-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to list secrets at the root of a KV2 secrets engine #255
Comments
Thanks for reporting this issue, @RyanW8! I was able to reproduce it locally printing out the request using: client.SetRequestCallbacks(func(req *http.Request) {
log.Println("REQUEST:", *req)
})
Interestingly, if I don't set the namespace, it works correctly:
The issue seems to be related to the closing slash ( vault-client-go/api_secrets.go Line 3029 in cfdcbed
I believe this pattern was introduced in #197 and, if I recall correctly, there was a special handling for the root path. @maxb, do you remember what it could have been? |
Well, if it's working in the root namespace, but not in child namespaces, that's pretty clear that some Enterprise-only code is doing something wrong, or at least implementing some unspecified behaviour differently to source-available Vault. The validity, or not, of a doubled slash character at the end of the URL path is something one could debate. No documentation that I am aware of promises that it will be accepted - but a great deal of common practice surrounding URLs suggests it probably will, and Vault's behaviour in most cases backs this up. The reason the doubled slash is present in the API call generated by the library is as a result of awkward compromises mapping the Vault API to an OpenAPI spec, and then trying to generate a client library from that in an automated fashion. Fundamentally, OpenAPI is opinionated about how APIs should work, and does not give you a toolkit to retroactively specify the behaviour of any pre-existing API - and the Vault API is not fully in accordance with OpenAPI's beliefs. (Although there are preliminary indications that a future major version of OpenAPI might address this.) Regardless, with OpenAPI v3, we're stuck with producing something that is partially correct, and hoping that we can skirt around the differences between OpenAPI and Vault. There are two key issues: 1) ListOperation vs. GetOperation Vault has two entirely different APIs (list/get) which can be invoked on the same URL-path with the same HTTP method (GET). As far as Vault is concerned, they're technically distinguished by the presence/absence of a Instead, we've been able to work around this by generating URL-paths in the OpenAPI spec that are either with or without a trailing slash. That's quite a good logical fit, as Vault canonicalizes the presence/absence of the trailing slash in this way depending on the operation type, regardless of what was actually in the request. 2) APIs with a path parameter that represents part of the Vault path hierarchy Vault has lots of APIs where part of the URL (usually but not exclusively the end) is a variable number of path segments from the Vault path hierarchy. OpenAPI really doesn't support this at all. In the OpenAPI world, path parameters do not contain unescaped slashes, ever. Since the spec doesn't define such a thing, it's not surprising that code-gen tools for OpenAPI also don't implement it. The current generated client library actually encodes slashes as A possible fix client side Since the Vault API doesn't actually require the trailing slash anyway, and the only reason we have both:
is to differentiate get vs. list operations in the OpenAPI model, it ought to work to remove the trailing slash from every operation path in the code generation template. An aside
What I think you're thinking of there, is the truly bizarre generated API the library had for a while, where there was an entirely separate client library method for listing a root path vs a non-root path. We never had that for listing KVs, because it depended on exactly how the code author had written the path regexes in the Vault codebase, but an example of this may be seen in the two methods:
in the PR #197 that you mentioned. I subsequently fixed that madness in #203 |
Expected Behavior
The
KvV2List
function should return secrets & folders at the root of the secret engine when path is empty.Current Behavior
Throws a 404 error.
Failure Information
We're running Vault enterprises and are utilizing enterprise namespaces.
vault-client-go: v1.19.0
vault: v1.15.4
Vault Enterprises with namespaces enabled/being used
Steps to Reproduce
Please provide detailed steps for reproducing the issue.
...
Additional Information
Error thrown:
The text was updated successfully, but these errors were encountered: