Commit graph

287 commits

Author SHA1 Message Date
Vault Automation
c9430538b3
VAULT-44064 - Add rollback support to the snowflake key pair root credentials rotation (#14046) (#14400)
* Add rollback support to the snowflake key pair root rotation flow

* Added changelog

* Updated changelog

* Updated changelog

* Updated rollback logic

* Updated rollback logic

* Updated rollback logic

* Updated rollback logic

* Updated tests

* Addressed PR comments

* Updated tests

* Addressing PR Review Comments
---------

Co-authored-by: santoshhashicorp <santosh.yelamarthi@hashicorp.com>
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
2026-04-29 15:29:02 +05:30
Vault Automation
2f4fe5345a
Backport fix: add timeout context around UpdateUser to prevent static role rotation hang into ce/main (#13971)
* fix: add timeout context around UpdateUser to prevent static role rotation hang (#13697)

* fix: add timeout context around UpdateUser to prevent static role rotation hang

* changelog: add entry for static role rotation timeout fix

* fix: rename changelog file to match expected format

* fix: update changelog format to release-note style

* Bound database Initialize to prevent static rotation stalls

* add missing go doc

* pr comments: close changelog block, distinguish parent context cancellation from UpdateUser timeout

* changelog: include Initialize timeout handling

* async Close on init cancel/timeout, add test, and set PluginName in test config

* add UpdateUser timeout test coverage for static role rotation

* go doc comments fix

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* welp copilot prompt was out of date and I shouldn't have accepted it.

---------

Co-authored-by: Angel Garbarino <argarbarino@gmail.com>
Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* fix(database): remove async UpdateUser timeout and use synchronous context to avoid race conditions

* fix(backport): restore async UpdateUser timeout behavior

---------

Co-authored-by: arslan23-push <arslan.muhammad@ibm.com>
Co-authored-by: Angel Garbarino <argarbarino@gmail.com>
Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-04-28 09:01:57 -06:00
Vault Automation
8b448ab7af
Backport Delete cluster.Start for NewTestCluster clusters, and deprecate and clean up cluster.Cleanup for NewTestCluster clusters into ce/main (#14105)
* Delete cluster.Start for NewTestCluster clusters, and deprecate and clean up cluster.Cleanup for NewTestCluster clusters (#14014)

* progress

* more progress

* missed cleanup

* fix mistakes

* cleanup

* fix docker cleanup

* various fixes

* further fixes

* further cleanup

* the cleanup will continue until morale improves

* two morE

* more fixes

* how did I miss that

* new test cleanup

* update

* cleanup, attempt small de-flake

* fix and extra cleanup

* some docker cleanup

* newlines

* some testwaitactives

* CE changes

---------

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2026-04-21 09:33:14 -04:00
Vault Automation
a23dc5c0e0
[VAULT-43618] sdk: migrate from github.com/docker/docker to github.com/moby/moby
Resolve GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9 in `vault` by replacing
`github.com/docker/docker` with `github.com/moby/moby/client` @ `v0.3.0` and
`github.com/moby/moby/api` @ `v1.54.0`. This is necessary as `docker/docker`
is no longer maintained and the fixes are not available in it.

Resolve GO-2026-4518, GHSA-x6gf-mpr2-68h6 and GHSA-jqcq-xjh3-6g23 by
upgrading to github.com/jackc/pgx/v5. This is necessary as v4 is no
longer maintained.

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2026-04-02 13:58:05 -04:00
Vault Automation
9839d40b10
Backport rotationMgr: enable RM to send rotation information to plugins on registration/rotation operations into ce/main (#12308)
* rotation-manager: enable RM to send rotation information to plugins on registration/rotation operations (#11810)

