Merge branch 'main' into ui/vault-27813/fix-token-banner

hashicorp · Jun 25, 2024 · e5dceb6 · e5dceb6
2 parents 1a2e3cf + ad1b5df
commit e5dceb6
Show file tree

Hide file tree

Showing 96 changed files with 2,487 additions and 960 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -165,6 +165,9 @@ jobs:
           cache: yarn
           cache-dependency-path: ui/yarn.lock
       - uses: browser-actions/setup-chrome@db1b524c26f20a8d1a10f7fc385c92387e2d0477 # v1.7.1
+        with:
+          # Temporarily pin our Chrome version while we sort out a broken test on latest
+          chrome-version: 1314712
       - name: ui-dependencies
         working-directory: ./ui
         run: |

diff --git a/api/client.go b/api/client.go
@@ -10,6 +10,7 @@ import (
 	"crypto/tls"
 	"encoding/base64"
 	"encoding/hex"
+	"encoding/json"
 	"fmt"
 	"net"
 	"net/http"
@@ -41,6 +42,7 @@ const (
 	EnvVaultClientCert       = "VAULT_CLIENT_CERT"
 	EnvVaultClientKey        = "VAULT_CLIENT_KEY"
 	EnvVaultClientTimeout    = "VAULT_CLIENT_TIMEOUT"
+	EnvVaultHeaders          = "VAULT_HEADERS"
 	EnvVaultSRVLookup        = "VAULT_SRV_LOOKUP"
 	EnvVaultSkipVerify       = "VAULT_SKIP_VERIFY"
 	EnvVaultNamespace        = "VAULT_NAMESPACE"
@@ -665,6 +667,30 @@ func NewClient(c *Config) (*Client, error) {
 		client.setNamespace(namespace)
 	}
 
+	if envHeaders := os.Getenv(EnvVaultHeaders); envHeaders != "" {
+		var result map[string]any
+		err := json.Unmarshal([]byte(envHeaders), &result)
+		if err != nil {
+			return nil, fmt.Errorf("could not unmarshal environment-supplied headers")
+		}
+		var forbiddenHeaders []string
+		for key, value := range result {
+			if strings.HasPrefix(key, "X-Vault-") {
+				forbiddenHeaders = append(forbiddenHeaders, key)
+				continue
+			}
+
+			value, ok := value.(string)
+			if !ok {
+				return nil, fmt.Errorf("environment-supplied headers include non-string values")
+			}
+			client.AddHeader(key, value)
+		}
+		if len(forbiddenHeaders) > 0 {
+			return nil, fmt.Errorf("failed to setup Headers[%s]: Header starting by 'X-Vault-' are for internal usage only", strings.Join(forbiddenHeaders, ", "))
+		}
+	}
+
 	return client, nil
 }
 

diff --git a/api/client_test.go b/api/client_test.go
@@ -374,6 +374,61 @@ func TestDefaulRetryPolicy(t *testing.T) {
 	}
 }
 
+func TestClientEnvHeaders(t *testing.T) {
+	oldHeaders := os.Getenv(EnvVaultHeaders)
+
+	defer func() {
+		os.Setenv(EnvVaultHeaders, oldHeaders)
+	}()
+
+	cases := []struct {
+		Input string
+		Valid bool
+	}{
+		{
+			"{}",
+			true,
+		},
+		{
+			"{\"foo\": \"bar\"}",
+			true,
+		},
+		{
+			"{\"foo\": 1}", // Values must be strings
+			false,
+		},
+		{
+			"{\"X-Vault-Foo\": \"bar\"}", // X-Vault-* not allowed
+			false,
+		},
+	}
+
+	for _, tc := range cases {
+		os.Setenv(EnvVaultHeaders, tc.Input)
+		config := DefaultConfig()
+		config.ReadEnvironment()
+		_, err := NewClient(config)
+		if err != nil {
+			if tc.Valid {
+				t.Fatalf("unexpected error reading headers from environment: %v", err)
+			}
+		} else {
+			if !tc.Valid {
+				t.Fatal("no error reading headers from environment when error was expected")
+			}
+		}
+	}
+
+	os.Setenv(EnvVaultHeaders, "{\"foo\": \"bar\"}")
+	config := DefaultConfig()
+	config.ReadEnvironment()
+	cli, _ := NewClient(config)
+
+	if !reflect.DeepEqual(cli.Headers().Values("foo"), []string{"bar"}) {
+		t.Error("Environment-supplied headers not set in CLI client")
+	}
+}
+
 func TestClientEnvSettings(t *testing.T) {
 	cwd, _ := os.Getwd()
 

diff --git a/audit/broker.go b/audit/broker.go
@@ -462,6 +462,8 @@ func (b *Broker) IsRegistered(name string) bool {
 
 // isContextViable examines the supplied context to see if its own deadline would
 // occur later than a newly created context with a specific timeout.
+// Additionally, whether the supplied context is already cancelled, thus making it
+// unviable.
 // If the existing context is viable it can be used 'as-is', if not, the caller
 // should consider creating a new context with the relevant deadline and associated
 // context values (e.g. namespace) in order to reduce the likelihood that the
@@ -472,6 +474,12 @@ func isContextViable(ctx context.Context) bool {
 		return false
 	}
 
