Closed FinHorsley closed 2 months ago
Hey @FinHorsley,
public async Task<Secret<ListInfo>> ReadSecretPathsAsync(string path, string mountPoint = null, string wrapTimeToLive = null)
Here is a link to its usage and documentation: https://github.com/rajanadar/VaultSharp#list-secrets
Hey there is this method already available, can you validate if this works?
Thanks, @konidev20
@konidev20 Ah, sorry I sent the wrong request 🤦♂️
I meant to use the following, to get a list of all keys at the mountPath (rather than just all keys for a given secret path, within a mountPath)
curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    https://127.0.0.1:8200/v1/kv-clients/metadata
which gives a response of
{"request_id":"6a7fb8b6-ce32-86cc-5075-16c3403418c4","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["client:x","client:y","client:q","client:z"]},"wrap_info":null,"warnings":null,"auth":null}
However, I can't do the same with VaultSharp as ReadSecretPathsAsync requires the path and mountPath. I tried passing null (and string.Empty), see below, but that errored with a Vault exception
await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync(
    null, // 👈 causes Vault exception
    mountPoint: "kv-clients");
Got it working with the following, but I'm not sure if this is abusing the VaultSharp methods?
await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretPathsAsync(
    "/", // 👈 returns all keys in mountPath "kv-clients"
    mountPoint: "kv-clients");
However, I can't do the same with VaultSharp as ReadSecretPathsAsync requires the path and mountPath. I tried passing null (and string.Empty), see below, but that errored with a Vault exception
You're right, this is because we have a Checker.NotNull("path"), in the KeyValueSecretsEngineV2Provider.
Got it working with the following, but I'm not sure if this is abusing the VaultSharp methods?
The code snippet you provided would certainly work. And IMO is not a misuse.
I think we can do without the Checker.NotNull("path"). I will raise a PR with that change. According to the API reference, it must be allowed.
[Edit]
Vault documentation shows that the path value is <required>.
path (string: <required>) – Specifies the path of the secrets to list. This is specified as part of the URL.
I would recommend you continue with the second method you have shown above.
[/Edit]
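Building on the "/" call recommended above, an added example (not part of the thread and not VaultSharp's own code) that walks the whole mount: in a KV v2 list response a key ending in "/" is a sub-folder, so the same call is repeated for each one. The names KvInventory and ListAllAsync are hypothetical, the token is assumed to come from the VAULT_TOKEN environment variable, and that token needs the list capability on the mount's metadata path.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Threading.Tasks;
using VaultSharp;
using VaultSharp.Core;
using VaultSharp.V1.AuthMethods.Token;

public static class KvInventory // hypothetical helper, not a VaultSharp type
{
    // Walks a KV v2 mount from its root and returns every secret path (names only, never values).
    public static async Task<List<string>> ListAllAsync(IVaultClient client, string mountPoint)
    {
        var found = new List<string>();
        var pending = new Stack<string>();
        pending.Push("/"); // mount root, the value that worked in the thread
        while (pending.Count > 0)
        {
            var folder = pending.Pop();
            IEnumerable<string> keys;
            try
            {
                keys = (await client.V1.Secrets.KeyValue.V2
                    .ReadSecretPathsAsync(folder, mountPoint: mountPoint)).Data.Keys;
            }
            catch (VaultApiException ex) when (ex.HttpStatusCode == HttpStatusCode.NotFound)
            {
                continue; // Vault answers 404 when nothing is stored under this path
            }
            foreach (var key in keys)
            {
                var full = folder.TrimStart('/') + key;          // e.g. "team/" + "client:x"
                if (key.EndsWith("/")) pending.Push(full);       // trailing slash marks a sub-folder
                else found.Add(full);
            }
        }
        return found;
    }

    public static async Task Main()
    {
        // Assumptions: server address taken from the curl call in the thread, token from VAULT_TOKEN.
        var token = Environment.GetEnvironmentVariable("VAULT_TOKEN");
        var settings = new VaultClientSettings("https://127.0.0.1:8200", new TokenAuthMethodInfo(token));
        foreach (var path in await ListAllAsync(new VaultClient(settings), "kv-clients"))
            Console.WriteLine(path);
    }
}
```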
Describe the feature request or question: Support for listing all keys at mount-path.
e.g.
Link to the Vault API Docs that support this feature: https://developer.hashicorp.com/vault/api-docs/secret/kv/kv-v2#list-secrets
Additional context: N/A