Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CLI changes for new mount tune config parameter allowed_managed_keys #13255

Merged
merged 6 commits into from
Dec 10, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions command/commands.go
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,8 @@ const (
flagNameAllowedResponseHeaders = "allowed-response-headers"
// flagNameTokenType is the flag name used to force a specific token type
flagNameTokenType = "token-type"
// flagNameAllowedManagedKeys is the flag name used for auth/secrets enable
flagNameAllowedManagedKeys = "allowed-managed-keys"
)

var (
Expand Down
14 changes: 14 additions & 0 deletions command/secrets_enable.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ type SecretsEnableCommand struct {
flagSealWrap bool
flagExternalEntropyAccess bool
flagVersion int
flagAllowedManagedKeys []string
}

func (c *SecretsEnableCommand) Synopsis() string {
Expand Down Expand Up @@ -209,6 +210,15 @@ func (c *SecretsEnableCommand) Flags() *FlagSets {
Usage: "Select the version of the engine to run. Not supported by all engines.",
})

f.StringSliceVar(&StringSliceVar{
Name: flagNameAllowedManagedKeys,
Target: &c.flagAllowedManagedKeys,
Usage: "Managed key name(s) that the mount in question is allowed to access. " +
"Note that multiple keys may be specified either by providing the key names " +
"as a comma separated string or by providing this option multiple times, " +
"each time with 1 key.",
})

return set
}

Expand Down Expand Up @@ -307,6 +317,10 @@ func (c *SecretsEnableCommand) Run(args []string) int {
if fl.Name == flagNameAllowedResponseHeaders {
mountInput.Config.AllowedResponseHeaders = c.flagAllowedResponseHeaders
}

if fl.Name == flagNameAllowedManagedKeys {
mountInput.Config.AllowedManagedKeys = c.flagAllowedManagedKeys
}
})

if err := client.Sys().Mount(mountPath, mountInput); err != nil {
Expand Down
4 changes: 4 additions & 0 deletions command/secrets_enable_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,7 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
"-passthrough-request-headers", "authorization,authentication",
"-passthrough-request-headers", "www-authentication",
"-allowed-response-headers", "authorization",
"-allowed-managed-keys", "key1,key2",
"-force-no-cache",
"pki",
})
Expand Down Expand Up @@ -162,6 +163,9 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
}

})

Expand Down
14 changes: 14 additions & 0 deletions command/secrets_tune.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ type SecretsTuneCommand struct {
flagAllowedResponseHeaders []string
flagOptions map[string]string
flagVersion int
flagAllowedManagedKeys []string
}

func (c *SecretsTuneCommand) Synopsis() string {
Expand Down Expand Up @@ -137,6 +138,15 @@ func (c *SecretsTuneCommand) Flags() *FlagSets {
Usage: "Select the version of the engine to run. Not supported by all engines.",
})

f.StringSliceVar(&StringSliceVar{
Name: flagNameAllowedManagedKeys,
Target: &c.flagAllowedManagedKeys,
Usage: "Managed key name(s) that the mount in question is allowed to access. " +
"Note that multiple keys may be specified either by providing the key names " +
"as a comma separated string or by providing this option multiple times, " +
"each time with 1 key.",
})

return set
}

Expand Down Expand Up @@ -213,6 +223,10 @@ func (c *SecretsTuneCommand) Run(args []string) int {
if fl.Name == flagNameAllowedResponseHeaders {
mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
}

if fl.Name == flagNameAllowedManagedKeys {
mountConfigInput.AllowedManagedKeys = c.flagAllowedManagedKeys
}
})

if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil {
Expand Down
4 changes: 4 additions & 0 deletions command/secrets_tune_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -170,6 +170,7 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
"-passthrough-request-headers", "authorization",
"-passthrough-request-headers", "www-authentication",
"-allowed-response-headers", "authorization,www-authentication",
"-allowed-managed-keys", "key1,key2",
"-listing-visibility", "unauth",
"mount_tune_integration/",
})
Expand Down Expand Up @@ -216,6 +217,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
}
})

t.Run("flags_description", func(t *testing.T) {
Expand Down
5 changes: 5 additions & 0 deletions website/content/docs/commands/secrets/enable.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -98,3 +98,8 @@ flags](/docs/commands) included on all commands.
- `-allowed-response-headers` `(string: "")` - response header values that the secrets
engine will be allowed to set. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.

- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
in question is allowed to access. Note that multiple keys may be specified
either by providing the key names as a comma separated string or by providing
this option multiple times, each time with 1 key.
7 changes: 6 additions & 1 deletion website/content/docs/commands/secrets/tune.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
layout: docs
page_title: secrets tune - Command
description: |-
The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH.
The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH.
---

# secrets tune
Expand Down Expand Up @@ -86,3 +86,8 @@ flags](/docs/commands) included on all commands.
- `-passthrough-request-headers` `(string: "")` - request header values that will
be sent to the secrets engine. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.

- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
in question is allowed to access. Note that multiple keys may be specified
either by providing the key names as a comma separated string or by providing
this option multiple times, each time with 1 key.