mirror of https://github.com/hashicorp/boundary
100 Commits (ec7c1b892c970acd24aae28a23916b627a3fb1b6)
| Author | SHA1 | Message | Date |
|---|---|---|---|
| | 92e6a6de26 | rdp(repo): persist target proxy certificates | 6 months ago |
| | ef2ee9f9ff | feat(globals): Add RDP target prefix | 6 months ago |
| | e4dfa76c8e | feat(credential/vault): Primitives for UPD cred in vault-generic library --------- Co-authored-by: Andrew Gaffney <andrew@gaffney.cc> | 6 months ago |
| | 141225baad | feat(credential/static): Implement UsernamePasswordDomain type (#1512) Co-authored-by: April-May <18632637+AprilMay0@users.noreply.github.com> | 6 months ago |
1f17313a39
|
Normalise grants and roles tables to improve grants query performance (#5846)
* Create function to define valid set of scopes for each resource (#5558) * Create function to define valid set of scopes for each resource * chore(iam): Update validScopeTypes() to use scope.AllowedIn() * chore(scope): Initialize with iota * feat(scope): Return an error instead scope.Unknown * feat(iam): Replace interface method `validScopeTypes` with `getResourceType` This allows us to call scope.AllowedIn() in one place vs in each implementation of `validScopeTypes` * chore(resource): Refactor other package functions into methods on resource.Type * fix(scope): Add defensive checks around invalid resource types * docs(resource): Add AllowedIn() to the areas to update when adding a new resource type * docs(resource): Improve error message when an invalid type is provided * test(grants): GrantsForUsers tests for Group resource (#5443) * test(grants): WIP: First stab at group associations * test(grants): Add GrantsForUser test for groups * chore(grants): Consolidate repetitive setup logic into functions * test(grants): Add GrantsForUser test for managed groups * test(grants): Add another user with different grants Ensure that non-applicable grants should not be returned because they are not applicable to the user * chore(grants): cleanup * chore(grants): Move common setup steps into a helper function * feat: Define new grants tables (#5486) Create new tables for grants: 1. `iam_role_global`: Roles that are placed in the global scope will be persisted in the `iam_role_global` table. A global role has a `grant_scope` which must be one of: * descendants * children * individual This enforces that a global role's grants either apply to: * All orgs and projects. * All orgs. * An individual set of orgs and/or projects. When the `grant_scope` is set to `individual`, entries for the specific set of orgs and/or projects can be added to the `iam_role_global_individual_grant_scope` table. 
Separately, a global role can be set to also apply its grant to the global scope by setting `grant_this_role_scope` to true. 2. `iam_role_org`: Roles that are placed in an org scope will be persisted in the `iam_role_org` table. An org role has a `grant_scope` which must be one of: * children * individual This enforces that an org role's grants either apply to: * All projects in the org. * An individual set of projects in the org. When the `grant_scope` is set to `individual`, entries for the specific set of projects can be added to the `iam_role_org_individual_grant_scope` table. **NOTE**: The projects must belong to the org's scope Separately, an org role can be set to also apply its grant to the org by setting `grant_this_role_scope` to true. 3. `resource_enm`: Contains all boundary resources. This is used by `iam_grant` to set the resource from a canonical_grant. 4. `iam_grant` Stores the canonical grant string and the resource for filtering on specific grants. Co-authored-by: Sorawis Nilparuk <sorawis.nilparuk@hashicorp.com> Co-authored-by: David Kanney <david.kanney@hashicorp.com> * add name scope id unique constraints to all iam_role tables (#5623) * Bosorawis domain iam role subtypes (#5626) * add subtype storage definitions * make gen * add all subtype definitions * add const for grant scope individual * remove unnecessary baseRole subtype * add new proto files to make target protobuild * make gen to get protoc-go-inject-tag * add clone, setTableName, and GetScope tests * add ResourceType and Actions test * add create and delete tests for globalROle * finish create and delete tests * add trigger for deleting base role * add trigger to sync update_time back to base iam_role table * add update tests * fix missing err checks * fix iam_role delete subtype trigger function name and use new.update_time instead of now() * add struct documentation to role subtypes * add version update check * add todo comment: * bosorawis sql split global grants scope table 
(#5638) * split iam_role_global_individual_grant_scope to have separate tables for org and project * small comment change * small comment change * WIP: add tests * remove grant_scope as immutable column * add trigger to delete individual grant scope when grant_scope changes * add a test that covers changing grant_scope * rename function and trigger in iam_role_global * improve assertion in sqltest for iam_role_global * update iam_role_org to delete redundant grants scope * minor comment fix * no longer handle individual grant scope deletion with triggers and rename some functions * add trigger test for grant_scope * rename delete_base_iam_role to delete_iam_role_subtype * SQL formatting use now() instead of interval * bosorawis domain iam implement getRoleScopeType (#5629) * implement getRoleScopeId * move query to query.go * improve notfound err message * improve other err messages * use named parameter and move getRoleScopeId implementation * moved getRoleScopeId test * rename getRoleScopeId to getRoleScopeType * fix public_id ambiguous error * undo unintended change to getUserWithAccount * fix the correct query * rename test * change error code to RecordNotFound * Update internal/iam/repository_role.go Co-authored-by: David Kanney <david.kanney@hashicorp.com> * switch to slice instead of counter --------- Co-authored-by: David Kanney <david.kanney@hashicorp.com> * domain: iam: upgrade repository code to use new tables (#5643) * implement getRoleScopeId * move query to query.go * improve notfound err message * improve other err messages * use named parameter and move getRoleScopeId implementation * moved getRoleScopeId test * rename getRoleScopeId to getRoleScopeType * fix public_id ambiguous error * undo unintended change to getUserWithAccount * fix the correct query * split iam_role_global_individual_grant_scope to have separate tables for org and project * small comment change * small comment change * WIP: add tests * remove grant_scope as immutable column * 
add trigger to delete individual grant scope when grant_scope changes * add a test that covers changing grant_scope * rename function and trigger in iam_role_global * improve assertion in sqltest for iam_role_global * update iam_role_org to delete redundant grants scope * minor comment fix * no longer handle individual grant scope deletion with triggers and rename some functions * rename test * add all subtype definitions * remove unnecessary baseRole subtype * add clone, setTableName, and GetScope tests * add ResourceType and Actions test * add create and delete tests for globalROle * finish create and delete tests * add trigger for deleting base role * add trigger to sync update_time back to base iam_role table * add update tests * fix missing err checks * fix iam_role delete subtype trigger function name and use new.update_time instead of now() * add struct documentation to role subtypes * add version update check * implement getRoleScopeId * implement getRoleScopeId * save * remove struct embedding from iam.Role * fix tests to use new iam.Role definition * repository_role_test.go move to new iam.Role model * repository_principal_role_test.go use new iam.Role model * repository_role_grant_test.go use new iam.Role model in test * add oplog info to sql schema * internal/iam/testing.go use new role schema in TestRole * add toRole helper function to all role subtype * remove tests that are no longer relevant * internal/iam/repository_scope.go use new iam model * internal/iam/repository_role_grant.go use new iam model * internal/iam/repository_principal_role.go use new iam model * internal/iam/repository_role_test.go add test case for global scoped role * internal/iam/repository_grant_scope.go use new iam model * fix query * make create and lookup role work and add tests * add role id to getRoleScopeId error message * make DeleteRole work with new model and add tests * fix update * ensure oplog.ReplayableMessage is implemented on all role subtypes * 