+	select {
+	case <-ctx.Done():
+		return false
+	default:
+	}
+
 	deadline, hasDeadline := ctx.Deadline()
 
 	// If there's no deadline on the context then we don't need to worry about

diff --git a/audit/broker_test.go b/audit/broker_test.go
@@ -160,11 +160,14 @@ func BenchmarkAuditBroker_File_Request_DevNull(b *testing.B) {
 }
 
 // TestBroker_isContextViable_basics checks the expected result of isContextViable
-// for basic inputs such as nil and a never-ending context.
+// for basic inputs such as nil, cancelled context and a never-ending context.
 func TestBroker_isContextViable_basics(t *testing.T) {
 	t.Parallel()
 
 	require.False(t, isContextViable(nil))
+	ctx, cancel := context.WithCancel(context.Background())
+	cancel()
+	require.False(t, isContextViable(ctx))
 	require.True(t, isContextViable(context.Background()))
 }
 

diff --git a/changelog/21993.txt b/changelog/21993.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+cli: Allow vault CLI HTTP headers to be specified using the JSON-encoded VAULT_HEADERS environment variable
+```
diff --git a/changelog/27348.txt b/changelog/27348.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Mask obfuscated fields when creating/editing a Secrets sync destination.
+```
diff --git a/changelog/27518.txt b/changelog/27518.txt
@@ -0,0 +1,7 @@
+```release-note:bug
+agent: Fixed an issue causing excessive CPU usage during normal operation
+```
+
+```release-note:bug
+proxy: Fixed an issue causing excessive CPU usage during normal operation
+```
diff --git a/changelog/27531.txt b/changelog/27531.txt
@@ -0,0 +1,5 @@
+```release-note:bug
+core/audit: Audit logging a Vault request/response checks if the existing context 
+is cancelled and will now use a new context with a 5 second timeout.
+If the existing context is cancelled a new context, will be used.
+```
diff --git a/changelog/27559.txt b/changelog/27559.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Remove deprecated `current_billing_period` from dashboard activity log request
+```
diff --git a/changelog/27563.txt b/changelog/27563.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+storage/azure: Fix invalid account name initialization bug
+```
diff --git a/command/agent/template/template.go b/command/agent/template/template.go
@@ -246,31 +246,24 @@ func (ts *Server) Run(ctx context.Context, incoming chan string, templates []*ct
 				ts.runner.Stop()
 				return nil
 			}
-		default:
-			// We are using default instead of a new case block to prioritize the case where <-incoming has a new value over
-			// receiving an error message from the consul-template server
-			select {
-			case err := <-ts.runner.ServerErrCh:
-				var responseError *api.ResponseError
-				ok := errors.As(err, &responseError)
-				if !ok {
-					ts.logger.Error("template server: could not extract error response")
-					continue
-				}
-				if responseError.StatusCode == 403 && strings.Contains(responseError.Error(), logical.ErrInvalidToken.Error()) && !tokenRenewalInProgress.Load() {
-					ts.logger.Info("template server: received invalid token error")
-
-					// Drain the error channel before sending a new error
-					select {
-					case <-invalidTokenCh:
-					default:
-					}
-					invalidTokenCh <- err
-				}
-			default:
+		case err := <-ts.runner.ServerErrCh:
+			var responseError *api.ResponseError
+			ok := errors.As(err, &responseError)
+			if !ok {
+				ts.logger.Error("template server: could not extract error response")
 				continue
 			}
-
+			if responseError.StatusCode == 403 && strings.Contains(responseError.Error(), logical.ErrInvalidToken.Error()) && !tokenRenewalInProgress.Load() {
+				ts.logger.Info("template server: received invalid token error")
+
+				// Drain the error channel and incoming channel before sending a new error
+				select {
+				case <-invalidTokenCh:
+				case <-incoming:
+				default:
+				}
+				invalidTokenCh <- err
+			}
 		}
 	}
 }

diff --git a/command/agentproxyshared/auth/auth.go b/command/agentproxyshared/auth/auth.go
@@ -563,18 +563,12 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				// Set authenticated when authentication succeeds
 				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 1)
 				ah.logger.Info("renewed auth token")
-
 			case <-credCh:
 				ah.logger.Info("auth method found new credentials, re-authenticating")
 				break LifetimeWatcherLoop
-			default:
-				select {
-				case <-ah.InvalidToken:
-					ah.logger.Info("invalid token found, re-authenticating")
-					break LifetimeWatcherLoop
-				default:
-					continue
-				}
+			case <-ah.InvalidToken:
+				ah.logger.Info("invalid token found, re-authenticating")
+				break LifetimeWatcherLoop
 			}
 		}
 	}

diff --git a/command/server.go b/command/server.go
@@ -1711,7 +1711,7 @@ func (c *ServerCommand) Run(args []string) int {
 				sr.NotifyConfigurationReload(srConfig)
 			}
 
