Merge branch 'release/1.16.x' into backport/ui/VAULT-20147/configurat…

…ion-link-list-view/totally-pleasing-bulldog

.github/actions/install-external-tools/action.yml

@@ -22,7 +22,7 @@ runs:
       # up here.
     - run: go install google.golang.org/protobuf/cmd/protoc-gen-go@latest
       shell: bash
-    - run: go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest
+    - run: go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.3.0
       shell: bash
     - run: go install github.com/favadi/protoc-go-inject-tag@latest
       shell: bash

Dockerfile

@@ -24,7 +24,8 @@ LABEL name="Vault" \
       summary="Vault is a tool for securely accessing secrets." \
       description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."
 
-COPY LICENSE /licenses/mozilla.txt
+# Copy the license file as per Legal requirement
+COPY LICENSE /licenses/LICENSE.txt
 
 # Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
 ENV NAME=$NAME
@@ -95,7 +96,8 @@ LABEL name="Vault" \
       summary="Vault is a tool for securely accessing secrets." \
       description="Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log."
 
-COPY LICENSE /licenses/mozilla.txt
+# Copy the license file as per Legal requirement
+COPY LICENSE /licenses/LICENSE.txt
 
 # Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
 ENV NAME=$NAME

builtin/credential/aws/path_config_identity.go

@@ -66,7 +66,7 @@ func (b *backend) pathConfigIdentity() *framework.Path {
 			"iam_alias": {
 				Type:        framework.TypeString,
 				Default:     identityAliasIAMUniqueID,
-				Description: fmt.Sprintf("Configure how the AWS auth method generates entity aliases when using IAM auth. Valid values are %q, %q, and %q. Defaults to %q.", identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn, identityAliasRoleID),
+				Description: fmt.Sprintf("Configure how the AWS auth method generates entity aliases when using IAM auth. Valid values are %q, %q, %q and %q. Defaults to %q.", identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn, identityAliasIAMCanonicalArn, identityAliasRoleID),
 			},
 			iamAuthMetadataFields.FieldName: authmetadata.FieldSchema(iamAuthMetadataFields),
 			"ec2_alias": {
@@ -150,7 +150,7 @@ func pathConfigIdentityUpdate(ctx context.Context, req *logical.Request, data *f
 	iamAliasRaw, ok := data.GetOk("iam_alias")
 	if ok {
 		iamAlias := iamAliasRaw.(string)
-		allowedIAMAliasValues := []string{identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn}
+		allowedIAMAliasValues := []string{identityAliasRoleID, identityAliasIAMUniqueID, identityAliasIAMFullArn, identityAliasIAMCanonicalArn}
 		if !strutil.StrListContains(allowedIAMAliasValues, iamAlias) {
 			return logical.ErrorResponse(fmt.Sprintf("iam_alias of %q not in set of allowed values: %v", iamAlias, allowedIAMAliasValues)), nil
 		}
@@ -194,11 +194,12 @@ type identityConfig struct {
 }
 
 const (
-	identityAliasIAMUniqueID   = "unique_id"
-	identityAliasIAMFullArn    = "full_arn"
-	identityAliasEC2InstanceID = "instance_id"
-	identityAliasEC2ImageID    = "image_id"
-	identityAliasRoleID        = "role_id"
+	identityAliasIAMUniqueID     = "unique_id"
+	identityAliasIAMFullArn      = "full_arn"
+	identityAliasIAMCanonicalArn = "canonical_arn"
+	identityAliasEC2InstanceID   = "instance_id"
+	identityAliasEC2ImageID      = "image_id"
+	identityAliasRoleID          = "role_id"
 )
 
 const pathConfigIdentityHelpSyn = `

builtin/credential/aws/path_login.go

@@ -1397,6 +1397,8 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
 		identityAlias = callerUniqueId
 	case identityAliasIAMFullArn:
 		identityAlias = callerID.Arn
+	case identityAliasIAMCanonicalArn:
+		identityAlias = entity.canonicalArn()
 	}
 
 	// If we're just looking up for MFA, return the Alias info

builtin/logical/pki/ca_util.go

@@ -237,7 +237,7 @@ func getKeyTypeAndBitsFromPublicKeyForRole(pubKey crypto.PublicKey) (certutil.Pr
 		keyBits = certutil.GetPublicKeySize(pubKey)
 	case *ecdsa.PublicKey:
 		keyType = certutil.ECPrivateKey
-	case *ed25519.PublicKey:
+	case ed25519.PublicKey:
 		keyType = certutil.Ed25519PrivateKey
 	default:
 		return certutil.UnknownPrivateKey, 0, fmt.Errorf("unsupported public key: %#v", pubKey)

