- Implement delete existing role test
- Add delete prevents credential access test
- Add delete idempotency test
- Add delete non-existent role test
- Follow established patterns with constants and helper reuse
- All tests verify proper cleanup and error handling
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
* go: resolve GHSA-92mm-2pjq-r785 by upgrade github.com/hashicorp/go-getter (#13878)
* go: resolve GHSA-92mm-2pjq-r785 by upgrade github.com/hashicorp/go-getter
Signed-off-by: Ryan Cragun <me@ryan.ec>
* go mod tidy
NOTE: go-getter is only used in vault-enterprise. As such this change
only represents modified transient dependencies.
Signed-off-by: Ryan Cragun <me@ryan.ec>
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* first LLM attempt
* temporarily return to version 2 to allow HCP image build
* fix test and set version back to 3
* undo version change
* lint and changelog
* rename changelog
* rename changelog.. again
Co-authored-by: Bruno Oliveira de Souza <bruno.souza@hashicorp.com>
* LDAP create role name field should only contain lowercase and alphanumeric characters
* Add changelog..
* Fix controller issue
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* identity: allow oauth profile alias accessors
Allow identity/entity-alias mount_accessor to use sys/config/oauth-resource-server/<profile> when the profile exists in the request namespace, while preserving existing mount accessor and namespace checks for real mounts.
Add focused identity alias tests for valid profile accessor acceptance and unknown profile rejection.
* identity: document alias accessor validation cases
Add GoDoc for validateAliasMountAccessor to clarify supported mount_accessor validation for auth-method aliases and OAuth/External JWT profile-style aliases.
* identity: use namespace+configid oauth alias accessor
Implement synthetic OAuth alias mount_accessor format as oauth_resource_server_<namespace_id>_<config_id> and validate by namespace and config ID for identity/entity-alias.
Add stable config_id to OAuth resource-server profiles, expose it on profile read responses, and add compatibility hydration for older stored profiles missing config_id.
Update identity alias tests for new accessor encoding and add cross-namespace rejection coverage.
* oauth: persist legacy profile config ids on read
Backfill missing OAuth Resource Server profile config_id under profile lock and persist it so config_id remains stable for synthetic identity alias accessors.
Update config-id lookup to resolve profiles through the read path so legacy entries are migrated before matching.
Add regression test covering legacy no-config_id profile migration and successful alias creation with migrated accessor.
* identity: clarify oauth profile existence check
Document that getOAuthResourceServerConfigProfileByConfigID is used only to verify the referenced OAuth profile exists during synthetic mount_accessor validation.
* oauth: add config-id index for O(1) lookup
Add profiles-by-config-id storage index and switch getOAuthResourceServerConfigProfileByConfigID to index-based resolution to avoid O(N) profile scans during alias accessor validation.
Persist index entries on profile upsert, clean them up on delete, and keep legacy config_id backfill path consistent with indexed storage.
Add regression tests for indexed lookup, missing-index behavior, and index cleanup on delete.
* vault: isolate oauth alias validation by build tag
* vault: move oauth accessor constants to enterprise file
* vault: tighten alias accessor validation returns
* vault: require oauth profile config_id on read
* vault: redact oauth profile identifiers in logs
* vault: remove oauth profile identifiers from logs
* vault: harden oauth log redaction paths
* vault: fix oauth invalidation replicated-path test fixture
* vault: remove sensitive error payloads from oauth logs
* Address PR review feedback for logging and tests
- restore operational error logging in OAuth invalidation/read/delete paths
- improve nil synthetic alias validator diagnostics with explicit log + internal error
- move config_id index tests from core-based vault tests to external NewTestCluster tests
- export GetOAuthResourceServerConfigProfileByConfigID for external coverage
* Apply review feedback for alias validator nil case
- include mount_accessor context in operational log when synthetic validator is nil
- return accessor-specific internal configuration error for easier troubleshooting
* Consolidate OAuth config_id tests into existing storage test file
- move config_id index coverage into oauth_resource_storage_ent_test.go
- remove standalone oauth_resource_config_id_index_ent_test.go
* Apply review nit for accessor prefix constant
- trim oauthResourceServerAliasAccessorPrefix to remove trailing underscore
- build synthetic accessor using explicit separator concatenation
* tests: migrate oauth alias accessor coverage to external
* identity: switch oauth synthetic accessor prefix to hyphenated
---------
Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* add freshest crl to base
* add test
* add helper, add test case for delta crl
* add openssl test
* add changelog
* add removed nil check
* add go doc
* change keytype to ec
* rotate CRL instead of role/issue/revoke a cert and add ldap url test case
* move root generation outside test loop
* remove length check so urls are always set for each test case
* remove unnecessary clearing
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Pull in the patched DOMPurify release used by the UI sanitizer helper and Carbon Charts.
Co-authored-by: Angelo Cordon <angelo.cordon@hashicorp.com>
Co-authored-by: OpenCode Agent (GPT-5.4) <opencode-agent@users.noreply.github.com>
* go: resolve CVE-2026-39883 by upgrading go.opentelemetry.io/otel/sdk to v1.43.0
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Add PostgreSQL Blackbox Coverage for DB Connection Management (#13313)
* Add blackbox test for PostgreSQL database config create endpoint
* Moving to postgresql folder
* Adding test case for multi-host PostgreSQL connection
* Adding DSN test case
* Adding Connection verification test
* Get Connection verification test
* Adding test cases for list/delete/reset connections
* Refactoring and adding helper
* Refactoring and adding helper
---------
Co-authored-by: Kajal Kusum <kajal.kusum@ibm.com>
* Move postgres tests to database subdirectory to match modular structure
* go mod
* go mod
* pgx
---------
Co-authored-by: KajalKusum <kajal.kusum@hashicorp.com>
Co-authored-by: Kajal Kusum <kajal.kusum@ibm.com>
Co-authored-by: LT Carbonell <ltcarbonell@pm.me>
- Resolve GHSA-xmrv-pmrh-hhx2 by upgrading our AWS v2 modules.
- Add an exemption for GHSA-6jwv-w5xf-7j27 as it is not really an issue. See the note in the scanner config for more info.
- Resolve GO-2026-4870, GO-2026-4947, GO-2026-4866, GO-2026-4864, GO-2026-4869, GO-2026-4865, and GO-2026-4946 by upgrading to Go 1.26.2
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
parse token from request body instead of targeting the request token
---------
Co-authored-by: Michael Stott <michael.stott@hashicorp.com>
Co-authored-by: mstott2 <michael.stott@hashicorp.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* no-op commit
* [Mongo SDK Plugin] (enos): Add MongoDB plugin test framework for Enos (#13576)
* Add modular database infrastructure for Enos testing
Infrastructure Changes:
- Created generic database_container module supporting PostgreSQL, MongoDB, MySQL
- Consolidated database configs in enos-globals.hcl with dynamic port generation
- Refactored set_up_external_integration_target to use generic module with for_each
- Updated enos-scenario-plugin.hcl to pass database_configs from globals
Test Organization:
- Reorganized test structure: moved postgres/ and mongodb/ into database/ directory
- Maintains existing production-ready test helpers
- Structure: plugins/database/{postgres,mongodb}/ for better organization
Benefits:
- Easy to add new databases (just add to database_configs in globals)
- No code duplication across database types
- Consistent patterns for all database testing
- Supports both Docker containers and external database URLs
---------
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
* removes unnecessary version overrides for deps
* reverts unpinning @embroider/macros
* bumps @embroider/macros to latest and removes pin
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>