backport of commit 4654c15

hashicorp · Jun 13, 2023 · ff62085 · ff62085
1 parent a3657dc
commit ff62085
Show file tree

Hide file tree

Showing 4,214 changed files with 360,264 additions and 112,238 deletions.
diff --git a/.copywrite.hcl b/.copywrite.hcl
@@ -8,9 +8,8 @@ project {
   # Supports doublestar glob patterns for more flexibility in defining which
   # files or folders should be ignored
   header_ignore = [
-    "builtin/credential/aws/pkcs7/**",
+    "builtin/credentials/aws/pkcs7/**",
     "ui/node_modules/**",
     "enos/modules/k8s_deploy_vault/raft-config.hcl",
-    "plugins/database/postgresql/scram/**"
   ]
 }
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,6 +1,3 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: MPL-2.0
-
 contact_links:
   - name: Ask a question
     url: https://discuss.hashicorp.com/c/vault

diff --git a/.github/scripts/generate-test-package-lists.sh b/.github/scripts/generate-test-package-lists.sh
@@ -8,8 +8,6 @@
 # solution. It distributes the entire set of test packages into 16 sublists,
 # which should roughly take an equal amount of time to complete.
 
-set -e
-
 test_packages=()
 
 base="github.com/hashicorp/vault"
@@ -27,7 +25,7 @@ fi
 
 # Total time: 1009
 test_packages[3]+=" $base/builtin/credential/approle"
-test_packages[3]+=" $base/command/agentproxyshared/sink/file"
+test_packages[3]+=" $base/command/agent/sink/file"
 test_packages[3]+=" $base/command/agent/template"
 test_packages[3]+=" $base/helper/random"
 test_packages[3]+=" $base/helper/storagepacker"
@@ -46,7 +44,6 @@ test_packages[4]+=" $base/http"
 test_packages[4]+=" $base/sdk/helper/pluginutil"
 test_packages[4]+=" $base/serviceregistration/kubernetes"
 test_packages[4]+=" $base/tools/godoctests/pkg/analyzer"
-test_packages[4]+=" $base/tools/gonilnilfunctions/pkg/analyzer"
 if [ "${ENTERPRISE:+x}" == "x" ] ; then
     test_packages[4]+=" $base/vault/external_tests/apilock"
     test_packages[4]+=" $base/vault/external_tests/filteredpaths"
@@ -88,19 +85,16 @@ test_packages[6]+=" $base/builtin/audit/file"
 test_packages[6]+=" $base/builtin/credential/github"
 test_packages[6]+=" $base/builtin/credential/okta"
 test_packages[6]+=" $base/builtin/logical/database/dbplugin"
-test_packages[6]+=" $base/command/agentproxyshared/auth/cert"
-test_packages[6]+=" $base/command/agentproxyshared/auth/jwt"
-test_packages[6]+=" $base/command/agentproxyshared/auth/kerberos"
-test_packages[6]+=" $base/command/agentproxyshared/auth/kubernetes"
-test_packages[6]+=" $base/command/agentproxyshared/auth/token-file"
-test_packages[6]+=" $base/command/agentproxyshared"
-test_packages[6]+=" $base/command/agentproxyshared/cache"
-test_packages[6]+=" $base/command/agentproxyshared/cache/cacheboltdb"
-test_packages[6]+=" $base/command/agentproxyshared/cache/cachememdb"
-test_packages[6]+=" $base/command/agentproxyshared/cache/keymanager"
+test_packages[6]+=" $base/command/agent/auth/cert"
+test_packages[6]+=" $base/command/agent/auth/jwt"
+test_packages[6]+=" $base/command/agent/auth/kerberos"
+test_packages[6]+=" $base/command/agent/auth/kubernetes"
+test_packages[6]+=" $base/command/agent/auth/token-file"
+test_packages[6]+=" $base/command/agent/cache"
+test_packages[6]+=" $base/command/agent/cache/cacheboltdb"
+test_packages[6]+=" $base/command/agent/cache/cachememdb"
+test_packages[6]+=" $base/command/agent/cache/keymanager"
 test_packages[6]+=" $base/command/agent/config"
-test_packages[6]+=" $base/command/agent/exec"
-test_packages[6]+=" $base/command/proxy/config"
 test_packages[6]+=" $base/command/config"
 test_packages[6]+=" $base/command/token"
 if [ "${ENTERPRISE:+x}" == "x" ] ; then
@@ -203,7 +197,7 @@ test_packages[7]+=" $base/vault/quotas"
 # Total time: 779
 test_packages[8]+=" $base/builtin/credential/aws/pkcs7"
 test_packages[8]+=" $base/builtin/logical/totp"
-test_packages[8]+=" $base/command/agentproxyshared/auth"
+test_packages[8]+=" $base/command/agent/auth"
 test_packages[8]+=" $base/physical/raft"
 test_packages[8]+=" $base/sdk/framework"
 test_packages[8]+=" $base/sdk/plugin"
@@ -252,7 +246,6 @@ test_packages[13]+=" $base/command/server"
 test_packages[13]+=" $base/physical/aerospike"
 test_packages[13]+=" $base/physical/cockroachdb"
 test_packages[13]+=" $base/plugins/database/postgresql"
-test_packages[13]+=" $base/plugins/database/postgresql/scram"
 if [ "${ENTERPRISE:+x}" == "x" ] ; then
     test_packages[13]+=" $base/vault/external_tests/filteredpathsext"
 fi
@@ -288,9 +281,3 @@ if [ "${ENTERPRISE:+x}" == "x" ] ; then
     test_packages[16]+=" $base/vault/external_tests/replicationext"
     test_packages[16]+=" $base/vault/external_tests/sealext"
 fi
-
-for i in $(cd $(git rev-parse --show-toplevel) && go list -test -json ./... |
-  jq -r '.ForTest | select(.!=null) | select(.|test("_binary$"))');
-do
-  test_packages[17]+=" $i"
-done
diff --git a/.github/scripts/verify_changes.sh b/.github/scripts/verify_changes.sh
@@ -3,13 +3,15 @@
 
