tidy endpoint fixes

builtin/credential/aws/backend.go

@@ -48,14 +48,14 @@ func Backend(conf *logical.BackendConfig) (*framework.Backend, error) {
 			pathImageTag(b),
 			pathConfigClient(b),
 			pathConfigCertificate(b),
-			pathConfigTidyBlacklistRoleTag(b),
-			pathConfigTidyWhitelistIdentity(b),
+			pathConfigTidyRoleTags(b),
+			pathConfigTidyIdentities(b),
 			pathListCertificates(b),
 			pathBlacklistRoleTag(b),
 			pathListBlacklistRoleTags(b),
-			pathBlacklistRoleTagTidy(b),
+			pathTidyRoleTags(b),
 			pathWhitelistIdentity(b),
-			pathWhitelistIdentityTidy(b),
+			pathTidyIdentities(b),
 			pathListWhitelistIdentities(b),
 		}),
 	}

builtin/credential/aws/path_blacklist_roletag.go

@@ -65,7 +65,7 @@ func (b *backend) pathBlacklistRoleTagExistenceCheck(req *logical.Request, data
 
 // Fetch an entry from the role tag blacklist for a given tag.
 func blacklistRoleTagEntry(s logical.Storage, tag string) (*roleTagBlacklistEntry, error) {
-	entry, err := s.Get("blacklist/roletag/" + tag)
+	entry, err := s.Get("blacklist/roletag/" + base64.StdEncoding.EncodeToString([]byte(tag)))
 	if err != nil {
 		return nil, err
 	}
@@ -190,7 +190,7 @@ func (b *backend) pathBlacklistRoleTagUpdate(
 	// Expiration time is decided by the max_ttl value.
 	blEntry.ExpirationTime = currentTime.Add(rTag.MaxTTL)
 
-	entry, err := logical.StorageEntryJSON("blacklist/roletag/"+tag, blEntry)
+	entry, err := logical.StorageEntryJSON("blacklist/roletag/"+base64.StdEncoding.EncodeToString([]byte(tag)), blEntry)
 	if err != nil {
 		return nil, err
 	}

builtin/credential/aws/path_config_tidy_identities.go

@@ -6,9 +6,9 @@ import (
 	"github.com/hashicorp/vault/logical/framework"
 )
 
-func pathConfigTidyWhitelistIdentity(b *backend) *framework.Path {
+func pathConfigTidyIdentities(b *backend) *framework.Path {
 	return &framework.Path{
-		Pattern: "config/tidy/whitelist/identity$",
+		Pattern: "config/tidy/identities$",
 		Fields: map[string]*framework.FieldSchema{
 			"safety_buffer": &framework.FieldSchema{
 				Type:    framework.TypeDurationSecond,
@@ -23,19 +23,19 @@ expiration, before it is removed from the backend storage.`,
 			},
 		},
 
-		ExistenceCheck: b.pathConfigTidyWhitelistIdentityExistenceCheck,
+		ExistenceCheck: b.pathConfigTidyIdentitiesExistenceCheck,
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
-			logical.CreateOperation: b.pathConfigTidyWhitelistIdentityCreateUpdate,
-			logical.UpdateOperation: b.pathConfigTidyWhitelistIdentityCreateUpdate,
+			logical.CreateOperation: b.pathConfigTidyIdentitiesCreateUpdate,
+			logical.UpdateOperation: b.pathConfigTidyIdentitiesCreateUpdate,
 		},
 
-		HelpSynopsis:    pathConfigTidyWhitelistIdentityHelpSyn,
-		HelpDescription: pathConfigTidyWhitelistIdentityHelpDesc,
+		HelpSynopsis:    pathConfigTidyIdentitiesHelpSyn,
+		HelpDescription: pathConfigTidyIdentitiesHelpDesc,
 	}
 }
 
-func (b *backend) pathConfigTidyWhitelistIdentityExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) {
+func (b *backend) pathConfigTidyIdentitiesExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) {
 	b.configMutex.RLock()
 	defer b.configMutex.RUnlock()
 
