* Update to Go 1.23.3
- Update to latest major version of Go 1.23.3 from 1.22.8.
- Update github.com/sasha-s/go-deadlock to address a deadlock timer
issue we were seeing.
- Fix one of our tests to only reset the member variable we change
instead of the entire Opts parameter to avoid a data race during
testing.
* Add workaround for MSSQL TLS certificate container issue
* PKI: Add a new leaf_not_after_behavior value to force erroring in all circumstances
- We introduce a new value called `always_enforce_err` for the existing
leaf_not_after_behavior on a PKI issuer. The new value will force us to
error out on all requests that have a TTL beyond the issuer's NotAfter value.
- This will apply to leaf certificates issued through the API, as `err` did,
but now also to CA issuance and ACME requests, for which we previously changed
the `err` configuration to truncate.
* Add cl
* Update UI test
* Fix changelog type
* secrets/ssh: Return the allow_empty_principals field in read api
- Return the new field in the read API response and add a test case
that will catch future errors of adding a field to the SSH role and
not returning it in the read API response.
* Add cl
* expand the leading prefix check to check for double forward and back slashes
* improve the logic to be more concise
* add unit tests
* add a changelog
* make it a bug type
* feedback: reconstruct the check to explicitly check for backslash as well as slash followed by backslash
* Make identity store loading and alias merging deterministic
* Add CHANGELOG
* Refactor our Ent-only logic from determinism test
* Use stub-maker
* Add test godoc
* changes then onto tests
* fix wif test failures
* changelog
* clean up
* address pr comments
* only test one wif engine for relevant tests
* add back engine loop for tests that depend on type
- The key update API would release the lock a little too early
after it persisted the update, so the reference could be updated
while it was preparing the response to the caller, across updates
and/or key rotations.
- The storage updates were okay; only the response back to the caller
of the update might see a mixture of different updates.
* upgrade ember-data 5.3.2, uninstall legacy compat, upgrade ember-cli, ember-source
* use query instead of findAll for auth methods, update tests
* set mutableId for kmip
* show generated private key data before transitioning to details
* update kv metadata test
* remove deprecated methods from path help service
* add changelog, update readme version matrix
* remove toggle template helper
* updating audit file_path duplication
* update test
* updating tests
* fixing go test errors
* adding go test doc for TestCore_EnableExistingAudit
* adding go test doc for TestCore_EnableExistingAudit
* adding go test doc for TestCore_EnableExistingAudit
* adding changelog
* adding suggested comments
* Support trimming trailing slashes via a mount tuneable to support CMPv2
* changelog/
* Perform trimming in handleLoginRequest too
* Eagerly fetch the mount entry so we only test this once
* Add a mount match function that gets path and entry
* Update vault/request_handling.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* more docs
* Some patches (from ENT) didn't apply
* patch fail
* Update vault/router.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* PR feedback
* dupe
* another dupe
* Add support for enabling trim_request_trailing_slashes on mount creation
* Fix read mount api returning configuration for trim_request_trailing_slashes
* Fix test assertion
* Switch enable and tune arguments to BoolPtrVal to allow end-users to specify false flag
* Add trim-request-trailing-slashes to the auth enable API and CLI
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Fix ACME http-01 challenges for IPv6 IPs
- We weren't properly encapsulating the IPv6 IP within the URL provided
to the HTTP client with `[]`.
* Add cl
* Cleanup a test println
* wip
* Unit test the CRL limit, wire up config
* Bigger error
* API docs
* wording
* max_crl_entries, + ignore 0 or < -1 values to the config endpoint
* changelog
* rename field in docs
* Update website/content/api-docs/secret/pki/index.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update website/content/api-docs/secret/pki/index.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* [transit-pkcs1v15] transit support for the pkcs1v15 padding scheme – without UI tests (yet).
* [transit-pkcs1v15] renamed padding_scheme parameter in transit documentation.
* [transit-pkcs1v15] add changelog file.
* [transit-pkcs1v15] remove the algorithm path as padding_scheme is chosen by parameter.
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Add warnings to PKCS1v1.5 usage
* Update transit
* Update transit, including separating encrypt/decrypt paddings for rewrap
* Clean up factory use in the presence of padding
* address review feedback
* remove defaults
* lint
* more lint
* Some fixes for UI issues
- Fix padding scheme dropdown console error by adding values
to the transit-key-actions.hbs
- Populate both padding scheme drop down menus within rewrap,
not just the one padding_scheme
- Do not submit a padding_scheme value through POST for non-rsa keys
* Fix Transit rewrap API to use decrypt_padding_scheme, encrypt_padding_scheme
- Map the appropriate API fields for the RSA padding scheme to the
batch items within the rewrap API
- Add the ability to create RSA keys within the encrypt API endpoint
- Add test case for rewrap api that leverages the padding_scheme fields
* Fix code linting issues
* simplify padding scheme enum
* Apply suggestions from code review
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Fix padding_scheme processing on data key api
- The data key API was using the incorrect parameter name for
the padding scheme.
- Enforce that padding_scheme is only used on RSA keys; we
are punting on supporting it for managed keys at the moment.
* Add tests for parsePaddingSchemeArg
* Add missing copywrite headers
* Some small UI fixes
* Add missing param to datakey in api-docs
* Do not send padding_scheme for non-RSA key types within UI
* add UI tests for transit key actions form
---------
Co-authored-by: Marcel Lanz <marcellanz@n-1.ch>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
* include user-agent header in audit by default
* add user-agent audit tests
* update audit default headers docs
* add changelog entry
* remove temp changes from TestAuditedHeadersConfig_ApplyConfig
* more TestAuditedHeadersConfig_ApplyConfig fixes
* add some test comments
* verify type assertions in TestAudit_Headers
* more type assertion checks
* Set region parameter to be used for STS only on AWS secrets engine
* Add changelog
* Fix formatting
* region fix when not setting iam_endpoint or sts_endpoint
* Add 'sts_region' parameter for AWS secrets engine.
* Update TestBackend_PathConfigRoot for aws secrets
* Update changelog entry
---------
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
* Log when the seal is unavailable as error
* changelog
* Update changelog/28564.txt
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* add warning for when MAP_POPULATE mmap flag not set
* Make mmap flags method handle any flags, where MAP_POPULATE is just one of them
* Only have the log print out on restores
* Add test, make logic more consistent
* Add changelog
* Add godoc for test
* Make test less dangerous
* add auth-config/oidc to openapi model helper
* alphabetize
* update maskedinput selector to be standard data-test-input
* add test
* add changelog
* fix maskedinput test and kv selector
* final textarea selector!
* Track the last PKI auto-tidy time ran for use across nodes
- If the interval time for auto-tidy is longer than, say, a regularly
scheduled restart of Vault, auto-tidy is never run. This is because
the time of the last tidy run is only kept in memory and
initialized on startup to the current time.
- Store the last run of any tidy (to maintain previous behavior) in
a cluster-local file, which is read in/initialized upon mount
initialization.
* Add auto-tidy configuration fields for backing off at startup
* Add new auto-tidy fields to UI
* Update api docs for auto-tidy
* Add cl
* Update field description text
* Apply Claire's suggestions from code review
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Implementing PR feedback from the UI team
* remove explicit defaults and types so we retrieve from backend, decouple enabling auto tidy from duration, move params to auto settings section
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
* Make acceptance of an empty valid_principals list configurable based on a role flag.
Adds allow_empty_principals, which, if true, allows valid_principals on credential generation calls
to be empty.
* changelog
* Allow empty principals on unrelated unit test
* whitespace