* add key types and encryption for cbc
* add decryption
* start adding tests
* add tests for policy functions
* add convergent case
* add enterprise check and key creation test cases
* fix key generation and add import/export
* add tests and fixes
* add changelog
* linter
* refactor policy functions and fix IV
* add ce change
* fix function calls
* fix factories in function call
* fix IV test case
* test fixes
* add cbc keys to read
* change iv
* fix merge errors
* make fmt
* change error name and add iv error
* fix tests
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
* remove local time logic, and force cron to be UTC
* add test comment
* update docs
* add changelog
* change mesasge
* add utc clarification to docs
* remove utc reference in root token docs
* remove doc from partial
* consider possibility of NextVaultRotation being nil on queue population
* move test
* add changelog
* fix reference to nil, and improve debug log
* use helper function to write static roles to storage
* add password check in test
* fix godoc
* fix changelog and add remediation debug line
* force ticker to run, and make sure credential doesnt rotate
* add another edge case
* fix godoc
* check ttl is less in test
* check error case and if resp is nil
* make check on ttl more robust
* Add API warning based on DB type
* Add deprecation notice
* Add warning to the top of the docs pages
* Update capabilities table
* Filter SQLConnectionProducer fields from unrecognized parameters warning
* Add test case
* PR Review Feedback
* Remove openssl test, to be included in a separate testing PR.
* Openssl test for DeltaCRL + Move Test Helpers to test_helpers
* Switch to regex instead of contains due to different whitespace when running in CI.
* require explicit value for disable_mlock
* set disable_mlock back to true for all docker tests
* fix build error
* update test config files
* change explicit mlock check to apply to integrated storage only.
* formatting and typo fixes
* added test for raft
* remove erroneous test
* remove unecessary doc line
* remove unecessary var
* pr suggestions
* test compile fix
* add mlock config value to enos tests
* enos lint
* update enos tests to pass disable_mlock value
* move mlock error to runtime to check for env var
* fixed mlock config detection logic
* call out mlock on/off tradeoffs to docs
* rewording production hardening section on mlock for clarity
* update error message when missing disable_mlock value to help customers with the previous default
* fix config doc error and update production-hardening doc to align with existing recommendations.
* remove extra check for mlock config value
* fix docker recovery test
* Update changelog/29974.txt
Explicitly call out that Vault will not start without disable_mlock included in the config.
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* more docker test experimentation.
* passing disable_mlock into test cluster
* add VAULT_DISABLE_MLOCK envvar to docker tests and pass through the value
* add missing envvar for docker env test
* upate additional docker test disable_mlock values
* Apply suggestions from code review
Use active voice.
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* outline of key usage fix
* Changelog, and test-fix
* Simplify code setting key_usage
* make fmt
* Per internal dicussion to align closer to the CAB guidelines, only allow DigitalSignature.
* Breaking Change: error if invalid key_usage to generate root or sign-intermediate.
* Change error to warning in order to not break backwards compatibility.
* add ce changes for ssh managed keys
* fix key gen and storage logic
* update to include managed key name and uuid in storage
* change to ssh.PublicKey and add ssh.Signer functions
* fix managed key stored values
* database: fix reload to not fail early
* return logical.ErrorRresponse; add tests
* do not return noop warnings; add logs
* changelog
* use name for log; remove event doc
* Sign empty to cert on manual-chain update.
* Add role defaults.
* Add changelog.
* More useful error message.
* Suggestions from PR Review.
* Fixes to update as well as write; test that still fails; revert code.
* Unit Test fix.
* Add go doc to TestManualChainValidation
* Move all pki-verification calls from sdk-Verify() to pki-specific
VerifyCertifcate(...); update sdk-Verify to allow multiple chains,
but validate that at least one of those chains is valid.
* Updates to Validate on Parse PEMBlock, so that a single cert or a single key parses (test fixes).
* Add changelog.
* Make test certificate expire in a while, not at linux epoch.
* Remove duplicate code.
* Fix header file + go mod tidy.
* Updates based on review.
* Fix "t.Fatal from a non-test goroutine" errors in cache_test.go
- t.Fatal(f) should not be called within a Go routine based on it's documentation and only from the main test's thread.
- In 1.24 this seems to cause build failures
* Address all "non-constant format string errors" from go vet
- Within 1.24 these now cause test builds to fail
…" from go vet
