Add missing delegated_auth_accessors config field to /sys/mounts/<path> response (#26876)

* Add missing delegated_auth_accessors config field to /sys/mounts/<path> response

 - The field hadn't been properly populated in the JSON struct being returned
   through the API response, but had been properly set in the stored structs
   in the backend.
 - Add the missing update to the tune command docs for the -delegated-auth-accessors
   option that already existed
 - Add -delegated-auth-accessors to the secret enable vault command along with
   a docs update

* Add cl

* Fix documentation, using a comma separated list does not work

* Apply suggestions from code review

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Drop plural on doc update

---------

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
Steven Clark
2024-05-08 15:58:46 -04:00
committed by GitHub
parent 6a905be5ec
commit 259cfbf618
7 changed files with 38 additions and 5 deletions

3
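--- a/changelog/26876.txt
+++ b/changelog/26876.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Add missing field delegated_auth_accessors to GET /sys/mounts/:path API response
+```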


@@ -41,6 +41,7 @@ type SecretsEnableCommand struct {
flagExternalEntropyAccess bool flagExternalEntropyAccess bool
flagVersion int flagVersion int
flagAllowedManagedKeys []string flagAllowedManagedKeys []string
flagDelegatedAuthAccessors []string
flagIdentityTokenKey string flagIdentityTokenKey string
} }
@@ -229,6 +230,14 @@ func (c *SecretsEnableCommand) Flags() *FlagSets {
"each time with 1 key.", "each time with 1 key.",
}) })
f.StringSliceVar(&StringSliceVar{
Name: flagNameDelegatedAuthAccessors,
Target: &c.flagDelegatedAuthAccessors,
Usage: "A list of permitted authentication accessors this backend can delegate authentication to. " +
"Note that multiple values may be specified by providing this option multiple times, " +
"each time with 1 accessor.",
})
f.StringVar(&StringVar{ f.StringVar(&StringVar{
Name: flagNameIdentityTokenKey, Name: flagNameIdentityTokenKey,
Target: &c.flagIdentityTokenKey, Target: &c.flagIdentityTokenKey,
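Review bot: The Usage string of the new `StringSliceVar` for `-delegated-auth-accessors` does not say that a value containing commas is kept as a single accessor name, which is the behaviour the PR description ("using a comma separated list does not work") and the new tests (`[]string{"authAcc1,authAcc2"}`) rely on, so an operator who follows the comma convention from older flags silently configures an accessor that matches nothing. Consider ending the Usage with `"Values are not split on commas; repeat the flag once per accessor."` so the CLI help matches the docs change in this PR. The `if fl.Name == flagNameDelegatedAuthAccessors` guard in the Run hunk mirrors the AllowedManagedKeys handling and looks correct. Flags() and Run() both start and end outside the hunks shown.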
@@ -339,6 +348,10 @@ func (c *SecretsEnableCommand) Run(args []string) int {
mountInput.Config.AllowedManagedKeys = c.flagAllowedManagedKeys mountInput.Config.AllowedManagedKeys = c.flagAllowedManagedKeys
} }
if fl.Name == flagNameDelegatedAuthAccessors {
mountInput.Config.DelegatedAuthAccessors = c.flagDelegatedAuthAccessors
}
if fl.Name == flagNamePluginVersion { if fl.Name == flagNamePluginVersion {
mountInput.Config.PluginVersion = c.flagPluginVersion mountInput.Config.PluginVersion = c.flagPluginVersion
} }


@@ -119,6 +119,7 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
"-allowed-response-headers", "authorization", "-allowed-response-headers", "authorization",
"-allowed-managed-keys", "key1,key2", "-allowed-managed-keys", "key1,key2",
"-identity-token-key", "default", "-identity-token-key", "default",
"-delegated-auth-accessors", "authAcc1,authAcc2",
"-force-no-cache", "-force-no-cache",
"pki", "pki",
}) })
@@ -171,6 +172,9 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 { if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff) t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
} }
if diff := deep.Equal([]string{"authAcc1,authAcc2"}, mountInfo.Config.DelegatedAuthAccessors); len(diff) > 0 {
t.Errorf("Failed to find expected values in DelegatedAuthAccessors. Difference is: %v", diff)
}
if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 { if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 {
t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff) t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff)
} }
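Review bot: The new `deep.Equal([]string{"authAcc1,authAcc2"}, mountInfo.Config.DelegatedAuthAccessors)` assertion only pins that a comma-containing value is stored verbatim as one element, so the documented way of supplying several accessors — repeating the flag — is not exercised; the same gap exists in the TestSecretsTuneCommand_Run hunk. Pass the flag twice in the args, `"-delegated-auth-accessors", "authAcc1", "-delegated-auth-accessors", "authAcc2",`, and expect `[]string{"authAcc1", "authAcc2"}`; keep the existing case too if the intent is to document that commas are taken literally. TestSecretsEnableCommand_Run starts and ends outside the hunk.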


@@ -195,6 +195,7 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
"-identity-token-key", "default", "-identity-token-key", "default",
"-listing-visibility", "unauth", "-listing-visibility", "unauth",
"-plugin-version", version, "-plugin-version", version,
"-delegated-auth-accessors", "authAcc1,authAcc2",
"mount_tune_integration/", "mount_tune_integration/",
}) })
if exp := 0; code != exp { if exp := 0; code != exp {
@@ -246,6 +247,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 { if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff) t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
} }
if diff := deep.Equal([]string{"authAcc1,authAcc2"}, mountInfo.Config.DelegatedAuthAccessors); len(diff) > 0 {
t.Errorf("Failed to find expected values in DelegatedAuthAccessors. Difference is: %v", diff)
}
if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 { if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 {
t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff) t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff)
} }


@@ -1424,6 +1424,9 @@ func (b *SystemBackend) mountInfo(ctx context.Context, entry *MountEntry, legacy
} }
entryConfig["user_lockout_config"] = userLockoutConfig entryConfig["user_lockout_config"] = userLockoutConfig
} }
if rawVal, ok := entry.synthesizedConfigCache.Load("delegated_auth_accessors"); ok {
entryConfig["delegated_auth_accessors"] = rawVal.([]string)
}
// Add deprecation status only if it exists // Add deprecation status only if it exists
builtinType := b.Core.builtinTypeFromMountEntry(ctx, entry) builtinType := b.Core.builtinTypeFromMountEntry(ctx, entry)
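Review bot: `rawVal.([]string)` is a single-value type assertion, so any value of another type cached under "delegated_auth_accessors" would panic while building a /sys/mounts response instead of failing cleanly; `synthesizedConfigCache.Load` hands back an untyped value, so the compiler cannot catch a mismatch between the writer and this reader. Prefer the two-value form and omit the field on mismatch: `if accessors, ok := rawVal.([]string); ok { entryConfig["delegated_auth_accessors"] = accessors }`. The store side is not in this hunk, so whether a mismatch can actually occur is an inference. mountInfo starts before and continues past the hunk.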


@@ -90,7 +90,7 @@ flags](/vault/docs/commands) included on all commands.
- `-path` `(string: "")` Place where the secrets engine will be accessible. This - `-path` `(string: "")` Place where the secrets engine will be accessible. This
must be unique cross all secrets engines. This defaults to the "type" of the must be unique cross all secrets engines. This defaults to the "type" of the
secrets engine. secrets engine.
!> **Case-sensitive:** The path where you enable secrets engines is case-sensitive. For !> **Case-sensitive:** The path where you enable secrets engines is case-sensitive. For
example, the KV secrets engine enabled at `kv/` and `KV/` are treated as two example, the KV secrets engine enabled at `kv/` and `KV/` are treated as two
distinct instances of KV secrets engine. distinct instances of KV secrets engine.
@@ -105,8 +105,11 @@ flags](/vault/docs/commands) included on all commands.
- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount - `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
in question is allowed to access. Note that multiple keys may be specified in question is allowed to access. Note that multiple keys may be specified
either by providing the key names as a comma separated string or by providing by providing this option multiple times, each time with 1 key.
this option multiple times, each time with 1 key.
- `-delegated-auth-accessors` `(string: "")` - An authorized accessor the auth
backend can delegate authentication to. To allow multiple accessors, provide
the `delegated-auth-accessors` multiple times, each time with 1 accessor.
- `-plugin-version` `(string: "")` - Configures the semantic version of the plugin - `-plugin-version` `(string: "")` - Configures the semantic version of the plugin
to use. If unspecified, implies the built-in or any matching unversioned plugin to use. If unspecified, implies the built-in or any matching unversioned plugin


@@ -91,8 +91,11 @@ flags](/vault/docs/commands) included on all commands.
- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount - `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
in question is allowed to access. Note that multiple keys may be specified in question is allowed to access. Note that multiple keys may be specified
either by providing the key names as a comma separated string or by providing by providing this option multiple times, each time with 1 key.
this option multiple times, each time with 1 key.
- `-delegated-auth-accessors` `(string: "")` - An authorized accessor the auth
backend can delegate authentication to. To allow multiple accessors, provide
the `delegated-auth-accessors` multiple times, each time with 1 accessor.
- `-plugin-version` `(string: "")` - Configures the semantic version of the plugin - `-plugin-version` `(string: "")` - Configures the semantic version of the plugin
to use. The new version will not start running until the mount is to use. The new version will not start running until the mount is