20858 Commits

Author SHA1 Message Date
Brian Shumate
0c76cb83e1 Docs: API: update raft snapshot config (#29508)
- Ensure parameters are present for Ent backport
- Update heading
2025-02-05 13:17:32 -05:00
Paul Banks
6dc69291bf identity (CE): Persist conflict resolution after rename (#29471)
This PR introduces a test which exercises Vault's renameResolver and
asserts deterministic state after invalidation. To ensure that automatic
de-duplication is consistent across all nodes, we detect the node's
cluster status and persist renames IFF the node is active.

The PR includes some modifications to deterministic reload testing,
since they now have the side-effect of persistence on active nodes, as
well as tests for consistency in the face of storagePacker bucket
invalidation.

This commit introduces a random seed variable to be used with UUID
generation in Identity Store determinism tests. The seed is
automatically generated or passed via an environment variable, and is
displayed on test failure. This allows for easy reproduction
of any test failures for later debugging.
2025-02-05 10:29:52 -05:00
Nick Cabatoff
38c3e15e1e Add support for reloading raft config (#29485) 2025-02-05 15:08:46 +00:00
Scott Miller
0c3449dacd Missed updating go-secure-stdlib in sdk :( (#29502) 2025-02-04 19:54:40 +00:00
Sai Aung Hlyan Htet
16438470f7 CLI: add an option for renew command fail on non-fulfillable request to allow command chaining (#29060)
Signed-off-by: saiaunghlyanhtet <saiaunghlyanhtet2003@gmail.com>
2025-02-04 16:04:26 -03:00
Scott Miller
7b40df7b64 Update go-secure-stdlib (#29501) 2025-02-04 12:58:31 -06:00
Scott Miller
5752e64d09 Update azure key vault wrapper (#29499)
* Update azure key vault wrapper

* changelog
2025-02-04 17:58:40 +00:00
Angel Garbarino
c0ece88d1b Clean up on Azure configuration (#29482)
* put in more options and make generic root password ttl

* small changes
2025-02-04 09:16:46 -07:00
Bianca
2928492d4a Fix group creation forwarding (#29483) 2025-02-04 10:49:42 +01:00
Thy Ton
6f8b5daa7d ignore database_ent.proto from buf linter (#29492) 2025-02-03 16:42:26 -08:00
John-Michael Faircloth
0df92739ca docs: fix include syntax in upgrade guides (#29487) 2025-02-03 14:34:22 -05:00
claire bontempo
5d91f7d9bc UI: Fix token renewal breaking policy checks (#29416)
* set namespace_path in renewal method

* add tests

* add changelog
2025-02-03 10:56:39 -08:00
Scott Miller
73a98ddd48 Update go-kms-wrapping wrapper dependencies, adding ParsePaths support for sensitive values. (#29402)
* Update go-kms-wrapping wrapper dependencies, adding ParsePaths support for sensitive values

* changelog

* document indirect value references, e.g ParsePath
2025-02-03 18:23:52 +00:00
Thy Ton
193796bfc9 refactor database plugin SDK (#29479)
* prepare for enterprise database plugin SDK development
2025-02-03 09:50:33 -07:00
Ryan Cragun
cda9ad3491 VAULT-33074: add github sub-command to pipeline (#29403)
* VAULT-33074: add `github` sub-command to `pipeline`

Investigating test workflow failures is a common task that engineers on the
sustaining rotation perform. This task often requires quite a bit of
manual labor by manually inspecting all failed/cancelled workflows in
the Github UI on a per repo/branch/workflow basis and performing root cause
analysis.

As we work to improve our pipeline discoverability this PR adds a new `github`
sub-command to the `pipeline` utility that allows querying for such workflows
and returning either machine readable or human readable summaries in a single
place. Eventually we plan to automate sending a summary of this data to
an OTEL collector automatically but for now sustaining engineers can
utilize it to query for workflows with lots of various criteria.

A common pattern for investigating build/enos test failure workflows would be:
```shell
export GITHUB_TOKEN="YOUR_TOKEN"
go run -race ./tools/pipeline/... github list-workflow-runs -o hashicorp -r vault -d '2025-01-13..2025-01-23' --branch main --status failure build
```

This will list `build` workflow runs in `hashicorp/vault` repo for the
`main` branch with the `status` or `conclusion` of `failure` within the date
range of `2025-01-13..2025-01-23`.

