Commit graph

816 commits

Author SHA1 Message Date
Vault Automation
3e07ddb12f
Backport Upgrade google.golang.org/grpc dependency into ce/main (#13182)
Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Co-authored-by: Vinay Gopalan <vinay@hashicorp.com>
Co-authored-by: Ben Ash <bash@hashicorp.com>
2026-03-19 21:00:48 +00:00
Vault Automation
d34cb72e68
Add counting for SSH certs and OTPs (#12368) (#12755)
* add cert counting for ssh

* add system view and fix errors

* add otp counting and change units for certs

* add storage tests

* fix census errors

* run make fmt

* use incrementer and change storage to match rfc

* run make fmt

* fix interface and remove parameter

* fix errors

* Update builtin/logical/ssh/path_creds_create.go



* remove error check

* add ssh counts to billing endpoint

* fix error

* add test case

* add ssh metric to test

* add get functions and tests

* fix format

* create function for ssh metrics

* refactoring and add test cases

* replace test check

* add ssh to billing overview test

---------

Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
2026-03-11 10:30:48 -04:00
Vault Automation
9b35f7dae7
VAULT-42598 add resource cleanup to SCIM client delete (#12489) (#12826)
* add resource orphaning to SCIM client delete

* add background orphaning handling

* delete instead of orphan, add retry and startup tests

* revert: undo accidental changes to Makefile and golang instructions

* fix tests

* stop log flood (try again)

* fix linter findings

* try to silence spam again

* try to silence spam once more

* don't allow running outside of active primary

* go docs

* fix active check and pass client id via context

* remove unnecessary change

* Remove Test_SCIM_ClientDeletion_Cascading

this test was added in another PR but mine already has a bunch of deleting tests that work with the new behavior

Co-authored-by: Bruno Oliveira de Souza <bruno.souza@hashicorp.com>
2026-03-10 11:52:50 -03:00
Vault Automation
5f77aa78fc
VAULT-42759: Fix logic around setting updated_at field in billing endpoint, enhance tests coverage for the endpoint (#12454) (#12584)
* fix updated_at logic for previous month, add tests

* improvement: separate out metric names into consts

* wholistically cover all metrics in billing api test

* add actual totp data in the ent test

* fix more wording errors

* feedback: remove consts and use metric names directly

* fix a test

* simplify the logic around refreshing data

* simplify the logic by centralizing the atomic tracker interacting inside updateBillingMetrics method, fix the logic inside the endpoint, add tests

* minor fixes

* feedback: set time tracker to zero at set up and at start of month to indicate data has not been updated yet, update test

* attempt to fix deadlock by using statelock free version of update billing metrics method

* remove unnecessary locks inside request handling

* remove duplicate methods - instead create 2 wrappers around the method one with lock and one without

* add a new prefix and methods to store and retrieve last update time

* add comments to explain local prefix behavior for the update method

* replace atomic tracker with storage methods

* add method level tests for the update time storage methods

* add external tests to verify perf replicated cluster independently track last update time now

* normalize time to utc before storing to storage, fix comments

* code scanql feedback: remove logging of raw error to prevent leakage

* feedback: reorganize and refactor update billing metric method wrappers

* feedback: add go doc to the get method

* feedback: retrieve stored update time for last month, instead of always putting end of month inside computeUpdatedTime

* use equal test instead of within duration inside util tests

* use require equal inside external tests too

* use end of the requested month inside the endpoint for past months

* update tests

* add a new test case for when time is not stored in storage

* fix a bug: add nil check before passing role counts and managed key counts to update method

* feedback: remove update call of time inside setup billing

* Update vault/consumption_billing_util.go



* Update vault/logical_system_use_case_billing.go



* Update vault/logical_system_use_case_billing.go



* comment fix

* feedback: do not allow refresh on perf standby, add a warning and just retrieve stored data

* add tests

---------

Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
2026-02-26 21:19:16 +00:00
Vault Automation
b706601bf7
Backport go: upgrade go.opentelemetry.io/otel/sdk => 1.40.0 and filippo.io/edwards25519 => v1.1.1 into ce/main (#12496)
Upgrade filippo.io/edwards25519 v1.1.0 => v1.1.1 to resolve GO-2026-4503
Upgrade go.opentelemetry.io/auto/sdk v1.1.0 => v1.2.1 to resolve GO-2026-4394

