* add config changes for name and priority fields in seal stanza
* change env vars and fix tests
* add header and fix func call
* tweak limits on seals
* fix missing import
* add docstrings
* UI: HDS adoption replace AlertBanner part 1 (#21163)
* rename test selector
* replace db banner
* add class
* replace db role edit
* db creds
* generate creds
* simpler class
* license banner component
* oidc callback flash
* raft
* aws
* secret create or update
* change to compact alert for form field
* change back to inline
* combine alert banners
* wrap in conditional
* remove references to message class
* UI: HDS adoption replace AlertBanner part 2 (#21243)
* token expire warning
* delete css
* edit form
* item details distribute mfa step 2 transit verify
* back to secondary
* distribute
* oidc lease error
* sign
* kv obj and repl dash
* more repl
* update test selector
* show, creds
* shamir
* pki csr
* pki banners
* add hds library to ember engines
* woops comma
* fix k8 test
* update message error component for last!
* hold off MessageError changes until next pr
* revert test selectors
* update pki tests
* UI: part 3 remove alert banner (#21334)
* final component swap
* and actual final of MessageError
* update MessageError selectors
* delete alert-banner and remove references
* update next step alerts to highlight color
* finishing touches, auth form test and client dashboard inline link
* fix more selectors
* fix shamir flow test
* ui: part 4 final cleanup (#21365)
* replace AlertPopup
* add test tag
* move tag
* one more message error tag
* delete alert popup
* final css cleanup
* move preformatted flash into <p> tag
* ui: address comments for sidebranch (#21388)
* add periods, move link to trailing
* more periods and typo fix
* remove old references to pki and old adapter
* remove after model hook from list
* remove references to isEngine
* add test
* update test
* delete test
* fix test
* Replace all time.ParseDurations with testutil.ParseDurationSeconds
* Changelog
* Import formatting
* Import formatting
* Import formatting
* Import formatting
* Semgrep rule that runs as part of CI
These don't do anything but reject requests:
> The server will not issue certificates for the identifier:
> role (something) will not issue certificate for name
> xps15.local.cipherboy.com
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Supporting PR for Enterprise ACME PR cluster tests
- Some changes within the OSS test helpers to help in the ACME Enterprise test cases.
* Don't rename existing helper method to make oss/ent merge easier
* Adds automated ACME tests using Caddy.
* Do not use CheckSignatureFrom method to validate TLS-ALPN-01 challenges
* Uncomment TLS-ALPN test.
* Fix validation of tls-alpn-01 keyAuthz
Surprisingly, this failure was not caught by our earlier, but unmerged
acme.sh tests:
> 2023-06-07T19:35:27.6963070Z PASS builtin/logical/pkiext/pkiext_binary.Test_ACME/group/acme.sh_tls-alpn (33.06s)
from https://github.com/hashicorp/vault/pull/20987.
Notably, we had two failures:
1. The extension's raw value is not used, but is instead an OCTET
STRING encoded version:
> The extension has the following ASN.1 [X.680] format :
>
> Authorization ::= OCTET STRING (SIZE (32))
>
> The extnValue of the id-pe-acmeIdentifier extension is the ASN.1
> DER encoding [X.690] of the Authorization structure, which
> contains the SHA-256 digest of the key authorization for the
> challenge.
2. Unlike DNS, the SHA-256 is directly embedded in the authorization,
as evidenced by the `SIZE (32)` annotation in the quote above: we
were instead expecting this to be url base-64 encoded, which would
have a different size.
This failure was caught by Matt, testing with Caddy. :-)
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Quick gofmt run.
* Fix challenge encoding in TLS-ALPN-01 challenge tests
* Rename a PKI test helper that retrieves the Vault cluster listener's cert to distinguish it from the method that retrieves the PKI mount's CA cert. Combine a couple of Docker file copy commands into one.
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
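The two keyAuthz failures described in the commit above, shown as an added Go example that is not part of the Vault code base or its tests. It builds the id-pe-acmeIdentifier extnValue the way a compliant client does (DER OCTET STRING of exactly 32 bytes holding the raw SHA-256 of the key authorization), validates it as the fix describes, and keeps a naive comparison alongside to show why a correctly built challenge certificate never matched before. The OID 1.3.6.1.5.5.7.1.31 is the one assigned in RFC 8737; the key authorization string is a constructed sample, not a real challenge.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/asn1"
	"encoding/base64"
	"errors"
	"fmt"
)

// OID of id-pe-acmeIdentifier as assigned in RFC 8737 (1.3.6.1.5.5.7.1.31).
var OIDACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// Constructed sample key authorization, "<token>.<base64url JWK thumbprint>".
// Both halves are made-up values, not taken from any real challenge.
const SampleKeyAuthz = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA.9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"

// BuildACMEIdentifierExtension produces the extnValue a compliant client places
// in its TLS-ALPN-01 certificate: the DER encoding of
//   Authorization ::= OCTET STRING (SIZE (32))
// holding the raw SHA-256 digest of the key authorization.
func BuildACMEIdentifierExtension(keyAuthz string) ([]byte, error) {
	digest := sha256.Sum256([]byte(keyAuthz))
	return asn1.Marshal(digest[:]) // a []byte marshals as an OCTET STRING
}

// ValidateACMEIdentifierExtension checks a presented extnValue the way the fix
// describes: strip the OCTET STRING wrapper, require exactly 32 bytes, and
// compare against the raw (not base64url-encoded) SHA-256 of the key authorization.
func ValidateACMEIdentifierExtension(extnValue []byte, keyAuthz string) error {
	var authorization []byte
	rest, err := asn1.Unmarshal(extnValue, &authorization)
	if err != nil {
		return fmt.Errorf("extnValue is not a DER OCTET STRING: %w", err)
	}
	if len(rest) != 0 {
		return errors.New("trailing bytes after Authorization OCTET STRING")
	}
	if len(authorization) != sha256.Size {
		return fmt.Errorf("Authorization must be SIZE (32), got %d bytes", len(authorization))
	}
	expected := sha256.Sum256([]byte(keyAuthz))
	if subtle.ConstantTimeCompare(authorization, expected[:]) != 1 {
		return errors.New("Authorization digest does not match key authorization")
	}
	return nil
}

// NaiveCompare reproduces both mistakes the commit describes: it compares the
// raw extnValue (still carrying its OCTET STRING tag and length) against a
// base64url-encoded digest, so a correctly built challenge certificate never matches.
func NaiveCompare(extnValue []byte, keyAuthz string) bool {
	digest := sha256.Sum256([]byte(keyAuthz))
	encoded := base64.RawURLEncoding.EncodeToString(digest[:])
	return bytes.Equal(extnValue, []byte(encoded))
}

func main() {
	extn, err := BuildACMEIdentifierExtension(SampleKeyAuthz)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%v extnValue (%d bytes): %x\n", OIDACMEIdentifier, len(extn), extn)
	fmt.Println("corrected check:", ValidateACMEIdentifierExtension(extn, SampleKeyAuthz))
	fmt.Println("naive comparison matches:", NaiveCompare(extn, SampleKeyAuthz))
}
```

The wrapper is only two bytes (tag 0x04, length 0x20), which is why a size check on the decoded value rather than on extnValue matters: the 34-byte raw value is neither the 32-byte digest nor the 43-character base64url string the old comparison expected.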
The main point of this work is to move runFilteredPathsEvaluation inside mountInternal/enableCredentialInternal, while we hold the lock. This requires that we grab both the mountsLock and authLock, for reasons that only make sense when looking at the ent code.
While fixing this I noticed that ListAuths grabs the wrong lock, so I also fixed that.
And I modified ClusterSetup: as a convenience, it now populates the factories for all the builtin engines in the config it returns.
Add paths for seal config to cache exceptions.
Add barrierSealConfigPath and recoverySealConfigPlaintextPath to
cacheExceptionsPaths in order to avoid a race that causes some
nodes to always see a nil value.
* Correctly validate ACME PoP against public key
ACME's proof of possession based revocation uses a signature from the
private key, but only sends the public copy along with the request.
Ensure the public copy matches the certificate, instead of failing to
cast it to a private key.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add ACME revocation tests
* Clarify commentary in acmeRevocationByPoP
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
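The proof-of-possession check described in the commit above, as an added Go example that is not Vault's acmeRevocationByPoP code. A revocation-by-PoP request is signed with the certificate's private key but carries only the public key, so the server must compare that public key against the one in the certificate rather than try to cast it to a private key. The self-signed certificate and names are constructed for the demo; the JWS signature check that would precede this comparison is assumed to have already passed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyEqualer is satisfied by the standard-library public key types
// (*rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey).
type keyEqualer interface {
	Equal(x crypto.PublicKey) bool
}

// VerifyPoPPublicKey checks that the public key presented in an ACME
// revocation request is the certificate's own key. The request only ever
// carries a public key, so the comparison is against cert.PublicKey; the
// caller is assumed to have already verified the request's JWS with that key.
func VerifyPoPPublicKey(cert *x509.Certificate, presented crypto.PublicKey) error {
	certKey, ok := cert.PublicKey.(keyEqualer)
	if !ok {
		return fmt.Errorf("unsupported certificate key type %T", cert.PublicKey)
	}
	if !certKey.Equal(presented) {
		return errors.New("revocation request key does not match certificate public key")
	}
	return nil
}

// BrokenPoPCheck mirrors the pre-fix mistake: it expects a private key in a
// request that can only carry the public half, so every valid request fails.
func BrokenPoPCheck(presented crypto.PublicKey) error {
	if _, ok := presented.(*ecdsa.PrivateKey); !ok {
		return fmt.Errorf("expected private key, got %T", presented)
	}
	return nil
}

// NewSelfSignedCert builds a throwaway P-256 certificate for the demo.
func NewSelfSignedCert(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn}, // constructed name
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

func main() {
	cert, key, err := NewSelfSignedCert("pop-demo.example")
	if err != nil {
		panic(err)
	}
	_, otherKey, err := NewSelfSignedCert("other.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("certificate's own key:", VerifyPoPPublicKey(cert, &key.PublicKey))
	fmt.Println("unrelated key:        ", VerifyPoPPublicKey(cert, &otherKey.PublicKey))
	fmt.Println("pre-fix style check:  ", BrokenPoPCheck(&key.PublicKey))
}
```

Comparing with the key type's own Equal method covers RSA, ECDSA and Ed25519 uniformly and avoids re-encoding both keys to DER just to compare bytes.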
* Onboard Vault to the prepare workflow.
* remove after testing
* no message
* remove changes used for testing
* adding back comma - so as not to introduce unnecessary merge conflicts