* add api docs for transform byok endpoints
* add byok description to transform index page
* fix merge conflicts
* remove import_version for FPE
* text edits and add note about convergent tokenization
* add note for convergent tokenization
* Add more notes about issuer revocation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Note BYOC in considerations
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about http access to CRLs, OCSP
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Recommend enabling auto-tidy & crl rebuilding
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing paths to personas
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
- Update the documentation in regards to the private_key_format
argument only controls the behavior of the private_key response field
and does not modify the encoding of the private key within the
pem_bundle.
* Get import correct
* limits, docs
* changelog
* unit tests
* And fix import for hmac unit test
* typo
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
* Update builtin/logical/transit/path_keys.go
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
* Validate key sizes a bit more carefully
* Update sdk/helper/keysutil/policy.go
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
Co-authored-by: Matt Schultz <975680+schultz-is@users.noreply.github.com>
* Add fields 'ttl' and 'num_uses' to SecretID generation.
Add fields 'ttl' and 'num_uses' when generating/obtaining a SecretID.
Rather than just being able to use the Role's SecretID ttl and num uses. #14390
* Add secret_id_num_uses response field to generating SecretID
Add the response field secret_id_num_uses to the endpoints for generating
SecretIDs. Used in testing but also to supply the vendor with this variable.
* Add tests for new ttl and num_uses SecretID generation fields
Add tests to assert the new TTL and NumUses option in the SecretID entry.
Separate test for testing with just parameters vs a -force example.
* Patch up test for ttl and num_uses fields
* Add changelog entry for auth/approle 'ttl' and 'num_uses' fields
* Add fields to API Docs and AppRole Auth Docs example
* Correct error message for failing test on missing field.
Change the error message produced when a test fails due to a missing field.
Previous values did not map to correct fields.
* Remove unnecessary int cast to int "secret_id_num_uses" field.
Unnecessary cast to int where type already is int.
* Move numUses field check to after assignment.
* Remove metadata entry in sample payload to limit change to changes made.
Remove metadata entry in sample payload for custom-secret-id. The metadata was not
changed in the features pull request.
* Bind fields 'ttl' and 'num_uses' to role's configuration.
Rather than implicitly overriding, error when the ttl is lower than and the num
uses higher than the role's configuration. #14390
* Update changelog 14474 with a more detailed description.
More elaborate description for the changelog. Specifying the per-request based fields.
* Elaborate more on the bounds of the 'ttl' and 'num_uses' field.
Specify in both the api-docs and the CLI the limits of the fields.
Specify that the role's configuration is still the leading factor.
* Upper bound ttl with role secret id ttl
Upper bound ttl with role secret id ttl when creating a secret id
Adding test cases for infinite ttl and num uses
Adding test cases for negative ttl and num uses
Validation on infinite ttl and num uses
* Formatting issues. Removed unnecessary newline
* Update documentation for AppRole Secret ID and Role
Changed that TTL is not allowed to be shorter to longer
* Cleanup approle secret ID test and impl
* Define ttl and num_uses in every test
Define ttl and num_uses in every test despite them not being tested.
This is to ensure that no unexpected behaviour comes to mind.
* Rename test RoleSecretID -> RoleSecretIDWithoutFields
* Test secret id generation defaults to Role's config
Test secret id generation defaults to Role's configuration entries.
* Change finit -> finite
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
* Rephrase comments to the correct validation check
* Rephrase role-secret-id option description
* Remove "default" incorrect statement about ttl
* Remove "default" incorrect statement about ttl for custom secret id
* Touch up approle.mdx to align more with path_role documentation
Co-authored-by: Remco Buddelmeijer <r.buddelmeijer@fullstaq.com>
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
* Add path to manually rebuild delta CRLs
The crl/rotate-delta path behaves like crl/rotate, triggering a
cluster-local rebuild of just the delta CRL. This is useful for when
delta CRLs are enabled with a longer-than-desired auto-rebuild period
after some high-profile revocations occur.
In the event delta CRLs are not enabled, this becomes a no-op.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for Delta CRL rebuilding
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update documentation about Delta CRLs
Also fixes a omission in the If-Modified-Since docs to mention that the
response header should probably also be passed through.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow tidy operations to be cancelled
When tidy operations take a long time to execute (and especially when
executing them automatically), having the ability to cancel them becomes
useful to reduce strain on Vault clusters (and let them be rescheduled
at a later time).
To this end, we add the /tidy-cancel write endpoint.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing auto-tidy synopsis / description
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add a pause duration between tidying certificates
By setting pause_duration, operators can have a little control over the
resource utilization of a tidy operation. While the list of certificates
remain in memory throughout the entire operation, a pause is added
between processing certificates and the revocation lock is released.
This allows other operations to occur during this gap and potentially
allows the tidy operation to consume less resources per unit of time
(due to the sleep -- though obviously consumes the same resources over
the time of the operation).
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for cancellation, pause
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add API docs on pause_duration, /tidy-cancel
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add lock releasing around tidy pause
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Reset cancel guard, return errors
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* accommodate salt lengths for RSA PSS
* address feedback
* generalise salt length to an int
* fix error reporting
* Revert "fix error reporting"
This reverts commit 8adfc15fe3303b8fdf9f094ea246945ab1364077.
* fix a faulty check
* check for min/max salt lengths
* stringly-typed HTTP param
* unit tests for sign/verify HTTP requests
also, add marshaling for both SDK and HTTP requests
* randomly sample valid salt length
* add changelog
* add documentation
* VAULT-7707 Add docs around making mass amounts of lease count quotas via automation
* VAULT-7707 Changelog
* VAULT-7707 add word
* VAULT-7707 Update some small wordings
* VAULT-7707 use a real em dash
* Add remove_roots_from_chain flag to sign and issue pki apis
- Add a new flag to allow end-users to control if we return the
root/self-signed CA certificate within the list of certificates in
ca_chain field on issue and sign api calls.
