backport of commit 38f51cc

.circleci/config/commands/exit-if-branch-does-not-need-test-ui.yml

@@ -6,7 +6,7 @@ steps:
       name: Check branch name
       command: |
         case "$CIRCLE_BRANCH" in
-        main|ui/*|release/*|merge*) ;;
+        main|ui/*|backport/ui/*|release/*|merge*) ;;
         *) # If the branch being tested doesn't match one of the above patterns,
            # we don't need to run test-ui and can abort the job.
            circleci-agent step halt

.github/workflows/build.yml

@@ -4,8 +4,8 @@ on:
   push:
     # Sequence of patterns matched against refs/heads
     branches:    
-      # Push events on main branch
-      - main
+      # Push events on release/1.10.x branch
+      - release/1.10.x
 
 env:
   PKG_NAME: "vault"
@@ -146,7 +146,7 @@ jobs:
           path: out/${{ env.PKG_NAME }}_${{ needs.get-product-version.outputs.product-version }}_${{ matrix.goos }}_${{ matrix.goarch }}.zip
 
       - name: Package
-        uses: hashicorp/actions-packaging-linux@v1.2
+        uses: hashicorp/actions-packaging-linux@v1
         with:
           name: ${{ github.event.repository.name }}
           description: "Vault is a tool for secrets management, encryption as a service, and privileged access management."

.github/workflows/changelog-checker.yml

@@ -25,18 +25,11 @@ jobs:
       - name: Check for changelog entry in diff
         run: |
           # check if there is a diff in the changelog directory
-          if [ ${{ github.event.repository.name }} == "vault-enterprise" ]; then
-            expected_changelog_file=changelog/_${{ github.event.pull_request.number }}.txt
-          else
-            expected_changelog_file=changelog/${{ github.event.pull_request.number }}.txt
-          fi
-
-          echo "looking for changelog file ${expected_changelog_file}"
-          changelog_files=$(git --no-pager diff --name-only HEAD "$(git merge-base HEAD "origin/${{ github.event.pull_request.base.ref }}")" -- ${expected_changelog_file})
+          changelog_files=$(git --no-pager diff --name-only HEAD "$(git merge-base HEAD "origin/${{ github.event.pull_request.base.ref }}")" -- changelog/${{ github.event.pull_request.number }}.txt)
 
           # If we do not find a file matching the PR # in changelog/, we fail the check
           if [ -z "$changelog_files" ]; then
-            echo "Did not find a changelog entry named ${expected_changelog_file}"
+            echo "Did not find a changelog entry named ${{ github.event.pull_request.number }}.txt"
             echo "If your changelog file is correct, skip this check with the 'pr/no-changelog' label"
             echo "Reference - https://github.com/hashicorp/vault/pull/10363 and https://github.com/hashicorp/vault/pull/11894"
             exit 1

.gitignore

@@ -29,7 +29,8 @@ _testmain.go
 /pkg/
 
 # Generated Web UI goes here
-/http/web_ui/**
+/http/web_ui/*.*
+/http/web_ui/**/*.*
 
 # Vault-specific
 example.hcl

.release/ci.hcl

@@ -8,13 +8,7 @@ project "vault" {
   github {
     organization = "hashicorp"
     repository = "vault"
-    release_branches = [
-      "main",
-      "release/1.7.x",
-      "release/1.8.x",
-      "release/1.9.x",
-      "release/1.10.x",
-    ]
+    release_branches = ["release/1.10.x"]
   }
 }
 

.release/release-metadata.hcl

@@ -0,0 +1,6 @@
+url_docker_registry_dockerhub = "https://hub.docker.com/r/hashicorp/vault"
+url_docker_registry_ecr = "https://gallery.ecr.aws/hashicorp/vault"
+url_license = "https://github.com/hashicorp/vault/blob/main/LICENSE"
+url_project_website = "https://www.vaultproject.io/"
+url_source_repository = "https://github.com/hashicorp/vault"
+url_release_notes = "https://www.vaultproject.io/docs/release-notes"

