* Add O= restrictions in addition to OU= restrictions
* Add changelog
* Add goDoc to test
* Don't let test certificate expire.
Co-authored-by: Kit Haines <khaines@mit.edu>
[VAULT-39160] actions(hcp): add support for testing custom images on HCP (#9345)
Add support for running the `cloud` scenario with a custom image in the
int HCP environment. We support two new tags that trigger new
functionality. If the `hcp/build-image` tag is present on a PR at the
time of `build`, we'll automatically trigger a custom build for the int
environment. If the `hcp/test` tag is present, we'll trigger a custom
build and run the `cloud` scenario with the resulting image.
* Fix a bug in our custom build pattern to handle prerelease versions.
* pipeline(hcp): add `--github-output` support to `show image` and
`wait image` commands.
* enos(hcp/create_vault_cluster): use a unique identifier for HVN
and vault clusters.
* actions(enos-cloud): add workflow to execute the `cloud` enos
scenario.
* actions(build): add support for triggering a custom build and running
the `enos-cloud` scenario.
* add more debug logging and query without a status
* add shim build-hcp-image for CE workflows
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* adding new locks
* adding initial testing
* changelog
* Update changelog/_9336.txt
* fixing test to use proper error output
* added additional locks on pops and last push.
* fixing tests since I cant use t.Fatalf in a go func
* adding rotation window, removing lock as reached a deadlock in test
* removing locking from the OnFailure
* removing unused locks.
---------
Co-authored-by: JMGoldsmith <spartanaudio@gmail.com>
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
* Fix unsetting sys tunable values (on ent).
* Remove commented test, add GoDoc for test.
* Handle empty slices better (PR feedback).
* Fetch Auth endpoint without listing (PR feedback).
* Fatal vs. Error
* Add GetAuth instead of ListAuth
* Fix error format error. Oops!
* One more list->get auth. Remove extra check.
* Updated TuneMountWithContextAllowNil to use a struct (with all pointers).
* Allow setting empty values for userLockoutConfig too - use new struct.
* Extra pointer.
* Remove useless functions.
* Simple test to ensure any field we can set we can update and vice-versa.
* Add json tag checks.
Co-authored-by: Kit Haines <khaines@mit.edu>
* support wide width splash page
* add enable_self_enrollment param to mfa-method config
* build and implement mfa setup-card display only component
* fix transition bug navigating away from mfa method
* rename mfa card
* WIP implement self-enrollment workflow
* wip integration tests
* convert mfa-form to typescript
* remove unused import
* show alert whenver there is a QR code
* organze mfa steps into Mfa::VerifyForm and Mfa::SelfEnroll
* WIP stretch goals of mfa redesign
* add copyright headers
* update test
* add support for multiple constraints with self-enrollment
* remove comment
* fix multi-method UX
* fix state for failed validation
* remove changing button for error states
* add error handling and validation messages
* minor cleanup for params
* first round of cleanup and reorganization
* final round of logic cleanup and organization
* touch ups after testing with live backend
* fix comment
* final test cleanup!
* Apply suggestions from code review
* improve mirage error handling to more accurately mimic real failures
* add test coverage
* make qr rendering logic easier
* address PR feedback
* submit enroll form on enter, remove code digit number from copy, reset enroll state
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
* UI: General settings Integration and Acceptance Tests. (#9363)
* General settings integration tests
* Add page header integration tests
* Add page header test for plugin settings as a tab too
* More tests!
* Acceptance tests!
* Add more acceptnace tests
* Add copywrite headers
* Fix linting error
* Fix accessibility errors
* Remove unused vars
* Put mock secret engine back into beforeHook
* Add enterprise to key management test (#9392)
---------
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* Add role rotation info to create/update observations
* observatin enhancements
* observatin enhancements
* remove log
* duration strings instead of seconds
* the stringening
* more times
* credential type
* Add rotation schedule/period to root rotation
* more ttls
* updates
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* include mount and ns in recovery message, fix state issue
* fix state issue
* show in prod and add changelog
Co-authored-by: lane-wetmore <lane.wetmore@hashicorp.com>
Update our pins to the latest version. Essentially all of these are
related actions needing to run on Node 24. Both our self-hosted and the
Github hosted runners that we use are all on a new enough version of
actions/runner that it shouldn't be a problem.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* license: add support for publishing artifacts to IBM PAO (#8366)
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: brian shore <bshore@hashicorp.com>
Co-authored-by: Ethel Evans <ethel.evans@hashicorp.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* add responses to the three endpoints
* add responses for the rest of the endpoints
* more changes
* use standard definitions for responses
* normalize complex fields of type structs into standard json types of slices and maps
* fix normalization of total
* add normalization to partial month endpoint too
* fix linters
* add bad request and server error schema types to monthly endpoint
* add validation tests
* fix linters error
* upgrade dependency
* make query parameters explicit
* add changelog
* define by namespace fields as a slice, not a map
* define times as Time type instead of string
* remove normalizations
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
* improve auth/ldap TestRotateRootWithRotationUrl test case
* add const
* Update path_config_rotate_root_test.go
* Backport VAULT-34830: enable the new workflow into ce/main (#8681)
* VAULT-34830: enable the new workflow (#8661)
* pipeline: various fixes for the cutover to the enterprise first workflow (#8686)
Various small fixes that were discovered when doing the cutover to the enterprise first merge workflow:
- The `actions-docker-build` action infers enterprise metadata magically from the repository name. Use a branch that allows configuring the repo name until it's merged upstream.
