replace global vault handlers with newVaultHandlers() (#27515)

command/command_stubs_oss.go

@@ -35,3 +35,5 @@ func entGetFIPSInfoKey() string {
 func entGetRequestLimiterStatus(coreConfig vault.CoreConfig) string {
 	return ""
 }
+
+func entExtendAddonHandlers(handlers *vaultHandlers) {}

command/command_test.go

@@ -122,10 +122,11 @@ func testVaultServerWithKVVersion(tb testing.TB, kvVersion string) (*api.Client,
 func testVaultServerAllBackends(tb testing.TB) (*api.Client, func()) {
 	tb.Helper()
 
+	handlers := newVaultHandlers()
 	client, _, closer := testVaultServerCoreConfig(tb, &vault.CoreConfig{
-		CredentialBackends: credentialBackends,
-		AuditBackends:      auditBackends,
-		LogicalBackends:    logicalBackends,
+		CredentialBackends: handlers.credentialBackends,
+		AuditBackends:      handlers.auditBackends,
+		LogicalBackends:    handlers.logicalBackends,
 		BuiltinRegistry:    builtinplugins.Registry,
 	})
 	return client, closer

command/commands.go

@@ -129,50 +129,68 @@ const (
 	flagNameDelegatedAuthAccessors = "delegated-auth-accessors"
 )
 
-var (
-	physicalBackends = map[string]physical.Factory{
-		"inmem_ha":               physInmem.NewInmemHA,
-		"inmem_transactional_ha": physInmem.NewTransactionalInmemHA,
-		"inmem_transactional":    physInmem.NewTransactionalInmem,
-		"inmem":                  physInmem.NewInmem,
-		"raft":                   physRaft.NewRaftBackend,
-	}
+// vaultHandlers contains the handlers for creating the various Vault backends.
+type vaultHandlers struct {
+	physicalBackends     map[string]physical.Factory
+	loginHandlers        map[string]LoginHandler
+	auditBackends        map[string]audit.Factory
+	credentialBackends   map[string]logical.Factory
+	logicalBackends      map[string]logical.Factory
+	serviceRegistrations map[string]sr.Factory
+}
 
-	loginHandlers = map[string]LoginHandler{
-		"cert":  &credCert.CLIHandler{},
-		"oidc":  &credOIDC.CLIHandler{},
-		"token": &credToken.CLIHandler{},
-		"userpass": &credUserpass.CLIHandler{
-			DefaultMount: "userpass",
+// newMinimalVaultHandlers returns a new vaultHandlers that a minimal Vault would use.
+func newMinimalVaultHandlers() *vaultHandlers {
+	return &vaultHandlers{
+		physicalBackends: map[string]physical.Factory{
+			"inmem_ha":               physInmem.NewInmemHA,
+			"inmem_transactional_ha": physInmem.NewTransactionalInmemHA,
+			"inmem_transactional":    physInmem.NewTransactionalInmem,
+			"inmem":                  physInmem.NewInmem,
+			"raft":                   physRaft.NewRaftBackend,
+		},
+		loginHandlers: map[string]LoginHandler{
+			"cert":  &credCert.CLIHandler{},
+			"oidc":  &credOIDC.CLIHandler{},
+			"token": &credToken.CLIHandler{},
+			"userpass": &credUserpass.CLIHandler{
+				DefaultMount: "userpass",
+			},
+		},
+		auditBackends: map[string]audit.Factory{
+			"file":   audit.NewFileBackend,
+			"socket": audit.NewSocketBackend,
+			"syslog": audit.NewSyslogBackend,
+		},
+		credentialBackends: map[string]logical.Factory{
+			"plugin": plugin.Factory,
+		},
+		logicalBackends: map[string]logical.Factory{
+			"plugin":   plugin.Factory,
+			"database": logicalDb.Factory,
+			// This is also available in the plugin catalog, but is here due to the need to
+			// automatically mount it.
+			"kv": logicalKv.Factory,
+		},
+		serviceRegistrations: map[string]sr.Factory{
+			"consul":     csr.NewServiceRegistration,
+			"kubernetes": ksr.NewServiceRegistration,
 		},
 	}
+}
 