 event_type=$1 # GH event type (pull_request)
 ref_name=$2 # branch reference that triggered the workflow
-base_ref=$3 # PR branch base ref
+head_ref=$3 # PR branch head ref
+base_ref=$4 # PR branch base ref
 
 changed_dir=""
 
 if [[ "$event_type" == "pull_request" ]]; then
+  git fetch --no-tags --prune origin $head_ref
   git fetch --no-tags --prune origin $base_ref
-  head_commit="HEAD"
+  head_commit="origin/$head_ref"
   base_commit="origin/$base_ref"
 else
   git fetch --no-tags --prune origin $ref_name

diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -10,6 +10,6 @@ jobs:
   actionlint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
       - name: "Check workflow files"
         uses: docker://docker.mirror.hashicorp.services/rhysd/actionlint@sha256:93834930f56ca380be3e9a3377670d7aa5921be251b9c774891a39b3629b83b8
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -11,7 +11,7 @@ jobs:
   backport-targeted-release-branch:
     if: github.event.pull_request.merged
     runs-on: ubuntu-latest
-    container: hashicorpdev/backport-assistant:0.3.3
+    container: hashicorpdev/backport-assistant:0.3.0
     steps:
       - name: Backport changes to targeted release branch
         run: |

diff --git a/.github/workflows/build-vault-oss.yml b/.github/workflows/build-vault-oss.yml
@@ -40,14 +40,14 @@ jobs:
     runs-on: ubuntu-latest
     name: Vault ${{ inputs.goos }} ${{ inputs.goarch }} v${{ inputs.vault-version }}
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
         with:
           go-version: ${{ inputs.go-version }}
       - name: Set up node and yarn
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        uses: actions/setup-node@v3
         with:
-          node-version-file: './ui/package.json'
+          node-version: 14
           cache: yarn
           cache-dependency-path: ui/yarn.lock
       - name: Build UI
@@ -68,7 +68,7 @@ jobs:
         env:
           BUNDLE_PATH: out/${{ env.ARTIFACT_BASENAME }}.zip
         run: make ci-bundle
-      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      - uses: actions/upload-artifact@v3
         with:
           name: ${{ env.ARTIFACT_BASENAME }}.zip
           path: out/${{ env.ARTIFACT_BASENAME }}.zip
@@ -96,13 +96,13 @@ jobs:
           echo "RPM_PACKAGE=$(basename out/*.rpm)" >> "$GITHUB_ENV"
           echo "DEB_PACKAGE=$(basename out/*.deb)" >> "$GITHUB_ENV"
       - if: ${{ inputs.create-packages }}
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@v3
         with:
           name: ${{ env.RPM_PACKAGE }}
           path: out/${{ env.RPM_PACKAGE }}
           if-no-files-found: error
       - if: ${{ inputs.create-packages }}
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@v3
         with:
           name: ${{ env.DEB_PACKAGE }}
           path: out/${{ env.DEB_PACKAGE }}

