8.9 KiB
Latest Features - Mount Point Detection & Multi-Mount Search
🎉 What's New
1. Login Verification ✅
Before: Login was assumed to work, no verification
Now: Login is verified by calling /v1/sys/internal/ui/mounts
- ✅ Confirms credentials are valid
- ✅ Provides immediate feedback
- ✅ Shows detailed error messages on failure
- ✅ Fails fast if credentials are invalid
// On login:
const mountPoints = await vaultApi.verifyLoginAndGetMounts(server, credentials);
// ✓ Login verified
// ✓ Mount points detected
2. Automatic Mount Point Discovery 🔍
Detects all KV secret engine mount points:
- Queries
/v1/sys/internal/ui/mountson login - Filters for KV secret engines only (
kvorgenerictype) - Auto-detects KV version (v1 or v2) from mount options
- Stores mount points in connection state
Example Console Output:
⚡ Verifying login and fetching mount points...
✓ Found 3 KV mount point(s): ["secret", "secret-v1", "team-secrets"]
✓ Logged in successfully.
3. Search Across All Mounts 🚀
New Feature: Optional multi-mount search
UI Changes:
- Checkbox: "Search across all mount points (N available)"
- Shows number of detected mount points
- Disabled when no mount points available
- Off by default (single path search)
When Enabled:
- Searches all detected KV mount points
- Each mount searched with correct KV version
- Results show mount point indicator: 📌
- Continues even if some mounts fail (permission denied)
Search Results:
📄 secret/prod/database/credentials
📌 secret
Depth: 2
📄 team-secrets/shared/database
📌 team-secrets
Depth: 1
4. Intelligent KV Version Handling
Per-mount KV version detection:
// Each mount can have different KV version
secret/ → KV v2 (uses /metadata/ for LIST)
secret-v1/ → KV v1 (direct LIST)
team-secrets/ → KV v2 (uses /metadata/ for LIST)
Automatic path transformation:
- KV v2:
secret/→secret/metadata/for LIST - KV v2:
secret/→secret/data/for READ/WRITE - KV v1:
secret/→secret/(no transformation)
📊 Technical Changes
New API Methods
VaultClient.listMounts()
const mounts = await client.listMounts();
// Returns all mount points with metadata
vaultApi.verifyLoginAndGetMounts()
const mountPoints = await vaultApi.verifyLoginAndGetMounts(server, credentials);
// Verifies login + returns filtered KV mount points
vaultApi.searchAllMounts()
const results = await vaultApi.searchAllMounts(
server,
credentials,
mountPoints,
searchTerm
);
// Searches across all provided mount points
Updated Types
MountPoint interface:
interface MountPoint {
path: string; // "secret"
type: string; // "kv"
description: string; // "key/value secret storage"
accessor: string; // "kv_abc123"
config: { ... };
options: {
version?: string; // "2" for KV v2
};
}
VaultConnection interface:
interface VaultConnection {
server: VaultServer;
credentials: VaultCredentials;
isConnected: boolean;
lastConnected?: Date;
mountPoints?: MountPoint[]; // ← NEW
}
SearchResult interface:
interface SearchResult {
path: string;
isDirectory: boolean;
depth: number;
mountPoint?: string; // ← NEW
}
File Changes
Modified:
- ✅
src/types.ts- Added MountPoint, updated VaultConnection - ✅
src/services/vaultClient.ts- Added listMounts() - ✅
src/services/vaultApi.ts- Added verifyLoginAndGetMounts(), searchAllMounts() - ✅
src/components/PathSearch.tsx- Added multi-mount search UI - ✅
src/components/PathSearch.css- Styles for new UI elements - ✅
src/components/Dashboard.tsx- Pass mountPoints to PathSearch - ✅
src/App.tsx- Call verifyLoginAndGetMounts() on login
New:
- ✅
MOUNT_POINTS.md- Comprehensive documentation
🎯 Use Cases
Use Case 1: I Don't Know Which Mount
Scenario: "I need the database credentials, but I don't know if they're in secret/ or team-secrets/"
Solution:
1. ☑ Enable "Search across all mount points"
2. Search: "database"
3. Results show secrets from ALL mounts with indicators
Use Case 2: Multi-Team Environment
Scenario: Organization with multiple teams, each with their own mount point
Detected:
- secret (shared)
- team-engineering-secrets
- team-ops-secrets
- team-data-secrets
Benefit: Search across all teams' secrets (if you have permission)
Use Case 3: Fast Targeted Search
Scenario: "I know exactly where to look: secret/prod/myapp/"
Solution:
1. ☐ Disable "Search across all mount points"
2. Base Path: secret/prod/myapp/
3. Search: "api-key"
4. Fast, targeted results
🔒 Security & Permissions
Required Permissions
For login verification and mount discovery:
path "sys/internal/ui/mounts" {
capabilities = ["read"]
}
For searching:
# KV v2
path "secret/metadata/*" {
capabilities = ["list"]
}
# KV v1
path "secret/*" {
capabilities = ["list"]
}
Graceful Permission Handling
What happens if you can't access a mount:
🔍 Searching across 3 mount point(s)...