@@ -47,7 +47,7 @@ func (b *backend) pathConfigTidyWhitelistIdentityExistenceCheck(req *logical.Req
 }
 
 func configTidyWhitelistIdentity(s logical.Storage) (*tidyWhitelistIdentityConfig, error) {
-	entry, err := s.Get("config/tidy/whitelist/identity")
+	entry, err := s.Get("config/tidy/identities")
 	if err != nil {
 		return nil, err
 	}
@@ -62,7 +62,7 @@ func configTidyWhitelistIdentity(s logical.Storage) (*tidyWhitelistIdentityConfi
 	return &result, nil
 }
 
-func (b *backend) pathConfigTidyWhitelistIdentityCreateUpdate(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+func (b *backend) pathConfigTidyIdentitiesCreateUpdate(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	b.configMutex.Lock()
 	defer b.configMutex.Unlock()
 	configEntry, err := configTidyWhitelistIdentity(req.Storage)
@@ -85,7 +85,7 @@ func (b *backend) pathConfigTidyWhitelistIdentityCreateUpdate(req *logical.Reque
 		configEntry.DisablePeriodicTidy = data.Get("disable_periodic_tidy").(bool)
 	}
 
-	entry, err := logical.StorageEntryJSON("config/tidy/whitelist/identity", configEntry)
+	entry, err := logical.StorageEntryJSON("config/tidy/identities", configEntry)
 	if err != nil {
 		return nil, err
 	}
@@ -97,7 +97,7 @@ func (b *backend) pathConfigTidyWhitelistIdentityCreateUpdate(req *logical.Reque
 	return nil, nil
 }
 
-func (b *backend) pathConfigTidyWhitelistIdentityRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+func (b *backend) pathConfigTidyIdentitiesRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	b.configMutex.RLock()
 	defer b.configMutex.RUnlock()
 
@@ -114,11 +114,11 @@ func (b *backend) pathConfigTidyWhitelistIdentityRead(req *logical.Request, data
 	}, nil
 }
 
-func (b *backend) pathConfigTidyWhitelistIdentityDelete(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+func (b *backend) pathConfigTidyIdentitiesDelete(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	b.configMutex.Lock()
 	defer b.configMutex.Unlock()
 
-	if err := req.Storage.Delete("config/tidy/whitelist/identity"); err != nil {
+	if err := req.Storage.Delete("config/tidy/identities"); err != nil {
 		return nil, err
 	}
 
@@ -130,10 +130,10 @@ type tidyWhitelistIdentityConfig struct {
 	DisablePeriodicTidy bool `json:"disable_periodic_tidy" structs:"disable_periodic_tidy" mapstructure:"disable_periodic_tidy"`
 }
 
-const pathConfigTidyWhitelistIdentityHelpSyn = `
+const pathConfigTidyIdentitiesHelpSyn = `
 Configures the periodic tidying operation of the whitelisted identity entries.
 `
-const pathConfigTidyWhitelistIdentityHelpDesc = `
+const pathConfigTidyIdentitiesHelpDesc = `
 By default, the expired entries in teb whitelist will be attempted to be removed
 periodically. This operation will look for expired items in the list and purge them.
 However, there is a safety buffer duration (defaults to 72h), which purges the entries,

builtin/credential/aws/path_config_tidy_roletags.go

@@ -6,9 +6,9 @@ import (
 	"github.com/hashicorp/vault/logical/framework"
 )
 
-func pathConfigTidyBlacklistRoleTag(b *backend) *framework.Path {
+func pathConfigTidyRoleTags(b *backend) *framework.Path {
 	return &framework.Path{
-		Pattern: "config/tidy/blacklist/roletag$",
+		Pattern: "config/tidy/roletags$",
 		Fields: map[string]*framework.FieldSchema{
 			"safety_buffer": &framework.FieldSchema{
 				Type:    framework.TypeDurationSecond,
@@ -23,21 +23,21 @@ expiration, before it is removed from the backend storage.`,
 			},
 		},
 
