Merge branch 'main' into dependabot/github_actions/actions/setup-node…

…-4.0.3
hashicorp · Aug 16, 2024 · 48c8e17 · 48c8e17
2 parents 1ac6813 + 30da9ae
commit 48c8e17
Show file tree

Hide file tree

Showing 40 changed files with 948 additions and 257 deletions.
diff --git a/.github/actions/build-vault/action.yml b/.github/actions/build-vault/action.yml
@@ -146,7 +146,7 @@ runs:
         BUNDLE_PATH: out/${{ steps.metadata.outputs.artifact-basename }}.zip
       shell: bash
       run: make ci-bundle
-    - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+    - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
       with:
         name: ${{ steps.metadata.outputs.artifact-basename }}.zip
         path: out/${{ steps.metadata.outputs.artifact-basename }}.zip
@@ -178,13 +178,13 @@ runs:
           echo "deb-files=$(basename out/*.deb)"
         } | tee -a "$GITHUB_OUTPUT"
     - if: inputs.create-packages == 'true'
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
       with:
         name: ${{ steps.package-files.outputs.rpm-files }}
         path: out/${{ steps.package-files.outputs.rpm-files }}
         if-no-files-found: error
     - if: inputs.create-packages == 'true'
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
       with:
         name: ${{ steps.package-files.outputs.deb-files }}
         path: out/${{ steps.package-files.outputs.deb-files }}

diff --git a/.github/actions/set-up-go/action.yml b/.github/actions/set-up-go/action.yml
@@ -40,7 +40,7 @@ runs:
         else
           echo "go-version=${{ inputs.go-version }}" | tee -a "$GITHUB_OUTPUT"
         fi
-    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+    - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         go-version: ${{ steps.go-version.outputs.go-version }}
         cache: false # We use our own caching strategy

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -387,7 +387,7 @@ jobs:
         with:
           version: ${{ needs.setup.outputs.vault-version-metadata }}
           product: ${{ needs.setup.outputs.vault-binary-name }}
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         if: steps.generate-metadata-file.outcome == 'success' # upload our metadata if we created it
         with:
           name: metadata.json

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -207,7 +207,7 @@ jobs:
           mkdir -p test-results/qunit
           yarn ${{ needs.setup.outputs.is-enterprise == 'true' && 'test' || 'test:oss' }}
       - if: always()
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: test-results-ui
           path: ui/test-results

diff --git a/.github/workflows/plugin-update-check.yml b/.github/workflows/plugin-update-check.yml
@@ -29,7 +29,7 @@ jobs:
           # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
           token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
 
-      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
           go-version-file: .go-version

diff --git a/.github/workflows/plugin-update.yml b/.github/workflows/plugin-update.yml
@@ -34,7 +34,7 @@ jobs:
           # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
           token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
 
-      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
           go-version-file: .go-version

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -16,17 +16,17 @@ on:
 jobs:
   scan:
     runs-on: ${{ github.repository == 'hashicorp/vault' && 'ubuntu-latest' || fromJSON('["self-hosted","ondemand","os=linux","type=c6a.4xlarge"]') }}
-    # The first check ensures this doesn't run on community-contributed PRs, who
-    # won't have the permissions to run this job.
+    # The first check ensures this doesn't run on community-contributed PRs, who won't have the
+    # permissions to run this job.
     if: |
-      (startsWith(github.repository, 'hashicorp/vault') || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)) &&
+      ! github.event.pull_request.head.repo.fork &&
       github.actor != 'dependabot[bot]' &&
       github.actor != 'hc-github-team-secure-vault-core'
     steps:
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
     - name: Set up Go
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
         go-version-file: .go-version