* Add cl
* PR feedback
* Add ability to perform automatic tidy operations
This enables the PKI secrets engine to allow tidy to be started
periodically by the engine itself, avoiding the need for interaction.
This operation is disabled by default (to avoid load on clusters which
don't need tidy to be run) but can be enabled.
In particular, a default tidy configuration is written (via
/config/auto-tidy) which mirrors the options passed to /tidy. Two
additional parameters, enabled and interval, are accepted, allowing
auto-tidy to be enabled or disabled and controlling the interval
(between successful tidy runs) to attempt auto-tidy.
Notably, a manual execution of tidy will delay additional auto-tidy
operations. Status is reported via the existing /tidy-status endpoint.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on auto-tidy
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for auto-tidy
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Prevent race during parallel testing
We modified the RollbackManager's execution window to allow more
faithful testing of the periodicFunc. However, the TestAutoRebuild and
the new TestAutoTidy would then race against each other for modifying
the period and creating their clusters (before resetting to the old
value).
This changeset adds a lock around this, preventing the races.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use tidyStatusLock to gate lastTidy time
This prevents a data race between the periodic func and the execution of
the running tidy.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add read lock around tidyStatus gauges
When reading from tidyStatus for computing gauges, since the underlying
values aren't atomics, we really should be gating these with a read lock
around the status access.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* honor header if-modified-since if present
* pathGetIssuerCRL first version
* check if modified since for CA endpoints
* fix date comparison for CA endpoints
* suggested changes and refactoring
* add writeIssuer to updateDefaultIssuerId and fix error
* Move methods out of storage.go into util.go
For the most part, these take a SC as param, but aren't directly storage
relevant operations. Move them out of storage.go as a result.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use UTC timezone for storage
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Rework path_fetch for better if-modified-since handling
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Invalidate all issuers, CRLs on default write
When the default is updated, access under earlier timestamps will not
work as we're unclear if the timestamp is for this issuer or a previous
issuer. Thus, we need to invalidate the CRL and both issuers involved
(previous, next) by updating their LastModifiedTimes.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for If-Modified-Since
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Correctly invalidate default issuer changes
When the default issuer changes, we'll have to mark the invalidation on
PR secondary clusters, so they know to update their CRL mapping as well.
The swapped issuers will have an updated modification time (which will
eventually replicate down and thus be correct), but the CRL modification
time is cluster-local information and thus won't be replicated.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* make fmt
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor sendNotModifiedResponseIfNecessary
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on if-modified-since
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow generation of up-to-date delta CRLs
While switching to periodic rebuilds of CRLs alleviates the constant
rebuild pressure on Vault during times of high revocation, the CRL
proper becomes stale. One response to this is to switch to OCSP, but not
every system has support for this. Additionally, OCSP usually requires
connectivity and isn't used to augment a pre-distributed CRL (and is
instead used independently).
By generating delta CRLs containing only new revocations, an existing
CRL can be supplemented with newer revocations without requiring Vault
to rebuild all complete CRLs. Admins can periodically fetch the delta
CRL and add it to the existing CRL and applications should be able to
support using serials from both.
Because delta CRLs are emptied when the next complete CRL is rebuilt, it
is important that applications fetch the delta CRL and correlate it to
their complete CRL; if their complete CRL is older than the delta CRL's
extension number, applications MUST fetch the newer complete CRL to
ensure they have a correct combination.
This modifies the revocation process and adds several new configuration
options, controlling whether Delta CRLs are enabled and when we'll
rebuild it.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for delta CRLs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on delta CRLs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Address review feedback: fix several bugs
Thanks Steve!
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Correctly invoke periodic func on active nodes
We need to ensure we read the updated config (in case of OCSP request
handling on standby nodes), but otherwise want to avoid CRL/DeltaCRL
re-building.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor tidy steps into two separate helpers
This refactors the tidy go routine into two separate helpers, making it
clear where the boundaries of each are: variables are passed into these
method and concerns are separated. As more operations are rolled into
tidy, we can continue adding more helpers as appropriate. Additionally,
as we move to make auto-tidy occur, we can use these as points to hook
into periodic tidying.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor revInfo checking to helper
This allows us to validate whether or not a revInfo entry contains a
presently valid issuer, from the existing mapping. Coupled with the
changeset to identify the issuer on revocation, we can begin adding
capabilities to tidy to update this association, decreasing CRL build
time and increasing the performance of OCSP.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor issuer fetching for revocation purposes
Revocation needs to gracefully handle using the old legacy cert bundle,
so fetching issuers (and parsing them) needs to be done slightly
differently than other places. Refactor this from revokeCert into a
common helper that can be used by tidy.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow tidy to associate revoked certs, issuers
When revoking a certificate, we need to associate the issuer that signed
its certificate back to the revInfo entry. Historically this was
performed during CRL building (and still remains so), but when running
without CRL building and with only OCSP, performance will degrade as the
issuer needs to be found each time.
Instead, allow the tidy operation to take over this role, allowing us to
increase the performance of OCSP and CRL in this scenario, by decoupling
issuer identification from CRL building in the ideal case.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for tidy updates
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on new tidy parameter, metrics
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor tidy config into shared struct
Finish adding metrics, status messages about new tidy operation.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add ocsp_expiry configuration field to PKI crl config
- Add a new configurable duration field to the crl configuration to
allow operator control of how long an OCSP response can be cached
for.
