api: Add deprecation warnings to endpoints #17058

Merged
merged 2 commits into from
Sep 8, 2022
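--- a/changelog/17058.txt
+++ b/changelog/17058.txt
@@ -0,0 +1,6 @@
+```release-note:change
+auth: `POST /sys/auth/:type` endpoint response contains a warning for `Deprecated` auth methods.
+```
+```release-note:change
+secrets: `POST /sys/mounts/:type` endpoint response contains a warning for `Deprecated` secrets engines.
+```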
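--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -1145,13 +1145,19 @@ func (b *SystemBackend) handleMount(ctx context.Context, req *logical.Request, d
 Version: version,
 }
 
+// Detect and handle deprecated secrets engines
+resp, err := b.Core.handleDeprecatedMountEntry(ctx, me, consts.PluginTypeSecrets)
+if err != nil {
+return handleError(err)
+}
+
 // Attempt mount
 if err := b.Core.mount(ctx, me); err != nil {
 b.Backend.Logger().Error("error occurred during enable mount", "path", me.Path, "error", err)
 return handleError(err)
 }
 
-return nil, nil
+return resp, nil
 }
 
 func (b *SystemBackend) handleReadMount(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
@@ -2385,7 +2391,7 @@ func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Reque
 Version: version,
 }
 
-err = b.Core.handleDeprecatedMountEntry(ctx, me, consts.PluginTypeCredential)
+resp, err := b.Core.handleDeprecatedMountEntry(ctx, me, consts.PluginTypeCredential)
 if err != nil {
 return handleError(err)
 }
@@ -2395,7 +2401,7 @@ func (b *SystemBackend) handleEnableAuth(ctx context.Context, req *logical.Reque
 b.Backend.Logger().Error("error occurred during enable credential", "path", me.Path, "error", err)
 return handleError(err)
 }
-return nil, nil
+return resp, nil
 }
 
 // handleDisableAuth is used to disable a credential backend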
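Review bot: The secrets-engine deprecation gate now runs only in handleMount, at `resp, err := b.Core.handleDeprecatedMountEntry(ctx, me, consts.PluginTypeSecrets)`, while the same commit deletes the equivalent check from mountInternal in vault/mount.go (hunk @@ -591). If c.mount is reachable from any path other than this handler, which this diff does not show, a PendingRemoval or Removed builtin could be mounted there without the refusal, leaving the VAULT_ALLOW_PENDING_REMOVAL_MOUNTS policy enforced only at the API layer. Either keep an error-only check in mountInternal as defense in depth, or add a comment on handleMount such as `// Sole enforcement point for builtin deprecation status on mount; callers of c.mount bypass it` so a later internal caller does not skip it unknowingly. The body of handleMount begins before this hunk.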
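--- a/vault/mount.go
+++ b/vault/mount.go
@@ -464,7 +464,7 @@ func (c *Core) decodeMountTable(ctx context.Context, raw []byte) (*MountTable, e
 }
 
 // Immediately shutdown the core if deprecated mounts are detected and VAULT_ALLOW_PENDING_REMOVAL_MOUNTS is unset
-if err := c.handleDeprecatedMountEntry(ctx, entry, consts.PluginTypeUnknown); err != nil {
+if _, err := c.handleDeprecatedMountEntry(ctx, entry, consts.PluginTypeUnknown); err != nil {
 c.logger.Error("shutting down core", "error", err)
 c.Shutdown()
 }
@@ -591,11 +591,6 @@ func (c *Core) mountInternal(ctx context.Context, entry *MountEntry, updateStora
 addFilterablePath(c, viewPath)
 }
 
-// Detect and handle deprecated secrets engines
-if err := c.handleDeprecatedMountEntry(ctx, entry, consts.PluginTypeSecrets); err != nil {
-return err
-}
-
 nilMount, err := preprocessMount(c, entry, view)
 if err != nil {
 return err
@@ -923,9 +918,9 @@ func (c *Core) taintMountEntry(ctx context.Context, nsID, mountPath string, upda
 // * PendingRemoval - log an error about builtin deprecation and return an error
 // if VAULT_ALLOW_PENDING_REMOVAL_MOUNTS is unset
 // * Removed - log an error about builtin deprecation and return an error
-func (c *Core) handleDeprecatedMountEntry(ctx context.Context, entry *MountEntry, pluginType consts.PluginType) error {
+func (c *Core) handleDeprecatedMountEntry(ctx context.Context, entry *MountEntry, pluginType consts.PluginType) (*logical.Response, error) {
 if c.builtinRegistry == nil || entry == nil {
-return nil
+return nil, nil
 }
 
 // Allow type to be determined from mount entry when not otherwise specified
@@ -941,26 +936,31 @@ func (c *Core) handleDeprecatedMountEntry(ctx context.Context, entry *MountEntry
 
 status, ok := c.builtinRegistry.DeprecationStatus(t, pluginType)
 if ok {
+resp := &logical.Response{}
 // Deprecation sublogger with some identifying information
 dl := c.logger.With("name", t, "type", pluginType, "status", status, "path", entry.Path)
 errDeprecatedMount := fmt.Errorf("mount entry associated with %s builtin", status)
 
 switch status {
 case consts.Deprecated:
 dl.Warn(errDeprecatedMount.Error())
+resp.AddWarning(errDeprecatedMount.Error())
+return resp, nil
 
 case consts.PendingRemoval:
 dl.Error(errDeprecatedMount.Error())
 if allow := os.Getenv(consts.VaultAllowPendingRemovalMountsEnv); allow == "" {
-return fmt.Errorf("could not mount %q: %w", t, errDeprecatedMount)
+return nil, fmt.Errorf("could not mount %q: %w", t, errDeprecatedMount)
 }
+resp.AddWarning(errDeprecatedMount.Error())
 c.Logger().Info("mount allowed by environment variable", "env", consts.VaultAllowPendingRemovalMountsEnv)
+return resp, nil
 
 case consts.Removed:
-return fmt.Errorf("could not mount %s: %w", t, errDeprecatedMount)
+return nil, fmt.Errorf("could not mount %s: %w", t, errDeprecatedMount)
 }
 }
-return nil
+return nil, nil
 }
 
 // remountForceInternal takes a copy of the mount entry for the path and fully unmounts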
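Review bot: The doc comment on handleDeprecatedMountEntry (the context lines `// * PendingRemoval - log an error about builtin deprecation and return an error` and `// * Removed - ...`) still describes the old error-only contract, while the signature now returns `(*logical.Response, error)` and attaches the deprecation message as a warning for Deprecated, and for PendingRemoval when VAULT_ALLOW_PENDING_REMOVAL_MOUNTS is set. Extend the comment to state that the returned response is non-nil only in those two cases and carries the message via AddWarning, and that it is nil whenever an error is returned or the builtin has no deprecation status. Separately, the allowed-PendingRemoval branch that now gains `resp.AddWarning` still logs through `c.Logger().Info(...)` rather than the `dl` sublogger built just above, so that line lacks the name/type/status/path fields the other deprecation log lines carry; `dl.Info("mount allowed by environment variable", "env", consts.VaultAllowPendingRemovalMountsEnv)` would keep the override event correlatable with the error logged beside it.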