VAULT-2285 adding capability to accept comma separated entries for au… (#12126)

* VAULT-2285 adding capability to accept comma separated entries for auth enable/tune

* Adding changelog

* Adding logic to detect invalid input parameter for auth enable config

* Updating tune.mdx

* Updating secret enable/tune for comma separated parameters

* Adding further parameter checks for auth/secret tests
Fixing changelog
using builtin type for a switch statement
Fixing a possible panic scenario

* Changing a function name, using deep.Equal instead of what reflect package provides

* Fixing auth/secret enable/tune mdx files

* One more mdx file fix

* Only when users provide a single comma separated string in a curl command, split the entries by commas

* Fixing API docs for auth/mount enable/tune for comma separated entries

* updating docs, removing an unnecessary switch case
hghaf099 2021-08-09 15:37:03 -04:00 committed by GitHub
parent b43f9c10cc
commit f885d97774
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 265 additions and 54 deletions

changelog/12126.txt Normal file

@ -0,0 +1,3 @@
```release-note:bug
cli/api: Providing consistency for the use of comma separated parameters in auth/secret enable/tune
```


@ -5,6 +5,7 @@ import (
"strings" "strings"
"testing" "testing"
"github.com/go-test/deep"
"github.com/hashicorp/vault/helper/builtinplugins" "github.com/hashicorp/vault/helper/builtinplugins"
"github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/helper/consts"
"github.com/mitchellh/cli" "github.com/mitchellh/cli"
@ -86,6 +87,12 @@ func TestAuthEnableCommand_Run(t *testing.T) {
code := cmd.Run([]string{ code := cmd.Run([]string{
"-path", "auth_integration/", "-path", "auth_integration/",
"-description", "The best kind of test", "-description", "The best kind of test",
"-audit-non-hmac-request-keys", "foo,bar",
"-audit-non-hmac-response-keys", "foo,bar",
"-passthrough-request-headers", "authorization,authentication",
"-passthrough-request-headers", "www-authentication",
"-allowed-response-headers", "authorization",
"-listing-visibility", "unauth",
"userpass", "userpass",
}) })
if exp := 0; code != exp { if exp := 0; code != exp {
@ -113,6 +120,18 @@ func TestAuthEnableCommand_Run(t *testing.T) {
if exp := "The best kind of test"; authInfo.Description != exp { if exp := "The best kind of test"; authInfo.Description != exp {
t.Errorf("expected %q to be %q", authInfo.Description, exp) t.Errorf("expected %q to be %q", authInfo.Description, exp)
} }
if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, authInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"authorization"}, authInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"foo,bar"}, authInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
}
}) })
t.Run("communication_failure", func(t *testing.T) { t.Run("communication_failure", func(t *testing.T) {


@ -20,15 +20,17 @@ var (
type AuthTuneCommand struct { type AuthTuneCommand struct {
*BaseCommand *BaseCommand
flagAuditNonHMACRequestKeys []string flagAuditNonHMACRequestKeys []string
flagAuditNonHMACResponseKeys []string flagAuditNonHMACResponseKeys []string
flagDefaultLeaseTTL time.Duration flagDefaultLeaseTTL time.Duration
flagDescription string flagDescription string
flagListingVisibility string flagListingVisibility string
flagMaxLeaseTTL time.Duration flagMaxLeaseTTL time.Duration
flagOptions map[string]string flagPassthroughRequestHeaders []string
flagTokenType string flagAllowedResponseHeaders []string
flagVersion int flagOptions map[string]string
flagTokenType string
flagVersion int
} }
func (c *AuthTuneCommand) Synopsis() string { func (c *AuthTuneCommand) Synopsis() string {
@ -107,6 +109,20 @@ func (c *AuthTuneCommand) Flags() *FlagSets {
"or a previously configured value for the auth method.", "or a previously configured value for the auth method.",
}) })
f.StringSliceVar(&StringSliceVar{
Name: flagNamePassthroughRequestHeaders,
Target: &c.flagPassthroughRequestHeaders,
Usage: "Comma-separated string or list of request header values that " +
"will be sent to the plugin",
})
f.StringSliceVar(&StringSliceVar{
Name: flagNameAllowedResponseHeaders,
Target: &c.flagAllowedResponseHeaders,
Usage: "Comma-separated string or list of response header values that " +
"plugins will be allowed to set",
})
f.StringMapVar(&StringMapVar{ f.StringMapVar(&StringMapVar{
Name: "options", Name: "options",
Target: &c.flagOptions, Target: &c.flagOptions,
@ -194,6 +210,14 @@ func (c *AuthTuneCommand) Run(args []string) int {
mountConfigInput.ListingVisibility = c.flagListingVisibility mountConfigInput.ListingVisibility = c.flagListingVisibility
} }
if fl.Name == flagNamePassthroughRequestHeaders {
mountConfigInput.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
}
if fl.Name == flagNameAllowedResponseHeaders {
mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
}
if fl.Name == flagNameTokenType { if fl.Name == flagNameTokenType {
mountConfigInput.TokenType = c.flagTokenType mountConfigInput.TokenType = c.flagTokenType
} }


@ -4,6 +4,7 @@ import (
"strings" "strings"
"testing" "testing"
"github.com/go-test/deep"
"github.com/hashicorp/vault/api" "github.com/hashicorp/vault/api"
"github.com/mitchellh/cli" "github.com/mitchellh/cli"
) )
@ -92,6 +93,9 @@ func TestAuthTuneCommand_Run(t *testing.T) {
"-max-lease-ttl", "1h", "-max-lease-ttl", "1h",
"-audit-non-hmac-request-keys", "foo,bar", "-audit-non-hmac-request-keys", "foo,bar",
"-audit-non-hmac-response-keys", "foo,bar", "-audit-non-hmac-response-keys", "foo,bar",
"-passthrough-request-headers", "authorization",
"-passthrough-request-headers", "www-authentication",
"-allowed-response-headers", "authorization,www-authentication",
"-listing-visibility", "unauth", "-listing-visibility", "unauth",
"my-auth/", "my-auth/",
}) })
@ -126,6 +130,18 @@ func TestAuthTuneCommand_Run(t *testing.T) {
if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp { if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp) t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
} }
if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
}
}) })
t.Run("flags_description", func(t *testing.T) { t.Run("flags_description", func(t *testing.T) {


@ -5,6 +5,7 @@ import (
"strings" "strings"
"testing" "testing"
"github.com/go-test/deep"
"github.com/hashicorp/vault/helper/builtinplugins" "github.com/hashicorp/vault/helper/builtinplugins"
"github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/helper/consts"
"github.com/mitchellh/cli" "github.com/mitchellh/cli"
@ -107,6 +108,11 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
"-description", "The best kind of test", "-description", "The best kind of test",
"-default-lease-ttl", "30m", "-default-lease-ttl", "30m",
"-max-lease-ttl", "1h", "-max-lease-ttl", "1h",
"-audit-non-hmac-request-keys", "foo,bar",
"-audit-non-hmac-response-keys", "foo,bar",
"-passthrough-request-headers", "authorization,authentication",
"-passthrough-request-headers", "www-authentication",
"-allowed-response-headers", "authorization",
"-force-no-cache", "-force-no-cache",
"pki", "pki",
}) })
@ -144,6 +150,19 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
if exp := true; mountInfo.Config.ForceNoCache != exp { if exp := true; mountInfo.Config.ForceNoCache != exp {
t.Errorf("expected %t to be %t", mountInfo.Config.ForceNoCache, exp) t.Errorf("expected %t to be %t", mountInfo.Config.ForceNoCache, exp)
} }
if diff := deep.Equal([]string{"authorization,authentication", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
t.Errorf("Failed to find expected values in PassthroughRequestHeaders. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"authorization"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
}
}) })
t.Run("communication_failure", func(t *testing.T) { t.Run("communication_failure", func(t *testing.T) {


@ -20,14 +20,16 @@ var (
type SecretsTuneCommand struct { type SecretsTuneCommand struct {
*BaseCommand *BaseCommand
flagAuditNonHMACRequestKeys []string flagAuditNonHMACRequestKeys []string
flagAuditNonHMACResponseKeys []string flagAuditNonHMACResponseKeys []string
flagDefaultLeaseTTL time.Duration flagDefaultLeaseTTL time.Duration
flagDescription string flagDescription string
flagListingVisibility string flagListingVisibility string
flagMaxLeaseTTL time.Duration flagMaxLeaseTTL time.Duration
flagOptions map[string]string flagPassthroughRequestHeaders []string
flagVersion int flagAllowedResponseHeaders []string
flagOptions map[string]string
flagVersion int
} }
func (c *SecretsTuneCommand) Synopsis() string { func (c *SecretsTuneCommand) Synopsis() string {
@ -106,6 +108,20 @@ func (c *SecretsTuneCommand) Flags() *FlagSets {
"TTL, or a previously configured value for the secrets engine.", "TTL, or a previously configured value for the secrets engine.",
}) })
f.StringSliceVar(&StringSliceVar{
Name: flagNamePassthroughRequestHeaders,
Target: &c.flagPassthroughRequestHeaders,
Usage: "Comma-separated string or list of request header values that " +
"will be sent to the plugin",
})
f.StringSliceVar(&StringSliceVar{
Name: flagNameAllowedResponseHeaders,
Target: &c.flagAllowedResponseHeaders,
Usage: "Comma-separated string or list of response header values that " +
"plugins will be allowed to set",
})
f.StringMapVar(&StringMapVar{ f.StringMapVar(&StringMapVar{
Name: "options", Name: "options",
Target: &c.flagOptions, Target: &c.flagOptions,
@ -189,6 +205,14 @@ func (c *SecretsTuneCommand) Run(args []string) int {
if fl.Name == flagNameListingVisibility { if fl.Name == flagNameListingVisibility {
mountConfigInput.ListingVisibility = c.flagListingVisibility mountConfigInput.ListingVisibility = c.flagListingVisibility
} }
if fl.Name == flagNamePassthroughRequestHeaders {
mountConfigInput.PassthroughRequestHeaders = c.flagPassthroughRequestHeaders
}
if fl.Name == flagNameAllowedResponseHeaders {
mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
}
}) })
if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil { if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil {
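Review bot: Same mismatch as in the auth tune command: the Usage text says "Comma-separated string or list", yet the secrets tune test in this commit pins `"authorization,www-authentication"` as one AllowedResponseHeaders element, so an operator who follows the Usage ends up with an allowlist entry that matches no real header. Reword both Usage strings to match the docs, e.g. `Usage: "Response header value that plugins will be allowed to set. Repeat the flag to allow multiple headers.",`. If splitting is actually intended for the CLI, it must happen in the flag parser rather than relying on the server, which only splits bare strings. SecretsTuneCommand.Run continues outside the hunk.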


@ -4,6 +4,7 @@ import (
"strings" "strings"
"testing" "testing"
"github.com/go-test/deep"
"github.com/hashicorp/vault/api" "github.com/hashicorp/vault/api"
"github.com/mitchellh/cli" "github.com/mitchellh/cli"
) )
@ -166,6 +167,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
"-max-lease-ttl", "1h", "-max-lease-ttl", "1h",
"-audit-non-hmac-request-keys", "foo,bar", "-audit-non-hmac-request-keys", "foo,bar",
"-audit-non-hmac-response-keys", "foo,bar", "-audit-non-hmac-response-keys", "foo,bar",
"-passthrough-request-headers", "authorization",
"-passthrough-request-headers", "www-authentication",
"-allowed-response-headers", "authorization,www-authentication",
"-listing-visibility", "unauth", "-listing-visibility", "unauth",
"mount_tune_integration/", "mount_tune_integration/",
}) })
@ -200,6 +204,18 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp { if exp := 3600; mountInfo.Config.MaxLeaseTTL != exp {
t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp) t.Errorf("expected %d to be %d", mountInfo.Config.MaxLeaseTTL, exp)
} }
if diff := deep.Equal([]string{"authorization", "www-authentication"}, mountInfo.Config.PassthroughRequestHeaders); len(diff) > 0 {
t.Errorf("Failed to find expected values for PassthroughRequestHeaders. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"authorization,www-authentication"}, mountInfo.Config.AllowedResponseHeaders); len(diff) > 0 {
t.Errorf("Failed to find expected values in AllowedResponseHeaders. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACRequestKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACRequestKeys. Difference is: %v", diff)
}
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
}
}) })
t.Run("flags_description", func(t *testing.T) { t.Run("flags_description", func(t *testing.T) {


@ -898,6 +898,13 @@ func (b *SystemBackend) handleMount(ctx context.Context, req *logical.Request, d
var apiConfig APIMountConfig var apiConfig APIMountConfig
configMap := data.Get("config").(map[string]interface{}) configMap := data.Get("config").(map[string]interface{})
// Augmenting configMap for some config options to treat them as comma separated entries
err := expandStringValsWithCommas(configMap)
if err != nil {
return logical.ErrorResponse(
"unable to parse given auth config information"),
logical.ErrInvalidRequest
}
if configMap != nil && len(configMap) != 0 { if configMap != nil && len(configMap) != 0 {
err := mapstructure.Decode(configMap, &apiConfig) err := mapstructure.Decode(configMap, &apiConfig)
if err != nil { if err != nil {
@ -1564,7 +1571,6 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
if rawVal, ok := data.GetOk("allowed_response_headers"); ok { if rawVal, ok := data.GetOk("allowed_response_headers"); ok {
headers := rawVal.([]string) headers := rawVal.([]string)
oldVal := mountEntry.Config.AllowedResponseHeaders oldVal := mountEntry.Config.AllowedResponseHeaders
mountEntry.Config.AllowedResponseHeaders = headers mountEntry.Config.AllowedResponseHeaders = headers
@ -1869,6 +1875,31 @@ func (b *SystemBackend) handleAuthTable(ctx context.Context, req *logical.Reques
return resp, nil return resp, nil
} }
func expandStringValsWithCommas(configMap map[string]interface{}) error {
configParamNameSlice := []string{
"audit_non_hmac_request_keys",
"audit_non_hmac_response_keys",
"passthrough_request_headers",
"allowed_response_headers",
}
for _, paramName := range configParamNameSlice {
if raw, ok := configMap[paramName]; ok {
switch t := raw.(type) {
case string:
// To be consistent with auth tune, and in cases where a single comma separated strings
// is provided in the curl command, we split the entries by the commas.
rawNew := raw.(string)
res, err := parseutil.ParseCommaStringSlice(rawNew)
if err != nil {
return fmt.Errorf("invalid input parameter %v of type %v", paramName, t)
}
configMap[paramName] = res
}
}
}
return nil
}
// handleEnableAuth is used to enable a new credential backend // handleEnableAuth is used to enable a new credential backend
func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) { func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
repState := b.Core.ReplicationState() repState := b.Core.ReplicationState()
@ -1895,6 +1926,13 @@ func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Reque
var apiConfig APIMountConfig var apiConfig APIMountConfig
configMap := data.Get("config").(map[string]interface{}) configMap := data.Get("config").(map[string]interface{})
// Augmenting configMap for some config options to treat them as comma separated entries
err := expandStringValsWithCommas(configMap)
if err != nil {
return logical.ErrorResponse(
"unable to parse given auth config information"),
logical.ErrInvalidRequest
}
if configMap != nil && len(configMap) != 0 { if configMap != nil && len(configMap) != 0 {
err := mapstructure.Decode(configMap, &apiConfig) err := mapstructure.Decode(configMap, &apiConfig)
if err != nil { if err != nil {
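Review bot: The new error response in handleMount reads `"unable to parse given auth config information"`, but handleMount enables secrets engines, so a rejected mount request is reported as an auth problem; use `"unable to parse given mount config information"` there and keep the auth wording only in handleEnableAuth. In expandStringValsWithCommas, `case string:` already binds `t` to the string value, so `rawNew := raw.(string)` is a redundant re-assertion, and the `%v` of `t` in the error prints the user-supplied value under the label "of type"; write `res, err := parseutil.ParseCommaStringSlice(t)` and use `%T` for the type. Both callers discard the returned error, which is the only place the offending paramName is recorded, so the operator cannot tell which of the four fields was rejected; consider appending `err.Error()` to the response text, since these are operator-only sys/ endpoints. Note that ParseCommaStringSlice trims entries but, as far as visible here, does not drop empty ones, so `"authorization,"` may yield an empty allowlist entry that should be filtered before it is stored. handleMount and handleEnableAuth both continue outside their hunks.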


@ -83,20 +83,20 @@ For example, enable the "foo" auth method will make it accessible at
- `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a - `max_lease_ttl` `(string: "")` - The maximum lease duration, specified as a
string duration like "5s" or "30m". string duration like "5s" or "30m".
- `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys - `audit_non_hmac_request_keys` `(array: [])` - List of keys that will not be
that will not be HMAC'd by audit devices in the request data object. HMAC'd by audit devices in the request data object.
- `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys - `audit_non_hmac_response_keys` `(array: [])` - List of keys that will not be
that will not be HMAC'd by audit devices in the response data object. HMAC'd by audit devices in the response data object.
- `listing_visibility` `(string: "")` - Specifies whether to show this mount - `listing_visibility` `(string: "")` - Specifies whether to show this mount
in the UI-specific listing endpoint. in the UI-specific listing endpoint.
- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers - `passthrough_request_headers` `(array: [])` - List of headers to whitelist
to whitelist and pass from the request to the plugin. and pass from the request to the plugin.
- `allowed_response_headers` `(array: [])` - Comma-separated list of headers - `allowed_response_headers` `(array: [])` - List of headers to whitelist,
to whitelist, allowing a plugin to include them in the response. allowing a plugin to include them in the response.
Additionally, the following options are allowed in Vault open-source, but Additionally, the following options are allowed in Vault open-source, but
relevant functionality is only supported in Vault Enterprise: relevant functionality is only supported in Vault Enterprise:
@ -217,22 +217,20 @@ can be achieved without `sudo` via `sys/mounts/auth/[auth-path]/tune`._
- `description` `(string: "")` Specifies the description of the mount. This - `description` `(string: "")` Specifies the description of the mount. This
overrides the current stored value, if any. overrides the current stored value, if any.
- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated - `audit_non_hmac_request_keys` `(array: [])` - Specifies the list of keys
list of keys that will not be HMAC'd by audit devices in the request data that will not be HMAC'd by audit devices in the request data object.
object.
- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated - `audit_non_hmac_response_keys` `(array: [])` - Specifies the list of keys
list of keys that will not be HMAC'd by audit devices in the response data that will not be HMAC'd by audit devices in the response data object.
object.
- `listing_visibility` `(string: "")` - Specifies whether to show this mount - `listing_visibility` `(string: "")` - Specifies whether to show this mount
in the UI-specific listing endpoint. Valid values are `"unauth"` or `""`. in the UI-specific listing endpoint. Valid values are `"unauth"` or `""`.
- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers - `passthrough_request_headers` `(array: [])` - List of headers to whitelist
to whitelist and pass from the request to the plugin. and pass from the request to the plugin.
- `allowed_response_headers` `(array: [])` - Comma-separated list of headers - `allowed_response_headers` `(array: [])` - List of headers to whitelist,
to whitelist, allowing a plugin to include them in the response. allowing a plugin to include them in the response.
- `token_type` `(string: "")` Specifies the type of tokens that should be - `token_type` `(string: "")` Specifies the type of tokens that should be
returned by the mount. The following values are available: returned by the mount. The following values are available:


@ -137,21 +137,21 @@ This endpoint enables a new secrets engine at the given path.
- `force_no_cache` `(bool: false)` - Disable caching. - `force_no_cache` `(bool: false)` - Disable caching.
- `audit_non_hmac_request_keys` `(array: [])` - Comma-separated list of keys - `audit_non_hmac_request_keys` `(array: [])` - List of keys that will not be
that will not be HMAC'd by audit devices in the request data object. HMAC'd by audit devices in the request data object.
- `audit_non_hmac_response_keys` `(array: [])` - Comma-separated list of keys - `audit_non_hmac_response_keys` `(array: [])` - List of keys that will not be
that will not be HMAC'd by audit devices in the response data object. HMAC'd by audit devices in the response data object.
- `listing_visibility` `(string: "")` - Specifies whether to show this mount - `listing_visibility` `(string: "")` - Specifies whether to show this mount
in the UI-specific listing endpoint. Valid values are `"unauth"` or in the UI-specific listing endpoint. Valid values are `"unauth"` or
`"hidden"`. If not set, behaves like `"hidden"`. `"hidden"`. If not set, behaves like `"hidden"`.
- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers - `passthrough_request_headers` `(array: [])` - List of headers to whitelist
to whitelist and pass from the request to the plugin. and pass from the request to the plugin.
- `allowed_response_headers` `(array: [])` - Comma-separated list of headers - `allowed_response_headers` `(array: [])` - List of headers to whitelist,
to whitelist, allowing a plugin to include them in the response. allowing a plugin to include them in the response.
- `options` `(map<string|string>: nil)` - Specifies mount type specific options - `options` `(map<string|string>: nil)` - Specifies mount type specific options
that are passed to the backend. that are passed to the backend.
@ -261,23 +261,21 @@ This endpoint tunes configuration parameters for a given mount point.
- `description` `(string: "")` Specifies the description of the mount. This - `description` `(string: "")` Specifies the description of the mount. This
overrides the current stored value, if any. overrides the current stored value, if any.
- `audit_non_hmac_request_keys` `(array: [])` - Specifies the comma-separated - `audit_non_hmac_request_keys` `(array: [])` - Specifies the list of keys that
list of keys that will not be HMAC'd by audit devices in the request data will not be HMAC'd by audit devices in the request data object.
object.
- `audit_non_hmac_response_keys` `(array: [])` - Specifies the comma-separated - `audit_non_hmac_response_keys` `(array: [])` - Specifies the list of keys that
list of keys that will not be HMAC'd by audit devices in the response data will not be HMAC'd by audit devices in the response data object.
object.
- `listing_visibility` `(string: "")` - Specifies whether to show this mount in - `listing_visibility` `(string: "")` - Specifies whether to show this mount in
the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`. the UI-specific listing endpoint. Valid values are `"unauth"` or `"hidden"`.
If not set, behaves like `"hidden"`. If not set, behaves like `"hidden"`.
- `passthrough_request_headers` `(array: [])` - Comma-separated list of headers - `passthrough_request_headers` `(array: [])` - List of headers to whitelist
to whitelist and pass from the request to the plugin. and pass from the request to the plugin.
- `allowed_response_headers` `(array: [])` - Comma-separated list of headers - `allowed_response_headers` `(array: [])` - List of headers to whitelist,
to whitelist, allowing a plugin to include them in the response. allowing a plugin to include them in the response.
### Sample Payload ### Sample Payload


@ -57,12 +57,29 @@ flags](/docs/commands) included on all commands.
configured default lease TTL, or a previously configured value for the auth configured default lease TTL, or a previously configured value for the auth
method. method.
- `-passthrough-request-headers` `(string: "")` - request header values that will
be sent to the auth method. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.
- `-allowed-response-headers` `(string: "")` - response header values that the auth
method will be allowed to set. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.
- `-description` `(string: "")` - Human-friendly description for the purpose of - `-description` `(string: "")` - Human-friendly description for the purpose of
this auth method. this auth method.
- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the
mount in the UI-specific listing endpoint.
- `-local` `(bool: false)` - Mark the auth method as local-only. Local auth - `-local` `(bool: false)` - Mark the auth method as local-only. Local auth
methods are not replicated nor removed by replication. methods are not replicated nor removed by replication.
- `-max-lease-ttl` `(string: "")` - The maximum lease duration, specified as
a string duration like "5s" or "30m".
- `-path` `(string: "")` - Place where the auth method will be accessible. This - `-path` `(string: "")` - Place where the auth method will be accessible. This
must be unique across all auth methods. This defaults to the "type" of the must be unique across all auth methods. This defaults to the "type" of the
auth method. The auth method will be accessible at `/auth/<path>`. auth method. The auth method will be accessible at `/auth/<path>`.
- `-seal-wrap` `(bool: false)` - Enable seal wrapping for the mount, causing
values stored by the mount to be wrapped by the seal's encryption capability.


@ -32,6 +32,9 @@ $ vault auth tune -audit-non-hmac-request-keys=value1 -audit-non-hmac-request-ke
The following flags are available in addition to the [standard set of The following flags are available in addition to the [standard set of
flags](/docs/commands) included on all commands. flags](/docs/commands) included on all commands.
- `-allowed-response-headers` `(string: "")` - response header values that the auth
method will be allowed to set.
- `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd - `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd
by audit devices in the request data object. Note that multiple keys may be by audit devices in the request data object. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key. specified by providing this option multiple times, each time with 1 key.
@ -45,7 +48,21 @@ flags](/docs/commands) included on all commands.
configured default lease TTL, or a previously configured value for the auth configured default lease TTL, or a previously configured value for the auth
method. method.
- `-description` `(string: "")` - Specifies the description of the auth method.
This overrides the current stored value, if any.
- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the
mount in the UI-specific listing endpoint.
- `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this auth - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this auth
method. If unspecified, this defaults to the Vault server's globally method. If unspecified, this defaults to the Vault server's globally
configured maximum lease TTL, or a previously configured value for the auth configured maximum lease TTL, or a previously configured value for the auth
method. method.
- `-passthrough-request-headers` `(string: "")` - request header values that will
be sent to the auth method. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.
- `-token-type` `(string: "")` - Specifies the type of tokens that should be
returned by the auth method. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.


@ -90,3 +90,11 @@ flags](/docs/commands) included on all commands.
- `-path` `(string: "")` Place where the secrets engine will be accessible. This - `-path` `(string: "")` Place where the secrets engine will be accessible. This
must be unique cross all secrets engines. This defaults to the "type" of the must be unique cross all secrets engines. This defaults to the "type" of the
secrets engine. secrets engine.
- `-passthrough-request-headers` `(string: "")` - request header values that will
be sent to the secrets engine. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.
- `-allowed-response-headers` `(string: "")` - response header values that the secrets
engine will be allowed to set. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.


@ -32,6 +32,10 @@ $ vault secrets tune -audit-non-hmac-request-keys=value1 -audit-non-hmac-request
The following flags are available in addition to the [standard set of The following flags are available in addition to the [standard set of
flags](/docs/commands) included on all commands. flags](/docs/commands) included on all commands.
`-allowed-response-headers` `(string: "")` - response header values that the
secrets engine will be allowed to set. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.
- `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd - `-audit-non-hmac-request-keys` `(string: "")` - Key that will not be HMAC'd
by audit devices in the request data object. Note that multiple keys may be by audit devices in the request data object. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key. specified by providing this option multiple times, each time with 1 key.
@ -45,7 +49,17 @@ flags](/docs/commands) included on all commands.
configured default lease TTL, or a previously configured value for the secrets configured default lease TTL, or a previously configured value for the secrets
engine. engine.
- `-description` `(string: "")` - Specifies the description of the mount.
This overrides the current stored value, if any.
- `-listing-visibility` `(string: "")` - The flag to toggle whether to show the
mount in the UI-specific listing endpoint.
- `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets - `-max-lease-ttl` `(duration: "")` - The maximum lease TTL for this secrets
engine. If unspecified, this defaults to the Vault server's globally engine. If unspecified, this defaults to the Vault server's globally
configured maximum lease TTL, or a previously configured value for the secrets configured maximum lease TTL, or a previously configured value for the secrets
engine. engine.
- `-passthrough-request-headers` `(string: "")` - request header values that will
be sent to the secrets engine. Note that multiple keys may be
specified by providing this option multiple times, each time with 1 key.