* initial commit for sending NVR to plugins

* add changelog

* add NVR to plugin fields, add RotationInfo to GRPC request handler

* fix tests

* ensure consistent formats on times and ttls

* add translation to allow grpc data transfer

* fix tests and rename fields

* fix missed field renames in tests

* make all methods net-new for backwards compatibility

* update mock plugin and add oss stub back

* remove method with no usages

* Address wrapper comments

* Rebuild proto

* Nil check around SetRotationInfo, return n/a for no last_vault_rotation

* Fix error to match other instances

* Update fields.go

* Return nil if unset for next/last vault rotation times

---------

Co-authored-by: robmonte <17119716+robmonte@users.noreply.github.com>

* Fix return type in stub method

---------

Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Co-authored-by: robmonte <17119716+robmonte@users.noreply.github.com>
2026-02-12 18:25:47 -06:00
Vault Automation
cab60d761b
Backport rotationManager: add configurable limit to rotation retries with orphaning into ce/main (#11782)
Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
2026-01-15 09:31:40 -06:00
Vault Automation
a38a966707
VAULT-41161 Update database observations to use RFC3339 datetimes (#11047) (#11053)
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2025-12-02 17:43:11 +00:00
Vault Automation
ff96dceedd
Backport Add override_pinned_version support on configure connection for database into ce/main (#10860)
* Add override_pinned_version support on configure connection for database (#10517)

* add DatabaseConfigEnt and split ce-ent impl for connectionWriteHandler() and selectPluginVersion()

* add override_pinned_version handling in connectionWriteHandler() and selectPluginVersion()

* split ce-ent impl for connectionReadHandler() to support override_pinned_version

* split ce-ent impl for databaseBackend.GetConnectionWithConfig() to support override_pinned_version

* split TestBackend_* units related to database connection config CRUD into ce and ent

* remove EntDatabaseConfig from response

---------

Co-authored-by: Thy Ton <maithytonn@gmail.com>
2025-12-01 15:18:26 -08:00
Vault Automation
92ddb4684c
Vault-31540 : Parallelization support for Sync and Unsync flows within Secret Sync (#10473) (#10749)
* Fix typos

* Use a goroutine around syncSecret

* Lock around map writes and memDB operations

* Add TODO comments

* Add unsync TODO

* adding unsync changes

* initial commit

* moving nil checks in memdb calls

* fixed tests; adjusted mutex locks while setting secret stores

* adding changelog

* addressing review comments: mutex adjustments, nits

* adding mutex to memDBSetStoresForSecret

* fixing data race test failures

* addressing review comments: configurable workerpool limit, nits

* removing debug logs that got missed

* Update changelog/_10473.txt
* addressing review comments: using default when custom worker pool count read fails, nits

* fix: updating worker pool count to address Vercel API rate limits

* Vault 40557/parallelize secret sync test aws gcp (#10645)

* add integration test case for parallelize secret sync test aws and gcp store types

* resolve PR comments

* resolve PR comments

* add doc comments on TestSecretsSyncBackend_Queue_SecretKey test function

---------
---------

Co-authored-by: Murali <137029787+murali-partha@users.noreply.github.com>
Co-authored-by: robmonte <17119716+robmonte@users.noreply.github.com>
Co-authored-by: Vivek Pandey <vivek.pandey@hashicorp.com>
Co-authored-by: Vivek Pandey <vivekpandey@Viveks-MacBook-Pro.local>
2025-11-14 13:39:01 -05:00
Vault Automation
0c6c13dd38
license: update headers to IBM Corp. (#10229) (#10233)
* license: update headers to IBM Corp.
* `make proto`
* update offset because source file changed

Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
2025-10-21 15:20:20 -06:00
Vault Automation
23fd7533aa
Add root rotation for snowflake database secrets keypair configurations (#9432) (#9851)
* Initial implementation

* Use rotation_statements, handle both password and private_key

* Remove debug prints

* Merge in main

* Remove duplicated error text

* Rename keypair root rotation function

* Use NewRotateRootCredentialsWALPasswordEntry

* Add changelog file

* Move back to original file for now, for review

* put generatePassword into function

* Fix names, call helper for generatePassword

* Generalize the rotation flow and keypair path

* Fix conditional check, remove new file

* Fix changelog

* Add test file

* Fix username check var name

* Fix name variable

* Return an error when both fields are set during rotation, and return an error if somehow walEntry is nil

