VAULT-6131 OpenAPI schema now includes /auth/token endpoints when explicit permission has been granted (#15552)

* VAULT-6131 OpenAPI schema now includes /auth/token endpoints when explicit permission has been granted * VAULT-6131 add changelog * VAULT-6131 Update changelog and fix related bug
2022-05-31 11:25:27 -04:00 · 2022-05-31 11:25:27 -04:00 · 4aac96238c
parent c9a0fdb4ff
commit 4aac96238c
2 changed files with 22 additions and 4 deletions
--- a/changelog/15552.txt
+++ b/changelog/15552.txt
@ -0,0 +1,6 @@
+```release-note:bug
+openapi: Fixed issue where information about /auth/token endpoints was not present with explicit policy permissions
+```
+```release-note:bug
+api: Fixed issue with internal/ui/mounts and internal/ui/mounts/(?P<path>.+) endpoints where it was not properly handling /auth/
+```
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@ -3734,7 +3734,11 @@ func (b *SystemBackend) pathInternalUIMountsRead(ctx context.Context, req *logic
 		}

 		if isAuthed {
-			return hasMountAccess(ctx, acl, me.Namespace().Path+me.Path)
+			if me.Table == "auth" {
+				return hasMountAccess(ctx, acl, me.Namespace().Path+me.Table+"/"+me.Path)
+			} else {
+				return hasMountAccess(ctx, acl, me.Namespace().Path+me.Path)
+			}
 		}

 		return false
@ -3844,10 +3848,18 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 	}
 	resp.Data["path"] = me.Path

-	fullMountPath := ns.Path + me.Path
+	pathWithTable := ""
+
+	if me.Table == "auth" {
+		pathWithTable = me.Table + "/" + me.Path
+	} else {
+		pathWithTable = me.Path
+	}
+
+	fullMountPath := ns.Path + pathWithTable
 	if ns.ID != me.Namespace().ID {
-		resp.Data["path"] = me.Namespace().Path + me.Path
-		fullMountPath = ns.Path + me.Namespace().Path + me.Path
+		resp.Data["path"] = me.Namespace().Path + pathWithTable
+		fullMountPath = ns.Path + me.Namespace().Path + pathWithTable
 	}

 	if !hasMountAccess(ctx, acl, fullMountPath) {