From 4a505bfa3eaa3fb14b982ff24b6c120abef3ad7a Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Thu, 29 Sep 2016 17:44:15 -0400
Subject: [PATCH] Update text around cubbyhole/response
---
CHANGELOG.md | 4 ++++
meta/meta_vault.go | 12 +++++-------
vault/request_handling.go | 2 +-
website/source/docs/http/sys-wrapping-unwrap.html.md | 7 ++++---
website/source/docs/secrets/cubbyhole/index.html.md | 10 +++++-----
5 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 65a50d757..aa32d3396 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,10 @@ DEPRECATIONS/CHANGES:
 getting logged in plaintext in the audit logs as they were part of request URLs. The GET and DELETE operations are now moved to new endpoints (`/lookup` and `/destroy`) which consumes the input from the body and not the URL.
+ * Reading wrapped responses from `cubbyhole/response` is deprecated. The
+ `sys/wrapping/unwrap` endpoint should be used instead as it provides
+ additional security, auditing, and other benefits. The ability to read
+ directly will be removed in a future release.
 FEATURES:
diff --git a/meta/meta_vault.go b/meta/meta_vault.go
index 44c4ca38c..f1fc97afc 100644
--- a/meta/meta_vault.go
+++ b/meta/meta_vault.go
@@ -6,13 +6,11 @@ func AdditionalOptionsUsage() string {
 return `
 -wrap-ttl="" Indicates that the response should be wrapped in a
 cubbyhole token with the requested TTL. The response
- will live at "cubbyhole/response" in the cubbyhole of
- the returned token with a key of "response" and can
- be parsed as a normal API Secret. The backend can
- also request wrapping; the lesser of the values is
- used. This is a numeric string with an optional
- suffix "s", "m", or "h"; if no suffix is specified it
- will be parsed as seconds. May also be specified via
+ can be fetched by calling the "sys/wrapping/unwrap"
+ endpoint, passing in the wrappping token's ID. This
+ is a numeric string with an optional suffix
+ "s", "m", or "h"; if no suffix is specified it will
+ be parsed as seconds. May also be specified via
 VAULT_WRAP_TTL.
 `
 }
diff --git a/vault/request_handling.go b/vault/request_handling.go
index 420e115d3..39825611b 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -275,7 +275,7 @@ func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, r
 req.Path == "cubbyhole/response" &&
 len(te.Policies) == 1 &&
 te.Policies[0] == responseWrappingPolicyName {
- resp.AddWarning("Please use sys/wrapping/unwrap to unwrap responses, as it provides additional security checks.")
+ resp.AddWarning("Reading from 'cubbyhole/response' is deprecated. Please use sys/wrapping/unwrap to unwrap responses, as it provides additional security checks and other benefits.")
 }
 // Return the response and error
diff --git a/website/source/docs/http/sys-wrapping-unwrap.html.md b/website/source/docs/http/sys-wrapping-unwrap.html.md
index d20100072..c30f51b5d 100644
--- a/website/source/docs/http/sys-wrapping-unwrap.html.md
+++ b/website/source/docs/http/sys-wrapping-unwrap.html.md
@@ -14,9 +14,10 @@ description: |-
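Review bot: The new help text in the AdditionalOptionsUsage hunk carries a typo, "wrappping", that will ship in every `vault -h` output; the line should read `endpoint, passing in the wrapping token's ID. This`. The rewrite also drops the sentence about the backend being able to request wrapping with the lesser of the two TTLs winning; if that rule still holds, keeping one sentence about it would save operators from assuming their -wrap-ttl is always honored verbatim. The function's signature line sits in the hunk header, so the definition starts just before the hunk.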
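Review bot: The deprecation in the handleRequest hunk is surfaced only as a response warning, so an operator has no server-side way to find clients still reading cubbyhole/response before the path is removed; a server-side log line at the same point (one per request is fine, since this branch is gated on the token holding only the response-wrapping policy) would make the migration measurable. The quoting in the new string is also inconsistent, 'cubbyhole/response' in single quotes and sys/wrapping/unwrap bare; pick one form for both paths. A comment on the condition would help the next reader: `// Deprecated read path: warn so callers move to sys/wrapping/unwrap, which adds token validation and audit logging; remove with the CHANGELOG deprecation.` handleRequest begins and ends outside the hunk, and te is bound before it.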
Description
 Returns the original response inside the given wrapping token. Unlike
-simply reading `cubbyhole/response`, this endpoint provides additional
-validation checks on the token, and returns the original value on the wire
-rather than a JSON string representation of it.
+simply reading `cubbyhole/response` (which is deprecated), this endpoint
+provides additional validation checks on the token, returns the original
+value on the wire rather than a JSON string representation of it, and
+ensures that the response is properly audit-logged.
Method
diff --git a/website/source/docs/secrets/cubbyhole/index.html.md b/website/source/docs/secrets/cubbyhole/index.html.md
index a11810e27..1b04eaa7f 100644
--- a/website/source/docs/secrets/cubbyhole/index.html.md
+++ b/website/source/docs/secrets/cubbyhole/index.html.md
@@ -44,15 +44,15 @@ If a client requests wrapping:
 1. The original response is serialized to JSON
 2. A new single-use token is generated with a TTL as supplied by the client
-3. The original response JSON is stored in `cubbyhole/response` under the key
- `"response"`
+3. Internally, the original response JSON is stored in the single-use token's
+ cubbyhole.
 4. A new response is generated, with the token ID and the token TTL stored in the new response's `wrap_info` dict
 5. The new response is returned to the caller
-To get the original value, if using the API, simply perform a read on
-`cubbyhole/response`. In the `data` dict in the Secret response, the value of
-the `response` key can be directly unmarshaled as JSON into a new API Secret.
+To get the original value, if using the API, perform a write on
+`sys/wrapping/unwrap`, passing in the wrapping token ID. The original value
+will be returned.
 If using the CLI, passing the wrapping token's ID to the `vault unwrap` command will return the original value; `-format` and `-field` can be set like with