Merge branch 'update-db-params' of github.com:hashicorp/vault into up…

…date-db-params

CODEOWNERS

@@ -34,15 +34,15 @@
 /website/ @hashicorp/vault-education-approvers
 
 # Plugin docs
-/website/content/docs/plugins/              @hashicorp/vault-ecosystem
-/website/content/docs/upgrading/plugins.mdx @hashicorp/vault-ecosystem
+/website/content/docs/plugins/              @hashicorp/vault-ecosystem @hashicorp/vault-education-approvers
+/website/content/docs/upgrading/plugins.mdx @hashicorp/vault-ecosystem @hashicorp/vault-education-approvers
 
 /ui/  @hashicorp/vault-ui
 # UI code related to Vault's JWT/OIDC auth method and OIDC provider.
 # Changes to these files often require coordination with backend code,
 # so stewards of the backend code are added below for notification.
-/ui/app/components/auth-jwt.js         @hashicorp/vault-ecosystem
-/ui/app/routes/vault/cluster/oidc-*.js @hashicorp/vault-ecosystem
+/ui/app/components/auth-jwt.js         @hashicorp/vault-ui @hashicorp/vault-ecosystem
+/ui/app/routes/vault/cluster/oidc-*.js @hashicorp/vault-ui @hashicorp/vault-ecosystem
 
 # Release config; service account is required for automation tooling.
 /.release/                     @hashicorp/github-secure-vault-core @hashicorp/quality-team
@@ -55,17 +55,17 @@
 # Cryptosec
 /builtin/logical/pki/                                @hashicorp/vault-crypto
 /builtin/logical/pkiext/                             @hashicorp/vault-crypto
-/website/content/docs/secrets/pki/                   @hashicorp/vault-crypto
-/website/content/api-docs/secret/pki.mdx             @hashicorp/vault-crypto
+/website/content/docs/secrets/pki/                   @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/api-docs/secret/pki.mdx             @hashicorp/vault-crypto @hashicorp/vault-education-approvers
 /builtin/credential/cert/                            @hashicorp/vault-crypto
-/website/content/docs/auth/cert.mdx                  @hashicorp/vault-crypto
-/website/content/api-docs/auth/cert.mdx              @hashicorp/vault-crypto
+/website/content/docs/auth/cert.mdx                  @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/api-docs/auth/cert.mdx              @hashicorp/vault-crypto @hashicorp/vault-education-approvers
 /builtin/logical/ssh/                                @hashicorp/vault-crypto
-/website/content/docs/secrets/ssh/                   @hashicorp/vault-crypto
-/website/content/api-docs/secret/ssh.mdx             @hashicorp/vault-crypto
+/website/content/docs/secrets/ssh/                   @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/api-docs/secret/ssh.mdx             @hashicorp/vault-crypto @hashicorp/vault-education-approvers
 /builtin/logical/transit/                            @hashicorp/vault-crypto
-/website/content/docs/secrets/transit/               @hashicorp/vault-crypto
-/website/content/api-docs/secret/transit.mdx         @hashicorp/vault-crypto
+/website/content/docs/secrets/transit/               @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/api-docs/secret/transit.mdx         @hashicorp/vault-crypto @hashicorp/vault-education-approvers
 /helper/random/                                      @hashicorp/vault-crypto
 /sdk/helper/certutil/                                @hashicorp/vault-crypto
 /sdk/helper/cryptoutil/                              @hashicorp/vault-crypto
@@ -79,13 +79,13 @@
 /vault/managed_key*                                  @hashicorp/vault-crypto
 /vault/seal*                                         @hashicorp/vault-crypto
 /vault/seal/                                         @hashicorp/vault-crypto
-/website/content/docs/configuration/seal/            @hashicorp/vault-crypto
-/website/content/docs/enterprise/sealwrap.mdx        @hashicorp/vault-crypto
-/website/content/api-docs/system/sealwrap-rewrap.mdx @hashicorp/vault-crypto
-/website/content/docs/secrets/transform/             @hashicorp/vault-crypto
-/website/content/api-docs/secret/transform.mdx       @hashicorp/vault-crypto
-/website/content/docs/secrets/kmip-profiles.mdx      @hashicorp/vault-crypto
-/website/content/docs/secrets/kmip.mdx               @hashicorp/vault-crypto
-/website/content/api-docs/secret/kmip.mdx            @hashicorp/vault-crypto
-/website/content/docs/enterprise/fips/               @hashicorp/vault-crypto
-/website/content/docs/platform/k8s                   @hashicorp/vault-ecosystem
+/website/content/docs/configuration/seal/            @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/docs/enterprise/sealwrap.mdx        @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/api-docs/system/sealwrap-rewrap.mdx @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/docs/secrets/transform/             @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/api-docs/secret/transform.mdx       @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/docs/secrets/kmip-profiles.mdx      @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/docs/secrets/kmip.mdx               @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/api-docs/secret/kmip.mdx            @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/docs/enterprise/fips/               @hashicorp/vault-crypto @hashicorp/vault-education-approvers
+/website/content/docs/platform/k8s                   @hashicorp/vault-ecosystem @hashicorp/vault-education-approvers

builtin/logical/database/backend.go

@@ -28,6 +28,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/locksutil"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/sdk/queue"
+	"github.com/mitchellh/mapstructure"
 )
 
 const (
@@ -205,6 +206,19 @@ func (b *databaseBackend) DatabaseConfig(ctx context.Context, s logical.Storage,
 	return &config, nil
 }
 
