mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-06 06:37:02 +02:00
Code Issues Projects Releases Wiki Activity
befafd5a9c
vault/command/base_predict.go
Bruno Oliveira de Souza 0b9157156f
VAULT-32657 deprecate duplicate attributes in HCL configs and policies (#30386) 
* upgrade hcl dependency on api pkg

This upgrades the hcl dependency for the API pkg,
and adapts its usage so users of our API pkg are
not affected. There's no good way of communicating
a warning via a library call so we don't.

The tokenHelper which is used by all Vault CLI
commands in order to create the Vault client, as
well as directly used by the login and server
commands, is implemented on the api pkg, so this
upgrade also affects all of those commands. Seems
like this was only moved to the api pkg because
the Terraform provider uses it, and I thought
creating a full copy of all those files back under
command would be too much spaghetti.

Also leaving some TODOs to make next deprecation
steps easier.

* upgrade hcl dependency in vault and sdk pkgs

* upgrade hcl dependency in vault and sdk pkgs

* add CLI warnings to commands that take a config

- vault agent (unit test on CMD warning)
- vault proxy (unit test on CMD warning)
- vault server (no test for the warning)
- vault operator diagnose (no tests at all, uses the
same function as vault server

* ignore duplicates on ParseKMSes function

* Extend policy parsing functions and warn on policy store

* Add warning on policy fmt with duplicate attributes

* Add warnings when creating/updating policy with duplicate HCL attrs

* Add log warning when switchedGetPolicy finds duplicate attrs

Following operations can trigger this warning when they run into a policy
with duplicate attributes:
* replication filtered path namespaces invalidation
* policy read API
* building an ACL (for many different purposes like most authZ operations)
* looking up DR token policies
* creating a token with named policies
* when caching the policies for all namespaces during unseal

* Print log warnings when token inline policy has duplicate attrs

No unit tests on these as new test infra would have to be built on all.
Operations affected, which will now print a log warning when the retrieved
token has an inline policy with duplicate attributes:
* capabilities endpoints in sys mount
* handing events under a subscription with a token with duplicate
attrs in inline policies
* token used to create another token has duplicate attrs in inline
policies (sudo check)
* all uses of fetchACLTokenEntryAndEntity when the request uses a
token with inline policies with duplicate attrs. Almost all reqs
are subject to this
* when tokens are created with inline policies (unclear exactly how that
can happen)

* add changelog and deprecation notice

* add missing copywrite notice

* fix copy-paste mistake

good thing it was covered by unit tests

* Fix manual parsing of telemetry field in SharedConfig

This commit in the hcl library was not in the
v1.0.1-vault-5 version we're using but is
included in v1.0.1-vault-7:
e80118accb

This thing of reusing when parsing means that
our approach of manually re-parsing fields
on top of fields that have already been parsed
by the hcl annotation causes strings (maybe
more?) to concatenate.

Fix that by removing annotation. There's
actually more occurrences of this thing of
automatically parsing something that is also
manually parsing. In some places we could
just remove the boilerplate manual parsing, in
others we better remove the auto parsing, but
I don't wanna pull at that thread right now. I
just checked that all places at least fully
overwrite the automatically parsed field
instead of reusing it as the target of the
decode call. The only exception is the AOP
field on ent but that doesn't have maps or
slices, so I think it's fine.

An alternative approach would be to ensure
that the auto-parsed value is discarded,
like the current parseCache function does

note how it's template not templates

* Fix linter complaints

* Update command/base_predict.go

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>

* address review

* remove copywrite headers

* re-add copywrite headers

* make fmt

* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx

Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>

* undo changes to deprecation.mdx

* remove deprecation doc

* fix conflict with changes from main

---------

Co-authored-by: Mike Palmiotto <mike.palmiotto@hashicorp.com>
Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
2025-05-23 16:02:07 -03:00

