Closed ianferguson closed 3 years ago
@steve-perkins Any chance you would have time to review this brief PR?
@marc-szalkiewicz-dd Sorry. I left BetterCloud late last year, and no longer have access to do anything with this repo. My new employer uses Vault only via the Agent Injector in Kubernetes sidecars, so I haven't used the Java driver or been in the codebase in quite some time.
There was a transition plan before I left, but that was pre-COVID. I don't know what the current situation is, and am not in ongoing contact.
For anyone needing this PR: I've forked this library and released a v6.0.0 version that is the same as the final BetterCloud/vault-java-driver 5.1.0, as well as a v6.1.0 version that includes the contents of this pull request:
Vault Agent (can) require consumers to include an X-Vault-Request header to guard against some SSRF attacks for users of the Vault Agent, particularly in auto-auth mode: https://www.vaultproject.io/api#the-x-vault-request-header

The hashicorp/vault Golang client adds this header to every outgoing request already: https://github.com/hashicorp/vault/pull/7627/files, this PR adds the same functionality to vault-java-driver
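The header check described above, as an added example (not code from this pull request or from vault-java-driver): a local stand-in listener rejects any request lacking `X-Vault-Request: true`, and a client sends one request without the header and one with it. The stand-in server, its 412 status, the request path, and the class and method names are assumptions of this example.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class VaultRequestHeaderDemo {
    static final String HEADER = "X-Vault-Request";

    // Hypothetical stand-in for an agent listener that requires the header.
    // The 412 status is this example's choice, not taken from the page.
    static HttpServer startStandInAgent() throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", exchange -> {
            boolean ok = "true".equals(exchange.getRequestHeaders().getFirst(HEADER));
            byte[] body = (ok ? "ok" : "missing " + HEADER + " header")
                    .getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(ok ? 200 : 412, body.length);
            try (OutputStream out = exchange.getResponseBody()) {
                out.write(body);
            }
        });
        server.start();
        return server;
    }

    // Sends a GET and returns the status code. A request made without the
    // header models one that a server-side fetcher was tricked into issuing:
    // the URL is attacker-influenced, but custom headers are not.
    static int get(HttpClient client, URI uri, boolean withHeader) throws Exception {
        HttpRequest.Builder builder = HttpRequest.newBuilder(uri).GET();
        if (withHeader) {
            builder.header(HEADER, "true");
        }
        return client.send(builder.build(), HttpResponse.BodyHandlers.discarding()).statusCode();
    }

    public static void main(String[] args) throws Exception {
        HttpServer agent = startStandInAgent();
        try {
            // Constructed request path for the demo.
            URI uri = URI.create("http://127.0.0.1:" + agent.getAddress().getPort() + "/v1/sys/health");
            HttpClient client = HttpClient.newHttpClient();
            System.out.println("without header: " + get(client, uri, false));
            System.out.println("with header:    " + get(client, uri, true));
        } finally {
            agent.stop(0);
        }
    }
}
```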