- This is useful for how long a server like NGINX/Apache is
allowed to cache the response for OCSP stapling.
- A value of 0 means no one should cache the response.
- Address an issue discovered that we did not upgrade existing crl
configurations properly
* PR feedback
* Allow correct importing of certs without CRL KU
When Vault imports certificates without KU for CRLSign, we shouldn't
provision CRLUsage on the backing issuer; otherwise, we'll attempt to
build CRLs and Go will cause us to err out. This change makes it clear
(at issuer configuration time) that we can't possibly support this
operation and hopefully prevent users from running into the more cryptic
Go error.
Note that this does not apply for OCSP EKU: the EKU exists, per RFC 6960
Section 2.6 OCSP Signature Authority Delegation, to allow delegation of
OCSP signing to a child certificate. This EKU is not necessary on the
issuer itself, and generally assumes issuers are allowed to issue OCSP
responses regardless of KU/EKU.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add docs to clarify issue with import, CRL usage
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update website/content/api-docs/secret/pki.mdx
* Add additional test assertion
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* updated usage example
* Docs: updated examples with base64 - removed herestring for echo instead that's more simple.
* Docs: updated examples with base64 - removed herestring for echo instead that's more simple.
Co-authored-by: Mehdi Ahmadi <aphorise@gmail.com>
* Allow automatic rebuilding of CRLs
When enabled, periodic rebuilding of CRLs will improve PKI mounts in two
way:
1. Reduced load during periods of high (new) revocations, as the CRL
isn't rebuilt after each revocation but instead on a fixed schedule.
2. Ensuring the CRL is never stale as long as the cluster remains up,
by checking for next CRL expiry and regenerating CRLs before that
happens. This may increase cluster load when operators have large
CRLs that they'd prefer to let go stale, rather than regenerating
fresh copies.
In particular, we set a grace period before expiration of CRLs where,
when the periodic function triggers (about once a minute), we check
upcoming CRL expirations and check if we need to rebuild the CRLs.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on periodic rebuilding
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow modification of rollback period for testing
When testing backends that use the periodic func, and specifically,
testing the behavior of that periodic func, waiting for the usual 1m
interval can lead to excessively long test execution. By switching to a
shorter period--strictly for testing--we can make these tests execute
faster.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for auto-rebuilding of CRLs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove non-updating getConfig variant
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Avoid double reload of config
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor existing CRL function to storage getRevocationConfig
* Introduce ocsp_disable config option in config/crl
* Introduce OCSPSigning usage flag on issuer
* Add ocsp-request passthrough within lower layers of Vault
* Add OCSP responder to Vault PKI
* Add API documentation for OCSP
* Add cl
* Revert PKI storage migration modifications for OCSP
* Smaller PR feedback items
- pki.mdx doc update
- parens around logical.go comment to indicate DER encoded request is
related to OCSP and not the snapshots
- Use AllIssuers instead of writing them all out
- Drop zero initialization of crl config's Disable flag if not present
- Upgrade issuer on the fly instead of an initial migration
* Additional clean up backing out the writeRevocationConfig refactoring
* Remove Dirty issuer flag and update comment about not writing upgrade to
storage
* Address PR feedback and return Unknown response when mismatching issuer
* make fmt
* PR Feedback.
* More PR feedback
- Leverage ocsp response constant
- Remove duplicate errors regarding unknown issuers
* Add per-issuer AIA URI information
Per discussion on GitHub with @maxb, this allows issuers to have their
own copy of AIA URIs. Because each issuer has its own URLs (for CA and
CRL access), its necessary to mint their issued certs pointing to the
correct issuer and not to the global default issuer. For anyone using
multiple issuers within a mount, this change allows the issuer to point
back to itself via leaf's AIA info.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on per-issuer AIA info
Also add it to the considerations page as something to watch out for.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for per-issuer AIA information
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor AIA setting on the issuer
This introduces a common helper per Steve's suggestion.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify error messages w.r.t. AIA naming
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify error messages regarding AIA URLs
This clarifies which request parameter the invalid URL is contained
in, disambiguating the sometimes ambiguous usage of AIA, per suggestion
by Max.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Rename getURLs -> getGlobalAIAURLs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Correct AIA acronym expansion word orders
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix bad comment suggesting re-generating roots
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add two entries to URL tests
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow marking issuers as revoked
This allows PKI's issuers to be considered revoked and appear on each
others' CRLs. We disable issuance (via removing the usage) and prohibit
modifying the usage via the regular issuer management interface.
A separate endpoint is necessary because issuers (especially if signed
by a third-party CA using incremental serial numbers) might share a
serial number (e.g., an intermediate under cross-signing might share the
same number as an external root or an unrelated intermediate).
When the next CRL rebuild happens, this issuer will then appear on
others issuers CRLs, if they validate this issuer's certificate.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on revoking issuers
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for issuer revocation semantics
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Notate that CRLs will be rebuilt
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix timestamp field from _utc -> to _rfc3339
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Ensure serial-based accesses shows as revoked
Thanks Kit!
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add warning when revoking default issuer
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* impr(ssh): fix bug with allowed_users_template and add allowed_domains_template field in SSH role configuration, closes#10943
* chore: add changelog entry
* Allow Proof of Possession based revocation
Revocation by proof of possession ensures that we have a private key
matching the (provided or stored) certificate. This allows callers to
revoke certificate they own (as proven by holding the corresponding
private key), without having an admin create innumerable ACLs around
the serial_number parameter for every issuance/user.
