* go: bump to Go v1.26.3
* go: upgrade golang.org/x/net to resolve GO-2026-4918
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* go: resolve CVE-2026-39883 by upgrading go.opentelemetry.io/otel/sdk to v1.43.0
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* go: resolve CVE-2026-34986 and CVE-2026-34986 by upgrading github.com/go-jose/go-jose
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* license: update headers to IBM Corp.
* `make proto`
* update offset because source file changed
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* bump go-getter to 1.7.9 (#8899)
* bump go-getter to 1.7.9
* add changelog
* go mod tidy
Signed-off-by: Ryan Cragun <me@ryan.ec>
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Josh Black <raskchanky@gmail.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Rework certificate authentication api
- Use the passed in Vault api client to perform the connection
- This provides namespace support, retry behaviors and uses
the existing secret parsing logic instead of re-implementing it
- Change the cert auth role to be an optional argument
- Allow users to use a different cert auth mount point
* Clean up test name
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
---------
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
* Update go-jose to v3.0.4
- Updating to address CVE-2025-27144
* Update v4 references in sdk and api
* Update go-jose across all api auth projects to v4.0.5
Go module tooling mandates that each sub-module contains its own LICENSE file.
If absent, it defaults to the LICENSE file in the root of the git repository.
This resulted in the api/auth/* modules erroneously inheriting the BUSL
license instead of the correct MPL license, as indicated by the SPDX info in
the actual API code.
This update ensures that module documentation is displayed correctly on
pkg.go.dev and resolves issues with various tools showing incorrect license
information for the sub-modules.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Update AWS auth method certificates
Add tests that the `rsa2048` document can also be verified using the
`pkcs7` field for AWS auth.
Due to the use of SHA-1-based signatures for the `identity` and `pkcs7`
methods, we want to encourage moving toward using the RSA 2048 workflow,
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html
This doesn't require code changes for Vault necessarily, but adding in
the (many) certificates will help end users.
Also adds `rsa2048` option to API to fetch the RSA 2048 signature.
I will make a PR to update the AWS auth docs to document the RSA 2048
flow soon after this.
* [api] Add LDAP auth method
This commit adds LDAP to the available Vault API auth methods.
* Add changelog entry for PR 13841
* Obtain password for LDAPAuth from File/EnvVar
* Fix name of package in error message
* Add native Login method for GCP auth backend
* Add native Login method for Azure auth backend
* Add changelog entry
* Use official azure library Environment struct rather than passing string, add timeouts
* Use v1.3.0 which now has interface definition
* Don't throw away error and close resp body
* Back to WithResource so we can support non-Azure URLs for aud