-	auditBackends = map[string]audit.Factory{
-		"file":   audit.NewFileBackend,
-		"socket": audit.NewSocketBackend,
-		"syslog": audit.NewSyslogBackend,
-	}
-
-	credentialBackends = map[string]logical.Factory{
-		"plugin": plugin.Factory,
-	}
-
-	logicalBackends = map[string]logical.Factory{
-		"plugin":   plugin.Factory,
-		"database": logicalDb.Factory,
-		// This is also available in the plugin catalog, but is here due to the need to
-		// automatically mount it.
-		"kv": logicalKv.Factory,
-	}
+// newVaultHandlers returns a new vaultHandlers composed of newMinimalVaultHandlers()
+// and any addon handlers from Vault CE and Vault Enterprise selected by Go build tags.
+func newVaultHandlers() *vaultHandlers {
+	handlers := newMinimalVaultHandlers()
+	extendAddonHandlers(handlers)
+	entExtendAddonHandlers(handlers)
 
-	serviceRegistrations = map[string]sr.Factory{
-		"consul":     csr.NewServiceRegistration,
-		"kubernetes": ksr.NewServiceRegistration,
-	}
-)
+	return handlers
+}
 
 func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) map[string]cli.CommandFactory {
-	extendAddonCommands()
+	handlers := newVaultHandlers()
 
 	getBaseCommand := func() *BaseCommand {
 		return &BaseCommand{
@@ -243,7 +261,7 @@ func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) map[string]cli.Co
 		"auth help": func() (cli.Command, error) {
 			return &AuthHelpCommand{
 				BaseCommand: getBaseCommand(),
-				Handlers:    loginHandlers,
+				Handlers:    handlers.loginHandlers,
 			}, nil
 		},
 		"auth list": func() (cli.Command, error) {
@@ -300,7 +318,7 @@ func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) map[string]cli.Co
 		"login": func() (cli.Command, error) {
 			return &LoginCommand{
 				BaseCommand: getBaseCommand(),
-				Handlers:    loginHandlers,
+				Handlers:    handlers.loginHandlers,
 			}, nil
 		},
 		"namespace": func() (cli.Command, error) {
@@ -371,7 +389,7 @@ func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) map[string]cli.Co
 		"operator migrate": func() (cli.Command, error) {
 			return &OperatorMigrateCommand{
 				BaseCommand:      getBaseCommand(),
-				PhysicalBackends: physicalBackends,
+				PhysicalBackends: handlers.physicalBackends,
 				ShutdownCh:       MakeShutdownCh(),
 			}, nil
 		},
@@ -662,12 +680,11 @@ func initCommands(ui, serverCmdUi cli.Ui, runOpts *RunOptions) map[string]cli.Co
 					tokenHelper: runOpts.TokenHelper,
 					flagAddress: runOpts.Address,
 				},
-				AuditBackends:      auditBackends,
-				CredentialBackends: credentialBackends,
-				LogicalBackends:    logicalBackends,
-				PhysicalBackends:   physicalBackends,
-
-				ServiceRegistrations: serviceRegistrations,
+				AuditBackends:        handlers.auditBackends,
+				CredentialBackends:   handlers.credentialBackends,
+				LogicalBackends:      handlers.logicalBackends,
+				PhysicalBackends:     handlers.physicalBackends,
+				ServiceRegistrations: handlers.serviceRegistrations,
 
 				ShutdownCh: MakeShutdownCh(),
 				SighupCh:   MakeSighupCh(),

command/commands_full.go

@@ -43,7 +43,7 @@ import (
 	physFile "github.com/hashicorp/vault/sdk/physical/file"
 )
 
-func newFullAddonCommands() (map[string]physical.Factory, map[string]LoginHandler) {
+func newFullAddonHandlers() (map[string]physical.Factory, map[string]LoginHandler) {
 	addonPhysicalBackends := map[string]physical.Factory{
 		"aerospike":             physAerospike.NewAerospikeBackend,
 		"alicloudoss":           physAliCloudOSS.NewAliCloudOSSBackend,
@@ -88,9 +88,9 @@ func newFullAddonCommands() (map[string]physical.Factory, map[string]LoginHandle
 	return addonPhysicalBackends, addonLoginHandlers
 }
 