We base this on Go TLS stack's verification of certificate<->key
matching, but extend it where applicable to ensure curves match, the
private key is indeed valid, and has the same structure as the
corresponding public key from the certificate.
This endpoint currently is authenticated, allowing operators to disable
the endpoint if it isn't desirable to use, via ACL policies.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify error message on ParseDERKey
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Leave revoke-with-key authenticated
After some discussion, given the potential for DoS (via submitting a lot
of keys/certs to validate, including invalid pairs), it seems best to
leave this as an authenticated endpoint. Presently in Vault, there's no
way to have an authenticated-but-unauthorized path (i.e., one which
bypasses ACL controls), so it is recommended (but not enforced) to make
this endpoint generally available by permissive ACL policies.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add API documentation on PoP
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add acceptance tests for Proof of Possession
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Exercise negative cases in PoP tests
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor serial creation to common helper
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add BYOC revocation to PKI mount
This allows operators to revoke certificates via a PEM blob passed to
Vault. In particular, Vault verifies the signature on the certificate
from an existing issuer within the mount, ensuring that one indeed
issued this certificate. The certificate is then added to storage and
its serial submitted for revocation.
This allows certificates generated with no_store=true to be submitted
for revocation afterwards, given a full copy of the certificate. As a
consequence, all roles can now safely move to no_store=true (if desired
for performance) and revocation can be done on a case-by-case basis.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add docs on BYOC revocation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add PEM length check to BYOC import
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add tests for BYOC
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Guard against legacy CA bundle usage
This prevents usage of the BYOC cert on a hybrid 1.10/1.12 cluster with
an non-upgraded CA issuer bundle.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update internal-ui-mounts.mdx
For sys/internal/ui/mounts:
Make it clear that this endpoint is not only being leveraged on the Web UI, but is also leveraged in other places such as `command/kv_helpers.go` for example. Also update response to standard Vault API response JSON, not just `data` portion of response, and include options data present on KV v2 mounts.
For sys/internal/ui/mounts/:path:
Add initial version of this endpoint family.
* docs(website/content/api-docs/system/internal): backwards compatibility disclaimer
* realign MD table
* restrict response sample to data portion to be in line with other docs
* docs(website/content/api-docs/system/internal): ui/mounts calling mode notes
* Update health.mdx
Added sample request and response for customizing the status code being returned from the sys/health endpoint
* Update website/content/api-docs/system/health.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Add PSS signature support to Vault PKI engine
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use issuer's RevocationSigAlg for CRL signing
We introduce a new parameter on issuers, revocation_signature_algorithm
to control the signature algorithm used during CRL signing. This is
because the SignatureAlgorithm value from the certificate itself is
incorrect for this purpose: a RSA root could sign an ECDSA intermediate
with say, SHA256WithRSA, but when the intermediate goes to sign a CRL,
it must use ECDSAWithSHA256 or equivalent instead of SHA256WithRSA. When
coupled with support for PSS-only keys, allowing the user to set the
signature algorithm value as desired seems like the best approach.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add use_pss, revocation_signature_algorithm docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add PSS to signature role issuance test matrix
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow roots to self-identify revocation alg
When using PSS support with a managed key, sometimes the underlying
device will not support PKCS#1v1.5 signatures. This results in CRL
building failing, unless we update the entry's signature algorithm
prior to building the CRL for the new root.
With a RSA-type key and use_pss=true, we use the signature bits value to
decide which hash function to use for PSS support.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add clearer error message on failed import
When CRL building fails during cert/key import, due to PSS failures,
give a better indication to the user that import succeeded its just CRL
building that failed. This tells them the parameter to adjust on the
issuer and warns that CRL building will fail until this is fixed.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add case insensitive SigAlgo matching
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Convert UsePSS back to regular bool
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor PSS->certTemplate into helper function
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Proper string output on rev_sig_alg display
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Copy root's SignatureAlgorithm for CRL building
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow old certs to be cross-signed
In Vault 1.11, we introduced cross-signing support, but the earlier SKID
field change in Vault 1.10 causes problems: notably, certs created on
older versions of Vault (<=1.9) or outside of Vault (with a different
SKID method) cannot be cross-signed and validated in OpenSSL.
In particular, OpenSSL appears to be unique in requiring a SKID/AKID
match for chain building. If AKID and SKID are present on an otherwise
valid client/parent cert pair and the values are different, OpenSSL will
not build a valid path over those two, whereas most other chain
validation implementations will.
Regardless, to have proper cross-signing support, we really aught to
support copying an SKID. This adds such support to the sign-intermediate
endpoint. Support for the /issue endpoint is not added, as cross-signing
leaf certs isn't generally useful and can accept random SKIDs.
Resolves: #16461
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Address review feedback, fix tests
Also adds a known-answer test using LE R3 CA's SKID.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Address review feedback regarding separators
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* VAULT-6615 Update docs for 1.12 quota changes
* VAULT-6615 Add info about globbing
* VAULT-6615 some small updates for role param
* Update website/content/docs/enterprise/lease-count-quotas.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/lease-count-quotas.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* identity/oidc: allow filtering the list providers response by an allowed_client_id
* adds changelog
* adds api documentation
* use identity store view in list provider test
* Correct the Transit HMAC key source in docs
* Update website/content/api-docs/secret/transit.mdx
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Alexander Scheel <alex.scheel@hashicorp.com>
* docs(#16222): add documentation for changes in PR hashicorp/vault-plugin-secrets-kubernetes#10
* docs(#16222): add changelog entry
* docs(#16222): improve documentation to make the use case of setting both allowed_kubernetes_namespaces and allowed_kubernetes_namespace_selector parameters for role configuration
* pki: When a role sets key_type to any ignore key_bits value when signing
- Bypass the validation for the role's key_bits value when signing CSRs
if the key_type is set to any. We still validate the key is at least
2048 for RSA backed CSRs as we did in 1.9.x and lower.