-			if err := core.ReloadCensus(); err != nil {
+			if err := core.ReloadCensusManager(); err != nil {
 				c.UI.Error(err.Error())
 			}
 

diff --git a/enos/enos-scenario-agent.hcl b/enos/enos-scenario-agent.hcl
@@ -36,12 +36,6 @@ scenario "agent" {
       artifact_type   = ["package"]
     }
 
-    # HSM and FIPS 140-2 are only supported on amd64
-    exclude {
-      arch    = ["arm64"]
-      edition = ["ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
-    }
-
     # PKCS#11 can only be used on ent.hsm and ent.hsm.fips1402.
     exclude {
       seal    = ["pkcs11"]
@@ -54,8 +48,8 @@ scenario "agent" {
       arch   = ["arm64"]
     }
 
-    # softhsm packages not available for leap/sles; Enos support for softhsm
-    # on amzn2 to be added later.
+    # softhsm packages not available for leap/sles. Enos support for softhsm on amzn2 is
+    # not implemented yet.
     exclude {
       seal   = ["pkcs11"]
       distro = ["amzn2", "leap", "sles"]

diff --git a/enos/enos-scenario-autopilot.hcl b/enos/enos-scenario-autopilot.hcl
@@ -41,7 +41,8 @@ scenario "autopilot" {
       artifact_type   = ["package"]
     }
 
-    # HSM and FIPS 140-2 are only supported on amd64
+    # There are no published versions of these artifacts yet. We'll update this to exclude older
+    # versions after our initial publication of these editions for arm64.
     exclude {
       arch    = ["arm64"]
       edition = ["ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
@@ -59,8 +60,8 @@ scenario "autopilot" {
       arch   = ["arm64"]
     }
 
-    # softhsm packages not available for leap/sles; Enos support for softhsm
-    # on amzn2 to be added later.
+    # softhsm packages not available for leap/sles. Enos support for softhsm on amzn2 is
+    # not implemented yet.
     exclude {
       seal   = ["pkcs11"]
       distro = ["amzn2", "leap", "sles"]

diff --git a/enos/enos-scenario-proxy.hcl b/enos/enos-scenario-proxy.hcl
@@ -36,12 +36,6 @@ scenario "proxy" {
       artifact_type   = ["package"]
     }
 
-    # HSM and FIPS 140-2 are only supported on amd64
-    exclude {
-      arch    = ["arm64"]
-      edition = ["ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
-    }
-
     # PKCS#11 can only be used on ent.hsm and ent.hsm.fips1402.
     exclude {
       seal    = ["pkcs11"]
@@ -54,8 +48,8 @@ scenario "proxy" {
       arch   = ["arm64"]
     }
 
-    # softhsm packages not available for leap/sles; Enos support for softhsm
-    # on amzn2 to be added later.
+    # softhsm packages not available for leap/sles. Enos support for softhsm on amzn2 is
+    # not implemented yet.
     exclude {
       seal   = ["pkcs11"]
       distro = ["amzn2", "leap", "sles"]

diff --git a/enos/enos-scenario-replication.hcl b/enos/enos-scenario-replication.hcl
@@ -43,12 +43,6 @@ scenario "replication" {
       artifact_type   = ["package"]
     }
 
-    # HSM and FIPS 140-2 are only supported on amd64
-    exclude {
-      arch    = ["arm64"]
-      edition = ["ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
-    }
-
     # PKCS#11 can only be used on ent.hsm and ent.hsm.fips1402.
     exclude {
       primary_seal = ["pkcs11"]
@@ -66,8 +60,8 @@ scenario "replication" {
       arch   = ["arm64"]
     }
 
-    # softhsm packages not available for leap/sles; Enos support for softhsm
-    # on amzn2 to be added later.
+    # softhsm packages not available for leap/sles. Enos support for softhsm on amzn2 is
+    # not implemented yet.
     exclude {
       primary_seal = ["pkcs11"]
       distro       = ["amzn2", "leap", "sles"]

diff --git a/enos/enos-scenario-seal-ha.hcl b/enos/enos-scenario-seal-ha.hcl
@@ -41,12 +41,6 @@ scenario "seal_ha" {
       artifact_type   = ["package"]
     }
 
-    # HSM and FIPS 140-2 are only supported on amd64
-    exclude {
-      arch    = ["arm64"]
-      edition = ["ent.fips1402", "ent.hsm", "ent.hsm.fips1402"]
-    }
-
     # PKCS#11 can only be used on ent.hsm and ent.hsm.fips1402.
     exclude {
       primary_seal = ["pkcs11"]
@@ -64,15 +58,13 @@ scenario "seal_ha" {
       arch   = ["arm64"]
     }
 
-    # softhsm packages not available for leap/sles; Enos support for softhsm
-    # on amzn2 to be added later.
+    # softhsm packages not available for leap/sles. Enos support for softhsm on amzn2 is
+    # not implemented yet.
     exclude {
       primary_seal = ["pkcs11"]
       distro       = ["amzn2", "leap", "sles"]
     }
 
-    # softhsm packages not available for leap/sles; Enos support for softhsm
-    # on amzn2 to be added later.
     exclude {
       secondary_seal = ["pkcs11"]
       distro         = ["amzn2", "leap", "sles"]