* PKI: Add a new leaf_not_after_behavior value to force erroring in all circumstances
- We introduce a new value called `always_enforce_err` for the existing
leaf_not_after_behavior on a PKI issuer. The new value will force we
error out all requests that have a TTL beyond the issuer's NotAfter value.
- This will apply to leaf certificates issued through the API as did err,
but now to CA issuance and ACME requests for which we previously changed
the err configuration to truncate.
* Add cl
* Update UI test
* Fix changelog type
* secrets/ssh: Return the allow_empty_principals field in read api
- Return the new field in the read response api and add a test case
that will catch these errors in the future of adding a field to
the ssh role and not returning it in the read api response
* Add cl
* Pull versioned golang images in Zlint testsuite to avoid pulling with latest
- Leverage the versioned golang images which should be more static avoiding
issues we somtimes encounter pulling latest images from our docker mirror.
- We use the golang runtime version to avoid having to update this test
continuously.
* Fallback to latest if the version tag isn't a release tag
- The key update API would release the lock a little too early
after it persisted the update so the reference could be updated
when it was preparing the response to the caller across updates
and/or key rotations
- The storage updates were okay, just the response back to the caller
of the update might see a mixture of different updates
* Fix ACME http-01 challenges for IPv6 IPs
- We weren't properly encapsulating the IPv6 IP within the url provided
to the http client with [].
* Add cl
* Cleanup a test println
* wip
* Unit test the CRL limit, wire up config
* Bigger error
* API docs
* wording
* max_crl_entries, + ignore 0 or < -1 values to the config endpoint
* changelog
* rename field in docs
* Update website/content/api-docs/secret/pki/index.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update website/content/api-docs/secret/pki/index.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* [transit-pkcs1v15] transit support for the pkcs1v15 padding scheme – without UI tests (yet).
* [transit-pkcs1v15] renamed padding_scheme parameter in transit documentation.
* [transit-pkcs1v15] add changelog file.
* [transit-pkcs1v15] remove the algorithm path as padding_scheme is chosen by parameter.
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Add warnings to PKCS1v1.5 usage
* Update transit
* Update transit, including separating encrypt/decrypt paddings for rewrap
* Clean up factory use in the presence of padding
* address review feedback
* remove defaults
* lint
* more lint
* Some fixes for UI issues
- Fix padding scheme dropdown console error by adding values
to the transit-key-actions.hbs
- Populate both padding scheme drop down menus within rewrap,
not just the one padding_scheme
- Do not submit a padding_scheme value through POST for non-rsa keys
* Fix Transit rewrap API to use decrypt_padding_scheme, encrypt_padding_scheme
- Map the appropriate API fields for the RSA padding scheme to the
batch items within the rewrap API
- Add the ability to create RSA keys within the encrypt API endpoint
- Add test case for rewrap api that leverages the padding_scheme fields
* Fix code linting issues
* simply padding scheme enum
* Apply suggestions from code review
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Fix padding_scheme processing on data key api
- The data key api was using the incorrect parameter name for
the padding scheme
- Enforce that padding_scheme is only used on RSA keys, we
are punting on supporting it for managed keys at the moment.
* Add tests for parsePaddingSchemeArg
* Add missing copywrite headers
* Some small UI fixes
* Add missing param to datakey in api-docs
* Do not send padding_scheme for non-RSA key types within UI
* add UI tests for transit key actions form
---------
Co-authored-by: Marcel Lanz <marcellanz@n-1.ch>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
* Set region parameter to be used for STS only on AWS secrets engine
* Add changelog
* Fix formatting
* region fix when not setting iam_endpoint or sts_endpoint
* Add 'sts_region' parameter for AWS secrets engine.
* Update TestBackend_PathConfigRoot for aws secrets
* Update changelog entry
---------
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
- I have a suspicion the for loop with the timer can be infinite loops
in certain circumstances. Instead leverage the normal test helpers
for fetching tidy status
* Track the last PKI auto-tidy time ran for use across nodes
- If the interval time for auto-tidy is longer then say a regularly
scheduled restart of Vault, auto-tidy is never run. This is due to
the time of the last run of tidy is only kept in memory and
initialized on startup to the current time
- Store the last run of any tidy, to maintain previous behavior, to
a cluster local file, which is read in/initialized upon a mount
initialization.
