* PKI: Add a new leaf_not_after_behavior value to force erroring in all circumstances
- We introduce a new value called `always_enforce_err` for the existing
leaf_not_after_behavior on a PKI issuer. The new value will force we
error out all requests that have a TTL beyond the issuer's NotAfter value.
- This will apply to leaf certificates issued through the API as did err,
but now to CA issuance and ACME requests for which we previously changed
the err configuration to truncate.
* Add cl
* Update UI test
* Fix changelog type
* changes then onto tests
* fix wif test failures
* changelog
* clean up
* address pr comments
* only test one wif engine for relevant tests
* add back engine loop for tests that depend on type
* first round, there shall be more
* fix secret test
* more clean up
* maybe last round of clean up?
* this is going to take a while
* all the things or more of them at least
* this is the song that never ends...
* ... it goes on and on my friend.
* clean up clean up everybody lets clean up
* rename mount helper to mountBackend
* clean up 🧹
* address pr comments
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* upgrade ember-data 5.3.2, uninstall legacy compat, upgrade ember-cli, ember-source
* use query instead of findAll for auth methods, update tests
* set mutableId for kmip
* show generated private key data before transitioning to details
* update kv metadata test
* remove deprecated methods from path help service
* add changelog, update readme version matrix
* remove toggle template helper
* rename store to pagination, remove store extension
* initial update of service test
* remove superfluous helper
* replace store with pagination service in main app
* update kmip engine syntax
* add pagination to kmip engine
* update to pagination in config-ui engine
* update sync engine to use pagination service
* use pagination service in kv engine
* use pagination service in ldap engine
* use pagination in pki engine
* update renaming clearDataset functions
* link to jira VAULT-31721
* remove comment
* [transit-pkcs1v15] transit support for the pkcs1v15 padding scheme – without UI tests (yet).
* [transit-pkcs1v15] renamed padding_scheme parameter in transit documentation.
* [transit-pkcs1v15] add changelog file.
* [transit-pkcs1v15] remove the algorithm path as padding_scheme is chosen by parameter.
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Add warnings to PKCS1v1.5 usage
* Update transit
* Update transit, including separating encrypt/decrypt paddings for rewrap
* Clean up factory use in the presence of padding
* address review feedback
* remove defaults
* lint
* more lint
* Some fixes for UI issues
- Fix padding scheme dropdown console error by adding values
to the transit-key-actions.hbs
- Populate both padding scheme drop down menus within rewrap,
not just the one padding_scheme
- Do not submit a padding_scheme value through POST for non-rsa keys
* Fix Transit rewrap API to use decrypt_padding_scheme, encrypt_padding_scheme
- Map the appropriate API fields for the RSA padding scheme to the
batch items within the rewrap API
- Add the ability to create RSA keys within the encrypt API endpoint
- Add test case for rewrap api that leverages the padding_scheme fields
* Fix code linting issues
* simply padding scheme enum
* Apply suggestions from code review
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Fix padding_scheme processing on data key api
- The data key api was using the incorrect parameter name for
the padding scheme
- Enforce that padding_scheme is only used on RSA keys, we
are punting on supporting it for managed keys at the moment.
* Add tests for parsePaddingSchemeArg
* Add missing copywrite headers
* Some small UI fixes
* Add missing param to datakey in api-docs
* Do not send padding_scheme for non-RSA key types within UI
* add UI tests for transit key actions form
---------
Co-authored-by: Marcel Lanz <marcellanz@n-1.ch>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
* use alias for router injection
* update @router declarations in engine files
* fix remaining pki router imports
* dynamically set router based on owner
* address replication routers
* update markdown docs
* use non-deprecated import for getOwner
* revert out of scope changes
* add transition-to test
* fix promise issues on transformation-edit
* fix one test and the transition problem
* cannot call capabilities service directly inside template because its an unresolved promise
* address transit capabilities issues
* remove deprecations line for promise-proxies
* handle hot mess of delete permissions and such
* blah
* update flash message language. It will now show a flash message for each role whose transformationw as not removed.
* small wording change
* one small change to the default flash message
* Update ui/app/components/transformation-edit.js
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/components/transformation-edit.js
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/components/transformation-edit.js
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* fix policy flow
* fix linting and can't define let outside if block
* fix flashmessage things
* make show and edit use same param
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* add auth-config/oidc to openapi model helper
* alphabetize
* update maskedinput selector to be standard data-test-input
* add test
* add changelog
* fix maskedinput test and kv selector
* final textarea selector!
