* no-op commit
* Sgm/without envelope wireup (#15441)
* Changes needed to allow encryption/decryption with gcpckms in managed keys
* wip
* wip
* wip
* Normalize key purposes across implementations
* update kmse
* Update kms wrapper deps to those that support WithoutEnvelope
* crucially, supply the option in the wrapper managed key impl
* restore the kmse update
* no, that's done via the encryptWithManagedKey in Policy, not needed here
* changelog
* remove replace
* Update sdk's go-kms-wrapping
* mod tidy
* Switch to using the main wrapper even for testing.
* update test cluster usage
* Update go.mod
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* Update go.mod
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* more go.sum update
* PR feedback
* GCPC KMS needed some more config massaging to work w/ encryption
---------
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
---------
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* no-op commit
* Backport Change to Trail of Bits library for PQC into release/2.x.x+ent (#14617)
* Change to Trail of Bits library for PQC (#12676)
* switch to tob library
* test fixes for mldsa public keys
* fix public keys in tests
* add logic for slh-dsa param changes
* add logic to handle both key encodings
* fix slhdsa key gen
* fix slhdsa public key
* add logic for hybrid keys
* fix slhdsa verify
* add test cases
* fix public key in read for pqc
* fix mldsa decoding
* fix mldsa public key encoding
* make encoding consistent
* fix tests
* fixes and bob tests
* add changelog
* fix test case
* adjust existing test cases
* add test cases with old keys
* go mod tidy
* run go mod tidy
---------
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Co-authored-by: rculpepper <rculpepper@hashicorp.com>
* go mod tidy
* add function for pqc public keys
* delete ent file
* remove library
---------
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Co-authored-by: rculpepper <rculpepper@hashicorp.com>
Migrate undo logs verification from bash scripts to Go blackbox tests using
the vault_run_blackbox_test module pattern.
Changes:
- Add TestVaultUndoLogsMetric Go test in vault/external_tests/blackbox/verify
- Add AssertMetricGaugeValue SDK helper in blackbox/session_metrics.go
- Remove deprecated vault_verify_undo_logs bash-based module
- Update vault_run_blackbox_test to support test_env_vars parameter
- Update autopilot scenario to use vault_run_blackbox_test for undo logs verification
The test verifies the vault.core.replication.write_undo_logs gauge metric
via API calls, following the blackbox testing pattern (no SSH/file access).
Only the autopilot scenario is updated, as it's the only scenario that currently
uses undo logs verification. Other scenarios remain unchanged.
Rebased onto main (58751c5d19e) and resolved conflicts with current codebase.
Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
Co-authored-by: lt-hc <280075563+lt-hc@users.noreply.github.com>
* only add required mounts if there's space
* correct the docker version, add comments
* fix base version
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
* bumped crypto dep and ran go mod tidy
* bumped net and ran go mod tidy
* bumped net in api from 53 to 55 and ran go mod tidy
* added changelog
* bump deps for all go modules
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: kelly <69541941+kporter101@users.noreply.github.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Add QuotedTemplating mode to identity templating.
The QuotedTemplating mode is used in the vault-plugin-secrets-spiffe backend
for JWT-SVID templates.
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
* go: remove SKIP_SETCAP env vars and add IPC_LOCK when using vault containers
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Backport community files that changed as part of the enterprise-only zap scenarios. This mostly includes fixes to scenario execution, retries, and blackbox SDK tests that were broken.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* update key ring to include keys from min_available_version
* Revert "update key ring to include keys from min_available_version"
This reverts commit 914c92def22d3d210bd20a3f100e712125fe478e.
* add openapi field schema
* rename method, move defaults inline
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* [VAULT-45173] go: bump several dependencies to resolve GHSA-j88v-2chj-qfwx
This PR has a set of fairly complex dependency bumps to resolve GHSA-j88v-2chj-qfwx. For the third time in about six weeks, we've had to deal with CVEs in old and unsupported versions of `jackc/pgx`. These changes are for us to rid ourselves of those transitive dependencies completely.
