Merge branch 'main' into docs/secrets-seo-updates-3

Author: yhyakuna

.github/workflows/hack-week-benchmark.yml .github/workflows/benchmark-prevent-performance-degradations.yml

@@ -7,6 +7,7 @@ on:
 jobs:
   bench:
     name: Bench
+    if: github.base_ref == 'main'
     runs-on: ubuntu-latest
     steps:
       - name: Check out code into the Go module directory

changelog/29045.txt

@@ -1,3 +1,3 @@
 ```release-note:change
-secrets/pki: Enforce the issuer constraint extensions (extended key usage, name constraints, issuer name) when issuing or signing leaf certificates.
+secrets/pki: Enforce the issuer constraint extensions (extended key usage, name constraints, issuer name) when issuing or signing leaf certificates. For more information see [PKI considerations](https://developer.hashicorp.com/vault/docs/secrets/pki/considerations#issuer-constraints-enforcement)
 ```

changelog/29082.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+sdk: Add Vault build date to system view plugin environment response
+```

changelog/29090.txt

@@ -0,0 +1,3 @@
+```release-note:change
+core/raft: Return an error on sys/storage/raft/join if a node that has been removed from raft cluster attempts to re-join when it still has existing raft data on disk.   
+```

changelog/29114.txt

@@ -1,3 +1,3 @@
 ```release-note:bug
-ui: Decode database url to fix editing failures for an oracle connection
+ui: Decode `connection_url` to fix database connection updates (i.e. editing connection config, deleting roles) failing when urls include template variables.
 ```

changelog/29145.txt

@@ -0,0 +1,4 @@
+```release-note:improvement
+activity: Add a "local_mount" field to the Export API response. This field is true if the client is a token or created on a
+local mount.
+```

physical/raft/raft.go

@@ -256,7 +256,7 @@ type RaftBackend struct {
 	// limits.
 	specialPathLimits map[string]uint64
 
-	removed         atomic.Bool
+	removed         *atomic.Bool
 	removedCallback func()
 }
 
@@ -277,9 +277,11 @@ func (b *RaftBackend) IsRemoved() bool {
 	return b.removed.Load()
 }
 
+var removedKey = []byte("removed")
+
 func (b *RaftBackend) RemoveSelf() error {
 	b.removed.Store(true)
-	return nil
+	return b.stableStore.SetUint64(removedKey, 1)
 }
 
 // LeaderJoinInfo contains information required by a node to join itself as a
@@ -593,6 +595,14 @@ func NewRaftBackend(conf map[string]string, logger log.Logger) (physical.Backend
 		snapStore = newSnapshotStoreDelay(snapStore, backendConfig.SnapshotDelay, logger)
 	}
 
+	isRemoved := new(atomic.Bool)
+	removedVal, err := stableStore.GetUint64(removedKey)
+	if err != nil {
+		logger.Error("error checking if this node is removed. continuing under the assumption that it's not", "error", err)
+	}
+	if removedVal == 1 {
+		isRemoved.Store(true)
+	}
 	return &RaftBackend{
 		logger:                        logger,
 		fsm:                           fsm,
@@ -619,6 +629,7 @@ func NewRaftBackend(conf map[string]string, logger log.Logger) (physical.Backend
 		raftLogVerifierEnabled:        backendConfig.RaftLogVerifierEnabled,
 		raftLogVerificationInterval:   backendConfig.RaftLogVerificationInterval,
 		effectiveSDKVersion:           version.GetVersion().Version,
+		removed:                       isRemoved,
 	}, nil
 }
 

sdk/logical/events.go

@@ -12,10 +12,17 @@ import (
 
 // common event metadata keys
 const (
-	// EventMetadataDataPath is used in event metadata to show the API path that can be used to fetch any underlying
-	// data. For example, the KV plugin would set this to `data/mysecret`. The event system will automatically prepend
-	// the plugin mount to this path, if present, so it would become `secret/data/mysecret`, for example.
+	// EventMetadataPath is used in event metadata to show the API path the client must have the `subscribe` capability
+	// on in order to consume the event. It is recommended that the event path metadata field is the API path that was
+	// invoked in order to generate the event.
+	//
+	// For example, the KV plugin would set this to `data/mysecret`. The event system will automatically prepend the
+	// plugin mount to this path, if present, so it would become `secret/data/mysecret`, for example.
 	// If this is an auth plugin event, this will additionally be prepended with `auth/`.
+	EventMetadataPath = "path"
+	// EventMetadataDataPath is used in event metadata to show the API path that can be used to fetch any underlying
+	// data. Similar to the `path` event metadata, the event system will automatically prepend the plugin mount to the
+	// `data_path`.
 	EventMetadataDataPath = "data_path"
 	// EventMetadataOperation is used in event metadata to express what operation was performed that generated the
 	// event, e.g., `read` or `write`.

