404 response for LIST sys/config/ui/headers endpoint if no headers set

[maxiscoding28]

Describe the bug
If no header is configured for via the sys/config/ui/headers/:name endpoint then a 404 error is returned by the list ui headers endpoint
https://developer.hashicorp.com/vault/api-docs/system/config-ui#list-ui-headers

To Reproduce
Steps to reproduce the behavior:

1. Tested on version Vault 1.13.2+ent

~ vault status -format=json | jq -r '.version'
1.13.2+ent

2. LIST /sys/config/ui/headers returns 404 if no header is set - https://developer.hashicorp.com/vault/api-docs/system/config-ui#list-ui-headers

~ curl -v -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" \
--request LIST http://127.0.0.1:8200/v1/sys/config/ui/headers
*   Trying 127.0.0.1:8200...
* Connected to 127.0.0.1 (127.0.0.1) port 8200 (#0)
> LIST /v1/sys/config/ui/headers HTTP/1.1
> Host: 127.0.0.1:8200
> User-Agent: curl/7.87.0
> Accept: */*
> X-Vault-Request: true
> X-Vault-Token: XXX
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Cache-Control: no-store
< Content-Type: application/json
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Date: Wed, 24 May 2023 15:59:49 GMT
< Content-Length: 14
< 
{"errors":[]}
* Connection #0 to host 127.0.0.1 left intact

3. Set a UI header

curl -v -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" \
-d '{"values":"winz"}' http://127.0.0.1:8200/v1/sys/config/ui/headers/X-Custom-Header

4. LIST /sys/config/ui/headers now returns a 200

~ curl -v -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" \ 
--request LIST http://127.0.0.1:8200/v1/sys/config/ui/headers
*   Trying 127.0.0.1:8200...
* Connected to 127.0.0.1 (127.0.0.1) port 8200 (#0)
> LIST /v1/sys/config/ui/headers HTTP/1.1
> Host: 127.0.0.1:8200
> User-Agent: curl/7.87.0
> Accept: */*
> X-Vault-Request: true
> X-Vault-Token: XXX
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Cache-Control: no-store
< Content-Type: application/json
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Date: Wed, 24 May 2023 16:04:44 GMT
< Content-Length: 186
< 
{"request_id":"d5a030a5-8d94-987b-6a51-ecc4ae8b3b2d","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["X-Custom-Header"]},"wrap_info":null,"warnings":null,"auth":null}
* Connection #0 to host 127.0.0.1 left intact

Expected behavior
A 200 response is returned for the LIST sys/config/ui/headers endpoint even if there are no headers configured.

Environment:
1.13.2

[maxb]

Although surprising, and probably not the best API design, this behaviour is the same across most (all?) of the LIST endpoints in Vault. It would be weird for sys/config/ui/headers specifically to behave differently.

[marcboudreau]

Thank you for bringing this issue to our attention. Unfortunately, the Vault API has returned HTTP 404 for List operations that do not have any results for quite some time now. We consider the potential adverse effects of changing this behavior would outweigh the clarity that this change would bring.

Given this assessment, I will close this issue. I would encourage you to continue raising issues like this in the future and we will continue to evaluate them to see what can be done on a case by case basis.

[ZhaoZhen711]

Will documentation be updated to reflect this policy?
https://developer.hashicorp.com/vault/api-docs/system/config-ui#list-ui-headers

[maxb]

As this is a cross-cutting truth across the entire Vault API, not just one endpoint, it would make more sense to put it in https://developer.hashicorp.com/vault/api-docs, I think.

I'd be open to writing a PR for the docs, but only if someone from HashiCorp is explicitly interested in reviewing and merging it, as I already have 8 open PRs waiting on HashiCorp, some pending for months, and it's getting a bit discouraging.

[stormshield-gt]

I've just hit a similar problem while listing entity aliases, it should definitely be in the doc

[marcboudreau]

Good suggestion @maxb , I've created #26819 to address this.