feat: add flags to the plugin and implement show config token flag (#168)

* feat: add flags to the plugin and implement show config token flag

* test: flags for plugin

* docs: added flags

Author: ilijamt

README.md

@@ -81,6 +81,14 @@ you may or may not be able to access certain paths.
     ^token/(?P<role_name>\w(([\w-.]+)?\w)?)$
         Generate an access token based on the specified role
 ```
+## Flags
+
+There are some flags we can specify to enable/disable some functionality in the vault plugin.
+
+
+|       Flag        | Default value | Description                                                                            |
+|:-----------------:|:-------------:|:---------------------------------------------------------------------------------------|
+| show-config-token |     false     | Display the token value when reading a config on it's endpoint like `/config/default`. |
 
 ## Security Model
 
@@ -370,7 +378,7 @@ token_sha1_hash       91a91bb30f816770081c570504c5e2723bcb1f38
 type                  self-managed
 ```
 
-**Important**: Token will be shown only after rotation, and it will not be shown again.
+**Important**: Token will be shown only after rotation, and it will not be shown again. (Unless the plugin is started with the `-show-config-token` flag)
 
 ## Upgrading
 

backend.go

@@ -27,11 +27,18 @@ with the "^config/(?P<config_name>\w(([\w-.@]+)?\w)?)$" endpoints.
 `
 )
 
+func Factory(flags Flags) logical.Factory {
+	return func(ctx context.Context, config *logical.BackendConfig) (logical.Backend, error) {
+		return factory(ctx, config, flags)
+	}
+}
+
 // Factory returns expected new Backend as logical.Backend
-func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend, error) {
+func factory(ctx context.Context, conf *logical.BackendConfig, flags Flags) (logical.Backend, error) {
 	var b = &Backend{
 		roleLocks: locksutil.CreateLocks(),
 		clients:   sync.Map{},
+		flags:     flags,
 	}
 
 	b.Backend = &framework.Backend{
@@ -74,6 +81,8 @@ func Factory(ctx context.Context, conf *logical.BackendConfig) (logical.Backend,
 type Backend struct {
 	*framework.Backend
 
+	flags Flags
+
 	// The client that we can use to create and revoke the access tokens
 	clients sync.Map
 

cmd/vault-plugin-secrets-gitlab/main.go

@@ -17,15 +17,18 @@ var (
 func main() {
 	apiClientMeta := &api.PluginAPIClientMeta{}
 	flags := apiClientMeta.FlagSet()
+	pf := &gat.Flags{}
+	pf.FlagSet(flags)
 
 	fatalIfError(flags.Parse(os.Args[1:]))
 
 	tlsConfig := apiClientMeta.GetTLSConfig()
 	tlsProviderFunc := api.VaultPluginTLSProvider(tlsConfig)
 
 	fatalIfError(plugin.ServeMultiplex(&plugin.ServeOpts{
-		BackendFactoryFunc: gat.Factory,
+		BackendFactoryFunc: gat.Factory(*pf),
 		TLSProviderFunc:    tlsProviderFunc,
+		Logger:             logger,
 	}))
 }
 

entry_config.go

@@ -139,7 +139,7 @@ func (e *EntryConfig) UpdateFromFieldData(data *framework.FieldData) (warnings [
 	return warnings, err
 }
 
-func (e *EntryConfig) LogicalResponseData() map[string]any {
+func (e *EntryConfig) LogicalResponseData(includeToken bool) (data map[string]any) {
 	var tokenExpiresAt, tokenCreatedAt = "", ""
 	if !e.TokenExpiresAt.IsZero() {
 		tokenExpiresAt = e.TokenExpiresAt.Format(time.RFC3339)
@@ -148,7 +148,7 @@ func (e *EntryConfig) LogicalResponseData() map[string]any {
 		tokenCreatedAt = e.TokenCreatedAt.Format(time.RFC3339)
 	}
 
