mirror of
https://github.com/hashicorp/vault.git
synced 2026-02-03 20:40:45 -05:00
* Fix regexes for `sys/raw/` and `sys/leases/lookup/` to match prevailing conventions

  There are several endpoints in Vault which take an arbitrary path as the last parameter. Many of these are defined in terms of the `framework.MatchAllRegex` helper. Some were not, and were defined using custom regexes which gave rise to multiple OpenAPI endpoints - one with the path parameter, and one without.

  We need to fix these definitions, because they give rise to a very unnatural result when used to generate a client API - for example, you end up with `LeasesLookUp()` which is only capable of being used to list the very top level of the hierarchical collection of leases, and `LeasesLookUpWithPrefix(prefix)` which must be used for all deeper levels.

  This PR changes the regexes used for `sys/raw/` and `sys/leases/lookup/` to be consistent with the approach used for other well-known similar endpoints, such as `cubbyhole/`, `kv-v1/` and `kv-v2/metadata/`.

  This PR does have a very small compatibility issue, which I think is tolerable: prior to this change, `sys/raw` with no trailing slash was considered a valid endpoint, and now it will no longer be. One way to observe this is to try `vault path-help sys/raw` - before this change, it would work, after, it will not. You would have to instead use `vault path-help sys/raw/foobar` to see the help.

  I also considered whether losing the ability to read/write/delete `sys/raw` would be an issue. In each case, the precise HTTP result code will change, but each of these were meaningless operations that make no sense - you cannot read/write/delete a "file" at the "root directory" of the underlying Vault storage. In fact, during testing, I discovered that currently, `vault write sys/raw x=y` when using Raft storage, will permanently break the Vault instance - it causes a panic within the Raft FSM, which re-occurs immediately on restarting the server! This PR also closes off that footgun / DoS vector.

  None of these issues apply to `sys/leases/lookup/`, as the existing regex in that case was already not matching the path without the trailing slash.

* changelog

* Realign hardcoded sudo paths with updated OpenAPI spec

| | | |
|---|---|---|
| .. | ||
| auth | ||
| test-fixtures | ||
| api_test.go | ||
| auth.go | ||
| auth_test.go | ||
| auth_token.go | ||
| client.go | ||
| client_test.go | ||
| go.mod | ||
| go.sum | ||
| help.go | ||
| kv.go | ||
| kv_test.go | ||
| kv_v1.go | ||
| kv_v2.go | ||
| lifetime_watcher.go | ||
| logical.go | ||
| output_policy.go | ||
| output_policy_test.go | ||
| output_string.go | ||
| plugin_helpers.go | ||
| plugin_types.go | ||
| README.md | ||
| renewer_test.go | ||
| replication_status.go | ||
| request.go | ||
| request_test.go | ||
| response.go | ||
| secret.go | ||
| secret_test.go | ||
| ssh.go | ||
| ssh_agent.go | ||
| ssh_agent_test.go | ||
| sudo_paths.go | ||
| sudo_paths_test.go | ||
| sys.go | ||
| sys_audit.go | ||
| sys_auth.go | ||
| sys_capabilities.go | ||
| sys_config_cors.go | ||
| sys_generate_root.go | ||
| sys_hastatus.go | ||
| sys_health.go | ||
| sys_init.go | ||
| sys_leader.go | ||
| sys_leases.go | ||
| sys_mfa.go | ||
| sys_monitor.go | ||
| sys_mounts.go | ||
| sys_mounts_test.go | ||
| sys_plugins.go | ||
| sys_plugins_test.go | ||
| sys_policy.go | ||
| sys_raft.go | ||
| sys_rekey.go | ||
| sys_rotate.go | ||
| sys_seal.go | ||
| sys_stepdown.go | ||
Vault API
This provides the github.com/hashicorp/vault/api package which contains code useful for interacting with a Vault server.
For examples of how to use this module, see the vault-examples repo. For a step-by-step walkthrough on using these client libraries, see the developer quickstart.
