* PostgreSQL backend passwordless authentication in cloud
* adding changelog
* Updating deprecated docker test types
* adding unit tests for getAuthConfig
* removing cloud auth based tests due to failure in CI. Unit test should focus on the default flow.
* Adding function name for lint
* Add API warning based on DB type
* Add deprecation notice
* Add warning to the top of the docs pages
* Update capabilities table
* Filter SQLConnectionProducer fields from unrecognized parameters warning
* Add test case
* drop the actual value of the secret entered by the user from printing inside field validation
* add changelog
* upgrade vault radar version to 0.24.0
* feedback
* remove changelog
* require explicit value for disable_mlock
* set disable_mlock back to true for all docker tests
* fix build error
* update test config files
* change explicit mlock check to apply to integrated storage only.
* formatting and typo fixes
* added test for raft
* remove erroneous test
* remove unnecessary doc line
* remove unnecessary var
* pr suggestions
* test compile fix
* add mlock config value to enos tests
* enos lint
* update enos tests to pass disable_mlock value
* move mlock error to runtime to check for env var
* fixed mlock config detection logic
* call out mlock on/off tradeoffs to docs
* rewording production hardening section on mlock for clarity
* update error message when missing disable_mlock value to help customers with the previous default
* fix config doc error and update production-hardening doc to align with existing recommendations.
* remove extra check for mlock config value
* fix docker recovery test
* Update changelog/29974.txt
Explicitly call out that Vault will not start without disable_mlock included in the config.
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* more docker test experimentation.
* passing disable_mlock into test cluster
* add VAULT_DISABLE_MLOCK envvar to docker tests and pass through the value
* add missing envvar for docker env test
* update additional docker test disable_mlock values
* Apply suggestions from code review
Use active voice.
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Introduce hashicorp/go-metrics compatibility
Compatibility is attained with build tags
Using tag armonmetrics or no tag at all will result in the library utilizing github.com/armon/go-metrics for metrics emission
Using tag hashicorpmetrics will result in the library utilizing the updated github.com/hashicorp/go-metrics for metrics emission.
Bump root module go.mod to pull in indirect hashicorp/go-metrics dependency from the sdk module
Update module readme.
Updates
* Finish the sentence.
* Update sdk/README.md
Co-authored-by: Paul Banks <pbanks@hashicorp.com>
* Fix up errant usage of non-compat module
* Fix go fmt
---------
Co-authored-by: Paul Banks <pbanks@hashicorp.com>
Co-authored-by: Josh Black <raskchanky@gmail.com>
* outline of key usage fix
* Changelog, and test-fix
* Simplify code setting key_usage
* make fmt
* Per internal discussion to align closer to the CAB guidelines, only allow DigitalSignature.
* Breaking Change: error if invalid key_usage to generate root or sign-intermediate.
* Change error to warning in order to not break backwards compatibility.
The test container that we use for many LDAP tests recently merged a
breaking change: https://github.com/rroemhild/docker-test-openldap/issues/62
Add support for using containers via references with digests and pin to the latest
version that worked. We can unpin later if so desired.
Signed-off-by: Ryan Cragun <me@ryan.ec>
* Update go-jose to v3.0.4
- Updating to address CVE-2025-27144
* Update v4 references in sdk and api
* Update go-jose across all api auth projects to v4.0.5
`gosimports` is the preferred style for module imports and it is
enforced via CI. I've found that things often manage to drift so I've
taken the liberty to update our pre-commit hook to verify our imports
formatting before a change is committed.
Along with updating the formatting helper I've also run `make fmt` to
resolve any formatting drift that managed to make it into the codebase.
Signed-off-by: Ryan Cragun <me@ryan.ec>
* identity: Ensure state is changed on activation
This PR introduces some changes to the way activation flags are
processed in Vault.
Rather than reaching into subsystems and modifying
state from the activationflags package, each plugin can now register its
own ActivationFunc. Updates to activation flags now trigger the
feature's ActivationFunc, which can encapsulate the associated
subsystem state.
We include a few bugfixes and minor cosmetic changes, like updates to
log lines and godocs.
* Check for nil system backend
* Move deduplication activation to common file
* Add identity dedup activation log lines
* Make interface methods clearer
* Clean up some comments
* More cleanups
* fixup! More cleanups
* fixup! More cleanups
* Move all pki-verification calls from sdk-Verify() to pki-specific
VerifyCertifcate(...); update sdk-Verify to allow multiple chains,
but validate that at least one of those chains is valid.
* Updates to Validate on Parse PEMBlock, so that a single cert or a single key parses (test fixes).
* Add changelog.
* Make test certificate expire in a while, not at linux epoch.
* Remove duplicate code.
* Fix header file + go mod tidy.
* Updates based on review.
* Fix "t.Fatal from a non-test goroutine" errors in cache_test.go
- t.Fatal(f) should not be called within a Go routine based on its documentation and only from the main test's thread.
- In 1.24 this seems to cause build failures
* Address all "non-constant format string errors" from go vet
- Within 1.24 these now cause test builds to fail
…" from go vet
* Adds an option to enable sAMAccountname logins when upndomain is set
* Adds an option to enable sAMAccountname logins when upndomain is set
* Updated changelog entry
* Update 29118.txt
* Updated cap/ldap version due to needed dependency
* Updated cap/ldap version due to needed dependency
* Restart CI
* Updated LDAP api-docs and docs describing the enable_samaccountname_login option
* Added missing comma in config_test.go
* Update enables_samaccountname
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update enable_samaccountname_login feature documentation
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* sdk/physical: use permitpool from go-secure-stdlib
* physical: use permitpool from go-secure-stdlib
* fixup! sdk/physical: use permitpool from go-secure-stdlib
* fixup! sdk/physical: use permitpool from go-secure-stdlib
* ce changes for vault-31750
* add changelog
* make proto
* refactor naming
* clarify error message
* update changelog
* one more time
* make proto AGAIN
* sdk/db: do not hold the lock on Close
* fix missing locks on return; ensure we don't overwrite instance
* add type and close timeout env vars
* changelog
* go get github.com/hashicorp/cap/ldap@main && go mod tidy
* add 1.19 upgrade note
* changelog
* cd sdk && go get github.com/hashicorp/cap/ldap@main && go mod tidy
* add more detail in changelog
* update changelog
* go mod tidy after resolving merge conflicts