-		ExistenceCheck: b.pathConfigTidyBlacklistRoleTagExistenceCheck,
+		ExistenceCheck: b.pathConfigTidyRoleTagsExistenceCheck,
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
-			logical.CreateOperation: b.pathConfigTidyBlacklistRoleTagCreateUpdate,
-			logical.UpdateOperation: b.pathConfigTidyBlacklistRoleTagCreateUpdate,
-			logical.ReadOperation:   b.pathConfigTidyBlacklistRoleTagRead,
-			logical.DeleteOperation: b.pathConfigTidyBlacklistRoleTagDelete,
+			logical.CreateOperation: b.pathConfigTidyRoleTagsCreateUpdate,
+			logical.UpdateOperation: b.pathConfigTidyRoleTagsCreateUpdate,
+			logical.ReadOperation:   b.pathConfigTidyRoleTagsRead,
+			logical.DeleteOperation: b.pathConfigTidyRoleTagsDelete,
 		},
 
-		HelpSynopsis:    pathConfigTidyBlacklistRoleTagHelpSyn,
-		HelpDescription: pathConfigTidyBlacklistRoleTagHelpDesc,
+		HelpSynopsis:    pathConfigTidyRoleTagsHelpSyn,
+		HelpDescription: pathConfigTidyRoleTagsHelpDesc,
 	}
 }
 
-func (b *backend) pathConfigTidyBlacklistRoleTagExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) {
+func (b *backend) pathConfigTidyRoleTagsExistenceCheck(req *logical.Request, data *framework.FieldData) (bool, error) {
 	b.configMutex.RLock()
 	defer b.configMutex.RUnlock()
 
@@ -49,7 +49,7 @@ func (b *backend) pathConfigTidyBlacklistRoleTagExistenceCheck(req *logical.Requ
 }
 
 func configTidyBlacklistRoleTag(s logical.Storage) (*tidyBlacklistRoleTagConfig, error) {
-	entry, err := s.Get("config/tidy/blacklist/roletag")
+	entry, err := s.Get("config/tidy/roletags")
 	if err != nil {
 		return nil, err
 	}
@@ -64,7 +64,7 @@ func configTidyBlacklistRoleTag(s logical.Storage) (*tidyBlacklistRoleTagConfig,
 	return &result, nil
 }
 
-func (b *backend) pathConfigTidyBlacklistRoleTagCreateUpdate(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+func (b *backend) pathConfigTidyRoleTagsCreateUpdate(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	b.configMutex.Lock()
 	defer b.configMutex.Unlock()
 	configEntry, err := configTidyBlacklistRoleTag(req.Storage)
@@ -87,7 +87,7 @@ func (b *backend) pathConfigTidyBlacklistRoleTagCreateUpdate(req *logical.Reques
 		configEntry.DisablePeriodicTidy = data.Get("disable_periodic_tidy").(bool)
 	}
 
-	entry, err := logical.StorageEntryJSON("config/tidy/blacklist/roletag", configEntry)
+	entry, err := logical.StorageEntryJSON("config/tidy/roletags", configEntry)
 	if err != nil {
 		return nil, err
 	}
@@ -99,7 +99,7 @@ func (b *backend) pathConfigTidyBlacklistRoleTagCreateUpdate(req *logical.Reques
 	return nil, nil
 }
 
-func (b *backend) pathConfigTidyBlacklistRoleTagRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+func (b *backend) pathConfigTidyRoleTagsRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	b.configMutex.RLock()
 	defer b.configMutex.RUnlock()
 
@@ -116,11 +116,11 @@ func (b *backend) pathConfigTidyBlacklistRoleTagRead(req *logical.Request, data
 	}, nil
 }
 