- Make the dev quick start link readily available on the client library documentation page
- Move the full code samples to the top of the dev quickstart page so that they're easily accessible.
- Update the api/readme to have a link to the dev quickstart
* add func to set level for specific logger
* add endpoints to modify log level
* initialize base logger with IndependentLevels
* test to ensure other loggers remain unchanged
* add DELETE loggers endpoints to revert back to config
* add API docs page
* add changelog entry
* remove extraneous line
* add log level field to Core struct
* add godoc for getLogLevel
* add some loggers to c.allLoggers
* Add signature_bits to sign-intermediate
This endpoint was lacking the signature_bits field like all the other
endpoints. Notably, in #15478, the ability to customize the intermediate
CSR's signature bits was removed without checking for the ability to
customize the final (root-signed) intermediate certificate's value.
This adds in that missing ability, bringing us parity with root
generation and role-based signing.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add signature_bits to sign-verbatim
This endpoint was also lacking the signature_bits field, preventing
other signature hash functions from being utilized here.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
The KMIP backend has four new parameters for the API call to create or update a
role:
- operation_decrypt
- operation_encrypt
- operation_import
- operation_query
The returned chain on the issuer is presented both for signing request
responses and (if the default issuer) on the /ca_chain path. Overriding
the issuers' automatically constructed chain with a manual_chain allows
removal of the root CA if desired.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add cn_validations PKI Role parameter
This new parameter allows disabling all validations on a common name,
enabled by default on sign-verbatim and issuer generation options.
Presently, the default behavior is to allow either an email address
(denoted with an @ in the name) or a hostname to pass validation.
Operators can restrict roles to just a single option (e.g., for email
certs, limit CNs to have strictly email addresses and not hostnames).
By setting the value to `disabled`, CNs of other formats can be accepted
without validating their contents against our minimal correctness checks
for email/hostname/wildcard that we typically apply even when broad
permissions (allow_any_name=true, enforce_hostnames=false, and
allow_wildcard_certificates=true) are granted on the role.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update PKI tests for cn_validation support
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add PKI API documentation on cn_validations
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* VAULT-6091 Document duration format
* VAULT-6091 Document duration format
* VAULT-6091 Update wording
* VAULT-6091 Update to duration format string, replace everywhere I've found so far
* VAULT-6091 Add the word 'string' to the nav bar
* VAULT-6091 fix link
* VAULT-6091 fix link
* VAULT-6091 Fix time/string, add another reference
* VAULT-6091 add some misses for references to this format
* Handle func
* Update - check if key_type and key_bits are allowed
* Update - fields
* Generating keys based on provided key_type and key_bits
* Returning signed key
* Refactor
* Refactor update to common logic function
* Descriptions
* Tests added
* Suggested changes and tests added and refactored
* Suggested changes and fmt run
* File refactoring
* Changelog file
* Update changelog/15561.txt
Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
* Suggested changes - consistent returns and additional info to test messages
* ssh issue key pair documentation
Co-authored-by: Alexander Scheel <alexander.m.scheel@gmail.com>
* Overhaul consul docs and api-docs for new 1.11 features
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
Co-authored-by: Calvin Leung Huang <1883212+calvn@users.noreply.github.com>
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
This adds a note that manual_chain is required for cross-signed
intermediates, as Vault will not automatically associate the
cross-signed pair during chain construction. During issuance, the chain
is used verbatim from the issuer, so no chain detection will be used
then.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Update AWS auth docs for SHA-1 deprecation
We now recommend `/rsa2048` as the preferred AWS signature moving
foward, as `/pkcs7` and `/signature` will stop working by default in
Vault 1.12 without setting `GODEBUG=x509sha1=1` in the Vault deployment
due to the move to Go 1.18.
I also took this oppoturnity to try to make the docs less confusing
and more consistent with all of the usages of signature, PKCS#7, DSA,
and RSA terminology.
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* Match listing_visibility in system/auth with system/mounts
See also: #15209
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix path-help for listing_visibility
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add missing key_ref parameter to gen root docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add API docs section on key generation
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about managed key access
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add integration tests for aliased PKI paths (root/rotate, root/replace)
- Add tests for the two api endpoints
- Also return the issuer_name field within the generate root api response
* Add key_name to generate root api endpoint response and doc updates
- Since we are now returning issuer_name, we should also return key_name
- Update the api-docs for the generate root endpoint responses and add
missing arguments that we accept.
* Add a little more information about PKI and replicated data sets.
- Add a TOC to the PKI considerations page
- Merge in the existing certificate storage into a new Replicated DataSets
section
- Move the existing Cluster Scalability section from the api-docs into the
considerations page.
* Add API docs for Kubernetes secret engine
* alphabetical ordering for K-items in docs sidebar
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Christopher Swenson <swenson@swenson.io>
* Add tests for role patching
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Prevent bad issuer names on update
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on PATCH operations
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* PKI - Add not_before_duration API parameter to:
- Root CA generation
- Intermediate CA generation
- Intermediate CA signing
* Move not_before_duration to addCACommonFields
This gets applied on both root generation and intermediate signing,
which is the correct place to apply this.
Co-authored-by: guysv <sviryguy@gmail.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Resolves: #10631
Co-authored-by: guysv <sviryguy@gmail.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case for root/generate, sign-intermediate
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update path role description
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add new not_before_duration to relevant docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: guysv <sviryguy@gmail.com>
* Protect against key and issuer name re-use
- While importing keys and issuers verify that the provided name if any has not been used by another key that we did not match against.