* Add auto-tidy configuration fields for backing off at startup
* Add new auto-tidy fields to UI
* Update api docs for auto-tidy
* Add cl
* Update field description text
* Apply Claire's suggestions from code review
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Implementing PR feedback from the UI team
* remove explicit defaults and types so we retrieve from backend, decouple enabling auto tidy from duration, move params to auto settings section
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
* Split the Key_Usage Field into separate fields - one for the Cert
Endpoints (Sign-intermediate/Generate Root) the other for the CSR
Endpoint (intermediate generate). These have different defaults,
and descriptions.
* Fix schema test.
* Make reception of an empty valid principals configurable based on a role flag.
Adds allow_empty_principals, which if true allows valid_principals on credential generation calls
to be empty.
* changelog
* Allow empty principals on unrelated unit test
* whitespace
* adding a check for nil values returned by the queue
* adding changelog
* changing to be more idiomatic
* fixing error message to be a bit more clear
* reverting change to error handling
* Update builtin/logical/aws/path_static_roles.go
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
---------
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
* Ferry ocsp_ca_certificates over the OCSP ValidationConf
* changelog
* First check issuer, then check extraCAS
* Use the correct cert when the signature validation from issuer succeeds
* Validate via extraCas in the cert missing case as well
* dedupe logic
* remove CA test
* Add missing revocation storage lock on RevokeCert refactoring
* Refactor internal PKI revocation API
- Process the odd logical.Response/error returns internally to make
the returns better consumable from other users.
- Leverage the GetConfigWithUpdate to fetch the current CRL config, otherwise we can use older or nil configs.
- Sometimes we are failing to pull the zlint tagged version from
GitHub when building up the test containers. Add a simple retry
around the container building step to see if this resolves the
issue.
* skip connection verification on config read
* ensure appropriate default on config update call that results in a creation
* changelog
* leave verify_connection in config read response
* update test to handle output of verify_connection parameter
* fix remaining tests
* add inline cert auth to postres db plugin
* handle both sslinline and new TLS plugin fields
* refactor PrepareTestContainerWithSSL
* add tests for postgres inline TLS fields
* changelog
* revert back to errwrap since the middleware sanitizing depends on it
* enable only setting sslrootcert
- Avoid this error for now
zlint_test.go:149: got unexpected error from test e_subj_orgunit_in_ca_cert: map[details:The OU attribute in the Subject is prohibited in Root and TLS CA certificates result:error]
* adds sslinline option to postgres conn string
* for database secrets type postgres, inspects the connection string for sslinline and generates a tlsconfig from the connection string.
* support fallback hosts
* remove broken multihost test
* bootstrap container with cert material
* overwrite pg config and set key file perms
* add feature flag check
* add tests
* add license and comments
* test all ssl modes
* add test cases for dsn (key/value) connection strings
* add fallback test cases
* fix error formatting
* add test for multi-host when using pgx native conn url parsing
---------
Co-authored-by: Branden Horiuchi <Branden.Horiuchi@blackline.com>
* Improve trusted cert loading in Certificate Auth
Currently, cert auth has a cache of certName->trusted certificate data. This cache is updated lazily on login. In highly concurrent situations, several logins
of the same cert or more likely, logins not specifying role name may happen simulataneously. In the status quo, each results in going to storage, fetching the role data
(or all roles!), unmarshalling, and certificate parsing.
This change puts a lock matrix in front of the cache miss scenario, so only one of the logins will load and process the role data. In addition, we treat
the absent role name specially, caching it separately so that it cannot be flushed by eviction on the role cache.
* changelog
* cleanup
* Return the proper serial number in OCSP verification errors
- We returned the issuer's certificate number instead of the serial
number of the actual certificate we validated from an OCSP request.
- The problematic serial number within the error are never shown
currently in Vault. The only user of this library is cert-auth
which swallows errors around revoked certificates and returns
a boolean false instead of the actual error message.
* Add cl
* Use previously formatted serial in error msg