→ Searching in secret/
✓ 45 results
→ Searching in team-secrets/
✗ Error: permission denied
→ Searching in public-secrets/
✓ 23 results
✓ Found 68 total result(s) across all mounts
- ✅ Continues with other mounts
- ✅ Logs error in console
- ✅ Returns partial results
- ✅ No error thrown to user
⚡ Performance
Caching Strategy
Each mount path cached separately:
Cache key: "server123:list:secret/"
Cache key: "server123:list:team-secrets/"
Cache key: "server123:list:public-secrets/"
Benefits:
- First search: API calls to all mounts
- Subsequent searches: Instant from cache
- Cache respects max size and expiration
Search Optimization
Sequential search with early exit:
1. Search mount 1 → 400 results
2. Search mount 2 → 300 results
3. Search mount 3 → 300 results
4. Total: 1000 results → STOP (max reached)
5. Mount 4+ not searched
🎨 UI/UX Improvements
Login Process
Visual feedback:
[Connecting...] → [✓ Login verified] → [✓ Found 3 mount points]
On failure:
[Connecting...] → [✗ Error: permission denied]
[Please check credentials]
Search Interface
Dynamic UI:
- Checkbox shows mount count: "(3 available)"
- Checkbox disabled if no mounts detected
- Base path field hidden when searching all mounts
- Results show mount indicator when relevant
Helpful hints:
ℹ️ Search Tips:
• Search all mounts: searches across all KV secret engines
(detected: secret, secret-v1, team-secrets)
• Base path: when not searching all mounts, specify starting path
• Results are cached to prevent excessive API calls
📝 Console Output Examples
Successful Login
⚡ Verifying login and fetching mount points...
✓ Found 3 KV mount point(s): ["secret", "secret-v1", "team-secrets"]
✓ Logged in successfully. Found 3 KV mount point(s).
Failed Login
⚡ Verifying login and fetching mount points...
✗ Login verification failed: permission denied
Multi-Mount Search
🔍 Searching across 3 mount point(s)...
→ Searching in secret/
⚡ API call for list: secret/metadata/
⚡ API call for list: secret/metadata/prod/
⚡ API call for list: secret/metadata/dev/
✓ Cache hit for list: secret/metadata/shared/
→ Searching in secret-v1/
✓ Cache hit for list: secret-v1/
→ Searching in team-secrets/
⚡ API call for list: team-secrets/metadata/
✓ Found 145 total result(s) across all mounts
🔧 Configuration
All existing configuration still applies:
Cache Settings:
- Max cache size (MB)
- Cache expiration time (minutes)
- Enable/disable caching
Search Settings:
- Max search depth (applies per mount)
- Max search results (applies globally across all mounts)
📚 Documentation
New comprehensive guide:
MOUNT_POINTS.md- Everything about mount point detection and multi-mount search
Updated guides:
README.md- Project overviewUSAGE.md- Usage instructionsFEATURES.md- Feature list
🎯 Summary
✅ Login verification - No more blind login attempts
✅ Auto-detect mount points - Discover all KV secret engines
✅ Search all mounts - Optional cross-mount search
✅ Mount indicators - Know which mount each result is from
✅ Smart KV handling - Per-mount version detection
✅ Graceful errors - Continue on permission denied
✅ Performance optimized - Caching + early exit
✅ Security conscious - Respects Vault ACLs
This makes discovering secrets in large Vault deployments much easier! 🚀