* Change PkiCertificateCountManager.GetCounts() to return a CertCount.
* Add PkiDurationAdjustedCerts field to CertCount.
Add a new field to CertCount to keep track of "duration adjusted" issued
certificates.
Add an x509.Certificate argument to CertCountIncrementer.AddIssuedCertificate.
In the implementation, use the certificate's NotBefore and NotAfter fields to
calculate the validity duration for the certificate, and use that to compute the
duration adjusted units.
* Add the issued certificate to calls to AddIssuedCertificate.
* Add PkiDurationAdjustedCerts when forwarding counts.
Add pki_duration_adjusted_certificate_count to IncrementPkiCount proto.
Update replicationServiceHandler.IncrementPkiCertCountRequest to take into
account the new field.
* Run make proto.
* Update testingPkiCertificateCounter to make assertions on time adjusted counts.
* PR review: Don't use NotAfter.Sub(NotBefore), since time.Duration is max 290 years.
* PR review: Move DurationAdjustedCertificateCount to logical.pki/test_helpers.
Add Bob generated unit tests for logical.durationAdjustedCertificateCount.
* Run make fmt.
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
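The duration-adjusted count described above, written out as an added example (this is illustration code, not Vault's own implementation). It assumes one duration-adjusted unit per whole day of validity, since the page does not state the real weighting, and it shows why the review asked for the validity to be computed from Unix seconds rather than NotAfter.Sub(NotBefore): a time.Duration saturates at math.MaxInt64 nanoseconds, roughly 292 years, so a long-lived root is silently under-counted. CertCount, validityDays, naiveValidityDays and newCert are names chosen for this example.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// CertCount mirrors the shape described in the commit message: the plain
// issued-certificate count plus a "duration adjusted" count. Added
// illustration only; the real type and its weighting are not shown here.
type CertCount struct {
	Certs                    int64
	PkiDurationAdjustedCerts int64
}

const secondsPerDay = 24 * 60 * 60

// validityDays returns the certificate's validity period in whole days,
// computed from Unix seconds rather than time.Duration. int64 seconds cover
// any date an X.509 certificate can carry; int64 nanoseconds do not.
func validityDays(c *x509.Certificate) int64 {
	secs := c.NotAfter.Unix() - c.NotBefore.Unix()
	if secs <= 0 {
		// NotAfter before NotBefore: no usable validity, count nothing.
		return 0
	}
	return secs / secondsPerDay
}

// naiveValidityDays is the approach rejected in PR review, kept only to show
// the saturation: Sub returns the maximum Duration when the true difference
// would overflow, so anything beyond ~292 years collapses to the same value.
func naiveValidityDays(c *x509.Certificate) int64 {
	return int64(c.NotAfter.Sub(c.NotBefore) / (24 * time.Hour))
}

// AddIssuedCertificate bumps both counters. Assumed weighting: one
// duration-adjusted unit per day of validity.
func (cc *CertCount) AddIssuedCertificate(c *x509.Certificate) {
	cc.Certs++
	cc.PkiDurationAdjustedCerts += validityDays(c)
}

// newCert builds an unsigned x509.Certificate carrying only the validity
// window, which is all the counter looks at (constructed sample input).
func newCert(notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{NotBefore: notBefore, NotAfter: notAfter}
}

func main() {
	start := time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
	leaf := newCert(start, start.Add(90*24*time.Hour))                   // 90-day leaf
	root := newCert(start, time.Date(3000, 1, 1, 0, 0, 0, 0, time.UTC)) // 1000-year root

	var cc CertCount
	cc.AddIssuedCertificate(leaf)
	cc.AddIssuedCertificate(root)
	fmt.Printf("certs=%d duration_adjusted=%d\n", cc.Certs, cc.PkiDurationAdjustedCerts)
	fmt.Printf("root: from Unix seconds=%d days, via time.Duration=%d days\n",
		validityDays(root), naiveValidityDays(root))
}
```

The 1000-year root spans 365243 days (243 leap days between 2000 and 2999), but the time.Duration path reports 106751 days, the saturated maximum, so any counter built on it would be wrong for exactly the certificates that matter most.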
* rotation-manager: enable RM to send rotation information to plugins on registration/rotation operations (#11810)
* initial commit for sending NVR to plugins
* add changelog
* add NVR to plugin fields, add RotationInfo to GRPC request handler
* fix tests
* ensure consistent formats on times and ttls
* add translation to allow grpc data transfer
* fix tests and rename fields
* fix missed field renames in tests
* make all methods net-new for backwards compatibility
* update mock plugin and add oss stub back
* remove method with no usages
* Address wrapper comments
* Rebuild proto
* Nil check around SetRotationInfo, return n/a for no last_vault_rotation
* Fix error to match other instances
* Update fields.go
* Return nil if unset for next/last vault rotation times
---------
Co-authored-by: robmonte <17119716+robmonte@users.noreply.github.com>
* Fix return type in stub method
---------
Co-authored-by: vinay-gopalan <86625824+vinay-gopalan@users.noreply.github.com>
Co-authored-by: robmonte <17119716+robmonte@users.noreply.github.com>
* Refactor CertificateCounter.IncrementCount to use a param object.
In preparation to start collecting more information, refactor the
CertificateCounter to take a parameter object which can later gain more
fields.
* Rework CertificateCounter to use a fluent interface.
Rename method IncrementCount to AddCount.
Remove method AddIssuedCertificate.
Add method Incrementer, which returns an implementation of the new
CertCountIncrementer.
* Add method CertCountIncrement.Add.
* Refactor PkiCertificateCountConsumer to take a CertCountIncrement.
* Fix TestPkiCertificateCountManager_IncrementAndConsume.
* Rename type CertCountIncrement to CertCount.
* Refactor ReadStoredCounts to return a CertCount value.
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
* Add the ability to specify extra audit only fields from a plugin
* Add extra auditing fields within the PKI OCSP handler
* Add missing copyright headers
* Format OCSP dates when non-zero, otherwise specify not set to be clear
* Feedback 2: Only set time fields if not zero instead of non-parsable string
* Serialize JSON fields in SDK response struct
* Perform renames based on RFC feedback
* Resolve OpenAPI test failure
* add cl
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Vault 42177 Add Backend Field (#12092)
* add a new struct for the total number of successful requests for transit and transform
* implement tracking for encrypt path
* implement tracking in encrypt path
* add tracking in rewrap
* add tracking to datakey path
* add tracking to hmac path
* add tracking to sign path
* add tracking to verify path
* unit tests for verify path
* add tracking to cmac path
* reset the global counter in each unit test
* add tracking to hmac verify
* add methods to retrieve and flush transit count
* modify the methods that store and update data protection call counts
* update the methods
* add a helper method to combine replicated and local data call counts
* add tracking to the endpoint
* fix some formatting errors
* add unit tests to path encrypt for tracking
* add unit tests to decrypt path
* fix linter error
* add unit tests to test update and store methods for data protection calls
* stub fix: do not create separate files
* fix the tracking by coordinating replicated and local data, add unit tests
* update all reference to the new data struct
* revert to previous design with just one global counter for all calls for each cluster
* complete external test
* no need to check if current count is greater than 0, remove it
* feedback: remove unnecessary comments about atomic addition, standardize comments
* leave jira id on todo comment, remove unused method
* rename methods by removing HWM and max in names, update jira id in todo comment, update response field key name
* feedback: remove explicit counter in cmac tests, instead put in the expected number
* feedback: remove explicit tracking in the rest of the tests
* feedback: separate transit testing into its own external test
* Update vault/consumption_billing_util_test.go
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
* update comment after test name change
* fix comments
* fix comments in test
* another comment fix
* feedback: remove incorrect comment
* fix a CE test
* fix the update method: instead of storing max, increment by the current count value
* update the unit test, remove local prefix as argument to the methods since we store only to non-replicated paths
* update the external test
* Adds a field to backend to track billing data
removed file
* Changed implementation to use a map instead
* Some more comments
* Add more implementation
* Edited grpc server backend
* Refactored a bit
* Fix one more test
* Modified map:
* Revert "Modified map:"
This reverts commit 1730fe1f358b210e6abae43fbdca09e585aaaaa8.
* Removed some other things
* Edited consumption billing files a bit
* Testing function
* Fix transit stuff and make sure tests pass
* Changes
* More changes
* More changes
* Edited external test
* Edited some more tests
* Edited and fixed tests
* One more fix
* Fix some more tests
* Moved some testing structures around and added error checking
* Fixed some nits
* Update builtin/logical/transit/path_sign_verify.go
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Edited some errors
* Fixed error logs
* Edited one more thing
* Decorate the error
* Update vault/consumption_billing.go
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
---------
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Edited stub function
---------
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Co-authored-by: divyaac <divyaac@berkeley.edu>
* In the random APIs, add a 'prng' param that causes a DRBG seeded from the selected source(s) to be the source of the returned bytes
* fixes, unit test next
* unit tests
* changelog
* memory ramifications
* switch to using a string called drbg
* Update helper/random/random_api.go
* wrong changelog
---------
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* add a new struct for the total number of successful requests for transit and transform
* implement tracking for encrypt path
* implement tracking in encrypt path
* add tracking in rewrap
* add tracking to datakey path
* add tracking to hmac path
* add tracking to sign path
* add tracking to verify path
* unit tests for verify path
* add tracking to cmac path
* reset the global counter in each unit test
* add tracking to hmac verify
* add methods to retrieve and flush transit count
* modify the methods that store and update data protection call counts
* update the methods
* add a helper method to combine replicated and local data call counts
* add tracking to the endpoint
* fix some formatting errors
* add unit tests to path encrypt for tracking
* add unit tests to decrypt path
* fix linter error
* add unit tests to test update and store methods for data protection calls
* stub fix: do not create separate files
* fix the tracking by coordinating replicated and local data, add unit tests
* update all reference to the new data struct
* revert to previous design with just one global counter for all calls for each cluster
* complete external test
* no need to check if current count is greater than 0, remove it
* feedback: remove unnecessary comments about atomic addition, standardize comments
* leave jira id on todo comment, remove unused method
* rename methods by removing HWM and max in names, update jira id in todo comment, update response field key name
* feedback: remove explicit counter in cmac tests, instead put in the expected number
* feedback: remove explicit tracking in the rest of the tests
* feedback: separate transit testing into its own external test
* Update vault/consumption_billing_util_test.go
* update comment after test name change
* fix comments
* fix comments in test
* another comment fix
* feedback: remove incorrect comment
* fix a CE test
* fix the update method: instead of storing max, increment by the current count value
* update the unit test, remove local prefix as argument to the methods since we store only to non-replicated paths
* update the external test
* fix a bug: reset the counter every time we update the stored counter value to prevent double-counting
* update one of the tests
* update external test
---------
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
* Basic refactoring to reuse PKI certs for SSH
* Refactored so that files are moved to CE
* Modified comment
* Renamed CertCountSystemView
* Moved forwarding function and redefined consume function
* Renamed cert view file
* Moved forwarding function and redefined consume function
Small edit
Renamed cert view file
* Fix issues with commit
* Fix consume job
* Removed error
* Update vault/logical_system_helpers.go
---------
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
Co-authored-by: Victor Rodriguez <vrizo@hashicorp.com>
* Validate that certificate of the connection is the same as the certificate we are trying to renew for.
* add changelog
* Add explicit check for nil-entry.
* Remove the cast - PR feedback.
Co-authored-by: Kit Haines <khaines@mit.edu>
* add observations for the aws secrets engine
* add mock recorder
* add tests to verify observations are created
* fix comment
* update godoc and switch to require
* fix type assertion, add test
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
* Add Disable-Time-Check flag, and also respect common criteria when doing so.
* Switch to EnableTimeChecks to not change default behavior.
* Check Common Criteria Flag Before Disabling Verification.
* Add Changelog.
* Update builtin/logical/pki/issuing/cert_verify_ent.go
* Update changelog/_10915.txt
* PR feedback.
* Merge-fix
* Test case requested by PR review.
---------
Co-authored-by: Kit Haines <khaines@mit.edu>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Correctly set signature bits.
* All the other places that accidentally conflate issuer and issued key.
* Update builtin/logical/pki/path_roles.go
* PR Feedback.
* Add changelog.
* Test and validate keybits in a single call
* License header.
* Add/combine validate and get default hashbits calls.
* Actually set keyBits on the role.
* Fix storage test, switch to defaultOrValue.
* fix storage test.
* Update error return for linter.
* Look at underlying key type not type which might include "managedKeyType" for ca-issuer.
* Update expected role values, and convert between PublicAlgorithm and KeyType internally.
* Move the ec to ecdsa transformation to helper functions. More consistent usage.
* Speed improvement to testing - pregenerate CA bundles and CSR.
* Add go test doc.
* Fix issue with web-merge.
* Error wrapping error now warnings aren't errors.
* PR feedback - move ecdsa support to subfunctions.
---------
Co-authored-by: Kit Haines <khaines@mit.edu>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Adding logic to run tidy on local secret IDs only for perf secondaries
* Modifying periodic tidy to run on local mounts
* Updating changelog for fix in VAULT-40239
Co-authored-by: Sean Ellefson <sellefson@hashicorp.com>
* refactor dependencies and removes disallowed vault imports from builtin Okta auth (#10965)
* move SkipUnlessEnvVarsSet from vault/helper/testhelpers/ to vault/sdk/helper/testhelpers
* use unittest framework from vault-testing-stepwise module in place of sdk/logical
* refactor SkipUnlessEnvVarsSet() and NewAssertAuthPoliciesFunc() to sdk
* bump docker API version to 1.44 matching 2f33549
---------
Co-authored-by: Thy Ton <maithytonn@gmail.com>
* Add override_pinned_version support on configure connection for database (#10517)
* add DatabaseConfigEnt and split ce-ent impl for connectionWriteHandler() and selectPluginVersion()
* add override_pinned_version handling in connectionWriteHandler() and selectPluginVersion()
* split ce-ent impl for connectionReadHandler() to support override_pinned_version
* split ce-ent impl for databaseBackend.GetConnectionWithConfig() to support override_pinned_version
* split TestBackend_* units related to database connection config CRUD into ce and ent
* remove EntDatabaseConfig from response
---------
Co-authored-by: Thy Ton <maithytonn@gmail.com>
* Refuse to issue or sign certs that have a NotAfter before NotBefore
* Add checks to ensure that validity period of cert being issued is contained within CA's validity period
* WIP
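The two issuance checks named in the commits above (refuse a NotAfter earlier than NotBefore; refuse a validity period that is not contained within the CA's), as an added example rather than Vault's own code. checkValidityWindow, yearStart and newCert are names chosen for this example. The containment check matters because a leaf that outlives its issuer looks fine today but fails path validation the moment the CA expires, and a relying party that only inspects the leaf's own dates would keep accepting it past that point.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

var (
	ErrInvertedValidity = errors.New("certificate NotAfter is before NotBefore")
	ErrOutsideIssuer    = errors.New("certificate validity is not contained within issuer validity")
)

// checkValidityWindow enforces both checks before signing. Boundaries are
// inclusive: a leaf whose NotAfter equals the issuer's NotAfter is accepted,
// one that is even a second later is refused.
func checkValidityWindow(issuer, leaf *x509.Certificate) error {
	if leaf.NotAfter.Before(leaf.NotBefore) {
		return fmt.Errorf("%w: NotBefore=%s NotAfter=%s", ErrInvertedValidity,
			leaf.NotBefore.UTC().Format(time.RFC3339), leaf.NotAfter.UTC().Format(time.RFC3339))
	}
	if leaf.NotBefore.Before(issuer.NotBefore) || leaf.NotAfter.After(issuer.NotAfter) {
		return fmt.Errorf("%w: leaf %s..%s, issuer %s..%s", ErrOutsideIssuer,
			leaf.NotBefore.UTC().Format(time.RFC3339), leaf.NotAfter.UTC().Format(time.RFC3339),
			issuer.NotBefore.UTC().Format(time.RFC3339), issuer.NotAfter.UTC().Format(time.RFC3339))
	}
	return nil
}

// yearStart and newCert build unsigned certificates carrying only the
// validity window, which is all these checks look at (constructed input).
func yearStart(year int) time.Time {
	return time.Date(year, 1, 1, 0, 0, 0, 0, time.UTC)
}

func newCert(notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{NotBefore: notBefore, NotAfter: notAfter}
}

func main() {
	issuer := newCert(yearStart(2020), yearStart(2030))
	cases := map[string]*x509.Certificate{
		"inside issuer":         newCert(yearStart(2021), yearStart(2022)),
		"same window as issuer": newCert(yearStart(2020), yearStart(2030)),
		"outlives issuer":       newCert(yearStart(2021), yearStart(2031)),
		"predates issuer":       newCert(yearStart(2019), yearStart(2025)),
		"inverted validity":     newCert(yearStart(2022), yearStart(2021)),
	}
	for name, leaf := range cases {
		if err := checkValidityWindow(issuer, leaf); err != nil {
			fmt.Printf("%-22s refused: %v\n", name, err)
		} else {
			fmt.Printf("%-22s ok\n", name)
		}
	}
}
```

The errors wrap sentinel values so a caller can distinguish the two failures with errors.Is and map them to the right HTTP response (a malformed request versus a policy refusal) without string matching.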
* VAULT-40037 Updates to PKI observations
* review feedback
* public key size
* make fmt
* issuerId for sign self issued
* remove confusing issuer_name
* remove unused var
* whoops common name
* role -> role_name
* role name
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* license: update headers to IBM Corp.
* `make proto`
* update offset because source file changed
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* fix aws auth client cache to use account ID
* return error if no sts config found
* cache ec2 clients by account ID, region, and role
* add changelog
* fix log syntax
Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com>
* Initial implementation
* Use rotation_statements, handle both password and private_key
* Remove debug prints
* Merge in main
* Remove duplicated error text
* Rename keypair root rotation function
* Use NewRotateRootCredentialsWALPasswordEntry
* Add changelog file
* Move back to original file for now, for review
* put generatePassword into function
* Fix names, call helper for generatePassword
* Generalize the rotation flow and keypair path
* Fix conditional check, remove new file
* Fix changelog
* Add test file
* Fix username check var name
* Fix name variable
* Return an error when both fields are set during rotation, and return an error if somehow walEntry is nil
* Fix test godoc
* Remove print
* change rotated key bits to 4096
Co-authored-by: Robert <17119716+robmonte@users.noreply.github.com>
* add new datakeys endpoint and refactor common functionality
* add test file for new endpoint
* add check and test cases
* add endpoint to ent
* Update builtin/logical/transit/path_datakeys_ent_test.go
* address pr feedback
* fix key size
* run make fmt
* add maximum on count
---------
Co-authored-by: Rachel Culpepper <84159930+rculpepper@users.noreply.github.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>