-func (b *backend) pathConfigTidyBlacklistRoleTagDelete(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+func (b *backend) pathConfigTidyRoleTagsDelete(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	b.configMutex.Lock()
 	defer b.configMutex.Unlock()
 
-	if err := req.Storage.Delete("config/tidy/blacklist/roletag"); err != nil {
+	if err := req.Storage.Delete("config/tidy/roletags"); err != nil {
 		return nil, err
 	}
 
@@ -132,10 +132,10 @@ type tidyBlacklistRoleTagConfig struct {
 	DisablePeriodicTidy bool `json:"disable_periodic_tidy" structs:"disable_periodic_tidy" mapstructure:"disable_periodic_tidy"`
 }
 
-const pathConfigTidyBlacklistRoleTagHelpSyn = `
+const pathConfigTidyRoleTagsHelpSyn = `
 Configures the periodic tidying operation of the blacklisted role tag entries.
 `
-const pathConfigTidyBlacklistRoleTagHelpDesc = `
+const pathConfigTidyRoleTagsHelpDesc = `
 By default, the expired entries in the blacklist will be attempted to be removed
 periodically. This operation will look for expired items in the list and purge them.
 However, there is a safety buffer duration (defaults to 72h), which purges the entries,

builtin/credential/aws/path_login.go

@@ -461,6 +461,6 @@ provided. All future logins will succeed only if the client nonce matches the no
 whitelisted entry.
 
 The entries in the whitelist are not automatically deleted. Although, they will have an
-expiration time set on the entry. There is a separate endpoint 'whitelist/identity/tidy',
+expiration time set on the entry. There is a separate endpoint 'tidy/identities',
 that needs to be invoked to clean-up all the expired entries in the whitelist.
 `

builtin/credential/aws/path_tidy_identities.go

@@ -8,9 +8,9 @@ import (
 	"github.com/hashicorp/vault/logical/framework"
 )
 
-func pathWhitelistIdentityTidy(b *backend) *framework.Path {
+func pathTidyIdentities(b *backend) *framework.Path {
 	return &framework.Path{
-		Pattern: "whitelist/identity/tidy$",
+		Pattern: "tidy/identities$",
 		Fields: map[string]*framework.FieldSchema{
 			"safety_buffer": &framework.FieldSchema{
 				Type:    framework.TypeDurationSecond,
@@ -21,11 +21,11 @@ expiration, before it is removed from the backend storage.`,
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
-			logical.UpdateOperation: b.pathWhitelistIdentityTidyUpdate,
+			logical.UpdateOperation: b.pathTidyIdentitiesUpdate,
 		},
 
-		HelpSynopsis:    pathWhitelistIdentityTidySyn,
-		HelpDescription: pathWhitelistIdentityTidyDesc,
+		HelpSynopsis:    pathTidyIdentitiesSyn,
+		HelpDescription: pathTidyIdentitiesDesc,
 	}
 }
 
@@ -67,17 +67,17 @@ func tidyWhitelistIdentity(s logical.Storage, safety_buffer int) error {
 	return nil
 }
 
-// pathWhitelistIdentityTidyUpdate is used to delete entries in the whitelist that are expired.
-func (b *backend) pathWhitelistIdentityTidyUpdate(
+// pathTidyIdentitiesUpdate is used to delete entries in the whitelist that are expired.
+func (b *backend) pathTidyIdentitiesUpdate(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	return nil, tidyWhitelistIdentity(req.Storage, data.Get("safety_buffer").(int))
 }
 
-const pathWhitelistIdentityTidySyn = `
+const pathTidyIdentitiesSyn = `
 Clean-up the whitelisted instance identity entries.
 `
 
-const pathWhitelistIdentityTidyDesc = `
+const pathTidyIdentitiesDesc = `
 When an instance identity is whitelisted, the expiration time of the whitelist
 entry is set to the least amont 'max_ttl' of the registered AMI, 'max_ttl' of the
 role tag and 'max_ttl' of the backend mount.