sdk/logical/plugin.pb.go

@@ -5,6 +5,8 @@ syntax = "proto3";
 
 package logical;
 
+import "google/protobuf/timestamp.proto";
+
 option go_package = "github.com/hashicorp/vault/sdk/logical";
 
 message PluginEnvironment {
@@ -16,4 +18,7 @@ message PluginEnvironment {
 
   // VaultVersionMetadata is the version metadata of the Vault server
   string vault_version_metadata = 3;
+
+  // VaultBuildDate is the build date of the Vault server
+  google.protobuf.Timestamp vault_build_date = 4;
 }

sdk/logical/plugin.proto

@@ -0,0 +1,26 @@
+/**
+ * Copyright (c) HashiCorp, Inc.
+ * SPDX-License-Identifier: BUSL-1.1
+ */
+
+import ApplicationAdapter from '../application';
+import { encodePath } from 'vault/utils/path-encoding-helpers';
+
+export default class AzureConfig extends ApplicationAdapter {
+  namespace = 'v1';
+
+  _url(backend) {
+    return `${this.buildURL()}/${encodePath(backend)}/config`;
+  }
+
+  queryRecord(store, type, query) {
+    const { backend } = query;
+    return this.ajax(this._url(backend), 'GET').then((resp) => {
+      return {
+        ...resp,
+        id: backend,
+        backend,
+      };
+    });
+  }
+}

ui/app/adapters/azure/config.js

@@ -3,47 +3,42 @@
   SPDX-License-Identifier: BUSL-1.1
 ~}}
 
-{{#if @configModels.length}}
-  {{#each @configModels as |configModel|}}
-    {{#each configModel.attrs as |attr|}}
-      {{! public key while not sensitive when editing/creating, should be hidden by default on viewing }}
-      {{#if (or attr.options.sensitive (eq attr.name "publicKey"))}}
-        <InfoTableRow
-          alwaysRender={{not (is-empty-value (get configModel attr.name))}}
-          @label={{or attr.options.label (to-label attr.name)}}
-          @value={{get configModel (or attr.options.fieldValue attr.name)}}
-        >
-          {{#if (or attr.options.sensitive (eq attr.name "publicKey"))}}
-            <MaskedInput
-              @value={{get configModel attr.name}}
-              @name={{attr.name}}
-              @displayOnly={{true}}
-              @allowCopy={{true}}
-            />
-          {{/if}}
-        </InfoTableRow>
-      {{else}}
-        <InfoTableRow
-          @alwaysRender={{not (is-empty-value (get @model attr.name))}}
-          @label={{or attr.options.label (to-label attr.name)}}
-          @value={{get configModel (or attr.options.fieldValue attr.name)}}
-        />
-      {{/if}}
-    {{/each}}
+{{#each @configModels as |configModel|}}
+  {{#each configModel.displayAttrs as |attr|}}
+    {{! public key while not sensitive when editing/creating, should be hidden by default on viewing }}
+    {{#if (or attr.options.sensitive (eq attr.name "publicKey"))}}
+      <InfoTableRow
+        alwaysRender={{not (is-empty-value (get configModel attr.name))}}
+        @label={{or attr.options.label (to-label attr.name)}}
+        @value={{get configModel (or attr.options.fieldValue attr.name)}}
+      >
+        <MaskedInput @value={{get configModel attr.name}} @name={{attr.name}} @displayOnly={{true}} @allowCopy={{true}} />
+      </InfoTableRow>
+    {{else}}
+      <InfoTableRow
+        @alwaysRender={{not (is-empty-value (get @model attr.name))}}
+        @label={{or attr.options.label (to-label attr.name)}}
+        @value={{get configModel (or attr.options.fieldValue attr.name)}}
+        @formatTtl={{eq attr.options.editType "ttl"}}
+      />
+    {{/if}}
   {{/each}}
 {{else}}
   {{! Prompt user to configure the secret engine }}
   <EmptyState
     data-test-config-cta
     @title="{{@typeDisplay}} not configured"
-    @message="Get started by configuring your {{@typeDisplay}} engine."
+    @message="Get started by configuring your {{@typeDisplay}} secrets engine."
   >
-    <Hds::Link::Standalone
-      @icon="chevron-right"
-      @iconPosition="trailing"
-      @text="Configure {{@typeDisplay}}"
-      @route="vault.cluster.secrets.backend.configuration.edit"
-      @model={{@id}}
-    />
+    {{! TODO: short-term conditional to be removed once configuration for azure is merged. }}
+    {{#unless (eq @typeDisplay "Azure")}}
+      <Hds::Link::Standalone
+        @icon="chevron-right"
+        @iconPosition="trailing"
+        @text="Configure {{@typeDisplay}}"
+        @route="vault.cluster.secrets.backend.configuration.edit"
+        @model={{@id}}
+      />
+    {{/unless}}
   </EmptyState>
-{{/if}}
+{{/each}}

