Add read support to sys/auth/:path (#12793)

* Add read support to sys/auth/:path

Closes https://github.com/hashicorp/vault/issues/7411

* Add changelog entry

changelog/12793.txt

@@ -0,0 +1,3 @@
+```release-note: feature
+auth: reading `sys/auth/:path` now returns the configuration for the auth engine mounted at the given path
+```

vault/logical_system.go

@@ -1933,6 +1933,40 @@ func (b *SystemBackend) handleAuthTable(ctx context.Context, req *logical.Reques
 	return resp, nil
 }
 
+func (b *SystemBackend) handleReadAuth(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+	path = sanitizePath(path)
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	b.Core.authLock.RLock()
+	defer b.Core.authLock.RUnlock()
+
+	for _, entry := range b.Core.auth.Entries {
+		// Only show entry for current namespace
+		if entry.Namespace().Path != ns.Path || entry.Path != path{
+			continue
+		}
+
+		cont, err := b.Core.checkReplicatedFiltering(ctx, entry, credentialRoutePrefix)
+		if err != nil {
+			return nil, err
+		}
+		if cont {
+			continue
+		}
+
+		return &logical.Response{
+			Data: mountInfo(entry),
+		}, nil
+	}
+
+	return logical.ErrorResponse("No auth engine at %s", path), nil
+}
+
 func expandStringValsWithCommas(configMap map[string]interface{}) error {
 	configParamNameSlice := []string{
 		"audit_non_hmac_request_keys",

vault/logical_system_paths.go

@@ -1501,6 +1501,10 @@ func (b *SystemBackend) authPaths() []*framework.Path {
 				},
 			},
 			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleReadAuth,
+					Summary: "Read the configuration of the auth engine at the given path.",
+				},
 				logical.UpdateOperation: &framework.PathOperation{
 					Callback: b.handleEnableAuth,
 					Summary:  "Enables a new auth method.",

vault/logical_system_test.go

@@ -1523,6 +1523,15 @@ func TestSystemBackend_authTable(t *testing.T) {
 	if diff := deep.Equal(resp.Data, exp); diff != nil {
 		t.Fatal(diff)
 	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "auth/token")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if diff := deep.Equal(resp.Data, exp["token/"]); diff != nil {
+		t.Fatal(diff)
+	}
 }
 
 func TestSystemBackend_enableAuth(t *testing.T) {

website/content/api-docs/system/auth.mdx

@@ -140,6 +140,67 @@ $ curl \
     http://127.0.0.1:8200/v1/sys/auth/my-auth
 ```
 
+## Read Auth Method configuration
+
+This endpoints returns the configuration of the auth method at the given path.
+
+| Method | Path             |
+| :----- | :--------------- |
+| `GET`  | `/sys/auth/path` |
+
+### Sample Request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/auth/my-auth
+```
+
+### Sample Response
+
+```json
+{
+  "uuid": "4b42d1a4-0a0d-3c88-ae90-997e0c8b41be",
+  "type": "github",
+  "accessor": "auth_github_badd7fd0",
+  "local": false,
+  "seal_wrap": false,
+  "external_entropy_access": false,
+  "options": null,
+  "config": {
+    "default_lease_ttl": 0,
+    "force_no_cache": false,
+    "max_lease_ttl": 0,
+    "token_type": "default-service"
+  },
+  "description": "",
+  "request_id": "8d2a1e33-4c00-46a5-f50d-4dc5f5d96f12",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "accessor": "auth_github_badd7fd0",
+    "config": {
+      "default_lease_ttl": 0,
+      "force_no_cache": false,
+      "max_lease_ttl": 0,
+      "token_type": "default-service"
+    },
+    "description": "",
+    "external_entropy_access": false,
+    "local": false,
+    "options": null,
+    "seal_wrap": false,
+    "type": "github",
+    "uuid": "4b42d1a4-0a0d-3c88-ae90-997e0c8b41be"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
+
 ## Disable Auth Method
 
 This endpoint disables the auth method at the given auth path.