Initial version of an internal plugin interface for event subscription plugins,
and an AWS SQS plugin as an example.
Co-authored-by: Tom Proctor <tomhjp@users.noreply.github.com>
* Base Binary Cert and CSR Parse functions.
* Add otherSANS parsing.
* Notate what doesn't exist on a CSR.
* Fix otherSans call err-checking and add basic-constriants to CSR
* Move BasicConstraint parsing to be optionally set.
* Refactored to use existing ParseBasicConstraintsExtension.
* Add handling for the ChangeSubjectName ext on CSR that is needed for EST
* Remove ChangeSubjectName - it's an attribute, not an extension, and there is no clean way to parse it, so pair down for now.
* Make these public methods, so they can be used in vault.
* Add unit tests for certutil.ParseCertificateToCreationParameters.
Also add unit tests for certutil.ParseCertificateToFields.
* Cleanup TestParseCertificate.
* Add unit tests for certutil.ParseCsrToCreationParameters and ParseCsrToFields.
* Fix return values for "add_basic_constraints" in certutil.ParseCsrToFields.
Add a test for parsing CSRs where "add_basic_constraints" is false.
* Clear up some todos.
* Add a test for certutil.ParseCertificateToCreationParameters for non-CA cert.
* Tweak TestParseCertificate/full_non_CA_cert.
* Basics of three remaining fields - keyUsage; extKeyUsage; PolicyIdentifiers
* Fix tests and err handling
* Add unit tests for policy_identifiers; ext_key_usage_oids; key_usage
* Add test on ext_key_usage_oids
* Remove duplicate usages elsewhere.
* Add error handling to csr-checks.
* Remove extranames on returned types.
* Remove useless function.
---------
Co-authored-by: Victor Rodriguez <vrizo@hashicorp.com>
This PR introduces a new testonly endpoint for introspecting the
RequestLimiter state. It makes use of the endpoint to verify that changes to
the request_limiter config are honored across reload.
In the future, we may choose to make the sys/internal/request-limiter/status
endpoint available in normal binaries, but this is an expedient way to expose
the status for testing without having to rush the design.
In order to re-use as much of the existing command package utility funcionality
as possible without introducing sprawling code changes, I introduced a new
server_util.go and exported some fields via accessors.
The tests shook out a couple of bugs (including a deadlock and lack of
locking around the core limiterRegistry state).
* adds plugin identity token to secrets CLI for enable and tune
* adds plugin identity token to auth CLI for enable and tune
* adds field to mount config input and output
* adds changelog
* fix tests
* fix another test
I have an upcoming PR for event notifications that needs similar
exponential backoff logic, and I prefer the API and logic in the
auto-auth exponential backoff rather than that of
github.com/cenkalti/backoff/v3.
This does have a small behavior change: the auto-auth min backoff
will now be randomly reduced by up to 25% on the first call. This is
a desirable property to avoid thundering herd problems, where a bunch
of agents won't all try have the same retry timeout.
* VAULT-21427 change ui references from K/V to KV
* references in docs/
* website json data
* go command errors
* replace Key/Value with Key Value
* add changelog
* update test
* update secret list header badge
* two more test updates
* release log gate if disable-gated-logs flag is set
* CL
* Update changelog/24280.txt
Co-authored-by: Josh Black <raskchanky@gmail.com>
---------
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>
Co-authored-by: Josh Black <raskchanky@gmail.com>
It is not sufficient to check that function setSeal in server.go does not return
an "unwrap seal". For migrations away from a Shamir seal, NewCore constructor
sets up an unwrap seal by calling method adjustForSealMigration.
Factor out new method checkForSealMigration out of adjustForSealMigration so
that NewCore can verify that there won't be a migration when returning early due
to running in recovery mode.
* Refactor plugin catalog into its own package
* Fix some unnecessarily slow tests due to accidentally running multiple plugin processes
* Clean up MakeTestPluginDir helper
* Move getBackendVersion tests to plugin catalog package
* Use corehelpers.MakeTestPlugin consistently
* Fix semgrep failure: check for nil value from logical.Storage
With the introduction of the Seal High Availability feature, the presence of
multiple seals in configuration does not necessarily mean that the configuration
entails a seal migration.
Instead of checking for multiple seals, check for the presence on an "unwrap"
seal, which is only used for seal migrations.
@mitchellh suggested we fork `cli` and switch to that.
Since we primarily use the interfaces in `cli`, and the new
fork has not changed those, this is (mostly) a drop-in replacement.
A small fix will be necessary for Vault Enterprise, I believe.
* fix -log-file so that it uses the correct name and only adds timestamps on rotation
* added some tests for naming/rotation
* changelog
* revert to previous way of getting created time
* remove unused stat
* comment shuffle
* Update changelog/24297.txt
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* Update website/content/docs/agent-and-proxy/agent/index.mdx
Update 'agent' docs page
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/agent-and-proxy/proxy/index.mdx
Update 'proxy' docs page
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* Update website/content/docs/commands/server.mdx
Update 'server' docs page
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* fix typos
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
* reload seals on SIGHUP
* add lock in SetSeals
* move lock
* use stubmaker and change wrapper finalize call
* change finalize logic so that old seals will be finalized after new seals are configured
* add changelog
* run make fmt
* fix fmt
* fix panic when reloading seals errors out
* Fix non-JSON log messages when using -log-format JSON
Removed the call to consul-template's logging.Setup inside the created of config for the Runner. Instead we call it when we assign the logger to the Agent command.
