* Copy https://github.com/hashicorp/vault/pull/31733 into main
* fix(transit): prevent panic on restore with missing policy
* test: add unit test for RestorePolicy nil policy validation
* changelog: add entry for transit restore panic fix
* Update changelog/31733.txt
---------
Co-authored-by: Abhishek Dadwal <dadwalabhishek10@gmail.com>
Co-authored-by: Abhishek Dadwal <73817744+Abhishek00810@users.noreply.github.com>
Co-authored-by: Steven Clark <steven@sclark.me>
* WIP
* WIP...
* Update page headers and move logic back
* remove unused stuff
* Fix failing tests
* Use hasNavPermission
* Update raft storage locatin and add namespace link on top
* Update access sidebar link to Access control
* Update order of API_PATHS
* Remove namespace link
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* [VAULT-33083] support mount external engine
* add "Plugin type" and "Plugin version" fields to the enable mount page
* add changelog
* address copilot review comments
* address PR comments, code cleanup
* fix test failures
* Add support for external plugins registered without a plugin version
* external plugin should be enabled for enterprise only, plugin version should be mandatory for external plugins
* fix tests
* address copilot feedback
* fix failing tests, add unit test coverage
* address PR comments
* address PR comments
* remove dead code
* move no external versions alert
* Only show un-versioned plugin message if there are un-versioned plugins in the catalog.
* address PR comments
* use ApiService instead of custom PluginPinsService; fix failing tests
* revert changes to forms/mount.ts and forms/auth/method.ts
Co-authored-by: Shannon Roberts (Beagin) <beagins@users.noreply.github.com>
* VAULT-42143 Update role counting to official only
* KV thing
* remove old func
* update name
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* Fix test race in TestPkiCertificateCountManager_IncrementAndConsume (#12275)
* Fix test race in TestPkiCertificateCountManager_IncrementAndConsume.
* Fix signature of stub function forwardPkiCertCounts.
* Fix call to forwardPkiCertCounts.
---------
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
* fix flacky test by checking for nil billing storage view
* simplify nil checks by checking it inside the worker itself and inside GetBillingSubView to prevent direct method calls in external tests; this we we have single point checks instead of checking it everywhere
* remove redundant nil checks
* add locks and a check against sealed core
* removed a check of sealed core
* re-add individual nil checks
* make getBillingSubView return a bool to to more explicitely indicate possibility of nil storage
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
* removes require-input-label ember-template-lint override
* adds aria-label to textarea in MaskedInput component
* more a11y fixes for missing labels
* adds aria-label back to lookup-input
* adds aria-label back to select component
* ensures aria-label has value in select component
* removes duplicate onchange handler from lookup-input component
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
* Refactor CertificateCounter.IncrementeCount to use a param object.
In preparation to start collecting more information, refactor the
CertificateCounter to take a parameter object which can be later gain more
fields.
* Rework CertificateCounter to use a fluent interface.
Rename method IncrementCount to AddCount.
Remove method AddIssuedCertificate.
Add method Incrementer, which returns an implementation of the new
CertCountIncrementer.
* Add method CertCountIncrement.Add.
* Refactor PkiCertificateCountConsumer to take a CertCountIncrement.
* Fix TestPkiCertificateCountManager_IncrementAndConsume.
* Rename type CertCountIncrement to CertCount.
* Refactor ReadStoredCounts to return a CertCount value.
