VAULT-2285 adding capability to accept comma separated entries for au… (#12126)

* VAULT-2285 adding capability to accept comma separated entries for auth enable/tune

* Adding changelog

* Adding logic to detect invalid input parameter for auth enable config

* Updating tune.mdx

* Updating secret enable/tune for comma separated parameters

* Adding further parameter checks for auth/secret tests
Fixing changelog
using builtin type for a switch statement
Fixing a possible panic scenario

* Changing a function name, using deep.Equal instead of what reflect package provides

* Fixing auth/secret enable/tune mdx files

* One more mdx file fix

* Only when users provide a single comma separated string in a curl command, split the entries by commas

* Fixing API docs for auth/mount enable/tune for comma separated entries

* updating docs, removing an unnecessary switch case

changelog/12126.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+cli/api: Providing consistency for the use of comma separated parameters in auth/secret enable/tune
+```

command/auth_enable_test.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/go-test/deep"
 	"github.com/hashicorp/vault/helper/builtinplugins"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/mitchellh/cli"
@@ -86,6 +87,12 @@ func TestAuthEnableCommand_Run(t *testing.T) {
 		code := cmd.Run([]string{
 			"-path", "auth_integration/",
 			"-description", "The best kind of test",
+			"-audit-non-hmac-request-keys", "foo,bar",
+			"-audit-non-hmac-response-keys", "foo,bar",
+			"-passthrough-request-headers", "authorization,authentication",
+			"-passthrough-request-headers", "www-authentication",
+			"-allowed-response-headers", "authorization",
+			"-listing-visibility", "unauth",
 			"userpass",
 		})
 		if exp := 0; code != exp {
@@ -113,6 +120,18 @@ func TestAuthEnableCommand_Run(t *testing.T) {
 		if exp := "The best kind of test"; authInfo.Description != exp {
 			t.Errorf("expected %q to be %q", authInfo.Description, exp)
 		}
+		if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, authInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"authorization"}, authInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
+		}
 	})
 
 	t.Run("communication_failure", func(t *testing.T) {

command/auth_tune.go

@@ -26,6 +26,8 @@ type AuthTuneCommand struct {
 	flagDescription               string
 	flagListingVisibility         string
 	flagMaxLeaseTTL               time.Duration
+	flagPassthroughRequestHeaders []string
+	flagAllowedResponseHeaders    []string
 	flagOptions                   map[string]string
 	flagTokenType                 string
 	flagVersion                   int
@@ -107,6 +109,20 @@ func (c *AuthTuneCommand) Flags() *FlagSets {
 			"or a previously configured value for the auth method.",
 	})
 
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNamePassthroughRequestHeaders,
+		Target: &c.flagPassthroughRequestHeaders,
+		Usage: "Comma-separated string or list of request header values that " +
+			"will be sent to the plugin",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAllowedResponseHeaders,
+		Target: &c.flagAllowedResponseHeaders,
+		Usage: "Comma-separated string or list of response header values that " +
+			"plugins will be allowed to set",
+	})
+
 	f.StringMapVar(&StringMapVar{
 		Name:       "options",
 		Target:     &c.flagOptions,
@@ -194,6 +210,14 @@ func (c *AuthTuneCommand) Run(args []string) int {
 			mountConfigInput.ListingVisibility = c.flagListingVisibility
 		}
 
+		if fl.Name == flagNamePassthroughRequestHeaders {
+			mountConfigInput.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
+		}
+
+		if fl.Name == flagNameAllowedResponseHeaders {
+			mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
+		}
+
 		if fl.Name == flagNameTokenType {
 			mountConfigInput.TokenType = c.flagTokenType
 		}

command/auth_tune_test.go

@@ -4,6 +4,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/go-test/deep"
 	"github.com/hashicorp/vault/api"
 	"github.com/mitchellh/cli"
 )
@@ -92,6 +93,9 @@ func TestAuthTuneCommand_Run(t *testing.T) {
 				"-max-lease-ttl", "1h",
 				"-audit-non-hmac-request-keys", "foo,bar",
 				"-audit-non-hmac-response-keys", "foo,bar",
+				"-passthrough-request-headers", "authorization",
+				"-passthrough-request-headers", "www-authentication",
+				"-allowed-response-headers", "authorization,www-authentication",
 				"-listing-visibility", "unauth",
 				"my-auth/",
 			})
@@ -126,6 +130,18 @@ func TestAuthTuneCommand_Run(t *testing.T) {
 			if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
 				t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
 			}
+			if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
+			}
 		})
 
