-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add possibility to decode generated encoded root token to api #20595
Add possibility to decode generated encoded root token to api #20595
Conversation
Hi @l-with, thanks for writing this improvement. I can't remember why we didn't do this already. Maybe we just thought that it wasn't worth creating an endpoint to do an XOR? If so that was probably wrongheaded, this seems like a good addition to me today. My main objection to the way you've implemented this is that you're following the example of other code related to root token generation and putting the handler in the http package, then adding an explicit mux.Handle call to the handler. I would like us to have as few such handlers as possible. The ones we have currently all have some reason why they can't be treated like regular logical requests, e.g. they don't want to return a JSON response, or they want to use unseal/recovery keys as their authentication mechanism, or they want to work even when Vault is sealed. I can't see of any reason why your new endpoint couldn't be handled as a logical request, as in a new SystemBackend method invoked via a new path handler added in NewSystemBackend. I'm guessing you want to make it Unauthenticated, which is probably fine, and which you can also configure in NewSystemBackend. |
Hi @ncabatoff, thank you for the positive feedback. I spent a few hours to understand the implementation structure. The current implementation was the way I found out. Sorry, I accentually closed the request. It was not my intention. |
Hi @ncabatoff |
Yup, this is exactly what I had in mind. I think you're almost there, except for the tests. |
Thanks, I'll refactor the test also. |
Not sure I understand. If you mean where your handler returns
then I don't know of a more succinct way to do it. And we need to return that type (and put the returned value(s) in the Data map) in order to conform to expectations for how a regular Vault endpoint behaves. |
Thanks for the quick answer. I asked because of the difference in the structure of the response_body between the backend handlers, e.g. /sys/internal/ui/mounts and the http handlers, e.g. /sys/generate-root/attempt. |
@ncabatoff |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple of little cleanups are needed, but overall this looks nearly done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! One last minor improvement suggestion for you to consider, it's optional though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good! One last minor improvement suggestion for you to consider, it's optional though.
Oh, sorry, I forgot about docs. Could I trouble you to add the new endpoint to the api docs? I can give you some pointers if it's not clear what's involved... you seem to be pretty good at figuring this stuff out on your own though so I'm not sure you need the help. |
The latter, e.g. https://github.com/hashicorp/vault/blob/main/website/content/api-docs/system/generate-root.mdx |
Sorry, I deleted my comment, since I already started exactly what you suggested. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Docs look good, one last tweak to the changelog and I'll merge it
Sorry, one more request: one of our checks is failing:
Could you add a godoc to the test func explaining its purpose please? |
done |
solves #5236 (closed)
this makes it possible to get a root token completely using the API by adding the possibility to decode the generated encoded root token at /v1/sys/decode-token
I think it's a good thing if the API supports the same things as the cli (here vault itself).