Commit Graph

891 Commits

Author SHA1 Message Date
Steven Clark
ce8094fb6c Add underlining support for the PKI Enterprise SCEP work (#29604) 2025-02-13 15:54:18 +00:00
davidadeleon
6741773b0f update vault auth submodules to api/v1.16.0 (#29548)
* update vault auth submodules to api/v1.16.0

* update go.mod

* make proto

---------

Co-authored-by: davidadeleon <ddeleon@hashicorp.com>
2025-02-11 07:28:45 -08:00
Mike Palmiotto
6d5759ecb3 identity: Introduce ActivationFunc for managing feature state (#29467)
* identity: Ensure state is changed on activation

This PR introduces some changes to the way activation flags are
processed in Vault.

Rather than reaching into subsystems and modifying
state from the activationflags package, each plugin can now register its
own ActivationFunc. Updates to activation flags now trigger the
feature's ActivationFunc, which can encapsulate the associated
subsystem state.

We include a few bugfixes and minor cosmetic changes, like updates to
log lines and godocs.

* Check for nil system backend

* Move deduplication activation to common file

* Add identity dedup activation log lines

* Make interface methods clearer

* Clean up some comments

* More cleanups

* fixup! More cleanups

* fixup! More cleanups
2025-01-31 12:25:07 -03:00
Steven Clark
9456671f04 Prepare code base for Go 1.24 update. (#29412)
* Fix "t.Fatal from a non-test goroutine" errors in cache_test.go

 - t.Fatal(f) should not be called within a goroutine based on its documentation and only from the main test's thread.
 - In 1.24 this seems to cause build failures

* Address all "non-constant format string errors" from go vet

 - Within 1.24 these now cause test builds to fail

…" from go vet
2025-01-27 14:34:07 -05:00
Mike Palmiotto
9d80c4548f proto: bump protoc-gen-go to 1.36.3 (#29359) 2025-01-22 13:58:43 -05:00
Mike Palmiotto
f503f739de identity: Resolve conflicts with rename (#29356)
This PR introduces a new type of conflict resolution for duplicate
Entities and Groups. Renaming provides a way of preventing Vault from
entering case-sensitive mode, which is the current behavior for any kind
of duplicate.

Renames append the conflicting identity artifact's UUID to its name and
update a metadata field to indicate the pre-existing artifact's UUID.

The feature is gated by the force-identity-deduplication activation flag.

In order to maintain consistent behavior between the reporting resolver
and the rename operation, we need to adjust the behavior of generated
reports. Previously, they intentionally preserved existing Group merge
determinism, wherein the last MemDB update would win and all others
would be renamed. This approach is more complicated for the rename
resolver, since we would need to update any duplicated entity in the
cache while inserting the new duplicate (resulting in two MemDB
operations). Though we can ensure atomic updates of the two identity
artifacts with transactions (which we could get for groups with a minor
adjustment, and we will get along with batching of Entity upserts on 
load), it's far simpler to just rename all but the first insert as proposed
in the current PR.

Since the feature is gated by an activation flag with appropriate 
warnings of potential changes via the reporting resolver, we opt
for simplicity over maintaining pre-existing behavior. We can revisit
this assumption later if we think alignment with existing behavior
outweighs any potential complexity in the rename operation.

Entity alias resolution is left alone as a destructive merge operation
to prevent a potentially high-impact change in existing behavior.
2025-01-15 14:24:49 -05:00
Bianca
896532ef89 Add state change logic to reload from storage -- activation flags (#29341) 2025-01-10 11:56:40 +00:00
Bianca
ab4e8da697 Port activation flags with dynamic registration (#29237) 2025-01-09 10:27:58 -03:00
Ryan Cragun
357b2949e3 protobuf: rebuild protos with protobuf 1.36.2 (#29318)
* protobuf: rebuild protos with protobuf 1.36.2
* format: please buf formatter

