* cli: only set default command parameter to plugin name if sha256 is provided
* api: write warnings to RegisterPluginResponse, propagate up to cli
* api: filter out 'Endpoint replaced the value of these parameters' warning before returning in RegisterPluginWithContext
* docs
* add TODO on filtering that links to api type parameter deprecation ticket
* fix tests
* allocate filteredWarning slice only if there are warnings
* improve deferred resp close and early error return conditionals in RegisterPluginWithContext
* refer to sha256 as cli option -sha256 in command cli usage
* break up ui error lines for sha256 and version flag check
* consolidate if statements for sha256 and command, oci_image check in cli
* consolidate if statements for sha256 and command, oci_image check in api
* new RegisterPluginV2 and RegisterPluginWithContextV2 api client functions for backward compatibility
* add changelog
* more descriptive changelog
* rename RegisterPluginV2 to RegisterPluginDetailed and RegisterPluginWithContextV2 to RegisterPluginWithContextDetailed
* return nil, nil if no warnings to preserve status code
* fix eof from decoding (check if no content before decoding)
* doc for RegisterPluginResponse
* only validate plugin.Command in plugin catalog set for downloaded and binary plugins, which rely on plugin.Command input; extracted artifact plugins don't rely on plugin.Command input
* Update website/content/api-docs/system/plugins-catalog.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/system/plugins-catalog.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/system/plugins-catalog.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/commands/plugin/register.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/commands/plugin/register.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/commands/plugin/register.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/commands/plugin/register.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* move up enterprise note on plugin register command doc
* [DOCS] Editorial suggestions for PR #30811 (#31111)
* suggestions
* move common reqs to a partial
* fix typo
* tweak reqs
* Update website/content/partials/plugins/prepare-plugin.mdx
Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>
* Update website/content/partials/plugins/prepare-plugin.mdx
Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>
* Update website/content/partials/plugins/prepare-plugin.mdx
Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>
* tweak feedback
* remove deprecation
* Update website/content/partials/plugins/common-requirements.mdx
Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>
* save
* Update website/content/docs/plugins/rollback.mdx
Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>
* Update website/content/docs/plugins/upgrade.mdx
Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>
* fix formatting
---------
Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* round up
* round up, test, update backoff
* add external test
* changelog
* use released version of go-retryablehttp
* update api version of go-retryablehttp
* fix name
* upgrade hcl dependency on api pkg
This upgrades the hcl dependency for the API pkg,
and adapts its usage so users of our API pkg are
not affected. There's no good way of communicating
a warning via a library call so we don't.
The tokenHelper which is used by all Vault CLI
commands in order to create the Vault client, as
well as directly used by the login and server
commands, is implemented on the api pkg, so this
upgrade also affects all of those commands. Seems
like this was only moved to the api pkg because
the Terraform provider uses it, and I thought
creating a full copy of all those files back under
command would be too much spaghetti.
Also leaving some TODOs to make next deprecation
steps easier.
* upgrade hcl dependency in vault and sdk pkgs
* upgrade hcl dependency in vault and sdk pkgs
* add CLI warnings to commands that take a config
- vault agent (unit test on CMD warning)
- vault proxy (unit test on CMD warning)
- vault server (no test for the warning)
- vault operator diagnose (no tests at all, uses the
same function as vault server)
* ignore duplicates on ParseKMSes function
* Extend policy parsing functions and warn on policy store
* Add warning on policy fmt with duplicate attributes
* Add warnings when creating/updating policy with duplicate HCL attrs
* Add log warning when switchedGetPolicy finds duplicate attrs
Following operations can trigger this warning when they run into a policy
with duplicate attributes:
* replication filtered path namespaces invalidation
* policy read API
* building an ACL (for many different purposes like most authZ operations)
* looking up DR token policies
* creating a token with named policies
* when caching the policies for all namespaces during unseal
* Print log warnings when token inline policy has duplicate attrs
No unit tests on these as new test infra would have to be built on all.
Operations affected, which will now print a log warning when the retrieved
token has an inline policy with duplicate attributes:
* capabilities endpoints in sys mount
* handing events under a subscription with a token with duplicate
attrs in inline policies
* token used to create another token has duplicate attrs in inline
policies (sudo check)
* all uses of fetchACLTokenEntryAndEntity when the request uses a
token with inline policies with duplicate attrs. Almost all reqs
are subject to this
* when tokens are created with inline policies (unclear exactly how that
can happen)
* add changelog and deprecation notice
* add missing copywrite notice
* fix copy-paste mistake
good thing it was covered by unit tests
* Fix manual parsing of telemetry field in SharedConfig
This commit in the hcl library was not in the
v1.0.1-vault-5 version we're using but is
included in v1.0.1-vault-7:
e80118accb
This thing of reusing when parsing means that
our approach of manually re-parsing fields
on top of fields that have already been parsed
by the hcl annotation causes strings (maybe
more?) to concatenate.
Fix that by removing annotation. There's
actually more occurrences of this thing of
automatically parsing something that is also
manually parsing. In some places we could
just remove the boilerplate manual parsing, in
others we better remove the auto parsing, but
I don't wanna pull at that thread right now. I
just checked that all places at least fully
overwrite the automatically parsed field
instead of reusing it as the target of the
decode call. The only exception is the AOP
field on ent but that doesn't have maps or
slices, so I think it's fine.