builtin/credential/aws/path_tidy_roletags.go

@@ -8,9 +8,9 @@ import (
 	"github.com/hashicorp/vault/logical/framework"
 )
 
-func pathBlacklistRoleTagTidy(b *backend) *framework.Path {
+func pathTidyRoleTags(b *backend) *framework.Path {
 	return &framework.Path{
-		Pattern: "blacklist/roletag/tidy$",
+		Pattern: "tidy/roletags$",
 		Fields: map[string]*framework.FieldSchema{
 			"safety_buffer": &framework.FieldSchema{
 				Type:    framework.TypeDurationSecond,
@@ -21,11 +21,11 @@ expiration, before it is removed from the backend storage.`,
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
-			logical.UpdateOperation: b.pathBlacklistRoleTagTidyUpdate,
+			logical.UpdateOperation: b.pathTidyRoleTagsUpdate,
 		},
 
-		HelpSynopsis:    pathBlacklistRoleTagTidySyn,
-		HelpDescription: pathBlacklistRoleTagTidyDesc,
+		HelpSynopsis:    pathTidyRoleTagsSyn,
+		HelpDescription: pathTidyRoleTagsDesc,
 	}
 }
 
@@ -66,17 +66,17 @@ func tidyBlacklistRoleTag(s logical.Storage, safety_buffer int) error {
 	return nil
 }
 
-// pathBlacklistRoleTagTidyUpdate is used to clean-up the entries in the role tag blacklist.
-func (b *backend) pathBlacklistRoleTagTidyUpdate(
+// pathTidyRoleTagsUpdate is used to clean-up the entries in the role tag blacklist.
+func (b *backend) pathTidyRoleTagsUpdate(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	return nil, tidyBlacklistRoleTag(req.Storage, data.Get("safety_buffer").(int))
 }
 
-const pathBlacklistRoleTagTidySyn = `
+const pathTidyRoleTagsSyn = `
 Clean-up the blacklisted role tag entries.
 `
 
-const pathBlacklistRoleTagTidyDesc = `
+const pathTidyRoleTagsDesc = `
 When a role tag is blacklisted, the expiration time of the blacklist entry is
 determined by the 'max_ttl' present in the role tag. If 'max_ttl' is not provided
 in the role tag, the backend mount's 'max_ttl' value will be used to determine

builtin/credential/aws/path_whitelist_identity.go

@@ -147,7 +147,7 @@ Each login from an EC2 instance creates/updates an entry in the identity whiteli
 Entries in this list can be viewed or deleted using this endpoint.
 
 The entries in the whitelist are not automatically deleted. Although, they will have an
-expiration time set on the entry. There is a separate endpoint 'whitelist/identity/tidy',
+expiration time set on the entry. There is a separate endpoint 'tidy/identities',
 that needs to be invoked to clean-up all the expired entries in the whitelist.
 `
 

website/source/docs/auth/aws.html.md

@@ -208,8 +208,8 @@ the backend mount. The least of these three dictates the maximum TTL of the
 issued token, and correspondingly will be set as the expiration times of these
 entries.
 
-The endpoints `aws/auth/whitelist/identity/tidy` and
-`aws/auth/blacklist/roletag/tidy` are provided to clean up the entries present
+The endpoints `aws/auth/tidy/identities` and
+`aws/auth/tidy/roletags` are provided to clean up the entries present
 in these lists. These endpoints allow defining a safety buffer, such that an
 entry must not only be expired, but be past expiration by the amount of time
 dictated by the safety buffer in order to actually remove the entry.
@@ -217,7 +217,7 @@ dictated by the safety buffer in order to actually remove the entry.
 Additionally, the backend performs has a periodic function that does the tidying
 of both blacklist role tags and whitelist identities. This periodic tidying is
 activated by default and will have a safety buffer of 72 hours. This can be
-configured via `config/tidy/blacklist/roletag` and `config/tidy/whitelist/identity`
+configured via `config/tidy/roletags` and `config/tidy/identities`
 endpoints.
 
