From d41a9a711983a35ea5d6e7886be8ff3299bc64a8 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Wed, 5 Jul 2023 15:29:29 -0400
Subject: [PATCH] backport of commit e0472d4059decd4a5801e027c34d38b80e038a32 (#21590)
Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>
---
 changelog/21563.txt | 3 +++
 helper/builtinplugins/registry_test.go | 4 ++--
 scripts/gen_openapi.sh | 11 +++++++++--
 vault/logical_system.go | 4 ++--
 4 files changed, 16 insertions(+), 6 deletions(-)
 create mode 100644 changelog/21563.txt
diff --git a/changelog/21563.txt b/changelog/21563.txt
new file mode 100644
index 0000000000..7426ed24fa
--- /dev/null
+++ b/changelog/21563.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+openapi: Better mount points for kv-v1 and kv-v2 in openapi.json
+```
diff --git a/helper/builtinplugins/registry_test.go b/helper/builtinplugins/registry_test.go
index cfaec51814..55acdd9859 100644
--- a/helper/builtinplugins/registry_test.go
+++ b/helper/builtinplugins/registry_test.go
@@ -242,10 +242,10 @@ func Test_RegistryMatchesGenOpenapi(t *testing.T) {
 var (
 credentialBackends []string
- credentialBackendsRe = regexp.MustCompile(`^vault auth enable (?:"([a-zA-Z]+)"|([a-zA-Z]+))$`)
+ credentialBackendsRe = regexp.MustCompile(`^vault auth enable (?:-.+ )*(?:"([a-zA-Z]+)"|([a-zA-Z]+))$`)
 secretsBackends []string
- secretsBackendsRe = regexp.MustCompile(`^vault secrets enable (?:"([a-zA-Z]+)"|([a-zA-Z]+))$`)
+ secretsBackendsRe = regexp.MustCompile(`^vault secrets enable (?:-.+ )*(?:"([a-zA-Z]+)"|([a-zA-Z]+))$`)
 )
 scanner := bufio.NewScanner(f)
diff --git a/scripts/gen_openapi.sh b/scripts/gen_openapi.sh
index de4589877d..b9495cc9c6 100755
--- a/scripts/gen_openapi.sh
+++ b/scripts/gen_openapi.sh
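Review bot: The new `(?:-.+ )*` group lets `.+` greedily accept any text between the first `-` and the last space, including values with embedded spaces or a stray second token, which loosens the line-shape check this test relies on to detect plugins missing from the script; `(?:-\S+ )*` matches the flags the script actually uses (`-path="kv-v1/"`, `-version=1`) while still rejecting malformed lines. Separately, gen_openapi.sh now runs `vault secrets enable` for `kv` twice, so `secretsBackends` presumably receives "kv" twice unless it is deduplicated before the comparison against the registry, which happens outside this hunk and is worth confirming. Test_RegistryMatchesGenOpenapi begins and ends outside the hunk.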
@@ -37,7 +37,13 @@ trap defer_stop_vault INT TERM EXIT
 export VAULT_ADDR=http://127.0.0.1:8200
-echo "Mounting all builtin plugins..."
+echo "Unmounting the default kv-v2 secrets engine ..."
+
+# Unmount the default kv-v2 engine so that we can remount it at 'kv_v2/' later.
+# The mount path will be reflected in the resultant OpenAPI document.
+vault secrets disable "secret/"
+
+echo "Mounting all builtin plugins ..."
 # Enable auth plugins
 vault auth enable "alicloud"
@@ -67,7 +73,8 @@ vault secrets enable "database"
 vault secrets enable "gcp"
 vault secrets enable "gcpkms"
 vault secrets enable "kubernetes"
-vault secrets enable "kv"
+vault secrets enable -path="kv-v1/" -version=1 "kv"
+vault secrets enable -path="kv-v2/" -version=2 "kv"
 vault secrets enable "ldap"
 vault secrets enable "mongodbatlas"
 vault secrets enable "nomad"
diff --git a/vault/logical_system.go b/vault/logical_system.go
index 35707f6804..842ee30146 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -4541,7 +4541,7 @@ func (b *SystemBackend) pathInternalOpenAPI(ctx context.Context, req *logical.Re
 // Generic mount paths will primarily be used for code generation purposes.
 // This will result in parameterized mount paths being returned instead of
 // hardcoded actual paths. For example /auth/my-auth-method/login would be
- // replaced with /auth/{my-auth-method_mount_path}/login.
+ // replaced with /auth/{my_auth_method_mount_path}/login.
 //
 // Note that for this to actually be useful, you have to be using it with
 // a Vault instance in which you have mounted one of each secrets engine
@@ -4615,7 +4615,7 @@ func (b *SystemBackend) pathInternalOpenAPI(ctx context.Context, req *logical.Re
 (pluginType == "system" || pluginType == "identity" || pluginType == "cubbyhole"))
 if !isSingletonMount {
- mountPathParameterName = strings.TrimRight(mount, "/") + "_mount_path"
+ mountPathParameterName = strings.TrimRight(strings.ReplaceAll(mount, "-", "_"), "/") + "_mount_path"
 }
 }
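Review bot: The added comment says the engine is remounted at `'kv_v2/'`, but the second hunk mounts it at `-path="kv-v2/"`; only the OpenAPI parameter name derived from that path uses the underscore form, so the comment should read `# Unmount the default kv-v2 engine so that we can remount it at 'kv-v2/' later` and may add that the generated document exposes it as `kv_v2_mount_path`. `vault secrets disable "secret/"` also assumes the default dev-mode kv-v2 mount is present: whether the script runs under `set -e` is not visible here, so a missing mount either aborts the whole generation or is silently ignored, and that assumption deserves a one-line comment next to the call. The server start-up and trap setup this relies on are outside the hunk.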
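Review bot: `strings.ReplaceAll(mount, "-", "_")` only normalizes hyphens, so a nested mount such as `team/kv/` or a path containing `.` still yields a parameter name with `/` or `.` in it, which is the same code-generation problem the hyphen fix addresses; folding every rune outside `[A-Za-z0-9_]` to `_` covers those cases as well. The mapping is also not injective: `kv-v2/` and `kv_v2/` both become `kv_v2_mount_path`, so a document generated from a server with both mounted would carry duplicate parameter names — mount paths are operator-chosen, so if that collision is acceptable it is worth a comment. pathInternalOpenAPI begins and ends outside the hunk.
```go
	if !isSingletonMount {
		// Mount paths are operator-chosen and may contain characters that are not
		// valid in generated identifiers ('-', '.', or '/' for nested mounts); fold
		// everything outside [A-Za-z0-9_] to '_' so the parameter name is usable by
		// code generators. Note this mapping can collide (kv-v2/ and kv_v2/).
		base := strings.Map(func(r rune) rune {
			if r == '_' || (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') {
				return r
			}
			return '_'
		}, strings.TrimRight(mount, "/"))
		mountPathParameterName = base + "_mount_path"
	}
```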