Merge branch 'main' into chore/vault-license-pr-2026-03-11

Author: CreatorHead

.github/actions/metadata/action.yml

@@ -156,6 +156,7 @@ runs:
         if [ "$is_enterprise_repo" = 'true' ]; then
           base_ref='${{ github.event.pull_request.base.ref || github.event.base_ref || github.ref_name || github.event.branch || github.ref }}'
           is_ent_repo='true'
+          is_ent_branch='true'
           is_ce_in_enterprise=$([[ $base_ref == ce/* ]] && echo "true" || echo "false")
           if [ "$is_ce_in_enterprise" = 'true' ]; then
             is_enterprise="false"
@@ -192,7 +193,7 @@ runs:
           echo "compute-small=${compute_small}"
           echo "go-tags=${go_tags}"
           echo "is-ce-in-enterprise=${is_ce_in_enterprise}"
-          echo "is-ent-branch=${is_enterprise}"
+          echo "is-ent-branch=${is_ent_branch}"
           echo "is-ent-repo=${is_ent_repo}"
           echo "vault-version-metadata=${version_metadata}"
         } | tee -a "$GITHUB_OUTPUT"

.github/workflows/build.yml

@@ -392,25 +392,75 @@ jobs:
       web-ui-cache-key: ${{ needs.ui.outputs.cache-key }}
     secrets: inherit
 
+  # Setup HCP input parameters with proper validation
+  hcp-setup:
+    runs-on: ubuntu-latest
+    outputs:
+      pull-request-number: ${{ steps.pr-logic.outputs.pull-request-number }}
+      branch-name: ${{ steps.branch-logic.outputs.branch-name }}
+    steps:
+      - id: pr-logic
+        name: Determine pull request number
+        run: |
+          echo "Analyzing PR context for event: ${{ github.event_name }}"
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            PR_NUM="${{ github.event.pull_request.number }}"
+            if [[ -n "$PR_NUM" && "$PR_NUM" != "null" ]]; then
+              echo "PR context detected, using number: $PR_NUM"
+            else
+              echo "PR context but no valid number found, using 0"
+              PR_NUM="0"
+            fi
+          else
+            PR_NUM="0"
+            echo "Non-PR context, using fallback value: $PR_NUM"
+          fi
+          echo "pull-request-number=$PR_NUM" >> "$GITHUB_OUTPUT"
+
+      - id: branch-logic
+        name: Determine branch name
+        run: |
+          echo "Analyzing branch context for event: ${{ github.event_name }}"
+          if [[ "${{ github.event_name }}" == "schedule" ]]; then
+            BRANCH="main"
+            echo "Schedule context, using branch: $BRANCH"
+          else
+            BRANCH=""
+            echo "Non-schedule context, using empty branch"
+          fi
+          echo "branch-name=$BRANCH" >> "$GITHUB_OUTPUT"
+
   hcp-image:
+    # Logic: Run HCP image job if:
+    #   if needs.setup.outputs.is-ent-branch != 'true' then
+    #     false
+    #   elseif needs.setup.outputs.workflow-trigger == 'schedule' then
+    #     true
+    #   elseif needs.setup.outputs.workflow-trigger == 'pull_request' and (
+    #       contains(fromJSON(needs.setup.outputs.changed-files).groups, 'hcp') or
+    #       contains(fromJSON(needs.setup.outputs.labels), 'hcp/build-image') or
+    #       contains(fromJSON(needs.setup.outputs.labels), 'hcp/test')
+    #     ) then
+    #     true
+    #   end
     if: |
-      needs.setup.outputs.is-ent-branch == 'true' && (
-      needs.setup.outputs.workflow-trigger == 'schedule' ||
+      ( needs.setup.outputs.is-ent-branch != 'true' ) && false ||
+      ( needs.setup.outputs.workflow-trigger == 'schedule' ) && true ||
       ( needs.setup.outputs.workflow-trigger == 'pull_request' &&
-        (
+        ( contains(fromJSON(needs.setup.outputs.changed-files).groups, 'hcp') ||
           contains(fromJSON(needs.setup.outputs.changed-files).groups, 'hcp') ||
           contains(fromJSON(needs.setup.outputs.labels), 'hcp/build-image') ||
           contains(fromJSON(needs.setup.outputs.labels), 'hcp/test')
         )
-      )
-      )
+      ) && true
     needs:
       - setup
       - artifacts-ent
+      - hcp-setup
     uses: ./.github/workflows/build-hcp-image.yml
     with:
-      pull-request: ${{ needs.setup.outputs.workflow-trigger == 'pull_request' && github.event.pull_request && github.event.pull_request.number || '' }}
-      branch: ${{ needs.setup.outputs.workflow-trigger == 'schedule' && 'main' || '' }}
+      pull-request: ${{ fromJSON(needs.hcp-setup.outputs.pull-request-number) }}
+      branch: ${{ needs.hcp-setup.outputs.branch-name }}
       create-aws-image: true
       create-azure-image: false
       hcp-environment: int