-	return map[string]any{
+	data = map[string]any{
 		"base_url":             e.BaseURL,
 		"auto_rotate_token":    e.AutoRotateToken,
 		"auto_rotate_before":   e.AutoRotateBefore.String(),
@@ -163,6 +163,12 @@ func (e *EntryConfig) LogicalResponseData() map[string]any {
 		"type":                 e.Type.String(),
 		"name":                 e.Name,
 	}
+
+	if includeToken {
+		data["token"] = e.Token
+	}
+
+	return data
 }
 
 func getConfig(ctx context.Context, s logical.Storage, name string) (cfg *EntryConfig, err error) {

flags.go

@@ -0,0 +1,13 @@
+package gitlab
+
+import "flag"
+
+type Flags struct {
+	ShowConfigToken bool
+}
+
+// FlagSet returns the flag set for configuring the TLS connection
+func (f *Flags) FlagSet(fs *flag.FlagSet) *flag.FlagSet {
+	fs.BoolVar(&f.ShowConfigToken, "show-config-token", false, "")
+	return fs
+}

flags_test.go

@@ -0,0 +1,21 @@
+package gitlab_test
+
+import (
+	"flag"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	gitlab "github.com/ilijamt/vault-plugin-secrets-gitlab"
+)
+
+func TestFlags_FlagSet(t *testing.T) {
+	fs := flag.NewFlagSet("test", flag.ContinueOnError)
+
+	flags := &gitlab.Flags{}
+	flags.FlagSet(fs)
+
+	assert.False(t, flags.ShowConfigToken)
+	assert.NoError(t, fs.Parse([]string{"-show-config-token"}))
+	assert.True(t, flags.ShowConfigToken)
+}

helpers_test.go

@@ -92,6 +92,10 @@ func (m *mockEventsSender) expectEvents(t *testing.T, expectedEvents []expectedE
 }
 
 func getBackendWithEvents(ctx context.Context) (*gitlab.Backend, logical.Storage, *mockEventsSender, error) {
+	return getBackendWithFlagsWithEvents(ctx, gitlab.Flags{})
+}
+
+func getBackendWithFlagsWithEvents(ctx context.Context, flags gitlab.Flags) (*gitlab.Backend, logical.Storage, *mockEventsSender, error) {
 	events := &mockEventsSender{}
 	config := &logical.BackendConfig{
 		Logger:       logging.NewVaultLoggerWithWriter(io.Discard, log.NoLevel),
@@ -101,7 +105,7 @@ func getBackendWithEvents(ctx context.Context) (*gitlab.Backend, logical.Storage
 		EventsSender: events,
 	}
 
-	b, err := gitlab.Factory(ctx, config)
+	b, err := gitlab.Factory(flags)(ctx, config)
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("unable to create Backend: %w", err)
 	}

path_config.go

@@ -108,9 +108,9 @@ func (b *Backend) pathConfigRead(ctx context.Context, req *logical.Request, data
 		if config == nil {
 			return logical.ErrorResponse(ErrBackendNotConfigured.Error()), nil
 		}
-		lrd := config.LogicalResponseData()
+		lrd := config.LogicalResponseData(b.flags.ShowConfigToken)
 		b.Logger().Debug("Reading configuration info", "info", lrd)
-		lResp = &logical.Response{Data: config.LogicalResponseData()}
+		lResp = &logical.Response{Data: lrd}
 	}
 	return lResp, err
 }
@@ -142,7 +142,7 @@ func (b *Backend) pathConfigPatch(ctx context.Context, req *logical.Request, dat
 	b.lockClientMutex.Lock()
 	defer b.lockClientMutex.Unlock()
 	if err = saveConfig(ctx, *config, req.Storage); err == nil {
-		lrd := config.LogicalResponseData()
+		lrd := config.LogicalResponseData(b.flags.ShowConfigToken)
 		event(ctx, b.Backend, "config-patch", changes)
 		b.SetClient(nil, name)
 		b.Logger().Debug("Patched config", "lrd", lrd, "warnings", warnings)
@@ -214,7 +214,7 @@ func (b *Backend) pathConfigWrite(ctx context.Context, req *logical.Request, dat
 		})
 
 		b.SetClient(nil, name)
-		lrd := config.LogicalResponseData()
+		lrd := config.LogicalResponseData(b.flags.ShowConfigToken)
 		b.Logger().Debug("Wrote new config", "lrd", lrd, "warnings", warnings)
 		lResp = &logical.Response{Data: lrd, Warnings: warnings}
 	}

path_config_rotate.go

@@ -105,7 +105,7 @@ func (b *Backend) pathConfigTokenRotate(ctx context.Context, request *logical.Re
 		return nil, err
 	}
 