- Validate an assumption within the key import api, that we were provided a single key
- Add additional tests on the new key generation and key import handlers.
* Protect key import api end-users from using "default" as a name
- Do not allow end-users to provide the value of default as a name for key imports
as that would lead to weird and wonderful behaviors to the end-user.
* Add missing api-docs for PKI key import
* Begin restructuring FIPS documentation
This creates a new FIPS category under Enterprise and copies the
FIPS-specific seal wrap documentation into it.
We leave the existing Seal Wrap page at the old path, but document that
the FIPS-specific portions of it have moved.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add initial FIPS 140-2 inside documentation
This documents the new FIPS 140-2 Inside binary and how to use and
validate it. This also documents which algorithms are certified for
use in the BoringCrypto distribution.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add notes about FIPS algorithm restrictions
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use "not_before_duration" fiueld from role if above 0
* 'test' and update docs
* changelog file
* Requested changes - improved test and better description to changelog
* changelog description:
* update to ttl and not_before_duration API docs
The Parameter `cidr_list` is not support for Key_Type CA, customer was confused on this, so I feel we should specifically call this out to ensure there is no confusion
* POC of Okta Auth Number Challenge verification
* switch from callbacks to operations, forward validate to primary
* cleanup and nonce description update
* add changelog
* error on empty nonce, no forwarding, return correct_answer instead
* properly clean up verify goroutine
* add docs on new endpoint and parameters
* change polling frequency when WAITING to 1s
Co-authored-by: Jim Kalafut <jkalafut@hashicorp.com>
* Update API docs for multiple issuer functionality
This substantially restructures the PKI secret engine's docs for two
purposes:
1. To provide an explicit grouping of APIs by user usage and roles,
2. To add all of the new APIs, hopefully with as minimal duplication
as possible.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add section on vault cli with DER/PEM response formats
- Add [1] links next to the DER/PEM format entries within various PKI
response tables. These link to a new section explaining that the vault
cli does not support DER/PEM response formats
- Remove repetition of vault cli blurb in various description fields.
- Fix up some typos
* Restructure API docs and add missing sections
Also addresses minor nits in the content.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify some language in the API docs
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update website/content/api-docs/secret/pki.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update website/content/api-docs/secret/pki.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update website/content/api-docs/secret/pki.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update website/content/api-docs/secret/pki.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update website/content/api-docs/secret/pki.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
* Allow callers to choose the entropy source for the random endpoints
* Put source in the URL for sys as well
* changelog
* docs
* Fix unit tests, and add coverage
* refactor to use a single common implementation
* Update documentation
* one more tweak
* more cleanup
* Readd lost test expected code
* fmt
* VAULT-5422: Add rate limit for TOTP passcode attempts
* fixing the docs
* CL
* feedback
* Additional info in doc
* rate limit is done per entity per methodID
* refactoring a test
* rate limit OSS work for policy MFA
* adding max_validation_attempts to TOTP config
* feedback
* checking for non-nil reference
When adding SignatureBits control logic, we incorrectly allowed
specification of SignatureBits in the case of an ECDSA issuer. As noted
in the original request, NIST and Mozilla (and others) are fairly
prescriptive in the choice of signatures (matching the size of the
NIST P-curve), and we shouldn't usually use a smaller (or worse, larger
and truncate!) hash.
Ignore the configuration of signature bits and always use autodetection
for ECDSA like ed25519.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
This syncs the deletion text from one of Josh's PRs into OSS to be
visible on the website. Suggested by Nick.
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* update sample request in create managed keys
* Update documentation for curve param
* Add period at end of sentence
* Update key_bits documentation for aws and azure
* Update description of certificate fetch API
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify /config/crl and /config/url PKI are empty
GET-ing these URLs will return 404 until such time as a config is posted
to them, even though (in the case of CRL), default values will be used.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify usage of /pki/crl/rotate
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update documentation around PKI key_bits
This unifies the description of key_bits to match the API description
(which is consistent across all usages).
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix indented field descriptions in PKI paths
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify documentation around serial_number
Note that this field has no impact on the actual Serial Number field and
only an attribute in the requested certificate's Subject.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix spelling of localdomain
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* add tip for how to force a secrets engine disable
* add warning to force disable secrets instructions
* clean up wording
* add force secrets engine disable info to api doc
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/commands/secrets/disable.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/commands/secrets/disable.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* feedback updates
* impl taoism feedback
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* remove mount accessor from MFA config
* Update login_mfa_duo_test.go
* DUO test with entity templating
* using identitytpl.PopulateString to perform templating
* minor refactoring
* fixing fmt failures in CI
* change username format to username template
* fixing username_template example
* Add documentation for Managed Keys
- Add concept, sys/api and pki updates related to managed keys
* Review feedback
- Reworked quite a bit of the existing documentation based on feedback
and a re-reading
- Moved the managed keys out of the concepts section and into the
enterprise section
* Address broken links and a few grammar tweaks
* add documentation for AWS KMS managed keys
* a couple small fixes
* # Conflicts:
# website/content/api-docs/secret/pki.mdx
# website/content/api-docs/system/managed-keys.mdx
# website/content/docs/enterprise/managed-keys.mdx
* docs updates
* # Conflicts:
# sdk/version/version_base.go
# vault/seal_autoseal_test.go
# website/content/api-docs/system/managed-keys.mdx
# website/content/docs/enterprise/managed-keys.mdx
* remove endpoint env var
* Document Azure Key Vault parameters for managed keys.
