Merge branch 'main' into dependabot/github_actions/hashicorp/vault-ac…

…tion-3.0.0

.github/actions/build-vault/action.yml

@@ -143,8 +143,7 @@ runs:
         BUNDLE_PATH: out/${{ steps.metadata.outputs.artifact-basename }}.zip
       shell: bash
       run: make ci-bundle
-    # Use actions/upload-artifact @3.x until https://hashicorp.atlassian.net/browse/HREL-99 is resolved
-    - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+    - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: ${{ steps.metadata.outputs.artifact-basename }}.zip
         path: out/${{ steps.metadata.outputs.artifact-basename }}.zip
@@ -176,15 +175,13 @@ runs:
           echo "deb-files=$(basename out/*.deb)"
         } | tee -a "$GITHUB_OUTPUT"
     - if: inputs.create-packages == 'true'
-      # Use actions/upload-artifact @3.x until https://hashicorp.atlassian.net/browse/HREL-99 is resolved
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: ${{ steps.package-files.outputs.rpm-files }}
         path: out/${{ steps.package-files.outputs.rpm-files }}
         if-no-files-found: error
     - if: inputs.create-packages == 'true'
-      # Use actions/upload-artifact @3.x until https://hashicorp.atlassian.net/browse/HREL-99 is resolved
-      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: ${{ steps.package-files.outputs.deb-files }}
         path: out/${{ steps.package-files.outputs.deb-files }}

.github/actions/containerize/action.yml

@@ -90,7 +90,7 @@ runs:
         [[ ! -d "$dest_dir" ]] && mkdir -p "$dest_dir"
         [[ ! -f "$dest_path" ]] && cp ${{ inputs.vault-binary-path }} "${dest_path}"
     - if: inputs.docker == 'true'
-      uses: hashicorp/actions-docker-build@v1
+      uses: hashicorp/actions-docker-build@v2
       with:
         arch: ${{ inputs.goarch }}
         do_zip_extract_step: 'false' # Don't download and extract an already present binary
@@ -99,7 +99,7 @@ runs:
         revision: ${{ steps.vars.outputs.revision }}
         version: ${{ steps.vars.outputs.container-version }}
     - if: inputs.redhat == 'true'
-      uses: hashicorp/actions-docker-build@v1
+      uses: hashicorp/actions-docker-build@v2
       with:
         arch: ${{ inputs.goarch }}
         do_zip_extract_step: 'false' # Don't download and extract an already present binary

.github/actions/set-up-go/action.yml

@@ -40,7 +40,7 @@ runs:
         else
           echo "go-version=${{ inputs.go-version }}" | tee -a "$GITHUB_OUTPUT"
         fi
-    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: ${{ steps.go-version.outputs.go-version }}
         cache: false # We use our own caching strategy

.github/workflows/build.yml

@@ -111,7 +111,7 @@ jobs:
       - uses: ./.github/actions/checkout
         id: checkout # Make sure we check out correct ref after checking changed files
       # Get the vault version metadata
-      - uses: hashicorp/actions-set-product-version@v1
+      - uses: hashicorp/actions-set-product-version@d9b52fb778068099ca4c5e28e1ca0fee2544e114 # v2
         id: set-product-version
         with:
           checkout: false # don't override the reference we've checked out
@@ -389,8 +389,7 @@ jobs:
         with:
           version: ${{ needs.setup.outputs.vault-version-metadata }}
           product: ${{ needs.setup.outputs.vault-binary-name }}
-      # Use actions/upload-artifact @3.x until https://hashicorp.atlassian.net/browse/HREL-99 is resolved
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         if: steps.generate-metadata-file.outcome == 'success' # upload our metadata if we created it
         with:
           name: metadata.json

.github/workflows/ci.yml

@@ -164,7 +164,7 @@ jobs:
           node-version-file: './ui/package.json'
           cache: yarn
           cache-dependency-path: ui/yarn.lock
-      - uses: browser-actions/setup-chrome@82b9ce628cc5595478a9ebadc480958a36457dc2 # v1.6.0
+      - uses: browser-actions/setup-chrome@361a23fcf94a523a91c9cfae6f11c2a5c2d87f64 # v1.6.1
       - name: ui-dependencies
         working-directory: ./ui
         run: |

.github/workflows/enos-lint.yml

@@ -19,7 +19,7 @@ jobs:
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - id: set-product-version
-        uses: hashicorp/actions-set-product-version@v1
+        uses: hashicorp/actions-set-product-version@d9b52fb778068099ca4c5e28e1ca0fee2544e114 # v2
       - id: metadata
         run: |
           echo "version=${{ steps.set-product-version.outputs.product-version }}" >> "$GITHUB_OUTPUT"

.github/workflows/enos-release-testing-oss.yml

@@ -69,4 +69,4 @@ jobs:
     needs: test
     steps:
       - name: Persist metadata
-        uses: hashicorp/actions-persist-metadata@v1
+        uses: hashicorp/actions-persist-metadata@v2

