* VAULT-44550 Add test for clobbered event subscription during ACL creation
* VAULT-44550 Add additional test for event subscription ACL build
* VAULT-44550 fatalf -> NoError in ACL event subscribe test
* VAULT-44550 Better formatting for policy strings in tests
* VAULT-44550 Revert unrelated test
Co-authored-by: Jason Pilz <jasonpilz@gmail.com>
* UI: Ember data migration: Transit secrets engine - Show & List views (#15015)
* Adding api calls
* fixing timestamps and actions
* fixing routing and moving functions around for model creation
* UI: Ember Data migration: Transit - Create & Edit (#15085)
* adding in new create form
* updating form to handle editing
* yielding ttl, updating conditional renders
* a lot of moving around
* test fix 1
* test fix 2
* UI: Ember Data migration: Transit Secrets Engine - Key actions (#15176)
* updating store use to use api calls per actions
* forgot export, fixing some tests
* test fixes
* converting to .ts and minor tweaks
* test fixes
Co-authored-by: Dan Rivera <dan.rivera@hashicorp.com>
* SECVULN-44099 Add new helper for verifying SCIM user ownership and update error returns
* SECVULN-44099 Update stale tests
Co-authored-by: Jason Pilz <jasonpilz@gmail.com>
* added a toggle to normalize radius usernames and reject case-variant duplicates to prevent case-collision
Co-authored-by: Himnish-Nadiminti <himnish.nadiminti@hashicorp.com>
* Update CHANGELOG.md
* Update CHANGELOG.md
Moved secrets/ssh: RSA key sizes are now limited to a maximum size of 8192 bits addressing CVE-2026-39829
to breaking changes
* Apply suggestions from code review
---------
Co-authored-by: Chris Foran <Christopher.Foran@ibm.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* feat(enos): migrate vault_verify_replication to blackbox tests
Convert vault_verify_replication from bash scripts to blackbox SDK tests.
Changes:
- Created vault/external_tests/blackbox/verify/replication_test.go with TestReplicationAvailability
- Updated enos-scenario-smoke.hcl to use vault_run_blackbox_test module
- Removed enos/modules/vault_verify_replication module and bash script
The new test verifies:
- CE: replication mode is 'disabled'
- ENT: DR and performance replication are available
Fixes: Converts bash-based verification to Go-based blackbox tests for better maintainability
* Add detailed error messages to replication test for debugging
* Add debug logging to replication test
* Exclude TestReplicationAvailability from race detection
The TestReplicationAvailability test requires a live Vault instance with
VAULT_ADDR and VAULT_TOKEN environment variables set. This test is not
compatible with race detection runs in CI which don't have these
prerequisites configured.
Add //go:build !race tag to exclude this test from race detection runs.
* Revert "Exclude TestReplicationAvailability from race detection"
This reverts commit 5afc7c1bf243e7e833864288cdd5bd16c9ed3018.
* Fix replication test to read from root namespace
The test was failing because it tried to read sys/replication/status
from within the test's isolated namespace. Replication status is only
available at the root namespace level.
Changes:
- Use WithRootNamespace() to read replication status from root
- Add proper error handling for the namespace operation
- Add api import for WithRootNamespace return type
* Add testonly build tag and update CI workflow pattern for verify tests
* Add missing ip_version parameter to vault_run_blackbox_test calls
Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
* [VAULT-44702] Refactor consumption billing metric collection (#13681)
* refactor
* add missing new file
* fix merge error
* cleanup
* only check if official plugin if required
* fix tests
* add test helpers and move things around
* add tests
* address comments
* make kv count just int
* check if sealed and return error
* add err checks to test helpers
* use db secret engine instead of azure
---------
Co-authored-by: Jenny Deng <jenny.deng@hashicorp.com>
* VAULT-45707 - migrates transform templates views
* updated fields to snake_case
* updated selectors in test to use GENERAL selector
Co-authored-by: mohit-hashicorp <mohit.ojha@hashicorp.com>
* bumped go from 1.26.3 to 1.26.4 and added changelog
* removed new changelog, updated existing
Co-authored-by: kelly <69541941+kporter101@users.noreply.github.com>
Split HashiCorp PGP key into two separate keys (2026 and 2030 versions)
and load them into separate keyrings. Resolves signature verification
failures for plugins signed with either the expired (2026) or renewed
(2030) HashiCorp PGP keys.
The keyring previously contained both the expired 2026 block and the
updated 2030 extension block for subkey 374EC75B. This duplication
caused the OpenPGP signature parser to get trapped on the first (expired)
entry it encountered, triggering false-positive `openpgp: key expired`
errors when registering official plugins.
