Add HTTP PATCH support for key metadata

[ccapurso]

Overview

The custom_metadata map field was added to key metadata in #48. Updating the field currently results in a full overwrite. HTTP PATCH was introduced for the data endpoint in #49. Now that Vault generally supports HTTP PATCH, it seemed prudent to add a PatchOperation handler for the metadata endpoint so that custom_metadata can be patched rather than fully overwritten.

Design of Change

The custom_metadata type has been changed from framework.TypeKVPairs to framework.TypeMap. The framework.TypeKVPairs restricts values to strings but does not result in proper handling when users to submit null values within the JSON request body. A null will indicate to the JSON merge handler to remove the field. Using framework.TypeKVPairs will result in coercing a nil interface{} from the request data to an empty string which is not ideal. Changing the type of this field was a concern that was handled carefully. The parseCustomMetadata function was added to handle the parsing of the interface{} values into strings to create a map[string]string in the same way that the FieldData parsing would if it were otherwise typed as framework.TypeKVPairs . This function is then used for the CreateOperation/UpdateOperation and PatchOperation handlers to ensure consistent request data coercion.

A PatchOperation handler has been added to the metadata path. Similar to the CreateOperation/UpdateOperation handler, the cas_required field is treated as lower priority than the backend configuration. If the cas_required field on the backend configuration is set to true and an attempt made to set the metadata's cas_required to false will result in a warning.

The framework.PatchPreprocessorFunc for the metadata PatchOperation handler is responsible for the following:

• Only include max_versions, cas_required, delete_version_after, custom_metadata as all other fields are handled internally by the backend
• Ignore top-level nil values as they will result in the JSON merge patch removing them from the resource, they are allowed to exist within custom_metadata
• Create a DurationProto value for delete_version_after

Related Issues/Pull Requests

• Vault PR #13191 - handling type errors in HandlePatchOperation which have been included in the update of github.com/hashicorp/vault/sdk to version v0.3.1-0.20211124134129-09816c37b82e
• Vault PR #13215 - kv metadata patch CLI support and doc updates

[HridoyRoy]

Lgtm! Thanks for including comments for each new function, and for the comprehensive testing!

Just a couple questions/comments to clarify my understanding.

[HridoyRoy]

Could you link the relevant sdk update that is required for this PR? I noticed that this PR uses HandlePatchOperation , which is updated here: https://github.com/hashicorp/vault/pull/13191/files . Was this the change you wanted to include?

[ccapurso]

Ah, yes. I did link the PR above but I will add a note in the description to specify why the sdk version has been updated. Thank you for calling that out!

[HridoyRoy]

Awesome! In that case, I think we'd want to merge the sdk PR first, then redo the go get so we don't depend on a branch.

[ccapurso]

Yup, that's the plan.

[HridoyRoy]

Why do we filter out nils here? Further down in PathMetadataPatch, the parsing logic should filter out nils already. Not a problem regardless as I think having the extra lair of defensive coding is a good thing, but I was just curious if I was missing something here.

[ccapurso]

That's a good point. We have discussed this further offline and come to the conclusion that nils provided for top-level fields will be treated as unsetting the field. The godoc for framework.HandlePatchOperation will account for this functionality.

[HridoyRoy]

Changing my review from Approve to Request changes because I think the question about the go.mod upgrade might be blocking, but otherwise lgtm!