diff --git a/changelog/12126.txt b/changelog/12126.txt new file mode 100644 index 0000000000000..c53d2a19ca098 --- /dev/null +++ b/changelog/12126.txt @@ -0,0 +1,3 @@ +```release-note:bug +cli/api: Providing consistency for the use of comma separated parameters in auth/secret enable/tune +``` diff --git a/command/auth_enable_test.go b/command/auth_enable_test.go index 21479e9493b68..0cc125fc97563 100644 --- a/command/auth_enable_test.go +++ b/command/auth_enable_test.go @@ -5,6 +5,7 @@ import ( "strings" "testing" + "github.com/go-test/deep" "github.com/hashicorp/vault/helper/builtinplugins" "github.com/hashicorp/vault/sdk/helper/consts" "github.com/mitchellh/cli" @@ -86,6 +87,12 @@ func TestAuthEnableCommand_Run(t *testing.T) { code := cmd.Run([]string{ "-path", "auth_integration/", "-description", "The best kind of test", + "-audit-non-hmac-request-keys", "foo,bar", + "-audit-non-hmac-response-keys", "foo,bar", + "-passthrough-request-headers", "authorization,authentication", + "-passthrough-request-headers", "www-authentication", + "-allowed-response-headers", "authorization", + "-listing-visibility", "unauth", "userpass", }) if exp := 0; code != exp { @@ -113,6 +120,18 @@ func TestAuthEnableCommand_Run(t *testing.T) { if exp := "The best kind of test"; authInfo.Description != exp { t.Errorf("expected %q to be %q", authInfo.Description, exp) } + if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, authInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff) + } + if diff := deep.Equal([]string{"authorization"}, authInfo.Config.AllowedResponseHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) + } + if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) + } + if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) + } }) t.Run("communication_failure", func(t *testing.T) { diff --git a/command/auth_tune.go b/command/auth_tune.go index 0094e56c00f3e..a3ad65579cdcf 100644 --- a/command/auth_tune.go +++ b/command/auth_tune.go @@ -20,15 +20,17 @@ var ( type AuthTuneCommand struct { *BaseCommand - flagAuditNonHMACRequestKeys []string - flagAuditNonHMACResponseKeys []string - flagDefaultLeaseTTL time.Duration - flagDescription string - flagListingVisibility string - flagMaxLeaseTTL time.Duration - flagOptions map[string]string - flagTokenType string - flagVersion int + flagAuditNonHMACRequestKeys []string + flagAuditNonHMACResponseKeys []string + flagDefaultLeaseTTL time.Duration + flagDescription string + flagListingVisibility string + flagMaxLeaseTTL time.Duration + flagPassthroughRequestHeaders []string + flagAllowedResponseHeaders []string + flagOptions map[string]string + flagTokenType string + flagVersion int } func (c *AuthTuneCommand) Synopsis() string { @@ -107,6 +109,20 @@ func (c *AuthTuneCommand) Flags() *FlagSets { "or a previously configured value for the auth method.", }) + f.StringSliceVar(&StringSliceVar{ + Name: flagNamePassthroughRequestHeaders, + Target: &c.flagPassthroughRequestHeaders, + Usage: "Comma-separated string or list of request header values that " + + "will be sent to the plugin", + }) + + f.StringSliceVar(&StringSliceVar{ + Name: flagNameAllowedResponseHeaders, + Target: &c.flagAllowedResponseHeaders, + Usage: "Comma-separated string or list of response header values that " + + "plugins will be allowed to set", + }) + f.StringMapVar(&StringMapVar{ Name: "options", Target: &c.flagOptions, @@ -194,6 +210,14 @@ func (c *AuthTuneCommand) Run(args []string) int { mountConfigInput.ListingVisibility = c.flagListingVisibility } + if fl.Name == flagNamePassthroughRequestHeaders { + mountConfigInput.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders + } + + if fl.Name == flagNameAllowedResponseHeaders { + mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders + } + if fl.Name == flagNameTokenType { mountConfigInput.TokenType = c.flagTokenType } diff --git a/command/auth_tune_test.go b/command/auth_tune_test.go index e01aa98910ac6..227330ea774e2 100644 --- a/command/auth_tune_test.go +++ b/command/auth_tune_test.go @@ -4,6 +4,7 @@ import ( "strings" "testing" + "github.com/go-test/deep" "github.com/hashicorp/vault/api" "github.com/mitchellh/cli" ) @@ -92,6 +93,9 @@ func TestAuthTuneCommand_Run(t *testing.T) { "-max-lease-ttl", "1h", "-audit-non-hmac-request-keys", "foo,bar", "-audit-non-hmac-response-keys", "foo,bar", + "-passthrough-request-headers", "authorization", + "-passthrough-request-headers", "www-authentication", + "-allowed-response-headers", "authorization,www-authentication", "-listing-visibility", "unauth", "my-auth/", }) @@ -126,6 +130,18 @@ func TestAuthTuneCommand_Run(t *testing.T) { if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp { t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp) } + if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff) + } + if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) + } + if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) + } + if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) + } }) t.Run("flags_description", func(t *testing.T) { diff --git a/command/secrets_enable_test.go b/command/secrets_enable_test.go index a8b4084427fa7..bcc581a4e1089 100644 --- a/command/secrets_enable_test.go +++ b/command/secrets_enable_test.go @@ -5,6 +5,7 @@ import ( "strings" "testing" + "github.com/go-test/deep" "github.com/hashicorp/vault/helper/builtinplugins" "github.com/hashicorp/vault/sdk/helper/consts" "github.com/mitchellh/cli" @@ -107,6 +108,11 @@ func TestSecretsEnableCommand_Run(t *testing.T) { "-description", "The best kind of test", "-default-lease-ttl", "30m", "-max-lease-ttl", "1h", + "-audit-non-hmac-request-keys", "foo,bar", + "-audit-non-hmac-response-keys", "foo,bar", + "-passthrough-request-headers", "authorization,authentication", + "-passthrough-request-headers", "www-authentication", + "-allowed-response-headers", "authorization", "-force-no-cache", "pki", }) @@ -144,6 +150,19 @@ func TestSecretsEnableCommand_Run(t *testing.T) { if exp := true; mountInfo.Config.ForceNoCache != exp { t.Errorf("expected %t to be %t", mountInfo.Config.ForceNoCache, exp) } + if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff) + } + if diff := deep.Equal([]string{"authorization"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) + } + if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) + } + if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) + } + }) t.Run("communication_failure", func(t *testing.T) { diff --git a/command/secrets_tune.go b/command/secrets_tune.go index c768c7ea88533..a7883a618cd01 100644 --- a/command/secrets_tune.go +++ b/command/secrets_tune.go @@ -20,14 +20,16 @@ var ( type SecretsTuneCommand struct { *BaseCommand - flagAuditNonHMACRequestKeys []string - flagAuditNonHMACResponseKeys []string - flagDefaultLeaseTTL time.Duration - flagDescription string - flagListingVisibility string - flagMaxLeaseTTL time.Duration - flagOptions map[string]string - flagVersion int + flagAuditNonHMACRequestKeys []string + flagAuditNonHMACResponseKeys []string + flagDefaultLeaseTTL time.Duration + flagDescription string + flagListingVisibility string + flagMaxLeaseTTL time.Duration + flagPassthroughRequestHeaders []string + flagAllowedResponseHeaders []string + flagOptions map[string]string + flagVersion int } func (c *SecretsTuneCommand) Synopsis() string { @@ -106,6 +108,20 @@ func (c *SecretsTuneCommand) Flags() *FlagSets { "TTL, or a previously configured value for the secrets engine.", }) + f.StringSliceVar(&StringSliceVar{ + Name: flagNamePassthroughRequestHeaders, + Target: &c.flagPassthroughRequestHeaders, + Usage: "Comma-separated string or list of request header values that " + + "will be sent to the plugin", + }) + + f.StringSliceVar(&StringSliceVar{ + Name: flagNameAllowedResponseHeaders, + Target: &c.flagAllowedResponseHeaders, + Usage: "Comma-separated string or list of response header values that " + + "plugins will be allowed to set", + }) + f.StringMapVar(&StringMapVar{ Name: "options", Target: &c.flagOptions, @@ -189,6 +205,14 @@ func (c *SecretsTuneCommand) Run(args []string) int { if fl.Name == flagNameListingVisibility { mountConfigInput.ListingVisibility = c.flagListingVisibility } + + if fl.Name == flagNamePassthroughRequestHeaders { + mountConfigInput.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders + } + + if fl.Name == flagNameAllowedResponseHeaders { + mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders + } }) if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil { diff --git a/command/secrets_tune_test.go b/command/secrets_tune_test.go index 42bd800dc1ab3..de732873790e7 100644 --- a/command/secrets_tune_test.go +++ b/command/secrets_tune_test.go @@ -4,6 +4,7 @@ import ( "strings" "testing" + "github.com/go-test/deep" "github.com/hashicorp/vault/api" "github.com/mitchellh/cli" ) @@ -166,6 +167,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) { "-max-lease-ttl", "1h", "-audit-non-hmac-request-keys", "foo,bar", "-audit-non-hmac-response-keys", "foo,bar", + "-passthrough-request-headers", "authorization", + "-passthrough-request-headers", "www-authentication", + "-allowed-response-headers", "authorization,www-authentication", "-listing-visibility", "unauth", "mount_tune_integration/", }) @@ -200,6 +204,18 @@ func TestSecretsTuneCommand_Run(t *testing.T) { if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp { t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp) } + if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values for PassthroughRequestHeaders. Difference is: %v", diff) + } + if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) + } + if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) + } + if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) + } }) t.Run("flags_description", func(t *testing.T) { diff --git a/vault/logical_system.go b/vault/logical_system.go index 6084baa94e656..6179287818861 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -898,6 +898,13 @@ func (b *SystemBackend) handleMount(ctx context.Context, req *logical.Request, d var apiConfig APIMountConfig configMap := data.Get("config").