internal/iam/repository_role_grant.go fix slugging version properly * internal/iam/repository_role.go minor correction to error message saying org instead of scope * internal/iam/repository_role_test.go add more update tests * add immutable_fields tests * fix rebase * change error code to RecordNotFound * refactor to use getScopeType * fix delete test * add getRoleScope utility function * repository_principal_role.go: refactor to remove multiple switch statements * repository_role_grant.go: refactor to reduce LOC * repository_role.go small refactor to use alloc func * repository_grant_scope.go refactor * review comments * implement getRoleScopeId * move query to query.go * improve notfound err message * improve other err messages * use named parameter and move getRoleScopeId implementation * moved getRoleScopeId test * rename getRoleScopeId to getRoleScopeType * fix public_id ambiguous error * undo unintended change to getUserWithAccount * fix the correct query * rename test * change error code to RecordNotFound * Update internal/iam/repository_role.go Co-authored-by: David Kanney <david.kanney@hashicorp.com> * switch to slice instead of counter * fix merge mistakes * handling special scopes in test function * fix TestRoleWithGrants * fix minor typo * make gen * fix comment typos * Bosorawis domain iam role use new model list role (#5676) * add and use new list roles query * run make gen * tweaked returned error * replace tabs with spaces in query string * missed one tab * remove leading spaces --------- Co-authored-by: David Kanney <david.kanney@hashicorp.com> * Domain: iam: Repository: update list-grant-scope and test setup to use new model (#5679) * implement getRoleScopeId * move query to query.go * improve notfound err message * improve other err messages * use named parameter and move getRoleScopeId implementation * moved getRoleScopeId test * rename getRoleScopeId to getRoleScopeType * fix public_id ambiguous error * undo unintended change to 
getUserWithAccount * fix the correct query * split iam_role_global_individual_grant_scope to have separate tables for org and project * small comment change * small comment change * WIP: add tests * remove grant_scope as immutable column * add trigger to delete individual grant scope when grant_scope changes * add a test that covers changing grant_scope * rename function and trigger in iam_role_global * improve assertion in sqltest for iam_role_global * update iam_role_org to delete redundant grants scope * minor comment fix * no longer handle individual grant scope deletion with triggers and rename some functions * rename test * add all subtype definitions * remove unnecessary baseRole subtype * add clone, setTableName, and GetScope tests * add ResourceType and Actions test * add create and delete tests for globalROle * finish create and delete tests * add trigger for deleting base role * add trigger to sync update_time back to base iam_role table * add update tests * fix missing err checks * fix iam_role delete subtype trigger function name and use new.update_time instead of now() * add struct documentation to role subtypes * add version update check * implement getRoleScopeId * implement getRoleScopeId * save * remove struct embedding from iam.Role * fix tests to use new iam.Role definition * repository_role_test.go move to new iam.Role model * repository_principal_role_test.go use new iam.Role model * repository_role_grant_test.go use new iam.Role model in test * add oplog info to sql schema * internal/iam/testing.go use new role schema in TestRole * add toRole helper function to all role subtype * remove tests that are no longer relevant * internal/iam/repository_scope.go use new iam model * internal/iam/repository_role_grant.go use new iam model * internal/iam/repository_principal_role.go use new iam model * internal/iam/repository_role_test.go add test case for global scoped role * internal/iam/repository_grant_scope.go use new iam model * fix query * make 
create and lookup role work and add tests * add role id to getRoleScopeId error message * make DeleteRole work with new model and add tests * fix update * ensure oplog.ReplayableMessage is implemented on all role subtypes * internal/iam/repository_role_grant.go fix slugging version properly * internal/iam/repository_role.go minor correction to error message saying org instead of scope * internal/iam/repository_role_test.go add more update tests * add immutable_fields tests * fix rebase * change error code to RecordNotFound * refactor to use getScopeType * fix delete test * add getRoleScope utility function * repository_principal_role.go: refactor to remove multiple switch statements * repository_role_grant.go: refactor to reduce LOC * repository_role.go small refactor to use alloc func * repository_grant_scope.go refactor * review comments * implement getRoleScopeId * move query to query.go * improve notfound err message * improve other err messages * use named parameter and move getRoleScopeId implementation * moved getRoleScopeId test * rename getRoleScopeId to getRoleScopeType * fix public_id ambiguous error * undo unintended change to getUserWithAccount * fix the correct query * rename test * change error code to RecordNotFound * Update internal/iam/repository_role.go Co-authored-by: David Kanney <david.kanney@hashicorp.com> * switch to slice instead of counter * fix merge mistakes * handling special scopes in test function * fix TestRoleWithGrants * fix minor typo * make gen * fix comment typos * Bosorawis domain iam role use new model list role (#5676) * add and use new list roles query * run make gen * tweaked returned error * replace tabs with spaces in query string * missed one tab * remove leading spaces * move ListRoleGrantScopes to repository_grant_scope.go * rename repository_grant_scope to repository_role_grant_scope * add proto definition for global role individual grant scope tables * fix test from removing embedded struct from RoleGrantScope * add
grant_scope to proto definition * implement GlobalRoleIndividualOrgGrantScope and GlobalRoleIndividualProjectGrantScope * update comment * run make gen to update comment * implement OrgRoleIndividualGrantScope and add tests * implement part of ListRoleGrantScopes * Add more test * add more test cases and remove add-grants test * unexport listRoleGrantScopes * use reader from function parameter instead of struct method * rename test to match actual function * run make gen * unexport individual grants structs * unexport individual grants structs - missed one file * change TestRole and TestRoleGrantScope function to support new model * add validation for special scopes * add role_org_individual_grant_scope.pb.go to protobuild make target * remove dead code from listRoleGrantScopes * fix testRoleGrantScopeSpecial not handling org role special scope properly * add back query removed by rebase --------- Co-authored-by: David Kanney <david.kanney@hashicorp.com> * feat: grantsForUser for Global Resources (#5612) * feat: grantsForUser for Global Resources add query to fetch grants for a user for resources that are only globally scoped * Update query based on change to bifurcate individual table * Create subtests for different resources * Return grant.grant_scope instead of the request scope * Remove 'individual' subquery & unused reqScope parameter * Use sql.Named for better readability * Fix op function name * Remove individual grant scope logic from global resource repo function No need to handle individual grant scopes since global resources can only be queried via 'this' grant scope at the global scope. * Fix row scan order * Remove data gen function * Adjust query formatting Remove canonical_grant filter from query. 