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
* improve dismissal logic, use AutomationSnippet component, use wizard service for tracking dismissal
* use class helper to check for multiple nodes when rendering tree chart, add test coverage
* update comments
* add wizard service unit test coverage
* move item filtering into helper func
Co-authored-by: lane-wetmore <lane.wetmore@hashicorp.com>
* adding ibm tests for ent files
* adding debug commands
* adding code changes
* adding reload tests
* remove settings.json
* remove ryboe q
* changing isHashicorpLicense to isIBMLicense and moving DiagnoseCheckLicenseGeneration to core_util_common.go
* fix test
* reverting non-license related tests
* reverting non-license related tests
* removing hashicorp license test
* modify reload server_ent_test.go
* change ibm-license paths
* adding census reload server test
* moving LicensingEntitlementSelectionConfig to core_util_common.go
* add EntReloadLicenseAndConfig to stubs
* fix operator diagnose bug
* move bug fix into ce and ent files
* add more ibm test cases
* Update command/command_testonly/server_testonly_ent_test.go
* address comments
* make fmt
---------
Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
Co-authored-by: Jenny Deng <jenny.deng@hashicorp.com>
* rough draft
* add some stuff for dynamic secrets
* add some more helpers and sample tests
* new helpers, new tests, refactoring
* Add Basic Smoke SDK Scenario (#11678)
* Add simple test for stepdown election
* Add a smoke_sdk scenario
* add script to run tests locally
* fix up a few things
* VAULT-39746 - Add Tests to Smoke SDK and Cloud Scenarios (#11795)
* Add some go verification steps in enos sdk test run script
* formatting
* Add a smoke_sdk scenario userpass secret engine create test (#11808)
* Add a smoke_sdk scenario userpass secret engine create test
* Add the some additional tests
* Add Smoke tests to Cloud Scenario (#11876)
* Add a smoke_sdk scenario userpass secret engine create test
* Add the some additional tests
* Add smoke testing to cloud
* Add test results to output and test filtering
* comment
* fix test
* fix the smoke scenario
* Address some various feedback
* missed cleanup
* remove node count dependency in the tests
* Fix test perms
* Adjust the testing and clean them up a bit
* formatting
* fmt
* fmt2
* more fmt
* formatting
* tryagain
* remove the docker/hcp divide
* use the SHA as ID
* adjust perms
* Add transit test
* skip blackbox testing in test-go
* copywrite
* Apply suggestion from @brewgator
* Add godoc
* grep cleanup
---------
Co-authored-by: Josh Black <raskchanky@gmail.com>
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
* Update kubernetes and kmip breadcrumbs
* Add breadcrumbs for non ember engines
* LDAP breadcrumbs..
* PKI breadcrumbs..
* Mostly working kv tests
* kv data persona tests
* Fix remaining kv-workflow test
* Route to vault.cluster instead of dashboard
* VAULT-41964 Update client count breadcrumb + test
* VAULT-41143 Remove user dropdown a11y override
* Add test for nav links on community
* Ensure we check for enterprise
* Address feedback
* Use selector instead
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* PKI: SCEP make GetCACaps response dynamic based on configuration
* add cl
* Use strings.Builder for more efficient response building
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update CHANGELOG.md for versions 1.21.3, 1.20.8, 1.19.14, and 1.16.30
Added release notes for version 1.21.3, 1.20.8, 1.19.14, and 1.16.30 Enterprise, including security updates, changes, features, improvements, and bug fixes.
* Update CHANGELOG for version 1.19.14
Added new security, changes, improvements, and bug fixes for version 1.19.14.
* Fix formatting issues in CHANGELOG.md
Removed extra newlines in CHANGELOG.md to improve formatting.
Co-authored-by: Tony Wittinger <anwittin@users.noreply.github.com>
We've already deployed some changed file detection in the CI pipeline. It uses the Github API to fetch a list of all changed files on a PR and then run it through a simple groups categorization pass. It's been a useful strategy in the context of a Pull Request because it does not depend on the local state of the Git repo.
This commit introduces a local git-based file change detection and validation system for the pipeline tool, enabling developers to identify and validate changed files before pushing code. We intend to use the new tool in two primary ways:
- As a Git pre-push hook when pushing new or updated branches. (Implemented here)
- As part of the scheduled automated repository synchronization. (Up next, and it will use the same `git.CheckChangedFilesReq{}` implementation.
This will allow us to guard all pushes to `hashicorp/vault` and `ce/*` branches in `hashicorp/vault-enterprise`, whether run locally on a developer machine or in CI by our service user.
