Version v1.15.4 not compatible with latest sdk version 0.10.2

[JadeLeng]

I'm trying to update to the latest v1.15.4 version to fix CVEs as suggested. My service also imports github.com/hashicorp/vault/sdk v0.10.2.
In #24354, there introduced new functions CreateContextOriginalBody and ContextOriginalBodyValue which sdk 0.10.2 does not contains the change, it caused our building to fail.

To Reproduce
Steps to reproduce the behavior:
my go.mod:

	github.com/hashicorp/vault v1.15.4 // indirect
	github.com/hashicorp/vault/api v1.10.0 // indirect
	github.com/hashicorp/vault/api/auth/aws v0.1.0 // indirect
	github.com/hashicorp/vault/sdk v0.10.2 // indirect

1. Run go mod tidy and go mod vendor
2. Build the project
3. See error

# github.com/hashicorp/vault/vault
vendor/github.com/hashicorp/vault/vault/logical_system_raft.go:573:23: undefined: logical.ContextOriginalBodyValue
vendor/github.com/hashicorp/vault/vault/request_handling.go:581:22: undefined: logical.ContextOriginalBodyValue
vendor/github.com/hashicorp/vault/vault/request_handling.go:583:17: undefined: logical.CreateContextOriginalBody

Expected behavior
A new version of github.com/hashicorp/vault/sdk shall be available for us to update.

Environment:
I'm using go 1.21.5

[bakjos]

For me it worked by running go get github.com/hashicorp/vault/sdk@9b61934559ba

[banks]

Hi @JadeLeng, thanks for reporting this! We will release an updated SDK module soon, however I'm a little curious about the specifics of your code base.

From github.com/hashicorp/vault v1.15.4 // indirect it seems like there is some code which may be yours or another third-party library that is directly importing Vault as a library which is something we specifically don't support.

Note specifically:

We aren't likely to fix bugs relating to failure to import github.com/hashicorp/vault into your project.

While we will release a new SDK version shortly that may fix this, do you have any way to track down which code is actually importing vault in the first place as it's likely that that will continue to cause issues in the future. There are some alternative strategies noted in the README linked above that are likely to be more robust in general.

As far as I can see so far (and please correct me if wrong) the incompatibility you noted is only something that is observed if you import both the SDK and vault directly).

Thanks

[james0209]

Hey @banks - I saw you asked about the use-case above.

Use-case:

Importing Vault as a library seems to be the only way to get access to DefaultTokenHelper which is in "github.com/hashicorp/vault/command/config".

This hasn't been touched for a lil' while so not sure if it's still the best approach, but we use it like so:

// VaultTokenFromHelper returns a vault token from the configured VaultHelper
// See https://www.hashicorp.com/blog/building-a-vault-token-helper
// This retriever will not renew the vault token if it is expired, so use this
// only for CLI tools or things that are not long running and assume that
// the vault token you will source is valid at the moment the function
// is called
func VaultTokenFromHelper(vaultAddr string) VaultTokenRetriever {
	return func(*api.Client) (string, time.Time, error) {
		tokenHelper, err := config.DefaultTokenHelper()
		if err != nil {
			return "", time.Now(), err
		}

I noticed there has been an open PR for over 3 years with movement here and there about moving the functionality out into vault/api or vault/sdk but no consensus seems to have been reached - #9786.

Is there plans to move forward with this? Is there an alternative/updated approach? There are multiple 👍 on the comments in the PR, but it seems to have lost momentum after the indecision as to whether it belongs in the api or sdk.

Thanks!

[banks]

@james0209 thanks for that context - that other PR isn't something I'd come across yet!

I agree it's unfortunate that a helper of that kind that encodes canonical behavior that many tools might want to share is not importable. I'll see what I can do to resolve the direction around that as it seems useful to many in the eco-system and should remove an incentive for vault module imports.

[banks]

I'm going to keep pushing #9786 as I think it's pretty close to being something we can merge and solve that reason to import vault at least.

I'm also going to close this for now because a) this is not supposed to be a supported way to use Vault code and b) we should be releasing a new api package version in the next week or two anyway. If others have additional context for why they might still choose to import Vault feel free to let us know or open other issues to resolve those issues and avoid the need for the import.