Signed-off-by: Ryan Cragun <me@ryan.ec>
2025-01-08 21:35:04 +00:00
miagilepner
4f32443722 fixes for flakes in raft removed tests (#29270)
* fixes for flakes in raft removed tests

* one more fix
2025-01-07 13:56:07 +01:00
Ryan Cragun
f730d31bc6 protobuf: rebuild protos with protobuf 1.36 (#29229)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2025-01-03 14:19:00 -07:00
Steven Clark
7d26c54350 Do not use static certificates for diagnose tests (#29122)
* Do not use static certificates for diagnose tests

* Fix operator command tests, move PKI CA creation code into testhelper lib

* Fix compilation error from refactoring
2024-12-09 14:03:16 +01:00
Scott Miller
86ba0dbdeb Use go-secure-stdlib's RSA key generator backed by a DRBG (#29020)
* Use DRBG based RSA key generation everywhere

* switch to the conditional generator

* Use DRBG based RSA key generation everywhere

* switch to the conditional generator

* Add an ENV var to disable the DRBG in a pinch

* update go.mod

* Use DRBG based RSA key generation everywhere

* switch to the conditional generator

* Add an ENV var to disable the DRBG in a pinch

* Use DRBG based RSA key generation everywhere

* update go.mod

* fix import

* Remove rsa2 alias, remove test code

* move cryptoutil/rsa.go to sdk

* move imports too

* remove makefile change

* rsa2->rsa

* more rsa2->rsa, remove test code

* fix some overzealous search/replace

* Update to a real tag

* changelog

* copyright

* work around copyright check

* work around copyright check pt2

* bunch of dupe imports

* missing import

* wrong license

* fix go.mod conflict

* missed a spot

* dupe import
2024-12-05 15:39:16 -06:00
Bruno Oliveira de Souza
a2c467cc22 VAULT-31409: trace postUnseal function (#28895)
* initial implementation of unseal trace

* close file if we fail to start the trace

didn't bother to check the error from traceFile.Close()

* use reloadable config instead of env var

* license

* remove leftover

* allow setting custom dir and remove new package

* bring back StartDebugTrace

after talking to Kuba it sounds like it's a good idea to try to move stuff out of core, so even if there's no immediate need for a generic debug trace function it's still fair to add it

* track postUnseal instead of unsealInternal

also some usability improvements from manual testing

* address PR comments

* address security review

there were concerns about using the /tmp directory because of permissions, or having a default dir at all, so now it's required to set a dir in order to generate the traces.

* add unit tests to StartDebugTrace

* move back to default dir

* document new parameters

* add tiny integration test

* avoid column in trace filename

sounds like it might be forbidden in Windows and possibly cause problems in some MacOS applications.

* address PR feedback

* add go doc to test

CI was complaining about missing comments on the new test function. It feels a bit silly to require this of tests but whatever XD

* fix tests
2024-11-26 15:04:34 -03:00
Violet Hynes
b20beaec66 VAULT-32507: CE Changes (#29004) 2024-11-25 14:08:15 -05:00
Violet Hynes
1196624670 CE Changes for Auth Method Usage Metrics (#28931)
* CE Changes for Auth Method Usage Metrics

* Import cycle weirdness

* Cleanup
2024-11-19 09:39:46 -05:00
divyaac
52ba156d47 Fix protoc issue (#28928) 2024-11-15 19:33:48 +00:00
Steven Clark
c3d5c1b3ec Update to Go 1.23.3 (#28920)
* Update to Go 1.23.3

 - Update to latest major version of Go 1.23.3 from 1.22.8.
 - Update github.com/sasha-s/go-deadlock to address deadlock timer
   issue we were seeing.
 - Fix one of our tests to only reset the member variable we change
   instead of the entire Opts parameter to avoid a data race during
   testing.