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-02-24 17:49:33 +00:00
Vault Automation
aa5bb66347
Backport KMSE HWM metrics CE fix into ce/main (#12481)
* KMSE HWM metrics: add missing function to oss file (#12475)

* [VAULT-41208] Add KMSE HWM Metrics (#12452)

* add kmse hwm key counts

* add kmse hwm key count census metrics

* add tests

* move storage functions to ent

* update billing endpoint tests

* add kmse to test billing response

* Apply suggestion from @aslamovamir

Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>

---------

Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>

---------

Co-authored-by: Jenny Deng <jenny.deng@hashicorp.com>
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
2026-02-23 14:49:09 -08:00
Vault Automation
c0e8de6ed9
VAULT-41572: hookup billing overview endpoint (#12328) (#12451)
* hookup the new path to the system backend

* add API client method for the new endpoint

* add test for the api method structure

* adjust the path implementation to capture all so-far added metrics

* add tests

* add go docs to the tests

* add more tests

* feedback: add go doc to test

* feedback: use require in tests

* fix the api: use parse secret method to properly parse response, add mapstructure definitions to api structs

* feedback: fix api method test by using mock api response

* Update vault/logical_system_use_case_billing.go



* Update vault/logical_system_use_case_billing.go



* feedback: refactor build month data method into methods that collect data separately

* feedback: make update_counts parameter a new user set field for the endpoint

* feedback: remove basic comments

* update logic around determining updated at field

* fix tests: add actual data and fix some assertions

* separate out ent only features from the neutral test file

* add a new test file to test ent only features

* call one update method to update all metrics

* add external tests for the endpoint

* add a changelog

* feedback: rename update_counts parameter to refresh_data

* feedback: fix determination of updated_at field

* feedback: convert created methods into core methods from system backend methods

* Update changelog/12328.txt



* feedback: create a new atomic tracker of last updated time for the metrics update and use that in the endpoint

* add unit tests to test updated_at

* always build metrics, even when the values are 0

* add test coverage to verify metrics still exist in the response with zero values even when there are no billing resources

* feedback: remove manual check of root namespace - rely on system backend to enforce root namespace restriction

* remove namespace test from oss test file

* properly accommodate new totp metric

* add pki cert and totp to endpoint response, add test coverage

* rename changelog file

* linters

* change changelog type to improvement, make the file CE and ENT

* test ent changelog

* fix some tests after the addition of totp and pki

* add test coverage for the new metrics in external and api tests

* make changelog CE file

---------

Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
2026-02-20 08:17:23 -05:00
Vault Automation
e7133e83f2
VAULT-40965 async option for scan API (#11011) (#11751)
* VAULT-40965 async option for scan API

* whoopsie

* whoopsie

* add test, return accepted (for real), fix docs

* Add extra time

* make test more resilient

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2026-01-13 17:40:37 +00:00
Vault Automation
8cce47281e
[VAULT-41179] go: bump golang.org/x/crypto to v0.45.0 (#11056) (#11065)
* [VAULT-41179] go: bump golang.org/x/crypto to v0.45.0

Bump the golang.org/x/crypto module to v0.45.0 to resolve several CVEs
with the prior version:
  - https://github.com/advisories/GHSA-f6x5-jh6r-wrfv
  - https://github.com/advisories/GHSA-j5w8-q4qc-rx2x
  - https://pkg.go.dev/vuln/GO-2025-4134
  - https://pkg.go.dev/vuln/GO-2025-4135

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2025-12-02 21:00:06 +00:00
Bianca
bfbd6a9a93
Sync SCIM related files to CE/main (#11037) 2025-12-02 11:44:43 -03:00
Vault Automation
77f1980d29
go: bump golang.org/x/crypto => v0.44.0 to resolve GO-2025-4116 (#10871) (#10891)
* go: bump golang.org/x/crypto => v0.44.0 to resolve GO-2025-4116

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2025-11-18 17:57:11 +00:00
Vault Automation
ab45220ae3
Include SHA256 sum field in the list response for external plugins (#10761) (#10805)
* Include SHA256 sum field in the list response for external plugins

* Add changelog

* remove mapstructure

Co-authored-by: Zlaticanin <60530402+Zlaticanin@users.noreply.github.com>
2025-11-17 09:58:58 -07:00
Vault Automation
bfa97b551b
Backport Add override_pinned_version support on tune and enable for secret and auth into ce/main (#10644)
* backport: Add override_pinned_version support on tune and enable for secret and auth (#9719)