- Fix some CE-In-Enterprise outputs in our metadata job.
- Pass the recurse depth flag correctly when creating backports
- Set the package name when calling the `build-vault` composite action
- Disallow merging changes into `main` and `release/*` when executing in the `hashicorp/vault` repository. This is a hack until PSS-909 is resolved.
- Use self-hosted runners when testing arm64 CE containers in enterprise.
Conflicts:
.github/workflows/backport-automation-ent.yml
.github/workflows/test-run-enos-scenario-containers.yml
---------
* remove file that slipped in during the backport but before the changed file checks (#8706)
* UI: Creating Metadata card for configuration page (#8679) (#8709)
* card setup
* updating to pass in vals
* remove test usage
* actions(metadata): fix metadata version for ce (#8713) (#8714)
* Add support for AES-CBC to transit (#8367) (#8741)
* add key types and encryption for cbc
* add decryption
* start adding tests
* add tests for policy functions
* add convergent case
* add enterprise check and key creation test cases
* fix key generation and add import/export
* add tests and fixes
* add changelog
* linter
* refactor policy functions and fix IV
* add ce change
* fix function calls
* fix factories in function call
* fix IV test case
* test fixes
* add cbc keys to read
* change iv
* fix merge errors
* make fmt
* change error name and add iv error
* fix tests
* UI: Create version card (#8710) (#8744)
* setup version card
* folder restructure
* Adding todos, removing test
* [VAULT-38605] Add self-enrollment option to the TOTP Login MFA method (#8711) (#8731)
* [VAULT-38601] Modify response to MFA enforced requests to enable TOTP self-enrollment (#8723) (#8746)
* Fix token creation in a namespace (#8461) (#8747)
* fix and test for token creation in namespace
* add changelog
* add nil check
* change existing test to work with change
* fix imports
* add error and more specificity in changelog
* enos(sample): don't double sample (#8752) (#8770)
* enos: remove double sample observe
* ci(build): fix notification on artifacts build failure
* changelog: add hash link to changes that originate from enterprise (#8745) (#8775)
* pipeline(backport): use --strategy-option=theirs (#8767) (#8780)
* VAULT-37630: Recover as a copy (#8640) (#8798)
* recover as a copy implementation
* get policy tests passing
* add helpers and testing support
* fixes
* revert a couple of changes
* more tests
* switch to query param
* correctly update source path with the namespace
* only add openapi recover source path if there's a path parameter
* add changelog
* check for no mount in path
* [UI] VAULT-37386 Plugin management: General Settings Route + Templates (#8726) (#8801)
* Move components and routes over to new PR
* Move components to secrets-engine folder
* Use native FormData
* Update params that are passed in
* Add loading state
* Add comments
* Update jsdoc description
* Remove unused action
* Remove debugger
* Fix linting errors
* Add version card component and fix merge conflict issues
* VAULT-38193 Add database observations to Vault (#8727) (#8802)
* VAULT-38193 database observations (WIP)
* VAULT-38193 database observations
* nil check
* make it consistent
* Clean up
* update vault-plugin-secrets-openldap to v0.16.1 (#8820) (#8821)
* update vault-plugin-secrets-openldap to v0.16.1
* changelog
* VAULT-39129: Updating enos tutorial scenario link (#8831) (#8835)
* [VAULT-39153] pipeline(backport): remove docs and pipeline from allowed ce inactive (#8819) (#8842)
Docs have been moved since the tool was written so that exclusion is no
longer needed. Since the defaults were added the `pipeline` group has
expanded to include all `.github`, which we don't want to always
backport. It seems unlike that `pipeline` tooling changes are likely to
be required often on inactive branches so we'll exclude all together for
now.
