This causes the registry to now contain ent plugins on ent; previously it did not, though that appears to have been the intention. I believe this is because of the order in which inits were run.
Having changed this, various tests broke that were relying on the incorrect behaviour. Several tests were changed to rely less on opaque counts of expected plugins, instead they're now using explicit comparison by name.
* VAULT-19255 first pass at structure for event updater
* VAULT-19255 some more work, committign before rebase
* VAULT-19255 Mostly finish event updating scaffolding
* VAULT-19255 some additional coverage, clean-up, etc
* VAULT-19255 some clean-up
* VAULT-19255 fix tests
* VAULT-19255 more WIP event system integration
* VAULT-19255 More WIP
* VAULT-19255 more discovery
* VAULT-19255 add new test, some clean up
* VAULT-19255 fix bug, extra clean-up
* VAULT-19255 fix bugs, and clean up
* VAULT-19255 clean imports, add more godocs
* VAULT-19255 add config for test
* VAULT-19255 typo
* VAULT-19255 don't do the kv refactor in this PR
* VAULT-19255 update docs
* VAULT-19255 PR feedback
* VAULT-19255 More specific error messages
* redaction should only work for TCP listeners, also fix bug that allowed custom response headers for unix listeners
* fix failing test
* updates from PR feedback
* Correct the post-unseal meaning of the seal status type
And at the same time add a RecoverySealType to the response which preserves the old meaning.
Updated the CLI to display both when relevant.
* changelog
* no longer needed
* Don't need this field either, which fixes unit tests
* fix unit tests
* implement user lockout logger
* formatting
* make user lockout log interval configurable
* create func to get locked user count, and fix potential deadlock
* fix test
* fix test
* add changelog
* VAULT-19237 Add mount_type to secret response
* VAULT-19237 changelog
* VAULT-19237 make MountType generic
* VAULT-19237 clean up comment
* VAULT-19237 update changelog
* VAULT-19237 update test, remove mounttype from wrapped responses
* VAULT-19237 fix a lot of tests
* VAULT-19237 standby test
* ensure -log-level is added to core config (#23017)
* Feature/document tls servername (#22714)
* Add Raft TLS Helm examples
Co-authored-by: Pascal Reeb <pascal.reeb@adfinis.com>
---------
* Clean up unused CRL entries when issuer is removed (#23007)
* Clean up unused CRL entries when issuer is removed
When a issuer is removed, the space utilized by its CRL was not freed,
both from the CRL config mapping issuer IDs to CRL IDs and from the
CRL storage entry. We thus implement a two step cleanup, wherein
orphaned CRL IDs are removed from the config and any remaining full
CRL entries are removed from disk.
This relates to a Consul<->Vault interop issue (#22980), wherein Consul
creates a new issuer on every leadership election, causing this config
to grow. Deleting issuers manually does not entirely solve this problem
as the config does not fully reclaim space used in this entry.
Notably, an observation that when deleting issuers, the CRL was rebuilt
on secondary clusters (due to the invalidation not caring about type of
the operation); for consistency and to clean up the unified CRLs, we
also need to run the rebuild on the active primary cluster that deleted
the issuer as well.
This approach does allow cleanup on existing impacted clusters by simply
rebuilding the CRL.
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case on CRL removal
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* UI: Handle control group error on SSH (#23025)
* Handle control group error on SSH
* Add changelog
* Fix enterprise failure of TestCRLIssuerRemoval (#23038)
This fixes the enterprise failure of the test
```
=== FAIL: builtin/logical/pki TestCRLIssuerRemoval (0.00s)
crl_test.go:1456:
Error Trace: /home/runner/actions-runner/_work/vault-enterprise/vault-enterprise/builtin/logical/pki/crl_test.go:1456
Error: Received unexpected error:
Global, cross-cluster revocation queue cannot be enabled when auto rebuilding is disabled as the local cluster may not have the certificate entry!