.github/workflows/test-run-enos-scenario-matrix.yml

@@ -200,6 +200,10 @@ jobs:
             echo 'ENOS_VAR_verify_ldap_secrets_engine=false'
             echo 'ENOS_VAR_verify_log_secrets=true'
           } | tee -a "$GITHUB_ENV"
+      - uses: ./.github/actions/set-up-go
+        with:
+          github-token: ${{ steps.secrets.outputs.github-token }}
+      - uses: ./.github/actions/install-tools
       - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
         with:
           # the Terraform wrapper will break Terraform execution in Enos because

.github/workflows/test-run-enos-scenario.yml

@@ -64,6 +64,8 @@ jobs:
       - uses: ./.github/actions/set-up-go
         with:
           github-token: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+      # Install additional tools like gotestsum that are required for Enos scenarios
+      - uses: ./.github/actions/install-tools
       - name: Configure Git
         run: git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com".insteadOf "https://github.com"
       - name: Set up node

.hooks/pre-push

@@ -45,6 +45,9 @@
 
 set -eou pipefail
 
+# We need extglob in order to parse remote_url_is_enterprise
+shopt -s extglob
+
 # fail takes two arguments. The first is the failure reasons and the second is
 # an explanation. Both will be written to STDERR. The script will then exit 1.
 fail() {
@@ -60,7 +63,7 @@ fail() {
 # that of hashicorp/vault-enterprise, otherwise it returns 1.
 remote_url_is_enterprise() {
   case "$1" in
-    git@github.com:hashicorp/vault-enterprise* | https://github.com/hashicorp/vault-enterprise*)
+    ?(ssh://)git@github.com@(:|/)hashicorp/vault-enterprise?(.git) | https://github.com/hashicorp/vault-enterprise?(.git))
       return 0
       ;;
     *)

Dockerfile

@@ -37,7 +37,9 @@ ENV NAME=$NAME
 # Create a non-root user to run the software.
 RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME}
 
-RUN apk add --no-cache libcap su-exec dumb-init tzdata
+# NOTE: zlib is only here to resolve ALPINE-CVE-2026-27171, it can be removed
+# when when our Alpine release is >= 3.23.4
+RUN apk update && apk add --upgrade --no-cache libcap su-exec dumb-init tzdata zlib
 
 COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/
 

Makefile

@@ -239,9 +239,6 @@ proto: check-tools-external
 	$(SED_CMD) -e 's/Id/ID/' -e 's/SPDX-License-IDentifier/SPDX-License-Identifier/' vault/request_forwarding_service.pb.go
 	$(SED_CMD) -e 's/Idp/IDP/' -e 's/Url/URL/' -e 's/Id/ID/' -e 's/IDentity/Identity/' -e 's/EntityId/EntityID/' -e 's/Api/API/' -e 's/Qr/QR/' -e 's/Totp/TOTP/' -e 's/Mfa/MFA/' -e 's/Pingid/PingID/' -e 's/namespaceId/namespaceID/' -e 's/Ttl/TTL/' -e 's/BoundCidrs/BoundCIDRs/' -e 's/SPDX-License-IDentifier/SPDX-License-Identifier/' helper/identity/types.pb.go helper/identity/mfa/types.pb.go helper/storagepacker/types.pb.go sdk/plugin/pb/backend.pb.go sdk/logical/identity.pb.go vault/activity/activity_log.pb.go
 
