Remove internal version endpoint (#25998)

* VAULT-24469 use sys/seal-status instead of internal version endpoint * Update tests and mirage handlers * Revert "VAULT-20669: Add New Authenticated Endpoint for Version (#23740)" This reverts commit 550c99ae3b. * Readded version_test.go * Reverted any old changes on versionlgo --------- Co-authored-by: divyaac <divyaac@berkeley.edu>
2025-10-29 17:52:32 +00:00 · 2024-03-21 11:14:22 -05:00
parent 0048a205ce
commit 6091ad4f71
15 changed files with 29 additions and 149 deletions
--- a/changelog/23740.txt
+++ b/changelog/23740.txt
@@ -1,3 +0,0 @@
-```release-note:feature
-core: add sys/internal/ui/version endpoint
-```
--- a/ui/app/adapters/cluster.js
+++ b/ui/app/adapters/cluster.js
@@ -21,7 +21,6 @@ const ENDPOINTS = [
  'init',
  'capabilities-self',
  'license',
-  'internal/ui/version',
 ];

 const REPLICATION_ENDPOINTS = {
@@ -100,12 +99,8 @@ export default ApplicationAdapter.extend({
    });
  },

-  fetchVersion() {
-    return this.ajax(`${this.urlFor('internal/ui/version')}`, 'GET').catch(() => ({}));
-  },
-
-  sealStatus() {
-    return this.ajax(this.urlFor('seal-status'), 'GET', { unauthenticated: true });
+  sealStatus(unauthenticated = true) {
+    return this.ajax(this.urlFor('seal-status'), 'GET', { unauthenticated });
  },

  seal() {
--- a/ui/app/services/version.js
+++ b/ui/app/services/version.js
@@ -52,8 +52,9 @@ export default class VersionService extends Service {
  @task({ drop: true })
  *getVersion() {
    if (this.version) return;
-    const response = yield this.store.adapterFor('cluster').fetchVersion();
-    this.version = response.data?.version;
+    // Fetch seal status with token to get version
+    const response = yield this.store.adapterFor('cluster').sealStatus(false);
+    this.version = response?.version;
  }

  @task
--- a/ui/mirage/handlers/base.js
+++ b/ui/mirage/handlers/base.js
@@ -37,14 +37,6 @@ export default function (server) {
    };
  });

-  server.get('/sys/internal/ui/version', function () {
-    return {
-      data: {
-        version: '1.9.0+ent',
-      },
-    };
-  });
-
  server.get('/sys/license/status', function () {
    return {
      data: {
--- a/ui/mirage/handlers/reduced-disclosure.js
+++ b/ui/mirage/handlers/reduced-disclosure.js
@@ -10,9 +10,13 @@ export default function (server) {
  server.get('/sys/health', (schema, req) =>
    modifyPassthroughResponse(req, { version: '', cluster_name: '' })
  );
-  server.get('/sys/seal-status', (schema, req) =>
-    modifyPassthroughResponse(req, { version: '', cluster_name: '', build_date: '' })
-  );
+  server.get('/sys/seal-status', (schema, req) => {
+    // When reduced disclosure is active, the version is only returned when a valid token is used
+    const overrides = req.requestHeaders['X-Vault-Token']
+      ? { cluster_name: '', build_date: '' }
+      : { version: '', cluster_name: '', build_date: '' };
+    return modifyPassthroughResponse(req, overrides);
+  });
  server.get('sys/replication/status', () => new Response(404, {}, { errors: ['disabled path'] }));
  server.get('sys/replication/dr/status', () => new Response(404, {}, { errors: ['disabled path'] }));
  server.get(
--- a/ui/tests/acceptance/config-ui/messages/messages-test.js
+++ b/ui/tests/acceptance/config-ui/messages/messages-test.js
@@ -19,14 +19,6 @@ module('Acceptance | Community | config-ui/messages', function (hooks) {
  setupMirage(hooks);

  hooks.beforeEach(async function () {
-    this.server.get('sys/internal/ui/version', function () {
-      return {
-        data: {
-          version: '1.16.0',
-        },
-      };
-    });
-
    this.server.get('/sys/health', function () {
      return {
        enterprise: false,
@@ -100,13 +92,6 @@ module('Acceptance | Enterprise | config-ui/message', function (hooks) {