-	lResp = &logical.Response{Data: config.LogicalResponseData()}
+	lResp = &logical.Response{Data: config.LogicalResponseData(b.flags.ShowConfigToken)}
 	lResp.Data["token"] = config.Token
 	event(ctx, b.Backend, "config-token-rotate", map[string]string{
 		"path":        fmt.Sprintf("%s/%s", PathConfigStorage, name),

path_config_test.go

@@ -102,6 +102,61 @@ func TestPathConfig(t *testing.T) {
 		})
 	})
 
+	t.Run("write, read, delete and read config with show config token", func(t *testing.T) {
+		httpClient, url := getClient(t, "unit")
+		ctx := gitlab.HttpClientNewContext(context.Background(), httpClient)
+
+		b, l, events, err := getBackendWithFlagsWithEvents(ctx, gitlab.Flags{ShowConfigToken: true})
+		require.NoError(t, err)
+
+		resp, err := b.HandleRequest(ctx, &logical.Request{
+			Operation: logical.UpdateOperation,
+			Path:      fmt.Sprintf("%s/%s", gitlab.PathConfigStorage, gitlab.DefaultConfigName), Storage: l,
+			Data: map[string]any{
+				"token":    "glpat-secret-random-token",
+				"base_url": url,
+				"type":     gitlab.TypeSelfManaged.String(),
+			},
+		})
+
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.NoError(t, resp.Error())
+
+		resp, err = b.HandleRequest(ctx, &logical.Request{
+			Operation: logical.ReadOperation,
+			Path:      fmt.Sprintf("%s/%s", gitlab.PathConfigStorage, gitlab.DefaultConfigName), Storage: l,
+		})
+
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.NoError(t, resp.Error())
+		assert.NotEmpty(t, resp.Data["token_sha1_hash"])
+		assert.NotEmpty(t, resp.Data["base_url"])
+		require.Len(t, events.eventsProcessed, 1)
+		require.NotEmpty(t, resp.Data["token"])
+
+		resp, err = b.HandleRequest(ctx, &logical.Request{
+			Operation: logical.DeleteOperation,
+			Path:      fmt.Sprintf("%s/%s", gitlab.PathConfigStorage, gitlab.DefaultConfigName), Storage: l,
+		})
+		require.NoError(t, err)
+		require.Nil(t, resp)
+		require.Len(t, events.eventsProcessed, 2)
+
+		resp, err = b.HandleRequest(ctx, &logical.Request{
+			Operation: logical.ReadOperation,
+			Path:      fmt.Sprintf("%s/%s", gitlab.PathConfigStorage, gitlab.DefaultConfigName), Storage: l,
+		})
+		require.NoError(t, err)
+		require.NotNil(t, resp)
+		require.Error(t, resp.Error())
+
+		events.expectEvents(t, []expectedEvent{
+			{eventType: "gitlab/config-write"},
+			{eventType: "gitlab/config-delete"},
+		})
+	})
 	t.Run("invalid token", func(t *testing.T) {
 		httpClient, url := getClient(t, "unit")
 		ctx := gitlab.HttpClientNewContext(context.Background(), httpClient)

testdata/unit/TestPathConfig_write_read_delete_and_read_config_with_show_config_token.yaml