* fix entWrappedAuthPath() and entWrappedMountsPath() oss stubs

---------

Co-authored-by: Thy Ton <maithytonn@gmail.com>
2025-11-06 18:55:42 -08:00
Vault Automation
965e279dba
VAULT-39878 Add database support to sys/reporting/scan (#10546) (#10654)
* Databases WIP

* whoopsie cleanup

* Updates for databases

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2025-11-06 20:28:34 +00:00
Vault Automation
e53661ce92
license: update headers to IBM Corp. on main (#10333) (#10361)
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2025-10-23 20:54:04 +00:00
Vault Automation
6a9329d8a6
VAULT-39876 Add sys/reporting/scan to Vault, allowing an output of files with paths and names of Vault secrets (#10068) (#10323)
* VAULT-39876 sys/reporting/scan for KV secrets

* make fmt

* changelog

* stray t.log

* typo

* fix race probably

* Bug fix, add local mount

* remove comment

* bolster external tests

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2025-10-22 21:02:07 +00:00
Vault Automation
0c6c13dd38
license: update headers to IBM Corp. (#10229) (#10233)
* license: update headers to IBM Corp.
* `make proto`
* update offset because source file changed

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2025-10-21 15:20:20 -06:00
Ryan Cragun
93e1879749
go: synchronize module deps with enterprise (#10192)
Synchronize all common Go module versions with enterprise.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2025-10-17 11:13:53 -06:00
Vault Automation
5b2f37614c
Fix unsetting sys tunable values (on ent). (#9383) (#9458)
* Fix unsetting sys tunable values (on ent).

* Remove commented test, add GoDoc for test.

* Handle empty slices better (PR feedback).

* Fetch Auth endpoint without listing (PR feedback).

* Fatal vs. Error

* Add GetAuth instead of ListAuth

* Fix error format error.  Oops!

* One more list->get auth.  Remove extra check.

* Updated TuneMountWithContextAllowNil to use a struct (with all pointers).

* Allow setting empty values for userLockoutConfig too - use new struct.

* Extra pointer.

* Remove useless functions.

* Simple test to ensure any field we can set we can update and vice-versa.

* Add json tag checks.

Co-authored-by: Kit Haines <khaines@mit.edu>
2025-09-19 10:51:38 -04:00
Vault Automation
e40eca1286
VAULT-39294: Deprecate recover_snapshot_id query param and use a header instead (#8834) (#9042)
* deprecate snapshot query params, use a header instead

* keep read query param, but deprecate recover one

* fix test

* remove list change

* add changelog

* rename header, allow request method

* update changelog

Co-authored-by: miagilepner <mia.epner@hashicorp.com>
2025-09-01 15:28:10 +00:00
Vault Automation
c9605c7eb0
VAULT-36947: Support force unloading a snapshot (#8740) (#9036)
* portion of changes for autoloading

* add test checking for panic

* add endpoint for force unloading

* separate method for force unload

* changelog

* don't redefine constants

Co-authored-by: miagilepner <mia.epner@hashicorp.com>
2025-09-01 09:16:35 +00:00
Vault Automation
ea954aabaf
Backport bump go-getter to 1.7.9 into ce/main (#8926)
* bump go-getter to 1.7.9 (#8899)

* bump go-getter to 1.7.9

* add changelog

* go mod tidy

Signed-off-by: Ryan Cragun <me@ryan.ec>

---------

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Josh Black <raskchanky@gmail.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2025-08-26 12:31:43 -06:00
Vault Automation
eff87a134a
api/client: support setting extra headers with new logical request interface. (#8808) (#8858)
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
2025-08-22 19:33:20 +00:00
Vault Automation
9d27d4f837
VAULT-37630: Recover as a copy (#8640) (#8798)
* recover as a copy implementation

* get policy tests passing

* add helpers and testing support

* fixes

* revert a couple of changes

* more tests

* switch to query param

* correctly update source path with the namespace

* only add openapi recover source path if there's a path parameter

* add changelog

* check for no mount in path

Co-authored-by: miagilepner <mia.epner@hashicorp.com>
2025-08-21 13:53:35 +00:00
Vault Automation
ae0e5e160f
[VAULT-38601] Modify response to MFA enforced requests to enable TOTP self-enrollment (#8723) (#8746)
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2025-08-20 20:22:00 +00:00
Murali
aa73cbf04f
updating utilization api client (#31385) 2025-08-08 00:14:40 +05:30
Bruno Oliveira de Souza
194241e1d1
VAULT-35838: advance deprecation of duplicate HCL attributes to pending removal stage (#31215)
* HCL dup attr deprecation: pending removal

