Backport of Vault 3999 Change permissions for directory/archive created by debug command  into release/1.8.x (#14877)

* backport of commit 74feb3a1

* backport of commit 54ef0ae0

Co-authored-by: akshya96 <araghavan@hashicorp.com>

* Fixing excessive unix file permissions

* CL

* reduce the permission from 750 to 700

Backport of [VAULT-5003] Use net/http client in Sys().RaftSnapshotRestore into release/1.8.x (#14838)

* backport of Use net/http client in Sys().RaftSnapshotRestore into release/1.8.x (#14838)

* Vault-4279 reporting redundant/unused keys in config

* missing validate step

* CL

* Change the log level

Backport of VAULT-4240 time.After() in a select statement can lead to memory leak into release/1.8.x (#14825)

* backport of commit 4ca1742f10b702265268a936942249f373a544a6

* backport of commit b7067500f381fca0d58af8203eb278050affe552
Co-authored-by: hamid ghaf <hamid@hashicorp.com>

* no-op commit due to failed cherry-picking

* treat logical.ErrRelativePath as 400 instead of 500

(cherry picked from commit c1e527d4886939aaded77c1de010fc62b3d20eaf)

* add changelog entry

(cherry picked from commit 550d3aa7f45d7483b5eb73ddcaf15e40d5ccce21)

* return UserError for logical.ErrRelativePath

(cherry picked from commit 154a3a7f8f28c1fb910947314f3d64387041423e)

* add missing import
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com>

* backport of commit e0d23f4195623fd4a5ec1900f4fae488478667da

* backport of commit 0fd1e6fbf10d7601660fcabaa00aa402e360f3b1

* backport of commit 492b422b69c5d4f9f697dffa13a10c7c03cc2377
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

Backport of Fix panic caused by parsing `json.Number` values for TypeCommaStringSlice fields into release/1.8.x (#14741)

* no-op commit due to failed cherry-picking

* port over ParseCommaStringSlice json.Number fix from go-secure-stdlib

* add changelog entry

(cherry picked from commit cec77a20dc8deb514f635064b73a4299085eafec)
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

* no-op commit due to failed cherry-picking

* port over kvbuilder backslash fix from go-secure-stdlib

* add changelog entry

(cherry picked from commit d90053515f1aa03e394ad649773521880c597820)

* fix single backslash kv put test
Co-authored-by: temp <temp@hashicorp.com>
Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

* backport of commit 156bfc1c

* backport of commit 38f51cc5

Co-authored-by: Chris Capurso <1036769+ccapurso@users.noreply.github.com>

Co-authored-by: Michele Degges <mdeggies@gmail.com>

Co-authored-by: hashishaw <cshaw@hashicorp.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>

Co-authored-by: Jordan Reimer <zofskeez@gmail.com>

Co-authored-by: Jordan Reimer <zofskeez@gmail.com>

* fixes issue with token auth selected after logging out from oidc or jwt methods

* adds changelog entry

* reverts backendType var name change in auth-form authenticate method

Co-authored-by: mickael e <mickael@hashicorp.com>

Co-authored-by: Michele Degges <mdeggies@gmail.com>

* backport of commit 8aef67766926213f0b0e3f2d733aa987e630cdc4

* backport of commit 7fe721670e53bcc153092591a973be8d7e2b0528

* backport of commit 9b1cca294fb47db904a0480364d44ac8362ca187
Co-authored-by: Stephen Wayne <swayne@hashicorp.com>

Co-authored-by: Ricky Grassmuck <rigrassm@gmail.com>

* backport of commit eaf5f1a50f72c4ebcae6c6c7d2fa6e5e94382ba5

* backport of commit a0e6d1b6b93fd84967314aca28dc4b7f58fbe6b0
Co-authored-by: Jordan Reimer <zofskeez@gmail.com>

Co-authored-by: Sarah <sthompson@hashicorp.com>

* backport of commit a9fca1048496c2b2c828c14188ca6a1db0676ef8

* Fixes pre-refactor

* Tests
Co-authored-by: hashishaw <cshaw@hashicorp.com>
Co-authored-by: Chelsea Shaw <82459713+hashishaw@users.noreply.github.com>

Backport 1.8.x - Add role parameter to restrict issuance of wildcard certificates + Clarify documentation around certificate issuance (#14252)

* Add role parameter to restrict issuance of wildcard certificates (#14238)

* Add new AllowWildcardCertificate field to PKI role

This field allows the PKI role to control whether or not issuance of
wildcard certificates are allowed. We default (both on migration and
new role creation) to the less secure true value for backwards
compatibility with existing Vault versions.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Refactor sanitizedName to reducedName

Per comment, this variable name was confusing during the reproduction
and subsequent fix of the earlier vulnerability and associated bug
report. Because the common name isn't necessarily _sanitized_ in any way
(and indeed must be considered in relation to other parts or the whole),
but portions of the entire name are removed, reducedName appears to make
the most sense.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Enforce AllowWildcardCertificates during issuance

This commit adds the bulk of correctly validating wildcard certificate
Common Names during issuance according to RFC 6125 Section 6.4.3
semantics. As part of this, support for RFC 2818-conforming wildcard
certificates (wherein there are almost no restrictions on issuance) has
been removed.

