This was previously part of the very long command/auth.go file, where it
mimmicked the same API as other handlers. By making it a builtin
credential, we can remove a lot of conditional logic for token-based
authentication.
Some of the path help documentation was incorrect for auth/aws/role as
behavior changed during PR development and the help wasn't updated. This
fixes incorrect information and makes the path help somewhat more
consistent.
Fixes#3472
* Adding support for base_url for Okta api
* addressing feedback suggestions, bringing back optional group query
* updating docs
* cleaning up the login method
* clear out production flag if base_url is set
* docs updates
* docs updates
* Fix using wrong public key in sign-self-issued
* Change behavior of TTL in sign-intermediate
This allows signing CA certs with an expiration past the signer's
NotAfter.
It also change sign-self-issued to replace the Issuer, since it's
potentially RFC legal but stacks won't validate it.
Ref: https://groups.google.com/d/msg/vault-tool/giP69-n2o20/FfhRpW1vAQAJ
The parseIamArn method was making assumptions about the input arn being
properly formatted and of a certain type. If users tried to pass a
bound_iam_principal_arn that was malformed (or was the ARN of the root
user), it would cause a panic. parseIamArn now explicitly checks the
assumptions it's making and tests are added to ensure it properly errors
out (rather than panic'ing) on malformed input.
* Lazy load plugins to avoid setup-unwrap cycle
* Remove commented blocks
* Refactor NewTestCluster, use single core cluster on basic plugin tests
* Set c.pluginDirectory in TestAddTestPlugin for setupPluginCatalog to work properly
* Add special path to mock plugin
* Move ensureCoresSealed to vault/testing.go
* Use same method for EnsureCoresSealed and Cleanup
* Bump ensureCoresSealed timeout to 60s
* Correctly handle nil opts on NewTestCluster
* Add metadata flag to APIClientMeta, use meta-enabled plugin when mounting to bootstrap
* Check metadata flag directly on the plugin process
* Plumb isMetadataMode down to PluginRunner
* Add NOOP shims when running in metadata mode
* Remove unused flag from the APIMetadata object
* Remove setupSecretPlugins and setupCredentialPlugins functions
* Move when we setup rollback manager to after the plugins are initialized
* Fix tests
* Fix merge issue
* start rollback manager after the credential setup
* Add guards against running certain client and server functions while in metadata mode
* Call initialize once a plugin is loaded on the fly
* Add more tests, update basic secret/auth plugin tests to trigger lazy loading
* Skip mount if plugin removed from catalog
* Fixup
* Remove commented line on LookupPlugin
* Fail on mount operation if plugin is re-added to catalog and mount is on existing path
* Check type and special paths on startBackend
* Fix merge conflicts
* Refactor PluginRunner run methods to use runCommon, fix TestSystemBackend_Plugin_auth
* Add pki/root/sign-self-issued.
This is useful for root CA rolling, and is also suitably dangerous.
Along the way I noticed we weren't setting the authority key IDs
anywhere, so I addressed that.
* Add tests
* Compare groups case-insensitively at login time, since Okta groups are
case-insensitive but preserving.
* Make other group operations case-preserving but otherwise
case-insensitive. New groups will be written in lowercase.
* Add automatic plugin reload
* Refactor builtin/backend
* Remove plugin reload at the core level
* Refactor plugin tests
* Add auto-reload test case
* Change backend to use sync.RWMutex, fix dangling test plugin processes
* Add a canary to plugin backends to avoid reloading many times (#3174)
* Call setupPluginCatalog before mount-related operations in postUnseal
* Don't create multiple system backends since core only holds a reference (#3176)
to one.
