diff --git a/command/commands.go b/command/commands.go
index bf5daa7474d4..a3846cd414cc 100644
--- a/command/commands.go
+++ b/command/commands.go
@@ -116,6 +116,8 @@ const (
 flagNameAllowedResponseHeaders = "allowed-response-headers"
 // flagNameTokenType is the flag name used to force a specific token type
 flagNameTokenType = "token-type"
+ // flagNameAllowedManagedKeys is the flag name used for auth/secrets enable
+ flagNameAllowedManagedKeys = "allowed-managed-keys"
 )
 
 var (
diff --git a/command/secrets_enable.go b/command/secrets_enable.go
index cb4671ba3943..72b7b89b5585 100644
--- a/command/secrets_enable.go
+++ b/command/secrets_enable.go
@@ -37,6 +37,7 @@ type SecretsEnableCommand struct {
 flagSealWrap bool
 flagExternalEntropyAccess bool
 flagVersion int
+ flagAllowedManagedKeys []string
 }
 
 func (c *SecretsEnableCommand) Synopsis() string {
@@ -209,6 +210,15 @@ func (c *SecretsEnableCommand) Flags() *FlagSets {
 Usage: "Select the version of the engine to run. Not supported by all engines.",
 })
 
+ f.StringSliceVar(&StringSliceVar{
+ Name: flagNameAllowedManagedKeys,
+ Target: &c.flagAllowedManagedKeys,
+ Usage: "Managed key name(s) that the mount in question is allowed to access. " +
+ "Note that multiple keys may be specified either by providing the key names " +
+ "as a comma separated string or by providing this option multiple times, " +
+ "each time with 1 key.",
+ })
+
 return set
 }
 
@@ -307,6 +317,10 @@ func (c *SecretsEnableCommand) Run(args []string) int {
 if fl.Name == flagNameAllowedResponseHeaders {
 mountInput.Config.AllowedResponseHeaders = c.flagAllowedResponseHeaders
 }
+
+ if fl.Name == flagNameAllowedManagedKeys {
+ mountInput.Config.AllowedManagedKeys = c.flagAllowedManagedKeys
+ }
 })
 
 if err := client.Sys().Mount(mountPath, mountInput); err != nil {
diff --git a/command/secrets_enable_test.go b/command/secrets_enable_test.go
index bcc581a4e108..f5a54a8cc8da 100644
--- a/command/secrets_enable_test.go
+++ b/command/secrets_enable_test.go
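Review bot: The comment on the new constant, `// flagNameAllowedManagedKeys is the flag name used for auth/secrets enable`, undersells where it is used: this same change wires it into `secrets tune` as well, and nothing in the hunk ties it to auth (that part of the wording presumably refers to an auth enable command outside this diff). Suggest `// flagNameAllowedManagedKeys is the flag name for the managed keys a mount may access; used by the secrets/auth enable and tune commands` so the next reader does not go looking for a separate tune constant. The enclosing const block starts and ends outside the hunk.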
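Review bot: The Usage text added in the Flags hunk promises that keys may be given `as a comma separated string`, but nothing in this change splits the value: the Run hunk assigns `c.flagAllowedManagedKeys` straight into `mountInput.Config.AllowedManagedKeys`, and the accompanying test asserts the mount reads back `[]string{"key1,key2"}` as a single element, so the comma form appears to survive unsplit end to end. For an allowlist that is a silent misconfiguration rather than an error: an operator who writes `-allowed-managed-keys key1,key2` gets one entry that presumably matches neither key1 nor key2 when the server compares names. Either split before assigning, e.g. `for _, k := range c.flagAllowedManagedKeys { keys = append(keys, strings.Split(k, ",")...) }` with `strings.TrimSpace` on each part (and change the test expectation to `{"key1", "key2"}`), or drop the comma wording so the help matches the sibling `-allowed-response-headers` flag, which documents only the repeat-the-flag form. The same applies to the secrets_tune.go Flags and Run hunks and to both .mdx additions; Flags() and Run() both start outside their hunks.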
@@ -113,6 +113,7 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
 "-passthrough-request-headers", "authorization,authentication",
 "-passthrough-request-headers", "www-authentication",
 "-allowed-response-headers", "authorization",
+ "-allowed-managed-keys", "key1,key2",
 "-force-no-cache",
 "pki",
 })
@@ -162,6 +163,9 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
 if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
 t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
 }
+ if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
+ t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
+ }
 })
diff --git a/command/secrets_tune.go b/command/secrets_tune.go
index a7883a618cd0..3e20367ea6e0 100644
--- a/command/secrets_tune.go
+++ b/command/secrets_tune.go
@@ -30,6 +30,7 @@ type SecretsTuneCommand struct {
 flagAllowedResponseHeaders []string
 flagOptions map[string]string
 flagVersion int
+ flagAllowedManagedKeys []string
 }
 
 func (c *SecretsTuneCommand) Synopsis() string {
@@ -137,6 +138,15 @@ func (c *SecretsTuneCommand) Flags() *FlagSets {
 Usage: "Select the version of the engine to run. Not supported by all engines.",
 })
 
+ f.StringSliceVar(&StringSliceVar{
+ Name: flagNameAllowedManagedKeys,
+ Target: &c.flagAllowedManagedKeys,
+ Usage: "Managed key name(s) that the mount in question is allowed to access. " +
+ "Note that multiple keys may be specified either by providing the key names " +
+ "as a comma separated string or by providing this option multiple times, " +
+ "each time with 1 key.",
+ })
+
 return set
 }
 
@@ -213,6 +223,10 @@ func (c *SecretsTuneCommand) Run(args []string) int {
 if fl.Name == flagNameAllowedResponseHeaders {
 mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
 }
+
+ if fl.Name == flagNameAllowedManagedKeys {
+ mountConfigInput.AllowedManagedKeys = c.flagAllowedManagedKeys
+ }
 })
 
 if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil {
diff --git a/command/secrets_tune_test.go b/command/secrets_tune_test.go
index de732873790e..f51b8fb34b78 100644
--- a/command/secrets_tune_test.go
+++ b/command/secrets_tune_test.go
@@ -170,6 +170,7 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
 "-passthrough-request-headers", "authorization",
 "-passthrough-request-headers", "www-authentication",
 "-allowed-response-headers", "authorization,www-authentication",
+ "-allowed-managed-keys", "key1,key2",
 "-listing-visibility", "unauth",
 "mount_tune_integration/",
 })
@@ -216,6 +217,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
 if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
 t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
 }
+ if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
+ t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
+ }
 })
 
 t.Run("flags_description", func(t *testing.T) {
diff --git a/website/content/docs/commands/secrets/enable.mdx b/website/content/docs/commands/secrets/enable.mdx
index ec8258b1270c..08ccd102dd6b 100644
--- a/website/content/docs/commands/secrets/enable.mdx
+++ b/website/content/docs/commands/secrets/enable.mdx
@@ -98,3 +98,8 @@ flags](/docs/commands) included on all commands.
 - `-allowed-response-headers` `(string: "")` - response header values that the secrets engine will be allowed to set. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.
+
+- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
+ in question is allowed to access. Note that multiple keys may be specified
+ either by providing the key names as a comma separated string or by providing
+ this option multiple times, each time with 1 key.
diff --git a/website/content/docs/commands/secrets/tune.mdx b/website/content/docs/commands/secrets/tune.mdx
index 96679d1e113c..ef62765251b6 100644
--- a/website/content/docs/commands/secrets/tune.mdx
+++ b/website/content/docs/commands/secrets/tune.mdx
@@ -2,7 +2,7 @@
 layout: docs
 page_title: secrets tune - Command
 description: |-
- The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH.
+ The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH.
 ---
 
 # secrets tune
@@ -86,3 +86,8 @@ flags](/docs/commands) included on all commands.
 - `-passthrough-request-headers` `(string: "")` - request header values that will be sent to the secrets engine. Note that multiple keys may be specified by providing this option multiple times, each time with 1 key.
+
+- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
+ in question is allowed to access. Note that multiple keys may be specified
+ either by providing the key names as a comma separated string or by providing
+ this option multiple times, each time with 1 key.