* actions: pin to latest actions
  - actions/checkout@9c091bb21b => v7.0.0
    Adds a guardrail to prevent accidentally checking out fork pull
    request code in privileged GitHub Actions contexts
    (pull_request_target and PR-triggered workflow_run), with an
    explicit opt-in escape hatch for advanced workflows.
  - pnpm/action-setup@0ebf47130e => v6.0.9
    Update pnpm to v11.7.0
  - Add .github/actions/build-ui to ui changed files group
  - Add .github/actions/build-ui to ui/frontend CODEOWNERS
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Reorganize vault blackbox tests into isolated/scenario/system structure (#14919)
* Reorganize vault blackbox tests into isolated/scenario/system structure
  - Move 38 test files from flat structure to organized directories:
    * isolated/: namespace-scoped, concurrent-safe tests (auth, secrets, plugins, verify)
    * scenario/: state-changing tests (raft, ha)
    * system/: system-level config tests (billing, license)
  - Add build tags (isolated, scenario, system) to all test files
  - Update enos scenarios to use new test paths (./vault/external_tests/blackbox/isolated/verify)
  - Add isolated build tag to undo_logs_test.go for consistency
  - Remove empty directories and duplicate test files
  - All tests compile successfully with respective build tags
  Updated enos scenarios: autopilot, agent, dr-replication, plugin, pr-replication, proxy, seal-ha, smoke, upgrade
* Fix test failures: skip postgres without env vars, handle userpass login failure
* Add HSM-specific build tags for test compilation
* Add metadata path permissions for KV v2 delete/undelete operations
* Fix KV tests: use user session for all write operations
* Fix KV tests: remove userpass, use root session
* Incorporate new AWS and LDAP test functions from main branch
  - Add TestAWS_SecretsCreate() and TestAWS_SecretsRead() to isolated/plugins/aws/secrets_aws_test.go
    * Tests basic AWS secrets engine configuration and role creation
    * Tests reading AWS role and root configuration
    * Complements existing TestAWS_GenerateNewUser() with simpler test cases
  - Add TestLDAP_StaticRoleCreate(), TestLDAP_LibrarySetRead(), and TestLDAP_LibrarySetDelete() to isolated/plugins/ldap/secrets_ldap_test.go
    * Tests LDAP static role creation for password rotation
    * Tests LDAP library set operations for service account management
    * Tests library set deletion
    * Adds requireLDAPAvailable() helper for connectivity verification
    * Complements existing dynamic credential tests
  - All new test functions include:
    * Build tag: //go:build isolated
    * t.Parallel() for concurrent execution
    * Proper environment variable checks with skip logic
    * Consistent error handling and assertions
  - Cleanup:
    * Removed stray .git directories from test folders
    * Removed empty vault/external_tests/blackbox/plugins directory
  These changes ensure the PR includes all test coverage from main while maintaining
  the new isolated/scenario/system organization structure.
* Fix pr-replication scenario to use correct test path and name
  - Update test_package from ./vault/external_tests/blackbox/verify to isolated/verify
  - Update test_names from TestVaultUIAvailability to TestUIAssets
  - Fixes test failures caused by incomplete migration in blackbox test reorganization
* Fix all Enos scenarios: isolated/verify path and correct test names
* Skip isolated tests on CE - require enterprise features
---------
Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
Co-authored-by: hashigator <lt.carbonell@ibm.com>
* [UI]: Ember Data Migration Identity List and Details (#15157)
* Update identity views edm
* Use model directly
* Code cleanup!
* Refresh list view if deleted
* Update identity detail page
* Identity show..
* Have different method types
* Update delete...
* [UI] Ember Data Migration: Identity forms, show, edit, create and list routes (#15291)
* Identity forms...
* Fetch entities and groups in route
* Update forms to have edit
* Fix breadcrumbs
* Update save to use api service method
* Merge entities form...
* Update aliases
* Entity and group show routes
* Fix create / save action
* Add alias form.
* Fix some tests!
* Fix tests and update capability check
* WIP fixing tests...
* Fixes some details page bugs
* Edit form delete actions..
* Passing all tests!!
* Refactor some utils
* Update to class based syntax
* Form label updates
* Remove unused onSuccess
* [UI] Identity EDM code cleanup (#15608)
* Fix cancelLink action
* Update tests to have the correct args
* Ensure add alias button shows when alias does not exist
* Fix lookup input
* Fix other tabs and pages..
* Address comments
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* no-op commit
* Sgm/without envelope wireup (#15441)
* Changes needed to allow encryption/decryption with gcpckms in managed keys
* wip
* wip
* wip
* Normalize key purposes across implementations
* update kmse
* Update kms wrapper deps to those that support WithoutEnvelope
* crucially, supply the option in the wrapper managed key impl
* restore the kmse update
* no, that's done via the encryptWithManagedKey in Policy, not needed here
* changelog
* remove replace
* Update sdk's go-kms-wrapping
* mod tidy
* Switch to using the main wrapper even for testing.
