Merge branch 'main' into peteski22/dependency/swap-armon-go-metrics-t…

…o-hashicorp-go-metrics

.github/workflows/test-run-enos-scenario-matrix.yml

@@ -97,6 +97,8 @@ jobs:
       ENOS_DEBUG_DATA_ROOT_DIR: /tmp/enos-debug-data
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          ref: ${{ inputs.vault-revision }}
       - uses: hashicorp/setup-terraform@v2
         with:
           # the Terraform wrapper will break Terraform execution in Enos because

.hooks/pre-commit

@@ -35,7 +35,7 @@ block() {
 
 # Add all check functions to this space separated list.
 # They are executed in this order (see end of file).
-CHECKS="ui_lint ui_copywrite backend_lint"
+CHECKS="ui_lint backend_lint"
 
 # Run ui linter if changes in that dir detected.
 ui_lint() {
@@ -72,79 +72,6 @@ backend_lint() {
   ./scripts/gofmtcheck.sh "${staged}" || block "Backend linting failed; run 'make fmt' to fix."
 }
 
-ui_copywrite() {
-  DIR=ui
-  BINARY_DIR=$DIR/.copywrite
-  DOWNLOAD_ERR="==> Copywrite tool not found and failed to downloaded. Please download manually and extract to ui/.copywrite directory to utilize in pre-commit hook."
-
-  # silently succeed if no changes staged for $DIR
-  if git diff --name-only --cached --exit-code -- $DIR/; then
-    return 0
-  fi
-
-  echo "==> Changes detected in $DIR/: Checking copyright headers..."
-
-  # download latest version of hashicorp/copywrite if necessary 
-  if [ ! -x $BINARY_DIR/copywrite ]; then
-    local REPO_URL=https://github.com/hashicorp/copywrite
-    # get the latest version tag
-    local LATEST_RELEASE_JSON=$(curl -L -s -H 'Accept: application/json' $REPO_URL/releases/latest);
-    local LATEST_TAG=$(echo $LATEST_RELEASE_JSON | sed -e 's/.*"tag_name":"\([^"]*\)".*/\1/')
-
-    if [ ! $LATEST_TAG ]; then
-      echo $DOWNLOAD_ERR
-      return 0;
-    fi
-
-    # get the OS/Architecture specifics to build the filename
-    # eg. copywrite_0.16.6_darwin_x86_64.tar.gz
-    case "$OSTYPE" in
-      linux*) OS='linux' ;;
-      darwin*) OS='darwin' ;;
-      msys*) OS='windows';;
-    esac
-    local ARCH=$([ $(uname -m) == arm* ] && echo 'arm64' || echo 'x86_64')
-    local EXT=$([ $OSTYPE == "msys" ] && echo '.zip' || echo '.tar.gz')
-    local FILENAME=copywrite_"${LATEST_TAG:1}"_"$OS"_"$ARCH""$EXT"
-
-    mkdir -p $BINARY_DIR
-    echo "==> Copywrite tool not found, downloading version $LATEST_TAG from $REPO_URL..."
-    curl -L -s $REPO_URL/releases/download/$LATEST_TAG/$FILENAME | tar -xz - -C $BINARY_DIR || { echo $DOWNLOAD_ERR;  return 0; };
-  fi
-
-  # run the copywrite tool
-  # if a --path option is added we could apply the headers to only the staged files much easier
-  # as of the latest version 0.16.6 there is only support for --dirPath
-  STAGED_FILES=($(git diff --name-only --cached -- $DIR/))
-
-  rm -rf $BINARY_DIR/.staged
-  mkdir $BINARY_DIR/.staged
-
-  # copy staged files to .staged directory
-  echo $STAGED_FILES;
-  for FILE_PATH in "${STAGED_FILES[@]}"; do
-    cp $FILE_PATH $BINARY_DIR/.staged
-  done
-
-  COPYWRITE_LOG_LEVEL=info
-  COPY_CMD="$BINARY_DIR/copywrite headers -d $BINARY_DIR/.staged --config $DIR/.copywrite.hcl"
-
-  # if staged files are missing header run the tool on .staged directory
-  VALIDATE=$(eval $COPY_CMD --plan) # assigning to var so output is suppressed since it is repeated during second run
-  if [ $(echo $?) == 1 ]; then
-    eval $COPY_CMD || { echo "==> Copyright check failed. Please review and add headers manually."; return 0; };
-
-    # copy files back to original locations and stage changes
-    local TMP_FILES=$(ls $BINARY_DIR/.staged)
-    i=0
-    for FILE in $TMP_FILES; do
-      cp $BINARY_DIR/.staged/$FILE "${STAGED_FILES[$i]}"
-      git add "${STAGED_FILES[$i]}"
-      i=$(( i + 1 ))
-    done
-  fi
-}
-
 for CHECK in $CHECKS; do
   # Force each check into a subshell to avoid crosstalk.
   ( $CHECK ) || exit $?

