxy/index.mdx
Update 'proxy' docs page
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/commands/server.mdx
Update 'server' docs page
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* fix typos
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* replace paddingTop with clas
* use hds alert for AlertInline component
* remve isSmall arg
* add test selector back
* remove mimicRefresh arg
* update assertion for alert inline component
* update string-list
* use alert inline for string-list
* add changelog
* update block instances of alert inline
* remove p tags from test selectors
* minor cleanup
* reload seals on SIGHUP
* add lock in SetSeals
* move lock
* use stubmaker and change wrapper finalize call
* change finalize logic so that old seals will be finalized after new seals are configured
* add changelog
* run make fmt
* fix fmt
* fix panic when reloading seals errors out
This adds a very basic implementation of a list of namespace+eventType
combinations that each node is interested in by just running the
glob operations in for-loops. Some parallelization is possible, but
not enabled by default.
It only wires up keeping track of what the local event bus is interested
in for now (but doesn't use it yet to filter messages).
Also updates the cloudevents source URL to indicate the Vault node that generated the event.
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Fix non-JSON log messages when using -log-format JSON
Removed the call to consul-template's logging.Setup inside the created of config for the Runner. Instead we call it when we assign the logger to the Agent command.
* The elusive extra line
* Adjust the approach
* changelog
* Infer levels *with* timestamp prefix
* InferLeveslWithTimestamp required InferLevels
* Test to show -log-format and -log-file working in consul-template generated messages
* classic typo
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* Stop supporting vault plugin info and deregister without a type argument
* Make a best-effort attempt to report whether a plugin was actually deregistered and give more descriptive errors
* Fix error message for vault plugin reload
* Pulls in github.com/go-secure-stdlib/plugincontainer@v0.3.0 which exposes a new `Config.Rootless` option to opt in to extra container configuration options that allow establishing communication with a non-root plugin within a rootless container runtime.
* Adds a new "rootless" option for plugin runtimes, so Vault needs to be explicitly told whether the container runtime on the machine is rootless or not. It defaults to false as rootless installs are not the default.
* Updates `run_config.go` to use the new option when the plugin runtime is rootless.
* Adds new `-rootless` flag to `vault plugin runtime register`, and `rootless` API option to the register API.
* Adds rootless Docker installation to CI to support tests for the new functionality.
* Minor test refactor to minimise the number of test Vault cores that need to be made for the external plugin container tests.
* Documentation for the new rootless configuration and the new (reduced) set of restrictions for plugin containers.
* As well as adding rootless support, we've decided to drop explicit support for podman for now, but there's no barrier other than support burden to adding it back again in future so it will depend on demand.
* added a 5s timeout to attempts to process nodes in the audit pipeline for logging a response
* added changelog
* ensure we supply namespace to the new context
* Add getRelativePath helper and use to calculate relativeNamespace
* Always request capabilities-self on users root ns and prefix body with relative path
* Update capabilities adapter with test
* add changelog
* Simplify getRelativePath logic
* test update
* Handle expired OCSP responses from server
- If a server replied with what we considered an expired OCSP response (nextUpdate is now or in the past), and it was our only response we would panic due to missing error handling logic.
* Add cl
* Use seal wrappers rather than config to determine autoSeal barrier type.
A seal's Access object contains all seal configuration, which in the case of
seal migration includes the "unwrap seal" as well as the barrier seal. Thus, to
determine whether an autoSeal is of a specific type such as 'Transit' or whether
it is a 'Multiseal', use the wrappers of the seal's Access.
* Fix seal type reported by /sys/seal-status.
Fix an error that resulted in the wrong seal type being reported while Vault is
in seal migration mode.
* allow to skip TLS check in acme http-01 challenge
* remove configurable logic, just ignore TLS
* add changelog
* Add test case
---------
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
