* PKI: Add a new leaf_not_after_behavior value to force erroring in all circumstances
- We introduce a new value called `always_enforce_err` for the existing
leaf_not_after_behavior on a PKI issuer. The new value will force we
error out all requests that have a TTL beyond the issuer's NotAfter value.
- This will apply to leaf certificates issued through the API as did err,
but now to CA issuance and ACME requests for which we previously changed
the err configuration to truncate.
* Add cl
* Update UI test
* Fix changelog type
* changes then onto tests
* fix wif test failures
* changelog
* clean up
* address pr comments
* only test one wif engine for relevant tests
* add back engine loop for tests that depend on type
* first round, there shall be more
* fix secret test
* more clean up
* maybe last round of clean up?
* this is going to take a while
* all the things or more of them at least
* this is the song that never ends...
* ... it goes on and on my friend.
* clean up clean up everybody lets clean up
* rename mount helper to mountBackend
* clean up 🧹
* address pr comments
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* rename store to pagination, remove store extension
* initial update of service test
* remove superfluous helper
* replace store with pagination service in main app
* update kmip engine syntax
* add pagination to kmip engine
* update to pagination in config-ui engine
* update sync engine to use pagination service
* use pagination service in kv engine
* use pagination service in ldap engine
* use pagination in pki engine
* update renaming clearDataset functions
* link to jira VAULT-31721
* remove comment
* [transit-pkcs1v15] transit support for the pkcs1v15 padding scheme – without UI tests (yet).
* [transit-pkcs1v15] renamed padding_scheme parameter in transit documentation.
* [transit-pkcs1v15] add changelog file.
* [transit-pkcs1v15] remove the algorithm path as padding_scheme is chosen by parameter.
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/templates/components/transit-key-action/datakey.hbs
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Add warnings to PKCS1v1.5 usage
* Update transit
* Update transit, including separating encrypt/decrypt paddings for rewrap
* Clean up factory use in the presence of padding
* address review feedback
* remove defaults
* lint
* more lint
* Some fixes for UI issues
- Fix padding scheme dropdown console error by adding values
to the transit-key-actions.hbs
- Populate both padding scheme drop down menus within rewrap,
not just the one padding_scheme
- Do not submit a padding_scheme value through POST for non-rsa keys
* Fix Transit rewrap API to use decrypt_padding_scheme, encrypt_padding_scheme
- Map the appropriate API fields for the RSA padding scheme to the
batch items within the rewrap API
- Add the ability to create RSA keys within the encrypt API endpoint
- Add test case for rewrap api that leverages the padding_scheme fields
* Fix code linting issues
* simply padding scheme enum
* Apply suggestions from code review
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Fix padding_scheme processing on data key api
- The data key api was using the incorrect parameter name for
the padding scheme
- Enforce that padding_scheme is only used on RSA keys, we
are punting on supporting it for managed keys at the moment.
* Add tests for parsePaddingSchemeArg
* Add missing copywrite headers
* Some small UI fixes
* Add missing param to datakey in api-docs
* Do not send padding_scheme for non-RSA key types within UI
* add UI tests for transit key actions form
---------
Co-authored-by: Marcel Lanz <marcellanz@n-1.ch>
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
* fix promise issues on transformation-edit
* fix one test and the transition problem
* cannot call capabilities service directly inside template because its an unresolved promise
* address transit capabilities issues
* remove deprecations line for promise-proxies
* handle hot mess of delete permissions and such
* blah
* update flash message language. It will now show a flash message for each role whose transformationw as not removed.
* small wording change
* one small change to the default flash message
* Update ui/app/components/transformation-edit.js
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/components/transformation-edit.js
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Update ui/app/components/transformation-edit.js
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* fix policy flow
* fix linting and can't define let outside if block
* fix flashmessage things
* make show and edit use same param
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* add auth-config/oidc to openapi model helper
* alphabetize
* update maskedinput selector to be standard data-test-input
* add test
* add changelog
* fix maskedinput test and kv selector
* final textarea selector!
* Track the last PKI auto-tidy time ran for use across nodes
- If the interval time for auto-tidy is longer then say a regularly
scheduled restart of Vault, auto-tidy is never run. This is due to
the time of the last run of tidy is only kept in memory and
initialized on startup to the current time
- Store the last run of any tidy, to maintain previous behavior, to
a cluster local file, which is read in/initialized upon a mount
initialization.
* Add auto-tidy configuration fields for backing off at startup
* Add new auto-tidy fields to UI
* Update api docs for auto-tidy
* Add cl
* Update field description text
* Apply Claire's suggestions from code review
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Implementing PR feedback from the UI team
* remove explicit defaults and types so we retrieve from backend, decouple enabling auto tidy from duration, move params to auto settings section
---------
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Co-authored-by: claire bontempo <cbontempo@hashicorp.com>
* rename validators util into model-helpers folder
* move kmip-role-fields to model-helpers
* fill out docs
* Move database-helpers into model-helpers
* broom
* add capabilities service to replication engine
* fix capabilities paths in route file
* pass updated capabilities using getters
* add changelog
* fix logic so default is based on undefined capabilities (not no mode)
* absolute hail mary
* what about this?
