* removes require-input-label ember-template-lint override
* adds aria-label to textarea in MaskedInput component
* more a11y fixes for missing labels
* adds aria-label back to lookup-input
* adds aria-label back to select component
* ensures aria-label has value in select component
* removes duplicate onchange handler from lookup-input component
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
* Refactor CertificateCounter.IncrementeCount to use a param object.
In preparation to start collecting more information, refactor the
CertificateCounter to take a parameter object which can later gain more
fields.
* Rework CertificateCounter to use a fluent interface.
Rename method IncrementCount to AddCount.
Remove method AddIssuedCertificate.
Add method Incrementer, which returns an implementation of the new
CertCountIncrementer.
* Add method CertCountIncrement.Add.
* Refactor PkiCertificateCountConsumer to take a CertCountIncrement.
* Fix TestPkiCertificateCountManager_IncrementAndConsume.
* Rename type CertCountIncrement to CertCount.
* Refactor ReadStoredCounts to return a CertCount value.
Co-authored-by: Victor Rodriguez Rizo <vrizo@hashicorp.com>
* improve dismissal logic, use AutomationSnippet component, use wizard service for tracking dismissal
* use class helper to check for multiple nodes when rendering tree chart, add test coverage
* update comments
* add wizard service unit test coverage
* move item filtering into helper func
Co-authored-by: lane-wetmore <lane.wetmore@hashicorp.com>
* adding ibm tests for ent files
* adding debug commands
* adding code changes
* adding reload tests
* remove settings.json
* remove ryboe q
* changing isHashicorpLicense to isIBMLicense and moving DiagnoseCheckLicenseGeneration to core_util_common.go
* fix test
* reverting non-license related tests
* reverting non-license related tests
* removing hashicorp license test
* modify reload server_ent_test.go
* change ibm-license paths
* adding census reload server test
* moving LicensingEntitlementSelectionConfig to core_util_common.go
* add EntReloadLicenseAndConfig to stubs
* fix operator diagnose bug
* move bug fix into ce and ent files
* add more ibm test cases
* Update command/command_testonly/server_testonly_ent_test.go
* address comments
* make fmt
---------
Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>
Co-authored-by: Jenny Deng <jenny.deng@hashicorp.com>
* rough draft
* add some stuff for dynamic secrets
* add some more helpers and sample tests
* new helpers, new tests, refactoring
* Add Basic Smoke SDK Scenario (#11678)
* Add simple test for stepdown election
* Add a smoke_sdk scenario
* add script to run tests locally
* fix up a few things
* VAULT-39746 - Add Tests to Smoke SDK and Cloud Scenarios (#11795)
* Add some go verification steps in enos sdk test run script
* formatting
* Add a smoke_sdk scenario userpass secret engine create test (#11808)
* Add a smoke_sdk scenario userpass secret engine create test
* Add some additional tests
* Add Smoke tests to Cloud Scenario (#11876)
* Add a smoke_sdk scenario userpass secret engine create test
* Add some additional tests
* Add smoke testing to cloud
* Add test results to output and test filtering
* comment
* fix test
* fix the smoke scenario
* Address some various feedback
* missed cleanup
* remove node count dependency in the tests
* Fix test perms
* Adjust the testing and clean them up a bit
* formatting
* fmt
* fmt2
* more fmt
* formatting
* tryagain
* remove the docker/hcp divide
* use the SHA as ID
* adjust perms
* Add transit test
* skip blackbox testing in test-go
* copywrite
* Apply suggestion from @brewgator
* Add godoc
* grep cleanup
---------
Co-authored-by: Josh Black <raskchanky@gmail.com>
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
* Update kubernetes and kmip breadcrumbs
* Add breadcrumbs for non ember engines
* LDAP breadcrumbs..
* PKI breadcrumbs..
* Mostly working kv tests
* kv data persona tests
* Fix remaining kv-workflow test
* Route to vault.cluster instead of dashboard
* VAULT-41964 Update client count breadcrumb + test
* VAULT-41143 Remove user dropdown a11y override
* Add test for nav links on community
* Ensure we check for enterprise
* Address feedback
* Use selector instead
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* PKI: SCEP make GetCACaps response dynamic based on configuration
* add cl
* Use strings.Builder for more efficient response building
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* Update CHANGELOG.md for versions 1.21.3, 1.20.8, 1.19.14, and 1.16.30
Added release notes for version 1.21.3, 1.20.8, 1.19.14, and 1.16.30 Enterprise, including security updates, changes, features, improvements, and bug fixes.
* Update CHANGELOG for version 1.19.14
Added new security, changes, improvements, and bug fixes for version 1.19.14.
* Fix formatting issues in CHANGELOG.md
Removed extra newlines in CHANGELOG.md to improve formatting.
Co-authored-by: Tony Wittinger <anwittin@users.noreply.github.com>
We've already deployed some changed file detection in the CI pipeline. It uses the GitHub API to fetch a list of all changed files on a PR and then run it through a simple groups categorization pass. It's been a useful strategy in the context of a Pull Request because it does not depend on the local state of the Git repo.
This commit introduces a local git-based file change detection and validation system for the pipeline tool, enabling developers to identify and validate changed files before pushing code. We intend to use the new tool in two primary ways:
- As a Git pre-push hook when pushing new or updated branches. (Implemented here)
- As part of the scheduled automated repository synchronization. (Up next, and it will use the same `git.CheckChangedFilesReq{}` implementation.)
This will allow us to guard all pushes to `hashicorp/vault` and `ce/*` branches in `hashicorp/vault-enterprise`, whether run locally on a developer machine or in CI by our service user.
We introduce two new `pipeline` CLI commands:
- `pipeline git list changed-files`
- `pipeline git check changed-files`
Both support specifying what method of git inspection we want to use for the changed files list:
- **`--branch <branch>`**: Lists all files added in the entire history of a specific branch. We use this when pushing a _new_ branch.
- **`--range <range>`**: Lists all changed files within a commit range (e.g., `HEAD~5..HEAD`). We use this when updating an existing branch.
- **`--commit <sha>`**: Lists all changed files in a specific commit (using `git show`). This isn't actually used at all in the pre-push hook but it is useful if you wish to inspect a single commit on your branch.
The behavior when passing the `range` and `commit` is similar. We inspect the changed file list either for one or many commits (but with slightly different implementations for efficiency and accuracy). The `branch` option is a bit different. We use it to inspect the branch's entire history of changed files for enterprise files before pushing a new branch. We do this to ensure that our branch doesn't accidentally add and then subsequently remove enterprise files, leaving the contents in the history but nothing obvious in the diff.
Each command supports several different output formats. The default is the human readable text table, though `--format json` will write all of the details as valid JSON to STDOUT. When given the `--github-output` command each will write a more concise version of the JSON output to `$GITHUB_OUTPUT`. It differs from our standard JSON output as it has been formatted to be easier to use in GitHub Actions contexts without requiring complex filtering.
When run, changed files are automatically categorized into logical groups based on their file name, just like our existing changed file detection. A follow-up to this PR will introduce a configuration based system for classifying file groups. This will allow us to create generic support for changed file detection so that many repositories can adopt this pattern.
The major difference in behavior between the two new commands is that the `list` command will always list the changed files for the given method/target, while the `check` command requires one-or-more changed file groups that we want to disallow to be included via the `-g` flag. If any changed files match the given group(s) then the command will fail. That allows us to specify the `enterprise` group and disallow the command to succeed if any of the changed files match the group.
The pre-push git hook now uses this system to prevent accidental pushes; however, it requires the local machine to have the `pipeline` tool in the `$PATH`. This ought not be much of a requirement as a working Go toolchain is required for any Vault developer. When it is not present we explain in our error messages how to resolve the problem and direct them to our Slack channel if they need further assistance.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
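Added example, not part of the commit above or of the repository's actual hook: a minimal pre-push hook that picks `--branch` for a new branch and `--range` for an update, then disallows the `enterprise` group with `-g`. The function names (`is_zero`, `plan_check`, `run_hook`), the flag ordering and the `<remote sha>..<local sha>` range form are assumptions.

```shell
#!/bin/sh
# Git feeds a pre-push hook one line per pushed ref on stdin:
#   <local ref> <local sha> <remote ref> <remote sha>
# An all-zero remote sha means the ref does not exist on the remote yet;
# an all-zero local sha means the ref is being deleted.

# is_zero succeeds when the object id is all zeros (SHA-1 or SHA-256 length).
is_zero() {
  case "$1" in
    *[!0]*) return 1 ;;
    *) return 0 ;;
  esac
}

# plan_check prints the pipeline invocation for one pre-push line,
# or nothing when there is nothing to inspect.
plan_check() {
  local_ref=$1 local_sha=$2 remote_sha=$4
  case "$local_ref" in
    refs/heads/*) ;;        # only branch pushes are inspected here
    *) return 0 ;;
  esac
  if is_zero "$local_sha"; then
    return 0                # deleting a remote branch pushes no files
  fi
  if is_zero "$remote_sha"; then
    # New branch: walk its whole history so a file that was added and
    # later removed is still caught even though the final diff is clean.
    printf 'pipeline git check changed-files --branch %s -g enterprise\n' \
      "${local_ref#refs/heads/}"
  else
    # Existing branch: only the commits the remote does not have yet.
    printf 'pipeline git check changed-files --range %s..%s -g enterprise\n' \
      "$remote_sha" "$local_sha"
  fi
}

# run_hook reads pre-push lines from stdin and fails on the first rejected ref.
run_hook() {
  if ! command -v pipeline >/dev/null 2>&1; then
    echo "pre-push: 'pipeline' is not in \$PATH; install it before pushing" >&2
    return 1
  fi
  while read -r local_ref local_sha remote_ref remote_sha; do
    cmd=$(plan_check "$local_ref" "$local_sha" "$remote_ref" "$remote_sha")
    if [ -n "$cmd" ]; then $cmd || return 1; fi
  done
}

if [ "${0##*/}" = "pre-push" ]; then run_hook; fi
```
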
* add a new method to identify whether KMIP is enabled
* add a new prefix for the new metric
* add new methods to store and update the metric
* update the kmip usage in billing
* move the method to ent file since kmip is ent only feature
* add unit tests at the core metrics level
* add new unit tests to test the billing methods for the new metric
* add persistence to test cases
* add external tests for primary and secondary
* account for DR secondaries, add clarifying comments, fix tests
* fmt
* move call of update into update local hwm metric method
* feedback: simplify update method by removing operation to get stored value
* feedback: optimize kmip usage detection by adding atomic tracker to detect usage once kmip mount is enabled
* fmt
* feedback: remove check on DR secondary inside update method but leave it at Get method for now
* feedback: change kmip prefix to a more flexible structure with sub item
* feedback: rename atomic tracker for kmip usage
* feedback: simplify the kmip identifier method
* revert back on kmip path prefix changes
* feedback: move the atomic bool into consumption billing struct
* feedback: remove DR check in Get method since dr needs to have billing data replicated
* add another external test to test local mount detection in perf secondary
* add a no-op oss stub for kmip enabled method
Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
* PKI: Address failures with SCEP handlers on standby nodes
* add cl
* Add extra safety to protect against nil panics
* PR feedback
* PR feedback 2
* Ignore DR states
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* VAULT-41682 - update header to add title tag and centre align with icon
* Fixed linting error
Co-authored-by: mohit-hashicorp <mohit.ojha@hashicorp.com>
- Resolves CVE-2025-61732
- Fixes an issue in `crypto/x509` with certificate validation with
single-label DNS name constraints.
- Fixes an issue in `crypto/tls` where certificate chains were not
reverified during resumption.
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* WIP secrets sidebar
* Remove unwanted text and put some things back..
* Add secrets templates for sidebar
* Fix tests
* Update more Secrets navlinks
* Add copywrite headers
* Creates secrets.hbs so its the parent route
* Update secrets comment
* Update component name
* Update sidebar to use helper
* Secrets sync breadcrumbs
* Address feedback~
* Use enum and add helper test
* Fix links!
Co-authored-by: Kianna <30884335+kiannaquach@users.noreply.github.com>
* Add the ability to specify extra audit only fields from a plugin
* Add extra auditing fields within the PKI OCSP handler
* Add missing copywrite headers
* Format OCSP dates when non-zero, otherwise specify not set to be clear
* Feedback 2: Only set time fields if not zero instead of non-parsable string
* Serialize JSON fields in SDK response struct
* Perform renames based on RFC feedback
* Resolve OpenAPI test failure
* add cl
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>