Add support for HEAD operations #19520

Merged on Mar 21, 2023 (3 commits)

@cipherboy (Contributor) commented:

In support of beginning ACME support, we need to allow Vault plugins to respond to HEAD operations. See Section 6.5.1 and 7.2 for the usage in the ACME protocol.

This operation is implemented like a regular operation and it is up to the plugin to correctly handle responding with only header information without processing other details of the request. Plugins which do not support HEAD operations on a specified endpoint will return 404.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy added the enhancement, core, secret/pki and core/http labels Mar 13, 2023
@cipherboy added this to the 1.14 milestone Mar 13, 2023
@stevendpclark (Contributor) left a comment:

lgtm, would be good to get someone from Core to look at it though.

Also is there any special handling required to allow un-auth'd paths to perform HEAD ops?

sdk/logical/request.go (review thread resolved)

@cipherboy (Contributor, Author) commented:

> Also is there any special handling required to allow un-auth'd paths to perform HEAD ops?

I don't think so, my branch here used it: https://github.com/hashicorp/vault-enterprise/tree/cipherboy-add-acme -- if you build the earlier 9032b78dca7bf38df0314b20bc2917e2feb288d5 (top commit doesn't build apparently :-D) and do:

```
$ vault secrets enable pki
$ vault write /sys/mounts/pki/tune allowed_response_headers=Replay-Nonce,Cache-Control
$ curl -v -X HEAD http://localhost:8200/v1/pki/acme/new-nonce
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the 
Warning: way you want. Consider using -I/--head instead.
*   Trying 127.0.0.1:8200...
* Connected to localhost (127.0.0.1) port 8200 (#0)
> HEAD /v1/pki/acme/new-nonce HTTP/1.1
> Host: localhost:8200
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Cache-Control: no-store
< Cache-Control: no-store
< Content-Type: application/json
< Replay-Nonce: IY8ELCbzCodCxaFhEzHwpc3HvdUP
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Date: Mon, 13 Mar 2023 17:33:32 GMT
< 
* Connection #0 to host localhost left intact
```

it works without a Vault token.
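
The manual curl check above can be turned into a repeatable test. The following is an added example, not code from this pull request or from Vault: it sends unauthenticated HEAD requests and verifies that each response is uncacheable and carries a fresh, base64url-encoded `Replay-Nonce`, as ACME (RFC 8555) requires. The handler is a constructed stand-in built on plain `net/http`, and all function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newNonceHandler is a constructed stand-in endpoint (plain net/http, not Vault's plugin API).
func newNonceHandler(w http.ResponseWriter, r *http.Request) {
	buf := make([]byte, 21)
	if _, err := rand.Read(buf); err != nil {
		panic(err) // fail closed rather than hand out a predictable nonce
	}
	w.Header().Set("Replay-Nonce", base64.RawURLEncoding.EncodeToString(buf))
	w.Header().Set("Cache-Control", "no-store") // a cached response would replay the nonce
}

// checkNewNonce sends two HEAD requests with no Vault token and validates the headers.
func checkNewNonce(url string) error {
	for i, prev := 0, ""; i < 2; i++ {
		resp, err := http.Head(url)
		if err != nil {
			return err
		}
		resp.Body.Close()
		nonce := resp.Header.Get("Replay-Nonce")
		raw, decErr := base64.RawURLEncoding.DecodeString(nonce)
		switch {
		case resp.StatusCode/100 != 2 || resp.Header.Get("Cache-Control") != "no-store":
			return fmt.Errorf("status %d, Cache-Control %q", resp.StatusCode, resp.Header.Get("Cache-Control"))
		case decErr != nil || len(raw) == 0:
			return fmt.Errorf("missing or malformed Replay-Nonce %q", nonce)
		case nonce == prev:
			return fmt.Errorf("nonce %q was issued twice", nonce)
		}
		prev = nonce
	}
	return nil
}

func checkHandler(h http.HandlerFunc) error {
	srv := httptest.NewServer(h) // loopback-only test server
	defer srv.Close()
	return checkNewNonce(srv.URL)
}

func main() { fmt.Println(checkHandler(newNonceHandler)) }
```

To run the same check against a live mount, pass its new-nonce URL to `checkNewNonce`; the mount must list `Replay-Nonce` and `Cache-Control` in `allowed_response_headers`, as in the tune command above.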

@cipherboy requested a review from a team March 13, 2023 17:36

@cipherboy (Contributor, Author) commented:

TestAgent_Template_Basic failed in CI but passed locally, suspecting it is a flakey test so rerunning.

@cipherboy (Contributor, Author) commented:

Thank you all! Merging...

@cipherboy merged commit 38fc3e7 into main Mar 21, 2023
@cipherboy deleted the cipherboy-add-support-for-HEAD-operations branch April 21, 2023 13:06