Add hooks for enterprise token auth metadata feature. (#31391)

builtin/credential/approle/path_role.go

@@ -227,52 +227,6 @@ can only be set during role creation and once set, it can't be reset later.`,
 								Required:    true,
 								Description: "If true, the secret identifiers generated using this role will be cluster local. This can only be set during role creation and once set, it can't be reset later",
 							},
-							"token_bound_cidrs": {
-								Type:        framework.TypeCommaStringSlice,
-								Required:    true,
-								Description: `Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.`,
-							},
-							"token_explicit_max_ttl": {
-								Type:        framework.TypeInt64,
-								Required:    true,
-								Description: "If set, tokens created via this role carry an explicit maximum TTL. During renewal, the current maximum TTL values of the role and the mount are not checked for changes, and any updates to these values will have no effect on the token being renewed.",
-							},
-							"token_max_ttl": {
-								Type:        framework.TypeInt64,
-								Required:    true,
-								Description: "The maximum lifetime of the generated token",
-							},
-							"token_no_default_policy": {
-								Type:        framework.TypeBool,
-								Required:    true,
-								Description: "If true, the 'default' policy will not automatically be added to generated tokens",
-							},
-							"token_period": {
-								Type:        framework.TypeInt64,
-								Required:    true,
-								Description: "If set, tokens created via this role will have no max lifetime; instead, their renewal period will be fixed to this value.",
-							},
-							"token_policies": {
-								Type:        framework.TypeCommaStringSlice,
-								Required:    true,
-								Description: "Comma-separated list of policies",
-							},
-							"token_type": {
-								Type:        framework.TypeString,
-								Required:    true,
-								Default:     "default-service",
-								Description: "The type of token to generate, service or batch",
-							},
-							"token_ttl": {
-								Type:        framework.TypeInt64,
-								Required:    true,
-								Description: "The initial ttl of the token to generate",
-							},
-							"token_num_uses": {
-								Type:        framework.TypeInt,
-								Required:    true,
-								Description: "The maximum number of times a token may be used, a value of zero means unlimited",
-							},
 							"period": {
 								Type:        framework.TypeInt64,
 								Required:    false,
@@ -299,6 +253,12 @@ can only be set during role creation and once set, it can't be reset later.`,
 	}
 
 	tokenutil.AddTokenFields(p.Fields)
+	{
+		// AppRole is coded differently from other Auth methods, it is the only one that
+		// populates the `Fields` field of the response
+		readOperation := p.Operations[logical.ReadOperation].(*framework.PathOperation)
+		tokenutil.AddTokenFields(readOperation.Responses[http.StatusOK][0].Fields)
+	}
 
 	return []*framework.Path{
 		p,

builtin/credential/aws/path_role_test.go

@@ -14,6 +14,7 @@ import (
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/awsutil"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/vault/helper/constants"
 	vlttesting "github.com/hashicorp/vault/helper/testhelpers/logical"
 	"github.com/hashicorp/vault/sdk/helper/logging"
 	"github.com/hashicorp/vault/sdk/helper/policyutil"
@@ -634,8 +635,12 @@ func TestAwsEc2_RoleCrud(t *testing.T) {
 		"token_type":                     "default",
 	}
 
+	if constants.IsEnterprise {
+		expected["token_auth_metadata"] = map[string]string{}
+	}
+
 	if resp.Data["role_id"] == nil {
-		t.Fatal("role_id not found in repsonse")
+		t.Fatal("role_id not found in response")
 	}
 	expected["role_id"] = resp.Data["role_id"]
 	if diff := deep.Equal(expected, resp.Data); diff != nil {

builtin/credential/ldap/backend_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/go-test/deep"
 	hclog "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
+	"github.com/hashicorp/vault/helper/constants"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/helper/testhelpers/ldap"
 	logicaltest "github.com/hashicorp/vault/helper/testhelpers/logical"
@@ -1494,6 +1495,9 @@ func TestLdapAuthBackend_ConfigUpgrade(t *testing.T) {
 			MaximumPageSize:          1000,
 		},
 	}
+	if constants.IsEnterprise {
+		exp.TokenParams.TokenAuthMetadata = make(map[string]string)
+	}
 
 	configEntry, err := b.Config(ctx, configReq)
 	if err != nil {

helper/testhelpers/pluginhelpers/pluginhelpers.go

@@ -16,6 +16,7 @@ import (
 	"sync"
 	"testing"
 