`iam_grant.canonical_grant` is a primary key, so it can't be null anyway -- no need to filter out null canonical grants * Use the consts for u_auth and u_anon * Specify "empty" instead of "NULL" in struct field comment * Build query args with `pq.Array` instead of `fmt.Sprintf` * Fix TestGrantsForUserGlobalResources No longer using a hard-coded value for roleVersion * Refactor grantsForUserGlobalResources tests into testcases * go mod tidy * Update query comment for correctness --------- Co-authored-by: dkanney <dkanney@terpmail.umd.edu> Co-authored-by: dkanney <david.kanney@hashicorp.com> * Bosorawis domain iam implement role grant scopes all (#5701) * implement getRoleScopeId * move query to query.go * improve notfound err message * improve other err messages * use named parameter and move getRoleScopeId implementation * moved getRoleScopeId test * rename getRoleScopeId to getRoleScopeType * fix public_id ambiguous error * undo unintended change to getUserWithAccount * fix the correct query * split iam_role_global_individual_grant_scope to have separate tables for org and project * small comment change * small comment change * WIP: add tests * remove grant_scope as immutable column * add trigger to delete individual grant scope when grant_scope changes * add a test that covers changing grant_scope * rename function and trigger in iam_role_global * improve assertion in sqltest for iam_role_global * update iam_role_org to delete redundant grants scope * minor comment fix * no longer handle individual grant scope deletion with triggers and rename some functions * rename test * add all subtype definitions * remove unnecessary baseRole subtype * add clone, setTableName, and GetScope tests * add ResourceType and Actions test * add create and delete tests for globalROle * finish create and delete tests * add trigger for deleting base role * add trigger to sync update_time back to base iam_role table * add update tests * fix missing err checks * fix iam_role delete 
subtype trigger function name and use new.update_time instead of now() * add struct documentation to role subtypes * add version update check * implement getRoleScopeId * implement getRoleScopeId * save * remove struct embedding from iam.Role * fix tests to use new iam.Role definition * repository_role_test.go move to new iam.Role model * repository_principal_role_test.go use new iam.Role model * repository_role_grant_test.go use new iam.Role model in test * add oplog info to sql schema * internal/iam/testing.go use new role schema in TestRole * add toRole helper function to all role subtype * remove tests that are no longer relevant * internal/iam/repository_scope.go use new iam model * internal/iam/repository_role_grant.go use new iam model * internal/iam/repository_principal_role.go use new iam model * internal/iam/repository_role_test.go add test case for global scoped role * internal/iam/repository_grant_scope.go use new iam model * fix query * make create and lookup role work and add tests * add role id to getRoleScopeId error message * make DeleteRole work with new model and add tests * fix update * ensure oplog.ReplayableMessage is implemented on all role subtypes * internal/iam/repository_role_grant.go fix slugging version properly * internal/iam/repository_role.go minor correction to error message saying org instead of scope * internal/iam/repository_role_test.go add more update tests * add immutable_fields tests * fix rebase * change error code to RecordNotFound * refactor to use getScopeType * fix delete test * add getRoleScope utility function * repository_principal_role.go: refactor to remove multiple switch statements * repository_role_grant.go: refactor to reduce LOC * repository_role.go small refactor to use alloc func * repository_grant_scope.go refactor * review comments * implement getRoleScopeId * move query to query.go * improve notfound err message * improve other err messages * use named parameter and move getRoleScopeId implementation * 
moved getRoleScopeId test * rename getRoleScopeId to getRoleScopeType * fix public_id ambiguous error * undo unintended change to getUserWithAccount * fix the correct query * rename test * change error code to RecordNotFound * Update internal/iam/repository_role.go Co-authored-by: David Kanney <david.kanney@hashicorp.com> * switch to slice instead of counter * fix merge mistakes * handling special scopes in test function * fix TestRoleWithGrants * fix minor typo * make gen * fix comment typos * Bosorawis domain iam role use new model list role (#5676) * add and use new list roles query * run make gen * tweaked returned error * move ListRoleGrantScopes to repository_grant_scope.go * rename repository_grant_scope to repository_role_grant_scope * add proto definition for global role individual grant scope tables * fix test from removing embedded struct from RoleGrantScope * add grant_scope to proto definition * implement GlobalRoleIndividualOrgGrantScope and GlobalRoleIndividualProjectGrantScope * update comment * run make gen to update comment * implement OrgRoleIndividualGrantScope and add tests * implement part of ListRoleGrantScopes * Add more test * add more test cases and remove add-grants test * unexport listRoleGrantScopes * use reader from function parameter instead of struct method * rename test to match actual function * run make gen * unexport individual grants structs * unexport individual grants structs - missed one file * change TestRole and TestRoleGrantScope function to support new model * add validation for special scopes * add role_org_individual_grant_scope.pb.go to protobuild make target * remove dead code from listRoleGrantScopes * fix testRoleGrantScopeSpecial not handling org role special scope properly * change proto grant_this default to true * make TestRole readback the role to get updated version * implement toRoleGrantScope function on the subtypes * implement conversion function * add tests and AddRoleGrantScope before refactor * working
delete grant scope before refactor * remove unused functions * refactor repository_role_grant_scope.go * add tests for SetRoleGrantScopes * all tests passing * refactor repository_role_grant_scope.go again * run make gen * no longer embed Resource in roleScopeGranter interface and make interface all internal functions * add additional test case * fix minor typo * add a constraint check for iam_role_org.grant_scope * refactor and comment repository_role_grant_scope.go and add test cases * remove unused code * rename roleScopeGranter to roleGrantScopeUpdater * interface and function rename * address PR comments * remove redundant constraint on iam_role_org * address pr comments * grant this scope to role by default when creating a role * tweak comments and variable names --------- Co-authored-by: David Kanney <david.kanney@hashicorp.com> * feat: add grant_this_role_scope column to iam_role_project (#5738) * add grant_this_role_scope and sqltest for iam_project_role * update role_project.proto to add grant_this_role_scope field * fix missing fields in role_project.proto * support GrantThisRoleScope field in iam/testing.go * update repository_scope to set GrantThisRoleScope to true * add GrantThisRoleScope to project role tests to role_test.go * add grant_this_role_scope check to query.go * update roleGrantScopeUpdater to split setGrantScope to setHierarchicalGrantScope and removeHierarchicalGrantScope * update create_role to set default value for iam_role_project.grant_this_role_scope * update set, add, delete, list role grant scopes to support grant_this_role_scope in project_role * rename methods * run make gen * make TestRole not bump version when creating roles with default 'this' grants * address pr comments * fix variable names * feat: grantsForUser for Org resources (#5663) * Create grantsForUser query for Org resources * Finish & format query * Change name of field in query From 'role_type' to 'role_parent_scope_id' * Finish grantsForUserOrgResources test -
