For now, only the leader of a cluster can handle subscription requests,
so we forward the connection request otherwise.
We forward using a 307 temporary redirect (the fallback way).
Forwarding a request over gRPC currently only supports a single request
and response, but a websocket connection is long-lived with potentially
many messages back and forth.
We modified the `vault events subscribe` command to honor those
redirects. `wscat` supports them with the `-L` flag.
In the future, we may add a gRPC method to handle forwarding WebSocket
requests, but doing so adds quite a bit of complexity (even over
normal request forwarding) due to the intricate nature of the `http` /
`vault.Core` interactions required. (I initially went down this path.)
I added tests for the forwarding header, and also tested manually.
(Testing with `-dev-three-node` is a little clumsy since it does not
properly support experiments, for some reason.)
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Add `subscribe` capability to policies
... and `subscribe_event_types` to the policy body.
These are not currently enforced in the events system (as that
will require populating the full secrets path in the event).
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* setup initial boilerplate code for sign csr endpoint
* add function to sign csr
* working version of sign csr endpoint
* improving errors for csr create and sign endpoint
* initial implementation for import leaf certificate endpoint
* check if more than one certificate was provided in the certificate chain
* improve validate cert public key matches transit key
* convert provided cert chain from PEM to DER so it can be parsed by
x509.ParseCertificates and fixing other bugs
* fix creation of csr from csrTemplate
* add missing persist of certificate chain after validations in set-certificate endpoint
* allow exporting a certificate-chain
* move function declaration to end of page
* improving variable and function names, removing comments
* fix certificate chain parsing - work in progress
* test for signCsr endpoint
* use Operations instead of Callbacks in framework.Path
* setup test for set-certificate endpoint
fix problems with sign-csr endpoint returning base64
* finish set-certificate endpoint test
* use public key KeyEntry fields instead of retrieving public key from private
* improve error message and make better distinction between client and server error
also moved check of key types before checking if key match to endpoint handler
* check if private key has been imported for key version selected when signing a csr
* improve errors
* add endpoint description and synopsis
* fix functions calls in backend as function names changed
* improve import cert chain test
* trim whitespaces on export certificate chain
* changelog
* pass context from handler function to policy Persist
* make fmt run
* fix: assign returned error from PersistCertificateChain to err so it can be evaluated
* additional validations and improvements to parseCertificateChain function
* add validation to check if there is only one certificate in the certificate chain and it is in the first position
* import cert chain test: move creation of cluster to exported test function
* move check of end-cert pub key algorithm and key transit algorithm match into a separate function
* test export certificate chain
* Update sdk/helper/keysutil/policy.go
Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
* fix validateLeafCertPosition
* reject certificate actions on policies that allow key derivation and remove derived checks
* return UserError from CreateCSR SDK function as 400 in transit API handler
* add derived check for ED25519 keys on CreateCSR SDK func
* remove unnecessary calls of x509.CreateCertificateRequest
* move validate key type match back into SDK ValidateLeafCertMatch function
* add additional validations (ValidateLeafCertKeyMatch, etc) in SDK PersistCertificateChain function
* remove unnecessary call of ValidateLeafCertKeyMatch in parseImportCertChainWrite
* store certificate chain as a [][]byte instead of []*x509.Certificate
* include persisted ca chain in import cert-chain response
* remove NOTE comment
* allow exporting cert-chain even if exportable is set as false
* remove NOTE comment
* add certificate chain to formatKeyPublic if present
also added an additional check to validate if field is added when
certchain is present
---------
Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
* bolt.write.time should actually be a counter, not a gauge
* add changelog
* Update website/content/docs/upgrading/upgrade-to-1.14.x.mdx
Co-authored-by: Paul Banks <pbanks@hashicorp.com>
* correct changelog
---------
Co-authored-by: Paul Banks <pbanks@hashicorp.com>
* Fix misattribution of activity log entries to incorrect auth methods
In a production Vault Enterprise instance, I noticed incorrect
information in the sys/internal/counters/activity endpoints. Eventually,
I was able to spot a pattern of entities being misattributed to auth
methods of the same name in child namespaces, which led me to this bug
in the code.
When attempting to map from a token's path to an auth method, we need to
do so with respect to the namespace of the token, which may be different
from the namespace of the request, as tokens from parent namespaces can
make requests that reach into child namespaces.
* Changelog
* Use a real namespace ID in tests where it now matters
* gofumpt
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* best-practice: prom format by header
* move config related doc closer to config example
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* adding testonly CI test job
* small instance for testonly tests
* feedback
* shopt
* disable glob expansion
* revert back to a large instance
* fix a mistake
In 00e13ab we updated the activity/write endpoint to get rid of the CreateOperation in favor of the UpdateOperation. At the time, testonly tests weren't running, but they're about to be, so go ahead and fix this before re-activating.
* Add permit pool metrics to dynamo db backend
* Fmt and use permit pool with metrics
* Add changelog
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* Update oracle-tde.mdx to remove deprecated sqlnet.ora configuration steps
* Remove text regarding updating sqlnet.ora in the Enable TDE section.
* Add steps to set the wallet location using parameters.
* Update Oracle Documentation references from 12c docs to 19c docs.
* Update website/content/docs/enterprise/pkcs11-provider/oracle-tde.mdx
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Fix link formatting in Vault lambda extension docs
The link pointing to supported lambda runtimes does not use correct markdown formatting so it is not rendered as a link on developer.hashicorp.com. This commit renders it as a link again.
* Add changelog entry
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* add escape hatch to use feature flag for reversion of audit behavior
* Setup pipeline which ends with a NoopSink
* explicitly call out old way of running test
* old behavior for audit trail tests
* More manual forcing of tests to legacy audit system
* Add NOTE: to suggest that the feature flag is temporary
* Clarify Tokens use and structure recommendation
* Update website/content/docs/concepts/tokens.mdx
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* add a test to show the bug
* do not output a "Success!" message if a specific field was requested
* Create 21545.txt
* Fix changelog name
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>