* Add workaround for MSSQL TLS certificate container issue
2024-11-15 13:32:09 -05:00
miagilepner
10bd15f956 VAULT-30877: Repopulate AWS static creds queue in initialize (#28775)
* populate rotation queue in initialize

* docs, changelog

* add t.Helper()
2024-11-04 09:32:14 -06:00
miagilepner
4439ee8798 Fix Windows chown error (#28748)
* noop for windows chown

* changelog
2024-10-22 14:57:26 +02:00
Ryan Cragun
b6145bc3bb protobuf: rebuild protos with protobuf 1.35.1 (main) (#28617)
* protobuf: rebuild protos with protobuf 1.35.1
* protobuf: unpin protoc-gen-go-grpc on main

Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-10-07 14:54:51 -06:00
Scott Miller
6ad78c4102 Remove one more use of ScalarMult from CE (#28585)
* Remove one more use of ScalarMult from CE

* get param order right
2024-10-03 15:59:42 -05:00
Steven Clark
6acfc8e212 Add a core test logger to help capture the MSSQL container output (#28472)
* Add a core test logger to help capture the MSSQL container output

 - I believe the if t.Failed prevents the logging of the container
   logging as when executed the test isn't considered failed yet.
 - Use a test core logger so that we can capture the container output
   all the time and get it from the captured log files when the test
   fails

* bump image tag to 2022-latest

---------

Co-authored-by: JM Faircloth <jmfaircloth@hashicorp.com>
2024-09-23 13:57:21 -04:00
Steven Clark
13de053935 Do not shadow err within MSSQL test container initialization (#28468)
- Get better test failure error messages by not shadowing the errors
   when we are attempting to start the MSSQL docker container, so
   we can fail the tests with the proper error message that is occurring
   instead of mssqlhelper.go:60: Could not start docker MSSQL: %!s(<nil>)
2024-09-23 12:22:11 -04:00
crystalstall
8dee06f977 chore: fix some function names (#28251)
Signed-off-by: crystalstall <crystalruby@qq.com>
2024-09-04 09:38:52 -04:00
vinay-gopalan
ec9b675f70 Add OSS stub functions for Self-Managed Static Roles (#28199) 2024-08-29 10:01:01 -07:00
John-Michael Faircloth
3fcb1a67c5 database/postgres: add inline certificate authentication fields (#28024)
* add inline cert auth to postgres db plugin

* handle both sslinline and new TLS plugin fields

* refactor PrepareTestContainerWithSSL

* add tests for postgres inline TLS fields

* changelog

* revert back to errwrap since the middleware sanitizing depends on it

* enable only setting sslrootcert
2024-08-09 14:20:19 -05:00
John-Michael Faircloth
899ebd4aff db/postgres: add feature flag protected sslinline configuration (#27871)
* adds sslinline option to postgres conn string
* for database secrets type postgres, inspects the connection string for sslinline and generates a tlsconfig from the connection string.

* support fallback hosts

* remove broken multihost test

* bootstrap container with cert material

* overwrite pg config and set key file perms

* add feature flag check

* add tests

* add license and comments

* test all ssl modes

* add test cases for dsn (key/value) connection strings

* add fallback test cases

* fix error formatting

* add test for multi-host when using pgx native conn url parsing

---------

Co-authored-by: Branden Horiuchi <Branden.Horiuchi@blackline.com>
2024-08-01 11:43:54 -05:00
idnandre
e26c246cbb chore: fix deprecated ioutil readall (#27823)
Signed-off-by: idnandre <andre@idntimes.com>
2024-07-30 09:18:24 -04:00
Violet Hynes
dbecbcec18 VAULT-27384 Fix faulty assignments and unchecked errors (#27810)
* VAULT-27384 Fix faulty assignments and unchecked errors

* Another missed error

* Small refactor
2024-07-22 16:53:02 -04:00
John-Michael Faircloth
d6a588b8d2 db: refactor postgres test helpers (#27811)
* db: refactor postgres test helpers

