diff --git a/changelog/12793.txt b/changelog/12793.txt
new file mode 100644
index 000000000..b787a3ac9
--- /dev/null
+++ b/changelog/12793.txt
@@ -0,0 +1,3 @@
+```release-note: feature
+auth: reading `sys/auth/:path` now returns the configuration for the auth engine mounted at the given path
+```
diff --git a/vault/logical_system.go b/vault/logical_system.go
index 7f86494b2..75e2a7fe4 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -1933,6 +1933,40 @@ func (b *SystemBackend) handleAuthTable(ctx context.Context, req *logical.Reques
 	return resp, nil
 }
 
+func (b *SystemBackend) handleReadAuth(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+	path = sanitizePath(path)
+
+	ns, err := namespace.FromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	b.Core.authLock.RLock()
+	defer b.Core.authLock.RUnlock()
+
+	for _, entry := range b.Core.auth.Entries {
+		// Only show entry for current namespace
+		if entry.Namespace().Path != ns.Path || entry.Path != path{
+			continue
+		}
+
+		cont, err := b.Core.checkReplicatedFiltering(ctx, entry, credentialRoutePrefix)
+		if err != nil {
+			return nil, err
+		}
+		if cont {
+			continue
+		}
+
+		return &logical.Response{
+			Data: mountInfo(entry),
+		}, nil
+	}
+
+	return logical.ErrorResponse("No auth engine at %s", path), nil
+}
+
 func expandStringValsWithCommas(configMap map[string]interface{}) error {
 	configParamNameSlice := []string{
 		"audit_non_hmac_request_keys",
diff --git a/vault/logical_system_paths.go b/vault/logical_system_paths.go
index 61ffca07b..bf6a8da05 100644
--- a/vault/logical_system_paths.go
+++ b/vault/logical_system_paths.go
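Review bot: The bare `continue` after `checkReplicatedFiltering` reports the entry as filtered deserves a comment in handleReadAuth, because at first read it looks as though a second entry with the same path could still be returned; assuming mount paths are unique within a namespace, the loop simply falls through to the `No auth engine at %s` response, so a replication-filtered mount is indistinguishable from a missing one, which is the right disclosure behaviour and should be stated as intentional. Suggested comment above that `continue`: `// A filtered mount must look absent to the caller; fall through to the not-found response.` Separately, `entry.Path != path{` is missing the space before the brace and will be rewritten by gofmt: `if entry.Namespace().Path != ns.Path || entry.Path != path {`. Whether this read inherits the sudo requirement the system backend applies elsewhere to `auth/*` is not visible in this hunk; since the response carries the full mount config, it is worth confirming and documenting which capability the caller needs.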
@@ -1501,6 +1501,10 @@ func (b *SystemBackend) authPaths() []*framework.Path {
 				},
 			},
 			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleReadAuth,
+					Summary: "Read the configuration of the auth engine at the given path.",
+				},
 				logical.UpdateOperation: &framework.PathOperation{
 					Callback: b.handleEnableAuth,
 					Summary: "Enables a new auth method.",
diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go
index edafcb6d9..c826e19d7 100644
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@@ -1523,6 +1523,15 @@ func TestSystemBackend_authTable(t *testing.T) {
 	if diff := deep.Equal(resp.Data, exp); diff != nil {
 		t.Fatal(diff)
 	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "auth/token")
+	resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if diff := deep.Equal(resp.Data, exp["token/"]); diff != nil {
+		t.Fatal(diff)
+	}
 }
 
 func TestSystemBackend_enableAuth(t *testing.T) {
diff --git a/website/content/api-docs/system/auth.mdx b/website/content/api-docs/system/auth.mdx
index 83f1c224c..a8e7e7a53 100644
--- a/website/content/api-docs/system/auth.mdx
+++ b/website/content/api-docs/system/auth.mdx
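Review bot: The new ReadOperation summary calls the mount an "auth engine" while the neighbouring UpdateOperation summary in the same map, and the API doc headings, call it an "auth method"; the OpenAPI output will show both terms side by side for one path. Suggest `Summary: "Reads the configuration of the auth method at the given path.",`, which also matches the third-person verb form of `"Enables a new auth method."`. The changelog entry uses the same "auth engine" wording and could be aligned at the same time.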
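Review bot: The added assertions only exercise the found case for the new read path; nothing checks that a path with no mount yields the error response rather than an empty success, which is the branch a policy-scoped caller is most likely to hit. A second request such as `req = logical.TestRequest(t, logical.ReadOperation, "auth/does-not-exist")` followed by `if resp == nil || !resp.IsError() { t.Fatalf("expected error response, got %#v", resp) }` would pin that behaviour. Coverage of the namespace filter is presumably left to the enterprise suite, but that is not visible here. TestSystemBackend_authTable starts before this hunk.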
@@ -140,6 +140,67 @@ $ curl \ http://127.0.0.1:8200/v1/sys/auth/my-auth ``` +## Read Auth Method configuration + +This endpoints returns the configuration of the auth method at the given path. + +| Method | Path | +| :----- | :--------------- | +| `GET` | `/sys/auth/path` | + +### Sample Request + +```shell-session +$ curl \ + --header "X-Vault-Token: ..." \ + http://127.0.0.1:8200/v1/sys/auth/my-auth +``` + +### Sample Response + +```json +{ + "uuid": "4b42d1a4-0a0d-3c88-ae90-997e0c8b41be", + "type": "github", + "accessor": "auth_github_badd7fd0", + "local": false, + "seal_wrap": false, + "external_entropy_access": false, + "options": null, + "config": { + "default_lease_ttl": 0, + "force_no_cache": false, + "max_lease_ttl": 0, + "token_type": "default-service" + }, + "description": "", + "request_id": "8d2a1e33-4c00-46a5-f50d-4dc5f5d96f12", + "lease_id": "", + "renewable": false, + "lease_duration": 0, + "data": { + "accessor": "auth_github_badd7fd0", + "config": { + "default_lease_ttl": 0, + "force_no_cache": false, + "max_lease_ttl": 0, + "token_type": "default-service" + }, + "description": "", + "external_entropy_access": false, + "local": false, + "options": null, + "seal_wrap": false, + "type": "github", + "uuid": "4b42d1a4-0a0d-3c88-ae90-997e0c8b41be" + }, + "wrap_info": null, + "warnings": null, + "auth": null +} +``` + + ## Disable Auth Method This endpoint disables the auth method at the given auth path.