ui/app/components/secret-engine/configuration-details.hbs

@@ -56,7 +56,7 @@
     {{/if}}
     {{#if (eq this.accessType "wif")}}
       {{! WIF Fields }}
-      {{#each @issuerConfig.attrs as |attr|}}
+      {{#each @issuerConfig.displayAttrs as |attr|}}
         <FormField @attr={{attr}} @model={{@issuerConfig}} />
       {{/each}}
       <FormFieldGroups
@@ -82,7 +82,7 @@
     Leases
   </h2>
   <div class="box is-fullwidth is-sideless is-bottomless">
-    {{#each @leaseConfig.attrs as |attr|}}
+    {{#each @leaseConfig.displayAttrs as |attr|}}
       <FormField @attr={{attr}} @model={{@leaseConfig}} @modelValidations={{this.modelValidationsLease}} />
     {{/each}}
   </div>

ui/app/components/secret-engine/configure-aws.hbs

@@ -135,23 +135,32 @@ const MOUNTABLE_SECRET_ENGINES = [
 ];
 
 // A list of Workload Identity Federation engines.
-// Will eventually include Azure and GCP.
-export const WIF_ENGINES = ['aws'];
+export const WIF_ENGINES = ['aws', 'azure'];
 
 export function wifEngines() {
   return WIF_ENGINES.slice();
 }
 
+// The UI only supports configuration views for these secrets engines. The CLI must be used to manage other engine resources (i.e. roles, credentials).
+// Will eventually include gcp.
+export const CONFIGURATION_ONLY = ['azure'];
+
+export function configurationOnly() {
+  return CONFIGURATION_ONLY.slice();
+}
+
 // Secret engines that have their own configuration page and actions
 // These engines do not exist in their own Ember engine.
-export const CONFIGURABLE_SECRET_ENGINES = ['aws', 'ssh'];
+export const CONFIGURABLE_SECRET_ENGINES = ['aws', 'azure', 'ssh'];
 
-export function configurableSecretEngines() {
+export function mountableEngines() {
   return MOUNTABLE_SECRET_ENGINES.slice();
 }
+// secret engines that have not other views than the mount view and mount details view
+export const UNSUPPORTED_ENGINES = ['alicloud', 'consul', 'gcp', 'gcpkms', 'nomad', 'rabbitmq', 'totp'];
 
-export function mountableEngines() {
-  return MOUNTABLE_SECRET_ENGINES.slice();
+export function unsupportedEngines() {
+  return UNSUPPORTED_ENGINES.slice();
 }
 
 export function allEngines() {

ui/app/helpers/mountable-secret-engines.js

@@ -7,6 +7,7 @@ import { helper as buildHelper } from '@ember/component/helper';
 
 const SUPPORTED_SECRET_BACKENDS = [
   'aws',
+  'azure',
   'cubbyhole',
   'database',
   'generic',

ui/app/helpers/supported-secret-backends.js

@@ -32,7 +32,7 @@ export default class AwsLeaseConfig extends Model {
   })
   lease;
 
-  get attrs() {
+  get displayAttrs() {
     const keys = ['lease', 'leaseMax'];
     return expandAttributeMeta(this, keys);
   }

ui/app/models/aws/lease-config.js

@@ -50,7 +50,7 @@ export default class AwsRootConfig extends Model {
   })
   maxRetries;
 
-  get attrs() {
+  get displayAttrs() {
     const keys = [
       'roleArn',
       'identityTokenAudience',