Add patch support #49
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hghaf099
reviewed
Sep 30, 2021
ncabatoff
reviewed
Oct 6, 2021
ncabatoff
reviewed
Oct 7, 2021
ncabatoff
reviewed
Oct 7, 2021
ncabatoff
approved these changes
Oct 8, 2021
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
Providing supplemental data or performing a partial update to a KV secret entry currently requires a GET request, local update, and PUT request. This process has both security and data integrity implications. Requiring a user to fetch a KV secret’s data in full when attempting to perform a partial update necessitates the
readACL capability for a given endpoint. One might want to allow a user or system to update secret entries but not read them.Vault PR #12687 introduces support for HTTP
PATCHrequests, specifically JSON merge patch requests, along with a newpatchACL capability. The newlogicaloperation to handle backend requests is calledPatchOperation.Design of Change
A
PatchOperationhandler was added to the data path (/<mount>/data/:path). Like theCreateOperationhandler, it uses check-and-set and is specified as thecasfield within theoptionsmap. Thecasvalidation logic was abstracted so that both theCreateOperationandPatchOperationhandlers could perform consistent checks.A
PATCHrequest must be performed on an existing resource. If a key metadata entry exists without data, a 404 is returned with theversion(which should be 0),created_time,deletion_time, anddestroyedfields. This response payload is consistent for the same scenario in theReadOperationhandler. If no key metadata or data entry exists for thepathrequested, thePatchOperationshort circuits and will ultimately bubble up to a 404 within Vault's response handling logic.The JSON merge patch abstraction within Vault (
framework.HandlePatchOperation) accepts an optional preprocessor function. This is due to the inconsistency between what API endpoints accept as input and what is ultimately stored. In the case of KV's data endpoint, only the map under thedatakey needs to be stored. The preprocessor function simply pulls that out as the data to use in the JSON merge patch operation with the existing[]bytedata read from storage for the current version of the secret.The logic to cleanup old versions has been abstracted so that is performed consistently between the
CreateOperationandPatchOperationhandlers.A successful response will include the
version,created_time,deletion_time, anddestroyedfields for the newly created version of the secret entry.Related Issues/Pull Requests
Issue #1468
Issue #7437
Issue #12330
Vault HTTP PATCH PR #12687
Vault Docs Update PR #12689