CODEOWNERS

@@ -25,7 +25,11 @@
 /command/agent/               @hashicorp/vault-ecosystem
 /plugins/                     @hashicorp/vault-ecosystem
 
-/website/content/                         @taoism4504
+# Disabling for now to see if manually adding the reviewer when a PR
+# is ready will be more useful and accurate. There have been cases where
+# docs are being reviewed against PRs that haven't been vetted for acceptance.
+# /website/content/                         @taoism4504
+
 /website/content/docs/plugin-portal.mdx   @taoism4504  @acahn
 
 # UI code related to Vault's JWT/OIDC auth method and OIDC provider.

Dockerfile

@@ -1,15 +1,15 @@
 FROM alpine:3.15 as default
 
 ARG BIN_NAME
-# NAME and PRODUCT_VERSION are the name of the software in releases.hashicorp.com
-# and the version to download. Example: NAME=vault PRODUCT_VERSION=1.2.3.
+# NAME and VERSION are the name of the software in releases.hashicorp.com
+# and the version to download. Example: NAME=vault VERSION=1.2.3.
 ARG NAME=vault
-ARG PRODUCT_VERSION
+ARG VERSION
 # TARGETARCH and TARGETOS are set automatically when --platform is provided.
 ARG TARGETOS TARGETARCH
 
 LABEL maintainer="Vault Team <vault@hashicorp.com>"
-LABEL version=${PRODUCT_VERSION}
+LABEL version=$VERSION
 
 # Set ARGs as ENV so that they can be used in ENTRYPOINT/CMD
 ENV NAME=$NAME

Makefile

@@ -139,18 +139,12 @@ update-plugins:
 static-assets-dir:
 	@mkdir -p ./http/web_ui
 
-install-ui-dependencies:
+test-ember:
 	@echo "--> Installing JavaScript assets"
 	@cd ui && yarn --ignore-optional
-
-test-ember: install-ui-dependencies
 	@echo "--> Running ember tests"
 	@cd ui && yarn run test:oss
 
-test-ember-enos: install-ui-dependencies
-	@echo "--> Running ember tests with a real backend"
-	@cd ui && yarn run test:enos
-
 ember-ci-test: # Deprecated, to be removed soon.
 	@echo "ember-ci-test is deprecated in favour of test-ui-browserstack"
 	@exit 1
@@ -164,23 +158,29 @@ check-browserstack-creds:
 	@[ -n "$$BROWSERSTACK_ACCESS_KEY" ] || { echo "BROWSERSTACK_ACCESS_KEY not set"; exit 1; }
 	@[ -n "$$BROWSERSTACK_USERNAME" ] || { echo "BROWSERSTACK_USERNAME not set"; exit 1; }
 
-test-ui-browserstack: check-vault-in-path check-browserstack-creds install-ui-dependencies
+test-ui-browserstack: check-vault-in-path check-browserstack-creds
+	@echo "--> Installing JavaScript assets"
+	@cd ui && yarn --ignore-optional
 	@echo "--> Running ember tests in Browserstack"
 	@cd ui && yarn run test:browserstack
 
-ember-dist: install-ui-dependencies
+ember-dist:
+	@echo "--> Installing JavaScript assets"
+	@cd ui && yarn --ignore-optional
 	@cd ui && npm rebuild node-sass
 	@echo "--> Building Ember application"
 	@cd ui && yarn run build
 	@rm -rf ui/if-you-need-to-delete-this-open-an-issue-async-disk-cache
 
-ember-dist-dev: install-ui-dependencies
+ember-dist-dev:
+	@echo "--> Installing JavaScript assets"
+	@cd ui && yarn --ignore-optional
 	@cd ui && npm rebuild node-sass
 	@echo "--> Building Ember application"
 	@cd ui && yarn run build:dev
 