* correct docs

* add changelog

* better error message for possible common errors

* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>

* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx

Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>

---------

Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
2025-07-24 15:17:51 -03:00
Violet Hynes
584a3daf21
Dependency updates for main (#31299)
* Dependency updates for main

* go mod tidy
2025-07-17 11:30:11 -04:00
helenfufu
abac619e0a
Vault 36295 Improve plugin mgmt ux in api and cli (#30811)
* cli: only set default command parameter to plugin name if sha256 is provided

* api: write warnings to RegisterPluginResponse, propagate up to cli

* api: filter out 'Endpoint replaced the value of these parameters' warning before returning in RegisterPluginWithContext

* docs

* add TODO on filtering that links to api type parameter deprecation ticket

* fix tests

* allocate filteredWarning slice only if there are warnings

* improve deferred resp close and early error return conditionals in RegisterPluginWithContext

* refer to sha256 as cli option -sha256 in command cli usage

* break up ui error lines for sha256 and version flag check

* consolidate if statements for sha256 and command, oci_image check in cli

* consolidate if statements for sha256 and command, oci_image check in api

* new RegisterPluginV2 and RegisterPluginWithContextV2 api client functions for backward compatibility

* add changelog

* more descriptive changelog

* rename RegisterPluginV2 to RegisterPluginDetailed and RegisterPluginWithContextV2 to RegisterPluginWithContextDetailed

* return nil, nil if no warnings to preserve status code

* fix eof from decoding (check if no content before decoding)

* doc for RegisterPluginResponse

* only validate plugin.Command in plugin catalog set for downloaded and binary plugins, which rely on plugin.Command input; extracted artifact plugins don't rely on plugin.Command input

* Update website/content/api-docs/system/plugins-catalog.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/api-docs/system/plugins-catalog.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/api-docs/system/plugins-catalog.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/docs/commands/plugin/register.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/docs/commands/plugin/register.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/docs/commands/plugin/register.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/docs/commands/plugin/register.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* move up enterprise note on plugin register command doc

* [DOCS] Editorial suggestions for PR #30811 (#31111)

* suggestions

* move common reqs to a partial

* fix typo

* tweak reqs

* Update website/content/partials/plugins/prepare-plugin.mdx

Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>

* Update website/content/partials/plugins/prepare-plugin.mdx

Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>

* Update website/content/partials/plugins/prepare-plugin.mdx

Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>

* tweak feedback

* remove deprecation

* Update website/content/partials/plugins/common-requirements.mdx

Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>

* save

* Update website/content/docs/plugins/rollback.mdx

Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>

* Update website/content/docs/plugins/upgrade.mdx

Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>

* fix formatting

---------

Co-authored-by: helenfufu <25168806+helenfufu@users.noreply.github.com>

---------

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
2025-06-30 10:00:54 -07:00
miagilepner
544edd58d6
VAULT-36112: Better handling for Retry-After rate limit header. (#30887)
* round up

* round up, test, update backoff

* add external test

* changelog

* use released version of go-retryablehttp

* update api version of go-retryablehttp

* fix name
2025-06-19 11:22:11 +02:00
helenfufu
146c032600
CE changes for plugin download (#30927)
* ce changes for https://github.com/hashicorp/vault-enterprise/pull/8193

* lower case enterprise only errors

---------

Co-authored-by: Ben Ash <bash@hashicorp.com>
2025-06-10 10:31:24 -04:00
ej-hashi
6bcb72af7e
update vault auth submodules to api/v1.20.0 (#30851)
* update vault auth submodules to api/v1.20.0

* updates to go mods

---------

Co-authored-by: Eric Jones <cirej2013@gmail.com>
2025-06-05 11:04:45 -07:00
miagilepner
318f858213
VAULT-36229: Nonce for rekey cancellations (#30794)
* require nonce for rekey

* update doc

* add changelog

* Apply suggestions from code review

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

---------

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
2025-06-05 19:55:41 +02:00
Bruno Oliveira de Souza
0b9157156f
VAULT-32657 deprecate duplicate attributes in HCL configs and policies (#30386)
* upgrade hcl dependency on api pkg

This upgrades the hcl dependency for the API pkg,
and adapts its usage so users of our API pkg are
not affected. There's no good way of communicating
a warning via a library call so we don't.