* docs changes for aws kms managed keys
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
Co-authored-by: Victor Rodriguez <vrizo@hashicorp.com>
* add mount move docs
* add missed word
* Update website/content/api-docs/system/remount.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* one clarification
* docs changes from feedback
* couple things i missed
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
As pointed out internally, a lot of the API docs and FrameworkField
descriptions of parameters were out of date. This syncs a number of
them, updating their descriptions where relevant.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
The operations are handled identically, but ~85% of the references were
POST, and having a mix of PUT and POST was a source of questions.
A subsequent commit will update the internal use of "PUT" such as by
the API client and -output-curl-string.
We note that:
- allow_bare_domains, allow_glob_domains, and allow_subdomains are all
independent,
- enforce_hostnames and allow_wildcard_certificates take precedence over
allow_any_name,
- We limit to RFC 6125 wildcards.
- Clarify that both allow_bare_domains and allow_glob_domains will permit
wildcard issuance in certain scenarios.
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
* Add documentation for managed key test sign API
- Add the documentation for the new managed key api that allows
operators to test the managed key configuration by going through
a sign/verify workflow with some randomly generated data.
* PR feedback
* Allow OpenSSH-style key type identifiers
To bring better parity with the changes of #14008, wherein we allowed
OpenSSH-style key identifiers during generation. When specifying a list
of allowed keys, validate against both OpenSSH-style key identifiers
and the usual simplified names as well ("rsa" or "ecdsa"). Notably, the
PKI secrets engine prefers "ec" over "ecdsa", so we permit both as well.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix missing quote in docs
* Explicitly call out SSH algorithm_signer default
Related: #11608
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Use rsa-sha2-256 as the default SSH CA hash algo
As mentioned in the OpenSSH 8.2 release notes, OpenSSH will no longer be
accepting ssh-rsa signatures by default as these use the insecure SHA-1
algorithm.
For roles in which an explicit signature type wasn't specified, we
should change the default from SHA-1 to SHA-256 for security and
compatibility with modern OpenSSH releases.
See also: https://www.openssh.com/txt/release-8.2
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update docs mentioning new algorithm change
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix missing parenthesis, clarify new default value
* Add to side bar
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Allow specifying multiple allowed SSH key lengths
In the ssh secrets engine, only a single allowed key length was allowed
for each algorithm type. However, many algorithms have multiple safe
values (such as RSA and ECDSA); allowing a single role to have multiple
values for a single algorithm is thus helpful.
On creation or update, roles can now specify multiple types using a list
or comma separated string of allowed values:
allowed_user_key_lengths: map[string][]int{"rsa": []int{2048, 4096}}
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Break out ssh upgrade logic into separate function
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update parseutil for optional lists of integers
go get -u github.com/hashicorp/go-secure-stdlib/parseutil
go mod tidy
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Simplify parse logic using new parseutil
The newly introduced parseutil.ParseIntSlice handles the more
complicated optional int-like slice logic for us.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update repository links to point to main
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Fix broken link in relatedtools.mdx
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* adds development workflow to mirage config
* adds mirage handler and factory for mfa workflow
* adds mfa handling to auth service and cluster adapter
* moves auth success logic from form to controller
* adds mfa form component
* shows delayed auth message for all methods
* adds new code delay to mfa form
* adds error views
* fixes merge conflict
* adds integration tests for mfa-form component
* fixes auth tests
* updates mfa response handling to align with backend
* updates mfa-form to handle multiple methods and constraints
* adds noDefault arg to Select component
* updates mirage mfa handler to align with backend and adds generator for various mfa scenarios
* adds tests
* flaky test fix attempt
* reverts test fix attempt
* adds changelog entry
* updates comments for todo items
* removes faker from mfa mirage factory and handler
* adds number to word helper
* fixes tests
* Revert "Merge branch 'main' into ui/mfa"
This reverts commit 8ee6a6aaa1, reversing
changes made to 2428dd6cca.
* format-ttl helper fix from main
* Add generation support for other SSH CA key types
This adds two new arguments to config/ca, mirroring the values of PKI
secrets engine but tailored towards SSH mounts. Key types are specified
as x/crypto/ssh KeyAlgo identifiers (e.g., ssh-rsa or ssh-ed25519)
and respect current defaults (ssh-rsa/4096). Key bits defaults to 0,
which for ssh-rsa then takes a value of 4096.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation on key_type, key_bits for ssh/config/ca
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* store version history as utc; add self-heal logic
* add sys/version-history endpoint
* change version history from GET to LIST, require auth
* add "vault version-history" CLI command
* add vault-version CLI error message for version string parsing
* adding version-history API and CLI docs
* add changelog entry
* some version-history command fixes
* remove extraneous cmd args
* fix version-history command help text
* specify in docs that endpoint was added in 1.10.0
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* enforce UTC within storeVersionTimestamp directly
* fix improper use of %w in logger.Warn
* remove extra err check and erroneous return from loadVersionTimestamps
* add >= 1.10.0 warning to version-history cmd
* move sys/version-history tests
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Add documentation for Managed Keys
- Add concept, sys/api and pki updates related to managed keys
* Review feedback
- Reworked quite a bit of the existing documentation based on feedback
and a re-reading
- Moved the managed keys out of the concepts section and into the
enterprise section
* Address broken links and a few grammar tweaks
* Include full chain in /cert/ca_chain response
This allows callers to get the full chain (including issuing
certificates) from a call to /cert/ca_chain. Previously, most endpoints
(including during issuance) do not include the root authority, requiring
an explicit call to /cert/ca to fetch. This allows full chains to be
constructed without without needing multiple calls to the API.