Refactor to match the usual testcase pattern - Use test functions to create test resources * Remove unnecessary check against GrantScopeThis "this" now has its own field and no longer lives alongside the other grant scopes, so we should not check for it against grantScope * Ignore children & descendant grant scopes when querying org resources The only grant_scope that matters when querying org resources is 'this' * Refactor query to simplify repo function Create separate CTEs for each case: global special (children or descendant), global individual, and org (this). This allows us to query directly into perms.GrantTuple; no additional logic required. * feat: grantsForUser for Project resources (#5669) * Reuse testInput * Create grantsForUserProjectResources query * Create grantsForUserProjectResources repo func * Create tests for grantsForUserProjectResources * Split up CTEs by grant scope and simplify repo function * Add test cases for missing reqScope id * Remove unnecessary join to iam_scope_org table * Reuse 'roles_with_grants' CTE across the grantsForUser queriers * Change reqScope parameter type from `Scope` to `string` (#5748) * Change 'reqScope' parameter type to: string * Simplify grantsForUserGlobalQuery & repo func * Test: GrantsForUser for Accounts for various user to role relationships (#5631) * test(iam): Refactor GrantsForUser tests into a single test * test(iam): Extend TestGrantsForUser to include Account resource Note: These tests will fail until GrantsForUser is refactored to return only grants whose scopes are applicable to this resource * test(iam): test(iam): Add Target resource to TestGrantsForUser * feat: grantsForUser for recursive Global or Org resources (#5747) * Create query: grantsForUserGlobalAndOrgResourcesQuery * Create repo function: grantsForUserGlobalAndOrgResourcesRecursive * Create tests for grantsForUserGlobalAndOrgResources * Restrict recursive list for Global/Org resources to global scope only Return error for non-recursive
scopes * Remove unused option parameter * Add additional scope and test cases - Test for grants against a resource with no permission granted for it - Test for grants against a specific resource id without an explicit type set in the grant string - Add a project scope to ensure its grants aren't returned * Return error when passed 'Unknown' or 'All' resource type * Use constants for 'unknown' & '*' resources * feat: grantsForUser for recursive Project resources (#5783) * Create query: grantsForUserProjectResourcesGlobalScopeQuery * Create query: grantsForUserProjectResourcesOrgScopeQuery * Create repo function: grantsForUserProjectResourcesRecursiveScopes * Add recursive testcases to existing grantsForUserProjectResource test function * Address PR feedback - Add testcases for Unknown & All resource types - Change a grant string to a pinned resource. Its resource type changed from Target type to Unknown type - Call through to grantsForUserProjectResources when reqScopeId is a project scope (i.e. 
a non-recursive scope) * Add 'Recursive' to query var naming * feat: migration hook grants refactor (#5733) * scaffolding * comments * rename migration number * implement FindIllegalAssociations for 97006 hook * refactor findIllegalAssociation query * implement RepairIllegalAssociations and refactor queries * make gen * fix missing err check * pr feedback fix hook fix message wording * sql formatting * update comment * sql formatting * Apply suggestions from code review Co-authored-by: David Kanney <david.kanney@hashicorp.com> * change 'illegal' to 'invalid' * pr comment feedback * small comment update --------- Co-authored-by: David Kanney <david.kanney@hashicorp.com> * feat: grantsForUser for Global/Org/Project resources (#5807) * Change naming to be consistent with other grantsForUser functions * Create grantsForUser query for global-scoped Global/Org/Proj resources * Create grantsForUser repo function for Global/Org/Proj resources * Create tests for grantsForUserGlobalOrOrgOrProjectResources * Create grantsForUser query for org-scoped Global/Org/Proj resources * Add tests for grantsForUser Global/Org/Proj resource query's org & project request_scopes * Add clarifying comments and shorter naming convention * Add 'children' grant_scoped org roles to result set * feat: grants: add resource type parameters to GrantsForUser (#5750) * add resource.Type to auth.Verify callchain * remove WithType option * update internal/auth/additional_verification_test.go to no longer use WithType * handle explicit resource type in aclAndGrantHashForUser * update interceptor_test.go to use resource.Scope for testing auth.Verify * use resource.Scope to test Audit events * add godoc comment on GrantsForUser * add recursive options to iam * add recursive options to auth * internal/auth/ldap/managed_group_role_grants_test.go fix GrantsForUser signature * internal/daemon/controller/handlers/accounts/account_service_test.go fix GrantsForUser signature * update GrantsForUser godoc * replace
GrantsForUser tests with a new version with scoped down grants * add mix type assignment to TestGrantsForUser * move GrantsForUser test to internal/iam/repository_role_grant_ext_test.go * remove unused options * rewrite GrantsForUser tests to match the new expectation * handle recursive call in s.authResult * fix missing import from rebase * resolve ListResolvableAlias destination permissions properly * use global scope for ListResolvableAlias aclAndGrantHashForUser * make auth.WithRecursive take boolean input * make iam.WithRecursive option takes a boolean input * auth/options_test.go add assertion for default option values * make gen * add back ACL tests to grants for user * Support previous grants use-cases (#5823) * rename parameter to TestManagedGroupMember * make replace old GrantsForUser with new queries * fix tests and bugs where global grants don't get resolved * remove unnecessary grants from grantsForUserProjectResourcesOrgScopeRecursiveQuery * return full grants for any recursive call * handle this and role scope ID in test * order list result by create time instead of update time * add missing err check * handle converting role scope ID to this in grant scope API * fix role service tests * correct default scope role name * add special handling in grantsForUser for scope resource * fix tests to match role creation that does not bump version * creating alias in invalid scope now returns permissions denied instead of internal * remove test which looks for account in an authmethod in project scope which is an invalid config * fix TestLdapManagedGroupRoleGrants to use scope appropriate resource for the test * fix TestFetchActionSetForId and split org/proj test cases * Validate reqScopeId for grantsForUserRecursive() * Update tests based on recursive grantsForUser changes * Remove last recursive function in favor of grantsForUserRecursive() * move Scope resource to be AllowedIn all scope types * allow multiple resource types when calling auth.Verify down to
GrantsForUsers * use append instead of ranging over slice * minor fix to tests * Skip default role creation to avoid returning default role in test * Update wantErrMsg to accommodate multiple resource types * Add new entries to TestGrantsForUser test results based on recursive query changes * Update unneccessaryRoles in recursive global/org test case based on changes to recursive query --------- Co-authored-by: dkanney <david.kanney@hashicorp.com> * Migrate roles and grants to new table structure (#5814) * Refactor migration files to create tables, functions, triggers, and complete the actual data migration in their own files. update migrations and tests clean up removed files rebase onto bosorawis-sql-grants-migration-hook * Add comments to migration files, clean up some formatting, and add 30k project roles to test migration efficiency update migrations go test file Delete duplicate test file * Fix formatting in migration files * Rename hook number to reflect new number of migration files split migrations into hook files, large test file, and more specific test functions * Include missed oss file * Apply suggestions from code review Co-authored-by: Sorawis Nilparuk (Bo) <sorawis.nilparuk@hashicorp.com> --------- Co-authored-by: Sorawis Nilparuk (Bo) <sorawis.nilparuk@hashicorp.com> * Refactor GrantsForUser subqueries to use aggregate functions (#5822) * Use shorter var name * Refactor grantsForUserGlobalResourcesQuery: Use aggregate function array_agg to reduce rows returned from DB Adding multiple grants to a role exposes the need to aggregate certain fields (canonical_grant). - Before this change, a row is returned for each distinct canonical grant for each role. - After this change, only one row is returned per role. Each row contains an array of all canonical_grants that apply to the role.