CHANGELOG.md

@@ -2,6 +2,28 @@
 - [v1.0.0 - v1.9.10](CHANGELOG-pre-v1.10.md)
 - [v0.11.6 and earlier](CHANGELOG-v0.md)
 
+## 1.15.4
+### December 06, 2023
+
+SECURITY:
+
+* core: Fixes an issue present in both Vault and Vault Enterprise since Vault 1.12.0, where Vault is vulnerable to a denial of service through memory exhaustion of the host when handling large HTTP requests from a client. (see [CVE-2023-6337](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6337) & [HCSEC-2023-34](https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741))
+
+CHANGES:
+
+* identity (enterprise): POST requests to the `/identity/entity/merge` endpoint
+are now always forwarded from standbys to the active node. [[GH-24325](https://github.com/hashicorp/vault/pull/24325)]
+
+BUG FIXES:
+
+* agent/logging: Agent should now honor correct -log-format and -log-file settings in logs generated by the consul-template library. [[GH-24252](https://github.com/hashicorp/vault/pull/24252)]
+* api: Fix deadlock on calls to sys/leader with a namespace configured
+on the request. [[GH-24256](https://github.com/hashicorp/vault/pull/24256)]
+* core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts. [[GH-24336](https://github.com/hashicorp/vault/pull/24336)]
+* ui: Correctly handle directory redirects from pre 1.15.0 Kv v2 list view urls. [[GH-24281](https://github.com/hashicorp/vault/pull/24281)]
+* ui: Fix payload sent when disabling replication [[GH-24292](https://github.com/hashicorp/vault/pull/24292)]
+* ui: When Kv v2 secret is an object, fix so details view defaults to readOnly JSON editor. [[GH-24290](https://github.com/hashicorp/vault/pull/24290)]
+
 ## 1.15.3
 ### November 30, 2023
 
@@ -371,6 +393,26 @@ sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [[GH-22249](https
 * ui: fixes model defaults overwriting input value when user tries to clear form input [[GH-22458](https://github.com/hashicorp/vault/pull/22458)]
 * ui: fixes text readability issue in revoke token confirmation dialog [[GH-22390](https://github.com/hashicorp/vault/pull/22390)]
 
+## 1.14.8
+### December 06, 2023
+
+SECURITY:
+
+* core: Fixes an issue present in both Vault and Vault Enterprise since Vault 1.12.0, where Vault is vulnerable to a denial of service through memory exhaustion of the host when handling large HTTP requests from a client. (see [CVE-2023-6337](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6337) & [HCSEC-2023-34](https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741))
+
+CHANGES:
+
+* identity (enterprise): POST requests to the `/identity/entity/merge` endpoint
+are now always forwarded from standbys to the active node. [[GH-24325](https://github.com/hashicorp/vault/pull/24325)]
+
+BUG FIXES:
+
+* agent/logging: Agent should now honor correct -log-format and -log-file settings in logs generated by the consul-template library. [[GH-24252](https://github.com/hashicorp/vault/pull/24252)]
+* api: Fix deadlock on calls to sys/leader with a namespace configured
+on the request. [[GH-24256](https://github.com/hashicorp/vault/pull/24256)]
+* core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts. [[GH-24336](https://github.com/hashicorp/vault/pull/24336)]
+* ui: Fix payload sent when disabling replication [[GH-24292](https://github.com/hashicorp/vault/pull/24292)]
+
 ## 1.14.7
 ### November 30, 2023
 
@@ -862,6 +904,25 @@ with a new entity alias to be incorrectly forwarded from perf standbys. [[GH-211
 * ui: fixes key_bits and signature_bits reverting to default values when editing a pki role [[GH-20907](https://github.com/hashicorp/vault/pull/20907)]
 * ui: wait for wanted message event during OIDC callback instead of using the first message event [[GH-18521](https://github.com/hashicorp/vault/pull/18521)]
 
+## 1.13.12
+### December 06, 2023
+
+SECURITY:
+
+* core: Fixes an issue present in both Vault and Vault Enterprise since Vault 1.12.0, where Vault is vulnerable to a denial of service through memory exhaustion of the host when handling large HTTP requests from a client. (see [CVE-2023-6337](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6337) & [HCSEC-2023-34](https://discuss.hashicorp.com/t/hcsec-2023-34-vault-vulnerable-to-denial-of-service-through-memory-exhaustion-when-handling-large-http-requests/60741))
+
+CHANGES:
+
+* identity (enterprise): POST requests to the `/identity/entity/merge` endpoint
+are now always forwarded from standbys to the active node. [[GH-24325](https://github.com/hashicorp/vault/pull/24325)]
+
+BUG FIXES:
+
+* api: Fix deadlock on calls to sys/leader with a namespace configured
+on the request. [[GH-24256](https://github.com/hashicorp/vault/pull/24256)]
+* core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts. [[GH-24336](https://github.com/hashicorp/vault/pull/24336)]
+* ui: Fix payload sent when disabling replication [[GH-24292](https://github.com/hashicorp/vault/pull/24292)]
+
 ## 1.13.11
 ### November 30, 2023
 

