Add patch support #49
Merged
Conversation
hghaf099 reviewed Sep 30, 2021
ncabatoff reviewed Oct 6, 2021
Haven't yet got to the tests but the changes overall look good. And thanks for the wonderful PR description and comments!
ncabatoff reviewed Oct 7, 2021
ncabatoff reviewed Oct 7, 2021
ncabatoff approved these changes Oct 8, 2021
Merged
Overview

Providing supplemental data or performing a partial update to a KV secret entry currently requires a GET request, local update, and PUT request. This process has both security and data integrity implications. Requiring a user to fetch a KV secret's data in full when attempting to perform a partial update necessitates the `read` ACL capability for a given endpoint. One might want to allow a user or system to update secret entries but not read them.

Vault PR #12687 introduces support for HTTP `PATCH` requests, specifically JSON merge patch requests, along with a new `patch` ACL capability. The new `logical` operation to handle backend requests is called `PatchOperation`.

Design of Change

A `PatchOperation` handler was added to the data path (`/<mount>/data/:path`). Like the `CreateOperation` handler, it uses check-and-set and is specified as the `cas` field within the `options` map. The `cas` validation logic was abstracted so that both the `CreateOperation` and `PatchOperation` handlers could perform consistent checks.

A `PATCH` request must be performed on an existing resource. If a key metadata entry exists without data, a 404 is returned with the `version` (which should be 0), `created_time`, `deletion_time`, and `destroyed` fields. This response payload is consistent for the same scenario in the `ReadOperation` handler. If no key metadata or data entry exists for the `path` requested, the `PatchOperation` short circuits and will ultimately bubble up to a 404 within Vault's response handling logic.

The JSON merge patch abstraction within Vault (`framework.HandlePatchOperation`) accepts an optional preprocessor function. This is due to the inconsistency between what API endpoints accept as input and what is ultimately stored. In the case of KV's data endpoint, only the map under the `data` key needs to be stored. The preprocessor function simply pulls that out as the data to use in the JSON merge patch operation with the existing `[]byte` data read from storage for the current version of the secret.

The logic to clean up old versions has been abstracted so that it is performed consistently between the `CreateOperation` and `PatchOperation` handlers.

A successful response will include the `version`, `created_time`, `deletion_time`, and `destroyed` fields for the newly created version of the secret entry.

Related Issues/Pull Requests

Issue #1468
Issue #7437
Issue #12330
Vault HTTP PATCH PR #12687
Vault Docs Update PR #12689
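The description above covers three moving parts of a KV patch: the preprocessor that pulls the `data` map out of the request body, the `cas` check against the current version, and the JSON merge patch (RFC 7386) applied to the stored bytes of the current version. The following is an added example that is not the plugin's or Vault's code; it implements those three steps over a toy in-memory versioned store so the behaviour can be run offline. `Store`, `Patch`, `extractData` and `mergePatch` are names chosen for this example, the store holds only the marshalled data map per version (no metadata such as `created_time`), and `cas` is treated as optional here, which is an assumption rather than a statement about the plugin's own validation rules.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Sentinel errors standing in for the outcomes the PR describes:
// a 404 for a secret that does not exist, and a check-and-set failure.
var (
	ErrNotFound    = errors.New("no existing secret at path")
	ErrCASMismatch = errors.New("check-and-set parameter did not match the current version")
)

// Store is a constructed, in-memory versioned KV for this example only:
// versions[path][i] holds the marshalled data map of version i+1.
type Store struct {
	versions map[string][][]byte
}

func NewStore() *Store { return &Store{versions: map[string][][]byte{}} }

// Create writes a complete new version (the PUT path) and returns its number.
func (s *Store) Create(path string, data map[string]interface{}) (int, error) {
	raw, err := json.Marshal(data)
	if err != nil {
		return 0, err
	}
	s.versions[path] = append(s.versions[path], raw)
	return len(s.versions[path]), nil
}

// Latest returns the marshalled data of the current version and its number (nil, 0 if none).
func (s *Store) Latest(path string) ([]byte, int) {
	vs := s.versions[path]
	if len(vs) == 0 {
		return nil, 0
	}
	return vs[len(vs)-1], len(vs)
}

// mergePatch applies an RFC 7386 JSON merge patch to target and returns the result.
// Both values are decoded JSON as produced by encoding/json. A null in the patch
// deletes that key; any non-object patch value (arrays included) replaces the target.
func mergePatch(target, patch interface{}) interface{} {
	patchObj, ok := patch.(map[string]interface{})
	if !ok {
		return patch
	}
	out := map[string]interface{}{}
	if targetObj, ok := target.(map[string]interface{}); ok {
		for k, v := range targetObj {
			out[k] = v
		}
	}
	for k, v := range patchObj {
		if v == nil {
			delete(out, k)
			continue
		}
		out[k] = mergePatch(out[k], v)
	}
	return out
}

// extractData plays the preprocessor role: the body is {"data": {...}, "options": {"cas": N}},
// but only the "data" map is patched and stored. It also returns cas if supplied.
func extractData(body map[string]interface{}) (map[string]interface{}, int, bool, error) {
	data, ok := body["data"].(map[string]interface{})
	if !ok {
		return nil, 0, false, errors.New("request body must contain a data object")
	}
	cas, hasCAS := 0, false
	if opts, ok := body["options"].(map[string]interface{}); ok {
		if raw, ok := opts["cas"]; ok {
			f, ok := raw.(float64) // encoding/json decodes JSON numbers as float64
			if !ok {
				return nil, 0, false, errors.New("cas must be a number")
			}
			cas, hasCAS = int(f), true
		}
	}
	return data, cas, hasCAS, nil
}

// Patch handles a PATCH body for path: it requires an existing secret, enforces cas
// against the current version, merge-patches the current data map and stores the
// result as a new version. Returns the new version number.
func (s *Store) Patch(path string, body []byte) (int, error) {
	var req map[string]interface{}
	if err := json.Unmarshal(body, &req); err != nil {
		return 0, fmt.Errorf("invalid JSON body: %w", err)
	}
	current, curVersion := s.Latest(path)
	if current == nil {
		return 0, ErrNotFound // the PR's 404 for a missing resource
	}
	patch, cas, hasCAS, err := extractData(req)
	if err != nil {
		return 0, err
	}
	if hasCAS && cas != curVersion {
		return 0, ErrCASMismatch
	}
	var target interface{}
	if err := json.Unmarshal(current, &target); err != nil {
		return 0, err
	}
	merged, err := json.Marshal(mergePatch(target, patch))
	if err != nil {
		return 0, err
	}
	s.versions[path] = append(s.versions[path], merged)
	return len(s.versions[path]), nil
}

func main() {
	st := NewStore()
	st.Create("app/db", map[string]interface{}{
		"username": "admin", "password": "old",
		"nested": map[string]interface{}{"a": 1, "b": 2},
	})
	// Constructed request: rotate the password, drop nested.b, add nested.c and token.
	body := []byte(`{"data":{"password":"new","nested":{"b":null,"c":3},"token":"t"},"options":{"cas":1}}`)
	v, err := st.Patch("app/db", body)
	latest, _ := st.Latest("app/db")
	fmt.Println(v, err, string(latest))
}
```

Note the two failure paths a caller holding only `patch` capability observes: a missing secret yields the not-found error before the body is inspected, and a stale `cas` is rejected before any merge happens, so a writer can never overwrite a version it did not see without also being able to read it.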