* Refactor grantsForUserOrgResourcesQuery: Use aggregate function array_agg to reduce rows returned from DB Adding multiple grants to a role exposes the need to aggregate certain fields (individual_grant_scopes, canonical_grant). - Before this change, a row is returned for each distinct canonical grant for each role. - After this change, only one row is returned per role. Each row contains an array of all canonical_grants (and individual_grant_scopes) that apply to the role. * Refactor grantsForUserProjectResourcesQuery: Use aggregate function array_agg to reduce rows returned from DB Adding multiple grants to a role exposes the need to aggregate certain fields (individual_grant_scopes, canonical_grant). - Before this change, a row is returned for each distinct canonical grant for each role. - After this change, only one row is returned per role. Each row contains an array of all canonical_grants (and individual_grant_scopes) that apply to the role. * Address PR feedback * Finish PR feedback * Remove unnecessary if-check * Match test name to function name * Refactor grantsForUserRecursiveQuery: Use aggregate function array_agg to reduce rows returned from DB * fix broken test (#5842) * update tests to not check a table that will be dropped in the migration (#5847) * Fix global scope's parent scope id (#5844) * Use variable over hard-coded string * 'global' scope should have no parent scope * Clean up migrated tables (#5837) * Refactor migration files to create tables, functions, triggers, and complete the actual data migration in their own files.
update migrations and tests clean up removed files rebase onto bosorawis-sql-grants-migration-hook * Add comments to migration files, clean up some formatting, and add 30k project roles to test migration efficiency update migrations go test file Delete duplicate test file * Fix formatting in migration files * Rename hook number to reflect new number of migration files split migrations into hook files, large test file, and more specific test functions * Drop unneeded iam_role_grant_scope table and unneeded name, description, and version columns from iam_role * fix whitespace * fix broken sql from removing iam role grant scope (#5860) * Ensure table drop also cascades changes to cross-table dependencies * fix broken pgtap from removing iam-role-grant-scope table * drop trigger which deletes from iam-role-grant-scope --------- Co-authored-by: Michael Milton <michael.milton@hashicorp.com> * test(groups): add grants tests for groups API (#5403) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role creation logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test *
undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * move a test to _test package * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for billing resource (#5559) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role creation logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of
authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for billing resource add test coverage for testing grants with billing resource. This tests `monthly-active-users` action with billing. billing does not support output_fields so there are no tests for that * add negative test coverage for descendant scope and org scope * move negative tests to the billing resource * revert alias changes * revert alias test name change * resolve rebase conflict --------- Co-authored-by: Sorawis Nilparuk <sorawis.nilparuk@hashicorp.com> * Add grants tests for accounts (#5566) * first test with all the required setup * v1 of test * add primitive func and more test * small comment change * refactor role grants out of authtoken package * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * undo merge mistakes * fix merge mistakes * Trigger CI checks * refactor auth/iam grants test setup * Trigger CI checks * add CRUDL tests * add change-password and set-password tests * add UpdateAccount, ChangePassword, SetPassword tests * add ListAccount output_fields test * make gen * fix error message * rebased against llb * make gen * fix post rebase * fix typo * make some tests use 
type-specific grants * fix rebase issue * add negative test to read * test(credentials): Add grants tests (#5608) * test(credentials): List tests * test(credentials): Get tests * test(credentials): Add "attributes" output_field & one of its subtypes to the Read tests * test(credentials): Create tests * test(credentials): Update tests * test(credentials): Delete tests * test(credentials): Add additional test cases for pinned cred store id * feat: add grants tests for alias (#5550) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role creation logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of
custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for alias add test coverage for testing grants with alias resource. This tests all actions with aliases and different grant scopes * add tests for output fields * add more test cases for actions, id * update output assert to use shared assert function * rebase * use hashicorp/go-uuid instead of google/uuid --------- Co-authored-by: Sorawis Nilparuk <sorawis.nilparuk@hashicorp.com> Co-authored-by: Elim Tsiagbey <elim.tsiagbey@hashicorp.com> * test: add grants tests for host_catalogs (#5573) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role creation logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future
refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * move a test to _test package * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * Trigger CI checks * test: add grants tests for host_catalogs * add test coverage for output fields and write actions * add missing error check assertions * fixup! address PR comments * fixup! 
fix lint errors * chore(host_catalogs_test): Remove duplicate import * test(hostcatalogs): Add tests for actions w/o grants * test(hostcatalogs): Use ldap managed group for all test cases * feat: add grants tests for billing resource (#5559) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead 
of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for billing resource add test coverage for testing grants with billing resource. This tests `monthly-active-users` action with billing. billing does not support output_fields so there are no tests for that * add negative test coverage for descendant scope and org scope * move negative tests to the billing resource * revert alias changes * revert alias test name change * resolve rebase conflict --------- Co-authored-by: Sorawis Nilparuk <sorawis.nilparuk@hashicorp.com> * Add grants tests for accounts (#5566) * first test with all the required setup * v1 of test * add primitive func and more test * small comment change * refactor role grants out of authtoken package * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * undo merge mistakes * fix merge mistakes * Trigger CI checks * refactor auth/iam grants test setup * Trigger CI checks * add CRUDL tests * add change-password and set-password tests * add UpdateAccount, ChangePassword, SetPassword tests * add ListAccount output_fields test * make gen * fix error message * rebased against llb * make gen * fix post rebase * fix typo * make some tests use type-specific grants * fix rebase issue * add negative test to read * test(credentials): Add grants tests (#5608) * test(credentials): List tests * test(credentials): Get tests * test(credentials): Add "attributes" output_field & one its subtypes to the Read tests * test(credentials): Create tests * test(credentials): Update tests * test(credentials): Delete tests * test(credentials): Add additional test cases for pinned cred store id * feat: add grants tests for alias (#5550) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token generation to a function * add test for creates * add delete tests * add 
update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * reorganize tests * make gen * feat: add grants tests for alias add test coverage for testing grants with alias resource. 
