Sort CA chain into root and intermediates on VerifyCertificate.
In order for the Certificate.Verify method to work correctly, the certificates
in the CA chain need to be sorted into separate root and intermediate
certificate pools.
Add unit tests to verify that name constraints in both the root and intermediate
certificates are checked.
Support all fields of the name constraints extension when generating CA certs.
The PKI secrets engine only provided the parameter permitted_dns_domains to create
the name constraints extension when generating CA certificates.
Add the following parameters to provide full support for the extension:
* permitted_email_addresses
* permitted_ip_ranges
* permitted_uri_domains
* excluded_dns_domains
* excluded_email_addresses
* excluded_ip_ranges
* excluded_uri_domains
Specifying any combination of these parameters will trigger the creation of the
name constraints extension as per RFC 5280 section 4.2.1.10.
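Added example, not code from Vault or from either PR: a stand-alone Go program that issues a root with name constraints (a permitted DNS domain and IP range plus an excluded DNS domain, the Go-side equivalents of permitted_dns_domains, permitted_ip_ranges and excluded_dns_domains), a constrained intermediate and a leaf, then verifies the leaf after sorting the CA chain into separate root and intermediate pools as the first commit describes. The CA names, constraint values, serial number and validity window are constructed for the example.

```go
package main
import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// newCert fills in the boilerplate fields of tmpl and signs it with pkey; a nil parent makes it self-signed.
func newCert(tmpl, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed serial and validity; a real CA issues unique random serials and applies its own validity policy.
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = big.NewInt(1), time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// VerifyAgainstChain sorts the CA chain into separate root and intermediate pools (self-signed = root) before calling Verify; Go then builds the path from the two pools and checks the name constraints of every CA on it.
func VerifyAgainstChain(leaf *x509.Certificate, chain []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range chain {
		if bytes.Equal(c.RawIssuer, c.RawSubject) {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// LeafAllowed builds root -> intermediate -> leaf. The root permits example.com and 10.0.0.0/8 and excludes internal.example.com; the intermediate permits only example.com. Both constraint sets apply to the leaf's SANs.
func LeafAllowed(dns []string, ips []net.IP) bool {
	_, net10, _ := net.ParseCIDR("10.0.0.0/8")
	root := &x509.Certificate{Subject: pkix.Name{CommonName: "Constrained Root"}, IsCA: true, PermittedDNSDomains: []string{"example.com"}, ExcludedDNSDomains: []string{"internal.example.com"}, PermittedIPRanges: []*net.IPNet{net10}}
	rootCert, rootKey := newCert(root, nil, nil)
	interCert, interKey := newCert(&x509.Certificate{Subject: pkix.Name{CommonName: "Intermediate"}, IsCA: true, PermittedDNSDomains: []string{"example.com"}}, rootCert, rootKey)
	leafCert, _ := newCert(&x509.Certificate{Subject: pkix.Name{CommonName: "leaf"}, DNSNames: dns, IPAddresses: ips}, interCert, interKey)
	return VerifyAgainstChain(leafCert, []*x509.Certificate{interCert, rootCert}) == nil
}
```

Putting both CAs into a single pool passed as Roots would make Go treat the intermediate as a trust anchor and never evaluate the root's constraints, which is the mistake the pool sorting avoids.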
* [VAULT-19467] Vault UI Breadcrumb Title Case
* should use Title Case
* update changelog
* rename changelog
* update tests
* more test updates
* update tests
---------
Co-authored-by: Tony Wittinger <anwittin@users.noreply.github.com>
Various different CI jobs need Go modules in order to build or test
Vault. To speed this up in CI we cache them in Github Actions.
The caching requires downloading all modules first in order to upload
them to the actions cache, which is performed by calling the
`go-mod-download` Make target. This target will iterate over the
directory tree and download Go modules in all directories that include
a `go.mod` file.
There are two small problems with this approach that we resolved with
this PR:
* Our `go-mod-download` target would download modules for all
`go.mod`'s present in the directory tree, regardless of whether or not
they are required to build or test Vault. Only downloading those
required results in slightly smaller caches.
* `tools/pipeline` is intentionally a separate Go module so as to not
require its modules in order to build Vault, however, our
`go-mod-download` downloading all modules requires the workflow
environment to include auth credentials for internal modules. If a
community-contributed PR modifies a `go.mod`, which in turn requires
a new cache, the PR will always fail because it cannot download
modules that require secrets.
Now we avoid installing our `tools/pipeline` modules when generating our
module cache which should allow community contributed PRs to execute
build and Go tests, while skipping enos workflows which already required
secrets and were thus skipped.
Signed-off-by: Ryan Cragun <me@ryan.ec>
* Update the page description for SEO improvement
* Update the description for SEO improvement
* Update the description
* Update website/content/docs/secrets/transform/ff3-tweak-details.mdx
Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>
* Fixing a typo
* Incorporate review feedback
---------
Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>
* transfer over all changes from original pr
* changelog
* add serialize catch for no empty string environment
* move ttl format logic to parent route
* Update 29047.txt
* clean up some comments
* Update changelog/29047.txt
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update changelog/29047.txt
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/components/secret-engine/configure-azure.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* first round of addressing pr comments, holding off on the issue save flow for error messaging to keep separate
* Update CODEOWNERS
merge issue
* small clean up tasks
* updates
* test coverage
* small cleanup
* small clean up
* clean up
* clean up getters on model
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
-path must be before auth method, otherwise an error is thrown
"Command flags must be provided before positional arguments. The following arguments will not be parsed as flags: [-path=my-auth]"
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
This PR introduces a new interface for conflict resolution of duplicate
Identity artifacts. The initial implementation just reorganizes the code
to use the interface with no behavior change.
The interface is intended to provide a minimal touchpoint for
implementing new conflict resolution behavior. Since those changes will
also introduce significant testcases, the aim here is to merge the new
interface and ensure the current code works as intended (according to
existing tests).
* docs: add Secrets Sync SSRF protection breaking change to 1.17 upgrade guide
The Secrets Sync feature in 1.17.3 introduced SSRF protection that blocks private IP ranges, affecting users accessing secret stores through private endpoints. This adds documentation about the change and available options.
* renamed issue
* referenced secret sync ssrf known issue
* re-ordered secret sync known issue in page
* Hide copy-to-clipboard button on the output example codeblock
---------
Co-authored-by: yhyakuna <yoko@hashicorp.com>