* identity: Ensure state is changed on activation
This PR introduces some changes to the way activation flags are
processed in Vault.
Rather than reaching into subsystems and modifying
state from the activationflags package, each plugin can now register its
own ActivationFunc. Updates to activation flags now trigger the the
feature's ActivationFunc, which can encapsulate the associated
subsystem state.
We include a few bugfixes and minor cosmetic changes, like updates to
log lines and godocs.
* Check for nil system backend
* Move deduplication activation to common file
* Add identity dedup activation log lines
* Make interface methods clearer
* Clean up some comments
* More cleanups
* fixup! More cleanups
* fixup! More cleanups
* Move all pki-verification calls from sdk-Verify() to pki-specific
VerifyCertifcate(...); update sdk-Verify to allow multiple chains,
but validate that at least one of those chains is valid.
* Updates to Validate on Parse PEMBlock, so that a single cert or a single key parses (test fixes).
* Add changelog.
* Make test certificate expire in a while, not at linux epoch.
* Remove duplicate code.
* Fix header file + go mod tidy.
* Updates based on review.
* Fix "t.Fatal from a non-test goroutine" errors in cache_test.go
- t.Fatal(f) should not be called within a Go routine based on it's documentation and only from the main test's thread.
- In 1.24 this seems to cause build failures
* Address all "non-constant format string errors" from go vet
- Within 1.24 these now cause test builds to fail
…" from go vet
* Adds an option to enable sAMAccountname logins when upndomain is set
* Adds an option to enable sAMAccountname logins when upndomain is set
* Updated changelog entry
* Update 29118.txt
* Updated cap/ldap version due to needed dependency
* Updated cap/ldap version due to needed dependency
* Restart CI
* Updated LDAP api-docs and docs describing the enable_samaccountname_login option
* Added missing comma in config_test.go
* Update enables_samaccountname
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update enable_samaccountname_login feature documentation
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* sdk/physical: use permitpool from go-secure-stdlib
* physical: use permitpool from go-secure-stdlib
* fixup! sdk/physical: use permitpool from go-secure-stdlib
* fixup! sdk/physical: use permitpool from go-secure-stdlib
* ce changes for vault-31750
* add changelog
* make proto
* refactor naming
* clarify error message
* update changelog
* one more time
* make proto AGAIN
* sdk/db: do not hold the lock on Close
* fix missing locks on return; ensure we don't overrite instance
* add type and close timeout env vars
* changelog
* go get github.com/hashicorp/cap/ldap@main && go mod tidy
* add 1.19 upgrade note
* changelog
* cd sdk && go get github.com/hashicorp/cap/ldap@main && go mod tidy
* add more detail in changelog
* update changelog
* go mod tidy after resolving merge conflicts
* CE side changes to key policy engine for ML-DSA/Hybrid support
* fix ce mismatch for verify
* restore omitempty
* unnecessary
* Perform code reuse of ed25519 validation differently
* make parts of export testing ent only
* license
Support all fields of the name constraints extension when generating CA certs.
The PKI secrets engine only provided parameter permitted_dns_domains to create
the name constraints extension when generating CA certificates.
Add the following parameters to provide full support for the extension:
* permitted_email_addresses
* permitted_ip_ranges
* permitted_uri_domains
* excluded_dns_domains
* excluded_email_addresses
* excluded_ip_ranges
* excluded_uri_domains
Specifying any combination of these parameters will trigger the creation of the
name constraints extension as per RFC 5280 section 4.2.1.10.
* Use DRBG based RSA key generation everywhere
* switch to the conditional generator
* Use DRBG based RSA key generation everywhere
* switch to the conditional generator
* Add an ENV var to disable the DRBG in a pinch
* update go.mod
* Use DRBG based RSA key generation everywhere
* switch to the conditional generator
* Add an ENV var to disable the DRBG in a pinch
* Use DRBG based RSA key generation everywhere
* update go.mod
* fix import
* Remove rsa2 alias, remove test code
* move cryptoutil/rsa.go to sdk
* move imports too
* remove makefile change
* rsa2->rsa
* more rsa2->rsa, remove test code
* fix some overzelous search/replace
* Update to a real tag
* changelog
* copyright
* work around copyright check
* work around copyright check pt2
* bunch of dupe imports
* missing import
* wrong license
* fix go.mod conflict
* missed a spot
* dupe import
* Add an option to allow cert-auth to return metadata about client certs that fail login
* Add cl
* Update SPDX header for sdk/logical/response_test.go
* add ml-dsa key type and stubs
* add in sdk changes
* ent breakout
* fix private key func and run go mod tidy
* change function name
* tidy go.mod
---------
Co-authored-by: Scott G. Miller <smiller@hashicorp.com>
* Update to Go 1.23.3
- Update to latest major version of Go 1.23.3 from 1.22.8.
- Update github.com/sasha-s/go-deadlock to address deadlock timer
issue we were seeing.
- Fix one of our tests to only reset the member variable we change
instead of the entire Opts parameter to avoid a data race during
testing.
* Add workaround for MSSQL TLS certificate container issue
* PKI: Add a new leaf_not_after_behavior value to force erroring in all circumstances
- We introduce a new value called `always_enforce_err` for the existing
leaf_not_after_behavior on a PKI issuer. The new value will force we
error out all requests that have a TTL beyond the issuer's NotAfter value.
- This will apply to leaf certificates issued through the API as did err,
but now to CA issuance and ACME requests for which we previously changed
the err configuration to truncate.
* Add cl
* Update UI test
* Fix changelog type
* [transit-pkcs1v15] transit support for the pkcs1v15 padding scheme – without UI tests (yet).
* [transit-pkcs1v15] renamed padding_scheme parameter in transit documentation.
* [transit-pkcs1v15] add changelog file.
* [transit-pkcs1v15] remove the algorithm path as padding_scheme is chosen by parameter.
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Add warnings to PKCS1v1.5 usage
* Update transit
* Update transit, including separating encrypt/decrypt paddings for rewrap
* Clean up factory use in the presence of padding
* address review feedback
* remove defaults
* lint
* more lint
* Some fixes for UI issues
- Fix padding scheme dropdown console error by adding values
to the transit-key-actions.hbs
- Populate both padding scheme drop down menus within rewrap,
not just the one padding_scheme
- Do not submit a padding_scheme value through POST for non-rsa keys
* Fix Transit rewrap API to use decrypt_padding_scheme, encrypt_padding_scheme
- Map the appropriate API fields for the RSA padding scheme to the
batch items within the rewrap API
- Add the ability to create RSA keys within the encrypt API endpoint
- Add test case for rewrap api that leverages the padding_scheme fields
* Fix code linting issues
* simply padding scheme enum
* Apply suggestions from code review
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Fix padding_scheme processing on data key api
- The data key api was using the incorrect parameter name for
the padding scheme
- Enforce that padding_scheme is only used on RSA keys, we
are punting on supporting it for managed keys at the moment.
* Add tests for parsePaddingSchemeArg
* Add missing copywrite headers
* Some small UI fixes
* Add missing param to datakey in api-docs
* Do not send padding_scheme for non-RSA key types within UI
* add UI tests for transit key actions form
---------
Co-authored-by: Marcel Lanz <marcellanz@n-1.ch>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