* that was not right
* nope
* refactor problematic test
* remove all of the runloop stuff, just chasing flaky tests
* chasing authPage
* move away from page objects for runCmd
* replace existing runCmd function
* add line
* test if removing chrome version helps this time?
* rerun tests
* rerun tests
* Revert "test if removing chrome version helps this time?"
This reverts commit 0b189c4f6978d6c55c283e3fe9fddd03d28c4377.
* remove await
* add trace log
* change test:oss command
* remove log tracing
* wip control group fix?
* dont rely on models for capabilities;
* Revert "wip control group fix?"
This reverts commit cf3e896ba05d2fdfe1f6287bba5c862df4e5d553.
* make explicit request for data
* remove dangerous triple curlies
* cleanup template logic and reuse each-in
* remove capability checks from model
* update tests to reflect new behavior
* add test coverage
* fix mirage factory, update details tests
* test control groups VAULT-29471
* finish patch test
* alphabetize!
* does await help?
* fix factory
* add conditionals for control group error
* UI: Implement overview page for KV v2 (#28162)
* build json editor patch form
* finish patch component and tests
* add tab to each route
* and path route
* add overview tab to tests
* update overview to use updated_time instead of created_time
* redirect relevant secret.details to secret.index
* compute secretState in component instead of pass as arg
* add capabilities service
* add error handling to fetchSubkeys adapter request
* add overview tabs to test
* add subtext to overview card
* remaining redirects in secret edit
* remove create new version from popup menu
* fix breadcrumbs for overview
* separate adding capabilities service
* add service to kv engine
* Revert "separate adding capabilities service"
This reverts commit bb70b12ab7dbcde0fbd2d4d81768e5c8b1c420cc.
* Revert "add service to kv engine"
This reverts commit bfa880535ef7d529d7610936b2c1aae55673d23f.
* update navigation test
* consistently navigate to secret.index route to be explicit
* finish overview navigation tests
* add copyright header
* update delete tests
* fix nav testrs
* cleanup secret edit redirects
* remove redundant async/awaits
* fix create test
* edge case tests
* secret acceptance tests
* final component tests
* rename kvSecretDetails external route to kvSecretOverview
* add comment
* UI: Add patch route and implement Page::Secret::Patch page component (sidebranch) (#28192)
* add tab to each route
* and path route
* add overview tab to tests
* update overview to use updated_time instead of created_time
* redirect relevant secret.details to secret.index
* compute secretState in component instead of pass as arg
* add capabilities service
* add error handling to fetchSubkeys adapter request
* add patch route and put in page component
* add patch secret action to subkeys card
* fix component name
* add patch capability
* alphabetize computed capabilities
* update links, cleanup selectors
* fix more merge conflict stuff
* add capabilities test
* add models to patch link
* add test for patch route
* rename external route
* add error templates
* make notes about enterprise tests, filter one
* remove errors, transition (redirect) instead
* redirect patch routes
* UI: Move fetching secret data to child route (#28198)
* remove @secret from metadata details
* use metadata model instead of secret in paths page
* put delete back into kv/data adapter
* grant access in control group test
* update metadata route and permissions
* remove secret from parent route, only fetch in details route
* change more permissions to route perms, add tests
* revert overview redirect from list view
* wrap model in conditional for perms
* remove redundant canReadCustomMetadata check
* rename adapter method
* handle overview 404
* remove comment
* add customMetadata as an arg
* update grantAccess in test
* make version param easier to follow
* VAULT-30494 handle 404 jira
* refactor capabilities to return an object
* update create tests
* add test for default truthy capabilities
* remove destroy-all-versions from kv/data adapter
* UI: Add enterprise checks (#28215)
* add enterprise check for subkey card
* add max height and scroll to subkey card
* only fetch subkeys if enterprise
* remove check in overview
* add test
* Update ui/tests/integration/components/kv/page/kv-page-overview-test.js
* fix test failures (#28222)
* add assertion
* add optional chaining
* create/delete versioned secret in each module
* wait for transition
* add another waitUntil
* UI: Add patch latest version to toolbar (#28223)
* add patch latest version action to toolbar
* make isPatchAllowed arg all encompassing
* no longer need model check
* use hash so both promises fire at the same time
* add subkeys to policy
* Update ui/lib/kv/addon/routes/secret.js
* add changelog
* small cleanup items! (#28229)
* add conditional for enterprise checking tabs
* cleanup fetchMultiplePaths method
* add test
* remove todo comment, ticket created and design wants to hold off
* keep transition, update comments
* cleanup tests, add index to breadcrumbs
* add some test coverage
* toggle so value is readable
* manual cherry pick to deal with all the merge things
* changelog
* test fixes
* Update 28148.txt
* fix tests failures after main merge
* fix test failures after main merge
* Add Access Type and conditionally render WIF fields (#28149)
* initial work.
