Support trimming trailing slashes via a mount tuneable to support CMPv2 (#28752)

* Support trimming trailing slashes via a mount tuneable to support CMPv2 * changelog/ * Perform trimming in handleLoginRequest too * Eagerly fetch the mount entry so we only test this once * Add a mount match function that gets path and entry * Update vault/request_handling.go Co-authored-by: Steven Clark <steven.clark@hashicorp.com> * more docs * Some patches (from ENT) didnt apply * patch fail * Update vault/router.go Co-authored-by: Steven Clark <steven.clark@hashicorp.com> * PR feedback * dupe * another dupe * Add support for enabling trim_request_trailing_slashes on mount creation * Fix read mount api returning configuration for trim_request_trailing_slashes * Fix test assertion * Switch enable and tune arguments to BoolPtrVal to allow end-users to specify false flag * Add trim-request-trailing-slashes to the auth enable API and CLI --------- Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
2025-10-30 18:17:55 +00:00 · 2024-10-24 10:47:17 -05:00
parent 314874c2b1
commit 415d260995
21 changed files with 292 additions and 140 deletions
--- a/command/secrets_enable.go
+++ b/command/secrets_enable.go
@@ -23,26 +23,27 @@ var (
 type SecretsEnableCommand struct {
 	*BaseCommand

-	flagDescription               string
-	flagPath                      string
-	flagDefaultLeaseTTL           time.Duration
-	flagMaxLeaseTTL               time.Duration
-	flagAuditNonHMACRequestKeys   []string
-	flagAuditNonHMACResponseKeys  []string
-	flagListingVisibility         string
-	flagPassthroughRequestHeaders []string
-	flagAllowedResponseHeaders    []string
-	flagForceNoCache              bool
-	flagPluginName                string
-	flagPluginVersion             string
-	flagOptions                   map[string]string
-	flagLocal                     bool
-	flagSealWrap                  bool
-	flagExternalEntropyAccess     bool
-	flagVersion                   int
-	flagAllowedManagedKeys        []string
-	flagDelegatedAuthAccessors    []string
-	flagIdentityTokenKey          string
+	flagDescription                string
+	flagPath                       string
+	flagDefaultLeaseTTL            time.Duration
+	flagMaxLeaseTTL                time.Duration
+	flagAuditNonHMACRequestKeys    []string
+	flagAuditNonHMACResponseKeys   []string
+	flagListingVisibility          string
+	flagPassthroughRequestHeaders  []string
+	flagAllowedResponseHeaders     []string
+	flagForceNoCache               bool
+	flagPluginName                 string
+	flagPluginVersion              string
+	flagOptions                    map[string]string
+	flagLocal                      bool
+	flagSealWrap                   bool
+	flagExternalEntropyAccess      bool
+	flagVersion                    int
+	flagAllowedManagedKeys         []string
+	flagDelegatedAuthAccessors     []string
+	flagIdentityTokenKey           string
+	flagTrimRequestTrailingSlashes BoolPtr
 }

 func (c *SecretsEnableCommand) Synopsis() string {
@@ -245,6 +246,12 @@ func (c *SecretsEnableCommand) Flags() *FlagSets {
 		Usage:   "Select the key used to sign plugin identity tokens.",
 	})

+	f.BoolPtrVar(&BoolPtrVar{
+		Name:   flagNameTrimRequestTrailingSlashes,
+		Target: &c.flagTrimRequestTrailingSlashes,
+		Usage:  "Whether to trim trailing slashes for incoming requests to this mount",
+	})
+
 	return set
 }

@@ -359,6 +366,11 @@ func (c *SecretsEnableCommand) Run(args []string) int {
 		if fl.Name == flagNameIdentityTokenKey {
 			mountInput.Config.IdentityTokenKey = c.flagIdentityTokenKey
 		}
+
+		if fl.Name == flagNameTrimRequestTrailingSlashes && c.flagTrimRequestTrailingSlashes.IsSet() {
+			val := c.flagTrimRequestTrailingSlashes.Get()
+			mountInput.Config.TrimRequestTrailingSlashes = &val
+		}
 	})

 	if err := client.Sys().Mount(mountPath, mountInput); err != nil {