The tokenHelper which is used by all Vault CLI
commands in order to create the Vault client, as
well as directly used by the login and server
commands, is implemented on the api pkg, so this
upgrade also affects all of those commands. Seems
like this was only moved to the api pkg because
the Terraform provider uses it, and I thought
creating a full copy of all those files back under
command would be too much spaghetti.

Also leaving some TODOs to make next deprecation
steps easier.

* upgrade hcl dependency in vault and sdk pkgs

* upgrade hcl dependency in vault and sdk pkgs

* add CLI warnings to commands that take a config

- vault agent (unit test on CMD warning)
- vault proxy (unit test on CMD warning)
- vault server (no test for the warning)
- vault operator diagnose (no tests at all, uses the
same function as vault server)

* ignore duplicates on ParseKMSes function

* Extend policy parsing functions and warn on policy store

* Add warning on policy fmt with duplicate attributes

* Add warnings when creating/updating policy with duplicate HCL attrs

* Add log warning when switchedGetPolicy finds duplicate attrs

Following operations can trigger this warning when they run into a policy
with duplicate attributes:
* replication filtered path namespaces invalidation
* policy read API
* building an ACL (for many different purposes like most authZ operations)
* looking up DR token policies
* creating a token with named policies
* when caching the policies for all namespaces during unseal

* Print log warnings when token inline policy has duplicate attrs

No unit tests on these as new test infra would have to be built on all.
Operations affected, which will now print a log warning when the retrieved
token has an inline policy with duplicate attributes:
* capabilities endpoints in sys mount
* handling events under a subscription with a token with duplicate
attrs in inline policies
* token used to create another token has duplicate attrs in inline
policies (sudo check)
* all uses of fetchACLTokenEntryAndEntity when the request uses a
token with inline policies with duplicate attrs. Almost all reqs
are subject to this
* when tokens are created with inline policies (unclear exactly how that
can happen)

* add changelog and deprecation notice

* add missing copywrite notice

* fix copy-paste mistake

good thing it was covered by unit tests

* Fix manual parsing of telemetry field in SharedConfig

This commit in the hcl library was not in the
v1.0.1-vault-5 version we're using but is
included in v1.0.1-vault-7:
e80118accb

This thing of reusing when parsing means that
our approach of manually re-parsing fields
on top of fields that have already been parsed
by the hcl annotation causes strings (maybe
more?) to concatenate.

Fix that by removing annotation. There's
actually more occurrences of this thing of
automatically parsing something that is also
manually parsing. In some places we could
just remove the boilerplate manual parsing, in
others we better remove the auto parsing, but
I don't wanna pull at that thread right now. I
just checked that all places at least fully
overwrite the automatically parsed field
instead of reusing it as the target of the
decode call. The only exception is the AOP
field on ent but that doesn't have maps or
slices, so I think it's fine.

An alternative approach would be to ensure
that the auto-parsed value is discarded,
like the current parseCache function does

note how it's template not templates

* Fix linter complaints

* Update command/base_predict.go

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

* address review

* remove copywrite headers

* re-add copywrite headers

* make fmt

* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* undo changes to deprecation.mdx

* remove deprecation doc

* fix conflict with changes from main

---------

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
2025-05-23 16:02:07 -03:00
Kuba Wieczorek
4c1cf74b59
[VAULT-35076] Add methods for loading and unloading snapshots to the sys raft API client (#30719) 2025-05-22 16:54:26 +01:00
miagilepner
2c1d8b6fb4
VAULT-36198: Add API/CLI support for reading, listing, recovering from a snapshot (#30701) 2025-05-21 15:10:20 +02:00
Andrew Hewus Fresh
a6c35b6d5e
Directly exec ExternalTokenHelper rather than using a SHELL (#29653)
* [OT] use `new` builtin for visual clarity

`new(ExternalTokenHelper)` is a lot easier to parse than
`(*ExternalTokenHelper)(nil)`

* add `Args` field to `ExternalTokenHelper`

This will be used to store any extra command arguments and allows
`BinaryPath` to hold *just* the binary path.

* remove shell invocation

Since `BinPath` no longer has to hold any additional arguments we can
execute the command directly without invoking the shell first.