* [VAULT-39157] enos(cloud): add basic vault cloud scenario (#8828) (#8847)
* [VAULT-39157] enos(cloud): add basic vault cloud scenario
Add the skeleton of a Vault Cloud scenario whereby we create an HCP
network, Vault Cloud cluster, and admin token.
In subsequent PR's we'll wire up building images, waiting on builds, and
ultimately fully testing the resulting image.
* copywrite: add headers
---------
* Upgrade to CRT schema 2 to fix crt-report-dispatch event (#8572) (#8809)
* api/client: support setting extra headers with new logical request interface. (#8808) (#8858)
* [VAULT-39208]: actions: update action pins (#8864) (#8865)
* UI: Create Lease Duration card component + style updates (#8815) (#8870)
* updating components to use hds flex, removing custom css
* creating layout, updating fields to use select instead of dropdown
* conditional render, remove commented code
* adding external link
* update handlers and style
* updating general settings layout so TTL doesnt stretch other cards
* typo
* [UI] Cubbyhole List View Bug (#8859) (#8871)
* fixes issue with cubbyhole list view throwing error in child namespace
* updates to use engineType prop
* Disallow writing of barrier keyring if seals aren't healthy (#8707) (#8885)
* Set the full rewrap context for barrier keyring writes
* Retain some logging at Trace but get rid of the overall context pattern.
Apply correct ctx transform
* changelog
* remove logger
* here too
* remove other unnecessary changes
* VAULT-38888 Add prefix vault to metric summary definitions into main (#8725) (#8892)
* VAULT-38888 Add prefix vault to metric summary definitions
* VAULT-38888 Add changelog for fix
* Edit changelog file name
---------
* [VAULT-39235]: pipeline(changed-files): don't group underscore prefixed changelogs as enterprise only files (#8906) (#8934)
Don't categorize changelog files that begin with an underscore as
enterprise only, otherwise they'll be removed when backporting changes
to CE.
Since we want to include links to commit SHAs in the changelog we have
to create the changelog in the context of CE and thus need to backport
all of those changes.
We also fix a few Go tests that hand not been updated to handle the
updated default inactive CE groups.
* VAULT-39010 Adding new go-discover logic (#8884) (#8931)
* testing new go-discover logic
* add changelog
* Delete website/content/partials/known-issues/aws-auto-join-fails.mdx
* Backport bump go-getter to 1.7.9 into ce/main (#8926)
* bump go-getter to 1.7.9 (#8899)
* bump go-getter to 1.7.9
* add changelog
* go mod tidy
---------
* VAULT-38463: Addressing ldap pipeline failure (#8817) (#8911)
* VAULT-38463: Addressing ldap pipeline failure
* testing ldap tests
* testing ldap tests
* debugging ldap issue
* testing pipeline
* testing pipeline
* testing pipeline
* testing pipeline
* testing pipeline
* testing pipeline
* testing pipeline
* debugging ldap failure
* debugging ldap failure
* debugging pipeline
* adding dependency for verify secrets
* removing extra code
* undo changes
* undo changes
* Backport [VAULT-38910]: upgrade docker package to resolve GO-2025-3829 into ce/main (#8875)
* [VAULT-38910]upgrade docker package to resolve GO-2025-3829 (#8642)
* bump github.com/hashicorp/go-secure-stdlib/plugincontainer to v0.4.2
* bump github.com/docker/docker to v28.3.3+incompatible
* go mod tidy
---------
* manually copy over missing changelogs for main (#8956)
* Improve error messages in TestRotateRootWithRotationUrl for BindDN and URL checks
* Use bitnamilegacy cassandra image for tests (#8984) (#8985)
* use default cassandra image for tests
* switch to bitnamilegacy
* [VAULT-39237] actions(generate-changelog) generate changelogs in ce for active ce versions (#8973) (#8976)
Update our changelog generator to dynamically decide which repository
context that it should use when generating the changelog. If the version
given corresponds to an active CE branch then we generate the changelog
in the context of `hashicorp/vault` with the `note-ce.md` template. If
the version corresponds to an enterprise only branch we generate the
changelog in the context of `hashicorp/vault-enterprise` with the
`note-ent.md` template.
The reason we do all of this is so that we can add commit links to
changelogs that for changes that are actually in community editions.