+// ConnectionDetails decodes the DatabaseConfig.ConnectionDetails map into a
+// struct
+func (b *databaseBackend) ConnectionDetails(ctx context.Context, config *DatabaseConfig) (*ConnectionDetails, error) {
+	cd := &ConnectionDetails{}
+
+	err := mapstructure.WeakDecode(config.ConnectionDetails, &cd)
+	if err != nil {
+		return nil, err
+	}
+
+	return cd, nil
+}
+
 type upgradeStatements struct {
 	// This json tag has a typo in it, the new version does not. This
 	// necessitates this upgrade logic.

builtin/logical/database/credentials.go

@@ -14,11 +14,10 @@ import (
 	"strings"
 	"time"
 
-	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
-
 	"github.com/hashicorp/vault/helper/random"
 	"github.com/hashicorp/vault/sdk/database/dbplugin/v5"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
 	"github.com/hashicorp/vault/sdk/helper/template"
 	"github.com/mitchellh/mapstructure"
 )

builtin/logical/database/path_config_connection.go

@@ -51,6 +51,12 @@ type DatabaseConfig struct {
 	SkipStaticRoleImportRotation bool `json:"skip_static_role_import_rotation" structs:"skip_static_role_import_rotation" mapstructure:"skip_static_role_import_rotation"`
 }
 
+// ConnectionDetails represents the DatabaseConfig.ConnectionDetails map as a
+// struct
+type ConnectionDetails struct {
+	SelfManaged bool `json:"self_managed" structs:"self_managed" mapstructure:"self_managed"`
+}
+
 func (c *DatabaseConfig) SupportsCredentialType(credentialType v5.CredentialType) bool {
 	credTypes, ok := c.ConnectionDetails[v5.SupportedCredentialTypesKey].([]interface{})
 	if !ok {

builtin/logical/database/path_roles.go

@@ -20,6 +20,11 @@ import (
 	"github.com/robfig/cron/v3"
 )
 
+var (
+	errNoUpdateAfterRotation            = "updating password not allowed after rotation"
+	errNoPasswordAndSelfManagedPassword = "cannot set both `password` and `self_managed_password`"
+)
+
 func pathListRoles(b *databaseBackend) []*framework.Path {
 	return []*framework.Path{
 		{
@@ -651,16 +656,25 @@ func (b *databaseBackend) pathStaticRoleCreateUpdate(ctx context.Context, req *l
 		updateAllowed := lastVaultRotation.IsZero()
 		if updateAllowed {
 			role.StaticAccount.Password = passwordRaw.(string)
-			if selfManaged, ok := dbConfig.ConnectionDetails["self_managed"].(bool); ok && selfManaged {
+
+			connDetails, err := b.ConnectionDetails(ctx, dbConfig)
+			if err != nil {
+				return nil, err
+			}
+
+			if connDetails != nil && connDetails.SelfManaged {
 				// Password and SelfManagedPassword should map to the same value
 				role.StaticAccount.SelfManagedPassword = passwordRaw.(string)
 			}
 		} else {
-			return logical.ErrorResponse("updating password not allowed after rotation: role=%s, lastVaultRotation=%s", name, lastVaultRotation), nil
+			return logical.ErrorResponse("%s: role=%s, lastVaultRotation=%s", errNoUpdateAfterRotation, name, lastVaultRotation), nil
 		}
 	}
 
 	if smPasswordRaw, ok := data.GetOk("self_managed_password"); ok && createRole {
+		if _, ok := data.GetOk("password"); ok {
+			return logical.ErrorResponse(errNoPasswordAndSelfManagedPassword), nil
+		}
 		// Password and SelfManagedPassword should map to the same value
 		role.StaticAccount.SelfManagedPassword = smPasswordRaw.(string)
 		role.StaticAccount.Password = smPasswordRaw.(string)
@@ -673,6 +687,7 @@ func (b *databaseBackend) pathStaticRoleCreateUpdate(ctx context.Context, req *l
 			role.SkipImportRotation = skipImportRotationRaw.(bool)
 		}
 	} else if createRole {
+		// default to the config-level setting
 		role.SkipImportRotation = dbConfig.SkipStaticRoleImportRotation
 	}
 

builtin/logical/pki/ca_util_test.go

@@ -11,9 +11,8 @@ import (
 	"crypto/rand"
 	"testing"
 
-	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
-
 	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
 )
 
 func TestGetKeyTypeAndBitsFromPublicKeyForRole(t *testing.T) {

builtin/logical/ssh/util.go

@@ -13,9 +13,8 @@ import (
 	"net"
 	"strings"
 