An alternative approach would be to ensure
that the auto-parsed value is discarded,
like the current parseCache function does
note how it's template not templates
* Fix linter complaints
* Update command/base_predict.go
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
* address review
* remove copywrite headers
* re-add copywrite headers
* make fmt
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* undo changes to deprecation.mdx
* remove deprecation doc
* fix conflict with changes from main
---------
Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* [OT] use `new` builtin for visual clarity
`new(ExternalTokenHelper)` is a lot easier to parse than
`(*ExternalTokenHelper)(nil)`
* add `Args` field to `ExternalTokenHelper`
This will be used to store any extra command arguments and allows
`BinaryPath` to hold *just* the binary path.
* remove shell invocation
Since `BinPath` no longer has to hold any additional arguments we can
execute the command directly without invoking the shell first.
* update `testExternalTokenHelper` to make use of the new `Args` field
* updated `ExternalTokenHelper` documentation
* Add changelog entry for token_helper without shell
Currently using 0.txt until we have a PR id.
* Rename 0.txt to 29653.txt
We got a PR ID, so fix the changelog file
---------
Co-authored-by: Roosevelt Burden <rburden@grantstreet.com>
Co-authored-by: Roosevelt Burden <roosevelt.burden@grantstreet.com>
* Rework certificate authentication api
- Use the passed in Vault api client to perform the connection
- This provides namespace support, retry behaviors and uses
the existing secret parsing logic instead of re-implementing it
- Change the cert auth role to be an optional argument
- Allow users to use a different cert auth mount point
* Clean up test name
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
---------
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
* Update go-jose to v3.0.4
- Updating to address CVE-2025-27144
* Update v4 references in sdk and api
* Update go-jose across all api auth projects to v4.0.5
* Fix "t.Fatal from a non-test goroutine" errors in cache_test.go
- t.Fatal(f) should not be called within a Go routine based on its documentation and only from the main test's thread.
- In 1.24 this seems to cause build failures
* Address all "non-constant format string errors" from go vet
- Within 1.24 these now cause test builds to fail
…" from go vet
* logic
* actually got test working
* heartbeat health test
* fix healthy definition and add changelog
* fix test condition
* actually fix test condition
* Update vault/testing.go
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* close body
---------
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* Support trimming trailing slashes via a mount tuneable to support CMPv2
* changelog/
* Perform trimming in handleLoginRequest too
* Eagerly fetch the mount entry so we only test this once
* Add a mount match function that gets path and entry
* Update vault/request_handling.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* more docs
* Some patches (from ENT) didn't apply
* patch fail
* Update vault/router.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* PR feedback
* dupe
* another dupe
* Add support for enabling trim_request_trailing_slashes on mount creation
* Fix read mount api returning configuration for trim_request_trailing_slashes
* Fix test assertion
* Switch enable and tune arguments to BoolPtrVal to allow end-users to specify false flag
* Add trim-request-trailing-slashes to the auth enable API and CLI
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Go module tooling mandates that each sub-module contains its own LICENSE file.
If absent, it defaults to the LICENSE file in the root of the git repository.
This resulted in the api/auth/* modules erroneously inheriting the BUSL
license instead of the correct MPL license, as indicated by the SPDX info in
the actual API code.
This update ensures that module documentation is displayed correctly on
pkg.go.dev and resolves issues with various tools showing incorrect license
information for the sub-modules.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
* VAULT-28577: change CSV MIME type to text/csv
* VAULT-28578: require sudo for export API
* add validation and associated error handling
* change export API default to 204 if no data returned
* VAULT-28579: allow export API in non-root namespace, add filtering support
* update test fixtures to reflect filtering changes
* TestActivityLog_Export moved to ENT-only test
* add test to verify sudo access
* add changelog entry
This makes it so projects that are already using backoff don't need to
pull up an old version of it just because of vault/api. This major
version change is compatible with existing usage in code.
Refs #24707.
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* check if "identity_policies" is nil to fix cli vault login error
* add changelog
* skip add identity_policies to resp when there's no identity_policies associated in token's namespace
This is an edge case: when an entity has identity_policies associated in other namespaces but no identity_policies in this token's namespace, `identityPolicies[out.NamespaceID]` is nil, and the client side doesn't handle nil, which raises an error.
* update changelog
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* VAULT-25341 Address issue where having no permissions to renew caused Agent and Proxy auth to attempt to renew with no backoff
* Fiddle with go.mod changes that shouldn't have happened
* VAULT-25341 small cleanup and extra test
* VAULT-25341 backoff only in error case
* VAULT-25341 godocs
* VAULT-25342 changelog
* Update command/agent_test.go
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
* VAULT-25341 rename file audit
---------
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
We have many hand-written String() methods (and similar) for enums.
These require more maintenance and are more error-prone than using
automatically generated methods. In addition, the auto-generated
versions can be more efficient.
Here, we switch to using https://github.com/loggerhead/enumer, itself
a fork of https://github.com/diegostamigni/enumer, no longer maintained,
and a fork of the mostly standard tool
https://pkg.go.dev/golang.org/x/tools/cmd/stringer.
We use this fork of enumer for Go 1.20+ compatibility and because
we require the `-transform` flag to be able to generate
constants that match our current code base.
Some enums were not targeted for this change:
* Move command/config + command/token to api/cliconfig + api/tokenhelper
* Remove unused functions and unused import
* Simplify and inline function copied from SDK
* Delete unused duplicated/forwarding config implementation from command package
* Delete unused code, unexport API surface that's only used internally to the package
* Fix up license headers
* Add changelog
* Tweak .gitignore to track hcl files in testdata/ folders