* UI: Moving settings/mount-backend-form to secrets/mounts (#8975) (#8998)
* adding route and replacing old route usage
* adding comments
* updating secrets tests to new route
* Update CHANGELOG.md for 1.20.3 1.19.9 1.18.14 and 1.16.25 (#31527)
* changelog: fix commit URL in CE generated template (#9010) (#9013)
* VAULT-38463: Fix ldap failure (#8996) (#9001)
* Backport [VAULT-38600] Fix the name of the CE stub for mfaLoginEnterprisePaths into ce/main (#9021)
* Update CHANGELOG.md (#31528)
added "Enterprise" to 1.19, 1.18 and 1.16 minor releases
* VAULT-38796, VAULT-38889 reformat observation schema to version 2 (#9006) (#9023)
* [VAULT-39267] actions(slack): migrate to v2 action (#8964) (#8990)
* VAULT-37633: Database static role recover operations (#8922) (#8982)
* initial implementation
* fix
* tests
* changelog
* fix vet errors
* pr comments
* [VAULT-38600] Create TOTP Login MFA credential self-enrollment API endpoint (#8970) (#8999)
* VAULT-36947: Support force unloading a snapshot (#8740) (#9036)
* portion of changes for autoloading
* add test checking for panic
* add endpoint for force unloading
* separate method for force unload
* changelog
* don't redefine constants
* VAULT-39294: Deprecate recover_snapshot_id query param and use a header instead (#8834) (#9042)
* deprecate snapshot query params, use a header instead
* keep read query param, but deprecate recover one
* fix test
* remove list change
* add changelog
* rename header, allow request method
* update changelog
* VAULT-37632 allow restoring SSH CA from loaded snapshot (#8581) (#9034)
* allow restoring ssh config/ca
* add some unit tests
* address PR review
* imports and test upgrades
* linter complaints
* add PR comment and linter fixes
* address review
* Revert "Merge https://github.com/hashicorp/vault/pull/31503 into main"
This reverts commit 6f2ffcf64cd6a01cdbf685db296053adb428e26b, reversing
changes made to 681d1d5c7a2298a8b5dd403554dec2e98c3ce971.
* Update path_config_rotate_root_test.go
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: jadeidev <32917209+jadeidev@users.noreply.github.com>
Co-authored-by: Dan Rivera <dan.rivera@hashicorp.com>
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
Co-authored-by: Tin Vo <tintvo08@gmail.com>
Co-authored-by: james-warren0 <95658341+james-warren0@users.noreply.github.com>
Co-authored-by: Ben Ash <32777270+benashz@users.noreply.github.com>
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: roh-ag <rohit.agrawal@hashicorp.com>
Co-authored-by: JMGoldsmith <spartanaudio@gmail.com>
Co-authored-by: Josh Black <raskchanky@gmail.com>
Co-authored-by: Luciano Di Lalla <88449051+ldilalla-HC@users.noreply.github.com>
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
Co-authored-by: Bruno Oliveira de Souza <bruno.souza@hashicorp.com>
* UI: VAULT-39172 VAULT-38567 general settings followup (#8910)
* Add unsaved changes fields
* Set up default values for TTL and update general-settings
* Add form error state
* Ass TODO cmment
* Move actions back!
* Update unsaved changes state
* Address comments and add TODOs
* UI: VAULT-39264 Lease Duration TTL picker (#9080)
* Update default and max ttl to show correct default
* Query sys/internal endpoint for ttl values
* WIP ttl-picker-v2
* Intialize values and check for if ttl value is unset
* Use ttlKey instead of name
* Set name to be ttlKey
* Show validation for ttl picker
* Fix validation bugs
* Remove lease duration files
* Add copyright headers
* Initalize only when its a custom value
* Update ttl-picker to not have a dropdown
* Validate field before converting to secs
* [UI] Fix styling and update version card component (#9214)
* Fix styling and update version card component
* Update unsaved changes
* Code cleanup
* More code cleanup!
* Add helper function
* Remove query for lease duration
* Fix outstanding issues
* Captialize unsaved changes
* Update util name
* Remove action helper
* [UI]: General Settings design feedback updates (#9257)
* Small refactor based on design feedback
* More refactoring!
* Rename variables so it makes more sense!
* Remove unused modal fields
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* delete activity component, convert date-formatters to ts
* add "month" filter to overview tab
* add test coverage for date range dropdown
* add month filtering to client-list
* remove old comment
* wire up clients to route filters for client-list
* adds changelog
* only link to client-list for enterprise versions
* add refresh page link
* render all tabs, add custom empty state for secret sycn clients
* cleanup unused service imports
* revert billing periods as first of the month
* first round of test updates
* update client count utils test
* fix comment typo
* organize tests
Co-authored-by: claire bontempo <68122737+hellobontempo@users.noreply.github.com>
