Merge branch 'main' into add-ui-support-name-constraints

CHANGELOG.md

@@ -28,6 +28,7 @@ seal unwrapper was performing the read twice, and would also issue an unnecessar
 * secret/db: Update static role rotation to generate a new password after 2 failed attempts. [[GH-28989](https://github.com/hashicorp/vault/pull/28989)]
 * ui: Allow users to search the full json object within the json code-editor edit/create view. [[GH-28808](https://github.com/hashicorp/vault/pull/28808)]
 * ui: Decode `connection_url` to fix database connection updates (i.e. editing connection config, deleting roles) failing when urls include template variables. [[GH-29114](https://github.com/hashicorp/vault/pull/29114)]
+* ui: Fix Swagger explorer bug where requests with path params were not working. [[GH-28670](https://github.com/hashicorp/vault/issues/28670)]
 * vault/diagnose: Fix time to expiration reporting within the TLS verification to not be a month off. [[GH-29128](https://github.com/hashicorp/vault/pull/29128)]
 
 ## 1.18.2
@@ -339,6 +340,7 @@ BUG FIXES:
 * secret/db: Update static role rotation to generate a new password after 2 failed attempts. [[GH-28989](https://github.com/hashicorp/vault/pull/28989)]
 * ui: Allow users to search the full json object within the json code-editor edit/create view. [[GH-28808](https://github.com/hashicorp/vault/pull/28808)]
 * ui: Decode `connection_url` to fix database connection updates (i.e. editing connection config, deleting roles) failing when urls include template variables. [[GH-29114](https://github.com/hashicorp/vault/pull/29114)]
+* ui: Fix Swagger explorer bug where requests with path params were not working. [[GH-28670](https://github.com/hashicorp/vault/issues/28670)]
 * vault/diagnose: Fix time to expiration reporting within the TLS verification to not be a month off. [[GH-29128](https://github.com/hashicorp/vault/pull/29128)]
 
 ## 1.17.9 Enterprise

builtin/credential/approle/backend.go

@@ -110,6 +110,10 @@ func Backend(conf *logical.BackendConfig) (*backend, error) {
 				secretIDLocalPrefix,
 				secretIDAccessorLocalPrefix,
 			},
+			SealWrapStorage: []string{
+				secretIDPrefix,
+				secretIDLocalPrefix,
+			},
 		},
 		Paths: framework.PathAppend(
 			rolePaths(b),

builtin/logical/pki/cert_util.go

@@ -348,6 +348,19 @@ func generateCert(sc *storageContext,
 	if isCA {
 		data.Params.IsCA = isCA
 		data.Params.PermittedDNSDomains = input.apiData.Get("permitted_dns_domains").([]string)
+		data.Params.ExcludedDNSDomains = input.apiData.Get("excluded_dns_domains").([]string)
+		data.Params.PermittedIPRanges, err = convertIpRanges(input.apiData.Get("permitted_ip_ranges").([]string))
+		if err != nil {
+			return nil, nil, errutil.UserError{Err: fmt.Sprintf("invalid permitted_ip_ranges value: %s", err)}
+		}
+		data.Params.ExcludedIPRanges, err = convertIpRanges(input.apiData.Get("excluded_ip_ranges").([]string))
+		if err != nil {
+			return nil, nil, errutil.UserError{Err: fmt.Sprintf("invalid excluded_ip_ranges value: %s", err)}
+		}
+		data.Params.PermittedEmailAddresses = input.apiData.Get("permitted_email_addresses").([]string)
+		data.Params.ExcludedEmailAddresses = input.apiData.Get("excluded_email_addresses").([]string)
+		data.Params.PermittedURIDomains = input.apiData.Get("permitted_uri_domains").([]string)
+		data.Params.ExcludedURIDomains = input.apiData.Get("excluded_uri_domains").([]string)
 
 		if data.SigningBundle == nil {
 			// Generating a self-signed root certificate. Since we have no
@@ -399,6 +412,21 @@ func generateCert(sc *storageContext,
 	return parsedBundle, warnings, nil
 }
 
+// convertIpRanges parses each string in the input slice as an IP network. Input
+// strings are expected to be in the CIDR notation of IP address and prefix length
+// like "192.0.2.0/24" or "2001:db8::/32", as defined in RFC 4632 and RFC 4291.
+func convertIpRanges(ipRanges []string) ([]*net.IPNet, error) {
+	var ret []*net.IPNet
+	for _, ipRange := range ipRanges {
+		_, ipnet, err := net.ParseCIDR(ipRange)
+		if err != nil {
+			return nil, fmt.Errorf("error parsing IP range %q: %w", ipRange, err)
+		}
+		ret = append(ret, ipnet)
+	}
+	return ret, nil
+}
+
 // N.B.: This is only meant to be used for generating intermediate CAs.
 // It skips some sanity checks.
 func generateIntermediateCSR(sc *storageContext, input *inputBundle, randomSource io.Reader) (*certutil.ParsedCSRBundle, []string, error) {
@@ -472,6 +500,34 @@ func (i SignCertInputFromDataFields) GetPermittedDomains() []string {
 	return i.data.Get("permitted_dns_domains").([]string)
 }
 
+func (i SignCertInputFromDataFields) GetExcludedDomains() []string {
+	return i.data.Get("excluded_dns_domains").([]string)
+}
+
+func (i SignCertInputFromDataFields) GetPermittedIpRanges() ([]*net.IPNet, error) {
+	return convertIpRanges(i.data.Get("permitted_ip_ranges").([]string))
+}
+
+func (i SignCertInputFromDataFields) GetExcludedIpRanges() ([]*net.IPNet, error) {
+	return convertIpRanges(i.data.Get("excluded_ip_ranges").([]string))
+}
+
+func (i SignCertInputFromDataFields) GetPermittedEmailAddresses() []string {
+	return i.data.Get("permitted_email_addresses").([]string)
+}
+
+func (i SignCertInputFromDataFields) GetExcludedEmailAddresses() []string {
+	return i.data.Get("excluded_email_addresses").([]string)
+}
+
+func (i SignCertInputFromDataFields) GetPermittedUriDomains() []string {
+	return i.data.Get("permitted_uri_domains").([]string)
+}
+
+func (i SignCertInputFromDataFields) GetExcludedUriDomains() []string {
+	return i.data.Get("excluded_uri_domains").([]string)
+}
+
 func (i SignCertInputFromDataFields) IgnoreCSRSignature() bool {
 	return false
 }