      await click(PAGE.button('create-message'));
    };
-    this.server.get('sys/internal/ui/version', function () {
-      return {
-        data: {
-          version: '1.16.0+ent',
-        },
-      };
-    });
    this.server.get('/sys/health', function () {
      return {
        enterprise: true,
--- a/ui/tests/acceptance/dashboard-test.js
+++ b/ui/tests/acceptance/dashboard-test.js
@@ -83,7 +83,9 @@ module('Acceptance | landing page dashboard', function (hooks) {
    await visit('/vault/dashboard');
    const version = this.owner.lookup('service:version');
    // Since we're using mirage, version is mocked static value
-    const versionText = version.isEnterprise ? `Vault v1.9.0 root` : `Vault v1.9.0`;
+    const versionText = version.isEnterprise
+      ? `Vault ${version.versionDisplay} root`
+      : `Vault ${version.versionDisplay}`;

    assert.dom(SELECTORS.cardHeader('Vault version')).hasText(versionText);
  });
--- a/ui/tests/acceptance/reduced-disclosure-test.js
+++ b/ui/tests/acceptance/reduced-disclosure-test.js
@@ -62,6 +62,7 @@ module('Acceptance | reduced disclosure test', function (hooks) {
        type: 'shamir',
        initialized: true,
        sealed: this.sealed,
+        version: '1.21.3',
      };
    });
    this.server.put(`/sys/seal`, () => {
@@ -84,11 +85,9 @@ module('Acceptance | reduced disclosure test', function (hooks) {
    });
    await authPage.login();

-    const versionSvc = this.owner.lookup('service:version');
    await visit('/vault/settings/seal');
-    assert
-      .dom('[data-test-footer-version]')
-      .hasText(`Vault ${versionSvc.version}`, 'shows version on seal page');
+
+    assert.dom('[data-test-footer-version]').hasText(`Vault 1.21.3`, 'shows version on seal page');
    assert.strictEqual(currentURL(), '/vault/settings/seal');

    // seal
@@ -115,9 +114,7 @@ module('Acceptance | reduced disclosure test', function (hooks) {
    assert.strictEqual(currentRouteName(), 'vault.cluster.auth', 'vault is ready to authenticate');
    assert.dom('[data-test-footer-version]').hasText(`Vault`, 'Version is still not shown before auth');
    await authPage.login();
-    assert
-      .dom('[data-test-footer-version]')
-      .hasText(`Vault ${versionSvc.version}`, 'Version is shown after login');
+    assert.dom('[data-test-footer-version]').hasText(`Vault 1.21.3`, 'Version is shown after login');
  });

  module('enterprise', function () {
--- a/ui/tests/unit/services/version-test.js
+++ b/ui/tests/unit/services/version-test.js
@@ -23,6 +23,16 @@ module('Unit | Service | version', function (hooks) {
    assert.true(service.isEnterprise);
  });

+  test('calculates versionDisplay correctly', function (assert) {
+    const service = this.owner.lookup('service:version');
+    service.type = 'community';
+    service.version = '1.2.3';
+    assert.strictEqual(service.versionDisplay, 'v1.2.3');
+    service.type = 'enterprise';
+    service.version = '1.4.7+ent';
+    assert.strictEqual(service.versionDisplay, 'v1.4.7');
+  });
+
  test('hasPerfReplication', function (assert) {
    const service = this.owner.lookup('service:version');
    assert.false(service.hasPerfReplication);
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -5249,18 +5249,6 @@ func (b *SystemBackend) pathInternalUIResultantACL(ctx context.Context, req *log
 	return resp, nil
 }

