Merge branch 'main' into ui/VAULT-19096/customizable-banners

.copywrite.hcl

@@ -2,13 +2,13 @@ schema_version = 1
 
 project {
   license        = "BUSL-1.1"
-  copyright_year = 2023
+  copyright_year = 2024
 
   # (OPTIONAL) A list of globs that should not have copyright/license headers.
   # Supports doublestar glob patterns for more flexibility in defining which
   # files or folders should be ignored
   header_ignore = [
-    "builtin/credential/aws/pkcs7/**",
+    "helper/pkcs7/**",
     "ui/node_modules/**",
     "enos/modules/k8s_deploy_vault/raft-config.hcl",
     "plugins/database/postgresql/scram/**",

.github/workflows/security-scan.yml

@@ -83,8 +83,6 @@ jobs:
 
     - name: SARIF Output
       shell: bash
-      env:
-        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
         cat results.sarif
 

LICENSE

@@ -4,7 +4,7 @@ License text copyright (c) 2020 MariaDB Corporation Ab, All Rights Reserved.
 Parameters
 
 Licensor:             HashiCorp, Inc.
-Licensed Work:        Vault Version 1.15.0 or later. The Licensed Work is (c) 2023
+Licensed Work:        Vault Version 1.15.0 or later. The Licensed Work is (c) 2024
                       HashiCorp, Inc.
 Additional Use Grant: You may make production use of the Licensed Work, provided
                       Your use does not include offering the Licensed Work to third

api/.copywrite.hcl

@@ -2,7 +2,7 @@ schema_version = 1
 
 project {
   license        = "MPL-2.0"
-  copyright_year = 2023
+  copyright_year = 2024
 
   header_ignore = []
 }

api/auth/gcp/go.mod

@@ -3,8 +3,9 @@ module github.com/hashicorp/vault/api/auth/gcp
 go 1.16
 
 require (
-	cloud.google.com/go v0.97.0
+	cloud.google.com/go/compute/metadata v0.2.3
+	cloud.google.com/go/iam v0.13.0
 	github.com/hashicorp/vault/api v1.10.0
-	google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0
-	google.golang.org/grpc v1.41.0 // indirect
+	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1
+	google.golang.org/grpc v1.56.3 // indirect
 )

api/go.mod

@@ -21,7 +21,7 @@ require (
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2
 	github.com/hashicorp/hcl v1.0.0
 	github.com/mitchellh/mapstructure v1.5.0
-	golang.org/x/net v0.7.0
+	golang.org/x/net v0.17.0
 	golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1
 )
 
@@ -33,7 +33,7 @@ require (
 	github.com/mattn/go-isatty v0.0.12 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
-	golang.org/x/crypto v0.6.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 )

api/go.sum

@@ -68,23 +68,23 @@ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5Cc
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 h1:NusfzzA6yGQ+ua51ck7E3omNUX/JuqbFSaRGqU8CcLI=
 golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

builtin/credential/aws/path_login.go

@@ -26,14 +26,14 @@ import (
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/hashicorp/errwrap"
-	cleanhttp "github.com/hashicorp/go-cleanhttp"
+	"github.com/hashicorp/go-cleanhttp"
 	"github.com/hashicorp/go-retryablehttp"
 	"github.com/hashicorp/go-secure-stdlib/awsutil"
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
-	uuid "github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/go-uuid"
 
-	"github.com/hashicorp/vault/builtin/credential/aws/pkcs7"
+	"github.com/hashicorp/vault/helper/pkcs7"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/cidrutil"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"

builtin/logical/database/rotation.go

@@ -586,10 +586,10 @@ func (b *databaseBackend) initQueue(ctx context.Context, conf *logical.BackendCo
 		queueTickerInterval := defaultQueueTickSeconds * time.Second
 		if strVal, ok := conf.Config[queueTickIntervalKey]; ok {
 			newVal, err := strconv.Atoi(strVal)
-			if err == nil {
+			if err == nil && newVal > 0 {
 				queueTickerInterval = time.Duration(newVal) * time.Second
 			} else {
-				b.Logger().Error("bad value for %q option: %q", queueTickIntervalKey, strVal)
+				b.Logger().Error("bad value for %q option: %q, default value of %d being used instead", queueTickIntervalKey, strVal, defaultQueueTickSeconds)
 			}
 		}
 		go b.runTicker(ctx, queueTickerInterval, conf.StorageView)

builtin/logical/database/rotation_test.go

@@ -28,6 +28,7 @@ import (
 	_ "github.com/jackc/pgx/v4/stdlib"
 	"github.com/robfig/cron/v3"
 	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
 	mongodbatlasapi "go.mongodb.org/atlas/mongodbatlas"
 	"go.mongodb.org/mongo-driver/mongo"
 	"go.mongodb.org/mongo-driver/mongo/options"
@@ -998,6 +999,34 @@ func TestBackend_StaticRole_Rotation_MongoDBAtlas(t *testing.T) {
 	})
 }
 