First, we get rid of `jackc/pgx/v4` by bumping `cloud.google.com/go/cloudsqlconn` to `v1.21.0`, which pulls in `v5`.
Next, we have to get rid of `jackc/pgx v3`, which was brought in via a chain of `hashicorp/go-discover` -> `joyent/triton-go` -> `jackc/pgx/v3`. First, we updated `go-discover` to pull in the v2 module of `triton-go` from the modern upstream ([0], [1]) and pin to it. Then we update our own manta support to pull in the v2 module. Finally, we replace the `TritonDataCenter/triton-go` module with a fork that removes an unnecessary dep on `pgx/v3`. [2]
[0]: https://github.com/hashicorp/go-discover/pull/326
[1]: https://github.com/hashicorp/go-discover/pull/332
[2]: https://github.com/TritonDataCenter/triton-go/pull/207
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Resolves a bug where a cache is valid when we check the cache, but not valid by the time we check the OCSP responses of the entire chain.
* Add changelog.
* Updated error message.
Co-authored-by: Kit Haines <khaines@mit.edu>
* Add support to configure BIND test server to support RFC2136 updates
* Add missing copywrite header
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* VAULT-44412: upgrade github.com/Azure/go-ntlmssp to resolve GHSA-pjcq-xvwq-hhpj
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
- Migrate undo logs verification from shell script to Go blackbox test
- Add session_metrics.go and session_remote.go helpers to blackbox SDK
- Create undo_logs_test.go in vault/external_tests/blackbox/verify package
- Update autopilot scenario to use vault_run_blackbox_test module
- Remove deprecated vault_verify_undo_logs module
- Update vault_run_blackbox_test module to support test environment variables
This change improves test maintainability and consistency by using the
standardized blackbox testing framework instead of custom shell scripts.
Co-authored-by: brewgator <12831681+brewgator@users.noreply.github.com>
* updating matrix workflow format for easier visualization
* adding test to create and delete Vault AWS Roles
* refactoring functions
* testing pipeline
* testing pipeline
* testing pipeline
* testing pipeline
* finishing up role deletion test
* finishing up role deletion test
Co-authored-by: Tin Vo <tintvo08@gmail.com>
* change GetPolicy to return a locked policy always
* add more fixes and changelog
* remove extra unlock
* make fmt
* fix transform test
* fix write locks with cache
* address comments
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
* SECVULN-41437 Require sudo for mounts auth tune
* SECVULN-41437 Handle read case and update description
* SECVULN-41437 Update godoc linter error
* SECVULN-41437 Add changelog entry
* SECVULN-41437 Rename changelog entry
* SECVULN-41437 Fixing tests
* SECVULN-41437 enforce sudo parity for mounts auth tune via root path policy
• add mounts/auth/* to system PathsSpecial.Root so sys/mounts/auth/<path>/tune is sudo-gated through core policy checks
• remove explicit handler-level sudo/token capability checks for auth-tune routes (OSS + enterprise) that were causing replication/perf invalid-token failures
• update TestSystemBackend_mountsAuthTuneRequiresSudo policy expectations for the new enforcement point
• align replication overload sys-auth-tune subtest expectations with current behavior
* SECVULN-41437 Add static sudo path for API
* SECVULN-41437 Update test based on review
* SECVULN-41437 Handle incorrect paths special config for sudo
* Update changelog/_13738.txt
* VAULT-41437 Update system path description per pr feedback
* SECVULN-41437 Add external auth tune test with NewTestCluster
* SECVULN-41437 Remove un-needed lines in external test
* Apply suggestion from @VioletHynes
---------
Co-authored-by: Jason Pilz <jasonpilz@gmail.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* core: normalize JWT req client token to internal ID
Fix enterprise JWT request handling to replace req.ClientToken with the
internal jwt.<jti> token ID after JIT token entry creation, ensuring
downstream auth/lease flows use internal IDs instead of raw JWT strings.