586 lines
16 KiB
Go
Raw Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package command
import (
"os"
"sort"
"strings"
"sync"
"github.com/hashicorp/vault/api"
"github.com/hashicorp/vault/api/cliconfig"
"github.com/posener/complete"
)
type Predict struct {
client *api.Client
clientOnce sync.Once
}
func NewPredict() *Predict {
return &Predict{}
}
func (p *Predict) Client() *api.Client {
p.clientOnce.Do(func() {
if p.client == nil { // For tests
client, _ := api.NewClient(nil)
if client.Token() == "" {
// ignore duplicate keys in HCL files on autocompletion as printing a warning here would be too annoying
// TODO (HCL_DUP_KEYS_DEPRECATION): remove the comment above
helper, err := cliconfig.DefaultTokenHelper()
if err != nil {
return
}
token, err := helper.Get()
if err != nil {
return
}
client.SetToken(token)
}
// Turn off retries for prediction
if os.Getenv(api.EnvVaultMaxRetries) == "" {
client.SetMaxRetries(0)
}
p.client = client
}
})
return p.client
}
// defaultPredictVaultMounts is the default list of mounts to return to the
// user. This is a best-guess, given we haven't communicated with the Vault
// server. If the user has no token or if the token does not have the default
// policy attached, it won't be able to read cubbyhole/, but it's a better UX
// that returning nothing.
var defaultPredictVaultMounts = []string{"cubbyhole/"}
// predictClient is the API client to use for prediction. We create this at the
// beginning once, because completions are generated for each command (and this
// doesn't change), and the only way to configure the predict/autocomplete
// client is via environment variables. Even if the user specifies a flag, we
// can't parse that flag until after the command is submitted.
var (
predictClient *api.Client
predictClientOnce sync.Once
)
// PredictClient returns the cached API client for the predictor.
func PredictClient() *api.Client {
predictClientOnce.Do(func() {
if predictClient == nil { // For tests
predictClient, _ = api.NewClient(nil)
}
})
return predictClient
}
// PredictVaultAvailableMounts returns a predictor for the available mounts in
// Vault. For now, there is no way to programmatically get this list. If, in the
// future, such a list exists, we can adapt it here. Until then, it's
// hard-coded.
func (b *BaseCommand) PredictVaultAvailableMounts() complete.Predictor {
// This list does not contain deprecated backends. At present, there is no
// API that lists all available secret backends, so this is hard-coded :(.
return complete.PredictSet(
"aws",
"consul",
"database",
"generic",
"pki",
"plugin",
"rabbitmq",
"ssh",
"totp",
"transit",
)
}
// PredictVaultAvailableAuths returns a predictor for the available auths in
// Vault. For now, there is no way to programmatically get this list. If, in the
// future, such a list exists, we can adapt it here. Until then, it's
// hard-coded.
func (b *BaseCommand) PredictVaultAvailableAuths() complete.Predictor {
return complete.PredictSet(
"app-id",
"approle",
"aws",
"cert",
"gcp",
"github",
"ldap",
"okta",
"plugin",
"radius",
"userpass",
)
}
// PredictVaultFiles returns a predictor for Vault mounts and paths based on the
// configured client for the base command. Unfortunately this happens pre-flag
// parsing, so users must rely on environment variables for autocomplete if they
// are not using Vault at the default endpoints.
func (b *BaseCommand) PredictVaultFiles() complete.Predictor {
return NewPredict().VaultFiles()
}
// PredictVaultFolders returns a predictor for "folders". See PredictVaultFiles
// for more information and restrictions.
func (b *BaseCommand) PredictVaultFolders() complete.Predictor {
return NewPredict().VaultFolders()
}
// PredictVaultNamespaces returns a predictor for "namespaces". See PredictVaultFiles
// for more information an restrictions.
func (b *BaseCommand) PredictVaultNamespaces() complete.Predictor {
return NewPredict().VaultNamespaces()
}
// PredictVaultMounts returns a predictor for "folders". See PredictVaultFiles
// for more information and restrictions.
func (b *BaseCommand) PredictVaultMounts() complete.Predictor {
return NewPredict().VaultMounts()
}
// PredictVaultAudits returns a predictor for "folders". See PredictVaultFiles
// for more information and restrictions.
func (b *BaseCommand) PredictVaultAudits() complete.Predictor {
return NewPredict().VaultAudits()
}
// PredictVaultAuths returns a predictor for "folders". See PredictVaultFiles
// for more information and restrictions.
func (b *BaseCommand) PredictVaultAuths() complete.Predictor {
return NewPredict().VaultAuths()
}
// PredictVaultPlugins returns a predictor for installed plugins.
func (b *BaseCommand) PredictVaultPlugins(pluginTypes ...api.PluginType) complete.Predictor {
return NewPredict().VaultPlugins(pluginTypes...)
}
// PredictVaultPolicies returns a predictor for "folders". See PredictVaultFiles
// for more information and restrictions.
func (b *BaseCommand) PredictVaultPolicies() complete.Predictor {
return NewPredict().VaultPolicies()
}
func (b *BaseCommand) PredictVaultDebugTargets() complete.Predictor {
