Skip to content

Commit

Permalink
CLI changes for new mount tune config parameter allowed_managed_keys (h…
Browse files Browse the repository at this point in the history
…ashicorp#13255)

* CLI changes for new mount tune config parameter allowed_managed_keys

* Correct allowed_managed_keys description in auth and secrets

* Documentation update for secrets and removed changes for auth

* Add changelog and remove documentation changes for auth

* removed changelog

* Correct the field description
  • Loading branch information
divyapola5 authored and heppu committed Jan 13, 2022
1 parent ae98139 commit c4bfe03
Show file tree
Hide file tree
Showing 7 changed files with 49 additions and 1 deletion.
2 changes: 2 additions & 0 deletions command/commands.go
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,8 @@ const (
flagNameAllowedResponseHeaders = "allowed-response-headers"
// flagNameTokenType is the flag name used to force a specific token type
flagNameTokenType = "token-type"
// flagNameAllowedManagedKeys is the flag name used for auth/secrets enable
flagNameAllowedManagedKeys = "allowed-managed-keys"
)

var (
Expand Down
14 changes: 14 additions & 0 deletions command/secrets_enable.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ type SecretsEnableCommand struct {
flagSealWrap bool
flagExternalEntropyAccess bool
flagVersion int
flagAllowedManagedKeys []string
}

func (c *SecretsEnableCommand) Synopsis() string {
Expand Down Expand Up @@ -209,6 +210,15 @@ func (c *SecretsEnableCommand) Flags() *FlagSets {
Usage: "Select the version of the engine to run. Not supported by all engines.",
})

f.StringSliceVar(&StringSliceVar{
Name: flagNameAllowedManagedKeys,
Target: &c.flagAllowedManagedKeys,
Usage: "Managed key name(s) that the mount in question is allowed to access. " +
"Note that multiple keys may be specified either by providing the key names " +
"as a comma separated string or by providing this option multiple times, " +
"each time with 1 key.",
})

return set
}

Expand Down Expand Up @@ -307,6 +317,10 @@ func (c *SecretsEnableCommand) Run(args []string) int {
if fl.Name == flagNameAllowedResponseHeaders {
mountInput.Config.AllowedResponseHeaders = c.flagAllowedResponseHeaders
}

if fl.Name == flagNameAllowedManagedKeys {
mountInput.Config.AllowedManagedKeys = c.flagAllowedManagedKeys
}
})

if err := client.Sys().Mount(mountPath, mountInput); err != nil {
Expand Down
4 changes: 4 additions & 0 deletions command/secrets_enable_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,7 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
"-passthrough-request-headers", "authorization,authentication",
"-passthrough-request-headers", "www-authentication",
"-allowed-response-headers", "authorization",
"-allowed-managed-keys", "key1,key2",
"-force-no-cache",
"pki",
})
Expand Down Expand Up @@ -162,6 +163,9 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
}

})

Expand Down
14 changes: 14 additions & 0 deletions command/secrets_tune.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ type SecretsTuneCommand struct {
flagAllowedResponseHeaders []string
flagOptions map[string]string
flagVersion int
flagAllowedManagedKeys []string
}

func (c *SecretsTuneCommand) Synopsis() string {
Expand Down Expand Up @@ -137,6 +138,15 @@ func (c *SecretsTuneCommand) Flags() *FlagSets {
Usage: "Select the version of the engine to run. Not supported by all engines.",
})

f.StringSliceVar(&StringSliceVar{
Name: flagNameAllowedManagedKeys,
Target: &c.flagAllowedManagedKeys,
Usage: "Managed key name(s) that the mount in question is allowed to access. " +
"Note that multiple keys may be specified either by providing the key names " +
"as a comma separated string or by providing this option multiple times, " +
"each time with 1 key.",
})

return set
}

Expand Down Expand Up @@ -213,6 +223,10 @@ func (c *SecretsTuneCommand) Run(args []string) int {
if fl.Name == flagNameAllowedResponseHeaders {
mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
}

if fl.Name == flagNameAllowedManagedKeys {
mountConfigInput.AllowedManagedKeys = c.flagAllowedManagedKeys
}
})

if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil {
Expand Down
4 changes: 4 additions & 0 deletions command/secrets_tune_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -170,6 +170,7 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
"-passthrough-request-headers", "authorization",
"-passthrough-request-headers", "www-authentication",
"-allowed-response-headers", "authorization,www-authentication",
"-allowed-managed-keys", "key1,key2",
"-listing-visibility", "unauth",
"mount_tune_integration/",
})
Expand Down Expand Up @@ -216,6 +217,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
}
})

t.Run("flags_description", func(t *testing.T) {
Expand Down
5 changes: 5 additions & 0 deletions website/content/docs/commands/secrets/enable.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -98,3 +98,8 @@ flags](/docs/commands) included on all commands.
- `-allowed-response-headers` `(string: "")` - response header values that the secrets
engine will be allowed to set. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.

- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
in question is allowed to access. Note that multiple keys may be specified
either by providing the key names as a comma separated string or by providing
this option multiple times, each time with 1 key.
7 changes: 6 additions & 1 deletion website/content/docs/commands/secrets/tune.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
layout: docs
page_title: secrets tune - Command
description: |-
The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH.
The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH.
---

# secrets tune
Expand Down Expand Up @@ -86,3 +86,8 @@ flags](/docs/commands) included on all commands.
- `-passthrough-request-headers` `(string: "")` - request header values that will
be sent to the secrets engine. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.

- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
in question is allowed to access. Note that multiple keys may be specified
either by providing the key names as a comma separated string or by providing
this option multiple times, each time with 1 key.

0 comments on commit c4bfe03

Please sign in to comment.