* update test cluster usage
* Update go.mod
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* Update go.mod
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* more go.sum update
* PR feedback
* GCPC KMS needed some more config massaging to work w/ encryption
---------
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
---------
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
Mark `.agents` and `ui/.agents` as enterprise-only in the pipeline
changed-files grouping config. These directories contain internal
developer tooling (agent skills and configurations) that must not
be synced to CE branches or included in CE backports.
Update both the live config and the test fixture to keep them in
sync.
Co-authored-by: Angelo Cordon <angelo.cordon@hashicorp.com>
Co-authored-by: OpenCode (claude-sonnet-4.6) <opencode.noreply@hashicorp.com>
Add support for running enos on Fyre with support for linux/s390x,
linux/amd64, and linux/ppc64le. The enterprise version of this PR
has enterprise only scenarios. The changes reflected here are on
shared modules.
We now have three new fyre modules that can swap in place of
create_vpc, ec2_info, and target_ec2_instances:
create_vpc_fyre_shim, fyre_os_info and target_fyre_vms. This pass
doesn't make them adhere 1:1 as module interfaces but that can come
later when the base scenarios are merged.
The only major change we had to make to long existing modules was
supporting leader_api_addr for discovery. Historically we've always used
cloud based node discovery but that's obviously not available in Fyre.
Now you can set the retry_join variable to either local_api_addr or
aws.
We also modify our integration containers to use those available from
the HashiCorp docker mirror. We do this because we pull those images
unauthenticated and thus share the same external address as the larger
network, which makes the likelihood of throttling very high.
To maintain the goal of the Fyre scenarios not requiring AWS credentials, I
had to move the AWS secrets verification into its own module. That allows
us now to simply not include it, but later if/when we include it we can have
scenarios with the Fyre backend compile them out by skipping.
This PR is massive and covers the following tickets:
VAULT-40635
VAULT-40636
VAULT-44591
VAULT-34888
VAULT-34887
VAULT-34886
VAULT-34885
VAULT-34884
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Add separate Saturday morning sweeps (3 AM & 5 AM ET) for IAM resources
that lack age metadata or tag support. Conditionally exclude `IAMUserPolicy`,
`IAMRolePolicy`, and policy attachments from weekday sweeps to prevent
interference with active CI runs.
Additional changes:
- Add explicit `America/New_York` timezone to workflow schedules
- Update nightly tests to run at 9 AM ET (was 1 PM UTC)
- Grant `iam:TagInstanceProfile` permission to CI service user to tag instance
  profiles to build date-based nuke filters.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Update our container images to not install any packages that are not
strictly necessary to run the entrypoint scripts and start Vault.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
- Adds entity metadata to entity list `key_info`:
  - `creation_time`
  - `last_update_time`
  - `disabled`
- Adds alias metadata to entity list `key_info`:
  - `creation_time`
  - `last_update_time`
- Moves coverage to the external identity API test:
  - `TestIdentityStore_ListAlias`
    - covers the new `key_info` fields
    - covers entity ID list behavior
- Removes the old internal `TestIdentityStore_ListEntities` test.
- Focused test passed:
  `make enttest TEST=./vault/external_tests/identity TESTARGS='-run TestIdentityStore_ListAlias -count=1 -v'`
Co-authored-by: Jorge Aquino <jaquino.usmc@gmail.com>
* Avoid useless re-wrapping of transitory values in sealwrap backend.
When deciding whether to re-wrap a transitory seal wrapped value (one that is
written to storage without seal generation information), only do so if the
result is likely to be a non-transitory value. To determine this likelihood, use
the number of healthy seal wrappers that would be used to re-wrap the value.
* Add a changelog entry.
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
* Ameliorate lock contention for core paths in the seal wrap backend.
Add a special-purpose LockArray for the sealWrapBackend which segregates locks
for the AlwaysSealWrap path entries from other keys.
* Add a changelog entry.
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
This fixes a customer-reported Control Group unwrap issue where an approved replayed request returned wrapping metadata, but the Control Group unwrap response serialization dropped that WrapInfo.
Co-authored-by: Jorge Aquino <jaquino.usmc@gmail.com>
* Add support for the filter query parameter on the GET /scim/v2/Users endpoint (#11309)
* VAULT-41847 refactor SCIM listing endpoint to use CompoundIndex (#14988)
---------
Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com>
Co-authored-by: Anjani Mallampati <anjani.mallampati@hashicorp.com>