Note that this flag does take precedence over AllowAnyName, giving a
little more safety in wildcard issuance in this case.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Update test cases to conform with RFC 6125

Test cases 19, 70+71, and 83+84 didn't conform with the RFC 6125, and so
should've been rejected under strict conformance. For 70+71 and 83+84,
we previously conditioned around the value of AllowSubdomains (allowing
issuance when true), but they likely should've been rejected either way.

Additionally, update the notes about globs matching wildcard
certificates to notate this is indeed the case.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Check AllowWildcardCertifciates in issuance tests

This allows for regression tests to cover the new
AllowWildcardCertificate conditional. We add additional test cases
ensuring that wildcard issuance is properly forbidden in all relevant
scenarios, while allowing the existing test cases to validate that
wildcard status doesn't affect non-wildcard certificates.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add Wildcard allowance during signing operations

When using sign-verbatim, sign-intermediate, or getting certificate
generation parameters, set AllowWildcardCertificates to mirror existing
policies.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Clarify documentation around certificate issuance (#14236)

We note that:

 - allow_bare_domains, allow_glob_domains, and allow_subdomains are all
   independent,
 - enforce_hostnames and allow_wildcard_certificates take precedence over
   allow_any_name,
 - We limit to RFC 6125 wildcards.
 - Clarify that both allow_bare_domains and allow_glob_domains will permit
   wildcard issuance in certain scenarios.
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>
Co-authored-by: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Co-authored-by: Kit Haines <kit.haines@hashicorp.com>

* Allow issuance of wildcard via glob match

From Vault v1.8.0 onwards, we would incorrectly disallow issuance of a
wildcard certificate when allow_glob_domain was enabled with a
multi-part glob domain in allowed_domains (such as *.*.foo) when
attempting to issue a wildcard for a subdomain (such as *.bar.foo).

This fixes that by reverting an errant change in the case insensitivity
patch. Here, when validating against a very powerful glob construct, we
leave the wildcard prefix (*.) from the raw common_name element, to
allow multi-part globs to match wildcard entries.

It is important to note that "sanitizedName" is an incorrect variable
naming here. Wildcard parsing (per RFC 6125 which supercedes RFC 2818)
must be in the left-most segment of the domain, but we lack validation
to ensure no internal wildcards exist. Additionally per item 3 of
section 6.4.3 of RFC 6125, wildcards MAY be internal to a domain
segment, in which case sanitizedName again leaves the wildcard in place.

Resolves: #13530
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Remove duplicate email address check

As pointed out by Steven Clark (author of the removed conditional in
70012cd8

), this is duplicate from the
now-reintroduced comparison against name (versus the erroneous
sanitizedName at the time of his commit).

This is a reversion of the changes to builtin/logical/pki/cert_util.go,
but keeping the additional valuable test cases.
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add multi-dimensional PKI role issuance tests

This commit introduces multi-dimensional testing of PKI secrets engine's
role-based certificate issuance with the intent of preventing future
regressions.

Here, dimensions of testing include:

 - AllowedDomains to decide which domains are approved for issuance,
 - AllowBareDomains to decide if raw entries of AllowedDomains are
   permitted,
 - AllowGlobDomains to decide if glob patterns in AllowedDomains are
   parsed,
 - AllowSubdomains to decide if subdomains of AllowedDomains are
   permitted,
 - AllowLocalhost to decide if localhost identifiers are permitted, and
 - CommonName of the certificate to request.
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>

* secrets/openldap: fix panic from nil logger

* changelog

* validate cipher length before decrypting

* also protect decrypt from short cipher

* Fix pkcs7 parsing in some cases

brings in https://github.com/mozilla-services/pkcs7/pull/61 from upstream

In some cases but not all, aws includes a certificate in the pkcs7 response,
and currently vault fails to parse those certificates:
```
URL: PUT https://vault.example.com/v1/auth/aws/login


Code: 500. Errors
* failed to parse the BER encoded PKCS#7 signature: ber2der: Invalid BER format
```

This fixes logins on those instances.  Note we could not readily ascertain why
some instances have those certificates and others don't.

* Add changelog entry

* Correct missed line
Co-authored-by: Jacob Burroughs <jburroughs@instructure.com>

* backport of commit b6995880edb57337040c79b609ee7c3286fad684

* backport of commit a27fcf35402fc537a32f745b808cd249b04d4ca9
Co-authored-by: hashishaw <cshaw@hashicorp.com>

Co-authored-by: Sarah <sthompson@hashicorp.com>

Co-authored-by: raakatz <76823497+raakatz@users.noreply.github.com>
Co-authored-by: Loann Le <84412881+taoism4504@users.noreply.github.com>