Add regression assertions in request handling enterprise tests to verify
req/auth/token entry IDs are normalized and raw JWT is not propagated.
* vault: document perf-standby JIT forwarding
* vault: fix enterprise JWT RAR enforcement
Preserve internal JWT token-id normalization while enforcing RAR constraints from request-populated authorization details, with JWT parsing fallback for compatibility.
* Fix perf-standby JWT forwarding token restoration
Prefer inbound original token when restoring forwarding auth headers so perf-standby forwards raw JWT instead of normalized internal token ID.
Also add regression tests for header restoration behavior and clarify godocs for InboundSSCToken semantics.
* Add missing Go docs for forwarding tests
Fix code-checker lint failure by adding go doc comments to new Test* functions in request_handling_test.go.
* Address PR review feedback on type checks and CE wording
Split map lookup and type assertion in getMapString for clarity, and adjust InboundSSCToken doc wording to avoid JWT-specific language in CE file.
* Canonicalize enterprise token handling
Normalize enterprise token inputs to canonical internal IDs in token store paths and remove dual-representation RAR fallback.
* Address review nits on token normalization
Rename enterprise token normalization helper for clarity and update tests to use require.NoError/require.Equal as requested in review feedback.
* Guard sdk ent token tests with enterprise tag
Add enterprise build constraint to sdk/logical/token_ent_test.go so CE-mode sdk/logical checks can run without enterprise-only EntToken fields.
* Remove enterprise build tag from token_ent_test
Revert the temporary build constraint addition in sdk/logical/token_ent_test.go.
---------
Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Attempt to fix build test failures due to docker user change
* Set SKIP_SETCAP as workaround
* SKIP_SETCAP in a few more places
* Try to run command as root for TestConsulFencing_PartitionedLeaderCantWrite test
* Add run as root on a few more commands
* Fix for TestSealHA_SealUnavailable
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Return a templating error if a rendered identity template contains a
glob (*) or directory wildcard (+).
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
* add freshest crl to base
* add test
* add helper, add test case for delta crl
* add openssl test
* add changelog
* add removed nil check
* add go doc
* change keytype to ec
* rotate CRL instead of role/issue/revoke a cert and add ldap url test case
* move root generation outside test loop
* remove length check so urls are always set for each test case
* remove unnecessary clearing
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
go: resolve CVE-2026-34986 and CVE-2026-34986 by upgrading github.com/go-jose/go-jose
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Resolve GHSA-x744-4wpc-v9h2 and GHSA-pxq6-2prw-chj9 in `vault` by replacing
`github.com/docker/docker` with `github.com/moby/moby/client` @ `v0.3.0` and
`github.com/moby/moby/api` @ `v1.54.0`. This is necessary as `docker/docker`
is no longer maintained and the fixes are not available in it.
Resolve GO-2026-4518, GHSA-x6gf-mpr2-68h6 and GHSA-jqcq-xjh3-6g23 by
upgrading to github.com/jackc/pgx/v5. This is necessary as v4 is no
longer maintained.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Refactor our connection checking into a new LDAP module that is capable
of running a search and waiting for success. We now call this module
while setting up the integration host and before enabling the LDAP
secrets engine.
We also fix two race conditions in the Agent and HA Seal scenarios where
we might attempt to verify and/or test LDAP before the integration host
has been set up.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: LT Carbonell <lt.carbonell@hashicorp.com>
* wip
* crud and internal lookups working
* worked with bob on tests
* add and fix some tests
* update logical identity protobuf
* pass in empty issuer via scim and add test
* tidy tests and address linter
* VAULT-42443 Update alias API for external JWT entity binding
* test cleanup
* changes
* changelog
* update fix
* address feedback
* whoopsie
* fix stubs
* namespace guarding, more test
* further fix
* Fixes
* I'm dumb
---------
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
Co-authored-by: davidadeleon <ddeleon@hashicorp.com>
* vault: lazily materialize external tokens
Implement stub-first auth flow to avoid token-store writes on read-only requests, materialize only on lease registration, cache materialized token IDs by fingerprint, and add coverage for standby/leader materialization behavior.
