* no-op commit
* Sgm/without envelope wireup (#15441)
* Changes needed to allow encryption/decryption with gcpckms in managed keys
* wip
* wip
* wip
* Normalize key purposes across implementations
* update kmse
* Update kms wrapper deps to those that support WithoutEnvelope
* crucially, supply the option in the wrapper managed key impl
* restore the kmse update
* no, that's done via the encryptWithManagedKey in Policy, not needed here
* changelog
* remove replace
* Update sdk's go-kms-wrapping
* mod tidy
* Switch to using the main wrapper even for testing.
* update test cluster usage
* Update go.mod
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* Update go.mod
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* more go.sum update
* PR feedback
* GCPC KMS needed some more config massaging to work w/ encryption
---------
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
---------
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* no-op commit
* Backport Change to Trail of Bits library for PQC into release/2.x.x+ent (#14617)
* Change to Trail of Bits library for PQC (#12676)
* switch to tob library
* test fixes for mldsa public keys
* fix public keys in tests
* add logic for slh-dsa param changes
* add logic to handle both key encodings
* fix slhdsa key gen
* fix slhdsa public key
* add logic for hybrid keys
* fix slhdsa verify
* add test cases
* fix public key in read for pqc
* fix mldsa decoding
* fix mldsa public key encoding
* make encoding consistent
* fix tests
* fixes and bob tests
* add changelog
* fix test case
* adjust existing test cases
* add test cases with old keys
* go mod tidy
* run go mod tidy
---------
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Co-authored-by: rculpepper <rculpepper@hashicorp.com>
* go mod tidy
* add function for pqc public keys
* delete ent file
* remove library
---------
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Co-authored-by: rculpepper <rculpepper@hashicorp.com>
* added a toggle to normalize radius usernames and reject case-variant duplicates to prevent case-collision
Co-authored-by: Himnish-Nadiminti <himnish.nadiminti@hashicorp.com>
* update key ring to include keys from min_available_version
* Revert "update key ring to include keys from min_available_version"
This reverts commit 914c92def22d3d210bd20a3f100e712125fe478e.
* add openapi field schema
* rename method, move defaults inline
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* Validate 2 character ISO 3166 codes for the Country role field
* stricter validation
* don't validate on GetRole unless it was modified by upgrade. This should help not error out on existing roles with a bad validation
* Validate, but only warn rather than fail
* fix unit tests that were using invalid country codes
* fix more tests
* lint
* Update changelog/_13346.txt
* simply slice searches
* rephrase changelog
---------
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* On-Time Autorotation Maintained in a Queue.
* Add changelog.
* Renamed changelog correctly.
* Add a check to exit-out early if initialization of the backend has not run (probably only relevant in tests, but not a bad check).
* GoTestDoc added for test.
* Initialize backend in tests.
* Add error checks, compilation check, and move initialize function. Switch to object with a zero-value.
Co-authored-by: Kit Haines <khaines@mit.edu>
* fix: add timeout context around UpdateUser to prevent static role rotation hang (#13697)
* fix: add timeout context around UpdateUser to prevent static role rotation hang
* changelog: add entry for static role rotation timeout fix
* fix: rename changelog file to match expected format
* fix: update changelog format to release-note style
* Bound database Initialize to prevent static rotation stalls
* add missing go doc
* pr comments: close changelog block, distinguish parent context cancellation from UpdateUser timeout
* changelog: include Initialize timeout handling
* async Close on init cancel/timeout, add test, and set PluginName in test config
* add UpdateUser timeout test coverage for static role rotation
* go doc comments fix
* Apply suggestions from code review
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* welp copilot prompt was out of date and I shouldn't have accepted it.
---------
Co-authored-by: Angel Garbarino <argarbarino@gmail.com>
Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* fix(database): remove async UpdateUser timeout and use synchronous context to avoid race conditions
* fix(backport): restore async UpdateUser timeout behavior
---------
Co-authored-by: arslan23-push <arslan.muhammad@ibm.com>
Co-authored-by: Angel Garbarino <argarbarino@gmail.com>
Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* change GetPolicy to return a locked policy always
* add more fixes and changelog
* remove extra unlock
* make fmt
* fix transform test
* fix write locks with cache
* address comments
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
* Delete cluster.Start for NewTestCluster clusters, and deprecate and clean up cluster.Cleanup for NewTestCluster clusters (#14014)
* progress
* more progress
* missed cleanup
* fix mistakes
* cleanup
* fix docker cleanup
* various fixes
* further fixes
* further cleanup
* the cleanup will continue until morale improves
* two more
* more fixes
* how did I miss that
* new test cleanup
* update
* cleanup, attempt small de-flake
* fix and extra cleanup
* some docker cleanup
* newlines
* some testwaitactives
* CE changes
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* add freshest crl to base
* add test
* add helper, add test case for delta crl
* add openssl test
* add changelog
* add removed nil check
* add go doc
* change keytype to ec
* rotate CRL instead of role/issue/revoke a cert and add ldap url test case
* move root generation outside test loop
* remove length check so urls are always set for each test case
* remove unnecessary clearing
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
Resolve GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9 in `vault` by replacing
`github.com/docker/docker` with `github.com/moby/moby/client` @ `v0.3.0` and
`github.com/moby/moby/api` @ `v1.54.0`. This is necessary as `docker/docker`
is no longer maintained and the fixes are not available in it.
Resolve GO-2026-4518, GHSA-x6gf-mpr2-68h6 and GHSA-jqcq-xjh3-6g23 by
upgrading to github.com/jackc/pgx/v5. This is necessary as v4 is no
longer maintained.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Fix occasional error within pki.TestParseCertificate/full_non_CA_cert/full_non_CA_cert_fields
* Drop length matching in regex and parse hex comparing as big int against certificate
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Add IP range filtering for ACME challenge validation.
* Add challenge_permitted_ip_ranges and challenge_excluded_ip_ranges API fields
* Add PermittedIPRanges and ExcludedIPRanges fields to acmeConfigEntry
* Implement CIDR/IP validation with precedence: excluded > permitted > default
* Add changelog entry.
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
* Copy https://github.com/hashicorp/vault/pull/31828 into main
* pki/acme: reject unsafe validation targets
reject loopback, link-local, unspecified, multicast, and other
non-global-unicast targets before HTTP-01 and TLS-ALPN-01 validation
connections are attempted.
the shared dial helper now filters both direct IP literals and DNS
resolution results, and regression tests cover loopback-via-DNS for
both validators plus direct loopback literals.
* changelog: add entry for ACME validation hardening PR
* pki/acme: allow configured validation targets
* pki/acme: add docs for validation tests
---------
Co-authored-by: 1seal <security@1seal.org>
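Added example, not Vault's own code: the two ACME commits above describe (a) rejecting loopback, link-local, unspecified, multicast and other non-global-unicast targets before HTTP-01 / TLS-ALPN-01 validation dials, applied to both IP literals and DNS answers, and (b) the operator-configured `challenge_permitted_ip_ranges` / `challenge_excluded_ip_ranges` lists with precedence excluded > permitted > default. The Go program below implements both rules together. Only the two API field names come from the page; `TargetPolicy`, `Allowed`, `FilterResolved`, the sample policy and the constructed resolver answers are assumptions made for this example. One caveat worth knowing when reproducing the default rule with the standard library: `netip.Addr.IsGlobalUnicast` treats RFC 1918 and IPv6 ULA space as global unicast, so private ranges are blocked only if they appear in the excluded list.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
)

// TargetPolicy holds the operator-configured ranges. The two lists stand in
// for challenge_permitted_ip_ranges / challenge_excluded_ip_ranges; the type
// and method names are assumptions for this example, not Vault's.
type TargetPolicy struct {
	Permitted []netip.Prefix
	Excluded  []netip.Prefix
}

// parseEntry accepts either a bare IP ("192.0.2.7") or a CIDR ("192.0.2.0/24").
func parseEntry(s string) (netip.Prefix, error) {
	if p, err := netip.ParsePrefix(s); err == nil {
		return p.Masked(), nil
	}
	a, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Prefix{}, fmt.Errorf("%q is neither an IP nor a CIDR", s)
	}
	a = a.Unmap()
	return netip.PrefixFrom(a, a.BitLen()), nil
}

// NewTargetPolicy parses both lists, rejecting malformed entries at config time.
func NewTargetPolicy(permitted, excluded []string) (TargetPolicy, error) {
	var p TargetPolicy
	for _, s := range permitted {
		pf, err := parseEntry(s)
		if err != nil {
			return TargetPolicy{}, fmt.Errorf("permitted: %w", err)
		}
		p.Permitted = append(p.Permitted, pf)
	}
	for _, s := range excluded {
		pf, err := parseEntry(s)
		if err != nil {
			return TargetPolicy{}, fmt.Errorf("excluded: %w", err)
		}
		p.Excluded = append(p.Excluded, pf)
	}
	return p, nil
}

// defaultReject returns why an address fails the default rule (no configured
// range matched); an empty string means it is a global unicast address and may
// be dialled. Go's IsGlobalUnicast counts RFC 1918 / ULA space as global
// unicast, so private ranges must be listed in Excluded to be blocked.
func defaultReject(a netip.Addr) string {
	switch {
	case !a.IsValid() || a.IsUnspecified():
		return "unspecified address"
	case a.IsLoopback():
		return "loopback address"
	case a.IsLinkLocalUnicast():
		return "link-local address"
	case a.IsMulticast():
		return "multicast address"
	case !a.IsGlobalUnicast():
		return "non-global-unicast address"
	}
	return ""
}

// Allowed decides for one address with precedence excluded > permitted > default.
func (p TargetPolicy) Allowed(a netip.Addr) (bool, string) {
	a = a.Unmap() // ::ffff:127.0.0.1 must be judged as 127.0.0.1
	for _, ex := range p.Excluded {
		if ex.Contains(a) {
			return false, "excluded by " + ex.String()
		}
	}
	for _, ok := range p.Permitted {
		if ok.Contains(a) {
			return true, "permitted by " + ok.String()
		}
	}
	if why := defaultReject(a); why != "" {
		return false, why
	}
	return true, "global unicast (default)"
}

// FilterResolved applies the policy to every address a resolver returned for a
// DNS name; a name that only points at rejected addresses yields no dial target.
// A direct IP literal is handled the same way as a one-element slice.
func (p TargetPolicy) FilterResolved(ips []net.IP) (kept []netip.Addr, rejected []string) {
	for _, ip := range ips {
		a, ok := netip.AddrFromSlice(ip)
		if !ok {
			rejected = append(rejected, fmt.Sprintf("%v: unparsable", ip))
			continue
		}
		a = a.Unmap()
		if allowed, why := p.Allowed(a); allowed {
			kept = append(kept, a)
		} else {
			rejected = append(rejected, a.String()+": "+why)
		}
	}
	return kept, rejected
}

func main() {
	// Constructed policy: loopback permitted for a local test setup, one
	// loopback address and a documentation range explicitly excluded.
	policy, err := NewTargetPolicy([]string{"127.0.0.0/8"}, []string{"127.0.0.7", "203.0.113.0/24"})
	if err != nil {
		panic(err)
	}
	// Constructed resolver answers standing in for a DNS lookup result.
	answers := []net.IP{
		net.ParseIP("127.0.0.7"),
		net.ParseIP("192.0.2.10"),
		net.ParseIP("224.0.0.1"),
		net.ParseIP("::ffff:127.0.0.1"),
	}
	kept, rejected := policy.FilterResolved(answers)
	fmt.Println("dial:", kept)
	for _, r := range rejected {
		fmt.Println("reject:", r)
	}
}
```

The unmapping step matters: an IPv4-mapped IPv6 literal such as `::ffff:127.0.0.1` would otherwise miss both the IPv4 prefixes and the loopback check, which is exactly the kind of gap the "loopback-via-DNS" regression tests in the commit are meant to close.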
* add cert counting for ssh
* add system view and fix errors
* add otp counting and change units for certs
* add storage tests
* fix census errors
* run make fmt
* use incrementer and change storage to match rfc
* run make fmt
* fix interface and remove parameter
* fix errors
* Update builtin/logical/ssh/path_creds_create.go
* remove error check
* add ssh counts to billing endpoint
* fix error
* add test case
* add ssh metric to test
* add get functions and tests
* fix format
* create function for ssh metrics
* refactoring and add test cases
* replace test check
* add ssh to billing overview test
---------
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
* adding root rotation for ldap auth method for schema AD
* adding test cases for root rotation
* code fix and adding TestRotateRoot_EncodeUTF16LEBytes
* adding constants
* schema validation + unit test
* updated unit test
* removed duplicate enum
* adding acceptance test, unit test, changelog and updating schemaType to schema
* adding logs and comments for debugging
* added validation for config params
* adding validation and test cases to enforce encrypted connection requirements for AD password rotation
* adding fix to data race error in CI pipeline
* addressing PR comments
* fix for backward compatibility for schema and test
* adding validation and tests for multiple URLs for AD root rotation
---------
Co-authored-by: Stuti Srivastava <stuti.srivastava@hashicorp.com>
Co-authored-by: Prajna Nayak <prajna.nayak@hashicorp.com>
* Allow "glob" style wildcards in DNS names when issuing PKI certs.
Change the regex we use to validate hostnames to allow wildcards in the first
"label" of the hostname to be not just "*" by itself, but to be in any position.
Remove unused duplicated regexes from cert_util.go.
Add unit tests.
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
Upgrade `cloudflare/circl` to v1.6.3 to resolve CVE-2026-1229. We had
several transient dependencies that depend on various versions of
`circl` that also needed to be updated in order to resolve the latest
version everywhere.
- github.com/ProtonMail/go-crypto v1.2.0 => v1.3.0
- github.com/google/go-github v17 => v83/v83.0.0
- github.com/google/go-github/v81 => v83/v83.0.0
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Change PkiCertificateCountManager.GetCounts() to return a CertCount.
* Add PkiDurationAdjustedCerts field to CertCount.
Add a new field to CertCount to keep track of "duration adjusted" issued
certificates.
Add an x509.Certificate argument to CertCountIncrementer.AddIssuedCertificate.
In the implementation, use the certificate's NotBefore and NotAfter fields to
calculate the validity duration for the certificate, and use that to compute the
duration adjusted units.
* Add the issued certificate to calls to AddIssuedCertificate.
* Add PkiDurationAdjustedCerts when forwarding counts.
Add pki_duration_adjusted_certificate_count to IncrementPkiCount proto.
Update replicationServiceHandler.IncrementPkiCertCountRequest to take into
account the new field.
* Run make proto.
* Update testingPkiCertificateCounter to make assertions on time adjusted counts.
* PR review: Don't use NotAfter.Sub(NotBefore), since time.Duration is max 290 years.
* PR review: Move DurationAdjustedCertificateCount to logical.pki/test_helpers.
Add Bob generated unit tests for logical.durationAdjustedCertificateCount.
* Run make fmt.
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
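Added example, not Vault's own code: the commit above computes a "duration adjusted" certificate count from NotBefore/NotAfter and notes that `NotAfter.Sub(NotBefore)` must not be used because `time.Duration` tops out at about 290 years (`time.Time.Sub` silently saturates rather than erroring). The Go program below shows the overflow-safe arithmetic on int64 Unix timestamps next to the saturating version, and an incrementer that adds both counts. The page does not define the unit, so the rule used here (one unit per year of validity, rounded to the nearest year, minimum 1) is an assumption, as are all the function names; only the `CertCount` / `PkiDurationAdjustedCerts` / `AddIssuedCertificate` names come from the commit.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"math"
	"time"
)

// CertCount carries the per-cluster counters. PkiDurationAdjustedCerts is the
// field named in the commit; PkiIssuedCerts is an assumed companion field.
type CertCount struct {
	PkiIssuedCerts           int64
	PkiDurationAdjustedCerts int64
}

// Assumed unit definition for this example: one unit per year of validity,
// rounded to the nearest year (365.25-day years), never less than 1.
const daysPerYear = 365.25

// ValidityDays returns the certificate's validity period in whole days
// (partial days rounded up) using int64 Unix seconds, so certificates valid for
// centuries are counted correctly. An inverted or empty period yields 0.
func ValidityDays(c *x509.Certificate) int64 {
	secs := c.NotAfter.Unix() - c.NotBefore.Unix()
	if secs <= 0 {
		return 0
	}
	return (secs + 86399) / 86400
}

// ValidityDaysViaDuration is the trap the commit avoids: Time.Sub clamps the
// result to the maximum Duration (~292 years), so a 1000-year certificate is
// reported as roughly 106,751 days with no error.
func ValidityDaysViaDuration(c *x509.Certificate) int64 {
	return int64(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
}

// DurationAdjustedUnits maps a validity period in days to billing units under
// the assumed rule above.
func DurationAdjustedUnits(days int64) int64 {
	if days <= 0 {
		return 0
	}
	years := int64(math.Round(float64(days) / daysPerYear))
	if years < 1 {
		years = 1
	}
	return years
}

// AddIssuedCertificate mirrors the incrementer described in the commit: the
// plain count grows by one, the duration-adjusted count by the cert's units.
func (cc *CertCount) AddIssuedCertificate(c *x509.Certificate) {
	cc.PkiIssuedCerts++
	cc.PkiDurationAdjustedCerts += DurationAdjustedUnits(ValidityDays(c))
}

// NewTestCert builds a minimal x509.Certificate with only the validity fields
// set, which is all the counting logic reads (constructed test input).
func NewTestCert(notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{NotBefore: notBefore, NotAfter: notAfter}
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	certs := []*x509.Certificate{
		NewTestCert(start, start.Add(90*24*time.Hour)),                 // 90-day leaf
		NewTestCert(start, time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)), // one year
		NewTestCert(start, time.Date(3024, 1, 1, 0, 0, 0, 0, time.UTC)), // 1000-year root
	}
	var cc CertCount
	for _, c := range certs {
		cc.AddIssuedCertificate(c)
		fmt.Printf("days=%d (via Duration: %d) units=%d\n",
			ValidityDays(c), ValidityDaysViaDuration(c), DurationAdjustedUnits(ValidityDays(c)))
	}
	fmt.Printf("issued=%d duration-adjusted=%d\n", cc.PkiIssuedCerts, cc.PkiDurationAdjustedCerts)
}
```

The 1000-year certificate is the instructive case: the Unix-seconds path yields 365,242 days (1000 years including 242 leap days), while the `Duration` path returns the clamped maximum, which would understate a long-lived root by a factor of roughly three without any signal that overflow occurred.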
* rotation-manager: enable RM to send rotation information to plugins on registration/rotation operations (#11810)
* initial commit for sending NVR to plugins
* add changelog
* add NVR to plugin fields, add RotationInfo to GRPC request handler
* fix tests
* ensure consistent formats on times and ttls
* add translation to allow grpc data transfer
* fix tests and rename fields
* fix missed field renames in tests
* make all methods net-new for backwards compatibility
* update mock plugin and add oss stub back
* remove method with no usages
* Address wrapper comments
* Rebuild proto
* Nil check around SetRotationInfo, return n/a for no last_vault_rotation
* Fix error to match other instances
* Update fields.go
* Return nil if unset for next/last vault rotation times
---------
Co-authored-by: robmonte <17119716+robmonte@users.noreply.github.com>
* Fix return type in stub method
---------
Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Co-authored-by: robmonte <17119716+robmonte@users.noreply.github.com>