-func extendAddonCommands() {
-	addonPhysicalBackends, addonLoginHandlers := newFullAddonCommands()
+func extendAddonHandlers(handlers *vaultHandlers) {
+	addonPhysicalBackends, addonLoginHandlers := newFullAddonHandlers()
 
-	maps.Copy(physicalBackends, addonPhysicalBackends)
-	maps.Copy(loginHandlers, addonLoginHandlers)
+	maps.Copy(handlers.physicalBackends, addonPhysicalBackends)
+	maps.Copy(handlers.loginHandlers, addonLoginHandlers)
 }

command/commands_full_test.go

@@ -12,34 +12,35 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-// Test_extendAddonCommands tests extendAddonCommands() extends physical and logical backends with
-// those generated by newFullAddonCommands()
-func Test_extendAddonCommands(t *testing.T) {
-	expMinPhysicalBackends := maps.Clone(physicalBackends)
-	expMinLoginHandlers := maps.Clone(loginHandlers)
+// Test_extendAddonHandlers tests extendAddonHandlers() extends the minimal Vault handlers with handlers
+// generated by newFullAddonHandlers()
+func Test_extendAddonHandlers(t *testing.T) {
+	handlers := newMinimalVaultHandlers()
+	expMinPhysicalBackends := maps.Clone(handlers.physicalBackends)
+	expMinLoginHandlers := maps.Clone(handlers.loginHandlers)
 
-	expAddonPhysicalBackends, expAddonLoginHandlers := newFullAddonCommands()
+	expAddonPhysicalBackends, expAddonLoginHandlers := newFullAddonHandlers()
 
-	extendAddonCommands()
+	extendAddonHandlers(handlers)
 
-	require.Equal(t, len(expMinPhysicalBackends)+len(expAddonPhysicalBackends), len(physicalBackends),
+	require.Equal(t, len(expMinPhysicalBackends)+len(expAddonPhysicalBackends), len(handlers.physicalBackends),
 		"extended total physical backends mismatch total of minimal and full addon physical backends")
-	require.Equal(t, len(expMinLoginHandlers)+len(expAddonLoginHandlers), len(loginHandlers),
+	require.Equal(t, len(expMinLoginHandlers)+len(expAddonLoginHandlers), len(handlers.loginHandlers),
 		"extended total login handlers mismatch total of minimal and full addon login handlers")
 
 	for k := range expMinPhysicalBackends {
-		require.Contains(t, physicalBackends, k, "expected to contain minimal physical backend")
+		require.Contains(t, handlers.physicalBackends, k, "expected to contain minimal physical backend")
 	}
 
 	for k := range expAddonPhysicalBackends {
-		require.Contains(t, physicalBackends, k, "expected to contain full addon physical backend")
+		require.Contains(t, handlers.physicalBackends, k, "expected to contain full addon physical backend")
 	}
 
 	for k := range expMinLoginHandlers {
-		require.Contains(t, loginHandlers, k, "expected to contain minimal login handler")
+		require.Contains(t, handlers.loginHandlers, k, "expected to contain minimal login handler")
 	}
 
 	for k := range expAddonLoginHandlers {
-		require.Contains(t, loginHandlers, k, "expected to contain full addon login handler")
+		require.Contains(t, handlers.loginHandlers, k, "expected to contain full addon login handler")
 	}
 }

command/commands_min.go

@@ -9,6 +9,6 @@ import (
 	_ "github.com/hashicorp/vault/helper/builtinplugins"
 )
 
-func extendAddonCommands() {
+func extendAddonHandlers(*vaultHandlers) {
 	// No-op
 }

command/commands_test.go

@@ -25,7 +25,12 @@ func Test_Commands_HCPInit(t *testing.T) {
 	}
 
 	for n, tst := range tests {
+		n := n
+		tst := tst
+
 		t.Run(n, func(t *testing.T) {
+			t.Parallel()
+
 			mockUi := cli.NewMockUi()
 			commands := initCommands(mockUi, nil, nil)
 			if tst.expectError {

command/operator_diagnose.go

@@ -203,17 +203,19 @@ func (c *OperatorDiagnoseCommand) RunWithParsedFlags() int {
 
 func (c *OperatorDiagnoseCommand) offlineDiagnostics(ctx context.Context) error {
 	rloadFuncs := make(map[string][]reloadutil.ReloadFunc)
+	handlers := newVaultHandlers()
+
 	server := &ServerCommand{
 		// TODO: set up a different one?
 		// In particular, a UI instance that won't output?
 		BaseCommand: c.BaseCommand,
 