return complete.PredictSet(
"config",
"host",
"metrics",
"pprof",
"replication-status",
"server-status",
)
}
// VaultFiles returns a predictor for Vault "files". This is a public API for
// consumers, but you probably want BaseCommand.PredictVaultFiles instead.
func (p *Predict) VaultFiles() complete.Predictor {
return p.vaultPaths(true)
}
// VaultFolders returns a predictor for Vault "folders". This is a public
// API for consumers, but you probably want BaseCommand.PredictVaultFolders
// instead.
func (p *Predict) VaultFolders() complete.Predictor {
return p.vaultPaths(false)
}
// VaultNamespaces returns a predictor for Vault "namespaces". This is a public
// API for consumers, but you probably want BaseCommand.PredictVaultNamespaces
// instead.
func (p *Predict) VaultNamespaces() complete.Predictor {
return p.filterFunc(p.namespaces)
}
// VaultMounts returns a predictor for Vault "folders". This is a public
// API for consumers, but you probably want BaseCommand.PredictVaultMounts
// instead.
func (p *Predict) VaultMounts() complete.Predictor {
return p.filterFunc(p.mounts)
}
// VaultAudits returns a predictor for Vault "folders". This is a public API for
// consumers, but you probably want BaseCommand.PredictVaultAudits instead.
func (p *Predict) VaultAudits() complete.Predictor {
return p.filterFunc(p.audits)
}
// VaultAuths returns a predictor for Vault "folders". This is a public API for
// consumers, but you probably want BaseCommand.PredictVaultAuths instead.
func (p *Predict) VaultAuths() complete.Predictor {
return p.filterFunc(p.auths)
}
// VaultPlugins returns a predictor for Vault's plugin catalog. This is a public
// API for consumers, but you probably want BaseCommand.PredictVaultPlugins
// instead.
func (p *Predict) VaultPlugins(pluginTypes ...api.PluginType) complete.Predictor {
filterFunc := func() []string {
return p.plugins(pluginTypes...)
}
return p.filterFunc(filterFunc)
}
// VaultPolicies returns a predictor for Vault "folders". This is a public API for
// consumers, but you probably want BaseCommand.PredictVaultPolicies instead.
func (p *Predict) VaultPolicies() complete.Predictor {
return p.filterFunc(p.policies)
}
// vaultPaths parses the CLI options and returns the "best" list of possible
// paths. If there are any errors, this function returns an empty result. All
// errors are suppressed since this is a prediction function.
func (p *Predict) vaultPaths(includeFiles bool) complete.PredictFunc {
return func(args complete.Args) []string {
// Do not predict more than one paths
if p.hasPathArg(args.All) {
return nil
}
client := p.Client()
if client == nil {
return nil
}
path := args.Last
// Trim path with potential mount
var relativePath string
mountInfos, err := p.mountInfos()
if err != nil {
return nil
}
var mountType, mountVersion string
for mount, mountInfo := range mountInfos {
if strings.HasPrefix(path, mount) {
relativePath = strings.TrimPrefix(path, mount+"/")
mountType = mountInfo.Type
if mountInfo.Options != nil {
mountVersion = mountInfo.Options["version"]
}
break
}
}
// Predict path or mount depending on path separator
var predictions []string
if strings.Contains(relativePath, "/") {
predictions = p.paths(mountType, mountVersion, path, includeFiles)
} else {
predictions = p.filter(p.mounts(), path)
}
// Either no results or many results, so return.
if len(predictions) != 1 {
return predictions
}
// If this is not a "folder", do not try to recurse.
if !strings.HasSuffix(predictions[0], "/") {
return predictions
}
// If the prediction is the same as the last guess, return it (we have no
// new information and we won't get anymore).
if predictions[0] == args.Last {
return predictions
}
// Re-predict with the remaining path
args.Last = predictions[0]
return p.vaultPaths(includeFiles).Predict(args)
}
}
// paths predicts all paths which start with the given path.
func (p *Predict) paths(mountType, mountVersion, path string, includeFiles bool) []string {
client := p.Client()
if client == nil {
return nil
}
// Vault does not support listing based on a sub-key, so we have to back-pedal
// to the last "/" and return all paths on that "folder". Then we perform
// client-side filtering.
root := path
idx := strings.LastIndex(root, "/")
if idx > 0 && idx < len(root) {
root = root[:idx+1]
}
paths := p.listPaths(buildAPIListPath(root, mountType, mountVersion))
var predictions []string
for _, p := range paths {
// Calculate the absolute "path" for matching.
p = root + p
if strings.HasPrefix(p, path) {
// Ensure this is a directory or we've asked to include files.
if includeFiles || strings.HasSuffix(p, "/") {
predictions = append(predictions, p)
}
}
}
// Add root to the path
if len(predictions) == 0 {
predictions = append(predictions, path)
}
return predictions
}
func buildAPIListPath(path, mountType, mountVersion string) string {
if mountType == "kv" && mountVersion == "2" {
return toKVv2ListPath(path)
}
return path
}
func toKVv2ListPath(path string) string {
firstSlashIdx := strings.Index(path, "/")
if firstSlashIdx < 0 {
return path
}
return path[:firstSlashIdx] + "/metadata" + path[firstSlashIdx:]
