* [OT] use `new` builtin for visual clarity
`new(ExternalTokenHelper)` is a lot easier to parse than
`(*ExternalTokenHelper)(nil)`
* add `Args` field to `ExternalTokenHelper`
This will be used to store any extra command arguments and allows
`BinaryPath` to hold *just* the binary path.
* remove shell invocation
Since `BinPath` no longer has to hold any additional arguments we can
execute the command directly without invoking the shell first.
* update `testExternalTokenHelper` to make use of the new `Args` field
* updated `ExternalTokenHelper` documentation
* Add changelog entry for token_helper without shell
Currently using 0.txt until we have a PR id.
* Rename 0.txt to 29653.txt
We got a PR ID, so fix the changelog file
---------
Co-authored-by: Roosevelt Burden <rburden@grantstreet.com>
Co-authored-by: Roosevelt Burden <roosevelt.burden@grantstreet.com>
* Rework certificate authentication api
- Use the passed in Vault api client to perform the connection
- This provides namespace support, retry behaviors and uses
the existing secret parsing logic instead of re-implementing it
- Change the cert auth role to be an optional argument
- Allow users to use a different cert auth mount point
* Clean up test name
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
---------
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
* Update go-jose to v3.0.4
- Updating to address CVE-2025-27144
* Update v4 references in sdk and api
* Update go-jose across all api auth projects to v4.0.5
* Fix "t.Fatal from a non-test goroutine" errors in cache_test.go
- t.Fatal(f) should not be called within a goroutine based on its documentation and only from the main test's thread.
- In 1.24 this seems to cause build failures
* Address all "non-constant format string errors" from go vet
- Within 1.24 these now cause test builds to fail
* logic
* actually got test working
* heartbeat health test
* fix healthy definition and add changelog
* fix test condition
* actually fix test condition
* Update vault/testing.go
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* close body
---------
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* Support trimming trailing slashes via a mount tuneable to support CMPv2
* changelog/
* Perform trimming in handleLoginRequest too
* Eagerly fetch the mount entry so we only test this once
* Add a mount match function that gets path and entry
* Update vault/request_handling.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* more docs
* Some patches (from ENT) didn't apply
* patch fail
* Update vault/router.go
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* PR feedback
* dupe
* another dupe
* Add support for enabling trim_request_trailing_slashes on mount creation
* Fix read mount api returning configuration for trim_request_trailing_slashes
* Fix test assertion
* Switch enable and tune arguments to BoolPtrVal to allow end-users to specify false flag
* Add trim-request-trailing-slashes to the auth enable API and CLI
---------
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Go module tooling mandates that each sub-module contains its own LICENSE file.
If absent, it defaults to the LICENSE file in the root of the git repository.
This resulted in the api/auth/* modules erroneously inheriting the BUSL
license instead of the correct MPL license, as indicated by the SPDX info in
the actual API code.
This update ensures that module documentation is displayed correctly on
pkg.go.dev and resolves issues with various tools showing incorrect license
information for the sub-modules.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
* VAULT-28577: change CSV MIME type to text/csv
* VAULT-28578: require sudo for export API
* add validation and associated error handling
* change export API default to 204 if no data returned
* VAULT-28579: allow export API in non-root namespace, add filtering support
* update test fixtures to reflect filtering changes
* TestActivityLog_Export moved to ENT-only test
* add test to verify sudo access
* add changelog entry
This makes it so projects that are already using backoff don't need to
pull up an old version of it just because of vault/api. This major
version change is compatible with existing usage in code.
Refs #24707.
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* check if "identity_policies" is nil to fix cli vault login error
* add changelog
* skip add identity_policies to resp when there's no identity_policies associated in token's namespace
This is an edge case, when an entity has identity_policies associated in other namespaces but no identity_policies in this token's namespace, `identityPolicies[out.NamespaceID]` is nil, client side doesn't handle nil which raises error.
* update changelog
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* VAULT-25341 Address issue where having no permissions to renew caused Agent and Proxy auth to attempt to renew with no backoff
* Fiddle with go.mod changes that shouldn't have happened
* VAULT-25341 small cleanup and extra test
* VAULT-25341 backoff only in error case
* VAULT-25341 godocs
* VAULT-25342 changelog
* Update command/agent_test.go
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
* VAULT-25341 rename file audit
---------
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
We have many hand-written String() methods (and similar) for enums.
These require more maintenance and are more error-prone than using
automatically generated methods. In addition, the auto-generated
versions can be more efficient.
Here, we switch to using https://github.com/loggerhead/enumer, itself
a fork of https://github.com/diegostamigni/enumer, no longer maintained,
and a fork of the mostly standard tool
https://pkg.go.dev/golang.org/x/tools/cmd/stringer.
We use this fork of enumer for Go 1.20+ compatibility and because
we require the `-transform` flag to be able to generate
constants that match our current code base.
Some enums were not targeted for this change:
* Move command/config + command/token to api/cliconfig + api/tokenhelper
* Remove unused functions and unused import
* Simplify and inline function copied from SDK
* Delete unused duplicated/forwarding config implementation from command package
* Delete unused code, unexport API surface that's only used internally to the package
* Fix up license headers
* Add changelog
* Tweak .gitignore to track hcl files in testdata/ folders
* add gosimport to make fmt and run it
* move installation to tools.sh
* correct weird spacing issue
* Update Makefile
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* fix a weird issue
---------
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* add methods in Sys struct to manipulate UI Custom Messages
* adding go-docs
* extracting recurring URL path into a constant
* using same stretchr/testify version as the main go.mod
* adds plugin identity token to secrets CLI for enable and tune
* adds plugin identity token to auth CLI for enable and tune
* adds field to mount config input and output
* adds changelog
* fix tests
* fix another test
* sys: adds identity_token_key to mounts/auth for enable/tune
* adds changelog
* adds godoc on new tests
* adds function for identityStoreKeyExists
* use read lock, remove helper func
* tune test in logical_system_test, remove router access method
* fix key existence check in namespaces