* Docs: New parameter for the K8s Secrets roles
* Fix: Apply text correction from review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>
* allows use of pre-hashed passwords with userpass backend
* Remove unneeded error
* Single error check after switch
* use param name quoted in error message
* updated test for quoted param in error
* white space fixes for markdown doc
* More whitespace fixes
* added changelog
* Password/pre-hashed password are only required on 'create' operation
* docs indentation
* Update website/content/docs/auth/userpass.mdx
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Updated docs
* Check length of hash too
* Update builtin/credential/userpass/path_user_password_test.go
:)
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* PKI EST docs
Initial draft of the PKI EST setup and API docs for feedback
* Add missing enable_sentinel_parsing param to API docs
* Update grammar
* Some API doc feedback
* Note about dedicated auth mounts
* Additional PR feedback
---------
Co-authored-by: Scott G. Miller <smiller@hashicorp.com>
* Add note around OCSP GET request issue
- Fix some broken TOC links
- Add a note in the api-docs and in the considerations page
around Vault having issues with OCSP GET requests and that
POST requests should be preferred.
- Add existing known issue to all branches that are affected.
* Fix links to partial file for 1.12 and 1.13 upgrade docs
* Add new /sys/well-known interface to get information about registered labels
- Add two new interfaces LIST/GET /sys/well-known which will provide
a list of keys which are registered labels within the /.well-known space on
the local server, along with a detailed info map for each
- Add GET /sys/well-known/<label> to get details on a specific registered label
- Add docs and tests for the new api endpoints
* Add test doc and remove copied comment
* Rename returned fields to use snake case
* Remove extra newline added when resolving the merge conflict
* Apply suggestions from code review
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
---------
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* remove uiCustomMessagePaths from System backend paths
* adjust documentation
* grammar improvements in docs
* add ENT badge to custom-message api docs page in ToC
* Cache trusted cert values, invalidating when anything changes
* rename to something more indicative
* defer
* changelog
* Use an LRU cache rather than a static map so we can't use too much memory. Add docs, unit tests
* Don't add to cache if disabled. But this races if just a bool, so make the disabled an atomic
* api documentation changes
* document management endpoints
* add new website page to the navigation
* include explanation message retrieval from namespaces up to root namespace
* added clarification statement to the create and update operations documentation
* fixed inconsistency in sample request
* Apply suggestions from code review
Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>
---------
Co-authored-by: Jonathan Frappier <92055993+jonathanfrappier@users.noreply.github.com>
* Update audit.mdx
Per the discussion here: https://hashicorp.enterprise.slack.com/archives/CPEPB6WRL/p1656678311708759
This parameter does not apply to DR replication.
This document should specify that the `local` parameter only applies to performance replication because even with this enabled the audit device configuration is still replicated to a DR cluster. This is also the expected and desired behavior.
* Fixed typos
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* VAULT-21427 change ui references from K/V to KV
* references in docs/
* website json data
* go command errors
* replace Key/Value with Key Value
* add changelog
* update test
* update secret list header badge
* two more test updates
- Noticed that our documentation was out of date, we allow 8192
bit RSA keys to be used as an argument to the various PKI
issuer/key creation APIs.
- Augument some unit tests to verify this continues to work
* Pulls in github.com/go-secure-stdlib/plugincontainer@v0.3.0 which exposes a new `Config.Rootless` option to opt in to extra container configuration options that allow establishing communication with a non-root plugin within a rootless container runtime.
* Adds a new "rootless" option for plugin runtimes, so Vault needs to be explicitly told whether the container runtime on the machine is rootless or not. It defaults to false as rootless installs are not the default.
* Updates `run_config.go` to use the new option when the plugin runtime is rootless.
* Adds new `-rootless` flag to `vault plugin runtime register`, and `rootless` API option to the register API.
* Adds rootless Docker installation to CI to support tests for the new functionality.
* Minor test refactor to minimise the number of test Vault cores that need to be made for the external plugin container tests.
* Documentation for the new rootless configuration and the new (reduced) set of restrictions for plugin containers.
* As well as adding rootless support, we've decided to drop explicit support for podman for now, but there's no barrier other than support burden to adding it back again in future so it will depend on demand.
* wip
* Work on the tuneable allowance and some bugs
* Call handleCancellableRequest instead, which gets the audit order more correct and includes the preauth response
* Get rid of no longer needed operation
* Phew, this wasn't necessary
* Add auth error handling by the backend, and fix a bug with handleInvalidCredentials
* Cleanup req/resp naming
* Use the new form, and data
* Discovered that tokens werent really being checked because isLoginRequest returns true for the re-request into the backend, when it shouldnt
* Add a few more checks in the delegated request handler for bad inputs
- Protect the delegated handler from bad inputs from the backend such
as an empty accessor, a path that isn't registered as a login request
- Add similar protections for bad auth results as we do in the normal
login request paths. Technically not 100% needed but if somehow the
handleCancelableRequest doesn't use the handleLoginRequest code path
we could get into trouble in the future
- Add delegated-auth-accessors flag to the secrets tune command and
api-docs
* Unit tests and some small fixes
* Remove transit preauth test, rely on unit tests
* Cleanup and add a little more commentary in tests
* Fix typos, add another failure use-case which we reference a disabled auth mount
* PR Feedback
- Use router to lookup mount instead of defining a new lookup method
- Enforce auth table types and namespace when mount is found
- Define a type alias for the handleInvalidCreds
- Fix typos/grammar
- Clean up globals in test
* Additional PR feedback
- Add test for delegated auth handler
- Force batch token usage
- Add a test to validate failures if a non-batch token is used
- Check for Data member being nil in test cases
* Update failure error message around requiring batch tokens
* Trap MFA requests
* Reword some error messages
* Add test and fixes for delegated response wrapping
* Move MFA test to dedicated mount
- If the delegated auth tests were running in parallel, the MFA test
case might influence the other tests, so move the MFA to a dedicated
mount
* PR feedback: use textproto.CanonicalMIMEHeaderKey
- Change the X-Vault-Wrap-Ttl constant to X-Vault-Wrap-TTL
and use textproto.CanonicalMIMEHeaderKey to format it
within the delete call.
- This protects the code around changes of the constant typing
* PR feedback
- Append Error to RequestDelegatedAuth
- Force error interface impl through explicit nil var assignment on
RequestDelegatedAuthError
- Clean up test factory and leverage NewTestSoloCluster
- Leverage newer maps.Clone as this is 1.16 only
---------
Co-authored-by: Scott G. Miller <smiller@hashicorp.com>
