* core: normalize JWT req client token to internal ID
Fix enterprise JWT request handling to replace req.ClientToken with the
internal jwt.<jti> token ID after JIT token entry creation, ensuring
downstream auth/lease flows use internal IDs instead of raw JWT strings.
Add regression assertions in request handling enterprise tests to verify
req/auth/token entry IDs are normalized and raw JWT is not propagated.
* vault: document perf-standby JIT forwarding
* vault: fix enterprise JWT RAR enforcement
Preserve internal JWT token-id normalization while enforcing RAR constraints from request-populated authorization details, with JWT parsing fallback for compatibility.
* Fix perf-standby JWT forwarding token restoration
Prefer inbound original token when restoring forwarding auth headers so perf-standby forwards raw JWT instead of normalized internal token ID.
Also add regression tests for header restoration behavior and clarify godocs for InboundSSCToken semantics.
* Add missing Go docs for forwarding tests
Fix code-checker lint failure by adding go doc comments to new Test* functions in request_handling_test.go.
* Address PR review feedback on type checks and CE wording
Split map lookup and type assertion in getMapString for clarity, and adjust InboundSSCToken doc wording to avoid JWT-specific language in CE file.
* Canonicalize enterprise token handling
Normalize enterprise token inputs to canonical internal IDs in token store paths and remove dual-representation RAR fallback.
* Address review nits on token normalization
Rename enterprise token normalization helper for clarity and update tests to use require.NoError/require.Equal as requested in review feedback.
* Guard sdk ent token tests with enterprise tag
Add enterprise build constraint to sdk/logical/token_ent_test.go so CE-mode sdk/logical checks can run without enterprise-only EntToken fields.
* Remove enterprise build tag from token_ent_test
Revert the temporary build constraint addition in sdk/logical/token_ent_test.go.
---------
Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Move the exact UI Node version into devEngines.runtime so
package.json becomes the pnpm source of truth. Keep
engines.node broad, remove the workspace useNodeVersion
setting, and keep the root version files as manual mirrors.
Update the UI README to describe the root version files as
mirrors and refresh the lockfile to record the Node 20.20.2
runtime dependency.
Co-authored-by: Angelo Cordon <angelo.cordon@hashicorp.com>
Co-authored-by: OpenCode (gpt-5.4) <opencode.noreply@hashicorp.com>

* Attempt to fix build test failures due to docker user change
* Set SKIP_SETCAP as workaround
* SKIP_SETCAP in a few more places
* Try to run command as root for TestConsulFencing_PartitionedLeaderCantWrite test
* Add run as root on a few more commands
* Fix for TestSealHA_SealUnavailable
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

- Implement read configuration test
- Add read non-existent role error handling test
- Add read after update test
- Add list multiple roles test
- Follow established patterns with constants and helper reuse
- All tests verify no sensitive data in responses
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>

Return a templating error if a rendered identity template contains a
glob (*) or directory wildcard (+).
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>

Update the UI's direct handlebars dependency and refresh the
lockfile so the resolved dependency graph picks up 4.7.9.
This clears the open handlebars security findings without pulling in
unrelated dependency upgrades.
Co-authored-by: Angelo Cordon <angelo.cordon@hashicorp.com>
Co-authored-by: OpenCode (gpt-5.4) <opencode.noreply@hashicorp.com>

* fix(custom-messages): show end time for expired/inactive messages
* test: update tests to verify badge text and color combinations
* chore(test-selectors): prefer using generalized test selectors over individual data-test-*
Co-authored-by: Nina Bucholtz <nina.balachandranmary@gmail.com>

- Implement delete existing role test
- Add delete prevents credential access test
- Add delete idempotency test
- Add delete non-existent role test
- Follow established patterns with constants and helper reuse
- All tests verify proper cleanup and error handling
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>