 		t.Run("flags_description", func(t *testing.T) {

command/secrets_enable_test.go

@@ -5,6 +5,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/go-test/deep"
 	"github.com/hashicorp/vault/helper/builtinplugins"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/mitchellh/cli"
@@ -107,6 +108,11 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
 			"-description", "The best kind of test",
 			"-default-lease-ttl", "30m",
 			"-max-lease-ttl", "1h",
+			"-audit-non-hmac-request-keys", "foo,bar",
+			"-audit-non-hmac-response-keys", "foo,bar",
+			"-passthrough-request-headers", "authorization,authentication",
+			"-passthrough-request-headers", "www-authentication",
+			"-allowed-response-headers", "authorization",
 			"-force-no-cache",
 			"pki",
 		})
@@ -144,6 +150,19 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
 		if exp := true; mountInfo.Config.ForceNoCache != exp {
 			t.Errorf("expected %t to be %t", mountInfo.Config.ForceNoCache, exp)
 		}
+		if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"authorization"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
+		}
+		if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
+			t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
+		}
+
 	})
 
 	t.Run("communication_failure", func(t *testing.T) {

command/secrets_tune.go

@@ -26,6 +26,8 @@ type SecretsTuneCommand struct {
 	flagDescription               string
 	flagListingVisibility         string
 	flagMaxLeaseTTL               time.Duration
+	flagPassthroughRequestHeaders []string
+	flagAllowedResponseHeaders    []string
 	flagOptions                   map[string]string
 	flagVersion                   int
 }
@@ -106,6 +108,20 @@ func (c *SecretsTuneCommand) Flags() *FlagSets {
 			"TTL, or a previously configured value for the secrets engine.",
 	})
 
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNamePassthroughRequestHeaders,
+		Target: &c.flagPassthroughRequestHeaders,
+		Usage: "Comma-separated string or list of request header values that " +
+			"will be sent to the plugin",
+	})
+
+	f.StringSliceVar(&StringSliceVar{
+		Name:   flagNameAllowedResponseHeaders,
+		Target: &c.flagAllowedResponseHeaders,
+		Usage: "Comma-separated string or list of response header values that " +
+			"plugins will be allowed to set",
+	})
+
 	f.StringMapVar(&StringMapVar{
 		Name:       "options",
 		Target:     &c.flagOptions,
@@ -189,6 +205,14 @@ func (c *SecretsTuneCommand) Run(args []string) int {
 		if fl.Name == flagNameListingVisibility {
 			mountConfigInput.ListingVisibility = c.flagListingVisibility
 		}
+
+		if fl.Name == flagNamePassthroughRequestHeaders {
+			mountConfigInput.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
+		}
+
+		if fl.Name == flagNameAllowedResponseHeaders {
+			mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
+		}
 	})
 
 	if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil {

command/secrets_tune_test.go

@@ -4,6 +4,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/go-test/deep"
 	"github.com/hashicorp/vault/api"
 	"github.com/mitchellh/cli"
 )
@@ -166,6 +167,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
 				"-max-lease-ttl", "1h",
 				"-audit-non-hmac-request-keys", "foo,bar",
 				"-audit-non-hmac-response-keys", "foo,bar",
+				"-passthrough-request-headers", "authorization",
+				"-passthrough-request-headers", "www-authentication",
+				"-allowed-response-headers", "authorization,www-authentication",
 				"-listing-visibility", "unauth",
 				"mount_tune_integration/",
 			})
@@ -200,6 +204,18 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
 			if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
 				t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
 			}
+			if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
+				t.Errorf("Failed to find expected values for PassthroughRequestHeaders. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
+			}
+			if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
+				t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
+			}
 		})
 
 		t.Run("flags_description", func(t *testing.T) {

vault/logical_system.go

@@ -898,6 +898,13 @@ func (b *SystemBackend) handleMount(ctx context.Context, req *logical.Request, d
 	var apiConfig APIMountConfig
 
