* Fixed OAuth redirect not working on Android Chrome
This fixes the issue described in https://github.com/hashicorp/vault/issues/16778.
Navigation is blocked in Android Chrome while redirecting back after OIDC authentication.
The issue is explained by the lead maintainer of AppAuth (https://stackoverflow.com/a/41882732).
The latest Chrome version redirects to the app only if the redirect is triggered by the user, not automatically. Hence, a link is added in the UI to redirect back to the app.
* Update ui/app/templates/vault/cluster/oidc-provider.hbs
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
* added requested changes
* Modified requested changes and added changelog
* Added requested change
* Modified requested changes
---------
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
And set the `time.Time` option to use the go-msgpack-1.1.5-compatible
encoding in all the places, since that is the (now previous) version in
`go.mod`.
v2 2.1.1 was specifically designed to honor backwards compatibility
with 1.1.5 and 0.5.5, and to clean up the code base to be more
maintainable. There may be performance lost with the 1.1.5 to 2.1.1
migration since the fastpath code was removed, but the increased safety
is probably worth it. See
[the release notes for go-msgpack 2.1.0](https://github.com/hashicorp/go-msgpack/releases/tag/v2.1.0)
for more details.
I tested this by running this code, and booting up a cluster with a node
also running Vault 1.15.0 (before the upgrade). Before I made the
changes to set the right `time.Time` option, the previous-version node
would throw a bunch of time-decoding errors. After fixing the option,
the node came up smoothly, even after changing leadership between them.
This relies on
- https://github.com/hashicorp/raft-boltdb/pull/38
- https://github.com/hashicorp/raft/pull/577
I did a simple pair of benchmarks (one with a final sync, one without)
and ran them before and after on both my Mac (M2 Max) laptop and my
Linux (AMD Threadripper 3970X) desktop.
tl;dr There was no performance difference for this benchmark.
```
goos: darwin
goarch: arm64
pkg: github.com/hashicorp/vault/physical/raft
│ a.txt │ b.txt │
│ sec/op │ sec/op vs base │
RaftWithNetwork-10 58.65m ± 2% 58.62m ± 2% ~ (p=0.937 n=6)
```
```
goos: linux
goarch: amd64
pkg: github.com/hashicorp/vault/physical/raft
cpu: AMD Ryzen Threadripper 3970X 32-Core Processor
│ c.txt │ d.txt │
│ sec/op │ sec/op vs base │
RaftWithNetwork-64 5.861m ± 1% 5.837m ± 0% ~ (p=0.240 n=6)
```
* feature(ember-exam): add ember-exam to split ui tests and run them in parallel
* update yarn.lock
* update package.json scripts
* test(oidc): comment out test with race condition in oidc test
* chore(test): use 127.0.0.1 in testem config and add uuid to pki mount path
* test(kv-workflow): make policy creation unique per-test
* chore(test): use --preserve-test-name so flaky test reporting is preserved
* yarn test:filter runs ember test instead of exam for easier filtering
* fix kv control group tests
---------
Co-authored-by: Chelsea Shaw <cshaw@hashicorp.com>
* Support reloading database plugins across multiple mounts
* Add clarifying comment to MountEntry.Path field
* Tests: Replace non-parallelisable t.Setenv with plugin env settings
* updates destination name filter to use FilterInput component
* simplifies destinations list redirect condition
* fixes issue with sync destination type filter and issue filtering by both name and type
* unsets page query param in sync destination secrets route
* add docs for configuring jwt validation pubkeys for vso and update jwt auth docs to mention key rotation
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* add foundation to allow enterprise edition to walk up from current namespace to root
* add sys/internal/ui/*-messages paths
* add tests for consume custom messages endpoints
* more tests and change structure of link parameter
* add error when multiple links are provided for a custom message
* Fix UI when editing database roles
When using a database role the UI will try to update the database connection
associated with the role. This is to make sure that the role is allowed to
use this connection:
```
// Excerpt from the UI's database role adapter (behaviour before this patch).
// Reads the connection the role points at and adds/removes the role from
// its allowed_roles list; fails if the caller cannot read or save it.
async _updateAllowedRoles(store, { role, backend, db, type = 'add' }) {
  const connection = await store.queryRecord('database/connection', { backend, id: db });
  const roles = [...connection.allowed_roles];
  const allowedRoles = type === 'add' ? addToArray([roles, role]) : removeFromArray([roles, role]);
  connection.allowed_roles = allowedRoles;
  return connection.save();
},

async createRecord(store, type, snapshot) {
  const serializer = store.serializerFor(type.modelName);
  const data = serializer.serialize(snapshot);
  const roleType = snapshot.attr('type');
  const backend = snapshot.attr('backend');
  const id = snapshot.attr('name');
  const db = snapshot.attr('database');
  try {
    // Any failure here (including a permission error) aborts the role update.
    await this._updateAllowedRoles(store, {
      role: id,
      backend,
      db: db[0],
    });
  } catch (e) {
    throw new Error('Could not update allowed roles for selected database. Check Vault logs for details');
  }
  return this.ajax(this.urlFor(backend, id, roleType), 'POST', { data }).then(() => {
    // ember data doesn't like 204s if it's not a DELETE
    return {
      data: assign({}, data, { id }),
    };
  });
},
```
This is intended to help the administrator as the role will only work if
it is allowed by the database connection.
This is however an issue if the person doing the update does not have
the permission to update the connection: they will not be able to use
the UI to update the role even though they have the appropriate permissions
to do so (using the CLI or the API will work for example).
This is often the case when the database connections are created by a
centralized system but a human operator needs to create the roles.
You can try this with the following test case:
```
$ cat main.tf
resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

resource "vault_generic_endpoint" "alice" {
  depends_on           = [vault_auth_backend.userpass]
  path                 = "auth/userpass/users/alice"
  ignore_absent_fields = true
  data_json = jsonencode({
    "policies" : ["root"],
    "password" : "alice"
  })
}

data "vault_policy_document" "db_admin" {
  rule {
    path         = "database/roles/*"
    capabilities = ["create", "read", "update", "delete", "list"]
  }
}

resource "vault_policy" "db_admin" {
  name   = "db-admin"
  policy = data.vault_policy_document.db_admin.hcl
}

resource "vault_generic_endpoint" "bob" {
  depends_on           = [vault_auth_backend.userpass]
  path                 = "auth/userpass/users/bob"
  ignore_absent_fields = true
  data_json = jsonencode({
    "policies" : [vault_policy.db_admin.name],
    "password" : "bob"
  })
}

resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

resource "vault_database_secret_backend_connection" "postgres" {
  backend           = vault_mount.db.path
  name              = "postgres"
  allowed_roles     = ["*"]
  verify_connection = false
  postgresql {
    connection_url = "postgres://username:password@localhost/database"
  }
}
$ terraform apply --auto-approve
```
then using bob to create a role associated with the `postgres` connection.
This patch changes the way the UI does the update: it still tries to
update the database connection, but if it fails to do so because it does not
have the permission, it just silently skips this part and updates the role.
This also updates the error message returned to the user in case of issues
to include the actual errors.
* Add changelog
* Also ignore error when deleting a role
* Address code review comments
---------
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
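The behaviour the commit above describes, as an added example that is not Vault's own adapter code: the connection update is skipped only on a permission error (Vault answers denied paths with HTTP 403), while any other failure is re-thrown with the API's actual error list. The `ApiError` class and the in-memory `fakeStore` are constructed stand-ins for Ember Data's error and store.

```javascript
// Added example, not Vault's adapter code: update a database connection's
// allowed_roles, but skip that step when the caller may not touch the
// connection (Vault answers denied paths with HTTP 403). Any other failure
// is re-thrown with the API's actual error list, not a generic message.

// Constructed stand-in for the error Ember Data raises on a failed request.
class ApiError extends Error {
  constructor(httpStatus, errors) {
    super(errors.join(', '));
    this.httpStatus = httpStatus;
    this.errors = errors;
  }
}

const isForbidden = (e) => e instanceof ApiError && e.httpStatus === 403;
const describe = (e) => (e instanceof ApiError ? e.errors.join('; ') : e.message);

// Resolves to 'updated' when allowed_roles was changed, or 'skipped' when the
// connection could not be read or saved for lack of permission.
async function updateAllowedRoles(store, { role, backend, db, type = 'add' }) {
  try {
    const connection = await store.queryRecord('database/connection', { backend, id: db });
    const roles = new Set(connection.allowed_roles);
    if (type === 'add') roles.add(role); else roles.delete(role);
    connection.allowed_roles = [...roles];
    await connection.save();
    return 'updated';
  } catch (e) {
    if (isForbidden(e)) return 'skipped';
    throw new Error(`Could not update allowed roles for "${db}": ${describe(e)}`);
  }
}

// Constructed in-memory store: `status` is the HTTP status the API would
// return for the connection read; 200 hands back a saveable record.
function fakeStore(allowedRoles, status = 200) {
  const record = { allowed_roles: allowedRoles, async save() {} };
  return {
    record,
    async queryRecord() {
      if (status === 403) throw new ApiError(403, ['1 error occurred:', 'permission denied']);
      if (status !== 200) throw new ApiError(status, ['failed to read connection']);
      return record;
    },
  };
}
```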
* update header to refer to destination name
* teeny design improvements VAULT-22943
* update azure model attrs
* remove padding, add destination type to description VAULT-22930 VAULT-22943
* fix overview popupmenu nav to sync secrets VAULT-22944
* update sync banner, hyperlink secret
* redirect when all destinations are deleted VAULT-22945
* add keyVaultUri to credentials for editing
* fix extra space and test for sync banner
* use localName to get dynamic route section to fix pagination transition error
* add copy header remove duplicate app type
* add cloud param to azure mirage destination
* add comments
* enter line
* conditionally render view synced secrets button
* revert pagination route change
* combine buttons and add logic for args
* rename to route
* remove model arg
I have an upcoming PR for event notifications that needs similar
exponential backoff logic, and I prefer the API and logic in the
auto-auth exponential backoff rather than that of
github.com/cenkalti/backoff/v3.
This does have a small behavior change: the auto-auth min backoff
will now be randomly reduced by up to 25% on the first call. This is
a desirable property to avoid thundering herd problems, where a bunch
of agents would otherwise all have the same retry timeout.