CLI changes for new mount tune config parameter allowed_managed_keys (#13255)
* CLI changes for new mount tune config parameter allowed_managed_keys * Correct allowed_managed_keys description in auth and secrets * Documentation update for secrets and removed changes for auth * Add changelog and remove documentation changes for auth * removed changelog * Correct the field description
This commit is contained in:
divyapola5
GitHub
parent
14d2f08b0f
commit
bcdc57fc00
@ -116,6 +116,8 @@ const (
|
||||
flagNameAllowedResponseHeaders = "allowed-response-headers"
|
||||
// flagNameTokenType is the flag name used to force a specific token type
|
||||
flagNameTokenType = "token-type"
|
||||
// flagNameAllowedManagedKeys is the flag name used for auth/secrets enable
|
||||
flagNameAllowedManagedKeys = "allowed-managed-keys"
|
||||
)
|
||||
|
||||
var (
|
||||
|
||||
@ -37,6 +37,7 @@ type SecretsEnableCommand struct {
|
||||
flagSealWrap bool
|
||||
flagExternalEntropyAccess bool
|
||||
flagVersion int
|
||||
flagAllowedManagedKeys []string
|
||||
}
|
||||
|
||||
func (c *SecretsEnableCommand) Synopsis() string {
|
||||
@ -209,6 +210,15 @@ func (c *SecretsEnableCommand) Flags() *FlagSets {
|
||||
Usage: "Select the version of the engine to run. Not supported by all engines.",
|
||||
})
|
||||
|
||||
f.StringSliceVar(&StringSliceVar{
|
||||
Name: flagNameAllowedManagedKeys,
|
||||
Target: &c.flagAllowedManagedKeys,
|
||||
Usage: "Managed key name(s) that the mount in question is allowed to access. " +
|
||||
"Note that multiple keys may be specified either by providing the key names " +
|
||||
"as a comma separated string or by providing this option multiple times, " +
|
||||
"each time with 1 key.",
|
||||
})
|
||||
|
||||
return set
|
||||
}
|
||||
|
||||
@ -307,6 +317,10 @@ func (c *SecretsEnableCommand) Run(args []string) int {
|
||||
if fl.Name == flagNameAllowedResponseHeaders {
|
||||
mountInput.Config.AllowedResponseHeaders = c.flagAllowedResponseHeaders
|
||||
}
|
||||
|
||||
if fl.Name == flagNameAllowedManagedKeys {
|
||||
mountInput.Config.AllowedManagedKeys = c.flagAllowedManagedKeys
|
||||
}
|
||||
})
|
||||
|
||||
if err := client.Sys().Mount(mountPath, mountInput); err != nil {
|
||||
|
||||
@ -113,6 +113,7 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
|
||||
"-passthrough-request-headers", "authorization,authentication",
|
||||
"-passthrough-request-headers", "www-authentication",
|
||||
"-allowed-response-headers", "authorization",
|
||||
"-allowed-managed-keys", "key1,key2",
|
||||
"-force-no-cache",
|
||||
"pki",
|
||||
})
|
||||
@ -162,6 +163,9 @@ func TestSecretsEnableCommand_Run(t *testing.T) {
|
||||
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
|
||||
t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
|
||||
}
|
||||
if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
|
||||
t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
|
||||
}
|
||||
|
||||
})
|
||||
|
||||
|
||||
@ -30,6 +30,7 @@ type SecretsTuneCommand struct {
|
||||
flagAllowedResponseHeaders []string
|
||||
flagOptions map[string]string
|
||||
flagVersion int
|
||||
flagAllowedManagedKeys []string
|
||||
}
|
||||
|
||||
func (c *SecretsTuneCommand) Synopsis() string {
|
||||
@ -137,6 +138,15 @@ func (c *SecretsTuneCommand) Flags() *FlagSets {
|
||||
Usage: "Select the version of the engine to run. Not supported by all engines.",
|
||||
})
|
||||
|
||||
f.StringSliceVar(&StringSliceVar{
|
||||
Name: flagNameAllowedManagedKeys,
