backport of commit 82f998f071 (#18373)

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
2025-12-27 15:54:50 +00:00 · 2022-12-14 11:47:16 -08:00
parent d4fa7208f6
commit f99420c92c
13 changed files with 341 additions and 99 deletions
--- a/command/auth_enable_test.go
+++ b/command/auth_enable_test.go
@@ -2,7 +2,6 @@ package command

 import (
 	"io/ioutil"
-	"os"
 	"strings"
 	"testing"

@@ -53,13 +52,13 @@ func TestAuthEnableCommand_Run(t *testing.T) {
 		{
 			"deprecated builtin with standard mount",
 			[]string{"app-id"},
-			"",
+			"mount entry associated with pending removal builtin",
 			2,
 		},
 		{
 			"deprecated builtin with different mount",
 			[]string{"-path=/tmp", "app-id"},
-			"",
+			"mount entry associated with pending removal builtin",
 			2,
 		},
 	}
@@ -78,12 +77,12 @@ func TestAuthEnableCommand_Run(t *testing.T) {

 			code := cmd.Run(tc.args)
 			if code != tc.code {
-				t.Errorf("expected %d to be %d", code, tc.code)
+				t.Errorf("expected command return code to be %d, got %d", tc.code, code)
 			}

 			combined := ui.OutputWriter.String() + ui.ErrorWriter.String()
 			if !strings.Contains(combined, tc.out) {
-				t.Errorf("expected %q to contain %q", combined, tc.out)
+				t.Errorf("expected %q in response\n got: %+v", tc.out, combined)
 			}
 		})
 	}
@@ -225,13 +224,6 @@ func TestAuthEnableCommand_Run(t *testing.T) {

 		for _, b := range backends {
 			var expectedResult int = 0
-			status, _ := builtinplugins.Registry.DeprecationStatus(b, consts.PluginTypeCredential)
-			allowDeprecated := os.Getenv(consts.VaultAllowPendingRemovalMountsEnv)
-
-			// Need to handle deprecated builtins specially
-			if (status == consts.PendingRemoval && allowDeprecated == "") || status == consts.Removed {
-				expectedResult = 2
-			}

 			// Not a builtin
 			if b == "token" {
@@ -244,6 +236,13 @@ func TestAuthEnableCommand_Run(t *testing.T) {
 			actualResult := cmd.Run([]string{
 				b,
 			})
+
+			// Need to handle deprecated builtins specially
+			status, _ := builtinplugins.Registry.DeprecationStatus(b, consts.PluginTypeCredential)
+			if status == consts.PendingRemoval || status == consts.Removed {
+				expectedResult = 2
+			}
+
 			if actualResult != expectedResult {
 				t.Errorf("type: %s - got: %d, expected: %d - %s", b, actualResult, expectedResult, ui.OutputWriter.String()+ui.ErrorWriter.String())
 			}
--- a/command/path_map_upgrade_api_test.go
+++ b/command/path_map_upgrade_api_test.go
@@ -3,7 +3,6 @@ package command
 import (
 	"testing"

-	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/vault/api"
 	vaulthttp "github.com/hashicorp/vault/http"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -17,10 +16,10 @@ func TestPathMap_Upgrade_API(t *testing.T) {
 	coreConfig := &vault.CoreConfig{
 		DisableMlock: true,
 		DisableCache: true,
-		Logger:       log.NewNullLogger(),
 		CredentialBackends: map[string]logical.Factory{
 			"app-id": credAppId.Factory,
 		},
+		PendingRemovalMountsAllowed: true,
 	}

 	cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
--- a/command/secrets_enable_test.go
+++ b/command/secrets_enable_test.go
@@ -2,7 +2,6 @@ package command

 import (
 	"io/ioutil"
-	"os"
 	"strings"
 	"testing"

@@ -245,13 +244,6 @@ func TestSecretsEnableCommand_Run(t *testing.T) {

 		for _, b := range backends {
 			expectedResult := 0
-			status, _ := builtinplugins.Registry.DeprecationStatus(b, consts.PluginTypeSecrets)
-			allowDeprecated := os.Getenv(consts.VaultAllowPendingRemovalMountsEnv)
-
-			// Need to handle deprecated builtins specially
-			if (status == consts.PendingRemoval && allowDeprecated == "") || status == consts.Removed {
-				expectedResult = 2
-			}

 			ui, cmd := testSecretsEnableCommand(t)
 			cmd.client = client
@@ -259,6 +251,13 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
 			actualResult := cmd.Run([]string{
 				b,
 			})
+
+			// Need to handle deprecated builtins specially
+			status, _ := builtinplugins.Registry.DeprecationStatus(b, consts.PluginTypeSecrets)
+			if status == consts.PendingRemoval || status == consts.Removed {
+				expectedResult = 2
+			}
+
 			if actualResult != expectedResult {
 				t.Errorf("type: %s - got: %d, expected: %d - %s", b, actualResult, expectedResult, ui.OutputWriter.String()+ui.ErrorWriter.String())
 			}
--- a/command/server.go
+++ b/command/server.go
@@ -1266,16 +1266,6 @@ func (c *ServerCommand) Run(args []string) int {
 		}
 	}

-	if allowPendingRemoval := os.Getenv(consts.VaultAllowPendingRemovalMountsEnv); allowPendingRemoval != "" {
-		var err error
-		vault.PendingRemovalMountsAllowed, err = strconv.ParseBool(allowPendingRemoval)
-		if err != nil {
-			c.UI.Warn(wrapAtLength("WARNING! failed to parse " +
-				consts.VaultAllowPendingRemovalMountsEnv + " env var: " +
-				"defaulting to false."))
-		}
-	}
-
 	// If mlockall(2) isn't supported, show a warning. We disable this in dev
 	// because it is quite scary to see when first using Vault. We also disable
 	// this if the user has explicitly disabled mlock in configuration.
@@ -1384,6 +1374,16 @@ func (c *ServerCommand) Run(args []string) int {
 		return enableFourClusterDev(c, &coreConfig, info, infoKeys, c.flagDevListenAddr, os.Getenv("VAULT_DEV_TEMP_DIR"))
 	}

+	if allowPendingRemoval := os.Getenv(consts.EnvVaultAllowPendingRemovalMounts); allowPendingRemoval != "" {
+		var err error
+		coreConfig.PendingRemovalMountsAllowed, err = strconv.ParseBool(allowPendingRemoval)
+		if err != nil {
+			c.UI.Warn(wrapAtLength("WARNING! failed to parse " +
+				consts.EnvVaultAllowPendingRemovalMounts + " env var: " +
+				"defaulting to false."))
+		}
+	}
+
 	// Initialize the separate HA storage backend, if it exists
 	disableClustering, err := initHaBackend(c, config, &coreConfig, backend)
 	if err != nil {