Skip to content

Commit

Permalink
backport of commit 259cfbf
Browse files Browse the repository at this point in the history
  • Loading branch information
stevendpclark authored May 8, 2024
1 parent d9d717b commit 2f2f09c
Show file tree
Hide file tree
Showing 7 changed files with 38 additions and 5 deletions.
3 changes: 3 additions & 0 deletions changelog/26876.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
core: Add missing field delegated_auth_accessors to GET /sys/mounts/:path API response
```
13 changes: 13 additions & 0 deletions command/secrets_enable.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ type SecretsEnableCommand struct {
flagExternalEntropyAccess bool
flagVersion int
flagAllowedManagedKeys []string
flagDelegatedAuthAccessors []string
flagIdentityTokenKey string
}

Expand Down Expand Up @@ -229,6 +230,14 @@ func (c *SecretsEnableCommand) Flags() *FlagSets {
"each time with 1 key.",
})

f.StringSliceVar(&StringSliceVar{
Name: flagNameDelegatedAuthAccessors,
Target: &c.flagDelegatedAuthAccessors,
Usage: "A list of permitted authentication accessors this backend can delegate authentication to. " +
"Note that multiple values may be specified by providing this option multiple times, " +
"each time with 1 accessor.",
})

f.StringVar(&StringVar{
Name: flagNameIdentityTokenKey,
Target: &c.flagIdentityTokenKey,
Expand Down Expand Up @@ -339,6 +348,10 @@ func (c *SecretsEnableCommand) Run(args []string) int {
mountInput.Config.AllowedManagedKeys = c.flagAllowedManagedKeys
}

if fl.Name == flagNameDelegatedAuthAccessors {
mountInput.Config.DelegatedAuthAccessors = c.flagDelegatedAuthAccessors
}

if fl.Name == flagNamePluginVersion {
mountInput.Config.PluginVersion = c.flagPluginVersion
}
Expand Down
4 changes: 4 additions & 0 deletions command/secrets_enable_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,7 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
"-allowed-response-headers", "authorization",
"-allowed-managed-keys", "key1,key2",
"-identity-token-key", "default",
"-delegated-auth-accessors", "authAcc1,authAcc2",
"-force-no-cache",
"pki",
})
Expand Down Expand Up @@ -171,6 +172,9 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"authAcc1,authAcc2"}, mountInfo.Config.DelegatedAuthAccessors); len(diff) > 0 {
t.Errorf("Failed to find expected values in DelegatedAuthAccessors. Difference is: %v", diff)
}
if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 {
t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff)
}
Expand Down
4 changes: 4 additions & 0 deletions command/secrets_tune_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -195,6 +195,7 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
"-identity-token-key", "default",
"-listing-visibility", "unauth",
"-plugin-version", version,
"-delegated-auth-accessors", "authAcc1,authAcc2",
"mount_tune_integration/",
})
if exp := 0; code != exp {
Expand Down Expand Up @@ -246,6 +247,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"authAcc1,authAcc2"}, mountInfo.Config.DelegatedAuthAccessors); len(diff) > 0 {
t.Errorf("Failed to find expected values in DelegatedAuthAccessors. Difference is: %v", diff)
}
if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 {
t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff)
}
Expand Down
3 changes: 3 additions & 0 deletions vault/logical_system.go
Original file line number Diff line number Diff line change
Expand Up @@ -1409,6 +1409,9 @@ func (b *SystemBackend) mountInfo(ctx context.Context, entry *MountEntry) map[st
}
entryConfig["user_lockout_config"] = userLockoutConfig
}
if rawVal, ok := entry.synthesizedConfigCache.Load("delegated_auth_accessors"); ok {
entryConfig["delegated_auth_accessors"] = rawVal.([]string)
}

// Add deprecation status only if it exists
builtinType := b.Core.builtinTypeFromMountEntry(ctx, entry)
Expand Down
9 changes: 6 additions & 3 deletions website/content/docs/commands/secrets/enable.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ flags](/vault/docs/commands) included on all commands.
- `-path` `(string: "")` Place where the secrets engine will be accessible. This
must be unique cross all secrets engines. This defaults to the "type" of the
secrets engine.

!> **Case-sensitive:** The path where you enable secrets engines is case-sensitive. For
example, the KV secrets engine enabled at `kv/` and `KV/` are treated as two
distinct instances of KV secrets engine.
Expand All @@ -105,8 +105,11 @@ flags](/vault/docs/commands) included on all commands.

- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
in question is allowed to access. Note that multiple keys may be specified
either by providing the key names as a comma separated string or by providing
this option multiple times, each time with 1 key.
by providing this option multiple times, each time with 1 key.

- `-delegated-auth-accessors` `(string: "")` - An authorized accessor the auth
backend can delegate authentication to. To allow multiple accessors, provide
the `delegated-auth-accessors` multiple times, each time with 1 accessor.

- `-plugin-version` `(string: "")` - Configures the semantic version of the plugin
to use. If unspecified, implies the built-in or any matching unversioned plugin
Expand Down
7 changes: 5 additions & 2 deletions website/content/docs/commands/secrets/tune.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -91,8 +91,11 @@ flags](/vault/docs/commands) included on all commands.

- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
in question is allowed to access. Note that multiple keys may be specified
either by providing the key names as a comma separated string or by providing
this option multiple times, each time with 1 key.
by providing this option multiple times, each time with 1 key.

- `-delegated-auth-accessors` `(string: "")` - An authorized accessor the auth
backend can delegate authentication to. To allow multiple accessors, provide
the `delegated-auth-accessors` multiple times, each time with 1 accessor.

- `-plugin-version` `(string: "")` - Configures the semantic version of the plugin
to use. The new version will not start running until the mount is
Expand Down

0 comments on commit 2f2f09c

Please sign in to comment.