README.md

@@ -10,8 +10,8 @@
 -	Announcement list: [Google Groups](https://groups.google.com/group/hashicorp-announce)
 -	Discussion forum: [Discuss](https://discuss.hashicorp.com/c/vault)
 - Documentation: [https://developer.hashicorp.com/vault/docs](https://developer.hashicorp.com/vault/docs)
-- Tutorials: [HashiCorp's Learn Platform](https://learn.hashicorp.com/vault)
-- Certification Exam: [Vault Associate](https://www.hashicorp.com/certification/#hashicorp-certified-vault-associate)
+- Tutorials: [https://developer.hashicorp.com/vault/tutorials](https://developer.hashicorp.com/vault/tutorials)
+- Certification Exam: [https://developer.hashicorp.com/certifications/security-automation](https://developer.hashicorp.com/certifications/security-automation)
 
 <img width="300" alt="Vault Logo" src="https://github.com/hashicorp/vault/blob/f22d202cde2018f9455dec755118a9b84586e082/Vault_PrimaryLogo_Black.png">
 

api/sys_capabilities.go

@@ -78,3 +78,56 @@ func (c *Sys) CapabilitiesWithContext(ctx context.Context, token, path string) (
 
 	return res, nil
 }
+
+func (c *Sys) CapabilitiesAccessor(accessor, path string) ([]string, error) {
+	return c.CapabilitiesAccessorWithContext(context.Background(), accessor, path)
+}
+
+func (c *Sys) CapabilitiesAccessorWithContext(ctx context.Context, accessor, path string) ([]string, error) {
+	ctx, cancelFunc := c.c.withConfiguredTimeout(ctx)
+	defer cancelFunc()
+
+	body := map[string]string{
+		"accessor": accessor,
+		"path":     path,
+	}
+
+	reqPath := "/v1/sys/capabilities-accessor"
+
+	r := c.c.NewRequest(http.MethodPost, reqPath)
+	if err := r.SetJSONBody(body); err != nil {
+		return nil, err
+	}
+
+	resp, err := c.c.rawRequestWithContext(ctx, r)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	secret, err := ParseSecret(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	if secret == nil || secret.Data == nil {
+		return nil, errors.New("data from server response is empty")
+	}
+
+	var res []string
+	err = mapstructure.Decode(secret.Data[path], &res)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(res) == 0 {
+		_, ok := secret.Data["capabilities"]
+		if ok {
+			err = mapstructure.Decode(secret.Data["capabilities"], &res)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	return res, nil
+}

audit/entry_filter.go

@@ -0,0 +1,91 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package audit
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/hashicorp/eventlogger"
+	"github.com/hashicorp/go-bexpr"
+	"github.com/hashicorp/vault/helper/namespace"
+	"github.com/hashicorp/vault/internal/observability/event"
+)
+
+var _ eventlogger.Node = (*EntryFilter)(nil)
+
+// NewEntryFilter should be used to create an EntryFilter node.
+// The filter supplied should be in bexpr format and reference fields from logical.LogInputBexpr.
+func NewEntryFilter(filter string) (*EntryFilter, error) {
+	const op = "audit.NewEntryFilter"
+
+	filter = strings.TrimSpace(filter)
+	if filter == "" {
+		return nil, fmt.Errorf("%s: cannot create new audit filter with empty filter expression: %w", op, event.ErrInvalidParameter)
+	}
+
+	eval, err := bexpr.CreateEvaluator(filter)
+	if err != nil {
+		return nil, fmt.Errorf("%s: cannot create new audit filter: %w", op, err)
+	}
+
+	return &EntryFilter{evaluator: eval}, nil
+}
+
+// Reopen is a no-op for the filter node.
+func (*EntryFilter) Reopen() error {
+	return nil
+}
+
+// Type describes the type of this node (filter).
+func (*EntryFilter) Type() eventlogger.NodeType {
+	return eventlogger.NodeTypeFilter
+}
+
+// Process will attempt to parse the incoming event data and decide whether it
+// should be filtered or remain in the pipeline and passed to the next node.
+func (f *EntryFilter) Process(ctx context.Context, e *eventlogger.Event) (*eventlogger.Event, error) {
+	const op = "audit.(EntryFilter).Process"
+
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	default:
+	}
+
+	if e == nil {
+		return nil, fmt.Errorf("%s: event is nil: %w", op, event.ErrInvalidParameter)
+	}
+
+	a, ok := e.Payload.(*AuditEvent)
+	if !ok {
+		return nil, fmt.Errorf("%s: cannot parse event payload: %w", op, event.ErrInvalidParameter)
+	}
+
+	// If we don't have data to process, then we're done.
+	if a.Data == nil {
+		return nil, nil
+	}
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("%s: cannot obtain namespace: %w", op, err)
+	}
+
+	datum := a.Data.BexprDatum(ns.Path)
+
+	result, err := f.evaluator.Evaluate(datum)
+	if err != nil {
+		return nil, fmt.Errorf("%s: unable to evaluate filter: %w", op, err)
+	}
+
+	if result {
+		// Allow this event to carry on through the pipeline.
+		return e, nil
+	}
+
+	// End process of this pipeline.
+	return nil, nil
+}