Resolves: #13489
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add test case for full CA issuance
We test three main scenarios:
1. A root-only CA's `/cert/ca_chain`'s `.data.ca_chain` field should
contain only the root,
2. An intermediate CA (with root provide) should contain both the root
and the intermediate.
3. An external (e.g., `/config/ca`-provided) CA with both root and
intermediate should contain both certs.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add documentation for new ca_chain field
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add note about where to find the entire chain
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
The field "replication_per_mode" was renamed before this feature was
released, but the docs have never been updated. Update the documentation
to present the correct name.
This change proposes adding [vaultrs](https://crates.io/crates/vaultrs) to the list of community-supported libraries. This crate has a mature base and is expected to expand to accommodate most of the API.
* Add auto_rotate_interval field to transit key creation path.
* Add auto_rotate_interval field to transit key config update path.
* Implement transit automatic key rotation on an hourly interval.
* Fixes transit key autorotation key listing typo.
* Add unit tests for transit key autorotation.
* Add unit tests for transit key creation with autorotation interval.
* Add unit tests for transit key config update with autorotation interval.
* Document new auto_rotate_interval fields in key creation and key config update endpoints.
* Add changelog for transit key autorotation.
* Wrap individual transit key autorotation in a policy lock.
* Add a safeguard to transit key autorotation to ensure only one execution happens simultaneously.
* auth/kubernetes: support for short-lived tokens
* Uplift new version of Kubernetes auth plugin that does not store the
service account token persistently to Vault storage.
* Update the documentation to recommend local token again when running
Vault inside cluster.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
* Added changelog entry
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
* clarification to changelog entry, executed go mod tidy
* clarifications and added targeted release version
* go get vault-plugin-secrets-kv@vault-4290-patch-metadata
* add kv metadata patch command
* add changelog entry
* success tests for kv metadata patch flags
* add more kv metadata patch flags tests
* add kv metadata patch cas warning test
* add kv-v2 key metadata patch API docs
* add kv metadata patch to docs
* prevent unintentional field overwriting in kv metadata put cmd
* like create/update ops, prevent patch to paths ending in /
* fix kv metadata patch cmd in docs
* fix flag defaults for kv metadata put
* go get vault-plugin-secrets-kv@vault-4290-patch-metadata
* fix TestKvMetadataPatchCommand_Flags test
* doc fixes
* go get vault-plugin-secrets-kv@master; go mod tidy
* Update entity-alias.mdx
it was not clear for approle what the name should be the approle name or the role_id.
* Update website/content/api-docs/secret/identity/entity-alias.mdx
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* Upgrade guidance updates from VLT-172
Trying to clarify some upgrade questions. Learn update to follow in
separate PR.
* Apply suggestions from code review
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Add allowed_uri_sans_template
Enables identity templating for the allowed_uri_sans field in PKI cert roles.
Implemented as suggested in #8509
* changelog++
* Update docs with URI SAN templating
* VAULT-1564 report in-flight requests
* adding a changelog
* Changing some variable names and fixing comments
* minor style change
* adding unauthenticated support for in-flight-req
* adding documentation for the listener.profiling stanza
* adding an atomic counter for the inflight requests
addressing comments
* addressing comments
* logging completed requests
* fixing a test
* providing log_requests_info as a config option to determine at which level requests should be logged
* removing a member and a method from the StatusHeaderResponseWriter struct
* adding api docks
* revert changes in NewHTTPResponseWriter
* Fix logging invalid log_requests_info value
* Addressing comments
* Fixing a test
* use an tomic value for logRequestsInfo, and moving the CreateClientID function to Core
* fixing go.sum
* minor refactoring
* protecting InFlightRequests from data race
* another try on fixing a data race
* another try to fix a data race
* addressing comments
* fixing couple of tests
* changing log_requests_info to log_requests_level
* minor style change
* fixing a test
* removing the lock in InFlightRequests
* use single-argument form for interface assertion
* adding doc for the new configuration paramter
* adding the new doc to the nav data file
* minor fix
* Adding support for SHA3 in the transit backend.
* Adds SHA-3 tests for transit sign/verify path. Adds SHA-3 tests for logical system tools path hash functionality. Updates documentation to include SHA-3 algorithms in system tools path hashing.
* Adds changelog entry.
Co-authored-by: robison jacka <robison@packetized.io>
* change default vaule for disable_iss_validation to be true
* mark as deprecated | remove issuer from sample
* deprecation section
* additional informaiton about when fields will be removed
* additional deprecation note under csi provider
* punctuation
* make the deprecation note more noticable
* missing issuer sentence | remove whitespace
* Update website/content/docs/platform/k8s/csi/index.mdx
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* cleanup
* additional deprecation comments
* fix discovery link
* highlight
* no need to configure the issuer
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
* docs for counting tokens without entities
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: swayne275 <swayne275@gmail.com>
* remove parens in docs
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* update documentation to be consistent with the non-entity token terminology
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Update website/content/docs/concepts/client-count.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* add line about client ids to the api docs
* syntax and grammar
Co-authored-by: swayne275 <swayne275@gmail.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* add api lock doc
* add docs nav data
* Update website/content/api-docs/system/namespaces.mdx
Co-authored-by: Chris Capurso <christopher.capurso@gmail.com>
* update command doc
* clarify locked http status code
* add example exempt path
* further exempt clarification
* link api locked response
* add x-vault-namespace api example
* Update website/content/docs/concepts/namespace-api-lock.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* review suggestions
* few other small tweaks
Co-authored-by: Chris Capurso <christopher.capurso@gmail.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
* Add note that monitor command may truncate logs
* Apply suggestions from code review
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