-static-dist: ember-dist
-static-dist-dev: ember-dist-dev
+static-dist: ember-dist 
+static-dist-dev: ember-dist-dev 
 
 proto: bootstrap
 	protoc --go_out=. --go_opt=paths=source_relative --go-grpc_out=. --go-grpc_opt=paths=source_relative vault/*.proto

api/client.go

@@ -53,14 +53,6 @@ const (
 	HeaderIndex           = "X-Vault-Index"
 	HeaderForward         = "X-Vault-Forward"
 	HeaderInconsistent    = "X-Vault-Inconsistent"
-	TLSErrorString        = "This error usually means that the server is running with TLS disabled\n" +
-		"but the client is configured to use TLS. Please either enable TLS\n" +
-		"on the server or run the client with -address set to an address\n" +
-		"that uses the http protocol:\n\n" +
-		"    vault <command> -address http://<address>\n\n" +
-		"You can also set the VAULT_ADDR environment variable:\n\n\n" +
-		"    VAULT_ADDR=http://<address> vault <command>\n\n" +
-		"where <address> is replaced by the actual address to the server."
 )
 
 // Deprecated values
@@ -1135,9 +1127,12 @@ func (c *Client) RawRequestWithContext(ctx context.Context, r *Request) (*Respon
 		limiter.Wait(ctx)
 	}
 
-	// check the token before potentially erroring from the API
-	if err := validateToken(token); err != nil {
-		return nil, err
+	// Sanity check the token before potentially erroring from the API
+	idx := strings.IndexFunc(token, func(c rune) bool {
+		return !unicode.IsPrint(c)
+	})
+	if idx != -1 {
+		return nil, fmt.Errorf("configured Vault token contains non-printable characters and cannot be used")
 	}
 
 	redirectCount := 0
@@ -1197,7 +1192,17 @@ START:
 	}
 	if err != nil {
 		if strings.Contains(err.Error(), "tls: oversized") {
-			err = errwrap.Wrapf("{{err}}\n\n"+TLSErrorString, err)
+			err = errwrap.Wrapf(
+				"{{err}}\n\n"+
+					"This error usually means that the server is running with TLS disabled\n"+
+					"but the client is configured to use TLS. Please either enable TLS\n"+
+					"on the server or run the client with -address set to an address\n"+
+					"that uses the http protocol:\n\n"+
+					"    vault <command> -address http://<address>\n\n"+
+					"You can also set the VAULT_ADDR environment variable:\n\n\n"+
+					"    VAULT_ADDR=http://<address> vault <command>\n\n"+
+					"where <address> is replaced by the actual address to the server.",
+				err)
 		}
 		return result, err
 	}
@@ -1244,120 +1249,6 @@ START:
 	return result, nil
 }
 