 ### Varying Public Certificates
@@ -546,7 +546,7 @@ The response will be in JSON. For example:
   </dd>
 </dl>
 
-### /auth/aws/config/tidy/whitelist/identity
+### /auth/aws/config/tidy/identities
 ##### POST
 <dl class="api">
   <dt>Description</dt>
@@ -558,7 +558,7 @@ The response will be in JSON. For example:
   <dd>POST</dd>
 
   <dt>URL</dt>
-  <dd>`/auth/aws/config/tidy/whitelist/identity`</dd>
+  <dd>`/auth/aws/config/tidy/identities`</dd>
 
   <dt>Parameters</dt>
   <dd>
@@ -597,7 +597,7 @@ The response will be in JSON. For example:
   <dd>GET</dd>
 
   <dt>URL</dt>
-  <dd>`/auth/aws/config/tidy/whitelist/identity`</dd>
+  <dd>`/auth/aws/config/tidy/identities`</dd>
 
   <dt>Parameters</dt>
   <dd>
@@ -635,7 +635,7 @@ The response will be in JSON. For example:
   <dd>DELETE</dd>
 
   <dt>URL</dt>
-  <dd>`/auth/aws/config/tidy/whitelist/identity`</dd>
+  <dd>`/auth/aws/config/tidy/identities`</dd>
 
   <dt>Parameters</dt>
   <dd>
@@ -649,7 +649,7 @@ The response will be in JSON. For example:
 
 
 
-### /auth/aws/config/tidy/blacklist/roletag
+### /auth/aws/config/tidy/roletags
 ##### POST
 <dl class="api">
   <dt>Description</dt>
@@ -661,7 +661,7 @@ The response will be in JSON. For example:
   <dd>POST</dd>
 
   <dt>URL</dt>
-  <dd>`/auth/aws/config/tidy/blacklist/roletag`</dd>
+  <dd>`/auth/aws/config/tidy/roletags`</dd>
 
   <dt>Parameters</dt>
   <dd>
@@ -699,7 +699,7 @@ The response will be in JSON. For example:
   <dd>GET</dd>
 
   <dt>URL</dt>
-  <dd>`/auth/aws/config/tidy/blacklist/roletag`</dd>
+  <dd>`/auth/aws/config/tidy/roletags`</dd>
 
   <dt>Parameters</dt>
   <dd>
@@ -737,7 +737,7 @@ The response will be in JSON. For example:
   <dd>DELETE</dd>
 
   <dt>URL</dt>
-  <dd>`/auth/aws/config/tidy/blacklist/roletag`</dd>
+  <dd>`/auth/aws/config/tidy/roletags`</dd>
 
   <dt>Parameters</dt>
   <dd>
@@ -1214,7 +1214,7 @@ The response will be in JSON. For example:
 </dl>
 
 
-### /auth/aws/blacklist/roletag/tidy
+### /auth/aws/tidy/roletags
 #### POST
 <dl class="api">
   <dt>Description</dt>
@@ -1226,7 +1226,7 @@ The response will be in JSON. For example:
   <dd>POST</dd>
 
   <dt>URL</dt>
-  <dd>`/auth/aws/blacklist/roletag/tidy`</dd>
+  <dd>`/auth/aws/tidy/roletags`</dd>
 
   <dt>Parameters</dt>
   <dd>
@@ -1358,7 +1358,7 @@ The response will be in JSON. For example:
 </dl>
 
 
-### /auth/aws/whitelist/identity/tidy
+### /auth/aws/tidy/identities
 #### POST
 <dl class="api">
   <dt>Description</dt>
@@ -1370,7 +1370,7 @@ The response will be in JSON. For example:
   <dd>POST</dd>
 
   <dt>URL</dt>
-  <dd>`/auth/aws/whitelist/identity/tidy`</dd>
+  <dd>`/auth/aws/tidy/identities`</dd>
 
   <dt>Parameters</dt>
   <dd>