* Fix test godoc

* Remove print

* change rotated key bits to 4096

Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
2025-10-03 21:34:42 +00:00
Vault Automation
bc60502ec9
Add role rotation info to create/update observations (#9254) (#9368)
* Add role rotation info to create/update observations

* observation enhancements

* observation enhancements

* remove log

* duration strings instead of seconds

* the stringening

* more times

* credential type

* Add rotation schedule/period to root rotation

* more ttls

* updates

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2025-09-16 15:36:02 +00:00
Vault Automation
eaf949cb1f
VAULT-37633: Database static role recover operations (#8922) (#8982)
* initial implementation

* fix

* tests

* changelog

* fix vet errors

* pr comments

Co-authored-by: miagilepner <mia.epner@hashicorp.com>
2025-08-29 09:48:18 -05:00
Vault Automation
04451634d9
VAULT-38193 Add database observations to Vault (#8727) (#8802)
* VAULT-38193 database observations (WIP)

* VAULT-38193 database observations

* nil check

* make it consistent

* Clean up

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
2025-08-21 12:26:58 -04:00
kpcraig
1fafe2f4d5
Log DB Rotations (#31402) 2025-08-08 16:15:02 -04:00
Ellie
1e7f22aeec
Add DB type consts (#31295)
* add necessary consts

* add other db plugins

* correct ES

* Fix consts in test
2025-07-17 12:08:27 -05:00
Ellie
23e04c2409
Add MetricsReporter interface so that databaseBackend's can share their connection counts with CensusManager (#31269)
* add interface and impl

* add tests

* fix comments

* Update builtin/logical/database/backend.go

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-07-14 14:52:55 -05:00
Ellie
6360705f0a
Require rotation_schedule cron style strings to be defined in UTC (VAULT-35616) (#30606)
* remove local time logic, and force cron to be UTC

* add test comment

* update docs

* add changelog

* change message

* add utc clarification to docs

* remove utc reference in root token docs

* remove doc from partial
2025-06-16 12:51:07 -05:00
helenfufu
146c032600
CE changes for plugin download (#30927)
* ce changes for https://github.com/hashicorp/vault-enterprise/pull/8193

* lower case enterprise only errors

---------

Co-authored-by: Ben Ash <bash@hashicorp.com>
2025-06-10 10:31:24 -04:00
Ellie
294c304947
db: consider possibility of NextVaultRotation being unset on queue population (VAULT-35639) (#30320)
* consider possibility of NextVaultRotation being nil on queue population

* move test

* add changelog

* fix reference to nil, and improve debug log

* use helper function to write static roles to storage

* add password check in test

* fix godoc

* fix changelog and add remediation debug line

* force ticker to run, and make sure credential doesn't rotate

* add another edge case

* fix godoc

* check ttl is less in test

* check error case and if resp is nil

* make check on ttl more robust
2025-04-28 16:11:54 -05:00
Robert
bf339bc50d
Add snowflake DB API warning (#30327)
* Add API warning based on DB type

* Add deprecation notice

* Add warning to the top of the docs pages

* Update capabilities table

* Filter SQLConnectionProducer fields from unrecognized parameters warning

* Add test case
2025-04-28 13:05:55 -05:00
vinay-gopalan
d16b0beee3
Forward Performance Standby requests when configuring root credentials for AWS, LDAP and DB engines (#30039) 2025-03-27 14:32:49 -07:00
vinay-gopalan
e8c07ec68e
Small fixes on UX of Automated Root Rotation parameters (#29685) 2025-02-25 09:14:38 -08:00
John-Michael Faircloth
e2f09cb2ab
database: fix reload to not fail early (#29519)
* database: fix reload to not fail early

* return logical.ErrorResponse; add tests

* do not return noop warnings; add logs

* changelog

* use name for log; remove event doc
2025-02-20 14:53:58 +00:00
vinay-gopalan
6a9de17ac4
move logs into if block (#29634) 2025-02-13 22:56:22 +00:00
vinay-gopalan
9e38a88883
Add automated root rotation support to DB Secrets (#29557) 2025-02-11 12:09:26 -08:00
John-Michael Faircloth
8d0443fd48
db: honor static role TTL across restarts when skip import rotation i… (#29537)
* db: honor static role TTL across restarts when skip import rotation is enabled