@@ -0,0 +1,133 @@
+---
+version: 2
+interactions:
+  - id: 0
+    request:
+      proto: HTTP/1.1
+      proto_major: 1
+      proto_minor: 1
+      content_length: 0
+      transfer_encoding: []
+      trailer: {}
+      host: localhost:8080
+      remote_addr: ""
+      request_uri: ""
+      body: ""
+      form: {}
+      headers:
+        Accept:
+          - application/json
+        Private-Token:
+          - REPLACED-TOKEN
+        User-Agent:
+          - go-gitlab
+      url: http://localhost:8080/api/v4/personal_access_tokens/self
+      method: GET
+    response:
+      proto: HTTP/1.1
+      proto_major: 1
+      proto_minor: 1
+      transfer_encoding:
+        - chunked
+      trailer: {}
+      content_length: -1
+      uncompressed: true
+      body: '{"id":1,"name":"Initial token","revoked":false,"created_at":"2024-07-11T18:53:26.792Z","scopes":["api","read_api","read_user","sudo","admin_mode","create_runner","k8s_proxy","read_repository","write_repository","ai_features","read_service_ping"],"user_id":1,"last_used_at":"2024-12-14T22:52:47.081Z","active":true,"expires_at":"2025-07-11"}'
+      headers:
+        Cache-Control:
+          - max-age=0, private, must-revalidate
+        Connection:
+          - keep-alive
+        Content-Type:
+          - application/json
+        Date:
+          - Sat, 14 Dec 2024 22:52:51 GMT
+        Etag:
+          - W/"d0f486f8d8a3d398674f9cd0e555862f"
+        Referrer-Policy:
+          - strict-origin-when-cross-origin
+        Server:
+          - nginx
+        Strict-Transport-Security:
+          - max-age=63072000
+        Vary:
+          - Accept-Encoding
+          - Origin
+        X-Content-Type-Options:
+          - nosniff
+        X-Frame-Options:
+          - SAMEORIGIN
+        X-Gitlab-Meta:
+          - '{"correlation_id":"01JF3NZSKYGZEE33KZ7H81F52E","version":"1"}'
+        X-Request-Id:
+          - 01JF3NZSKYGZEE33KZ7H81F52E
+        X-Runtime:
+          - "0.011814"
+      status: 200 OK
+      code: 200
+      duration: 14.264125ms
+  - id: 1
+    request:
+      proto: HTTP/1.1
+      proto_major: 1
+      proto_minor: 1
+      content_length: 0
+      transfer_encoding: []
+      trailer: {}
+      host: localhost:8080
+      remote_addr: ""
+      request_uri: ""
+      body: ""
+      form: {}
+      headers:
+        Accept:
+          - application/json
+        Private-Token:
+          - REPLACED-TOKEN
+        User-Agent:
+          - go-gitlab
+      url: http://localhost:8080/api/v4/metadata
+      method: GET
+    response:
+      proto: HTTP/1.1
+      proto_major: 1
+      proto_minor: 1
+      transfer_encoding: []
+      trailer: {}
+      content_length: 162
+      uncompressed: false
+      body: '{"version":"16.11.6","revision":"4684e042d0b","kas":{"enabled":true,"externalUrl":"ws://7b1d891ab6bb/-/kubernetes-agent/","version":"16.11.6"},"enterprise":false}'
+      headers:
+        Cache-Control:
+          - max-age=0, private, must-revalidate
+        Connection:
+          - keep-alive
+        Content-Length:
+          - "162"
+        Content-Type:
+          - application/json
+        Date:
+          - Sat, 14 Dec 2024 22:52:51 GMT
+        Etag:
+          - W/"a29dcadce9c4771a1b7b66cc326f6617"
+        Referrer-Policy:
+          - strict-origin-when-cross-origin
+        Server:
+          - nginx
+        Strict-Transport-Security:
+          - max-age=63072000
+        Vary:
+          - Origin
+        X-Content-Type-Options:
+          - nosniff
+        X-Frame-Options:
+          - SAMEORIGIN
+        X-Gitlab-Meta:
+          - '{"correlation_id":"01JF3NZSMXEA3BW1J2RZN4AVKK","version":"1"}'
+        X-Request-Id:
+          - 01JF3NZSMXEA3BW1J2RZN4AVKK
+        X-Runtime:
+          - "0.017671"
+      status: 200 OK
+      code: 200
+      duration: 20.426875ms