A sustaining engineer will likely do this for both `vault` and
`vault-enterprise` repositories along with `enos-release-testing-oss` and
`enos-release-testing-ent` workflows in addition to `build` in order to
get a full picture of the last week's failures.

You can also use this utility to summarize workflows based on other
statuses, branches, HEAD SHAs, event triggers, github actors, etc. For
a full list of filter arguments you can pass `-h` to the sub-command.

> [!CAUTION]
> Be careful not to run this without setting strict filter arguments.
> Failing to do so could result in trying to summarize way too many
> workflows resulting in your API token being disabled for an hour.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2025-01-31 13:48:38 -07:00
Theron Voran
6a87419ab0 CE changes for VAULT-33018 (#29470) 2025-01-31 11:11:44 -08:00
Leland Ursu
20795f32a6 added the 1.18.4, 1.17.11, and 1.16.15 changelog entries (#29464)
* added the 1.18.4, 1.17.11, and 1.16.15 changelog entries

* added manual changelog entry

* Update CHANGELOG.md

Co-authored-by: Meggie <meggie@hashicorp.com>

* Update CHANGELOG.md

Co-authored-by: Meggie <meggie@hashicorp.com>

* moved the CL entry about a feature to improvement since we don't ship features in minor releases

* added more context to the dep change record

* updated an improvement to be inline with others

---------

Co-authored-by: lursu <leland.ursu@hashicorp.com>
Co-authored-by: Meggie <meggie@hashicorp.com>
2025-01-31 17:54:43 +00:00
claire bontempo
9d0a01036e UI: Adds serial_number_source to pki role form (#29469)
* add serial_number_source to pki role form

* update test
2025-01-31 09:16:54 -08:00
Sarah Chavis
1b5260d696 Suggested edits for identity doc updates (#29339)
* Identity dupe resolution guide first draft

* initial edits

* save progress

* save changes

* add script to find template policies

* save progress

* save work

* push latest updates

* missed one

* Update website/content/docs/upgrading/deduplication/entity-group.mdx

Co-authored-by: Paul Banks <pbanks@hashicorp.com>

* apply additional feedback

* apply feedback

---------

Co-authored-by: Paul Banks <pbanks@hashicorp.com>
2025-01-31 08:53:06 -08:00
Bruno Oliveira de Souza
d127c4de93 VAULT-21474 Run oidcPeriodicFunc for each namespace id store (#29312)
* run oidcPeriodicFunc for each namespace id store

* remove unused noNamespace var

* properly check for errors getting namespace

not sure why I decided to ignore the NoNamespace error before
or not log the unexpected error; that doesn't make sense.

* add changelog

* improve changelog

* remove too many namespace warning for OIDC rotations

this was already in the ENT PR; I had already checked that the file didn't exist on CE before, but somehow I missed it.
2025-01-31 13:04:04 -03:00
Mike Palmiotto
6d5759ecb3 identity: Introduce ActivationFunc for managing feature state (#29467)
* identity: Ensure state is changed on activation

This PR introduces some changes to the way activation flags are
processed in Vault.

Rather than reaching into subsystems and modifying
state from the activationflags package, each plugin can now register its
own ActivationFunc. Updates to activation flags now trigger the
feature's ActivationFunc, which can encapsulate the associated
subsystem state.

We include a few bugfixes and minor cosmetic changes, like updates to
log lines and godocs.

* Check for nil system backend

* Move deduplication activation to common file

* Add identity dedup activation log lines

* Make interface methods clearer

* Clean up some comments

* More cleanups

* fixup! More cleanups

* fixup! More cleanups
2025-01-31 12:25:07 -03:00
Angel Garbarino
14082d08f1 Add GCP secret engine configuration Create/Edit views (#29423)
* gcp initial changes

* acceptance test coverage for gcp

* update config-wif component test so tests are passing

* specific gcp test coverage

* changelog

* comment clean up

* one more test

* comment things

* address pr comments
2025-01-30 13:37:20 -07:00
Nick Cabatoff
9c0f2fbfe5 Add docs for new iteration of ent operator import feature (#29406) 2025-01-30 15:31:43 -05:00
akshya96
39e7fae801 adding extra test (#29457) 2025-01-30 09:50:38 -08:00
John-Michael Faircloth
5e173b0355 docs: db and ldap secrets engine known issues (#29449) 2025-01-30 11:19:49 -06:00
Dan Rivera
3c5ec5d3b4 UI: Fix text overflow for long Secret and Auth names (#29430)
* adding overflow class to link text