* vault: align lazy JWT materialization with main
Adjust standby materialization behavior to main branch APIs, keep lease-time forwarding conversion, and update enterprise tests to match current standby error paths.
* vault: align jwt lazy materialization follow-ups
Apply naming and test-practice follow-ups, document cache-size rationale, simplify stub-use gating, and add external JWT e2e/benchmark coverage that measures raft writes for passthrough vs leased flows.
* vault: sanitize jwt lazy materialization logs
* vault: move jwt stub audit labels to ent
* vault: keep ent token type in audit logs
Remove audit token_type override and jwt_stub audit labeling so enterprise JWT tokens are consistently reported as ent while preserving existing request handling behavior.
* vault: rename unpersisted JWT token state
Rename IsStub/JwtStub to IsUnpersisted/JwtUnpersisted and switch serialized key to jwt_unpersisted for clearer storage semantics.
* vault: use storage-backed JWT token naming
Rename JWT token persistence marker to IsStorageBacked/JwtStorageBacked and clarify docs that passthrough JWT requests may never write token state to storage.
* vault: address jwt token materialization regressions
Fix storage-backed checks for non-ent tokens, materialize JWTs for lookup endpoints, and add lookup-self regression coverage.
* vault: thread perf standby state into jwt materialization
Pass perf standby state through materializeEnterpriseTokenForLease call sites to avoid unsynchronized state reads in request handling paths.
* test: harden flaky enterprise timing checks
Increase timing tolerance in flaky CI tests without changing runtime behavior.
* test: document CI timing tolerance in flaky tests
Add comments clarifying widened waits are for CI scheduling jitter and asynchronous convergence, not behavior changes.
* vault: remove sensitive token logging
Drop clear-text token value from SSC token MAC mismatch debug logging and keep census test unchanged per request.
* vault: tighten request logging for security scan
Remove remaining error-derived logging fields in request handling token/JWT revoke paths to satisfy clear-text sensitive logging findings.
* vault: use typed no-rpc-client errors
Replace string-based no-rpc-client error matching with a dedicated error type and update perf-standby callsites to return it.
* test: harden perf-standby billing race assertions
Allow early active-node counts up to the number of standby operations before the eventual RPC delivery assertion, to avoid race-only CI flakes without changing behavior.
* revert: undo billing test race assertion changes
Revert the prior billing test hardening commit per user request to keep billing tests unchanged in PR #12909.
* vault: restore fetchCeilingPolicies after rebase
Re-add the enterprise fetchCeilingPolicies method from main that was dropped during rebase conflict resolution, fixing build failure in request_handling.go.
* vault: materialize JWT tokens for cubbyhole requests
Ensure enterprise JWT tokens are materialized for cubbyhole paths in addition to token lookup endpoints, preserving expected persisted token-entry behavior for cubbyhole-backed request flows and token-entry JWT tests.
* vault: restore JWT token headers on perf-standby forward
* tests: fix jwt passthrough profile setup
* vault: clarify forwarding helper docs
* vault: cover jwt standby token endpoint behavior
* vault: remove enterprise JWT wording in comments
* vault: preserve materialized token request identity
* vault: stabilize external JWT readonly raft assertion
* vault: address PR 12909 review feedback
* tests: remove redundant NewTestCluster lifecycle calls
* vault: sanitize request handling token error logs
* vault: remove sensitive error fields in ent token cleanup logs
* vault: restore IsJWT wording
* vault: migrate jwt materialization tests to NewTestCluster
* tests: skip external jwt benchmark in CI
* Run make fmt
* Address PR review feedback
* Remove benchmark CI skip
* Move JWT materialization tests to external suite
---------
Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>