+// TestQueueTickIntervalKeyConfig tests the configuration of queueTickIntervalKey
+// does not break on invalid values.
+func TestQueueTickIntervalKeyConfig(t *testing.T) {
+	t.Parallel()
+	cluster, sys := getClusterPostgresDB(t)
+	defer cluster.Cleanup()
+
+	config := logical.TestBackendConfig()
+	config.StorageView = &logical.InmemStorage{}
+	config.System = sys
+	config.Config[queueTickIntervalKey] = "1"
+
+	// Rotation ticker starts running in Factory call
+	b, err := Factory(context.Background(), config)
+	require.Nil(t, err)
+	b.Cleanup(context.Background())
+
+	config.Config[queueTickIntervalKey] = "0"
+	b, err = Factory(context.Background(), config)
+	require.Nil(t, err)
+	b.Cleanup(context.Background())
+
+	config.Config[queueTickIntervalKey] = "-1"
+	b, err = Factory(context.Background(), config)
+	require.Nil(t, err)
+	b.Cleanup(context.Background())
+}
+
 func testBackend_StaticRole_Rotations(t *testing.T, createUser userCreator, opts map[string]interface{}) {
 	// We need to set this value for the plugin to run, but it doesn't matter what we set it to.
 	oldToken := os.Getenv(pluginutil.PluginUnwrapTokenEnv)

builtin/logical/transit/path_certificates.go

@@ -1,5 +1,5 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
+// SPDX-License-Identifier: BUSL-1.1
 
 package transit
 

builtin/logical/transit/path_certificates_test.go

@@ -1,5 +1,5 @@
 // Copyright (c) HashiCorp, Inc.
-// SPDX-License-Identifier: MPL-2.0
+// SPDX-License-Identifier: BUSL-1.1
 
 package transit
 

changelog/24548.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+agent/template: Added max_connections_per_host to limit total number of connections per Vault host.
+```

changelog/24667.txt

@@ -0,0 +1,6 @@
+```release-note:improvement
+agent: Added new namespace top level configuration parameter, which can be used to make requests made by Agent to go to that namespace.
+```
+```release-note:improvement
+proxy: Added new namespace top level configuration parameter, and prepend_configured_namespace API Proxy configuration parameter, which can be used to make requests made to Proxy get proxied to that namespace.
+```

command/agent.go

@@ -309,14 +309,25 @@ func (c *AgentCommand) Run(args []string) int {
 	}
 	c.metricsHelper = metricsutil.NewMetricsHelper(inmemMetrics, prometheusEnabled)
 
+	var templateNamespace string
+	// This indicates whether the namespace for the client has been set by environment variable.
+	// If it has, we don't touch it
+	namespaceSetByEnvironmentVariable := client.Namespace() != ""
+
+	if !namespaceSetByEnvironmentVariable && config.Vault != nil && config.Vault.Namespace != "" {
+		client.SetNamespace(config.Vault.Namespace)
+	}
+
 	var method auth.AuthMethod
 	var sinks []*sink.SinkConfig
-	var templateNamespace string
 	if config.AutoAuth != nil {
-		if client.Headers().Get(consts.NamespaceHeaderName) == "" && config.AutoAuth.Method.Namespace != "" {
+		// Note: This will only set namespace header to the value in config.AutoAuth.Method.Namespace
+		// only if it hasn't been set by config.Vault.Namespace above. In that case, the config value
+		// present at config.AutoAuth.Method.Namespace will still be used for auto-auth.
+		if !namespaceSetByEnvironmentVariable && config.AutoAuth.Method.Namespace != "" {
 			client.SetNamespace(config.AutoAuth.Method.Namespace)
 		}
-		templateNamespace = client.Headers().Get(consts.NamespaceHeaderName)
+		templateNamespace = client.Namespace()
 
 		sinkClient, err := client.CloneWithHeaders()
 		if err != nil {
@@ -707,6 +718,11 @@ func (c *AgentCommand) Run(args []string) int {
 			return 1
 		}
 
+		// Override the set namespace with the auto-auth specific namespace
+		if !namespaceSetByEnvironmentVariable && config.AutoAuth.Method.Namespace != "" {
+			ahClient.SetNamespace(config.AutoAuth.Method.Namespace)
+		}
+
 		if config.DisableIdleConnsAutoAuth {
 			ahClient.SetMaxIdleConnections(-1)
 		}

command/agent/config/config.go

@@ -56,6 +56,8 @@ type Config struct {
 const (
 	DisableIdleConnsEnv  = "VAULT_AGENT_DISABLE_IDLE_CONNECTIONS"
 	DisableKeepAlivesEnv = "VAULT_AGENT_DISABLE_KEEP_ALIVES"
+
+	DefaultTemplateConfigMaxConnsPerHost = 10
 )
 
 func (c *Config) Prune() {
@@ -89,6 +91,7 @@ type Vault struct {
 	ClientCert       string      `hcl:"client_cert"`
 	ClientKey        string      `hcl:"client_key"`
 	TLSServerName    string      `hcl:"tls_server_name"`
+	Namespace        string      `hcl:"namespace"`
 	Retry            *Retry      `hcl:"retry"`
 }
 
