Add read support to sys/mounts/:path (#12792)

* Add read support to sys/mounts/:path

Closes https://github.com/hashicorp/vault/issues/12349

* Add changelog entry

* Empty commit to trigger CI

* Empty commit to trigger CI

changelog/12792.txt

@@ -0,0 +1,3 @@
+```release-note: feature
+core: reading `sys/mounts/:path` now returns the configuration for the secret engine at the given path
+```

vault/logical_system.go

@@ -1043,6 +1043,21 @@ func (b *SystemBackend) handleMount(ctx context.Context, req *logical.Request, d
 	return nil, nil
 }
 
+func (b *SystemBackend) handleReadMount(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	path := data.Get("path").(string)
+	path = sanitizePath(path)
+
+	entry := b.Core.router.MatchingMountEntry(ctx, path)
+
+	if entry == nil {
+		return logical.ErrorResponse("No secret engine mount at %s", path), nil
+	}
+
+	return &logical.Response{
+		Data: mountInfo(entry),
+	}, nil
+}
+
 // used to intercept an HTTPCodedError so it goes back to callee
 func handleError(
 	err error) (*logical.Response, error) {

vault/logical_system_paths.go

@@ -1826,6 +1826,10 @@ func (b *SystemBackend) mountPaths() []*framework.Path {
 			},
 
 			Operations: map[logical.Operation]framework.OperationHandler{
+				logical.ReadOperation: &framework.PathOperation{
+					Callback: b.handleReadMount,
+					Summary:  "Read the configuration of the secret engine at the given path.",
+				},
 				logical.UpdateOperation: &framework.PathOperation{
 					Callback: b.handleMount,
 					Summary:  "Enable a new secrets engine at the given path.",

vault/logical_system_test.go

@@ -220,6 +220,17 @@ func TestSystemBackend_mounts(t *testing.T) {
 	if diff := deep.Equal(resp.Data, exp); len(diff) > 0 {
 		t.Fatalf("bad, diff: %#v", diff)
 	}
+
+	for name, conf := range exp {
+		req := logical.TestRequest(t, logical.ReadOperation, "mounts/"+name)
+		resp, err = b.HandleRequest(namespace.RootContext(nil), req)
+		if err != nil {
+			t.Fatalf("err: %v", err)
+		}
+		if diff := deep.Equal(resp.Data, conf); len(diff) > 0 {
+			t.Fatalf("bad, diff: %#v", diff)
+		}
+	}
 }
 
 func TestSystemBackend_mount(t *testing.T) {

website/content/api-docs/system/mounts.mdx

@@ -212,6 +212,65 @@ $ curl \
     http://127.0.0.1:8200/v1/sys/mounts/my-mount
 ```
 
+## Get the configuration of a Secret Engine
+
+This endpoint returns the configuration of a specific secret engine.
+
+| Method | Path                |
+| :----- | :------------------ |
+| `GET`  | `/sys/mounts/:path` |
+
+
+### Sample Request
+
+```shell-session
+$ curl \
+    --header "X-Vault-Token: ..." \
+    http://127.0.0.1:8200/v1/sys/mounts/cubbyhole
+```
+
+### Sample Response
+
+```json
+{
+  "config": {
+    "default_lease_ttl": 0,
+    "force_no_cache": false,
+    "max_lease_ttl": 0
+  },
+  "description": "per-token private secret storage",
+  "accessor": "cubbyhole_db85f061",
+  "external_entropy_access": false,
+  "options": null,
+  "uuid": "9c0e211a-904d-e41d-e1a2-7f1ff2bb8461",
+  "type": "cubbyhole",
+  "local": true,
+  "seal_wrap": false,
+  "request_id": "efdab917-ade2-1802-b8fa-fe2e6486d4e5",
+  "lease_id": "",
+  "renewable": false,
+  "lease_duration": 0,
+  "data": {
+    "accessor": "cubbyhole_db85f061",
+    "config": {
+      "default_lease_ttl": 0,
+      "force_no_cache": false,
+      "max_lease_ttl": 0
+    },
+    "description": "per-token private secret storage",
+    "external_entropy_access": false,
+    "local": true,
+    "options": null,
+    "seal_wrap": false,
+    "type": "cubbyhole",
+    "uuid": "9c0e211a-904d-e41d-e1a2-7f1ff2bb8461"
+  },
+  "wrap_info": null,
+  "warnings": null,
+  "auth": null
+}
+```
+
 ## Read Mount Configuration
 
 This endpoint reads the given mount's configuration. Unlike the `mounts`