diff --git a/.github/workflows/test-go.yml b/.github/workflows/test-go.yml
@@ -478,15 +478,15 @@ jobs:
         run: |
           tar -cvf '${{ steps.metadata.outputs.go-test-log-archive-name }}' -C "${{ steps.metadata.outputs.go-test-log-dir }}" .
       - name: Upload test logs archives
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: ${{ steps.metadata.outputs.go-test-log-archive-name }}
           path: ${{ steps.metadata.outputs.go-test-log-archive-name }}
           retention-days: 7
         if: success() || failure()
       - name: Upload test results
         if: success() || failure()
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: ${{ steps.metadata.outputs.go-test-results-upload-key }}
           path: |
@@ -526,7 +526,7 @@ jobs:
         if: |
           (success() || failure()) &&
           steps.data-race-check.outputs.data-race-result == 'failure'
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: ${{ steps.metadata.outputs.data-race-log-upload-key }}
           path: ${{ steps.metadata.outputs.go-test-dir }}/${{ steps.metadata.outputs.data-race-log-file }}
@@ -599,7 +599,7 @@ jobs:
           '${{ steps.metadata.outputs.gotestsum-timing-events }}' \
           >> '${{ steps.metadata.outputs.failure-summary-file-name }}'
       - name: Upload failure summary
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         if: success() || failure()
         with:
           name: ${{ steps.metadata.outputs.failure-summary-file-name }}

diff --git a/.github/workflows/test-run-acc-tests-for-path.yml b/.github/workflows/test-run-acc-tests-for-path.yml
@@ -25,7 +25,7 @@ jobs:
         with:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
       - run: go test -v ./${{ inputs.path }}/... 2>&1 | tee ${{ inputs.name }}.txt
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: ${{ inputs.name }}-output
           path: ${{ inputs.name }}.txt

diff --git a/.github/workflows/test-run-enos-scenario-matrix.yml b/.github/workflows/test-run-enos-scenario-matrix.yml
@@ -155,7 +155,7 @@ jobs:
         run: enos scenario launch --timeout 60m0s --chdir ./enos ${{ matrix.scenario.id.filter }}
       - name: Upload Debug Data
         if: failure()
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           # The name of the artifact is the same as the matrix scenario name with the spaces replaced with underscores and colons replaced by equals.
           name: ${{ steps.prepare_scenario.outputs.debug_data_artifact_name }}

diff --git a/audit/broker.go b/audit/broker.go
@@ -305,7 +305,7 @@ func (b *Broker) LogRequest(ctx context.Context, in *logical.LogInput) (retErr e
 	if hasAuditPipelines(b.broker) {
 		status, err = b.broker.Send(auditContext, event.AuditType.AsEventType(), e)
 		if err != nil {
-			return fmt.Errorf("%w: %w", err, errors.Join(status.Warnings...))
+			return errors.Join(append([]error{err}, status.Warnings...)...)
 		}
 	}
 
@@ -389,7 +389,7 @@ func (b *Broker) LogResponse(ctx context.Context, in *logical.LogInput) (retErr
 	if hasAuditPipelines(b.broker) {
 		status, err = b.broker.Send(auditContext, event.AuditType.AsEventType(), e)
 		if err != nil {
-			return fmt.Errorf("%w: %w", err, errors.Join(status.Warnings...))
+			return errors.Join(append([]error{err}, status.Warnings...)...)
 		}
 	}
 

diff --git a/changelog/27457.txt b/changelog/27457.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+sdk/helper: Allow setting environment variables when using NewTestDockerCluster
+```
diff --git a/sdk/helper/testcluster/docker/environment.go b/sdk/helper/testcluster/docker/environment.go
@@ -805,20 +805,23 @@ func (n *DockerClusterNode) Start(ctx context.Context, opts *DockerClusterOption
 		}
 	}
 
+	envs := []string{
+		// For now we're using disable_mlock, because this is for testing
+		// anyway, and because it prevents us using external plugins.
+		"SKIP_SETCAP=true",
+		"VAULT_LOG_FORMAT=json",
+		"VAULT_LICENSE=" + opts.VaultLicense,
+	}
+	envs = append(envs, opts.Envs...)
+
 	r, err := dockhelper.NewServiceRunner(dockhelper.RunOptions{
 		ImageRepo: n.ImageRepo,
 		ImageTag:  n.ImageTag,
 		// We don't need to run update-ca-certificates in the container, because
 		// we're providing the CA in the raft join call, and otherwise Vault
 		// servers don't talk to one another on the API port.
-		Cmd: append([]string{"server"}, opts.Args...),
-		Env: []string{
-			// For now we're using disable_mlock, because this is for testing
-			// anyway, and because it prevents us using external plugins.
-			"SKIP_SETCAP=true",
-			"VAULT_LOG_FORMAT=json",
-			"VAULT_LICENSE=" + opts.VaultLicense,
-		},
+		Cmd:               append([]string{"server"}, opts.Args...),
+		Env:               envs,
 		Ports:             ports,
 		ContainerName:     n.Name(),
 		NetworkName:       opts.NetworkName,
@@ -1089,6 +1092,7 @@ type DockerClusterOptions struct {
 	CA          *testcluster.CA
 	VaultBinary string
 	Args        []string
+	Envs        []string
 	StartProbe  func(*api.Client) error
 	Storage     testcluster.ClusterStorage
 	DisableTLS  bool