-	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
-
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
+	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
 	"github.com/hashicorp/vault/sdk/logical"
 	"golang.org/x/crypto/ssh"
 )

changelog/28873.txt

@@ -0,0 +1,6 @@
+```release-note:bug
+ui: Fixes login to web UI when MFA is enabled for OIDC (i.e. azure, auth0) and Okta auth methods
+```
+```release-note:bug
+ui (enterprise): Fixes login to web UI when MFA is enabled for SAML auth methods
+```

sdk/helper/certutil/helpers.go

@@ -29,9 +29,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
-
 	"github.com/hashicorp/errwrap"
+	"github.com/hashicorp/vault/sdk/helper/cryptoutil"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/mitchellh/mapstructure"

ui/app/components/auth-form.js

@@ -257,6 +257,7 @@ export default Component.extend(DEFAULTS, {
           data.path = 'okta';
         }
       }
+      // calls performAuth in login-form.js which initiates the authenticate @task
       return this.performAuth(backend.type, data);
     },
     handleError(e) {

ui/app/components/auth-jwt.js

@@ -161,7 +161,9 @@ export default Component.extend({
       // and show the error on the login screen
       return this.cancelLogin(oidcWindow, e);
     }
-    yield this.onSubmit(null, null, resp.auth.client_token);
+    const { mfa_requirement, client_token } = resp.auth;
+    // onSubmit calls doSubmit in auth-form.js
+    yield this.onSubmit({ mfa_requirement }, null, client_token);
   }),
 
   async startOIDCAuth() {

ui/app/components/auth-saml.js

@@ -97,8 +97,10 @@ export default class AuthSaml extends Component {
         if (!resp?.auth) {
           continue;
         }
-        // We've obtained the Vault token for the authentication flow, now log in.
-        yield this.args.onSubmit(null, null, resp.auth.client_token);
+        // We've obtained the Vault token for the authentication flow now log in or pass MFA data
+        const { mfa_requirement, client_token } = resp.auth;
+        // onSubmit calls doSubmit in auth-form.js
+        yield this.args.onSubmit({ mfa_requirement }, null, client_token);
         this.closeWindow(samlWindow);
         return;
       } catch (e) {

ui/app/components/auth/login-form.js

@@ -60,13 +60,32 @@ export default class AuthLoginFormComponent extends Component {
       } else {
         this.delayAuthMessageReminder.perform();
       }
+
+      /*
+      Checking for an mfa_requirement happens in two places.
+      Login methods submitted using a child of <AuthForm> have custom auth logic where mfa_requirements are collected, if any. 
+      This mfa data is passed to their respective onSubmit callback functions, then intercepted here and passed up to 
+      the parent <Auth::Page> component (which renders the Mfa::MfaForm).
+
+      If doSubmit in <AuthForm> is called directly (by the "default" <form> component) 
+      mfa is handled directly by the parent <Auth::Page> component.
+      */
+      if (data?.mfa_requirement) {
+        const parsedMfaAuthResponse = this.auth._parseMfaResponse(data.mfa_requirement);
+        // calls onAuthResponse in parent auth/page.js component
+        this.args.onSuccess(parsedMfaAuthResponse, backendType, data);
+        // return here because mfa-form.js will finish login/authentication flow after mfa validation
+        return;
+      }
+
       const authResponse = yield this.auth.authenticate({
         clusterId,
         backend: backendType,
         data,
         selectedAuth,
       });
 
+      // calls onAuthResponse in auth/page.js
       this.args.onSuccess(authResponse, backendType, data);
     } catch (e) {
       if (!this.auth.mfaError) {

ui/app/components/auth/page.js

@@ -51,16 +51,25 @@ export default class AuthPage extends Component {
   @action
   onAuthResponse(authResponse, backend, data) {
     const { mfa_requirement } = authResponse;
-    // if an mfa requirement exists further action is required
+    /*
+    Checking for an mfa_requirement happens in two places.
+    If doSubmit in <AuthForm> is called directly (by the <form> component) mfa is just handled here.
+  
+    Login methods submitted using a child form component of <AuthForm> are first checked for mfa 
+    in the Auth::LoginForm "authenticate" task, and then that data eventually bubbles up here.
+    */
     if (mfa_requirement) {
+      // if an mfa requirement exists further action is required
       this.mfaAuthData = { mfa_requirement, backend, data };
     } else {
+      // calls authSuccess in auth.js controller
       this.args.onAuthSuccess(authResponse);
     }
   }
 
   @action
   onMfaSuccess(authResponse) {
+    // calls authSuccess in auth.js controller
     this.args.onAuthSuccess(authResponse);
   }
 

ui/app/components/mfa/mfa-form.js

@@ -83,6 +83,7 @@ export default class MfaForm extends Component {
         clusterId: this.args.clusterId,
         ...this.args.authData,
       });
+      // calls onMfaSuccess in auth/page.js
       this.args.onSuccess(response);
     } catch (error) {
       const errors = error.errors || [];