
Vault Raw Read Support (CLI & Client) #14945

Merged: 5 commits, Oct 28, 2022
Conversation

cipherboy (Contributor):

Not really sure who should own this work :-) I realize the approach hasn't been popular in the past...
...but I figured I'd re-open a branch I had with this change to see where it'll go this time.

We expose ReadRaw... operations, which return a raw Response rather than a parsed Secret. This allows us to hit endpoints (such as the various PKI endpoints, which are ever-expanding) which return non-JSON-formatted responses, from both the Client and the API. These responses include DER- and PEM-formatted bundles.

From a CLI perspective, this lets the following succeed, which IMO, is a big improvement over the existing behavior:

$ vault read -format=raw pki/ca/pem
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
$ vault read pki/ca/pem
Error reading pki/ca/pem: invalid character '-' in numeric literal

Having access to the Response object directly could also allow something like #14944 to be implementable, wherein the raw errors value is accessible to the CLI to parse and (if not an error) optionally turned into a Secret if the response warrants it. It also allows JSON-formatted errors (which the API returns but vault read -format=json doesn't do anything useful with).

Who knows what else this could enable... :-)
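As an added example (not code from this PR, and not Vault's own api package), the following sketches the two read styles the description contrasts, against a stand-in HTTP server rather than a live Vault. ReadRaw hands back the undecoded body of pki/ca/pem (PEM) or pki/ca (DER) so it can be parsed with crypto/x509, while the JSON-decoding read fails on those same bodies exactly as `vault read pki/ca/pem` does, and still works on an ordinary JSON endpoint. The function names, the decoded map standing in for api.Secret, the generated CA and the stand-in server are assumptions made for the example; the methods the PR itself adds are the ReadRaw... family on the client described above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// ReadRaw fetches /v1/<path> and hands back the undecoded body on HTTP 200; the caller knows the format.
func ReadRaw(client *http.Client, addr, path string) ([]byte, error) {
	resp, err := client.Get(addr + "/v1/" + path) // no token: the PKI CA endpoints are unauthenticated
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err == nil && resp.StatusCode != http.StatusOK {
		err = fmt.Errorf("%s: HTTP %d: %s", path, resp.StatusCode, body)
	}
	return body, err
}

// ReadJSON is the conventional read: ReadRaw, then decode as JSON. A PEM or DER body fails here,
// after the bytes were already fetched, which is the `vault read pki/ca/pem` error from the PR.
func ReadJSON(client *http.Client, addr, path string) (map[string]interface{}, error) {
	body, err := ReadRaw(client, addr, path)
	if err != nil {
		return nil, err
	}
	var secret map[string]interface{} // assumption: a loose stand-in for the decoded api.Secret
	if err := json.Unmarshal(body, &secret); err != nil {
		return nil, fmt.Errorf("error reading %s: %w", path, err)
	}
	return secret, nil
}

// ParseCA accepts the PEM body of pki/ca/pem or the binary DER body of pki/ca.
func ParseCA(raw []byte) (*x509.Certificate, error) {
	if block, _ := pem.Decode(raw); block != nil {
		return x509.ParseCertificate(block.Bytes)
	}
	return x509.ParseCertificate(raw) // no PEM armour: treat as DER
}

// GenerateTestCA builds a throwaway self-signed CA (constructed test data, not a real Vault CA).
func GenerateTestCA() (der, pemBytes []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err != nil {
		return nil, nil, err
	}
	return der, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// NewFakeVault is a stand-in server (assumption): DER at pki/ca, PEM at pki/ca/pem, JSON at pki/cert/ca.
func NewFakeVault(der, pemBytes []byte) *httptest.Server {
	jsonBody, _ := json.Marshal(map[string]interface{}{"data": map[string]string{"certificate": string(pemBytes)}})
	mux := http.NewServeMux()
	for path, body := range map[string][]byte{"/v1/pki/ca": der, "/v1/pki/ca/pem": pemBytes, "/v1/pki/cert/ca": jsonBody} {
		body := body // capture per iteration (needed before Go 1.22)
		mux.HandleFunc(path, func(w http.ResponseWriter, _ *http.Request) { w.Write(body) })
	}
	return httptest.NewServer(mux)
}

func main() {
	der, pemBytes, err := GenerateTestCA()
	if err != nil {
		panic(err)
	}
	srv := NewFakeVault(der, pemBytes)
	defer srv.Close()
	_, jsonErr := ReadJSON(srv.Client(), srv.URL, "pki/ca/pem")
	fmt.Println("json read:", jsonErr) // invalid character '-' in numeric literal
	raw, _ := ReadRaw(srv.Client(), srv.URL, "pki/ca/pem")
	if cert, err := ParseCA(raw); err == nil {
		fmt.Println("raw read: CA subject =", cert.Subject.CommonName)
	}
}
```

The split matters for the caller: ReadRaw surfaces non-200 responses as errors with the body attached (so a Vault `{"errors":[...]}` payload is still visible), and decoding is the caller's decision rather than something the client does unconditionally.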

@cipherboy cipherboy force-pushed the cipherboy-vault-read-raw branch from a772c72 to d289a7d on April 6, 2022 20:18
kitography (Contributor) left a review comment:

This looks useful to me (though also these test failures are real).

Review comment on api/logical.go (outdated, resolved)
aphorise (Contributor) commented Aug 19, 2022:

@cipherboy @kitography I'm guessing the export use case here would be to facilitate an import and subsequent rebuild, for example, of a pki mount anew?

Also what's the status & when is it likely to be delivered?

cipherboy (Contributor, Author):

@aphorise This didn't get much traction internally. If you're interested in pushing it and working on it, feel free to do so. But this has been proposed in the past and rejected before, so I think it'll require a bit of convincing to get it accepted.

Not all Vault API endpoints return well-formatted JSON objects.
Sometimes, in the case of the PKI secrets engine, they're not even
printable (/pki/ca returns a binary (DER-encoded) certificate). While
this endpoint isn't authenticated, in general the API caller would
either need to use Client.RawRequestWithContext(...) directly (which
the docs advise against), or set up their own net/http client and
re-create much of Client and/or Client.Logical.

Instead, exposing the raw Request (via the new ReadRawWithData(...))
allows callers to directly consume these non-JSON endpoints like they
would nearly any other endpoint.

Signed-off-by: Alexander Scheel <[email protected]>

As mentioned in the previous commit, some API endpoints return non-JSON
data. We get as far as fetching this data (via client.Logical().Read),
but parsing it as an api.Secret fails (as in this case, it is non-JSON).
Given that we intend to update `vault read` to support such endpoints,
we'll need a "raw" formatter that accepts []byte-encoded data and simply
writes it to the UI.

Signed-off-by: Alexander Scheel <[email protected]>

Some endpoints, such as `pki/ca` and `pki/ca/pem` return non-JSON
objects. When calling `vault read` on these endpoints, an error
is returned because they cannot be parsed as api.Secret instances:

> Error reading pki/ca/pem: invalid character '-' in numeric literal

Indeed, we go to all the trouble of (successfully) fetching this value,
only to be unable to Unmarshal into a Secrets value. Instead, add
support for a new -format=raw option, allowing these endpoints to be
consumed by callers of `vault read` directly.

Signed-off-by: Alexander Scheel <[email protected]>

@cipherboy cipherboy force-pushed the cipherboy-vault-read-raw branch from d289a7d to cd638de on October 26, 2022 20:41
@cipherboy cipherboy requested review from kitography and a team October 26, 2022 20:42
cipherboy (Contributor, Author):

@aphorise Steve convinced me to update this and I eventually figured out the issue with the contexts, so the tests should now pass. We'll see what others think :-)

sgmiller (Collaborator):

I'm still cool with it. Any UX concerns?

Signed-off-by: Alexander Scheel <[email protected]>
cipherboy (Contributor, Author):

@sgmiller Other than that we've returned obtuse errors in non-raw queries to the PKI endpoints, nope... I tagged you on a Slack thread, if you've got ideas, happy to look at them.

Review comment on command/format.go (outdated, resolved)
Signed-off-by: Alexander Scheel <[email protected]>
@cipherboy cipherboy requested a review from raskchanky October 27, 2022 13:22
raskchanky (Contributor) left a review comment:

One minor nit, not a blocker

Review comment on command/format.go (resolved)
cipherboy (Contributor, Author):

Thanks all! Merging...

@cipherboy cipherboy merged commit 057b40d into main Oct 28, 2022
@raskchanky raskchanky deleted the cipherboy-vault-read-raw branch October 28, 2022 15:11
6 participants