diff --git a/sdk/helper/testcluster/docker/environment_test.go b/sdk/helper/testcluster/docker/environment_test.go
@@ -0,0 +1,38 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package docker
+
+import (
+	"testing"
+)
+
+func TestSettingEnvsToContainer(t *testing.T) {
+	expectedEnv := "TEST_ENV=value1"
+	expectedEnv2 := "TEST_ENV2=value2"
+	opts := &DockerClusterOptions{
+		ImageRepo: "hashicorp/vault",
+		ImageTag:  "latest",
+		Envs:      []string{expectedEnv, expectedEnv2},
+	}
+	cluster := NewTestDockerCluster(t, opts)
+	defer cluster.Cleanup()
+
+	envs := cluster.GetActiveClusterNode().Container.Config.Env
+
+	if !findEnv(envs, expectedEnv) {
+		t.Errorf("Missing ENV variable: %s", expectedEnv)
+	}
+	if !findEnv(envs, expectedEnv2) {
+		t.Errorf("Missing ENV variable: %s", expectedEnv2)
+	}
+}
+
+func findEnv(envs []string, env string) bool {
+	for _, e := range envs {
+		if e == env {
+			return true
+		}
+	}
+	return false
+}
diff --git a/ui/app/models/kv/metadata.js b/ui/app/models/kv/metadata.js
@@ -69,11 +69,6 @@ export default class KvSecretMetadataModel extends Model {
     return keyIsFolder(this.path);
   }
 
-  // cannot use isDeleted due to ember property conflict
-  get isSecretDeleted() {
-    return isDeleted(this.deletionTime);
-  }
-
   // turns version object into an array for version dropdown menu
   get sortedVersions() {
     const array = [];
@@ -93,6 +88,7 @@ export default class KvSecretMetadataModel extends Model {
     return {
       state,
       isDeactivated: state !== 'created',
+      deletionTime: data.deletion_time,
     };
   }
 

diff --git a/ui/lib/core/addon/components/json-editor.js b/ui/lib/core/addon/components/json-editor.js
@@ -16,6 +16,7 @@ import { obfuscateData } from 'core/utils/advanced-secret';
  * <JsonEditor @title="Policy" @value={{hash foo="bar"}} @viewportMargin={{100}} />
  *
  * @param {string} [title] - Name above codemirror view
+ * @param {boolean} [showToolbar=true] - If false, toolbar and title are hidden
  * @param {string} value - a specific string the comes from codemirror. It's the value inside the codemirror display
  * @param {Function} [valueUpdated] - action to preform when you edit the codemirror value.
  * @param {Function} [onFocusOut] - action to preform when you focus out of codemirror.

diff --git a/ui/lib/core/addon/components/overview-card.hbs b/ui/lib/core/addon/components/overview-card.hbs
@@ -10,10 +10,14 @@
   data-test-overview-card-container={{@cardTitle}}
   ...attributes
 >
-  <div class="flex row-wrap space-between has-bottom-margin-s" data-test-overview-card={{@cardTitle}}>
-    <Hds::Text::Display @weight="bold" @size="300" data-test-overview-card-title={{@cardTitle}}>
-      {{@cardTitle}}
-    </Hds::Text::Display>
+  <div class="flex row-wrap space-between" data-test-overview-card={{@cardTitle}}>
+    {{#if (has-block "customTitle")}}
+      {{yield to="customTitle"}}
+    {{else}}
+      <Hds::Text::Display @weight="semibold" @size="300" data-test-overview-card-title={{@cardTitle}}>
+        {{@cardTitle}}
+      </Hds::Text::Display>
+    {{/if}}
 
     {{#if (has-block "action")}}
       {{yield to="action"}}

diff --git a/ui/lib/core/addon/helpers/date-format.js b/ui/lib/core/addon/helpers/date-format.js
@@ -43,7 +43,7 @@ function dateFromString(str) {
   return null;
 }
 