We introduce two new `pipeline` CLI commands:
- `pipeline git list changed-files`
- `pipeline git check changed-files`
Both support specifying what method of git inspection we want to use for the changed files list:
- **`--branch <branch>`**: Lists all files added in the entire history of a specific branch. We use this when pushing a _new_ branch.
- **`--range <range>`**: Lists all changed files within a commit range (e.g., `HEAD~5..HEAD`). We use this when updating an existing branch.
- **`--commit <sha>`**: Lists all changed files in a specific commit (using `git show`). This isn't actually used at all in the pre-push hook but it useful if you wish to inspect a single commit on your branch.
The behavior when passing the `range` and `commit` is similar. We inspect the changed file list either for one or many commits (but with slightly different implementations for efficiency and accuracy. The `branch` option is a bit different. We use it to inspect the branches entire history of changed files for enterprise files before pushing a new branch. We do this to ensure that our branch doesn't accidentally add and then subsequently remove enterprise files, leaving the contents in the history but nothing obvious in the diff.
Each command supports several different output formats. The default is the human readable text table, though `--format json` will write all of the details as valid JSON to STDOUT. When given the `--github-output` command each will write a more concise version of the JSON output to `$GITHUB_OUTPUT`. It differs from our standard JSON output as it has been formatted to be easier to use in Github Actions contexts without requiring complex filtering.
When run, changed files are automatically categorized into logical groups based on their file name, just like our existing changed file detection. A follow-up to this PR will introduce a configuration based system for classifying file groups. This will allow us to create generic support for changed file detection so that many repositories can adopt this pattern.
The major difference in behavior between the two new commands is that the `list` command will always list the changed files for the given method/target, while the `check` command requires one-or-more changed file groups that we want to disallow to be included via the `-g` flag. If any changed files match the given group(s) then the command will fail. That allows us to specify the `enterprise` group and disallow the command to succeed if any of the changed files match the group.
The pre-push git hook now uses this system to prevent accidental pushes, however, it requires the local machine to have the `pipeline` tool in the `$PATH`. This ought not be much of a requirement as a working Go toolchain is required for any Vault developer. When it is not present we explain in our error messages how to resolve the problem and direct them to our slack channel if they need further assistance.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* add a new method to identify whether KMIP is enabled
* add a new prefix for the new metric
* add new methods to store and update the metric
* update the kmip usage in billing
* move the method to ent file since kmip is ent only feature
* add unit tests at the core metrics level
* add new unit tests to test the billing methods for the new metric
* add persistence to test cases
* add external tests for primary and secondary
* account for DR secondaries, add clarifying comments, fix tests
* fmt
* move call of update into update local hwm metric method
* feedback: simplify update method by removing operation to get stored value
* feedback: optimize kmip usage detection by adding atomic tracker to detect usage once kmip mount is enabled
* fmt
* feedback: remove check on DR secondary inside update method but leave it at Get method for now
* feedback: change kmip prefix to a more flexible structure with sub item
* feedback: rename atomic tracker for kmip usage
* feedback: simplify the kmip identifier method
* revert back on kmip path prefix changes
* feedback: move the atomic bool into consumption billing struct
* feedback: remove DR check in Get method since dr needs to have billing data replicated
* add another external test to test local mount detection in perf secondary
* add a no-op oss stub for kmip enabled method
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
* PKI: Address failures with SCEP handlers on standby nodes
* add cl
* Add extra safety to protect against nil panics
* PR feedback
* PR feedback 2
* Ignore DR states
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* VAULT-41682 - update header to add title tag and centre align with icon
* Fixed linting error
Co-authored-by: mohit-hashicorp <mohit.ojha@hashicorp.com>
- Resolves CVE-2025-61732
- Fixes an issue in `crypto/x509` with certificate validation with
single-label DNS name constraints.
- Fixes an issue in `crypto/tls` where certificate chaings were not
reverified during resumption.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* WIP secrets sidebar
* Remove unwanted text and put some things back..
