Refactor our connection checking into a new LDAP module that is capable
of running a search and waiting for success. We now call this module
while setting up the integration host and before enabling the LDAP
secrets engine.
We also fix two race conditions in the Agent and HA Seal scenarios where
we might attempt to verify and/or test LDAP before the integration host
has been set up.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: LT Carbonell <lt.carbonell@hashicorp.com>
* wip
* crud and internal lookups working
* worked with bob on tests
* add and fix some tests
* update logical identity protobuf
* pass in empty issuer via scim and add test
* tidy tests and address linter
* VAULT-42443 Update alias API for external JWT entity binding
* test cleanup
* changes
* changelog
* update fix
* address feedback
* whoopsie
* fix stubs
* namespace guarding, more test
* further fix
* Fixes
* I'm dumb
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
Co-authored-by: davidadeleon <ddeleon@hashicorp.com>
* vault: lazily materialize external tokens
Implement stub-first auth flow to avoid token-store writes on read-only requests, materialize only on lease registration, cache materialized token IDs by fingerprint, and add coverage for standby/leader materialization behavior.
* vault: align lazy JWT materialization with main
Adjust standby materialization behavior to main branch APIs, keep lease-time forwarding conversion, and update enterprise tests to match current standby error paths.
* vault: align jwt lazy materialization follow-ups
Apply naming and test-practice follow-ups, document cache-size rationale, simplify stub-use gating, and add external JWT e2e/benchmark coverage that measures raft writes for passthrough vs leased flows.
* vault: sanitize jwt lazy materialization logs
* vault: move jwt stub audit labels to ent
* vault: keep ent token type in audit logs
Remove audit token_type override and jwt_stub audit labeling so enterprise JWT tokens are consistently reported as ent while preserving existing request handling behavior.
* vault: rename unpersisted JWT token state
Rename IsStub/JwtStub to IsUnpersisted/JwtUnpersisted and switch serialized key to jwt_unpersisted for clearer storage semantics.
* vault: use storage-backed JWT token naming
Rename JWT token persistence marker to IsStorageBacked/JwtStorageBacked and clarify docs that passthrough JWT requests may never write token state to storage.
* vault: address jwt token materialization regressions
Fix storage-backed checks for non-ent tokens, materialize JWTs for lookup endpoints, and add lookup-self regression coverage.
* vault: thread perf standby state into jwt materialization
Pass perf standby state through materializeEnterpriseTokenForLease call sites to avoid unsynchronized state reads in request handling paths.
* test: harden flaky enterprise timing checks
Increase timing tolerance in flaky CI tests without changing runtime behavior.
* test: document CI timing tolerance in flaky tests
Add comments clarifying widened waits are for CI scheduling jitter and asynchronous convergence, not behavior changes.
* vault: remove sensitive token logging
Drop clear-text token value from SSC token MAC mismatch debug logging and keep census test unchanged per request.
* vault: tighten request logging for security scan
Remove remaining error-derived logging fields in request handling token/JWT revoke paths to satisfy clear-text sensitive logging findings.
* vault: use typed no-rpc-client errors
Replace string-based no-rpc-client error matching with a dedicated error type and update perf-standby callsites to return it.
* test: harden perf-standby billing race assertions
Allow early active-node counts up to the number of standby operations before the eventual RPC delivery assertion, to avoid race-only CI flakes without changing behavior.
* revert: undo billing test race assertion changes
Revert the prior billing test hardening commit per user request to keep billing tests unchanged in PR #12909.
* vault: restore fetchCeilingPolicies after rebase
Re-add the enterprise fetchCeilingPolicies method from main that was dropped during rebase conflict resolution, fixing build failure in request_handling.go.
* vault: materialize JWT tokens for cubbyhole requests
Ensure enterprise JWT tokens are materialized for cubbyhole paths in addition to token lookup endpoints, preserving expected persisted token-entry behavior for cubbyhole-backed request flows and token-entry JWT tests.
* vault: restore JWT token headers on perf-standby forward
* tests: fix jwt passthrough profile setup
* vault: clarify forwarding helper docs
* vault: cover jwt standby token endpoint behavior
* vault: remove enterprise JWT wording in comments
* vault: preserve materialized token request identity
* vault: stabilize external JWT readonly raft assertion
* vault: address PR 12909 review feedback
* tests: remove redundant NewTestCluster lifecycle calls
* vault: sanitize request handling token error logs
* vault: remove sensitive error fields in ent token cleanup logs
* vault: restore IsJWT wording
* vault: migrate jwt materialization tests to NewTestCluster
* tests: skip external jwt benchmark in CI
* Run make fmt
* Address PR review feedback
* Remove benchmark CI skip
* Move JWT materialization tests to external suite
---------
Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Update config.go
* added validation and parsing
* tests
* move pki external config structs and validation into separate file
* update copywrite
* update configuration
* updates
* Moved tests to pki_external_config.go, comments, refactoring
* refactor
* add tests
* linter fix
* Consolidate to table tests
* consolidate to table tests
* remove APIVersion from PKIExternalCA
* added comments for explaining each struct
* Added ParsePKIExternalCA Test
* Update tests
* Added remaining constraints
* Added destination.template field
* changes
* Added validateListenerAddr
* refactor
* more comments
* changes
* Check for duplicates across blocks
* Make RSA bits a required field
* moved template to the top level
* added comment for test explanation
* move template to the top level
* Move pki config into pkiexternalca directory
* fix linting error
* move pkiconfig back into config folder
* fix failing unit tests
* added comments
* update to preserve order of templatePKIExternalCARefs
* Added comment descriptions for each struct member
* update to include warning
* bring in warning logger from upstream into the pki config parser
* Set default umask to 077
* added comments to each field in agent config
* execute tests in parallel
* combine tests into Validate
* Use assertion error func for tests
* assert error strings
* Removed warning for now
* removed normalization on values during validation
* added tests to ensure that user values are not overridden
* remove testparse
* Update command/agent/config/config.go
* change improvement to feature in changelog
* updated to add line number in error
* Added _ent suffix to files
* Implement CA manager for ACME-based workflows (#12827)
* Implement CA manager for ACME-based workflows
* refactor tests into table tests
* update with suggestions
* format
* fix challenge cleanup
* make fmt
* update with suggestions
* add _ent + build flags
* Add a runtime component for pkiexternalca (#12838)
* Implement CA manager for ACME-based workflows
* Add a runtime component for pkiexternalca
* make fmt
* refactor tests into table tests
* update with suggestions
* format
* fix challenge cleanup
* make fmt
* update with suggestions
* update with suggestions
* add _ent + build flags
* fix linters
* delete duplicate files
* fix changelog
* rename test files
* fix linter
* try to bypass false positive linter err
* fix
* Rename file
* fix linter
* fix linter
* remove go:build enterprise comments from _ent files
* update order statuses to use kebab case + fix scanner failures
* add missing order status
* Template Integration For pki_external_ca resources (#13069)
* Implement CA manager for ACME-based workflows
* Add a runtime component for pkiexternalca
* make fmt
* refactor tests into table tests
* update with suggestions
* initial commit
* fix test failure
* changes
* remove logger check
* remove redundant config by name check
* convert to table tests
* added comments
* updates
* Fix tests
* fix nil pointer issue
* move changes to _ent files
* remove ce duplicate files
* updates
* update template.go
* added changelog.txt
* create template_pem_ent_test.go
* added comment explanation
* update ca_manager_ent.go
* update changelog
* separate ce stubs into server_ce.go and common code into server.go
* Moved helper functions to bottom of test file. Added godocs.
* Make pkiExternalCA name required in template
* remove go:build enterprise comments from _ent files
* rename to template_pem_ent
* include ent tag in server_ent.go
* remove enterprise tag comment from server_ent.go
* create pki_external_config_ce.go
* update template_pem_ent_integration_test.go
* rename integration test
---------
Co-authored-by: Jaired Jawed <jaired.jawed@hashicorp.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Zlaticanin <60530402+Zlaticanin@users.noreply.github.com>
Co-authored-by: Milena Zlaticanin <Milena.Zlaticanin@ibm.com>
During Vault upgrades to version 1.19.x, customers encountered failures when restoring entities, groups, and aliases from storage. The issue manifested as errors indicating that an alias was already tied to a different entity, preventing successful cluster startup and unseal.
My investigation revealed a complex data integrity issue involving corrupted entity aliases. Multiple alias instances existed with identical identifying factors (namespace, mount accessor, and name) but different alias IDs and different `merged_from_canonical_ids` values. Some aliases referenced entity IDs that no longer existed in storage (orphaned references from previous entity merges). And we even saw duplicate instances of the same aliases in the entity.
During entity restoration, the system would come across the dangling alias and persist it (because it couldn't be found by factors), then encounter valid aliases for the same mount/name combination but fail because the lookup by factors matched the already-persisted dangling alias.
This corruption likely originated from bugs in older Vault versions where entity merging didn't properly clean up all alias references.
Before my changes, when loading entities during upgrade or unseal, Vault would fail immediately upon detecting alias conflicts. No attempt was made to repair corrupted entity state, and clusters could not successfully unseal.
Now we automatically detect and attempt to repair corrupted entities. We check for nil aliases, dangling aliases (pointing to non-existent entities), and duplicate alias instances (same alias ID appearing multiple times).
When repairing, we remove any nil aliases from the entity, re-associate dangling aliases to the correct entity, rename dangling duplicate aliases to prevent them from becoming the canonical source during reload, and remove duplicate instances of the same alias.
NOTE: This code does not modify how we handle same-case alias duplicates. Customers will still need to resolve those after startup by deleting or merging the aliases before activating the identity de-duplication flag.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
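The repair steps described in the commit message above, modelled as an added Go example. This is illustrative code written for this page, not Vault's identity store implementation: the Alias and Entity types, the RepairEntity function, the "(dangling <id>)" rename suffix, and the sample data in SampleEntity are all assumptions. It shows the four checks (nil aliases, dangling aliases re-associated or renamed when their factors collide with a healthy alias, and duplicate alias IDs dropped) and why a second pass over a repaired entity is a no-op.

```go
package main

import "fmt"

// Alias is an illustrative stand-in for an identity alias record. The field
// set is an assumption for this example, not Vault's own identity types.
type Alias struct {
	ID            string
	Namespace     string
	MountAccessor string
	Name          string
	CanonicalID   string // entity ID the alias claims to belong to
}

// Entity holds the aliases loaded for one entity during restoration.
type Entity struct {
	ID      string
	Aliases []*Alias
}

// RepairReport counts what each repair step touched.
type RepairReport struct {
	NilRemoved        int
	DanglingReassoc   int
	DanglingRenamed   int
	DuplicatesRemoved int
}

// factorKey is the (namespace, mount accessor, name) tuple that identifies an
// alias independently of its ID; it is what lookup-by-factors matches on.
func factorKey(a *Alias) string {
	return a.Namespace + "\x00" + a.MountAccessor + "\x00" + a.Name
}

// RepairEntity drops nil entries, treats aliases whose CanonicalID is not in
// knownEntities as dangling (re-associating them to e, or renaming them when
// their factors collide with an alias that already owns those factors, so the
// dangling copy cannot win the lookup-by-factors on reload), and drops any
// second occurrence of the same alias ID.
func RepairEntity(e *Entity, knownEntities map[string]bool) RepairReport {
	var rep RepairReport

	// Factors owned by healthy aliases, so dangling collisions can be detected.
	owned := map[string]bool{}
	for _, a := range e.Aliases {
		if a != nil && knownEntities[a.CanonicalID] {
			owned[factorKey(a)] = true
		}
	}

	seenID := map[string]bool{}
	repaired := make([]*Alias, 0, len(e.Aliases))
	for _, a := range e.Aliases {
		if a == nil {
			rep.NilRemoved++
			continue
		}
		if seenID[a.ID] {
			rep.DuplicatesRemoved++
			continue
		}
		seenID[a.ID] = true

		if !knownEntities[a.CanonicalID] {
			if owned[factorKey(a)] {
				// Another alias already owns these factors: rename the dangling
				// one so it never becomes the canonical match for them.
				a.Name = fmt.Sprintf("%s (dangling %s)", a.Name, a.ID)
				rep.DanglingRenamed++
			} else {
				// First claimant of these factors: re-associate it to this entity
				// and record ownership so later dangling copies get renamed.
				owned[factorKey(a)] = true
				rep.DanglingReassoc++
			}
			a.CanonicalID = e.ID
		}
		repaired = append(repaired, a)
	}
	e.Aliases = repaired
	return rep
}

// SampleEntity builds a constructed entity exhibiting every corruption class:
// a healthy alias, a nil entry, a dangling alias colliding with the healthy
// one, a dangling alias with unique factors, and a duplicate of the first.
func SampleEntity() (*Entity, map[string]bool) {
	known := map[string]bool{"ent-1": true} // "ent-gone" is absent: merged away earlier
	valid := &Alias{ID: "alias-1", Namespace: "root", MountAccessor: "auth_ldap_1", Name: "alice", CanonicalID: "ent-1"}
	e := &Entity{ID: "ent-1", Aliases: []*Alias{
		valid,
		nil,
		{ID: "alias-2", Namespace: "root", MountAccessor: "auth_ldap_1", Name: "alice", CanonicalID: "ent-gone"},
		{ID: "alias-3", Namespace: "root", MountAccessor: "auth_ldap_1", Name: "bob", CanonicalID: "ent-gone"},
		valid,
	}}
	return e, known
}

func main() {
	e, known := SampleEntity()
	fmt.Printf("%+v\n", RepairEntity(e, known))
	for _, a := range e.Aliases {
		fmt.Printf("%s %q -> %s\n", a.ID, a.Name, a.CanonicalID)
	}
}
```

Running it repairs the sample entity down to three aliases, all bound to ent-1, with alias-2 renamed so that alias-1 keeps its factors; running RepairEntity a second time reports nothing touched.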
* removes doctoc, jsdoc-to-markdown and jsonlint packages and removes underscore version override
* removes generate-docs script which uses removed docfy-md script
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
* removing separate hds icon class
* removing duplicate class, adding separate class to handle toolbar link misalignment
Co-authored-by: Dan Rivera <dan.rivera@hashicorp.com>
* Add LDAP secrets engine blackbox tests
* Format
* format
* cleanup environment
* Install ldap-utils in CI for LDAP domain provisioning
* wrap in eventually
* debugging
* fix ip issues
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
* updating verbiage and testing with new listtable replacement
* remove and fix empty state
* cleanup
* rename
Co-authored-by: Dan Rivera <dan.rivera@hashicorp.com>
* adds constants util for wizards and updates service to use WizardId type
* updates wizards to use WIZARD_ID_MAP values
* updates wizard tests to use the service for dismissal
* updates playwright setup to add all wizard ids as dismissed in localStorage
* removes wizard dismissal step from existing playwright tests
* fixes issues accessing owner in beforeEach hooks of namespaces acceptance tests
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>