}
// audits returns a sorted list of the audit backends for Vault server for
// which the client is configured to communicate with.
func (p *Predict) audits() []string {
client := p.Client()
if client == nil {
return nil
}
audits, err := client.Sys().ListAudit()
if err != nil {
return nil
}
list := make([]string, 0, len(audits))
for m := range audits {
list = append(list, m)
}
sort.Strings(list)
return list
}
// auths returns a sorted list of the enabled auth provides for Vault server for
// which the client is configured to communicate with.
func (p *Predict) auths() []string {
client := p.Client()
if client == nil {
return nil
}
auths, err := client.Sys().ListAuth()
if err != nil {
return nil
}
list := make([]string, 0, len(auths))
for m := range auths {
list = append(list, m)
}
sort.Strings(list)
return list
}
// plugins returns a sorted list of the plugins in the catalog.
func (p *Predict) plugins(pluginTypes ...api.PluginType) []string {
// This method's signature doesn't enforce that a pluginType must be passed in.
// If it's not, it's likely the caller's intent is go get a list of all of them,
// so let's help them out.
if len(pluginTypes) == 0 {
pluginTypes = append(pluginTypes, api.PluginTypeUnknown)
}
client := p.Client()
if client == nil {
return nil
}
var plugins []string
pluginsAdded := make(map[string]bool)
for _, pluginType := range pluginTypes {
result, err := client.Sys().ListPlugins(&api.ListPluginsInput{Type: api.PluginType(pluginType)})
if err != nil {
return nil
}
if result == nil {
return nil
}
for _, names := range result.PluginsByType {
for _, name := range names {
if _, ok := pluginsAdded[name]; !ok {
plugins = append(plugins, name)
pluginsAdded[name] = true
}
}
}
}
sort.Strings(plugins)
return plugins
}
// policies returns a sorted list of the policies stored in this Vault
// server.
func (p *Predict) policies() []string {
client := p.Client()
if client == nil {
return nil
}
policies, err := client.Sys().ListPolicies()
if err != nil {
return nil
}
sort.Strings(policies)
return policies
}
// mountInfos returns a map with mount paths as keys and MountOutputs as values
// for the Vault server which the client is configured to communicate with.
// Returns error if server communication fails.
func (p *Predict) mountInfos() (map[string]*api.MountOutput, error) {
client := p.Client()
if client == nil {
return nil, nil
}
mounts, err := client.Sys().ListMounts()
if err != nil {
return nil, err
}
return mounts, nil
}
// mounts returns a sorted list of the mount paths for Vault server for
// which the client is configured to communicate with. This function returns the
// default list of mounts if an error occurs.
func (p *Predict) mounts() []string {
mounts, err := p.mountInfos()
if err != nil {
return defaultPredictVaultMounts
}
list := make([]string, 0, len(mounts))
for m := range mounts {
list = append(list, m)
}
sort.Strings(list)
return list
}
// namespaces returns a sorted list of the namespace paths for Vault server for
// which the client is configured to communicate with. This function returns
// an empty list in any error occurs.
func (p *Predict) namespaces() []string {
client := p.Client()
if client == nil {
return nil
}
secret, err := client.Logical().List("sys/namespaces")
if err != nil {
return nil
}
namespaces, ok := extractListData(secret)
if !ok {
return nil
}
list := make([]string, 0, len(namespaces))
for _, n := range namespaces {
s, ok := n.(string)
if !ok {
continue
}
list = append(list, s)
}
sort.Strings(list)
return list
}
// listPaths returns a list of paths (HTTP LIST) for the given path. This
// function returns an empty list of any errors occur.
func (p *Predict) listPaths(path string) []string {
client := p.Client()
if client == nil {
return nil
}
secret, err := client.Logical().List(path)
if err != nil || secret == nil || secret.Data == nil {
return nil
}
paths, ok := secret.Data["keys"].([]interface{})
if !ok {
return nil
}
list := make([]string, 0, len(paths))
for _, p := range paths {
if str, ok := p.(string); ok {
list = append(list, str)
}
}
sort.Strings(list)
return list
}
// hasPathArg determines if the args have already accepted a path.
func (p *Predict) hasPathArg(args []string) bool {
var nonFlags []string
for _, a := range args {
if !strings.HasPrefix(a, "-") {
nonFlags = append(nonFlags, a)
}
}
return len(nonFlags) > 2
}
// filterFunc is used to compose a complete predictor that filters an array
// of strings as per the filter function.
func (p *Predict) filterFunc(f func() []string) complete.Predictor {
return complete.PredictFunc(func(args complete.Args) []string {
if p.hasPathArg(args.All) {
return nil
}
client := p.Client()
if client == nil {
return nil
}
return p.filter(f(), args.Last)
})
}
// filter filters the given list for items that start with the prefix.
func (p *Predict) filter(list []string, prefix string) []string {
var predictions []string
for _, item := range list {
if strings.HasPrefix(item, prefix) {
predictions = append(predictions, item)
}
}
return predictions
}
Reference in New Issue View Git Blame Copy Permalink