This tests all actions with aliases and different grant scopes * add tests for output fields * add more test cases for actions, id * update output assert to use shared assert function * rebase * use hashicorp/go-uuid instead of google/uuid --------- Co-authored-by: Sorawis Nilparuk <sorawis.nilparuk@hashicorp.com> Co-authored-by: Elim Tsiagbey <elim.tsiagbey@hashicorp.com> * test(hostcatalogs): Add an additional project to "create" test cases --------- Co-authored-by: Sorawis Nilparuk <sorawis.nilparuk@hashicorp.com> Co-authored-by: dkanney <dkanney@terpmail.umd.edu> Co-authored-by: David Kanney <david.kanney@hashicorp.com> * Add grants tests for authmethods (#5569) * test(authmethods): Simplify read actions test cases * test(authmethods): Create grants tests for write actions * test(authmethods): Create test cases for action: authenticate * test(authmethods): Update tests to use userFunc & other changes from upstream branch * test(authmethods): Add output_fields to ReadActions tests * test(authmethods): Add output_fields to WriteActions tests * chore(authmethods_test): Consolidate common output fields into a single struct * test(authmethods): Add test cases for project roles * test(authmethods): Fix authenticate testcases * test(authmethods): Add tests granting permission to specific ids using multiple roles * test(hostsets): add grants tests (#5591) * test(hostsets): List tests * test(hostsets): Get tests * test(hostsets): Create tests * test(hostsets): Update tests * test(hostsets): Delete tests * test(hostsets}: AddHostSetHosts tests * test(hostsets): RemoveHostSetHosts tests * test(hostsets): SetHostSetHosts tests * test(hostsets): Use unique host-catalog names to avoid duplicate key DB errors * test(hostsets): Add second project to enforce exclusivity when Listing host-sets * test: credentials store grants (#5592) * first test with all the required setup * v1 of test * add primitive func and more test * refactor read tests into a single top level * move token 
generation to a function * add test for creates * add delete tests * add update test * only check for version and update_time * move setup resource into testcase to support grants with specific ID * add member tests * add group-member test example with multiple actions * remove duplicate group membership tests * ran make gen * fix missing parentID bug * fix typo * fix test names and add test cases * switch from google/uuid to hashicorp/go-uuid * add comment to groupmember tests * small comment change * pull shared test utility code from PR #5418 * refactor role grants out of authtoken package * unexport utility function * Remove dead code * lint and make gen * fix role cration logic * fix password TestAccountFunc implementation * implement TestAccountFunc for LDAP * implement TestAccountFunc for OIDC * implement TestUserFunc for managed groups * use managed groups in grants test * undo removal of authtoken.TestAuthTokenWithRoles for future refactor * switch from list to map based test case for create tests * undo merge mistakes * fix merge mistakes * lint * add setup examples * add output fields tests for getgroup * reimplement with reflect * add test for CreateGroup * add all single resource action tests * add list test * rename function argument * move AssertOutputFields to handlers package * fix lint * make gen * use proto.Message instead of custom interface * switch to hashicorp/go-uuid * fix typo * fix error message * id= to ids= * make generating test accounts more randomized * Trigger CI checks * refactor auth/iam grants test setup * lint * minor comment fix * use Id instead of ID * make user/account setup in iam returns account instead of just account ID * missed one change * save * add list tests * add get test * add create and delete test * add delete and update tests * more tests * fix collection_authorized_actions grants not resolving * complete output_fields tests * fix import groups * make gen * fixed broken tests * fix rebase * switch all tests to 
TestUserGroupGrantsFunc * remove duplicate test * test: add grants tests for managed groups resource (#5642) * test: add grants tests for managed groups resource * PR reviews * address PR comments * test: add grants tests for auth tokens resource (#5644) * test: add grants tests for auth tokens resource * add authorized actions tests for resources with sub-resources (#5835) * add authorized actions tests for resources with sub-resources * make gen * bosorawis remove TestRoleGrantsForToken (#5840) * refactor auth method grants tests * refactor credential libraries grants tests * refactor hosts grants tests * refactor roles grants tests * refactor scopes grants tests * refactor tcp targets grants tests * refactor users grants tests * refactor worker grants tests * fix authmethod test broken during the refactor * remove authtoken.TestRoleGrantsForToken * add pinned ID test * correct event name * fix make gen and lint * Remove old test Role creation code Removing leftover logic from old grants data model because it caused Group-association tests to fail * update go mod * run make gen and move new migrations to new folder (#5862) * run make gen and move new migrations to new folder * make tools and make gen * update hook number * update prior migration * move 97005 to 97001 for consistency * test: add grants tests for session resource (#5855) * add grants tests for sessions * fix missing parentScopeId * make gen * Resolve GrantsForUser queries via resolveQuery() (#5836) * Add validation for nil resource type * Remove redundant recursive test * Refactor GrantsForUser() to perform query resolution & data mapping - Remove grantsForUser sub-functions - Resolve grantsForUser queries via resolveQuery() - resolveQuery() and map data to GrantTuples in GrantsForUser() * remove dead code --------- Co-authored-by: Sorawis Nilparuk <sorawis.nilparuk@hashicorp.com> * add grants tests for scope resource (#5845) (#5865) * 'List' tests for scopes * 'Get' tests for scopes * 'Create' 
tests for scopes * 'List Key Version Destruction Jobs' tests for scopes * Add output_fields testing to 'Get' test * Add additional test case for list-key-version-destruction-jobs * test: add grants tests for roles resource (#5864) * add grants tests for roles * make gen * test: add grants tests for worker resource (#5841) * add read createControllerLed createWorkerLed tests # Conflicts: # internal/daemon/controller/handlers/workers/grants_test.go * minor refactor * add output fields tests for list * add tests for addworkertags readcertificateauthority reinitializecertificateauthority * finish all worker api tests * fix make gen and lint * fix unchecked error lint * add missing output fields assertion * Bosorawis fix set role grant scope not handle children grant already exist (#5868) * add new test case where role already has children and attempt to set children and individual project * handle case where role already has children grant scope attempt to set children and project * test: add grants tests for target resource (#5861) * additional tests to target resource * add test coverage for SetTargetCredentialSources * make gen * review suggestions * test: add grants test for user resource and fix ACL bug (#5869) * add some list-resolvable-aliases tests * fix missing fields * add more test and found edge case with children grants * more list-resolvable test cases * fix edge case where resource ids not overlapping between parent and child are not considered * resolve conflict * remove name, version, description from expect output_fields * remove name and description from toProto and add godoc comment --------- Co-authored-by: David Kanney <david.kanney@hashicorp.com> Co-authored-by: Elim Tsiagbey <elim.tsiagbey@hashicorp.com> Co-authored-by: Sorawis Nilparuk <sorawis.nilparuk@hashicorp.com> Co-authored-by: Elim Tsiagbey <elimty02@gmail.com> Co-authored-by: dkanney <dkanney@terpmail.umd.edu> |
8 months ago |
|
|
a65d5d8573
|
