api: Add deprecation warnings to secrets/auth POST endpoints (#17058)

* api: Add deprecation warnings to endpoints * Add changelog
hashicorp · Sep 8, 2022 · 4d03c49 · 4d03c49
1 parent 03d2be4
commit 4d03c49
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 14 deletions.
diff --git a/changelog/17058.txt b/changelog/17058.txt
@@ -0,0 +1,6 @@
+```release-note:change
+auth: `POST /sys/auth/:type` endpoint response contains a warning for `Deprecated` auth methods.
+```
+```release-note:change
+secrets: `POST /sys/mounts/:type` endpoint response contains a warning for `Deprecated` secrets engines.
+```
diff --git a/vault/logical_system.go b/vault/logical_system.go
@@ -1145,13 +1145,19 @@ func (b *SystemBackend) handleMount(ctx context.Context, req *logical.Request, d
 		Version:               version,
 	}
 
+	// Detect and handle deprecated secrets engines
+	resp, err := b.Core.handleDeprecatedMountEntry(ctx, me, consts.PluginTypeSecrets)
+	if err != nil {
+		return handleError(err)
+	}
+
 	// Attempt mount
 	if err := b.Core.mount(ctx, me); err != nil {
 		b.Backend.Logger().Error("error occurred during enable mount", "path", me.Path, "error", err)
 		return handleError(err)
 	}
 
-	return nil, nil
+	return resp, nil
 }
 
 func (b *SystemBackend) handleReadMount(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
@@ -2385,7 +2391,7 @@ func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Reque
 		Version:               version,
 	}
 
-	err = b.Core.handleDeprecatedMountEntry(ctx, me, consts.PluginTypeCredential)
+	resp, err := b.Core.handleDeprecatedMountEntry(ctx, me, consts.PluginTypeCredential)
 	if err != nil {
 		return handleError(err)
 	}
@@ -2395,7 +2401,7 @@ func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Reque
 		b.Backend.Logger().Error("error occurred during enable credential", "path", me.Path, "error", err)
 		return handleError(err)
 	}
-	return nil, nil
+	return resp, nil
 }
 
 // handleDisableAuth is used to disable a credential backend

diff --git a/vault/mount.go b/vault/mount.go
@@ -464,7 +464,7 @@ func (c *Core) decodeMountTable(ctx context.Context, raw []byte) (*MountTable, e
 		}
 
 		// Immediately shutdown the core if deprecated mounts are detected and VAULT_ALLOW_PENDING_REMOVAL_MOUNTS is unset
-		if err := c.handleDeprecatedMountEntry(ctx, entry, consts.PluginTypeUnknown); err != nil {
+		if _, err := c.handleDeprecatedMountEntry(ctx, entry, consts.PluginTypeUnknown); err != nil {
 			c.logger.Error("shutting down core", "error", err)
 			c.Shutdown()
 		}
@@ -591,11 +591,6 @@ func (c *Core) mountInternal(ctx context.Context, entry *MountEntry, updateStora
 		addFilterablePath(c, viewPath)
 	}
 
-	// Detect and handle deprecated secrets engines
-	if err := c.handleDeprecatedMountEntry(ctx, entry, consts.PluginTypeSecrets); err != nil {
-		return err
-	}
-
 	nilMount, err := preprocessMount(c, entry, view)
 	if err != nil {
 		return err
@@ -923,9 +918,9 @@ func (c *Core) taintMountEntry(ctx context.Context, nsID, mountPath string, upda
 // * PendingRemoval - log an error about builtin deprecation and return an error
 // if VAULT_ALLOW_PENDING_REMOVAL_MOUNTS is unset
 // * Removed - log an error about builtin deprecation and return an error
-func (c *Core) handleDeprecatedMountEntry(ctx context.Context, entry *MountEntry, pluginType consts.PluginType) error {
+func (c *Core) handleDeprecatedMountEntry(ctx context.Context, entry *MountEntry, pluginType consts.PluginType) (*logical.Response, error) {
 	if c.builtinRegistry == nil || entry == nil {
-		return nil
+		return nil, nil
 	}
 
 	// Allow type to be determined from mount entry when not otherwise specified
@@ -941,26 +936,31 @@ func (c *Core) handleDeprecatedMountEntry(ctx context.Context, entry *MountEntry
 
 	status, ok := c.builtinRegistry.DeprecationStatus(t, pluginType)
 	if ok {
+		resp := &logical.Response{}
 		// Deprecation sublogger with some identifying information
 		dl := c.logger.With("name", t, "type", pluginType, "status", status, "path", entry.Path)
 		errDeprecatedMount := fmt.Errorf("mount entry associated with %s builtin", status)
 
 		switch status {
 		case consts.Deprecated:
 			dl.Warn(errDeprecatedMount.Error())
+			resp.AddWarning(errDeprecatedMount.Error())
+			return resp, nil
 
 		case consts.PendingRemoval:
 			dl.Error(errDeprecatedMount.Error())
 			if allow := os.Getenv(consts.VaultAllowPendingRemovalMountsEnv); allow == "" {
-				return fmt.Errorf("could not mount %q: %w", t, errDeprecatedMount)
+				return nil, fmt.Errorf("could not mount %q: %w", t, errDeprecatedMount)
 			}
+			resp.AddWarning(errDeprecatedMount.Error())
 			c.Logger().Info("mount allowed by environment variable", "env", consts.VaultAllowPendingRemovalMountsEnv)
+			return resp, nil
 
 		case consts.Removed:
-			return fmt.Errorf("could not mount %s: %w", t, errDeprecatedMount)
+			return nil, fmt.Errorf("could not mount %s: %w", t, errDeprecatedMount)
 		}
 	}
-	return nil
+	return nil, nil
 }
 
 // remountForceInternal takes a copy of the mount entry for the path and fully unmounts