* Parse OpenAPI response correctly if schema includes

* Add changelog

* small cleanup

compromised clients are not part of vault's threat model

* Update description of certificate fetch API
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify /config/crl and /config/url PKI are empty

GET-ing these URLs will return 404 until such time as a config is posted
to them, even though (in the case of CRL), default values will be used.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify usage of /pki/crl/rotate
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update documentation around PKI key_bits

This unifies the description of key_bits to match the API description
(which is consistent across all usages).
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix indented field descriptions in PKI paths
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify documentation around serial_number

Note that this field has no impact on the actual Serial Number field and
only an attribute in the requested certificate's Subject.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Fix spelling of localdomain
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add validation, fix docs

* add changelog

* fmt fix

* Update vault/logical_system.go
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update vault/logical_system.go
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update vault/logical_system_test.go
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

* Update vault/logical_system_test.go
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>
Co-authored-by: Josh Black <raskchanky@users.noreply.github.com>

Unlike fips_140_3, fips will be a (FIPS) version-agnostic build tag.
The listener support will remain in 140-3 only, but the IsFIPS() check
should apply regardless of FIPS version.

We add two FIPS-only build files which validate the constraints of FIPS
builds here: fips must be specified with either fips_140_2 or fips_140_3
build tags, and fips and cgo must also be specified together.
Additionally, using only a version-specific FIPS build tag without the
version-agnostic FIPS tag should be a failure.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* only check Contains if IP address

* fix typo

* add bug fix changelog

* add MFA validation support to vault login command

* correctly report new totp code availability period

These options must be specified multiple times in order to be properly
parsed. However, the present description suggests that a comma-separated
list would work as well, however this isn't the case and results in a
slice containing a single string (with all comma-separated values) in
the API request. Clarify the argument help text to make this clearer.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

Use net/http client when body could be too big for retryablehttp client

* fix empty masked inputs displaying

* Revert "fix empty masked inputs displaying"

This reverts commit 8b297df7.

* fix empty masked inputs displaying

* fix info banner conditional

* add test coverage

* adds changelog

* fixes tests

* change other canParse conditional

* add tip for how to force a secrets engine disable

* add warning to force disable secrets instructions

* clean up wording

* add force secrets engine disable info to api doc

* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/api-docs/system/mounts.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/commands/secrets/disable.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* Update website/content/docs/commands/secrets/disable.mdx
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* feedback updates

* impl taoism feedback
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>

* added add_basic_constraints parameter to PKI API docs

Added add_basic_constraints parameter to PKI API docs for Generate Intermediate. 

Copied description from https://github.com/hashicorp/vault/blob/ba533d006f2244103648785ebfe8a9a9763d2b6e/builtin/logical/pki/path_intermediate.go#L34-L37

Added Enigma Vault secret plugin. Designed to be simple but complete, a good starting point for plugin developers (#14389)

It was determined that it would be better to have these changes alert
the docs team. Additional guidance is in place to not approve docs+code
PRs ahead of code review.

This reverts commit 6d16840f.

* The UI redirects to properly prefixed namespace if some other namespace is passed instead, with tests

* Fix ordering

* Add changelog

* remove mount accessor from MFA config

* Update login_mfa_duo_test.go

* DUO test with entity templating

* using identitytpl.PopulateString to perform templating

* minor refactoring

* fixing fmt failures in CI

* change username format to username template

* fixing username_template example

Updates the systemd service shipped with Linux packages to `Type=notify`

* Full secret path in table output of get and put

* Add path output to KV patch and metadata get

* Add changelog

* Don't print secret path for kv-v1

* Make more readable

* Switch around logic to not swallow error

* Add test for secret path

* Fix metadata test

* Add unit test for padequalsigns

* Remove wonky kv get tests

* Add support for PROXY protocol v2 in TCP listener

I did not find tests for this so I added one trying to cover different
configurations to make sure I did not break something. As far as I know,
the behavior should be exactly the same as before except for one thing
when proxy_protocol_behavior is set to "deny_unauthorized", unauthorized
requests were previously silently reject because of https://github.com/armon/go-proxyproto/blob/7e956b284f0a/protocol.go#L81-L84
but it will now be logged.

Also fixes https://github.com/hashicorp/vault/issues/9462 by adding
support for `PROXY UNKNOWN` for PROXY protocol v1.

Closes https://github.com/hashicorp/vault/issues/3807

* Add changelog

* plugin client and plugin catalog tests

* add v5 plugin cases and more checks

* improve err msg

* refactor tests; fix test err msg

[QTI-188] Add test-ember-enos Makefile target, update enos-test-ember script to accept additional paramters (#14403)

[QTI-188] Update the UI tests to be able to run against a cluster deployed to AWS. Add build hooks (package.json/Makefile) to execute ui tests with a real backend. (#14396)