* Track the last PKI auto-tidy time ran for use across nodes
- If the interval time for auto-tidy is longer then say a regularly
scheduled restart of Vault, auto-tidy is never run. This is due to
the time of the last run of tidy is only kept in memory and
initialized on startup to the current time
- Store the last run of any tidy, to maintain previous behavior, to
a cluster local file, which is read in/initialized upon a mount
initialization.
* Add auto-tidy configuration fields for backing off at startup
* Add new auto-tidy fields to UI
* Update api docs for auto-tidy
* Add cl
* Update field description text
* Apply Claire's suggestions from code review
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Implementing PR feedback from the UI team
* remove explicit defaults and types so we retrieve from backend, decouple enabling auto tidy from duration, move params to auto settings section
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
* Add helper combineOpenApiAttrs + test
* hydrateModel working with upgradeModelSchema
* new registerNewModelWithAttrs method for generated models
* Add newFields to generated models
* copyright
* Glimmerize path-help service
* update generated-item-list adapter and path-help usage of it
* remove unused methods combineAttributes and combineFields
* move expandOpenApiProps to ts helper file
* fix auth test
* fix bug where adding user to second userpass mount saves to first mount
* Add mutableId
* fix ent test
* remove addressed deprecation
* Address PR comments
* [VAULT-31208] remove deprecation early-static from decorator tests
* rename validators util into model-helpers folder
* move kmip-role-fields to model-helpers
* fill out docs
* Move database-helpers into model-helpers
* broom
* update kmip/role model and adapter
* New KMIP role form component
* cleanup on kmip role adapter/model
* fix role details view
* update tests to check for kmip role form and details validity
* cleanup
* Add kmip-role-fields test
* add headers, remove old component
* Address PR comments
* add capabilities service to replication engine
* fix capabilities paths in route file
* pass updated capabilities using getters
* add changelog
* fix logic so default is based on undefined capabilities (not no mode)
* hide patch action for deleted or destroyed versions
* update jsdoc
* add conditional chaining for CE versions that dont have subkeys
* stub version for CE tests
* add comments
* Update ui/lib/kv/addon/routes/secret.js
* absolute hail mary
* what about this?
* that was not right
* nope
* refactor problematic test
* remove all of the runloop stuff, just chasing flaky tests
* chasing authPage
* move away from page objects for runCmd
* replace existing runCmd function
* add line
* test if removing chrome version helps this time?
* rerun tests
* rerun tests
* Revert "test if removing chrome version helps this time?"
This reverts commit 0b189c4f6978d6c55c283e3fe9fddd03d28c4377.
* remove await
* add trace log
* change test:oss command
* remove log tracing
* wip control group fix?
* dont rely on models for capabilities;
* Revert "wip control group fix?"
This reverts commit cf3e896ba05d2fdfe1f6287bba5c862df4e5d553.
* make explicit request for data
* remove dangerous triple curlies
* cleanup template logic and reuse each-in
* remove capability checks from model
* update tests to reflect new behavior
* add test coverage
* fix mirage factory, update details tests
* test control groups VAULT-29471
* finish patch test
* alphabetize!
* does await help?
* fix factory
* add conditionals for control group error
* UI: Implement overview page for KV v2 (#28162)
* build json editor patch form
* finish patch component and tests
* add tab to each route
* and path route
* add overview tab to tests
* update overview to use updated_time instead of created_time
* redirect relevant secret.details to secret.index
* compute secretState in component instead of pass as arg
* add capabilities service
* add error handling to fetchSubkeys adapter request
* add overview tabs to test
* add subtext to overview card
* remaining redirects in secret edit
* remove create new version from popup menu
* fix breadcrumbs for overview
* separate adding capabilities service
* add service to kv engine
* Revert "separate adding capabilities service"
This reverts commit bb70b12ab7dbcde0fbd2d4d81768e5c8b1c420cc.
* Revert "add service to kv engine"
This reverts commit bfa880535ef7d529d7610936b2c1aae55673d23f.