-// pathInternalUIVersion is the framework.PathOperation callback function for
-// the sys/internal/ui/version path. It simply returns the Vault version.
-func (b *SystemBackend) pathInternalUIVersion(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	resp := &logical.Response{
-		Data: map[string]any{
-			"version": version.GetVersion().VersionNumber(),
-		},
-	}
-
-	return resp, nil
-}
-
 func (b *SystemBackend) pathInternalOpenAPI(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
 	// Limit output to authorized paths
 	resp, err := b.pathInternalUIMountsRead(ctx, req, d)
--- a/vault/logical_system_integ_test.go
+++ b/vault/logical_system_integ_test.go
@@ -87,11 +87,6 @@ func TestSystemBackend_InternalUIResultantACL(t *testing.T) {
 					"read",
 				},
 			},
-			"sys/internal/ui/version": map[string]interface{}{
-				"capabilities": []interface{}{
-					"read",
-				},
-			},
 			"sys/leases/lookup": map[string]interface{}{
 				"capabilities": []interface{}{
 					"update",
--- a/vault/logical_system_paths.go
+++ b/vault/logical_system_paths.go
@@ -2895,31 +2895,6 @@ func (b *SystemBackend) internalPaths() []*framework.Path {
 				},
 			},
 		},
-		{
-			Pattern: "internal/ui/version",
-			DisplayAttrs: &framework.DisplayAttributes{
-				OperationPrefix: "internal-ui",
-				OperationVerb:   "read",
-				OperationSuffix: "version",
-			},
-			Operations: map[logical.Operation]framework.OperationHandler{
-				logical.ReadOperation: &framework.PathOperation{
-					Callback: b.pathInternalUIVersion,
-					Summary:  "Backwards compatibility is not guaranteed for this API",
-					Responses: map[int][]framework.Response{
-						http.StatusOK: {{
-							Description: "OK",
-							Fields: map[string]*framework.FieldSchema{
-								"version": {
-									Type:     framework.TypeString,
-									Required: true,
-								},
-							},
-						}},
-					},
-				},
-			},
-		},
 		{
 			Pattern: "internal/counters/requests",
 			DisplayAttrs: &framework.DisplayAttributes{
--- a/vault/policy_store.go
+++ b/vault/policy_store.go
@@ -102,12 +102,6 @@ path "sys/internal/ui/resultant-acl" {
    capabilities = ["read"]
 }

-# Allow a token to look up the Vault version. This path is not subject to
-# redaction like the unauthenticated endpoints that provide the Vault version.
-path "sys/internal/ui/version" {
-	capabilities = ["read"]
-}
-
 # Allow a token to renew a lease via lease_id in the request body; old path for
 # old clients, new path for newer
 path "sys/renew" {
--- a/website/content/api-docs/system/internal-ui-version.mdx
+++ b/website/content/api-docs/system/internal-ui-version.mdx
@@ -1,51 +0,0 @@
---
-layout: api
-page_title: /sys/internal/ui/version - HTTP API
-description: >-
-  The `/sys/internal/ui/version` endpoint exposes the software version of Vault.
---
-
-# `/sys/internal/ui/version`
-
-The `/sys/internal/ui/version` endpoint exposes the Vault software version
-so the Vault UI can display the information to logged in users.
-
-Vault uses internal endpoints to provide information to the Vault UI
-and/or Vault CLI. Internal endpoints are explicitly intended to support
-Vault functionality, so we do not recommend them for general use
-and do not guarantee backwards compatibility across versions.
-
-## Get version
-
-Return the current software version of Vault.
-
-| Method | Path                       |
-| :----- | :------------------------- |
-| `GET`  | `/sys/internal/ui/version` |
-
-### Sample request
-
-```shell-session
-$ curl \
-    --header "X-Vault-Token: ..." \
-    --request GET \
-    http://127.0.0.1:8200/v1/sys/internal/ui/version
-```
-
-### Sample response
-
-```json
-{
-  "request_id": "d585b9be-9c6f-a05f-939b-490cf062ebbe",
-  "lease_id": "",
-  "renewable": false,
-  "lease_duration": 0,
-  "data": {
-    "version": "1.16.0"
-  },
-  "wrap_info": null,
-  "warnings": null,
-  "auth": null,
-  "mount_type": "system"
-}
-```
--- a/website/data/api-docs-nav-data.json
+++ b/website/data/api-docs-nav-data.json
@@ -532,10 +532,6 @@
        "title": "<code>/sys/internal/ui/unauthenticated-messages</code>",
        "path": "system/internal-ui-unauthenticated-messages"
      },
-      {
-        "title": "<code>/sys/internal/ui/version</code>",
-        "path": "system/internal-ui-version"
-      },
      {
        "title": "<code>/sys/key-status</code>",
        "path": "system/key-status"