(map[string]interface{}) + // Augmenting configMap for some config options to treat them as comma separated entries + err := expandStringValsWithCommas(configMap) + if err != nil { + return logical.ErrorResponse( + "unable to parse given auth config information"), + logical.ErrInvalidRequest + } if configMap != nil && len(configMap) != 0 { err := mapstructure.Decode(configMap, &apiConfig) if err != nil { @@ -1564,7 +1571,6 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, if rawVal, ok := data.GetOk("allowed_response_headers"); ok { headers := rawVal.([]string) - oldVal := mountEntry.Config.AllowedResponseHeaders mountEntry.Config.AllowedResponseHeaders = headers @@ -1869,6 +1875,31 @@ func (b *SystemBackend) handleAuthTable(ctx context.Context, req *logical.Reques return resp, nil } +func expandStringValsWithCommas(configMap map[string]interface{}) error { + configParamNameSlice := []string{ + "audit_non_hmac_request_keys", + "audit_non_hmac_response_keys", + "passthrough_request_headers", + "allowed_response_headers", + } + for _, paramName := range configParamNameSlice { + if raw, ok := configMap[paramName]; ok { + switch t := raw.(type) { + case string: + // To be consistent with auth tune, and in cases where a single comma separated strings + // is provided in the curl command, we split the entries by the commas. + rawNew := raw.(string) + res, err := parseutil.ParseCommaStringSlice(rawNew) + if err != nil { + return fmt.Errorf("invalid input parameter %v of type %v", paramName, t) + } + configMap[paramName] = res + } + } + } + return nil +} + // handleEnableAuth is used to enable a new credential backend func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { repState := b.Core.ReplicationState() @@ -1895,6 +1926,13 @@ func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Reque var apiConfig APIMountConfig configMap := data.Get("config").(map[string]interface{}) + // Augmenting configMap for some config options to treat them as comma separated entries + err := expandStringValsWithCommas(configMap) + if err != nil { + return logical.ErrorResponse( + "unable to parse given auth config information"), + logical.ErrInvalidRequest + } if configMap != nil && len(configMap) != 0 { err := mapstructure.Decode(configMap, &apiConfig) if err != nil { diff --git a/website/content/api-docs/system/auth.mdx b/website/content/api-docs/system/auth.mdx index 38b7092403571..7fdc29dd06d84 100644 --- a/website/content/api-docs/system/auth.mdx +++ b/website/content/api-docs/system/auth.mdx @@ -83,20 +83,20 @@ For example, enable the "foo" auth method will make it accessible at - `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a string duration like "5s" or "30m". - - `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys - that will not be HMAC'd by audit devices in the request data object. + - `audit_non_hmac_request_keys` `(array: [])` - List of keys that will not be + HMAC'd by audit devices in the request data object. - - `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys - that will not be HMAC'd by audit devices in the response data object. + - `audit_non_hmac_response_keys` `(array: [])` - List of keys that will not be + HMAC'd by audit devices in the response data object. - `listing_visibility` `(string: "")` - Specifies whether to show this mount in the UI-specific listing endpoint. - - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers - to whitelist and pass from the request to the plugin. + - `passthrough_request_headers` `(array: [])` - List of headers to whitelist + and pass from the request to the plugin. - - `allowed_response_headers` `(array: [])` - Comma-separated list of headers - to whitelist, allowing a plugin to include them in the response. + - `allowed_response_headers` `(array: [])` - List of headers to whitelist, + allowing a plugin to include them in the response. Additionally, the following options are allowed in Vault open-source, but relevant functionality is only supported in Vault Enterprise: @@ -217,22 +217,20 @@ can be achieved without `sudo` via `sys/mounts/auth/[auth-path]/tune`._ - `description` `(string: "")` – Specifies the description of the mount. This overrides the current stored value, if any. -- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated - list of keys that will not be HMAC'd by audit devices in the request data - object. +- `audit_non_hmac_request_keys` `(array: [])` - Specifies the list of keys + that will not be HMAC'd by audit devices in the request data