@@ -165,6 +168,8 @@ type TemplateConfig struct {
 	ExitOnRetryFailure       bool          `hcl:"exit_on_retry_failure"`
 	StaticSecretRenderIntRaw interface{}   `hcl:"static_secret_render_interval"`
 	StaticSecretRenderInt    time.Duration `hcl:"-"`
+	MaxConnectionsPerHostRaw interface{}   `hcl:"max_connections_per_host"`
+	MaxConnectionsPerHost    int           `hcl:"-"`
 }
 
 type ExecConfig struct {
@@ -1126,6 +1131,17 @@ func parseTemplateConfig(result *Config, list *ast.ObjectList) error {
 		result.TemplateConfig.StaticSecretRenderIntRaw = nil
 	}
 
+	if result.TemplateConfig.MaxConnectionsPerHostRaw != nil {
+		var err error
+		if result.TemplateConfig.MaxConnectionsPerHost, err = parseutil.SafeParseInt(result.TemplateConfig.MaxConnectionsPerHostRaw); err != nil {
+			return err
+		}
+
+		result.TemplateConfig.MaxConnectionsPerHostRaw = nil
+	} else {
+		result.TemplateConfig.MaxConnectionsPerHost = DefaultTemplateConfigMaxConnsPerHost
+	}
+
 	return nil
 }
 

command/agent/config/config_test.go

@@ -998,12 +998,14 @@ func TestLoadConfigFile_TemplateConfig(t *testing.T) {
 			TemplateConfig{
 				ExitOnRetryFailure:    true,
 				StaticSecretRenderInt: 1 * time.Minute,
+				MaxConnectionsPerHost: 100,
 			},
 		},
 		"empty": {
 			"./test-fixtures/config-template_config-empty.hcl",
 			TemplateConfig{
-				ExitOnRetryFailure: false,
+				ExitOnRetryFailure:    false,
+				MaxConnectionsPerHost: 10,
 			},
 		},
 	}

command/agent/config/test-fixtures/config-template_config.hcl

@@ -11,6 +11,7 @@ vault {
 template_config {
   exit_on_retry_failure = true
   static_secret_render_interval = 60
+  max_connections_per_host = 100
 }
 
 template {

command/agent/internal/ctmanager/runner_config.go

@@ -51,6 +51,10 @@ func NewConfig(mc ManagerConfig, templates ctconfig.TemplateConfigs) (*ctconfig.
 		conf.Vault.Transport.DisableKeepAlives = pointerutil.BoolPtr(true)
 	}
 
+	if mc.AgentConfig.TemplateConfig != nil && mc.AgentConfig.TemplateConfig.MaxConnectionsPerHost != 0 {
+		conf.Vault.Transport.MaxConnsPerHost = &mc.AgentConfig.TemplateConfig.MaxConnectionsPerHost
+	}
+
 	conf.Vault.SSL = &ctconfig.SSLConfig{
 		Enabled:    pointerutil.BoolPtr(false),
 		Verify:     pointerutil.BoolPtr(false),

command/agent_generate_config.go

@@ -224,6 +224,7 @@ func generateConfiguration(ctx context.Context, client *api.Client, flagExec str
 		TemplateConfig: generatedConfigTemplateConfig{
 			StaticSecretRenderInterval: "5m",
 			ExitOnRetryFailure:         true,
+			MaxConnectionsPerHost:      10,
 		},
 		Vault: generatedConfigVault{
 			Address: client.Address(),
@@ -410,6 +411,7 @@ type generatedConfig struct {
 type generatedConfigTemplateConfig struct {
 	StaticSecretRenderInterval string `hcl:"static_secret_render_interval"`
 	ExitOnRetryFailure         bool   `hcl:"exit_on_retry_failure"`
+	MaxConnectionsPerHost      int    `hcl:"max_connections_per_host"`
 }
 
 type generatedConfigExec struct {

command/agent_generate_config_test.go

@@ -180,6 +180,7 @@ auto_auth \{
 template_config \{
   static_secret_render_interval = "5m"
   exit_on_retry_failure         = true
+  max_connections_per_host      = 10
 }
 
 vault \{
@@ -222,6 +223,7 @@ auto_auth \{
 template_config \{
   static_secret_render_interval = "5m"
   exit_on_retry_failure         = true
+  max_connections_per_host      = 10
 }
 
 vault \{

command/agentproxyshared/auth/alicloud/alicloud.go

@@ -63,10 +63,10 @@ func NewAliCloudAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) {
 	// Check for an optional custom frequency at which we should poll for creds.
 	credCheckFreqSec := defaultCredCheckFreqSeconds
 	if checkFreqRaw, ok := conf.Config["credential_poll_interval"]; ok {
-		if credFreq, ok := checkFreqRaw.(int); ok {
+		if credFreq, ok := checkFreqRaw.(int); ok && credFreq > 0 {
 			credCheckFreqSec = credFreq
 		} else {
-			return nil, errors.New("could not convert 'credential_poll_interval' config value to int")
+			return nil, errors.New("could not convert 'credential_poll_interval' config value to positive int")
 		}
 	}