Changes:
Lock direct mount table replacement in TestCore_Mount_Local
Hold mountsLock while mutating a mount entry and calling persistMounts in TestCore_Mount_Local
Lock the direct mount entry slice rebuild in TestCore_Mount_Local
Lock direct mount table replacement in TestCore_FindOps
Lock direct mount table replacement in TestCore_MountInitialize
Co-authored-by: Jorge Aquino <jaquino.usmc@gmail.com>
* Add enterprise build tag to ent files lacking it. Add cedev Makefile target (#10934)
* Revert everything except the ce stub
---------
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* pipeline: enable us-east-2 region when running scenarios (#15869)
Due to the frequent runner disconnects leaving orphaned infra, we're now
commonly seeing more VPC limit issues in the intervals between when the
infra sweeper runs. Instead of increasing our limits more, we'll instead
enable `us-east-2`. There will be a marginal cost impact as `us-east-2`
is ever so slightly more expensive than `us-west-2` and `us-east-1`, but
it's worth it so as to not have failing CI runs.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* remove all failures, add relevant test results
* adding code change for test.
* adding back in deleted code
* changing to testonly
* adding links to tests
* update to tree, not ref
* removing test
* adding script for first test manifest
Co-authored-by: JMGoldsmith <spartanaudio@gmail.com>
* [VAULT-46498]: Do not redirect all snapshot operations (#15769)
* only redirect snapshot loads. all other snapshot operations should be handled normally
* changelog
* fix comment, add additional test cases
* VAULT-46498: Snapshot redirect test should be ent only (#15861)
---------
Co-authored-by: miagilepner <mia.epner@hashicorp.com>
* fixing parsing error for 64 bit slot id
* adding this changes in changelog
* Revert "adding this changes in changelog"
This reverts commit 6b61c0c934161d9fbce2b16cf06a5dc60dc8db45.
reverting previous commit for chaneglog
* adding new changelog file
* adding new changelog file
Co-authored-by: sandeep-ibm2026 <sandeep.kumar.srivastava@ibm.com>
Update software.sslmate.com/src/go-pkcs12 to v0.7.2 to fix security vulnerability GO-2026-5052
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* no-op commit
* Turn opts.Raw into WithoutEnvelope instead of a mismatching raw parameter in encryptWithManagedKey (#15862)
---------
Co-authored-by: Scott Miller <smiller@hashicorp.com>
* no-op commit
* Refactor sync UI to support multiple secret types with configuration-based architecture
* remove radio-cards and add mount-based secret type auto-detection for sync destinations
Co-authored-by: Copilot <copilot@github.com>
* enhance suggestion input component with placeholder and no matches message support from parent
* refactor secrets component methods for improved readability and consistency
* refactor sync components and update empty state messages for clarity
* updated ui as per figma design
* Refactor secret handling and introduce SecretTypeBadge component for improved UI representation
* updated button text as per Figma design
* Enable external link support for database static roles in SECRET_TYPE_CONFIGS
* Update document and improve tests for database roles
* Add release note for Secrets Sync UI feature to support syncing Database static roles
* fixed changelog name and updated link to remove trailing space
* resolved copilot review comments
---------
Co-authored-by: Mohit Ojha <mohit.ojha@hashicorp.com>
Co-authored-by: Copilot <copilot@github.com>
* added struct for transform roles
* added transform roles to mount traversal functions
* added combine util function
* getter function
* reporting function
* fix API list path
* comment adjustment
* add schema entry
* add writer to big writer function
* updated schema
* test function for collection
* getter test
* changed function to test transform role counts
* return to originial test, moving test into ent file
* fixed comment
* added new ent file for testing per mount metric collection for ent-only features
* capture range variable in table-driven subtest
* remove redundant outer mountsLock in metrics test
CountMetricsFromMounts already acquires mountsLock internally; the outer
RLock was a recursive read-lock with deadlock potential.
