Allow backends to extract credentials from payloads and trigger an authentication workflow (#23924)

* wip

* Work on the tuneable allowance and some bugs

* Call handleCancellableRequest instead, which gets the audit order more correct and includes the preauth response

* Get rid of no longer needed operation

* Phew, this wasn't necessary

* Add auth error handling by the backend, and fix a bug with handleInvalidCredentials

* Cleanup req/resp naming

* Use the new form, and data

* Discovered that tokens werent really being checked because isLoginRequest returns true for the re-request into the backend, when it shouldnt

* Add a few more checks in the delegated request handler for bad inputs

 - Protect the delegated handler from bad inputs from the backend such
   as an empty accessor, a path that isn't registered as a login request
 - Add similar protections for bad auth results as we do in the normal
   login request paths. Technically not 100% needed but if somehow the
   handleCancelableRequest doesn't use the handleLoginRequest code path
   we could get into trouble in the future
 - Add delegated-auth-accessors flag to the secrets tune command and
   api-docs

* Unit tests and some small fixes

* Remove transit preauth test, rely on unit tests

* Cleanup and add a little more commentary in tests

* Fix typos, add another failure use-case which we reference a disabled auth mount

* PR Feedback

 - Use router to lookup mount instead of defining a new lookup method
 - Enforce auth table types and namespace when mount is found
 - Define a type alias for the handleInvalidCreds
 - Fix typos/grammar
 - Clean up globals in test

* Additional PR feedback

 - Add test for delegated auth handler
 - Force batch token usage
 - Add a test to validate failures if a non-batch token is used
 - Check for Data member being nil in test cases

* Update failure error message around requiring batch tokens

* Trap MFA requests

* Reword some error messages

* Add test and fixes for delegated response wrapping

* Move MFA test to dedicated mount

 - If the delegated auth tests were running in parallel, the MFA test
   case might influence the other tests, so move the MFA to a dedicated
   mount

* PR feedback: use textproto.CanonicalMIMEHeaderKey

 - Change the X-Vault-Wrap-Ttl constant to X-Vault-Wrap-TTL
   and use textproto.CanonicalMIMEHeaderKey to format it
   within the delete call.
 - This protects the code around changes of the constant typing

* PR feedback

 - Append Error to RequestDelegatedAuth
 - Force error interface impl through explicit nil var assignment on
   RequestDelegatedAuthError
 - Clean up test factory and leverage NewTestSoloCluster
 - Leverage newer maps.Clone as this is 1.16 only

---------

Co-authored-by: Scott G. Miller <smiller@hashicorp.com>

command/commands.go

@@ -161,6 +161,9 @@ const (
 	// flagNameLogLevel is used to specify the log level applied to logging
 	// Supported log levels: Trace, Debug, Error, Warn, Info
 	flagNameLogLevel = "log-level"
+	// flagNameDelegatedAuthAccessors allows operators to specify the allowed mount accessors a backend can delegate
+	// authentication
+	flagNameDelegatedAuthAccessors = "delegated-auth-accessors"
 )
 
 var (