feat: Normalize fields across various Boundary components (#5599)
Normalizes various IP/Address/Host fields across Boundary resources/components to comply with IPv6 specifications. |
9 months ago |
|
|
c0cf5c4e1b |
feat(api): return remote storage states for worker
|
2 years ago |
|
|
c6f3c375f3
|
api: remove deprecated grant_scope_id field (#4886)
* api: remove deprecated grant_scope_id field The grant_scope_id field was deprecated in 0.15.0, so we can remove it for 0.17.0. * Fix tests * Fix more tests * Remove an option and some related code that stuck around * Fix bats tests --------- Co-authored-by: Jeff Mitchell <jeffrey.mitchell@gmail.com> |
2 years ago |
|
|
c376d06355 |
feat: Add support for correlationId
|
2 years ago |
|
|
2c140b1e09 |
feat: Local Storage State API & CLI
- add `local_storage_state` value to API & CLI |
2 years ago |
|
|
868228847d
|
Add handler and API support for alias creation with target (#4508)
* Add handler and API support for alias creation with target |
2 years ago |
|
|
eceb1fd40e |
api(targets): add aliases to targets (#4337)
* api(targets): add aliases to targets |
2 years ago |
|
|
92181e272a |
Create the alias service and resource (#4276)
* Create the alias service and resource * Add alias generated API files and tests |
2 years ago |
|
|
e848e76b48 |
Create Alias Domain Object and Repo (#4275)
* Create alias domain object resource * Add paginated listing * fixing ratelimit related panics * Address reviewer comments * remove NewAlias value checks |
2 years ago |
|
|
f5dd457b34
|
Multiple grant scope IDs (#4251)
Co-authored-by: Timothy Messier <tim.messier@gmail.com> Co-authored-by: Todd <github@quaddi.com> |
2 years ago |
|
|
0d71976437 |
feat(proto): Add RetainUntil and DeleteAfter timestamps on Session Recordings
|
2 years ago |
|
|
6ca1bc3c3f |
feat(handlers): utilize service func for scope service
|
2 years ago |
|
|
edbb33de5b |
feat(handlers): Implement Policy Service
This also includes adding new grant and type primitives, as well as package domain names. |
2 years ago |
|
|
e3971decf4 |
feat(policy): Create storage policies (#773)
|
2 years ago |
|
|
9332179a01
|
Remove the deprecated old KMS worker auth mechanism (#3935)
This has been superseded by the nodeenrollment-based KMS worker auth mechanism. This commit only removes the ability to connect with this mechanism; some upgrade logic will remain intact for a bit and can be removed later. |
2 years ago |
|
|
8b0d1aa4af |
globals: Add new DatabaseReadTimeout
The new field is used as a buffer in certain list queries, to account for concurrent transactions. |
2 years ago |
|
|
5984f5bba6 |
handlers/targets: add pagination support
|
2 years ago |
|
|
e337cf8f69
|
feat(controller): Add authtoken public id to request context
This allows for http middleware handler functions that run later in the handler function stack to have access to the extracted auth token public id. |
2 years ago |
|
|
b6df5693b5
|
Add generic read/update/delete commands (#3992)
* Add generic read/update/delete commands This adds three generic commands that use the resource prefix to determine the subcommand to run and pass through args over to that subcommand. Since this occurs very early on and to avoid loading essentially every internal resource package, I moved subtype definitions to globals. This replaces #3967 Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com> * De-duplicate Subtype code (#4031) Co-authored-by: Timothy Messier <tim.messier@gmail.com> --------- Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com> Co-authored-by: Timothy Messier <tim.messier@gmail.com> |
2 years ago |
|
|
a9e372930d
|
Revert 0bf60996c5 (#3990)
Post-merge some issues were discovered with the ways typing is used for proto reflection. This will be reworked without moving the subtypes around. |
2 years ago |
|
|
d98523be9f
|
Fix failing test (#3984)
|
2 years ago |
|
|
66c0f152d9
|
Revert "test(globals): Fix failing tests" (#3983)
This reverts commit
|
2 years ago |
|
|
274aca755f
|
test(globals): Fix failing tests
This fixes test failures introduced in a recent refactoring.
Blame:
|
2 years ago |
|
|
0bf60996c5
|
Add generic read/update/delete commands (#3967)
* Add generic read/update/delete commands This adds three generic commands that use the resource prefix to determine the subcommand to run and pass through args over to that subcommand. Since this occurs very early on and to avoid loading essentially every internal resource package, I moved subtype definitions to globals. * Update main.go Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com> * Update changelog and remove another deprecated command --------- Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com> |
2 years ago |
|
|
eb20b80c71
|
Migrate some credential bits around (#3864)
|
2 years ago |
|
|
29da0bcb92
|
[COMPLIANCE] License changes (#3567)
* Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * Update copyright file headers to BUS-1.1 * Rerun make gen This will pick up the last of the license changes * Revert "Rerun make gen" This reverts commit |
3 years ago |
|
|
feb3aea38f |
Support multiple IDs in grants (#3263)
This allows specifying multiple IDs in grants via an `ids` field, which will eventually become the normal way to specify IDs. Internally, each grant with multiple IDs turns into multiple ACL grants each with a single ID; to make this distinction clearer and allow for better separation of concerns an AclGrant type has been introduced, so really multiple IDs in a Grant turn into multiple AclGrants. The nice thing about doing it this way is that it becomes purely a parsing concern; no actual validation logic has changed. For backwards compatibility with grants already stored in roles, we do not error out if `id` is specified. However, eventually we will simply not support grants with `id` coming via the API; they will fail API validation, such that new grants will require the use of the updated `ids` field. A follow-on PR will plumb this through the service handlers/API/CLI, but I decided to do it in separate chunks to make reviewing easier, given that they are easily separable into the internal and external aspects of the change. * Add CLI/API checks around using ID in grants (#3264) * Plumb through some contexts to remove a lot of deprecated errors (#3268) |
3 years ago |
|
|
d1a5f3a2ff
|
Update attribute fields to be proto struct so generated api becomes map[string]any
|
3 years ago |
|
|
89befba55e
|
api: add state and error details fields to recordings
|
3 years ago |
|
|
cfe0dc08d9
|
Add session recording service stuff
|
3 years ago |
|
|
e4d6742514
|
feat (action/resource): add Download and SessionRecording
|
3 years ago |
|
|
18eca382c6
|
feat(globals): Add prefixes for recording resources
|
3 years ago |
|
|
8ea61054cd
|
feat(storage): Add support for Storage Bucket API
|
3 years ago |
|
|
a4a14fc7fc
|
merged commit for plugin rework, storage bucket sql and proto, storage bucket secret rewrapping, storage bucket repository
|
3 years ago |
|
|
20cf521cc0
|
feat(bsr): add bsr kms support in config, dev and tests
|
3 years ago |
|
|
45dc8251ec |
feat(api): Support plugin host external_name field
|
3 years ago |
|
|
163ce184b8
|
KMS-PKI Workers (#3101)
This adds a new mechanism for worker authentication that uses the third-party arbitration of the original KMS flow by leveraging recently-added capabilities in nodeenrollment to support a registration wrapper. This allows for workers to be registered to the system with just a name and a matching wrapper, while at the same time allowing these workers to be used for private Vault access and multi-hop as they contain per-worker encryption keys and support rotation. Nodes using this mode will generate and rotate credentials in-memory (using another recently added nodeenrollment capability) so will have a new set of keys on every startup. This has the side effect of ensuring that there is never a conflict or re-use of these credentials. Note that the normal test worker flow was using the now-deprecated KMS method; there is still a test that uses this (explicitly) but all other tests using test workers that did not specify a specific PKI flow now actually use this mechanism. This means there is fairly decent test coverage in a general sense, plus the specific tests updated/added for this feature. This also adds a new KMS type that can be used to have distinct KMSes for upstream authentication vs. accepting from downstream. |
