From e5b9b833614608a6373e0dc3ae3de683bce4d67c Mon Sep 17 00:00:00 2001 From: hamid ghaf Date: Mon, 19 Jul 2021 20:10:41 -0700 Subject: [PATCH 01/12] VAULT-2285 adding capability to accept comma separated entries for auth enable/tune --- command/auth_enable_test.go | 6 ++ command/auth_tune.go | 42 ++++++++-- command/auth_tune_test.go | 3 + vault/logical_system.go | 83 +++++++++++++++++-- website/content/docs/commands/auth/enable.mdx | 15 ++++ website/content/docs/commands/auth/tune.mdx | 12 +++ 6 files changed, 143 insertions(+), 18 deletions(-) diff --git a/command/auth_enable_test.go b/command/auth_enable_test.go index 21479e9493b68..951054b02115c 100644 --- a/command/auth_enable_test.go +++ b/command/auth_enable_test.go @@ -86,6 +86,12 @@ func TestAuthEnableCommand_Run(t *testing.T) { code := cmd.Run([]string{ "-path", "auth_integration/", "-description", "The best kind of test", + "-audit-non-hmac-request-keys", "foo,bar", + "-audit-non-hmac-response-keys", "foo,bar", + "-passthrough-request-headers", "authorization,authentication", + "-passthrough-request-headers", "www-authentication", + "-allowed-response-headers", "authorization", + "-listing-visibility", "unauth", "userpass", }) if exp := 0; code != exp { diff --git a/command/auth_tune.go b/command/auth_tune.go index 0094e56c00f3e..a3ad65579cdcf 100644 --- a/command/auth_tune.go +++ b/command/auth_tune.go 
@@ -20,15 +20,17 @@ var ( type AuthTuneCommand struct { *BaseCommand - flagAuditNonHMACRequestKeys []string - flagAuditNonHMACResponseKeys []string - flagDefaultLeaseTTL time.Duration - flagDescription string - flagListingVisibility string - flagMaxLeaseTTL time.Duration - flagOptions map[string]string - flagTokenType string - flagVersion int + flagAuditNonHMACRequestKeys []string + flagAuditNonHMACResponseKeys []string + flagDefaultLeaseTTL time.Duration + flagDescription string + flagListingVisibility string + flagMaxLeaseTTL time.Duration + flagPassthroughRequestHeaders []string + flagAllowedResponseHeaders []string + flagOptions map[string]string + flagTokenType string + flagVersion int } func (c *AuthTuneCommand) Synopsis() string { @@ -107,6 +109,20 @@ func (c *AuthTuneCommand) Flags() *FlagSets { "or a previously configured value for the auth method.", }) + f.StringSliceVar(&StringSliceVar{ + Name: flagNamePassthroughRequestHeaders, + Target: &c.flagPassthroughRequestHeaders, + Usage: "Comma-separated string or list of request header values that " + + "will be sent to the plugin", + }) + + f.StringSliceVar(&StringSliceVar{ + Name: flagNameAllowedResponseHeaders, + Target: &c.flagAllowedResponseHeaders, + Usage: "Comma-separated string or list of response header values that " + + "plugins will be allowed to set", + }) + f.StringMapVar(&StringMapVar{ Name: "options", Target: &c.flagOptions, @@ -194,6 +210,14 @@ func (c *AuthTuneCommand) Run(args []string) int { mountConfigInput.ListingVisibility = c.flagListingVisibility } + if fl.Name == flagNamePassthroughRequestHeaders { + mountConfigInput.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders + } + + if fl.Name == flagNameAllowedResponseHeaders { + mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders + } + if fl.Name == flagNameTokenType { mountConfigInput.TokenType = c.flagTokenType } 
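Review bot: The Usage text for the two new flags in Flags() calls them "request header values" and "response header values", but what the server matches on are header names (Run() sends them as PassthroughRequestHeaders and AllowedResponseHeaders), so the wording will mislead an operator deciding what to pass. Suggest `Usage: "Comma-separated string or list of request header names that will be passed through to the plugin.",` and the matching `"... response header names that plugins will be allowed to set."`; the neighbouring Usage strings end with a period, these two do not. The same two flag definitions are repeated in secrets_tune.go (PATCH 05) and should get the same text.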
diff --git a/command/auth_tune_test.go b/command/auth_tune_test.go index e01aa98910ac6..24de2194a4bfb 100644 --- a/command/auth_tune_test.go +++ b/command/auth_tune_test.go @@ -92,6 +92,9 @@ func TestAuthTuneCommand_Run(t *testing.T) { "-max-lease-ttl", "1h", "-audit-non-hmac-request-keys", "foo,bar", "-audit-non-hmac-response-keys", "foo,bar", + "-passthrough-request-headers", "authorization", + "-passthrough-request-headers", "www-authentication", + "-allowed-response-headers", "authorization,www-authentication", "-listing-visibility", "unauth", "my-auth/", }) diff --git a/vault/logical_system.go b/vault/logical_system.go index 5c82784644739..343d1f9193a60 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -13,6 +13,7 @@ import ( "net/http" "path" "path/filepath" + "reflect" "sort" "strconv" "strings" @@ -1309,6 +1310,19 @@ func (b *SystemBackend) handleMountTuneWrite(ctx context.Context, req *logical.R return b.handleTuneWriteCommon(ctx, path, data) } +func augmentTuneWriteParams(paramIn interface{}) ([]string, error) { + newVal := paramIn.([]string) + var outputSlice []string + for _, v := range newVal { + res, err := parseutil.ParseCommaStringSlice(v) + if err != nil { + return nil, err + } + outputSlice = append(outputSlice, res...) + } + return outputSlice, nil +} + // handleTuneWriteCommon is used to set config settings on a path func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, data *framework.FieldData) (*logical.Response, error) { repState := b.Core.ReplicationState() 
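Review bot: augmentTuneWriteParams starts from `var outputSlice []string`, so an empty input yields a nil slice where the previous code stored whatever (possibly empty, non-nil) slice FieldData produced; if anything downstream distinguishes the two (JSON encodes them as `null` vs `[]`), reading back a cleared field changes shape. `outputSlice := make([]string, 0, len(newVal))` keeps the old shape and pre-sizes. The function also lacks a doc comment; a line such as `// augmentTuneWriteParams splits each entry of paramIn on commas and returns the flattened list.` would do, and the same applies to the PATCH 06 rewrite of it. The unchecked `paramIn.([]string)` assertion is resolved in PATCH 06 by typing the parameter.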
@@ -1418,13 +1432,15 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, } if rawVal, ok := data.GetOk("audit_non_hmac_request_keys"); ok { - auditNonHMACRequestKeys := rawVal.([]string) + auditNonHMACRequestKeys, err := augmentTuneWriteParams(rawVal) + if err != nil { + return handleError(err) + } oldVal := mountEntry.Config.AuditNonHMACRequestKeys mountEntry.Config.AuditNonHMACRequestKeys = auditNonHMACRequestKeys // Update the mount table - var err error switch { case strings.HasPrefix(path, "auth/"): err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local) @@ -1444,13 +1460,15 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, } if rawVal, ok := data.GetOk("audit_non_hmac_response_keys"); ok { - auditNonHMACResponseKeys := rawVal.([]string) + auditNonHMACResponseKeys, err := augmentTuneWriteParams(rawVal) + if err != nil { + return handleError(err) + } oldVal := mountEntry.Config.AuditNonHMACResponseKeys mountEntry.Config.AuditNonHMACResponseKeys = auditNonHMACResponseKeys // Update the mount table - var err error switch { case strings.HasPrefix(path, "auth/"): err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local) @@ -1537,13 +1555,15 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, } if rawVal, ok := data.GetOk("passthrough_request_headers"); ok { - headers := rawVal.([]string) + headers, err := augmentTuneWriteParams(rawVal) + if err != nil { + return handleError(err) + } oldVal := mountEntry.Config.PassthroughRequestHeaders mountEntry.Config.PassthroughRequestHeaders = headers // Update the mount table - var err error switch { case strings.HasPrefix(path, "auth/"): err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local) 
@@ -1563,13 +1583,14 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, } if rawVal, ok := data.GetOk("allowed_response_headers"); ok { - headers := rawVal.([]string) - + headers, err := augmentTuneWriteParams(rawVal) + if err != nil { + return handleError(err) + } oldVal := mountEntry.Config.AllowedResponseHeaders mountEntry.Config.AllowedResponseHeaders = headers // Update the mount table - var err error switch { case strings.HasPrefix(path, "auth/"): err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local) @@ -1869,6 +1890,43 @@ func (b *SystemBackend) handleAuthTable(ctx context.Context, req *logical.Reques return resp, nil } +func augmentEnableAuthConfigMap(configMap map[string]interface{}) error { + configParamNameSlice := []string{ + "audit_non_hmac_request_keys", + "audit_non_hmac_response_keys", + "passthrough_request_headers", + "allowed_response_headers", + } + for _, paramName := range configParamNameSlice { + if raw, ok := configMap[paramName]; ok { + outputSlice := []string{} + + rt := reflect.TypeOf(raw) + switch rt.Kind() { + case reflect.Slice: + rawNew := raw.([]interface{}) + for _, rawVal := range rawNew { + rawValSt := rawVal.(string) + res, err := parseutil.ParseCommaStringSlice(rawValSt) + if err != nil { + return err + } + outputSlice = append(outputSlice, res...) + } + case reflect.String: + rawNew := raw.(string) + res, err := parseutil.ParseCommaStringSlice(rawNew) + if err != nil { + return err + } + outputSlice = append(outputSlice, res...) + } + configMap[paramName] = outputSlice + } + } + return nil +} + // handleEnableAuth is used to enable a new credential backend func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { repState := b.Core.ReplicationState() 
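Review bot: augmentEnableAuthConfigMap asserts `rawVal.(string)` on every array element without a comma-ok check, so a config map whose list holds a non-string (constructed example: `["a", 1]`) panics inside the request handler instead of returning an error; the PATCH 06 rewrite to a type switch keeps that inner assertion. `reflect.TypeOf(raw)` is also nil for a JSON null, so `rt.Kind()` panics there as well (the later type switch removes that one). Suggest `rawValSt, ok := rawVal.(string)` followed by `if !ok { return fmt.Errorf("invalid entry type in %q", paramName) }`. A doc comment stating that the function rewrites the four listed keys in place as flattened []string would also help the next reader.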
@@ -1895,6 +1953,13 @@ func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Reque var apiConfig APIMountConfig configMap := data.Get("config").(map[string]interface{}) + // Augmenting configMap for some config options to treat them as comma separated entries + err := augmentEnableAuthConfigMap(configMap) + if err != nil { + return logical.ErrorResponse( + "unable to parse given auth config information"), + logical.ErrInvalidRequest + } if configMap != nil && len(configMap) != 0 { err := mapstructure.Decode(configMap, &apiConfig) if err != nil { diff --git a/website/content/docs/commands/auth/enable.mdx b/website/content/docs/commands/auth/enable.mdx index ed9dc6ef653b4..2fc4de408d038 100644 --- a/website/content/docs/commands/auth/enable.mdx +++ b/website/content/docs/commands/auth/enable.mdx 
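Review bot: The error returned by augmentEnableAuthConfigMap is discarded when the response is built, so the caller only sees "unable to parse given auth config information" and cannot tell which of the four keys was rejected (PATCH 03 later puts the parameter name into that error, and this path still drops it). If logical.ErrorResponse's format arguments are used here, `logical.ErrorResponse("unable to parse given auth config information: %s", err),` keeps the detail while still returning logical.ErrInvalidRequest. The same pattern is copied into handleMount in PATCH 05.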
@@ -57,12 +57,27 @@ flags](/docs/commands) included on all commands. configured default lease TTL, or a previously configured value for the auth method. +- `-passthrough-request-headers` `(string: "")` - request header values that will + be sent to the plugin. + +- `-allowed-response-headers` `(string: "")` - response header values that plugins + will be allowed to set. + - `-description` `(string: "")` - Human-friendly description for the purpose of this auth method. +- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the + mount in the UI-specific listing endpoint. + - `-local` `(bool: false)` - Mark the auth method as local-only. Local auth methods are not replicated nor removed by replication. +- `-max-lease-ttl` `(string: "")` - The maximum lease duration, specified as + a string duration like "5s" or "30m". + - `-path` `(string: "")` - Place where the auth method will be accessible. This must be unique across all auth methods. This defaults to the "type" of the auth method. The auth method will be accessible at `/auth/`. + +- `-seal-wrap` `(bool: false)` - Enable seal wrapping for the mount, causing + values stored by the mount to be wrapped by the seal's encryption capability. \ No newline at end of file diff --git a/website/content/docs/commands/auth/tune.mdx b/website/content/docs/commands/auth/tune.mdx index d351e5d7d6263..2ea64915f7ad4 100644 --- a/website/content/docs/commands/auth/tune.mdx +++ b/website/content/docs/commands/auth/tune.mdx 
@@ -32,6 +32,9 @@ $ vault auth tune -audit-non-hmac-request-keys=value1 -audit-non-hmac-request-ke The following flags are available in addition to the [standard set of flags](/docs/commands) included on all commands. +- `-allowed-response-headers` `(string: "")` - response header values that plugins + will be allowed to set. + - `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd by audit devices in the request data object. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. @@ -45,7 +48,16 @@ flags](/docs/commands) included on all commands. configured default lease TTL, or a previously configured value for the auth method. +- `-description` `(string: "")` - Specifies the description of the mount. + This overrides the current stored value, if any. + - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this auth method. If unspecified, this defaults to the Vault server's globally configured maximum lease TTL, or a previously configured value for the auth method. + +- `-passthrough-request-headers` `(string: "")` - request header values that will + be sent to the plugin. + +- `-token-type` `(string: "") - Specifies the type of tokens that should be + returned by the mount. From 1594733d258b0bc54af3b4da484f3785ee314823 Mon Sep 17 00:00:00 2001 From: hamid ghaf Date: Mon, 19 Jul 2021 20:17:52 -0700 Subject: [PATCH 02/12] Adding changelog --- changelog/12126.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelog/12126.txt diff --git a/changelog/12126.txt b/changelog/12126.txt new file mode 100644 index 0000000000000..2ef309718774e --- /dev/null +++ b/changelog/12126.txt @@ -0,0 +1,3 @@ +```release-note:bug +auth: Adding capability to use comma separated parameters for auth enable/tune +``` From e8515b373bc70d3503e3b5901dd68565b9ab7c22 Mon Sep 17 00:00:00 2001 
From: hamid ghaf Date: Tue, 20 Jul 2021 07:12:00 -0700 Subject: [PATCH 03/12] Adding logic to detect invalid input parameter for auth enable config --- vault/logical_system.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/vault/logical_system.go b/vault/logical_system.go index 343d1f9193a60..108983684c9fe 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -1920,6 +1920,8 @@ func augmentEnableAuthConfigMap(configMap map[string]interface{}) error { return err } outputSlice = append(outputSlice, res...) + default: + return fmt.Errorf("Invalid input parameter type for %v", paramName) } configMap[paramName] = outputSlice } From 50cb87cf1e5cbc46e1c3ec1268c3b17893534e42 Mon Sep 17 00:00:00 2001 From: hamid ghaf Date: Tue, 20 Jul 2021 07:22:08 -0700 Subject: [PATCH 04/12] Updating tune.mdx --- website/content/docs/commands/auth/tune.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/commands/auth/tune.mdx b/website/content/docs/commands/auth/tune.mdx index 2ea64915f7ad4..974cceeba7b91 100644 --- a/website/content/docs/commands/auth/tune.mdx +++ b/website/content/docs/commands/auth/tune.mdx @@ -59,5 +59,5 @@ flags](/docs/commands) included on all commands. - `-passthrough-request-headers` `(string: "")` - request header values that will be sent to the plugin. -- `-token-type` `(string: "") - Specifies the type of tokens that should be +- `-token-type` `(string: "")` - Specifies the type of tokens that should be returned by the mount. From bcef9b45c18744c51a301bb676cae55441483773 Mon Sep 17 00:00:00 2001 
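Review bot: The new default branch's message starts with a capital letter and formats paramName with %v; Go error strings are conventionally lowercase and %q makes an empty or odd name visible: `return fmt.Errorf("invalid input parameter type for %q", paramName)`. Note that this branch does not yet cover a JSON null value: reflect.TypeOf(nil) is nil and `rt.Kind()` panics before the switch is reached, which only the type switch introduced in PATCH 06 fixes.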
From: hamid ghaf Date: Tue, 20 Jul 2021 07:51:59 -0700 Subject: [PATCH 05/12] Updating secret enable/tune for comma separated parameters --- changelog/12126.txt | 3 +- command/secrets_enable_test.go | 5 +++ command/secrets_tune.go | 40 +++++++++++++++---- command/secrets_tune_test.go | 3 ++ vault/logical_system.go | 7 ++++ .../content/docs/commands/secrets/enable.mdx | 6 +++ .../content/docs/commands/secrets/tune.mdx | 9 +++++ 7 files changed, 64 insertions(+), 9 deletions(-) diff --git a/changelog/12126.txt b/changelog/12126.txt index 2ef309718774e..2a8ac92fe2299 100644 --- a/changelog/12126.txt +++ b/changelog/12126.txt @@ -1,3 +1,4 @@ ```release-note:bug -auth: Adding capability to use comma separated parameters for auth enable/tune +auth/secret: Adding capability to use comma separated parameters for auth enable/tune +auth/secret: Adding missing CLI parameters and updating website information accordingly ``` diff --git a/command/secrets_enable_test.go b/command/secrets_enable_test.go index a8b4084427fa7..cbb093011a9de 100644 --- a/command/secrets_enable_test.go +++ b/command/secrets_enable_test.go @@ -107,6 +107,11 @@ func TestSecretsEnableCommand_Run(t *testing.T) { "-description", "The best kind of test", "-default-lease-ttl", "30m", "-max-lease-ttl", "1h", + "-audit-non-hmac-request-keys", "foo,bar", + "-audit-non-hmac-response-keys", "foo,bar", + "-passthrough-request-headers", "authorization,authentication", + "-passthrough-request-headers", "www-authentication", + "-allowed-response-headers", "authorization", "-force-no-cache", "pki", }) diff --git a/command/secrets_tune.go b/command/secrets_tune.go index c768c7ea88533..a7883a618cd01 100644 --- a/command/secrets_tune.go +++ b/command/secrets_tune.go 
@@ -20,14 +20,16 @@ var ( type SecretsTuneCommand struct { *BaseCommand - flagAuditNonHMACRequestKeys []string - flagAuditNonHMACResponseKeys []string - flagDefaultLeaseTTL time.Duration - flagDescription string - flagListingVisibility string - flagMaxLeaseTTL time.Duration - flagOptions map[string]string - flagVersion int + flagAuditNonHMACRequestKeys []string + flagAuditNonHMACResponseKeys []string + flagDefaultLeaseTTL time.Duration + flagDescription string + flagListingVisibility string + flagMaxLeaseTTL time.Duration + flagPassthroughRequestHeaders []string + flagAllowedResponseHeaders []string + flagOptions map[string]string + flagVersion int } func (c *SecretsTuneCommand) Synopsis() string { @@ -106,6 +108,20 @@ func (c *SecretsTuneCommand) Flags() *FlagSets { "TTL, or a previously configured value for the secrets engine.", }) + f.StringSliceVar(&StringSliceVar{ + Name: flagNamePassthroughRequestHeaders, + Target: &c.flagPassthroughRequestHeaders, + Usage: "Comma-separated string or list of request header values that " + + "will be sent to the plugin", + }) + + f.StringSliceVar(&StringSliceVar{ + Name: flagNameAllowedResponseHeaders, + Target: &c.flagAllowedResponseHeaders, + Usage: "Comma-separated string or list of response header values that " + + "plugins will be allowed to set", + }) + f.StringMapVar(&StringMapVar{ Name: "options", Target: &c.flagOptions, @@ -189,6 +205,14 @@ func (c *SecretsTuneCommand) Run(args []string) int { if fl.Name == flagNameListingVisibility { mountConfigInput.ListingVisibility = c.flagListingVisibility } + + if fl.Name == flagNamePassthroughRequestHeaders { + mountConfigInput.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders + } + + if fl.Name == flagNameAllowedResponseHeaders { + mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders + } }) if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil { 
diff --git a/command/secrets_tune_test.go b/command/secrets_tune_test.go index 42bd800dc1ab3..f56ccb0151dd8 100644 --- a/command/secrets_tune_test.go +++ b/command/secrets_tune_test.go @@ -166,6 +166,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) { "-max-lease-ttl", "1h", "-audit-non-hmac-request-keys", "foo,bar", "-audit-non-hmac-response-keys", "foo,bar", + "-passthrough-request-headers", "authorization", + "-passthrough-request-headers", "www-authentication", + "-allowed-response-headers", "authorization,www-authentication", "-listing-visibility", "unauth", "mount_tune_integration/", }) diff --git a/vault/logical_system.go b/vault/logical_system.go index 108983684c9fe..c6a854826170a 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -899,6 +899,13 @@ func (b *SystemBackend) handleMount(ctx context.Context, req *logical.Request, d var apiConfig APIMountConfig configMap := data.Get("config").(map[string]interface{}) + // Augmenting configMap for some config options to treat them as comma separated entries + err := augmentEnableAuthConfigMap(configMap) + if err != nil { + return logical.ErrorResponse( + "unable to parse given auth config information"), + logical.ErrInvalidRequest + } if configMap != nil && len(configMap) != 0 { err := mapstructure.Decode(configMap, &apiConfig) if err != nil { diff --git a/website/content/docs/commands/secrets/enable.mdx b/website/content/docs/commands/secrets/enable.mdx index f54213b35b520..8045dfe5c7f30 100644 --- a/website/content/docs/commands/secrets/enable.mdx +++ b/website/content/docs/commands/secrets/enable.mdx 
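Review bot: The error message added to handleMount reads "unable to parse given auth config information", but this is the secrets-engine mount path, so an operator enabling a secrets engine gets a message that points at auth. Suggest `"unable to parse given mount config information: %s", err` so the wording fits both callers and the helper's own error (which names the bad parameter after PATCH 03) is not dropped. The helper's name augmentEnableAuthConfigMap is likewise misleading for this caller; PATCH 07 appears to rename it.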
@@ -90,3 +90,9 @@ flags](/docs/commands) included on all commands. - `-path` `(string: "")` Place where the secrets engine will be accessible. This must be unique cross all secrets engines. This defaults to the "type" of the secrets engine. + +- `-passthrough-request-headers` `(string: "")` - request header values that will + be sent to the plugin. + +- `-allowed-response-headers` `(string: "")` - response header values that plugins + will be allowed to set. diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx index 674698353e09b..e5538c5681d57 100644 --- a/website/content/docs/commands/secrets/tune.mdx +++ b/website/content/docs/commands/secrets/tune.mdx @@ -32,6 +32,9 @@ $ vault secrets tune -audit-non-hmac-request-keys=value1 -audit-non-hmac-request The following flags are available in addition to the [standard set of flags](/docs/commands) included on all commands. +`-allowed-response-headers` `(string: "")` - response header values that plugins + will be allowed to set. + - `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd by audit devices in the request data object. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key. @@ -45,7 +48,13 @@ flags](/docs/commands) included on all commands. configured default lease TTL, or a previously configured value for the secrets engine. +- `-description` `(string: "")` - Specifies the description of the mount. + This overrides the current stored value, if any. + - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets engine. If unspecified, this defaults to the Vault server's globally configured maximum lease TTL, or a previously configured value for the secrets engine. + +- `-passthrough-request-headers` `(string: "")` - request header values that will + be sent to the plugin. \ No newline at end of file From ef999e746a64bc2de640816df022bcba82ad1884 Mon Sep 17 00:00:00 2001 
From: hamid ghaf Date: Tue, 20 Jul 2021 10:52:13 -0700 Subject: [PATCH 06/12] Adding further parameter checks for auth/secret tests Fixing changelog using builtin type for a switch statement Fixing a possible panic scenario --- changelog/12126.txt | 3 +-- command/auth_enable_test.go | 13 ++++++++++ command/auth_tune_test.go | 13 ++++++++++ command/secrets_enable_test.go | 14 +++++++++++ command/secrets_tune_test.go | 13 ++++++++++ vault/logical_system.go | 25 ++++++++++--------- website/content/docs/commands/auth/tune.mdx | 3 +++ .../content/docs/commands/secrets/tune.mdx | 3 +++ 8 files changed, 73 insertions(+), 14 deletions(-) diff --git a/changelog/12126.txt b/changelog/12126.txt index 2a8ac92fe2299..d660cd929be76 100644 --- a/changelog/12126.txt +++ b/changelog/12126.txt @@ -1,4 +1,3 @@ ```release-note:bug -auth/secret: Adding capability to use comma separated parameters for auth enable/tune -auth/secret: Adding missing CLI parameters and updating website information accordingly +cli/api: Adding capability to use comma separated parameters for auth/secret enable/tune ``` diff --git a/command/auth_enable_test.go b/command/auth_enable_test.go index 951054b02115c..5cd292e09c8bd 100644 --- a/command/auth_enable_test.go +++ b/command/auth_enable_test.go @@ -2,6 +2,7 @@ package command import ( "io/ioutil" + "reflect" "strings" "testing" 
@@ -119,6 +120,18 @@ func TestAuthEnableCommand_Run(t *testing.T) { if exp := "The best kind of test"; authInfo.Description != exp { t.Errorf("expected %q to be %q", authInfo.Description, exp) } + if exp := []string{"authorization", "authentication", "www-authentication"}; !reflect.DeepEqual(exp, authInfo.Config.PassthroughRequestHeaders) { + t.Errorf("Failed to find expected values in PassthroughRequestHeaders") + } + if exp := []string{"authorization"}; !reflect.DeepEqual(exp, authInfo.Config.AllowedResponseHeaders) { + t.Errorf("Failed to find expected values in AllowedResponseHeaders") + } + if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, authInfo.Config.AuditNonHMACRequestKeys) { + t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys") + } + if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, authInfo.Config.AuditNonHMACResponseKeys) { + t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys") + } }) t.Run("communication_failure", func(t *testing.T) { diff --git a/command/auth_tune_test.go b/command/auth_tune_test.go index 24de2194a4bfb..baa3a8ac6a7a7 100644 --- a/command/auth_tune_test.go +++ b/command/auth_tune_test.go @@ -1,6 +1,7 @@ package command import ( + "reflect" "strings" "testing" 
@@ -129,6 +130,18 @@ func TestAuthTuneCommand_Run(t *testing.T) { if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp { t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp) } + if exp := []string{"authorization", "www-authentication"}; !reflect.DeepEqual(exp, mountInfo.Config.PassthroughRequestHeaders) { + t.Errorf("Failed to find expected values in PassthroughRequestHeaders") + } + if exp := []string{"authorization", "www-authentication"}; !reflect.DeepEqual(exp, mountInfo.Config.AllowedResponseHeaders) { + t.Errorf("Failed to find expected values in AllowedResponseHeaders") + } + if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, mountInfo.Config.AuditNonHMACRequestKeys) { + t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys") + } + if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, mountInfo.Config.AuditNonHMACResponseKeys) { + t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys") + } }) t.Run("flags_description", func(t *testing.T) { diff --git a/command/secrets_enable_test.go b/command/secrets_enable_test.go index cbb093011a9de..9c128930201bd 100644 --- a/command/secrets_enable_test.go +++ b/command/secrets_enable_test.go @@ -2,6 +2,7 @@ package command import ( "io/ioutil" + "reflect" "strings" "testing" 
@@ -149,6 +150,19 @@ func TestSecretsEnableCommand_Run(t *testing.T) { if exp := true; mountInfo.Config.ForceNoCache != exp { t.Errorf("expected %t to be %t", mountInfo.Config.ForceNoCache, exp) } + if exp := []string{"authorization", "authentication", "www-authentication"}; !reflect.DeepEqual(exp, mountInfo.Config.PassthroughRequestHeaders) { + t.Errorf("Failed to find expected values in PassthroughRequestHeaders") + } + if exp := []string{"authorization"}; !reflect.DeepEqual(exp, mountInfo.Config.AllowedResponseHeaders) { + t.Errorf("Failed to find expected values in AllowedResponseHeaders") + } + if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, mountInfo.Config.AuditNonHMACRequestKeys) { + t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys") + } + if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, mountInfo.Config.AuditNonHMACResponseKeys) { + t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys") + } + }) t.Run("communication_failure", func(t *testing.T) { diff --git a/command/secrets_tune_test.go b/command/secrets_tune_test.go index f56ccb0151dd8..83168c17a00c0 100644 --- a/command/secrets_tune_test.go +++ b/command/secrets_tune_test.go @@ -1,6 +1,7 @@ package command import ( + "reflect" "strings" "testing" 
@@ -203,6 +204,18 @@ func TestSecretsTuneCommand_Run(t *testing.T) { if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp { t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp) } + if exp := []string{"authorization", "www-authentication"}; !reflect.DeepEqual(exp, mountInfo.Config.PassthroughRequestHeaders) { + t.Errorf("Failed to find expected values in PassthroughRequestHeaders") + } + if exp := []string{"authorization", "www-authentication"}; !reflect.DeepEqual(exp, mountInfo.Config.AllowedResponseHeaders) { + t.Errorf("Failed to find expected values in AllowedResponseHeaders") + } + if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, mountInfo.Config.AuditNonHMACRequestKeys) { + t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys") + } + if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, mountInfo.Config.AuditNonHMACResponseKeys) { + t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys") + } }) t.Run("flags_description", func(t *testing.T) { diff --git a/vault/logical_system.go b/vault/logical_system.go index c6a854826170a..638a7f96b7d5b 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -13,7 +13,6 @@ import ( "net/http" "path" "path/filepath" - "reflect" "sort" "strconv" "strings" @@ -1317,10 +1316,9 @@ func (b *SystemBackend) handleMountTuneWrite(ctx context.Context, req *logical.R return b.handleTuneWriteCommon(ctx, path, data) } -func augmentTuneWriteParams(paramIn interface{}) ([]string, error) { - newVal := paramIn.([]string) +func augmentTuneWriteParams(paramIn []string) ([]string, error) { var outputSlice []string - for _, v := range newVal { + for _, v := range paramIn { res, err := parseutil.ParseCommaStringSlice(v) if err != nil { return nil, err 
@@ -1439,7 +1437,8 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, } if rawVal, ok := data.GetOk("audit_non_hmac_request_keys"); ok { - auditNonHMACRequestKeys, err := augmentTuneWriteParams(rawVal) + newVal := rawVal.([]string) + auditNonHMACRequestKeys, err := augmentTuneWriteParams(newVal) if err != nil { return handleError(err) } @@ -1467,7 +1466,8 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, } if rawVal, ok := data.GetOk("audit_non_hmac_response_keys"); ok { - auditNonHMACResponseKeys, err := augmentTuneWriteParams(rawVal) + newVal := rawVal.([]string) + auditNonHMACResponseKeys, err := augmentTuneWriteParams(newVal) if err != nil { return handleError(err) } @@ -1562,7 +1562,8 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, } if rawVal, ok := data.GetOk("passthrough_request_headers"); ok { - headers, err := augmentTuneWriteParams(rawVal) + newVal := rawVal.([]string) + headers, err := augmentTuneWriteParams(newVal) if err != nil { return handleError(err) } @@ -1590,7 +1591,8 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, } if rawVal, ok := data.GetOk("allowed_response_headers"); ok { - headers, err := augmentTuneWriteParams(rawVal) + newVal := rawVal.([]string) + headers, err := augmentTuneWriteParams(newVal) if err != nil { return handleError(err) } @@ -1908,9 +1910,8 @@ func augmentEnableAuthConfigMap(configMap map[string]interface{}) error { if raw, ok := configMap[paramName]; ok { outputSlice := []string{} - rt := reflect.TypeOf(raw) - switch rt.Kind() { - case reflect.Slice: + switch raw.(type) { + case []interface{}: rawNew := raw.([]interface{}) for _, rawVal := range rawNew { rawValSt := rawVal.(string) 
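Review bot: The rewritten switch is `switch raw.(type)` followed by a second assertion in each case (`rawNew := raw.([]interface{})` here and `rawNew := raw.(string)` in the following hunk); binding the value in the switch header, `switch rawNew := raw.(type) {`, gives each case a typed rawNew and removes both re-assertions. The per-element assertion `rawValSt := rawVal.(string)` inside the slice case is still unchecked and will panic on a non-string element. augmentEnableAuthConfigMap's body continues past this hunk.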
@@ -1920,7 +1921,7 @@ func augmentEnableAuthConfigMap(configMap map[string]interface{}) error { } outputSlice = append(outputSlice, res...) } - case reflect.String: + case string: rawNew := raw.(string) res, err := parseutil.ParseCommaStringSlice(rawNew) if err != nil { diff --git a/website/content/docs/commands/auth/tune.mdx b/website/content/docs/commands/auth/tune.mdx index 974cceeba7b91..6ea9c82c6c6a7 100644 --- a/website/content/docs/commands/auth/tune.mdx +++ b/website/content/docs/commands/auth/tune.mdx @@ -51,6 +51,9 @@ flags](/docs/commands) included on all commands. - `-description` `(string: "")` - Specifies the description of the mount. This overrides the current stored value, if any. +- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the + mount in the UI-specific listing endpoint. + - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this auth method. If unspecified, this defaults to the Vault server's globally configured maximum lease TTL, or a previously configured value for the auth diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx index e5538c5681d57..28948ac7e2d1b 100644 --- a/website/content/docs/commands/secrets/tune.mdx +++ b/website/content/docs/commands/secrets/tune.mdx @@ -51,6 +51,9 @@ flags](/docs/commands) included on all commands. - `-description` `(string: "")` - Specifies the description of the mount. This overrides the current stored value, if any. +- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the + mount in the UI-specific listing endpoint. + - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets engine. If unspecified, this defaults to the Vault server's globally configured maximum lease TTL, or a previously configured value for the secrets From f2a690e3d985622e3ab05119abcbca082b41dea1 Mon Sep 17 00:00:00 2001 
From: hamid ghaf Date: Fri, 23 Jul 2021 16:03:10 -0700 Subject: [PATCH 07/12] Changing a function name, using deep.Equal instead of what reflect package provides --- command/auth_enable_test.go | 18 +++++++++--------- command/auth_tune_test.go | 18 +++++++++--------- command/secrets_enable_test.go | 18 +++++++++--------- command/secrets_tune_test.go | 18 +++++++++--------- vault/logical_system.go | 15 +++++++++------ 5 files changed, 45 insertions(+), 42 deletions(-) diff --git a/command/auth_enable_test.go b/command/auth_enable_test.go index 5cd292e09c8bd..fbf3ede169192 100644 --- a/command/auth_enable_test.go +++ b/command/auth_enable_test.go @@ -2,10 +2,10 @@ package command import ( "io/ioutil" - "reflect" "strings" "testing" + "github.com/go-test/deep" "github.com/hashicorp/vault/helper/builtinplugins" "github.com/hashicorp/vault/sdk/helper/consts" "github.com/mitchellh/cli" 
@@ -120,17 +120,17 @@ func TestAuthEnableCommand_Run(t *testing.T) { if exp := "The best kind of test"; authInfo.Description != exp { t.Errorf("expected %q to be %q", authInfo.Description, exp) } - if exp := []string{"authorization", "authentication", "www-authentication"}; !reflect.DeepEqual(exp, authInfo.Config.PassthroughRequestHeaders) { - t.Errorf("Failed to find expected values in PassthroughRequestHeaders") + if diff := deep.Equal([]string{"authorization", "authentication", "www-authentication"}, authInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff) } - if exp := []string{"authorization"}; !reflect.DeepEqual(exp, authInfo.Config.AllowedResponseHeaders) { - t.Errorf("Failed to find expected values in AllowedResponseHeaders") + if diff := deep.Equal([]string{"authorization"}, authInfo.Config.AllowedResponseHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) } - if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, authInfo.Config.AuditNonHMACRequestKeys) { - t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys") + if diff := deep.Equal([]string{"foo", "bar"}, authInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) } - if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, authInfo.Config.AuditNonHMACResponseKeys) { - t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys") + if diff := deep.Equal([]string{"foo", "bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } }) diff --git a/command/auth_tune_test.go b/command/auth_tune_test.go index baa3a8ac6a7a7..2b9a588f0c7fc 100644 --- a/command/auth_tune_test.go +++ b/command/auth_tune_test.go 
@@ -1,10 +1,10 @@ package command import ( - "reflect" "strings" "testing" + "github.com/go-test/deep" "github.com/hashicorp/vault/api" "github.com/mitchellh/cli" ) @@ -130,17 +130,17 @@ func TestAuthTuneCommand_Run(t *testing.T) { if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp { t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp) } - if exp := []string{"authorization", "www-authentication"}; !reflect.DeepEqual(exp, mountInfo.Config.PassthroughRequestHeaders) { - t.Errorf("Failed to find expected values in PassthroughRequestHeaders") + if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff) } - if exp := []string{"authorization", "www-authentication"}; !reflect.DeepEqual(exp, mountInfo.Config.AllowedResponseHeaders) { - t.Errorf("Failed to find expected values in AllowedResponseHeaders") + if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) } - if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, mountInfo.Config.AuditNonHMACRequestKeys) { - t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys") + if diff := deep.Equal([]string{"foo", "bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) } - if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, mountInfo.Config.AuditNonHMACResponseKeys) { - t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys") + if diff := deep.Equal([]string{"foo", "bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } }) 
diff --git a/command/secrets_enable_test.go b/command/secrets_enable_test.go index 9c128930201bd..9efb4afcce92c 100644 --- a/command/secrets_enable_test.go +++ b/command/secrets_enable_test.go @@ -2,10 +2,10 @@ package command import ( "io/ioutil" - "reflect" "strings" "testing" + "github.com/go-test/deep" "github.com/hashicorp/vault/helper/builtinplugins" "github.com/hashicorp/vault/sdk/helper/consts" "github.com/mitchellh/cli" 
@@ -150,17 +150,17 @@ func TestSecretsEnableCommand_Run(t *testing.T) { if exp := true; mountInfo.Config.ForceNoCache != exp { t.Errorf("expected %t to be %t", mountInfo.Config.ForceNoCache, exp) } - if exp := []string{"authorization", "authentication", "www-authentication"}; !reflect.DeepEqual(exp, mountInfo.Config.PassthroughRequestHeaders) { - t.Errorf("Failed to find expected values in PassthroughRequestHeaders") + if diff := deep.Equal([]string{"authorization", "authentication", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff) } - if exp := []string{"authorization"}; !reflect.DeepEqual(exp, mountInfo.Config.AllowedResponseHeaders) { - t.Errorf("Failed to find expected values in AllowedResponseHeaders") + if diff := deep.Equal([]string{"authorization"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) } - if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, mountInfo.Config.AuditNonHMACRequestKeys) { - t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys") + if diff := deep.Equal([]string{"foo", "bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) } - if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, mountInfo.Config.AuditNonHMACResponseKeys) { - t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys") + if diff := deep.Equal([]string{"foo", "bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } }) diff --git a/command/secrets_tune_test.go b/command/secrets_tune_test.go index 83168c17a00c0..f4e5727b1d18a 100644 --- a/command/secrets_tune_test.go 
+++ b/command/secrets_tune_test.go @@ -1,10 +1,10 @@ package command import ( - "reflect" "strings" "testing" + "github.com/go-test/deep" "github.com/hashicorp/vault/api" "github.com/mitchellh/cli" ) 
@@ -204,17 +204,17 @@ func TestSecretsTuneCommand_Run(t *testing.T) { if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp { t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp) } - if exp := []string{"authorization", "www-authentication"}; !reflect.DeepEqual(exp, mountInfo.Config.PassthroughRequestHeaders) { - t.Errorf("Failed to find expected values in PassthroughRequestHeaders") + if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values for PassthroughRequestHeaders. Difference is: %v", diff) } - if exp := []string{"authorization", "www-authentication"}; !reflect.DeepEqual(exp, mountInfo.Config.AllowedResponseHeaders) { - t.Errorf("Failed to find expected values in AllowedResponseHeaders") + if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 { + t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) } - if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, mountInfo.Config.AuditNonHMACRequestKeys) { - t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys") + if diff := deep.Equal([]string{"foo", "bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) } - if exp := []string{"foo", "bar"}; !reflect.DeepEqual(exp, mountInfo.Config.AuditNonHMACResponseKeys) { - t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys") + if diff := deep.Equal([]string{"foo", "bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { + t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } }) diff --git a/vault/logical_system.go b/vault/logical_system.go index 638a7f96b7d5b..a591a642ee189 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go 
@@ -899,7 +899,7 @@ func (b *SystemBackend) handleMount(ctx context.Context, req *logical.Request, d
 configMap := data.Get("config").(map[string]interface{})
 // Augmenting configMap for some config options to treat them as comma separated entries
- err := augmentEnableAuthConfigMap(configMap)
+ err := expandStringValsWithCommas(configMap)
 if err != nil {
 return logical.ErrorResponse(
 "unable to parse given auth config information"),
@@ -1899,7 +1899,7 @@ func (b *SystemBackend) handleAuthTable(ctx context.Context, req *logical.Reques
 return resp, nil
 }
-func augmentEnableAuthConfigMap(configMap map[string]interface{}) error {
+func expandStringValsWithCommas(configMap map[string]interface{}) error {
 configParamNameSlice := []string{
 "audit_non_hmac_request_keys",
 "audit_non_hmac_response_keys",
@@ -1910,11 +1910,14 @@ func augmentEnableAuthConfigMap(configMap map[string]interface{}) error {
 if raw, ok := configMap[paramName]; ok {
 outputSlice := []string{}
- switch raw.(type) {
+ switch t := raw.(type) {
 case []interface{}:
 rawNew := raw.([]interface{})
 for _, rawVal := range rawNew {
- rawValSt := rawVal.(string)
+ rawValSt, ok := rawVal.(string)
+ if !ok {
+ return fmt.Errorf("Invalid input parameter %v of type %v", paramName, t)
+ }
 res, err := parseutil.ParseCommaStringSlice(rawValSt)
 if err != nil {
 return err
@@ -1929,7 +1932,7 @@ func augmentEnableAuthConfigMap(configMap map[string]interface{}) error {
 }
 outputSlice = append(outputSlice, res...)
 default:
- return fmt.Errorf("Invalid input parameter type for %v", paramName)
+ return fmt.Errorf("Invalid input parameter %v of type %v", paramName, t)
 }
 configMap[paramName] = outputSlice
 }
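Review bot: In the `[]interface{}` branch of expandStringValsWithCommas, the new element check reports `t` with `%v`, but the type switch binds `t` to the slice value itself, so the message prints the slice's contents rather than a type and never names the offending element; `rawNew := raw.([]interface{})` is also redundant now that `t` already carries that type. Consider `for _, rawVal := range t {` together with `return fmt.Errorf("invalid input parameter %q: element %v of type %T is not a string", paramName, rawVal, rawVal)`. The same `%v`-of-`t` wording in the `default:` branch of the following hunk likewise prints the value where a type was intended (`%T` gives the type), and both error strings would read better lowercase per Go convention. The function's head and tail lie outside these hunks.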
@@ -1964,7 +1967,7 @@ func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Reque configMap := data.Get("config").(map[string]interface{}) // Augmenting configMap for some config options to treat them as comma separated entries - err := augmentEnableAuthConfigMap(configMap) + err := expandStringValsWithCommas(configMap) if err != nil { return logical.ErrorResponse( "unable to parse given auth config information"), From d493f25a2f4b58c3b16bf04f9b3e9e1fcfe40dcb Mon Sep 17 00:00:00 2001 From: hamid ghaf Date: Fri, 23 Jul 2021 16:18:40 -0700 Subject: [PATCH 08/12] Fixing auth/secret enable/tune mdx files --- website/content/docs/commands/auth/enable.mdx | 8 ++++---- website/content/docs/commands/auth/tune.mdx | 8 ++++---- website/content/docs/commands/secrets/enable.mdx | 6 +++--- website/content/docs/commands/secrets/tune.mdx | 6 +++--- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/website/content/docs/commands/auth/enable.mdx b/website/content/docs/commands/auth/enable.mdx index 2fc4de408d038..d0a42506653a2 100644 --- a/website/content/docs/commands/auth/enable.mdx +++ b/website/content/docs/commands/auth/enable.mdx @@ -58,10 +58,10 @@ flags](/docs/commands) included on all commands. method. - `-passthrough-request-headers` `(string: "")` - request header values that will - be sent to the plugin. + be sent to the auth method. -- `-allowed-response-headers` `(string: "")` - response header values that plugins - will be allowed to set. +- `-allowed-response-headers` `(string: "")` - response header values that the auth + method will be allowed to set. - `-description` `(string: "")` - Human-friendly description for the purpose of this auth method. 
@@ -80,4 +80,4 @@ flags](/docs/commands) included on all commands. auth method. The auth method will be accessible at `/auth/`. - `-seal-wrap` `(bool: false)` - Enable seal wrapping for the mount, causing - values stored by the mount to be wrapped by the seal's encryption capability. \ No newline at end of file + values stored by the mount to be wrapped by the seal's encryption capability. diff --git a/website/content/docs/commands/auth/tune.mdx b/website/content/docs/commands/auth/tune.mdx index 6ea9c82c6c6a7..7813ec1509cd9 100644 --- a/website/content/docs/commands/auth/tune.mdx +++ b/website/content/docs/commands/auth/tune.mdx @@ -32,8 +32,8 @@ $ vault auth tune -audit-non-hmac-request-keys=value1 -audit-non-hmac-request-ke The following flags are available in addition to the [standard set of flags](/docs/commands) included on all commands. -- `-allowed-response-headers` `(string: "")` - response header values that plugins - will be allowed to set. +- `-allowed-response-headers` `(string: "")` - response header values that the auth + method will be allowed to set. - `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd by audit devices in the request data object. Note that multiple keys may be @@ -48,7 +48,7 @@ flags](/docs/commands) included on all commands. configured default lease TTL, or a previously configured value for the auth method. -- `-description` `(string: "")` - Specifies the description of the mount. +- `-description` `(string: "")` - Specifies the description of the auth method. This overrides the current stored value, if any. - `-listing-visibility` `(string: "")` - The flag to toggle whether to show the @@ -60,7 +60,7 @@ flags](/docs/commands) included on all commands. method. - `-passthrough-request-headers` `(string: "")` - request header values that will - be sent to the plugin. + be sent to the auth method - `-token-type` `(string: "")` - Specifies the type of tokens that should be returned by the mount. 
diff --git a/website/content/docs/commands/secrets/enable.mdx b/website/content/docs/commands/secrets/enable.mdx index 8045dfe5c7f30..6fdbbbc98fbfd 100644 --- a/website/content/docs/commands/secrets/enable.mdx +++ b/website/content/docs/commands/secrets/enable.mdx @@ -92,7 +92,7 @@ flags](/docs/commands) included on all commands. secrets engine. - `-passthrough-request-headers` `(string: "")` - request header values that will - be sent to the plugin. + be sent to the secrets engine. -- `-allowed-response-headers` `(string: "")` - response header values that plugins - will be allowed to set. +- `-allowed-response-headers` `(string: "")` - response header values that the secrets + engin will be allowed to set. diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx index 28948ac7e2d1b..c0ffe07e16eec 100644 --- a/website/content/docs/commands/secrets/tune.mdx +++ b/website/content/docs/commands/secrets/tune.mdx @@ -32,8 +32,8 @@ $ vault secrets tune -audit-non-hmac-request-keys=value1 -audit-non-hmac-request The following flags are available in addition to the [standard set of flags](/docs/commands) included on all commands. -`-allowed-response-headers` `(string: "")` - response header values that plugins - will be allowed to set. +`-allowed-response-headers` `(string: "")` - response header values that the + secrets engine will be allowed to set. - `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd by audit devices in the request data object. Note that multiple keys may be @@ -60,4 +60,4 @@ flags](/docs/commands) included on all commands. engine. - `-passthrough-request-headers` `(string: "")` - request header values that will - be sent to the plugin. \ No newline at end of file + be sent to the secrets engine. From 245c7466bbd39630fb7d0df12f35bcba596ab6b8 Mon Sep 17 00:00:00 2001 
From: hamid ghaf Date: Fri, 23 Jul 2021 16:23:16 -0700 Subject: [PATCH 09/12] One more mdx file fix --- website/content/docs/commands/auth/tune.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/content/docs/commands/auth/tune.mdx b/website/content/docs/commands/auth/tune.mdx index 7813ec1509cd9..66742ddd5b610 100644 --- a/website/content/docs/commands/auth/tune.mdx +++ b/website/content/docs/commands/auth/tune.mdx @@ -63,4 +63,4 @@ flags](/docs/commands) included on all commands. be sent to the auth method - `-token-type` `(string: "")` - Specifies the type of tokens that should be - returned by the mount. + returned by the auth method. From 0fab3855216950c3553fc5cc80e3506354ea432c Mon Sep 17 00:00:00 2001 From: hamid ghaf Date: Tue, 27 Jul 2021 08:32:23 -0700 Subject: [PATCH 10/12] Only when users provide a single comma separated string in a curl command, split the entries by commas --- command/auth_enable_test.go | 6 ++-- command/auth_tune_test.go | 6 ++-- command/secrets_enable_test.go | 6 ++-- command/secrets_tune_test.go | 6 ++-- vault/logical_system.go | 50 +++++++++------------------------- 5 files changed, 25 insertions(+), 49 deletions(-) diff --git a/command/auth_enable_test.go b/command/auth_enable_test.go index fbf3ede169192..0cc125fc97563 100644 --- a/command/auth_enable_test.go +++ b/command/auth_enable_test.go 
@@ -120,16 +120,16 @@ func TestAuthEnableCommand_Run(t *testing.T) { if exp := "The best kind of test"; authInfo.Description != exp { t.Errorf("expected %q to be %q", authInfo.Description, exp) } - if diff := deep.Equal([]string{"authorization", "authentication", "www-authentication"}, authInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { + if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, authInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff) } if diff := deep.Equal([]string{"authorization"}, authInfo.Config.AllowedResponseHeaders); len(diff) > 0 { t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) } - if diff := deep.Equal([]string{"foo", "bar"}, authInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { + if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) } - if diff := deep.Equal([]string{"foo", "bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { + if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } }) diff --git a/command/auth_tune_test.go b/command/auth_tune_test.go index 2b9a588f0c7fc..227330ea774e2 100644 --- a/command/auth_tune_test.go +++ b/command/auth_tune_test.go 
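Review bot: The new expectations such as `[]string{"authorization,authentication", "www-authentication"}` and `[]string{"foo,bar"}` pin down that a comma-joined CLI argument is stored as one verbatim entry rather than split, yet nothing in the test says this is deliberate, so the next reader is likely to take `"foo,bar"` for a typo and "fix" it back. A one-line comment above the first such assertion, e.g. `// a single comma-joined flag value is kept as one entry; it is deliberately not split on commas`, would make the intent explicit; the same applies to the corresponding hunks in auth_tune_test.go, secrets_enable_test.go and secrets_tune_test.go. Note also that a header-allowlist entry like `authorization,www-authentication` can never equal a real header name, so these tests effectively assert a silently inert configuration — worth confirming that is the behaviour the change wants. The enclosing test functions start and end outside the hunks.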
@@ -133,13 +133,13 @@ func TestAuthTuneCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff) } - if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 { + if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 { t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) } - if diff := deep.Equal([]string{"foo", "bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { + if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) } - if diff := deep.Equal([]string{"foo", "bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { + if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } }) diff --git a/command/secrets_enable_test.go b/command/secrets_enable_test.go index 9efb4afcce92c..bcc581a4e1089 100644 --- a/command/secrets_enable_test.go +++ b/command/secrets_enable_test.go 
@@ -150,16 +150,16 @@ func TestSecretsEnableCommand_Run(t *testing.T) { if exp := true; mountInfo.Config.ForceNoCache != exp { t.Errorf("expected %t to be %t", mountInfo.Config.ForceNoCache, exp) } - if diff := deep.Equal([]string{"authorization", "authentication", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { + if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff) } if diff := deep.Equal([]string{"authorization"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 { t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) } - if diff := deep.Equal([]string{"foo", "bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { + if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) } - if diff := deep.Equal([]string{"foo", "bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { + if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } diff --git a/command/secrets_tune_test.go b/command/secrets_tune_test.go index f4e5727b1d18a..de732873790e7 100644 --- a/command/secrets_tune_test.go +++ b/command/secrets_tune_test.go 
@@ -207,13 +207,13 @@ func TestSecretsTuneCommand_Run(t *testing.T) { if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 { t.Errorf("Failed to find expected values for PassthroughRequestHeaders. Difference is: %v", diff) } - if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 { + if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 { t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff) } - if diff := deep.Equal([]string{"foo", "bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { + if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff) } - if diff := deep.Equal([]string{"foo", "bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { + if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 { t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff) } }) diff --git a/vault/logical_system.go b/vault/logical_system.go index a591a642ee189..ae9d9036a91cc 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go 
@@ -1316,18 +1316,6 @@ func (b *SystemBackend) handleMountTuneWrite(ctx context.Context, req *logical.R
 return b.handleTuneWriteCommon(ctx, path, data)
 }
-func augmentTuneWriteParams(paramIn []string) ([]string, error) {
- var outputSlice []string
- for _, v := range paramIn {
- res, err := parseutil.ParseCommaStringSlice(v)
- if err != nil {
- return nil, err
- }
- outputSlice = append(outputSlice, res...)
- }
- return outputSlice, nil
-}
-
 // handleTuneWriteCommon is used to set config settings on a path
 func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string, data *framework.FieldData) (*logical.Response, error) {
 repState := b.Core.ReplicationState()
@@ -1437,16 +1425,13 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
 }
 if rawVal, ok := data.GetOk("audit_non_hmac_request_keys"); ok {
- newVal := rawVal.([]string)
- auditNonHMACRequestKeys, err := augmentTuneWriteParams(newVal)
- if err != nil {
- return handleError(err)
- }
+ auditNonHMACRequestKeys := rawVal.([]string)
 oldVal := mountEntry.Config.AuditNonHMACRequestKeys
 mountEntry.Config.AuditNonHMACRequestKeys = auditNonHMACRequestKeys
 // Update the mount table
+ var err error
 switch {
 case strings.HasPrefix(path, "auth/"):
 err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
@@ -1466,16 +1451,13 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
 }
 if rawVal, ok := data.GetOk("audit_non_hmac_response_keys"); ok {
- newVal := rawVal.([]string)
- auditNonHMACResponseKeys, err := augmentTuneWriteParams(newVal)
- if err != nil {
- return handleError(err)
- }
+ auditNonHMACResponseKeys := rawVal.([]string)
 oldVal := mountEntry.Config.AuditNonHMACResponseKeys
 mountEntry.Config.AuditNonHMACResponseKeys = auditNonHMACResponseKeys
 // Update the mount table
+ var err error
 switch {
 case strings.HasPrefix(path, "auth/"):
 err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
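Review bot: With augmentTuneWriteParams removed, the tune handlers for audit_non_hmac_request_keys and audit_non_hmac_response_keys here (and for passthrough_request_headers and allowed_response_headers in the next hunk group) now store `rawVal.([]string)` exactly as received, so a value like `authorization,www-authentication` becomes one entry — which is what the updated auth_tune_test.go and secrets_tune_test.go assert — and for the two header allowlists such an entry can never match a header name, leaving the setting silently inert. If that is intended, a comment at the first of these assignments, e.g. `// stored verbatim: a comma inside an entry is not treated as a separator here`, would stop the splitting from being re-added later. Separately, each block now declares `var err error` ahead of an identical persist switch; that switch could live in one small helper instead of being repeated four times. handleTuneWriteCommon starts and ends outside these hunks.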
@@ -1562,16 +1544,13 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
 }
 if rawVal, ok := data.GetOk("passthrough_request_headers"); ok {
- newVal := rawVal.([]string)
- headers, err := augmentTuneWriteParams(newVal)
- if err != nil {
- return handleError(err)
- }
+ headers := rawVal.([]string)
 oldVal := mountEntry.Config.PassthroughRequestHeaders
 mountEntry.Config.PassthroughRequestHeaders = headers
 // Update the mount table
+ var err error
 switch {
 case strings.HasPrefix(path, "auth/"):
 err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
@@ -1591,15 +1570,12 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
 }
 if rawVal, ok := data.GetOk("allowed_response_headers"); ok {
- newVal := rawVal.([]string)
- headers, err := augmentTuneWriteParams(newVal)
- if err != nil {
- return handleError(err)
- }
+ headers := rawVal.([]string)
 oldVal := mountEntry.Config.AllowedResponseHeaders
 mountEntry.Config.AllowedResponseHeaders = headers
 // Update the mount table
+ var err error
 switch {
 case strings.HasPrefix(path, "auth/"):
 err = b.Core.persistAuth(ctx, b.Core.auth, &mountEntry.Local)
@@ -1912,19 +1888,19 @@ func expandStringValsWithCommas(configMap map[string]interface{}) error {
 switch t := raw.(type) {
 case []interface{}:
+ // If the users already passed in a slice with comma separated values,
+ // we don't do anything for compatibility reasons.
 rawNew := raw.([]interface{})
 for _, rawVal := range rawNew {
 rawValSt, ok := rawVal.(string)
 if !ok {
 return fmt.Errorf("Invalid input parameter %v of type %v", paramName, t)
 }
- res, err := parseutil.ParseCommaStringSlice(rawValSt)
- if err != nil {
- return err
- }
- outputSlice = append(outputSlice, res...)
+ outputSlice = append(outputSlice, rawValSt)
 }
 case string:
+ // To be consistent with auth tune, and in cases where a single comma separated strings
+ // is provided in the curl command, we split the entries by the commas.
 rawNew := raw.(string)
 res, err := parseutil.ParseCommaStringSlice(rawNew)
 if err != nil {
From 154c3b03ad651dc4cddacc19cd3e6c7a3a54963d Mon Sep 17 00:00:00 2001
From: hamid ghaf
Date: Fri, 30 Jul 2021 12:18:04 -0700
Subject: [PATCH 11/12] Fixing API docs for auth/mount enable/tune for comma separated entries
---
 changelog/12126.txt | 2 +-
 website/content/api-docs/system/auth.mdx | 34 ++++++++++------------
 website/content/api-docs/system/mounts.mdx | 34 ++++++++++------------
 3 files changed, 33 insertions(+), 37 deletions(-)
diff --git a/changelog/12126.txt b/changelog/12126.txt
index d660cd929be76..c53d2a19ca098 100644
--- a/changelog/12126.txt
+++ b/changelog/12126.txt
@@ -1,3 +1,3 @@
 ```release-note:bug
-cli/api: Adding capability to use comma separated parameters for auth/secret enable/tune
+cli/api: Providing consistency for the use of comma separated parameters in auth/secret enable/tune
 ```
diff --git a/website/content/api-docs/system/auth.mdx b/website/content/api-docs/system/auth.mdx
index 38b7092403571..7fdc29dd06d84 100644
--- a/website/content/api-docs/system/auth.mdx
+++ b/website/content/api-docs/system/auth.mdx
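Review bot: The comment added to the `[]interface{}` branch of expandStringValsWithCommas gives the motivation but not the consequence: an array element containing a comma is now kept as one entry, so `["authorization,authentication"]` yields a single allowlist entry that cannot match any header name, while the same text sent as a bare string is split into two entries by the `case string:` branch. Suggest stating that asymmetry in the comment, e.g. `// Array elements are kept verbatim even if they contain commas; only a bare string value is split, so "a,b" inside an array is one entry, not two.`, and fixing the grammar of the `case string:` comment (`a single comma separated string is provided`). The function's head and tail lie outside this hunk.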
@@ -83,20 +83,20 @@ For example, enable the "foo" auth method will make it accessible at - `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a string duration like "5s" or "30m". - - `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys - that will not be HMAC'd by audit devices in the request data object. + - `audit_non_hmac_request_keys` `(array: [])` - List of keys that will not be + HMAC'd by audit devices in the request data object. - - `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys - that will not be HMAC'd by audit devices in the response data object. + - `audit_non_hmac_response_keys` `(array: [])` - List of keys that will not be + HMAC'd by audit devices in the response data object. - `listing_visibility` `(string: "")` - Specifies whether to show this mount in the UI-specific listing endpoint. - - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers - to whitelist and pass from the request to the plugin. + - `passthrough_request_headers` `(array: [])` - List of headers to whitelist + and pass from the request to the plugin. - - `allowed_response_headers` `(array: [])` - Comma-separated list of headers - to whitelist, allowing a plugin to include them in the response. + - `allowed_response_headers` `(array: [])` - List of headers to whitelist, + allowing a plugin to include them in the response. Additionally, the following options are allowed in Vault open-source, but relevant functionality is only supported in Vault Enterprise: 
@@ -217,22 +217,20 @@ can be achieved without `sudo` via `sys/mounts/auth/[auth-path]/tune`._ - `description` `(string: "")` – Specifies the description of the mount. This overrides the current stored value, if any. -- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated - list of keys that will not be HMAC'd by audit devices in the request data - object. +- `audit_non_hmac_request_keys` `(array: [])` - Specifies the list of keys + that will not be HMAC'd by audit devices in the request data object. -- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated - list of keys that will not be HMAC'd by audit devices in the response data - object. +- `audit_non_hmac_response_keys` `(array: [])` - Specifies the list of keys + that will not be HMAC'd by audit devices in the response data object. - `listing_visibility` `(string: "")` - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are `"unauth"` or `""`. -- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers - to whitelist and pass from the request to the plugin. +- `passthrough_request_headers` `(array: [])` - List of headers to whitelist + and pass from the request to the plugin. -- `allowed_response_headers` `(array: [])` - Comma-separated list of headers - to whitelist, allowing a plugin to include them in the response. +- `allowed_response_headers` `(array: [])` - List of headers to whitelist, + allowing a plugin to include them in the response. - `token_type` `(string: "")` – Specifies the type of tokens that should be returned by the mount. The following values are available: diff --git a/website/content/api-docs/system/mounts.mdx b/website/content/api-docs/system/mounts.mdx index 44839ca18feec..53a28f25c9c5d 100644 --- a/website/content/api-docs/system/mounts.mdx +++ b/website/content/api-docs/system/mounts.mdx 
@@ -137,21 +137,21 @@ This endpoint enables a new secrets engine at the given path. - `force_no_cache` `(bool: false)` - Disable caching. - - `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys - that will not be HMAC'd by audit devices in the request data object. + - `audit_non_hmac_request_keys` `(array: [])` - List of keys that will not be + HMAC'd by audit devices in the request data object. - - `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys - that will not be HMAC'd by audit devices in the response data object. + - `audit_non_hmac_response_keys` `(array: [])` - List of keys that will not be + HMAC'd by audit devices in the response data object. - `listing_visibility` `(string: "")` - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`. If not set, behaves like `"hidden"`. - - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers - to whitelist and pass from the request to the plugin. + - `passthrough_request_headers` `(array: [])` - List of headers to whitelist + and pass from the request to the plugin. - - `allowed_response_headers` `(array: [])` - Comma-separated list of headers - to whitelist, allowing a plugin to include them in the response. + - `allowed_response_headers` `(array: [])` - List of headers to whitelist, + allowing a plugin to include them in the response. - `options` `(map: nil)` - Specifies mount type specific options that are passed to the backend. 
@@ -261,23 +261,21 @@ This endpoint tunes configuration parameters for a given mount point. - `description` `(string: "")` – Specifies the description of the mount. This overrides the current stored value, if any. -- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated - list of keys that will not be HMAC'd by audit devices in the request data - object. +- `audit_non_hmac_request_keys` `(array: [])` - Specifies the list of keys that + will not be HMAC'd by audit devices in the request data object. -- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated - list of keys that will not be HMAC'd by audit devices in the response data - object. +- `audit_non_hmac_response_keys` `(array: [])` - Specifies the list of keys that + will not be HMAC'd by audit devices in the response data object. - `listing_visibility` `(string: "")` - Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`. If not set, behaves like `"hidden"`. -- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers - to whitelist and pass from the request to the plugin. +- `passthrough_request_headers` `(array: [])` - List of headers to whitelist + and pass from the request to the plugin. -- `allowed_response_headers` `(array: [])` - Comma-separated list of headers - to whitelist, allowing a plugin to include them in the response. +- `allowed_response_headers` `(array: [])` - List of headers to whitelist, + allowing a plugin to include them in the response. ### Sample Payload From e4800f8eeaded84baea3f1888e9e77093a6578c9 Mon Sep 17 00:00:00 2001 
From: hamid ghaf
Date: Mon, 9 Aug 2021 10:08:53 -0700
Subject: [PATCH 12/12] updating docs, removing an unnecessary switch case
---
 vault/logical_system.go | 20 ++-----------------
 website/content/docs/commands/auth/enable.mdx | 6 ++++--
 website/content/docs/commands/auth/tune.mdx | 6 ++++--
 .../content/docs/commands/secrets/enable.mdx | 6 ++++--
 .../content/docs/commands/secrets/tune.mdx | 6 ++++--
 5 files changed, 18 insertions(+), 26 deletions(-)
diff --git a/vault/logical_system.go b/vault/logical_system.go
index 011771ac13811..6179287818861 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -1884,33 +1884,17 @@ func expandStringValsWithCommas(configMap map[string]interface{}) error {
 }
 for _, paramName := range configParamNameSlice {
 if raw, ok := configMap[paramName]; ok {
- outputSlice := []string{}
- switch t := raw.(type) {
- case []interface{}:
- // If the users already passed in a slice with comma separated values,
- // we don't do anything for compatibility reasons.
- rawNew := raw.([]interface{})
- for _, rawVal := range rawNew {
- rawValSt, ok := rawVal.(string)
- if !ok {
- return fmt.Errorf("Invalid input parameter %v of type %v", paramName, t)
- }
- outputSlice = append(outputSlice, rawValSt)
- }
 case string:
 // To be consistent with auth tune, and in cases where a single comma separated strings
 // is provided in the curl command, we split the entries by the commas.
 rawNew := raw.(string)
 res, err := parseutil.ParseCommaStringSlice(rawNew)
 if err != nil {
- return err
+ return fmt.Errorf("invalid input parameter %v of type %v", paramName, t)
 }
- outputSlice = append(outputSlice, res...)
- default:
- return fmt.Errorf("Invalid input parameter %v of type %v", paramName, t)
+ configMap[paramName] = res
 }
- configMap[paramName] = outputSlice
 }
 }
 return nil
diff --git a/website/content/docs/commands/auth/enable.mdx b/website/content/docs/commands/auth/enable.mdx
index d0a42506653a2..7704c7bb9a3a7 100644
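Review bot: In the `case string:` branch the new error return discards the parse error and mislabels what it prints — `t` is the string value in this branch, so the message reads as "of type <the raw input>" and the reason from `parseutil.ParseCommaStringSlice` never reaches the caller. `return fmt.Errorf("invalid input parameter %q: %w", paramName, err)` keeps the cause and quotes the value instead of pasting it. Dropping the `[]interface{}` and `default` cases also means a number, a map, or a slice with non-string elements now leaves this function untouched instead of being rejected; presumably the later decode of the mount config catches that, but if it does not, the type check should come back, since these lists appear to govern audit HMAC exclusion and header passthrough. The `switch` line carries a removal marker in this rendering while `case string:` and `t` survive, which cannot compile as shown, so it is presumably an unchanged line mangled by the rendering. The function's opening lines, the parameter-name list, are outside the hunk.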
--- a/website/content/docs/commands/auth/enable.mdx +++ b/website/content/docs/commands/auth/enable.mdx @@ -58,10 +58,12 @@ flags](/docs/commands) included on all commands. method. - `-passthrough-request-headers` `(string: "")` - request header values that will - be sent to the auth method. + be sent to the auth method. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. - `-allowed-response-headers` `(string: "")` - response header values that the auth - method will be allowed to set. + method will be allowed to set. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. - `-description` `(string: "")` - Human-friendly description for the purpose of this auth method. diff --git a/website/content/docs/commands/auth/tune.mdx b/website/content/docs/commands/auth/tune.mdx index 66742ddd5b610..94f8ab50fa1ce 100644 --- a/website/content/docs/commands/auth/tune.mdx +++ b/website/content/docs/commands/auth/tune.mdx @@ -60,7 +60,9 @@ flags](/docs/commands) included on all commands. method. - `-passthrough-request-headers` `(string: "")` - request header values that will - be sent to the auth method + be sent to the auth method. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. - `-token-type` `(string: "")` - Specifies the type of tokens that should be - returned by the auth method. + returned by the auth method. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. diff --git a/website/content/docs/commands/secrets/enable.mdx b/website/content/docs/commands/secrets/enable.mdx index 6fdbbbc98fbfd..ec8258b1270ca 100644 --- a/website/content/docs/commands/secrets/enable.mdx +++ b/website/content/docs/commands/secrets/enable.mdx 
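Review bot: The sentence appended to `-token-type` in website/content/docs/commands/auth/tune.mdx is wrong for that flag: it is declared as a single `string` that selects the token type, not a repeatable list, so "Note that multiple keys may be specified by providing this option multiple times, each time with 1 key." misdescribes it and that entry should stay `returned by the auth method.`. The same note is correct on `-passthrough-request-headers` just above it. The `-allowed-response-headers` flag that PATCH 01/12 adds to `auth tune` does not appear in this tune.mdx hunk; if it is documented elsewhere in that file, it would want the same repeat-the-flag note.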
@@ -92,7 +92,9 @@ flags](/docs/commands) included on all commands. secrets engine. - `-passthrough-request-headers` `(string: "")` - request header values that will - be sent to the secrets engine. + be sent to the secrets engine. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. - `-allowed-response-headers` `(string: "")` - response header values that the secrets - engin will be allowed to set. + engine will be allowed to set. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx index c0ffe07e16eec..0e34d4abf18f7 100644 --- a/website/content/docs/commands/secrets/tune.mdx +++ b/website/content/docs/commands/secrets/tune.mdx @@ -33,7 +33,8 @@ The following flags are available in addition to the [standard set of flags](/docs/commands) included on all commands. `-allowed-response-headers` `(string: "")` - response header values that the - secrets engine will be allowed to set. + secrets engine will be allowed to set. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key. - `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd by audit devices in the request data object. Note that multiple keys may be @@ -60,4 +61,5 @@ flags](/docs/commands) included on all commands. engine. - `-passthrough-request-headers` `(string: "")` - request header values that will - be sent to the secrets engine. + be sent to the secrets engine. Note that multiple keys may be + specified by providing this option multiple times, each time with 1 key.