* changelog
2025-02-10 15:28:19 -06:00
John-Michael Faircloth
28b2746545
db: return success response on static role create/update (#29407) 2025-01-24 11:02:38 -08:00
John-Michael Faircloth
c39aa51916
test: fix ce/ent diff (#29307) 2025-01-07 09:19:32 -08:00
John-Michael Faircloth
6110ee084f
db: allow updates to self_managed_password (#29283) 2025-01-06 12:05:41 -06:00
John-Michael Faircloth
9a830736c8
fix db test data race for queue tick interval (#29276) 2025-01-03 09:27:10 -06:00
John-Michael Faircloth
f5191bd06e
db: fix skip-import-rotation/rootless integration (#29202)
* db: fix skip-import-rotation/rootless integration

* prevent setting both password and self_managed_password

* move func call and add comment
2024-12-17 11:17:02 -06:00
Mike Palmiotto
bf1741e123
make fmt (#29196) 2024-12-16 13:07:28 -05:00
John-Michael Faircloth
d411a44c18
secrets/db: enable skip auto import rotation of static roles (#29093)
* secrets/db: enable skip auto import rotation of static roles

* fix panic due to empty role name causing role to not be stored

* fix role upgrade test

* Apply suggestions from code review

Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Co-authored-by: kpcraig <3031348+kpcraig@users.noreply.github.com>

* use password in favor of self_managed_password

* add deprecated to self_managed_password field

* fix bug with allowing updates to password

---------

Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Co-authored-by: kpcraig <3031348+kpcraig@users.noreply.github.com>
2024-12-12 01:39:09 +00:00
Scott Miller
86ba0dbdeb
Use go-secure-stdlib's RSA key generator backed by a DRBG (#29020)
* Use DRBG based RSA key generation everywhere

* switch to the conditional generator

* Use DRBG based RSA key generation everywhere

* switch to the conditional generator

* Add an ENV var to disable the DRBG in a pinch

* update go.mod

* Use DRBG based RSA key generation everywhere

* switch to the conditional generator

* Add an ENV var to disable the DRBG in a pinch

* Use DRBG based RSA key generation everywhere

* update go.mod

* fix import

* Remove rsa2 alias, remove test code

* move cryptoutil/rsa.go to sdk

* move imports too

* remove makefile change

* rsa2->rsa

* more rsa2->rsa, remove test code

* fix some overzealous search/replace

* Update to a real tag

* changelog

* copyright

* work around copyright check

* work around copyright check pt2

* bunch of dupe imports

* missing import

* wrong license

* fix go.mod conflict

* missed a spot

* dupe import
2024-12-05 15:39:16 -06:00
vinay-gopalan
93f5777f6f
Update DB Static role rotation logic to generate new password if retried password fails (#28989) 2024-12-03 11:29:13 -08:00
Luis (LT) Carbonell
b861d8b03f
Fix Issue with Lost Timezone in Metadata for Database Secret Engines (#28509)
* Set cron schedule location after pulling from storage

* Add changelog
2024-09-25 18:40:50 -04:00
vinay-gopalan
ec9b675f70
Add OSS stub functions for Self-Managed Static Roles (#28199) 2024-08-29 10:01:01 -07:00
davidadeleon
fe44e55943
VAULT-29784: Skip connection verification on DB config read (#28139)
* skip connection verification on config read

* ensure appropriate default on config update call that results in a creation

* changelog

* leave verify_connection in config read response

* update test to handle output of verify_connection parameter

* fix remaining tests
2024-08-21 16:43:37 -04:00
John-Michael Faircloth
1b1f22192a
postgres: sanitize private_key from READ config endpoint (#28070) 2024-08-13 13:29:57 -07:00
John-Michael Faircloth
3fcb1a67c5
database/postgres: add inline certificate authentication fields (#28024)
* add inline cert auth to postgres db plugin

* handle both sslinline and new TLS plugin fields

* refactor PrepareTestContainerWithSSL

* add tests for postgres inline TLS fields

* changelog

* revert back to errwrap since the middleware sanitizing depends on it

* enable only setting sslrootcert
2024-08-09 14:20:19 -05:00
John-Michael Faircloth
899ebd4aff
db/postgres: add feature flag protected sslinline configuration (#27871)
* adds sslinline option to postgres conn string
* for database secrets type postgres, inspects the connection string for sslinline and generates a tlsconfig from the connection string.

