* Initial implementation of PKCS11 managed key support for SCEP
* Add test using managed keys for SCEP
* Tweak docs and make pkcs7 decrypter tests after initial direct key tests
* Add cl
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Delete cluster.Start for NewTestCluster clusters, and deprecate and clean up cluster.Cleanup for NewTestCluster clusters (#14014)
* progress
* more progress
* missed cleanup
* fix mistakes
* cleanup
* fix docker cleanup
* various fixes
* further fixes
* further cleanup
* the cleanup will continue until morale improves
* two morE
* more fixes
* how did I miss that
* new test cleanup
* update
* cleanup, attempt small de-flake
* fix and extra cleanup
* some docker cleanup
* newlines
* some testwaitactives
* CE changes
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* add resource orphaning to SCIM client delete
* add background orphaning handling
* delete instead of orphan, add retry and startup tests
* revert: undo accidental changes to Makefile and golang instructions
* fix tests
* stop log flood (try again)
* fix linter findings
* try to silence spam again
* try to silence spam once more
* dont allow running outside of active primary
* go docs
* fix active check and pass client id via context
* remove unnecessary change
* Remove Test_SCIM_ClientDeletion_Cascading
this test was added in another PR but mine already has a bunch of deleting test that work with the new behavior
Co-authored-by: Bruno Oliveira de Souza <bruno.souza@hashicorp.com>
* adding root rotation for ldap auth method for schema AD
* adding test cases for root rotation
* code fix and adding TestRotateRoot_EncodeUTF16LEBytes
* adding constants
* schema validation + unit test
* updated unit test
* removed duplicate enum
* adding acceptance test, unit test, changelog and updating schemaType to schema
* adding logs and comments for debugging
* added validation for config params
* adding validation and test cases to enforce encrypted connection requirements for AD password rotation
* adding fix to data race error in CI pipeline
* addressing PR comments
* fix for backward compatibility for schema and test
* adding validation and tests for multiple URLs for AD root rotation
---------
Co-authored-by: Stuti Srivastava <stuti.srivastava@hashicorp.com>
Co-authored-by: Prajna Nayak <prajna.nayak@hashicorp.com>
* base
* unit tests
* group tests
* groups test
* entity test
* alias test and fix error code
* fix error message
* lint
---------
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* no-op commit
* Backport ce: Import PKI External CA plugin
* Rename from pki_external_ca to pki-external-ca
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Make VAULT_EXPERIMENTS work as feature flags.
Make method IsFlagEnabled treat experiments as feature flags so that they
are accessible to plugins.
* Add experiment kmip.client_api.alpha1.
This experiment enables the KMIP client and template API endpoints.
* Use IsExperimentEnabled rather than ValidExperiments.
* Document TestCore_IsFlagEnabled.
Co-authored-by: Victor Rodriguez <vrizo@hashicorp.com>
* In the random APIs, add a 'prng' param that causes a DRBG seeded from the selected source(s) to be the source of the returned bytes
* fixes, unit test next
* unit tests
* changelog
* memory ramifications
* switch to using a string called drbg
* Update helper/random/random_api.go
* wrong changelog
---------
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* PKI (SCEP): support compound octet strings for inner PKCS7 content (#12019)
* Support compound octet strings for inner PKCS7 content
* Add cl
* Remove hashicorp/go-cmp ENT dependency
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* refactor dependencies and removes disallowed vault imports from builtin Okta auth (#10965)
* move SkipUnlessEnvVarsSet from vault/helper/testhelpers/ to vault/sdk/helper/testhelpers
* use unittest framework from vault-testing-stepwise module in place of sdk/logical
* refactor SkipUnlessEnvVarsSet() and NewAssertAuthPoliciesFunc() to sdk
* bump docker API version to 1.44 matching 2f33549
---------
Co-authored-by: Thy Ton <maithytonn@gmail.com>
* license: update headers to IBM Corp.
* `make proto`
* update offset because source file changed
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Add digest OID to PKCS7/SCEP digest failure logs
- To help debugging in the future without requiring a full packet capture
lets add the digest oid that we used to select the hashing algorithm that
led to the digmest mismatch
* Add cl
* Fix type in CL header
* upgrade hcl dependency on api pkg
This upgrades the hcl dependency for the API pkg,
and adapts its usage so users of our API pkg are
not affected. There's no good way of communicating
a warning via a library call so we don't.
The tokenHelper which is used by all Vault CLI
commands in order to create the Vault client, as
well as directly used by the login and server
commands, is implemented on the api pkg, so this
upgrade also affects all of those commands. Seems
like this was only moved to the api pkg because
the Terraform provider uses it, and I thought
creating a full copy of all those files back under
command would be too much spaghetti.
Also leaving some TODOs to make next deprecation
steps easier.
* upgrade hcl dependency in vault and sdk pkgs
* upgrade hcl dependency in vault and sdk pkgs
* add CLI warnings to commands that take a config
- vault agent (unit test on CMD warning)
- vault proxy (unit test on CMD warning)
- vault server (no test for the warning)
- vault operator diagnose (no tests at all, uses the
same function as vault server
* ignore duplicates on ParseKMSes function
* Extend policy parsing functions and warn on policy store
* Add warning on policy fmt with duplicate attributes
* Add warnings when creating/updating policy with duplicate HCL attrs
* Add log warning when switchedGetPolicy finds duplicate attrs
Following operations can trigger this warning when they run into a policy
with duplicate attributes:
* replication filtered path namespaces invalidation
* policy read API
* building an ACL (for many different purposes like most authZ operations)
* looking up DR token policies
* creating a token with named policies
* when caching the policies for all namespaces during unseal
* Print log warnings when token inline policy has duplicate attrs
No unit tests on these as new test infra would have to be built on all.