Test: TestCRLIssuerRemoval
Messages: failed enabling unified CRLs on enterprise
```
* fix LDAP auto auth changelog (#23027)
* VAULT-19233 First part of caching static secrets work
* VAULT-19233 update godoc
* VAULT-19233 invalidate cache on non-GET
* VAULT-19233 add locking to proxy cache writes
* VAULT-19233 add caching of capabilities map, and some additional test coverage
* VAULT-19233 Additional testing
* VAULT-19233 namespaces for cache ids
* VAULT-19233 cache-clear testing and implementation
* VAULT-19233 adjust format, add more tests
* VAULT-19233 some more docs
* VAULT-19233 Add RLock holding for map access
* VAULT-19233 PR comments
* VAULT-19233 Different table for capabilities indexes
* VAULT-19233 keep unique for request path
* VAULT-19233 passthrough for non-v1 requests
* VAULT-19233 some renames/PR comment updates
* VAULT-19233 remove type from capabilities index
* VAULT-19233 remove obsolete capabilities
* VAULT-19233 remove erroneous capabilities
* VAULT-19233 woops, missed a test
* VAULT-19233 typo
* VAULT-19233 add custom error for cachememdb
* VAULT-19233 fix cachememdb test
---------
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
Co-authored-by: Andreas Gruhler <andreas.gruhler@adfinis.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
* add redaction config settings to listener
* sys seal redaction + test modification for default handler properties
* build date should be redacted by 'redact_version' too
* sys-health redaction + test fiddling
* sys-leader redaction
* added changelog
* Lots of places need ListenerConfig
* Renamed options to something more specific for now
* tests for listener config options
* changelog updated
* updates based on PR comments
* updates based on PR comments - removed unrequired test case field
* fixes for docker tests and potentially server dev mode related flags
- Only enable the warning mode for seals being unavailable when
multiple exist when running within multi-seal mode.
- This addresses a panic that occurs when a legacy style
migration is attempted and the non-disabled seal is unavailable.
* Provide a better error message around initializing with multiple seals
- Specifically callout during cluster initialization or initial beta
seal migration that we can only have a single seal enabled with the
following error message:
`Initializing a cluster or enabling multi-seal on an existing cluster must occur with a single seal before adding additional seals`
- Handle the use case that we have multiple seals configured, but
some are disabled, leaving a single enabled seal. This is the legacy
seal migratation case that works without the BETA flag set, so should
work with it set as well.
* Update the expected error messages within seal tests
* Remove support for old style migration configurations in multi-seal
* Match multiple seals using name/type only
- This fix addresses an issue that changing any seal configuration in an existing seal stanza such as the Vault token would cause negate the seal matching.
- If this was the only seal that was previously used or slight tweaks happened to all the seals Vault would fail to start with an error of
"must have at least one seal in common with the old generation."
- Also add a little more output to the validation error messages about
the current seal and configured seal information to help in
diagnosing errors in the future
* Tweak formatting and text on method doc
* Update comment around forcing a seal rewrap
* fix panic: Fail in goroutine after TestProxy_Config_ReloadTls has completed
* fix proxy test
* feedback
* track the command output code and stdout/err
* allow users to specify files for child process stdout/stderr
* added changelog
* check if exec config is nil
* fix test
* first attempt at a test
* revise test
* passing test
* added failing test
* Apply suggestions from code review
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
* code review suggestions
* always close log files
* refactor to use real files
* hopefully fixed tests
* add back bool gates so we don't close global stdout/stderr
* compare to os.Stdout/os.Stderr
* remove unused
---------
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
If the agent fails to start, for example when a port conflict occurs,
we want the test to fail fast, rather than continuing until the test
times out.
If this 5-second timeout occurs waiting for the agent to start up,
then the it does not make logical sense to continue the test. So,
we use `t.Fatalf` to trigger the failure.
Subscribing to events through a WebSocket now support boolean
expressions to filter only the events wanted based on the fields
* `event_type`
* `operation`
* `source_plugin_mount`
* `data_path`
* `namespace`
Example expressions:
These can be passed to `vault events subscribe`, e.g.,:
* `event_type == abc`
* `source_plugin_mount == secret/`
* `event_type != def and operation != write`
```sh
vault events subscribe -filter='source_plugin_mount == secret/' 'kv*'
```
The docs for the `vault events subscribe` command and API endpoint
will be coming shortly in a different PR, and will include a better
specification for these expressions, similar to (or linking to)
https://developer.hashicorp.com/boundary/docs/concepts/filtering
The flag `events.alpha1` will no longer do anything, but we keep it
to prevent breaking users who have it in their configurations or
startup flags, or if it is referenced in other code.
- Doubtful this will ever happen in real life
- We would nil panic if the public_key field was not present in the
wrapping key response
- Also trap a casting error if the public key was not an RSA public key
Implements running plugins in containers to give them some degree
of isolation from the main Vault process and other plugins. It only
supports running on Linux initially, where it is easiest to manage unix
socket communication across the container boundary.
Additionally
* Adds -env arg to vault plugin register.
* Don't return env from 'vault plugin info'
Historically it's been omitted, and it could conceivably have secret information in
it, so if we want to return it in the response, it should probably only be via explicit
opt-in. Skipping for now though as it's not the main purpose of the commit.
* Add -dev-tls-san flag
This is helpful when wanting to set up a dev server with TLS in Kubernetes
and any other situations where the dev server may not be the same machine
as the Vault client (e.g. in combination with some /etc/hosts entries)
* Automatically add (best-effort only) -dev-listen-address host to extraSANs
