Commit Graph

18644 Commits

Author SHA1 Message Date
Peter Wilson
3ae669df34 Bump the node version (#24304)
* make node happy

* Updated package-lock.json for website
2023-11-30 19:30:31 +00:00
Christopher Swenson
9d39b6f2cb events: Add filters to keep track of local and other subscriptions (#24201)
This adds a very basic implementation of a list of namespace+eventType
combinations that each node is interested in by just running the
glob operations in for-loops. Some parallelization is possible, but
not enabled by default.

It only wires up keeping track of what the local event bus is interested
in for now (but doesn't use it yet to filter messages).

Also updates the cloudevents source URL to indicate the Vault node that generated the event.

Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-11-30 09:49:22 -08:00
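An added illustration (not Vault's events code) of the loop-over-globs subscription filter the commit above describes. The `Filter`, `subscription`, `Add` and `Matches` names are my own, namespaces are written without a trailing slash, and the sample subscriptions and events are constructed for the example:

```go
package main

import (
	"fmt"
	"path"
)

// subscription is one namespace+eventType glob pair that a node is interested in.
type subscription struct {
	namespace string // glob, e.g. "ns1" or "*"
	eventType string // glob, e.g. "kv-v2/*"
}

// Filter holds one node's subscriptions. Matching is a plain loop over the
// list, mirroring the "glob operations in for-loops" approach in the commit.
type Filter struct {
	subs []subscription
}

// Add registers a pattern pair, rejecting malformed globs up front so that a
// bad pattern cannot silently match nothing later.
func (f *Filter) Add(nsGlob, eventGlob string) error {
	for _, g := range []string{nsGlob, eventGlob} {
		if _, err := path.Match(g, ""); err != nil {
			return fmt.Errorf("bad glob %q: %w", g, err)
		}
	}
	f.subs = append(f.subs, subscription{namespace: nsGlob, eventType: eventGlob})
	return nil
}

// Matches reports whether any subscription covers the namespace and event type.
func (f *Filter) Matches(namespace, eventType string) bool {
	for _, s := range f.subs {
		nsOK, _ := path.Match(s.namespace, namespace)
		evOK, _ := path.Match(s.eventType, eventType)
		if nsOK && evOK {
			return true
		}
	}
	return false
}

func main() {
	var f Filter
	// Constructed subscriptions: all KV v2 events in ns1, database events anywhere.
	_ = f.Add("ns1", "kv-v2/*")
	_ = f.Add("*", "database/*")
	fmt.Println(f.Matches("ns1", "kv-v2/data-write"))       // true
	fmt.Println(f.Matches("ns2", "kv-v2/data-write"))       // false
	fmt.Println(f.Matches("ns2", "database/creds-create"))  // true
}
```

Note that `path.Match`'s `*` does not cross a `/`, so `kv-v2/*` matches `kv-v2/data-write` but a bare `*` event-type pattern would not; a filter that wants "everything" needs a pattern per path segment or a different matcher.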
Angel Garbarino
56f793d0c8 🧹 HDS button replacement (#24230)
* namespace things

* kmip

* init and mount-info:

* ssh sign

* replication and remove type button

* fix learn more on replication mode summary

* use dropdown.

* clean up

* Update ui/lib/kv/addon/components/kv-version-dropdown.hbs

Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>

* pr comments

* Update replication-mode-summary.hbs

* blah

* fix

* Update replication-mode-summary.hbs

* add back mount-info

---------

Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
2023-11-30 09:49:45 -07:00
Angel Garbarino
2e9578bc96 Default to Json editor if KV secret is nested (#24290)
* initial fix

* changelog

* fix

* fix test and add test coverage

* remove useless escape characters

* pr comments add more test coverage
2023-11-30 16:36:26 +00:00
Chelsea Shaw
b0ed4297bf UI: Prevent replication disable action from sending data payload (#24292)
* Prevent replication disable action from sending data payload

* Add changelog
2023-11-29 16:40:40 -06:00
Scott Miller
31f399d147 Re-wrap partial failure improvements, CE side (#24293)
* Re-wrap partial failure improvements, CE side

* Resolve import cycle
2023-11-29 15:42:07 -06:00
Violet Hynes
ef3021f1a4 Fix bug in static secret caching where no token is present in a request to Proxy (#24287) 2023-11-29 09:35:59 -05:00
Peter Wilson
64dfff080a Fix non-JSON log messages when using -log-format JSON (#24252)
* Fix non-JSON log messages when using -log-format JSON

Removed the call to consul-template's logging.Setup inside the creation of config for the Runner. Instead we call it when we assign the logger to the Agent command.

* The elusive extra line

* Adjust the approach

* changelog

* Infer levels *with* timestamp prefix

* InferLevelsWithTimestamp required InferLevels

* Test to show -log-format and -log-file working in consul-template generated messages

* classic typo

---------

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2023-11-29 12:46:18 +00:00
Violet Hynes
2dd3ab9da0 Correct required policy in static secret caching docs (#24282) 2023-11-28 16:52:21 -05:00
Angel Garbarino
ef14ae87a5 Fix KV "View secret" or "View list" HDS button styling (#24278)
* wip

* remove is-flex and put input on same different row

* remove wide
2023-11-28 21:00:28 +00:00
Scott Miller
78d756acdb Provide a more reasonable error message for disabled Shamir seals (#24275) 2023-11-28 18:03:24 +00:00
Angel Garbarino
e9f7c5bcef Fix failing LDAP test with new attribute (#24273)
* add in new attribute to fix failing api test

* fix replication test failures
2023-11-28 17:56:33 +00:00
Tom Proctor
a823fdb3ef testfix: Skip runsc test earlier (#24274) 2023-11-28 17:35:00 +00:00
Victor Rodriguez
625cb00b61 Run make fmt. (#24272) 2023-11-28 15:37:28 +00:00
Victor Rodriguez
2e54ae0d61 Check that multi-seal wrappers provide unique key IDs (#24266)
* Remove duplicate function NewToggleableTestSeal.

NewToggleableTestSeal is almost the same as NewTestSeal, so remove it and adapt
the callers to use the duplicated function.

* Remove unnecessary function CreateTestSealWrappers.

The only caller of CreateTestSealWrappers can use NewTestSeal instead and
obtain the wrappers from the seal Access object instead.

* Ensure NewTestSeal does not generate "duplicate" wrappers.

NewTestSeal uses TestWrappers to create multi-seal Access objects. However, the
default behaviour for TestWrapper is to reverse the byte slice, which means that
two different wrappers will be identical, which is a problem for testing since
one wrapper will be able to "decrypt" another wrapper's encryption.

To fix this problem, NewTestSeal now creates TestWrappers with a different
secret for each one.

* Make NewTestSeal give unique Key IDs to its test wrappers.

* Fix some typos.

* Detect multi-seal wrappers producing duplicate Key IDs.

The Access object relies on all the encryption wrappers generating distinct key
IDs, so guard against this happening.

If a duplicate key ID is detected, do not use the encrypted value produced by
the wrappers that generated it. Return an error instead.
2023-11-28 09:56:39 -05:00
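An added example (not Vault's seal package) of the two points in the commit above: test wrappers that merely reverse bytes are interchangeable, so one can "decrypt" the other's output, and a multi-seal encrypt must refuse to store results when two wrappers report the same key ID. `Wrapper`, `ReverseWrapper`, `XORWrapper`, `MultiSealEncrypt` and `CrossDecrypts` are illustrative names, and the XOR "cipher" is a toy standing in for a real wrapper:

```go
package main

import "fmt"

// Wrapper models a seal wrapper: a key ID plus encrypt/decrypt.
// Illustrative interface, not Vault's.
type Wrapper interface {
	KeyID() string
	Encrypt(plaintext []byte) []byte
	Decrypt(ciphertext []byte) []byte
}

// ReverseWrapper mimics the test-wrapper default of reversing bytes:
// every instance is functionally identical, whatever its key ID.
type ReverseWrapper struct{ id string }

func (w ReverseWrapper) KeyID() string              { return w.id }
func (w ReverseWrapper) Encrypt(p []byte) []byte    { return reverse(p) }
func (w ReverseWrapper) Decrypt(c []byte) []byte    { return reverse(c) }

func reverse(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[len(b)-1-i] = v
	}
	return out
}

// XORWrapper has a per-wrapper secret, so two instances with different
// secrets cannot read each other's output (toy cipher, not for real use).
type XORWrapper struct {
	id     string
	secret byte
}

func (w XORWrapper) KeyID() string           { return w.id }
func (w XORWrapper) Encrypt(p []byte) []byte { return xor(p, w.secret) }
func (w XORWrapper) Decrypt(c []byte) []byte { return xor(c, w.secret) }

func xor(b []byte, k byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[i] = v ^ k
	}
	return out
}

// MultiSealEncrypt encrypts with every wrapper and keys the results by key ID.
// A duplicate key ID makes the stored value ambiguous, so nothing is returned
// and the caller gets an error instead.
func MultiSealEncrypt(wrappers []Wrapper, plaintext []byte) (map[string][]byte, error) {
	out := make(map[string][]byte, len(wrappers))
	for _, w := range wrappers {
		id := w.KeyID()
		if _, dup := out[id]; dup {
			return nil, fmt.Errorf("duplicate key ID %q across seal wrappers", id)
		}
		out[id] = w.Encrypt(plaintext)
	}
	return out, nil
}

// CrossDecrypts reports whether wrapper b recovers a's ciphertext, which is
// the test-isolation failure the commit message describes.
func CrossDecrypts(a, b Wrapper, plaintext []byte) bool {
	return string(b.Decrypt(a.Encrypt(plaintext))) == string(plaintext)
}

func main() {
	pt := []byte("root key material") // constructed sample plaintext
	if _, err := MultiSealEncrypt([]Wrapper{ReverseWrapper{"k1"}, ReverseWrapper{"k1"}}, pt); err != nil {
		fmt.Println("rejected:", err)
	}
	fmt.Println("reverse wrappers cross-decrypt:", CrossDecrypts(ReverseWrapper{"k1"}, ReverseWrapper{"k2"}, pt))
	fmt.Println("distinct-secret wrappers cross-decrypt:", CrossDecrypts(XORWrapper{"k1", 0x5a}, XORWrapper{"k2", 0xa7}, pt))
}
```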
Kuba Wieczorek
8f064b90ec [VAULT-22270] API: add enterprise field to the response from /sys/health/ endpoint (#24270) 2023-11-28 14:22:33 +00:00
Tom Proctor
51d99fc7cf cli: Improve error handling for plugin commands (#24250)
* Stop supporting vault plugin info and deregister without a type argument
* Make a best-effort attempt to report whether a plugin was actually deregistered and give more descriptive errors
* Fix error message for vault plugin reload
2023-11-28 14:13:26 +00:00
Tom Proctor
030bba4e68 Support rootless plugin containers (#24236)
* Pulls in github.com/go-secure-stdlib/plugincontainer@v0.3.0 which exposes a new `Config.Rootless` option to opt in to extra container configuration options that allow establishing communication with a non-root plugin within a rootless container runtime.
* Adds a new "rootless" option for plugin runtimes, so Vault needs to be explicitly told whether the container runtime on the machine is rootless or not. It defaults to false as rootless installs are not the default.
* Updates `run_config.go` to use the new option when the plugin runtime is rootless.
* Adds new `-rootless` flag to `vault plugin runtime register`, and `rootless` API option to the register API.
* Adds rootless Docker installation to CI to support tests for the new functionality.
* Minor test refactor to minimise the number of test Vault cores that need to be made for the external plugin container tests.
* Documentation for the new rootless configuration and the new (reduced) set of restrictions for plugin containers.
* As well as adding rootless support, we've decided to drop explicit support for podman for now, but there's no barrier other than support burden to adding it back again in future so it will depend on demand.
2023-11-28 14:07:07 +00:00
Robert
3726d8fb1d Add configuration section to sync API docs (#24179)
* Add configuration section

* Add restricted root namespace alert
2023-11-27 16:10:37 -06:00
Chelsea Shaw
83a6ffcff6 UI: Replace instances of <table> with <HDS::Table> (#24257)
* Remove and replace InfoTable on replication-secondary-card

* Raft storage table update

* Known secondaries table replace

* remove vlt-table class and styles

* Fix tests
2023-11-27 15:51:46 -06:00
Steven Clark
5781891292 PKI: Address some errors that were not wrapped properly (#24118) 2023-11-27 15:50:54 -05:00
Steven Clark
c329ed8d3b api/leader: fix deadlock when namespace is set on leader calls (#24256)
* api/leader: fix deadlock when namespace is set on leader calls

* Add cl
2023-11-27 15:50:41 -05:00
kpcraig
9b7d06839f Add a /config/rotate-root path to the ldap auth backend (#24099) 2023-11-27 15:48:16 -05:00
Raymond Ho
e69b0b2bcf add custom permissions for azurekv (#23298) 2023-11-27 17:46:20 +00:00
Angel Garbarino
0ca6135f68 Glimmerize Splash Page (#24104)
* make splash page view only block content

* change invocation of component

* address some of the pr comments

* add test coverage

* remove conditional because of issue with it always showing

* solve for mfa errors

* move altcontent outside
2023-11-27 10:21:35 -07:00
Christopher Swenson
904c08e1e4 Remove runtime patch for SHA1 support in X.509 certs (#24243)
This code only executes when the Vault version is <1.11,
so is now dead code and can be removed safely.
2023-11-27 09:11:01 -08:00
Peter Wilson
511ce92852 fix import formatting (#24248) 2023-11-24 09:30:10 +00:00
Peter Wilson
3976217420 Audit: logging a response uses a separate 5 second timeout (#24238)
* added a 5s timeout to attempts to process nodes in the audit pipeline for logging a response

* added changelog

* ensure we supply namespace to the new context
2023-11-22 11:54:47 -08:00
Marccio Silva
8e8bc82a5a Update go-jose dependency to 3.0.1 (#24226) 2023-11-21 13:36:58 -08:00
Chelsea Shaw
82ca52d447 UI: Fix KV v2 json editor (#24224)
* Fix JSON editor in KVv2 unable to paste. Fixes #23940

* Default to JSON view on edit with secret is complex

* Add changelog
2023-11-21 15:11:14 -06:00
Mike Palmiotto
18e6385e05 Consistently use OperationHandler for entity paths (#24225) 2023-11-21 20:45:07 +00:00
Steven Clark
b7dff9777d Allow backends to extract credentials from payloads and trigger an authentication workflow (#23924)
* wip

* Work on the tuneable allowance and some bugs

* Call handleCancellableRequest instead, which gets the audit order more correct and includes the preauth response

* Get rid of no longer needed operation

* Phew, this wasn't necessary

* Add auth error handling by the backend, and fix a bug with handleInvalidCredentials

* Cleanup req/resp naming

* Use the new form, and data

* Discovered that tokens weren't really being checked because isLoginRequest returns true for the re-request into the backend, when it shouldn't

* Add a few more checks in the delegated request handler for bad inputs

 - Protect the delegated handler from bad inputs from the backend such
   as an empty accessor, a path that isn't registered as a login request
 - Add similar protections for bad auth results as we do in the normal
   login request paths. Technically not 100% needed but if somehow the
   handleCancelableRequest doesn't use the handleLoginRequest code path
   we could get into trouble in the future
 - Add delegated-auth-accessors flag to the secrets tune command and
   api-docs

* Unit tests and some small fixes

* Remove transit preauth test, rely on unit tests

* Cleanup and add a little more commentary in tests

* Fix typos, add another failure use-case which we reference a disabled auth mount

* PR Feedback

 - Use router to lookup mount instead of defining a new lookup method
 - Enforce auth table types and namespace when mount is found
 - Define a type alias for the handleInvalidCreds
 - Fix typos/grammar
 - Clean up globals in test

* Additional PR feedback

 - Add test for delegated auth handler
 - Force batch token usage
 - Add a test to validate failures if a non-batch token is used
 - Check for Data member being nil in test cases

* Update failure error message around requiring batch tokens

* Trap MFA requests

* Reword some error messages

* Add test and fixes for delegated response wrapping

* Move MFA test to dedicated mount

 - If the delegated auth tests were running in parallel, the MFA test
   case might influence the other tests, so move the MFA to a dedicated
   mount

* PR feedback: use textproto.CanonicalMIMEHeaderKey

 - Change the X-Vault-Wrap-Ttl constant to X-Vault-Wrap-TTL
   and use textproto.CanonicalMIMEHeaderKey to format it
   within the delete call.
 - This protects the code around changes of the constant typing

* PR feedback

 - Append Error to RequestDelegatedAuth
 - Force error interface impl through explicit nil var assignment on
   RequestDelegatedAuthError
 - Clean up test factory and leverage NewTestSoloCluster
 - Leverage newer maps.Clone as this is 1.16 only

---------

Co-authored-by: Scott G. Miller <smiller@hashicorp.com>
2023-11-21 14:36:49 -05:00
Scott Miller
913481fb1f OSS fixes (#24200) 2023-11-21 10:25:01 -06:00
Angel Garbarino
f60c643aa8 UI: HDS adoption replace <Button> in lib/replication (#24161)
* replication directory components update

* need to wait for another pr to merge for revoke and fixing a one off in distribute:

* clean up

* amend revoke with new ConfirmAction work.

* some PR comments

* remove wrapping LinkTo

* Update ui/lib/replication/addon/templates/mode/secondaries/revoke.hbs

Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>

---------

Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
2023-11-21 16:06:45 +00:00
Steven Clark
68fbb17b9c TestTransitImport: Generate Transit wrapping key with a longer context (#24212)
 - Instead of relying on the initial call to import to generate the
   wrapping key, generate it within the test setup with a longer
   dedicated timeout.
 - This hopefully is enough of a timeout for the 32 bit nightly runner
2023-11-21 10:58:44 -05:00
Scott Miller
66b3e439d8 wordsmithing (#24205) 2023-11-21 09:53:41 -06:00
Nick Cabatoff
1bf366ccdc Use our fork of bbolt to improve freelist performance (#24010) 2023-11-21 10:08:18 -05:00
Victor Rodriguez
c0014c9640 Augment testCore_Rekey_Update_Common to test for RekeyUpdate errors. (#24206) 2023-11-21 08:56:58 -05:00
Chelsea Shaw
b833b30315 UI: always send capabilities-self request in user's root namespace (#24168)
* Add getRelativePath helper and use to calculate relativeNamespace

* Always request capabilities-self on users root ns and prefix body with relative path

* Update capabilities adapter with test

* add changelog

* Simplify getRelativePath logic

* test update
2023-11-20 13:21:00 -06:00
Alex
4cf837d56a UI: HDS adoption replace footer element (#24191)
* Replace footer with `Hds::AppFooter`

* Remove unused `.footer` styles

* Add changelog entry

* Use `doc-link` helper for 'Documentation' link
2023-11-20 12:00:03 -06:00
Steven Clark
bcbd45b380 Handle expired OCSP responses from server (#24193)
* Handle expired OCSP responses from server

 - If a server replied with what we considered an expired OCSP response (nextUpdate is now or in the past), and it was our only response we would panic due to missing error handling logic.

* Add cl
2023-11-20 10:51:03 -05:00
Violet Hynes
d2afea92a1 VAULT-22030 update error message when from entity isn't found as part of automated entity merge (#24188)
* VAULT-22030 update error message when from entity isn't found as part of automated entity merge

* VAULT-22030 add extra info
2023-11-20 10:45:36 -05:00
Steven Clark
53040690a2 PKI: Do not set NextUpdate OCSP field when ocsp_expiry is 0 (#24192)
* Do not set NextUpdate OCSP field when ocsp_expiry is 0

* Add cl
2023-11-20 10:32:05 -05:00
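An added example (not Vault's OCSP code) covering the two OCSP commits above, #24193 and #24192: a response whose nextUpdate is now or in the past is treated as expired, an all-expired set yields an error rather than a nil dereference, and a response with no nextUpdate at all (what the PKI responder now emits when `ocsp_expiry` is 0) is never considered expired. `Response`, `Expired` and `Freshest` are illustrative names, the `Serial` field and sample times are constructed, and the "absent nextUpdate is always usable" rule follows RFC 6960 section 4.2.2.1:

```go
package main

import (
	"fmt"
	"time"
)

// Response holds the freshness fields of an OCSP response. A zero NextUpdate
// models a responder that omitted nextUpdate.
type Response struct {
	Serial     string // constructed identifier for the example
	ThisUpdate time.Time
	NextUpdate time.Time
}

// Expired reports whether r is stale at now: nextUpdate is now or in the past.
// An absent nextUpdate is never expired (RFC 6960: newer revocation information
// is available at any time).
func Expired(r Response, now time.Time) bool {
	if r.NextUpdate.IsZero() {
		return false
	}
	return !r.NextUpdate.After(now)
}

// Freshest picks the unexpired response with the latest thisUpdate. When every
// candidate is expired, or there are none, it returns an error instead of a nil
// pointer that a caller would dereference.
func Freshest(rs []Response, now time.Time) (*Response, error) {
	var best *Response
	for i := range rs {
		r := &rs[i]
		if Expired(*r, now) {
			continue
		}
		if best == nil || r.ThisUpdate.After(best.ThisUpdate) {
			best = r
		}
	}
	if best == nil {
		return nil, fmt.Errorf("no unexpired OCSP response among %d candidate(s)", len(rs))
	}
	return best, nil
}

func main() {
	now := time.Date(2023, 11, 20, 12, 0, 0, 0, time.UTC)
	stale := Response{Serial: "01", ThisUpdate: now.Add(-2 * time.Hour), NextUpdate: now} // nextUpdate == now: expired
	open := Response{Serial: "02", ThisUpdate: now.Add(-3 * time.Hour)}                    // no nextUpdate: usable
	if r, err := Freshest([]Response{stale, open}, now); err == nil {
		fmt.Println("using serial", r.Serial)
	}
	if _, err := Freshest([]Response{stale}, now); err != nil {
		fmt.Println("error:", err)
	}
}
```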
claire bontempo
4ac07e1d97 UI: HDS adoption replace <ConfirmAction> component (#21520)
* replace confirm-action dropdown with button+modal

* add modal frame to sidebar

* fix weird paragraph indent

* pass button text as arg

* add warning color to rotate modals

* update seal action and config ssh

* cleanup confirm action

* edit form

* add dropdown arg

* put back seal text

* put back confirm button text

* fix toolbar styling

* popup member group

* move up title

* finish popup- components

* keymgmt

* fix modal button logic

* remaining app template components

* add period for angel

* vault cluster items

* add button text assertion

* remaining instances

* remove arg for passing confirm text

* contextual confirm action components

* delete old components

* update docs

* amend dropdown loading states, add getter for confirm button color

* address feedback

* remove @disabled arg and add @disabledMessage

* add changelog;

* mfa tests

* update test selectors

* lol cleanup selectors

* start confirm action tests WIP

* move dropdown class directly to component

* add default color of isInDropdown

* final cleanup

* add tests

* remove @buttonColor as arg for dropdown

* update confirm action tests

* update modals with disabled message

* refactor provider edit test
2023-11-17 23:44:21 +00:00
Angel Garbarino
24f5807da4 UI: HDS adoption replace <Button> in lib/pki (#24176)
* initial run through

* search for button

* wip addressing pr comments

* wip clean up

* clean up

* address overview

* add in conditional
2023-11-17 22:34:54 +00:00
Divya Pola
117118e2bd Add error checking when creating seal.Access object (#24181) 2023-11-17 19:28:24 +00:00
Theron Voran
5415d3c8a1 docs/vault-secrets-operator: GKE workload identity auth (#23684)
Adding overview docs for using GKE workload identity with Vault
Secrets Operator under Secret Sources/Vault/Auth Methods/. Updates the
Vault Auth method section in the Vault/Auth Methods overview page with
links to the VSO API sections for the other supported auth methods
(until they have their own pages).
---------
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
2023-11-17 11:06:10 -08:00
Theron Voran
f951fe5429 docs/vault-helm: updates for v0.27.0 release (#24178) 2023-11-17 10:13:48 -08:00
Ben Ash
fb29c1437a Update VSO docs for v0.4.0 (#24171) 2023-11-16 17:00:22 -05:00
Nick Cabatoff
edb60b63f7 Use test package parallelism of 2 for docker/binary-based tests. (#24173) 2023-11-16 16:27:43 -05:00