diff --git a/api/sudo_paths.go b/api/sudo_paths.go
index 493e68c284..fb7113a0f3 100644
--- a/api/sudo_paths.go
+++ b/api/sudo_paths.go
@@ -32,15 +32,13 @@ var sudoPaths = map[string]*regexp.Regexp{
 // This entry is a bit wrong... sys/leases/lookup does NOT require sudo. But sys/leases/lookup/ with a trailing
 // slash DOES require sudo. But the part of the Vault CLI that uses this logic doesn't pass operation-appropriate
 // trailing slashes, it always strips them off, so we end up giving the wrong answer for one of these.
- "/sys/leases/lookup": regexp.MustCompile(`^/sys/leases/lookup/?$`),
- "/sys/leases/lookup/{prefix}": regexp.MustCompile(`^/sys/leases/lookup/.+$`),
+ "/sys/leases/lookup/{prefix}": regexp.MustCompile(`^/sys/leases/lookup(?:/.+)?$`),
 "/sys/leases/revoke-force/{prefix}": regexp.MustCompile(`^/sys/leases/revoke-force/.+$`),
 "/sys/leases/revoke-prefix/{prefix}": regexp.MustCompile(`^/sys/leases/revoke-prefix/.+$`),
 "/sys/plugins/catalog/{name}": regexp.MustCompile(`^/sys/plugins/catalog/[^/]+$`),
 "/sys/plugins/catalog/{type}": regexp.MustCompile(`^/sys/plugins/catalog/[\w-]+$`),
 "/sys/plugins/catalog/{type}/{name}": regexp.MustCompile(`^/sys/plugins/catalog/[\w-]+/[^/]+$`),
- "/sys/raw": regexp.MustCompile(`^/sys/raw$`),
- "/sys/raw/{path}": regexp.MustCompile(`^/sys/raw/.+$`),
+ "/sys/raw/{path}": regexp.MustCompile(`^/sys/raw(?:/.+)?$`),
 "/sys/remount": regexp.MustCompile(`^/sys/remount$`),
 "/sys/revoke-force/{prefix}": regexp.MustCompile(`^/sys/revoke-force/.+$`),
 "/sys/revoke-prefix/{prefix}": regexp.MustCompile(`^/sys/revoke-prefix/.+$`),
diff --git a/changelog/21760.txt b/changelog/21760.txt
new file mode 100644
index 0000000000..2285cda446
--- /dev/null
+++ b/changelog/21760.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+core: Fix regexes for `sys/raw/` and `sys/leases/lookup/` to match prevailing conventions
+```
diff --git a/vault/logical_raw.go b/vault/logical_raw.go
index ba4822d95b..ba221327a8 100644
--- a/vault/logical_raw.go
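Review bot: In api/sudo_paths.go, the merged `/sys/leases/lookup/{prefix}` regex no longer matches `/sys/leases/lookup/` (trailing slash, empty prefix), which the removed `^/sys/leases/lookup/?$` entry did match and which the comment directly above describes as the form that requires sudo. The Vault CLI strips trailing slashes according to that comment, but any other caller that passes the path unmodified would now be told sudo is not required, so a policy derived from that answer would omit the capability. Consider `^/sys/leases/lookup(?:/.*)?$` so the empty-prefix form stays covered, plus a table test over `/sys/leases/lookup`, `/sys/leases/lookup/` and `/sys/leases/lookup/foo`. The `/sys/raw` merge does not have this problem, since neither removed entry matched `/sys/raw/`. The map literal starts and ends outside the hunk.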
+++ b/vault/logical_raw.go
@@ -296,7 +296,7 @@ func (b *RawBackend) existenceCheck(ctx context.Context, request *logical.Reques
 func rawPaths(prefix string, r *RawBackend) []*framework.Path {
 return []*framework.Path{
 {
- Pattern: prefix + "(raw/?$|raw/(?P.+))",
+ Pattern: prefix + "raw/" + framework.MatchAllRegex("path"),
 Fields: map[string]*framework.FieldSchema{
 "path": {
@@ -322,7 +322,6 @@ func rawPaths(prefix string, r *RawBackend) []*framework.Path {
 DisplayAttrs: &framework.DisplayAttributes{
 OperationPrefix: "raw",
 OperationVerb: "read",
- OperationSuffix: "|path",
 },
 Responses: map[int][]framework.Response{
 http.StatusOK: {{
@@ -342,7 +341,6 @@ func rawPaths(prefix string, r *RawBackend) []*framework.Path {
 DisplayAttrs: &framework.DisplayAttributes{
 OperationPrefix: "raw",
 OperationVerb: "write",
- OperationSuffix: "|path",
 },
 Responses: map[int][]framework.Response{
 http.StatusOK: {{
@@ -353,11 +351,6 @@ func rawPaths(prefix string, r *RawBackend) []*framework.Path {
 },
 logical.CreateOperation: &framework.PathOperation{
 Callback: r.handleRawWrite,
- DisplayAttrs: &framework.DisplayAttributes{
- OperationPrefix: "raw",
- OperationVerb: "write",
- OperationSuffix: "|path",
- },
 Responses: map[int][]framework.Response{
 http.StatusNoContent: {{
 Description: "OK",
@@ -370,7 +363,6 @@ func rawPaths(prefix string, r *RawBackend) []*framework.Path {
 DisplayAttrs: &framework.DisplayAttributes{
 OperationPrefix: "raw",
 OperationVerb: "delete",
- OperationSuffix: "|path",
 },
 Responses: map[int][]framework.Response{
 http.StatusNoContent: {{
@@ -384,7 +376,6 @@ func rawPaths(prefix string, r *RawBackend) []*framework.Path {
 DisplayAttrs: &framework.DisplayAttributes{
 OperationPrefix: "raw",
 OperationVerb: "list",
- OperationSuffix: "|path",
 },
 Responses: map[int][]framework.Response{
 http.StatusOK: {{
diff --git a/vault/logical_system_paths.go b/vault/logical_system_paths.go
index f90b50c0ca..ccb4d20819 100644
--- a/vault/logical_system_paths.go
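Review bot: In rawPaths (vault/logical_raw.go), the new `Pattern` always requires the `raw/` prefix, so a request for bare `raw`, which the removed `raw/?$` alternative accepted, is presumably no longer routed here, while `raw/` with an empty `path` still is. Because this endpoint exposes raw storage, the accepted path forms are worth stating explicitly: add a comment above the field such as `// Matches "raw/" and "raw/<path>"; bare "raw" is intentionally not matched.` and a routing test covering the three forms. The api/sudo_paths.go regex changed in this same commit still reports bare `/sys/raw` as a sudo path, which errs on the safe side but no longer mirrors the server pattern. rawPaths continues beyond the hunk.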
+++ b/vault/logical_system_paths.go
@@ -2696,12 +2696,11 @@ func (b *SystemBackend) capabilitiesPaths() []*framework.Path {
 func (b *SystemBackend) leasePaths() []*framework.Path {
 return []*framework.Path{
 {
- Pattern: "leases/lookup/(?P.+?)?",
+ Pattern: "leases/lookup/" + framework.MatchAllRegex("prefix"),
 DisplayAttrs: &framework.DisplayAttributes{
 OperationPrefix: "leases",
 OperationVerb: "look-up",
- OperationSuffix: "|with-prefix",
 },
 Fields: map[string]*framework.FieldSchema{