* adding separate class to fix overflow text on list & card views

* adding class to search list items to handle overflow

* adding ellipsis instead of just hidden for visual indicator

* added changelog

* updating styling to use helper classes, added child class to global style, updated changelog

* added test checks for overflow classes
2025-01-30 11:21:49 -05:00
Bianca
d75ae97bd1 Add testonly endpoints for Identity testing (#29461) 2025-01-30 09:28:58 -05:00
miagilepner
46ee2d0024 Fix log level when starting a raft node (#29459) 2025-01-30 11:46:55 +01:00
Sarah Chavis
39bce9fde3 [DOCS] SEO updates for docs under /enterprise (#29456)
* save progress

* SEO updates for docs under /enterprise
2025-01-29 17:47:51 -08:00
Violet Hynes
c090d31aaa Fix tech preview typo (#29455) 2025-01-29 16:52:26 -08:00
Sarah Chavis
e38052d1ec [main] Fix reference to "vault policies" command (#29453) 2025-01-29 12:55:22 -08:00
Kit Haines
371ffc4bd4 Move all pki-verification calls from sdk-Verify() to pki-specific (#29342)
* Move all pki-verification calls from sdk-Verify() to pki-specific
VerifyCertifcate(...); update sdk-Verify to allow multiple chains,
but validate that at least one of those chains is valid.

* Updates to Validate on Parse PEMBlock, so that a single cert or a single key parses (test fixes).

* Add changelog.

* Make test certificate expire in a while, not at linux epoch.

* Remove duplicate code.

* Fix header file + go mod tidy.

* Updates based on review.
2025-01-29 11:05:55 -05:00
Steven Clark
fbd28dff23 Document new serial_number_source PKI role field (#29438) 2025-01-29 09:42:04 -05:00
Victor Rodriguez
f4fab41e7e Fix missing permitted_dns_domains parameter when signing certificates (#29436)
* Use PermittedDNSDomains parameter when signing certificates.

* Add missing name constraints extension docs for PKI root/generate.
2025-01-28 14:54:20 -08:00
vinay-gopalan
838a38443f Update Rotation Manager OSS Stubs and SDK methods (#29401) 2025-01-28 14:24:44 -06:00
aphorise
4fcc547eba Docs: GCP Project code missing from docs. (#29391) 2025-01-28 12:16:47 -08:00
akshya96
87d6876c6c Deleted namespace client counts is now shown when queried from admin namespace CE changes (#29432)
* adding ce changes from vault-33413-ent

* add changelog
2025-01-27 13:43:25 -08:00
Ryan Cragun
012cd5a42a VAULT-33008: ipv6: always display RFC-5952 §4 conformant addresses (#29228)
USGv6[0] requires implementing §4.1.1 of the NISTv6-r1 profile[1] for
IPv6-Only capabilities. This section requires that whenever Vault
displays IPv6 addresses (including CLI output, Web UI, logs, etc.) that
_all_ IPv6 addresses must conform to RFC-5952 §4 text representation
recommendations[2].

These recommendations do not prevent us from accepting RFC-4291[3] IPv6
addresses, however, whenever these same addresses are displayed they
must conform to the strict RFC-5952 §4 guidelines.

This PR implements handling of IPv6 address conformance in our
`vault server` routine. We handle conformance normalization for all
server, http_proxy, listener, seal, storage and telemetry
configuration where an input could contain an IPv6 address, whether
configured via an HCL file or via corresponding environment variables.

The approach I've taken is to handle conformance normalization at
parse time to ensure that all log output and subsequent usage
inside of Vault's various subsystems always reference a conformant
address, that way we don't need to concern ourselves with conformance
later. This approach ought to be backwards compatible to prior loose
address configuration requirements, with the understanding that
going forward all IPv6 representation will be strict regardless of
what has been configured.

In many cases I've updated our various parser functions to call the
new `configutil.NormalizeAddr()` to apply conformance normalization.
Others required no changes because they rely on standard library URL
string output, which always displays IPv6 URLs in a conformant way.

Not included in these changes is any other vault exec mode other than
server. Client, operator commands, agent mode, proxy mode, etc. will
be included in subsequent changes if necessary.

