
Vault OpenAPI is incorrect for new PKI secrets engine endpoints

Open maxb opened this issue 1 year ago • 2 comments

Describe the bug

The Vault OpenAPI generator relies on reverse-engineering path regexps to correctly generate the OpenAPI document.

Several regexps used in the new (circa 1.11) PKI secrets engine are now too complicated for the OpenAPI generator to handle correctly.

To Reproduce

  1. Mount a PKI secrets engine
  2. Examine the generated OpenAPI
  3. Observe these clearly incorrect paths:

```
/pki//delta
/pki//delta/pem
/pki//der
/pki//json
/pki//pem
/pki/internal|exported
/pki/{issuer_ref}/crl/pem|/der|/delta/pem
/pki/{issuer_ref}/der|/pem
```

Expected behavior

The Vault OpenAPI generator should generate a document which accurately describes the Vault API.

In order to achieve this, it may well be helpful to define a strict subset of regexp syntax which can be used in Vault path regexps.

maxb avatar Dec 19 '22 22:12 maxb

These are the regexes that are currently being misinterpreted:

```go
`crl(/pem|/delta(/pem)?)?`    // pathFetchCRL
"issuer/" + framework.GenericNameRegex(issuerRefParam) + "(/der|/pem|/json)?"    // pathGetIssuer
"issuer/" + framework.GenericNameRegex(issuerRefParam) + "/crl(/pem|/der|/delta(/pem|/der)?)?"    // pathGetIssuerCRL
"keys/generate/(internal|exported|kms)"    // pathGenerateKey
```

maxb avatar Dec 19 '22 22:12 maxb

Further investigation shows that the following regexes are also being misinterpreted - they just result in paths which are less obviously wrong than the other group:

```go
"issuers/import/(cert|bundle)"    // pathImportIssuer
`cert/(crl|delta-crl)`    // pathFetchCRLViaCertPath
```

maxb avatar Dec 20 '22 00:12 maxb
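What trips the generator in both groups of patterns above is nested alternation combined with optional groups. As an added illustration (not code from Vault or from this issue), the Go function below enumerates the concrete paths such a regexp actually matches, which is the set an accurate OpenAPI document would have to list; it assumes `framework.GenericNameRegex(issuerRefParam)` is written as the placeholder `{issuer_ref}`, and supports only the literal, `(a|b)` and trailing `?` syntax these patterns use.

```go
package main

// expand enumerates every concrete path matched by a Vault path regexp built from
// literals, (a|b) alternation and '?' after a group; {name} is copied through.
func expand(pattern string) []string {
	paths, rest := expandSeq(pattern)
	if rest != "" {
		panic("unbalanced ')' in pattern: " + pattern)
	}
	return paths
}

// expandSeq expands up to an unmatched ')' or '|' and returns the remainder.
func expandSeq(s string) ([]string, string) {
	results := []string{""}
	for s != "" && s[0] != ')' && s[0] != '|' { // stop at the end of this branch
		if s[0] != '(' { // literal byte: '/', '-', '{', '}', letters
			results = cross(results, []string{s[:1]})
			s = s[1:]
			continue
		}
		// alternation group: expand each branch up to its '|' or the closing ')'
		var alts []string
		s = s[1:]
		for done := false; !done; {
			branch, rest := expandSeq(s)
			if rest == "" {
				panic("missing ')' in pattern")
			}
			alts = append(alts, branch...)
			done, s = rest[0] == ')', rest[1:]
		}
		if s != "" && s[0] == '?' { // optional group: add the empty branch
			alts = append(alts, "")
			s = s[1:]
		}
		results = cross(results, alts)
	}
	return results, s
}

func cross(prefixes, suffixes []string) (out []string) {
	for _, p := range prefixes {
		for _, q := range suffixes {
			out = append(out, p+q)
		}
	}
	return out
}
```

For the pathGetIssuerCRL pattern this yields six paths, from `issuer/{issuer_ref}/crl/pem` down to the bare `issuer/{issuer_ref}/crl`, each of which is a separate OpenAPI path entry rather than the single `/{issuer_ref}/crl/pem|/der|/delta/pem` the generator currently emits.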