* The elusive extra line
* Adjust the approach
* changelog
* Infer levels *with* timestamp prefix
* InferLeveslWithTimestamp required InferLevels
* Test to show -log-format and -log-file working in consul-template generated messages
* classic typo
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* Stop supporting vault plugin info and deregister without a type argument
* Make a best-effort attempt to report whether a plugin was actually deregistered and give more descriptive errors
* Fix error message for vault plugin reload
* Pulls in github.com/go-secure-stdlib/plugincontainer@v0.3.0 which exposes a new `Config.Rootless` option to opt in to extra container configuration options that allow establishing communication with a non-root plugin within a rootless container runtime.
* Adds a new "rootless" option for plugin runtimes, so Vault needs to be explicitly told whether the container runtime on the machine is rootless or not. It defaults to false as rootless installs are not the default.
* Updates `run_config.go` to use the new option when the plugin runtime is rootless.
* Adds new `-rootless` flag to `vault plugin runtime register`, and `rootless` API option to the register API.
* Adds rootless Docker installation to CI to support tests for the new functionality.
* Minor test refactor to minimise the number of test Vault cores that need to be made for the external plugin container tests.
* Documentation for the new rootless configuration and the new (reduced) set of restrictions for plugin containers.
* As well as adding rootless support, we've decided to drop explicit support for podman for now, but there's no barrier other than support burden to adding it back again in future so it will depend on demand.
* wip
* Work on the tuneable allowance and some bugs
* Call handleCancellableRequest instead, which gets the audit order more correct and includes the preauth response
* Get rid of no longer needed operation
* Phew, this wasn't necessary
* Add auth error handling by the backend, and fix a bug with handleInvalidCredentials
* Cleanup req/resp naming
* Use the new form, and data
* Discovered that tokens werent really being checked because isLoginRequest returns true for the re-request into the backend, when it shouldnt
* Add a few more checks in the delegated request handler for bad inputs
- Protect the delegated handler from bad inputs from the backend such
as an empty accessor, a path that isn't registered as a login request
- Add similar protections for bad auth results as we do in the normal
login request paths. Technically not 100% needed but if somehow the
handleCancelableRequest doesn't use the handleLoginRequest code path
we could get into trouble in the future
- Add delegated-auth-accessors flag to the secrets tune command and
api-docs
* Unit tests and some small fixes
* Remove transit preauth test, rely on unit tests
* Cleanup and add a little more commentary in tests
* Fix typos, add another failure use-case which we reference a disabled auth mount
* PR Feedback
- Use router to lookup mount instead of defining a new lookup method
- Enforce auth table types and namespace when mount is found
- Define a type alias for the handleInvalidCreds
- Fix typos/grammar
- Clean up globals in test
* Additional PR feedback
- Add test for delegated auth handler
- Force batch token usage
- Add a test to validate failures if a non-batch token is used
- Check for Data member being nil in test cases
* Update failure error message around requiring batch tokens
* Trap MFA requests
* Reword some error messages
* Add test and fixes for delegated response wrapping
* Move MFA test to dedicated mount
- If the delegated auth tests were running in parallel, the MFA test
case might influence the other tests, so move the MFA to a dedicated
mount
* PR feedback: use textproto.CanonicalMIMEHeaderKey
- Change the X-Vault-Wrap-Ttl constant to X-Vault-Wrap-TTL
and use textproto.CanonicalMIMEHeaderKey to format it
within the delete call.
- This protects the code around changes of the constant typing
* PR feedback
- Append Error to RequestDelegatedAuth
- Force error interface impl through explicit nil var assignment on
RequestDelegatedAuthError
- Clean up test factory and leverage NewTestSoloCluster
- Leverage newer maps.Clone as this is 1.16 only
---------
Co-authored-by: Scott G. Miller <smiller@hashicorp.com>
- Instead of relying on the initial call to import to generate the
wrapping key, generate it within the test setup with a longer
dedicated timeout.
- This hopefully is enough of a timeout for the 32 bit nightly runner
* VAULT-19239 create disable static secret caching config
* VAULT-19239 missed file
* VAULT-19239 didn't finish a log line
* VAULT-19239 adjust test to use new option
* Fix typo
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
---------
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* add vault operator inspect command
* tidy
* add tests
* add changelog
* Update command/operator_raft_snapshot_inspect.go
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update command/operator_raft_snapshot_inspect.go
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update command/operator_raft_snapshot_inspect.go
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update command/operator_raft_snapshot_inspect.go
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update command/operator_raft_snapshot_inspect.go
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* remove test.snapshot file and create snapshot during test
* fix help text and add custom format flag
* Update changelog/23457.txt
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* add check that kvdepth is not less than zero
* remove kvprefix from flag names
* set details flag to default to true
* remove total size, we don't use it
* fix test that referenced old flag names
* add size calculations
* return all keys if depth set to 0
* Update command/operator_raft_snapshot_inspect.go
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update command/operator_raft_snapshot_inspect.go
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
* Update command/operator_raft_snapshot_inspect.go
* revert go.mod
* update comment on temp file
* update comment on closing writer
* remove temporary file, and process state.bin in memory
* return metadata like info
* remove unnused function
* remove ReadSnapshot func, and unnecessary goroutine
* remove handler, and zero values
* move defer, and return error instead of logging
* add subcommand doc
* remove -format flag
* remove comments
* change copy to copyN
* remove formatters
* remove formatters
* remove duplicate check
* fix error checks
* remove unused consts
---------
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
