Update text around cubbyhole/response

Jeff Mitchell 2016-09-29 17:44:15 -04:00
parent 47796eac7e
commit 4a505bfa3e
5 changed files with 19 additions and 16 deletions

@ -22,6 +22,10 @@ DEPRECATIONS/CHANGES:
getting logged in plaintext in the audit logs as they were part of request
URLs. The GET and DELETE operations are now moved to new endpoints (`/lookup`
and `/destroy`) which consumes the input from the body and not the URL.
* Reading wrapped responses from `cubbyhole/response` is deprecated. The
`sys/wrapping/unwrap` endpoint should be used instead as it provides
additional security, auditing, and other benefits. The ability to read
directly will be removed in a future release.
FEATURES:
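Review bot: the added bullet promises that `sys/wrapping/unwrap` "provides additional security, auditing, and other benefits" without naming them; list the concrete ones (the token validation checks and the audit logging that the endpoint doc touched in this same commit describes) so operators can judge how urgent the migration is. "Will be removed in a future release" is also vague for a DEPRECATIONS entry; name the target release if one is decided, or say explicitly that it is not yet scheduled.
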

@ -6,13 +6,11 @@ func AdditionalOptionsUsage() string {
return `
-wrap-ttl="" Indicates that the response should be wrapped in a
cubbyhole token with the requested TTL. The response
will live at "cubbyhole/response" in the cubbyhole of
the returned token with a key of "response" and can
be parsed as a normal API Secret. The backend can
also request wrapping; the lesser of the values is
used. This is a numeric string with an optional
suffix "s", "m", or "h"; if no suffix is specified it
will be parsed as seconds. May also be specified via
can be fetched by calling the "sys/wrapping/unwrap"
endpoint, passing in the wrappping token's ID. This
is a numeric string with an optional suffix
"s", "m", or "h"; if no suffix is specified it will
be parsed as seconds. May also be specified via
VAULT_WRAP_TTL.
`
}
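Review bot: typo in the added help text: "wrappping" should be "wrapping". The rewrite also drops the sentence "The backend can also request wrapping; the lesser of the values is used" from the removed lines; if that behaviour still holds, keep it, since it is the only explanation a user gets for receiving a shorter TTL than the one passed to `-wrap-ttl`. Suggested form for the new lines:
endpoint, passing in the wrapping token's ID. The
backend can also request wrapping; the lesser of the
values is used. This is a numeric string with an optional
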

@ -275,7 +275,7 @@ func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, r
req.Path == "cubbyhole/response" &&
len(te.Policies) == 1 &&
te.Policies[0] == responseWrappingPolicyName {
resp.AddWarning("Please use sys/wrapping/unwrap to unwrap responses, as it provides additional security checks.")
resp.AddWarning("Reading from 'cubbyhole/response' is deprecated. Please use sys/wrapping/unwrap to unwrap responses, as it provides additional security checks and other benefits.")
}
// Return the response and error
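Review bot: the condition guarding the new warning (`req.Path == "cubbyhole/response"`, `len(te.Policies) == 1`, `te.Policies[0] == responseWrappingPolicyName`) ties the deprecation notice to the exact policy set of a wrapping token; if wrapping tokens ever gain a second policy the warning silently stops firing. Add a short comment above the condition saying why the policy count must be exactly one, so the next person touching wrapping-token policies knows to update this check. Minor: the message duplicates the changelog wording "and other benefits"; dropping that phrase here keeps the warning to the one actionable fact (use `sys/wrapping/unwrap`).
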

@ -14,9 +14,10 @@ description: |-
<dt>Description</dt>
<dd>
Returns the original response inside the given wrapping token. Unlike
simply reading `cubbyhole/response`, this endpoint provides additional
validation checks on the token, and returns the original value on the wire
rather than a JSON string representation of it.
simply reading `cubbyhole/response` (which is deprecated), this endpoint
provides additional validation checks on the token, returns the original
value on the wire rather than a JSON string representation of it, and
ensures that the response is properly audit-logged.
</dd>
<dt>Method</dt>
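Review bot: "ensures that the response is properly audit-logged" in the added text is vaguer than the neighbouring claims ("additional validation checks on the token", "returns the original value on the wire"); say what differs from a plain `cubbyhole/response` read, for instance that the unwrap is recorded as an unwrap request rather than as a generic cubbyhole read, if that is the intended point. Since the wrapping token is single-use (step 2 of the concepts doc changed in this commit), stating here that a successful unwrap consumes the token would also spare readers a surprise.
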

@ -44,15 +44,15 @@ If a client requests wrapping:
1. The original response is serialized to JSON
2. A new single-use token is generated with a TTL as supplied by the client
3. The original response JSON is stored in `cubbyhole/response` under the key
`"response"`
3. Internally, the original response JSON is stored in the single-use token's
cubbyhole.
4. A new response is generated, with the token ID and the token TTL stored in
the new response's `wrap_info` dict
5. The new response is returned to the caller
To get the original value, if using the API, simply perform a read on
`cubbyhole/response`. In the `data` dict in the Secret response, the value of
the `response` key can be directly unmarshaled as JSON into a new API Secret.
To get the original value, if using the API, perform a write on
`sys/wrapping/unwrap`, passing in the wrapping token ID. The original value
will be returned.
If using the CLI, passing the wrapping token's ID to the `vault unwrap` command
will return the original value; `-format` and `-field` can be set like with
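Review bot: the new instructions ("perform a write on `sys/wrapping/unwrap`, passing in the wrapping token ID") do not say how the ID is passed, whereas the removed text spelled out exactly where the caller found the value ("the value of the `response` key can be directly unmarshaled as JSON into a new API Secret"); name the request parameter here or link to the endpoint doc. Also, the rewritten step 3 ("Internally, the original response JSON is stored in the single-use token's cubbyhole") drops the `cubbyhole/response` path and the `"response"` key; since that path still works during the deprecation period, a parenthetical noting it is the deprecated location would help users migrating from the old read.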