* remove access_type
* better no model logic well kind of
* rollback attrs
* remove defaults
* stopping point
* wip changing back to sidebranch
* hustling shuffling and serializing
* some of the component test coverage
* disable acces type if editing
* test coverage
* hide max retries that sneaky bugger
* cleanup
* cleanup
* Update root-config.js
* remove flash message check, locally passes great but on ci flaky
* clean up
* thank you chelsea
* test clean up per enterprise vs community
* address pr comments
* welp a miss add
* UI (sidebranch) WIF Issuer field (#28187)
* Add type declaration files for aws config models
* use updated task syntax for save method on configure-aws
* fix types on edit route
* fetch issuer on configure edit page if aws + enterprise
* track issuer within configure-aws component
* add placeholder support on form-field
* Add warning if issuer changed from previous value or could not be read
* cleanup
* preliminary tests
* dont use while loop so we can test the modal
* tests
* cleanup
* fix tests
* remove extra tracked value and duplicate changed attrs check
* modal footer
---------
Co-authored-by: Angel Garbarino <argarbarino@gmail.com>
* Display issuer on Configuration details (#28209)
* display issuer on configuration details
* workflow complete, now on to testing
* handle issuer things
* fix all the broken tests things
* add test coveragE:
* cleanup
* rename model/adapter
* Update configure-aws.ts
* Update aws-configuration-test.js
* 90 percent there for pr comments
* last one for tonight
* a few more because why not
* hasDirtyAttributes fixes
* revert back to previous noRead->queryIssuerError
---------
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
* initial changes with no test coverage
* test coverage and fixes
* additional edit config test coverage
* clean up
* clean up
* Address pr feedback
* welp missed an await
* missed
* take back
* Update configure-ssh-test.js
* move date-from-now helper to addon
* make overview cards consistent across engines
* make kv-paths-card component
* remove overview margin all together
* small styling changes for paths card
* small selector additions
* add overview card test
* add overview page and test
* add default timestamp format
* cleanup paths test
* fix dateFromNow import
* fix selectors, cleanup pki selectors
* and more selector cleanup
* make deactivated state single arg
* fix template and remove @isDeleted and @isDestroyed
* add test and hide badge unless deactivated
* address failings from changing selectors
* oops, not ready to show overview tab just yet!
* add deletionTime to currentSecret metadata getter
* build kv-patch-editor component
* add tests
* use validator helpers in kv-object-editor
* update class name in version-history
* remove is- from css class
* move whitespace warning and non-string values warning messages to validators util
* break editor component into smaller ones
* fix typo
* add docs
* rename files and move to directory, add tests for new templates
* fix some bugs and add tests!
* fix validation bug and update tests
* capitalize item in helper
* remove comment
* and one more comment change
* initial changes
* test selector and duplicate tests clean up
* check for flashDanger
* rename to make it easier to parse
* clean up selector names
* clean up
* add component test coverage
* remove true
* move files around
* move fetches to config to the configuration.index route
* working... for aws, lots of clean up left
* move error handling to parent route
* standarize configModel param
* add test coverage
* welp a miss for non configurable engines
* pr comments
* remove mirage interrupts and test actual api
* update configuration details test to test for template only things
* api error coverage
* setup the toggle to display mount configuration options
* whew.. getting there. aws only, borked for ssh
* another round, better than before
* masked things
* changelog
* fix broken oss test
* move to component
* handle ssh things and cleanup
* wip test coverage
* test coverage for the component
* copywrite header miss
* update no model error
* setup configuration aws acceptance tests
* update CONFIURABLE_SECRET_ENGINES
* acceptance tests for aws
* ssh configuration
* clean up
* remove comment
* move to confirm model before destructuring
* pr comments
* fix check for ssh config error
* add message check in api error test
* pr comments
* move non user facing changes to another pr
* remove non-relevant test coverage
* address pr fixes
* Update mountable-secret-engines.js
* Update secrets-engine-mount-config.ts
* clean up
* put back console because of tests and use debug instead
* missed one
* blah fix
* move pageheader to route template
* remove title assertions because no longer reliant on isNew logic
* change @model to this.model
* remove test selectors
* add keys base breadcrumb
* update assertion count
* Create date-range component with tests
* update selectors and callback behavior
* update cc tests & selectors
* cleanup
* RIP calendar-widget and date-dropdown -- you were good components
* reset on close
* Add changelog
* use parseApiTimestamp
* fix test
* cleanup
* make date-range typescript, update behavior
* add words
* minor styling
* fix test
* yield all overview card actions
* yield remaining overview card content to the correct block
* close overview card in test
* fix typo
* fix route typo, add selectors where needed
* fix class typo add one more selector