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,11 +4,6 @@ name: build
 on:
   workflow_dispatch:
   pull_request:
-    # The default types for pull_request are [ opened, synchronize, reopened ].
-    # This is insufficient for our needs, since we're skipping stuff on PRs in
-    # draft mode.  By adding the ready_for_review type, when a draft pr is marked
-    # ready, we run everything, including the stuff we'd have skipped up until now.
-    types: [ opened, synchronize, reopened, ready_for_review ]
   push:
     branches:
       - main
@@ -17,22 +12,19 @@ on:
 jobs:
   # verify-changes determines if the changes are only for docs (website)
   verify-changes:
-    if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
     outputs:
       is_docs_change: ${{ steps.get-changeddir.outputs.is_docs_change }}
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          fetch-depth: 0 # Use fetch depth 0 for comparing changes to base branch
+      - uses: actions/checkout@v3
       - name: Get changed directories
         id: get-changeddir
         env:
           TYPE: ${{ github.event_name }}
           REF_NAME: ${{ github.ref_name }}
+          HEAD_REF: ${{ github.head_ref }}
           BASE: ${{ github.base_ref }}
-        run: ./.github/scripts/verify_changes.sh ${{ env.TYPE }} ${{ env.REF_NAME }} ${{ env.BASE }}
+        run: ./.github/scripts/verify_changes.sh ${{ env.TYPE }} ${{ env.REF_NAME }} ${{ env.HEAD_REF }} ${{ env.BASE }}
 
   product-metadata:
     # do not run build and test steps for docs changes
@@ -51,7 +43,7 @@ jobs:
       vault-version: ${{ steps.get-metadata.outputs.vault-version }}
       vault-base-version: ${{ steps.get-metadata.outputs.vault-base-version }}
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@v3
       - name: Get metadata
         id: get-metadata
         env:
@@ -73,7 +65,7 @@ jobs:
         with:
           version: ${{ steps.get-metadata.outputs.vault-version }}
           product: ${{ steps.get-metadata.outputs.package-name }}
-      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      - uses: actions/upload-artifact@v3
         with:
           name: metadata.json
           path: ${{ steps.generate-metadata-file.outputs.filepath }}
@@ -152,7 +144,7 @@ jobs:
       matrix:
         arch: [arm, arm64, 386, amd64]
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@v3
       - uses: hashicorp/actions-docker-build@v1
         with:
           version: ${{ needs.product-metadata.outputs.vault-version }}
@@ -173,7 +165,7 @@ jobs:
       matrix:
         arch: [amd64]
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@v2
       - uses: hashicorp/actions-docker-build@v1
         with:
           version: ${{ needs.product-metadata.outputs.vault-version }}
@@ -184,15 +176,6 @@ jobs:
 
   test:
     name: Test ${{ matrix.build-artifact-name }}
-    # Only run the Enos workflow against branches that are created from the
-    # hashicorp/vault repository. This has the effect of limiting execution of
-    # Enos scenarios to branches that originate from authors that have write
-    # access to hashicorp/vault repository. This is required as Github Actions
-    # will not populate the required secrets for branches created by outside
-    # contributors in order to protect the secrets integrity.
-    # This condition can be removed in future if enos workflow is updated to
-    # workflow_run event
-    if: "! github.event.pull_request.head.repo.fork"
     needs:
       - product-metadata
       - build-linux
@@ -216,16 +199,6 @@ jobs:
 
   test-docker-k8s:
     name: Test Docker K8s
-    # Only run the Enos workflow against branches that are created from the
-    # hashicorp/vault repository. This has the effect of limiting execution of
-    # Enos scenarios to branches that originate from authors that have write
-    # access to hashicorp/vault repository. This is required as Github Actions
-    # will not populate the required secrets for branches created by outside
-    # contributors in order to protect the secrets integrity.
-    # GHA secrets are only ready on workflow_run for public repo
-    # This condition can be removed in future if enos workflow is updated to
-    # workflow_run event
-    if: "! github.event.pull_request.head.repo.fork"
     needs:
       - product-metadata
       - build-docker

diff --git a/.github/workflows/changelog-checker.yml b/.github/workflows/changelog-checker.yml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@v2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0 # by default the checkout action doesn't checkout all branches