fix: dont write the token config as a secret

Author: ilijamt

entry_config.go

@@ -136,19 +136,6 @@ func (e *EntryConfig) UpdateFromFieldData(data *framework.FieldData) (warnings [
 	return warnings, err
 }
 
-func (e *EntryConfig) Response() *logical.Response {
-	return &logical.Response{
-		Secret: &logical.Secret{
-			LeaseOptions: logical.LeaseOptions{},
-			InternalData: map[string]any{
-				"token_id": e.TokenId,
-				"token":    e.Token,
-			},
-		},
-		Data: e.LogicalResponseData(),
-	}
-}
-
 func (e *EntryConfig) LogicalResponseData() map[string]any {
 	var tokenExpiresAt, tokenCreatedAt = "", ""
 	if !e.TokenExpiresAt.IsZero() {

path_config.go

@@ -149,7 +149,6 @@ func (b *Backend) pathConfigPatch(ctx context.Context, req *logical.Request, dat
 	}
 
 	return lResp, err
-
 }
 
 func (b *Backend) updateConfigClientInfo(ctx context.Context, config *EntryConfig) (et *EntryToken, err error) {

path_config_list.go

@@ -53,6 +53,6 @@ func (b *Backend) pathConfigList(ctx context.Context, req *logical.Request, data
 	if err == nil {
 		lResp = logical.ListResponse(configs)
 	}
-	b.Logger().Debug("Available configs input the system", "configs", configs)
+	b.Logger().Debug("Available", "configs", configs)
 	return lResp, err
 }

path_config_rotate.go

@@ -57,12 +57,11 @@ func (b *Backend) checkAndRotateConfigToken(ctx context.Context, request *logica
 	return err
 }
 
-func (b *Backend) pathConfigTokenRotate(ctx context.Context, request *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+func (b *Backend) pathConfigTokenRotate(ctx context.Context, request *logical.Request, data *framework.FieldData) (lResp *logical.Response, err error) {
 	var name = data.Get("config_name").(string)
 	b.Logger().Debug("Running pathConfigTokenRotate")
 	var config *EntryConfig
 	var client Client
-	var err error
 
 	b.lockClientMutex.RLock()
 	if config, err = getConfig(ctx, request.Storage, name); err != nil {
@@ -105,6 +104,8 @@ func (b *Backend) pathConfigTokenRotate(ctx context.Context, request *logical.Re
 		return nil, err
 	}
 
+	lResp = &logical.Response{Data: config.LogicalResponseData()}
+	lResp.Data["token"] = config.Token
 	event(ctx, b.Backend, "config-token-rotate", map[string]string{
 		"path":       fmt.Sprintf("%s/%s", PathConfigStorage, name),
 		"expires_at": entryToken.ExpiresAt.Format(time.RFC3339),
@@ -115,5 +116,5 @@ func (b *Backend) pathConfigTokenRotate(ctx context.Context, request *logical.Re
 	})
 
 	b.SetClient(nil, name)
-	return config.Response(), nil
+	return lResp, err
 }

path_config_test.go

@@ -76,6 +76,7 @@ func TestPathConfig(t *testing.T) {
 		assert.NotEmpty(t, resp.Data["token_sha1_hash"])
 		assert.NotEmpty(t, resp.Data["base_url"])
 		require.Len(t, events.eventsProcessed, 1)
+		require.Empty(t, resp.Data["token"])
 
 		resp, err = b.HandleRequest(ctx, &logical.Request{
 			Operation: logical.DeleteOperation,

path_role.go

@@ -108,7 +108,7 @@ func (b *Backend) pathRolesList(ctx context.Context, req *logical.Request, data
 	if err != nil {
 		return logical.ErrorResponse("Error listing roles"), err
 	}
-	b.Logger().Debug("Available roles input the system", "roles", roles)
+	b.Logger().Debug("Available", "roles", roles)
 	return logical.ListResponse(roles), nil
 }
 

with_gitlab_com_user_rotate_token_test.go

@@ -52,10 +52,8 @@ func TestWithGitlabUser_RotateToken(t *testing.T) {
 		require.NotNil(t, resp)
 		require.NotEqualValues(t, resp.Data["token"], gitlabComPersonalAccessToken)
 		oldToken = gitlabComPersonalAccessToken
-		require.NotNil(t, resp.Secret)
-		require.NotNil(t, resp.Secret.InternalData)
-		require.NotEmpty(t, resp.Secret.InternalData["token"])
-		newToken = resp.Secret.InternalData["token"].(string)
+		newToken = resp.Data["token"].(string)
+		require.Nil(t, resp.Secret) // This must not be a secret
 	}
 
 	// Old token should not have access anymore