|
||||
Target: &c.flagAllowedManagedKeys,
|
||||
Usage: "Managed key name(s) that the mount in question is allowed to access. " +
|
||||
"Note that multiple keys may be specified either by providing the key names " +
|
||||
"as a comma separated string or by providing this option multiple times, " +
|
||||
"each time with 1 key.",
|
||||
})
|
||||
|
||||
return set
|
||||
}
|
||||
|
||||
@ -213,6 +223,10 @@ func (c *SecretsTuneCommand) Run(args []string) int {
|
||||
if fl.Name == flagNameAllowedResponseHeaders {
|
||||
mountConfigInput.AllowedResponseHeaders = c.flagAllowedResponseHeaders
|
||||
}
|
||||
|
||||
if fl.Name == flagNameAllowedManagedKeys {
|
||||
mountConfigInput.AllowedManagedKeys = c.flagAllowedManagedKeys
|
||||
}
|
||||
})
|
||||
|
||||
if err := client.Sys().TuneMount(mountPath, mountConfigInput); err != nil {
|
||||
|
||||
@ -170,6 +170,7 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
|
||||
"-passthrough-request-headers", "authorization",
|
||||
"-passthrough-request-headers", "www-authentication",
|
||||
"-allowed-response-headers", "authorization,www-authentication",
|
||||
"-allowed-managed-keys", "key1,key2",
|
||||
"-listing-visibility", "unauth",
|
||||
"mount_tune_integration/",
|
||||
})
|
||||
@ -216,6 +217,9 @@ func TestSecretsTuneCommand_Run(t *testing.T) {
|
||||
if diff := deep.Equal([]string{"foo,bar"}, mountInfo.Config.AuditNonHMACResponseKeys); len(diff) > 0 {
|
||||
t.Errorf("Failed to find expected values in AuditNonHMACResponseKeys. Difference is: %v", diff)
|
||||
}
|
||||
if diff := deep.Equal([]string{"key1,key2"}, mountInfo.Config.AllowedManagedKeys); len(diff) > 0 {
|
||||
t.Errorf("Failed to find expected values in AllowedManagedKeys. Difference is: %v", diff)
|
||||
}
|
||||
})
|
||||
|
||||
t.Run("flags_description", func(t *testing.T) {
|
||||
|
||||
@ -98,3 +98,8 @@ flags](/docs/commands) included on all commands.
|
||||
- `-allowed-response-headers` `(string: "")` - response header values that the secrets
|
||||
engine will be allowed to set. Note that multiple keys may be
|
||||
specified by providing this option multiple times, each time with 1 key.
|
||||
|
||||
- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
|
||||
in question is allowed to access. Note that multiple keys may be specified
|
||||
either by providing the key names as a comma separated string or by providing
|
||||
this option multiple times, each time with 1 key.
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
layout: docs
|
||||
page_title: secrets tune - Command
|
||||
description: |-
|
||||
The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH.
|
||||
The "secrets tune" command tunes the configuration options for the secrets engine at the given PATH.
|
||||
---
|
||||
|
||||
# secrets tune
|
||||
@ -86,3 +86,8 @@ flags](/docs/commands) included on all commands.
|
||||
- `-passthrough-request-headers` `(string: "")` - request header values that will
|
||||
be sent to the secrets engine. Note that multiple keys may be
|
||||
specified by providing this option multiple times, each time with 1 key.
|
||||
|
||||
- `-allowed-managed-keys` `(string: "")` - Managed key name(s) that the mount
|
||||
in question is allowed to access. Note that multiple keys may be specified
|
||||
either by providing the key names as a comma separated string or by providing
|
||||
this option multiple times, each time with 1 key.
|
||||
|
||||
Loading…
Reference in New Issue
Block a user