[0]: https://www.nist.gov/publications/usgv6-profile
[1]: https://www.nist.gov/publications/nist-ipv6-profile
[2]: https://www.rfc-editor.org/rfc/rfc5952.html#section-4
[3]: https://www.rfc-editor.org/rfc/rfc4291

Signed-off-by: Ryan Cragun <me@ryan.ec>
2025-01-27 14:14:28 -07:00
Steven Clark
9456671f04 Prepare code base for Go 1.24 update. (#29412)
* Fix "t.Fatal from a non-test goroutine" errors in cache_test.go

 - t.Fatal(f) should not be called within a Go routine based on its documentation, and only from the main test's thread.
 - In 1.24 this seems to cause build failures

* Address all "non-constant format string errors" from go vet

 - Within 1.24 these now cause test builds to fail

…" from go vet
2025-01-27 14:34:07 -05:00
Violet Hynes
5ff8a3d6f1 Fix SDK net and crypto versions on main (#29429) 2025-01-27 14:13:59 -05:00
Angel Garbarino
53d2ae2a4d add serialNumberSource to get backend test change but not show visually until design input (#29424) 2025-01-27 10:48:43 -07:00
Violet Hynes
32d61c3893 Update go/x/net and go/x/crypto to latest versions throughout (#29422) 2025-01-27 10:47:40 -05:00
devon-mar
a401afe824 Add serial_number_source option to PKI role (#29369)
* Add `serial_number_source` option to PKI role

* Add changelog for #29369

---------

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2025-01-27 08:51:26 -05:00
Bruno Oliveira de Souza
e0d60e91d1 add docs for missing accessor flag in token renew command (#29347) 2025-01-27 10:49:29 -03:00
John-Michael Faircloth
04e75372fb database/mssql: set default root rotation stmt for contained db (#29399)
* database/mssql: set default root rotation stmt for contained db

* changelog

* add rotate root test

* fix test

* update passwords to make mssql happy

* create admin user

* update contained user create query

* remove test
2025-01-24 15:42:27 -05:00
claire bontempo
9d31bb8586 add enableSamaccountnameLogin param (#29410) 2025-01-24 20:09:47 +00:00
Ryan Cragun
b239a71934 actions: pin to the latest approved workflows (#29321)
The genesis of this PR is updating our cache action due to older actions
being shut down[0]. While not mentioned in the changelog, the migration
guide does call out versions <3.4.0 or <4.2.0 as too old.[1]

Since I was updating cache I went ahead and updated minor versions of
all our actions.

[0]: https://github.blog/changelog/2024-12-05-notice-of-upcoming-releases-and-breaking-changes-for-github-actions/#actions-cache-v1-v2-and-actions-toolkit-cache-package-closing-down
[1]: https://github.com/actions/cache/discussions/1510

Signed-off-by: Ryan Cragun <me@ryan.ec>
2025-01-24 20:08:01 +00:00
John-Michael Faircloth
28b2746545 db: return success response on static role create/update (#29407) 2025-01-24 11:02:38 -08:00
Equus quagga
19adf7c6cc Adds an option to enable sAMAccountname logins when upndomain is set (#29118)
* Adds an option to enable sAMAccountname logins when upndomain is set

* Adds an option to enable sAMAccountname logins when upndomain is set

* Updated changelog entry

* Update 29118.txt

* Updated cap/ldap version due to needed dependency

* Updated cap/ldap version due to needed dependency

* Restart CI

* Updated LDAP api-docs and docs describing the enable_samaccountname_login option

* Added missing comma in config_test.go

* Update enables_samaccountname

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update enable_samaccountname_login feature documentation

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

---------

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
2025-01-24 12:08:18 -06:00
Angel Garbarino
088bb4b6b9 One WIF configuration component (#29367)
* make one component and make one test file for that component. remove the two components and associated files the new component replaces

* make access type subtext dynamic based on model type

* clean up

* clean up

* remove model attr for display purposes

* split out lease to another second config model type and make is-wif-engine helper

* welp missed the old controller

* small removal of overkill comment

* pr feedback

* save lease config if only thing changed

* error handling in acceptance test

* test fix

* replace notOk with throw

* move back error message

* clean up focused largely on wif component test

* replace ok with true
2025-01-24 11:05:00 -07:00