* no-op commit
* Backport Change to Trail of Bits library for PQC into release/2.x.x+ent (#14617)
* Change to Trail of Bits library for PQC (#12676)
* switch to tob library
* test fixes for mldsa public keys
* fix public keys in tests
* add logic for slh-dsa param changes
* add logic to handle both key encodings
* fix slhdsa key gen
* fix slhdsa public key
* add logic for hybrid keys
* fix slhdsa verify
* add test cases
* fix public key in read for pqc
* fix mldsa decoding
* fix mldsa public key encoding
* make encoding consistent
* fix tests
* fixes and bob tests
* add changelog
* fix test case
* adjust existing test cases
* add test cases with old keys
* go mod tidy
* run go mod tidy
---------
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Co-authored-by: rculpepper <rculpepper@hashicorp.com>
* go mod tidy
* add function for pqc public keys
* delete ent file
* remove library
---------
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Co-authored-by: rculpepper <rculpepper@hashicorp.com>
* support attribute parameters for filtering
* address PR comments
* integration tests
* initial implementation for SCIM group patching
* rm nat files
* remove bool parse function
* resolving test failures
* removing test comments
* add changelog
* rename changelog entry
* resolve metadata patch issue
* add test case for metadata patch
* resolve failing SCIM patch tests
* fix: SCIM PATCH user ownership mismatch returns 404 not 403
The verifyScimUserOwnership function previously accepted a 'strict' bool
parameter that caused PATCH requests to return 403 Forbidden when the
requesting client didn't own the entity. All other operations (read,
update, delete) correctly returned 404 to avoid leaking resource existence.
This was inconsistent and the tests expect non-disclosing 404 responses
across all operations including PATCH. Remove the strict parameter and
always return 404 for ownership mismatches, matching:
- Test_SCIM_UserPatch/patch_fails_for_non-owner_client (expected 404, got 403)
- Test_SCIM_Namespace_UpdateFailsAcrossNamespaces (expected 404, got 403)
* remove spurious TestSCIMUserPatch_HandlerTable test additions
* revert comment change
* refactor to use new patch logic
* removing temp files
* updating tests to return 403s
* reverting test changes
* ensure ownership mismatch returns 403
* Potential fix for pull request finding
* Potential fix for pull request finding
* updating comment
* addressing copilot comments
* Align with user patch changes
* formatting code structure
* Potential fix for pull request finding
* restore metadata check
* updating comment
* consolidate function definitions
* updating comment
* Potential fix for pull request finding
* Potential fix for pull request finding
* resolving ownership error check
* updating tests
* updating tests
* updating comment
* improve boolean evaluation
* ensure both group and user patch return invalid path error
---------
Co-authored-by: Michael Stott <michael.stott@hashicorp.com>
Co-authored-by: Anjani Mallampati <anjani.mallampati@hashicorp.com>
Co-authored-by: mstott2 <michael.stott@hashicorp.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* update dep override report script to fix issue with deps that have large trees
* runs override report and removes unnecessary overrides
* overrides tmp version to 0.2.6
* regenerates override report
* fixes code scanning issue in gen-dep-override-report script
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
* Complete vault_verify_replication migration to blackbox tests
Migrate all remaining enos scenarios to use vault_run_blackbox_test:
- enos-scenario-proxy.hcl
- enos-scenario-seal-ha.hcl
- enos-scenario-upgrade.hcl
- enos-scenario-agent.hcl
- enos-scenario-autopilot.hcl
Remove vault_verify_replication module from enos-modules.hcl
All scenarios now use the blackbox test framework for replication verification.
* Update setup-enos action to v1.53
Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
* fix(core/acl): prevent LIST bypass via trailing-slash strip (SECVULN-45175)
A logic error in AllowOperation (vault/acl.go) caused LIST requests with
a trailing slash to bypass more-specific deny rules. The slash-stripping
short-circuit ran prefixRules.LongestPrefix on the trimmed path, making
a deny key (e.g. 'kv1/private/') invisible because it is longer than the
trimmed query 'kv1/private', so the lookup fell back to the broader allow
('kv1/') and jumped to CHECK before the full-path deny could be evaluated.
Fix: refactor the non-exact path matching into three reusable helpers
(lessFor, matchSegmentWildcard, nonExactCandidates) and introduce
listPickPermissions, which collects candidates from both the slash-stripped
and full path forms and selects the winner using a three-tier deny-aware,
LIST-aware comparator:
1. Most-specific deny wins (closes the bypass — SECVULN-45175).
2. Most-specific LIST-granting rule wins otherwise (preserves VAULT-3825
intent: a 'kv1/+' rule granting LIST still applies to 'LIST kv1/x/').
3. Fallback: most-specific overall candidate (for non-LIST operations
hitting this branch).
The bareMount=true path in CheckAllowedFromNonExactPaths is preserved
byte-for-byte. Phase 1 exact-rule handling is untouched. No opt-out
toggle is introduced; the fix ships unconditionally.
Resolves: SECVULN-45175
* changelog: add entry for SECVULN-45175 fix (GH-15366)
* fix(core/acl): refactor ACL candidate selection helpers (SECVULN-45175)
* changelog: fix 15366.txt format - remove auto-generated link
* fix(core/acl): cosmetic changes
* fix(core/acl): rename changelog
* docs(core/acl): improve code comments for ACL helper types and functions
* fix(core/acl): expand abbreviated function names for clarity (SECVULN-45175)
* fix(core/acl): address review feedback (SECVULN-45175)
- changelog: shorten security note, add behavior-change note
- acl_test: inline policy strings per test case (reviewer nit)
---------
Signed-off-by: Arnab Chatterjee <arnab.chatterjee@hashicorp.com>
Co-authored-by: Arnab Chatterjee <arnab.chatterjee2@ibm.com>
Co-authored-by: Arnab Chatterjee <arnab.chatterjee@hashicorp.com>
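The candidate-selection logic described in the SECVULN-45175 commit message above, reproduced here as an added Go illustration that is not Vault's own code. It models prefix rules as keys with the trailing `*` removed (so the policy path `kv1/*` becomes the key `kv1/`), treats `+` as a single-segment wildcard, and approximates specificity by key length; the type and function names (`rule`, `covers`, `candidates`, `buggyListAllowed`, `fixedListAllowed`) are assumptions for the example, as is the toy `+` matcher. It shows the pre-fix short-circuit granting `LIST kv1/private/` from the broader `kv1/` allow, and the three-tier comparator denying it while still honouring a `kv1/+` rule for `LIST kv1/x/`:

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical, simplified model of prefix policy rules. These types and
// helper names are assumptions for illustration, not Vault's own.
type perms struct {
	deny bool // explicit deny capability
	list bool // list capability granted
}

// rule.key is the policy path with any trailing '*' removed ("kv1/*" -> "kv1/").
// A '+' segment matches exactly one non-empty path segment.
type rule struct {
	key string
	p   perms
}

// covers reports whether rule key k applies to path.
func covers(k, path string) bool {
	if !strings.Contains(k, "+") {
		return strings.HasPrefix(path, k)
	}
	ks := strings.Split(strings.TrimSuffix(k, "/"), "/")
	ps := strings.Split(path, "/")
	if len(ps) < len(ks) {
		return false
	}
	for i, seg := range ks {
		if seg == "+" {
			if ps[i] == "" {
				return false
			}
			continue
		}
		if seg != ps[i] {
			return false
		}
	}
	return true
}

// candidates returns every rule covering path.
func candidates(rules []rule, path string) []rule {
	var out []rule
	for _, r := range rules {
		if covers(r.key, path) {
			out = append(out, r)
		}
	}
	return out
}

// mostSpecific picks the longest key among candidates satisfying keep.
// Key length as the specificity measure is an assumption of this toy model.
func mostSpecific(c []rule, keep func(rule) bool) (rule, bool) {
	var best rule
	found := false
	for _, r := range c {
		if keep(r) && (!found || len(r.key) > len(best.key)) {
			best, found = r, true
		}
	}
	return best, found
}

// buggyListAllowed mirrors the pre-fix short-circuit: strip the trailing slash,
// do one longest-prefix lookup on the trimmed path, and decide from that rule.
// A deny keyed on "kv1/private/" is longer than the trimmed query "kv1/private"
// and is therefore never a prefix of it, so the lookup falls back to "kv1/".
func buggyListAllowed(rules []rule, path string) bool {
	trimmed := strings.TrimSuffix(path, "/")
	best, ok := mostSpecific(candidates(rules, trimmed), func(rule) bool { return true })
	return ok && !best.p.deny && best.p.list
}

// fixedListAllowed collects candidates from both the full and slash-stripped
// forms and applies the three-tier comparator: most-specific deny wins, then
// most-specific LIST-granting rule, then most-specific overall candidate.
func fixedListAllowed(rules []rule, path string) bool {
	c := candidates(rules, path)
	if t := strings.TrimSuffix(path, "/"); t != path {
		c = append(c, candidates(rules, t)...)
	}
	winner, ok := mostSpecific(c, func(r rule) bool { return r.p.deny })
	if !ok {
		winner, ok = mostSpecific(c, func(r rule) bool { return r.p.list })
	}
	if !ok {
		winner, ok = mostSpecific(c, func(rule) bool { return true })
	}
	return ok && !winner.p.deny && winner.p.list
}

func main() {
	rules := []rule{
		{key: "kv1/", p: perms{list: true}},
		{key: "kv1/private/", p: perms{deny: true}},
	}
	for _, p := range []string{"kv1/private/", "kv1/public/"} {
		fmt.Printf("LIST %-13s buggy=%v fixed=%v\n", p, buggyListAllowed(rules, p), fixedListAllowed(rules, p))
	}
	wild := []rule{{key: "kv1/+", p: perms{list: true}}}
	fmt.Println("LIST kv1/x/ under kv1/+ ->", fixedListAllowed(wild, "kv1/x/"))
}
```

Collecting candidates from both path forms is what closes the gap: the full path `kv1/private/` is covered by the deny key, the trimmed form is covered by the `kv1/+` style rules, and the deny-first ordering means neither form can be used to route around the other.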
* changelog: add release notes for migrating charts from Lineal to Carbon in Client and Vault usage dashboards
* changelog: add release notes for migrating charts from Lineal to Carbon in Client usage overview and Vault usage dashboard
Co-authored-by: Aravind VM <aravind.vm@ibm.com>
Fixed the Cassandra db TestSelfSignedCA test by replacing static
certificate files with dynamically generated certificates using the
pkihelper.GenerateCertWithRoot() helper function.
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
* no-op commit
* Migrate Vault Reporting Dashboard from shared package into Vault Enterprise (#14892)
* Migrate Vault Reporting Dashboard from shared package into Vault Enterprise
* Add click interactions for export toggle in usage reporting dashboard tests
* feat(reporting): enhance external link security with rel attributes
* feat(reporting): migrate Vault Reporting Dashboard components and integrate meter chart visualization
* feat(reporting): remove deprecated meter.js and migration instructions for Vault Reporting Dashboard
* feat(reporting): migrate horizontal bar chart to new viz-card component and remove deprecated files
* feat(reporting): remove horizontal bar chart component and associated files
* feat(reporting): update dashboard to force remount of chart layers on namespace refresh and improve data fetching logic
* feat(reporting): remove usage reporting handler and associated imports
* feat(reporting): refactor route handling and remove safeRoute utility; update data download methods (copilot recommendation)
* feat(reporting): enhance tooltip interaction by replacing mouse events with pointer events for better responsiveness
* feat(reporting): remove reporting analytics service and associated tracking logic from dashboard components
* feat(reporting): standardize text casing in dashboard and export components
* feat(reporting): standardize text casing in usage reporting tests
* feat(reporting): add padding to carbon chart for improved layout
* feat(reporting): implement toSentenceCase utility and update chart labels for consistency
* feat(reporting): enhance toSentenceCase utility to handle acronyms and branded names
* feat(reporting): migrate vault-reporting module from shared package to Vault Enterprise
* feat(reporting): enhance tooltip functionality and styling for usage reporting charts
* Fix formatting in pnpm-lock.yaml
* Refactor CSV export to use sentence case for labels and enhance toSentenceCase utility
* Refactor CSV download test to simplify URL handling and assert sentence case labels
* Enhance destination name formatting to use sentence case in reporting dashboard
* Add RabbitMQ branding override and update tests for sentence case handling
---------
Co-authored-by: Aravind VM <aravind.vm@ibm.com>
Add the vault-frontend team to each CODEOWNERS entry that
already lists vault-ui.
Keep frontend reviewers on general UI changes and the
OIDC/JWT/SAML exceptions alongside the existing ecosystem
ownership.
Co-authored-by: Angelo Cordon <angelo.cordon@hashicorp.com>
Co-authored-by: OpenCode (gpt-5.4) <opencode.noreply@hashicorp.com>
Convert vault_verify_ui from bash scripts to blackbox SDK tests.
Changes:
- Created vault/external_tests/blackbox/verify/ui_test.go with TestVaultUIAvailability
- Updated 8 scenario files to use vault_run_blackbox_test module
- Removed enos/modules/vault_verify_ui module and bash script
The new test verifies:
- Root URL redirects to /ui/
- UI page loads successfully
- No 'Vault UI is not available' error message
Fixes: VAULT-43739
Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
The test was using invalid Go syntax: new(string("87600h"))
Changed to create a variable and use its address instead.
Error: string("87600h") is not a type
Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
* VAULT-44550 Add test for clobbered event subscription during ACL creation
* VAULT-44550 Add additional test for event subscription ACL build
* VAULT-44550 fatalf -> NoError in ACL event subscribe test
* VAULT-44550 Better formatting for policy strings in tests
* VAULT-44550 Revert unrelated test
Co-authored-by: Jason Pilz <jasonpilz@gmail.com>
* UI: Ember data migration: Transit secrets engine - Show & List views (#15015)
* Adding api calls
* fixing timestamps and actions
* fixing routing and moving functions around for model creation
* UI: Ember Data migration: Transit - Create & Edit (#15085)
* adding in new create form
* updating form to handle editing
* yielding ttl, updating conditional renders
* a lot of moving around
* test fix 1
* test fix 2
* UI: Ember Data migration: Transit Secrets Engine - Key actions (#15176)
* updating store use to use api calls per actions
* forgot export, fixing some tests
* test fixes
* converting to .ts and minor tweaks
* test fixes
Co-authored-by: Dan Rivera <dan.rivera@hashicorp.com>