 	configMap := data.Get("config").(map[string]interface{})
+	// Augmenting configMap for some config options to treat them as comma separated entries
+	err := expandStringValsWithCommas(configMap)
+	if err != nil {
+		return logical.ErrorResponse(
+				"unable to parse given auth config information"),
+			logical.ErrInvalidRequest
+	}
 	if configMap != nil && len(configMap) != 0 {
 		err := mapstructure.Decode(configMap, &apiConfig)
 		if err != nil {
@@ -1564,7 +1571,6 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
 
 	if rawVal, ok := data.GetOk("allowed_response_headers"); ok {
 		headers := rawVal.([]string)
-
 		oldVal := mountEntry.Config.AllowedResponseHeaders
 		mountEntry.Config.AllowedResponseHeaders = headers
 
@@ -1869,6 +1875,31 @@ func (b *SystemBackend) handleAuthTable(ctx context.Context, req *logical.Reques
 	return resp, nil
 }
 
+func expandStringValsWithCommas(configMap map[string]interface{}) error {
+	configParamNameSlice := []string{
+		"audit_non_hmac_request_keys",
+		"audit_non_hmac_response_keys",
+		"passthrough_request_headers",
+		"allowed_response_headers",
+	}
+	for _, paramName := range configParamNameSlice {
+		if raw, ok := configMap[paramName]; ok {
+			switch t := raw.(type) {
+			case string:
+				// To be consistent with auth tune, and in cases where a single comma separated strings
+				// is provided in the curl command, we split the entries by the commas.
+				rawNew := raw.(string)
+				res, err := parseutil.ParseCommaStringSlice(rawNew)
+				if err != nil {
+					return fmt.Errorf("invalid input parameter %v of type %v", paramName, t)
+				}
+				configMap[paramName] = res
+			}
+		}
+	}
+	return nil
+}
+
 // handleEnableAuth is used to enable a new credential backend
 func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 	repState := b.Core.ReplicationState()
@@ -1895,6 +1926,13 @@ func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Reque
 	var apiConfig APIMountConfig
 
 	configMap := data.Get("config").(map[string]interface{})
+	// Augmenting configMap for some config options to treat them as comma separated entries
+	err := expandStringValsWithCommas(configMap)
+	if err != nil {
+		return logical.ErrorResponse(
+				"unable to parse given auth config information"),
+			logical.ErrInvalidRequest
+	}
 	if configMap != nil && len(configMap) != 0 {
 		err := mapstructure.Decode(configMap, &apiConfig)
 		if err != nil {

website/content/api-docs/system/auth.mdx

@@ -83,20 +83,20 @@ For example, enable the "foo" auth method will make it accessible at
   - `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a
     string duration like "5s" or "30m".
 
-  - `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys
+  - `audit_non_hmac_request_keys` `(array: [])` - List of keys that will not be
-    that will not be HMAC'd by audit devices in the request data object.
+    HMAC'd by audit devices in the request data object.
 
-  - `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys
+  - `audit_non_hmac_response_keys` `(array: [])` - List of keys that will not be
-    that will not be HMAC'd by audit devices in the response data object.
+    HMAC'd by audit devices in the response data object.
 
   - `listing_visibility` `(string: "")` - Specifies whether to show this mount
     in the UI-specific listing endpoint.
 
-  - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
+  - `passthrough_request_headers` `(array: [])` - List of headers to whitelist
-    to whitelist and pass from the request to the plugin.
+    and pass from the request to the plugin.
 
-  - `allowed_response_headers` `(array: [])` - Comma-separated list of headers
+  - `allowed_response_headers` `(array: [])` - List of headers to whitelist,
-    to whitelist, allowing a plugin to include them in the response.
+    allowing a plugin to include them in the response.
 
 Additionally, the following options are allowed in Vault open-source, but
 relevant functionality is only supported in Vault Enterprise:
@@ -217,22 +217,20 @@ can be achieved without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
 - `description` `(string: "")` – Specifies the description of the mount. This
   overrides the current stored value, if any.
 
-- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated
+- `audit_non_hmac_request_keys` `(array: [])` - Specifies the list of keys
-  list of keys that will not be HMAC'd by audit devices in the request data
+  that will not be HMAC'd by audit devices in the request data object.
-  object.
 
-- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated
+- `audit_non_hmac_response_keys` `(array: [])` - Specifies the list of keys
-  list of keys that will not be HMAC'd by audit devices in the response data
+  that will not be HMAC'd by audit devices in the response data object.
-  object.
 
 - `listing_visibility` `(string: "")` - Specifies whether to show this mount
   in the UI-specific listing endpoint. Valid values are `"unauth"` or `""`.
 
-- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
+- `passthrough_request_headers` `(array: [])` - List of headers to whitelist
-  to whitelist and pass from the request to the plugin.
+  and pass from the request to the plugin.
 
-- `allowed_response_headers` `(array: [])` - Comma-separated list of headers
+- `allowed_response_headers` `(array: [])` - List of headers to whitelist,
-  to whitelist, allowing a plugin to include them in the response.
+  allowing a plugin to include them in the response.
 
 - `token_type` `(string: "")` – Specifies the type of tokens that should be
   returned by the mount. The following values are available:

website/content/api-docs/system/mounts.mdx

@@ -137,21 +137,21 @@ This endpoint enables a new secrets engine at the given path.
 
   - `force_no_cache` `(bool: false)` - Disable caching.
 
-  - `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys
+  - `audit_non_hmac_request_keys` `(array: [])` - List of keys that will not be
-    that will not be HMAC'd by audit devices in the request data object.
+    HMAC'd by audit devices in the request data object.
 
-  - `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys
+  - `audit_non_hmac_response_keys` `(array: [])` - List of keys that will not be
-    that will not be HMAC'd by audit devices in the response data object.
+    HMAC'd by audit devices in the response data object.
 
   - `listing_visibility` `(string: "")` - Specifies whether to show this mount
     in the UI-specific listing endpoint. Valid values are `"unauth"` or
     `"hidden"`. If not set, behaves like `"hidden"`.
 
-  - `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
+  - `passthrough_request_headers` `(array: [])` - List of headers to whitelist
-    to whitelist and pass from the request to the plugin.
+    and pass from the request to the plugin.
 
-  - `allowed_response_headers` `(array: [])` - Comma-separated list of headers
+  - `allowed_response_headers` `(array: [])` - List of headers to whitelist,
-    to whitelist, allowing a plugin to include them in the response.
+    allowing a plugin to include them in the response.
 
 - `options` `(map<string|string>: nil)` - Specifies mount type specific options
   that are passed to the backend.
@@ -261,23 +261,21 @@ This endpoint tunes configuration parameters for a given mount point.
 - `description` `(string: "")` – Specifies the description of the mount. This
   overrides the current stored value, if any.
 
-- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated
+- `audit_non_hmac_request_keys` `(array: [])` - Specifies the list of keys that
-  list of keys that will not be HMAC'd by audit devices in the request data
+  will not be HMAC'd by audit devices in the request data object.
-  object.
 
-- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated
+- `audit_non_hmac_response_keys` `(array: [])` - Specifies the list of keys that
-  list of keys that will not be HMAC'd by audit devices in the response data
+  will not be HMAC'd by audit devices in the response data object.
-  object.
 
 - `listing_visibility` `(string: "")` - Specifies whether to show this mount in
   the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`.
   If not set, behaves like `"hidden"`.
 
-- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers
+- `passthrough_request_headers` `(array: [])` - List of headers to whitelist
-  to whitelist and pass from the request to the plugin.
+  and pass from the request to the plugin.
 
-- `allowed_response_headers` `(array: [])` - Comma-separated list of headers
+- `allowed_response_headers` `(array: [])` - List of headers to whitelist,
-  to whitelist, allowing a plugin to include them in the response.
+  allowing a plugin to include them in the response.
 
 ### Sample Payload
 

website/content/docs/commands/auth/enable.mdx

@@ -57,12 +57,29 @@ flags](/docs/commands) included on all commands.
   configured default lease TTL, or a previously configured value for the auth
   method.
 
+- `-passthrough-request-headers` `(string: "")` - request header values that will
+  be sent to the auth method. Note that multiple keys may be
+  specified by providing this option multiple times, each time with 1 key.
+
+- `-allowed-response-headers` `(string: "")` - response header values that the auth
+  method will be allowed to set. Note that multiple keys may be
+  specified by providing this option multiple times, each time with 1 key.
+
 - `-description` `(string: "")` - Human-friendly description for the purpose of
   this auth method.
 
+- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the
+  mount in the UI-specific listing endpoint.
+
 - `-local` `(bool: false)` - Mark the auth method as local-only. Local auth
   methods are not replicated nor removed by replication.
 
+- `-max-lease-ttl` `(string: "")` - The maximum lease duration, specified as
+  a string duration like "5s" or "30m".
+
 - `-path` `(string: "")` - Place where the auth method will be accessible. This
   must be unique across all auth methods. This defaults to the "type" of the
   auth method. The auth method will be accessible at `/auth/<path>`.
+
+- `-seal-wrap` `(bool: false)` - Enable seal wrapping for the mount, causing
+  values stored by the mount to be wrapped by the seal's encryption capability.

website/content/docs/commands/auth/tune.mdx

@@ -32,6 +32,9 @@ $ vault auth tune -audit-non-hmac-request-keys=value1 -audit-non-hmac-request-ke
 The following flags are available in addition to the [standard set of
 flags](/docs/commands) included on all commands.
 
+- `-allowed-response-headers` `(string: "")` - response header values that the auth
+  method will be allowed to set.
+
 - `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd
   by audit devices in the request data object. Note that multiple keys may be
   specified by providing this option multiple times, each time with 1 key.
@@ -45,7 +48,21 @@ flags](/docs/commands) included on all commands.
   configured default lease TTL, or a previously configured value for the auth
   method.
 
+- `-description` `(string: "")` - Specifies the description of the auth method.
+  This overrides the current stored value, if any.
+
+- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the
+  mount in the UI-specific listing endpoint.
+
 - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this auth
   method. If unspecified, this defaults to the Vault server's globally
   configured maximum lease TTL, or a previously configured value for the auth
   method.
+
+- `-passthrough-request-headers` `(string: "")` - request header values that will
+  be sent to the auth method. Note that multiple keys may be
+  specified by providing this option multiple times, each time with 1 key.
+
+- `-token-type` `(string: "")` - Specifies the type of tokens that should be
+  returned by the auth method. Note that multiple keys may be
+  specified by providing this option multiple times, each time with 1 key.

website/content/docs/commands/secrets/enable.mdx

@@ -90,3 +90,11 @@ flags](/docs/commands) included on all commands.
 - `-path` `(string: "")` Place where the secrets engine will be accessible. This
   must be unique cross all secrets engines. This defaults to the "type" of the
   secrets engine.
+
+- `-passthrough-request-headers` `(string: "")` - request header values that will
+  be sent to the secrets engine. Note that multiple keys may be
+  specified by providing this option multiple times, each time with 1 key.
+
+- `-allowed-response-headers` `(string: "")` - response header values that the secrets
+  engine will be allowed to set. Note that multiple keys may be
+  specified by providing this option multiple times, each time with 1 key.

website/content/docs/commands/secrets/tune.mdx

@@ -32,6 +32,10 @@ $ vault secrets tune -audit-non-hmac-request-keys=value1 -audit-non-hmac-request
 The following flags are available in addition to the [standard set of
 flags](/docs/commands) included on all commands.
 
+`-allowed-response-headers` `(string: "")` - response header values that the
+  secrets engine will be allowed to set. Note that multiple keys may be
+  specified by providing this option multiple times, each time with 1 key.
+
 - `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd
   by audit devices in the request data object. Note that multiple keys may be
   specified by providing this option multiple times, each time with 1 key.
@@ -45,7 +49,17 @@ flags](/docs/commands) included on all commands.
   configured default lease TTL, or a previously configured value for the secrets
   engine.
 
+- `-description` `(string: "")` - Specifies the description of the mount.
+  This overrides the current stored value, if any.
+
+- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the
+  mount in the UI-specific listing endpoint.
+
 - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets
   engine. If unspecified, this defaults to the Vault server's globally
   configured maximum lease TTL, or a previously configured value for the secrets
   engine.
+
+- `-passthrough-request-headers` `(string: "")` - request header values that will
+  be sent to the secrets engine. Note that multiple keys may be
+  specified by providing this option multiple times, each time with 1 key.