-	# Enterprise files
-	$(SED_CMD) -e 's/Idp/IDP/' -e 's/Url/URL/' -e 's/Id/ID/' -e 's/IDentity/Identity/' -e 's/EntityId/EntityID/' -e 's/Api/API/' -e 's/Qr/QR/' -e 's/Totp/TOTP/' -e 's/Mfa/MFA/' -e 's/Pingid/PingID/' -e 's/protobuf:"/sentinel:"" protobuf:"/' -e 's/namespaceId/namespaceID/' -e 's/Ttl/TTL/' -e 's/SPDX-License-IDentifier/SPDX-License-Identifier/' vault/replication_services_ent.pb.go
-
 	# This will inject the sentinel struct tags as decorated in the proto files.
 	protoc-go-inject-tag -input=./helper/identity/types.pb.go
 	protoc-go-inject-tag -input=./helper/identity/mfa/types.pb.go

api/logical.go

@@ -393,6 +393,15 @@ func (c *Logical) DeleteWithContext(ctx context.Context, path string) (*Secret,
 	return c.DeleteWithDataWithContext(ctx, path, nil)
 }
 
+func (c *Logical) DeleteRaw(path string) (*Response, error) {
+	return c.DeleteRawWithContext(context.Background(), path)
+}
+
+func (c *Logical) DeleteRawWithContext(ctx context.Context, path string) (*Response, error) {
+	r := c.c.NewRequest(http.MethodDelete, "/v1/"+path)
+	return c.c.RawRequestWithContext(ctx, r)
+}
+
 func (c *Logical) DeleteWithData(path string, data map[string][]string) (*Secret, error) {
 	return c.DeleteWithDataWithContext(context.Background(), path, data)
 }

api/sys_billing_test.go

@@ -33,7 +33,7 @@ func TestSys_BillingOverview(t *testing.T) {
 	currentMonth := resp.Months[0]
 	require.Equal(t, "2026-01", currentMonth.Month)
 	require.Equal(t, "2026-01-14T10:49:00Z", currentMonth.UpdatedAt)
-	require.Len(t, currentMonth.UsageMetrics, 8, "should have all 8 metrics")
+	require.Len(t, currentMonth.UsageMetrics, 9, "should have all 9 metrics")
 
 	// Create a map to verify all expected metrics are present
 	metricsMap := make(map[string]UsageMetric)
@@ -51,6 +51,7 @@ func TestSys_BillingOverview(t *testing.T) {
 		"data_protection_calls",
 		"pki_units",
 		"managed_keys",
+		"ssh_units",
 	}
 
 	for _, metricName := range expectedMetrics {
@@ -86,6 +87,10 @@ func TestSys_BillingOverview(t *testing.T) {
 	require.Equal(t, "external_plugins", externalPluginsMetric.MetricName)
 	require.NotNil(t, externalPluginsMetric.MetricData)
 	require.Contains(t, externalPluginsMetric.MetricData, "total")
+
+	sshMetric := metricsMap["ssh_units"]
+	require.Contains(t, sshMetric.MetricData, "total")
+	require.Contains(t, sshMetric.MetricData, "metric_details")
 }
 
 func mockVaultBillingHandler(w http.ResponseWriter, _ *http.Request) {
@@ -200,6 +205,22 @@ const billingOverviewResponse = `{
 				}
               ]
             }
+          },
+          {
+            "metric_name": "ssh_units",
+            "metric_data": {
+              "total": 8.4,
+              "metric_details": [
+                {
+                  "type": "otp_units",
+                  "count": 5
+                },
+				{
+				  "type": "certificate_units",
+				  "count": 3.4
+				}
+			  ]
+            }
           }
         ]
       },

audit/entry_formatter.go

@@ -5,6 +5,7 @@ package audit
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"maps"
@@ -253,6 +254,46 @@ func clone[V any](s V) (V, error) {
 	return s2.(V), err
 }
 
