This project is mirrored from https://gitee.com/NQL886/vault.git.
Pull mirroring failed.
Repository mirroring has been paused due to too many failed attempts. It can be resumed by a project maintainer.
- 29 Mar, 2022 4 commits
-
-
akshya96 authored
-
akshya96 authored
-
hc-github-team-secure-vault-core authored
* backport of commit e0d23f4195623fd4a5ec1900f4fae488478667da
* backport of commit 0fd1e6fbf10d7601660fcabaa00aa402e360f3b1
* backport of commit 492b422b69c5d4f9f697dffa13a10c7c03cc2377
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
-
hc-github-team-secure-vault-core authored
Backport of Fix panic caused by parsing `json.Number` values for TypeCommaStringSlice fields into release/1.8.x (#14741)
* no-op commit due to failed cherry-picking
* port over ParseCommaStringSlice json.Number fix from go-secure-stdlib
* add changelog entry
(cherry picked from commit cec77a20dc8deb514f635064b73a4299085eafec)
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
-
- 28 Mar, 2022 2 commits
-
-
hc-github-team-secure-vault-core authored
* no-op commit due to failed cherry-picking
* port over kvbuilder backslash fix from go-secure-stdlib
* add changelog entry
(cherry picked from commit d90053515f1aa03e394ad649773521880c597820)
* fix single backslash kv put test
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
-
hc-github-team-secure-vault-core authored
* backport of commit 156bfc1c
* backport of commit 38f51cc5
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
-
- 25 Mar, 2022 1 commit
-
-
hc-github-team-secure-vault-core authored
Co-authored-by: Michele Degges <mdeggies@gmail.com>
-
- 21 Mar, 2022 2 commits
-
-
hc-github-team-secure-vault-core authored
Co-authored-by: hashishaw <cshaw@hashicorp.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
-
hc-github-team-secure-vault-core authored
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
-
- 18 Mar, 2022 2 commits
-
-
hc-github-team-secure-vault-core authored
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
-
Jordan Reimer authored
* fixes issue with token auth selected after logging out from oidc or jwt methods
* adds changelog entry
* reverts backendType var name change in auth-form authenticate method
-
- 16 Mar, 2022 1 commit
-
-
hc-github-team-secure-vault-core authored
Co-authored-by: mickael e <mickael@hashicorp.com>
-
- 15 Mar, 2022 1 commit
-
-
Jason O'Donnell authored
-
- 14 Mar, 2022 2 commits
-
-
hc-github-team-secure-vault-core authored
Co-authored-by: Michele Degges <mdeggies@gmail.com>
-
hc-github-team-secure-vault-core authored
* backport of commit 8aef67766926213f0b0e3f2d733aa987e630cdc4
* backport of commit 7fe721670e53bcc153092591a973be8d7e2b0528
* backport of commit 9b1cca294fb47db904a0480364d44ac8362ca187
Co-authored-by: Stephen Wayne <swayne@hashicorp.com>
-
- 11 Mar, 2022 1 commit
-
-
hc-github-team-secure-vault-core authored
Co-authored-by: Ricky Grassmuck <rigrassm@gmail.com>
-
- 03 Mar, 2022 2 commits
-
-
Chris Capurso authored
-
Chris Capurso authored
-
- 02 Mar, 2022 1 commit
-
-
hc-github-team-secure-vault-core authored
* backport of commit eaf5f1a50f72c4ebcae6c6c7d2fa6e5e94382ba5
* backport of commit a0e6d1b6b93fd84967314aca28dc4b7f58fbe6b0
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>
-
- 28 Feb, 2022 1 commit
-
-
hc-github-team-secure-vault-core authored
Co-authored-by: Sarah <sthompson@hashicorp.com>
-
- 24 Feb, 2022 6 commits
-
-
Nick Cabatoff authored
-
Nick Cabatoff authored
-
hc-github-team-secure-vault-core authored
* backport of commit a9fca1048496c2b2c828c14188ca6a1db0676ef8
* Fixes pre-refactor
* Tests
Co-authored-by: hashishaw <cshaw@hashicorp.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>
-
Nick Cabatoff authored
-
Alexander Scheel authored
Backport 1.8.x - Add role parameter to restrict issuance of wildcard certificates + Clarify documentation around certificate issuance (#14252)
* Add role parameter to restrict issuance of wildcard certificates (#14238)
* Add new AllowWildcardCertificate field to PKI role
This field allows the PKI role to control whether or not issuance of wildcard certificates is allowed. We default (both on migration and new role creation) to the less secure true value for backwards compatibility with existing Vault versions.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Refactor sanitizedName to reducedName
Per comment, this variable name was confusing during the reproduction and subsequent fix of the earlier vulnerability and associated bug report. Because the common name isn't necessarily _sanitized_ in any way (and indeed must be considered in relation to other parts or the whole), but portions of the entire name are removed, reducedName appears to make the most sense.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Enforce AllowWildcardCertificates during issuance
This commit adds the bulk of correctly validating wildcard certificate Common Names during issuance according to RFC 6125 Section 6.4.3 semantics. As part of this, support for RFC 2818-conforming wildcard certificates (wherein there are almost no restrictions on issuance) has been removed. Note that this flag does take precedence over AllowAnyName, giving a little more safety in wildcard issuance in this case.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Update test cases to conform with RFC 6125
Test cases 19, 70+71, and 83+84 didn't conform with the RFC 6125, and so should've been rejected under strict conformance. For 70+71 and 83+84, we previously conditioned around the value of AllowSubdomains (allowing issuance when true), but they likely should've been rejected either way. Additionally, update the notes about globs matching wildcard certificates to notate this is indeed the case.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Check AllowWildcardCertificates in issuance tests
This allows for regression tests to cover the new AllowWildcardCertificate conditional. We add additional test cases ensuring that wildcard issuance is properly forbidden in all relevant scenarios, while allowing the existing test cases to validate that wildcard status doesn't affect non-wildcard certificates.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add Wildcard allowance during signing operations
When using sign-verbatim, sign-intermediate, or getting certificate generation parameters, set AllowWildcardCertificates to mirror existing policies.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Clarify documentation around certificate issuance (#14236)
We note that:
- allow_bare_domains, allow_glob_domains, and allow_subdomains are all independent,
- enforce_hostnames and allow_wildcard_certificates take precedence over allow_any_name,
- We limit to RFC 6125 wildcards.