builtin/logical/pki/ca_util_test.go

@@ -0,0 +1,82 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package pki
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"testing"
+
+	"github.com/hashicorp/vault/sdk/helper/certutil"
+)
+
+func TestGetKeyTypeAndBitsFromPublicKeyForRole(t *testing.T) {
+	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("error generating rsa key: %s", err)
+	}
+
+	ecdsaKey, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
+	if err != nil {
+		t.Fatalf("error generating ecdsa key: %s", err)
+	}
+
+	publicKey, _, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatalf("error generating ed25519 key: %s", err)
+	}
+
+	testCases := map[string]struct {
+		publicKey       crypto.PublicKey
+		expectedKeyType certutil.PrivateKeyType
+		expectedKeyBits int
+		expectError     bool
+	}{
+		"rsa": {
+			publicKey:       rsaKey.Public(),
+			expectedKeyType: certutil.RSAPrivateKey,
+			expectedKeyBits: 2048,
+		},
+		"ecdsa": {
+			publicKey:       ecdsaKey.Public(),
+			expectedKeyType: certutil.ECPrivateKey,
+			expectedKeyBits: 0,
+		},
+		"ed25519": {
+			publicKey:       publicKey,
+			expectedKeyType: certutil.Ed25519PrivateKey,
+			expectedKeyBits: 0,
+		},
+		"bad key type": {
+			publicKey:       []byte{},
+			expectedKeyType: certutil.UnknownPrivateKey,
+			expectedKeyBits: 0,
+			expectError:     true,
+		},
+	}
+
+	for name, tt := range testCases {
+		t.Run(name, func(t *testing.T) {
+			keyType, keyBits, err := getKeyTypeAndBitsFromPublicKeyForRole(tt.publicKey)
+			if err != nil && !tt.expectError {
+				t.Fatalf("unexpected error: %s", err)
+			}
+			if err == nil && tt.expectError {
+				t.Fatal("expected error, got nil")
+			}
+
+			if keyType != tt.expectedKeyType {
+				t.Fatalf("key type mismatch: expected %s, got %s", tt.expectedKeyType, keyType)
+			}
+
+			if keyBits != tt.expectedKeyBits {
+				t.Fatalf("key bits mismatch: expected %d, got %d", tt.expectedKeyBits, keyBits)
+			}
+		})
+	}
+}

builtin/logical/transit/path_hmac.go

@@ -257,7 +257,19 @@ func (b *backend) pathHMACVerify(ctx context.Context, req *logical.Request, d *f
 	name := d.Get("name").(string)
 	algorithm := d.Get("urlalgorithm").(string)
 	if algorithm == "" {
-		algorithm = d.Get("algorithm").(string)
+		hashAlgorithmRaw, hasHashAlgorithm := d.GetOk("hash_algorithm")
+		algorithmRaw, hasAlgorithm := d.GetOk("algorithm")
+
+		// As `algorithm` is deprecated, make sure we only read it if
+		// `hash_algorithm` is not present.
+		switch {
+		case hasHashAlgorithm:
+			algorithm = hashAlgorithmRaw.(string)
+		case hasAlgorithm:
+			algorithm = algorithmRaw.(string)
+		default:
+			algorithm = d.Get("hash_algorithm").(string)
+		}
 	}
 
 	// Get the policy

builtin/logical/transit/path_hmac_test.go

@@ -94,17 +94,40 @@ func TestTransit_HMAC(t *testing.T) {
 			}
 
 			// Now verify
+			verify := func() {
+				t.Helper()
+
+				resp, err = b.HandleRequest(context.Background(), req)
+				if err != nil {
+					t.Fatalf("%v: %v", err, resp)
+				}
+				if resp == nil {
+					t.Fatal("expected non-nil response")
+				}
+				if errStr, ok := resp.Data["error"]; ok {
+					t.Fatalf("error validating hmac: %s", errStr)
+				}
+				if resp.Data["valid"].(bool) == false {
+					t.Fatalf(fmt.Sprintf("error validating hmac;\nreq:\n%#v\nresp:\n%#v", *req, *resp))
+				}
+			}
 			req.Path = strings.ReplaceAll(req.Path, "hmac", "verify")
 			req.Data["hmac"] = value.(string)
-			resp, err = b.HandleRequest(context.Background(), req)
-			if err != nil {
-				t.Fatalf("%v: %v", err, resp)
-			}
-			if resp == nil {
-				t.Fatal("expected non-nil response")
-			}
-			if resp.Data["valid"].(bool) == false {
-				panic(fmt.Sprintf("error validating hmac;\nreq:\n%#v\nresp:\n%#v", *req, *resp))
+			verify()
+
+			// If `algorithm` parameter is used, try with `hash_algorithm` as well
+			if algorithm, ok := req.Data["algorithm"]; ok {
+				// Note that `hash_algorithm` takes precedence over `algorithm`, since the
+				// latter is deprecated.
+				req.Data["hash_algorithm"] = algorithm
+				req.Data["algorithm"] = "xxx"
+				defer func() {
+					// Restore the req fields, since it is re-used by the tests below
+					delete(req.Data, "hash_algorithm")
+					req.Data["algorithm"] = algorithm
+				}()
+
+				verify()
 			}
 		}
 

changelog/26993.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+ui: Update PGP display and show error for Generate Operation Token flow with PGP
+```

changelog/27093.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+pki: Fix error in cross-signing using ed25519 keys
+```

changelog/27178.txt

@@ -0,0 +1,3 @@
+```release-note:change
+ui/kubernetes: Update the roles filter-input to use explicit search.
+```

changelog/27184.txt

@@ -0,0 +1,3 @@
+```release-note:change
+core/identity: improve performance for secondary nodes receiving identity related updates through replication
+```

changelog/27211.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/transit: Use 'hash_algorithm' parameter if present in HMAC verify requests. Otherwise fall back to deprecated 'algorithm' parameter.
+```