* File name changes
* Fold transform roles into roleCounts and renamed TransitKey to writeManagedKeyMetrics
* Finished folding transform role counts into existing roleCounts infra
* Added changelog
* Updated naming for ent and added transit key metric changelog as well
* moved Transform role count test to external_test cluster
* Will add transit key changelog to different pr
* Moved all tests to external package
* Deleted redudant tests
* Replace sleep with EventuallyWithT
* Update vault/census_manager_schema_ent.go
---------
Co-authored-by: Gaurav Mitra <gauravmitra@ibm.com>
Co-authored-by: claire bontempo <clairebontempo@gmail.com>
Adds a global option to deny slashes in templated policy path output,
defaults to false:
- hcl config `deny_slash_in_templated_paths = true/false`
- env var `VAULT_DENY_SLASH_IN_TEMPLATED_PATHS=true/false`
* fix changelog and init deny option correctly for CE
---------
Co-authored-by: Theron Voran <tvoran@users.noreply.github.com>
Co-authored-by: Violet Hynes <a.xenasis@gmail.com>
* close slow subscribers with bounded queue on event subs
* chanelog
* Add ErrSlowConsumer as valid test path
* Add VAULT_BOUNDED_EVENT_QUEUE env var to gate bounded event queue feature
* cleanup comments
* Update changelog/_15549.txt
* Update vault/eventbus/bus.go
* Add VAULT_BOUNDED_EVENT_QUEUE env var to gate bounded event queue feature
Gate bounded event queue implementation with VAULT_BOUNDED_EVENT_QUEUE
environment variable for gradual rollout. Set to a positive integer (e.g., 16)
to enable buffered subscriber channels of that size. Defaults to 0 (unbuffered)
for backward compatibility.
Changes:
- Add EnvVaultBoundedEventQueue constant and getSubscriberBufferSize() helper
- Cache buffer size at EventBus initialization for performance
- Add subscriberBufferSize field to EventBus and bufferSize to asyncChanNode
- Update newAsyncNode() to accept buffer size parameter
- Update asyncChanNode.Process() to use cached bufferSize for behavior selection
- Add getEventID() helper for safe event ID extraction (prevents panics)
- Update tests to use integer configuration and improve error handling
- Update changelog to document configurable buffer size
This allows operators to opt-in to bounded queue behavior with tunable buffer
sizes, preventing goroutine leaks and providing immediate slow consumer detection,
while maintaining backward compatibility with unbuffered channels as default.
* update env var name
* add max buffer size of 1000
* update changelog
---------
Co-authored-by: Angel Garbarino <Monkeychip@users.noreply.github.com>
Co-authored-by: Charles Nwokotubo <charles.nwokotubo@hashicorp.com>
Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
* send over data for spiffe
* add test
* fix bug in tests: do not use hard coded core in the billing handler because it is always set to the active node's core
* add changelog
* address all feedback
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
* Added schema definition and updated schema version
* update
* Fix
* Added transitKeys metric counting to existing functions in billing
* test functions written
* census schema version
* test fix
Co-authored-by: Gaurav Mitra <gauravmitra@ibm.com>
* actions: pin to latest actions
- actions/checkout@9c091bb21b => v7.0.0
Adds a guardrail to prevent accidentally checking out fork pull
request code in privileged GitHub Actions contexts
(pull_request_target and PR-triggered workflow_run), with an
explicit opt-in escape hatch for advanced workflows.
- pnpm/action-setup@0ebf47130e => v6.0.9
Update pnpm to v11.7.0
- Add .github/actions/build-ui to ui changed files group
- Add .github/actions/build-ui to ui/frontend CODEOWNERS
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Reorganize vault blackbox tests into isolated/scenario/system structure (#14919)
* Reorganize vault blackbox tests into isolated/scenario/system structure
- Move 38 test files from flat structure to organized directories:
* isolated/: namespace-scoped, concurrent-safe tests (auth, secrets, plugins, verify)
* scenario/: state-changing tests (raft, ha)
* system/: system-level config tests (billing, license)
- Add build tags (isolated, scenario, system) to all test files
- Update enos scenarios to use new test paths (./vault/external_tests/blackbox/isolated/verify)
- Add isolated build tag to undo_logs_test.go for consistency
- Remove empty directories and duplicate test files
- All tests compile successfully with respective build tags
Updated enos scenarios: autopilot, agent, dr-replication, plugin, pr-replication, proxy, seal-ha, smoke, upgrade
* Fix test failures: skip postgres without env vars, handle userpass login failure
* Add HSM-specific build tags for test compilation
* Add metadata path permissions for KV v2 delete/undelete operations
* Fix KV tests: use user session for all write operations
* Fix KV tests: remove userpass, use root session
* Incorporate new AWS and LDAP test functions from main branch
- Add TestAWS_SecretsCreate() and TestAWS_SecretsRead() to isolated/plugins/aws/secrets_aws_test.go
* Tests basic AWS secrets engine configuration and role creation
* Tests reading AWS role and root configuration
* Complements existing TestAWS_GenerateNewUser() with simpler test cases
- Add TestLDAP_StaticRoleCreate(), TestLDAP_LibrarySetRead(), and TestLDAP_LibrarySetDelete() to isolated/plugins/ldap/secrets_ldap_test.go
* Tests LDAP static role creation for password rotation
* Tests LDAP library set operations for service account management
* Tests library set deletion
* Adds requireLDAPAvailable() helper for connectivity verification
* Complements existing dynamic credential tests
- All new test functions include:
* Build tag: //go:build isolated
* t.Parallel() for concurrent execution
* Proper environment variable checks with skip logic
* Consistent error handling and assertions
- Cleanup:
* Removed stray .git directories from test folders
* Removed empty vault/external_tests/blackbox/plugins directory
These changes ensure the PR includes all test coverage from main while maintaining
the new isolated/scenario/system organization structure.