object. -- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated - list of keys that will not be HMAC'd by audit devices in the response data - object. +- `audit_non_hmac_response_keys` `(array: [])` - Specifies the list of keys + that will not be HMAC'd by audit devices in the response data object. - `listing_visibility` `(string: "")` - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are `"unauth"` or `""`. -- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers - to whitelist and pass from the request to the plugin. +- `passthrough_request_headers` `(array: [])` - List of headers to whitelist + and pass from the request to the plugin. -- `allowed_response_headers` `(array: [])` - Comma-separated list of headers - to whitelist, allowing a plugin to include them in the response. +- `allowed_response_headers` `(array: [])` - List of headers to whitelist, + allowing a plugin to include them in the response. - `token_type` `(string: "")` – Specifies the type of tokens that should be returned by the mount. The following values are available: diff --git a/website/content/api-docs/system/mounts.mdx b/website/content/api-docs/system/mounts.mdx index 44839ca18feec..53a28f25c9c5d 100644 --- a/website/content/api-docs/system/mounts.mdx +++ b/website/content/api-docs/system/mounts.mdx @@ -137,21 +137,21 @@ This endpoint enables a new secrets engine at the given path. - `force_no_cache` `(bool: false)` - Disable caching. - - `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys - that will not be HMAC'd by audit devices in the request data object. + - `audit_non_hmac_request_keys` `(array: [])` - List of keys that will not be + HMAC'd by audit devices in the request data object. - - `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys - that will not be HMAC'd by audit devices in the response data object. + - `audit_non_hmac_response_keys` `(array: [])` - List of keys that will not be + HMAC'd by audit devices in the response data object. - `listing_visibility` `(string: "")` - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`. If not set, behaves like `"hidden"`. - - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers - to whitelist and pass from the request to the plugin. + - `passthrough_request_headers` `(array: [])` - List of headers to whitelist + and pass from the request to the plugin. - - `allowed_response_headers` `(array: [])` - Comma-separated list of headers - to whitelist, allowing a plugin to include them in the response. + - `allowed_response_headers` `(array: [])` - List of headers to whitelist, + allowing a plugin to include them in the response. - `options` `(map: nil)` - Specifies mount type specific options that are passed to the backend. @@ -261,23 +261,21 @@ This endpoint tunes configuration parameters for a given mount point. - `description` `(string: "")` – Specifies the description of the mount. This overrides the current stored value, if any. -- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated - list of keys that will not be HMAC'd by audit devices in the request data - object. +- `audit_non_hmac_request_keys` `(array: [])` - Specifies the list of keys that + will not be HMAC'd by audit devices in the request data object. -- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated - list of keys that will not be HMAC'd by audit devices in the response data - object. +- `audit_non_hmac_response_keys` `(array: [])` - Specifies the list of keys that + will not be HMAC'd by audit devices in the response data object. - `listing_visibility` `(string: "")` - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`. If not set, behaves like `"hidden"`. -- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers - to whitelist and pass from the request to the plugin. +- `passthrough_request_headers` `(array: [])` - List of headers to whitelist + and pass from the request to the plugin. -- `allowed_response_headers` `(array: [])` - Comma-separated list of headers - to whitelist, allowing a plugin to include them in the response. +- `allowed_response_headers` `(array: [])` - List of headers to whitelist, + allowing a plugin to include them in the response. ### Sample Payload diff --git a/website/content/docs/commands/auth/enable.mdx b/website/content/docs/commands/auth/enable.mdx index ed9dc6ef653b4..7704c7bb9a3a7 100644 --- a/website/content/docs/commands/auth/enable.mdx +++ b/website/content/docs/commands/auth/enable.mdx @@ -57,12 +57,29 @@ flags](/docs/commands) included on all commands. configured default lease TTL, or a previously configured value for the auth method. +- `-passthrough-request-headers` `(string: "")` - request header values that will + be sent to the auth method. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. + +- `-allowed-response-headers` `(string: "")` - response header values that the auth + method will be allowed to set. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. + - `-description` `(string: "")` - Human-friendly description for the purpose of this auth method. +- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the + mount in the UI-specific listing endpoint. + - `-local` `(bool: false)` - Mark the auth method as local-only. Local auth methods are not replicated nor removed by replication. +- `-max-lease-ttl` `(string: "")` - The maximum lease duration, specified as + a string duration like "5s" or "30m". + - `-path` `(string: "")` - Place where the auth method will be accessible. This must be unique across all auth methods. This defaults to the "type" of the auth method. The auth method will be accessible at `/auth/`. + +- `-seal-wrap` `(bool: false)` - Enable seal wrapping for the mount, causing + values stored by the mount to be wrapped by the seal's encryption capability. diff --git a/website/content/docs/commands/auth/tune.mdx b/website/content/docs/commands/auth/tune.mdx index d351e5d7d6263..94f8ab50fa1ce 100644 --- a/website/content/docs/commands/auth/tune.mdx +++ b/website/content/docs/commands/auth/tune.mdx @@ -32,6 +32,9 @@ $ vault auth tune -audit-non-hmac-request-keys=value1 -audit-non-hmac-request-ke The following flags are available in addition to the [standard set of flags](/docs/commands) included on all commands. +- `-allowed-response-headers` `(string: "")` - response header values that the auth + method will be allowed to set. + - `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd by audit devices in the request data object. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. @@ -45,7 +48,21 @@ flags](/docs/commands) included on all commands. configured default lease TTL, or a previously configured value for the auth method. +- `-description` `(string: "")` - Specifies the description of the auth method. + This overrides the current stored value, if any. + +- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the + mount in the UI-specific listing endpoint. + - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this auth method. If unspecified, this defaults to the Vault server's globally configured maximum lease TTL, or a previously configured value for the auth method. + +- `-passthrough-request-headers` `(string: "")` - request header values that will + be sent to the auth method. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. + +- `-token-type` `(string: "")` - Specifies the type of tokens that should be + returned by the auth method. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. diff --git a/website/content/docs/commands/secrets/enable.mdx b/website/content/docs/commands/secrets/enable.mdx index f54213b35b520..ec8258b1270ca 100644 --- a/website/content/docs/commands/secrets/enable.mdx +++ b/website/content/docs/commands/secrets/enable.mdx @@ -90,3 +90,11 @@ flags](/docs/commands) included on all commands. - `-path` `(string: "")` Place where the secrets engine will be accessible. This must be unique cross all secrets engines. This defaults to the "type" of the secrets engine. + +- `-passthrough-request-headers` `(string: "")` - request header values that will + be sent to the secrets engine. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. + +- `-allowed-response-headers` `(string: "")` - response header values that the secrets + engine will be allowed to set. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx index 674698353e09b..0e34d4abf18f7 100644 --- a/website/content/docs/commands/secrets/tune.mdx +++ b/website/content/docs/commands/secrets/tune.mdx @@ -32,6 +32,10 @@ $ vault secrets tune -audit-non-hmac-request-keys=value1 -audit-non-hmac-request The following flags are available in addition to the [standard set of flags](/docs/commands) included on all commands. +`-allowed-response-headers` `(string: "")` - response header values that the + secrets engine will be allowed to set. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. + - `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd by audit devices in the request data object. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. @@ -45,7 +49,17 @@ flags](/docs/commands) included on all commands. configured default lease TTL, or a previously configured value for the secrets engine. +- `-description` `(string: "")` - Specifies the description of the mount. + This overrides the current stored value, if any. + +- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the + mount in the UI-specific listing endpoint. + - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets engine. If unspecified, this defaults to the Vault server's globally configured maximum lease TTL, or a previously configured value for the secrets engine. + +- `-passthrough-request-headers` `(string: "")` - request header values that will + be sent to the secrets engine. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key.