Changes:
- Split HashiCorp PGP key into two separate keys (2026 and 2030 versions)
- Implement fallback strategy: try 2030 key first, fallback to 2026 on
"no valid self signature" error
- Use separate KeyRing objects for explicit fallback control
- Add custom keys to BOTH keyrings to maintain HashiCorp plugin verification
Co-authored-by: JM Faircloth <jmfaircloth@hashicorp.com>
* SECVULN-39610 Implement raft retry limit
* SECVULN-39610 Implement pr review feedback:
- refactor context usage to not have a helper
- add test coverage for raft join limiter
* SECVULN-39610 Update max raft joins to 20, add godoc for test
* SECVULN-39610 Add changelog entry
* SECVULN-39610 Update raft retry test to exercise the cap on a single follower core
* Update changelog/_14954.txt
---------
Co-authored-by: Jason Pilz <jasonpilz@gmail.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
Migrate undo logs verification from bash scripts to Go blackbox tests using
the vault_run_blackbox_test module pattern.
Changes:
- Add TestVaultUndoLogsMetric Go test in vault/external_tests/blackbox/verify
- Add AssertMetricGaugeValue SDK helper in blackbox/session_metrics.go
- Remove deprecated vault_verify_undo_logs bash-based module
- Update vault_run_blackbox_test to support test_env_vars parameter
- Update autopilot scenario to use vault_run_blackbox_test for undo logs verification
The test verifies the vault.core.replication.write_undo_logs gauge metric
via API calls, following the blackbox testing pattern (no SSH/file access).
Only autopilot scenario is updated as it's the only scenario that currently
uses undo logs verification. Other scenarios remain unchanged.
Rebased onto main (58751c5d19e) and resolved conflicts with current codebase.
Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
Co-authored-by: lt-hc <280075563+lt-hc@users.noreply.github.com>
* migrated ssh views - list, detail, create and edit
* adds validation for role name and update test attributes for consistency
* updated sign key attr name in test
* migrated ssh views - list, detail, create and edit
* adds validation for role name and update test attributes for consistency
* updated sign key attr name in test
* moved flat ordering logic to form as per dynamic selection
* Humanized TTL field display value
* Apply suggestions from code review
* fixed prettier issue
* VAULT-45234 - Migrates SSH credential generation and signing components with forms and Api service
* fixed review comments
* Apply suggestions from code review
---------
Co-authored-by: mohit-hashicorp <mohit.ojha@hashicorp.com>
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* only add required mounts if there's space
* correct the docker version, add comments
* fix base version
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
* migrated ssh views - list, detail, create and edit
* adds validation for role name and update test attributes for consistency
* updated sign key attr name in test
* migrated ssh views - list, detail, create and edit
* adds validation for role name and update test attributes for consistency
* updated sign key attr name in test
* moved flat ordering logic to form as per dynamic selection
* Humanized TTL field display value
* Apply suggestions from code review
* fixed prettier issue
---------
Co-authored-by: mohit-hashicorp <mohit.ojha@hashicorp.com>
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* Document ssh RSA key size limitation
* Use appropriate keyword
* Move to use current PR number
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* actions: expressions in composite action defaults don't work 🫢 (#15023)
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* migrating db overview page
* fix toolbar alignment on remaining links
* migrating database creds + minor secrets table fix
* update totp key fetch
* removing store for aws
* fix workflow test
* removed commented code
* fix return line
* [UI] Ember Data Migration - Core Addon (#14891)
* removes store service from confirm-leave decorator
* updates secret list header tab component to use capabilities service for database type
* removes store service from edit-form component
* removes ember data fetch support from InfoTableItemArray component
* removes store from shamir components
* removes store from replication components in core addon
* adds missing service injection to shamir flow component
* fixes reduced disclosure test
* fixes issues with seal/unseal workflow
* reverts assertion change in info-table-item-array test
* fixes database test
* updates shamir flow test
* removes commented out code
* fix pathfors
* don't throw messages that don't need to be thrown :)
* updating to use allSettled
* matching what's in adapter
* fix
* updating to use enums
* [UI] Ember Data Migration - TOTP Secrets Engine Views | VAULT-44225 (#14933)
* VAULT-44225 - edm secrets totp views
* fixed review comments and updated validations to match original
* fixed review comments
* fix 2
* update to parseError
* fix
---------
Co-authored-by: Dan Rivera <dan.rivera@hashicorp.com>
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
Co-authored-by: mohit-hashicorp <mohit.ojha@hashicorp.com>
* bumped crypto dep and ran go mod tidy
* bumped net and ran go mod tidy
* bumped net in api from 53 to 55 and ran go mod tidy
* added changelog
* bump deps for all go modules
---------
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: kelly <69541941+kporter101@users.noreply.github.com>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* working to add new namespace on upgrades
* upgrade tests
* only allow setting the root agent registry in core
* add reloading the backend
* switch to kvv1 helper for api client
* hopefully fix the flake
* build is stuck
* switch test to single node
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
Do not set the IPC_LOCK capability on the vault binary. While we would prefer this, several container runtimes either don't allow setting capabilities or have policies that disallow the capability. This change will require runtime operators to disable swap to ensure data safety but seems the best middle ground until we decide whether or not to provide two images.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>