* Add secrets templates for sidebar
* Fix tests
* Update more Secrets navlinks
* Add copywrite headers
* Creates secrets.hbs so its the parent route
* Update secrets comment
* Update component name
* Update sidebar to use helper
* Secrets sync breadcrumbs
* Address feedback~
* Use enum and add helper test
* Fix links!
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* Add the ability to specify extra audit only fields from a plugin
* Add extra auditing fields within the PKI OCSP handler
* Add missing copywrite headers
* Format OCSP dates when non-zero, otherwise specify not set to be clear
* Feedback 2: Only set time fields if not zero instead of non-parsable string
* Serialize JSON fields in SDK response struct
* Perform renames based on RFC feedback
* Resolve OpenAPI test failure
* add cl
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Vault 42177 Add Backend Field (#12092)
* add a new struct for the total number of successful requests for transit and transform
* implement tracking for encrypt path
* implement tracking in encrypt path
* add tracking in rewrap
* add tracking to datakey path
* add tracking to hmac path
* add tracking to sign path
* add tracking to verify path
* unit tests for verify path
* add tracking to cmac path
* reset the global counter in each unit test
* add tracking to hmac verify
* add methods to retrieve and flush transit count
* modify the methods that store and update data protection call counts
* update the methods
* add a helper method to combine replicated and local data call counts
* add tracking to the endpoint
* fix some formatting errors
* add unit tests to path encrypt for tracking
* add unit tests to decrypt path
* fix linter error
* add unit tests to test update and store methods for data protection calls
* stub fix: do not create separate files
* fix the tracking by coordinating replicated and local data, add unit tests
* update all reference to the new data struct
* revert to previous design with just one global counter for all calls for each cluster
* complete external test
* no need to check if current count is greater than 0, remove it
* feedback: remove unnacassary comments about atomic addition, standardize comments
* leave jira id on todo comment, remove unused method
* rename mathods by removing HWM and max in names, update jira id in todo comment, update response field key name
* feedback: remove explicit counter in cmac tests, instead put in the expected number
* feedback: remove explicit tracking in the rest of the tests
* feedback: separate transit testing into its own external test
* Update vault/consumption_billing_util_test.go
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
* update comment after test name change
* fix comments
* fix comments in test
* another comment fix
* feedback: remove incorrect comment
* fix a CE test
* fix the update method: instead of storing max, increment by the current count value
* update the unit test, remove local prefix as argument to the methods since we store only to non-replicated paths
* update the external test
* Adds a field to backend to track billing data
removed file
* Changed implementation to use a map instead
* Some more comments
* Add more implementation
* Edited grpc server backend
* Refactored a bit
* Fix one more test
* Modified map:
* Revert "Modified map:"
This reverts commit 1730fe1f358b210e6abae43fbdca09e585aaaaa8.
* Removed some other things
* Edited consumption billing files a bit
* Testing function
* Fix transit stuff and make sure tests pass
* Changes
* More changes
* More changes
* Edited external test
* Edited some more tests
* Edited and fixed tests
* One more fix
* Fix some more tests
* Moved some testing structures around and added error checking
* Fixed some nits
* Update builtin/logical/transit/path_sign_verify.go
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Edited some errors
* Fixed error logs
* Edited one more thing
* Decorate the error
* Update vault/consumption_billing.go
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
---------
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Edited stub function
---------
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
Co-authored-by: divyaac <divyaac@berkeley.edu>
Update to the latest actions. The primary motivation here is to get the
latest action-setup-enos.