.github/workflows/enos-run-k8s.yml

@@ -45,8 +45,7 @@ jobs:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
       - name: Download Docker Image
         id: download
-        # Use actions/download-artifact @3.x until https://hashicorp.atlassian.net/browse/HREL-99 is resolved
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: ${{ inputs.artifact-name }}
           path: ./enos/support/downloads

.github/workflows/plugin-update-check.yml

@@ -29,7 +29,7 @@ jobs:
           # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
           token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
 
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
           go-version-file: .go-version

.github/workflows/plugin-update.yml

@@ -25,7 +25,7 @@ jobs:
           # https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
           token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
 
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
           go-version-file: .go-version

.github/workflows/security-scan.yml

@@ -20,12 +20,12 @@ jobs:
     # won't have the permissions to run this job.
     if: ${{ (github.repository != 'hashicorp/vault' || (github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name))
           && (github.actor != 'dependabot[bot]') && ( github.actor != 'hc-github-team-secure-vault-core') }}
-    
+
     steps:
     - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 
     - name: Set up Go
-      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         cache: false # save cache space for vault builds: https://github.com/hashicorp/vault/pull/21764
         go-version-file: .go-version

.github/workflows/test-enos-scenario-ui.yml

@@ -109,7 +109,7 @@ jobs:
           sudo apt install -y libnss3-dev libgdk-pixbuf2.0-dev libgtk-3-dev libxss-dev libasound2
       - name: Install Chrome
         if: steps.chrome-check.outputs.chrome-version == 'not-installed'
-        uses: browser-actions/setup-chrome@82b9ce628cc5595478a9ebadc480958a36457dc2 # v1.6.0
+        uses: browser-actions/setup-chrome@361a23fcf94a523a91c9cfae6f11c2a5c2d87f64 # v1.6.1
       - name: Installed Chrome Version
         run: |
           echo "Installed Chrome Version = [$(chrome --version 2> /dev/null || google-chrome --version 2> /dev/null || google-chrome-stable --version 2> /dev/null)]"

.github/workflows/test-go.yml

@@ -306,6 +306,15 @@ jobs:
         run: |
           git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN}}@github.com".insteadOf https://github.com
       - uses: ./.github/actions/install-external-tools
+      - name: Build Vault HSM binary for tests
+        if: inputs.binary-tests && matrix.id == inputs.total-runners && github.repository == 'hashicorp/vault-enterprise'
+        env:
+          GOPRIVATE: github.com/hashicorp/*
+        run: |
+          set -exo pipefail
+          time make prep enthsmdev
+          # The subsequent build of vault will blow away the bin folder
+          mv bin/vault vault-hsm-binary
       - if: inputs.binary-tests && matrix.id == inputs.total-runners
         name: Build dev binary for binary tests
         # The dev mode binary has to exist for binary tests that are dispatched on the last runner.
@@ -400,6 +409,11 @@ jobs:
           # parallelism.  The default if -p isn't specified is to use NumCPUs, which seems fine for regular tests.
           package_parallelism=""
 
+          if [ -f vault-hsm-binary ]; then
+            VAULT_HSM_BINARY="$(pwd)/vault-hsm-binary"
+            export VAULT_HSM_BINARY
+          fi
+
           if [ -f bin/vault ]; then
             VAULT_BINARY="$(pwd)/bin/vault"
             export VAULT_BINARY

.github/workflows/test-run-enos-scenario-matrix.yml

@@ -127,8 +127,7 @@ jobs:
           chmod 600 "./enos/support/private_key.pem"
           echo "debug_data_artifact_name=enos-debug-data_$(echo "${{ matrix.scenario }}" | sed -e 's/ /_/g' | sed -e 's/:/=/g')" >> "$GITHUB_OUTPUT"
       - if: contains(inputs.sample-name, 'build')
-        # Use actions/download-artifact @3.x until https://hashicorp.atlassian.net/browse/HREL-99 is resolved
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: ${{ inputs.build-artifact-name }}
           path: ./enos/support/downloads
@@ -176,28 +175,28 @@ jobs:
       # https://api.slack.com/apps/A05E31CH1LG/incoming-webhooks
       - if: ${{ always() && ! cancelled() }}
         name: Notify launch failed
-        uses: hashicorp/actions-slack-status@v1
+        uses: hashicorp/actions-slack-status@v2
         with:
           failure-message: "enos scenario launch ${{ matrix.scenario.id.filter}} failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`"
           status: ${{ steps.launch.outcome }}
           slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
       - if: ${{ always() && ! cancelled() }}
         name: Notify retry launch failed
-        uses: hashicorp/actions-slack-status@v1
+        uses: hashicorp/actions-slack-status@v2
         with:
           failure-message: "retry enos scenario launch ${{ matrix.scenario.id.filter}} failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`"
           status: ${{ steps.launch_retry.outcome }}
           slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
       - if: ${{ always() && ! cancelled() }}
         name: Notify destroy failed
-        uses: hashicorp/actions-slack-status@v1
+        uses: hashicorp/actions-slack-status@v2
         with:
           failure-message: "enos scenario destroy ${{ matrix.scenario.id.filter}} failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`"
           status: ${{ steps.destroy.outcome }}
           slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
       - if: ${{ always() && ! cancelled() }}
         name: Notify retry destroy failed
-        uses: hashicorp/actions-slack-status@v1
+        uses: hashicorp/actions-slack-status@v2
         with:
           failure-message: "retry enos scenario destroy ${{ matrix.scenario.id.filter}} failed. \nTriggering event: `${{ github.event_name }}` \nActor: `${{ github.actor }}`"
           status: ${{ steps.destroy_retry.outcome }}

