api: Add deprecation warnings to secrets/auth POST endpoints (#17058)
* api: Add deprecation warnings to endpoints * Add changelog
parent
d8e0a13aae
commit
403fdd77be
|
@ -0,0 +1,6 @@
|
|||
```release-note:change
|
||||
auth: `POST /sys/auth/:type` endpoint response contains a warning for `Deprecated` auth methods.
|
||||
```
|
||||
```release-note:change
|
||||
secrets: `POST /sys/mounts/:type` endpoint response contains a warning for `Deprecated` secrets engines.
|
||||
```
|
|
@ -1145,13 +1145,19 @@ func (b *SystemBackend) handleMount(ctx context.Context, req *logical.Request, d
|
|||
Version: version,
|
||||
}
|
||||
|
||||
// Detect and handle deprecated secrets engines
|
||||
resp, err := b.Core.handleDeprecatedMountEntry(ctx, me, consts.PluginTypeSecrets)
|
||||
if err != nil {
|
||||
return handleError(err)
|
||||
}
|
||||
|
||||
// Attempt mount
|
||||
if err := b.Core.mount(ctx, me); err != nil {
|
||||
b.Backend.Logger().Error("error occurred during enable mount", "path", me.Path, "error", err)
|
||||
return handleError(err)
|
||||
}
|
||||
|
||||
return nil, nil
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
func (b *SystemBackend) handleReadMount(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
|
||||
|
@ -2385,7 +2391,7 @@ func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Reque
|
|||
Version: version,
|
||||
}
|
||||
|
||||
err = b.Core.handleDeprecatedMountEntry(ctx, me, consts.PluginTypeCredential)
|
||||
resp, err := b.Core.handleDeprecatedMountEntry(ctx, me, consts.PluginTypeCredential)
|
||||
if err != nil {
|
||||
return handleError(err)
|
||||
}
|
||||
|
@ -2395,7 +2401,7 @@ func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Reque
|
|||
b.Backend.Logger().Error("error occurred during enable credential", "path", me.Path, "error", err)
|
||||
return handleError(err)
|
||||
}
|
||||
return nil, nil
|
||||
return resp, nil
|
||||
}
|
||||
|
||||
// handleDisableAuth is used to disable a credential backend
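Review bot: Nothing at the two `return resp, nil` sites in `handleMount` and `handleEnableAuth` says when `resp` is non-nil, and callers that relied on the success reply always being nil are affected. For a `Deprecated` builtin, or a `PendingRemoval` one allowed by the override, the handlers now hand back a `logical.Response` that carries only a warning. If the HTTP layer treats a nil response differently from a non-nil one, which is not visible on this page, API clients will see a different success reply for exactly these mounts; the changelog entries mention the warning but not that. A comment at each return such as `// resp is nil unless the builtin is Deprecated or an allowed PendingRemoval; it then carries only the deprecation warning` would make the contract explicit. Both function bodies start outside the hunks.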
|
||||
|
|
|
@ -464,7 +464,7 @@ func (c *Core) decodeMountTable(ctx context.Context, raw []byte) (*MountTable, e
|
|||
}
|
||||
|
||||
// Immediately shutdown the core if deprecated mounts are detected and VAULT_ALLOW_PENDING_REMOVAL_MOUNTS is unset
|
||||
if err := c.handleDeprecatedMountEntry(ctx, entry, consts.PluginTypeUnknown); err != nil {
|
||||
if _, err := c.handleDeprecatedMountEntry(ctx, entry, consts.PluginTypeUnknown); err != nil {
|
||||
c.logger.Error("shutting down core", "error", err)
|
||||
c.Shutdown()
|
||||
}
|
||||
|
@ -591,11 +591,6 @@ func (c *Core) mountInternal(ctx context.Context, entry *MountEntry, updateStora
|
|||
addFilterablePath(c, viewPath)
|
||||
}
|
||||
|
||||
// Detect and handle deprecated secrets engines
|
||||
if err := c.handleDeprecatedMountEntry(ctx, entry, consts.PluginTypeSecrets); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
nilMount, err := preprocessMount(c, entry, view)
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -923,9 +918,9 @@ func (c *Core) taintMountEntry(ctx context.Context, nsID, mountPath string, upda
|
|||
// * PendingRemoval - log an error about builtin deprecation and return an error
|
||||
// if VAULT_ALLOW_PENDING_REMOVAL_MOUNTS is unset
|
||||
// * Removed - log an error about builtin deprecation and return an error
|
||||
func (c *Core) handleDeprecatedMountEntry(ctx context.Context, entry *MountEntry, pluginType consts.PluginType) error {
|
||||
func (c *Core) handleDeprecatedMountEntry(ctx context.Context, entry *MountEntry, pluginType consts.PluginType) (*logical.Response, error) {
|
||||
if c.builtinRegistry == nil || entry == nil {
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// Allow type to be determined from mount entry when not otherwise specified
|
||||
|
@ -941,6 +936,7 @@ func (c *Core) handleDeprecatedMountEntry(ctx context.Context, entry *MountEntry
|
|||
|
||||
status, ok := c.builtinRegistry.DeprecationStatus(t, pluginType)
|
||||
if ok {
|
||||
resp := &logical.Response{}
|
||||
// Deprecation sublogger with some identifying information
|
||||
dl := c.logger.With("name", t, "type", pluginType, "status", status, "path", entry.Path)
|
||||
errDeprecatedMount := fmt.Errorf("mount entry associated with %s builtin", status)
|
||||
|
@ -948,19 +944,23 @@ func (c *Core) handleDeprecatedMountEntry(ctx context.Context, entry *MountEntry
|
|||
switch status {
|
||||
case consts.Deprecated:
|
||||
dl.Warn(errDeprecatedMount.Error())
|
||||
resp.AddWarning(errDeprecatedMount.Error())
|
||||
return resp, nil
|
||||
|
||||
case consts.PendingRemoval:
|
||||
dl.Error(errDeprecatedMount.Error())
|
||||
if allow := os.Getenv(consts.VaultAllowPendingRemovalMountsEnv); allow == "" {
|
||||
return fmt.Errorf("could not mount %q: %w", t, errDeprecatedMount)
|
||||
return nil, fmt.Errorf("could not mount %q: %w", t, errDeprecatedMount)
|
||||
}
|
||||
resp.AddWarning(errDeprecatedMount.Error())
|
||||
c.Logger().Info("mount allowed by environment variable", "env", consts.VaultAllowPendingRemovalMountsEnv)
|
||||
return resp, nil
|
||||
|
||||
case consts.Removed:
|
||||
return fmt.Errorf("could not mount %s: %w", t, errDeprecatedMount)
|
||||
return nil, fmt.Errorf("could not mount %s: %w", t, errDeprecatedMount)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// remountForceInternal takes a copy of the mount entry for the path and fully unmounts
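Review bot: With the check deleted from `mountInternal` (hunk at -591), rejecting `PendingRemoval` and `Removed` secrets engines on a new mount depends on every caller running `handleDeprecatedMountEntry` first; `handleMount` does, but any other path into `mountInternal` that is not visible on this page would skip the gate. Either keep the gate in core and pass the response up, or state the precondition on `mountInternal`, e.g. `// Callers must run handleDeprecatedMountEntry first; mountInternal does not reject deprecated builtins.` As far as the hunk shows, the doc comment above `handleDeprecatedMountEntry` still describes only logging and errors, so it should also say that a `*logical.Response` with a warning is returned for `Deprecated` and for `PendingRemoval` when `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` is set. The override is taken for any non-empty value, since `allow == ""` is the only test, so a value such as `false` still permits the mount and now does so with only a warning in the reply; that deserves a line in the same comment. The body of `mountInternal` starts and ends outside its hunk.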
|
||||
|
|