+	"github.com/hashicorp/vault/helper/constants"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 )
 
@@ -110,6 +111,12 @@ func CompilePlugin(t testing.TB, typ consts.PluginType, pluginVersion string, pl
 		if pluginVersion != "" {
 			line = append(line, "-ldflags", fmt.Sprintf("-X %s=%s", pluginVersionLocation, pluginVersion))
 		}
+		if constants.IsEnterprise {
+			// Under VAULT-38008, tokenutil.go got stubs, which means we now need to
+			// set the enterprise tag to avoid compiling both the _ent.go and the _stubs_oss.go
+			// files.
+			line = append(line, "-tags", "enterprise")
+		}
 		line = append(line, "-o", pluginPath, pluginMain)
 		cmd := exec.Command("go", line...)
 		cmd.Env = append(os.Environ(), "CGO_ENABLED=0")

sdk/helper/tokenutil/tokenutil.go

@@ -47,6 +47,9 @@ type TokenParams struct {
 
 	// The TTL to user for the token
 	TokenTTL time.Duration `json:"token_ttl" mapstructure:"token_ttl"`
+
+	// The metadata to attach to the authentication information.
+	TokenAuthMetadata map[string]string `json:"token_auth_metadata" mapstructure:"token_auth_metadata"`
 }
 
 // AddTokenFields adds fields to an existing role. It panics if it would
@@ -73,7 +76,7 @@ func AddTokenFieldsWithAllowList(m map[string]*framework.FieldSchema, allowed []
 
 // TokenFields provides a set of field schemas for the parameters
 func TokenFields() map[string]*framework.FieldSchema {
-	return map[string]*framework.FieldSchema{
+	return entTokenFields(map[string]*framework.FieldSchema{
 		"token_bound_cidrs": {
 			Type:        framework.TypeCommaStringSlice,
 			Description: `Comma separated string or JSON list of CIDR blocks. If set, specifies the blocks of IP addresses which are allowed to use the generated token.`,
@@ -157,7 +160,7 @@ func TokenFields() map[string]*framework.FieldSchema {
 				Group: "Tokens",
 			},
 		},
-	}
+	})
 }
 
 // ParseTokenFields provides common field parsing functionality into a TokenFields struct
@@ -238,6 +241,8 @@ func (t *TokenParams) ParseTokenFields(req *logical.Request, d *framework.FieldD
 		return errors.New("'token_ttl' cannot be greater than 'token_max_ttl'")
 	}
 
+	t.entParseTokenFields(d)
+
 	return nil
 }
 
@@ -260,6 +265,8 @@ func (t *TokenParams) PopulateTokenData(m map[string]interface{}) {
 	if len(t.TokenBoundCIDRs) == 0 {
 		m["token_bound_cidrs"] = []string{}
 	}
+
+	t.entPopulateTokenData(m)
 }
 
 // PopulateTokenAuth populates Auth with parameters
@@ -274,6 +281,8 @@ func (t *TokenParams) PopulateTokenAuth(auth *logical.Auth) {
 	auth.TokenType = t.TokenType
 	auth.TTL = t.TokenTTL
 	auth.NumUses = t.TokenNumUses
+
+	t.entPopulateTokenAuth(auth)
 }
 
 func DeprecationText(param string) string {

sdk/helper/tokenutil/tokenutil_stubs_oss.go

@@ -0,0 +1,21 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build !enterprise
+
+package tokenutil
+
+import (
+	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/logical"
+)
+
+func entTokenFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	return fields
+}
+
+func (t *TokenParams) entParseTokenFields(d *framework.FieldData) {}
+
+func (t *TokenParams) entPopulateTokenData(m map[string]any) {}
+
+func (t *TokenParams) entPopulateTokenAuth(auth *logical.Auth) {}