CHANGELOG.md

@@ -418,6 +418,10 @@ leading to failure to complete merkle sync without a full re-index. [[GH-23013](
 ## 1.15.8 Enterprise
 ### April 24, 2024
 
+SECURITY:
+
+* core (enterprise): fix bug where http headers were displayed in the audit log of a performance standby node [HCSEC-2024-10](https://discuss.hashicorp.com/t/hcsec-2024-10-vault-enterprise-leaks-sensitive-http-request-headers-in-audit-log-when-deployed-with-a-performance-standby-node) 
+
 CHANGES:
 
 * core: Bump Go version to 1.21.9.

api/lifetime_watcher.go

@@ -6,6 +6,7 @@ package api
 import (
 	"errors"
 	"math/rand"
+	"strings"
 	"sync"
 	"time"
 
@@ -289,12 +290,18 @@ func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool,
 		switch {
 		case nonRenewable || r.renewBehavior == RenewBehaviorRenewDisabled:
 			// Can't or won't renew, just keep the same expiration so we exit
-			// when it's reauthentication time
+			// when it's re-authentication time
 			remainingLeaseDuration = fallbackLeaseDuration
 
 		default:
 			// Renew the token
 			renewal, err = renew(credString, r.increment)
+			if err != nil && strings.Contains(err.Error(), "permission denied") {
+				// We can't renew since the token doesn't have permission to. Fall back
+				// to the code path for non-renewable tokens.
+				nonRenewable = true
+				continue
+			}
 			if err != nil || renewal == nil || (tokenMode && renewal.Auth == nil) {
 				if r.renewBehavior == RenewBehaviorErrorOnErrors {
 					if err != nil {

api/renewer_test.go

@@ -177,6 +177,20 @@ func TestLifetimeWatcher(t *testing.T) {
 			expectError:   nil,
 			expectRenewal: true,
 		},
+		{
+			maxTestTime:          time.Second,
+			name:                 "permission_denied_error",
+			leaseDurationSeconds: 60,
+			incrementSeconds:     10,
+			// This should cause the lifetime watcher to behave just
+			// like a non-renewable secret, i.e. wait until its lifetime
+			// then be done.
+			renew: func(_ string, _ int) (*Secret, error) {
+				return nil, fmt.Errorf("permission denied")
+			},
+			expectError:   nil,
+			expectRenewal: false,
+		},
 	}
 
 	for _, tc := range cases {
@@ -204,7 +218,9 @@ func TestLifetimeWatcher(t *testing.T) {
 			for {
 				select {
 				case <-time.After(tc.maxTestTime):
-					t.Fatalf("renewal didn't happen")
+					if tc.expectRenewal || tc.expectError != nil {
+						t.Fatalf("expected error or renewal, and neither happened")
+					}
 				case r := <-v.RenewCh():
 					if !tc.expectRenewal {
 						t.Fatal("expected no renewals")

audit/headers.go

@@ -163,6 +163,21 @@ func (a *HeadersConfig) Remove(ctx context.Context, header string) error {
 	return nil
 }
 
+// DefaultHeaders can be used to retrieve the set of default headers that will be
+// added to HeadersConfig in order to allow them to appear in audit logs in a raw
+// format. If the Vault Operator adds their own setting for any of the defaults,
+// their setting will be honored.
+func (a *HeadersConfig) DefaultHeaders() map[string]*HeaderSettings {
+	// Support deprecated 'x-' prefix (https://datatracker.ietf.org/doc/html/rfc6648)
+	const correlationID = "correlation-id"
+	xCorrelationID := fmt.Sprintf("x-%s", correlationID)
+
+	return map[string]*HeaderSettings{
+		correlationID:  {},
+		xCorrelationID: {},
+	}
+}
+
 // Invalidate attempts to refresh the allowed audit headers and their settings.
 // NOTE: Invalidate will acquire a write lock in order to update the underlying headers.
 func (a *HeadersConfig) Invalidate(ctx context.Context) error {
@@ -192,6 +207,14 @@ func (a *HeadersConfig) Invalidate(ctx context.Context) error {
 		lowerHeaders[strings.ToLower(k)] = v
 	}
 
+	// Ensure that we have default headers configured to appear in the audit log.
+	// Add them if they're missing.
+	for header, setting := range a.DefaultHeaders() {
+		if _, ok := lowerHeaders[header]; !ok {
+			lowerHeaders[header] = setting
+		}
+	}
+
 	a.headerSettings = lowerHeaders
 	return nil
 }