Operations affected, which will now print a log warning when the retrieved
token has an inline policy with duplicate attributes:
* capabilities endpoints in sys mount
* handing events under a subscription with a token with duplicate
attrs in inline policies
* token used to create another token has duplicate attrs in inline
policies (sudo check)
* all uses of fetchACLTokenEntryAndEntity when the request uses a
token with inline policies with duplicate attrs. Almost all reqs
are subject to this
* when tokens are created with inline policies (unclear exactly how that
can happen)
* add changelog and deprecation notice
* add missing copywrite notice
* fix copy-paste mistake
good thing it was covered by unit tests
* Fix manual parsing of telemetry field in SharedConfig
This commit in the hcl library was not in the
v1.0.1-vault-5 version we're using but is
included in v1.0.1-vault-7:
e80118accb
This thing of reusing when parsing means that
our approach of manually re-parsing fields
on top of fields that have already been parsed
by the hcl annotation causes strings (maybe
more?) to concatenate.
Fix that by removing annotation. There's
actually more occurrences of this thing of
automatically parsing something that is also
manually parsing. In some places we could
just remove the boilerplate manual parsing, in
others we better remove the auto parsing, but
I don't wanna pull at that thread right now. I
just checked that all places at least fully
overwrite the automatically parsed field
instead of reusing it as the target of the
decode call. The only exception is the AOP
field on ent but that doesn't have maps or
slices, so I think it's fine.
An alternative approach would be to ensure
that the auto-parsed value is discarded,
like the current parseCache function does
note how it's template not templates
* Fix linter complaints
* Update command/base_predict.go
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* address review
* remove copywrite headers
* re-add copywrite headers
* make fmt
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* undo changes to deprecation.mdx
* remove deprecation doc
* fix conflict with changes from main
---------
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* full load
* snapshot manager tested
* integration test
* more tetsts
* remove obselete test
* fix failing test
* move tesdata to ent folder
* add test for RaftDataDirPath
* fix race condition, don't create new barrier instance
* check for nil result
* remove encryption from the barrier storage wrapper
* Update physical/raft/fsm.go
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* fmt
---------
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
This PR fixes CompilePlugin which would fail when run locally in certain
situations based on relative directory paths. This change makes
CompilePlugin perform os.Stat on the full path to the plugin's main.go
file to ensure the test changes to the appropriate directory for
building the plugin.
- The function was incrementing and decrementing a global variable
but was never used so remove it completely and all the commented
out code that references the encodeIndent global.
The test container that we use for many LDAP tests recently merged a
breaking change: https://github.com/rroemhild/docker-test-openldap/issues/62
Add support for using containers via references with digests and pin to the latest
version that worked. We can unpin later if so desired.
Signed-off-by: Ryan Cragun <me@ryan.ec>
* Persist automatic entity merges
* Local aliases write in test
* Add identity entity merge unit property test
* N entities merge
* Persist alias duplication fix
---------
Co-authored-by: Paul Banks <pbanks@hashicorp.com>
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* identity: Ensure state is changed on activation
This PR introduces some changes to the way activation flags are
processed in Vault.
Rather than reaching into subsystems and modifying
state from the activationflags package, each plugin can now register its
own ActivationFunc. Updates to activation flags now trigger the the
feature's ActivationFunc, which can encapsulate the associated
subsystem state.
We include a few bugfixes and minor cosmetic changes, like updates to
log lines and godocs.
* Check for nil system backend
* Move deduplication activation to common file
* Add identity dedup activation log lines
* Make interface methods clearer
* Clean up some comments
* More cleanups
* fixup! More cleanups
* fixup! More cleanups
* Fix "t.Fatal from a non-test goroutine" errors in cache_test.go
- t.Fatal(f) should not be called within a Go routine based on it's documentation and only from the main test's thread.
- In 1.24 this seems to cause build failures
* Address all "non-constant format string errors" from go vet
- Within 1.24 these now cause test builds to fail
…" from go vet
This PR introduces a new type of conflict resolution for duplicate
Entities and Groups. Renaming provides a way of preventing Vault from
entering case-sensitive mode, which is the current behavior for any kind
of duplicate.
Renames append the conflicting identity artifact's UUID to its name and
updates a metadata field to indicate the pre-existing artifact's UUID.
The feature is gated by the force-identity-deduplication activation flag.
In order to maintain consistent behavior between the reporting resolver
and the rename operation, we need to adjust the behavior of generated
reports. Previously, they intentionally preserved existing Group merge
determinism, wherein the last MemDB update would win and all others
would be renamed. This approach is more complicated for the rename
resolver, since we would need to update any duplicated entity in the
cache while inserting the new duplicate (resulting in two MemDB
operations). Though we can ensure atomic updates of the two identity
artifacts with transactions (which we could get for groups with a minor
adjustment, and we will get along with batching of Entity upserts on
load), it's far simpler to just rename all but the first insert as proposed
in the current PR.
Since the feature is gated by an activation flag with appropriate
warnings of potential changes via the reporting resolver, we opt
for simplicity over maintaining pre-existing behavior. We can revisit
this assumption later if we think alignment with existing behavior
outweighs any potential complexity in the rename operation.
Entity alias resolution is left alone as a destructive merge operation
to prevent a potentially high-impact change in existing behavior.
