* add gosimport to make fmt and run it
* move installation to tools.sh
* correct weird spacing issue
* Update Makefile
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* fix a weird issue
---------
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* auth/aws: fix panic in IAM-based login when client config doesn't exist
* add changelog
* adds known issue for 1.15.0
* fixes up known issue with workaround
* fix link
* maintain behavior of client config not needing to exist for IAM login
* update changelog
* Support GET requests for aws-iam
This is required to support presigned requests from aws-sdk-go-v2
* Add GET method tests for aws-iam auth login path
* Update Website Documenation
* Validate GET action even if iam-server header is not set
* Combine URL checks
* Add const amzSignedHeaders to aws credential builtin
* Add test for multiple GET request actions
* Add Changelog Entry
---------
Co-authored-by: Max Coulombe <109547106+maxcoulombe@users.noreply.github.com>
* Adding explicit MPL license for sub-package.
This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.
* Adding explicit MPL license for sub-package.
This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository.
* Updating the license from MPL to Business Source License.
Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl.
* add missing license headers
* Update copyright file headers to BUS-1.1
* Fix test that expected exact offset on hcl file
---------
Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com>
Co-authored-by: Sarah Thompson <sthompson@hashicorp.com>
Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
* Replace all time.ParseDurations with testutil.ParseDurationSeconds
* Changelog
* Import formatting
* Import formatting
* Import formatting
* Import formatting
* Semgrep rule that runs as part of CI
* remove intercepting helpText
* add subtext directly to StringList input component
* update tests and add coverage for new openapi-attrs util
* update test
* add warning validation to input
* lol is this right i dont know go
* literally no idea what im doing
* add Description to display attrs struct
* update struct comment
* add descriptions to remaining go fields
* add missing comma
* remaining commas..."
* add description to display attrs
* update tests
* update tests
* add changelog;
* Update ui/app/utils/openapi-to-attrs.js
* update tests following backend changes
* clearly name variable
* format files
* no longer need to test for modified tooltip since coming from backend now
* plugin/auth: enable multiplexing
- the plugin will be multiplexed when run as an external plugin
by vault versions that support secrets/auth plugin multiplexing (> 1.12)
- we continue to set the TLSProviderFunc to maintain backwards
compatibility with vault versions that don't support AutoMTLS (< 1.12)
* enable multiplexing for secrets engines
* add changelog
* revert call to ServeMultiplex for pki and transit
* Revert "revert call to ServeMultiplex for pki and transit"
This reverts commit 755be28d14b4c4c4d884d3cf4d2ec003dda579b9.
This was not copied over when the this code was
copied in https://github.com/hashicorp/vault/pull/12340.
Also adds a stub for the `.copywrite.hcl` file (for when
Vault is onboarded to Copywrite) and adds the `pkcs7` and
`ui/node_modules` to the ignore pattern.
Bad news: the hot patch we were using breaks in Go 1.19.4: 6109c07ec4
Good news: we can now patch with an environment variable at runtime.
Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
Remove SHA1 for certs in prep for Go 1.18
* Remove certs with SHA1 from tests
* Use default SHA-256 with PKCS7 in AWS
* Update SHA1 deprecation note
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Update AWS auth method certificates
Add tests that the `rsa2048` document can also be verified using the
`pkcs7` field for AWS auth.
Due to the use of SHA-1-based signatures for the `identity` and `pkcs7`
methods, we want to encourage moving toward using the RSA 2048 workflow,
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-rsa2048.html
This doesn't require code changes for Vault necessarily, but adding in
the (many) certificates will help end users.
Also adds `rsa2048` option to API to fetch the RSA 2048 signature.
I will make a PR to update to the AWS auth docs to document the RSA 2048
flow soon after this.
* Fix pkcs7 parsing in some cases
brings in https://github.com/mozilla-services/pkcs7/pull/61 from upstream
In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```
This fixes logins on those instances. Note we could not readily ascertain why
some instances have those certificates and others don't.
* Add changelog entry
* Correct missed line
Unlike the other libraries that were migrated, there are no usages of
this lib in any of our plugins, and the only other known usage was in
go-kms-wrapping, which has been updated. Aliasing it like the other libs
would still keep the aws-sdk-go dep in the sdk module because of the
function signatures. So I've simply removed it entirely here.
* fix: cap token TTL at login time based on default lease TTL
* add changelog file
* patch: update warning messages to not include 'at login'
* patch: remove default lease capping and test
* update changelog
* patch: revert warning message