* go: resolve GHSA-92mm-2pjq-r785 by upgrading github.com/hashicorp/go-getter (#13878)
* go: resolve GHSA-92mm-2pjq-r785 by upgrading github.com/hashicorp/go-getter
Signed-off-by: Ryan Cragun <me@ryan.ec>
* go mod tidy
NOTE: go-getter is only used in vault-enterprise. As such this change
only represents modified transient dependencies.
Signed-off-by: Ryan Cragun <me@ryan.ec>
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>

* first LLM attempt
* temporarily return to version 2 to allow HCP image build
* fix test and set version back to 3
* undo version change
* lint and changelog
* rename changelog
* rename changelog.. again
Co-authored-by: Bruno Oliveira de Souza <bruno.souza@hashicorp.com>

* LDAP create role name field should only contain lowercase and alphanumeric characters
* Add changelog..
* Fix controller issue
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>

* identity: allow oauth profile alias accessors
Allow identity/entity-alias mount_accessor to use sys/config/oauth-resource-server/<profile> when the profile exists in the request namespace, while preserving existing mount accessor and namespace checks for real mounts.
Add focused identity alias tests for valid profile accessor acceptance and unknown profile rejection.
* identity: document alias accessor validation cases
Add GoDoc for validateAliasMountAccessor to clarify supported mount_accessor validation for auth-method aliases and OAuth/External JWT profile-style aliases.
* identity: use namespace+configid oauth alias accessor
Implement synthetic OAuth alias mount_accessor format as oauth_resource_server_<namespace_id>_<config_id> and validate by namespace and config ID for identity/entity-alias.
Add stable config_id to OAuth resource-server profiles, expose it on profile read responses, and add compatibility hydration for older stored profiles missing config_id.
Update identity alias tests for new accessor encoding and add cross-namespace rejection coverage.
* oauth: persist legacy profile config ids on read
Backfill missing OAuth Resource Server profile config_id under profile lock and persist it so config_id remains stable for synthetic identity alias accessors.
Update config-id lookup to resolve profiles through the read path so legacy entries are migrated before matching.
Add regression test covering legacy no-config_id profile migration and successful alias creation with migrated accessor.
* identity: clarify oauth profile existence check
Document that getOAuthResourceServerConfigProfileByConfigID is used only to verify the referenced OAuth profile exists during synthetic mount_accessor validation.
* oauth: add config-id index for O(1) lookup
Add profiles-by-config-id storage index and switch getOAuthResourceServerConfigProfileByConfigID to index-based resolution to avoid O(N) profile scans during alias accessor validation.
Persist index entries on profile upsert, clean them up on delete, and keep legacy config_id backfill path consistent with indexed storage.
Add regression tests for indexed lookup, missing-index behavior, and index cleanup on delete.
* vault: isolate oauth alias validation by build tag
* vault: move oauth accessor constants to enterprise file
* vault: tighten alias accessor validation returns
* vault: require oauth profile config_id on read
* vault: redact oauth profile identifiers in logs
* vault: remove oauth profile identifiers from logs
* vault: harden oauth log redaction paths
* vault: fix oauth invalidation replicated-path test fixture
* vault: remove sensitive error payloads from oauth logs
* Address PR review feedback for logging and tests
- restore operational error logging in OAuth invalidation/read/delete paths
- improve nil synthetic alias validator diagnostics with explicit log + internal error
- move config_id index tests from core-based vault tests to external NewTestCluster tests
- export GetOAuthResourceServerConfigProfileByConfigID for external coverage
* Apply review feedback for alias validator nil case
- include mount_accessor context in operational log when synthetic validator is nil
- return accessor-specific internal configuration error for easier troubleshooting
* Consolidate OAuth config_id tests into existing storage test file
- move config_id index coverage into oauth_resource_storage_ent_test.go
- remove standalone oauth_resource_config_id_index_ent_test.go
* Apply review nit for accessor prefix constant
- trim oauthResourceServerAliasAccessorPrefix to remove trailing underscore
- build synthetic accessor using explicit separator concatenation
* tests: migrate oauth alias accessor coverage to external
* identity: switch oauth synthetic accessor prefix to hyphenated
---------
Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>