* Fix pr-replication scenario to use correct test path and name
- Update test_package from ./vault/external_tests/blackbox/verify to isolated/verify
- Update test_names from TestVaultUIAvailability to TestUIAssets
- Fixes test failures caused by incomplete migration in blackbox test reorganization
* Fix all Enos scenarios: isolated/verify path and correct test names
* Skip isolated tests on CE - require enterprise features
---------
Co-authored-by: hashigator <280075563+hashigator@users.noreply.github.com>
Co-authored-by: hashigator <lt.carbonell@ibm.com>
* [UI]: Ember Data Migration Identity List and Details (#15157)
* Update identity views edm
* Use model directly
* Code cleanup!
* Refresh list view if deleted
* Update identity detail page
* Identity show..
* Have different method types
* Update delete...
* [UI] Ember Data Migration: Identity forms, show, edit, create and list routes (#15291)
* Identity forms...
* Fetch entities and groups in route
* Update forms to have edit
* Fix breadcrumbs
* Update save to use api service method
* Merge entities form...
* Update aliases
* Entity and group show routes
* Fix create / save action
* Add alias form.
* Fix some tests!
* Fix tests and update capability check
* WIP fixing tests...
* Fixes some details page bugs
* Edit form delete actions..
* Passing all tests!!
* Refactor some utils
* Update to class based syntax
* Form label updates
* Remove unused onSuccess
* [UI] Identity EDM code cleanup (#15608)
* Fix cancelLink action
* Update tests to have the correct args
* Ensure add alias button shows when alias does not exist
* Fix lookup input
* Fix other tabs and pages..
* Address comments
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* no-op commit
* Sgm/without envelope wireup (#15441)
* Changes needed to allow encryption/decryption with gcpckms in managed keys
* wip
* wip
* wip
* Normalize key purposes across implementations
* update kmse
* Update kms wrapper deps to those that support WithoutEnvelope
* crucially, supply the option in the wrapper managed key impl
* restore the kmse update
* no, thats done via the encryptWithManagedKey in Policy, not needed here
* changelog
* remove replace
* Update sdk's go-kms-wrapping
* mod tidy
* Switch to using the main wrapper even for testing.
* update test cluster usage
* Update go.mod
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* Update go.mod
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
* more go.sum update
* PR feedback
* GCPC KMS needed some more config massaging to work w/ encryption
---------
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
---------
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Co-authored-by: wiz-inc-0e7a25329d[bot] <177343755+wiz-inc-0e7a25329d[bot]@users.noreply.github.com>
Mark `.agents` and `ui/.agents` as enterprise-only in the pipeline
changed-files grouping config. These directories contain internal
developer tooling (agent skills and configurations) that must not
be synced to CE branches or included in CE backports.
Update both the live config and the test fixture to keep them in
sync.
Co-authored-by: Angelo Cordon <angelo.cordon@hashicorp.com>
Co-authored-by: OpenCode (claude-sonnet-4.6) <opencode.noreply@hashicorp.com>
Add support for running enos on Fyre with support for linux/s390x,
linux/amd64, and linux/ppc64le. The enterprise version of this PR
has enterprise only scenarios. The changes reflected here are on
shared modules.
We now have three new fyre modules that are can swap in-place of
create_vpc, ec2_info, and target_ec2_instances:
create_vpc_fyre_shim, fyre_os_info and target_fyre_vms. This pass
doesn't make them adhered 1:1 as module interfaces but that can come
later when the base scenarios are merged.
The only major change we had to make to long existing modules was
supporting leader_api_addr for discovery. Historically we've always used
cloud based node discovery but that's obviously not available in Fyre.
Nowyou can set the retry_join variable to either local_api_addr or
aws.
We also modify our integration containers to use those available from
the HashiCorp docker mirror. We do this because we pull those images
unauthenticated and thus share the same external address as the larger
network, which makes the likelihood of throttling very high.
To maintain the goal of the Fyre scenarios not requiring AWS credentials, I
had to move the AWS secrets verification into it's own module. That allows
us now to simply not include it, but later if/when we include it we can have
scenarios with the Fyre backend compile them out by skipping.
This PR is massive and covers the following tickets:
VAULT-40635
VAULT-40636
VAULT-44591
VAULT-34888
VAULT-34887
VAULT-34886
VAULT-34885
VAULT-34884
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>