CLI Vault unwrap command doesn't work with the versioned key/value secret engine

[micheldlebeau]

Describe the bug
The Vault CLI unwrap command doesn't support the new KV Secret Engine, hitting secret/ instead of secret/data/.

To Reproduce
Steps to reproduce the behavior:

1. Run vault kv put secret/foo test=1

Key              Value
---              -----
created_time     2018-06-08T08:11:34.357837509Z
deletion_time    n/a
destroyed        false
version          1

2. Run vault kv get -wrap-ttl=60s secret/foo

vault kv get -wrap-ttl=60s secret/foo
Key                              Value
---                              -----
wrapping_token:                  aebfb959-e174-ef37-9ff0-a58a930d9b74
wrapping_accessor:               3dd357e4-4793-996e-677f-ba811514217b
wrapping_token_ttl:              1m
wrapping_token_creation_time:    2018-06-08 08:11:55.330138156 +0000 UTC
wrapping_token_creation_path:    secret/foo

3. Run vault unwrap <wrapping-token>

vault unwrap aebfb959-e174-ef37-9ff0-a58a930d9b74
Key                  Value
---                  -----
http_content_type    application/json
http_raw_body        eyJyZXF1ZXN0X2lkIjoiNzgwZmVhZWQtNzdiOS1iNTA1LTI4MTAtNzIyN2Y4NzE3OTg0IiwibGVhc2VfaWQiOiIiLCJyZW5ld2FibGUiOmZhbHNlLCJsZWFzZV9kdXJhdGlvbiI6MCwiZGF0YSI6bnVsbCwid3JhcF9pbmZvIjpudWxsLCJ3YXJuaW5ncyI6WyJJbnZhbGlkIHBhdGggZm9yIGEgdmVyc2lvbmVkIEsvViBzZWNyZXRzIGVuZ2luZS4gU2VlIHRoZSBBUEkgZG9jcyBmb3IgdGhlIGFwcHJvcHJpYXRlIEFQSSBlbmRwb2ludHMgdG8gdXNlLiBJZiB1c2luZyB0aGUgVmF1bHQgQ0xJLCB1c2UgJ3ZhdWx0IGt2IGdldCcgZm9yIHRoaXMgb3BlcmF0aW9uLiJdLCJhdXRoIjpudWxsfQ==
http_status_code     404

3. Decode the http_raw_body

echo "eyJyZXF1ZXN0X2lkIjoiNzgwZmVhZWQtNzdiOS1iNTA1LTI4MTAtNzIyN2Y4NzE3OTg0IiwibGVhc2VfaWQiOiIiLCJyZW5ld2FibGUiOmZhbHNlLCJsZWFzZV9kdXJhdGlvbiI6MCwiZGF0YSI6bnVsbCwid3JhcF9pbmZvIjpudWxsLCJ3YXJuaW5ncyI6WyJJbnZhbGlkIHBhdGggZm9yIGEgdmVyc2lvbmVkIEsvViBzZWNyZXRzIGVuZ2luZS4gU2VlIHRoZSBBUEkgZG9jcyBmb3IgdGhlIGFwcHJvcHJpYXRlIEFQSSBlbmRwb2ludHMgdG8gdXNlLiBJZiB1c2luZyB0aGUgVmF1bHQgQ0xJLCB1c2UgJ3ZhdWx0IGt2IGdldCcgZm9yIHRoaXMgb3BlcmF0aW9uLiJdLCJhdXRoIjpudWxsfQ==" | base64 -d
{"request_id":"780feaed-77b9-b505-2810-7227f8717984","lease_id":"","renewable":false,"lease_duration":0,"data":null,"wrap_info":null,"warnings":["Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv get' for this operation."],"auth":null}

Expected behavior
I should receive the original secret.

Environment:

• Vault Server Version (retrieve with vault status): 0.10.1
• Vault CLI Version (retrieve with vault version): Vault v0.10.1 ('756fdc4587350daf1c65b93647b2cc31a6f119cd')
• Server Operating System/Architecture: ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20180522 (ami-58d7e821)

Vault server configuration file(s):
Running Vault in dev mode

[meirish]

This was fixed in 0.10.2 via #4511 . Let us know if you’re still experiencing this after upgrading and we can re-open. Thanks!

[micheldlebeau]

Hi @meirish, I just upgraded, did the same test, and got this as an output of the vault unwrap <wrapping-token>:

Key         Value
---         -----
data        map[test:1]
metadata    map[created_time:2018-06-08T13:08:42.61887267Z deletion_time: destroyed:false version:1]

Tha's still quite different from what the previous behaviour was like, and not that useful for a CLI, unless you use -field=data -format=json and then you still end up with a JSON object. Should I open a new issue or are you happy with re-opening this one?

[jefferai]

The problem is that unwrap is generic and doesn't know how to format things in the same way that the vault kv command does -- what you're seeing is the same as you'd see if using vault read. We could think about some heuristics like if secret data contains both data and metadata maps but that seems fragile. Alternately could think about adding vault kv unwrap.

[micheldlebeau]

I guess there are two ways to fix it, either by allowing unwrap to handle kv v2, or by splitting unwrap in two different commands:

• Option 1: vault kv get has the logic to handle both v1 and v2, so the same logic could be applied to unwrap, as long as unwrap can make the distinction between tokens and KV
• Option 2:vault unwrap is split in vault unwrap token and vault unwrap kv (or vault kv unwrap)