Add -mount flag to kv list command
#19378
Conversation
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
| c.UI.Error(err.Error()) | ||
| return 2 | ||
| } | ||
| // If true, we're working with "-mount=secret foo" syntax. |
There was a problem hiding this comment.
logic is the same as in kv put
https://github.com/hashicorp/vault/blob/d35be2d0de3d1c036248570c538c2051c4c1dc57/command/kv_put.go#L144C2-L176
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
| path and secret path, with /data/ automatically appended between KV | ||
| v2 secrets.`, |
There was a problem hiding this comment.
| path and secret path, with /data/ automatically appended between KV | |
| v2 secrets.`, | |
| path and secret path, with /data/ automatically inserted between the two | |
| paths for KV-v2 secrets.`, |
There was a problem hiding this comment.
There was a problem hiding this comment.
Perhaps adjusting both descriptions for clarity would help.
| // v1 | ||
| if mountFlagSyntax { | ||
| fullPath = path.Join(mountPath, partialPath) | ||
| } else { |
There was a problem hiding this comment.
It's a bit hard to follow these if blocks, perhaps they can be rearranged a bit for clarity? In particular we are doing path.Join(...) for kv-v1 here yet for kv-v2 in the previous if block.
There was a problem hiding this comment.
just copied the logic from kv put
each command in kv ... does this a little differently, going to look to consolidate the logic in a subsequent ticket
There was a problem hiding this comment.
Thanks for taking a look at this! The reason that I didn't have a -mount flag for this command is not that I forgot it so much as it behaved a little differently from the others so I just kinda skipped it, but I think it's tripped up a few people so it's definitely worth adding.
Here's the thing about this command: the kv list command is the only one that lets you pass just the mount path itself with no secret path at all. When you do this, it shows all the secrets at that mount path, and indeed I think this is a common use case for the command.
For example, let's say I have some secrets I've created inside the secret mount path.
If I run your code with the traditional way of passing the path:
$ vault kv list secret
Keys
----
foo
bar
vs with the -mount flag:
$ vault kv list -mount=secret
Not enough arguments (expected 1, got 0)
So basically, if you can fix it so that version of the command doesn't throw an error, and instead returns the same thing as the version without the flag, then I think this will be good to go!
|
@digivava
Lets see if there's a way to pull that off, thank you! |
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Would it be reasonable to require a "/" or a "." parameter to be provided for this edge case: vault kv list -mount=secret / |
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com>
| { | ||
| // this is behavior that should be tested | ||
| // `kv` here is an explicit mount | ||
| // `my-prefix` is not | ||
| // the current kv code will ignore `my-prefix` | ||
| name: "ignore_multi_part_mounts", | ||
| args: []string{"-mount", "kv/my-prefix"}, | ||
| outStrings: []string{"my-prefix"}, | ||
| code: 0, | ||
| }, |
There was a problem hiding this comment.
@digivava when you have a moment, can you give this PR another pass please?
resolves #17399