vault

mirrors/vault

Fork 0

mirror of https://github.com/hashicorp/vault.git synced 2025-08-10 08:37:00 +02:00

Commit Graph

Author	SHA1	Message	Date
Max Bowsher	188bdca4bd	Fix sudo paths missing from OpenAPI and docs (#21772 ) * Fix sudo paths missing from OpenAPI and docs Various sudo (a.k.a. root-protected) paths are implemented in non-standard ways, and as a result: * are not declared as x-vault-sudo in the OpenAPI spec * and as a result of that, are not included in the hardcoded patterns powering the Vault CLI `-output-policy` flag * and in some cases are missing from the table of all sudo paths in the docs too Fix these problems by: * Adding `seal` and `step-down` to the list of root paths for the system backend. They don't need to be there for enforcement, as those two special endpoints bypass the standard request handling code, but they do need to be there for the OpenAPI generator to be able to know they require sudo. The way in which those two endpoints do things differently can be observed in the code search results for `RootPrivsRequired`: https://github.com/search?q=repo%3Ahashicorp%2Fvault%20RootPrivsRequired&type=code * Fix the implementation of `auth/token/revoke-orphan` to implement endpoint sudo requirements in the standard way. Currently, it has an incorrect path declared in the special paths metadata, and then compensates with custom code throwing an error within the request handler function itself. * changelog * As discussed in PR, delete test which is just testing equality of a constant * Restore sudo check as requested, and add comment * Update vault/token_store.go Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com> --------- Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>	2023-07-19 16:28:17 +00:00
Max Bowsher	3961d7b9cc	api: Separate two distinct areas of code that were interleaved in one file (#21906 ) This is a code cleanup and addition of an explanatory comment. For some reason, the code related to the CLI guessing whether a path requires sudo, has been interleaved into plugin_helpers.go, which was previously purely code used on the server side in the implementation of Vault plugins. This remedies that by dividing the sudo paths code to a separate file, and adds a comment to plugin_helpers.go providing future readers with information about the overall theme of the file. No code has been changed - only moved and documented.	2023-07-18 12:20:34 +01:00

Author

SHA1

Message

Date

Max Bowsher

188bdca4bd

Fix sudo paths missing from OpenAPI and docs (#21772 )

* Fix sudo paths missing from OpenAPI and docs

Various sudo (a.k.a. root-protected) paths are implemented in
non-standard ways, and as a result:

* are not declared as x-vault-sudo in the OpenAPI spec

* and as a result of that, are not included in the hardcoded patterns
  powering the Vault CLI `-output-policy` flag

* and in some cases are missing from the table of all sudo paths in the
  docs too

Fix these problems by:

* Adding `seal` and `step-down` to the list of root paths for the system
  backend. They don't need to be there for enforcement, as those two
  special endpoints bypass the standard request handling code, but they
  do need to be there for the OpenAPI generator to be able to know they
  require sudo.

  The way in which those two endpoints do things differently can be
  observed in the code search results for `RootPrivsRequired`:
  https://github.com/search?q=repo%3Ahashicorp%2Fvault%20RootPrivsRequired&type=code

* Fix the implementation of `auth/token/revoke-orphan` to implement
  endpoint sudo requirements in the standard way. Currently, it has an
  **incorrect** path declared in the special paths metadata, and then
  compensates with custom code throwing an error within the request
  handler function itself.

* changelog

* As discussed in PR, delete test which is just testing equality of a constant

* Restore sudo check as requested, and add comment

* Update vault/token_store.go

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

---------

Co-authored-by: Anton Averchenkov <84287187+averche@users.noreply.github.com>

2023-07-19 16:28:17 +00:00

Max Bowsher

3961d7b9cc

api: Separate two distinct areas of code that were interleaved in one file (#21906 )

This is a code cleanup and addition of an explanatory comment. For some
reason, the code related to the CLI guessing whether a path requires
sudo, has been interleaved into plugin_helpers.go, which was previously
purely code used on the server side in the implementation of Vault
plugins.

This remedies that by dividing the sudo paths code to a separate file,
and adds a comment to plugin_helpers.go providing future readers with
information about the overall theme of the file.

No code has been changed - only moved and documented.

2023-07-18 12:20:34 +01:00

2 Commits