3 years ago |
|
|
fc664eb35f
|
Improve grant validation (#3081)
This adds several relationships into the resource package that are then made use of to improve the grant validation that runs during Parse. By understanding mappings between ID and resource type the validation checks can far better align with actual allowed grant formats so we can find several common misunderstandings before they simply result in an authorization failure. In the future some of these functions could be used in the logic in the actual ACL checks but it's not currently necessary and I don't want to lump that change in with this. Note that the tests have not meaningfully changed, but they _have_ had to be updated because the stricter validation is actually catching issues. |
3 years ago |
|
|
86192f75eb
|
feature (auth/ldap): add LDAP auth method along with associated accounts and managed groups (#2912)
* feature (auth): required schema changes for auth ldap method (#2669) chore (auth/ldap): move schema changes to next avail migration number * feature (auth/ldap): define AuthMethod and all its value objects (#2703) * feature (auth/ldap): storage protos * feature (auth/ldap): define AuthMethod and all its value objects * feature (auth/ldap): add repo and reading an auth method (#2718) * feature (auth/ldap): add Repository.CreateAuthMethod(...) and Repository.DeleteAuthMethod(...) (#2724) * feature (auth/ldap): add Repository.UpdateAuthMethod(...) (#2739) * feature (auth/ldap): add Account * feature (auth/ldap): add AuthMethod.EnableGroups * fix (auth/ldap): refactor AuthMethod.oplog to enforce proper constraints * feature (auth/ldap): add Account repo functions * refactor (auth/ldap): remove entry attributes from account Realized the entry attributes could have absolutely anything in them (including binary data) and since we absolutely don't have to have them there's just no reason to take on the risk. * feature (auth/ldap): add AuthMethod.UseTokenGroups * feature (auth/ldap): add Authenticate(...) * refactor (auth/ldap): ensure options take a context as the 1st parameter * feature (auth/ldap): add Account attribute maps * chore (auth/ldap): make fmt deltas * feature (auth/ldap): add managed groups (#2760) * tests (auth/ldap): add missing unit test to Repository.DeleteAccount(...) Add bits to test the delete operation when you're not able to generate oplog metadata * feature (auth/ldap): add managed groups fixup! feature (auth/ldap): add managed groups (#2760) * feature (auth/ldap): service proto definition (#2761) * feature (handlers/authmethods): add handlers for ldap auth method operations (#2794) * feature (auth/ldap): add Account attribute maps * chore (auth/ldap): update cap/ldap to latest version * feature (auth/ldap): add ldap api generation definitions * feature (authmethods): add ldap repo NewService(...) 
* feature (authmethods/ldap): add proper mask_mapping to protobufs * feature (authmethods): add support to get an ldap auth method * refactor (auth/ldap): export TestGenerateCA(...) * feature (authmethods): add support to create an ldap auth method * feature (authmethods): add support to delete an ldap auth method * feature (authmethods): add support to list ldap auth methods * refactor (auth/ldap): make urls optional for NewAuthMethod(...) * refactor (auth/ldap): export ldap.TestInvalidPem * chore: make fmt changes * fix (auth/ldap): properly handle group search config Add constraints and tests to ensure when an ldap AuthMethod.EnableGroups is true, and UseTokenGroups is false; that there's a GroupDn configured for finding a user's associated groups * feature (authmethods): add support to update an ldap auth methods * chore (db/ldap): tmp mv migrations so there's no conflict with ongoing work * feature (verifier): add ldap auth method to verifier bits * fix (controller): prevent panic when controller stops when there's no listener * feature (authmethods): add support to authenticate via ldap auth methods * chore (migrations): fix whitespace in stmt * chore: fmt fixup * tests (auth/ldap): invalid err msg * feature (cli/authmethods): add support for ldap auth-methods CRUD and authenticate (#2810) * feature (authmethods): add CLI support for ldap auth methods CRUD * tests (api/auth): ldap auth method classification tests * feature (authmethods): add CLI support for ldap auth authenticate * feature (auth/ldap): set request timeouts for ldap server connections * feature (handlers/authmethods): handle u_anon listing properly. 
* feature (account/handlers): ldap account and managed group CRUDL APIs (#2852) * feature (auth/ldap) add repository Listing of ManagedGroupMemberAccount * feature (controller/handlers): add ldapRepoFn to accounts service * feature (auth/ldap) register ldap managed group subtype * feature (account/handlers): ldap account CRUDL APIs * feature (controller/handlers): add ldapRepo to managed groups service * feature (account/handlers): ldap managed group CRUDL APIs * docs (domain): add LDAP accounts, auth-methods and managed groups (#2857) * feature (ldap/cli) add ldap accounts and managed groups CRUDL commands (#2856) * fix (handlers/authmethods): fix ldap authorized actions (#2892) * feature (cli/ldap/authenticate): use primary auth method if none is provided (#2890) * fix (auth/ldap): support setting the state attribute * feature (cli/ldap/authenticate): use primary auth method if none is provided * feature (wh/ldap) add tests for new ldap auth method and accounts (#2919) * refactor (migrations/ldap): mv to correct directory * chore: add copyright headers * fix (api/authmethods/ldap): renumber new LdapAuthMethodAttributes field * fix (auth/ldap): allow the auth method state to be updated (#2951) * chore: update sdk and api versions for llb - this is tmp until merging * tests (managed groups): add required errContains for new test |
3 years ago |
|
|
23f9a7774b
|
chore(globals): Add missing copywrite header (#3083)
|
3 years ago |
|
|
d391dc6ab7
|
Add top level resource prefix function in globals (#3075)
|
3 years ago |
|
|
b76b24a4ad
|
Move prefixes for many packages into the globals package (#3069)
This is a prerequisite for some enhancements to grant validation |
3 years ago |
|
|
3c29308673 |
chore: Add license headers to all files
|
3 years ago |
|
|
19180af0eb
|
Fix target port handling (#2846)
* Fix target port handling This fixes two issues that compounded on each other (see the Changelog update for more information): * The verification logic for hosts was not correct for update operations (in multiple ways) which meant that a host could be updated after creation to have a port. Targets had a previously fixed bug where they did not require a default port, which meant that ports could be used from hosts * A recent (unreleased) change had prioritized any port coming from the host over the default port, which would mean there was no way if a host had a port specified to use it in multiple targets. This fixes the update verification logic, and strikes a middle ground between breaking things and not by allowing existing addresses with ports to be used with targets but ignoring that port, instead requiring targets to have default port set at authorize time (currently there is backwards compat that does not require this due to the original optional port bug). * Update CHANGELOG.md Co-authored-by: Johan Brandhorst-Satzkorn <johan.brandhorst@gmail.com> |
3 years ago |
|
|
d66b92abe0
|
Add directly connected downstream workers to the worker resource api (#2831)
|
3 years ago |