 		// TODO: refactor to a common place?
-		AuditBackends:        auditBackends,
-		CredentialBackends:   credentialBackends,
-		LogicalBackends:      logicalBackends,
-		PhysicalBackends:     physicalBackends,
-		ServiceRegistrations: serviceRegistrations,
+		AuditBackends:        handlers.auditBackends,
+		CredentialBackends:   handlers.credentialBackends,
+		LogicalBackends:      handlers.logicalBackends,
+		PhysicalBackends:     handlers.physicalBackends,
+		ServiceRegistrations: handlers.serviceRegistrations,
 
 		// TODO: other ServerCommand options?
 

command/operator_migrate_test.go

@@ -32,10 +32,11 @@ func init() {
 }
 
 func TestMigration(t *testing.T) {
+	handlers := newVaultHandlers()
 	t.Run("Default", func(t *testing.T) {
 		data := generateData()
 
-		fromFactory := physicalBackends["file"]
+		fromFactory := handlers.physicalBackends["file"]
 
 		folder := t.TempDir()
 
@@ -51,7 +52,7 @@ func TestMigration(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		toFactory := physicalBackends["inmem"]
+		toFactory := handlers.physicalBackends["inmem"]
 		confTo := map[string]string{}
 		to, err := toFactory(confTo, nil)
 		if err != nil {
@@ -72,7 +73,7 @@ func TestMigration(t *testing.T) {
 	t.Run("Concurrent migration", func(t *testing.T) {
 		data := generateData()
 
-		fromFactory := physicalBackends["file"]
+		fromFactory := handlers.physicalBackends["file"]
 
 		folder := t.TempDir()
 
@@ -88,7 +89,7 @@ func TestMigration(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		toFactory := physicalBackends["inmem"]
+		toFactory := handlers.physicalBackends["inmem"]
 		confTo := map[string]string{}
 		to, err := toFactory(confTo, nil)
 		if err != nil {
@@ -110,7 +111,7 @@ func TestMigration(t *testing.T) {
 	t.Run("Start option", func(t *testing.T) {
 		data := generateData()
 
-		fromFactory := physicalBackends["inmem"]
+		fromFactory := handlers.physicalBackends["inmem"]
 		confFrom := map[string]string{}
 		from, err := fromFactory(confFrom, nil)
 		if err != nil {
@@ -120,7 +121,7 @@ func TestMigration(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		toFactory := physicalBackends["file"]
+		toFactory := handlers.physicalBackends["file"]
 		folder := t.TempDir()
 		confTo := map[string]string{
 			"path": folder,
@@ -149,7 +150,7 @@ func TestMigration(t *testing.T) {
 	t.Run("Start option (parallel)", func(t *testing.T) {
 		data := generateData()
 
-		fromFactory := physicalBackends["inmem"]
+		fromFactory := handlers.physicalBackends["inmem"]
 		confFrom := map[string]string{}
 		from, err := fromFactory(confFrom, nil)
 		if err != nil {
@@ -159,7 +160,7 @@ func TestMigration(t *testing.T) {
 			t.Fatal(err)
 		}
 
-		toFactory := physicalBackends["file"]
+		toFactory := handlers.physicalBackends["file"]
 		folder := t.TempDir()
 		confTo := map[string]string{
 			"path": folder,
@@ -269,7 +270,7 @@ storage_destination "dest_type2" {
 	})
 
 	t.Run("DFS Scan", func(t *testing.T) {
-		s, _ := physicalBackends["inmem"](map[string]string{}, nil)
+		s, _ := handlers.physicalBackends["inmem"](map[string]string{}, nil)
 
 		data := generateData()
 		data["cc"] = []byte{}