Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VAULT-6433: Add namespace path to MFA read/list endpoints #16911

Merged
merged 4 commits into from Aug 29, 2022
Merged

VAULT-6433: Add namespace path to MFA read/list endpoints #16911

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
dcff276
VAULT-6433 Add namespace_path to MFA endpoints
VioletHynes Aug 26, 2022
befcaf4
VAULT-6433 add changelog
VioletHynes Aug 26, 2022
80d50fd
VAULT-6433 Return error in case of error
VioletHynes Aug 26, 2022
90102f6
VAULT-6433 Make logic a bit more concise
VioletHynes Aug 29, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
3 changes: 3 additions & 0 deletions changelog/16911.txt
View file
Open in desktop
@@ -0,0 +1,3 @@
```release-note:improvement
api/mfa: Add namespace path to the MFA read/list endpoint
```
8 changes: 8 additions & 0 deletions vault/external_tests/mfa/login_mfa_test.go
View file
Open in desktop
Expand Up @@ -138,6 +138,14 @@ func TestLoginMFA_Method_CRUD(t *testing.T) {
t.Fatal("expected response id to match existing method id but it didn't")
}

if resp.Data["namespace_id"] != "root" {
t.Fatalf("namespace id was not root, it was %s", resp.Data["namespace_id"])
}

if resp.Data["namespace_path"] != "" {
t.Fatalf("namespace path was not empty, it was %s", resp.Data["namespace_path"])
}

// listing should show it
resp, err = client.Logical().List(myPath)
if err != nil {
Expand Down
8 changes: 8 additions & 0 deletions vault/login_mfa.go
View file
Open in desktop
Expand Up @@ -1361,6 +1361,10 @@ func (b *LoginMFABackend) mfaLoginEnforcementConfigByNameAndNamespace(name, name
func (b *LoginMFABackend) mfaLoginEnforcementConfigToMap(eConfig *mfa.MFAEnforcementConfig) (map[string]interface{}, error) {
resp := make(map[string]interface{})
resp["name"] = eConfig.Name
ns, err := b.namespacer.NamespaceByID(context.Background(), eConfig.NamespaceID)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we handle the error if it is not nil?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not really sure - I don't like failing silently but similarly, the endpoint wouldn't have complained before and would have e.g. returned error, so I thought it best to keep the previous behaviour somewhat consistent (i.e. not introducing ways it could fail now where it wouldn't before).

I'm happy to change to e.g. returning the error if you feel it's appropriate!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this check is done all over the place. My preference would be to do it here as well. But, I don't have a strong feeling about it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do you feel about changing this logic to the following instead?

ns, err := b.namespacer.NamespaceByID(context.Background(), eConfig.NamespaceID)
if ns == nil || err != nil {
 return nil, err
}

resp["namespace_path"] = ns.Path
...

It's a bit more concise, but the same logic, so feel free to ignore :).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good suggestion, changed!

if ns != nil && err == nil {
resp["namespace_path"] = ns.Path
}
resp["namespace_id"] = eConfig.NamespaceID
resp["mfa_method_ids"] = append([]string{}, eConfig.MFAMethodIDs...)
resp["auth_method_accessors"] = append([]string{}, eConfig.AuthMethodAccessors...)
Expand Down Expand Up @@ -1417,6 +1421,10 @@ func (b *MFABackend) mfaConfigToMap(mConfig *mfa.Config) (map[string]interface{}
respData["id"] = mConfig.ID
respData["name"] = mConfig.Name
respData["namespace_id"] = mConfig.NamespaceID
ns, err := b.namespacer.NamespaceByID(context.Background(), mConfig.NamespaceID)
if ns != nil && err == nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The same comment about error handling here

respData["namespace_path"] = ns.Path
}

return respData, nil
}
Expand Down