-// httpRequestWithContext avoids the use of the go-retryable library found in RawRequestWithContext and is
-// useful when making calls where a net/http client is desirable. A single redirect (status code 301, 302,
-// or 307) will be followed but all retry and timeout logic is the responsibility of the caller as is
-// closing the Response body.
-func (c *Client) httpRequestWithContext(ctx context.Context, r *Request) (*Response, error) {
-	req, err := http.NewRequestWithContext(ctx, r.Method, r.URL.RequestURI(), r.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	c.modifyLock.RLock()
-	token := c.token
-
-	c.config.modifyLock.RLock()
-	limiter := c.config.Limiter
-	httpClient := c.config.HttpClient
-	outputCurlString := c.config.OutputCurlString
-	if c.headers != nil {
-		for header, vals := range c.headers {
-			for _, val := range vals {
-				req.Header.Add(header, val)
-			}
-		}
-	}
-	c.config.modifyLock.RUnlock()
-	c.modifyLock.RUnlock()
-
-	// OutputCurlString logic relies on the request type to be retryable.Request as
-	if outputCurlString {
-		return nil, fmt.Errorf("output-curl-string is not implemented for this request")
-	}
-
-	req.URL.User = r.URL.User
-	req.URL.Scheme = r.URL.Scheme
-	req.URL.Host = r.URL.Host
-	req.Host = r.URL.Host
-
-	if len(r.ClientToken) != 0 {
-		req.Header.Set(consts.AuthHeaderName, r.ClientToken)
-	}
-
-	if len(r.WrapTTL) != 0 {
-		req.Header.Set("X-Vault-Wrap-TTL", r.WrapTTL)
-	}
-
-	if len(r.MFAHeaderVals) != 0 {
-		for _, mfaHeaderVal := range r.MFAHeaderVals {
-			req.Header.Add("X-Vault-MFA", mfaHeaderVal)
-		}
-	}
-
-	if r.PolicyOverride {
-		req.Header.Set("X-Vault-Policy-Override", "true")
-	}
-
-	if limiter != nil {
-		limiter.Wait(ctx)
-	}
-
-	// check the token before potentially erroring from the API
-	if err := validateToken(token); err != nil {
-		return nil, err
-	}
-
-	var result *Response
-
-	resp, err := httpClient.Do(req)
-
-	if resp != nil {
-		result = &Response{Response: resp}
-	}
-
-	if err != nil {
-		if strings.Contains(err.Error(), "tls: oversized") {
-			err = errwrap.Wrapf("{{err}}\n\n"+TLSErrorString, err)
-		}
-		return result, err
-	}
-
-	// Check for a redirect, only allowing for a single redirect
-	if resp.StatusCode == 301 || resp.StatusCode == 302 || resp.StatusCode == 307 {
-		// Parse the updated location
-		respLoc, err := resp.Location()
-		if err != nil {
-			return result, fmt.Errorf("redirect failed: %s", err)
-		}
-
-		// Ensure a protocol downgrade doesn't happen
-		if req.URL.Scheme == "https" && respLoc.Scheme != "https" {
-			return result, fmt.Errorf("redirect would cause protocol downgrade")
-		}
-
-		// Update the request
-		req.URL = respLoc
-
-		// Reset the request body if any
-		if err := r.ResetJSONBody(); err != nil {
-			return result, fmt.Errorf("redirect failed: %s", err)
-		}
-
-		// Retry the request
-		resp, err = httpClient.Do(req)
-		if err != nil {
-			return result, fmt.Errorf("redirect failed: %s", err)
-		}
-	}
-
-	if err := result.Error(); err != nil {
-		return nil, err
-	}
-
-	return result, nil
-}
-
 type (
 	RequestCallback  func(*Request)
 	ResponseCallback func(*Response)
@@ -1575,14 +1466,3 @@ func (w *replicationStateStore) states() []string {
 	copy(c, w.store)
 	return c
 }
-
-// validateToken will check for non-printable characters to prevent a call that will fail at the api
-func validateToken(t string) error {
-	idx := strings.IndexFunc(t, func(c rune) bool {
-		return !unicode.IsPrint(c)
-	})
-	if idx != -1 {
-		return fmt.Errorf("configured Vault token contains non-printable characters and cannot be used")
-	}
-	return nil
-}

api/renewer_test.go

@@ -174,10 +174,8 @@ func TestLifetimeWatcher(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			doneCh := make(chan error, 1)
 			go func() {
-				doneCh <- v.doRenewWithOptions(false, false,
-					tc.leaseDurationSeconds, "myleaseID", tc.renew, time.Second)
+				v.doneCh <- v.doRenewWithOptions(false, false, tc.leaseDurationSeconds, "myleaseID", tc.renew, time.Second)
 			}()
 			defer v.Stop()
 
@@ -191,15 +189,12 @@ func TestLifetimeWatcher(t *testing.T) {
 				if r.Secret != renewedSecret {
 					t.Fatalf("expected secret %v, got %v", renewedSecret, r.Secret)
 				}
-			case err := <-doneCh:
+			case err := <-v.DoneCh():
 				if tc.expectError != nil && !errors.Is(err, tc.expectError) {
 					t.Fatalf("expected error %q, got: %v", tc.expectError, err)
 				}
-				if tc.expectError == nil && err != nil {
-					t.Fatalf("expected no error, got: %v", err)
-				}
 				if tc.expectRenewal {
-					t.Fatalf("expected at least one renewal, got donech result: %v", err)
+					t.Fatal("expected at least one renewal")
 				}
 			}
 		})