* support fallback hosts

* remove broken multihost test

* bootstrap container with cert material

* overwrite pg config and set key file perms

* add feature flag check

* add tests

* add license and comments

* test all ssl modes

* add test cases for dsn (key/value) connection strings

* add fallback test cases

* fix error formatting

* add test for multi-host when using pgx native conn url parsing

---------

Co-authored-by: Branden Horiuchi <Branden.Horiuchi@blackline.com>
2024-08-01 11:43:54 -05:00
Violet Hynes
dbecbcec18
VAULT-27384 Fix faulty assignments and unchecked errors (#27810)
* VAULT-27384 Fix faulty assignments and unchecked errors

* Another missed error

* Small refactor
2024-07-22 16:53:02 -04:00
John-Michael Faircloth
d6a588b8d2
db: refactor postgres test helpers (#27811)
* db: refactor postgres test helpers

* fix references to refactored test helper

* fix references to refactored test helper

* fix failing test
2024-07-19 09:47:34 -05:00
Christopher Swenson
a65d9133a1
database: Avoid race condition in connection creation (#26147)
When creating database connections, there is a race
condition when multiple goroutines try to create the
connection at the same time. This happens, for
example, on leadership changes in a cluster.

Normally, the extra database connections are cleaned
up when this is detected. However, some database
implementations, notably Postgres, do not seem to
clean up in a timely manner, and can leak in these
scenarios.

To fix this, we create a global lock when creating
database connections to prevent multiple connections
from being created at the same time.

We also clean up the logic at the end so that
if (somehow) we ended up creating an additional
connection, we use the existing one rather than
the new one. This by itself would solve our
problem long-term, however, would still involve
many transient database connections being created
and immediately killed on leadership changes.

It's not ideal to have a single global lock for
database connection creation. Some potential
alternatives:

* a map of locks from the connection name to the lock.
  The biggest downside is that we probably will want to
  garbage collect this map so that we don't have an
  unbounded number of locks.
* a small pool of locks, where we hash the connection
  names to pick the lock. Using such a pool generally
  is a good way to introduce deadlock, but since we
  will only use it in a specific case, and the purpose
  is to improve performance for concurrent connection
  creation, this is probably acceptable.

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
2024-03-26 16:58:07 +00:00
Josh Black
fa13dbd381
add gosimport to make fmt and run it (#25383)
* add gosimport to make fmt and run it

* move installation to tools.sh

* correct weird spacing issue

* Update Makefile

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>

* fix a weird issue

---------

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2024-02-13 14:07:02 -08:00
Christopher Swenson
55d2dfb3d0
database: Emit event notifications (#24718)
Including for failures to write credentials and failure to rotate.
2024-02-05 10:30:00 -08:00
Tom Proctor
78ef25e70c
HTTP API for pinning plugin versions (#25105) 2024-01-30 10:24:33 +00:00
Tom Proctor
af27ab3524
Add version pinning to plugin catalog (#24960)
Adds the ability to pin a version for a specific plugin type + name to enable an easier plugin upgrade UX. After pinning and reloading, that version should be the only version in use.

No HTTP API implementation yet for managing pins, so no user-facing effects yet.
2024-01-26 17:21:43 +00:00
Tom Proctor
6e537bb376
Support reloading database plugins across multiple mounts (#24512)
* Support reloading database plugins across multiple mounts
* Add clarifying comment to MountEntry.Path field
* Tests: Replace non-parallelisable t.Setenv with plugin env settings
2024-01-08 12:21:13 +00:00