* update navigation test
* consistently navigate to secret.index route to be explicit
* finish overview navigation tests
* add copyright header
* update delete tests
* fix nav testrs
* cleanup secret edit redirects
* remove redundant async/awaits
* fix create test
* edge case tests
* secret acceptance tests
* final component tests
* rename kvSecretDetails external route to kvSecretOverview
* add comment
* UI: Add patch route and implement Page::Secret::Patch page component (sidebranch) (#28192)
* add tab to each route
* and path route
* add overview tab to tests
* update overview to use updated_time instead of created_time
* redirect relevant secret.details to secret.index
* compute secretState in component instead of pass as arg
* add capabilities service
* add error handling to fetchSubkeys adapter request
* add patch route and put in page component
* add patch secret action to subkeys card
* fix component name
* add patch capability
* alphabetize computed capabilities
* update links, cleanup selectors
* fix more merge conflict stuff
* add capabilities test
* add models to patch link
* add test for patch route
* rename external route
* add error templates
* make notes about enterprise tests, filter one
* remove errors, transition (redirect) instead
* redirect patch routes
* UI: Move fetching secret data to child route (#28198)
* remove @secret from metadata details
* use metadata model instead of secret in paths page
* put delete back into kv/data adapter
* grant access in control group test
* update metadata route and permissions
* remove secret from parent route, only fetch in details route
* change more permissions to route perms, add tests
* revert overview redirect from list view
* wrap model in conditional for perms
* remove redundant canReadCustomMetadata check
* rename adapter method
* handle overview 404
* remove comment
* add customMetadata as an arg
* update grantAccess in test
* make version param easier to follow
* VAULT-30494 handle 404 jira
* refactor capabilities to return an object
* update create tests
* add test for default truthy capabilities
* remove destroy-all-versions from kv/data adapter
* UI: Add enterprise checks (#28215)
* add enterprise check for subkey card
* add max height and scroll to subkey card
* only fetch subkeys if enterprise
* remove check in overview
* add test
* Update ui/tests/integration/components/kv/page/kv-page-overview-test.js
* fix test failures (#28222)
* add assertion
* add optional chaining
* create/delete versioned secret in each module
* wait for transition
* add another waitUntil
* UI: Add patch latest version to toolbar (#28223)
* add patch latest version action to toolbar
* make isPatchAllowed arg all encompassing
* no longer need model check
* use hash so both promises fire at the same time
* add subkeys to policy
* Update ui/lib/kv/addon/routes/secret.js
* add changelog
* small cleanup items! (#28229)
* add conditional for enterprise checking tabs
* cleanup fetchMultiplePaths method
* add test
* remove todo comment, ticket created and design wants to hold off
* keep transition, update comments
* cleanup tests, add index to breadcrumbs
* add some test coverage
* toggle so value is readable
* manual cherry pick to deal with all the merge things
* changelog
* test fixes
* Update 28148.txt
* fix tests failures after main merge
* fix test failures after main merge
* Add Access Type and conditionally render WIF fields (#28149)
* initial work.
* remove access_type
* better no model logic well kind of
* rollback attrs
* remove defaults
* stopping point
* wip changing back to sidebranch
* hustling shuffling and serializing
* some of the component test coverage
* disable acces type if editing
* test coverage
* hide max retries that sneaky bugger
* cleanup
* cleanup
* Update root-config.js
* remove flash message check, locally passes great but on ci flaky
* clean up
* thank you chelsea
* test clean up per enterprise vs community
* address pr comments
* welp a miss add
* UI (sidebranch) WIF Issuer field (#28187)
* Add type declaration files for aws config models
* use updated task syntax for save method on configure-aws
* fix types on edit route
* fetch issuer on configure edit page if aws + enterprise
* track issuer within configure-aws component
* add placeholder support on form-field
* Add warning if issuer changed from previous value or could not be read
* cleanup
* preliminary tests
* dont use while loop so we can test the modal
* tests
* cleanup
* fix tests
* remove extra tracked value and duplicate changed attrs check
* modal footer
---------
Co-authored-by: Angel Garbarino <argarbarino@gmail.com>
* Display issuer on Configuration details (#28209)
* display issuer on configuration details
* workflow complete, now on to testing
* handle issuer things
* fix all the broken tests things
* add test coveragE:
* cleanup
* rename model/adapter
* Update configure-aws.ts
* Update aws-configuration-test.js
* 90 percent there for pr comments
* last one for tonight
* a few more because why not
* hasDirtyAttributes fixes
* revert back to previous noRead->queryIssuerError
---------
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
* add capabilities service
* remove from kv engine for now
* add canRead
* move await helper to addon
* add test
* update capabilities service to accommodate multiple paths
* address comments, make methods more explicit
* remove namespace key
* fix typo in test
* add namespace back!
* round out tests for other methods
* add test
* add comment