* fix references to refactored test helper

* fix references to refactored test helper

* fix failing test
2024-07-19 09:47:34 -05:00
Violet Hynes
f55cc0b384 Fix CE drift (#27697) 2024-07-04 18:46:14 +00:00
Violet Hynes
fd884ad1a0 Removal of go-testing-interface (CE changes) (#27578)
* Removal of go-testing-interface CE changes

* CE only fine

* Changelog

* Changelog
2024-07-04 11:09:41 -04:00
akshya96
01f78f59b1 Add auto-roll billing start date changes CE changes (#27656)
* add NormalizeToYear function and test

* add ent changelog

* test name typo
2024-07-02 10:59:52 -07:00
Marc Boudreau
8f26f19950 add retry logic in ldap.PrepareTestContainer (#27617) 2024-07-02 10:47:32 -04:00
Peter Wilson
89276a56b2 VAULT-6803: fix listener issue if using proxy_protocol_behavior with deny_unauthorized for untrusted upstream connections (#27589)
* timeout 'testListenerConnFn' waiting on the server connection after 3 secs

* return the invalid upstream error so the library knows not to stop listening/serving

* update go-proxyproto to use fork/tag

* test that fails before library and code update, but passes afterwards
2024-06-26 07:52:13 +00:00
Marc Boudreau
837a5fef88 Extract logic to select appropriate RWMutex implementation for stateLock (#27456)
* improve: extract logic to select either locking.DeadlockRWMutex or locking.SyncRWMutex out of CreateCore and into their own functions

* add copyright header for new files

* move new files to helper/locking package

* adjust names of helper functions moved to locking package
2024-06-13 10:21:55 -04:00
Marc Boudreau
30d287edeb capture docker logs if container creation failed (#27449) 2024-06-13 08:05:01 -04:00
Thy Ton
83111c010c use BUILD_MINIMAL env to build minimal Vault with few storage options and plugins (#27394) 2024-06-12 16:53:49 +00:00
Steven Clark
64316fa084 Fix PKCS7 parser failing to parse degenerated certificate messages (#27435)
* Fix PKCS7 parser failing to parse degenerated certificate messages

* Add cl
2024-06-11 12:57:54 -04:00
Steven Clark
d152de025d Pin generated proto files to 1.34.2 (#27438) 2024-06-11 12:29:45 -04:00
Marc Boudreau
47b7e9d303 capture container logs prior to removing container if the test is failed (#27332) 2024-06-04 11:30:42 -04:00
John-Michael Faircloth
91f2b9f91d remove deprecated centrify auth method (#27130)
* remove deprecated centrify auth method

* changelog
2024-05-20 17:49:47 +00:00
Victor Rodriguez
bfbc926f0a Add NewTestLoggerWithSuffix for tests that need multiple log files. (#26879) 2024-05-09 09:46:34 -04:00
Peter Wilson
ec1f261db9 NewTestCluster: default to enabling a 'discard' file audit device when none are configured (#26861)
* Removed unrequired noop audit factory declaration

* Default NewTestCluster to using file audit device (discard)
2024-05-07 16:49:20 +01:00
Mike Palmiotto
2d75711019 make proto 1.34.1 (#26856) 2024-05-07 14:33:18 +00:00
Peter Wilson
195fc8333d Updated comments (#26730) 2024-05-01 12:36:06 +01:00
Ryan Cragun
5d763ac052 proto: rebuild with the latest protoc-gen-go (#26698)
Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-04-30 13:05:49 -06:00
Victor Rodriguez
e7ea297f8c Add new func RetryUntilAtCadenceWithHandler to testhelpers.go. (#26611)
* Add new func RetryUntilAtCadenceWithHandler to testhelpers.go.

* Correct godoc comment for RetryUntilAtCadenceWithHandles.

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

---------

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2024-04-24 10:53:46 -04:00
Peter Wilson
8bee54c89d VAULT-24452: audit refactor (#26460)
* Refactor audit code into audit package
* remove builtin/audit
* removed unrequired files
2024-04-18 08:25:04 +01:00