* update `testExternalTokenHelper` to make use of the new `Args` field

* updated `ExternalTokenHelper` documentation

* Add changelog entry for token_helper without shell

Currently using 0.txt until we have a PR id.

* Rename 0.txt to 29653.txt

We got a PR ID, so fix the changelog file

---------

Co-authored-by: Roosevelt Burden <rburden@grantstreet.com>
Co-authored-by: Roosevelt Burden <roosevelt.burden@grantstreet.com>
2025-04-04 14:34:26 -04:00
Violet Hynes
bbaaa3f76e
VAULT-34541 CE changes (#29920) 2025-03-18 16:01:59 -04:00
Steven Clark
e31d45514d
Rework certificate authentication client api (#29931)
* Rework certificate authentication api

 - Use the passed in Vault api client to perform the connection
    - This provides namespace support, retry behaviors and uses
      the existing secret parsing logic instead of re-implementing it
 - Change the cert auth role to be an optional argument
 - Allow users to use a different cert auth mount point

* Clean up test name

Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>

---------

Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
2025-03-14 15:48:52 -04:00
Steven Clark
1802204dec
Update golang.org/x/net to v0.37.0 for GO-2025-3503 (#29925) 2025-03-14 11:53:38 -04:00
Wito Chandra
a782fa859c
feat(api-client): add cert auth method (#29546)
* feat(api-client): add cert auth method

* chore: apply feedbacks

* doc: add copyright & update changelog

---------

Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
2025-03-11 14:03:57 -04:00
Violet Hynes
9fd4ba9d14
VAULT-34126 CE part (#29849) 2025-03-06 11:09:03 -05:00
Steven Clark
152e5b53e1
Update go-jose to v3.0.4/v4.0.5 (#29771)
* Update go-jose to v3.0.4

 - Updating to address CVE-2025-27144

* Update v4 references in sdk and api

* Update go-jose across all api auth projects to v4.0.5
2025-02-28 11:15:59 -05:00
davidadeleon
6741773b0f
update vault auth submodules to api/v1.16.0 (#29548)
* update vault auth submodules to api/v1.16.0

* update go.mod

* make proto

---------

Co-authored-by: davidadeleon <ddeleon@hashicorp.com>
2025-02-11 07:28:45 -08:00
Steven Clark
9456671f04
Prepare code base for Go 1.24 update. (#29412)
* Fix "t.Fatal from a non-test goroutine" errors in cache_test.go

 - t.Fatal(f) should not be called within a Go routine based on its documentation and only from the main test's thread.
 - In 1.24 this seems to cause build failures

* Address all "non-constant format string errors" from go vet

 - Within 1.24 these now cause test builds to fail

…" from go vet
2025-01-27 14:34:07 -05:00
Violet Hynes
32d61c3893
Update go/x/net and go/x/crypto to latest versions throughout (#29422) 2025-01-27 10:47:40 -05:00
miagilepner
73bf3ebc7c
VAULT-31755: Add removed and HA health to the sys/health endpoint (#28991)
* logic

* actually got test working

* heartbeat health test

* fix healthy definition and add changelog

* fix test condition

* actually fix test condition

* Update vault/testing.go

Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>

* close body

---------

Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
2024-12-04 11:09:10 +01:00
miagilepner
4b98fd9b1a
VAULT-31751, VAULT-31752: removed_from_cluster in vault status (#28938)
* add removed from cluster to status output

* test for command

* update docs

* changelog
2024-11-19 11:13:10 +01:00
Scott Miller
415d260995
Support trimming trailing slashes via a mount tuneable to support CMPv2 (#28752)
* Support trimming trailing slashes via a mount tuneable to support CMPv2

* changelog/

* Perform trimming in handleLoginRequest too

* Eagerly fetch the mount entry so we only test this once

* Add a mount match function that gets path and entry

* Update vault/request_handling.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* more docs

* Some patches (from ENT) didn't apply

* patch fail

* Update vault/router.go

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* PR feedback

* dupe

* another dupe

* Add support for enabling trim_request_trailing_slashes on mount creation

* Fix read mount api returning configuration for trim_request_trailing_slashes

* Fix test assertion

* Switch enable and tune arguments to BoolPtrVal to allow end-users to specify false flag

* Add trim-request-trailing-slashes to the auth enable API and CLI

---------

Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2024-10-24 10:47:17 -05:00
Josh Black
d1355cb98f
explain how -output-curl-string works in comments to avoid confusion (#28576) 2024-10-04 11:14:21 -07:00