+// mergeEnterpriseTokenMetadata injects enterprise token fields from a logical.Request
+// into the audit auth's Metadata map.
+func mergeEnterpriseTokenMetadata(a *auth, req *logical.Request) error {
+	if a == nil || req == nil {
+		return nil
+	}
+
+	if req.EnterpriseTokenMetadata == "" &&
+		req.EnterpriseTokenIssuer == "" &&
+		len(req.EnterpriseTokenAudience) == 0 &&
+		len(req.EnterpriseTokenAuthorizationDetails) == 0 {
+		return nil
+	}
+
+	if a.Metadata == nil {
+		a.Metadata = make(map[string]string)
+	}
+	if req.EnterpriseTokenMetadata != "" {
+		a.Metadata["enterprise_token_metadata"] = req.EnterpriseTokenMetadata
+	}
+	if req.EnterpriseTokenIssuer != "" {
+		a.Metadata["enterprise_token_issuer"] = req.EnterpriseTokenIssuer
+	}
+	if len(req.EnterpriseTokenAudience) > 0 {
+		audJSON, err := json.Marshal(req.EnterpriseTokenAudience)
+		if err != nil {
+			return fmt.Errorf("unable to marshal enterprise token audience for audit: %w", err)
+		}
+		a.Metadata["enterprise_token_audience"] = string(audJSON)
+	}
+	if len(req.EnterpriseTokenAuthorizationDetails) > 0 {
+		authzJSON, err := json.Marshal(req.EnterpriseTokenAuthorizationDetails)
+		if err != nil {
+			return fmt.Errorf("unable to marshal enterprise token authorization details for audit: %w", err)
+		}
+		a.Metadata["enterprise_token_authorization_details"] = string(authzJSON)
+	}
+	return nil
+}
+
 // newAuth takes a logical.Auth and the number of remaining client token uses
 // (which should be supplied from the logical.Request's client token), and creates
 // an audit auth.
@@ -281,6 +322,18 @@ func newAuth(input *logical.Auth, tokenRemainingUses int) (*auth, error) {
 		return nil, fmt.Errorf("unable to clone logical auth: metadata: %w", err)
 	}
 
+	if input.ActorEntityID != "" || input.ActorEntityName != "" {
+		if metadata == nil {
+			metadata = make(map[string]string)
+		}
+		if input.ActorEntityID != "" {
+			metadata["actor_entity_id"] = input.ActorEntityID
+		}
+		if input.ActorEntityName != "" {
+			metadata["actor_entity_name"] = input.ActorEntityName
+		}
+	}
+
 	policies, err := clone(input.Policies)
 	if err != nil {
 		return nil, fmt.Errorf("unable to clone logical auth: policies: %w", err)
@@ -535,6 +588,10 @@ func (f *entryFormatter) createEntry(ctx context.Context, a *Event) (*entry, err
 		return nil, fmt.Errorf("cannot convert auth: %w", err)
 	}
 
+	if err := mergeEnterpriseTokenMetadata(auth, data.Request); err != nil {
+		return nil, err
+	}
+
 	req, err := newRequest(data.Request, ns)
 	if err != nil {
 		return nil, fmt.Errorf("cannot convert request: %w", err)
@@ -548,6 +605,12 @@ func (f *entryFormatter) createEntry(ctx context.Context, a *Event) (*entry, err
 			return nil, fmt.Errorf("cannot convert response: %w", err)
 		}
 
+		if resp != nil && resp.Auth != nil {
+			if err := mergeEnterpriseTokenMetadata(resp.Auth, data.Request); err != nil {
+				return nil, err
+			}
+		}
+
 		// If the plugin's response contained any additional audit request fields,
 		// lets populate them on our original request.
 		if data.Response != nil && data.Response.SupplementalAuditRequestData != nil {