From b4bddb56106ebe4976689a5382c473f77db30e05 Mon Sep 17 00:00:00 2001 From: Steve Clark Date: Wed, 8 May 2024 09:56:59 -0400 Subject: [PATCH 1/5] Add missing delegated_auth_accessors config field to /sys/mounts/ response - The field hadn't been properly populated in the JSON struct being returned through the API response, but had been properly set in the stored structs in the backend. - Add missing update to the command tune docs for the -delegated-auth-accessors option that existed - Add -delegated-auth-accessors to the secret enable vault command along with a docs update --- command/secrets_enable.go | 13 +++++++++++++ command/secrets_enable_test.go | 4 ++++ command/secrets_tune_test.go | 4 ++++ vault/logical_system.go | 3 +++ website/content/docs/commands/secrets/enable.mdx | 7 ++++++- website/content/docs/commands/secrets/tune.mdx | 5 +++++ 6 files changed, 35 insertions(+), 1 deletion(-) diff --git a/command/secrets_enable.go b/command/secrets_enable.go index d02bd69d459f..a73a5e49ef87 100644 --- a/command/secrets_enable.go +++ b/command/secrets_enable.go @@ -41,6 +41,7 @@ type SecretsEnableCommand struct { flagExternalEntropyAccess bool flagVersion int flagAllowedManagedKeys []string + flagDelegatedAuthAccessors []string flagIdentityTokenKey string } @@ -229,6 +230,14 @@ func (c *SecretsEnableCommand) Flags() *FlagSets { "each time with 1 key.", }) + f.StringSliceVar(&StringSliceVar{ + Name: flagNameDelegatedAuthAccessors, + Target: &c.flagDelegatedAuthAccessors, + Usage: "A list of permitted authentication accessors this backend can delegate authentication to. " + + "Note that multiple values may be specified by providing this option multiple times, " + + "each time with 1 accessor.", + }) + f.StringVar(&StringVar{ Name: flagNameIdentityTokenKey, Target: &c.flagIdentityTokenKey, 
@@ -339,6 +348,10 @@ func (c *SecretsEnableCommand) Run(args []string) int { mountInput.Config.AllowedManagedKeys = c.flagAllowedManagedKeys } + if fl.Name == flagNameDelegatedAuthAccessors { + mountInput.Config.DelegatedAuthAccessors = c.flagDelegatedAuthAccessors + } + if fl.Name == flagNamePluginVersion { mountInput.Config.PluginVersion = c.flagPluginVersion } diff --git a/command/secrets_enable_test.go b/command/secrets_enable_test.go index 3d6766b53e35..3efc171a7be1 100644 --- a/command/secrets_enable_test.go +++ b/command/secrets_enable_test.go @@ -119,6 +119,7 @@ func TestSecretsEnableCommand_Run(t *testing.T) { "-allowed-response-headers", "authorization", "-allowed-managed-keys", "key1,key2", "-identity-token-key", "default", + "-delegated-auth-accessors", "authAcc1,authAcc2", "-force-no-cache", "pki", }) @@ -171,6 +172,9 @@ func TestSecretsEnableCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff) } + if diff := deep.Equal([]string{"authAcc1,authAcc2"}, mountInfo.Config.DelegatedAuthAccessors); len(diff) > 0 { + t.Errorf("Failed to find expected values in DelegatedAuthAccessors. Difference is: %v", diff) + } if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 { t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff) } diff --git a/command/secrets_tune_test.go b/command/secrets_tune_test.go index 5bd70a0f0deb..b2d932779fd8 100644 --- a/command/secrets_tune_test.go +++ b/command/secrets_tune_test.go @@ -195,6 +195,7 @@ func TestSecretsTuneCommand_Run(t *testing.T) { "-identity-token-key", "default", "-listing-visibility", "unauth", "-plugin-version", version, + "-delegated-auth-accessors", "authAcc1,authAcc2", "mount_tune_integration/", }) if exp := 0; code != exp { 
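Review bot: The new TestSecretsEnableCommand_Run arguments pass `"-delegated-auth-accessors", "authAcc1,authAcc2"` and the follow-up assertion expects the single element `[]string{"authAcc1,authAcc2"}`, so the test pins the fact that a comma-joined value is stored verbatim as one accessor instead of exercising the documented way of supplying several. Passing the flag twice, `"-delegated-auth-accessors", "authAcc1", "-delegated-auth-accessors", "authAcc2",`, and asserting `[]string{"authAcc1", "authAcc2"}` would cover the repeated-flag accumulation the option's docs describe (PATCH 3 in this series drops the comma-separated wording for exactly this reason). The same pattern appears in the two TestSecretsTuneCommand_Run hunks for secrets_tune_test.go. Both test functions start and end outside their hunks. From a defensive standpoint a comma-joined value silently becomes an accessor string that is unlikely to match any real auth mount accessor, so a case covering the intended form is the one worth keeping.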
@@ -246,6 +247,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff) } + if diff := deep.Equal([]string{"authAcc1,authAcc2"}, mountInfo.Config.DelegatedAuthAccessors); len(diff) > 0 { + t.Errorf("Failed to find expected values in DelegatedAuthAccessors. Difference is: %v", diff) + } if diff := deep.Equal("default", mountInfo.Config.IdentityTokenKey); len(diff) > 0 { t.Errorf("Failed to find expected values in IdentityTokenKey. Difference is: %v", diff) } diff --git a/vault/logical_system.go b/vault/logical_system.go index 372317e29601..77b37dbf5cff 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -1424,6 +1424,9 @@ func (b *SystemBackend) mountInfo(ctx context.Context, entry *MountEntry, legacy } entryConfig["user_lockout_config"] = userLockoutConfig } + if rawVal, ok := entry.synthesizedConfigCache.Load("delegated_auth_accessors"); ok { + entryConfig["delegated_auth_accessors"] = rawVal.([]string) + } // Add deprecation status only if it exists builtinType := b.Core.builtinTypeFromMountEntry(ctx, entry) diff --git a/website/content/docs/commands/secrets/enable.mdx b/website/content/docs/commands/secrets/enable.mdx index 350dc6bc5d6a..fa30ddd2734d 100644 --- a/website/content/docs/commands/secrets/enable.mdx +++ b/website/content/docs/commands/secrets/enable.mdx @@ -90,7 +90,7 @@ flags](/vault/docs/commands) included on all commands. - `-path` `(string: "")` Place where the secrets engine will be accessible. This must be unique cross all secrets engines. This defaults to the "type" of the secrets engine. - + !> **Case-sensitive:** The path where you enable secrets engines is case-sensitive. For example, the KV secrets engine enabled at `kv/` and `KV/` are treated as two distinct instances of KV secrets engine. 
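Review bot: In the vault/logical_system.go hunk, `entryConfig["delegated_auth_accessors"] = rawVal.([]string)` is an unchecked type assertion on a value loaded from `entry.synthesizedConfigCache`; if that cache ever holds a different type under this key, the assertion panics inside the mount-listing handler rather than surfacing an error. A checked form, `if accessors, ok := rawVal.([]string); ok { entryConfig["delegated_auth_accessors"] = accessors }`, keeps response generation off a panic path, though if the neighbouring keys in mountInfo already use the same unchecked pattern it may be preferable to stay consistent and rely on the single writer of the cache storing a `[]string`. mountInfo begins and ends outside the hunk. The series updates the CLI docs but no API reference file appears in any diffstat; if the sys/mounts API docs enumerate the config keys in the response, `delegated_auth_accessors` presumably belongs there as well.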
@@ -108,6 +108,11 @@ flags](/vault/docs/commands) included on all commands. either by providing the key names as a comma separated string or by providing this option multiple times, each time with 1 key. +- `-delegated-auth-accessors` `(string: "")` - A list of permitted authentication + accessors this backend can delegate authentication to. Note that multiple keys + may be specified either by providing the key names as a comma separated string + or by providing this option multiple times, each time with 1 key. + - `-plugin-version` `(string: "")` - Configures the semantic version of the plugin to use. If unspecified, implies the built-in or any matching unversioned plugin that may have been registered. diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx index 4074374888c9..799736ef199a 100644 --- a/website/content/docs/commands/secrets/tune.mdx +++ b/website/content/docs/commands/secrets/tune.mdx @@ -94,6 +94,11 @@ flags](/vault/docs/commands) included on all commands. either by providing the key names as a comma separated string or by providing this option multiple times, each time with 1 key. +- `-delegated-auth-accessors` `(string: "")` - A list of permitted authentication + accessors this backend can delegate authentication to. Note that multiple keys + may be specified either by providing the key names as a comma separated string + or by providing this option multiple times, each time with 1 key. + - `-plugin-version` `(string: "")` - Configures the semantic version of the plugin to use. The new version will not start running until the mount is [reloaded](/vault/docs/commands/plugin/reload). From 17138104e1547ce45640c8dc7506252e6475fac7 Mon Sep 17 00:00:00 2001 From: Steve Clark Date: Wed, 8 May 2024 10:07:57 -0400 Subject: [PATCH 2/5] Add cl --- changelog/26876.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelog/26876.txt 
diff --git a/changelog/26876.txt b/changelog/26876.txt
new file mode 100644
index 000000000000..6522b0ecd9a6
--- /dev/null
+++ b/changelog/26876.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: Add missing field delegated_auth_accessors to GET /sys/mounts/:path API response
+```
From 36eb39e469f64ee80cc8d509f818dbdc95a39e7d Mon Sep 17 00:00:00 2001
From: Steve Clark
Date: Wed, 8 May 2024 13:43:44 -0400
Subject: [PATCH 3/5] Fix documentation, using a comma separated list does not work
---
website/content/docs/commands/secrets/enable.mdx | 8 +++-----
website/content/docs/commands/secrets/tune.mdx | 8 +++-----
2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/website/content/docs/commands/secrets/enable.mdx b/website/content/docs/commands/secrets/enable.mdx
index fa30ddd2734d..e982a98ca528 100644
--- a/website/content/docs/commands/secrets/enable.mdx
+++ b/website/content/docs/commands/secrets/enable.mdx
@@ -105,13 +105,11 @@ flags](/vault/docs/commands) included on all commands. - `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount in question is allowed to access. Note that multiple keys may be specified - either by providing the key names as a comma separated string or by providing - this option multiple times, each time with 1 key. + by providing this option multiple times, each time with 1 key. - `-delegated-auth-accessors` `(string: "")` - A list of permitted authentication - accessors this backend can delegate authentication to. Note that multiple keys - may be specified either by providing the key names as a comma separated string - or by providing this option multiple times, each time with 1 key. + accessors this backend can delegate authentication to. Note that multiple accessors + may be specified by providing this option multiple times, each time with 1 accessor. - `-plugin-version` `(string: "")` - Configures the semantic version of the plugin to use. If unspecified, implies the built-in or any matching unversioned plugin diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx index 799736ef199a..edccaee9367e 100644 --- a/website/content/docs/commands/secrets/tune.mdx +++ b/website/content/docs/commands/secrets/tune.mdx 
@@ -91,13 +91,11 @@ flags](/vault/docs/commands) included on all commands. - `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount in question is allowed to access. Note that multiple keys may be specified - either by providing the key names as a comma separated string or by providing - this option multiple times, each time with 1 key. + by providing this option multiple times, each time with 1 key. - `-delegated-auth-accessors` `(string: "")` - A list of permitted authentication - accessors this backend can delegate authentication to. Note that multiple keys - may be specified either by providing the key names as a comma separated string - or by providing this option multiple times, each time with 1 key. + accessors this backend can delegate authentication to. Note that multiple accessors + may be specified by providing this option multiple times, each time with 1 accessor. - `-plugin-version` `(string: "")` - Configures the semantic version of the plugin to use. The new version will not start running until the mount is From 4dedf2ba07dcda534f6f242eba57d28d41597941 Mon Sep 17 00:00:00 2001 From: Steven Clark Date: Wed, 8 May 2024 15:37:24 -0400 Subject: [PATCH 4/5] Apply suggestions from code review Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --- website/content/docs/commands/secrets/enable.mdx | 6 +++--- website/content/docs/commands/secrets/tune.mdx | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/website/content/docs/commands/secrets/enable.mdx b/website/content/docs/commands/secrets/enable.mdx index e982a98ca528..f7ff69ebf312 100644 --- a/website/content/docs/commands/secrets/enable.mdx +++ b/website/content/docs/commands/secrets/enable.mdx 
@@ -107,9 +107,9 @@ flags](/vault/docs/commands) included on all commands. in question is allowed to access. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. -- `-delegated-auth-accessors` `(string: "")` - A list of permitted authentication - accessors this backend can delegate authentication to. Note that multiple accessors - may be specified by providing this option multiple times, each time with 1 accessor. +- `-delegated-auth-accessors` `(string: "")` - An authorized accessors the auth + backend can delegate authentication to. To allow multiple accessors, provide + the `delegated-auth-accessors` multiple times, each time with 1 accessor. - `-plugin-version` `(string: "")` - Configures the semantic version of the plugin to use. If unspecified, implies the built-in or any matching unversioned plugin diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx index edccaee9367e..3a12d473edc5 100644 --- a/website/content/docs/commands/secrets/tune.mdx +++ b/website/content/docs/commands/secrets/tune.mdx @@ -93,9 +93,9 @@ flags](/vault/docs/commands) included on all commands. in question is allowed to access. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. -- `-delegated-auth-accessors` `(string: "")` - A list of permitted authentication - accessors this backend can delegate authentication to. Note that multiple accessors - may be specified by providing this option multiple times, each time with 1 accessor. +- `-delegated-auth-accessors` `(string: "")` - An authorized accessors the auth + backend can delegate authentication to. To allow multiple accessors, provide + the `delegated-auth-accessors` multiple times, each time with 1 accessor. - `-plugin-version` `(string: "")` - Configures the semantic version of the plugin to use. The new version will not start running until the mount is 
From c9dd7e3ea97260d2e3c1a62a255380679f664f7c Mon Sep 17 00:00:00 2001 From: Steve Clark Date: Wed, 8 May 2024 15:38:08 -0400 Subject: [PATCH 5/5] Drop plural on doc update --- website/content/docs/commands/secrets/enable.mdx | 2 +- website/content/docs/commands/secrets/tune.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/website/content/docs/commands/secrets/enable.mdx b/website/content/docs/commands/secrets/enable.mdx index f7ff69ebf312..d26ab12bcd1b 100644 --- a/website/content/docs/commands/secrets/enable.mdx +++ b/website/content/docs/commands/secrets/enable.mdx @@ -107,7 +107,7 @@ flags](/vault/docs/commands) included on all commands. in question is allowed to access. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. -- `-delegated-auth-accessors` `(string: "")` - An authorized accessors the auth +- `-delegated-auth-accessors` `(string: "")` - An authorized accessor the auth backend can delegate authentication to. To allow multiple accessors, provide the `delegated-auth-accessors` multiple times, each time with 1 accessor. diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx index 3a12d473edc5..0bb31549f314 100644 --- a/website/content/docs/commands/secrets/tune.mdx +++ b/website/content/docs/commands/secrets/tune.mdx @@ -93,7 +93,7 @@ flags](/vault/docs/commands) included on all commands. in question is allowed to access. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. -- `-delegated-auth-accessors` `(string: "")` - An authorized accessors the auth +- `-delegated-auth-accessors` `(string: "")` - An authorized accessor the auth backend can delegate authentication to. To allow multiple accessors, provide the `delegated-auth-accessors` multiple times, each time with 1 accessor.