- Clarify that both allow_bare_domains and allow_glob_domains will permit wildcard issuance in certain scenarios.
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
-
Alexander Scheel authored
* Allow issuance of wildcard via glob match
From Vault v1.8.0 onwards, we would incorrectly disallow issuance of a wildcard certificate when allow_glob_domain was enabled with a multi-part glob domain in allowed_domains (such as *.*.foo) when attempting to issue a wildcard for a subdomain (such as *.bar.foo). This fixes that by reverting an errant change in the case insensitivity patch. Here, when validating against a very powerful glob construct, we leave the wildcard prefix (*.) from the raw common_name element, to allow multi-part globs to match wildcard entries. It is important to note that "sanitizedName" is an incorrect variable naming here. Wildcard parsing (per RFC 6125 which supersedes RFC 2818) must be in the left-most segment of the domain, but we lack validation to ensure no internal wildcards exist. Additionally per item 3 of section 6.4.3 of RFC 6125, wildcards MAY be internal to a domain segment, in which case sanitizedName again leaves the wildcard in place.
Resolves: #13530
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Remove duplicate email address check
As pointed out by Steven Clark (author of the removed conditional in 70012cd8), this is duplicate from the now-reintroduced comparison against name (versus the erroneous sanitizedName at the time of his commit). This is a reversion of the changes to builtin/logical/pki/cert_util.go, but keeping the additional valuable test cases.
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add multi-dimensional PKI role issuance tests
This commit introduces multi-dimensional testing of PKI secrets engine's role-based certificate issuance with the intent of preventing future regressions. Here, dimensions of testing include:
- AllowedDomains to decide which domains are approved for issuance,
- AllowBareDomains to decide if raw entries of AllowedDomains are permitted,
- AllowGlobDomains to decide if glob patterns in AllowedDomains are parsed,
- AllowSubdomains to decide if subdomains of AllowedDomains are permitted,
- AllowLocalhost to decide if localhost identifiers are permitted, and
- CommonName of the certificate to request.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
-
- 19 Feb, 2022 1 commit
-
-
Jason O'Donnell authored
* secrets/openldap: fix panic from nil logger
* changelog
-
- 18 Feb, 2022 1 commit
-
-
swayne275 authored
* validate cipher length before decrypting
* also protect decrypt from short cipher
-
- 11 Feb, 2022 1 commit
-
-
Jason O'Donnell authored
* Fix pkcs7 parsing in some cases
brings in https://github.com/mozilla-services/pkcs7/pull/61 from upstream
In some cases but not all, aws includes a certificate in the pkcs7 response, and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login
Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```
This fixes logins on those instances. Note we could not readily ascertain why some instances have those certificates and others don't.
* Add changelog entry
* Correct missed line
Co-authored-by: Jacob Burroughs <jburroughs@instructure.com>
-
- 08 Feb, 2022 1 commit
-
-
hc-github-team-secure-vault-core authored
* backport of commit b6995880edb57337040c79b609ee7c3286fad684
* backport of commit a27fcf35402fc537a32f745b808cd249b04d4ca9
Co-authored-by: hashishaw <cshaw@hashicorp.com>
-
- 07 Feb, 2022 1 commit
-
-
hc-github-team-secure-vault-core authored
Co-authored-by: Sarah <sthompson@hashicorp.com>
-
- 04 Feb, 2022 1 commit
-
-
hc-github-team-secure-vault-core authored
Co-authored-by: raakatz <76823497+raakatz@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>
-
- 03 Feb, 2022 1 commit
-
-
hc-github-team-secure-vault-core authored
Co-authored-by: hamid ghaf <hamid@hashicorp.com>
-
- 01 Feb, 2022 1 commit
-
-
claire labry authored
* add security-scan
* updating the alpine version
* clean up
* update the alpine version to be more prescriptive
-
- 28 Jan, 2022 3 commits
-
-
hc-github-team-secure-vault-core authored
* removed fmt strings and replaced with inline SQL | added unit tests
* changelog++
Co-authored-by: Gary Frederick <gary.frederick@hashicorp.com>
-
Nick Cabatoff authored
* Remove unnecessary branch filters; we rely instead on exiting the jobs on inappropriate branches, since otherwise GH's required checks won't be satisfied.
-
hc-github-team-secure-vault-core authored
Co-authored-by: Steve Clark <steven.clark@hashicorp.com>
-
- 27 Jan, 2022 1 commit
-
-
Meggie authored
-
- 25 Jan, 2022 2 commits
-
-
hc-github-team-secure-vault-core authored
Co-authored-by: mickael e <mickael@hashicorp.com>
-
Jordan Reimer authored
* Raft peer removal bug (#13098)
* fixes issue removing raft peer via cli not reflected in UI until refresh
* adds changelog entry
* removes faker
* attempts to fix global error in circle ci run
-