-export function dateFormat([value, style], { withTimeZone = false }) {
+export function dateFormat([value, style = 'MMM d yyyy, h:mm:ss aa'], { withTimeZone = false }) {
   // see format breaking in upgrade to date-fns 2.x https://github.com/date-fns/date-fns/blob/master/CHANGELOG.md#changed-5
   let date;
   switch (checkType(value)) {

diff --git a/ui/app/helpers/date-from-now.js → ui/lib/core/addon/helpers/date-from-now.js b/ui/app/helpers/date-from-now.js → ui/lib/core/addon/helpers/date-from-now.js
diff --git a/ui/lib/core/app/helpers/date-from-now.js b/ui/lib/core/app/helpers/date-from-now.js
@@ -0,0 +1,6 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+export { default } from 'core/helpers/date-from-now';
diff --git a/ui/lib/kv/addon/components/kv-paths-card.hbs b/ui/lib/kv/addon/components/kv-paths-card.hbs
@@ -0,0 +1,82 @@
+{{!
+  Copyright (c) HashiCorp, Inc.
+  SPDX-License-Identifier: BUSL-1.1
+~}}
+
+<div data-test-overview-card-container="Paths" ...attributes>
+  <Hds::Text::Display @weight="semibold" @size="300" @tag="h2">
+    Paths
+  </Hds::Text::Display>
+  {{#if @isCondensed}}
+    <Hds::Text::Body @tag="p" @color="faint">
+      The paths to use when referring to this secret in API or CLI.
+    </Hds::Text::Body>
+  {{/if}}
+
+  <div class="box is-fullwidth is-sideless is-paddingless is-marginless {{if @isCondensed 'is-shadowless'}} ">
+    {{#each this.paths as |path|}}
+      <InfoTableRow
+        @label={{path.label}}
+        @labelWidth={{if @isCondensed "is-one-quarter" "is-one-third"}}
+        @helperText={{if @isCondensed "" path.text}}
+        @truncateValue={{true}}
+      >
+        <Hds::Copy::Button
+          @text="Copy"
+          @isIconOnly={{true}}
+          @textToCopy={{path.snippet}}
+          @onError={{fn (set-flash-message "Clipboard copy failed. The Clipboard API requires a secure context." "danger")}}
+          data-test-copy-button={{path.snippet}}
+          class="transparent"
+        />
+        <code class="is-flex-1 text-overflow-ellipsis has-left-margin-s">
+          {{path.snippet}}
+        </code>
+      </InfoTableRow>
+    {{/each}}
+  </div>
+
+  {{#unless @isCondensed}}
+    <Hds::Text::Display @weight="semibold" @size="300" @tag="h3" class="has-top-margin-xl">
+      Commands
+    </Hds::Text::Display>
+
+    <div class="box is-fullwidth is-sideless">
+      <h3 class="is-label">
+        CLI
+        <Hds::Badge @text="kv get" @color="neutral" />
+      </h3>
+      <p class="helper-text has-text-grey-light has-bottom-padding-s">
+        This command retrieves the value from KV secrets engine at the given key name. See our
+        <Hds::Link::Inline @isHrefExternal={{true}} @href={{doc-link "/vault/docs/commands/kv"}}>
+          documentation</Hds::Link::Inline>
+        for other CLI commands.
+      </p>
+      <Hds::CodeBlock
+        data-test-commands="cli"
+        @language="bash"
+        @hasLineNumbers={{false}}
+        @hasCopyButton={{true}}
+        @value={{this.commands.cli}}
+      />
+
+      <h3 class="has-top-margin-l is-label">
+        API read secret version
+      </h3>
+      <p class="helper-text has-text-grey-light has-bottom-padding-s">
+        This command obtains data and metadata for the latest version of this secret. In this example, Vault is located at
+        https://127.0.0.1:8200. For other API commands,
+        <DocLink @path="/vault/api-docs/secret/kv/kv-v2">
+          learn more.
+        </DocLink>
+      </p>
+      <Hds::CodeBlock
+        data-test-commands="api"
+        @language="bash"
+        @hasLineNumbers={{false}}
+        @hasCopyButton={{true}}
+        @value={{this.commands.api}}
+      />
+    </div>
+  {{/unless}}
+</div>