- actions/cache => v5.0.3: security patches
- actions/checkout => v6.0.2: small fixes to git user-agent and tag
fetching
- hashicorp/action-setup-enos => v1.50: security patches
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* In the random APIs, add a 'prng' param that causes a DRBG seeded from the selected source(s) to be the source of the returned bytes
* fixes, unit test next
* unit tests
* changelog
* memory ramifications
* switch to using a string called drbg
* Update helper/random/random_api.go
* wrong changelog
---------
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* updates flags service to use api service
* converts clients index route to ts
* updates clients config workflows to use api service
* updates clients date-range component to handle Date objects rather than ISO strings
* updates clients page-header component to handle Date objects and use api and capabilities services
* updates clients route to use api and capabilities services
* updates types in client-counts helpers
* updates client counts route to use api service
* updates types for client-counts serializers
* updates date handling in client counts page component
* updates clients overview page component
* converts clients page-header component to ts
* fixes type errors in clients page-header component
* updates client counts tests
* updates client-count-card component to use api service
* converts client-count-card component to ts
* removes model-form-fields test that uses clients/config model
* removes clients/version-history model usage from client-counts helpers tests
* removes migrated models from adapter and model registries
* removes clients ember data models, adapters and serializers
* updates clients date-range component to format dates in time zone
* cleans up references to activityError in client counts route
* adds clients/activity mirage model
* updates activation flags assertions in sync overview tests
* fixes issue selecting current period in clients date-range component and adds test
* fixes issues with enabled state for client counts
* updates parseAPITimestamp to handle date object formatting
* removes unnecesarry type casting for format return in parseAPITimestamp util
* updates parseAPITimestamp to use formatInTimeZone for strings
* updates parseAPITimestamp comment
* updates enabled value in clients config component to boolean
* adds date-fns-tz to core addon
* removes parseISO from date-formatters util in favor of new Date
* updates comments for client counts
* updates retention months validation for client counts config
* updates comment and min retention months default for client counts config
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
* adding ibm tests for ent files
* changing isHashicorpLicense to isIBMLicense and moving DiagnoseCheckLicenseGeneration to core_util_common.go
* reverting non-license related tests
* removing hashicorp license test
Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
* add a new struct for the total number of successful requests for transit and transform
* implement tracking for encrypt path
* implement tracking in encrypt path
* add tracking in rewrap
* add tracking to datakey path
* add tracking to hmac path
* add tracking to sign path
* add tracking to verify path
* unit tests for verify path
* add tracking to cmac path
* reset the global counter in each unit test
* add tracking to hmac verify
* add methods to retrieve and flush transit count
* modify the methods that store and update data protection call counts
* update the methods
* add a helper method to combine replicated and local data call counts
* add tracking to the endpoint
* fix some formatting errors
* add unit tests to path encrypt for tracking
* add unit tests to decrypt path
* fix linter error
* add unit tests to test update and store methods for data protection calls
* stub fix: do not create separate files
* fix the tracking by coordinating replicated and local data, add unit tests
* update all reference to the new data struct
* revert to previous design with just one global counter for all calls for each cluster
* complete external test
* no need to check if current count is greater than 0, remove it
* feedback: remove unnacassary comments about atomic addition, standardize comments
* leave jira id on todo comment, remove unused method
* rename mathods by removing HWM and max in names, update jira id in todo comment, update response field key name
* feedback: remove explicit counter in cmac tests, instead put in the expected number
* feedback: remove explicit tracking in the rest of the tests
* feedback: separate transit testing into its own external test
* Update vault/consumption_billing_util_test.go
* update comment after test name change
* fix comments
* fix comments in test
* another comment fix
* feedback: remove incorrect comment
* fix a CE test
* fix the update method: instead of storing max, increment by the current count value
* update the unit test, remove local prefix as argument to the methods since we store only to non-replicated paths
* update the external test
* fix a bug: reset the counter everyime we update the stored counter value to prevent double-counting
* update one of the tests
* update external test
---------
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
Co-authored-by: divyaac <divya.chandrasekaran@hashicorp.com>
* update namespace empty state
add in refresh button to empty state and update tests
update button design
* update copy
* update when exit button is shown
* update css class
* revert state changes
Co-authored-by: lane-wetmore <lane.wetmore@hashicorp.com>
- actions/checkout -> v6.0.2: some minor changes around setting the
ACTIONS_ORCHESTRATION_ID and some fixes to `fetch-tags`.
- actions/setup-python -> v6.2.0: Node 24 compat
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
